From 0316cb066250984e88a4b8fd9e24c2af7595c6af Mon Sep 17 00:00:00 2001 From: CityFun <31820853+zhengkunwang223@users.noreply.github.com> Date: Wed, 30 Jul 2025 12:04:51 +0800 Subject: [PATCH] feat: Add HTTPS fallback prevention configuration in OpenResty (#9703) --- agent/app/api/v2/nginx.go | 36 ++++++++++ agent/app/dto/request/nginx.go | 4 ++ agent/app/dto/response/nginx.go | 4 ++ agent/app/service/nginx.go | 72 +++++++++++++++++++ agent/router/ro_nginx.go | 2 + frontend/src/api/interface/nginx.ts | 8 +++ frontend/src/api/modules/nginx.ts | 8 +++ frontend/src/lang/modules/en.ts | 2 + frontend/src/lang/modules/ja.ts | 18 +++++ frontend/src/lang/modules/ko.ts | 15 ++++ frontend/src/lang/modules/ms.ts | 18 +++++ frontend/src/lang/modules/pt-br.ts | 18 +++++ frontend/src/lang/modules/ru.ts | 18 +++++ frontend/src/lang/modules/tr.ts | 2 + frontend/src/lang/modules/zh-Hant.ts | 2 + frontend/src/lang/modules/zh.ts | 2 + .../src/views/website/website/nginx/index.vue | 5 ++ .../website/website/nginx/other/index.vue | 43 +++++++++++ 18 files changed, 277 insertions(+) create mode 100644 frontend/src/views/website/website/nginx/other/index.vue diff --git a/agent/app/api/v2/nginx.go b/agent/app/api/v2/nginx.go index 4c689c2b0..8d92a9fa7 100644 --- a/agent/app/api/v2/nginx.go +++ b/agent/app/api/v2/nginx.go @@ -157,3 +157,39 @@ func (b *BaseApi) GetNginxModules(c *gin.Context) { } helper.SuccessWithData(c, modules) } + +// @Tags OpenResty +// @Summary Operate default HTTPs +// @Accept json +// @Param request body request.NginxOperateReq true "request" +// @Success 200 +// @Security ApiKeyAuth +// @Security Timestamp +// @Router /openresty/https [post] +func (b *BaseApi) OperateDefaultHTTPs(c *gin.Context) { + var req request.NginxOperateReq + if err := helper.CheckBindAndValidate(&req, c); err != nil { + return + } + + if err := nginxService.OperateDefaultHTTPs(req); err != nil { + helper.InternalServer(c, err) + return + } + helper.Success(c) +} + +// @Tags OpenResty +// @Summary Get default HTTPs status +// @Success 200 {object} response.NginxConfigRes +// @Security ApiKeyAuth +// @Security Timestamp +// @Router /openresty/https [get] +func (b *BaseApi) GetDefaultHTTPsStatus(c *gin.Context) { + res, err := nginxService.GetDefaultHttpsStatus() + if err != nil { + helper.InternalServer(c, err) + return + } + helper.SuccessWithData(c, res) +} diff --git a/agent/app/dto/request/nginx.go b/agent/app/dto/request/nginx.go index cc70181b8..8fc9df202 100644 --- a/agent/app/dto/request/nginx.go +++ b/agent/app/dto/request/nginx.go @@ -126,3 +126,7 @@ type NginxModuleUpdate struct { Enable bool `json:"enable"` Params string `json:"params"` } + +type NginxOperateReq struct { + Operate string `json:"operate" validate:"required,oneof=enable disable"` +} diff --git a/agent/app/dto/response/nginx.go b/agent/app/dto/response/nginx.go index f848c83f2..68a9b74b3 100644 --- a/agent/app/dto/response/nginx.go +++ b/agent/app/dto/response/nginx.go @@ -80,3 +80,7 @@ type NginxBuildConfig struct { Mirror string `json:"mirror"` Modules []NginxModule `json:"modules"` } + +type NginxConfigRes struct { + Https bool `json:"https"` +} diff --git a/agent/app/service/nginx.go b/agent/app/service/nginx.go index fcd1908e5..7b57d5041 100644 --- a/agent/app/service/nginx.go +++ b/agent/app/service/nginx.go @@ -4,6 +4,8 @@ import ( "bufio" "encoding/json" "fmt" + "github.com/1Panel-dev/1Panel/agent/utils/nginx" + "github.com/1Panel-dev/1Panel/agent/utils/nginx/parser" "io" "net/http" "os" @@ -42,6 +44,9 @@ type INginxService interface { Build(req request.NginxBuildReq) error GetModules() (*response.NginxBuildConfig, error) UpdateModule(req request.NginxModuleUpdate) error + + OperateDefaultHTTPs(req request.NginxOperateReq) error + GetDefaultHttpsStatus() (*response.NginxConfigRes, error) } func NewINginxService() INginxService { @@ -348,3 +353,70 @@ func (n NginxService) UpdateModule(req request.NginxModuleUpdate) error { } return fileOp.SaveFileWithByte(moduleConfigPath, moduleByte, constant.DirPerm) } + +func (n NginxService) OperateDefaultHTTPs(req request.NginxOperateReq) error { + appInstall, err := getAppInstallByKey(constant.AppOpenresty) + if err != nil { + return err + } + websites, _ := websiteRepo.List() + hasDefaultWebsite := false + for _, website := range websites { + if website.DefaultServer { + hasDefaultWebsite = true + break + } + } + defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf") + content, err := os.ReadFile(defaultConfigPath) + if err != nil { + return err + } + if req.Operate == "enable" { + if err := handleSSLConfig(&appInstall, hasDefaultWebsite); err != nil { + return err + } + } else if req.Operate == "disable" { + defaultConfig, err := parser.NewStringParser(string(content)).Parse() + if err != nil { + return err + } + defaultConfig.FilePath = defaultConfigPath + defaultServer := defaultConfig.FindServers()[0] + defaultServer.RemoveListen(fmt.Sprintf("%d", appInstall.HttpsPort)) + defaultServer.RemoveListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort)) + defaultServer.RemoveDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"}) + defaultServer.RemoveDirective("http2", []string{"on"}) + if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil { + return err + } + } + return nginxCheckAndReload(string(content), defaultConfigPath, appInstall.ContainerName) +} + +func (n NginxService) GetDefaultHttpsStatus() (*response.NginxConfigRes, error) { + appInstall, err := getAppInstallByKey(constant.AppOpenresty) + if err != nil { + return nil, err + } + defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf") + content, err := os.ReadFile(defaultConfigPath) + if err != nil { + return nil, err + } + defaultConfig, err := parser.NewStringParser(string(content)).Parse() + if err != nil { + return nil, err + } + defaultConfig.FilePath = defaultConfigPath + defaultServer := defaultConfig.FindServers()[0] + res := &response.NginxConfigRes{} + for _, directive := range defaultServer.GetDirectives() { + if directive.GetName() == "include" && directive.GetParameters()[0] == "/usr/local/openresty/nginx/conf/ssl/root_ssl.conf" { + return &response.NginxConfigRes{ + Https: true, + }, nil + } + } + return res, nil +} diff --git a/agent/router/ro_nginx.go b/agent/router/ro_nginx.go index 9ea4cf154..c0599e69a 100644 --- a/agent/router/ro_nginx.go +++ b/agent/router/ro_nginx.go @@ -21,5 +21,7 @@ func (a *NginxRouter) InitRouter(Router *gin.RouterGroup) { groupRouter.POST("/build", baseApi.BuildNginx) groupRouter.POST("/modules/update", baseApi.UpdateNginxModule) groupRouter.GET("/modules", baseApi.GetNginxModules) + groupRouter.POST("/https", baseApi.OperateDefaultHTTPs) + groupRouter.GET("/https", baseApi.GetDefaultHTTPsStatus) } } diff --git a/frontend/src/api/interface/nginx.ts b/frontend/src/api/interface/nginx.ts index e4edf06b2..554983eb8 100644 --- a/frontend/src/api/interface/nginx.ts +++ b/frontend/src/api/interface/nginx.ts @@ -50,4 +50,12 @@ export namespace Nginx { export interface NginxModuleUpdate extends NginxModule { operate: string; } + + export interface NginxHttpsStatus { + https: boolean; + } + + export interface NginxOperateReq { + operate: string; + } } diff --git a/frontend/src/api/modules/nginx.ts b/frontend/src/api/modules/nginx.ts index 7db458940..b4120a18c 100644 --- a/frontend/src/api/modules/nginx.ts +++ b/frontend/src/api/modules/nginx.ts @@ -33,3 +33,11 @@ export const getNginxModules = () => { export const updateNginxModule = (req: Nginx.NginxModuleUpdate) => { return http.post(`/openresty/modules/update`, req); }; + +export const getHttpsStatus = () => { + return http.get(`/openresty/https`); +}; + +export const operateHttps = (req: Nginx.NginxOperateReq) => { + return http.post(`/openresty/https`, req); +}; diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts index 734ba5413..5b35e6aa1 100644 --- a/frontend/src/lang/modules/en.ts +++ b/frontend/src/lang/modules/en.ts @@ -2566,6 +2566,8 @@ const message = { 'Scripts to execute before compilation, usually for downloading module source code, installing dependencies, etc.', buildHelper: 'Click build after adding/modifying a module. OpenResty will automatically restart upon successful build.', + defaultHttps: 'HTTPS Anti-tampering', + defaultHttpsHelper1: 'Enabling this can resolve HTTPS tampering issues.', }, ssl: { create: 'Request', diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts index 851a17a6b..ef6c02440 100644 --- a/frontend/src/lang/modules/ja.ts +++ b/frontend/src/lang/modules/ja.ts @@ -2466,6 +2466,24 @@ const message = { clearProxyCache: '逆プロキシキャッシュをきれいにします', clearProxyCacheWarn: 'キャッシュで構成されたすべてのWebサイトが影響を受け、「OpenResty」が再起動されます。続けたいですか?', + create: 'モジュールを追加', + update: 'モジュールを編集', + params: 'パラメータ', + packages: 'パッケージ', + script: 'スクリプト', + module: 'モジュール', + build: 'ビルド', + buildWarn: + 'OpenRestyのビルドには一定量のCPUとメモリを確保する必要があり、時間がかかる場合がありますので、お待ちください。', + mirrorUrl: 'ソフトウェアソース', + paramsHelper: '例:--add-module=/tmp/ngx_brotli', + packagesHelper: '例:git,curl カンマ区切り', + scriptHelper: + 'コンパイル前に実行するスクリプト、通常はモジュールソースコードのダウンロード、依存関係のインストールなど', + buildHelper: + 'モジュールの追加/変更後にビルドをクリックします。ビルドが成功すると、OpenRestyは自動的に再起動します。', + defaultHttps: 'HTTPS 改ざん防止', + defaultHttpsHelper1: 'これを有効にすると、HTTPS 改ざん問題を解決できます。', }, ssl: { create: 'リクエスト', diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts index 0418214cd..c15ddcfa6 100644 --- a/frontend/src/lang/modules/ko.ts +++ b/frontend/src/lang/modules/ko.ts @@ -2423,6 +2423,21 @@ const message = { clearProxyCache: '리버스 프록시 캐시 삭제', clearProxyCacheWarn: '캐시가 구성된 모든 웹사이트에 영향을 미치며 OpenResty 가 다시 시작됩니다. 계속하시겠습니까?', + create: '모듈 추가', + update: '모듈 편집', + params: '매개변수', + packages: '패키지', + script: '스크립트', + module: '모듈', + build: '빌드', + buildWarn: 'OpenResty 빌드는 CPU와 메모리의 일정량을 예약해야 하며, 시간이 오래 걸릴 수 있으니 기다려 주세요.', + mirrorUrl: '소프트웨어 소스', + paramsHelper: '예: --add-module=/tmp/ngx_brotli', + packagesHelper: '예: git,curl 쉼표로 구분', + scriptHelper: '컴파일 전에 실행할 스크립트, 일반적으로 모듈 소스 코드 다운로드, 종속성 설치 등', + buildHelper: '모듈 추가/수정 후 빌드를 클릭하세요. 