553 lines
16 KiB
Bash
Executable File
553 lines
16 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -Eeuo pipefail
|
|
|
|
# =============================================================================
|
|
# OPNsense NGINX Reverse Proxy Setup Script
|
|
# =============================================================================
|
|
# Dieses Script konfiguriert einen NGINX Reverse Proxy auf OPNsense
|
|
# für eine neue n8n-Instanz über die OPNsense API.
|
|
# =============================================================================
|
|
|
|
# Debug mode: 0 = nur JSON, 1 = Logs auf stderr
|
|
DEBUG="${DEBUG:-0}"
|
|
export DEBUG
|
|
|
|
# Logging functions
|
|
log_ts() { date "+[%F %T]"; }
|
|
info() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) INFO: $*" >&2; return 0; }
|
|
warn() { [[ "$DEBUG" == "1" ]] && echo "$(log_ts) WARN: $*" >&2; return 0; }
|
|
die() {
|
|
if [[ "$DEBUG" == "1" ]]; then
|
|
echo "$(log_ts) ERROR: $*" >&2
|
|
else
|
|
echo "{\"error\": \"$*\"}"
|
|
fi
|
|
exit 1
|
|
}
|
|
|
|
# =============================================================================
|
|
# Configuration
|
|
# =============================================================================
|
|
OPNSENSE_HOST="${OPNSENSE_HOST:-mediametzkabel.metz.tech}"
|
|
OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
|
|
OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"
|
|
|
|
# Wildcard-Zertifikat UUID (muss in OPNsense nachgeschlagen werden)
|
|
# Kann über --certificate-uuid oder Umgebungsvariable gesetzt werden
|
|
CERTIFICATE_UUID="${CERTIFICATE_UUID:-}"
|
|
|
|
# API Base URL
|
|
API_BASE="https://${OPNSENSE_HOST}/api"
|
|
|
|
# =============================================================================
|
|
# Usage
|
|
# =============================================================================
|
|
usage() {
|
|
cat >&2 <<'EOF'
|
|
Usage:
|
|
bash setup_nginx_proxy.sh [options]
|
|
|
|
Required options:
|
|
--ctid <id> Container ID (used as description)
|
|
--hostname <name> Hostname (e.g., sb-1768736636)
|
|
--fqdn <domain> Full domain name (e.g., sb-1768736636.userman.de)
|
|
--backend-ip <ip> Backend IP address (e.g., 192.168.45.135)
|
|
--backend-port <port> Backend port (default: 5678)
|
|
|
|
Optional:
|
|
--opnsense-host <host> OPNsense hostname (default: mediametzkabel.metz.tech)
|
|
--certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
|
|
--list-certificates List available certificates and exit
|
|
--debug Enable debug mode
|
|
--help Show this help
|
|
|
|
Example:
|
|
bash setup_nginx_proxy.sh --ctid 768736636 --hostname sb-1768736636 \
|
|
--fqdn sb-1768736636.userman.de --backend-ip 192.168.45.135
|
|
EOF
|
|
}
|
|
|
|
# =============================================================================
|
|
# Default values
|
|
# =============================================================================
|
|
CTID=""
|
|
HOSTNAME=""
|
|
FQDN=""
|
|
BACKEND_IP=""
|
|
BACKEND_PORT="5678"
|
|
LIST_CERTIFICATES="0"
|
|
|
|
# =============================================================================
|
|
# Argument parsing
|
|
# =============================================================================
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--ctid) CTID="${2:-}"; shift 2 ;;
|
|
--hostname) HOSTNAME="${2:-}"; shift 2 ;;
|
|
--fqdn) FQDN="${2:-}"; shift 2 ;;
|
|
--backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
|
|
--backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
|
|
--opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
|
|
--certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
|
|
--list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
|
|
--debug) DEBUG="1"; export DEBUG; shift 1 ;;
|
|
--help|-h) usage; exit 0 ;;
|
|
*) die "Unknown option: $1 (use --help)" ;;
|
|
esac
|
|
done
|
|
|
|
# =============================================================================
|
|
# List Certificates Function
|
|
# =============================================================================
|
|
list_certificates() {
|
|
info "Fetching available certificates from OPNsense..."
