LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
27337 Commits
1 Branch
46 MiB
Branch: lilik-openwrt-22.03
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'lilik-openwrt-22.03'
${ noResults }
openwrt-packages-dist/net/nginx-util/src/ubus-cxx.cpp

140 lines
5.3 KiB
Raw Permalink Normal View History

nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: use UCI for server configuration **tl;dr:** The functions `{add,del}_ssl` modify a server section of the UCI config if there is no `.conf` file with the same name in `/etc/nginx/conf.d/`. Then `init_lan` creates `/var/lib/nginx/uci.conf` files by copying the `/etc/nginx/uci.conf.template` and standard options from the UCI config; additionally the special path `logd` can be used in `{access,error}_log`. The init does not change the configuration beside re-creating self-signed certificates when needed. This is also the only purpose of the new `check_ssl`, which is installed as yearly cron job. **Initialization:** Invoking `nginx-util init_lan` parses the UCI configuration for package `nginx`. It creates a server part in `/var/lib/nginx/uci.conf` for each `section server '$name'` by copying all UCI options but the following: * `option uci_manage_ssl` is skipped. It is set to 'self-signed' by `nginx-util add_ssl $name`, removed by `nginx-util del_ssl $name` and used by `nginx-util check_ssl` (see below). * `logd` as path in `error_log` or `access_log` writes them to STDERR respective STDOUT, which are fowarded by Nginx's init to the log daemon. Specifically: `option error_log 'logd'` becomes `error_log stderr;` and `option access_log 'logd openwrt'` becomes `access_log /proc/self/fd/1 openwrt;` Other `[option|list] key 'value'` entries just become `key value;` directives. The init.d calls internally also `check_ssl` for rebuilding self-signed SSL certificates if needed (see below). And it still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as it is doing in the current version (so they stay available). **Defaults:** The package installs the file `/etc/nginx/restrict_locally` containing allow/deny directives for restricting the access to LAN addresses by including it into a server part. The default server '_lan' includes this file and listens on all IPs (instead of only the local IPs as it did before; other servers do not need to listen explicitly on the local IPs anymore). The default server is contained together with a server that redirects HTTP requests for inexistent URLs to HTTPS in the UCI configuration file `/etc/config/nginx`. Furthermore, the packages installs a `/etc/nginx/uci.conf.template` containing the current setup and a marker, which will be replaced by the created UCI servers when calling `init_lan`. **Other:** If there is a file named `/etc/nginx/conf.d/$name.conf` the functions `init_lan`, `add_ssl $name` and `del_ssl $name` will use that file instead of a UCI server section (this is similar to the current version). Else it selects the UCI `section server $name`, or, when there is no such section, it searches for the first one having `option server_name '… $name …'`. For this section: * `nginx-util add_ssl $name` will add to it: `option uci_manage_ssl 'self-signed'` `option ssl_certificate '/etc/nginx/conf.d/$name.crt'` `option ssl_certificate_key '/etc/nginx/conf.d/$name.key'` `option ssl_session_cache 'shared:SSL:32k'` `option ssl_session_timeout '64m'` If these options are already present, they will stay the same; just the first option `uci_manage_ssl` will always be changed to 'self-signed'. The command also changes all `listen` list items to use port 443 and ssl instead of port 80 (without ssl). If they stated another port than 80 before, they are kept the same. Furthermore, it creates a self-signed SSL certificate if necessary, i.e., if there is no *valid* certificate and key at the locations given by the options `ssl_certificate` and `ssl_certificate_key`. * `nginx-util del_ssl $name` checks if `uci_manage_ssl` is set 'self-signed' in the corresponding UCI section. Only then it removes all of the above options regardless of the value looking just at the key name. Then, it also changes all `listen` list items to use port 80 (without ssl) instead of port 443 with ssl. If stating another port than 443, they are kept the same. Furthermore, it removes the SSL certificate and key that were indicated by `ssl_certificate{,_key}`. * `nginx-util check_ssl` looks through all server sections of the UCI config for `uci_manage_ssl 'self-signed'`. On every hit it checks if the SSL certificate-key-pair indicated by the options `ssl_certificate{,_key}` is expired. Then it re-creates a self-signed certificate. If there exists at least one `section server` with `uci_manage_ssl 'self-signed'`, it will try to install itself as cron job. If there are no such sections, it removes that cron job if possible. For installing a ssl certificate and key managed by another app, you can call: `nginx-util add_ssl $name $manager $crtpath $keypath` Hereby `$name` is as above, `$manager` is an arbitrary string, and the the ssl certificate and its key are indicated by their absolute path. If you want to remove the directives again, then you can use: `nginx-util del_ssl $name $manager` Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
nginx-util: fix issues and cleanup * fix regex capture (to conform std) * fix issues for Clang/libcxx (warnings/includes) * fix CONFLICTS in the Makefile * use /bin/sh in host scripts and shellcheck them * add callback for setting arguments in ubus::call Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
4 years ago
 
  1. #include <iostream>

  2. 

  3. #include "ubus-cxx.hpp"

  4. 

  5. inline void example_for_checking_if_there_is_a_key()
  6. {
  7.     if (ubus::call("service", "list").filter("cron")) {
  8.         std::cout << "Cron is active (with or without instances) " << std::endl;
  9.     }
  10. }
  11. 

