91a15d24a8
the proxy responds with a 421, if a host header with an invalid host name is encountered. If nothing is provided (see default .env) all hosts are allowed. Examples: ALLOWED_HOSTS="localhost:8000 127.0.0.1:8000" ALLOWED_HOSTS="some.domain.example.com" Add EXTERNAL_HTTPS_PORT. See .env for the configuration.
79 lines
1.9 KiB
Bash
Executable File
79 lines
1.9 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
if [[ -z "$EXTERNAL_HTTP_PORT" ]] && [[ -z "$EXTERNAL_HTTPS_PORT" ]]; then
|
|
echo "EXTERNAL_HTTP_PORT and EXTERNAL_HTTPS_PORT are not set. Aborting."
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -f "/certs/key.pem" ]] && [[ -f "/certs/cert.pem" ]]; then
|
|
certs_exists=1
|
|
fi
|
|
|
|
if [[ -n "$EXTERNAL_HTTPS_PORT" ]] && [[ -z "$certs_exists" ]]; then
|
|
echo "Configured https, but no certificates found. Aborting"
|
|
exit 1
|
|
fi
|
|
|
|
# config: https
|
|
if [[ -n "$EXTERNAL_HTTPS_PORT" ]] ; then
|
|
cat <<EOF >> /etc/caddy/endpoint
|
|
https://:8001 {
|
|
tls /certs/cert.pem /certs/key.pem
|
|
EOF
|
|
echo "Configured https"
|
|
fi
|
|
|
|
# config: http and no https
|
|
if [[ -n "$EXTERNAL_HTTP_PORT" ]] && [[ -z "$EXTERNAL_HTTPS_PORT" ]] ; then
|
|
echo "http://:8000 {" > /etc/caddy/endpoint
|
|
echo "Configured http only"
|
|
fi
|
|
|
|
# config: https and additionally http -> create redirect-file
|
|
if [[ -n "$EXTERNAL_HTTP_PORT" ]] && [[ -n "$EXTERNAL_HTTPS_PORT" ]] ; then
|
|
cat <<EOF >> /etc/caddy/redirect
|
|
http://:8000 {
|
|
redir https://$INSTANCE_DOMAIN{uri}
|
|
}
|
|
EOF
|
|
echo "Configured http to https redirect"
|
|
fi
|
|
|
|
# Add allowed hosts from $ALLOWED_HOSTS
|
|
# If the variable is empty, all hosts are allowed.
|
|
# The hosts are ORed, so the request is valid, if one host matches.
|
|
# Example: ALLOWED_HOSTS="localhost:8000 127.0.0.1:8000"
|
|
#
|
|
# @invalid-host {
|
|
# not {
|
|
# header Host localhost:8000
|
|
# header Host 127.0.0.1:8000
|
|
# }
|
|
# }
|
|
# respond @invalid-host "Misdirected Request" 421 {
|
|
# close
|
|
# }
|
|
if [[ ! -z "$ALLOWED_HOSTS" ]]; then
|
|
cat <<EOF >> /etc/caddy/invalid_host
|
|
@invalid-host {
|
|
not {
|
|
EOF
|
|
for host in $ALLOWED_HOSTS; do
|
|
echo " host $host" >> /etc/caddy/invalid_host
|
|
done
|
|
cat <<EOF >> /etc/caddy/invalid_host
|
|
}
|
|
}
|
|
respond @invalid-host "Misdirected Request" 421 {
|
|
close
|
|
}
|
|
EOF
|
|
echo "Configured allowed hosts: $ALLOWED_HOSTS"
|
|
else
|
|
echo "All hosts allowed"
|
|
fi
|
|
|
|
exec "$@"
|