bundles/nginx: support disabling ssl for each vhost individually

2021-02-20 14:25:27 +01:00 · 2021-02-20 14:25:27 +01:00 · 74d81eb7ba
commit 74d81eb7ba
parent 228786f6aa
5 changed files with 27 additions and 13 deletions
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -7,7 +7,7 @@ server {
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

-% if node.metadata['nginx']['use_ssl_for_all_connections']:
+% if ssl:
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

@ -52,7 +52,7 @@ server {
        proxy_set_header     Upgrade $http_upgrade;
 % endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
-% if node.metadata['nginx']['use_ssl_for_all_connections']:
+% if ssl:
        proxy_set_header     X-Forwarded-Proto HTTPS;
 % endif
        proxy_set_header     X-Forwarded-Host ${domain};
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -47,12 +47,15 @@ svc_systemd = {
    },
 }

-if node.metadata['nginx']['use_ssl_for_all_connections']:
-    # TODO rework this to support specifying a certificate instead of
-    # relying on letsencrypt for the specific domain (for example to
-    # support wildcard certificates
-    assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
+# Always redirect all traffic to HTTPS, except if there is only one
+# vhost and this vhost has ssl disabled.
+install_port80_redirect = True
+if len(node.metadata.get('nginx/vhosts', {})) == 1:
+    vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0]
+    if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False:
+        install_port80_redirect = False

+if install_port80_redirect:
    files['/etc/nginx/sites/000-port80.conf'] = {
        'source': 'port80.conf',
        'triggers': {
@ -88,5 +91,5 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():

        directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {}))

-    if node.metadata['nginx']['use_ssl_for_all_connections']:
+    if config.get('ssl', 'letsencrypt') == 'letsencrypt':
        files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -30,7 +30,6 @@ defaults = {
    },
    'nginx': {
        'worker_connections': 768,
-        'use_ssl_for_all_connections': True,
    },
 }

@ -49,16 +48,21 @@ def worker_processes(metadata):
@metadata_reactor.provides(
    'letsencrypt/domains',
    'letsencrypt/reload_after',
+    'nginx/vhosts',
 )
 def letsencrypt(metadata):
    if not node.has_bundle('letsencrypt'):
        raise DoNotRunAgain

    domains = {}
+    vhosts = {}

    for vhost, config in metadata.get('nginx/vhosts', {}).items():
        domain = config.get('domain', vhost)
        domains[domain] = config.get('domain_aliases', set())
+        vhosts[vhost] = {
+            'ssl': 'letsencrypt',
+        }

    return {
        'letsencrypt': {
@ -67,6 +71,9 @@ def letsencrypt(metadata):
                'nginx',
            },
        },
+        'nginx': {
+            'vhosts': vhosts,
+        },
    }


@ -105,7 +112,7 @@ def monitoring(metadata):
    for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
        domain = vconfig.get('domain', vname)

-        if metadata.get('nginx/use_ssl_for_all_connections'):
+        if vconfig['ssl']:
            scheme = 'https'
        else:
            scheme = 'http'
@ -118,7 +125,7 @@ def monitoring(metadata):
                'vars.notification.sms': True,
            }

-        if vconfig.get('check_ssl', metadata.get('nginx/use_ssl_for_all_connections')):
+        if vconfig.get('check_ssl', vconfig['ssl']):
            services['NGINX VHOST {} CERTIFICATE'.format(vname)] = {
                'check_command': 'check_https_cert_at_url',
                'vars.domain': domain,
--- a/nodes/home/octoprint-vielschichtigkeit.py
+++ b/nodes/home/octoprint-vielschichtigkeit.py
@ -22,12 +22,12 @@ nodes['home.octoprint-vielschichtigkeit'] = {
            'server': '172.19.138.20:22',
        },
        'nginx': {
-            'use_ssl_for_all_connections': False,
            'vhosts': {
                'octoprint': {
                    'domain': 'vielschichtigkeit.franzi-home.kunbox.net',
                    'do_not_set_content_security_headers': True,
                    'extras': True,
+                    'ssl': False,
                    'proxy': {
                        '/': {
                            'target': 'http://[::1]:22030/',
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -105,10 +105,14 @@ nodes['home.router'] = {
            },
        },
        'nginx': {
-            'use_ssl_for_all_connections': False,
            'restrict-to': {
                '172.19.136.0/22',
            },
+            'vhosts': {
+                'vnstat': {
+                    'ssl': False,
+                },
+            },
        },
        'openvpn-client': {
            'configs': {