diff --git a/adguard/Dockerfile b/adguard/Dockerfile index 3380417..e0bab49 100755 --- a/adguard/Dockerfile +++ b/adguard/Dockerfile @@ -16,8 +16,6 @@ RUN \ gnupg=2.2.27-r0 \ \ && apk add --no-cache \ - lua-resty-http=0.15-r0 \ - nginx-mod-http-lua=1.18.0-r13 \ nginx=1.18.0-r13 \ \ && if [[ "${BUILD_ARCH}" = "aarch64" ]]; then ARCH="arm64"; fi \ diff --git a/adguard/config.json b/adguard/config.json index 9110743..f9fbdb7 100755 --- a/adguard/config.json +++ b/adguard/config.json @@ -21,7 +21,6 @@ "80/tcp": "Web interface (Not required for Ingress)" }, "discovery": ["adguard"], - "hassio_api": true, "auth_api": true, "host_network": true, "map": ["ssl"], diff --git a/adguard/rootfs/etc/cont-init.d/nginx.sh b/adguard/rootfs/etc/cont-init.d/nginx.sh index 5cf5229..9fd83b4 100644 --- a/adguard/rootfs/etc/cont-init.d/nginx.sh +++ b/adguard/rootfs/etc/cont-init.d/nginx.sh @@ -5,14 +5,9 @@ # ============================================================================== declare adguard_port=45158 declare adguard_protocol=http -declare admin_port -declare certfile -declare dns_host -declare ingress_interface -declare ingress_port -declare keyfile declare tls_port +# Figure out port settings from AdGuard if bashio::var.true "$(yq read /data/adguard/AdGuardHome.yaml tls.enabled)"; then tls_port=$(yq read /data/adguard/AdGuardHome.yaml tls.port_https) @@ -22,33 +17,33 @@ then fi fi -sed -i "s#%%port%%#${adguard_port}#g" /etc/nginx/includes/upstream.conf -sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/ingress.conf - -admin_port=$(bashio::addon.port 80) -if bashio::var.has_value "${admin_port}"; then +# Generate upstream configuration +bashio::var.json \ + port "^${adguard_port}" \ + | tempio \ + -template /etc/nginx/templates/upstream.gtpl \ + -out /etc/nginx/includes/upstream.conf + +# Generate Ingress configuration +bashio::var.json \ + interface "$(bashio::addon.ip_address)" \ + port "^$(bashio::addon.ingress_port)" \ + protocol "${adguard_protocol}" \ + | tempio \ + -template /etc/nginx/templates/ingress.gtpl \ + -out /etc/nginx/servers/ingress.conf + +# Generate direct access configuration, if enabled. +if bashio::var.has_value "$(bashio::addon.port 80)"; then bashio::config.require.ssl - - if bashio::config.true 'ssl'; then - certfile=$(bashio::config 'certfile') - keyfile=$(bashio::config 'keyfile') - - mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf - sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf - sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf - - else - mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf - fi - - sed -i "s/%%port%%/${admin_port}/g" /etc/nginx/servers/direct.conf - sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/direct.conf + bashio::var.json \ + certfile "$(bashio::config 'certfile')" \ + keyfile "$(bashio::config 'keyfile')" \ + leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \ + port "^$(bashio::addon.port 80)" \ + protocol "${adguard_protocol}" \ + ssl "^$(bashio::config 'ssl')" \ + | tempio \ + -template /etc/nginx/templates/direct.gtpl \ + -out /etc/nginx/servers/direct.conf fi - -ingress_port=$(bashio::addon.ingress_port) -ingress_interface=$(bashio::addon.ip_address) -sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf -sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf - -dns_host=$(bashio::dns.host) -sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf diff --git a/adguard/rootfs/etc/nginx/lua/ha-auth.lua b/adguard/rootfs/etc/nginx/lua/ha-auth.lua deleted file mode 100644 index a2c633c..0000000 --- a/adguard/rootfs/etc/nginx/lua/ha-auth.lua +++ /dev/null @@ -1,83 +0,0 @@ -local http = require "resty.http" -local auths = ngx.shared.auths - -function authenticate() - - --- Test Authentication header is set and with a value - local header = ngx.req.get_headers()['Authorization'] - if