continue work on dynamic TLS cert/key with fallback

2026-05-24 09:28:37 +00:00 · 2023-12-19 19:08:22 +01:00 · 2023-12-19 19:08:22 +01:00 · 4362080075
commit 4362080075
parent 0945f2052e
6 changed files with 75 additions and 88 deletions
--- a/src/bw/lua/bunkerweb/plugin.lua
+++ b/src/bw/lua/bunkerweb/plugin.lua
@ -13,7 +13,6 @@ function plugin:initialize(id, ctx)
 	local current_phase = ngx.get_phase()
 	for _, check_phase in ipairs {
 		"set",
-		"ssl_certificate",
 		"access",
 		"content",
 		"header_filter",
--- a/src/common/confs/server-http/ssl-certificate-lua.conf
+++ b/src/common/confs/server-http/ssl-certificate-lua.conf
@ -8,29 +8,11 @@ ssl_certificate_by_lua_block {
 	local cjson         = require "cjson"
 	local ssl			= require "ngx.ssl"

-	-- Don't process internal requests
-	local logger        = clogger:new("SSL-CERTIFICATE")
-	if ngx.req.is_internal() then
-		logger:log(ngx.INFO, "skipped ssl_certificate phase because request is internal")
-		return true
-	end
-
-	-- Start access phase
+	-- Start ssl_certificate phase
+	local logger    = clogger:new("SSL-CERTIFICATE")
 	local datastore = cdatastore:new()
 	logger:log(ngx.INFO, "ssl_certificate phase started")

-	-- Fill ctx
-	logger:log(ngx.INFO, "filling ngx.ctx ...")
-	local ok, ret, errors, ctx = helpers.fill_ctx()
-	if not ok then
-		logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
-	elseif errors then
-		for i, error in ipairs(errors) do
-			logger:log(ngx.ERR, "fill_ctx() error " .. tostring(i) .. " : " .. error)
-		end
-	end
-	logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-
 	-- Get plugins order
 	local order, err = datastore:get("plugins_order", true)
 	if not order then
@ -48,10 +30,10 @@ ssl_certificate_by_lua_block {
 		elseif plugin_lua == nil then
 			logger:log(ngx.INFO, err)
 		else
-			-- Check if plugin has access method
+			-- Check if plugin has ssl_certificate method
 			if plugin_lua.ssl_certificate ~= nil then
 				-- New call
-				local ok, plugin_obj = helpers.new_plugin(plugin_lua, ctx)
+				local ok, plugin_obj = helpers.new_plugin(plugin_lua)
 				if not ok then
 					logger:log(ngx.ERR, plugin_obj)
 				else
@ -85,9 +67,6 @@ ssl_certificate_by_lua_block {
 	end
 	logger:log(ngx.INFO, "called ssl_certificate() methods of plugins")

-	-- Save ctx
-	ngx.ctx = ctx
-
 	logger:log(ngx.INFO, "ssl_certificate phase ended")

 	return true
--- a/src/common/core/customcert/customcert.lua
+++ b/src/common/core/customcert/customcert.lua
@ -11,9 +11,9 @@ function customcert:initialize(ctx)
 end

