VibeCoding: Anmeldung für manche Services nötig

This commit is contained in:
chk
2026-03-21 13:12:16 +01:00
parent c2a2f7c37d
commit 5c6ea53bd4
5 changed files with 34 additions and 32 deletions


@@ -24,7 +24,6 @@ if [ ! -f "$FWD_FILE" ]; then
fi
# 1) Globale HTTP-Kontext-Map + Resolver (idempotent)
# >>> CHANGE: Resolver NICHT hardcoden. Dynamisch aus /etc/resolv.conf ableiten, Fallback 127.0.0.11
RESOLVERS="$(awk '/^nameserver/{print $2}' /etc/resolv.conf | xargs || true)"
if [ -n "${RESOLVERS:-}" ]; then
RESOLVER_LINE="resolver $RESOLVERS ipv6=off valid=30s;"
@@ -40,7 +39,6 @@ map \$http_upgrade \$connection_upgrade {
}
$RESOLVER_LINE
NGINX
# <<< END CHANGE
# 2) Alte generierte Confs entfernen
rm -f "$CONF_DIR/"*"$HTTPS_SUFFIX" 2>/dev/null || true
@@ -50,12 +48,10 @@ rm -f "$CONF_DIR/"*"$HTTP_REDIRECT_SUFFIX" 2>/dev/null || true
LINE_NO=0
while IFS= read -r RAW || [ -n "$RAW" ]; do
LINE_NO=$((LINE_NO+1))
# trim + CR entfernen
LINE="$(printf '%s' "$RAW" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
[ -z "$LINE" ] && continue
case "$LINE" in \#*) continue;; esac
# Spalten splitten (mindestens 2 erforderlich)
set -- $LINE
SERVER_NAME="${1:-}"
UPSTREAM_URL="${2:-}"
@@ -64,6 +60,7 @@ while IFS= read -r RAW || [ -n "$RAW" ]; do
VERIFY_TLS="${5:-false}"
CERT_DOMAIN="${6:-$SERVER_NAME}"
LISTEN_PORT="${7:-443}"
AUTH_REQUIRED="${8:-false}"
if [ -z "$SERVER_NAME" ] || [ -z "$UPSTREAM_URL" ]; then
echo "[connect-proxies] WARN(Line $LINE_NO): unvollständig -> $LINE"
@@ -76,23 +73,17 @@ while IFS= read -r RAW || [ -n "$RAW" ]; do
HTTPS_OUT="$CONF_DIR/${SERVER_NAME}-p${LISTEN_PORT}${HTTPS_SUFFIX}"
HTTP_REDIRECT_OUT="$CONF_DIR/${SERVER_NAME}${HTTP_REDIRECT_SUFFIX}"
# >>> NEW: Upstream normalisieren (Trailing Slash entfernen) + DNS-Check vorbereiten
SANITIZED_UPSTREAM="${UPSTREAM_URL%/}"
DNS_OK="true"
SCHEME=""; HOST=""; PORT=""
if [ "$SANITIZED_UPSTREAM" != "local" ]; then
case "$SANITIZED_UPSTREAM" in
http://*)
URI="${SANITIZED_UPSTREAM#http://}"; SCHEME="http"; DEFAULT_PORT="80"
;;
https://*)
URI="${SANITIZED_UPSTREAM#https://}"; SCHEME="https"; DEFAULT_PORT="443"
;;
http://*) URI="${SANITIZED_UPSTREAM#http://}"; SCHEME="http"; DEFAULT_PORT="80";;
https://*) URI="${SANITIZED_UPSTREAM#https://}"; SCHEME="https"; DEFAULT_PORT="443";;
*)
echo "[connect-proxies] WARN(Line $LINE_NO): $SERVER_NAME upstream_url ungültig: '$UPSTREAM_URL' überspringe."
continue
;;
continue;;
esac
HOSTPORT="${URI%%/*}"
HOST="${HOSTPORT%%:*}"
@@ -107,12 +98,26 @@ while IFS= read -r RAW || [ -n "$RAW" ]; do
DNS_OK="unknown"
fi
fi
# <<< END NEW
if [ -f "$FULLCHAIN" ] && [ -f "$PRIVKEY" ]; then
echo "[connect-proxies] [+] $SERVER_NAME: Zertifikat OK (cert_domain=$CERT_DOMAIN). Erzeuge 443 …"
# Fall A: local (statisch, kein proxy_pass)
# Auth-Block vorbereiten
AUTH_BLOCK=""
if [ "$AUTH_REQUIRED" = "true" ]; then
AUTH_BLOCK="
auth_request /auth;
location = /auth {
proxy_pass http://appserverauth:3000/internal/auth;
proxy_pass_request_body off;
proxy_set_header Content-Length \"\";
proxy_set_header X-Original-URI \$request_uri;
proxy_set_header Host server.schooltech.ch;
proxy_set_header Cookie \$http_cookie;
}"
fi
# Fall A: local (statisch, kein Proxy)
if [ "$SANITIZED_UPSTREAM" = "local" ]; then
cat > "$HTTPS_OUT" <<NGINX
# Auto-generated - 443 static site
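Review bot: The `location = /auth {` block written into AUTH_BLOCK lacks an `internal;` directive, so the auth endpoint is reachable by any client as an ordinary request instead of only through the `auth_request` subrequest; add `internal;` as the first line inside `location = /auth {`. Because `auth_request /auth;` is emitted at server level, every location of the generated 443 server inherits it, including the `/api/` proxy to appserverauth visible in the next hunk — if that path carries the login flow it will itself demand authentication, which is worth confirming before rollout. `auth_request` maps any backend status other than 2xx/401/403 to a 500, which the existing `error_page 502 503 504 = @service_down;` does not intercept, so an unreachable appserverauth surfaces as a raw 500 rather than the friendly page. Note also that AUTH_REQUIRED (hunk at -64) is only compared to the literal `true`, so any other spelling in the forwards file silently disables the check; a warning on unrecognised values would make that fail-closed in practice. The enclosing `while` loop and `if [ -f "$FULLCHAIN" ]` branch start and end outside this hunk.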
@@ -120,6 +125,7 @@ server {
listen ${LISTEN_PORT} ssl http2;
listen [::]:${LISTEN_PORT} ssl http2;
server_name $SERVER_NAME;
$AUTH_BLOCK
ssl_certificate $FULLCHAIN;
ssl_certificate_key $PRIVKEY;
@@ -132,7 +138,6 @@ server {
location /api/ {
proxy_pass http://appserverauth:3000/api/;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
@@ -146,9 +151,8 @@ server {
NGINX
else
# >>> NEW: Zwei Pfade DNS_OK=false => Placeholder; sonst Proxy mit Laufzeit-Resolver
# Proxy-Fall: DNS OK?
if [ "$DNS_OK" = "false" ]; then
# 443 Placeholder keine Proxy-Verbindung, saubere 503
cat > "$HTTPS_OUT" <<NGINX
# Auto-generated - 443 placeholder (DNS failed)
server {
@@ -169,13 +173,14 @@ server {
}
NGINX
else
# 443 Proxy DNS ok/unknown: Laufzeit-Auflösung + freundlicher 503 bei Downstreams
# Proxy mit Laufzeit-Auflösung
cat > "$HTTPS_OUT" <<NGINX
# Auto-generated - 443 reverse proxy
server {
listen ${LISTEN_PORT} ssl http2;
listen [::]:${LISTEN_PORT} ssl http2;
server_name $SERVER_NAME;
$AUTH_BLOCK
ssl_certificate $FULLCHAIN;
ssl_certificate_key $PRIVKEY;
@@ -183,12 +188,10 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Fehler sauber abfangen und 503 liefern (statt rohe 502/504)
proxy_intercept_errors on;
error_page 502 503 504 = @service_down;
location / {
# >>> CHANGE: variable proxy_pass -> DNS zur Laufzeit (verhindert nginx -t Crash)
set \$target $SANITIZED_UPSTREAM;
proxy_pass \$target;
@@ -239,14 +242,12 @@ NGINX
default_type text/html;
return 503 "<!doctype html><html><head><meta charset='utf-8'><title>Service temporarily unavailable</title></head><body style='font-family:sans-serif;margin:3rem'><h1>$server_name nicht erreichbar</h1><p>Der Dienst ist momentan nicht verfügbar. Bitte später erneut versuchen.</p></body></html>";
}
}
NGINX
fi
# <<< END NEW
fi
# 80->443 Redirect-Server nur, wenn gewünscht
# 80->443 Redirect-Server
if [ "$HTTP_BEHAVIOR" = "redirect" ]; then
cat > "$HTTP_REDIRECT_OUT" <<NGINX
# Auto-generated 80->443 redirect for $SERVER_NAME
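Review bot: `$server_name` in the `return 503 "…<h1>$server_name nicht erreichbar</h1>…"` line is inside an unquoted `<<NGINX` heredoc, so the shell expands it at generation time (empty unless a shell variable of that name exists, or a fatal unbound-variable error under `set -u`) instead of nginx substituting the host at request time; the other nginx variables in this file are escaped as `\$host` and `\$request_uri`, so this should read `\$server_name`. This is a context line the commit does not touch, unless the page rendering dropped the backslash. The `@service_down` location and the enclosing if/else chain start outside the hunk.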
@@ -255,7 +256,6 @@ server {
listen [::]:80;
server_name $SERVER_NAME;
# ACME-Ausnahme
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
default_type "text/plain; charset=utf-8";
@@ -267,7 +267,6 @@ server {
}
NGINX
else
# Sicherstellen, dass kein alter Redirect liegen bleibt
rm -f "$HTTP_REDIRECT_OUT" 2>/dev/null || true
fi