header == nil or header:find(" ") == nil then - return false - end - - local divider = header:find(' ') - if header:sub(0, divider-1) ~= 'Basic' then - return false - end - - local auth = ngx.decode_base64(header:sub(divider+1)) - if auth == nil or auth:find(':') == nil then - return false - end - - divider = auth:find(':') - local username = auth:sub(0, divider-1) - local password = auth:sub(divider+1) - - --- Check if authentication is cached - if auths:get(username) == password then - ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).") - return true - end - - --- HTTP request against the Supervisor API - local httpc = http.new() - local res, err = httpc:request_uri("http://supervisor.local.hass.io/auth", { - method = "POST", - body = ngx.encode_args({["username"]=username, ["password"]=password}), - headers = { - ["Content-Type"] = "application/x-www-form-urlencoded", - ["X-Supervisor-Token"] = os.getenv("SUPERVISOR_TOKEN"), - }, - keepalive_timeout = 60, - keepalive_pool = 10 - }) - - --- Error during API request - if err then - ngx.log(ngx.WARN, "Error during Home Assistant user authentication.", err) - return false - end - - --- No result? Something went wrong... - if not res then - ngx.log(ngx.WARN, "Error during Home Assistant user authentication.") - return false - end - - --- Valid response, the username/password is valid - if res.status == 200 then - ngx.log(ngx.INFO, "Authenticated user against Home Assistant.") - auths:set(username, password, 60) - return true - end - - --- Whatever the response is, it is invalid - ngx.log(ngx.WARN, "Authentication against Home Assistant failed!") - return false -end - --- Only authenticate if its not disabled -if not os.getenv('DISABLE_HA_AUTHENTICATION') then - - --- Try to authenticate against HA - local authenticated = authenticate() - - --- If authentication failed, throw a basic auth - if not authenticated then - ngx.header.content_type = 'text/plain' - ngx.header.www_authenticate = 'Basic realm="Home Assistant"' - ngx.status = ngx.HTTP_UNAUTHORIZED - ngx.say('401 Access Denied') - ngx.exit(ngx.HTTP_UNAUTHORIZED) - end -end diff --git a/adguard/rootfs/etc/nginx/modules/ndk_http.conf b/adguard/rootfs/etc/nginx/modules/ndk_http.conf deleted file mode 100644 index 2663122..0000000 --- a/adguard/rootfs/etc/nginx/modules/ndk_http.conf +++ /dev/null @@ -1 +0,0 @@ -load_module "/usr/lib/nginx/modules/ndk_http_module.so"; diff --git a/adguard/rootfs/etc/nginx/modules/ngx_http_lua.conf b/adguard/rootfs/etc/nginx/modules/ngx_http_lua.conf deleted file mode 100644 index f885ed9..0000000 --- a/adguard/rootfs/etc/nginx/modules/ngx_http_lua.conf +++ /dev/null @@ -1 +0,0 @@ -load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so"; diff --git a/adguard/rootfs/etc/nginx/nginx.conf b/adguard/rootfs/etc/nginx/nginx.conf index 3b54416..5b96109 100644 --- a/adguard/rootfs/etc/nginx/nginx.conf +++ b/adguard/rootfs/etc/nginx/nginx.conf @@ -18,10 +18,6 @@ error_log /proc/1/fd/1 error; # Load allowed environment vars env SUPERVISOR_TOKEN; -env DISABLE_HA_AUTHENTICATION; - -# Load dynamic modules. -include /etc/nginx/modules/*.conf; # Max num of simultaneous connections by a worker process. events { @@ -40,8 +36,6 @@ http { default_type application/octet-stream; gzip on; keepalive_timeout 65; - lua_load_resty_core off; - lua_shared_dict auths 16k; sendfile on; server_tokens off; tcp_nodelay on; @@ -52,8 +46,6 @@ http { '' close; } - include /etc/nginx/includes/resolver.conf; include /etc/nginx/includes/upstream.conf; - include /etc/nginx/servers/*.conf; } diff --git a/adguard/rootfs/etc/nginx/servers/.gitkeep b/adguard/rootfs/etc/nginx/servers/.gitkeep new file mode 100644 index 0000000..85ad51b --- /dev/null +++ b/adguard/rootfs/etc/nginx/servers/.gitkeep @@ -0,0 +1 @@ +Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley) diff --git a/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled b/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled deleted file mode 100644 index 8867bc5..0000000 --- a/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled +++ /dev/null @@ -1,20 +0,0 @@ -server { - listen %%port%% default_server ssl http2; - - include /etc/nginx/includes/server_params.conf; - include /etc/nginx/includes/ssl_params.conf; - include /etc/nginx/includes/proxy_params.conf; - - ssl_certificate /ssl/%%certfile%%; - ssl_certificate_key /ssl/%%keyfile%%; - - location / { - access_by_lua_file /etc/nginx/lua/ha-auth.lua; - proxy_pass %%protocol%%://backend; - } - - location /dns-query { - proxy_pass %%protocol%%://backend; - } - -} diff --git a/adguard/rootfs/etc/nginx/servers/direct.disabled b/adguard/rootfs/etc/nginx/servers/direct.disabled deleted file mode 100644 index ac4f490..0000000 --- a/adguard/rootfs/etc/nginx/servers/direct.disabled +++ /dev/null @@ -1,11 +0,0 @@ -server { - listen %%port%% default_server; - - include /etc/nginx/includes/server_params.conf; - include /etc/nginx/includes/proxy_params.conf; - - location / { - access_by_lua_file /etc/nginx/lua/ha-auth.lua; - proxy_pass %%protocol%%://backend; - } -} diff --git a/adguard/rootfs/etc/nginx/templates/direct.gtpl b/adguard/rootfs/etc/nginx/templates/direct.gtpl new file mode 100644 index 0000000..60d5ace --- /dev/null +++ b/adguard/rootfs/etc/nginx/templates/direct.gtpl @@ -0,0 +1,40 @@ +server { + {{ if not .ssl }} + listen {{ .port }} default_server; + {{ else }} + listen {{ .port }} default_server ssl http2; + {{ end }} + + include /etc/nginx/includes/server_params.conf; + include /etc/nginx/includes/proxy_params.conf; + + {{ if .ssl }} + include /etc/nginx/includes/ssl_params.conf; + + ssl_certificate /ssl/{{ .certfile }}; + ssl_certificate_key /ssl/{{ .keyfile }}; + {{ end }} + + {{ if not .leave_front_door_open }} + location = /authentication { + internal; + proxy_pass http://supervisor/auth; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}"; + } + {{ end }} + + location /dns-query { + proxy_pass {{ .protocol }}://backend; + } + + location / { + {{ if not .leave_front_door_open }} + auth_request /authentication; + auth_request_set $auth_status $upstream_status; + {{ end }} + + proxy_pass {{ .protocol }}://backend; + } +} diff --git a/adguard/rootfs/etc/nginx/servers/ingress.conf b/adguard/rootfs/etc/nginx/templates/ingress.gtpl similarity index 65% rename from adguard/rootfs/etc/nginx/servers/ingress.conf rename to adguard/rootfs/etc/nginx/templates/ingress.gtpl index 070bd10..519b4ff 100644 --- a/adguard/rootfs/etc/nginx/servers/ingress.conf +++ b/adguard/rootfs/etc/nginx/templates/ingress.gtpl @@ -1,5 +1,5 @@ server { - listen %%interface%%:%%port%% default_server; + listen {{ .interface }}:{{ .port }} default_server; include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/proxy_params.conf; @@ -8,6 +8,6 @@ server { allow 172.30.32.2; deny all; - proxy_pass %%protocol%%://backend; + proxy_pass {{ .protocol }}://backend; } } diff --git a/adguard/rootfs/etc/nginx/templates/upstream.gtpl b/adguard/rootfs/etc/nginx/templates/upstream.gtpl new file mode 100644 index 0000000..3d4bfce --- /dev/null +++ b/adguard/rootfs/etc/nginx/templates/upstream.gtpl @@ -0,0 +1,3 @@ +upstream backend { + server 127.0.0.1:{{ .port }}; +} diff --git a/adguard/rootfs/etc/services.d/nginx/run b/adguard/rootfs/etc/services.d/nginx/run index 4129c55..c693d56 100644 --- a/adguard/rootfs/etc/services.d/nginx/run +++ b/adguard/rootfs/etc/services.d/nginx/run @@ -8,10 +8,4 @@ bashio::net.wait_for 45158 localhost 900 bashio::log.info "Starting NGinx..." - -# Disable HA Authentication if front door is open -if bashio::config.true 'leave_front_door_open'; then - export DISABLE_HA_AUTHENTICATION=true -fi - exec nginx