MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Setup NGINX Final

Browse Source
This commit is contained in:
wm
2026-01-18 18:17:40 +01:00
parent c5d376d3ac
commit 15a9104a8e
1 changed files with 227 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
setup_nginx_proxy.sh
View File

@@ -8,6 +8,8 @@ set -Eeuo pipefail
# für eine neue n8n-Instanz über die OPNsense API. # für eine neue n8n-Instanz über die OPNsense API.
# ============================================================================= # =============================================================================
SCRIPT_VERSION="1.0.8"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr # Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}" DEBUG="${DEBUG:-0}"
export DEBUG export DEBUG
@@ -132,28 +134,94 @@ api_request() {
info "API ${method} ${url}" info "API ${method} ${url}"
local response local response
local http_code
if [[ -n "$data" ]]; then if [[ -n "$data" ]]; then
response=$(curl -s -k -X "${method}" \ response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \ -u "${auth}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "${data}" \ -d "${data}" \
"${url}" 2>&1) "${url}" 2>&1)
else else
response=$(curl -s -k -X "${method}" \ response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \ -u "${auth}" \
"${url}" 2>&1) "${url}" 2>&1)
fi fi
# Extract HTTP code from last line
http_code=$(echo "$response" | tail -n1)
response=$(echo "$response" | sed '$d')
# Check for permission errors
if [[ "$http_code" == "401" ]]; then
warn "API Error 401: Unauthorized - Check API key and secret"
elif [[ "$http_code" == "403" ]]; then
warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}"
elif [[ "$http_code" == "404" ]]; then
warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist"
elif [[ "$http_code" -ge 400 ]]; then
warn "API Error ${http_code} for ${endpoint}"
fi
echo "$response" echo "$response"
} }
# Check API response for errors and return status
# Usage: if check_api_response "$response" "endpoint_name"; then ... fi
check_api_response() {
local response="$1"
local endpoint_name="$2"
# Check for JSON error responses
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok")
if [[ "$status" == "403" ]]; then
die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges"
elif [[ "$status" == "401" ]]; then
die "Authentication failed for ${endpoint_name}. Check your API key and secret."
fi
# Check for validation errors
local validation_error
validation_error=$(echo "$response" | python3 -c "
import json,sys
try:
d=json.load(sys.stdin)
if 'validations' in d and d['validations']:
for field, errors in d['validations'].items():
print(f'{field}: {errors}')
except:
pass
" 2>/dev/null || true)
if [[ -n "$validation_error" ]]; then
warn "Validation errors: ${validation_error}"
return 1
fi
# Check for result status
local result
result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$result" == "failed" ]]; then
local message
message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error")
warn "API operation failed: ${message}"
return 1
fi
return 0
}
# Search for existing item by description # Search for existing item by description
# OPNsense NGINX API uses "search<Type>" format, e.g., searchUpstreamServer
search_by_description() { search_by_description() {
local endpoint="$1" local search_endpoint="$1"
local description="$2" local description="$2"
local response local response
response=$(api_request "GET" "${endpoint}/search") response=$(api_request "GET" "${search_endpoint}")
# Extract UUID where description matches # Extract UUID where description matches
echo "$response" | python3 -c " echo "$response" | python3 -c "
@@ -170,29 +238,22 @@ except:
" 2>/dev/null || true " 2>/dev/null || true
} }
# Find certificate by Common Name (CN) # Search for existing HTTP Server by servername
find_certificate_by_cn() { # HTTP Servers don't have a description field, they use servername
local cn_pattern="$1" search_http_server_by_servername() {
local servername="$1"
local response local response
response=$(api_request "GET" "/trust/cert/search") response=$(api_request "GET" "/nginx/settings/searchHttpServer")
# Extract UUID where CN contains the pattern (for wildcard certs) # Extract UUID where servername matches
echo "$response" | python3 -c " echo "$response" | python3 -c "
import json, sys import json, sys
pattern = '${cn_pattern}'
try: try:
data = json.load(sys.stdin) data = json.load(sys.stdin)
rows = data.get('rows', []) rows = data.get('rows', [])
for row in rows: for row in rows:
cn = row.get('cn', '') if row.get('servername', '') == '${servername}':
descr = row.get('descr', '')
# Match wildcard or exact domain
if pattern in cn or pattern in descr:
print(row.get('uuid', ''))
sys.exit(0)
# Also check for wildcard pattern
if cn.startswith('*.') and pattern.endswith(cn[2:]):
print(row.get('uuid', '')) print(row.get('uuid', ''))
sys.exit(0) sys.exit(0)
except: except:
@@ -200,6 +261,34 @@ except:
" 2>/dev/null || true " 2>/dev/null || true
} }