 function customcert:init()
-	local ok, err = true, "success"
+	local ret_ok, ret_err = true, "success"
    if utils.has_variable("USE_CUSTOM_SSL", "yes") then
-		local multisite, err = utils.get_variable("MULTISITE")
+		local multisite, err = utils.get_variable("MULTISITE", false)
 		if not multisite then
 			return self:ret(false, "can't get MULTISITE variable : " .. err)
 		end
@ -26,14 +26,14 @@ function customcert:init()
 				local check, data = self:read_files()
 				if not check then
 					self.logger:log(ngx.ERR, "error while reading files : " .. err)
-					ok = false
-					err = "error reading files"
+					ret_ok = false
+					ret_err = "error reading files"
 				else
 					local check, err = self:load_data(data)
 					if not check then
 						self.logger:log(ngx.ERR, "error while loading data : " .. err)
-						ok = false
-						err = "error loading data"
+						ret_ok = false
+						ret_err = "error loading data"
 					end
 				end
 			end
@ -41,15 +41,15 @@ function customcert:init()
 				if multisite_vars["USE_CUSTOM_SSL"] == "yes" then
 					local check, data = self:read_files(server_name)
 					if not check then
-						self.logger:log(ngx.ERR, "error while reading files : " .. err)
-						ok = false
-						err = "error reading files"
+						self.logger:log(ngx.ERR, "error while reading files : " .. data)
+						ret_ok = false
+						ret_err = "error reading files"
 					else
 						local check, err = self:load_data(data, server_name)
 						if not check then
 							self.logger:log(ngx.ERR, "error while loading data : " .. err)
-							ok = false
-							err = "error loading data"
+							ret_ok = false
+							ret_err = "error loading data"
 						end
 					end
 				end
@ -57,33 +57,37 @@ function customcert:init()
 		else
 			local check, data = self:read_files()
 			if not check then
-				self.logger:log(ngx.ERR, "error while reading files : " .. err)
-				ok = false
-				err = "error reading files"
+				self.logger:log(ngx.ERR, "error while reading files : " .. data)
+				ret_ok = false
+				ret_err = "error reading files"
 			else
 				local check, err = self:load_data(data)
 				if not check then
 					self.logger:log(ngx.ERR, "error while loading data : " .. err)
-					ok = false
-					err = "error loading data"
+					ret_ok = false
+					ret_err = "error loading data"
 				end
 			end
 		end
 	else
-		err = "custom ssl is not used"
+		ret_err = "custom ssl is not used"
    end
-	return self:ret(ok, err)
+	return self:ret(ret_ok, ret_err)
 end

 function customcert:ssl_certificate()
+	local server_name, err = ssl.server_name()
+	if not server_name then
+		return self:ret(false, "can't get server_name : " .. err)
+	end
    if self.variables["USE_CUSTOM_SSL"] == "yes" then
 		local global_data, err = self.datastore:get("plugin_customcert_global", true)
 		if not global_data and err ~= "not found" then
 			return self:ret(false, "error while getting plugin_customcert_global from datastore : " .. err)
 		end
-		local site_data, err = self.datastore:get("plugin_customcert_" .. self.ctx.bw.server_name, true)
+		local site_data, err = self.datastore:get("plugin_customcert_" .. server_name, true)
 		if not site_data and err ~= "not found" then
-			return self:ret(false, "error while getting plugin_customcert_" .. self.ctx.bw.server_name .. " from datastore : " .. err)
+			return self:ret(false, "error while getting plugin_customcert_" .. server_name .. " from datastore : " .. err)
 		end
 		if not global_data and not site_data then
 			return self:ret(false, "both global and site cert are not present in datastore")
@ -117,7 +121,7 @@ function customcert:load_data(data, server_name)
 		return false, "error while parsing pem cert : " .. err
 	end
 	-- Load key
-	local priv_key, err = ssl.parse_priv_key(data[2])
+	local priv_key, err = ssl.parse_pem_priv_key(data[2])
 	if not priv_key then
 		return false, "error while parsing pem priv key : " .. err
 	end
--- a/src/common/core/customcert/jobs/custom-cert.py
+++ b/src/common/core/customcert/jobs/custom-cert.py
@ -118,9 +118,6 @@ try:
                    cert_path = str(file_path)
                else:
                    key_path = str(file_path)
-                
-        if cert_data != b"":
-            with open()

        if cert_path and key_path:
            logger.info(f"Checking certificate {cert_path} ...")
--- a/src/common/core/letsencrypt/letsencrypt.lua
+++ b/src/common/core/letsencrypt/letsencrypt.lua
@ -12,9 +12,9 @@ function letsencrypt:initialize(ctx)
 end

