Add ability to mark a node as being over a proxy

Dane Everitt 2017-04-27 22:52:37 -04:00
parent 801aae968c
commit 3ee7b7cff1
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
7 changed files with 86 additions and 21 deletions


@ -11,6 +11,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
* Added new scripts for service options that allows installation of software in a privileged Docker container on the node prior to marking a server as installed.
* Added ability to reinstall a server using the currently assigned service and option.
* Added ability to change a server's service and service option, as well as change pack assignments and other management services in that regard.
* Added support for using a proxy such as Cloudflare with a node connection. Previously there was no way to tell the panel to connect over SSL without marking the Daemon as also using SSL.
### Changed
* Environment setting commands now attempt to auto-quote strings with spaces in them, as well as comment lines that are edited to avoid manual changes being overwritten.


@ -88,7 +88,7 @@ class NodesController extends Controller
]),
$request->intersect([
'name', 'location_id', 'fqdn',
'scheme', 'memory', 'disk',
'scheme', 'memory', 'disk', 'behind_proxy',
'daemonBase', 'daemonSFTP', 'daemonListen',
])
));
@ -218,7 +218,7 @@ class NodesController extends Controller
'public', 'disk_overallocate', 'memory_overallocate',
]),
$request->intersect([
'name', 'location_id', 'fqdn',
'name', 'location_id', 'fqdn', 'behind_proxy',
'scheme', 'memory', 'disk', 'upload_size',
'reset_secret', 'daemonSFTP', 'daemonListen',
])
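Review bot: `behind_proxy` is added to the `$request->intersect([...])` lists in both hunks, and if `intersect()` is the Laravel helper that drops empty values, the form's `value="0"` choice never reaches the repository. On create that would fail the `required|boolean` rule for the default "Not Behind Proxy" selection, and on update a node could not be switched back from proxied to direct, leaving daemon SSL disabled in the generated configuration. The zero-capable fields (`public`, `disk_overallocate`, `memory_overallocate`) sit in the separate list just above the second call, which looks like the right place for `'behind_proxy'` as well. Both calls belong to methods that start and end outside the hunks, so the type of that first list is inferred, not visible.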


@ -59,6 +59,7 @@ class Node extends Model
'disk' => 'integer',
'daemonListen' => 'integer',
'daemonSFTP' => 'integer',
'behind_proxy' => 'boolean',
];
/**
@ -68,8 +69,8 @@ class Node extends Model
*/
protected $fillable = [
'public', 'name', 'location_id',
'fqdn', 'scheme', 'memory',
'memory_overallocate', 'disk',
'fqdn', 'scheme', 'behind_proxy',
'memory', 'memory_overallocate', 'disk',
'disk_overallocate', 'upload_size',
'daemonSecret', 'daemonBase',
'daemonSFTP', 'daemonListen',
@ -121,7 +122,7 @@ class Node extends Model
'host' => '0.0.0.0',
'listen' => $this->daemonListen,
'ssl' => [
'enabled' => $this->scheme === 'https',
'enabled' => (! $this->behind_proxy && $this->scheme === 'https'),
'certificate' => '/etc/letsencrypt/live/' . $this->fqdn . '/fullchain.pem',
'key' => '/etc/letsencrypt/live/' . $this->fqdn . '/privkey.pem',
],
@ -143,7 +144,7 @@ class Node extends Model
'count' => 3,
],
'remote' => [
'base' => config('app.url'),
'base' => route('index'),
'download' => route('remote.download'),
'installed' => route('remote.install'),
],
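Review bot: With `behind_proxy` set, `(! $this->behind_proxy && $this->scheme === 'https')` turns `ssl.enabled` off in the generated daemon configuration, so only the panel-to-proxy leg is encrypted, and nothing next to the line records that trade-off. I would add a comment above it such as `// TLS terminates at the proxy; the proxy-to-daemon hop is plain HTTP, so keep the daemon port reachable only from the proxy`. The same expression is repeated in the NodeRepository section (`! $node->behind_proxy && $node->scheme === 'https'`), so a small accessor on the model would keep the two from drifting apart. The array being built continues outside this hunk.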


@ -52,6 +52,7 @@ class NodeRepository
'public' => 'required|numeric|between:0,1',
'fqdn' => 'required|string|unique:nodes,fqdn',
'scheme' => 'required|regex:/^(http(s)?)$/',
'behind_proxy' => 'required|boolean',
'memory' => 'required|numeric|min:1',
'memory_overallocate' => 'required|numeric|min:-1',
'disk' => 'required|numeric|min:1',
@ -109,6 +110,7 @@ class NodeRepository
'public' => 'numeric|between:0,1',
'fqdn' => 'string|unique:nodes,fqdn,' . $id,
'scheme' => 'regex:/^(http(s)?)$/',
'behind_proxy' => 'boolean',
'memory' => 'numeric|min:1',
'memory_overallocate' => 'numeric|min:-1',
'disk' => 'numeric|min:1',
@ -166,7 +168,7 @@ class NodeRepository
'web' => [
'listen' => $node->daemonListen,
'ssl' => [
'enabled' => ($node->scheme === 'https'),
'enabled' => (! $node->behind_proxy && $node->scheme === 'https'),
],
],
'sftp' => [


@ -0,0 +1,32 @@
<?php
use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class AddAbilityToDefineConnectionOverSSLWithDaemonBehindProxy extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('nodes', function (Blueprint $table) {
$table->boolean('behind_proxy')->after('scheme')->default(false);
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('nodes', function (Blueprint $table) {
$table->dropColumn('behind_proxy');
});
}
}


@ -78,19 +78,28 @@
<div>
<div class="radio radio-success radio-inline">
<input type="radio" id="pSSLTrue" value="https" name="scheme" checked>
<label for="pSSLTrue"> Enable SSL </label>
<label for="pSSLTrue"> Use SSL Connection</label>
</div>
<div class="radio radio-danger radio-inline">
<input type="radio" id="pSSLFalse" value="http" name="scheme">
<label for="pSSLFalse"> Disable SSL </label>
<label for="pSSLFalse"> Use HTTP Connection</label>
</div>
</div>
<p class="text-muted small">SSL should only be disabled if this node is assigned an IP address as the FQDN and not an actual FQDN. Disabling SSL could allow a malicious user to intercept traffic between the panel and the daemon potentially exposing sensitive information.</p>
<p class="text-muted small">In most cases you should select to use a SSL connection. If using an IP Address or you do not wish to use SSL at all, select a HTTP connection.</p>
</div>
<div class="form-group">
<label for="pDaemonBase" class="form-label">Daemon Server File Directory</label>
<input type="text" name="daemonBase" id="pDaemonBase" class="form-control" value="/srv/daemon-data" />
<p class="text-muted small">Enter the directory where server files should be stored. <strong>If you use OVH you should check your partition scheme. You may need to use <code>/home/daemon-data</code> to have enough space.</strong></p>
<label class="form-label">Behind Proxy</label>
<div>
<div class="radio radio-success radio-inline">
<input type="radio" id="pProxyFalse" value="0" name="behind_proxy" checked>
<label for="pProxyFalse"> Not Behind Proxy </label>
</div>
<div class="radio radio-info radio-inline">
<input type="radio" id="pProxyTrue" value="1" name="behind_proxy">
<label for="pProxyTrue"> Behind Proxy </label>
</div>
</div>
<p class="text-muted small">If you are running the daemon behind a proxy such as Cloudflare, select this to have the daemon skip looking for certificates on boot.</p>
</div>
</div>
</div>
@ -102,6 +111,11 @@
</div>
<div class="box-body">
<div class="row">
<div class="form-group col-xs-12">
<label for="pDaemonBase" class="form-label">Daemon Server File Directory</label>
<input type="text" name="daemonBase" id="pDaemonBase" class="form-control" value="/srv/daemon-data" />
<p class="text-muted small">Enter the directory where server files should be stored. <strong>If you use OVH you should check your partition scheme. You may need to use <code>/home/daemon-data</code> to have enough space.</strong></p>
</div>
<div class="form-group col-md-6">
<label for="pMemory" class="form-label">Total Memory</label>
<div class="input-group">
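Review bot: The rewritten help text under the scheme radios drops the warning that disabling SSL lets traffic between the panel and the daemon be intercepted, and the new "Behind Proxy" text only mentions skipping certificate lookup on boot. I would keep one sentence of the old warning, e.g. `Without SSL, traffic between the panel and the daemon can be intercepted.`, and extend the proxy help text with `The daemon will then accept plain HTTP, so the proxy should be the only route to its port.` The edit view's section makes the same wording change and would take the same two sentences.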


@ -89,18 +89,33 @@
</small></p>
</div>
<div class="form-group col-xs-12">
<label for="scheme" class="control-label"><span class="label label-warning"><i class="fa fa-power-off"></i></span> Secure Socket Layer</label>
<div class="row" style="padding: 7px 0;">
<div class="col-xs-6">
<input type="radio" name="scheme" value="https" id="scheme_ssl" {{ (old('scheme', $node->scheme) === 'https') ? 'checked' : '' }}/> <label for="scheme_ssl" style="padding-left: 5px;">Enable HTTPS/SSL</label>
<label class="form-label"><span class="label label-warning"><i class="fa fa-power-off"></i></span> Communicate Over SSL</label>
<div>
<div class="radio radio-success radio-inline">
<input type="radio" id="pSSLTrue" value="https" name="scheme" {{ (old('scheme', $node->scheme) === 'https') ? 'checked' : '' }}>
<label for="pSSLTrue"> Use SSL Connection</label>
</div>
<div class="col-xs-6">
<input type="radio" name="scheme" value="http" id="scheme_nossl" {{ (old('scheme', $node->scheme) === 'http') ? 'checked' : '' }}/> <label for="scheme_nossl" style="padding-left: 5px;">Disable HTTPS/SSL</label>
<div class="radio radio-danger radio-inline">
<input type="radio" id="pSSLFalse" value="http" name="scheme" {{ (old('scheme', $node->scheme) !== 'https') ? 'checked' : '' }}>
<label for="pSSLFalse"> Use HTTP Connection</label>
</div>
</div>
<p class="text-muted"><small>You should always leave SSL enabled for nodes. Disabling SSL could allow a malicious user to intercept traffic between the panel and the daemon potentially exposing sensitive information.</small></p>
<p class="text-muted small">In most cases you should select to use a SSL connection. If using an IP Address or you do not wish to use SSL at all, select a HTTP connection.</p>
</div>
<div class="form-group col-xs-12">
<label class="form-label"><span class="label label-warning"><i class="fa fa-power-off"></i></span> Behind Proxy</label>
<div>
<div class="radio radio-success radio-inline">
<input type="radio" id="pProxyFalse" value="0" name="behind_proxy" {{ (old('behind_proxy', $node->behind_proxy) == false) ? 'checked' : '' }}>
<label for="pProxyFalse"> Not Behind Proxy </label>
</div>
<div class="radio radio-info radio-inline">
<input type="radio" id="pProxyTrue" value="1" name="behind_proxy" {{ (old('behind_proxy', $node->behind_proxy) == true) ? 'checked' : '' }}>
<label for="pProxyTrue"> Behind Proxy </label>
</div>
</div>
<p class="text-muted small">If you are running the daemon behind a proxy such as Cloudflare, select this to have the daemon skip looking for certificates on boot.</p>
</div>
</div>
</div>
</div>
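Review bot: The two `behind_proxy` radios compare `old('behind_proxy', $node->behind_proxy)` with `== false` and `== true`, which relies on PHP loosely juggling the resubmitted strings `"0"` and `"1"` against a boolean, while the `scheme` radios in the same section use strict comparisons. Casting once reads more clearly and keeps the same result for those values: `{{ ! (bool) old('behind_proxy', $node->behind_proxy) ? 'checked' : '' }}` on `pProxyFalse` and `{{ (bool) old('behind_proxy', $node->behind_proxy) ? 'checked' : '' }}` on `pProxyTrue`.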