Diffstat (limited to 'recipes-core/lighttpd/files/lighttpd.init')
-rw-r--r--recipes-core/lighttpd/files/lighttpd.init310
1 files changed, 310 insertions, 0 deletions
diff --git a/recipes-core/lighttpd/files/lighttpd.init b/recipes-core/lighttpd/files/lighttpd.init
new file mode 100644
index 0000000..39860d3
--- /dev/null
+++ b/recipes-core/lighttpd/files/lighttpd.init
@@ -0,0 +1,310 @@
+#!/bin/sh
+
+enable -f libjsonget.so jsonget
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/lighttpd
+NAME=lighttpd
+ANGEL=/sbin/lighttpd-angel
+DESC="Lighttpd Web Server"
+# Web UI
+OPTS="-D -f /etc/lighttpd.conf"
+# Node-RED stub
+OPTS_NRS="-f /etc/lighttpd_nrs.conf"
+
+CAPA_NODE_RED=$(jsonget "$(< /var/run/config/device_info.json)" /capabilities/nodeRed)
+
+CONF_DIR=/var/config
+RUN_CONF_DIR=/var/run/config
+
+true2enable() {
+ if [[ "$1" == "true" ]]; then
+ echo "enable"
+ else
+ echo "disable"
+ fi
+}
+
+#Generates additional lighttpd configuration files
+#1) Enables HTTPS
+#2) Allows port configurations for HTTP and HTTPS
+#3) Enables dipservice
+#4) Allows port configurations for dipservice
+generate_config() {
+ FILE="$RUN_CONF_DIR/lighttpd_port.conf"
+ FILE_DIP="$RUN_CONF_DIR/lighttpd_dipservice.conf"
+
+ #Pull Webserver Ports
+ RMA=$(jsonget "$(< "/var/config/db.json")" /remoteAccess)
+ HTTP_ENABLED=$(jsonget "$RMA" /http/enabled)
+ HTTP_PORT=$(jsonget "$RMA" /http/port)
+ HTTPS_REDIRECT=$(jsonget "$RMA" /http/redirectToHttps)
+ HTTPS_ENABLED=$(jsonget "$RMA" /https/enabled)
+ HTTPS_PORT=$(jsonget "$RMA" /https/port)
+
+ # Advanced secure protocol settings
+ ADVANCED_SEC_VALID="false"
+ ADVANCED_SEC=$(jsonget "$(< "/var/config/db.json")" /secureProtocols/2)
+
+ if [[ "0" == "$?" ]]; then
+ ADVANCED_SEC_NAME=$(jsonget "$ADVANCED_SEC" /name)
+ if [[ "$ADVANCED_SEC_NAME" == "lighttpd" ]]; then
+ ADVANCED_SEC_VALID="true"
+ HTTPS_SSL3=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/ssl3))
+ HTTPS_TLS1=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1))
+ HTTPS_TLS1_1=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_1))
+ HTTPS_TLS1_2=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_2))
+ HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite)
+ if [[ -z $HTTPS_CIPHER && -f /etc/ssl/allowed_ciphersuites ]]; then
+ HTTPS_CIPHER=$( cat /etc/ssl/allowed_ciphersuites | tr "\n" ":" )
+ fi
+ CLIENT_VERIFY=$(jsonget "$ADVANCED_SEC" /client/verify )
+ fi
+ fi
+
+ if [[ "$ADVANCED_SEC_VALID" != "true" ]]; then
+ echo "API init. Using default SSL security settings"
+ # In case of invalid Advanced Security section - start with default parameters
+ HTTPS_SSL3=$(true2enable "false")
+ HTTPS_TLS1=$(true2enable "false")
+ HTTPS_TLS1_1=$(true2enable "false")
+ HTTPS_TLS1_2=$(true2enable "true")
+ HTTPS_CIPHER=""
+ CLIENT_VERIFY="false"
+ fi
+
+ #("Protocol" => "-ALL, TLSv1.2")
+ HTTPS_SSL_CONF='("Protocol" => "-ALL'
+
+ if [[ "$HTTPS_TLS1" == "enable" ]]; then
+ HTTPS_SSL_CONF+=', TLSv1'
+ fi
+ if [[ "$HTTPS_TLS1_1" == "enable" ]]; then
+ HTTPS_SSL_CONF+=', TLSv1.1'
+ fi
+ if [[ "$HTTPS_TLS1_2" == "enable" ]]; then
+ HTTPS_SSL_CONF+=', TLSv1.2'
+ fi
+ HTTPS_SSL_CONF+='")'
+
+ #Generate Lighttpd dipservice config
+ DIP=$(jsonget "$(< "$CONF_DIR/db.json")" /customDiagnostic || echo '{ "enabled": false, "port":8080 }')
+ DIP_ENABLED=$(jsonget "$DIP" /enabled)
+ DIP_PORT=$(jsonget "$DIP" /port)
+
+ echo "Generating $FILE_DIP"
+ > "$FILE_DIP"
+
+ #Generate Lighttpd Port Config
+ echo "Generating $FILE"
+ > "$FILE"
+
+ if [[ "$DIP_ENABLED" == "true" ]]; then
+ cat >> $FILE_DIP <<END
+\$SERVER["socket"] == "0.0.0.0:$DIP_PORT" {
+ fastcgi.server = (
+ "/" => (
+ (
+ "host" => "127.0.0.1",
+ "port" => 9009,
+ "check-local" => "disable",
+ "bin-path" => "/sbin/dipservice -d /var/config/dipdata",
+ "max-procs" => 1,
+ "docroot" => "/var/config/dipdata"
+ )
+ )
+ )
+}
+END
+ fi
+
+ cat >> $FILE <<END
+#AUTO-GENERATED LIGHTTPD HTTP/HTTPS CONFIGURATIONS
+#DO NOT CHANGE THIS FILE -> CHANGE $0
+END
+
+#Explicitly set the default listening port to HTTP port.
+cat >> $FILE <<END
+
+# listen to ipv4
+server.bind = "0.0.0.0"
+server.port = "$HTTP_PORT"
+END
+
+ if [ "$HTTPS_ENABLED" = "true" ]; then
+ # Enable HTTPS for ipv4/ipv6
+ # See (https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config#Recommended-IPv6-setup)
+
+ HTTPS_SSL_ENGINE_CONFIG="ssl.engine = \"enable\"
+ ssl.use-sslv3 = \"$HTTPS_SSL3\"
+ ssl.openssl.ssl-conf-cmd = $HTTPS_SSL_CONF
+ ssl.pemfile = \"$CONF_DIR/server.pem\""
+
+ if [ "$CLIENT_VERIFY" = "true" ]; then
+ HTTPS_SSL_ENGINE_CONFIG+="ssl.ca-file = \"/etc/ssl/certs/ca-certificates.crt\"
+ ssl.verifyclient.activate = \"enable\"
+ ssl.verifyclient.enforce = \"enable\""
+ fi
+
+ if [ -n "$HTTPS_CIPHER" ]; then
+ HTTPS_SSL_ENGINE_CONFIG+="
+ ssl.cipher-list = \"$HTTPS_CIPHER\""
+ fi
+
+ cat >> $FILE <<END
+
+# ipv4 socket
+\$SERVER["socket"] == "0.0.0.0:$HTTPS_PORT" {
+ $HTTPS_SSL_ENGINE_CONFIG
+}
+
+# ipv6 socket
+\$SERVER["socket"] == "[::]:$HTTPS_PORT" {
+ $HTTPS_SSL_ENGINE_CONFIG
+}
+
+END
+
+ fi
+
+
+ # Ensure that loopback can always access port 80
+ if [ "$HTTP_PORT" != 80 ]; then
+ echo "\$SERVER[\"socket\"] == \"127.0.0.1:80\" { }" >> $FILE
+ fi
+
+ # Enable redirect from HTTP to HTTPS if enabled
+ if [ "$HTTPS_REDIRECT" == "true" ]; then
+ HTTPS_REDIRECT_CONFIG="\$SERVER[\"socket\"] == \":$HTTP_PORT\" {
+ \$HTTP[\"host\"] =~ \"^([^:^/]*)(:\d*)?(.*)\" {
+ url.redirect = ( \"^/(.*)\" => \"https://%1:$HTTPS_PORT/\$1\" )
+ }
+ } else "
+ fi
+
+ HTTPX_REWRITE_URL='url.rewrite-once = ( "^/(?!static|api|tmp|help)(.+)/?$" => "/index.html" )'
+
+ #BREAKDOWN
+ # LINE 1: CHECK: REMOTE IP IS NOT 127.0.0.1 (LOOPBACK)
+ # LINE 2: CHECK: DEST PORT IS THE HTTP PORT LIGHTTPD IS LISTENING ON
+ # LINE 3: CHECK: HOST ADDRESS (ex: 192.168.2.1:81/whatever) MATCHES THE REGEX [DOMAIN][PORT (optional)][URI]
+ # THE REGEX FROM LINE 3 CAN BE ACCESSED IN LINE 4 WITH '%#' (ex: %1 == DOMAIN, %2 == PORT, %3 == URI)
+ # LINE 4: FUNCTION: REGEX THE URI ([MATCH ALL]) AND BUILD THE REDIRECT URL
+ # THE REGEX FROM LINE 4 CAN BE ACCESSED IN THE REDIRECT CONSTRUCTION WITH '$#' (ex: $1 == THE ENTIRE URI)
+
+ cat >> $FILE <<END
+\$HTTP["remoteip"] != "127.0.0.1" {
+ $HTTPS_REDIRECT_CONFIG \$HTTP["host"] =~ "^([^:^/]*)(:\d*)?(.*)" {
+ \$SERVER["socket"] == "[::]:$HTTPS_PORT" {
+ $HTTPX_REWRITE_URL
+ }
+ \$SERVER["socket"] == ":$HTTPS_PORT" {
+ $HTTPX_REWRITE_URL
+ }
+ \$SERVER["socket"] == ":$HTTP_PORT" {
+ $HTTPX_REWRITE_URL
+ }
+ }
+}
+END
+}
+
+populate_www_images() {
+ local CONFIGIMAGES="/var/config/images"
+ local OEMIMAGES="/var/oem/images"
+ local WWWIMAGES="/var/volatile/www/images"
+ local WWWIMAGES_RO="/var/www/images_ro"
+
+ # Populate images only once per boot
+ if [ ! -d $WWWIMAGES ]; then
+
+ # Copy from oem partition to config partition
+ if [ ! -d $CONFIGIMAGES ]; then
+ if [ -d $OEMIMAGES ]; then
+ echo "Copying oem images"
+ mkdir -p $CONFIGIMAGES
+ cp -rf $OEMIMAGES/* $CONFIGIMAGES
+ fi
+ fi
+
+ # Copy from root partition to RAM
+ mkdir -p $WWWIMAGES
+ cp -rf $WWWIMAGES_RO/* $WWWIMAGES
+
+ # Overwrite with /var/config/images
+ if [ -d $CONFIGIMAGES ]; then
+ cp -rf $CONFIGIMAGES/* $WWWIMAGES
+ fi
+ fi
+}
+
+wait_ready() {
+ # wait api
+ local retry=0
+ local MAX=30
+ sleep 1
+ while [ $retry -lt $MAX ]; do
+ if [ "200" == "$(curl -s --unix-socket /var/run/api/http.sock -I -o /dev/null -w "%{http_code}" http://localhost/api/system)" ]; then
+ return
+ fi
+ retry=$(( $retry + 1 ))
+ echo "Waiting for API ($retry/$MAX)..."
+ sleep 1
+ done
+ echo "Failed waiting API!"
+}
+
+start() {
+ mkdir -p /var/volatile/www/tmp
+ lighttpd_custom_images_setup # detect mime types for UI Customization images and generate Lighttpd config fragment
+
+ generate_config
+
+ start-stop-daemon --start --background --exec $ANGEL -- $DAEMON $OPTS
+
+ if [ "$CAPA_NODE_RED" = "true" ]; then
+ start-stop-daemon --start -x "$DAEMON" -p /var/run/lighttpd_nrs.pid -- $OPTS_NRS
+ fi
+
+ wait_ready
+}
+
+stop() {
+ start-stop-daemon --stop --exec $ANGEL
+
+ if [ "$CAPA_NODE_RED" = "true" ]; then
+ start-stop-daemon --stop -x "$DAEMON" -p /var/run/lighttpd_nrs.pid
+ rm -f /var/run/lighttpd_nrs.pid
+ fi
+
+ rm -f /var/run/config/lighttpd_*
+}
+
+populate_www_images
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ start
+ echo "$NAME."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ stop
+ echo "$NAME."
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC: "
+ stop
+ sleep 1
+ start
+ echo "$NAME."
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
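Review bot: generate_config writes `$HTTP_PORT`, `$HTTPS_PORT`, `$DIP_PORT` and `$HTTPS_CIPHER` from /var/config/db.json into the generated lighttpd fragments without checking them, so a value containing a quote or newline becomes extra configuration in files that also carry a `bin-path` entry. If db.json can be changed through the API or a restored backup, that is a configuration-injection path. I would reject non-numeric or out-of-range ports and any cipher string outside the OpenSSL cipher-list alphabet before the first heredoc, as sketched below, and have start() stop when generate_config fails. Separately, the client-verify append `HTTPS_SSL_ENGINE_CONFIG+="ssl.ca-file = ...` lacks the leading newline that the cipher append below it has, so `ssl.ca-file` is glued onto the end of the `ssl.pemfile` line. Because that `ssl.ca-file` is the system bundle /etc/ssl/certs/ca-certificates.crt, client verification would accept a certificate issued by any CA in the bundle, so it presumably needs a dedicated client CA or a subject check elsewhere.

```shell
# … unchanged: jsonget reads of RMA, ADVANCED_SEC and DIP …
DIP_PORT=$(jsonget "$DIP" /port)

# Only plain decimal ports in 1-65535 may reach the generated config.
is_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

for port in "$HTTP_PORT" "$HTTPS_PORT" "$DIP_PORT"; do
  if ! is_port "$port"; then
    echo "$NAME: invalid port '$port' in db.json, not generating config" >&2
    return 1
  fi
done

# Drop a cipher list that holds anything outside the OpenSSL cipher-string
# alphabet, so it cannot close the quoted ssl.cipher-list value.
case "$HTTPS_CIPHER" in
  *[!A-Za-z0-9:+!@=_-]*)
    echo "$NAME: ignoring malformed cipherSuite from db.json" >&2
    HTTPS_CIPHER=""
    ;;
esac
# … unchanged: heredocs writing $FILE_DIP and $FILE …
```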