2017-11-22 00:19:14 +01:00
#!/bin/bash
# shellcheck disable=SC2155
2016-01-07 11:11:05 +01:00
[ [ -z " ${ VHOST_DIR :- } " ] ] && \
declare -r VHOST_DIR = /etc/nginx/vhost.d
[ [ -z " ${ START_HEADER :- } " ] ] && \
declare -r START_HEADER = '## Start of configuration add by letsencrypt container'
[ [ -z " ${ END_HEADER :- } " ] ] && \
declare -r END_HEADER = '## End of configuration add by letsencrypt container'
2016-01-01 14:32:40 +01:00
2018-02-01 12:23:54 +01:00
function check_nginx_proxy_container_run {
2018-01-06 17:36:37 +01:00
local _nginx_proxy_container = $( get_nginx_proxy_container)
2018-06-05 09:44:16 +02:00
if [ [ -n " $_nginx_proxy_container " ] ] ; then
if [ [ $( docker_api " /containers/ ${ _nginx_proxy_container } /json " | jq -r '.State.Status' ) = "running" ] ] ; then
return 0
else
echo " $( date "+%Y/%m/%d %T" ) Error: nginx-proxy container ${ _nginx_proxy_container } isn't running. " >& 2
return 1
fi
else
echo " $( date "+%Y/%m/%d %T" ) Error: could not get a nginx-proxy container ID. " >& 2
return 1
fi
2018-02-01 12:23:54 +01:00
}
2018-02-08 23:57:50 +01:00
function add_location_configuration {
2016-01-07 11:11:05 +01:00
local domain = " ${ 1 :- } "
2016-01-05 14:02:15 +01:00
[ [ -z " $domain " || ! -f " ${ VHOST_DIR } / ${ domain } " ] ] && domain = default
[ [ -f " ${ VHOST_DIR } / ${ domain } " && \
-n $( sed -n " / $START_HEADER /,/ $END_HEADER /p " " ${ VHOST_DIR } / ${ domain } " ) ] ] && return 0
2016-01-01 14:32:40 +01:00
echo " $START_HEADER " > " ${ VHOST_DIR } / ${ domain } " .new
cat /app/nginx_location.conf >> " ${ VHOST_DIR } / ${ domain } " .new
echo " $END_HEADER " >> " ${ VHOST_DIR } / ${ domain } " .new
[ [ -f " ${ VHOST_DIR } / ${ domain } " ] ] && cat " ${ VHOST_DIR } / ${ domain } " >> " ${ VHOST_DIR } / ${ domain } " .new
mv -f " ${ VHOST_DIR } / ${ domain } " .new " ${ VHOST_DIR } / ${ domain } "
return 1
}
2018-02-08 23:57:50 +01:00
function remove_all_location_configurations {
2016-01-07 11:11:05 +01:00
local old_shopt_options = $( shopt -p) # Backup shopt options
shopt -s nullglob
2016-01-01 14:32:40 +01:00
for file in " ${ VHOST_DIR } " /*; do
[ [ -n $( sed -n " / $START_HEADER /,/ $END_HEADER /p " " $file " ) ] ] && \
sed -i " / $START_HEADER /,/ $END_HEADER /d " " $file "