  12. inline void example_for_getting_values()
  13. {
  14.     auto lan_status = ubus::call("network.interface.lan", "status");
  15.     for (const auto* t : lan_status.filter("ipv6-address", "", "address")) {
  16.         // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)

  17.         auto* x = const_cast<blob_attr*>(t);
  18.         std::cout << "[" << blobmsg_get_string(x) << "] ";
  19.     }
  20.     for (const auto* t : lan_status.filter("ipv4-address", "").filter("address")) {
  21.         // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)

  22.         auto* x = const_cast<blob_attr*>(t);
  23.         std::cout << blobmsg_get_string(x) << " ";
  24.     }
  25.     std::cout << std::endl;
  26. }
  27. 

  28. inline void example_for_sending_message()
  29. {
  30.     auto set_arg = [](blob_buf* buf) -> int { return blobmsg_add_string(buf, "config", "nginx"); };
  31.     for (const auto* t : ubus::call("uci", "get", set_arg).filter("values")) {
  32.         // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)

  33.         auto* x = const_cast<blob_attr*>(t);
  34.         std::cout << blobmsg_get_string(x) << "\n";
  35.     }
  36. }
  37. 

  38. inline void example_for_exploring()
  39. {
  40.     ubus::strings keys{"ipv4-address", "", ""};
  41.     for (const auto* t : ubus::call("network.interface.lan", "status").filter(keys)) {
  42.         // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)

  43.         auto* x = const_cast<blob_attr*>(t);
  44.         std::cout << blobmsg_name(x) << ": ";
  45.         switch (blob_id(x)) {
  46.             case BLOBMSG_TYPE_UNSPEC: std::cout << "[unspecified]"; break;
  47.             case BLOBMSG_TYPE_ARRAY: std::cout << "[array]"; break;
  48.             case BLOBMSG_TYPE_TABLE: std::cout << "[table]"; break;
  49.             case BLOBMSG_TYPE_STRING: std::cout << blobmsg_get_string(x); break;
  50.             case BLOBMSG_TYPE_INT64: std::cout << blobmsg_get_u64(x); break;
  51.             case BLOBMSG_TYPE_INT32: std::cout << blobmsg_get_u32(x); break;
  52.             case BLOBMSG_TYPE_INT16: std::cout << blobmsg_get_u16(x); break;
  53.             case BLOBMSG_TYPE_BOOL: std::cout << blobmsg_get_bool(x); break;
  54.             case BLOBMSG_TYPE_DOUBLE: std::cout << blobmsg_get_double(x); break;
  55.             default: std::cout << "[unknown]";
  56.         }
  57.         std::cout << std::endl;
  58.     }
  59. }
  60. 

  61. inline void example_for_recursive_exploring()
  62. {  // output like from the original ubus call:

  63.     const auto explore = [](auto message) -> void {
  64.         auto end = message.end();
  65.         auto explore_internal = [&end](auto& explore_ref, auto it, size_t depth = 1) -> void {
  66.             std::cout << std::endl;
  67.             bool first = true;
  68.             for (; it != end; ++it) {
  69.                 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)

  70.                 auto* attr = const_cast<blob_attr*>(*it);
  71.                 if (first) {
  72.                     first = false;
  73.                 }
  74.                 else {
  75.                     std::cout << ",\n";
  76.                 }
  77.                 std::cout << std::string(depth, '\t');
  78.                 std::string name = blobmsg_name(attr);
  79.                 if (!name.empty()) {
  80.                     std::cout << "\"" << name << "\": ";
  81.                 }
  82.                 switch (blob_id(attr)) {
  83.                     case BLOBMSG_TYPE_UNSPEC: std::cout << "(unspecified)"; break;
  84.                     case BLOBMSG_TYPE_ARRAY:
  85.                         std::cout << "[";
  86.                         explore_ref(explore_ref, ubus::iterator{attr}, depth + 1);
  87.                         std::cout << "\n" << std::string(depth, '\t') << "]";
  88.                         break;
  89.                     case BLOBMSG_TYPE_TABLE:
  90.                         std::cout << "{";
  91.                         explore_ref(explore_ref, ubus::iterator{attr}, depth + 1);
  92.                         std::cout << "\n" << std::string(depth, '\t') << "}";
  93.                         break;
  94.                     case BLOBMSG_TYPE_STRING:
  95.                         std::cout << "\"" << blobmsg_get_string(attr) << "\"";
  96.                         break;
  97.                     case BLOBMSG_TYPE_INT64: std::cout << blobmsg_get_u64(attr); break;
  98.                     case BLOBMSG_TYPE_INT32: std::cout << blobmsg_get_u32(attr); break;
  99.                     case BLOBMSG_TYPE_INT16: std::cout << blobmsg_get_u16(attr); break;
  100.                     case BLOBMSG_TYPE_BOOL:
  101.                         std::cout << (blobmsg_get_bool(attr) ? "true" : "false");
  102.                         break;
  103.                     case BLOBMSG_TYPE_DOUBLE: std::cout << blobmsg_get_double(attr); break;
  104.                     default: std::cout << "(unknown)"; break;
  105.                 }
  106.             }
  107.         };
  108.         std::cout << "{";
  109.         explore_internal(explore_internal, message.begin());
  110.         std::cout << "\n}" << std::endl;
  111.     };
  112.     explore(ubus::call("network.interface.lan", "status"));
  113. }
  114. 

  115. auto main() -> int
  116. {
  117.     try {
  118.         example_for_checking_if_there_is_a_key();
  119. 

  120.         example_for_getting_values();
  121. 

  122.         example_for_sending_message();
  123. 

  124.         example_for_exploring();
  125. 

  126.         example_for_recursive_exploring();
  127. 

  128.         return 0;
  129.     }
  130. 

  131.     catch (const std::exception& e) {
  132.         std::cerr << e.what() << std::endl;
  133.     }
  134. 

  135.     catch (...) {
  136.         perror("main error");
  137.     }
  138. 

  139.     return 1;
  140. }