#!/usr/bin/env bash set -Eeuo pipefail # ============================================================================= # OPNsense NGINX Reverse Proxy Setup Script # ============================================================================= # Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense # für eine neue n8n-Instanz über die OPNsense API. # ============================================================================= SCRIPT_VERSION="1.0.8" # Debug mode: 0 = nur JSON, 1 = Logs auf stderr DEBUG="${DEBUG:-0}" export DEBUG # Logging functions log_ts() { date "+[%F %T]"; } info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; } warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; } die() { if [[ "$DEBUG" == "1" ]]; then echo "$(log_ts) ERROR: $*" >&2 else echo "{\"error\": \"$*\"}" fi exit 1 } # ============================================================================= # Default Configuration # ============================================================================= # OPNsense kann über Hostname ODER IP angesprochen werden # Port 4444 ist der Standard-Port für die OPNsense WebUI/API OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}" OPNSENSE_PORT="${OPNSENSE_PORT:-4444}" OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}" OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}" # Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden) # Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden CERTIFICATE_UUID="${CERTIFICATE_UUID:-}" # ============================================================================= # Usage # ============================================================================= usage() { cat >&2 <<'EOF' Usage: bash setup_nginx_proxy.sh [options] Required options (for proxy setup): --ctid Container ID (used as description) --hostname Hostname (e.g., sb-1768736636) --fqdn Full domain name (e.g., sb-1768736636.userman.de) --backend-ip Backend IP address (e.g., 192.168.45.135) --backend-port Backend port (default: 5678) Optional: --opnsense-host OPNsense IP or hostname (default: 192.168.45.1) --opnsense-port OPNsense WebUI/API port (default: 4444) --certificate-uuid UUID of the SSL certificate in OPNsense --list-certificates List available certificates and exit --test-connection Test API connection and exit --debug Enable debug mode --help Show this help Examples: # List certificates: bash setup_nginx_proxy.sh --list-certificates --debug # Test API connection: bash setup_nginx_proxy.sh --test-connection --debug # Setup proxy: bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \ --fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135 # With custom OPNsense IP: bash setup_nginx_proxy.sh --opnsense-host 192.168.45.1 --list-certificates EOF } # ============================================================================= # Default values for arguments # ============================================================================= CTID="" HOSTNAME="" FQDN="" BACKEND_IP="" BACKEND_PORT="5678" LIST_CERTIFICATES="0" TEST_CONNECTION="0" # ============================================================================= # Argument parsing # ============================================================================= while [[ $# -gt 0 ]]; do case "$1" in --ctid) CTID="${2:-}"; shift 2 ;; --hostname) HOSTNAME="${2:-}"; shift 2 ;; --fqdn) FQDN="${2:-}"; shift 2 ;; --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;; --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;; --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;; --opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;; --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;; --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;; --test-connection) TEST_CONNECTION="1"; shift 1 ;; --debug) DEBUG="1"; export DEBUG; shift 1 ;; --help|-h) usage; exit 0 ;; *) die "Unknown option: $1 (use --help)" ;; esac done # ============================================================================= # API Base URL (nach Argument-Parsing setzen!) # ============================================================================= API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api" # ============================================================================= # API Helper Functions (MÜSSEN VOR list_certificates definiert werden!) # ============================================================================= # Make API request to OPNsense api_request() { local method="$1" local endpoint="$2" local data="${3:-}" local url="${API_BASE}${endpoint}" local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}" info "API ${method} ${url}" local response local http_code if [[ -n "$data" ]]; then response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \ -u "${auth}" \ -H "Content-Type: application/json" \ -d "${data}" \ "${url}" 2>&1) else response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \ -u "${auth}" \ "${url}" 2>&1) fi # Extract HTTP code from last line http_code=$(echo "$response" | tail -n1) response=$(echo "$response" | sed '$d') # Check for permission errors if [[ "$http_code" == "401" ]]; then warn "API Error 401: Unauthorized - Check API key and secret" elif [[ "$http_code" == "403" ]]; then warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}" elif [[ "$http_code" == "404" ]]; then warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist" elif [[ "$http_code" -ge 400 ]]; then warn "API Error ${http_code} for ${endpoint}" fi echo "$response" } # Check API response for errors and return status # Usage: if check_api_response "$response" "endpoint_name"; then ... fi check_api_response() { local response="$1" local endpoint_name="$2" # Check for JSON error responses local status