nginx-proxy-manager/backend/internal/nginx.js

const _                       = require('lodash');
const fs                      = require('fs');
const logger                  = require('../logger').nginx;
const utils                   = require('../lib/utils');
const error                   = require('../lib/error');
const { Liquid }              = require('liquidjs');
const passthroughHostModel    = require('../models/ssl_passthrough_host');
const debug_mode              = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG;

const internalNginx = {

	/**
	 * This will:
	 * - test the nginx config first to make sure it's OK
	 * - create / recreate the config for the host
	 * - test again
	 * - IF OK:  update the meta with online status
	 * - IF BAD: update the meta with offline status and remove the config entirely
	 * - then reload nginx
	 *
	 * @param   {Object|String}  model
	 * @param   {String}         host_type
	 * @param   {Object}         host
	 * @returns {Promise}
	 */
	configure: (model, host_type, host) => {
		let combined_meta = {};

		return internalNginx.test()
			.then(() => {
				// Nginx is OK
				// We're deleting this config regardless.
				return internalNginx.deleteConfig(host_type, host); // Don't throw errors, as the file may not exist at all
			})
			.then(() => {
				return internalNginx.generateConfig(host_type, host);
			})
			.then(() => {
				// Test nginx again and update meta with result
				return internalNginx.test()
					.then(() => {
						// nginx is ok
						combined_meta = _.assign({}, host.meta, {
							nginx_online: true,
							nginx_err:    null
						});

						if(host_type === 'ssl_passthrough_host'){
							return passthroughHostModel
								.query()
								.patch({
									meta: combined_meta
								});
						}

						return model
							.query()
							.where('id', host.id)
							.patch({
								meta: combined_meta
							});
						
					})
					.catch((err) => {
						// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
						// It will always look like this:
						//   nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)

						let valid_lines = [];
						let err_lines   = err.message.split('\n');
						err_lines.map(function (line) {
							if (line.indexOf('/var/log/nginx/error.log') === -1) {
								valid_lines.push(line);
							}
						});

						if (debug_mode) {
							logger.error('Nginx test failed:', valid_lines.join('\n'));
						}

						// config is bad, update meta and delete config
						combined_meta = _.assign({}, host.meta, {
							nginx_online: false,
							nginx_err:    valid_lines.join('\n')
						});

						return model
							.query()
							.where('id', host.id)
							.patch({
								meta: combined_meta
							})
							.then(() => {
								return internalNginx.deleteConfig(host_type, host, true);
							});
					});
			})
			.then(() => {
				return internalNginx.reload();
			})
			.then(() => {
				return combined_meta;
			});
	},

	/**
	 * @returns {Promise}
	 */
	test: () => {
		if (debug_mode) {
			logger.info('Testing Nginx configuration');
		}

		return utils.exec('/usr/sbin/nginx -t -g "error_log off;"');
	},

	/**
	 * @returns {Promise}
	 */
	reload: () => {
		return internalNginx.test()
			.then(() => {
				logger.info('Reloading Nginx');
				return utils.exec('/usr/sbin/nginx -s reload');
			});
	},

	/**
	 * @param   {String}  host_type
	 * @param   {Integer} host_id
	 * @returns {String}
	 */
	getConfigName: (host_type, host_id) => {
		host_type = host_type.replace(new RegExp('-', 'g'), '_');

		if (host_type === 'default') {
			return '/data/nginx/default_host/site.conf';
		} else if (host_type === 'ssl_passthrough_host') {
			return '/data/nginx/ssl_passthrough_host/hosts.conf';
		}

		return '/data/nginx/' + host_type + '/' + host_id + '.conf';
	},

	/**
	 * Generates custom locations
	 * @param   {Object}  host
	 * @returns {Promise}
	 */
	renderLocations: (host) => {

		//logger.info('host = ' + JSON.stringify(host, null, 2));
		return new Promise((resolve, reject) => {
			let template;

			try {
				template = fs.readFileSync(__dirname + '/../templates/_location.conf', {encoding: 'utf8'});
			} catch (err) {
				reject(new error.ConfigurationError(err.message));
				return;
			}

			let renderer          = new Liquid({
				root: __dirname + '/../templates/'
			});
			let renderedLocations = '';

			const locationRendering = async () => {
				for (let i = 0; i < host.locations.length; i++) {
					let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, 
						{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
						{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
						{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
						{certificate: host.certificate}, host.locations[i]);
			
					if (locationCopy.forward_host.indexOf('/') > -1) {
						const splitted = locationCopy.forward_host.split('/');

						locationCopy.forward_host = splitted.shift();
						locationCopy.forward_path = `/${splitted.join('/')}`;
					}

