feat: install openresty with default ssl (#8534)

2025-10-19 03:46:10 +08:00 · 2025-05-02 21:37:57 +08:00 · 2025-05-02 21:37:57 +08:00 · 4b5526a028
commit 4b5526a028
parent b382bd922b
6 changed files with 89 additions and 18 deletions
--- a/agent/app/service/app_utils.go
+++ b/agent/app/service/app_utils.go
@ -1844,9 +1844,6 @@ func getAppTags(appID uint, lang string) ([]response.TagDTO, error) {

 func handleOpenrestyFile(appInstall *model.AppInstall) error {
 	websites, _ := websiteRepo.List()
-	if len(websites) == 0 {
-		return nil
-	}
 	hasDefaultWebsite := false
 	for _, website := range websites {
 		if website.DefaultServer {
@ -1854,18 +1851,82 @@ func handleOpenrestyFile(appInstall *model.AppInstall) error {
 			break
 		}
 	}
+	if err := handleSSLConfig(appInstall, hasDefaultWebsite); err != nil {
+		return err
+	}
+	if len(websites) == 0 {
+		return nil
+	}
 	if hasDefaultWebsite {
-		installDir := appInstall.GetPath()
-		defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf")
-		fileOp := files.NewFileOp()
-		content, err := fileOp.GetContent(defaultConfigPath)
-		if err != nil {
-			return err
-		}
-		newContent := strings.ReplaceAll(string(content), "default_server", "")
-		if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil {
+		if err := handleDefaultServer(appInstall); err != nil {
 			return err
 		}
 	}
 	return createAllWebsitesWAFConfig(websites)
 }
+
+func handleDefaultServer(appInstall *model.AppInstall) error {
+	installDir := appInstall.GetPath()
+	defaultConfigPath := path.Join(installDir, "conf", "default", "00.default.conf")
+	fileOp := files.NewFileOp()
+	content, err := fileOp.GetContent(defaultConfigPath)
+	if err != nil {
+		return err
+	}
+	newContent := strings.ReplaceAll(string(content), "default_server", "")
+	if err := fileOp.WriteFile(defaultConfigPath, strings.NewReader(newContent), constant.FilePerm); err != nil {
+		return err
+	}
+	return nil
+}
+
+func handleSSLConfig(appInstall *model.AppInstall, defaultWebsite bool) error {
+	sslDir := path.Join(appInstall.GetPath(), "conf", "ssl")
+	fileOp := files.NewFileOp()
+	if !fileOp.Stat(sslDir) {
+		return errors.New("ssl dir not found")
+	}
+	ca, _ := websiteCARepo.GetFirst(repo.WithByName("1Panel"))
+	if ca.ID == 0 {
+		global.LOG.Errorf("create openresty default ssl failed ca not found")
+		return nil
+	}
+	caService := NewIWebsiteCAService()
+	caRequest := request.WebsiteCAObtain{
+		ID:      ca.ID,
+		Domains: "localhost",
+		KeyType: "4096",
+		Time:    99,
+		Unit:    "year",
+		Dir:     sslDir,
+		PushDir: true,
+	}
+	websiteSSL, err := caService.ObtainSSL(caRequest)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = NewIWebsiteSSLService().Delete([]uint{websiteSSL.ID})
+	}()
+	defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf")
+	content, err := os.ReadFile(defaultConfigPath)
+	if err != nil {
+		return err
+	}
+	defaultConfig, err := parser.NewStringParser(string(content)).Parse()
+	if err != nil {
+		return err
+	}
+	defaultConfig.FilePath = defaultConfigPath
+	defaultServer := defaultConfig.FindServers()[0]
+	defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpsPort), defaultWebsite, "ssl")
+	defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "ssl")
+	defaultServer.UpdateDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"})
+	defaultServer.UpdateDirective("http2", []string{"on"})
+	defaultServer.UpdateListen(fmt.Sprintf("%d", appInstall.HttpPort), defaultWebsite, "quic", "reuseport")
+	defaultServer.UpdateListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort), defaultWebsite, "quic", "reuseport")
+	if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
+		return err
+	}
+	return nil
+}
--- a/agent/app/service/nginx_utils.go
+++ b/agent/app/service/nginx_utils.go
@ -121,6 +121,8 @@ func updateDefaultServerConfig(enable bool) error {
 	defaultServer := defaultConfig.FindServers()[0]
 	defaultServer.UpdateListen("80", enable)
 	defaultServer.UpdateListen("[::]:80", enable)
+	defaultServer.UpdateListen("443", enable)
+	defaultServer.UpdateListen("[::]:443", enable)
 	if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
 		return err
 	}
--- a/agent/app/service/website_ca.go
+++ b/agent/app/service/website_ca.go
@ -221,7 +221,7 @@ func (w WebsiteCAService) ObtainSSL(req request.WebsiteCAObtain) (*model.Website
 			domainArray := strings.Split(req.Domains, "\n")
 			for _, domain := range domainArray {
 				if ipAddress := net.ParseIP(domain); ipAddress == nil {
-					if !common.IsValidDomain(domain) {
+					if domain != "localhost" && !common.IsValidDomain(domain) {
 						err = buserr.WithName("ErrDomainFormat", domain)
 						return nil, err
 					}
--- a/agent/app/service/website_utils.go
+++ b/agent/app/service/website_utils.go
@ -571,14 +571,14 @@ func setListen(server *components.Server, port string, ipv6, http3, defaultServe
 	}
 	server.UpdateListen(port, defaultServer, params...)
 	if ssl && http3 {
-		server.UpdateListen(port, defaultServer, "quic", "reuseport")
+		server.UpdateListen(port, defaultServer, "quic")
 	}
 	if !ipv6 {
 		return
 	}
 	server.UpdateListen("[::]:"+port, defaultServer, params...)
 	if ssl && http3 {
-		server.UpdateListen("[::]:"+port, defaultServer, "quic", "reuseport")
+		server.UpdateListen("[::]:"+port, defaultServer, "quic")
 	}
 }

--- a/agent/cmd/server/nginx_conf/root_ssl.conf
+++ b/agent/cmd/server/nginx_conf/root_ssl.conf
@ -0,0 +1,8 @@
+ssl_certificate    /usr/local/openresty/nginx/conf/ssl/fullchain.pem;
+ssl_certificate_key    /usr/local/openresty/nginx/conf/ssl/privkey.pem;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_prefer_server_ciphers off;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+add_header Strict-Transport-Security "max-age=31536000";
--- a/agent/cmd/server/nginx_conf/ssl.conf
+++ b/agent/cmd/server/nginx_conf/ssl.conf
@ -1,8 +1,8 @@
-ssl_certificate    /www/server/panel/vhost/cert/1panel.cloud/fullchain.pem;
-ssl_certificate_key    /www/server/panel/vhost/cert/1panel.cloud/privkey.pem;
+ssl_certificate    /www/sites/1panel.pro/ssl/fullchain.pem;
+ssl_certificate_key    /www/sites/1panel.pro/ssl/privkey.pem;
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers off;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
 error_page 497  https://$host$request_uri;