netbird/plugins
0
0
Fork 0
mirror of https://github.com/netbirdio/plugins.git synced 2026-05-22 18:44:07 -07:00
Code Issues Packages Projects Releases Wiki Activity

www/caddy: v1.5.4 (#3891)

Browse Source 
* Update ReverseProxyController.php

Update searchBase() for easier maintainability:

Requires: https://github.com/opnsense/core/commit/2d45b78f744059089078d56b3c108765b2d23608

* Update caddy_control.py - Change onerestart and other actions to restart

Might fix: https://github.com/opnsense/plugins/issues/3887

* Update Caddy.xml - Model Relation Fields

to allow displaying multiple elements instead of only the description. This prevents duplicates being displayed without being able to know which entry is which.

Possibly fixes:
https://github.com/opnsense/plugins/issues/3885
https://github.com/opnsense/plugins/issues/3884

Also, since the descriptions are used by "internalModelUseSafeDelete", it's better to make them all required.

* Update actions_caddy.conf - Add reload action

The rc.d file communicates directly with the caddy admin endpoint, and can reload the configuration with the /var/run/caddy/caddy.sock without restarting the whole caddy process.

* Update caddy_control.py - Add reload action

The rc.d file communicates directly with the caddy admin endpoint, and can reload the configuration with the /var/run/caddy/caddy.sock without restarting the whole caddy process.

* Update ServiceController.php - Turn off the ForceRestart

Since caddy can use a reload instead

* Add option to set a custom HTTP response code and message instead of using abort. This option can only be set globally in general settings.

* Update pkg-descr - Add 1.5.4

* Update Makefile - Bump to 1.5.4

* Tether the HTTP repond logic to the Access List for more flexibility.

* Update Caddy.xml - Change HTTPResponseCode and Message from general to accesslist

* Add configuration framework for setting custom headers. WIP for opnsense/plugins#3881

* Update Caddy.xml - This shouldn't be here anymore...

* Update Caddy.xml - Another mistake has sneaked in, fixed.

* Update reverse_proxy.volt - Add new fields to bootgrid

* Add template logic for header manipulation. WIP for opnsense/plugins#3881

* Update pkg-descr

* Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS.

* Update Caddyfile - Added some much needed comments the the most important sections and macros of the template. This should improve maintainability.

