From 2e6e4693a7311329ef2572e65a630960680d3cc6 Mon Sep 17 00:00:00 2001 From: Alexandre <44178713+alexbelgium@users.noreply.github.com> Date: Tue, 17 Oct 2023 08:59:23 +0200 Subject: [PATCH] revert --- tandoor_recipes/CHANGELOG.md | 2 - tandoor_recipes/README.md | 5 +- tandoor_recipes/config.json | 16 +-- .../rootfs/etc/cont-init.d/32-ingress.sh | 22 ++++ .../rootfs/etc/nginx/servers/ingress.conf | 112 ++++++++++++++++++ 5 files changed, 139 insertions(+), 18 deletions(-) create mode 100644 tandoor_recipes/rootfs/etc/cont-init.d/32-ingress.sh create mode 100644 tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf diff --git a/tandoor_recipes/CHANGELOG.md b/tandoor_recipes/CHANGELOG.md index 7c6863d2f..569c717c4 100644 --- a/tandoor_recipes/CHANGELOG.md +++ b/tandoor_recipes/CHANGELOG.md @@ -1,5 +1,3 @@ -## 1.5.6-test_ssl (14-10-2023) -- Test if ssl is working ## 1.5.6 (02-09-2023) - Update to latest version from TandoorRecipes/recipes diff --git a/tandoor_recipes/README.md b/tandoor_recipes/README.md index c8d37abea..8cdedbb0e 100644 --- a/tandoor_recipes/README.md +++ b/tandoor_recipes/README.md @@ -1,4 +1,4 @@ -## ⚠ Open Issue : [🐛 [Tandoor Recipes] is broken in pushed 1.5.6-test_ssl builds. (opened 2023-10-15)](https://github.com/alexbelgium/hassio-addons/issues/1032) by [@dcossey014](https://github.com/dcossey014) +## ⚠ Open Request : [✨ [REQUEST] Tandoor Recipes disable Gunicorn Media (opened 2023-06-28)](https://github.com/alexbelgium/hassio-addons/issues/885) by [@nough](https://github.com/nough) # Hass.io Add-ons: Tandoor recipes [![Donate][donation-badge]](https://www.buymeacoffee.com/alexbelgium) 
@@ -35,9 +35,6 @@ Required :
 "PORT": 9928 # By default, the webui is available on http://HAurl:9928. If you ever need to change the port, you should never do it within the app, but only through this option
 "Environment": 0|1 # 1 is debug mode, 0 is normal mode. You should run in normal mode unless actively developing.
 Optional :
- "ssl" : "true|false", # Set ssl
- "certfile" : "fullchain.pem", # Name of your ssl files located in /ssl
- "keyfile" : "privkey.pem", # Name of your ssl files located in /ssl
 "POSTGRES_HOST": "str?", # Needed for postgresql_external
 "POSTGRES_PORT": "str?", # Needed for postgresql_external
 "POSTGRES_USER": "str?", # Needed for postgresql_external
diff --git a/tandoor_recipes/config.json b/tandoor_recipes/config.json
index 1ebc80f5b..6bf3ed179 100644
--- a/tandoor_recipes/config.json
+++ b/tandoor_recipes/config.json
@@ -62,15 +62,13 @@
 "DB_ENGINE": "django.db.backends.sqlite3",
 "DISABLE_INGRESS": "true",
 "POSTGRES_DB": "/config/addons_config/tandoor_recipes/recipes.db",
- "TANDOOR_PORT": "8081",
 "TRUSTED_PROXIES": "**"
 },
 "image": "ghcr.io/alexbelgium/tandoor_recipes-{arch}",
 "map": [
 "config:rw",
 "share:rw",
- "media:rw",
- "ssl:ro"
+ "media:rw"
 ],
 "name": "Tandoor recipes",
 "options": {
@@ -78,9 +76,7 @@
 "DB_TYPE": "sqlite",
 "DEBUG": "0",
 "SECRET_KEY": "YOUR_SECRET_KEY",
- "certfile": "fullchain.pem",
- "externalfiles_folder": "/config/addons_config/tandoor_recipes/externalfiles",
- "keyfile": "privkey.pem"
+ "externalfiles_folder": "/config/addons_config/tandoor_recipes/externalfiles"
 },
 "panel_icon": "mdi:silverware-fork-knife",
 "panel_title": "Tandoor Recipes",
@@ -100,10 +96,7 @@
 "POSTGRES_PORT": "str?",
 "POSTGRES_USER": "str?",
 "SECRET_KEY": "str",
- "certfile": "str?",
- "externalfiles_folder": "str?",
- "keyfile": "str?",
- "ssl": "bool?"
+ "externalfiles_folder": "str?"
 },
 "services": [
 "mysql:want"
@@ -111,6 +104,5 @@
 "slug": "tandoor_recipes",
 "udev": true,
 "url": "https://github.com/alexbelgium/hassio-addons",
- "version": "1.5.6",
- "webui": "[PROTO:ssl]://[HOST]:[PORT:8080]"
+ "version": "1.5.6"
 }
diff --git a/tandoor_recipes/rootfs/etc/cont-init.d/32-ingress.sh b/tandoor_recipes/rootfs/etc/cont-init.d/32-ingress.sh
new file mode 100644
index 000000000..de22468fe
--- /dev/null
+++ b/tandoor_recipes/rootfs/etc/cont-init.d/32-ingress.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/bashio
+# shellcheck shell=bash
+set -e
+
+if [[ -n "${DISABLE_INGRESS}" ]]; then
+ bashio::log.info "Ingress disabled"
+ sed -i "/nginx/d" /etc/cont-init.d/99-run.sh
+ exit 0
+fi
+
+#################
+# NGINX SETTING #
+#################
+declare ingress_interface
+declare ingress_port
+
+ingress_port="$(bashio::addon.ingress_port)"
+ingress_interface="$(bashio::addon.ip_address)"
+ingress_entry=$(bashio::addon.ingress_entry)
+sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
+sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
+sed -i "s|%%ingress_entry%%|${ingress_entry}|g" /etc/nginx/servers/ingress.conf
diff --git a/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf b/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
new file mode 100644
index 000000000..3a2f5202a
--- /dev/null
+++ b/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
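Review bot: In 32-ingress.sh the guard `[[ -n "${DISABLE_INGRESS}" ]]` is true for any non-empty value, so `DISABLE_INGRESS="false"` would still disable ingress and delete every line mentioning nginx from 99-run.sh; a truth test such as `if bashio::var.true "${DISABLE_INGRESS:-}"; then` matches the apparent intent. The config.json context lines in this patch show `"DISABLE_INGRESS": "true"` in the environment, so the substitution block below the guard appears never to run and ingress.conf would keep its `%%…%%` placeholders; a comment saying whether that is deliberate would help. On style, `ingress_entry` is assigned without the `declare` given to the other two variables, and the port and interface substitutions use `/` as the sed delimiter while the entry one uses `|`; using `|` for all three keeps them consistent.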
@@ -0,0 +1,112 @@
+server {
+ listen %%interface%%:%%port%% default_server;
+ include /etc/nginx/includes/server_params.conf;
+ include /etc/nginx/includes/proxy_params.conf;
+ client_max_body_size 0;
+
+ root /opt/recipes/cookbook;
+
+location /switch-space/ {
+ proxy_pass http://127.0.0.1:8080/switch-space/;
+
+ proxy_redirect "/" "%%ingress_entry%%/";
+
+ # Allow ingress subpath
+ #proxy_set_header X-Script-Name %%ingress_entry%%;
+ proxy_cookie_path / %%ingress_entry%%/;
+
+ # Allow frames
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Accept-Encoding "";
+
+ # avoid mixed content
+ # Ensure work with both http and https (code by @met67)
+ if ($http_referer ~* "^(http[s]?)://([^:]+):(\d*)(/.*)$") {
+ set $x_scheme $1;
+ set $x_host $2;
+ set $x_port ":$3";
+ }
+ # Ensure works if standard port (code by @met67)
+ if ($http_referer ~* "^(http[s]?)://([^:]+)(/.*)$") {
+ set $x_scheme $1;
+ set $x_host $2;
+ set $x_port "";
+ }
+ proxy_set_header X-Scheme $x_scheme;
+ proxy_set_header X-Host $x_host;
+ proxy_set_header X-Port $x_port;
+ proxy_set_header X-Forwarded-Proto $x_scheme;
+
+ proxy_set_header Host $x_host$x_port; # Required for addresses without ports
+
+ # Correct url without port when using https
+ absolute_redirect off;
+ sub_filter_once off;
+ sub_filter_types *;
+ sub_filter https://$x_host/ https://$x_host$x_port/;
+ sub_filter http://$x_host/ http://$x_host$x_port/;
+ sub_filter "/static" "%%ingress_entry%%/static";
+ sub_filter "/media" "%%ingress_entry%%/media";
+ sub_filter "http://127.0.0.1:8080/" "/";
+}
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_buffering off;
+ proxy_read_timeout 30;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+
+ # Allow ingress subpath
+ proxy_set_header X-Script-Name %%ingress_entry%%;
+ proxy_cookie_path / %%ingress_entry%%/;
+
+ # Allow frames
+ proxy_hide_header "Content-Security-Policy";
+ add_header X-Frame-Options SAMEORIGIN; # Required for ingress frame
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Accept-Encoding "";
+
+ # avoid mixed content
+ # Ensure work with both http and https (code by @met67)
+ if ($http_referer ~* "^(http[s]?)://([^:]+):(\d*)(/.*)$") {
+ set $x_scheme $1;
+ set $x_host $2;
+ set $x_port ":$3";
+ }
+ # Ensure works if standard port (code by @met67)
+ if ($http_referer ~* "^(http[s]?)://([^:]+)(/.*)$") {
+ set $x_scheme $1;
+ set $x_host $2;
+ set $x_port "";
+ }
+ proxy_set_header X-Scheme $x_scheme;
+ proxy_set_header X-Host $x_host;
+ proxy_set_header X-Port $x_port;
+ proxy_set_header X-Forwarded-Proto $x_scheme;
+
+ proxy_set_header Host $x_host$x_port; # Required for addresses without ports
+
+ # Correct url without port when using https
+ absolute_redirect off;
+ sub_filter_once off;
+ sub_filter_types *;
+ sub_filter https://$x_host/ https://$x_host$x_port/;
+ sub_filter http://$x_host/ http://$x_host$x_port/;
+
+ # Rewrite url
+ sub_filter "/static" "%%ingress_entry%%/static";
+ sub_filter "/media" "%%ingress_entry%%/media";
+ sub_filter "http://127.0.0.1:8080/" "/";
+ }
+
+location /media/ {
+ alias /config/addons_config/tandoor_recipes/mediafiles/;
+ }
+
+location /static/ {
+ alias /data/recipes/staticfiles/;
+ }
+
+}
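Review bot: Both `location /switch-space/` and `location /` build the upstream `Host`, `X-Forwarded-Proto` and the `sub_filter` rewrites from `$http_referer`, a request header the client controls and that is often absent. When no Referer is sent neither `if` matches, so `$x_host` and `$x_scheme` are uninitialised and the backend receives an empty `Host`; when one is sent, its host is passed through unchecked, which deserves care given that config.json sets `TRUSTED_PROXIES` to `**`. Seeding defaults ahead of the two `if` blocks, `set $x_scheme $scheme; set $x_host $host; set $x_port "";`, covers the missing-Referer case, and taking the external host from the ingress proxy's forwarded headers instead of Referer would address the other. `add_header Access-Control-Allow-Origin *;` and `proxy_hide_header "Content-Security-Policy";` also relax browser-side protections beyond what same-origin framing needs, so each should carry a comment stating why it is required or be narrowed. The server block itself shows no `allow`/`deny` limiting the listener to the ingress proxy; confirm that server_params.conf, which is not visible here, provides it.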