Refactor NGinx configuration & HA Authentication (#104)
* Refactor NGinx configuration & HA Authentication

* Remove stale code
frenck committed Jan 24, 2021
1 parent 8042ef7 commit 373893a
Showing 14 changed files with 75 additions and 169 deletions.
2 changes: 0 additions & 2 deletions adguard/Dockerfile
Expand Up @@ -16,8 +16,6 @@ RUN \
gnupg=2.2.27-r0 \
\
&& apk add --no-cache \
lua-resty-http=0.15-r0 \
nginx-mod-http-lua=1.18.0-r13 \
nginx=1.18.0-r13 \
\
&& if [[ "${BUILD_ARCH}" = "aarch64" ]]; then ARCH="arm64"; fi \
1 change: 0 additions & 1 deletion adguard/config.json
Expand Up @@ -21,7 +21,6 @@
"80/tcp": "Web interface (Not required for Ingress)"
},
"discovery": ["adguard"],
"hassio_api": true,
"auth_api": true,
"host_network": true,
"map": ["ssl"],
63 changes: 29 additions & 34 deletions adguard/rootfs/etc/cont-init.d/nginx.sh
Expand Up @@ -5,14 +5,9 @@
# ==============================================================================
declare adguard_port=45158
declare adguard_protocol=http
declare admin_port
declare certfile
declare dns_host
declare ingress_interface
declare ingress_port
declare keyfile
declare tls_port

# Figure out port settings from AdGuard
if bashio::var.true "$(yq read /data/adguard/AdGuardHome.yaml tls.enabled)";
then
tls_port=$(yq read /data/adguard/AdGuardHome.yaml tls.port_https)
Expand All @@ -22,33 +17,33 @@ then
fi
fi

sed -i "s#%%port%%#${adguard_port}#g" /etc/nginx/includes/upstream.conf
sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/ingress.conf

admin_port=$(bashio::addon.port 80)
if bashio::var.has_value "${admin_port}"; then
# Generate upstream configuration
bashio::var.json \
port "^${adguard_port}" \
| tempio \
-template /etc/nginx/templates/upstream.gtpl \
-out /etc/nginx/includes/upstream.conf

# Generate Ingress configuration
bashio::var.json \
interface "$(bashio::addon.ip_address)" \
port "^$(bashio::addon.ingress_port)" \
protocol "${adguard_protocol}" \
| tempio \
-template /etc/nginx/templates/ingress.gtpl \
-out /etc/nginx/servers/ingress.conf

# Generate direct access configuration, if enabled.
if bashio::var.has_value "$(bashio::addon.port 80)"; then
bashio::config.require.ssl

if bashio::config.true 'ssl'; then
certfile=$(bashio::config 'certfile')
keyfile=$(bashio::config 'keyfile')

mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf

else
mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
fi

sed -i "s/%%port%%/${admin_port}/g" /etc/nginx/servers/direct.conf
sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/direct.conf
bashio::var.json \
certfile "$(bashio::config 'certfile')" \
keyfile "$(bashio::config 'keyfile')" \
leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
port "^$(bashio::addon.port 80)" \
protocol "${adguard_protocol}" \
ssl "^$(bashio::config 'ssl')" \
| tempio \
-template /etc/nginx/templates/direct.gtpl \
-out /etc/nginx/servers/direct.conf
fi

ingress_port=$(bashio::addon.ingress_port)
ingress_interface=$(bashio::addon.ip_address)
sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf

dns_host=$(bashio::dns.host)
sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf
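Review bot: The rendered `/etc/nginx/servers/direct.conf` written by the `tempio ... -out` call now holds the Supervisor token in cleartext, because direct.gtpl expands `{{ env "SUPERVISOR_TOKEN" }}` into a `proxy_set_header` line; the removed Lua handler presumably read the token from the process environment instead, which kept it off disk and out of `nginx -T` dumps. At minimum tighten the file once it is written, `chmod 600 /etc/nginx/servers/direct.conf` directly after the `-out /etc/nginx/servers/direct.conf` line, and keep that file out of any diagnostic output; the same applies to the direct.gtpl section further down. Separately, `leave_front_door_open "^$(bashio::config 'leave_front_door_open')"` passes the option as a raw JSON value, so if the option is absent from the user's config and has no schema default, an empty expansion would hand tempio malformed JSON, whereas the deleted `bashio::config.true` check in services.d/nginx/run tolerated that. If the schema does not guarantee a default, normalise it first, e.g. `leave_front_door_open "^$(bashio::config.true 'leave_front_door_open' && echo true || echo false)"`.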
83 changes: 0 additions & 83 deletions adguard/rootfs/etc/nginx/lua/ha-auth.lua

This file was deleted.

1 change: 0 additions & 1 deletion adguard/rootfs/etc/nginx/modules/ndk_http.conf

This file was deleted.

1 change: 0 additions & 1 deletion adguard/rootfs/etc/nginx/modules/ngx_http_lua.conf

This file was deleted.

8 changes: 0 additions & 8 deletions adguard/rootfs/etc/nginx/nginx.conf
Expand Up @@ -18,10 +18,6 @@ error_log /proc/1/fd/1 error;

# Load allowed environment vars
env SUPERVISOR_TOKEN;
env DISABLE_HA_AUTHENTICATION;

# Load dynamic modules.
include /etc/nginx/modules/*.conf;

# Max num of simultaneous connections by a worker process.
events {
Expand All @@ -40,8 +36,6 @@ http {
default_type application/octet-stream;
gzip on;
keepalive_timeout 65;
lua_load_resty_core off;
lua_shared_dict auths 16k;
sendfile on;
server_tokens off;
tcp_nodelay on;
Expand All @@ -52,8 +46,6 @@ http {
'' close;
}

include /etc/nginx/includes/resolver.conf;
include /etc/nginx/includes/upstream.conf;

include /etc/nginx/servers/*.conf;
}
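--- a/adguard/rootfs/etc/nginx/servers/.gitkeep
+++ b/adguard/rootfs/etc/nginx/servers/.gitkeep
@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)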
20 changes: 0 additions & 20 deletions adguard/rootfs/etc/nginx/servers/direct-ssl.disabled

This file was deleted.

11 changes: 0 additions & 11 deletions adguard/rootfs/etc/nginx/servers/direct.disabled

This file was deleted.

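--- a/adguard/rootfs/etc/nginx/templates/direct.gtpl
+++ b/adguard/rootfs/etc/nginx/templates/direct.gtpl
@@ -0,0 +1,40 @@
+server {
+{{ if not .ssl }}
+listen {{ .port }} default_server;
+{{ else }}
+listen {{ .port }} default_server ssl http2;
+{{ end }}
+
+include /etc/nginx/includes/server_params.conf;
+include /etc/nginx/includes/proxy_params.conf;
+
+{{ if .ssl }}
+include /etc/nginx/includes/ssl_params.conf;
+
+ssl_certificate /ssl/{{ .certfile }};
+ssl_certificate_key /ssl/{{ .keyfile }};
+{{ end }}
+
+{{ if not .leave_front_door_open }}
+location = /authentication {
+internal;
+proxy_pass http://supervisor/auth;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
+proxy_set_header X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
+}
+{{ end }}
+
+location /dns-query {
+proxy_pass {{ .protocol }}://backend;
+}
+
+location / {
+{{ if not .leave_front_door_open }}
+auth_request /authentication;
+auth_request_set $auth_status $upstream_status;
+{{ end }}
+
+proxy_pass {{ .protocol }}://backend;
+}
+}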
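Review bot: `auth_request_set $auth_status $upstream_status;` inside `location /` captures a variable that nothing else in this template reads, so it is dead configuration; either drop the line or actually use `$auth_status` (for instance in a log format). The `/dns-query` location is the one path served without `auth_request` even when `leave_front_door_open` is false, presumably because DNS-over-HTTPS clients cannot complete Home Assistant authentication; that exemption deserves a comment so it is not mistaken for an omission, e.g. `# DoH endpoint: intentionally not behind HA auth — DoH clients cannot authenticate`.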
@@ -1,5 +1,5 @@
server {
listen %%interface%%:%%port%% default_server;
listen {{ .interface }}:{{ .port }} default_server;

include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf;
Expand All @@ -8,6 +8,6 @@ server {
allow 172.30.32.2;
deny all;

proxy_pass %%protocol%%://backend;
proxy_pass {{ .protocol }}://backend;
}
}
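--- a/adguard/rootfs/etc/nginx/templates/upstream.gtpl
+++ b/adguard/rootfs/etc/nginx/templates/upstream.gtpl
@@ -0,0 +1,3 @@
+upstream backend {
+server 127.0.0.1:{{ .port }};
+}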
6 changes: 0 additions & 6 deletions adguard/rootfs/etc/services.d/nginx/run
Expand Up @@ -8,10 +8,4 @@
bashio::net.wait_for 45158 localhost 900

bashio::log.info "Starting NGinx..."

# Disable HA Authentication if front door is open
if bashio::config.true 'leave_front_door_open'; then
export DISABLE_HA_AUTHENTICATION=true
fi

exec nginx