* Update Caddyfile - Improve Comments, add Copyright header

* Update Caddyfile - Improve comments
This commit is contained in:
Monviech
2024-04-11 10:24:43 +02:00
committed by GitHub
parent bbebfd3e50
commit cb2e7d3e6e
15 changed files with 456 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files
www/caddy/Makefile
+2 -1
View File
@@ -1,5 +1,6 @@
PLUGIN_NAME= caddy
PLUGIN_VERSION= 1.5.3
PLUGIN_VERSION= 1.5.4
PLUGIN_REVISION= 1
PLUGIN_DEPENDS= caddy-custom
PLUGIN_COMMENT= Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
PLUGIN_MAINTAINER= cedrik@pischem.com
www/caddy/pkg-descr
+11
View File
@@ -18,12 +18,23 @@ Main features of this plugin:
* Basic Auth to restrict access by username and password
* Syslog-ng integration and HTTP Access Log
* NTLM Transport
* Header manipulation with header_up and header_down
DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
Plugin Changelog
================
1.5.4
* Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions.
* Change: All Description Fields are now required to be populated.
* Change: Model Relation Fields now display two values instead of one to make most options appear unique.
* Add: HTTP response code and HTTP response message can be set per access list in advanced mode.
* Add: Header functionality added. Multiple header manipulations can be set per handler.
* Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability.
* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS.
1.5.3
* Change from "Phalcon Messages" to "OPNsense Messages" in Caddy.php.
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+38 -10
View File
@@ -41,9 +41,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
/*ReverseProxy Section*/
public function searchReverseProxyAction()
public function searchReverseProxyAction($add_empty='0')
{
return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'DynDns', 'AcmePassthrough', 'description']);
return $this->searchBase("reverseproxy.reverse", null, 'description');
}
public function setReverseProxyAction($uuid)
@@ -74,9 +74,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
/*Subdomain Section*/
public function searchSubdomainAction()
public function searchSubdomainAction($add_empty='0')
{
return $this->searchBase("reverseproxy.subdomain", ['enabled', 'reverse', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DynDns', 'description']);
return $this->searchBase("reverseproxy.subdomain", null, 'description');
}
public function setSubdomainAction($uuid)
@@ -107,9 +107,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
/*Handler Section*/
public function searchHandleAction()
public function searchHandleAction($add_empty='0')
{
return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'ToPath', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'HttpTlsInsecureSkipVerify', 'description']);
return $this->searchBase("reverseproxy.handle", null, 'description');
}
public function setHandleAction($uuid)
@@ -140,9 +140,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
/* AccessList Section */
public function searchAccessListAction()
public function searchAccessListAction($add_empty='0')
{
return $this->searchBase("reverseproxy.accesslist", ['accesslistName', 'clientIps', 'accesslistInvert', 'description']);
return $this->searchBase("reverseproxy.accesslist", null, 'description');
}
public function setAccessListAction($uuid)
@@ -168,9 +168,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
/* BasicAuth Section */
public function searchBasicAuthAction()
public function searchBasicAuthAction($add_empty='0')
{
return $this->searchBase("reverseproxy.basicauth", ['basicauthuser', 'basicauthpass', 'description']);
return $this->searchBase("reverseproxy.basicauth", null, 'description');
}
public function setBasicAuthAction($uuid)
@@ -212,4 +212,32 @@ class ReverseProxyController extends ApiMutableModelControllerBase
{
return $this->delBase("reverseproxy.basicauth", $uuid);
}
/* Header Section */
public function searchHeaderAction($add_empty='0')
{
return $this->searchBase("reverseproxy.header", null, 'description');
}
public function setHeaderAction($uuid)
{
return $this->setBase("header", "reverseproxy.header", $uuid);
}
public function addHeaderAction()
{
return $this->addBase("header", "reverseproxy.header");
}
public function getHeaderAction($uuid = null)
{
return $this->getBase("header", "reverseproxy.header", $uuid);
}
public function delHeaderAction($uuid)
{
return $this->delBase("reverseproxy.header", $uuid);