# Find certificate by Common Name (CN) or Description
# Returns the certificate ID used by NGINX API (not the full UUID)
find_certificate_by_cn() {
local cn_pattern="$1"
# First, get the certificate list from the HTTP Server schema
# This gives us the correct certificate IDs that NGINX expects
local response
response=$(api_request "GET" "/nginx/settings/getHttpServer")
# Extract certificate ID where description contains the pattern
echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'.lower()
try:
data = json.load(sys.stdin)
certs = data.get('httpserver', {}).get('certificate', {})
for cert_id, cert_info in certs.items():
if cert_id: # Skip empty key
value = cert_info.get('value', '').lower()
if pattern in value:
print(cert_id)
sys.exit(0)
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
" 2>/dev/null || true
}
# ============================================================================= # =============================================================================
# Utility Functions # Utility Functions
# ============================================================================= # =============================================================================
@@ -208,18 +297,69 @@ except:
test_connection() { test_connection() {
info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..." info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
echo "Testing various API endpoints..."
echo ""
# Test 1: Firmware status (general API access)
echo "1. Testing /core/firmware/status..."
local response local response
response=$(api_request "GET" "/core/firmware/status") response=$(api_request "GET" "/core/firmware/status")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ Firmware API: OK"
echo "✓ API connection successful to ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
echo "Response: $(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null || echo "$response")"
return 0
else else
echo "✗ API connection failed to ${OPNSENSE_HOST}:${OPNSENSE_PORT}" echo " ✗ Firmware API: FAILED"
echo "Response: $response" echo " Response: $response"
return 1
fi fi
# Test 2: NGINX settings (required for this script)
echo ""
echo "2. Testing /nginx/settings/searchHttpServer..."
response=$(api_request "GET" "/nginx/settings/searchHttpServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX HTTP Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} HTTP Server(s)"
else
echo " ✗ NGINX HTTP Server API: FAILED"
echo " Response: $response"
fi
# Test 3: NGINX upstream servers
echo ""
echo "3. Testing /nginx/settings/searchUpstreamServer..."
response=$(api_request "GET" "/nginx/settings/searchUpstreamServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX Upstream Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} Upstream Server(s)"
else
echo " ✗ NGINX Upstream Server API: FAILED"
echo " Response: $response"
fi
# Test 4: Trust/Certificates (optional)
echo ""
echo "4. Testing /trust/cert/search (optional)..."
response=$(api_request "GET" "/trust/cert/search")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ Trust/Cert API: OK"
else
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$status" == "403" ]]; then
echo " ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)"
echo " Note: You can still use --certificate-uuid to specify the certificate manually"
else
echo " ✗ Trust/Cert API: FAILED"
echo " Response: $response"
fi
fi
echo ""
echo "Connection test complete."
return 0
} }
# List available certificates # List available certificates
@@ -276,12 +416,13 @@ fi
[[ -n "$FQDN" ]] || die "--fqdn is required" [[ -n "$FQDN" ]] || die "--fqdn is required"
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required" [[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"
info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:" info "Configuration:"
info " CTID: ${CTID}" info " CTID: ${CTID}"
info " Hostname: ${HOSTNAME}" info " Hostname: ${HOSTNAME}"
info " FQDN: ${FQDN}" info " FQDN: ${FQDN}"
info " Backend: ${BACKEND_IP}:${BACKEND_PORT}" info " Backend: ${BACKEND_IP}:${BACKEND_PORT}"
info " OPNsense: ${OPNSENSE_HOST}" info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}" info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"
# ============================================================================= # =============================================================================
@@ -298,8 +439,10 @@ create_upstream_server() {
# Check if upstream server already exists # Check if upstream server already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
# Note: OPNsense API expects specific values
# no_use: empty string means "use this server" (not "0")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
{ {
@@ -310,8 +453,7 @@ create_upstream_server() {
"priority": "1", "priority": "1",
"max_conns": "", "max_conns": "",
"max_fails": "", "max_fails": "",
"fail_timeout": "", "fail_timeout": ""
"no_use": "0"
} }
} }
EOF EOF
@@ -324,7 +466,21 @@ EOF
else else
info "Creating new Upstream Server..." info "Creating new Upstream Server..."
