From edd538a6e1c90150c99fac9c308c95f557fc95e1 Mon Sep 17 00:00:00 2001
From: Paul Sinclair <24625998+sinclairpaul@users.noreply.github.com>
Date: Fri, 29 May 2020 14:35:56 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A8=20Configure=20Adguard=20port/proto?=
 =?UTF-8?q?col=20dynamically=20on=20startup=20(#67)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adguard/DOCS.md                                      |  8 ++++++++
 adguard/rootfs/etc/cont-init.d/nginx.sh              | 11 +++++++++++
 adguard/rootfs/etc/nginx/includes/upstream.conf      |  2 +-
 adguard/rootfs/etc/nginx/servers/direct-ssl.disabled |  7 ++++++-
 adguard/rootfs/etc/nginx/servers/direct.disabled     |  2 +-
 adguard/rootfs/etc/nginx/servers/ingress.conf        |  2 +-
 6 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/adguard/DOCS.md b/adguard/DOCS.md
index 03fbf83..5a54cdf 100644
--- a/adguard/DOCS.md
+++ b/adguard/DOCS.md
@@ -85,6 +85,14 @@ authentication on the AdGuard Home by setting it to `true`.
 **Note**: _We STRONGLY suggest, not to use this, even if this add-on is
 only exposed to your internal network. USE AT YOUR OWN RISK!_
 
+## Encryption Settings (Advanced Usage)
+
+Adguard allows the configuration of running DNS-over-HTTPS and DNS-over-
+TLS locally. If you configure these options please ensure to restart the
+addon afterwards.  Also to use DNS-over-HTTPS correctly please ensure to
+configure SSL on the addon as well as in Adguard itself.  Also consider
+that the addon and Adguard cannot use the same port for SSL.
+
 ## Changelog & Releases
 
 This repository keeps a change log using [GitHub's releases][releases]
diff --git a/adguard/rootfs/etc/cont-init.d/nginx.sh b/adguard/rootfs/etc/cont-init.d/nginx.sh
index 361abf8..e00ead6 100644
--- a/adguard/rootfs/etc/cont-init.d/nginx.sh
+++ b/adguard/rootfs/etc/cont-init.d/nginx.sh
@@ -3,6 +3,8 @@
 # Home Assistant Community Add-on: AdGuard Home
 # Configures NGINX for use with the AdGuard Home server
 # ==============================================================================
+declare adguard_port=45158
+declare adguard_protocol=http
 declare admin_port
 declare certfile
 declare dns_host
@@ -10,6 +12,14 @@ declare ingress_interface
 declare ingress_port
 declare keyfile
 
+if bashio::var.true "$(yq read /data/adguard/AdGuardHome.yaml tls.enabled)"; then
+    adguard_port=$(yq read /data/adguard/AdGuardHome.yaml tls.port_https)
+    adguard_protocol=https
+fi
+
+sed -i "s#%%port%%#${adguard_port}#g" /etc/nginx/includes/upstream.conf
+sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/ingress.conf
+
 admin_port=$(bashio::addon.port 80)
 if bashio::var.has_value "${admin_port}"; then
     bashio::config.require.ssl
@@ -27,6 +37,7 @@ if bashio::var.has_value "${admin_port}"; then
     fi
 
     sed -i "s/%%port%%/${admin_port}/g" /etc/nginx/servers/direct.conf
+    sed -i "s#%%protocol%%#${adguard_protocol}#g" /etc/nginx/servers/direct.conf
 fi
 
 ingress_port=$(bashio::addon.ingress_port)
diff --git a/adguard/rootfs/etc/nginx/includes/upstream.conf b/adguard/rootfs/etc/nginx/includes/upstream.conf
index 1472b1b..eb4ea3c 100644
--- a/adguard/rootfs/etc/nginx/includes/upstream.conf
+++ b/adguard/rootfs/etc/nginx/includes/upstream.conf
@@ -1,3 +1,3 @@
 upstream backend {
-    server 127.0.0.1:45158;
+    server 127.0.0.1:%%port%%;
 }
diff --git a/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled b/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled
index 1e4c181..8867bc5 100644
--- a/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled
+++ b/adguard/rootfs/etc/nginx/servers/direct-ssl.disabled
@@ -10,6 +10,11 @@ server {
 
     location / {
         access_by_lua_file /etc/nginx/lua/ha-auth.lua;
-        proxy_pass http://backend;
+        proxy_pass %%protocol%%://backend;
     }
+
+    location /dns-query {
+        proxy_pass %%protocol%%://backend;
+    }
+
 }
diff --git a/adguard/rootfs/etc/nginx/servers/direct.disabled b/adguard/rootfs/etc/nginx/servers/direct.disabled
index a036b7a..ac4f490 100644
--- a/adguard/rootfs/etc/nginx/servers/direct.disabled
+++ b/adguard/rootfs/etc/nginx/servers/direct.disabled
@@ -6,6 +6,6 @@ server {
 
     location / {
         access_by_lua_file /etc/nginx/lua/ha-auth.lua;
-        proxy_pass http://backend;
+        proxy_pass %%protocol%%://backend;
     }
 }
diff --git a/adguard/rootfs/etc/nginx/servers/ingress.conf b/adguard/rootfs/etc/nginx/servers/ingress.conf
index d655706..070bd10 100644
--- a/adguard/rootfs/etc/nginx/servers/ingress.conf
+++ b/adguard/rootfs/etc/nginx/servers/ingress.conf
@@ -8,6 +8,6 @@ server {
         allow   172.30.32.2;
         deny    all;
 
-        proxy_pass http://backend;
+        proxy_pass %%protocol%%://backend;
     }
 }