From dfda7b2a86d7e132281861b78a997d77d22fe534 Mon Sep 17 00:00:00 2001
From: OscarSotoSanchez
Date: Mon, 4 May 2020 13:35:21 +0200
Subject: [PATCH] openvidu proxy updated

---
 .../docker-compose.yml | 4 +-
 .../docker/openvidu-proxy/Dockerfile | 11 +-
 .../docker/openvidu-proxy/entrypoint.sh | 217 +++++++++++++-----
 3 files changed, 165 insertions(+), 67 deletions(-)
 mode change 100644 => 100755 openvidu-server/docker/openvidu-proxy/entrypoint.sh

diff --git a/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml b/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
index 2d46c6b7..8d2b2bbc 100644
--- a/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
+++ b/openvidu-server/docker/openvidu-docker-compose/docker-compose.yml
@@ -67,7 +67,7 @@ services:
 - MAX_PORT=65535
 
 nginx:
- image: openvidu/openvidu-proxy:2.0.0-beta2
+ image: openvidu/openvidu-proxy:2.0.0-beta3
 restart: on-failure
 network_mode: host
 volumes:
@@ -83,4 +83,4 @@ services:
 - ALLOWED_ACCESS_TO_DASHBOARD=${ALLOWED_ACCESS_TO_DASHBOARD:-}
 - ALLOWED_ACCESS_TO_RESTAPI=${ALLOWED_ACCESS_TO_RESTAPI:-}
 - PROXY_MODE=CE
- - WITH_DEMOS=true
+ - WITH_APP=true
diff --git a/openvidu-server/docker/openvidu-proxy/Dockerfile b/openvidu-server/docker/openvidu-proxy/Dockerfile
index 4c7de9e4..b29fd066 100644
--- a/openvidu-server/docker/openvidu-proxy/Dockerfile
+++ b/openvidu-server/docker/openvidu-proxy/Dockerfile
@@ -1,12 +1,11 @@
 FROM nginx:1.18.0-alpine
 
 # Install required software
-RUN apk update && \
- apk add bash && \
- apk add certbot && \
- apk add openssl && \
- apk add apache2-utils && \
- apk add ipcalc && \
+RUN apk update && \
+ apk add bash \
+ certbot \
+ openssl \
+ apache2-utils && \
 rm -rf /var/cache/apk/*
 
 # Default nginx conf
diff --git a/openvidu-server/docker/openvidu-proxy/entrypoint.sh b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
old mode 100644
new mode 100755
index 3169d507..b51acc17
--- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh
+++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
@@ -1,5 +1,32 @@
-#!/bin/sh
+#!/bin/bash
+# Checks
+if [ -z "${DOMAIN_OR_PUBLIC_IP}" ]; then
+ printf "\n =======¡ERROR!======="
+ printf "\n Variable 'DOMAIN_OR_PUBLIC_IP' it's necessary\n"
+ exit 0
+fi
+
+if [ -z "${CERTIFICATE_TYPE}" ]; then
+ printf "\n =======¡ERROR!======="
+ printf "\n Variable 'CERTIFICATE_TYPE' it's necessary\n"
+ exit 0
+fi
+
+if [[ "${CERTIFICATE_TYPE}" == "letsencrypt" && \
+ "${LETSENCRYPT_EMAIL}" == "user@example.com" || \
+ -z "${LETSENCRYPT_EMAIL}" ]]; then
+ printf "\n =======¡ERROR!======="
+ printf "\n If your use LetsEncrypt mode it's necessary a correct email in 'LETSENCRYPT_EMAIL' variable\n"
+ exit 0
+fi
+
+# Global variables
+CERTIFICATES_FOLDER=/etc/letsencrypt/live
+CERTIFICATES_CONF="${CERTIFICATES_FOLDER}/certificates.conf"
+
+[ ! -d "${CERTIFICATES_FOLDER}" ] && mkdir -p "${CERTIFICATES_FOLDER}"
+[ ! -f "${CERTIFICATES_CONF}" ] && touch "${CERTIFICATES_CONF}"
 
 [ -z "${PROXY_HTTP_PORT}" ] && export PROXY_HTTP_PORT=80
 [ -z "${PROXY_HTTPS_PORT}" ] && export PROXY_HTTPS_PORT=443
 [ -z "${ALLOWED_ACCESS_TO_DASHBOARD}" ] && export ALLOWED_ACCESS_TO_DASHBOARD=all
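Review bot: Every validation failure added in this hunk ends with `exit 0`, so a container that is missing DOMAIN_OR_PUBLIC_IP or CERTIFICATE_TYPE stops with a success status; under the `restart: on-failure` policy shown in this commit's docker-compose.yml hunk it is never restarted and nothing upstream sees a failure, so these should be `exit 1` (the same `exit 0` sits in the invalid-IP branches of hunks `@@ -113,42` and `@@ -159,16`). The email check also has a precedence problem: inside `[[ ]]`, `&&` binds tighter than `||`, so `-z "${LETSENCRYPT_EMAIL}"` is evaluated on its own and a selfsigned or owncert deployment with no email set is rejected; group the alternatives, `if [[ "${CERTIFICATE_TYPE}" == "letsencrypt" && ( "${LETSENCRYPT_EMAIL}" == "user@example.com" || -z "${LETSENCRYPT_EMAIL}" ) ]]; then`. The messages themselves would read better as `Variable 'DOMAIN_OR_PUBLIC_IP' is required` and `LetsEncrypt mode requires a valid email in 'LETSENCRYPT_EMAIL'`.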
@@ -9,64 +36,95 @@ nginx -g "daemon on;" # Show input enviroment variables -echo "Http Port: ${PROXY_HTTP_PORT}" -echo "Https Port: ${PROXY_HTTPS_PORT}" -echo "Allowed Dashboard: ${ALLOWED_ACCESS_TO_DASHBOARD}" -echo "Allowed API: ${ALLOWED_ACCESS_TO_RESTAPI}" -echo "Domain name: ${DOMAIN_OR_PUBLIC_IP}" -echo "Certificated: ${CERTIFICATE_TYPE}" -echo "Letsencrypt Email: ${LETSENCRYPT_EMAIL}" -echo "Proxy mode: ${PROXY_MODE:-CE}" -echo "Demos mode: ${WITH_DEMOS:-true}" +printf "\n =======================================" +printf "\n = INPUT VARIABLES =" +printf "\n =======================================" +printf "\n" + +printf "\n Config NGINX:" +printf "\n - Http Port: %s" "${PROXY_HTTP_PORT}" +printf "\n - Https Port: %s" "${PROXY_HTTPS_PORT}" +printf "\n - Allowed Access in Openvidu Dashboard: %s" "${ALLOWED_ACCESS_TO_DASHBOARD}" +printf "\n - Allowed Access in Openvidu API: %s" "${ALLOWED_ACCESS_TO_RESTAPI}" +printf "\n" +printf "\n Config Openvidu Application:" +printf "\n - Domain name: %s" "${DOMAIN_OR_PUBLIC_IP}" +printf "\n - Certificated: %s" "${CERTIFICATE_TYPE}" +printf "\n - Letsencrypt Email: %s" "${LETSENCRYPT_EMAIL}" +printf "\n - Openvidu Application: %s" "${WITH_APP:-true}" +printf "\n - Openvidu Application Type: %s" "${PROXY_MODE:-CE}" + +printf "\n" +printf "\n =======================================" +printf "\n = CONFIGURATION NGINX =" +printf "\n =======================================" +printf "\n" + +printf "\n Configure %s domain..." 
"${DOMAIN_OR_PUBLIC_IP}" +CERTIFICATED_OLD_CONFIG=$(grep "${DOMAIN_OR_PUBLIC_IP}" "${CERTIFICATES_CONF}" | cut -f2 -d$'\t') + +printf "\n - New configuration: %s" "${CERTIFICATE_TYPE}" + +if [ -z "${CERTIFICATED_OLD_CONFIG}" ]; then + printf "\n - Old configuration: none" + + rm -rf "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" | true +else + printf "\n - Old configuration: %s" "${CERTIFICATED_OLD_CONFIG}" + + if [ "${CERTIFICATED_OLD_CONFIG}" != "${CERTIFICATE_TYPE}" ]; then + printf "\n - Restarting configuration... Removing old certificated..." + + rm -rf "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" + fi +fi + +# Create certificate folder if don't exist and save actual conf +[ ! -d "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" ] && mkdir -p "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" +sed -i "/${DOMAIN_OR_PUBLIC_IP}/d" "${CERTIFICATES_CONF}" +echo -e "${DOMAIN_OR_PUBLIC_IP}\t${CERTIFICATE_TYPE}" >> "${CERTIFICATES_CONF}" case ${CERTIFICATE_TYPE} in "selfsigned") - echo "===Mode selfsigned===" - - if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then - echo "Generating certificated..." + if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \ + ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then + printf "\n - Generating selfsigned certificate...\n" - rm -rf /etc/letsencrypt/live/* - mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}" - openssl req -new -nodes -x509 \ -subj "/CN=${DOMAIN_OR_PUBLIC_IP}" -days 365 \ - -keyout "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" \ - -out "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" -extensions v3_ca + -keyout "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" \ + -out "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" \ + -extensions v3_ca else - echo "The certificate already exists, using them..." 
+ printf "\n - Selfsigned certificate already exists, using them..." fi ;; "owncert") - echo "===Mode owncert===" - - if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then - echo "Using owmcert..." - - rm -rf /etc/letsencrypt/live/* - mkdir -p "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}" - cp /owncert/certificate.key "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" - cp /owncert/certificate.cert "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" + if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \ + ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then + printf "\n - Copying owmcert certificate..." + cp /owncert/certificate.key "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" + cp /owncert/certificate.cert "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" else - echo "The certificate already exists, using them..." + printf "\n - Owmcert certificate already exists, using them..." fi ;; - "letsencrypt") - echo "===Mode letsencrypt===" + "letsencrypt") + echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab - # Auto renew cert - # Auto renew cert - echo "0 12 * * * certbot renew >> /var/log/nginx/cron-letsencrypt.log" | crontab - + if [[ ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && \ + ! -f "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then + printf "\n - Requesting LetsEncrypt certificate..." - if [[ ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/privkey.pem" && ! -f "/etc/letsencrypt/live/${DOMAIN_OR_PUBLIC_IP}/fullchain.pem" ]]; then - echo "Requesting certificate..." 
- - certbot certonly -n --webroot -w /var/www/certbot -m "${LETSENCRYPT_EMAIL}" --agree-tos -d "${DOMAIN_OR_PUBLIC_IP}" + certbot certonly -n --webroot -w /var/www/certbot \ + -m "${LETSENCRYPT_EMAIL}" \ + --agree-tos -d "${DOMAIN_OR_PUBLIC_IP}" else - echo "The certificate already exists, using them..." + printf "\n - LetsEncrypt certificate already exists, using them..." fi ;; esac @@ -76,7 +134,7 @@ chmod -R 777 /etc/letsencrypt # Use certificates in folder '/default_nginx_conf' if [ "${PROXY_MODE}" == "CE" ]; then - if [ "${WITH_DEMOS}" == "true" ]; then + if [ "${WITH_APP}" == "true" ]; then mv /default_nginx_conf/ce/default-app.conf /default_nginx_conf/default-app.conf mv /default_nginx_conf/ce/default.conf /default_nginx_conf/default.conf else @@ -89,7 +147,7 @@ if [ "${PROXY_MODE}" == "CE" ]; then fi if [ "${PROXY_MODE}" == "PRO" ]; then - if [ "${WITH_DEMOS}" == "true" ]; then + if [ "${WITH_APP}" == "true" ]; then mv /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf else mv /default_nginx_conf/pro/default-app-without-demos.conf /default_nginx_conf/default.conf 
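Review bot: The lookup of the current domain in certificates.conf is an unanchored regex match on both the read and the delete side, `grep "${DOMAIN_OR_PUBLIC_IP}"` and `sed -i "/${DOMAIN_OR_PUBLIC_IP}/d"`, so a domain that is a substring of another entry (with `.` matching any character) reads a neighbour's certificate type or deletes its line, and a value containing `/` breaks the sed expression outright. Match the first tab-separated field exactly instead: `CERTIFICATED_OLD_CONFIG=$(awk -F'\t' -v d="${DOMAIN_OR_PUBLIC_IP}" '$1 == d {print $2}' "${CERTIFICATES_CONF}")` for the read, and `awk -F'\t' -v d="${DOMAIN_OR_PUBLIC_IP}" '$1 != d' "${CERTIFICATES_CONF}" > "${CERTIFICATES_CONF}.tmp" && mv "${CERTIFICATES_CONF}.tmp" "${CERTIFICATES_CONF}"` in place of the sed delete. `rm -rf "${CERTIFICATES_FOLDER:?}/${DOMAIN_OR_PUBLIC_IP}" | true` pipes rm's stdout into true rather than ignoring its exit status; the intended form is `|| true`. Since DOMAIN_OR_PUBLIC_IP is spliced unchecked into an `rm -rf` path and into `openssl -subj`, and the context of the next hunk shows the directory holding privkey.pem is later `chmod -R 777`, the checks at the top of the file should reject values containing `/` or `..`, and that chmod deserves tightening so the private key is not world-readable.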
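Review bot: The renamed test `if [ "${WITH_APP}" == "true" ]` reads the raw variable while the banner printed earlier in this file shows `${WITH_APP:-true}`, so an unset WITH_APP is reported as "true" and then takes the without-app branch; the same mismatch is in the PRO branch of hunk `@@ -89,7`. Either default it alongside the other exports near the top of the file, `[ -z "${WITH_APP}" ] && export WITH_APP=true`, or test `"${WITH_APP:-true}"` in both places. Existing deployments still setting WITH_DEMOS will silently fall into the else branch after this rename; a line such as `[ -n "${WITH_DEMOS}" ] && WITH_APP=${WITH_DEMOS}` would keep them working.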
@@ -113,42 +171,70 @@ sed -i "s/{http_port}/${PROXY_HTTP_PORT}/g" /etc/nginx/conf.d/* sed -i "s/{https_port}/${PROXY_HTTPS_PORT}/g" /etc/nginx/conf.d/* # NGINX access +printf "\n" +printf "\n =======================================" +printf "\n = ALLOWED ACCESS =" +printf "\n =======================================" +printf "\n" + +printf "\n Adding rules..." LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*') PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh) valid_ip_v4() { - if ipcalc "$1" \ - | awk 'BEGIN{FS=":"; is_invalid=0} /^INVALID/ {is_invalid=1} END {exit is_invalid}' - then - return "$?" - else - return "$?" - fi + regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$' + + if [[ "$1" =~ $regex ]]; then + return "$?" + else + return "$?" + fi +} + +valid_ip_v6() +{ + regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$' + + if [[ "$1" =~ $regex ]]; then + return "$?" + else + return "$?" + fi } if [ "${ALLOWED_ACCESS_TO_DASHBOARD}" != "all" ]; then IFS=',' for IP in $(echo "${ALLOWED_ACCESS_TO_DASHBOARD}" | tr -d '[:space:]') do - if valid_ip_v4 "$IP"; then - if [ -z "${RULES_DASHBOARD}" ]; then + if valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then + if [ -z "${RULES_DASHBOARD}" ]; then RULES_DASHBOARD="allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Dashboard..." "$IP" else if ! echo "${RULES_DASHBOARD}" | grep -q "$IP"; then RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Dashboard..." "$IP" fi fi if [ -z "${RULES_RESTAPI}" ]; then RULES_RESTAPI="allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP" else if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP" fi fi else - echo "Ip or range $IP is not valid" + printf "\n =======¡ERROR!=======" + printf "\n - IP or RANGE %s is not valid\n" "$IP" + exit 0 fi done else 
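Review bot: The new `valid_ip_v4` accepts values nginx will reject, because the regex only counts digits: `300.1.1.1` or `10.0.0.0/99` pass where the removed ipcalc check would have failed them, and `valid_ip_v6` likewise accepts strings such as `:` or `::::` since every hex group may be empty. The `if … then return "$?" else return "$?" fi` around each match is a no-op (both branches return the test's own status) and `regex` is assigned without `local`, so it leaks into the script's global scope; a bare `[[ "$1" =~ $regex ]]` as the function's last statement does the same job. A stricter v4 check that enforces octet and prefix ranges is below; for v6 the cheapest improvement is to require at least one hex digit in the leading groups (`{1,4}` rather than `{0,4}`), and since the script does not check the outcome of the final `nginx -s reload`, an `nginx -t` after the sed substitutions would surface any `allow` directive that still slips through.

```shell
valid_ip_v4() {
  # Dotted-quad IPv4 with optional /0-32 prefix; every octet must be 0-255.
  local ip=${1%%/*} prefix=32 octet octets
  [[ "$1" == */* ]] && prefix=${1#*/}
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$prefix" =~ ^[0-9]{1,2}$ ]] || return 1
  (( prefix <= 32 )) || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1   # 10# avoids octal parsing of e.g. 010
  done
}
# … unchanged: valid_ip_v6 and the ALLOWED_ACCESS_TO_DASHBOARD loop …
```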
@@ -159,16 +245,22 @@ if [ "${ALLOWED_ACCESS_TO_RESTAPI}" != "all" ]; then IFS=',' for IP in $(echo "${ALLOWED_ACCESS_TO_RESTAPI}" | tr -d '[:space:]') do - if valid_ip_v4 "$IP"; then + if valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then if [ -z "${RULES_RESTAPI}" ]; then RULES_RESTAPI="allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP" else if ! echo "${RULES_RESTAPI}" | grep -q "$IP"; then RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" + + printf "\n - Allowing IP/RANGE %s in Rest-API..." "$IP" fi fi else - echo "Ip or range $IP is not valid" + printf "\n =======¡ERROR!=======" + printf "\n - IP or RANGE %s is not valid\n" "$IP" + exit 0 fi done else @@ -176,7 +268,7 @@ else fi if [ "${RULES_DASHBOARD}" != "allow all;" ]; then - if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then + if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $PUBLIC_IP;" fi @@ -187,14 +279,14 @@ if [ "${RULES_DASHBOARD}" != "allow all;" ]; then IFS=$'\n' for IP in ${LOCAL_NETWORKS} do - if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP"; then + if ! echo "${RULES_DASHBOARD}" | grep -q "$IP" && valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then RULES_DASHBOARD="${RULES_DASHBOARD}{new_line}allow $IP;" fi done fi if [ "${RULES_RESTAPI}" != "allow all;" ]; then - if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP"; then + if ! echo "${RULES_RESTAPI}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"; then RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $PUBLIC_IP;" fi 
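Review bot: In hunk `@@ -176,7` the new condition `! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$IP"` tests the wrong variable in its last clause — `$IP` is the leftover value of the preceding loop, not `$PUBLIC_IP` — and because `&&` binds tighter than `||` in a command list, a true `valid_ip_v6` alone satisfies the `if` and bypasses the duplicate check; the intended form is `if ! echo "${RULES_DASHBOARD}" | grep -q "$PUBLIC_IP" && { valid_ip_v4 "$PUBLIC_IP" || valid_ip_v6 "$PUBLIC_IP"; }; then`. The same shape (with the precedence still wrong) appears in the dashboard and REST-API branches of hunk `@@ -187,14` and in hunk `@@ -205,7`, and each needs the `{ … || …; }` grouping. The duplicate check these lines rely on is itself a substring match, so `10.0.0.1` also suppresses a rule for `10.0.0.10`; matching the whole directive, `grep -qF "allow $PUBLIC_IP;"`, narrows it, although that part of the line is inherited rather than new.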
@@ -205,7 +297,7 @@ if [ "${RULES_RESTAPI}" != "allow all;" ]; then IFS=$'\n' for IP in ${LOCAL_NETWORKS} do - if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP"; then + if ! echo "${RULES_RESTAPI}" | grep -q "$IP" && valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then RULES_RESTAPI="${RULES_RESTAPI}{new_line}allow $IP;" fi done @@ -215,10 +307,17 @@ sed -i "s/{rules_access_dashboard}/$(echo "${RULES_DASHBOARD}" | sed 's#/#\\/#g' sed -i "s/{rules_acess_api}/$(echo "${RULES_RESTAPI}" | sed 's#/#\\/#g')/g" /etc/nginx/conf.d/* sed -i "s/{new_line}/\n\t/g" /etc/nginx/conf.d/* # New line -printf "Rules DASHBOARD: \n \t%s\n" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t/g')" -printf "Rules RESTAPI: \n \t%s\n" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t/g')" +printf "\n" +printf "\n Finish Rules:" +printf "\n Openvidu Dashboard: \n\t\t- %s" "$(echo "${RULES_DASHBOARD}" | sed 's/{new_line}/\n\t\t- /g')" +printf "\n Openvidu API: \n\t\t- %s" "$(echo "${RULES_RESTAPI}" | sed 's/{new_line}/\n\t\t- /g')" # Restart nginx service +printf "\n" +printf "\n =======================================" +printf "\n = START OPENVIDU PROXY =" +printf "\n =======================================" +printf "\n\n" nginx -s reload # Init cron