mirror of
https://github.com/esphome/esphome.git
synced 2024-11-26 00:48:19 +01:00
Refactor NGINX configuration of Home Assistant Add-on (#4312)
This commit is contained in:
parent
fd6d6cfb6c
commit
84698ae888
10 changed files with 60 additions and 100 deletions
|
@ -1,6 +1,8 @@
|
||||||
root /dev/null;
|
root /dev/null;
|
||||||
server_name $hostname;
|
server_name $hostname;
|
||||||
|
|
||||||
|
client_max_body_size 512m;
|
||||||
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Robots-Tag none;
|
add_header X-Robots-Tag none;
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers off;
|
||||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_cache shared:SSL:10m;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
3
docker/ha-addon-rootfs/etc/nginx/includes/upstream.conf
Normal file
3
docker/ha-addon-rootfs/etc/nginx/includes/upstream.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
upstream esphome {
|
||||||
|
server unix:/var/run/esphome.sock;
|
||||||
|
}
|
|
@ -2,7 +2,6 @@ daemon off;
|
||||||
user root;
|
user root;
|
||||||
pid /var/run/nginx.pid;
|
pid /var/run/nginx.pid;
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
# Hass.io addon log
|
|
||||||
error_log /proc/1/fd/1 error;
|
error_log /proc/1/fd/1 error;
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
|
@ -10,24 +9,22 @@ events {
|
||||||
|
|
||||||
http {
|
http {
|
||||||
include /etc/nginx/includes/mime.types;
|
include /etc/nginx/includes/mime.types;
|
||||||
access_log stdout;
|
|
||||||
|
access_log off;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
gzip on;
|
gzip on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
sendfile on;
|
sendfile on;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
|
tcp_nodelay on;
|
||||||
|
tcp_nopush on;
|
||||||
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Use Hass.io supervisor as resolver
|
include /etc/nginx/includes/upstream.conf;
|
||||||
resolver 172.30.32.2;
|
|
||||||
|
|
||||||
upstream esphome {
|
|
||||||
server unix:/var/run/esphome.sock;
|
|
||||||
}
|
|
||||||
|
|
||||||
include /etc/nginx/servers/*.conf;
|
include /etc/nginx/servers/*.conf;
|
||||||
}
|
}
|
||||||
|
|
1
docker/ha-addon-rootfs/etc/nginx/servers/.gitkeep
Normal file
1
docker/ha-addon-rootfs/etc/nginx/servers/.gitkeep
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)
|
|
@ -1,12 +0,0 @@
|
||||||
server {
|
|
||||||
listen %%port%% default_server;
|
|
||||||
|
|
||||||
include /etc/nginx/includes/server_params.conf;
|
|
||||||
include /etc/nginx/includes/proxy_params.conf;
|
|
||||||
# Clear Hass.io Ingress header
|
|
||||||
proxy_set_header X-HA-Ingress "";
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://esphome;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,20 +1,26 @@
|
||||||
server {
|
server {
|
||||||
listen %%port%% default_server ssl http2;
|
{{ if not .ssl }}
|
||||||
|
listen 6052 default_server;
|
||||||
|
{{ else }}
|
||||||
|
listen 6052 default_server ssl http2;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
include /etc/nginx/includes/server_params.conf;
|
include /etc/nginx/includes/server_params.conf;
|
||||||
include /etc/nginx/includes/proxy_params.conf;
|
include /etc/nginx/includes/proxy_params.conf;
|
||||||
|
|
||||||
|
{{ if .ssl }}
|
||||||
include /etc/nginx/includes/ssl_params.conf;
|
include /etc/nginx/includes/ssl_params.conf;
|
||||||
|
|
||||||
ssl on;
|
ssl_certificate /ssl/{{ .certfile }};
|
||||||
ssl_certificate /ssl/%%certfile%%;
|
ssl_certificate_key /ssl/{{ .keyfile }};
|
||||||
ssl_certificate_key /ssl/%%keyfile%%;
|
|
||||||
|
|
||||||
# Clear Hass.io Ingress header
|
|
||||||
proxy_set_header X-HA-Ingress "";