}
}
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+6
View File
@@ -41,6 +41,12 @@ class ServiceController extends ApiMutableServiceControllerBase
protected static $internalServiceEnabled = 'general.enabled';
protected static $internalServiceName = 'caddy';
protected function reconfigureForceRestart()
{
// Caddy can use a reload action instead
return 0;
}
public function validateAction()
{
$backend = new Backend();
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+1
View File
@@ -43,5 +43,6 @@ class ReverseProxyController extends IndexController
$this->view->formDialogHandle = $this->getForm("dialogHandle");
$this->view->formDialogAccessList = $this->getForm("dialogAccessList");
$this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
$this->view->formDialogHeader = $this->getForm("dialogHeader");
}
}
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+16
View File
@@ -19,6 +19,22 @@
<type>checkbox</type>
<help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
</field>
<field>
<id>accesslist.HttpResponseCode</id>
<label>HTTP Response Code</label>
<type>text</type>
<hint>403</hint>
<help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list doesn't match. Setting this will replace "Abort Connections", all clients will stay connected but will receive the response code.]]></help>
<advanced>true</advanced>
</field>
<field>
<id>accesslist.HttpResponseMessage</id>
<label>HTTP Response Message</label>
<type>text</type>
<hint>Forbidden</hint>
<help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code.]]></help>
<advanced>true</advanced>
</field>
<field>
<id>accesslist.description</id>
<label>Description</label>
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+13
View File
@@ -36,6 +36,19 @@
<type>text</type>
<help><![CDATA[Enter a description for this handler.]]></help>
</field>
<field>
<type>header</type>
<label>Header</label>
<collapse>true</collapse>
</field>
<field>
<id>handle.header</id>
<label>Header Manipulation</label>
<type>dropdown</type>
<type>select_multiple</type>
<size>5</size>
<help><![CDATA[Select one or multiple header manipulations. These will be set to this handler. Generally this is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
</field>
<field>
<type>header</type>
<label>Upstream</label>
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+34
View File
@@ -0,0 +1,34 @@
<form>
<field>
<id>header.HeaderUpDown</id>
<label>Header</label>
<type>dropdown</type>
<help><![CDATA[header_up sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. header_down sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
</field>
<field>
<id>header.HeaderType</id>
<label>Header Type</label>
<hint>Host</hint>
<type>text</type>
<help><![CDATA[Enter a header, for example "Host". Use the + or - prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Some-Header" without + or -.]]></help>
</field>
<field>
<id>header.HeaderValue</id>
<label>Header Value</label>
<hint>{upstream_hostport}</hint>
<type>text</type>
<help><![CDATA[Enter a value for the above header. One of the most common options is "{upstream_hostport}". It's also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
</field>
<field>
<id>header.HeaderReplace</id>
<label>Header Replace</label>
<type>text</type>
<help><![CDATA[If a regular expression is used to search for a Header Value, here the replacement string can be set. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, $1 being the first capture group.]]></help>
</field>
<field>
<id>header.description</id>
<label>Description</label>
<type>text</type>
<help><![CDATA[Enter a description for this header.]]></help>
</field>
</form>
www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+1 -1
View File
@@ -3,7 +3,7 @@
<id>caddy.general.DynDnsIpVersions</id>
<label>DynDns IP Version</label>
<type>dropdown</type>
<help><![CDATA[Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "IPv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.]]></help>
<help><![CDATA[Select "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
</field>
<field>
<id>caddy.general.DynDnsCheckInterval</id>
www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+72 -16
View File
@@ -1,7 +1,7 @@
<model>
<mount>//Pischem/caddy</mount>
<description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
<version>1.1.5</version>
<version>1.1.7</version>
<items>
<general>
<enabled type="BooleanField">
@@ -12,8 +12,8 @@
<ValidationMessage>Please enter a valid email address.</ValidationMessage>
