Refactor NGINX configuration of Home Assistant Add-on (#4312)

This commit is contained in:
Franck Nijhof 2023-01-18 19:54:27 +01:00 committed by Jesse Hills
parent a2925b1d37
commit 3c5de77ae9
No known key found for this signature in database
GPG key ID: BEAAE804EFD8E83A
10 changed files with 60 additions and 100 deletions

View file

@ -1,6 +1,8 @@
root /dev/null; root /dev/null;
server_name $hostname; server_name $hostname;
client_max_body_size 512m;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;

View file

@ -1,7 +1,6 @@
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;

View file

@ -0,0 +1,3 @@
upstream esphome {
server unix:/var/run/esphome.sock;
}

View file

@ -2,7 +2,6 @@ daemon off;
user root; user root;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
worker_processes 1; worker_processes 1;
# Hass.io addon log
error_log /proc/1/fd/1 error; error_log /proc/1/fd/1 error;
events { events {
worker_connections 1024; worker_connections 1024;
@ -10,24 +9,22 @@ events {
http { http {
include /etc/nginx/includes/mime.types; include /etc/nginx/includes/mime.types;
access_log stdout;
access_log off;
default_type application/octet-stream; default_type application/octet-stream;
gzip on; gzip on;
keepalive_timeout 65; keepalive_timeout 65;
sendfile on; sendfile on;
server_tokens off; server_tokens off;
tcp_nodelay on;
tcp_nopush on;
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }
# Use Hass.io supervisor as resolver include /etc/nginx/includes/upstream.conf;
resolver 172.30.32.2;
upstream esphome {
server unix:/var/run/esphome.sock;
}
include /etc/nginx/servers/*.conf; include /etc/nginx/servers/*.conf;
} }

View file

@ -0,0 +1 @@
Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

View file

@ -1,12 +0,0 @@
server {
listen %%port%% default_server;
include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf;
# Clear Hass.io Ingress header
proxy_set_header X-HA-Ingress "";
location / {
proxy_pass http://esphome;
}
}

View file

@ -1,20 +1,26 @@
server { server {
listen %%port%% default_server ssl http2; {{ if not .ssl }}
listen 6052 default_server;
{{ else }}
listen 6052 default_server ssl http2;
{{ end }}
include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf; include /etc/nginx/includes/proxy_params.conf;
{{ if .ssl }}
include /etc/nginx/includes/ssl_params.conf; include /etc/nginx/includes/ssl_params.conf;
ssl on; ssl_certificate /ssl/{{ .certfile }};
ssl_certificate /ssl/%%certfile%%; ssl_certificate_key /ssl/{{ .keyfile }};
ssl_certificate_key /ssl/%%keyfile%%;
# Clear Hass.io Ingress header
proxy_set_header X-HA-Ingress "";
# Redirect http requests to https on the same port. # Redirect http requests to https on the same port.
# https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/ # https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/
error_page 497 https://$http_host$request_uri; error_page 497 https://$http_host$request_uri;
{{ end }}
# Clear Home Assistant Ingress header
proxy_set_header X-HA-Ingress "";
location / { location / {
proxy_pass http://esphome; proxy_pass http://esphome;

View file

@ -1,13 +1,13 @@
server { server {
listen %%interface%%:%%port%% default_server; listen {{ .interface }}:{{ .port }} default_server;
include /etc/nginx/includes/server_params.conf; include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf; include /etc/nginx/includes/proxy_params.conf;
# Set Home Assistant Ingress header # Set Home Assistant Ingress header
proxy_set_header X-HA-Ingress "YES"; proxy_set_header X-HA-Ingress "YES";
location / { location / {
# Only allow from Hass.io supervisor
allow 172.30.32.2; allow 172.30.32.2;
deny all; deny all;

View file

@ -4,60 +4,24 @@
# Community Hass.io Add-ons: ESPHome # Community Hass.io Add-ons: ESPHome
# Configures NGINX for use with ESPHome # Configures NGINX for use with ESPHome
# ============================================================================== # ==============================================================================
declare certfile
declare direct_port
declare ingress_interface
declare ingress_port
declare keyfile
mkdir -p /var/log/nginx mkdir -p /var/log/nginx
direct_port=$(bashio::addon.port 6052) # Generate Ingress configuration
if bashio::var.has_value "${direct_port}"; then bashio::var.json \
# Check SSL requirements, if enabled interface "$(bashio::addon.ip_address)" \
if bashio::config.true 'ssl'; then port "^$(bashio::addon.ingress_port)" \
if ! bashio::config.has_value 'certfile'; then | tempio \
bashio::log.fatal 'SSL is enabled, but no certfile was specified.' -template /etc/nginx/templates/ingress.gtpl \
bashio::exit.nok -out /etc/nginx/servers/ingress.conf
fi
if ! bashio::config.has_value 'keyfile'; then # Generate direct access configuration, if enabled.
bashio::log.fatal 'SSL is enabled, but no keyfile was specified' if bashio::var.has_value "$(bashio::addon.port 6052)"; then
bashio::exit.nok bashio::config.require.ssl
fi bashio::var.json \
certfile "$(bashio::config 'certfile')" \
certfile="/ssl/$(bashio::config 'certfile')" keyfile "$(bashio::config 'keyfile')" \
keyfile="/ssl/$(bashio::config 'keyfile')" ssl "^$(bashio::config 'ssl')" \
| tempio \
if ! bashio::fs.file_exists "/ssl/${certfile}"; then -template /etc/nginx/templates/direct.gtpl \
if ! bashio::fs.file_exists "/ssl/${keyfile}"; then -out /etc/nginx/servers/direct.conf
# Both files are missing, let's print a friendlier error message
bashio::log.fatal 'You enabled encrypted connections using the "ssl": true option.'
bashio::log.fatal "However, the SSL files '${certfile}' and '${keyfile}'"
bashio::log.fatal "were not found. If you're using Hass.io on your local network and don't want"
bashio::log.fatal 'to encrypt connections to the ESPHome dashboard, you can manually disable'
bashio::log.fatal 'SSL by setting "ssl" to false."'
bashio::exit.nok
fi
bashio::log.fatal "The configured certfile '/ssl/${certfile}' was not found."
bashio::exit.nok
fi
if ! bashio::fs.file_exists "/ssl/${keyfile}"; then
bashio::log.fatal "The configured keyfile '/ssl/${keyfile}' was not found."
bashio::exit.nok
fi
mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf
sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf
else
mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
fi
sed -i "s/%%port%%/${direct_port}/g" /etc/nginx/servers/direct.conf
fi fi
ingress_port=$(bashio::addon.ingress_port)
ingress_interface=$(bashio::addon.ip_address)
sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf