potluck-nginx 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 599537fcab6df50b0126d73460295be4b366101667ad4c2317199b361153a5c1
+  data.tar.gz: 6a38b16b915efa971b1b93361dd1b995937b67a61031376879cf0aae857438be
+SHA512:
+  metadata.gz: f007969613094559c4b68707b8bf87f570def7da9b5122673de84ca2a4c45409450ba348f7d8ff522191188afacdf1cf1a94c15f1a0b4cc36419e446ca921644
+  data.tar.gz: 6c3672941908c91d9151e7863ed0cb93c7e7ebf4463bcc2b7c8d997ac3baf529ef124bad4a1733c33ee3221a12cfad0cd41c60f72f85f9f2c1921f4d2646a436

data/LICENSE

@@ -0,0 +1,16 @@
+Copyright 2021 Nate Pickens
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without
+limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+# Potluck - Nginx
+
+An extension to the Potluck gem that provides control over the Nginx process and its configuration files
+from Ruby.
+
+## Installation
+
+Add this line to your Gemfile:
+
+```ruby
+gem('potluck-nginx')
+```
+
+Or install manually on the command line:
+
+```bash
+gem install potluck-nginx
+```
+
+## Usage
+
+[Coming soon.]
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/npickens/potluck.
+
+## License
+
+The gem is available as open source under the terms of the
+[MIT License](https://opensource.org/licenses/MIT).

data/lib/potluck/nginx.rb

@@ -0,0 +1,255 @@
+# frozen_string_literal: true
+
+require('fileutils')
+require('potluck')
+require_relative('nginx/ssl')
+require_relative('nginx/util')
+
+module Potluck
+  class Nginx < Dish
+    CONFIG_NAME_ACTIVE = 'nginx.conf'
+    CONFIG_NAME_INACTIVE = 'nginx-stopped.conf'
+    ACTIVE_CONFIG_PATTERN = File.join(DIR, '*', CONFIG_NAME_ACTIVE).freeze
+
+    TEST_CONFIG_REGEX = /nginx: configuration file (?<config>.+) test (failed|is successful)/.freeze
+    INCLUDE_REGEX = /^ *include +#{Regexp.escape(ACTIVE_CONFIG_PATTERN)} *;/.freeze
+
+    def initialize(hosts, port, subdomains: nil, ssl: nil, one_host: false, www: nil, multiple_slashes: nil,
+        multiple_question_marks: nil, trailing_slash: nil, trailing_question_mark: nil, config: {}, **args)
+      super(**args)
+
+      @hosts = Array(hosts).map { |h| h.sub(/^www\./, '') }.uniq
+      @hosts += @hosts.map { |h| "www.#{h}" }
+      @host = @hosts.first
+      @port = port
+
+      @dir = File.join(DIR, @host)
+      @ssl = SSL.new(self, @dir, @host, **ssl) if ssl
+
+      @scheme = @ssl ? 'https' : 'http'
+      @other_scheme = @ssl ? 'http' : 'https'
+      @one_host = !!one_host
+      @subdomains = Array(subdomains)
+      @www = www
+      @multiple_slashes = multiple_slashes
+      @multiple_question_marks = multiple_question_marks
+      @trailing_slash = trailing_slash
+      @trailing_question_mark = trailing_question_mark
+      @additional_config = config
+
+      FileUtils.mkdir_p(DIR)
+      FileUtils.mkdir_p(@dir)
+
+      @config_file_active = File.join(@dir, CONFIG_NAME_ACTIVE).freeze
+      @config_file_inactive = File.join(@dir, CONFIG_NAME_INACTIVE).freeze
+    end
+
+    def start
+      @ssl&.ensure_files
+      ensure_host_entries
+      ensure_include
+
+      write_config
+      activate_config
+
+      run('nginx -t')
+
+      status == :active ? reload : super
+    end
+
+    def stop(hard = false)
+      deactivate_config
+
+      hard || status != :active ? super() : reload
+    end
+
+    def reload
+      run('nginx -s reload')
+    end
+
+    private
+
+    def config
+      host_subdomains_regex = ([@host] + @subdomains).join('|')
+      hosts_subdomains_regex = (@hosts + @subdomains).join('|')
+
+      config = {
+        "upstream #{@host}" => {
+          'server' => "127.0.0.1:#{@port}",
+        },
+
+        'server' => Util.deep_merge!({
+          'charset' => 'UTF-8',
+          'access_log' => File.join(@dir, 'nginx-access.log'),
+          'error_log' => File.join(@dir, 'nginx-error.log'),
+
+          'listen' => {
+            repeat: true,
+            '8080' => true,
+            '[::]:8080' => true,
+            '4433 ssl http2' => @ssl ? true : nil,