|
|
|
|
local response
|
|
response=$(api_request "GET" "/trust/cert/search")
|
|
|
|
echo "Available SSL Certificates in OPNsense:"
|
|
echo "========================================"
|
|
echo "$response" | python3 -c "
|
|
import json, sys
|
|
try:
|
|
data = json.load(sys.stdin)
|
|
rows = data.get('rows', [])
|
|
for row in rows:
|
|
uuid = row.get('uuid', 'N/A')
|
|
descr = row.get('descr', 'N/A')
|
|
cn = row.get('cn', 'N/A')
|
|
print(f'UUID: {uuid}')
|
|
print(f' Description: {descr}')
|
|
print(f' Common Name: {cn}')
|
|
print()
|
|
except Exception as e:
|
|
print(f'Error parsing response: {e}', file=sys.stderr)
|
|
print('Raw response:', file=sys.stderr)
|
|
sys.exit(1)
|
|
" 2>&1
|
|
}
|
|
|
|
# =============================================================================
|
|
# Validation
|
|
# =============================================================================
|
|
|
|
# Handle --list-certificates first
|
|
if [[ "$LIST_CERTIFICATES" == "1" ]]; then
|
|
list_certificates
|
|
exit 0
|
|
fi
|
|
|
|
[[ -n "$CTID" ]] || die "--ctid is required"
|
|
[[ -n "$HOSTNAME" ]] || die "--hostname is required"
|
|
[[ -n "$FQDN" ]] || die "--fqdn is required"
|
|
[[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"
|
|
|
|
info "Configuration:"
|
|
info " CTID: ${CTID}"
|
|
info " Hostname: ${HOSTNAME}"
|
|
info " FQDN: ${FQDN}"
|
|
info " Backend: ${BACKEND_IP}:${BACKEND_PORT}"
|
|
info " OPNsense: ${OPNSENSE_HOST}"
|
|
info " Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"
|
|
|
|
# =============================================================================
|
|
# API Helper Functions
|
|
# =============================================================================
|
|
|
|
# Make API request to OPNsense
|
|
api_request() {
|
|
local method="$1"
|
|
local endpoint="$2"
|
|
local data="${3:-}"
|
|
|
|
local url="${API_BASE}${endpoint}"
|
|
local auth="${OPNSENSE_API_KEY}:${OPNSENSE_API_SECRET}"
|
|
|
|
info "API ${method} ${endpoint}"
|
|
|
|
local response
|
|
if [[ -n "$data" ]]; then
|
|
response=$(curl -s -k -X "${method}" \
|
|
-u "${auth}" \
|
|
-H "Content-Type: application/json" \
|
|
-d "${data}" \
|
|
"${url}" 2>&1)
|
|
else
|
|
response=$(curl -s -k -X "${method}" \
|
|
-u "${auth}" \
|
|
"${url}" 2>&1)
|
|
fi
|
|
|
|
echo "$response"
|
|
}
|
|
|
|
# Search for existing item by description
|
|
search_by_description() {
|
|
local endpoint="$1"
|
|
local description="$2"
|
|
|
|
local response
|
|
response=$(api_request "GET" "${endpoint}/search")
|
|
|
|
# Extract UUID where description matches
|
|
echo "$response" | python3 -c "
|
|
import json, sys
|
|
try:
|
|
data = json.load(sys.stdin)
|
|
rows = data.get('rows', [])
|
|
for row in rows:
|
|
if row.get('description', '') == '${description}':
|
|
print(row.get('uuid', ''))
|
|
sys.exit(0)
|
|
except:
|
|
pass
|
|
" 2>/dev/null || true
|
|
}
|
|
|
|
# Find certificate by Common Name (CN)
|
|
find_certificate_by_cn() {
|
|
local cn_pattern="$1"
|
|
|
|
local response
|
|
response=$(api_request "GET" "/trust/cert/search")
|
|
|
|
# Extract UUID where CN contains the pattern (for wildcard certs)
|
|
echo "$response" | python3 -c "
|
|
import json, sys
|
|
pattern = '${cn_pattern}'
|
|