done
2016-01-07 11:11:05 +01:00
eval " $old_shopt_options " # Restore shopt options
2016-01-01 14:32:40 +01:00
}
2016-01-05 14:02:15 +01:00
2018-08-01 15:07:32 +02:00
function check_cert_min_validity {
# Check if a certificate ($1) is still valid for a given amount of time in seconds ($2).
# Returns 0 if the certificate is still valid for this amount of time, 1 otherwise.
local cert_path = " $1 "
local min_validity = " $(( $( date "+%s" ) + $2 )) "
local cert_expiration
cert_expiration = " $( openssl x509 -noout -enddate -in " $cert_path " | cut -d "=" -f 2) "
cert_expiration = " $( date --utc --date " ${ cert_expiration % GMT } " "+%s" ) "
[ [ $cert_expiration -gt $min_validity ] ] || return 1
}
2018-05-20 18:15:10 +02:00
function get_self_cid {
DOCKER_PROVIDER = ${ DOCKER_PROVIDER :- docker }
case " ${ DOCKER_PROVIDER } " in
ecs| ECS)
# AWS ECS. Enabled in /etc/ecs/ecs.config (http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html)
if [ [ -n " ${ ECS_CONTAINER_METADATA_FILE :- } " ] ] ; then
grep ContainerID " ${ ECS_CONTAINER_METADATA_FILE } " | sed 's/.*: "\(.*\)",/\1/g'
else
echo " ${ DOCKER_PROVIDER } specified as 'ecs' but not available. See: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html " >& 2
exit 1
fi
; ;
*)
sed -nE 's/^.+docker[\/-]([a-f0-9]{64}).*/\1/p' /proc/self/cgroup | head -n 1
; ;
esac
}
2016-02-11 21:18:20 +01:00
## Docker API
2016-01-06 19:33:16 +01:00
function docker_api {
local scheme
local curl_opts = ( -s)
local method = ${ 2 :- GET }
# data to POST
if [ [ -n " ${ 3 :- } " ] ] ; then
curl_opts += ( -d " $3 " )
fi
2016-02-11 21:18:20 +01:00
if [ [ -z " $DOCKER_HOST " ] ] ; then
echo "Error DOCKER_HOST variable not set" >& 2
return 1
fi
2016-01-06 19:33:16 +01:00
if [ [ $DOCKER_HOST = = unix://* ] ] ; then
curl_opts += ( --unix-socket ${ DOCKER_HOST #unix : // } )
2017-01-19 21:14:10 +01:00
scheme = 'http://localhost'
2016-01-06 19:33:16 +01:00
else
2016-01-08 14:31:45 +01:00
scheme = " http:// ${ DOCKER_HOST #* : // } "
2016-01-06 19:33:16 +01:00
fi
[ [ $method = "POST" ] ] && curl_opts += ( -H 'Content-Type: application/json' )
curl " ${ curl_opts [@] } " -X${ method } ${ scheme } $1
}
function docker_exec {
local id = " ${ 1 ?missing id } "
local cmd = " ${ 2 ?missing command } "
local data = $( printf '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Tty":false,"Cmd": %s }' " $cmd " )
exec_id = $( docker_api " /containers/ $id /exec " "POST" " $data " | jq -r .Id)
2018-02-01 12:23:54 +01:00
if [ [ -n " $exec_id " && " $exec_id " != "null" ] ] ; then
2016-01-06 19:33:16 +01:00
docker_api /exec/$exec_id /start "POST" '{"Detach": false, "Tty":false}'
2018-02-01 12:23:54 +01:00
else
echo " $( date "+%Y/%m/%d %T" ) , Error: can't exec command ${ cmd } in container ${ id } . Check if the container is running. " >& 2
return 1
2016-01-06 19:33:16 +01:00
fi
}
2016-02-11 21:18:20 +01:00
function docker_kill {
local id = " ${ 1 ?missing id } "
local signal = " ${ 2 ?missing signal } "
docker_api " /containers/ $id /kill?signal= $signal " "POST"
}
2017-07-13 12:44:02 +02:00
function labeled_cid {
docker_api "/containers/json" | jq -r '.[] | select(.Labels["' $1 '"])|.Id'
}
2018-02-09 10:38:44 +01:00
function is_docker_gen_container {
local id = " ${ 1 ?missing id } "
if [ [ $( docker_api " /containers/ $id /json " | jq -r '.Config.Env[]' | egrep -c '^DOCKER_GEN_VERSION=' ) = "1" ] ] ; then
return 0
else
return 1
fi
}
2018-01-06 17:36:37 +01:00
function get_docker_gen_container {
2018-02-09 00:27:14 +01:00
# First try to get the docker-gen container ID from the container label.
local docker_gen_cid = " $( labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen) "
# If the labeled_cid function dit not return anything and the env var is set, use it.
if [ [ -z " $docker_gen_cid " ] ] && [ [ -n " ${ NGINX_DOCKER_GEN_CONTAINER :- } " ] ] ; then
docker_gen_cid = " $NGINX_DOCKER_GEN_CONTAINER "