</TlsEmail>
<TlsAutoHttps type="OptionField">
<BlankDesc>On (default)</BlankDesc>
<OptionValues>
<on>On (default)</on>
<off>Off</off>
<disable_redirects>Disable Redirects</disable_redirects>
<disable_certs>Disable Certs</disable_certs>
@@ -21,8 +21,8 @@
</OptionValues>
</TlsAutoHttps>
<TlsDnsProvider type="OptionField">
<BlankDesc>None (default)</BlankDesc>
<OptionValues>
<none>None (default)</none>
<cloudflare>Cloudflare</cloudflare>
<duckdns>Duck DNS</duckdns>
<digitalocean>DigitalOcean</digitalocean>
@@ -59,7 +59,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.accesslist</items>
<display>accesslistName</display>
<display>accesslistName,description</display>
<display_format>%s - %s</display_format>
</reverseproxy>
</Model>
</accesslist>
@@ -84,12 +85,11 @@
<Required>Y</Required>
</DynDnsCheckInterval>
<DynDnsIpVersions type="OptionField">
<Default>ipv4</Default>
<BlankDesc>IPv4+IPv6</BlankDesc>
<OptionValues>
<ipv4>IPv4 only</ipv4>
<ipv6>IPv6 only</ipv6>
</OptionValues>
<Required>Y</Required>
</DynDnsIpVersions>
<DynDnsTTL type="IntegerField">
<Default>1</Default>
@@ -123,7 +123,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.accesslist</items>
<display>accesslistName</display>
<display>accesslistName,description</display>
<display_format>%s - %s</display_format>
</reverseproxy>
</Model>
</accesslist>
@@ -132,7 +133,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.basicauth</items>
<display>basicauthuser</display>
<display>basicauthuser,description</display>
<display_format>%s - %s</display_format>
</reverseproxy>
</Model>
<Multiple>Y</Multiple>
@@ -160,7 +162,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.reverse</items>
<display>description</display>
<display>FromDomain,FromPort</display>
<display_format>%s:%s</display_format>
</reverseproxy>
</Model>
</reverse>
@@ -179,7 +182,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.accesslist</items>
<display>accesslistName</display>
<display>accesslistName,description</display>
<display_format>%s - %s</display_format>
</reverseproxy>
</Model>
</accesslist>
@@ -188,7 +192,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.basicauth</items>
<display>basicauthuser</display>
<display>basicauthuser,description</display>
<display_format>%s - %s</display_format>
</reverseproxy>
</Model>
<Multiple>Y</Multiple>
@@ -209,7 +214,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.reverse</items>
<display>description</display>
<display>FromDomain,FromPort</display>
<display_format>%s:%s</display_format>
</reverseproxy>
</Model>
</reverse>
@@ -218,7 +224,8 @@
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.subdomain</items>
<display>description</display>
<display>FromDomain,FromPort</display>
<display_format>%s:%s</display_format>
</reverseproxy>
</Model>
</subdomain>
@@ -234,6 +241,17 @@
<Mask>/^(\/.*)?$/u</Mask>
<ValidationMessage>Please enter a valid 'Handle Path' that starts with '/'.</ValidationMessage>
</HandlePath>
<header type="ModelRelationField">
<Model>
<reverseproxy>
<source>OPNsense.Caddy.Caddy</source>
<items>reverseproxy.header</items>
<display>HeaderUpDown,HeaderType,HeaderValue,description</display>
<display_format>%s %s %s - %s</display_format>
</reverseproxy>
</Model>
<Multiple>Y</Multiple>
</header>
<ToDomain type="HostnameField">
<Required>Y</Required>
<ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
@@ -261,7 +279,9 @@
<FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
<ZoneRootAllowed>N</ZoneRootAllowed>
</HttpTlsServerName>
<description type="DescriptionField"/>
<description type="DescriptionField">
<Required>Y</Required>
</description>
</handle>
<accesslist type="ArrayField">
<accesslistName type="TextField">
@@ -278,7 +298,15 @@
<ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
</clientIps>
<accesslistInvert type="BooleanField"/>
<description type="DescriptionField"/>
<HttpResponseCode type="IntegerField">
<MinimumValue>100</MinimumValue>
<MaximumValue>599</MaximumValue>
<ValidationMessage>Please enter a valid HTTP response code between 100 and 599</ValidationMessage>
</HttpResponseCode>
<HttpResponseMessage type="DescriptionField"/>
<description type="DescriptionField">
<Required>Y</Required>
</description>
</accesslist>
<basicauth type="ArrayField">
<basicauthuser type="TextField">
@@ -289,8 +317,36 @@
<basicauthpass type="UpdateOnlyTextField">
<Required>Y</Required>
</basicauthpass>
<description type="DescriptionField"/>
<description type="DescriptionField">
