MediaMetz/customer-installer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Proxy Setup final

Browse Source
This commit is contained in:
Wolfgang
2026-01-18 18:18:21 +01:00
parent 8a94b6b183
commit c3a61484d4
1 changed files with 235 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

297
setup_nginx_proxy.sh
View File

@@ -8,6 +8,8 @@ set -Eeuo pipefail
# für eine neue n8n-Instanz über die OPNsense API.
# =============================================================================
SCRIPT_VERSION="1.0.8"
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
DEBUG="${DEBUG:-0}"
export DEBUG
@@ -29,7 +31,9 @@ die() {
# Default Configuration
# =============================================================================
# OPNsense kann über Hostname ODER IP angesprochen werden
# Port 4444 ist der Standard-Port für die OPNsense WebUI/API
OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
OPNSENSE_PORT="${OPNSENSE_PORT:-4444}"
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"
@@ -54,6 +58,7 @@ Required options (for proxy setup):
Optional:
--opnsense-host <ip> OPNsense IP or hostname (default: 192.168.45.1)
--opnsense-port <port> OPNsense WebUI/API port (default: 4444)
--certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
--list-certificates List available certificates and exit
--test-connection Test API connection and exit
@@ -98,6 +103,7 @@ while [[ $# -gt 0 ]]; do
--backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
--backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
--opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
--opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;;
--certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
--list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
--test-connection) TEST_CONNECTION="1"; shift 1 ;;
@@ -110,7 +116,7 @@ done
# =============================================================================
# API Base URL (nach Argument-Parsing setzen!)
# =============================================================================
API_BASE="https://${OPNSENSE_HOST}/api"
API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api"
# =============================================================================
# API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)
@@ -128,28 +134,94 @@ api_request() {
info "API ${method} ${url}"
local response
local http_code
if [[ -n "$data" ]]; then
response=$(curl -s -k -X "${method}" \
response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \
-H "Content-Type: application/json" \
-d "${data}" \
"${url}" 2>&1)
else
response=$(curl -s -k -X "${method}" \
response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
-u "${auth}" \
"${url}" 2>&1)
fi
# Extract HTTP code from last line
http_code=$(echo "$response" | tail -n1)
response=$(echo "$response" | sed '$d')
# Check for permission errors
if [[ "$http_code" == "401" ]]; then
warn "API Error 401: Unauthorized - Check API key and secret"
elif [[ "$http_code" == "403" ]]; then
warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}"
elif [[ "$http_code" == "404" ]]; then
warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist"
elif [[ "$http_code" -ge 400 ]]; then
warn "API Error ${http_code} for ${endpoint}"
fi
echo "$response"
}
# Check API response for errors and return status
# Usage: if check_api_response "$response" "endpoint_name"; then ... fi
check_api_response() {
local response="$1"
local endpoint_name="$2"
# Check for JSON error responses
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok")
if [[ "$status" == "403" ]]; then
die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges"
elif [[ "$status" == "401" ]]; then
die "Authentication failed for ${endpoint_name}. Check your API key and secret."