try:
|
|
data = json.load(sys.stdin)
|
|
rows = data.get('rows', [])
|
|
for row in rows:
|
|
cn = row.get('cn', '')
|
|
descr = row.get('descr', '')
|
|
# Match wildcard or exact domain
|
|
if pattern in cn or pattern in descr or '*.' + pattern.split('.')[-2] + '.' + pattern.split('.')[-1] in cn:
|
|
print(row.get('uuid', ''))
|
|
sys.exit(0)
|
|
# Also check for wildcard pattern
|
|
if cn.startswith('*.') and pattern.endswith(cn[1:]):
|
|
print(row.get('uuid', ''))
|
|
sys.exit(0)
|
|
except:
|
|
pass
|
|
" 2>/dev/null || true
|
|
}
|
|
|
|
# =============================================================================
|
|
# NGINX Configuration Steps
|
|
# =============================================================================
|
|
|
|
# Step 1: Create or update Upstream Server
|
|
create_upstream_server() {
|
|
local description="$1"
|
|
local server_ip="$2"
|
|
local server_port="$3"
|
|
|
|
info "Step 1: Creating Upstream Server..."
|
|
|
|
# Check if upstream server already exists
|
|
local existing_uuid
|
|
existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}")
|
|
|
|
local data
|
|
data=$(cat <<EOF
|
|
{
|
|
"upstream_server": {
|
|
"description": "${description}",
|
|
"server": "${server_ip}",
|
|
"port": "${server_port}",
|
|
"priority": "1",
|
|
"max_conns": "",
|
|
"max_fails": "",
|
|
"fail_timeout": "",
|
|
"no_use": "0"
|
|
}
|
|
}
|
|
EOF
|
|
)
|
|
|
|
local response
|
|
if [[ -n "$existing_uuid" ]]; then
|
|
info "Upstream Server exists (UUID: ${existing_uuid}), updating..."
|
|
response=$(api_request "POST" "/nginx/settings/setUpstreamServer/${existing_uuid}" "$data")
|
|
else
|
|
info "Creating new Upstream Server..."
|
|
response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
|
|
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
|
|
fi
|
|
|
|
info "Upstream Server UUID: ${existing_uuid}"
|
|
echo "$existing_uuid"
|
|
}
|
|
|
|
# Step 2: Create or update Upstream
|
|
create_upstream() {
|
|
local description="$1"
|
|
local server_uuid="$2"
|
|
|
|
info "Step 2: Creating Upstream..."
|
|
|
|
# Check if upstream already exists
|
|
local existing_uuid
|
|
existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}")
|
|
|
|
local data
|
|
data=$(cat <<EOF
|
|
{
|
|
"upstream": {
|
|
"description": "${description}",
|
|
"serverentries": "${server_uuid}",
|
|
"load_balancing_algorithm": "",
|
|
"tls_enable": "0",
|
|
"tls_client_certificate": "",
|
|
"tls_name_override": "",
|
|
"tls_protocol_versions": "",
|
|
"tls_session_reuse": "1",
|
|
"tls_trusted_certificate": ""
|
|
}
|
|
}
|
|
EOF
|
|
)
|
|
|
|
local response
|
|
if [[ -n "$existing_uuid" ]]; then
|
|
info "Upstream exists (UUID: ${existing_uuid}), updating..."
|
|
response=$(api_request "POST" "/nginx/settings/setUpstream/${existing_uuid}" "$data")
|
|
else
|
|
info "Creating new Upstream..."
|
|
response=$(api_request "POST" "/nginx/settings/addUpstream" "$data")
|
|
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
|
|
fi
|
|
|
|
info "Upstream UUID: ${existing_uuid}"
|
|
echo "$existing_uuid"
|
|
}
|
|
|
|
# Step 3: Create or update Location
|
|
create_location() {
|
|
local description="$1"
|
|
local upstream_uuid="$2"
|
|
|
|
info "Step 3: Creating Location..."