|
|
||||||
|
|
||||||
# Redirect http requests to https on the same port.
|
# Redirect http requests to https on the same port.
|
||||||
# https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/
|
# https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/
|
||||||
error_page 497 https://$http_host$request_uri;
|
error_page 497 https://$http_host$request_uri;
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# Clear Home Assistant Ingress header
|
||||||
|
proxy_set_header X-HA-Ingress "";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://esphome;
|
proxy_pass http://esphome;
|
|
@ -1,13 +1,13 @@
|
||||||
server {
|
server {
|
||||||
listen %%interface%%:%%port%% default_server;
|
listen {{ .interface }}:{{ .port }} default_server;
|
||||||
|
|
||||||
include /etc/nginx/includes/server_params.conf;
|
include /etc/nginx/includes/server_params.conf;
|
||||||
include /etc/nginx/includes/proxy_params.conf;
|
include /etc/nginx/includes/proxy_params.conf;
|
||||||
|
|
||||||
# Set Home Assistant Ingress header
|
# Set Home Assistant Ingress header
|
||||||
proxy_set_header X-HA-Ingress "YES";
|
proxy_set_header X-HA-Ingress "YES";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# Only allow from Hass.io supervisor
|
|
||||||
allow 172.30.32.2;
|
allow 172.30.32.2;
|
||||||
deny all;
|
deny all;
|
||||||
|
|
|
@ -4,60 +4,24 @@
|
||||||
# Community Hass.io Add-ons: ESPHome
|
# Community Hass.io Add-ons: ESPHome
|
||||||
# Configures NGINX for use with ESPHome
|
# Configures NGINX for use with ESPHome
|
||||||
# ==============================================================================
|
# ==============================================================================
|
||||||
declare certfile
|
|
||||||
declare direct_port
|
|
||||||
declare ingress_interface
|
|
||||||
declare ingress_port
|
|
||||||
declare keyfile
|
|
||||||
|
|
||||||
mkdir -p /var/log/nginx
|
mkdir -p /var/log/nginx
|
||||||
|
|
||||||
direct_port=$(bashio::addon.port 6052)
|
# Generate Ingress configuration
|
||||||
if bashio::var.has_value "${direct_port}"; then
|
bashio::var.json \
|
||||||
# Check SSL requirements, if enabled
|
interface "$(bashio::addon.ip_address)" \
|
||||||
if bashio::config.true 'ssl'; then
|
port "^$(bashio::addon.ingress_port)" \
|
||||||
if ! bashio::config.has_value 'certfile'; then
|
| tempio \
|
||||||
bashio::log.fatal 'SSL is enabled, but no certfile was specified.'
|
-template /etc/nginx/templates/ingress.gtpl \
|
||||||
bashio::exit.nok
|
-out /etc/nginx/servers/ingress.conf
|
||||||
fi
|
|
||||||
|
|
||||||
if ! bashio::config.has_value 'keyfile'; then
|
# Generate direct access configuration, if enabled.
|
||||||
bashio::log.fatal 'SSL is enabled, but no keyfile was specified'
|
if bashio::var.has_value "$(bashio::addon.port 6052)"; then
|
||||||
bashio::exit.nok
|
bashio::config.require.ssl
|
||||||
fi
|
bashio::var.json \
|
||||||
|
certfile "$(bashio::config 'certfile')" \
|
||||||
certfile="/ssl/$(bashio::config 'certfile')"
|
keyfile "$(bashio::config 'keyfile')" \
|
||||||
keyfile="/ssl/$(bashio::config 'keyfile')"
|
ssl "^$(bashio::config 'ssl')" \
|
||||||
|
| tempio \
|
||||||
if ! bashio::fs.file_exists "/ssl/${certfile}"; then
|
-template /etc/nginx/templates/direct.gtpl \
|
||||||
if ! bashio::fs.file_exists "/ssl/${keyfile}"; then
|
-out /etc/nginx/servers/direct.conf
|
||||||
# Both files are missing, let's print a friendlier error message
|
|
||||||
bashio::log.fatal 'You enabled encrypted connections using the "ssl": true option.'
|
|
||||||
bashio::log.fatal "However, the SSL files '${certfile}' and '${keyfile}'"
|
|
||||||
bashio::log.fatal "were not found. If you're using Hass.io on your local network and don't want"
|
|
||||||
bashio::log.fatal 'to encrypt connections to the ESPHome dashboard, you can manually disable'
|
|
||||||
bashio::log.fatal 'SSL by setting "ssl" to false."'
|
|
||||||
bashio::exit.nok
|
|
||||||
fi
|
|
||||||
bashio::log.fatal "The configured certfile '/ssl/${certfile}' was not found."
|
|
||||||
bashio::exit.nok
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! bashio::fs.file_exists "/ssl/${keyfile}"; then
|
|
||||||
bashio::log.fatal "The configured keyfile '/ssl/${keyfile}' was not found."
|
|
||||||
bashio::exit.nok
|
|
||||||
fi
|
|
||||||
mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
|
|
||||||
sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf
|
|
||||||
sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf
|
|
||||||
else
|
|
||||||
mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i "s/%%port%%/${direct_port}/g" /etc/nginx/servers/direct.conf
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ingress_port=$(bashio::addon.ingress_port)
|
|
||||||
ingress_interface=$(bashio::addon.ip_address)
|
|
||||||
sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
|
|
||||||
sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
|
|
||||||
|
|
Loading…
Reference in a new issue