update to work with new way for the firewall

2025-08-15 23:11:03 +02:00 · 2025-08-15 23:11:03 +02:00 · 920c9db231
commit 920c9db231
parent 42ce223749
2 changed files with 43 additions and 32 deletions
--- a/appinfo.yml
+++ b/appinfo.yml
@ -21,13 +21,13 @@ configdefinition:
      description: The key file used for the certificate.  ATM this nginx only supports one certificate (use wildcards)
    httpport:
      type: integer
-      default: 8080
-      minimum: 1025
+      default: 80
+      minimum: 1
      maximum: 65536
    httpsport:
      type: integer
-      default: 8443
-      minimum: 1025
+      default: 443
+      minimum: 1
      maximum: 65536
    listenhttpaddress4:
      type: string
@ -45,22 +45,25 @@ configdefinition:
      type: string
      format: ipv6
      default: "::"
-imports:
-  web:
-    "$id": "web import"
-    "$schema": "http://json-schema.org/draft-07/schema#"
-    description: What we import from other apps under the web key.  To define what we need to proxy
-    type: array
-    items:
-      type: object
-      additionalProperties: false
-      properties:
-        proxyaddress:
-          type: string
-          description: The address to proxy to
-        publicname:
-          default: ""
-          type: string
-          description: The public address to expose, it will be sufixed by the domainname we use.  Will default to the appname
-      required:
-        - proxyaddress
+ports:
+    - http
+    - https
+exports:
+  firewall:
+    redirect:
+      - from: "{{ config.httpport }}"
+        to: "{{ ports.http }}"
+        version: ipv4
+        ip: "{{ config.listenhttpaddress4 }}"
+      - from: "{{ config.httpsport }}"
+        to: "{{ ports.https }}"
+        version: ipv4
+        ip: "{{ config.listenhttpaddress4 }}"
+      - from: "{{ config.httpport }}"
+        to: "{{ ports.http }}"
+        version: ipv6
+        ip: "{{ config.listenhttpaddress6 }}"
+      - from: "{{ config.httpsport }}"
+        to: "{{ ports.https }}"
+        version: ipv6
+        ip: "{{ config.listenhttpaddress6 }}"
--- a/nginx.conf.j2
+++ b/nginx.conf.j2
@ -29,16 +29,20 @@ http {

    gzip  on;
    server {
-        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpport }};
-        listen {{ config.listenhttpaddress4 }}:{{ config.httpport }};
+        listen [{{ config.listenhttpaddress6 }}]:{{ ports.http }};
+        listen {{ config.listenhttpaddress4 }}:{{ ports.http }};
+        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.http }};{% endif %}
+        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.http }};{% endif %}
        server_name _;
        root /var/www/empty;
        default_type text/html;
        return 200 "Nothing to see here";
    }
    server {
-        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpsport }} ssl;
-        listen {{ config.listenhttpaddress4 }}:{{ config.httpsport }} ssl;
+        listen [{{ config.listenhttpaddress6 }}]:{{ ports.https }} ssl;
+        listen {{ config.listenhttpaddress4 }}:{{ ports.https }} ssl;
+        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.https }} ssl;{% endif %}
+        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.https }} ssl;{% endif %}
        server_name _;

        ssl_certificate /etc/nginx/ssl.cert;
@ -52,12 +56,14 @@ http {

 {% for app in otherapps -%}
 {%- if "web" in otherapps[app]["imports"] -%}
-{%- for onesite in otherapps[app]["imports"]["web"] -%}
+{%- for onesite in otherapps[app]["imports"]["web"]["sites"] -%}

    {# Redirect http to https.  We only support https sites #}
    server {
-        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpport }};
-        listen {{ config.listenhttpaddress4 }}:{{ config.httpport }};
+        listen [{{ config.listenhttpaddress6 }}]:{{ ports.http }};
+        listen {{ config.listenhttpaddress4 }}:{{ ports.http }};
+        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.http }};{% endif %}
+        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.http }};{% endif %}
        server_name {{ onesite.publicname }};
        root /var/www/empty;
        location / {
@ -65,8 +71,10 @@ http {
        }
    }
    server {
-        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpsport }} ssl;
-        listen {{ config.listenhttpaddress4 }}:{{ config.httpsport }} ssl;
+        listen [{{ config.listenhttpaddress6 }}]:{{ ports.https }} ssl;
+        listen {{ config.listenhttpaddress4 }}:{{ ports.https }} ssl;
+        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.https }} ssl;{% endif %}
+        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.https }} ssl;{% endif %}
        server_name {{ onesite.publicname }};

        ssl_certificate /etc/nginx/ssl.cert;