fi
# Check for validation errors
local validation_error
validation_error=$(echo "$response" | python3 -c "
import json,sys
try:
d=json.load(sys.stdin)
if 'validations' in d and d['validations']:
for field, errors in d['validations'].items():
print(f'{field}: {errors}')
except:
pass
" 2>/dev/null || true)
if [[ -n "$validation_error" ]]; then
warn "Validation errors: ${validation_error}"
return 1
fi
# Check for result status
local result
result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$result" == "failed" ]]; then
local message
message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error")
warn "API operation failed: ${message}"
return 1
fi
return 0
}
# Search for existing item by description
# OPNsense NGINX API uses "search<Type>" format, e.g., searchUpstreamServer
search_by_description() {
local endpoint="$1"
local search_endpoint="$1"
local description="$2"
local response
response=$(api_request "GET" "${endpoint}/search")
response=$(api_request "GET" "${search_endpoint}")
# Extract UUID where description matches
echo "$response" | python3 -c "
@@ -166,29 +238,22 @@ except:
" 2>/dev/null || true
}
# Find certificate by Common Name (CN)
find_certificate_by_cn() {
local cn_pattern="$1"
# Search for existing HTTP Server by servername
# HTTP Servers don't have a description field, they use servername
search_http_server_by_servername() {
local servername="$1"
local response
response=$(api_request "GET" "/trust/cert/search")
response=$(api_request "GET" "/nginx/settings/searchHttpServer")
# Extract UUID where CN contains the pattern (for wildcard certs)
# Extract UUID where servername matches
echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'
try:
data = json.load(sys.stdin)
rows = data.get('rows', [])
for row in rows:
cn = row.get('cn', '')
descr = row.get('descr', '')
# Match wildcard or exact domain
if pattern in cn or pattern in descr:
print(row.get('uuid', ''))
sys.exit(0)
# Also check for wildcard pattern
if cn.startswith('*.') and pattern.endswith(cn[2:]):
if row.get('servername', '') == '${servername}':
print(row.get('uuid', ''))
sys.exit(0)
except:
@@ -196,36 +261,115 @@ except:
" 2>/dev/null || true
}
# Find certificate by Common Name (CN) or Description
# Returns the certificate ID used by NGINX API (not the full UUID)
find_certificate_by_cn() {
local cn_pattern="$1"
# First, get the certificate list from the HTTP Server schema
# This gives us the correct certificate IDs that NGINX expects
local response
response=$(api_request "GET" "/nginx/settings/getHttpServer")
# Extract certificate ID where description contains the pattern
echo "$response" | python3 -c "
import json, sys
pattern = '${cn_pattern}'.lower()
try:
data = json.load(sys.stdin)
certs = data.get('httpserver', {}).get('certificate', {})
for cert_id, cert_info in certs.items():
if cert_id: # Skip empty key
value = cert_info.get('value', '').lower()
if pattern in value:
print(cert_id)
sys.exit(0)
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
" 2>/dev/null || true
}
# =============================================================================
# Utility Functions
# =============================================================================
# Test API connection
test_connection() {
info "Testing API connection to OPNsense at ${OPNSENSE_HOST}..."
info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
echo "Testing various API endpoints..."
echo ""
# Test 1: Firmware status (general API access)
echo "1. Testing /core/firmware/status..."
local response
response=$(api_request "GET" "/core/firmware/status")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo "✓ API connection successful to ${OPNSENSE_HOST}"
echo "Response: $(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null || echo "$response")"
return 0
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ Firmware API: OK"
else
echo "✗ API connection failed to ${OPNSENSE_HOST}"
echo "Response: $response"
return 1
echo " ✗ Firmware API: FAILED"
echo " Response: $response"
fi
# Test 2: NGINX settings (required for this script)
echo ""
echo "2. Testing /nginx/settings/searchHttpServer..."
response=$(api_request "GET" "/nginx/settings/searchHttpServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX HTTP Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} HTTP Server(s)"
else
echo " ✗ NGINX HTTP Server API: FAILED"
echo " Response: $response"
fi
# Test 3: NGINX upstream servers
echo ""
echo "3. Testing /nginx/settings/searchUpstreamServer..."
response=$(api_request "GET" "/nginx/settings/searchUpstreamServer")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ NGINX Upstream Server API: OK"
local count
count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
echo " Found ${count} Upstream Server(s)"
else
echo " ✗ NGINX Upstream Server API: FAILED"
echo " Response: $response"
fi
# Test 4: Trust/Certificates (optional)
echo ""
echo "4. Testing /trust/cert/search (optional)..."
response=$(api_request "GET" "/trust/cert/search")
if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
echo " ✓ Trust/Cert API: OK"
else
local status
status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown")
if [[ "$status" == "403" ]]; then
echo " ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)"
echo " Note: You can still use --certificate-uuid to specify the certificate manually"
else
echo " ✗ Trust/Cert API: FAILED"
echo " Response: $response"
fi
fi
echo ""
echo "Connection test complete."
return 0
}
# List available certificates
list_certificates() {
info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}..."
