bunkerweb 1.4.0

2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions
--- a/core/selfsigned/confs/server-http/self-signed.conf
+++ b/core/selfsigned/confs/server-http/self-signed.conf
@@ -0,0 +1,19 @@
+{% if GENERATE_SELF_SIGNED_SSL == "yes" %}
+
+# listen on HTTPS PORT
+listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+
+# TLS config
+ssl_certificate /opt/bunkerweb/cache/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.pem;
+ssl_certificate_key /opt/bunkerweb/cache/selfsigned/{{ SERVER_NAME.split(" ")[0] }}.key;
+ssl_protocols {{ HTTPS_PROTOCOLS }};
+ssl_prefer_server_ciphers on;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+{% if "TLSv1.2" in HTTPS_PROTOCOLS +%}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+
+{% endif %}
--- a/core/selfsigned/jobs/self-signed.py
+++ b/core/selfsigned/jobs/self-signed.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python3
+
+import sys, os, subprocess, traceback
+
+sys.path.append("/opt/bunkerweb/deps/python")
+sys.path.append("/opt/bunkerweb/utils")
+
+import logger
+
+def generate_cert(first_server, days, subj) :
+    if os.path.isfile("/opt/bunkerweb/cache/selfsigned/" + first_server + ".pem") :
+        cmd = "openssl x509 -checkend 86400 -noout -in /opt/bunkerweb/cache/selfsigned/" + first_server + ".pem"
+        proc = subprocess.run(cmd.split(" "), stdin=subprocess.DEVNULL, stderr=subprocess.STDOUT)
+        if proc.returncode == 0 :
+            logger.log("SELF-SIGNED", "ℹ️", "Self-signed certificate already present for " + first_server)
+            return True, 0
+    logger.log("SELF-SIGNED", "ℹ️", "Generating self-signed certificate for " + first_server)
+    cmd = "openssl req -nodes -x509 -newkey rsa:4096 -keyout /opt/bunkerweb/cache/selfsigned/" + first_server + ".key -out /opt/bunkerweb/cache/selfsigned/" + first_server + ".pem -days " + days + " -subj " + subj
+    proc = subprocess.run(cmd.split(" "), stdin=subprocess.DEVNULL, stderr=subprocess.STDOUT)
+    if proc.returncode != 0 :
+        logger.log("SELF-SIGNED", "❌", "Self-signed certificate generation failed for " + first_server)
+        return False, 2
+    logger.log("SELF-SIGNED", "ℹ️", "Successfully generated self-signed certificate for " + first_server)   
+    return True, 1
+
+status = 0
+
+try :
+
+    os.makedirs("/opt/bunkerweb/cache/selfsigned/", exist_ok=True)
+
+    # Multisite case
+    if os.getenv("MULTISITE") == "yes" :
+        for first_server in os.getenv("SERVER_NAME").split(" ") :
+            if os.getenv(first_server + "_GENERATE_SELF_SIGNED_SSL", os.getenv("GENERATE_SELF_SIGNED_SSL")) != "yes" :
+                continue
+            if first_server == "" :
+                continue
+            if os.path.isfile("/opt/bunkerweb/cache/selfsigned/" + first_server + ".pem") :
+                continue
+            ret, ret_status = generate_cert(first_server, os.getenv(first_server + "_SELF_SIGNED_SSL_EXPIRY"), os.getenv(first_server + "_SELF_SIGNED_SSL_SUBJ"))
+            if not ret :
+                status = ret_status
+            elif ret_status == 1 and ret_status != 2 :
+                status = 1
+
+    # Singlesite case
+    elif os.getenv("GENERATE_SELF_SIGNED_SSL") == "yes" and os.getenv("SERVER_NAME") != "" :
+        first_server = os.getenv("SERVER_NAME").split(" ")[0]
+        ret, ret_status = generate_cert(first_server, os.getenv("SELF_SIGNED_SSL_EXPIRY"), os.getenv("SELF_SIGNED_SSL_SUBJ"))
+        if not ret :
+            status = ret_status
+        elif ret_status == 1 and ret_status != 2 :
+            status = 1
+
+except :
+    status = 2
+    logger.log("SELF-SIGNED", "❌", "Exception while running certbot-new.py :")
+    print(traceback.format_exc())
+
+sys.exit(status)
--- a/core/selfsigned/plugin.json
+++ b/core/selfsigned/plugin.json
@@ -0,0 +1,44 @@
+{
+	"id": "selfsigned",
+	"order": 999,
+	"name": "Self-signed certificate",
+	"description": "Generate self-signed certificate.",
+	"version": "0.1",
+	"settings": {
+		"GENERATE_SELF_SIGNED_SSL": {
+			"context": "multisite",
+			"default": "no",
+			"help": "Generate and use self-signed certificate.",
+			"id": "generate-self-signed-ssl",
+			"label": "Activate self-signed certificate",
+			"regex": "^(yes|no)$",
+			"type": "check"
+		},
+		"SELF_SIGNED_SSL_EXPIRY": {
+			"context": "multisite",
+			"default": "365",
+			"help": "Self-signed certificate expiry.",
+			"id": "self-signed-ssl-expiry",
+			"label": "Certificate expiry",
+			"regex": "^.*$",
+			"type": "text"
+		},
+		"SELF_SIGNED_SSL_SUBJ": {
+			"context": "multisite",
+			"default": "/CN=www.example.com/",
+			"help": "Self-signed certificate subject.",
+			"id": "self-signed-ssl-subj",
+			"label": "Certificate subject",
+			"regex": "^.*$",
+			"type": "text"
+		}
+	},
+	"jobs": [
+		{
+			"name": "self-signed",
+			"file": "self-signed.py",
+			"every": "day",
+			"reload": true
+		}
+	]
+}