 function letsencrypt:init()
-	local ok, err = true, "success"
+	local ret_ok, ret_err = true, "success"
    if utils.has_variable("AUTO_LETS_ENCRYPT", "yes") then
-		local multisite, err = utils.get_variable("MULTISITE")
+		local multisite, err = utils.get_variable("MULTISITE", false)
 		if not multisite then
 			return self:ret(false, "can't get MULTISITE variable : " .. err)
 		end
@ -27,49 +27,53 @@ function letsencrypt:init()
 				if multisite_vars["AUTO_LETS_ENCRYPT"] == "yes" then
 					local check, data = self:read_files(server_name)
 					if not check then
-						self.logger:log(ngx.ERR, "error while reading files : " .. err)
-						ok = false
-						err = "error reading files"
+						self.logger:log(ngx.ERR, "error while reading files : " .. data)
+						ret_ok = false
+						ret_err = "error reading files"
 					else
 						local check, err = self:load_data(data, server_name)
 						if not check then
 							self.logger:log(ngx.ERR, "error while loading data : " .. err)
-							ok = false
-							err = "error loading data"
+							ret_ok = false
+							ret_err = "error loading data"
 						end
 					end
 				end
 			end
 		else
-			local server_name, err = utils.get_variable("SERVER_NAME")
+			local server_name, err = utils.get_variable("SERVER_NAME", false)
 			if not server_name then
 				return self:ret(false, "can't get SERVER_NAME variable : " .. err)
 			end
 			local check, data = self:read_files(server_name:gmatch("%S+")[1])
 			if not check then
-				self.logger:log(ngx.ERR, "error while reading files : " .. err)
-				ok = false
-				err = "error reading files"
+				self.logger:log(ngx.ERR, "error while reading files : " .. data)
+				ret_ok = false
+				ret_err = "error reading files"
 			else
 				local check, err = self:load_data(data)
 				if not check then
 					self.logger:log(ngx.ERR, "error while loading data : " .. err)
-					ok = false
-					err = "error loading data"
+					ret_ok = false
+					ret_err = "error loading data"
 				end
 			end
 		end
 	else
-		err = "let's encrypt is not used"
+		ret_err = "let's encrypt is not used"
    end
-	return self:ret(ok, err)
+	return self:ret(ret_ok, ret_err)
 end

 function letsencrypt:ssl_certificate()
+	local server_name, err = ssl.server_name()
+	if not server_name then
+		return self:ret(false, "can't get server_name : " .. err)
+	end
    if self.variables["AUTO_LETS_ENCRYPT"] == "yes" then
-		local data, err = self.datastore:get("plugin_letsencrypt_" .. self.ctx.bw.server_name, true)
+		local data, err = self.datastore:get("plugin_letsencrypt_" .. server_name, true)
 		if not data then
-			return self:ret(false, "error while getting plugin_letsencrypt_" .. self.ctx.bw.server_name .. " from datastore : " .. err)
+			return self:ret(false, "error while getting plugin_letsencrypt_" .. server_name .. " from datastore : " .. err)
 		end
        return self:ret(true, "certificate/key data found", data)
    end
@ -100,7 +104,7 @@ function letsencrypt:load_data(data, server_name)
 		return false, "error while parsing pem cert : " .. err
 	end
 	-- Load key
-	local priv_key, err = ssl.parse_priv_key(data[2])
+	local priv_key, err = ssl.pars_pem_priv_key(data[2])
 	if not priv_key then
 		return false, "error while parsing pem priv key : " .. err
 	end
--- a/src/common/core/selfsigned/selfsigned.lua
+++ b/src/common/core/selfsigned/selfsigned.lua
@ -11,9 +11,9 @@ function selfsigned:initialize(ctx)
 end

