1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
#!/bin/sh
enable -f libjsonget.so jsonget
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/lighttpd
NAME=lighttpd
ANGEL=/sbin/lighttpd-angel
DESC="Lighttpd Web Server"
# Web UI
OPTS="-D -f /etc/lighttpd.conf"
# Node-RED stub
OPTS_NRS="-f /etc/lighttpd_nrs.conf"
CAPA_NODE_RED=$(jsonget "$(< /var/run/config/device_info.json)" /capabilities/nodeRed)
CONF_DIR=/var/config
RUN_CONF_DIR=/var/run/config
true2enable() {
if [[ "$1" == "true" ]]; then
echo "enable"
else
echo "disable"
fi
}
#Generates additional lighttpd configuration files
#1) Enables HTTPS
#2) Allows port configurations for HTTP and HTTPS
#3) Enables dipservice
#4) Allows port configurations for dipservice
generate_config() {
FILE="$RUN_CONF_DIR/lighttpd_port.conf"
FILE_DIP="$RUN_CONF_DIR/lighttpd_dipservice.conf"
#Pull Webserver Ports
RMA=$(jsonget "$(< "/var/config/db.json")" /remoteAccess)
HTTP_ENABLED=$(jsonget "$RMA" /http/enabled)
HTTP_PORT=$(jsonget "$RMA" /http/port)
HTTPS_REDIRECT=$(jsonget "$RMA" /http/redirectToHttps)
HTTPS_ENABLED=$(jsonget "$RMA" /https/enabled)
HTTPS_PORT=$(jsonget "$RMA" /https/port)
# Advanced secure protocol settings
ADVANCED_SEC_VALID="false"
ADVANCED_SEC=$(jsonget "$(< "/var/config/db.json")" /secureProtocols/2)
if [[ "0" == "$?" ]]; then
ADVANCED_SEC_NAME=$(jsonget "$ADVANCED_SEC" /name)
if [[ "$ADVANCED_SEC_NAME" == "lighttpd" ]]; then
ADVANCED_SEC_VALID="true"
HTTPS_SSL3=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/ssl3))
HTTPS_TLS1=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1))
HTTPS_TLS1_1=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_1))
HTTPS_TLS1_2=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_2))
HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite)
if [[ -z $HTTPS_CIPHER && -f /etc/ssl/allowed_ciphersuites ]]; then
HTTPS_CIPHER=$( cat /etc/ssl/allowed_ciphersuites | tr "\n" ":" )
fi
CLIENT_VERIFY=$(jsonget "$ADVANCED_SEC" /client/verify )
fi
fi
if [[ "$ADVANCED_SEC_VALID" != "true" ]]; then
echo "API init. Using default SSL security settings"
# In case of invalid Advanced Security section - start with default parameters
HTTPS_SSL3=$(true2enable "false")
HTTPS_TLS1=$(true2enable "false")
HTTPS_TLS1_1=$(true2enable "false")
HTTPS_TLS1_2=$(true2enable "true")
HTTPS_CIPHER=""
CLIENT_VERIFY="false"
fi
#("Protocol" => "-ALL, TLSv1.2")
HTTPS_SSL_CONF='("Protocol" => "-ALL'
if [[ "$HTTPS_TLS1" == "enable" ]]; then
HTTPS_SSL_CONF+=', TLSv1'
fi
if [[ "$HTTPS_TLS1_1" == "enable" ]]; then
HTTPS_SSL_CONF+=', TLSv1.1'
fi
if [[ "$HTTPS_TLS1_2" == "enable" ]]; then
HTTPS_SSL_CONF+=', TLSv1.2'
fi
HTTPS_SSL_CONF+='")'
#Generate Lighttpd dipservice config
DIP=$(jsonget "$(< "$CONF_DIR/db.json")" /customDiagnostic || echo '{ "enabled": false, "port":8080 }')
DIP_ENABLED=$(jsonget "$DIP" /enabled)
DIP_PORT=$(jsonget "$DIP" /port)
echo "Generating $FILE_DIP"
> "$FILE_DIP"
#Generate Lighttpd Port Config
echo "Generating $FILE"
> "$FILE"
if [[ "$DIP_ENABLED" == "true" ]]; then
cat >> $FILE_DIP <<END
\$SERVER["socket"] == "0.0.0.0:$DIP_PORT" {
fastcgi.server = (
"/" => (
(
"host" => "127.0.0.1",
"port" => 9009,
"check-local" => "disable",
"bin-path" => "/sbin/dipservice -d /var/config/dipdata",
"max-procs" => 1,
"docroot" => "/var/config/dipdata"
)
)
)
}
END
fi
cat >> $FILE <<END
#AUTO-GENERATED LIGHTTPD HTTP/HTTPS CONFIGURATIONS
#DO NOT CHANGE THIS FILE -> CHANGE $0
END
#Explicitly set the default listening port to HTTP port.