					//logger.info('locationCopy = ' + JSON.stringify(locationCopy, null, 2));

					// eslint-disable-next-line
					renderedLocations += await renderer.parseAndRender(template, locationCopy);
				}

			};

			locationRendering().then(() => resolve(renderedLocations));
			
		});
	},

	/**
	 * @param   {String}  host_type
	 * @param   {Object}  host
	 * @returns {Promise}
	 */
	generateConfig: (host_type, host) => {
		host_type = host_type.replace(new RegExp('-', 'g'), '_');

		if (debug_mode) {
			logger.info('Generating ' + host_type + ' Config:', host);
		}

		// logger.info('host = ' + JSON.stringify(host, null, 2));

		let renderEngine = new Liquid({
			root: __dirname + '/../templates/'
		});

		return new Promise(async (resolve, reject) => {
			let template = null;
			let filename = internalNginx.getConfigName(host_type, host.id);

			try {
				template = fs.readFileSync(__dirname + '/../templates/' + host_type + '.conf', {encoding: 'utf8'});
			} catch (err) {
				reject(new error.ConfigurationError(err.message));
				return;
			}

			let locationsPromise;
			let origLocations;

			// Manipulate the data a bit before sending it to the template
			if (host_type === 'ssl_passthrough_host') {
				if(internalNginx.sslPassthroughEnabled()){
					const allHosts = await passthroughHostModel
						.query()
						.where('is_deleted', 0)
						.groupBy('id')
						.omit(['is_deleted']);
					host = {
						all_passthrough_hosts: allHosts.map((host) => {
							// Replace dots in domain
							host.forwarding_host = internalNginx.addIpv6Brackets(host.forwarding_host);
							return host;
						}),
					}
				} else {
					internalNginx.deleteConfig(host_type, host)
				}
				
			} else if (host_type !== 'default') {
				host.use_default_location = true;
				if (typeof host.advanced_config !== 'undefined' && host.advanced_config) {
					host.use_default_location = !internalNginx.advancedConfigHasDefaultLocation(host.advanced_config);
				}
			}

			if (host.locations) {
				//logger.info ('host.locations = ' + JSON.stringify(host.locations, null, 2));
				origLocations    = [].concat(host.locations);
				locationsPromise = internalNginx.renderLocations(host).then((renderedLocations) => {
					host.locations = renderedLocations;
				});

				// Allow someone who is using / custom location path to use it, and skip the default / location
				_.map(host.locations, (location) => {
					if (location.path === '/') {
						host.use_default_location = false;
					}
				});

			} else {
				locationsPromise = Promise.resolve();
			}

			// Set the IPv6 setting for the host
			host.ipv6 = internalNginx.ipv6Enabled();

			locationsPromise.then(() => {
				renderEngine
					.parseAndRender(template, host)
					.then((config_text) => {
						fs.writeFileSync(filename, config_text, {encoding: 'utf8'});

						if (debug_mode) {
							logger.success('Wrote config:', filename, config_text);
						}

						// Restore locations array
						host.locations = origLocations;

						resolve(true);
					})
					.catch((err) => {
						if (debug_mode) {
							logger.warn('Could not write ' + filename + ':', err.message);
						}

						reject(new error.ConfigurationError(err.message));
					});
			});
		});
	},

	/**
	 * This generates a temporary nginx config listening on port 80 for the domain names listed
	 * in the certificate setup. It allows the letsencrypt acme challenge to be requested by letsencrypt
	 * when requesting a certificate without having a hostname set up already.
	 *
	 * @param   {Object}  certificate
	 * @returns {Promise}
	 */
	generateLetsEncryptRequestConfig: (certificate) => {
		if (debug_mode) {
			logger.info('Generating LetsEncrypt Request Config:', certificate);
		}

		let renderEngine = new Liquid({
			root: __dirname + '/../templates/'
		});

		return new Promise((resolve, reject) => {
			let template = null;
			let filename = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';

