bw - refactor ssl/tls from core plugins

src/common/confs/default-server-http.conf

@@ -18,13 +18,20 @@ server {
 	# HTTPS listen
 {% set os = import("os") %}
 {% if os.path.isfile("/var/cache/bunkerweb/default-server-cert/cert.pem") +%}
-	{% if has_variable(all, "USE_CUSTOM_SSL", "yes") or has_variable(all, "AUTO_LETS_ENCRYPT", "yes") or has_variable(all, "GENERATE_SELF_SIGNED_SSL", "yes") +%}
-	listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-		{% if USE_IPV6 == "yes" +%}
-	listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
-		{% endif %}
+	ssl_protocols {{ SSL_PROTOCOLS }};
+	ssl_prefer_server_ciphers on;
+	ssl_session_tickets off;
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:MozSSL:10m;
+	{% if "TLSv1.2" in SSL_PROTOCOLS +%}
+	ssl_dhparam /etc/nginx/dhparam;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	{% endif %}
 	ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
 	ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+	listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+	{% if USE_IPV6 == "yes" +%}
+	listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} default_server {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
 	{% endif %}
 {% endif %}
 

src/common/confs/server-http/server.conf

@@ -23,6 +23,9 @@ server {
 	set $reason_data '';
 	set $ctx_ref '';
 
+	# include config files
+	include {{ NGINX_PREFIX }}server-http/*.conf;
+
 	# include LUA files
 	include {{ NGINX_PREFIX }}set-lua.conf;
 	include {{ NGINX_PREFIX }}ssl-certificate-lua.conf;
@@ -30,6 +33,4 @@ server {
 	include {{ NGINX_PREFIX }}header-lua.conf;
 	include {{ NGINX_PREFIX }}log-lua.conf;
 
-	# include config files
-	include {{ NGINX_PREFIX }}server-http/*.conf;
 }

src/common/confs/server-http/ssl-certificate-lua.conf

@@ -10,12 +10,10 @@ ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif %}
 
-{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
 listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
 {% if USE_IPV6 == "yes" +%}
 listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
 {% endif %}
-{% endif %}
 
 ssl_certificate_by_lua_block {
 	local class         = require "middleclass"

src/common/confs/server-stream/server-stream.conf

@@ -20,11 +20,12 @@ server {
 	set $ctx_ref '';
 	set $server_name '{{ SERVER_NAME.split(" ")[0] }}';
 
+	# include config files
+	include {{ NGINX_PREFIX }}server-stream/*.conf;
+
 	# include LUA files
 	include {{ NGINX_PREFIX }}ssl-certificate-stream-lua.conf;
 	include {{ NGINX_PREFIX }}preread-stream-lua.conf;
 	include {{ NGINX_PREFIX }}log-stream-lua.conf;
 
-	# include config files
-	include {{ NGINX_PREFIX }}server-stream/*.conf;
 }

src/common/confs/server-stream/ssl-certificate-stream-lua.conf

@@ -10,12 +10,10 @@ ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif %}
 
-{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
 listen 0.0.0.0:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% endif %}{% if USE_PROXY_PROTOCOL == "yes" %} proxy_protocol {% endif %};
 {% if USE_IPV6 == "yes" +%}
 listen [::]:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% endif %}{% if USE_PROXY_PROTOCOL == "yes" %} proxy_protocol {% endif %};
 {% endif %}
-{% endif %}
 
 ssl_certificate_by_lua_block {
 	local class         = require "middleclass"

src/common/core/customcert/customcert.lua

@@ -20,6 +20,15 @@ function customcert:initialize(ctx)
 	plugin.initialize(self, "customcert", ctx)
 end
 
+function customcert:set()
+	local ngx_var = ngx.var
+	local https_configured = self.variables["USE_CUSTOM_SSL"]
+	if ngx_var.https_configured == "no" and https_configured == "yes" then
+		ngx_var.https_configured = "yes"
+	end
+	return self:ret(true, "set https_configured to " .. https_configured)
+end
+
 function customcert:init()
 	local ret_ok, ret_err = true, "success"
 	if has_variable("USE_CUSTOM_SSL", "yes") then

src/common/core/headers/confs/http/headers.conf

@@ -1,4 +0,0 @@
-map $scheme $header_cookie_secure {
-	default "";
-	"https" "secure";
-}

src/common/core/headers/confs/server-http/cookies.conf

@@ -1,9 +1,5 @@
 {% for k, v in all.items() %}
 	{% if k.startswith("COOKIE_FLAGS") and v != "" +%}
-		{% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
-			set_cookie_flag {{ v }} secure;
-		{% else +%}
-			set_cookie_flag {{ v }};
-		{% endif +%}
+		set_cookie_flag {{ v }};
 	{% endif +%}
-{% endfor %}
+{% endfor %}

