From f4a701c4f92bcfa1074beaf94b6a81e10e606dd0 Mon Sep 17 00:00:00 2001
From: Patrick Murphy
Date: Thu, 30 Apr 2020 13:04:00 -0500
Subject: moved 5.2.1 changes to master

---
 recipes-core/lighttpd/files/lighttpd.init | 310 ++++++++++++++++++++++++++++++
 1 file changed, 310 insertions(+)
 create mode 100644 recipes-core/lighttpd/files/lighttpd.init

(limited to 'recipes-core/lighttpd/files/lighttpd.init')

diff --git a/recipes-core/lighttpd/files/lighttpd.init b/recipes-core/lighttpd/files/lighttpd.init
new file mode 100644
index 0000000..39860d3
--- /dev/null
+++ b/recipes-core/lighttpd/files/lighttpd.init
@@ -0,0 +1,310 @@
+#!/bin/sh
+
+enable -f libjsonget.so jsonget
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/lighttpd
+NAME=lighttpd
+ANGEL=/sbin/lighttpd-angel
+DESC="Lighttpd Web Server"
+# Web UI
+OPTS="-D -f /etc/lighttpd.conf"
+# Node-RED stub
+OPTS_NRS="-f /etc/lighttpd_nrs.conf"
+
+CAPA_NODE_RED=$(jsonget "$(< /var/run/config/device_info.json)" /capabilities/nodeRed)
+
+CONF_DIR=/var/config
+RUN_CONF_DIR=/var/run/config
+
+true2enable() {
+ if [[ "$1" == "true" ]]; then
+ echo "enable"
+ else
+ echo "disable"
+ fi
+}
+
+#Generates additional lighttpd configuration files
+#1) Enables HTTPS
+#2) Allows port configurations for HTTP and HTTPS
+#3) Enables dipservice
+#4) Allows port configurations for dipservice
+generate_config() {
+ FILE="$RUN_CONF_DIR/lighttpd_port.conf"
+ FILE_DIP="$RUN_CONF_DIR/lighttpd_dipservice.conf"
+
+ #Pull Webserver Ports
+ RMA=$(jsonget "$(< "/var/config/db.json")" /remoteAccess)
+ HTTP_ENABLED=$(jsonget "$RMA" /http/enabled)
+ HTTP_PORT=$(jsonget "$RMA" /http/port)
+ HTTPS_REDIRECT=$(jsonget "$RMA" /http/redirectToHttps)
+ HTTPS_ENABLED=$(jsonget "$RMA" /https/enabled)
+ HTTPS_PORT=$(jsonget "$RMA" /https/port)
+
+ # Advanced secure protocol settings
+ ADVANCED_SEC_VALID="false"
+ ADVANCED_SEC=$(jsonget "$(< "/var/config/db.json")" /secureProtocols/2)
+
+ if [[ "0" == "$?" 
]]; then + ADVANCED_SEC_NAME=$(jsonget "$ADVANCED_SEC" /name) + if [[ "$ADVANCED_SEC_NAME" == "lighttpd" ]]; then + ADVANCED_SEC_VALID="true" + HTTPS_SSL3=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/ssl3)) + HTTPS_TLS1=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1)) + HTTPS_TLS1_1=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_1)) + HTTPS_TLS1_2=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_2)) + HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite) + if [[ -z $HTTPS_CIPHER && -f /etc/ssl/allowed_ciphersuites ]]; then + HTTPS_CIPHER=$( cat /etc/ssl/allowed_ciphersuites | tr "\n" ":" ) + fi + CLIENT_VERIFY=$(jsonget "$ADVANCED_SEC" /client/verify ) + fi + fi + + if [[ "$ADVANCED_SEC_VALID" != "true" ]]; then + echo "API init. Using default SSL security settings" + # In case of invalid Advanced Security section - start with default parameters + HTTPS_SSL3=$(true2enable "false") + HTTPS_TLS1=$(true2enable "false") + HTTPS_TLS1_1=$(true2enable "false") + HTTPS_TLS1_2=$(true2enable "true") + HTTPS_CIPHER="" + CLIENT_VERIFY="false" + fi + + #("Protocol" => "-ALL, TLSv1.2") + HTTPS_SSL_CONF='("Protocol" => "-ALL' + + if [[ "$HTTPS_TLS1" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1' + fi + if [[ "$HTTPS_TLS1_1" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1.1' + fi + if [[ "$HTTPS_TLS1_2" == "enable" ]]; then + HTTPS_SSL_CONF+=', TLSv1.2' + fi + HTTPS_SSL_CONF+='")' + + #Generate Lighttpd dipservice config + DIP=$(jsonget "$(< "$CONF_DIR/db.json")" /customDiagnostic || echo '{ "enabled": false, "port":8080 }') + DIP_ENABLED=$(jsonget "$DIP" /enabled) + DIP_PORT=$(jsonget "$DIP" /port) + + echo "Generating $FILE_DIP" + > "$FILE_DIP" + + #Generate Lighttpd Port Config + echo "Generating $FILE" + > "$FILE" + + if [[ "$DIP_ENABLED" == "true" ]]; then + cat >> $FILE_DIP < ( + ( + "host" => "127.0.0.1", + "port" => 9009, + "check-local" => "disable", + "bin-path" => "/sbin/dipservice -d 
/var/config/dipdata", + "max-procs" => 1, + "docroot" => "/var/config/dipdata" + ) + ) + ) +} +END + fi + + cat >> $FILE < CHANGE $0 +END + +#Explicitly set the default listening port to HTTP port. +cat >> $FILE <> $FILE <> $FILE + fi + + # Enable redirect from HTTP to HTTPS if enabled + if [ "$HTTPS_REDIRECT" == "true" ]; then + HTTPS_REDIRECT_CONFIG="\$SERVER[\"socket\"] == \":$HTTP_PORT\" { + \$HTTP[\"host\"] =~ \"^([^:^/]*)(:\d*)?(.*)\" { + url.redirect = ( \"^/(.*)\" => \"https://%1:$HTTPS_PORT/\$1\" ) + } + } else " + fi + + HTTPX_REWRITE_URL='url.rewrite-once = ( "^/(?!static|api|tmp|help)(.+)/?$" => "/index.html" )' + + #BREAKDOWN + # LINE 1: CHECK: REMOTE IP IS NOT 127.0.0.1 (LOOPBACK) + # LINE 2: CHECK: DEST PORT IS THE HTTP PORT LIGHTTPD IS LISTENING ON + # LINE 3: CHECK: HOST ADDRESS (ex: 192.168.2.1:81/whatever) MATCHES THE REGEX [DOMAIN][PORT (optional)][URI] + # THE REGEX FROM LINE 3 CAN BE ACCESSED IN LINE 4 WITH '%#' (ex: %1 == DOMAIN, %2 == PORT, %3 == URI) + # LINE 4: FUNCTION: REGEX THE URI ([MATCH ALL]) AND BUILD THE REDIRECT URL + # THE REGEX FROM LINE 4 CAN BE ACCESSED IN THE REDIRECT CONSTRUCTION WITH '$#' (ex: $1 == THE ENTIRE URI) + + cat >> $FILE <&2 + exit 1 + ;; +esac + +exit 0 -- cgit v1.2.3
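Review bot: The values read out of /var/config/db.json in generate_config (`HTTP_PORT`, `HTTPS_PORT`, `DIP_PORT`, `HTTPS_CIPHER`) are interpolated unvalidated into the generated lighttpd configuration, e.g. `\$SERVER[\"socket\"] == \":$HTTP_PORT\"` and the `https://%1:$HTTPS_PORT/\$1` redirect target, so a value containing a quote or a newline written into db.json by whatever process owns that file becomes arbitrary lighttpd directives (a `bin-path`, a `document-root`) evaluated by the web server at boot. Who is allowed to write db.json is not visible here, and the heredoc bodies are partly lost in this rendering so not every directive each value lands in can be confirmed, but an init script should fail closed on anything that is not a bare port number or a plain cipher string. Separately, the shebang is `#!/bin/sh` while the script relies on `enable -f`, `[[ ]]`, `+=` and `$(< file)`, which are bash-only, so it should be `#!/bin/bash` unless the recipe guarantees /bin/sh is bash. A small validator applied right after each jsonget read closes the injection path; whether an invalid value aborts startup (as below) or falls back to a built-in default is a product decision, and the caller of generate_config would need to honour the non-zero return.
```sh
# Accept only a bare TCP port; anything else could rewrite the generated config.
valid_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( $1 >= 1 && $1 <= 65535 ))
}

# … unchanged: RMA / HTTP_ENABLED reads …
HTTP_PORT=$(jsonget "$RMA" /http/port)
valid_port "$HTTP_PORT" || { echo "$NAME: invalid http port '$HTTP_PORT' in db.json" >&2; return 1; }
# … unchanged: HTTPS_REDIRECT / HTTPS_ENABLED reads …
HTTPS_PORT=$(jsonget "$RMA" /https/port)
valid_port "$HTTPS_PORT" || { echo "$NAME: invalid https port '$HTTPS_PORT' in db.json" >&2; return 1; }
# … unchanged: advanced security section up to the cipher read …
HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite)
# Empty is already an accepted state below (the default branch sets it to ""), so reject to empty.
[[ "$HTTPS_CIPHER" =~ ^[A-Za-z0-9:!+@=_-]*$ ]] || HTTPS_CIPHER=""
# … unchanged: dipservice section; DIP_PORT gets the same valid_port check …
```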