status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok") if [[ "$status" == "403" ]]; then die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges" elif [[ "$status" == "401" ]]; then die "Authentication failed for ${endpoint_name}. Check your API key and secret." fi # Check for validation errors local validation_error validation_error=$(echo "$response" | python3 -c " import json,sys try: d=json.load(sys.stdin) if 'validations' in d and d['validations']: for field, errors in d['validations'].items(): print(f'{field}: {errors}') except: pass " 2>/dev/null || true) if [[ -n "$validation_error" ]]; then warn "Validation errors: ${validation_error}" return 1 fi # Check for result status local result result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown") if [[ "$result" == "failed" ]]; then local message message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error") warn "API operation failed: ${message}" return 1 fi return 0 } # Search for existing item by description # OPNsense NGINX API uses "search" format, e.g., searchUpstreamServer search_by_description() { local search_endpoint="$1" local description="$2" local response response=$(api_request "GET" "${search_endpoint}") # Extract UUID where description matches echo "$response" | python3 -c " import json, sys try: data = json.load(sys.stdin) rows = data.get('rows', []) for row in rows: if row.get('description', '') == '${description}': print(row.get('uuid', '')) sys.exit(0) except: pass " 2>/dev/null || true } # Search for existing HTTP Server by servername # HTTP Servers don't have a description field, they use servername search_http_server_by_servername() { local servername="$1" local response response=$(api_request "GET" "/nginx/settings/searchHttpServer") # Extract UUID where servername matches echo "$response" | python3 -c " import json, sys try: data = json.load(sys.stdin) rows = data.get('rows', []) for row in rows: if row.get('servername', '') == '${servername}': print(row.get('uuid', '')) sys.exit(0) except: pass " 2>/dev/null || true } # Find certificate by Common Name (CN) or Description # Returns the certificate ID used by NGINX API (not the full UUID) find_certificate_by_cn() { local cn_pattern="$1" # First, get the certificate list from the HTTP Server schema # This gives us the correct certificate IDs that NGINX expects local response response=$(api_request "GET" "/nginx/settings/getHttpServer") # Extract certificate ID where description contains the pattern echo "$response" | python3 -c " import json, sys pattern = '${cn_pattern}'.lower() try: data = json.load(sys.stdin) certs = data.get('httpserver', {}).get('certificate', {}) for cert_id, cert_info in certs.items(): if cert_id: # Skip empty key value = cert_info.get('value', '').lower() if pattern in value: print(cert_id) sys.exit(0) except Exception as e: print(f'Error: {e}', file=sys.stderr) " 2>/dev/null || true } # ============================================================================= # Utility Functions # ============================================================================= # Test API connection test_connection() { info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..." echo "Testing various API endpoints..." echo "" # Test 1: Firmware status (general API access) echo "1. Testing /core/firmware/status..." local response response=$(api_request "GET" "/core/firmware/status") if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ Firmware API: OK" else echo " ✗ Firmware API: FAILED" echo " Response: $response" fi # Test 2: NGINX settings (required for this script) echo "" echo "2. Testing /nginx/settings/searchHttpServer..." response=$(api_request "GET" "/nginx/settings/searchHttpServer") if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ NGINX HTTP Server API: OK" local count count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?") echo " Found ${count} HTTP Server(s)" else echo " ✗ NGINX HTTP Server API: FAILED" echo " Response: $response" fi # Test 3: NGINX upstream servers echo "" echo "3. Testing /nginx/settings/searchUpstreamServer..." response=$(api_request "GET" "/nginx/settings/searchUpstreamServer") if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ NGINX Upstream Server API: OK" local count count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?") echo " Found ${count} Upstream Server(s)" else echo " ✗ NGINX Upstream Server API: FAILED" echo " Response: $response" fi # Test 4: Trust/Certificates (optional) echo "" echo "4. Testing /trust/cert/search (optional)..." response=$(api_request "GET" "/trust/cert/search") if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then echo " ✓ Trust/Cert API: OK" else local status status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown") if [[ "$status" == "403" ]]; then echo " ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)" echo " Note: You can still use --certificate-uuid to specify the certificate manually" else echo " ✗ Trust/Cert API: FAILED" echo " Response: $response" fi fi echo "" echo "Connection test complete." return 0 } # List available certificates list_certificates() { info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..." local response response=$(api_request "GET" "/trust/cert/search") echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):" echo "============================================================" echo "$response" | python3 -c " import json, sys try: data = json.load(sys.stdin) rows = data.get('rows', []) if not rows: print('No certificates found.') print('Raw response:', data) for row in rows: uuid = row.get('uuid', 'N/A') descr = row.get('descr', 'N/A') cn = row.get('cn', 'N/A') print(f'UUID: {uuid}') print(f' Description: {descr}') print(f' Common Name: {cn}') print() except Exception as e: print(f'Error parsing response: {e}', file=sys.stderr) print(f'Raw response: {sys.stdin.read()}', file=sys.stderr) sys.exit(1) " 2>&1 } # ============================================================================= # Handle special commands first (before validation) # ============================================================================= if [[ "$TEST_CONNECTION" == "1" ]]; then test_connection exit $? fi if [[ "$LIST_CERTIFICATES" == "1" ]]; then list_certificates exit 0 fi # ============================================================================= # Validation (nur für Proxy-Setup) # ============================================================================= [[ -n "$CTID" ]] || die "--ctid is required" [[ -n "$HOSTNAME" ]] || die "--hostname is required" [[ -n "$FQDN" ]] || die "--fqdn is required" [[ -n "$BACKEND_IP" ]] || die "--backend-ip is required" info "Script Version: ${SCRIPT_VERSION}" info "Configuration:" info " CTID: ${CTID}" info " Hostname: ${HOSTNAME}" info " FQDN: ${FQDN}" info " Backend: ${BACKEND_IP}:${BACKEND_PORT}" info " OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}" info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}" # ============================================================================= # NGINX Configuration Steps # ============================================================================= # Step 1: Create or update Upstream Server create_upstream_server() { local description="$1" local server_ip="$2" local server_port="$3" info "Step 1: Creating Upstream Server..." # Check if upstream server already exists local existing_uuid existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}") # Note: OPNsense API expects specific values # no_use: empty string means "use this server" (not "0") local data data=$(cat </dev/null || true) fi info "Upstream Server UUID: ${existing_uuid}" echo "$existing_uuid" } # Step 2: Create or update Upstream create_upstream() { local description="$1" local server_uuid="$2" info "Step 2: Creating Upstream..." # Check if upstream already exists local existing_uuid existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}") local data data=$(cat </dev/null || true) fi info "Upstream UUID: ${existing_uuid}" echo "$existing_uuid" } # Step 3: Create or update Location create_location() { local description="$1" local upstream_uuid="$2" info "Step 3: Creating Location..." # Check if location already exists local existing_uuid existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}") local data data=$(cat </dev/null || true) fi info "Location UUID: ${existing_uuid}" echo "$existing_uuid" } # Step 4: Create or update HTTP Server create_http_server() { local description="$1" local server_name="$2" local location_uuid="$3" local cert_uuid="$4" info "Step 4: Creating HTTP Server..." # Check if HTTP server already exists (by servername, not description) local existing_uuid existing_uuid=$(search_http_server_by_servername "${server_name}") # Determine certificate configuration local cert_config="" local acme_config="0" if [[ -n "$cert_uuid" ]]; then cert_config="\"certificate\": \"${cert_uuid}\"," acme_config="0" info "Using existing certificate: ${cert_uuid}" else cert_config="\"certificate\": \"\"," acme_config="1" info "Using ACME/Let's Encrypt for certificate" fi # HTTP Server configuration # Note: API uses "httpserver" not "http_server" # Required fields based on API schema # listen_http_address: "80" and listen_https_address: "443" for standard ports local data if [[ -n "$cert_uuid" ]]; then data=$(cat </dev/null || true) fi info "HTTP Server UUID: ${existing_uuid}" echo "$existing_uuid" } # Step 5: Apply configuration apply_config() { info "Step 5: Applying NGINX configuration..." local response response=$(api_request "POST" "/nginx/service/reconfigure" "{}") info "Reconfigure response: ${response}" # Check if successful local status status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown") if [[ "$status" == "ok" ]]; then info "NGINX configuration applied successfully" return 0 else warn "NGINX reconfigure status: ${status}" return 1 fi } # ============================================================================= # Main # ============================================================================= main() { info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..." # Use CTID as description for all components local description="${CTID}" # Step 1: Create Upstream Server local upstream_server_uuid upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}") [[ -n "$upstream_server_uuid" ]] || die "Failed to create Upstream Server" # Step 2: Create Upstream local upstream_uuid upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}") [[ -n "$upstream_uuid" ]] || die "Failed to create Upstream" # Step 3: Create Location local location_uuid location_uuid=$(create_location "${description}" "${upstream_uuid}") [[ -n "$location_uuid" ]] || die "Failed to create Location" # Auto-detect certificate if not provided local cert_uuid="${CERTIFICATE_UUID}" if [[ -z "$cert_uuid" ]]; then info "Auto-detecting wildcard certificate for userman.de..." cert_uuid=$(find_certificate_by_cn "userman.de") if [[ -n "$cert_uuid" ]]; then info "Found certificate: ${cert_uuid}" else warn "No wildcard certificate found, will use ACME/Let's Encrypt" fi fi # Step 4: Create HTTP Server local http_server_uuid http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}") [[ -n "$http_server_uuid" ]] || die "Failed to create HTTP Server" # Step 5: Apply configuration apply_config || warn "Configuration may need manual verification" # Output result as JSON local result result=$(cat </dev/null || echo "$result" fi } main