 function selfsigned:init()
-	local ok, err = true, "success"
+	local ret_ok, ret_err = true, "success"
    if utils.has_variable("GENERATE_SELF_SIGNED_SSL", "yes") then
-		local multisite, err = utils.get_variable("MULTISITE")
+		local multisite, err = utils.get_variable("MULTISITE", false)
 		if not multisite then
 			return self:ret(false, "can't get MULTISITE variable : " .. err)
 		end
@ -26,49 +26,53 @@ function selfsigned:init()
 				if multisite_vars["GENERATE_SELF_SIGNED_SSL"] == "yes" then
 					local check, data = self:read_files(server_name)
 					if not check then
-						self.logger:log(ngx.ERR, "error while reading files : " .. err)
-						ok = false
-						err = "error reading files"
+						self.logger:log(ngx.ERR, "error while reading files : " .. data)
+						ret_ok = false
+						ret_err = "error reading files"
 					else
 						local check, err = self:load_data(data, server_name)
 						if not check then
 							self.logger:log(ngx.ERR, "error while loading data : " .. err)
-							ok = false
-							err = "error loading data"
+							ret_ok = false
+							ret_err = "error loading data"
 						end
 					end
 				end
 			end
 		else
-			local server_name, err = utils.get_variable("SERVER_NAME")
+			local server_name, err = utils.get_variable("SERVER_NAME", false)
 			if not server_name then
 				return self:ret(false, "can't get SERVER_NAME variable : " .. err)
 			end
 			local check, data = self:read_files(server_name:gmatch("%S+")[1])
 			if not check then
-				self.logger:log(ngx.ERR, "error while reading files : " .. err)
-				ok = false
-				err = "error reading files"
+				self.logger:log(ngx.ERR, "error while reading files : " .. data)
+				ret_ok = false
+				ret_err = "error reading files"
 			else
 				local check, err = self:load_data(data)
 				if not check then
 					self.logger:log(ngx.ERR, "error while loading data : " .. err)
-					ok = false
-					err = "error loading data"
+					ret_ok = false
+					ret_err = "error loading data"
 				end
 			end
 		end
 	else
-		err = "self signed is not used"
+		ret_err = "self signed is not used"
    end
-	return self:ret(ok, err)
+	return self:ret(ret_ok, ret_err)
 end

 function selfsigned:ssl_certificate()
+	local server_name, err = ssl.server_name()
+	if not server_name then
+		return self:ret(false, "can't get server_name : " .. err)
+	end
    if self.variables["GENERATE_SELF_SIGNED_SSL"] == "yes" then
-		local data, err = self.datastore:get("plugin_selfsigned_" .. self.ctx.bw.server_name, true)
+		local data, err = self.datastore:get("plugin_selfsigned_" .. server_name, true)
 		if not data then
-			return self:ret(false, "error while getting plugin_selfsigned_" .. self.ctx.bw.server_name .. " from datastore : " .. err)
+			return self:ret(false, "error while getting plugin_selfsigned_" .. server_name .. " from datastore : " .. err)
 		end
        return self:ret(true, "certificate/key data found", data)
    end
@ -77,8 +81,8 @@ end

 function selfsigned:read_files(server_name)
 	local files = {
-		"/var/cache/bunkerweb/selfsigned/" .. server_name .. "/cert.pem",
-		"/var/cache/bunkerweb/selfsigned/" .. server_name .. "/key.pem"
+		"/var/cache/bunkerweb/selfsigned/" .. server_name .. ".pem",
+		"/var/cache/bunkerweb/selfsigned/" .. server_name .. ".key"
 	}
 	local data = {}
 	for i, file in ipairs(files) do
@ -99,7 +103,7 @@ function selfsigned:load_data(data, server_name)
 		return false, "error while parsing pem cert : " .. err
 	end
 	-- Load key
-	local priv_key, err = ssl.parse_priv_key(data[2])
+	local priv_key, err = ssl.parse_pem_priv_key(data[2])
 	if not priv_key then
 		return false, "error while parsing pem priv key : " .. err
 	end