Browse Source

security: use tls-proxy.js instead of inline node -e in entrypoint.sh

pull/2552/head
Platon47 4 months ago
committed by GitHub
parent
commit
f54327c13d
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 86
      scripts/entrypoint.sh

86
scripts/entrypoint.sh

@ -2,16 +2,15 @@
#===
# wg-easy-ip-tls entrypoint
# Architecture:
# - dumb-init is PID 1 and spawns this script for proper
# signal forwarding and zombie reaping
# - Nitro (wg-easy) runs on HTTP internally on NITRO_PORT
# - If LEGO_ENABLED=true and INSECURE!=true: a Node.js TLS
# reverse proxy wraps Nitro on PORT (HTTPS termination)
# Certs are loaded at startup; renewed certs are applied
# via server.setSecureContext() without restart
# - If INSECURE=true: Nitro listens directly on PORT (HTTP)
# - A background renewal loop re-runs lego-renew.sh every
# LEGO_RENEW_INTERVAL seconds (default: 5 days)
# - dumb-init is PID 1 and spawns this script for proper
# signal forwarding and zombie reaping
# - Nitro (wg-easy) runs on HTTP internally on NITRO_PORT
# - If LEGO_ENABLED=true and INSECURE!=true: tls-proxy.js
# wraps Nitro on PORT (HTTPS termination)
# Certs are hot-reloaded via server.setSecureContext() without restart
# - If INSECURE=true: Nitro listens directly on PORT (HTTP)
# - A background renewal loop re-runs lego-renew.sh every
# LEGO_RENEW_INTERVAL seconds (default: 5 days)
#===
set -eu
@ -79,66 +78,13 @@ if [ "$LEGO_ENABLED" = "true" ] && [ "$INSECURE" != "true" ]; then
done
echo "[entrypoint] Starting TLS proxy on port $PORT..."
# Use setSecureContext for cert hot-reload (works with IP certs - no SNI needed)
node -e "
const https = require('https');
const http = require('http');
const net = require('net');
const fs = require('fs');
const CERT_FILE = '$CERT_FILE';
const KEY_FILE = '$KEY_FILE';
const NITRO_PORT = $NITRO_PORT;
const loadCreds = () => ({
cert: fs.readFileSync(CERT_FILE),
key: fs.readFileSync(KEY_FILE),
});
const server = https.createServer(loadCreds(), (req, res) => {
const proxy = http.request({
hostname: '127.0.0.1',
port: NITRO_PORT,
path: req.url,
method: req.method,
headers: req.headers,
}, (proxyRes) => {
res.writeHead(proxyRes.statusCode, proxyRes.headers);
proxyRes.pipe(res);
});
proxy.on('error', (e) => {
console.error('[tls-proxy] error:', e.message);
if (!res.headersSent) { res.writeHead(502); }
res.end('Bad Gateway');
});
req.pipe(proxy);
});
server.on('upgrade', (req, socket, head) => {
const conn = net.connect(NITRO_PORT, '127.0.0.1', () => {
conn.write('GET ' + req.url + ' HTTP/1.1\\r\\n' +
Object.entries(req.headers).map(([k,v]) => k + ': ' + v).join('\\r\\n') +
'\\r\\n\\r\\n');
if (head && head.length) conn.write(head);
socket.pipe(conn);
conn.pipe(socket);
});
conn.on('error', (e) => {
console.error('[tls-proxy] ws error:', e.message);
socket.destroy();
});
});
// Hot-reload certs when lego-renew.sh updates them
fs.watchFile(CERT_FILE, { interval: 60000, persistent: true }, (curr, prev) => {
if (curr.mtime !== prev.mtime) {
try {
server.setSecureContext(loadCreds());
console.log('[tls-proxy] Certificate reloaded at ' + curr.mtime.toISOString());
} catch (e) {
console.error('[tls-proxy] Failed to reload cert:', e.message);
}
}
});
server.listen($PORT, '0.0.0.0', () => {
console.log('[tls-proxy] HTTPS listening on 0.0.0.0:$PORT -> http://127.0.0.1:$NITRO_PORT');
});
" &
# tls-proxy.js reads cert paths and ports from environment variables
# This avoids shell variable interpolation into JavaScript code (injection-safe)
CERT_FILE="$CERT_FILE" \
KEY_FILE="$KEY_FILE" \
NITRO_PORT="$NITRO_PORT" \
PORT="$PORT" \
node /usr/local/bin/tls-proxy.js &
echo $! > "$PROXY_PID_FILE"
else
# -- HTTP mode (INSECURE=true or LEGO_ENABLED=false) ---

Loading…
Cancel
Save