|
|
|
|
# Check if location already exists
|
|
local existing_uuid
|
|
existing_uuid=$(search_by_description "/nginx/settings/location" "${description}")
|
|
|
|
local data
|
|
data=$(cat <<EOF
|
|
{
|
|
"location": {
|
|
"description": "${description}",
|
|
"urlpattern": "/",
|
|
"matchtype": "",
|
|
"enable_secrules": "0",
|
|
"enable_learning_mode": "0",
|
|
"xss_block_score": "",
|
|
"sqli_block_score": "",
|
|
"custom_policy": "",
|
|
"rewrites": "",
|
|
"upstream": "${upstream_uuid}",
|
|
"path_prefix": "",
|
|
"websocket": "1",
|
|
"php_enable": "0",
|
|
"php_override": "",
|
|
"advanced_acl": "0",
|
|
"force_https": "1",
|
|
"honeypot": "0",
|
|
"http_cache": "0",
|
|
"http_cache_validity": "",
|
|
"authbasic": "0",
|
|
"authbasicuserfile": "",
|
|
"satisfy": "",
|
|
"naxsi_rules": "",
|
|
"limit_request_connections": "",
|
|
"limit_request_connections_burst": "",
|
|
"limit_request_connections_nodelay": "0"
|
|
}
|
|
}
|
|
EOF
|
|
)
|
|
|
|
local response
|
|
if [[ -n "$existing_uuid" ]]; then
|
|
info "Location exists (UUID: ${existing_uuid}), updating..."
|
|
response=$(api_request "POST" "/nginx/settings/setLocation/${existing_uuid}" "$data")
|
|
else
|
|
info "Creating new Location..."
|
|
response=$(api_request "POST" "/nginx/settings/addLocation" "$data")
|
|
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
|
|
fi
|
|
|
|
info "Location UUID: ${existing_uuid}"
|
|
echo "$existing_uuid"
|
|
}
|
|
|
|
# Step 4: Create or update HTTP Server
|
|
create_http_server() {
|
|
local description="$1"
|
|
local server_name="$2"
|
|
local location_uuid="$3"
|
|
local cert_uuid="$4"
|
|
|
|
info "Step 4: Creating HTTP Server..."
|
|
|
|
# Check if HTTP server already exists
|
|
local existing_uuid
|
|
existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}")
|
|
|
|
# Determine certificate configuration
|
|
local cert_config=""
|
|
local acme_config="0"
|
|
|
|
if [[ -n "$cert_uuid" ]]; then
|
|
cert_config="\"certificate\": \"${cert_uuid}\","
|
|
acme_config="0"
|
|
info "Using existing certificate: ${cert_uuid}"
|
|
else
|
|
cert_config="\"certificate\": \"\","
|
|
acme_config="1"
|
|
info "Using ACME/Let's Encrypt for certificate"
|
|
fi
|
|
|
|
local data
|
|
data=$(cat <<EOF
|
|
{
|
|
"http_server": {
|
|
"description": "${description}",
|
|
"servername": "${server_name}",
|
|
"listen_http_address": "",
|
|
"listen_http_port": "",
|
|
"listen_https_address": "",
|
|
"listen_https_port": "443",
|
|
"locations": "${location_uuid}",
|
|
"rewrites": "",
|
|
"root": "",
|
|
${cert_config}
|
|
"ca": "",
|
|
"verify_client": "",
|
|
"access_log_format": "",
|
|
"enable_acme_plugin": "${acme_config}",
|
|
"charset": "",
|
|
"https_only": "1",
|
|
"block_nonpublic_data": "0",
|
|
"naxsi_extensive_log": "0",
|
|
"sendfile": "1",
|
|
"security_header": "",
|
|
"limit_request_connections": "",
|
|
"limit_request_connections_burst": "",
|
|
"limit_request_connections_nodelay": "0"
|
|
}
|
|
}
|
|
EOF
|
|
)
|
|
|
|
local response
|
|
if [[ -n "$existing_uuid" ]]; then
|
|
info "HTTP Server exists (UUID: ${existing_uuid}), updating..."
