From 32abce6b777e9a17dce2088c5c428fcc36a8dea1 Mon Sep 17 00:00:00 2001
From: Alexandre
Date: Sat, 27 Jul 2024 09:56:16 +0200
Subject: [PATCH] Reapply "trusted proxies"

This reverts commit 72be30c25fed514c3197fd9eb03cab787efd67cd.
---
 fireflyiii/config.json | 13 +++++---
 fireflyiii/rootfs/etc/cont-init.d/30-ssl.sh | 30 +++++++++++++++++++
 .../nginx/servers/{ingress.conf => ssl.conf} | 17 +++++++----
 3 files changed, 50 insertions(+), 10 deletions(-)
 create mode 100644 fireflyiii/rootfs/etc/cont-init.d/30-ssl.sh
 rename fireflyiii/rootfs/etc/nginx/servers/{ingress.conf => ssl.conf} (65%)

diff --git a/fireflyiii/config.json b/fireflyiii/config.json
index cd588a36a..c2eccde38 100644
--- a/fireflyiii/config.json
+++ b/fireflyiii/config.json
@@ -82,10 +82,12 @@
 "silent": "true"
 },
 "ports": {
- "8080/tcp": 3473
+ "8080/tcp": 3473,
+ "8443/tcp": null
 },
 "ports_description": {
- "8080/tcp": "web interface"
+ "8080/tcp": "web interface",
+ "8443/tcp": "ssl web interface"
 },
 "schema": {
 "APP_KEY": "str",
@@ -97,7 +99,10 @@
 "DB_PORT": "str?",
 "DB_USERNAME": "str?",
 "Updates": "list(|hourly|daily|weekly)?",
- "silent": "bool?"
+ "keyfile": "str",
+ "certfile": "str",
+ "silent": "bool?",
+ "ssl": "bool"
 },
 "services": [
 "mysql:want"
@@ -106,6 +111,6 @@
 "startup": "services",
 "udev": true,
 "url": "https://github.com/alexbelgium/hassio-addons",
- "version": "6.1.19",
+ "version": "6.1.18-2",
 "webui": "[PROTO:ssl]://[HOST]:[PORT:8080]"
 }
diff --git a/fireflyiii/rootfs/etc/cont-init.d/30-ssl.sh b/fireflyiii/rootfs/etc/cont-init.d/30-ssl.sh
new file mode 100644
index 000000000..f5d92562d
--- /dev/null
+++ b/fireflyiii/rootfs/etc/cont-init.d/30-ssl.sh
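Review bot: In the `schema` hunk of fireflyiii/config.json, `certfile` and `keyfile` are declared as unconstrained `str`, yet 30-ssl.sh in this same commit interpolates both values into a `sed` script and into an nginx directive under `/ssl/`. Restricting them to plain file names in the schema, e.g. `"certfile": "match(^[A-Za-z0-9._-]+$)"` and the same for `keyfile`, keeps path separators, `;` and whitespace out of the generated config. The three new keys also carry no `?` suffix, so they are mandatory. The `options` block lies outside this hunk, so confirm it provides defaults for `ssl`, `certfile` and `keyfile`; otherwise existing installations will presumably fail option validation after the update.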
@@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv bashio
+# shellcheck shell=bash
+set -e
+
+###############
+# SSL SETTING #
+###############
+declare port
+declare certfile
+declare keyfile
+
+# Ssl values
+if bashio::config.true 'ssl'; then
+ echo "Defining ssl configuration"
+ bashio::config.require.ssl
+ certfile=$(bashio::config 'certfile')
+ keyfile=$(bashio::config 'keyfile')
+
+ #Check if files exist
+ echo "... checking if referenced certificates exist"
+ [ ! -f /ssl/"$certfile" ] && bashio::log.fatal "... use_own_certs is true but certificate /ssl/$certfile not found" && bashio::exit.nok
+ [ ! -f /ssl/"$keyfile" ] && bashio::log.fatal "... use_own_certs is true but certificate /ssl/$keyfile not found" && bashio::exit.nok
+
+
+ sed -i "/proxy_params.conf/a ssl_certificate /ssl/$certfile;" /etc/nginx/servers/ssl.conf
+ sed -i "/proxy_params.conf/a ssl_certificate_key /ssl/$keyfile;" /etc/nginx/servers/ssl.conf
+ bashio::log.info "Ssl enabled, please use https for connection. UI is at https://YOURIP:$(bashio::addon.port 2342)"
+else
+ rm -r /etc/nginx/servers/ssl.conf
+fi
diff --git a/fireflyiii/rootfs/etc/nginx/servers/ingress.conf b/fireflyiii/rootfs/etc/nginx/servers/ssl.conf
similarity index 65%
rename from fireflyiii/rootfs/etc/nginx/servers/ingress.conf
rename to fireflyiii/rootfs/etc/nginx/servers/ssl.conf
index 04c7b1a32..98242a331 100644
--- a/fireflyiii/rootfs/etc/nginx/servers/ingress.conf
+++ b/fireflyiii/rootfs/etc/nginx/servers/ssl.conf
@@ -1,14 +1,21 @@ server { - listen %%interface%%:%%port%% default_server; + listen 8443; include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/proxy_params.conf; + ssl_certificate /ssl/%%certfile%%; + ssl_certificate_key /ssl/%%keyfile%%; + client_max_body_size 0; - location / { - root /var/www/firefly-iii/public/; - } + root /var/www/firefly-iii/public/; + + index index.html; + + location / { + root /var/www/firefly-iii/public/; + } location ~* \.php(?:$|/) { include snippets/fastcgi-php.conf; 
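Review bot: The two `sed -i "/proxy_params.conf/a ..."` lines in 30-ssl.sh append fresh `ssl_certificate` directives while the `%%certfile%%` / `%%keyfile%%` placeholders this commit adds to ssl.conf stay in place. Unless another init script (not visible here) fills them, nginx is presumably left pointing at a certificate path that does not exist. The same lines paste `$certfile` and `$keyfile` into the sed script unescaped, and the `-f` test follows `../`, so both values should be limited to plain file names before use. Smaller points in the same block: the fatal messages name `use_own_certs` although the option is `ssl`, `bashio::addon.port 2342` refers to a port this add-on does not declare, `declare port` is unused, and `rm -r` under `set -e` aborts start-up if the file is already gone. A possible rewrite of the branch follows.

```shell
if bashio::config.true 'ssl'; then
    # … unchanged: bashio::config.require.ssl and the certfile/keyfile reads …

    # Accept plain file names only, so the values cannot leave /ssl or alter the sed script
    for f in "$certfile" "$keyfile"; do
        if [[ ! "$f" =~ ^[A-Za-z0-9._-]+$ ]] || [[ ! -f "/ssl/$f" ]]; then
            bashio::log.fatal "... ssl is true but /ssl/$f is not a usable file"
            bashio::exit.nok
        fi
    done

    # Fill the placeholders already present in ssl.conf instead of appending new directives
    sed -i "s|%%certfile%%|${certfile}|g; s|%%keyfile%%|${keyfile}|g" /etc/nginx/servers/ssl.conf
    bashio::log.info "Ssl enabled, please use https for connection. UI is at https://YOURIP:$(bashio::addon.port 8443)"
else
    rm -f /etc/nginx/servers/ssl.conf
fi
```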
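Review bot: `listen 8443;` in ssl.conf carries no `ssl` parameter. Unless `server_params.conf` (not part of this diff) turns TLS on, nginx will answer plain HTTP on the port that config.json describes as "ssl web interface"; `listen 8443 ssl;` states the intent explicitly. The section also sets no `ssl_protocols` or cipher policy. These may be inherited from an include, but that is worth confirming before a finance application is exposed on this listener. The `server` block continues past the end of this hunk.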
@@ -17,5 +24,3 @@ server {
 fastcgi_pass unix:/run/php/php8.0-fpm.sock;
 }
 }
-
-