nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration besides
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR or STDOUT respectively, which are forwarded by
Nginx's init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d script also internally calls `check_ssl` to rebuild
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it does in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for nonexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the package installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Otherwise it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; only the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated a port other than 80
before, they are kept unchanged. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set to 'self-signed' in the corresponding UCI section. Only
then does it remove all of the above options regardless of
their value, looking just at the key name. Then, it also
changes all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If they state a port other
than 443, they are kept unchanged. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing an SSL certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Here `$name` is as above, `$manager` is an arbitrary
string, and the SSL certificate and its key are
indicated by their absolute paths. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
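The rules the commit message describes (UCI `option`/`list` entries becoming `key value;` directives, the `logd` mapping, the `uci_manage_ssl` bookkeeping option, the section lookup by name or `server_name`, and the `listen` port rewriting done by `add_ssl`/`del_ssl`) as an added Python model. This is not code from this commit or from the nginx-util package; the sample `/etc/config/nginx` below is constructed, the `example` server and the function names are assumptions for illustration, and the `$manager` variants of `add_ssl`/`del_ssl`, the certificate generation and the cron job are not modelled.

```python
import re

# A section is a list of ('option' | 'list', key, value) tuples in UCI order.
# Constructed sample /etc/config/nginx (not taken from the commit message).
SAMPLE_UCI = """
config server '_lan'
    list listen '80 default_server'
    list listen '[::]:80 default_server'
    option server_name '_lan'
    list include 'restrict_locally'
    option access_log 'logd openwrt'
    option error_log 'logd'
config server 'example'
    list listen '8080'
    option server_name 'www.example.com example.com'
"""

# 'logd' as log path becomes nginx's own stderr / stdout (forwarded by init).
LOGD_PATH = {"error_log": "stderr", "access_log": "/proc/self/fd/1"}

# Options that add_ssl appends when missing ({name} = section name).
SSL_OPTIONS = [
    ("uci_manage_ssl", "self-signed"),
    ("ssl_certificate", "/etc/nginx/conf.d/{name}.crt"),
    ("ssl_certificate_key", "/etc/nginx/conf.d/{name}.key"),
    ("ssl_session_cache", "shared:SSL:32k"),
    ("ssl_session_timeout", "64m"),
]

def parse_uci(text):
    """Collect 'config server NAME' sections with their option/list entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"config\s+(\S+)\s+'([^']*)'$", line)
        if head:  # a new section starts; only 'server' sections are kept
            current = [] if head.group(1) == "server" else None
            if current is not None:
                sections[head.group(2)] = current
            continue
        entry = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if entry and current is not None:
            current.append(entry.groups())
    return sections

def find_section(sections, name):
    """Section named NAME, else the first one whose server_name lists NAME."""
    if name in sections:
        return name
    for sec_name, section in sections.items():
        if any(k == "server_name" and name in v.split() for _, k, v in section):
            return sec_name

def directive(key, value):
    """'[option|list] key value' -> 'key value;', applying the 'logd' mapping."""
    parts = value.split(None, 1)
    if key in LOGD_PATH and parts and parts[0] == "logd":
        value = " ".join([LOGD_PATH[key]] + parts[1:])
    return f"{key} {value};"

def render_server(section):
    """Server block for /var/lib/nginx/uci.conf; uci_manage_ssl never goes in."""
    body = [directive(k, v) for _, k, v in section if k != "uci_manage_ssl"]
    return "server {\n" + "".join(f"    {d}\n" for d in body) + "}"

def rewrite_listen(value, old_port, new_port, ssl):
    """Move a listen item old_port -> new_port, toggling 'ssl'; other ports stay."""
    addr, *params = value.split()
    m = re.match(r"^(.*:)?(\d+)$", addr)  # '80', 'host:80', '[::]:80'
    if not m or int(m.group(2)) != old_port:
        return value
    params = [p for p in params if p != "ssl"] + (["ssl"] if ssl else [])
    return " ".join([(m.group(1) or "") + str(new_port)] + params)

def add_ssl(name, section):
    """add_ssl $name: force uci_manage_ssl, port 80 -> 443 ssl, add options."""
    out = []
    for kind, key, value in section:
        if key == "uci_manage_ssl":
            value = "self-signed"
        elif kind == "list" and key == "listen":
            value = rewrite_listen(value, 80, 443, True)
        out.append((kind, key, value))
    for key, tmpl in SSL_OPTIONS:
        if all(k != key for _, k, _ in section):
            out.append(("option", key, tmpl.format(name=name)))
    return out

def del_ssl(section):
    """del_ssl $name: only for uci_manage_ssl 'self-signed'; drop by key, 443 -> 80."""
    if ("option", "uci_manage_ssl", "self-signed") not in section:
        return list(section)  # certificate owned by another manager: untouched
    drop = {k for k, _ in SSL_OPTIONS}
    out = []
    for kind, key, value in section:
        if key in drop:
            continue
        if kind == "list" and key == "listen":
            value = rewrite_listen(value, 443, 80, False)
        out.append((kind, key, value))
    return out
```

`render_server(add_ssl("_lan", parse_uci(SAMPLE_UCI)["_lan"]))` prints the `_lan` block with `listen 443 default_server ssl;`, the four `ssl_*` directives and `error_log stderr;`, while the `uci_manage_ssl` marker stays in UCI only. Running `del_ssl` over that result restores the original section, and `del_ssl` on a section whose `uci_manage_ssl` is not `'self-signed'` leaves it untouched, which is the guard that keeps nginx-util from deleting a certificate it did not create.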
Mentioned in commits: a0ee7a4a, 8a733506, 9c5d92b5, d52f063f, bacd9936, dbba7196, dae279a7, 76c6ed01, f1027aa9, 6ec25b1c, ad6a33c1, e5216cc7, f0447f1d, 6283373b, 63105898, c9bbe424, 16fdcc51, d4023639, 67035f90, 687a4af7, 9ab45c3b, 4184a3be, 36b83b59, 2dbaa48a, 99c6802c, bc9c56c6, 80de639f, 85a61183, ce05ba74, 5932b03e, 16b0ca2f, 1a577341, 5bbbc141, b0f8efb5, 122ed84b, 4bd9c754, 1e81a4cc, 2c9353dc, 52b299f0, d86e10a1, cfe2b7c6, a89c73a2, 5ac9c979, 3f063a91, b7a8a412, 8f7a3ed0, 30231df2, fded2942, 37561a7d, e431449d, 22c89b22, 515d700a, a577db3d, 752fe6e7, dfcae3ee, c9e547e0, 172ded03, 9f0cdd8b, 87162250, 16a8519f, b5d039b7, 5c6be66f, 8d332059, 48bbaacb, 02f9c572, 45d7c466, dcc84d8e, bfb89ba6, 281c014f, de6eafb1, e7a93295, 77083eea, d0c5ba48, d0787e46, 01c5b48a, 24b2047c, b98f346f, aab2e75b, cb6df362, 07ae667a, d23d4d51, 6c570bb0, b246fc8d, 20dda5a7, ff9d0580, 15e513c5, fb5f32c4, 484198d7, 7573a469, 6b90d070, 5150776f, 23bd5b74, 401a0614, e80d3599, ff88dfbb, c5dd704c, 29a00921, bec07320, 15b497f1, 9bdca8d3, 29289e85, f33b5c4c, c79b8bd5, f3b7de5c, c6c194f6, a4a0ee51, 76483264, 5214d984, d7a31868, dd654593, 44fdafdb, 1a1f8735, 1b6d7e2a, 4c03345c, 319bd20a, 427d9703, 35b9de70, 4167c854, 64c86b3a, 3545874b, f0c5b4ef, f587bebe, 79ee3564, 36af8003, 64fddd32, 966c730d, 26b9d187, 9bce6884, 12a1d8e1, 7bfe7dba, 8581111b, f3b929ad, 88c1732b, b8f17b74, 1a410c4c, af7db459, d6195b42, f00d670c, 778fa868, a0996236, 37e7f826, c251ebaf, 32f1c01c, 757f64a8, 73cfd5a6, 3bfb1609, d9896f92, a468c685, d1e48d82, c6964ccc, 8e4fa263, 3120643e, 1358ee15, cfd40e68, 752a2d21, 42c48e9e, 67327c0f, e0cf7b01, d8d96cd7