빌드가 성공하면 OpenResty가 자동으로 재시작됩니다.', + defaultHttps: 'HTTPS 변조 방지', + defaultHttpsHelper1: '이를 활성화하면 HTTPS 변조 문제를 해결할 수 있습니다.', }, ssl: { create: '요청', diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts index 5d59cfa33..bf4a5ed17 100644 --- a/frontend/src/lang/modules/ms.ts +++ b/frontend/src/lang/modules/ms.ts @@ -2522,6 +2522,24 @@ const message = { clearProxyCache: 'Bersihkan cache proksi terbalik', clearProxyCacheWarn: 'Semua laman web yang dikonfigurasi dengan cache akan terjejas dan "OpenResty" akan dimulakan semula. Adakah anda mahu meneruskan?', + create: 'Tambah Modul', + update: 'Edit Modul', + params: 'Parameter', + packages: 'Pakej', + script: 'Script', + module: 'Modul', + build: 'Bina', + buildWarn: + 'Membina OpenResty memerlukan menyediakan sejumlah CPU dan memori, dan prosesnya mengambil masa yang lama, sila bersabar.', + mirrorUrl: 'Sumber Perisian', + paramsHelper: 'Contoh: --add-module=/tmp/ngx_brotli', + packagesHelper: 'Contoh: git,curl dipisahkan oleh koma', + scriptHelper: + 'Skrip yang dilaksanakan sebelum penyusunan, biasanya untuk memuat turun sumber kod modul, memasang kebergantungan, dll.', + buildHelper: + 'Klik Bina selepas menambah/mengubah suai modul. Pembinaan yang berjaya akan memulakan semula OpenResty secara automatik.', + defaultHttps: 'HTTPS Anti-tampering', + defaultHttpsHelper1: 'Mengaktifkan ini dapat menyelesaikan masalah tampering HTTPS.', }, ssl: { create: 'Permintaan', diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts index e6fdc40e6..01c782285 100644 --- a/frontend/src/lang/modules/pt-br.ts +++ b/frontend/src/lang/modules/pt-br.ts @@ -2523,6 +2523,24 @@ const message = { clearProxyCache: 'Clean reverse proxy cache', clearProxyCacheWarn: 'All websites that have configured with cache will be affected and "OpenResty" will be restarted. Do you want to continue?', + create: 'Criar Módulo', + update: 'Editar Módulo', + params: 'Parâmetros', + packages: 'Pacotes', + script: 'Script', + module: 'Módulo', + build: 'Construir', + buildWarn: + 'Construir OpenResty requer a reserva de certa quantidade de CPU e memória, e o processo pode ser demorado, por favor, seja paciente.', + mirrorUrl: 'Fonte de Software', + paramsHelper: 'Por exemplo: --add-module=/tmp/ngx_brotli', + packagesHelper: 'Por exemplo: git,curl separados por vírgulas', + scriptHelper: + 'Script a ser executado antes da compilação, geralmente para baixar o código-fonte do módulo, instalar dependências, etc.', + buildHelper: + 'Clique em Construir após adicionar/modificar um módulo. Construção bem-sucedida reiniciará automaticamente o OpenResty.', + defaultHttps: 'HTTPS Anti-tampering', + defaultHttpsHelper1: 'A ativação desta opção pode resolver problemas de adulteração HTTPS.', }, ssl: { create: 'Solicitar', diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts index e3c79b545..853b4e29a 100644 --- a/frontend/src/lang/modules/ru.ts +++ b/frontend/src/lang/modules/ru.ts @@ -2519,6 +2519,24 @@ const message = { clearProxyCache: 'Очистить кэш обратного прокси', clearProxyCacheWarn: 'Это повлияет на все веб-сайты с настроенным кэшем и перезапустит "OpenResty". Хотите продолжить?', + create: 'Создать модуль', + update: 'Редактировать