fi
# If a container ID was found, output it. The function will return 1 otherwise.
[ [ -n " $docker_gen_cid " ] ] && echo " $docker_gen_cid "
2017-07-13 12:44:02 +02:00
}
2018-01-06 17:36:37 +01:00
function get_nginx_proxy_container {
2018-02-09 00:27:14 +01:00
local volumes_from
# First try to get the nginx container ID from the container label.
local nginx_cid = " $( labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy) "
# If the labeled_cid function dit not return anything ...
if [ [ -z " ${ nginx_cid } " ] ] ; then
# ... and the env var is set, use it ...
if [ [ -n " ${ NGINX_PROXY_CONTAINER :- } " ] ] ; then
nginx_cid = " $NGINX_PROXY_CONTAINER "
# ... else try to get the container ID with the volumes_from method.
else
2018-05-20 18:15:10 +02:00
volumes_from = $( docker_api " /containers/ ${ SELF_CID :- $( get_self_cid) } /json " | jq -r '.HostConfig.VolumesFrom[]' 2>/dev/null)
2018-02-09 00:27:14 +01:00
for cid in $volumes_from ; do
cid = " ${ cid % : * } " # Remove leading :ro or :rw set by remote docker-compose (thx anoopr)
if [ [ $( docker_api " /containers/ $cid /json " | jq -r '.Config.Env[]' | egrep -c '^NGINX_VERSION=' ) = "1" ] ] ; then
nginx_cid = " $cid "
break
fi
done
fi
fi
# If a container ID was found, output it. The function will return 1 otherwise.
[ [ -n " $nginx_cid " ] ] && echo " $nginx_cid "
2017-07-13 12:44:02 +02:00
}
2016-01-06 19:33:16 +01:00
## Nginx
2018-02-08 23:57:50 +01:00
function reload_nginx {
2018-01-06 17:36:37 +01:00
local _docker_gen_container = $( get_docker_gen_container)
local _nginx_proxy_container = $( get_nginx_proxy_container)
2017-07-13 12:44:02 +02:00
if [ [ -n " ${ _docker_gen_container :- } " ] ] ; then
2017-05-28 17:30:10 +02:00
# Using docker-gen and nginx in separate container
2017-07-13 12:44:02 +02:00
echo " Reloading nginx docker-gen (using separate container ${ _docker_gen_container } )... "
docker_kill " ${ _docker_gen_container } " SIGHUP
if [ [ -n " ${ _nginx_proxy_container :- } " ] ] ; then
2017-05-28 17:30:10 +02:00
# Reloading nginx in case only certificates had been renewed
2017-07-13 12:44:02 +02:00
echo " Reloading nginx (using separate container ${ _nginx_proxy_container } )... "
docker_kill " ${ _nginx_proxy_container } " SIGHUP
2017-05-28 17:30:10 +02:00
fi
2016-02-11 21:18:20 +01:00
else
2017-07-13 12:44:02 +02:00
if [ [ -n " ${ _nginx_proxy_container :- } " ] ] ; then
echo " Reloading nginx proxy ( ${ _nginx_proxy_container } )... "
docker_exec " ${ _nginx_proxy_container } " \
2018-07-08 14:10:10 +02:00
'[ "sh", "-c", "/app/docker-entrypoint.sh /usr/local/bin/docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf; /usr/sbin/nginx -s reload" ]' \
| sed -rn 's/^.*([0-9]{4}\/[0-9]{2}\/[0-9]{2}.*$)/\1/p'
[ [ ${ PIPESTATUS [0] } -eq 1 ] ] && echo " $( date "+%Y/%m/%d %T" ) , Error: can't reload nginx-proxy. " >& 2
2016-02-11 21:18:20 +01:00
fi
2016-01-05 14:02:15 +01:00
fi
}
2016-03-27 16:44:02 +02:00
2018-10-06 22:39:01 +02:00
function set_ownership_and_permissions {
2018-09-02 21:07:49 +02:00
local path = " ${ 1 : ? } "