|
|
response=$(api_request "POST" "/nginx/settings/setHttpServer/${existing_uuid}" "$data")
|
|
else
|
|
info "Creating new HTTP Server..."
|
|
response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
|
|
existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
|
|
fi
|
|
|
|
info "HTTP Server UUID: ${existing_uuid}"
|
|
echo "$existing_uuid"
|
|
}
|
|
|
|
# Step 5: Apply configuration
|
|
apply_config() {
|
|
info "Step 5: Applying NGINX configuration..."
|
|
|
|
local response
|
|
response=$(api_request "POST" "/nginx/service/reconfigure" "{}")
|
|
|
|
info "Reconfigure response: ${response}"
|
|
|
|
# Check if successful
|
|
local status
|
|
status=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")
|
|
|
|
if [[ "$status" == "ok" ]]; then
|
|
info "NGINX configuration applied successfully"
|
|
return 0
|
|
else
|
|
warn "NGINX reconfigure status: ${status}"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# =============================================================================
|
|
# Main
|
|
# =============================================================================
|
|
main() {
|
|
info "Starting NGINX Reverse Proxy setup for CTID ${CTID}..."
|
|
|
|
# Use CTID as description for all components
|
|
local description="${CTID}"
|
|
|
|
# Step 1: Create Upstream Server
|
|
local upstream_server_uuid
|
|
upstream_server_uuid=$(create_upstream_server "${description}" "${BACKEND_IP}" "${BACKEND_PORT}")
|
|
[[ -n "$upstream_server_uuid" ]] || die "Failed to create Upstream Server"
|
|
|
|
# Step 2: Create Upstream
|
|
local upstream_uuid
|
|
upstream_uuid=$(create_upstream "${description}" "${upstream_server_uuid}")
|
|
[[ -n "$upstream_uuid" ]] || die "Failed to create Upstream"
|
|
|
|
# Step 3: Create Location
|
|
local location_uuid
|
|
location_uuid=$(create_location "${description}" "${upstream_uuid}")
|
|
[[ -n "$location_uuid" ]] || die "Failed to create Location"
|
|
|
|
# Auto-detect certificate if not provided
|
|
local cert_uuid="${CERTIFICATE_UUID}"
|
|
if [[ -z "$cert_uuid" ]]; then
|
|
info "Auto-detecting wildcard certificate for userman.de..."
|
|
cert_uuid=$(find_certificate_by_cn "userman.de")
|
|
if [[ -n "$cert_uuid" ]]; then
|
|
info "Found certificate: ${cert_uuid}"
|
|
else
|
|
warn "No wildcard certificate found, will use ACME/Let's Encrypt"
|
|
fi
|
|
fi
|
|
|
|
# Step 4: Create HTTP Server
|
|
local http_server_uuid
|
|
http_server_uuid=$(create_http_server "${description}" "${FQDN}" "${location_uuid}" "${cert_uuid}")
|
|
[[ -n "$http_server_uuid" ]] || die "Failed to create HTTP Server"
|
|
|
|
# Step 5: Apply configuration
|
|
apply_config || warn "Configuration may need manual verification"
|
|
|
|
# Output result as JSON
|
|
local result
|
|
result=$(cat <<EOF
|
|
{
|
|
"success": true,
|
|
"ctid": "${CTID}",
|
|
"fqdn": "${FQDN}",
|
|
"backend": "${BACKEND_IP}:${BACKEND_PORT}",
|
|
"nginx": {
|
|
"upstream_server_uuid": "${upstream_server_uuid}",
|
|
"upstream_uuid": "${upstream_uuid}",
|
|
"location_uuid": "${location_uuid}",
|
|
"http_server_uuid": "${http_server_uuid}"
|
|
}
|
|
}
|
|
EOF
|
|
)
|
|
|
|
if [[ "$DEBUG" == "1" ]]; then
|
|
echo "$result"
|
|
else
|
|
# Compact JSON
|
|
echo "$result" | python3 -c "import json,sys; print(json.dumps(json.load(sys.stdin)))" 2>/dev/null || echo "$result"
|
|
fi
|
|
}
|
|
|
|
main
|