From 4b5526a02848c854da11ad33ef9554f6a96701c0 Mon Sep 17 00:00:00 2001 From: ChengPlay <31820853+zhengkunwang223@users.noreply.github.com> Date: Fri, 2 May 2025 21:37:57 +0800 Subject: [PATCH] feat: install openresty with default ssl (#8534) --- agent/app/service/app_utils.go | 85 +++++++++++++++++++---- agent/app/service/nginx_utils.go | 2 + agent/app/service/website_ca.go | 2 +- agent/app/service/website_utils.go | 4 +- agent/cmd/server/nginx_conf/root_ssl.conf | 8 +++ agent/cmd/server/nginx_conf/ssl.conf | 6 +- 6 files changed, 89 insertions(+), 18 deletions(-) create mode 100644 agent/cmd/server/nginx_conf/root_ssl.conf diff --git a/agent/app/service/app_utils.go b/agent/app/service/app_utils.go index b4b07ea62..9869d57f9 100644 --- a/agent/app/service/app_utils.go +++ b/agent/app/service/app_utils.go @@ -1844,9 +1844,6 @@ func getAppTags(appID uint, lang string) ([]response.TagDTO, error) { func handleOpenrestyFile(appInstall *model.AppInstall) error { websites, _ := websiteRepo.List() - if len(websites) == 0 { - return nil - } hasDefaultWebsite := false for _, website := range websites { if website.DefaultServer { 
@@ -1854,18 +1851,82 @@ func handleOpenrestyFile(appInstall *model.AppInstall) error { break } } + if err := handleSSLConfig(appInstall, hasDefaultWebsite); err != nil { + return err + } + if len(websites) == 0 { + return nil + } if hasDefaultWebsite { - installDir := appInstall.GetPath() - defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf") - fileOp := files.NewFileOp() - content, err := fileOp.GetContent(defaultConfigPath) - if err != nil { - return err - } - newContent := strings.ReplaceAll(string(content), "default_server", "") - if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil { + if err := handleDefaultServer(appInstall); err != nil { return err } } return createAllWebsitesWAFConfig(websites) } + +func handleDefaultServer(appInstall *model.AppInstall) error { + installDir := appInstall.GetPath() + defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf") + fileOp := files.NewFileOp() + content, err := fileOp.GetContent(defaultConfigPath) + if err != nil { + return err + } + newContent := strings.ReplaceAll(string(content), "default_server", "") + if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil { + return err + } + return nil +} + +func handleSSLConfig(appInstall *model.AppInstall, defaultWebsite bool) error { + sslDir := path.Join(appInstall.GetPath(), "conf", "ssl") + fileOp := files.NewFileOp() + if !fileOp.Stat(sslDir) { + return errors.New("ssl dir not found") + } + ca, _ := websiteCARepo.GetFirst(repo.WithByName("1Panel")) + if ca.ID == 0 { + global.LOG.Errorf("create openresty default ssl failed ca not found") + return nil + } + caService := NewIWebsiteCAService() + caRequest := request.WebsiteCAObtain{ + ID: ca.ID, + Domains: "localhost", + KeyType: "4096", + Time: 99, + Unit: "year", + Dir: sslDir, + PushDir: true, + } + websiteSSL, err := caService.ObtainSSL(caRequest) + if err != 
nil { + return err + } + defer func() { + _ = NewIWebsiteSSLService().Delete([]uint{websiteSSL.ID}) + }() + defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf") + content, err := os.ReadFile(defaultConfigPath) + if err != nil { + return err + } + defaultConfig, err := parser.NewStringParser(string(content)).Parse() + if err != nil { + return err + } + defaultConfig.FilePath = defaultConfigPath + defaultServer := defaultConfig.FindServers()[0] + defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpsPort), defaultWebsite, "ssl") + defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "ssl") + defaultServer.UpdateDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"}) + defaultServer.UpdateDirective("http2", []string{"on"}) + defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpPort), defaultWebsite, "quic", "reuseport") + defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "quic", "reuseport") + if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil { + return err + } + return nil +} diff --git a/agent/app/service/nginx_utils.go b/agent/app/service/nginx_utils.go index f431ef678..b17bf6aeb 100644 --- a/agent/app/service/nginx_utils.go +++ b/agent/app/service/nginx_utils.go @@ -121,6 +121,8 @@ func updateDefaultServerConfig(enable bool) error { defaultServer := defaultConfig.FindServers()[0] defaultServer.UpdateListen("80", enable) defaultServer.UpdateListen("[::]:80", enable) + defaultServer.UpdateListen("443", enable) + defaultServer.UpdateListen("[::]:443", enable) if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil { return err } diff --git a/agent/app/service/website_ca.go b/agent/app/service/website_ca.go index 087fd95f1..34768ba75 100644 --- a/agent/app/service/website_ca.go +++ b/agent/app/service/website_ca.go 
@@ -221,7 +221,7 @@ func (w WebsiteCAService) ObtainSSL(req request.WebsiteCAObtain) (*model.Website domainArray := strings.Split(req.Domains, "\n") for _, domain := range domainArray { if ipAddress := net.ParseIP(domain); ipAddress == nil { - if !common.IsValidDomain(domain) { + if domain != "localhost" && !common.IsValidDomain(domain) { err = buserr.WithName("ErrDomainFormat", domain) return nil, err } diff --git a/agent/app/service/website_utils.go b/agent/app/service/website_utils.go index aa33f6503..b0cf039e8 100644 --- a/agent/app/service/website_utils.go +++ b/agent/app/service/website_utils.go @@ -571,14 +571,14 @@ func setListen(server *components.Server, port string, ipv6, http3, defaultServe } server.UpdateListen(port, defaultServer, params...) if ssl && http3 { - server.UpdateListen(port, defaultServer, "quic", "reuseport") + server.UpdateListen(port, defaultServer, "quic") } if !ipv6 { return } server.UpdateListen("[::]:"+port, defaultServer, params...) if ssl && http3 { - server.UpdateListen("[::]:"+port, defaultServer, "quic", "reuseport") + server.UpdateListen("[::]:"+port, defaultServer, "quic") } } diff --git a/agent/cmd/server/nginx_conf/root_ssl.conf b/agent/cmd/server/nginx_conf/root_ssl.conf new file mode 100644 index 000000000..9d9b0a29e --- /dev/null +++ b/agent/cmd/server/nginx_conf/root_ssl.conf @@ -0,0 +1,8 @@ +ssl_certificate /usr/local/openresty/nginx/conf/ssl/fullchain.pem; +ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/privkey.pem; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; +ssl_prefer_server_ciphers off; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; +add_header Strict-Transport-Security "max-age=31536000"; \ No newline at end of file diff --git a/agent/cmd/server/nginx_conf/ssl.conf b/agent/cmd/server/nginx_conf/ssl.conf index 908c52fb4..b29527b71 100644 --- a/agent/cmd/server/nginx_conf/ssl.conf 
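Review bot: The new `domain != "localhost"` carve-out in ObtainSSL applies to every caller of the CA service, not only the OpenResty default-cert path, and compares a bare literal that handleSSLConfig repeats in `Domains: "localhost"`; pull it into one named constant, e.g. `const localhostDomain = "localhost"`, so the two sites cannot drift. Because `domainArray` comes from a raw `strings.Split(req.Domains, "\n")`, a trailing `\r` or space would still make `localhost` fall through to ErrDomainFormat; trimming with `strings.TrimSpace(domain)` before the check avoids that if CRLF input is possible. The enclosing function starts before the hunk.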
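Review bot: Dropping `reuseport` from the per-site QUIC listens in setListen makes every site rely on the OpenResty default server written by handleSSLConfig to carry `reuseport` for the shared address:port, but that function only touches `appInstall.HttpsPort` and returns early when the `1Panel` CA or the ssl dir is missing, so a site on a custom HTTPS port — or any panel where the default cert was never written — ends up with QUIC listens that have no `reuseport` anywhere. Whether nginx accepts a multi-worker QUIC listen without it should be confirmed; if not, keep `reuseport` when `port` differs from the OpenResty HTTPS port. A comment above the two changed calls would stop the next maintainer from re-adding it, e.g. `// reuseport is declared once per address:port on the default server in 00.default.conf; presumably repeating it here is rejected by nginx`.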
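Review bot: The `ssl_ciphers` line in root_ssl.conf allows `EECDH+3DES:RSA+3DES` and the static-RSA `RSA+AES128`/`RSA+AES256` suites, and with `ssl_prefer_server_ciphers off` the client chooses, so a TLS 1.2 client can negotiate 3DES (SWEET32) or a non-forward-secret key exchange on the default vhost; use the PFS/AEAD-only list this same patch keeps in ssl.conf, `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;`. `EECDH+CHACHA20-draft` is a non-standard OpenSSL alias and should be confirmed to exist in the bundled OpenSSL, otherwise it is silently ignored. This file is included by the catch-all default server, so `add_header Strict-Transport-Security "max-age=31536000";` is sent for every hostname that lands there; browsers ignore it over an untrusted connection, but once the 1Panel CA root is installed it pins a year of HTTPS-only for any unmatched hostname, which is rarely wanted on a fallback vhost — drop it here or document the intent. The file also lacks a trailing newline.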
+++ b/agent/cmd/server/nginx_conf/ssl.conf @@ -1,8 +1,8 @@ -ssl_certificate /www/server/panel/vhost/cert/1panel.cloud/fullchain.pem; -ssl_certificate_key /www/server/panel/vhost/cert/1panel.cloud/privkey.pem; +ssl_certificate /www/sites/1panel.pro/ssl/fullchain.pem; +ssl_certificate_key /www/sites/1panel.pro/ssl/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED; -ssl_prefer_server_ciphers on; +ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; error_page 497 https://$host$request_uri;
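Review bot: ssl.conf still enables TLS 1.1 via `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` while the new root_ssl.conf in the same patch starts at TLS 1.2; TLS 1.0/1.1 are deprecated by RFC 8996 and the two templates should agree, so change the line to `ssl_protocols TLSv1.2 TLSv1.3;`. Switching `ssl_prefer_server_ciphers` to `off` is fine here because the list is ECDHE/AEAD only. The new `/www/sites/1panel.pro/ssl/...` paths appear to be placeholder values rewritten per site at render time; if so, a comment stating that (`# placeholder paths, replaced with the site's ssl dir when the config is rendered`) would make the template self-explanatory.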