<Required>Y</Required>
</description>
</basicauth>
<header type="ArrayField">
<HeaderUpDown type="OptionField">
<Default>header_up</Default>
<OptionValues>
<header_up>header_up</header_up>
<header_down>header_down</header_down>
</OptionValues>
<Required>Y</Required>
</HeaderUpDown>
<HeaderType type="TextField">
<Required>Y</Required>
<Mask>/^([^"]{0,1024})$/u</Mask>
<ValidationMessage>The header type must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
</HeaderType>
<HeaderValue type="TextField">
<Mask>/^([^"]{0,1024})$/u</Mask>
<ValidationMessage>The header value must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
</HeaderValue>
<HeaderReplace type="TextField">
<Mask>/^([^"]{0,1024})$/u</Mask>
<ValidationMessage>The header replacement must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
</HeaderReplace>
<description type="DescriptionField">
<Required>Y</Required>
</description>
</header>
</reverseproxy>
</items>
</model>
www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
-27
View File
@@ -28,33 +28,6 @@
$(document).ready(function() {
var data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
mapDataToFormUI(data_get_map).done(function(data){
// console.log("Fetched data:", data); // Log the fetched data
var generalSettings = data.frm_GeneralSettings.caddy.general;
// Populate TlsAutoHttps dropdown
var tlsAutoHttpsSelect = $('#caddy\\.general\\.TlsAutoHttps');
tlsAutoHttpsSelect.empty(); // Clear existing options
$.each(generalSettings.TlsAutoHttps, function(key, option) {
if (key !== "") { // Filter out the unwanted "None" option
tlsAutoHttpsSelect.append(new Option(option.value, key, false, option.selected === 1));
}
});
// Populate TlsDnsProvider dropdown
var tlsDnsProviderSelect = $('#caddy\\.general\\.TlsDnsProvider');
tlsDnsProviderSelect.empty(); // Clear existing options
$.each(generalSettings.TlsDnsProvider, function(key, option) {
if (key !== "") { // Filter out the unwanted "None" option
tlsDnsProviderSelect.append(new Option(option.value, key, false, option.selected === 1));
}
});
// Populate Trusted Proxies dropdown
var accesslistSelect = $('#caddy\\.general\\.accesslist');
accesslistSelect.empty(); // Clear existing options
$.each(generalSettings.accesslist, function(key, option) {
accesslistSelect.append(new Option(option.value, key, false, option.selected === 1));
});
// Refresh selectpicker for these dropdowns
$('.selectpicker').selectpicker('refresh');
www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+46
View File
@@ -69,6 +69,14 @@
del:'/api/caddy/ReverseProxy/delBasicAuth/',
});
$("#reverseHeaderGrid").UIBootgrid({
search:'/api/caddy/ReverseProxy/searchHeader/',
get:'/api/caddy/ReverseProxy/getHeader/',
set:'/api/caddy/ReverseProxy/setHeader/',
add:'/api/caddy/ReverseProxy/addHeader/',
del:'/api/caddy/ReverseProxy/delHeader/',
});
// Function to show alerts in the HTML message area
function showAlert(message, type = "error") {
var alertClass = type === "error" ? "alert-danger" : "alert-success";
@@ -143,6 +151,7 @@
<li class="active"><a data-toggle="tab" href="#domainsTab">Domains</a></li>
<li><a data-toggle="tab" href="#handlesTab">Handlers</a></li>
<li><a data-toggle="tab" href="#accessTab">Access</a></li>
<li><a data-toggle="tab" href="#headerTab">Headers</a></li>
</ul>
<div class="tab-content content-box">
@@ -234,6 +243,7 @@
<th data-column-id="subdomain" data-type="string">Subdomain</th>
<th data-column-id="HandleType" data-type="string" data-visible="false">Handle Type</th>
<th data-column-id="HandlePath" data-type="string" data-visible="false">Handle Path</th>
<th data-column-id="header" data-type="string" data-visible="false">Header</th>
<th data-column-id="ToDomain" data-type="string">Upstream Domain</th>
<th data-column-id="ToPort" data-type="string">Upstream Port</th>
<th data-column-id="ToPath" data-type="string" data-visible="false">Upstream Path</th>
@@ -275,6 +285,8 @@
<th data-column-id="accesslistName" data-type="string">Name</th>
<th data-column-id="clientIps" data-type="string">Client IPs</th>
<th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">Invert</th>
<th data-column-id="HttpResponseCode" data-type="string" data-visible="false">HTTP Code</th>
<th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">HTTP Message</th>
<th data-column-id="description" data-type="string">Description</th>
<th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
</tr>
@@ -322,6 +334,39 @@
</div>
</div>
</div>
<!-- Header Tab -->