			try {
				template = fs.readFileSync(__dirname + '/../templates/letsencrypt-request.conf', {encoding: 'utf8'});
			} catch (err) {
				reject(new error.ConfigurationError(err.message));
				return;
			}

			certificate.ipv6 = internalNginx.ipv6Enabled();

			renderEngine
				.parseAndRender(template, certificate)
				.then((config_text) => {
					fs.writeFileSync(filename, config_text, {encoding: 'utf8'});

					if (debug_mode) {
						logger.success('Wrote config:', filename, config_text);
					}

					resolve(true);
				})
				.catch((err) => {
					if (debug_mode) {
						logger.warn('Could not write ' + filename + ':', err.message);
					}

					reject(new error.ConfigurationError(err.message));
				});
		});
	},

	/**
	 * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
	 *
	 * @param   {Object}  certificate
	 * @param   {Boolean} [throw_errors]
	 * @returns {Promise}
	 */
	deleteLetsEncryptRequestConfig: (certificate, throw_errors) => {
		return new Promise((resolve, reject) => {
			try {
				let config_file = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';

				if (debug_mode) {
					logger.warn('Deleting nginx config: ' + config_file);
				}

				fs.unlinkSync(config_file);
			} catch (err) {
				if (debug_mode) {
					logger.warn('Could not delete config:', err.message);
				}

				if (throw_errors) {
					reject(err);
				}
			}

			resolve();
		});
	},

	/**
	 * @param   {String}  host_type
	 * @param   {Object}  [host]
	 * @param   {Boolean} [throw_errors]
	 * @returns {Promise}
	 */
	deleteConfig: (host_type, host, throw_errors) => {
		host_type = host_type.replace(new RegExp('-', 'g'), '_');

		return new Promise((resolve, reject) => {
			try {
				let config_file = internalNginx.getConfigName(host_type, typeof host === 'undefined' ? 0 : host.id);

				if (debug_mode) {
					logger.warn('Deleting nginx config: ' + config_file);
				}

				fs.unlinkSync(config_file);
			} catch (err) {
				if (debug_mode) {
					logger.warn('Could not delete config:', err.message);
				}

				if (throw_errors) {
					reject(err);
				}
			}

			resolve();
		});
	},

	/**
	 * @param   {String}  host_type
	 * @param   {Array}   hosts
	 * @returns {Promise}
	 */
	bulkGenerateConfigs: (host_type, hosts) => {
		let promises = [];
		hosts.map(function (host) {
			promises.push(internalNginx.generateConfig(host_type, host));
		});

		return Promise.all(promises);
	},

	/**
	 * @param   {String}  host_type
	 * @param   {Array}   hosts
	 * @param   {Boolean} [throw_errors]
	 * @returns {Promise}
	 */
	bulkDeleteConfigs: (host_type, hosts, throw_errors) => {
		let promises = [];
		hosts.map(function (host) {
			promises.push(internalNginx.deleteConfig(host_type, host, throw_errors));
		});

		return Promise.all(promises);
	},

	/**
	 * @param   {string}  config
	 * @returns {boolean}
	 */
	advancedConfigHasDefaultLocation: function (config) {
		return !!config.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im);
	},

	/**
	 * @returns {boolean}
	 */
	ipv6Enabled: function () {
		if (typeof process.env.DISABLE_IPV6 !== 'undefined') {
			const disabled = process.env.DISABLE_IPV6.toLowerCase();
			return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes');
		}

		return true;
	},

	/**
	 * @returns {boolean}
	 */
	sslPassthroughEnabled: function () {
		if (typeof process.env.ENABLE_SSL_PASSTHROUGH !== 'undefined') {
			const enabled = process.env.ENABLE_SSL_PASSTHROUGH.toLowerCase();
			return (enabled === 'on' || enabled === 'true' || enabled === '1' || enabled === 'yes');
		}

		return true;
	},

	/**
	 * Helper function to add brackets to an IP if it is IPv6
	 * @returns {string}
	 */
	 addIpv6Brackets: function (ip) {
		// Only run check if ipv6 is enabled
		if (internalNginx.ipv6Enabled()) {
			const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/gi;
			if(ipv6Regex.test(ip)){
				return `[${ip}]`
			}
		}
		return ip;
	}
};

module.exports = internalNginx;