OpenSlides/caddy/entrypoint
Finn Stutzenstein 91a15d24a8
Add ALLOWED_HOSTS
the proxy responds with a 421, if a host header with an invalid host
name is encountered. If nothing is provided (see default .env) all hosts
are allowed. Examples:

ALLOWED_HOSTS="localhost:8000 127.0.0.1:8000"

ALLOWED_HOSTS="some.domain.example.com"

Add EXTERNAL_HTTPS_PORT. See .env for the configuration.
2021-04-26 16:01:35 +02:00

79 lines
1.9 KiB
Bash
Executable File

#!/bin/sh
set -e
if [[ -z "$EXTERNAL_HTTP_PORT" ]] && [[ -z "$EXTERNAL_HTTPS_PORT" ]]; then
echo "EXTERNAL_HTTP_PORT and EXTERNAL_HTTPS_PORT are not set. Aborting."
exit 1
fi
if [[ -f "/certs/key.pem" ]] && [[ -f "/certs/cert.pem" ]]; then
certs_exists=1
fi
if [[ -n "$EXTERNAL_HTTPS_PORT" ]] && [[ -z "$certs_exists" ]]; then
echo "Configured https, but no certificates found. Aborting"
exit 1
fi
# config: https
if [[ -n "$EXTERNAL_HTTPS_PORT" ]] ; then
cat <<EOF >> /etc/caddy/endpoint
https://:8001 {
tls /certs/cert.pem /certs/key.pem
EOF
echo "Configured https"
fi
# config: http and no https
if [[ -n "$EXTERNAL_HTTP_PORT" ]] && [[ -z "$EXTERNAL_HTTPS_PORT" ]] ; then
echo "http://:8000 {" > /etc/caddy/endpoint
echo "Configured http only"
fi
# config: https and additionally http -> create redirect-file
if [[ -n "$EXTERNAL_HTTP_PORT" ]] && [[ -n "$EXTERNAL_HTTPS_PORT" ]] ; then
cat <<EOF >> /etc/caddy/redirect
http://:8000 {
redir https://$INSTANCE_DOMAIN{uri}
}
EOF
echo "Configured http to https redirect"
fi
# Add allowed hosts from $ALLOWED_HOSTS
# If the variable is empty, all hosts are allowed.
# The hosts are ORed, so the request is valid, if one host matches.
# Example: ALLOWED_HOSTS="localhost:8000 127.0.0.1:8000"
#
# @invalid-host {
# not {
# header Host localhost:8000
# header Host 127.0.0.1:8000
# }
# }
# respond @invalid-host "Misdirected Request" 421 {
# close
# }
if [[ ! -z "$ALLOWED_HOSTS" ]]; then
cat <<EOF >> /etc/caddy/invalid_host
@invalid-host {
not {
EOF
for host in $ALLOWED_HOSTS; do
echo " host $host" >> /etc/caddy/invalid_host
done
cat <<EOF >> /etc/caddy/invalid_host
}
}
respond @invalid-host "Misdirected Request" 421 {
close
}
EOF
echo "Configured allowed hosts: $ALLOWED_HOSTS"
else
echo "All hosts allowed"
fi
exec "$@"