info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
local response
response=$(api_request "GET" "/trust/cert/search")
echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}):"
echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):"
echo "============================================================"
echo "$response" | python3 -c "
import json, sys
@@ -272,12 +416,13 @@ fi
[[ -n "$FQDN" ]] || die "--fqdn is required"
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"
info "Script Version: ${SCRIPT_VERSION}"
info "Configuration:"
info " CTID: ${CTID}"
info " Hostname: ${HOSTNAME}"
info " FQDN: ${FQDN}"
info " Backend: ${BACKEND_IP}:${BACKEND_PORT}"
info " OPNsense: ${OPNSENSE_HOST}"
info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"
# =============================================================================
@@ -294,8 +439,10 @@ create_upstream_server() {
# Check if upstream server already exists
local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}")
existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
# Note: OPNsense API expects specific values
# no_use: empty string means "use this server" (not "0")
local data
data=$(cat <<EOF
{
@@ -306,8 +453,7 @@ create_upstream_server() {
"priority": "1",
"max_conns": "",
"max_fails": "",
"fail_timeout": "",
"no_use": "0"
"fail_timeout": ""
}
}
EOF
@@ -320,7 +466,21 @@ EOF
else
info "Creating new Upstream Server..."
response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
info "API Response: ${response}"
# OPNsense returns {"uuid":"xxx"} or {"result":"saved","uuid":"xxx"}
existing_uuid=$(echo "$response" | python3 -c "
import json,sys
try:
d = json.load(sys.stdin)
# Try different response formats
uuid = d.get('uuid', '')
if not uuid and 'rows' in d:
# Sometimes returns in rows format
uuid = d['rows'][0].get('uuid', '') if d['rows'] else ''
print(uuid)
except Exception as e:
print('', file=sys.stderr)
" 2>/dev/null || true)
fi
info "Upstream Server UUID: ${existing_uuid}"
@@ -336,7 +496,7 @@ create_upstream() {
# Check if upstream already exists
local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}")
existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
local data
data=$(cat <<EOF
@@ -379,7 +539,7 @@ create_location() {
# Check if location already exists
local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/location" "${description}")
existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
local data
data=$(cat <<EOF
@@ -439,9 +599,9 @@ create_http_server() {
info "Step 4: Creating HTTP Server..."
# Check if HTTP server already exists
# Check if HTTP server already exists (by servername, not description)
local existing_uuid
existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}")
existing_uuid=$(search_http_server_by_servername "${server_name}")
# Determine certificate configuration
local cert_config=""
@@ -457,37 +617,49 @@ create_http_server() {
info "Using ACME/Let's Encrypt for certificate"
fi
# HTTP Server configuration
# Note: API uses "httpserver" not "http_server"
# Required fields based on API schema
# listen_http_address: "80" and listen_https_address: "443" for standard ports
local data
data=$(cat <<EOF
if [[ -n "$cert_uuid" ]]; then
data=$(cat <<EOF
{
"http_server": {
"description": "${description}",
"httpserver": {
"servername": "${server_name}",
"listen_http_address": "",
"listen_http_port": "",
"listen_https_address": "",
"listen_https_port": "443",
"listen_http_address": "80",
"listen_https_address": "443",
"locations": "${location_uuid}",
"rewrites": "",
"root": "",
${cert_config}
"ca": "",
"verify_client": "",
"access_log_format": "",
"enable_acme_plugin": "${acme_config}",
"charset": "",
"certificate": "${cert_uuid}",
"verify_client": "off",
"access_log_format": "main",
"https_only": "1",
"block_nonpublic_data": "0",
"naxsi_extensive_log": "0",
"sendfile": "1",
"security_header": "",
"limit_request_connections": "",
"limit_request_connections_burst": "",
"limit_request_connections_nodelay": "0"
"http2": "1",
"sendfile": "1"
}
}
EOF
)
else
# Without certificate, enable ACME support
data=$(cat <<EOF
{
"httpserver": {
"servername": "${server_name}",
"listen_http_address": "80",
"listen_https_address": "443",
"locations": "${location_uuid}",
"enable_acme_support": "1",
"verify_client": "off",
"access_log_format": "main",
"https_only": "1",
"http2": "1",
"sendfile": "1"
}
}
EOF
)
fi
local response
if [[ -n "$existing_uuid" ]]; then
@@ -496,7 +668,8 @@ EOF
else
info "Creating new HTTP Server..."
response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
info "API Response: ${response}"
existing_uuid=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('uuid',''))" 2>/dev/null || true)
fi
info "HTTP Server UUID: ${existing_uuid}"