+            '[::]:4433 ssl http2' => @ssl ? true : nil,
+          },
+          'server_name' => (@hosts + @subdomains).join(' '),
+
+          'gzip' => 'on',
+          'gzip_types' => 'application/javascript application/json text/css text/plain',
+
+          'add_header' => {
+            repeat: true,
+            'Referrer-Policy' => 'same-origin',
+            'X-Frame-Options' => 'DENY',
+            'X-XSS-Protection' => '\'1; mode=block\'',
+            'X-Content-Type-Options' => 'nosniff',
+          },
+        }, @ssl ? @ssl.config : {}).merge!(
+          'location /' => {
+            raw: """
+              if ($host !~ ^#{hosts_subdomains_regex}$) { return 404; }
+
+              set $r 0;
+              set $s $scheme;
+              set $h $host;
+              set $p '';
+              set $u '';
+              set $q '';
+
+              #{if @www.nil? && @one_host == false
+                nil
+              elsif @www.nil? && @one_host == true
+                "if ($host !~ ^(www.)?#{host_subdomains_regex}$) { set $h $1#{@host}; set $r 1; }"
+              elsif @www == false && @one_host == false
+                "if ($host ~ ^www.(.+)$) { set $h $1; set $r 1; }"
+              elsif @www == false && @one_host == true
+                "if ($host !~ ^#{host_subdomains_regex}$) { set $h #{@host}; set $r 1; }"
+              elsif @www == true && @one_host == false
+                "if ($host !~ ^www.(.+)$) { set $h $1; set $r 1; }"
+              elsif @www == true && @one_host == true
+                "if ($host !~ ^www.#{host_subdomains_regex}$) { set $h www.#{@host}; set $r 1; }"
+              end}
+
+              if ($scheme = #{@other_scheme}) { set $s #{@scheme}; set $r 1; }
+              if ($http_host ~ :[0-9]+$) { set $p :#{@ssl ? '4433' : '8080'}; }
+              if ($request_uri ~ ^([^\\?]+)(\\?+.*)?$) { set $u $1; set $q $2; }
+
+              #{'if ($u ~ //) { set $u $uri; set $r 1; }' if @multiple_slashes == false}
+              #{'if ($q ~ ^\?\?+(.*)$) { set $q ?$1; set $r 1; }' if @multiple_question_marks == false}
+
+              #{if @trailing_question_mark == false
+                'if ($q ~ \?+$) { set $q \'\'; set $r 1; }'
+              elsif @trailing_question_mark == true
+                'if ($q !~ .) { set $q ?; set $r 1; }'
+              end}
+              #{if @trailing_slash == false
+                'if ($u ~ (.+?)/+$) { set $u $1; set $r 1; }'
+              elsif @trailing_slash == true
+                'if ($u ~ [^/]$) { set $u $u/; set $r 1; }'
+              end}
+
+              set $mr $request_method$r;
+
+              if ($mr ~ ^(GET|HEAD)1$) { return 301 $s://$h$p$u$q; }
+              if ($mr ~ 1$) { return 308 $s://$h$p$u$q; }
+            """.strip.gsub(/^ +/, '').gsub(/\n{3,}/, "\n\n"),
+
+            'proxy_pass' => "http://#{@host}",
+            'proxy_redirect' => 'off',
+            'proxy_set_header' => {
+              repeat: true,
+              'Host' => @host,
+              'X-Real-IP' => '$remote_addr',
+              'X-Forwarded-For' => '$proxy_add_x_forwarded_for',
+              'X-Forwarded-Proto' => @ssl ? 'https' : 'http',
+              'X-Forwarded-Port' => @ssl ? '443' : '80',
+            },
+          },
+        ),
+      }
+
+      Util.deep_merge!(config['server'], @additional_config)
+
+      config
+    end
+
+    def write_config
+      File.open(@config_file_inactive, 'w') do |file|
+        file.write(self.class.to_nginx_config(config))
+      end
+    end
+
+    def activate_config
+      FileUtils.mv(@config_file_inactive, @config_file_active)
+    end
+
+    def deactivate_config
+      FileUtils.mv(@config_file_active, @config_file_inactive) if File.exists?(@config_file_active)
+    end
+
+    def ensure_host_entries
+      content = File.read('/etc/hosts')
+      missing_entries = (@hosts + @subdomains).each_with_object([]) do |h, a|
+        a << h unless content.include?(" #{h}\n")
+      end
+
+      return if missing_entries.empty?