модуль', + params: 'Параметры', + packages: 'Пакеты', + script: 'Скрипт', + module: 'Модуль', + build: 'Сборка', + buildWarn: + 'Сборка OpenResty требует резервирования определенного количества CPU и памяти, процесс может занять много времени, пожалуйста, подождите.', + mirrorUrl: 'Источник программного обеспечения', + paramsHelper: 'Например: --add-module=/tmp/ngx_brotli', + packagesHelper: 'Например: git,curl разделенные запятыми', + scriptHelper: + 'Скрипт, выполняемый перед компиляцией, обычно для загрузки исходного кода модуля, установки зависимостей и т.д.', + buildHelper: + 'Нажмите Сборка после добавления/изменения модуля. Успешная сборка автоматически перезапустит OpenResty.', + defaultHttps: 'HTTPS Анти-вмешательство', + defaultHttpsHelper1: 'Включение этого параметра может решить проблему вмешательства в HTTPS.', }, ssl: { create: 'Запросить', diff --git a/frontend/src/lang/modules/tr.ts b/frontend/src/lang/modules/tr.ts index a6f7d2a03..90e3df85a 100644 --- a/frontend/src/lang/modules/tr.ts +++ b/frontend/src/lang/modules/tr.ts @@ -2597,6 +2597,8 @@ const message = { 'Derlemeden önce çalıştırılacak betikler, genellikle modül kaynak kodunu indirmek, bağımlılıkları kurmak vb. için', buildHelper: 'Modül ekledikten/düzenledikten sonra oluştur’a tıklayın. OpenResty, başarılı oluşturma üzerine otomatik olarak yeniden başlatılacaktır.', + defaultHttps: 'HTTPS Anti-sızdırma', + defaultHttpsHelper1: 'Bu özelliği etkinleştirerek HTTPS sızdırma sorunlarını çözebilirsiniz.', }, ssl: { create: 'İstek', diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts index a1b1c6e70..f34d6c50d 100644 --- a/frontend/src/lang/modules/zh-Hant.ts +++ b/frontend/src/lang/modules/zh-Hant.ts @@ -2395,6 +2395,8 @@ const message = { packagesHelper: '例如:git,curl 以逗號分割', scriptHelper: '編譯之前執行的腳本,通常用於下載模組原始碼,安裝依賴等', buildHelper: '添加/修改模組後點擊構建,構建成功後會自動重啟 OpenResty', + defaultHttps: 'HTTPS 防竄站', + defaultHttpsHelper1: '開啟後可以解決 HTTPS 竄站問題', }, ssl: { create: '申請證書', diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts index 5f5f46082..f2a963e75 100644 --- a/frontend/src/lang/modules/zh.ts +++ b/frontend/src/lang/modules/zh.ts @@ -2384,6 +2384,8 @@ const message = { packagesHelper: '例如:git,curl 按,分割', scriptHelper: '编译之前执行的脚本,一般为下载模块源码,安装依赖等', buildHelper: '添加/修改模块之后点击构建,构建成功后会自动重启 OpenResty', + defaultHttps: 'HTTPS 防窜站', + defaultHttpsHelper1: '开启后可以解决 HTTPS 窜站问题', }, ssl: { create: '申请证书', diff --git a/frontend/src/views/website/website/nginx/index.vue b/frontend/src/views/website/website/nginx/index.vue index 27a1d0266..2232d6a53 100644 --- a/frontend/src/views/website/website/nginx/index.vue +++ b/frontend/src/views/website/website/nginx/index.vue @@ -26,6 +26,9 @@ {{ $t('runtime.module') }} + + {{ $t('website.other') }} + @@ -44,6 +48,7 @@ import ContainerLog from '@/components/log/container/index.vue'; import NginxPer from './performance/index.vue'; import Status from './status/index.vue'; import Module from './module/index.vue'; +import Other from './other/index.vue'; const activeName = ref('1'); diff --git a/frontend/src/views/website/website/nginx/other/index.vue b/frontend/src/views/website/website/nginx/other/index.vue new file mode 100644 index 000000000..61f998428 --- /dev/null +++ b/frontend/src/views/website/website/nginx/other/index.vue @@ -0,0 +1,43 @@ + + +