<div id="headerTab" class="tab-pane fade">
<div style="padding-left: 16px;">
<h1>Headers</h1>
<div style="display: block;"> <!-- Common container -->
<table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
<thead>
<tr>
<th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
<th data-column-id="HeaderUpDown" data-type="string">Header</th>
<th data-column-id="HeaderType" data-type="string">Header Type</th>
<th data-column-id="HeaderValue" data-type="string" data-visible="false">Header Value</th>
<th data-column-id="HeaderReplace" data-type="string" data-visible="false">Header Replace</th>
<th data-column-id="description" data-type="string">Description</th>
<th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
</tr>
</thead>
<tbody>
</tbody>
<tfoot>
<tr>
<td></td>
<td>
<button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
<button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
</td>
</tr>
</tfoot>
</table>
</div>
</div>
</div>
</div>
<!-- Reconfigure Button -->
@@ -351,3 +396,4 @@
{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}
www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+4 -3
View File
@@ -64,9 +64,10 @@ def run_service_command(action, action_message):
# Updated actions dictionary
actions = {
"start": "onestart",
"stop": "onestop",
"restart": "onerestart",
"start": "start",
"stop": "stop",
"restart": "restart",
"reload": "reload",
"validate": "validate" # Validate action
}
www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+8 -1
View File
@@ -14,9 +14,16 @@ message:Stopping Caddy service
command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py restart
parameters:
type:script
message:Reloading Caddy configuration
message:Restarting Caddy service
description:Restart Caddy service
[reload]
command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py reload
parameters:
type:script
message:Reloading Caddy configuration
description:Reload Caddy service
[validate]
command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py validate
parameters:
www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+204 -7
View File
@@ -1,9 +1,40 @@
{#
# Copyright (c) 2023-2024 Cedrik Pischem
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#}
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
{% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
# Global Options
{
{#
# Section: Global Log Settings
# Purpose: Sets up global log settings. The time format and unix socket make Caddy compatible
# with the syslog-ng instance running on the OPNsense.
#}
log {
{% if generalSettings.LogAccessPlain|default("0") == "0" %}
{% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
@@ -19,6 +50,11 @@
}
}
{#
# Section: Global Trusted Proxy and Credential Logging
# Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.
# Credential logging is useful for troubleshooting basic auth.
#}
{% set accessListUuid = generalSettings.accesslist %}
{% set logCredentials = generalSettings.LogCredentials %}
@@ -47,6 +83,26 @@
}
{% endif %}
{#
# Section: Dynamic DNS Global Configuration
# Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with
# https://github.com/mholt/caddy-dynamicdns and https://github.com/caddy-dns. Otherwise the
# generated Caddyfile won't run. Each DNS Provider that is added below has to be compiled in.
# Some Providers don't support setting A and AAAA-Records, like acmedns.
# Most need specific configurations. Since only one provider can be used at the same time,
# they all share the same fields for configuration.
# Parameters:
# - @param dnsProvider (string): Specifies the DNS provider for DDNS updates.
# - @param dnsApiKey (string): The API key for authenticating with the DNS provider.
# - @param dnsSecretApiKey (string): A secret API key or token for additional authentication security.
# - @param dnsOptionalField1 to 4 (string): Optional configuration field for the DNS provider.
# - @param dynDnsSimpleHttp (string): URL for a simple HTTP-based service to discover the server's public IP.
# - @param dynDnsInterface (string): Network interface(s) to use for IP discovery.
# - @param dynDnsCheckInterval (integer): Interval in minutes to check for IP changes.
# - @param dynDnsIpVersions (string): The IP version(s) (IPv4, IPv6) for the DDNS update.
# - @param dynDnsTTL (integer): Time-To-Live for the DNS records, in hours.
# - @param dynDnsDomains (list): Domains and subdomains list for which DDNS updates are enabled.
#}
{% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
