169 lines
5.1 KiB
Bash
Executable File
169 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
|
|
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
|
|
setKazVars
|
|
. "${DOCKERS_ENV}"
|
|
. "${KAZ_ROOT}/secret/SetAllPass.sh"
|
|
|
|
printKazMsg "\n *** Proxy update config"
|
|
|
|
#NGINX_TMPL=config/nginx.tmpl.conf
|
|
#NGINX_CONF=config/nginx.conf
|
|
DOCKER_DIST=docker-compose.tmpl.yml.dist
|
|
DOCKER_TMPL=docker-compose.tmpl.yml
|
|
DOCKER_CONF=docker-compose.yml
|
|
PASSFILE=conf/passfile
|
|
|
|
ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
|
|
ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
|
|
|
|
# TODO
|
|
# for service in agora cloud paheko wiki wp; do
|
|
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
|
|
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
|
|
# done
|
|
|
|
cd $(dirname $0)
|
|
# update ip allowed
|
|
TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
|
|
if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
|
|
cat > "${TRAEFIK_ALLOW_IP_FILE}" <<EOF
|
|
http:
|
|
middlewares:
|
|
test-ipwhitelist:
|
|
ipWhiteList:
|
|
sourceRange:
|
|
# Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
|
|
#ALLOWEDIP
|
|
- "0.0.0.0/0"
|
|
#FINALLOWEDIP
|
|
test-adminipwhitelist:
|
|
ipWhiteList:
|
|
sourceRange:
|
|
# Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
|
|
#ADMINIP
|
|
- "0.0.0.0/0"
|
|
#FINADMINIP
|
|
EOF
|
|
fi
|
|
|
|
# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
|
|
if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
|
|
sed -i 's/#ADMINIP/#ADMINIP\n #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
|
|
sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
|
|
grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
|
|
fi
|
|
if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
|
|
sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
|
|
sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
|
|
grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
|
|
fi
|
|
|
|
|
|
CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
|
|
CERTFILE=conf/dynamic/certificates.yml
|
|
if [ ! -f "${CERTFILE}" ]; then
|
|
cp "${CERTFILE_TMPL}" "${CERTFILE}"
|
|
case "${domain}" in
|
|
kaz.bzh)
|
|
SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
|
|
SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
|
|
;;
|
|
kaz.local)
|
|
SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
|
|
SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
|
|
;;
|
|
*)
|
|
SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
|
|
SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
|
|
;;
|
|
esac
|
|
|
|
sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
|
|
sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
|
|
fi
|
|
|
|
# cat > "${PROXY_PORT_CFG}" <<EOF
|
|
# listen 443 ssl http2;
|
|
|
|
# ssl_certificate ${SSL_CERT};
|
|
# ssl_certificate_key ${SSL_KEY};
|
|
|
|
# ssl_session_timeout 1d;
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_early_data on;
|
|
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
# ssl_prefer_server_ciphers on;
|
|
# ssl_session_cache shared:SSL:50m;
|
|
# ssl_stapling on;
|
|
# ssl_stapling_verify on;
|
|
# EOF
|
|
#fi
|
|
|
|
# update redirect
|
|
# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
|
|
# if [ ! -f "${PROXY_REDIRECT}" ]; then
|
|
# cat > "${PROXY_REDIRECT}" <<EOF
|
|
# server {
|
|
# listen 80;
|
|
# return 301 https://\$host\$request_uri;
|
|
# }
|
|
|
|
# # file
|
|
# server {
|
|
# listen 80;
|
|
# server_name file.${domain};
|
|
# return 301 https://depot.${domain}\$request_uri;
|
|
# }
|
|
|
|
# # cacl
|
|
# server {
|
|
# listen 80;
|
|
# server_name calc.${domain};
|
|
# return 301 https://tableur.${domain}\$request_uri;
|
|
# }
|
|
|
|
# # date
|
|
# server {
|
|
# listen 80;
|
|
# server_name date.${domain};
|
|
# return 301 https://sondage.${domain}\$request_uri;
|
|
# }
|
|
|
|
# # cloud
|
|
# server {
|
|
# listen 80;
|
|
# server_name bureau.${domain};
|
|
# return 301 https://cloud.${domain}\$request_uri;
|
|
# }
|
|
|
|
# # mattermost
|
|
# server {
|
|
# listen 80;
|
|
# server_name mattermost.${domain};
|
|
# return 301 https://agora.${domain}\$request_uri;
|
|
# }
|
|
|
|
# # dokuwiki
|
|
# server {
|
|
# listen 80;
|
|
# server_name dokuwiki.${domain};
|
|
# return 301 https://wiki.${domain}\$request_uri;
|
|
# }
|
|
# EOF
|
|
# fi
|
|
|
|
cd $(dirname $0)
|
|
|
|
|
|
[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
|
|
[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
|
|
if [ -f "conf/root_ca.crt" ]; then
|
|
sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
|
|
fi
|
|
"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
|
|
# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
|
|
|
|
#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &
|