+
+      log('Writing host entries to /etc/hosts...')
+
+      run(
+        <<~CMD
+          sudo sh -c 'printf "
+          #{missing_entries.map { |h| "127.0.0.1 #{h}\n::1       #{h}"}.join("\n")}
+          " >> /etc/hosts'
+        CMD
+      )
+    end
+
+    def ensure_include
+      config_file = `nginx -t 2>&1`[TEST_CONFIG_REGEX, :config]
+      config_content = File.read(config_file)
+
+      if config_content !~ INCLUDE_REGEX
+        File.write(config_file, config_content.sub(/^( *http *{)( *\n?)( *)/,
+          "\\1\\2\\3include #{ACTIVE_CONFIG_PATTERN};\n\n\\3"))
+      end
+    end
+
+    def self.to_nginx_config(hash, indent: 0, repeat: nil)
+      hash.each_with_object(+'') do |(k, v), config|
+        next if v.nil?
+        next if k == :repeat
+
+        config << (
+          if v.kind_of?(Hash)
+            if v[:repeat]
+              to_nginx_config(v, indent: indent, repeat: k)
+            else
+              "#{' ' * indent}#{k} {\n#{to_nginx_config(v, indent: indent + 2)}#{' ' * indent}}\n"
+            end
+          elsif k == :raw
+            "#{v.gsub(/^(?=.)/, ' ' * indent)}\n\n"
+          else
+            "#{' ' * indent}#{"#{repeat} " if repeat}#{k}#{" #{v}" unless v == true};\n"
+          end
+        )
+      end
+    end
+
+    def self.plist
+      super(
+        <<~EOS
+          <key>ProgramArguments</key>
+          <array>
+            <string>/usr/local/opt/nginx/bin/nginx</string>
+            <string>-g</string>
+            <string>daemon off;</string>
+          </array>
+          <key>StandardOutPath</key>
+          <string>/usr/local/var/log/nginx/access.log</string>
+          <key>StandardErrorPath</key>
+          <string>/usr/local/var/log/nginx/error.log</string>
+        EOS
+      )
+    end
+  end
+end

data/lib/potluck/nginx/ssl.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require('time')
+
+module Potluck
+  class Nginx < Dish
+    class SSL
+      # Based on https://hackernoon.com/how-properly-configure-nginx-server-for-tls-sg1d3udt
+      DEFAULT_CONFIG = {
+        'ssl_ciphers' => 'ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:DH+3DES:!ADH:!AECDH:!MD5',
+        'ssl_prefer_server_ciphers' => 'on',
+        'ssl_protocols' => 'TLSv1.2 TLSv1.3',
+        'ssl_session_cache' => 'shared:SSL:40m',
+        'ssl_session_tickets' => 'on',
+        'ssl_session_timeout' => '4h',
+        'add_header' => {
+          repeat: true,
+          'Strict-Transport-Security' => '\'max-age=31536000; includeSubDomains\' always',
+        }.freeze,
+      }.freeze
+
+      CERT_DAYS = 365
+      CERT_RENEW_DAYS = 14
+
+      attr_reader(:csr_file, :key_file, :crt_file, :dhparam_file, :config)
+
+      def initialize(nginx, dir, host, crt_file: nil, key_file: nil, dhparam_file: nil,
+          config: {})
+        @nginx = nginx
+        @dir = dir
+        @host = host
+
+        @auto_generated = !crt_file && !key_file && !dhparam_file
+
+        if !@auto_generated && (!crt_file || !key_file || !dhparam_file)
+          raise('Must supply values for all three or none: crt_file, key_file, dhparam_file')
+        end
+
+        @csr_file = File.join(@dir, "#{@host}.csr").freeze
+        @crt_file = crt_file || File.join(@dir, "#{@host}.crt").freeze
+        @key_file = key_file || File.join(@dir, "#{@host}.key").freeze
+        @dhparam_file = dhparam_file || File.join(@dir, 'dhparam.pem').freeze
+
+        @config = {
+          'ssl_certificate' => @crt_file,
+          'ssl_certificate_key' => @key_file,
+          'ssl_dhparam' => @dhparam_file,
+          'ssl_stapling' => ('on' unless @auto_generated),
+          'ssl_stapling_verify' => ('on' unless @auto_generated),
+        }.merge!(DEFAULT_CONFIG).merge!(config)
+      end
+
+      def ensure_files
+        return if !@auto_generated || (
+          File.exists?(@csr_file) &&
+          File.exists?(@key_file) &&
+          File.exists?(@crt_file) &&
+          File.exists?(@dhparam_file) &&
+          (Time.parse(
+            @nginx.run("openssl x509 -enddate -noout -in #{@crt_file}").sub('notAfter=', '')
+          ) - Time.now) >= CERT_RENEW_DAYS * 24 * 60 * 60
+        )
+
+        @nginx.log('Generating SSL files...')