{% set dnsApiKey = generalSettings.TlsDnsApiKey %}
{% set dnsSecretApiKey = generalSettings.TlsDnsSecretApiKey %}
@@ -78,7 +134,7 @@
{% endfor %}
{% endfor %}
{% if dnsProvider and dnsProvider != "none" and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
{% if dnsProvider and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
dynamic_dns {
{% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
provider {{ dnsProvider }} {
@@ -207,12 +263,18 @@
}
{% endif %}
{#
# Section: ACME Email, Auto HTTPS selection and global import statement
# Purpose: The ACME email is optional for receiving certificate notices.
# Auto HTTPS is optional, the default is on (which means the section is empty).
# The import statement is for user specific configuration out of scope of this template.
#}
{% set emailValue = helpers.toList('Pischem.caddy.general.TlsEmail') | first %}
{% if emailValue %}
email {{ emailValue }}
{% endif %}
{% set autoHttpsValue = helpers.toList('Pischem.caddy.general.TlsAutoHttps') | first %}
{% if autoHttpsValue != "on" %}
{% if autoHttpsValue %}
auto_https {{ autoHttpsValue }}
{% endif %}
import /usr/local/etc/caddy/caddy.d/*.global
@@ -220,6 +282,11 @@
# Reverse Proxy Configuration
{#
# Section: HTTP-01 Challenge Redirection
# Purpose: A small premade reverse_proxy section
# that can redirect the HTTP-01 challenge to a different webserver.
#}
{% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
{% if reverse.enabled|default("0") == "1" and reverse.AcmePassthrough %}
# HTTP-01 challenge redirection for domain: "{{ reverse['@uuid'] }}"
@@ -234,8 +301,21 @@
{% endif %}
{% endfor %}
{#
# Macro: tls_configuration
# Purpose: Configures TLS settings based on the DNS provider, API keys, and optional fields.
# Sets up the Caddyfile to update TXT Records with the chosen DNS Provider and receive
# certificates with the DNS-01 challenge. Refer to Dynamic DNS section for more details.
# Parameters:
# - @param dnsProvider (string): The DNS provider used for the DNS challenge.
# - @param dnsApiKey (string): API key for the DNS provider, essential for authentication.
# - @param customCert (string, optional): The config extracted name of a certificate.
# - @param dnsChallenge (boolean): Indicates if a DNS challenge is used for certificate authentication.
# - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
# - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
#}
{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
{% if dnsChallenge == "1" and dnsProvider and dnsProvider != "none" %}
{% if dnsChallenge == "1" and dnsProvider %}
{% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
tls {
dns {{ dnsProvider }} {
@@ -360,12 +440,74 @@
{% endif %}
{% endmacro %}
{#
# Macro: header_manipulation
# Purpose: Customizes HTTP headers for requests or responses; to add, remove, or modify headers.
# It uses a 'handle' object that specifies which headers to manipulate based on their @UUIDs.
# Each handle can have multiple of these HTTP headers assigned.
# Parameters:
# @param handle (@object):
# - @uuid (@string)
# - HeaderUpDown (string): Determines the direction of the header.
# - HeaderType (string): Specifies the name of the header.
# - HeaderValue (string, optional): The new value to set for the header, if any.
# - HeaderReplace (string, optional): Specifies a value to replace in the header.
#}
{% macro header_manipulation(handle) %}
{% if handle.header %}
{% for header_uuid in handle.header.split(',') %}
{% set header = helpers.toList('Pischem.caddy.reverseproxy.header') | selectattr('@uuid', 'equalto', header_uuid) | first %}
{# Generate directive only if HeaderUpDown and HeaderType are present #}
{% if header.HeaderUpDown and header.HeaderType %}
{# Prepare variables, making HeaderValue and HeaderReplace optional #}
{% set header_value = header.HeaderValue | default('') %}
{% set header_replace = header.HeaderReplace | default('') %}
{# Adjust output formatting based on the presence and style of HeaderValue #}
{% if header.HeaderReplace and header.HeaderValue %}
{% if header_value.startswith('{') %}
{{ header.HeaderUpDown }} {{ header.HeaderType }} {{ header_value }} "{{ header_replace }}"
{% else %}
{{ header.HeaderUpDown }} {{ header.HeaderType }} "{{ header_value }}" "{{ header_replace }}"
{% endif %}
{% elif header.HeaderValue %}
{% if header_value.startswith('{') %}
{{ header.HeaderUpDown }} {{ header.HeaderType }} {{ header_value }}
{% else %}
