Refactor NGINX configuration and HA authentication

glances/Dockerfile

@@ -19,8 +19,6 @@ RUN \
         python3-dev=3.8.7-r0 \
     \
     && apk add --no-cache \
-        lua-resty-http=0.15-r0 \
-        nginx-mod-http-lua=1.18.0-r13 \
         nginx=1.18.0-r13 \
         py3-pip=20.3.3-r0 \
         python3=3.8.7-r0 \

glances/rootfs/etc/cont-init.d/nginx.sh

@@ -3,36 +3,25 @@
 # Home Assistant Community Add-on: SSH & Web Terminal
 # Configures NGINX for use with ttyd
 # ==============================================================================
-declare port
-declare certfile
-declare dns_host
-declare ingress_interface
-declare ingress_port
-declare keyfile
 
-port=$(bashio::addon.port 80)
-if bashio::var.has_value "${port}"; then
-    bashio::config.require.ssl
-
-    if bashio::config.true 'ssl'; then
-        certfile=$(bashio::config 'certfile')
-        keyfile=$(bashio::config 'keyfile')
-
-        mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
-        sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
-        sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf
-
-    else
-        mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
-    fi
+# Generate Ingress configuration
+bashio::var.json \
+    interface "$(bashio::addon.ip_address)" \
+    port "^$(bashio::addon.ingress_port)" \
+    | tempio \
+        -template /etc/nginx/templates/ingress.gtpl \
+        -out /etc/nginx/servers/ingress.conf
 
-    sed -i "s/%%port%%/${port}/g" /etc/nginx/servers/direct.conf
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 80)"; then
+    bashio::config.require.ssl
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        leave_front_door_open "^$(bashio::config 'leave_front_door_open')" \
+        port "^$(bashio::addon.port 80)" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
 fi
-
-ingress_port=$(bashio::addon.ingress_port)
-ingress_interface=$(bashio::addon.ip_address)
-sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
-sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
-
-dns_host=$(bashio::dns.host)
-sed -i "s/%%dns_host%%/${dns_host}/g" /etc/nginx/includes/resolver.conf

glances/rootfs/etc/nginx/nginx.conf

@@ -18,10 +18,6 @@ error_log /dev/stdout error;
 
 # Load allowed environment vars
 env SUPERVISOR_TOKEN;
-env DISABLE_HA_AUTHENTICATION;
-
-# Load dynamic modules.
-include /etc/nginx/modules/*.conf;
 
 # Max num of simultaneous connections by a worker process.
 events {
@@ -40,8 +36,6 @@ http {
     default_type            application/octet-stream;
     gzip                    on;
     keepalive_timeout       65;
-    lua_load_resty_core     off;
-    lua_shared_dict         auths 16k;
     sendfile                on;
     server_tokens           off;
     tcp_nodelay             on;
@@ -52,8 +46,6 @@ http {
         ''      close;
     }
 
-    include /etc/nginx/includes/resolver.conf;
     include /etc/nginx/includes/upstream.conf;
-
     include /etc/nginx/servers/*.conf;
 }

glances/rootfs/etc/nginx/servers/.gitkeep

@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

glances/rootfs/etc/nginx/templates/direct.gtpl

@@ -0,0 +1,36 @@
+server {
+    {{ if not .ssl }}
+    listen {{ .port }} default_server;
+    {{ else }}
+    listen {{ .port }} default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+    {{ end }}
+
+    {{ if not .leave_front_door_open }}
+    location = /authentication {
+        internal;
+        proxy_pass              http://supervisor/auth;
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+        proxy_set_header        X-Supervisor-Token "{{ env "SUPERVISOR_TOKEN" }}";
+    }
+    {{ end }}
+
+    location / {
+        {{ if not .leave_front_door_open }}
+        auth_request /authentication;
+        auth_request_set $auth_status $upstream_status;
+        {{ end }}
+
+        proxy_pass http://backend;
+    }
+}

glances/rootfs/etc/nginx/servers/ingress.conf → glances/rootfs/etc/nginx/templates/ingress.gtpl

@@ -1,5 +1,5 @@
 server {
-    listen %%interface%%:%%port%% default_server;
+    listen {{ .interface }}:{{ .port }} default_server;
 
     include /etc/nginx/includes/server_params.conf;
     include /etc/nginx/includes/proxy_params.conf;

glances/rootfs/etc/services.d/nginx/run

@@ -8,10 +8,4 @@
 bashio::net.wait_for 61209
 
 bashio::log.info "Starting NGinx..."
-
-# Disable HA Authentication if front door is open
-if bashio::config.true 'leave_front_door_open'; then
-    export DISABLE_HA_AUTHENTICATION=true
-fi
-
 exec nginx