src/common/core/headers/headers.lua

@@ -112,6 +112,27 @@ function headers:header()
 			ngx_header[header] = nil
 		end
 	end
+	-- Set secure flag
+	local set_cookie = ngx_header["Set-Cookie"]
+	if self.ctx.bw.scheme == "https" and self.variables["COOKIE_AUTO_SECURE_FLAG"] == "yes" and set_cookie ~= nil then
+		local new_set_cookie = nil
+		if type(set_cookie) == "string" then
+			new_set_cookie = set_cookie
+			if not set_cookie:find("[Ss]ecure") then
+				new_set_cookie = new_set_cookie .. "; Secure"
+			end
+		elseif type(set_cookie) == "table" then
+			new_set_cookie = {}
+			for _, single_set_cookie in ipairs(set_cookie) do
+				check_set_cookie = single_set_cookie
+				if not check_set_cookie:find("[Ss]ecure") then
+					check_set_cookie = check_set_cookie .. "; Secure"
+				end
+				table.insert(new_set_cookie, check_set_cookie)
+			end
+		end
+		ngx_header["Set-Cookie"] = new_set_cookie
+	end
 	return self:ret(true, "edited headers for request")
 end
 

src/common/core/letsencrypt/letsencrypt.lua

@@ -33,6 +33,15 @@ function letsencrypt:initialize(ctx)
 	plugin.initialize(self, "letsencrypt", ctx)
 end
 
+function letsencrypt:set()
+	local ngx_var = ngx.var
+	local https_configured = self.variables["AUTO_LETS_ENCRYPT"]
+	if ngx_var.https_configured == "no" and https_configured == "yes" then
+		ngx_var.https_configured = "yes"
+	end
+	return self:ret(true, "set https_configured to " .. https_configured)
+end
+
 function letsencrypt:init()
 	local ret_ok, ret_err = true, "success"
 	if has_variable("AUTO_LETS_ENCRYPT", "yes") then

src/common/core/misc/confs/default-server-http/disable.conf

@@ -16,12 +16,14 @@ ssl_client_hello_by_lua_block {
 	local ERROR = ngx.ERROR
 	local WARN = ngx.WARN
 	local ERR = ngx.ERR
+	local INFO = ngx.INFO
 	local get_variable = utils.get_variable
 	local host, err = ssl_clt.get_client_hello_server_name()
 	if not host then
 		logger:log(WARN, "can't get SNI host, denying access : " .. (err or "no SNI"))
 		return exit(ERROR)
 	end
+	logger:log(INFO, "SNI host is " .. host)
 	local multisite, err = get_variable("MULTISITE", false)
 	if not multisite then
 		logger:log(ERR, "can't get MULTISITE variable : " .. err)

src/common/core/misc/confs/server-http/redirect-http-to-https.conf

@@ -1,11 +1,12 @@
+set $https_configured 'no';
+set $auto_redirect 'no';
+
 {% if REDIRECT_HTTP_TO_HTTPS == "yes" +%}
 if ($scheme = http) {
 	return 301 https://$host$request_uri;
 }
 {% elif AUTO_REDIRECT_HTTP_TO_HTTPS == "yes" +%}
-	{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" +%}
-if ($scheme = http) {
+if ($auto_redirect = yes) {
 	return 301 https://$host$request_uri;
 }
-	{% endif +%}
 {% endif +%}

src/common/core/misc/misc.lua

@@ -14,6 +14,15 @@ function misc:initialize(ctx)
 	plugin.initialize(self, "misc", ctx)
 end
 
+function misc:set()
+	local ngx_var = ngx.var
+	local auto_redirect = 'no'
+	if ngx_var.scheme == "http" and ngx_var.https_configured == "yes" then
+		auto_redirect = 'yes'
+	end
+	return self:ret(true, "set auto_redirect to " .. auto_redirect)
+end
+
 function misc:access()
 	-- Check if method is valid
 	local method = self.ctx.bw.request_method

src/common/core/order.json

@@ -15,7 +15,7 @@
     "letsencrypt",
     "selfsigned"
   ],
-  "set": ["sessions", "whitelist"],
+  "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned", "misc"],
   "ssl_certificate": ["customcert", "letsencrypt", "selfsigned"],
   "access": [
     "whitelist",

src/common/core/selfsigned/selfsigned.lua

@@ -20,6 +20,15 @@ function selfsigned:initialize(ctx)
 	plugin.initialize(self, "selfsigned", ctx)
 end
 
+function selfsigned:set()
+	local ngx_var = ngx.var
+	local https_configured = self.variables["GENERATE_SELF_SIGNED_SSL"]
+	if ngx_var.https_configured == "no" and https_configured == "yes" then
+		ngx_var.https_configured = "yes"
+	end
+	return self:ret(true, "set https_configured to " .. https_configured)
+end
+
 function selfsigned:init()
 	local ret_ok, ret_err = true, "success"
 	if has_variable("GENERATE_SELF_SIGNED_SSL", "yes") then