{{ header.HeaderUpDown }} {{ header.HeaderType }} "{{ header_value }}"
{% endif %}
{% else %}
{{ header.HeaderUpDown }} {{ header.HeaderType }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endmacro %}
{#
# Macro: reverse_proxy_configuration
# Purpose: Sets up the handle with the reverse proxy configurations. The TLS Settings are generated here for the Upstream.
# Integrated Macros: header_manipulation
# Parameters:
# @param handle (@object):
# - @uuid (@string)
# - HandleType (string): Specifies the handling strategy.
# - HandlePath (string, optional): The path the handle should match on.
# - ToDomain (string): Target domain for the reverse proxy.
# - ToPort (string, optional): Target port on the ToDomain.
# - ToPath (string, optional): Destination path on the ToDomain.
# - HttpTls (boolean, optional): Enable TLS for the connection.
# - HttpNtlm (boolean, optional): Enable NTLM authentication for the connection.
# - HttpTlsInsecureSkipVerify (boolean, optional): If true, the server's SSL certificate is not verified.
# - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
# - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
#}
{% macro reverse_proxy_configuration(handle) %}
{{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
{% if handle.ToPath|default("") != "" %}
rewrite * {{ handle.ToPath }}{uri}
{% endif %}
reverse_proxy {{ handle.ToDomain }}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %} {
{{ header_manipulation(handle) }}
{% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
{% if handle.HttpNtlm|default("0") == "1" %}
transport http_ntlm {
@@ -401,6 +543,18 @@
}
{% endmacro %}
{#
# Macro: access_list_configuration
# Purpose: Defines access lists based on client IP addresses. The standard logic is "allow these IP addresses, deny all others."
# A handle with an @ matcher is created that will put the reverse_proxy_configuration inside. That means, the traffic will
# only get to the reverse proxy, when the access list matches. Invert is also possible, to explicitely deny IPs.
# The assembly is handled by the "Section: Reverse Proxy Configurations".
# Parameters:
# @param accesslist (@object):
# - @uuid (@string)
# - clientIps (@string): A comma-separated list of client IP addresses
# - invert (@boolean): A flag that inverts the logic of the access list
#}
{% macro access_list_configuration(accesslist, invert) %}
{% set client_ips = accesslist.clientIps.split(',') %}
{% set client_ips_space_separated = client_ips | join(' ') %}
@@ -409,6 +563,16 @@
}
{% endmacro %}
{#
# Macro: basicauth_configuration
# Purpose: Implements basic authentication with a username and password for access.
# Parameters:
# @param basicauth_uuids (@string): A comma-separated list of UUIDs, each UUID corresponding to
# a specific user credentials (username and password).
# - @uuid (@string)
# - basicauthuser (@string): The username required for authentication.
# - basicauthpass (@string): The password associated with the username.
#}
{% macro basicauth_configuration(basicauth_uuids) %}
{% if basicauth_uuids %}
basicauth {
@@ -422,6 +586,20 @@
{% endif %}
{% endmacro %}
{#
# Section: Reverse Proxy Configurations
# Purpose: Assembles reverse proxy configurations using predefined macros.
# This is the main logic of the whole template, handle with care.
# Macros Used:
# - tls_configuration
# - basicauth_configuration
# - access_list_configuration
# - reverse_proxy_configuration
# - indirect: header_manipulation
# Important Details:
# - Order of Path specific Handles - Prioritizes order of specific path handles over catch-all handles.
# - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
#}
{% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
{% if reverse.enabled|default("0") == "1" %}
# Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
@@ -491,8 +669,17 @@
{% endif %}
{% endfor %}
{% endif %}
{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% if subdomain.accesslist %}
{% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
{% elif Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
{% else %}
{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
{% endif %}
}
{% endif %}
@@ -531,8 +718,18 @@
{% endif %}
{% endfor %}
{% endif %}
{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
{% if accesslist %}
{% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
{% elif Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
{% else %}
{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
{% endif %}
}
{% endif %}