response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data") response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true) info "API Response: ${response}"
# OPNsense returns {"uuid":"xxx"} or {"result":"saved","uuid":"xxx"}
existing_uuid=$(echo "$response" | python3 -c "
import json,sys
try:
d = json.load(sys.stdin)
# Try different response formats
uuid = d.get('uuid', '')
if not uuid and 'rows' in d:
# Sometimes returns in rows format
uuid = d['rows'][0].get('uuid', '') if d['rows'] else ''
print(uuid)
except Exception as e:
print('', file=sys.stderr)
" 2>/dev/null || true)
fi fi
info "Upstream Server UUID: ${existing_uuid}" info "Upstream Server UUID: ${existing_uuid}"
@@ -340,7 +496,7 @@ create_upstream() {
# Check if upstream already exists # Check if upstream already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
@@ -383,7 +539,7 @@ create_location() {
# Check if location already exists # Check if location already exists
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/location" "${description}") existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
local data local data
data=$(cat <<EOF data=$(cat <<EOF
@@ -443,9 +599,9 @@ create_http_server() {
info "Step 4: Creating HTTP Server..." info "Step 4: Creating HTTP Server..."
# Check if HTTP server already exists # Check if HTTP server already exists (by servername, not description)
local existing_uuid local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}") existing_uuid=$(search_http_server_by_servername "${server_name}")
# Determine certificate configuration # Determine certificate configuration
local cert_config="" local cert_config=""
@@ -461,37 +617,49 @@ create_http_server() {
info "Using ACME/Let's Encrypt for certificate" info "Using ACME/Let's Encrypt for certificate"
fi fi
# HTTP Server configuration
# Note: API uses "httpserver" not "http_server"
# Required fields based on API schema
# listen_http_address: "80" and listen_https_address: "443" for standard ports
local data local data
data=$(cat <<EOF if [[ -n "$cert_uuid" ]]; then
data=$(cat <<EOF
{ {
"http_server": { "httpserver": {
"description": "${description}",
"servername": "${server_name}", "servername": "${server_name}",
"listen_http_address": "", "listen_http_address": "80",
"listen_http_port": "", "listen_https_address": "443",
"listen_https_address": "",
"listen_https_port": "443",
"locations": "${location_uuid}", "locations": "${location_uuid}",
"rewrites": "", "certificate": "${cert_uuid}",
"root": "", "verify_client": "off",
${cert_config} "access_log_format": "main",
"ca": "",
"verify_client": "",
"access_log_format": "",
"enable_acme_plugin": "${acme_config}",
"charset": "",
"https_only": "1", "https_only": "1",
"block_nonpublic_data": "0", "http2": "1",
"naxsi_extensive_log": "0", "sendfile": "1"
"sendfile": "1",
"security_header": "",
"limit_request_connections": "",
"limit_request_connections_burst": "",
"limit_request_connections_nodelay": "0"
} }
} }
EOF EOF
) )
else
# Without certificate, enable ACME support
data=$(cat <<EOF
{
"httpserver": {
"servername": "${server_name}",
"listen_http_address": "80",
"listen_https_address": "443",
"locations": "${location_uuid}",
"enable_acme_support": "1",
"verify_client": "off",
"access_log_format": "main",
"https_only": "1",
"http2": "1",
"sendfile": "1"
}
}
EOF
)
fi
local response local response
if [[ -n "$existing_uuid" ]]; then if [[ -n "$existing_uuid" ]]; then
@@ -500,7 +668,8 @@ EOF
else else
info "Creating new HTTP Server..." info "Creating new HTTP Server..."
response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data") response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true) info "API Response: ${response}"
existing_uuid=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('uuid',''))" 2>/dev/null || true)
fi fi
info "HTTP Server UUID: ${existing_uuid}" info "HTTP Server UUID: ${existing_uuid}"