author | Patrick Murphy <Patrick.Murphy@multitech.com> | 2020-04-30 13:04:00 -0500 |
---|---|---|
committer | John Klug <john.klug@multitech.com> | 2020-06-18 20:22:08 -0500 |
commit | 5724d72ffb2d6f4e44b65a92d5b69bcdf8551118 (patch) | |
tree | ff5b1f6243f931eccda3f378887681c086c0021e /recipes-core/lighttpd/files | |
parent | a3020c1257ad6bd653b5c619f1552b5e22fe7e0c (diff) | |
download | meta-mlinux-5724d72ffb2d6f4e44b65a92d5b69bcdf8551118.tar.gz meta-mlinux-5724d72ffb2d6f4e44b65a92d5b69bcdf8551118.tar.bz2 meta-mlinux-5724d72ffb2d6f4e44b65a92d5b69bcdf8551118.zip |
moved 5.2.1 changes to master
Diffstat (limited to 'recipes-core/lighttpd/files')
-rw-r--r-- | recipes-core/lighttpd/files/0001-lighttpd-pcre-use-pkg-config.patch | 41 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/0002_extended_tls_conf.patch | 110 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/0004_fastcgi_env_with_unixsocket.patch | 57 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/lighttpd.conf | 209 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/lighttpd.init | 310 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/lighttpd_custom_images_setup | 57 | ||||
-rw-r--r-- | recipes-core/lighttpd/files/lighttpd_nrs.conf | 66 |
7 files changed, 850 insertions, 0 deletions
diff --git a/recipes-core/lighttpd/files/0001-lighttpd-pcre-use-pkg-config.patch b/recipes-core/lighttpd/files/0001-lighttpd-pcre-use-pkg-config.patch new file mode 100644 index 0000000..48be920 --- /dev/null +++ b/recipes-core/lighttpd/files/0001-lighttpd-pcre-use-pkg-config.patch @@ -0,0 +1,41 @@ +From 22afc5d9aaa215c3c87ba21c77d47da44ab3b113 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex.kanavin@gmail.com> +Date: Fri, 26 Aug 2016 18:20:32 +0300 +Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. + +RP 2014/5/22 +Upstream-Status: Pending +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> +--- + configure.ac | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5383cec..c29a902 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -651,10 +651,18 @@ AC_ARG_WITH([pcre], + ) + AC_MSG_RESULT([$WITH_PCRE]) + +-if test "$WITH_PCRE" != no; then +- if test "$WITH_PCRE" != yes; then +- PCRE_LIB="-L$WITH_PCRE/lib -lpcre" +- CPPFLAGS="$CPPFLAGS -I$WITH_PCRE/include" ++if test "$WITH_PCRE" != "no"; then ++ PKG_CHECK_MODULES(PCREPKG, [libpcre], [ ++ PCRE_LIB=${PCREPKG_LIBS} ++ CPPFLAGS="$CPPFLAGS ${PCREPKG_CFLAGS}" ++ ], [ ++ AC_MSG_ERROR([pcre pkgconfig not found, install the pcre-devel package or build with --without-pcre]) ++ ]) ++ ++ if test x"$PCRE_LIB" != x; then ++ AC_DEFINE([HAVE_LIBPCRE], [1], [libpcre]) ++ AC_DEFINE([HAVE_PCRE_H], [1], [pcre.h]) ++ AC_SUBST(PCRE_LIB) + else + AC_PATH_PROG([PCRECONFIG], [pcre-config]) + if test -n "$PCRECONFIG"; then +-- +2.15.0 diff --git a/recipes-core/lighttpd/files/0002_extended_tls_conf.patch b/recipes-core/lighttpd/files/0002_extended_tls_conf.patch new file mode 100644 index 0000000..1a216dd --- /dev/null +++ b/recipes-core/lighttpd/files/0002_extended_tls_conf.patch 
@@ -0,0 +1,110 @@ +diff --git a/src/base.h b/src/base.h +index 134fc41..f2d849e 100644 +--- a/src/base.h ++++ b/src/base.h +@@ -289,6 +289,9 @@ typedef struct { + unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */ + unsigned short ssl_use_sslv2; + unsigned short ssl_use_sslv3; ++ unsigned short ssl_use_tlsv1; ++ unsigned short ssl_use_tlsv1_1; ++ unsigned short ssl_use_tlsv1_2; + unsigned short ssl_verifyclient; + unsigned short ssl_verifyclient_enforce; + unsigned short ssl_verifyclient_depth; +diff --git a/src/configfile.c b/src/configfile.c +index bba6925..bbedd77 100644 +--- a/src/configfile.c ++++ b/src/configfile.c +@@ -146,6 +146,10 @@ static int config_insert(server *srv) { + { "server.max-request-field-size", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_SERVER }, /* 78 */ + { "ssl.read-ahead", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */ + ++ { "ssl.use-tlsv1", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 80 */ ++ { "ssl.use-tlsv1_1", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 81 */ ++ { "ssl.use-tlsv1_2", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 82 */ ++ + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + +@@ -226,6 +230,9 @@ static int config_insert(server *srv) { + s->ssl_empty_fragments = 0; + s->ssl_use_sslv2 = 0; + s->ssl_use_sslv3 = 0; ++ s->ssl_use_tlsv1 = 0; ++ s->ssl_use_tlsv1_1 = 0; ++ s->ssl_use_tlsv1_2 = 1; + s->use_ipv6 = (i == 0) ? 0 : srv->config_storage[0]->use_ipv6; + s->set_v6only = (i == 0) ? 1 : srv->config_storage[0]->set_v6only; + s->defer_accept = (i == 0) ? 
0 : srv->config_storage[0]->defer_accept; +@@ -318,6 +325,9 @@ static int config_insert(server *srv) { + cv[76].destination = &(s->stream_request_body); + cv[77].destination = &(s->stream_response_body); + cv[79].destination = &(s->ssl_read_ahead); ++ cv[80].destination = &(s->ssl_use_tlsv1); ++ cv[81].destination = &(s->ssl_use_tlsv1_1); ++ cv[82].destination = &(s->ssl_use_tlsv1_2); + + srv->config_storage[i] = s; + +@@ -536,6 +546,9 @@ int config_setup_connection(server *srv, connection *con) { + PATCH(ssl_empty_fragments); + PATCH(ssl_use_sslv2); + PATCH(ssl_use_sslv3); ++ PATCH(ssl_use_tlsv1); ++ PATCH(ssl_use_tlsv1_1); ++ PATCH(ssl_use_tlsv1_2); + PATCH(etag_use_inode); + PATCH(etag_use_mtime); + PATCH(etag_use_size); +@@ -615,6 +628,12 @@ int config_patch_connection(server *srv, connection *con) { + PATCH(ssl_use_sslv2); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { + PATCH(ssl_use_sslv3); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1"))) { ++ PATCH(ssl_use_tlsv1); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1_1"))) { ++ PATCH(ssl_use_tlsv1_1); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1_2"))) { ++ PATCH(ssl_use_tlsv1_2); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) { + PATCH(ssl_cipher_list); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) { +diff --git a/src/network.c b/src/network.c +index 4295fe9..a3f9ec3 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -859,6 +859,33 @@ int network_init(server *srv) { + } + } + ++ if (!s->ssl_use_tlsv1) { ++ /* disable TLSv1 */ ++ if (!(SSL_OP_NO_TLSv1 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!s->ssl_use_tlsv1_1) { ++ /* disable TLSv1.1 */ ++ if (!(SSL_OP_NO_TLSv1_1 & 
SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1_1))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ ++ if (!s->ssl_use_tlsv1_2) { ++ /* disable TLSv1.2 */ ++ if (!(SSL_OP_NO_TLSv1_2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1_2))) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ++ ERR_error_string(ERR_get_error(), NULL)); ++ return -1; ++ } ++ } ++ + if (!buffer_string_is_empty(s->ssl_cipher_list)) { + /* Disable support for low encryption ciphers */ + if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { diff --git a/recipes-core/lighttpd/files/0004_fastcgi_env_with_unixsocket.patch b/recipes-core/lighttpd/files/0004_fastcgi_env_with_unixsocket.patch new file mode 100644 index 0000000..c265066 --- /dev/null +++ b/recipes-core/lighttpd/files/0004_fastcgi_env_with_unixsocket.patch 
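Review bot: The three new blocks in network_init let a configuration turn off TLSv1, TLSv1.1 and TLSv1.2 together (with `ssl.use-sslv3` also off), which on an OpenSSL build without TLS 1.3 leaves the context with no negotiable protocol and surfaces only as handshake failures at runtime; a startup check before the new blocks, `if (!s->ssl_use_tlsv1 && !s->ssl_use_tlsv1_1 && !s->ssl_use_tlsv1_2) log_error_write(srv, __FILE__, __LINE__, "s", "SSL: no TLS version is enabled for this socket");`, would make the misconfiguration visible where it is made. Note that these options never touch `SSL_OP_NO_TLSv1_3`, so on OpenSSL 1.1.1 or later `ssl.use-tlsv1_2 = "disable"` still leaves TLS 1.3 negotiable, which the option names do not make obvious; a comment in configfile.c next to the `/* 80 */`-`/* 82 */` entries stating that TLS 1.3 is governed separately would help the next reader. Unlike 0001, this patch file carries no description and no `Upstream-Status:` trailer, which the layer convention expects. network_init starts and ends outside the hunk.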
@@ -0,0 +1,57 @@ +From bdfb7f9c6ab29d2de3576f8bd845fa871bb44ead Mon Sep 17 00:00:00 2001 +From: Serhii Voloshynov <serhii.voloshynov@globallogic.com> +Date: Tue, 6 Nov 2018 13:50:04 +0200 +Subject: [PATCH] patch + +--- + src/http-header-glue.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/http-header-glue.c b/src/http-header-glue.c +index 1916ca6..d4f42ad 100644 +--- a/src/http-header-glue.c ++++ b/src/http-header-glue.c +@@ -1457,6 +1457,8 @@ int http_cgi_headers (server *srv, connection *con, http_cgi_opts *opts, http_cg + rc |= cb(vdata, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")); + } + ++ if (srv_sock->addr.plain.sa_family != AF_UNIX) { ++ + addr = &srv_sock->addr; + li_utostrn(buf, sizeof(buf), sock_addr_get_port(addr)); + rc |= cb(vdata, CONST_STR_LEN("SERVER_PORT"), buf, strlen(buf)); +@@ -1482,6 +1484,7 @@ int http_cgi_headers (server *srv, connection *con, http_cgi_opts *opts, http_cg + } + force_assert(s); + rc |= cb(vdata, CONST_STR_LEN("SERVER_ADDR"), s, strlen(s)); ++ } + + if (!buffer_string_is_empty(con->server_name)) { + size_t len = buffer_string_length(con->server_name); +@@ -1497,15 +1500,23 @@ int http_cgi_headers (server *srv, connection *con, http_cgi_opts *opts, http_cg + rc |= cb(vdata, CONST_STR_LEN("SERVER_NAME"), + con->server_name->ptr, len); + } else { ++ if (srv_sock->addr.plain.sa_family != AF_UNIX) { + /* set to be same as SERVER_ADDR (above) */ + rc |= cb(vdata, CONST_STR_LEN("SERVER_NAME"), s, strlen(s)); + } ++ } ++ if (srv_sock->addr.plain.sa_family == AF_UNIX) { ++ rc |= cb(vdata, CONST_STR_LEN("SERVER_IPC"), CONST_STR_LEN("yes")); ++ } ++ ++ if (srv_sock->addr.plain.sa_family != AF_UNIX) { + + rc |= cb(vdata, CONST_STR_LEN("REMOTE_ADDR"), + CONST_BUF_LEN(con->dst_addr_buf)); + + li_utostrn(buf, sizeof(buf), sock_addr_get_port(&con->dst_addr)); + rc |= cb(vdata, CONST_STR_LEN("REMOTE_PORT"), buf, strlen(buf)); ++ } + + for (n = 0; n < con->request.headers->used; n++) { + data_string *ds = (data_string 
*)con->request.headers->data[n]; +-- +2.7.4 + diff --git a/recipes-core/lighttpd/files/lighttpd.conf b/recipes-core/lighttpd/files/lighttpd.conf new file mode 100644 index 0000000..a3e02da --- /dev/null +++ b/recipes-core/lighttpd/files/lighttpd.conf 
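Review bot: The new guards suppress SERVER_ADDR, SERVER_PORT, REMOTE_ADDR and REMOTE_PORT for requests arriving on an AF_UNIX listener, and RFC 3875 §4.1 phrases REMOTE_ADDR and SERVER_PORT as variables the server MUST set, so a FastCGI backend that reads them unconditionally now sees them absent; either confirm the backend behind the socket tolerates that or emit fixed placeholders alongside the added `SERVER_IPC=yes`. The `srv_sock->addr.plain.sa_family` test is repeated four times with opposite senses; `const int is_unix = (srv_sock->addr.plain.sa_family == AF_UNIX);` computed once would read better, and the bodies wrapped by the new `if` blocks are left at their previous indentation. The patch header is just `Subject: [PATCH] patch` with no body and no `Upstream-Status:` line; one sentence on why these variables are dropped for unix sockets belongs there. http_cgi_headers starts and ends outside the hunk.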
@@ -0,0 +1,209 @@ +# lighttpd configuration file for the rcell +# include config file (/var/run/config/lighttpd_port.conf) generated at start up +# +# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $ + +#IMPORT PORT SETTINGS +include "/var/run/config/lighttpd_port.conf" + +## local access from startup scripts and apps +$SERVER["socket"] == "/var/run/api/http.sock" { } + +## modules +server.modules = ( + "mod_rewrite", + "mod_redirect", + "mod_proxy", + "mod_alias", + "mod_access", + "mod_fastcgi", + "mod_accesslog", + "mod_openssl", + "mod_setenv") + + +## static document-root +server.document-root = "/var/www/" +setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*", + "Content-Security-Policy" => "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src 'self'; img-src 'self' data:", + "X-Frame-Options" =>"SAMEORIGIN", + "X-XSS-Protection" => "1; mode=block", + "X-Content-Type-Options" => "nosniff", + "Referrer-Policy" => "strict-origin-when-cross-origin", + "Feature-Policy" => "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; payment 'none'; usb 'none'", + "Strict-Transport-Security" => "max-age=31536000", + "Cache-Control" => "no-cache" +) +server.socket-perms = "0760" + +## where to send error-messages to +#server.errorlog = "/var/log/lighttpd.error.log" +server.errorlog-use-syslog = "enable" + +# disable stat cache +server.stat-cache-engine = "disable" + +## where to send access log +#accesslog.filename = "/var/log/lighttpd.access.log" +accesslog.use-syslog = "enable" + +## enable debugging +#debug.log-request-header = "enable" +#debug.log-response-header = "enable" +#debug.log-request-handling = "enable" +#debug.log-file-not-found = "enable" +#debug.log-condition-handling = "enable" + +## where to upload files +server.upload-dirs = ( "/var/volatile/tmp" ) + +# files to check for if 
.../ is requested +index-file.names = ( "index.php", "index.html", + "index.htm", "default.htm" ) + +# mimetype mapping +mimetype.assign = ( + ".pdf" => "application/pdf", + ".sig" => "application/pgp-signature", + ".spl" => "application/futuresplash", + ".class" => "application/octet-stream", + ".ps" => "application/postscript", + ".torrent" => "application/x-bittorrent", + ".dvi" => "application/x-dvi", + ".pac" => "application/x-ns-proxy-autoconfig", + ".swf" => "application/x-shockwave-flash", + ".tar.gz" => "application/x-tgz", + ".tgz" => "application/x-tgz", + ".tar" => "application/x-tar", + ".xhtml" => "application/xhtml+xml", + ".xht" => "application/xhtml+xml", + ".zip" => "application/zip", + ".mp3" => "audio/mpeg", + ".m3u" => "audio/x-mpegurl", + ".wma" => "audio/x-ms-wma", + ".wax" => "audio/x-ms-wax", + ".ogg" => "application/ogg", + ".wav" => "audio/x-wav", + ".gif" => "image/gif", + ".jpg" => "image/jpeg", + ".jpeg" => "image/jpeg", + ".png" => "image/png", + ".svg" => "image/svg+xml", + ".ico" => "image/x-icon", + ".xbm" => "image/x-xbitmap", + ".xpm" => "image/x-xpixmap", + ".xwd" => "image/x-xwindowdump", + ".css" => "text/css", + ".html" => "text/html", + ".htm" => "text/html", + ".asc" => "text/plain", + ".c" => "text/plain", + ".cpp" => "text/plain", + ".log" => "text/plain", + ".conf" => "text/plain", + ".text" => "text/plain", + ".txt" => "text/plain", + ".dtd" => "text/xml", + ".xml" => "text/xml", + ".mpeg" => "video/mpeg", + ".mpg" => "video/mpeg", + ".mov" => "video/quicktime", + ".qt" => "video/quicktime", + ".avi" => "video/x-msvideo", + ".asf" => "video/x-ms-asf", + ".asx" => "video/x-ms-asf", + ".wmv" => "video/x-ms-wmv", + ".bz2" => "application/x-bzip", + ".tbz" => "application/x-bzip-compressed-tar", + ".tar.bz2" => "application/x-bzip-compressed-tar", + ".mib" => "application/text", + ".js" => "application/javascript" + ) + +## deny access the file-extensions +url.access-deny = ( "~", ".inc" ) + +# send a different Server: 
header +server.tag = "" + +#server.error-handler-404 = "/index.html" + +#Range request are requests of one or more sub-ranges of a file. +#Range requests are very helpful for resuming interrupted downloads and fetching small portions of huge files. +#Note: Adobe Acrobat Reader can crash when it tries to open a PDF file if range requests are enabled. +$HTTP["url"] =~ "\.pdf$" { + server.range-requests = "disable" +} + +## +# which extensions should not be handle via static-file transfer +# +# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) + +## to help the rc.scripts +server.pid-file = "/var/run/lighttpd.pid" + +# Restrict server process to non priveleged user +server.username = "www" +server.groupname = "www" + +# server limit POST size in kilobytes (60MB for firmware update) +server.max-request-size = 113246 + +# server limits +server.max-keep-alive-requests = 16 +server.max-keep-alive-idle = 15 +server.max-read-idle = 60 +server.max-write-idle = 360 + +## +## Format: <errorfile-prefix><status-code>.html +## -> ..../status-404.html for 'File not found' +server.errorfile-prefix = "/var/www/errors/status-" + +## virtual directory listings +#dir-listing.activate = "enable" + +#IMPORTED CONFIGS WILL HANDLE SETTING HTTP/HTTPS + +#### fastcgi module +fastcgi.server = ( "/" => + ( "authorizer" => + ( + "mode" => "authorizer", + "check-local" => "disable", + "socket" => "/var/run/api/rcell_api.sock", + "docroot" => "/var/www" + ) + ) +) + + +$HTTP["url"] =~ "/static/js" { + setenv.add-response-header = ( "Content-Encoding" => "gzip") + mimetype.assign = ("" => "text/javascript" ) + } else $HTTP["url"] =~ "/help/template/scripts" { + setenv.add-response-header = ( "Content-Encoding" => "gzip") + mimetype.assign = ("" => "text/javascript" ) + } else $HTTP["url"] =~ "/help/whxdata/" { + setenv.add-response-header = ( "Content-Encoding" => "gzip") + mimetype.assign = ("" => "text/javascript" ) + } 
else $HTTP["url"] =~ "/help/template/Azure_Blue_MTS_1/layout.css" { + setenv.add-response-header = ( "Content-Encoding" => "gzip") + mimetype.assign = ("" => "text/css" ) + } else $HTTP["url"] =~ "^/api" { + fastcgi.server = ( "/api" => + ( "api" => + ( + "mode" => "responder", + "check-local" => "disable", + "socket" => "/var/run/api/rcell_api.sock" + ) + ) + ) +} + +#INCLUDE DIPSERVICE SETTINGS +include "/var/run/config/lighttpd_dipservice.conf" +include "/var/run/config/lighttpd_custom_images.conf" diff --git a/recipes-core/lighttpd/files/lighttpd.init b/recipes-core/lighttpd/files/lighttpd.init new file mode 100644 index 0000000..39860d3 --- /dev/null +++ b/recipes-core/lighttpd/files/lighttpd.init 
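Review bot: `setenv.add-response-header` emits `Access-Control-Allow-Origin: *` on every response, including those proxied to the `/api` FastCGI responder, so any page a user's browser visits can read whatever the API returns without credentials; a same-origin management UI does not need this header, and if cross-origin access is genuinely required it should be limited to named origins and paths. The `$HTTP["url"] =~ "^/api"` block appears to replace the global `fastcgi.server` array rather than merge with it, so the `/` authorizer would not run for `/api` requests — confirm the responder enforces authentication on its own. The comment above `server.max-request-size = 113246` says 60MB, but the value is about 110 MB; align one with the other. The CSP's `'unsafe-inline' 'unsafe-eval'` in script-src largely defeats its XSS protection, and `X-XSS-Protection`/`Feature-Policy` are superseded by nothing and `Permissions-Policy` respectively; worth revisiting when the UI permits.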
@@ -0,0 +1,310 @@ +#!/bin/sh + +enable -f libjsonget.so jsonget + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/lighttpd +NAME=lighttpd +ANGEL=/sbin/lighttpd-angel +DESC="Lighttpd Web Server" +# Web UI +OPTS="-D -f /etc/lighttpd.conf" +# Node-RED stub +OPTS_NRS="-f /etc/lighttpd_nrs.conf" + +CAPA_NODE_RED=$(jsonget "$(< /var/run/config/device_info.json)" /capabilities/nodeRed) + +CONF_DIR=/var/config +RUN_CONF_DIR=/var/run/config + +true2enable() { + if [[ "$1" == "true" ]]; then + echo "enable" + else + echo "disable" + fi +} + +#Generates additional lighttpd configuration files +#1) Enables HTTPS +#2) Allows port configurations for HTTP and HTTPS +#3) Enables dipservice +#4) Allows port configurations for dipservice +generate_config() { + FILE="$RUN_CONF_DIR/lighttpd_port.conf" + FILE_DIP="$RUN_CONF_DIR/lighttpd_dipservice.conf" + + #Pull Webserver Ports + RMA=$(jsonget "$(< "/var/config/db.json")" /remoteAccess) + HTTP_ENABLED=$(jsonget "$RMA" /http/enabled) + HTTP_PORT=$(jsonget "$RMA" /http/port) + HTTPS_REDIRECT=$(jsonget "$RMA" /http/redirectToHttps) + HTTPS_ENABLED=$(jsonget "$RMA" /https/enabled) + HTTPS_PORT=$(jsonget "$RMA" /https/port) + + # Advanced secure protocol settings + ADVANCED_SEC_VALID="false" + ADVANCED_SEC=$(jsonget "$(< "/var/config/db.json")" /secureProtocols/2) + + if [[ "0" == "$?" 
]]; then + ADVANCED_SEC_NAME=$(jsonget "$ADVANCED_SEC" /name) + if [[ "$ADVANCED_SEC_NAME" == "lighttpd" ]]; then + ADVANCED_SEC_VALID="true" + HTTPS_SSL3=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/ssl3)) + HTTPS_TLS1=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1)) + HTTPS_TLS1_1=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_1)) + HTTPS_TLS1_2=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_2)) + HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite) + if [[ -z $HTTPS_CIPHER && -f /etc/ssl/allowed_ciphersuites ]]; then + HTTPS_CIPHER=$( cat /etc/ssl/allowed_ciphersuites | tr "\n" ":" ) + fi + CLIENT_VERIFY=$(jsonget "$ADVANCED_SEC" /client/verify ) + fi + fi + + if [[ "$ADVANCED_SEC_VALID" != "true" ]]; then + echo "API init. Using default SSL security settings" + # In case of invalid Advanced Security section - start with default parameters + HTTPS_SSL3=$(true2enable "false") + HTTPS_TLS1=$(true2enable "false") + HTTPS_TLS1_1=$(true2enable "false") + HTTPS_TLS1_2=$(true2enable "true") + HTTPS_CIPHER="" + CLIENT_VERIFY="false" + fi + + #("Protocol" => "-ALL, TLSv1.2") + HTTPS_SSL_CONF='("Protocol" => "-ALL' + + if [[ "$HTTPS_TLS1" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1' + fi + if [[ "$HTTPS_TLS1_1" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1.1' + fi + if [[ "$HTTPS_TLS1_2" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1.2' + fi + HTTPS_SSL_CONF+='")' + + #Generate Lighttpd dipservice config + DIP=$(jsonget "$(< "$CONF_DIR/db.json")" /customDiagnostic || echo '{ "enabled": false, "port":8080 }') + DIP_ENABLED=$(jsonget "$DIP" /enabled) + DIP_PORT=$(jsonget "$DIP" /port) + + echo "Generating $FILE_DIP" + > "$FILE_DIP" + + #Generate Lighttpd Port Config + echo "Generating $FILE" + > "$FILE" + + if [[ "$DIP_ENABLED" == "true" ]]; then + cat >> $FILE_DIP <<END +\$SERVER["socket"] == "0.0.0.0:$DIP_PORT" { + fastcgi.server = ( + "/" => ( + ( + "host" => "127.0.0.1", + "port" => 
9009, + "check-local" => "disable", + "bin-path" => "/sbin/dipservice -d /var/config/dipdata", + "max-procs" => 1, + "docroot" => "/var/config/dipdata" + ) + ) + ) +} +END + fi + + cat >> $FILE <<END +#AUTO-GENERATED LIGHTTPD HTTP/HTTPS CONFIGURATIONS +#DO NOT CHANGE THIS FILE -> CHANGE $0 +END + +#Explicitly set the default listening port to HTTP port. +cat >> $FILE <<END + +# listen to ipv4 +server.bind = "0.0.0.0" +server.port = "$HTTP_PORT" +END + + if [ "$HTTPS_ENABLED" = "true" ]; then + # Enable HTTPS for ipv4/ipv6 + # See (https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config#Recommended-IPv6-setup) + + HTTPS_SSL_ENGINE_CONFIG="ssl.engine = \"enable\" + ssl.use-sslv3 = \"$HTTPS_SSL3\" + ssl.openssl.ssl-conf-cmd = $HTTPS_SSL_CONF + ssl.pemfile = \"$CONF_DIR/server.pem\"" + + if [ "$CLIENT_VERIFY" = "true" ]; then + HTTPS_SSL_ENGINE_CONFIG+="ssl.ca-file = \"/etc/ssl/certs/ca-certificates.crt\" + ssl.verifyclient.activate = \"enable\" + ssl.verifyclient.enforce = \"enable\"" + fi + + if [ -n "$HTTPS_CIPHER" ]; then + HTTPS_SSL_ENGINE_CONFIG+=" + ssl.cipher-list = \"$HTTPS_CIPHER\"" + fi + + cat >> $FILE <<END + +# ipv4 socket +\$SERVER["socket"] == "0.0.0.0:$HTTPS_PORT" { + $HTTPS_SSL_ENGINE_CONFIG +} + +# ipv6 socket +\$SERVER["socket"] == "[::]:$HTTPS_PORT" { + $HTTPS_SSL_ENGINE_CONFIG +} + +END + + fi + + + # Ensure that loopback can always access port 80 + if [ "$HTTP_PORT" != 80 ]; then + echo "\$SERVER[\"socket\"] == \"127.0.0.1:80\" { }" >> $FILE + fi + + # Enable redirect from HTTP to HTTPS if enabled + if [ "$HTTPS_REDIRECT" == "true" ]; then + HTTPS_REDIRECT_CONFIG="\$SERVER[\"socket\"] == \":$HTTP_PORT\" { + \$HTTP[\"host\"] =~ \"^([^:^/]*)(:\d*)?(.*)\" { + url.redirect = ( \"^/(.*)\" => \"https://%1:$HTTPS_PORT/\$1\" ) + } + } else " + fi + + HTTPX_REWRITE_URL='url.rewrite-once = ( "^/(?!static|api|tmp|help)(.+)/?$" => "/index.html" )' + + #BREAKDOWN + # LINE 1: CHECK: REMOTE IP IS NOT 127.0.0.1 (LOOPBACK) + # LINE 2: CHECK: DEST PORT IS 
THE HTTP PORT LIGHTTPD IS LISTENING ON + # LINE 3: CHECK: HOST ADDRESS (ex: 192.168.2.1:81/whatever) MATCHES THE REGEX [DOMAIN][PORT (optional)][URI] + # THE REGEX FROM LINE 3 CAN BE ACCESSED IN LINE 4 WITH '%#' (ex: %1 == DOMAIN, %2 == PORT, %3 == URI) + # LINE 4: FUNCTION: REGEX THE URI ([MATCH ALL]) AND BUILD THE REDIRECT URL + # THE REGEX FROM LINE 4 CAN BE ACCESSED IN THE REDIRECT CONSTRUCTION WITH '$#' (ex: $1 == THE ENTIRE URI) + + cat >> $FILE <<END +\$HTTP["remoteip"] != "127.0.0.1" { + $HTTPS_REDIRECT_CONFIG \$HTTP["host"] =~ "^([^:^/]*)(:\d*)?(.*)" { + \$SERVER["socket"] == "[::]:$HTTPS_PORT" { + $HTTPX_REWRITE_URL + } + \$SERVER["socket"] == ":$HTTPS_PORT" { + $HTTPX_REWRITE_URL + } + \$SERVER["socket"] == ":$HTTP_PORT" { + $HTTPX_REWRITE_URL + } + } +} +END +} + +populate_www_images() { + local CONFIGIMAGES="/var/config/images" + local OEMIMAGES="/var/oem/images" + local WWWIMAGES="/var/volatile/www/images" + local WWWIMAGES_RO="/var/www/images_ro" + + # Populate images only once per boot + if [ ! -d $WWWIMAGES ]; then + + # Copy from oem partition to config partition + if [ ! -d $CONFIGIMAGES ]; then + if [ -d $OEMIMAGES ]; then + echo "Copying oem images" + mkdir -p $CONFIGIMAGES + cp -rf $OEMIMAGES/* $CONFIGIMAGES + fi + fi + + # Copy from root partition to RAM + mkdir -p $WWWIMAGES + cp -rf $WWWIMAGES_RO/* $WWWIMAGES + + # Overwrite with /var/config/images + if [ -d $CONFIGIMAGES ]; then + cp -rf $CONFIGIMAGES/* $WWWIMAGES + fi + fi +} + +wait_ready() { + # wait api + local retry=0 + local MAX=30 + sleep 1 + while [ $retry -lt $MAX ]; do + if [ "200" == "$(curl -s --unix-socket /var/run/api/http.sock -I -o /dev/null -w "%{http_code}" http://localhost/api/system)" ]; then + return + fi + retry=$(( $retry + 1 )) + echo "Waiting for API ($retry/$MAX)..." + sleep 1 + done + echo "Failed waiting API!" 
+} + +start() { + mkdir -p /var/volatile/www/tmp + lighttpd_custom_images_setup # detect mime types for UI Customization images and generate Lighttpd config fragment + + generate_config + + start-stop-daemon --start --background --exec $ANGEL -- $DAEMON $OPTS + + if [ "$CAPA_NODE_RED" = "true" ]; then + start-stop-daemon --start -x "$DAEMON" -p /var/run/lighttpd_nrs.pid -- $OPTS_NRS + fi + + wait_ready +} + +stop() { + start-stop-daemon --stop --exec $ANGEL + + if [ "$CAPA_NODE_RED" = "true" ]; then + start-stop-daemon --stop -x "$DAEMON" -p /var/run/lighttpd_nrs.pid + rm -f /var/run/lighttpd_nrs.pid + fi + + rm -f /var/run/config/lighttpd_* +} + +populate_www_images + +case "$1" in + start) + echo -n "Starting $DESC: " + start + echo "$NAME." + ;; + stop) + echo -n "Stopping $DESC: " + stop + echo "$NAME." + ;; + restart|force-reload) + echo -n "Restarting $DESC: " + stop + sleep 1 + start + echo "$NAME." + ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/recipes-core/lighttpd/files/lighttpd_custom_images_setup b/recipes-core/lighttpd/files/lighttpd_custom_images_setup new file mode 100644 index 0000000..ecd5f46 --- /dev/null +++ b/recipes-core/lighttpd/files/lighttpd_custom_images_setup 
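Review bot: In generate_config, when `CLIENT_VERIFY` is true the `ssl.ca-file = ...` text is appended to `HTTPS_SSL_ENGINE_CONFIG` with no leading newline, so it lands on the same line as `ssl.pemfile = "..."` and lighttpd should refuse the generated `lighttpd_port.conf`; the cipher-list branch a few lines below starts its appended string with a literal newline, and this branch should do the same. Separately, pointing `ssl.ca-file` at `/etc/ssl/certs/ca-certificates.crt` makes `ssl.verifyclient.enforce` accept any client certificate chaining to any public CA in the system bundle, which is not meaningful client authentication; client verification should trust only a CA dedicated to the device's clients. The script runs under `#!/bin/sh` yet relies on bash-only `[[ ]]`, `+=` and `enable -f`; use `#!/bin/bash` as lighttpd_custom_images_setup does, or the script fails under a POSIX sh. The generated `Protocol` string only ever adds `TLSv1.2`, so TLS 1.3 is excluded even where the OpenSSL build offers it.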
@@ -0,0 +1,57 @@ +#!/bin/bash +# Detects mime types for UI Customization images and generates according Lighttpd config fragment + +CONFIG_PATH="/var/run/config/lighttpd_custom_images.conf" +IMAGE_PATH="/var/www/static/images/" +MAGIC_DB_PATH="/usr/share/misc/magic-images.mgc" +shopt -s nullglob + +echoerr() { + echo "$@" 1>&2 +} + +generate_mime_assign() { + local IMAGE="$1" + local OUTPUT=$(file -ib "$IMAGE" --magic-file "$MAGIC_DB_PATH") + local CONTENT_TYPE + + if [ "$?" -ne "0" ] || [[ "$OUTPUT" == "" ]] || [[ "$OUTPUT" == *"cannot open"* ]]; then + echoerr "Failed to run file(1): ${?}; ${OUTPUT}" + return 1 + fi + + CONTENT_TYPE="$OUTPUT" + cat <<END +\$HTTP["url"] =~ "/static/images/$IMAGE" { + mimetype.assign = ("" => "$CONTENT_TYPE") + } +END +} + +process_files() { + local INDENT=" " + local ELSE_STRING="" + local FRAGMENT + + for IMAGE in custom_*; do + INDENT=" " + + FRAGMENT=$(generate_mime_assign $IMAGE) + if [ "$?" -eq "0" ]; then + echo "${INDENT}${ELSE_STRING}${FRAGMENT}" >> "$CONFIG_PATH" + ELSE_STRING="else " + fi + done +} + +echo "Generating $CONFIG_PATH" + +# truncate and write head +cat > "$CONFIG_PATH" <<END +\$HTTP["url"] =~ "/static/images/custom_" { +END + +cd "$IMAGE_PATH" && process_files + +# write tail (closing brace) +echo "}" >> "$CONFIG_PATH" diff --git a/recipes-core/lighttpd/files/lighttpd_nrs.conf b/recipes-core/lighttpd/files/lighttpd_nrs.conf new file mode 100644 index 0000000..8c23747 --- /dev/null +++ b/recipes-core/lighttpd/files/lighttpd_nrs.conf 
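Review bot: In generate_mime_assign, `local OUTPUT=$(file ...)` makes the following `$?` the exit status of `local`, which is always 0, so the failure check never fires and the `${?}` in the error message reports the status of the test rather than of file(1); declare and assign separately: `local OUTPUT rc` / `OUTPUT=$(file -ib "$IMAGE" --magic-file "$MAGIC_DB_PATH")` / `rc=$?`. `$IMAGE` is interpolated unescaped into a `=~` regex and `$CONTENT_TYPE` into a quoted string, so a file name containing `.`, `(` or `"` yields a wrong or unparsable fragment; the exact-match form `$HTTP["url"] == "/static/images/$IMAGE"` removes the regex issue, and the call should be `generate_mime_assign "$IMAGE"`. If the `custom_*` images can be supplied by customers, the file name and file(1) output flowing into the server config should be treated as untrusted input.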
@@ -0,0 +1,66 @@ +server.modules = ( "mod_expire" ) +server.bind = "127.0.0.1" +server.port = 1882 +server.document-root = "/var/www/node-red/node-red-stub" +server.max-keep-alive-requests = 0 +expire.url = ( "/" => "access 0 days" ) +server.errorlog-use-syslog = "enable" +server.upload-dirs = ( "/var/volatile/tmp" ) +index-file.names = ( "index.html" ) +server.pid-file = "/var/run/lighttpd_nrs.pid" +server.errorfile-prefix = "/var/www/node-red/node-red-errors/status-" +mimetype.assign = ( + ".pdf" => "application/pdf", + ".sig" => "application/pgp-signature", + ".spl" => "application/futuresplash", + ".class" => "application/octet-stream", + ".ps" => "application/postscript", + ".torrent" => "application/x-bittorrent", + ".dvi" => "application/x-dvi", + ".gz" => "application/x-gzip", + ".pac" => "application/x-ns-proxy-autoconfig", + ".swf" => "application/x-shockwave-flash", + ".tar.gz" => "application/x-tgz", + ".tgz" => "application/x-tgz", + ".tar" => "application/x-tar", + ".xhtml" => "application/xhtml+xml", + ".xht" => "application/xhtml+xml", + ".zip" => "application/zip", + ".mp3" => "audio/mpeg", + ".m3u" => "audio/x-mpegurl", + ".wma" => "audio/x-ms-wma", + ".wax" => "audio/x-ms-wax", + ".ogg" => "application/ogg", + ".wav" => "audio/x-wav", + ".gif" => "image/gif", + ".jpg" => "image/jpeg", + ".jpeg" => "image/jpeg", + ".png" => "image/png", + ".xbm" => "image/x-xbitmap", + ".xpm" => "image/x-xpixmap", + ".xwd" => "image/x-xwindowdump", + ".css" => "text/css", + ".html" => "text/html", + ".htm" => "text/html", + ".js" => "text/javascript", + ".asc" => "text/plain", + ".c" => "text/plain", + ".cpp" => "text/plain", + ".log" => "text/plain", + ".conf" => "text/plain", + ".text" => "text/plain", + ".txt" => "text/plain", + ".dtd" => "text/xml", + ".xml" => "text/xml", + ".mpeg" => "video/mpeg", + ".mpg" => "video/mpeg", + ".mov" => "video/quicktime", + ".qt" => "video/quicktime", + ".avi" => "video/x-msvideo", + ".asf" => "video/x-ms-asf", + ".asx" => 
"video/x-ms-asf", + ".wmv" => "video/x-ms-wmv", + ".bz2" => "application/x-bzip", + ".tbz" => "application/x-bzip-compressed-tar", + ".tar.bz2" => "application/x-bzip-compressed-tar" +) |
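Review bot: This config sets no `server.username`/`server.groupname`, and lighttpd.init launches it with start-stop-daemon without `--chuid`, so this instance presumably keeps the init script's privileges instead of dropping to `www` as /etc/lighttpd.conf does; add `server.username = "www"` and `server.groupname = "www"`. The listener is loopback-only (`server.bind = "127.0.0.1"`), which limits exposure, but `server.tag` is left at its default and none of the response-hardening headers of the main config apply here. `server.port = 1882` is unquoted while the main config quotes its port; both forms work, but the two files should agree.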