2018-10-07 10:16:22 +02:00
# The default ownership is root:root, with 755 permissions for folders and 644 for files.
2018-10-06 22:39:01 +02:00
local user = " ${ FILES_UID :- root } "
local group = " ${ FILES_GID :- $user } "
2018-10-07 10:16:22 +02:00
local f_perms = " ${ FILES_PERMS :- 644 } "
local d_perms = " ${ FOLDERS_PERMS :- 755 } "
2018-09-02 21:07:49 +02:00
2018-10-06 22:39:01 +02:00
if [ [ ! " $f_perms " = ~ ^[ 0-7] { 3,4} $ ] ] ; then
echo " Warning : the provided files permission octal ( $f_perms ) is incorrect. Skipping ownership and permissions check. "
return 1
fi
if [ [ ! " $d_perms " = ~ ^[ 0-7] { 3,4} $ ] ] ; then
echo " Warning : the provided folders permission octal ( $d_perms ) is incorrect. Skipping ownership and permissions check. "
return 1
fi
# Find the user numeric ID if the FILES_UID environment variable isn't numeric.
if [ [ " $user " = ~ ^[ 0-9] +$ ] ] ; then
user_num = " $user "
# Check if this user exist inside the container
elif id -u " $user " > /dev/null 2>& 1; then
# Convert the user name to numeric ID
local user_num = " $( id -u " $user " ) "
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: numeric ID of user $user is $user_num . "
2018-10-06 22:39:01 +02:00
else
echo " Warning: user $user not found in the container, please use a numeric user ID instead of a user name. Skipping ownership and permissions check. "
return 1
fi
# Find the group numeric ID if the FILES_GID environment variable isn't numeric.
if [ [ " $group " = ~ ^[ 0-9] +$ ] ] ; then
group_num = " $group "
# Check if this group exist inside the container
elif getent group " $group " > /dev/null 2>& 1; then
# Convert the group name to numeric ID
local group_num = " $( getent group " $group " | awk -F ':' '{print $3}' ) "
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: numeric ID of group $group is $group_num . "
2018-10-06 22:39:01 +02:00
else
echo " Warning: group $group not found in the container, please use a numeric group ID instead of a group name. Skipping ownership and permissions check. "
return 1
fi
# Check and modify ownership if required.
2018-10-13 14:09:29 +02:00
if [ [ -e " $path " ] ] ; then
if [ [ " $( stat -c %u:%g " $path " ) " != " $user_num : $group_num " ] ] ; then
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: setting $path ownership to $user : $group . "
2018-10-13 14:09:29 +02:00
chown " $user_num : $group_num " " $path "
fi
else
2018-10-13 14:11:27 +02:00
echo " Warning: $path does not exist. Skipping ownership and permissions check. "
2018-10-13 14:09:29 +02:00
return 1
2018-09-02 21:07:49 +02:00
fi
2018-10-16 16:48:52 +02:00
# If the path is a folder, check and modify permissions if required.
2018-09-02 21:07:49 +02:00
if [ [ -d " $path " ] ] ; then
2018-10-06 22:39:01 +02:00
if [ [ " $( stat -c %a " $path " ) " != " $d_perms " ] ] ; then
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: setting $path permissions to $d_perms . "
2018-10-06 22:39:01 +02:00
chmod " $d_perms " " $path "
2018-09-02 21:07:49 +02:00
fi
2018-10-16 16:48:52 +02:00
# If the path is a file, check and modify permissions if required.
elif [ [ -f " $path " ] ] ; then
#
if [ [ " $path " = ~ ^.*( default\. key| key\. pem| \. json) $ ] ] ; then
if [ [ " $( stat -c %a " $path " ) " != " $f_perms " ] ] ; then
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: setting $path permissions to $f_perms . "
2018-10-16 16:48:52 +02:00
chmod " $f_perms " " $path "
fi
# ... and for public files (certificates, chains, fullchains, DH parameters).
else
if [ [ " $( stat -c %a " $path " ) " != "644" ] ] ; then
2018-12-14 09:49:51 +01:00
[ [ " $( lc $DEBUG ) " = = true ] ] && echo " Debug: setting $path permissions to 644. "
2018-10-16 16:48:52 +02:00
chmod " $f_perms " " $path "
fi
2018-09-02 21:07:49 +02:00
fi
fi
}
2016-03-27 16:44:02 +02:00
# Convert argument to lowercase (bash 4 only)
2018-02-08 23:57:50 +01:00
function lc {
2016-03-27 16:44:02 +02:00
echo " ${ @,, } "
}