+
+        @nginx.run("openssl genrsa -out #{@key_file} 4096", redirect_stderr: false)
+        @nginx.run("openssl req -out #{@csr_file} -key #{@key_file} -new -sha256 -config /dev/stdin <<< "\
+          "'#{openssl_config}'", redirect_stderr: false)
+        @nginx.run("openssl x509 -in #{@csr_file} -out #{@crt_file} -signkey #{@key_file} -days "\
+          "#{CERT_DAYS} -req -sha256 -extensions req_ext -extfile /dev/stdin <<< '#{openssl_config}'",
+          redirect_stderr: false)
+        @nginx.run("openssl dhparam -out #{@dhparam_file} 2048", redirect_stderr: false)
+
+        if IS_MACOS
+          @nginx.log('Adding cert to keychain...')
+
+          @nginx.run(
+            "sudo security delete-certificate -t -c #{@host} 2>&1 || "\
+            "sudo security delete-certificate -c #{@host} 2>&1 || :"
+          )
+
+          @nginx.run("sudo security add-trusted-cert -d -r trustRoot -k "\
+            "/Library/Keychains/System.keychain #{@crt_file}")
+        end
+      end
+
+      private
+
+      def openssl_config
+        <<~EOS
+          [ req ]
+          prompt             = no
+          default_bits       = 4096
+          distinguished_name = req_distinguished_name
+          req_extensions     = req_ext
+
+          [ req_distinguished_name ]
+          commonName          = #{@host}
+
+          [ req_ext ]
+          subjectAltName = @alt_names
+
+          [alt_names]
+          DNS.1 = #{@host}
+          DNS.2 = *.#{@host}
+        EOS
+      end
+    end
+  end
+end

data/lib/potluck/nginx/util.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Potluck
+  class Nginx
+    class Util
+      def self.deep_merge!(*hashes, arrays: false)
+        hash = hashes[0]
+
+        hashes[1..-1].each do |other_hash|
+          other_hash.each do |key, other_value|
+            this_value = hash[key]
+
+            if this_value.kind_of?(Hash) && other_value.kind_of?(Hash)
+              deep_merge!(this_value, other_value, arrays: arrays)
+            elsif arrays && this_value.kind_of?(Array)
+              hash[key] |= Array(other_value)
+            else
+              hash[key] = other_value
+            end
+          end
+        end
+
+        hash
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification
+name: potluck-nginx
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Nate Pickens
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-03-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: potluck
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 6.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 6.0.0
+description: An extension to the Potluck gem that provides control over the Nginx
+  process and its configuration files from Ruby.
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/potluck/nginx.rb
+- lib/potluck/nginx/ssl.rb
+- lib/potluck/nginx/util.rb
+homepage: https://github.com/npickens/potluck/tree/master/potluck-nginx
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/npickens/potluck/tree/master/potluck-nginx
+  source_code_uri: https://github.com/npickens/potluck/tree/master/potluck-nginx
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.8
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key:
+specification_version: 4
+summary: A Ruby manager for Nginx.
+test_files: []