cat >> $FILE <<END
# listen to ipv4
server.bind = "0.0.0.0"
server.port = "$HTTP_PORT"
END
if [ "$HTTPS_ENABLED" = "true" ]; then
# Enable HTTPS for ipv4/ipv6
# See (https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config#Recommended-IPv6-setup)
HTTPS_SSL_ENGINE_CONFIG="ssl.engine = \"enable\"
ssl.use-sslv3 = \"$HTTPS_SSL3\"
ssl.openssl.ssl-conf-cmd = $HTTPS_SSL_CONF
ssl.pemfile = \"$CONF_DIR/server.pem\""
if [ "$CLIENT_VERIFY" = "true" ]; then
HTTPS_SSL_ENGINE_CONFIG+="ssl.ca-file = \"/etc/ssl/certs/ca-certificates.crt\"
ssl.verifyclient.activate = \"enable\"
ssl.verifyclient.enforce = \"enable\""
fi
if [ -n "$HTTPS_CIPHER" ]; then
HTTPS_SSL_ENGINE_CONFIG+="
ssl.cipher-list = \"$HTTPS_CIPHER\""
fi
cat >> $FILE <<END
# ipv4 socket
\$SERVER["socket"] == "0.0.0.0:$HTTPS_PORT" {
$HTTPS_SSL_ENGINE_CONFIG
}
# ipv6 socket
\$SERVER["socket"] == "[::]:$HTTPS_PORT" {
$HTTPS_SSL_ENGINE_CONFIG
}
END
fi
# Ensure that loopback can always access port 80
if [ "$HTTP_PORT" != 80 ]; then
echo "\$SERVER[\"socket\"] == \"127.0.0.1:80\" { }" >> $FILE
fi
# Enable redirect from HTTP to HTTPS if enabled
if [ "$HTTPS_REDIRECT" == "true" ]; then
HTTPS_REDIRECT_CONFIG="\$SERVER[\"socket\"] == \":$HTTP_PORT\" {
\$HTTP[\"host\"] =~ \"^([^:^/]*)(:\d*)?(.*)\" {
url.redirect = ( \"^/(.*)\" => \"https://%1:$HTTPS_PORT/\$1\" )
}
} else "
fi
HTTPX_REWRITE_URL='url.rewrite-once = ( "^/(?!static|api|tmp|help)(.+)/?$" => "/index.html" )'
#BREAKDOWN
# LINE 1: CHECK: REMOTE IP IS NOT 127.0.0.1 (LOOPBACK)
# LINE 2: CHECK: DEST PORT IS THE HTTP PORT LIGHTTPD IS LISTENING ON
# LINE 3: CHECK: HOST ADDRESS (ex: 192.168.2.1:81/whatever) MATCHES THE REGEX [DOMAIN][PORT (optional)][URI]
# THE REGEX FROM LINE 3 CAN BE ACCESSED IN LINE 4 WITH '%#' (ex: %1 == DOMAIN, %2 == PORT, %3 == URI)
# LINE 4: FUNCTION: REGEX THE URI ([MATCH ALL]) AND BUILD THE REDIRECT URL
# THE REGEX FROM LINE 4 CAN BE ACCESSED IN THE REDIRECT CONSTRUCTION WITH '$#' (ex: $1 == THE ENTIRE URI)
cat >> $FILE <<END
\$HTTP["remoteip"] != "127.0.0.1" {
$HTTPS_REDIRECT_CONFIG \$HTTP["host"] =~ "^([^:^/]*)(:\d*)?(.*)" {
\$SERVER["socket"] == "[::]:$HTTPS_PORT" {
$HTTPX_REWRITE_URL
}
\$SERVER["socket"] == ":$HTTPS_PORT" {
$HTTPX_REWRITE_URL
}
\$SERVER["socket"] == ":$HTTP_PORT" {
$HTTPX_REWRITE_URL
}
}
}
END
}
populate_www_images() {
local CONFIGIMAGES="/var/config/images"
local OEMIMAGES="/var/oem/images"
local WWWIMAGES="/var/volatile/www/images"
local WWWIMAGES_RO="/var/www/images_ro"
# Populate images only once per boot
if [ ! -d $WWWIMAGES ]; then
# Copy from oem partition to config partition
if [ ! -d $CONFIGIMAGES ]; then
if [ -d $OEMIMAGES ]; then
echo "Copying oem images"
mkdir -p $CONFIGIMAGES
cp -rf $OEMIMAGES/* $CONFIGIMAGES
fi
fi
# Copy from root partition to RAM
mkdir -p $WWWIMAGES
cp -rf $WWWIMAGES_RO/* $WWWIMAGES
# Overwrite with /var/config/images
if [ -d $CONFIGIMAGES ]; then
cp -rf $CONFIGIMAGES/* $WWWIMAGES
fi
fi
}
wait_ready() {
# wait api
local retry=0
local MAX=30
sleep 1
while [ $retry -lt $MAX ]; do
if [ "200" == "$(curl -s --unix-socket /var/run/api/http.sock -I -o /dev/null -w "%{http_code}" http://localhost/api/system)" ]; then
return
fi
retry=$(( $retry + 1 ))
echo "Waiting for API ($retry/$MAX)..."
sleep 1
done
echo "Failed waiting API!"
}
start() {
mkdir -p /var/volatile/www/tmp
lighttpd_custom_images_setup # detect mime types for UI Customization images and generate Lighttpd config fragment
generate_config
start-stop-daemon --start --background --exec $ANGEL -- $DAEMON $OPTS
if [ "$CAPA_NODE_RED" = "true" ]; then
start-stop-daemon --start -x "$DAEMON" -p /var/run/lighttpd_nrs.pid -- $OPTS_NRS
fi
wait_ready
}
stop() {
start-stop-daemon --stop --exec $ANGEL
if [ "$CAPA_NODE_RED" = "true" ]; then
start-stop-daemon --stop -x "$DAEMON" -p /var/run/lighttpd_nrs.pid
rm -f /var/run/lighttpd_nrs.pid
fi
rm -f /var/run/config/lighttpd_*
}
populate_www_images
case "$1" in
start)
echo -n "Starting $DESC: "
start
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
stop
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
stop
sleep 1
start
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
|