www/nginx: merge version 0.4 from master

This commit is contained in:
Franco Fichtner 2018-08-10 10:47:08 +02:00
parent a5fb5d168f
commit bf329e3148
5 changed files with 173 additions and 4 deletions


@ -1,5 +1,5 @@
PLUGIN_NAME= nginx
PLUGIN_VERSION= 0.3
PLUGIN_VERSION= 0.4
PLUGIN_COMMENT= Nginx HTTP server and reverse proxy
PLUGIN_DEPENDS= nginx
PLUGIN_MAINTAINER= franz.fabian.94@gmail.com


@ -10,4 +10,58 @@
<style>selectpicker</style>
<type>select_multiple</type>
</field>
<field>
<id>upstream.tls_enable</id>
<label>Enable TLS (HTTPS)</label>
<help>Authenticate on the Server using a client certificate.</help>
<type>checkbox</type>
</field>
<field>
<id>upstream.tls_client_certificate</id>
<label>TLS: Client Certificate</label>
<help>Authenticate on the Server using a client certificate.</help>
<style>selectpicker</style>
<type>dropdown</type>
</field>
<field>
<id>upstream.tls_name_override</id>
<label>TLS: Servername override</label>
<help>Use another hostname for SNI and certificate validation.</help>
<type>text</type>
</field>
<field>
<id>upstream.tls_protocol_versions</id>
<label>TLS: Supported Versions</label>
<style>selectpicker</style>
<type>select_multiple</type>
</field>
<field>
<id>upstream.tls_session_reuse</id>
<label>TLS: Session Reuse</label>
<type>checkbox</type>
</field>
<field>
<id>upstream.tls_trusted_certificate</id>
<label>TLS: Trusted Certificate</label>
<style>selectpicker</style>
<type>select_multiple</type>
</field>
<field>
<id>upstream.tls_verify</id>
<label>TLS: Verify Certificate</label>
<type>checkbox</type>
<help>Don't turn it off unless you really know what you are doing! Never do it because a random website tells you to do.</help>
</field>
<field>
<id>upstream.tls_verify_depth</id>
<label>TLS: Verify Depth</label>
<type>text</type>
<help>Choose how many sub-CAs can be between the server certificate and a trusted CA. 1 means the certificate has to be signed directly by a CA.</help>
</field>
<field>
<id>upstream.store</id>
<label>Store</label>
<type>checkbox</type>
<help>Store the response on the local storage.</help>
</field>
</form>
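Review bot: The help text on `upstream.tls_enable` (`Authenticate on the Server using a client certificate.`) is a copy of the client-certificate field's help and describes the wrong option; judging by the template in this commit, enabling it switches `proxy_pass` from `http://` to `https://`, so something like `<help>Connect to the upstream servers over TLS (HTTPS) instead of plain HTTP.</help>` would be accurate. `upstream.tls_protocol_versions`, `upstream.tls_session_reuse` and `upstream.tls_trusted_certificate` have no `<help>` at all; the trusted-certificate one should say what happens when nothing is selected (the template falls back to the system bundle `/etc/ssl/cert.pem`). The `tls_verify` warning (`Never do it because a random website tells you to do.`) is vague about the actual risk; consider `Disabling verification lets anyone on the path to the upstream impersonate it; only disable this for testing.`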


@ -73,6 +73,49 @@
<Required>Y</Required>
<multiple>Y</multiple>
</serverentries>
<store type="BooleanField">
<Required>Y</Required>
<default>0</default>
</store>
<tls_enable type="BooleanField">
<Required>Y</Required>
<default>0</default>
</tls_enable>
<tls_client_certificate type="CertificateField">
<Type>cert</Type>
<Required>N</Required>
</tls_client_certificate>
<tls_name_override type="HostnameField">
<Required>N</Required>
</tls_name_override>
<tls_protocol_versions type="OptionField">
<multiple>Y</multiple>
<OptionValues>
<TLSv1 value="TLSv1">TLSv1</TLSv1>
<TLSv1_1 value="TLSv1.1">TLSv1.1</TLSv1_1>
<TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
<TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
</OptionValues>
<Required>N</Required>
</tls_protocol_versions>
<tls_session_reuse type="BooleanField">
<Required>Y</Required>
<default>1</default>
</tls_session_reuse>
<tls_trusted_certificate type="CertificateField">
<Type>ca</Type>
<multiple>Y</multiple>
<Required>N</Required>
</tls_trusted_certificate>
<tls_verify type="BooleanField">
<Required>Y</Required>
<default>1</default>
</tls_verify>
<tls_verify_depth type="IntegerField">
<Required>N</Required>
<default>1</default>
<MinimumValue>1</MinimumValue>
</tls_verify_depth>
</upstream>
<upstream_server type="ArrayField">
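Review bot: `tls_protocol_versions` offers `TLSv1` and `TLSv1.1` alongside 1.2/1.3 and has no `<default>`, so a freshly created upstream emits no `proxy_ssl_protocols` at all and nginx's compiled-in default applies, which at the time of this commit most likely still included TLS 1.0/1.1. Since the field already models the choice, consider defaulting it to the secure versions, e.g. `<default>TLSv1.2,TLSv1.3</default>` (assuming multi-value defaults are stored comma-separated, as the template's `.replace(',', ' ')` implies), so the legacy protocols become an explicit opt-in, and add a `<help>` noting that 1.0/1.1 are deprecated. `tls_verify_depth` has a `<MinimumValue>` but no `<MaximumValue>`; a small cap such as `<MaximumValue>10</MaximumValue>` keeps an arbitrarily large depth from being accepted. The enclosing `<upstream>` container opens above this hunk, so I could not check the fields defined there.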


@ -33,7 +33,7 @@ function find_ca($refid) {
}
}
// export certificates
// export server certificates
if (!isset($config['OPNsense']['Nginx'])) {
die("nginx is not configured");
}
@ -78,7 +78,52 @@ foreach ($http_servers as $http_server) {
}
}
}
// end export certificates
// end export server certificates
// begin export client and upstream trust certificates
if (isset($nginx['upstream'])) {
if (is_array($nginx['upstream']) && !isset($nginx['upstream']['description'])) {
$upstreams = $nginx['upstream'];
} else {
$upstreams = array($nginx['upstream']);
}
foreach ($upstreams as $upstream) {
$upstream_uuid = $upstream['@attributes']['uuid'];
if (!empty($upstream['tls_enable']) && $upstream['tls_enable'] == '1')
{
// try to find the reference
if (!empty($upstream['tls_client_certificate'])) {
$cert = find_cert($upstream['tls_client_certificate']);
if (isset($cert)) {
$hostname = explode(',', $http_server['servername'])[0];
export_pem_file(
'/usr/local/etc/nginx/key/' . $upstream['tls_client_certificate'] . '.pem',
$cert['crt']
);
export_pem_file(
'/usr/local/etc/nginx/key/' . $upstream['tls_client_certificate'] . '.key',
$cert['prv']
);
}
}
if (!empty($upstream['tls_trusted_certificate'])) {
$cas = array();
foreach ($http_server['ca'] as $caref) {
$ca = find_ca($caref);
if (isset($ca)) {
$cas[] = $ca;
}
}
export_pem_file(
'/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem',
implode("\n", $cas)
);
}
}
}
}
// end export client and upstream trust certificates
// export users
$nginx = new Nginx();
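Review bot: In the new upstream block, `foreach ($http_server['ca'] as $caref)` on the trusted-certificate branch iterates `$http_server`, which is the leftover loop variable of the server-certificate loop that ended above this hunk, not the current `$upstream`; `trust_upstream_<uuid>.pem` is therefore built from the last HTTP server's CA list instead of the CAs selected in `tls_trusted_certificate`, so `proxy_ssl_trusted_certificate` points at the wrong trust anchors (silently trusting CAs the admin never selected for this upstream, or failing verification outright). It should iterate the upstream's own selection, e.g. `foreach (explode(',', $upstream['tls_trusted_certificate']) as $caref) {` — assuming the multi-select CertificateField is stored comma-separated like the option field the template splits on. The `$hostname = explode(',', $http_server['servername'])[0];` line in the client-certificate branch reads the same stale variable and is never used; drop it. The client private key is written to `/usr/local/etc/nginx/key/<refid>.key` via `export_pem_file()`, whose definition is outside this hunk — worth confirming it creates the file with a restrictive mode, since the same directory also receives public certificates. `find_ca()` is also defined outside the view; `implode("\n", $cas)` only yields a valid PEM bundle if it returns the PEM string rather than the config entry array, which is what the code appears to assume.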


@ -56,7 +56,34 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
{% endif %}
{% endif %}
{% if location.upstream is defined %}
proxy_pass http://upstream{{ location.upstream.replace('-','') }};
{% set upstream = helpers.getUUID(location.upstream) %}
proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }};
{% if upstream.tls_enable == '1' %}
{% if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
{% endif %}
{% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
proxy_ssl_name {{ upstream.tls_name_override }};
{% endif %}
{% if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
{% endif %}
{% if upstream.tls_name_override is defined %}
proxy_ssl_session_reuse {% if upstream.tls_name_override != '0' %}off{% else %}on{% endif %};
{% endif %}
{% if upstream.tls_trusted_certificate is defined and upstream.tls_trusted_certificate != '' %}
proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_{{ location.upstream }}.pem;
{% else %}
proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
{% endif %}
{% if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}
proxy_ssl_verify_depth {{ upstream.tls_verify_depth }};
{% endif %}
{% if upstream.store is defined and upstream.store != '' %}
proxy_store {% if upstream.store == '1' %}on{% else %}off{% endif %};
{% endif %}
{% endif %}
{% endif %}
}
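Review bot: `proxy_ssl_verify` is never emitted in the new TLS block, and nginx defaults it to off, so the `tls_verify` option (which the model defaults to on and the form warns loudly about) has no effect: the upstream's certificate is not validated even when `proxy_ssl_trusted_certificate` is written, leaving the proxied HTTPS hop open to an active man-in-the-middle. The `proxy_ssl_session_reuse` lines are also keyed on the wrong field — `tls_name_override` instead of `tls_session_reuse` — and inverted (`!= '0'` yields `off`), so setting a server-name override turns session reuse off while the actual checkbox is ignored. `proxy_ssl_server_name` is not set either; it too defaults to off, so no SNI is sent despite the form's help text, and with verification on the default `proxy_ssl_name` is the upstream block name (`upstream<uuid>`), so users will likely need the override for verification to succeed — worth documenting in the form. The enclosing `location` block opens above this hunk; the rewritten lines are below, everything else in the block is unchanged.
```jinja
    {# … unchanged: proxy_ssl_certificate / proxy_ssl_certificate_key … #}
    {% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
    proxy_ssl_server_name on;
    proxy_ssl_name {{ upstream.tls_name_override }};
    {% endif %}
    {# … unchanged: proxy_ssl_protocols … #}
    {% if upstream.tls_session_reuse is defined %}
    proxy_ssl_session_reuse {% if upstream.tls_session_reuse == '1' %}on{% else %}off{% endif %};
    {% endif %}
    {% if upstream.tls_verify is defined %}
    proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
    {% endif %}
    {# … unchanged: proxy_ssl_trusted_certificate / proxy_ssl_verify_depth / proxy_store … #}
```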