1Panel-dev/1Panel
1
1
Fork 0
mirror of https://github.com/1Panel-dev/1Panel.git synced 2025-12-16 20:42:40 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: install openresty with default ssl (#8534)

Browse source
This commit is contained in:
ChengPlay 2025-05-02 21:37:57 +08:00 committed by GitHub
parent b382bd922b
commit 4b5526a028
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 89 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
agent/app/service/app_utils.go
View file

@ -1844,9 +1844,6 @@ func getAppTags(appID uint, lang string) ([]response.TagDTO, error) {
func handleOpenrestyFile(appInstall *model.AppInstall) error { func handleOpenrestyFile(appInstall *model.AppInstall) error {
websites, _ := websiteRepo.List() websites, _ := websiteRepo.List()
if len(websites) == 0 {
return nil
}
hasDefaultWebsite := false hasDefaultWebsite := false
for _, website := range websites { for _, website := range websites {
if website.DefaultServer { if website.DefaultServer {
@ -1854,18 +1851,82 @@ func handleOpenrestyFile(appInstall *model.AppInstall) error {
break break
} }
} }
if err := handleSSLConfig(appInstall, hasDefaultWebsite); err != nil {
return err
}
if len(websites) == 0 {
return nil
}
if hasDefaultWebsite { if hasDefaultWebsite {
installDir := appInstall.GetPath() if err := handleDefaultServer(appInstall); err != nil {
defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf")
fileOp := files.NewFileOp()
content, err := fileOp.GetContent(defaultConfigPath)
if err != nil {
return err
}
newContent := strings.ReplaceAll(string(content), "default_server", "")
if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil {
return err return err
} }
} }
return createAllWebsitesWAFConfig(websites) return createAllWebsitesWAFConfig(websites)
} }
func handleDefaultServer(appInstall *model.AppInstall) error {
installDir := appInstall.GetPath()
defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf")
fileOp := files.NewFileOp()
content, err := fileOp.GetContent(defaultConfigPath)
if err != nil {
return err
}
newContent := strings.ReplaceAll(string(content), "default_server", "")
if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil {
return err
}
return nil
}
func handleSSLConfig(appInstall *model.AppInstall, defaultWebsite bool) error {
sslDir := path.Join(appInstall.GetPath(), "conf", "ssl")
fileOp := files.NewFileOp()
if !fileOp.Stat(sslDir) {
return errors.New("ssl dir not found")
}
ca, _ := websiteCARepo.GetFirst(repo.WithByName("1Panel"))
if ca.ID == 0 {
global.LOG.Errorf("create openresty default ssl failed ca not found")
return nil
}
caService := NewIWebsiteCAService()
caRequest := request.WebsiteCAObtain{
ID: ca.ID,
Domains: "localhost",
KeyType: "4096",
Time: 99,
Unit: "year",
Dir: sslDir,
PushDir: true,
}
websiteSSL, err := caService.ObtainSSL(caRequest)
if err != nil {
return err
}
defer func() {
_ = NewIWebsiteSSLService().Delete([]uint{websiteSSL.ID})
}()
defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf")
content, err := os.ReadFile(defaultConfigPath)
if err != nil {
return err
}
defaultConfig, err := parser.NewStringParser(string(content)).Parse()
if err != nil {
return err
}
defaultConfig.FilePath = defaultConfigPath
defaultServer := defaultConfig.FindServers()[0]
defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpsPort), defaultWebsite, "ssl")
defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "ssl")
defaultServer.UpdateDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"})
defaultServer.UpdateDirective("http2", []string{"on"})
defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpPort), defaultWebsite, "quic", "reuseport")
defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "quic", "reuseport")
if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
return err
}
return nil
}

2
agent/app/service/nginx_utils.go
View file

@ -121,6 +121,8 @@ func updateDefaultServerConfig(enable bool) error {
defaultServer := defaultConfig.FindServers()[0] defaultServer := defaultConfig.FindServers()[0]
defaultServer.UpdateListen("80", enable) defaultServer.UpdateListen("80", enable)
defaultServer.UpdateListen("[::]:80", enable) defaultServer.UpdateListen("[::]:80", enable)
defaultServer.UpdateListen("443", enable)
defaultServer.UpdateListen("[::]:443", enable)
if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil { if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
return err return err
} }

2
agent/app/service/website_ca.go
View file

@ -221,7 +221,7 @@ func (w WebsiteCAService) ObtainSSL(req request.WebsiteCAObtain) (*model.Website
domainArray := strings.Split(req.Domains, "\n") domainArray := strings.Split(req.Domains, "\n")
for _, domain := range domainArray { for _, domain := range domainArray {
if ipAddress := net.ParseIP(domain); ipAddress == nil { if ipAddress := net.ParseIP(domain); ipAddress == nil {
if !common.IsValidDomain(domain) { if domain != "localhost" && !common.IsValidDomain(domain) {
err = buserr.WithName("ErrDomainFormat", domain) err = buserr.WithName("ErrDomainFormat", domain)
return nil, err return nil, err
} }

4
agent/app/service/website_utils.go
View file

@ -571,14 +571,14 @@ func setListen(server *components.Server, port string, ipv6, http3, defaultServe
} }
server.UpdateListen(port, defaultServer, params...) server.UpdateListen(port, defaultServer, params...)
if ssl && http3 { if ssl && http3 {
server.UpdateListen(port, defaultServer, "quic", "reuseport") server.UpdateListen(port, defaultServer, "quic")
} }
if !ipv6 { if !ipv6 {
return return
} }
server.UpdateListen("[::]:"+port, defaultServer, params...) server.UpdateListen("[::]:"+port, defaultServer, params...)
if ssl && http3 { if ssl && http3 {
server.UpdateListen("[::]:"+port, defaultServer, "quic", "reuseport") server.UpdateListen("[::]:"+port, defaultServer, "quic")
} }
} }

8
agent/cmd/server/nginx_conf/root_ssl.conf Normal file
View file

@ -0,0 +1,8 @@
ssl_certificate /usr/local/openresty/nginx/conf/ssl/fullchain.pem;
ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";

6
agent/cmd/server/nginx_conf/ssl.conf
View file

@ -1,8 +1,8 @@
ssl_certificate /www/server/panel/vhost/cert/1panel.cloud/fullchain.pem; ssl_certificate /www/sites/1panel.pro/ssl/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/1panel.cloud/privkey.pem; ssl_certificate_key /www/sites/1panel.pro/ssl/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
error_page 497 https://$host$request_uri; error_page 497 https://$host$request_uri;