From 0625cbc3ef458eb0ada0bd7bdda20a4b8cae91ed Mon Sep 17 00:00:00 2001 From: David Merfield Date: Fri, 27 Oct 2023 16:38:30 +0100 Subject: [PATCH] Change --- config/openresty/conf-new/auto-ssl-init.conf | 234 ------------------- 1 file changed, 234 deletions(-) diff --git a/config/openresty/conf-new/auto-ssl-init.conf b/config/openresty/conf-new/auto-ssl-init.conf index 082cd094c43..4e94c3daab3 100644 --- a/config/openresty/conf-new/auto-ssl-init.conf +++ b/config/openresty/conf-new/auto-ssl-init.conf @@ -20,244 +20,10 @@ lua_shared_dict auto_ssl_settings 64k; # found by running cat /etc/resolv.conf and looking for the nameserver value resolver 8.8.8.8 ipv6=off; -# Initial setup tasks. -init_by_lua_block { - - - local redis = require "resty.redis" - - local redis_options = { host = "{{redis.host}}", port = 6379 , prefix = "ssl" } - - local function get_redis_instance(redis_options) - - local instance = ngx.ctx.auto_ssl_redis_instance - - if instance then - return instance - end - - instance = redis:new() - - local ok, err - - if redis_options["socket"] then - ok, err = instance:connect(redis_options["socket"]) - else - ok, err = instance:connect(redis_options["host"], redis_options["port"]) - end - - if not ok then - return false, err - end - - if redis_options["auth"] then - ok, err = instance:auth(redis_options["auth"]) - if not ok then - return false, err - end - end - - ngx.ctx.auto_ssl_redis_instance = instance - return instance - end - - auto_ssl = (require "resty.auto-ssl").new() - - auto_ssl:set("redis", redis_options) - - -- Certificates are stored in redis - auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis") - - -- This function determines whether the incoming domain - -- should automatically issue a new SSL certificate. - -- I need to set domain:blot.im to foo in the database so that - -- the allow_domain function works as expected even though - -- it's not technically a user's domain - auto_ssl:set("allow_domain", function(domain) - - local certstorage = auto_ssl.storage - - local fullchain_pem, privkey_pem = certstorage:get_cert(domain) - - -- If we have this cert in the memory cache - -- then return it without checking redis to save time - if fullchain_pem then - return true - end - - local redis_instance, instance_err = get_redis_instance(redis_options) - - if instance_err then - return nil, instance_err - end - - local res, err = redis_instance:get('domain:' .. domain) - - if res == ngx.null then - return false - end - - return true - end) - - auto_ssl:init() - - -- now we rehydrate the cache - - local cache_directory = "{{{cache_directory}}}" - - -- this file will read the contents of the cache directory and store them in - -- the lua shared dict proxy_cache_keys_by_host so we can purge them later - - -- I'm not sure why we need to deduplicate the keys?-- - local function deduplicate_key_list_by_host (host, shared_dict) - - ngx.log(ngx.NOTICE, "deduplicate_key_list_by_host: " .. host) - - local deduplicated_key_list = {} - - -- we lpop from the list until we get nil - local key = shared_dict:lpop(host) - - while key do - - if (deduplicated_key_list[key] == nil) then - ngx.log(ngx.NOTICE, "unique key: " .. key) - table.insert(deduplicated_key_list, key) - deduplicated_key_list[key] = true - else - ngx.log(ngx.NOTICE, "duplicate key: " .. key) - end - - key = shared_dict:lpop(host) - end - - -- reinsert the keys into the list - for _, key in ipairs(deduplicated_key_list) do - ngx.log(ngx.NOTICE, "reinserting key: " .. key) - shared_dict:rpush(host, key) - end - end - - local function extractHostFromCacheFile (cache_file_path) - -- emit a warning with the cache_file_path - ngx.log(ngx.NOTICE, "extracting host from cache_file_path: " .. cache_file_path) - - -- we need to read the first line of the cache file to get the host - -- the first line is in the format: - -- KEY: http://example.com/xyz/abc - local file = io.open(cache_file_path, "r") - local first_line = file:read() - - -- keep reading the file until we get a line that starts with KEY - while (first_line ~= nil and string.match(first_line, "^KEY:") == nil) do - first_line = file:read() - end - - if (first_line == nil) then - ngx.log(ngx.NOTICE, "uri is nil") - return nil - end - - local uri = string.match(first_line, "KEY: (.*)") - - if (uri == nil) then - ngx.log(ngx.NOTICE, "uri is nil") - return nil - end - - -- the protocol is included in the uri so we need to remove it - local uri_without_protocol = string.match(uri, "://(.*)") - - -- the host is the first part of the uri, up to question mark or slash if present - local host = string.match(uri_without_protocol, "([^/?]+)") - - if (host == nil) then - ngx.log(ngx.NOTICE, "host is nil") - return nil - end - - file:close() - - ngx.log(ngx.NOTICE, "found host from cache_file_path: " .. host) - - return host - end - - -- list all the items in the cache directory - local function readdirectory(directory) - local i, t, popen = 0, {}, io.popen - local pfile = popen('find "'..directory..'" -maxdepth 1') - for line in pfile:lines() do - i = i + 1 - -- the line starts with the directory so we need to remove that - local filename = string.match(line, directory .. "/(.*)") - -- skip the first line which is the directory itself - if (i > 1 and filename ~= nil) then - table.insert(t, filename) - end - end - pfile:close() - return t - end - - if ngx ~= nil then - - -- local purged_files = purge_host(ngx.var.arg_host) - local proxy_cache_keys_by_host = ngx.shared.proxy_cache_keys_by_host - - -- first we list all the top level directories in the cache directory - local top_level_directories = readdirectory(cache_directory) - - -- store a list of hosts - local hosts = {} - - -- then for each directory we list all the files in that directory - for _, top_level_directory in ipairs(top_level_directories) do - - local top_level_directory_path = cache_directory .. "/" .. top_level_directory - local second_level_directories = readdirectory(top_level_directory_path) - - ngx.log(ngx.NOTICE, "reading top level directory: " .. top_level_directory_path) - - for _, second_level_directory in ipairs(second_level_directories) do - local second_level_directory_path = top_level_directory_path .. "/" .. second_level_directory - local files = readdirectory(second_level_directory_path) - - for _, file in ipairs(files) do - local cache_file_path = top_level_directory .. "/" .. second_level_directory .. "/" .. file - local host = extractHostFromCacheFile(second_level_directory_path .. "/" .. file) - - if (host ~= nil) then - -- add the host to the list of hosts - if (hosts[host] == nil) then - ngx.log(ngx.NOTICE, "found host: " .. host) - table.insert(hosts, host) - hosts[host] = true - end - - ngx.log(ngx.NOTICE, "found cache file path: " .. cache_file_path) - proxy_cache_keys_by_host:set(cache_file_path, true) - proxy_cache_keys_by_host:rpush(host, cache_file_path) - end - - - end - end - end - - for _, host in ipairs(hosts) do - deduplicate_key_list_by_host(host, proxy_cache_keys_by_host) - end - end - -} - init_worker_by_lua_block { auto_ssl:init_worker() } - # Internal server running on port 8999 for handling certificate tasks. server {