From 25f1fba96f416510f7e10782dbc148a7865d249b Mon Sep 17 00:00:00 2001
From: BatSmacker84
Date: Tue, 22 Aug 2023 11:17:26 -0500
Subject: [PATCH] added webgui switch for OCSP Stapling

dead, proxy, and redirect hosts have the option to enable OCSP Stapling in the webgui
---
 backend/doc/api.swagger.json | 7 +++++++
 backend/internal/host.js | 1 +
 backend/internal/nginx.js | 2 +-
 backend/schema/definitions.json | 5 +++++
 backend/schema/endpoints/dead-hosts.json | 12 ++++++++++++
 backend/schema/endpoints/proxy-hosts.json | 12 ++++++++++++
 backend/schema/endpoints/redirection-hosts.json | 12 ++++++++++++
 backend/templates/_ocsp.conf | 7 +++++++
 backend/templates/dead_host.conf | 1 +
 backend/templates/proxy_host.conf | 1 +
 backend/templates/redirection_host.conf | 1 +
 frontend/js/app/nginx/dead/form.ejs | 9 +++++++++
 frontend/js/app/nginx/dead/form.js | 4 +++-
 frontend/js/app/nginx/proxy/form.ejs | 10 +++++++++-
 frontend/js/app/nginx/proxy/form.js | 4 +++-
 frontend/js/app/nginx/redirection/form.ejs | 9 +++++++++
 frontend/js/app/nginx/redirection/form.js | 4 +++-
 frontend/js/i18n/messages.json | 1 +
 frontend/js/models/dead-host.js | 1 +
 frontend/js/models/proxy-host.js | 1 +
 frontend/js/models/redirection-host.js | 1 +
 test/cypress/integration/api/Hosts.spec.js | 1 +
 22 files changed, 101 insertions(+), 5 deletions(-)
 create mode 100644 backend/templates/_ocsp.conf

diff --git a/backend/doc/api.swagger.json b/backend/doc/api.swagger.json
index 3fa19fc4..ae2caf5a 100644
--- a/backend/doc/api.swagger.json
+++ b/backend/doc/api.swagger.json
@@ -96,6 +96,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "owner": {
 "id": 1,
 "created_on": "2023-03-30T01:11:50.000Z",
@@ -138,6 +139,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "owner": {
 "id": 1,
 "created_on": "2023-03-30T01:11:50.000Z",
@@ -216,6 +218,7 @@
 "locations": [],
 "hsts_enabled": 0,
 "hsts_subdomains": 0,
+ "ocsp_stapling": 0,
 "certificate": null,
 "owner": {
 "id": 1,
@@ -1125,6 +1128,7 @@
 "enabled",
 "locations",
 "hsts_enabled",
+ "ocsp_stapling",
 "hsts_subdomains",
 "certificate",
 "use_default_location",
@@ -1211,6 +1215,9 @@
 "hsts_subdomains": {
 "type": "integer"
 },
+ "ocsp_stapling": {
+ "type": "integer"
+ },
 "certificate": {
 "type": "object",
 "nullable": true
diff --git a/backend/internal/host.js b/backend/internal/host.js
index 58e1d09a..92245e20 100644
--- a/backend/internal/host.js
+++ b/backend/internal/host.js
@@ -22,6 +22,7 @@ const internalHost = {
 if (!combined_data.certificate_id) {
 combined_data.ssl_forced = false;
 combined_data.http2_support = false;
+ combined_data.ocsp_stapling = false;
 }
 
 if (!combined_data.ssl_forced) {
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index 77933e73..172c2460 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -155,7 +155,7 @@ const internalNginx = {
 let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
- {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
+ {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {ocsp_stapling: host.ocsp_stapling}, {access_list: host.access_list},
 {certificate: host.certificate}, host.locations[i]);
 
 if (locationCopy.forward_host.indexOf('/') > -1) {
diff --git a/backend/schema/definitions.json b/backend/schema/definitions.json
index 4b4f3405..f02ceb91 100644
--- a/backend/schema/definitions.json
+++ b/backend/schema/definitions.json
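Review bot: The new `combined_data.ocsp_stapling = false;` default assumes the flag is persisted, yet the diffstat at the top of the patch lists no migration adding an `ocsp_stapling` column to the host tables, while the endpoint schemas, the Backbone model defaults and `nginx.js` all read or write it. Unless the column lands in a separate commit, the API will validate the field but the stored host will never carry it into the template (or the insert will be rejected, depending on how the ORM treats unknown keys). If the migration is intentionally separate, a comment such as `// ocsp_stapling requires the matching DB column; see migration <MIGRATION-ID-PLACEHOLDER>` on this line would tie the two together. The enclosing function of `internalHost` starts and ends outside the hunk.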
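Review bot: `{ocsp_stapling: host.ocsp_stapling}` is now copied into every `locationCopy` next to the HSTS flags, but `ssl_stapling` and `ssl_stapling_verify` are only valid in `http` and `server` context, and no location template in this patch includes `_ocsp.conf`, so the copied value appears to be unused. The HSTS flags are copied precisely so per-location includes can render them, which invites a maintainer to add `{% include "_ocsp.conf" %}` to the location template later and produce a config nginx refuses to load. Either drop the entry from the copy or mark it, e.g. `// ocsp_stapling is server-scope only; never render it inside location blocks`. The enclosing method of `internalNginx` starts and ends outside the hunk.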
@@ -217,6 +217,11 @@
 "example": false,
 "type": "boolean"
 },
+ "ocsp_stapling": {
+ "description": "Is OCSP Stapling Enabled",
+ "example": false,
+ "type": "boolean"
+ },
 "ssl_provider": {
 "type": "string",
 "pattern": "^(letsencrypt|other)$"
diff --git a/backend/schema/endpoints/dead-hosts.json b/backend/schema/endpoints/dead-hosts.json
index 0c73c3be..ee81f1cd 100644
--- a/backend/schema/endpoints/dead-hosts.json
+++ b/backend/schema/endpoints/dead-hosts.json
@@ -30,6 +30,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -68,6 +71,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -131,6 +137,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -177,6 +186,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/schema/endpoints/proxy-hosts.json b/backend/schema/endpoints/proxy-hosts.json
index 9a3fff2f..ea0f89fd 100644
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@@ -44,6 +44,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -143,6 +146,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -233,6 +239,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -306,6 +315,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/schema/endpoints/redirection-hosts.json b/backend/schema/endpoints/redirection-hosts.json
index 14a46998..e5b72318 100644
--- a/backend/schema/endpoints/redirection-hosts.json
+++ b/backend/schema/endpoints/redirection-hosts.json
@@ -44,6 +44,9 @@
 "hsts_subdomains": {
 "$ref": "../definitions.json#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "../definitions.json#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "../definitions.json#/definitions/http2_support"
 },
@@ -97,6 +100,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_subdomains"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -178,6 +184,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
@@ -239,6 +248,9 @@
 "hsts_subdomains": {
 "$ref": "#/definitions/hsts_enabled"
 },
+ "ocsp_stapling": {
+ "$ref": "#/definitions/ocsp_stapling"
+ },
 "http2_support": {
 "$ref": "#/definitions/http2_support"
 },
diff --git a/backend/templates/_ocsp.conf b/backend/templates/_ocsp.conf
new file mode 100644
index 00000000..a4922edb
--- /dev/null
+++ b/backend/templates/_ocsp.conf
@@ -0,0 +1,7 @@
+{% if certificate and certificate_id > 0 -%}
+{% if ocsp_stapling == 1 or ocsp_stapling == true %}
+ # OCSP Stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+{% endif %}
+{% endif %}
diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf
index d94dff57..f96e5664 100644
--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@@ -5,6 +5,7 @@ server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 access_log /data/logs/dead-host-{{ id }}_access.log standard;
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index 81a542ea..c5b4dc89 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -11,6 +11,7 @@ server {
 {% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
diff --git a/backend/templates/redirection_host.conf b/backend/templates/redirection_host.conf
index 339fe72e..799d98ed 100644
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@@ -7,6 +7,7 @@ server {
 {% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
+{% include "_ocsp.conf" %}
 {% include "_forced_ssl.conf" %}
 
 access_log /data/logs/redirection-host-{{ id }}_access.log standard;
diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs
index 253c4b6f..e0c1cbc3 100644
--- a/frontend/js/app/nginx/dead/form.ejs
+++ b/frontend/js/app/nginx/dead/form.ejs
@@ -73,6 +73,15 @@
+
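Review bot: `ssl_stapling_verify on;` in the new `_ocsp.conf` only takes effect if nginx can validate the OCSP response against the issuer chain (`ssl_trusted_certificate`) and can resolve the responder hostname (a `resolver` directive); the template sets neither, and nothing on this page shows `_certificates.conf` or the global config supplying them. When either is missing nginx logs a warning at startup and completes the handshake without a staple, so the new switch can silently do nothing, and user-uploaded certificates that lack their intermediate chain will fail verification the same way. At minimum document the prerequisite above the directives, e.g. `# ssl_stapling_verify needs ssl_trusted_certificate (issuer chain) and a resolver; nginx drops the staple with a warning if either is missing`, and consider pointing `ssl_trusted_certificate` at the certificate's chain file where the certificate record provides one. The `certificate and certificate_id > 0` guard mirrors the existing includes, which is fine.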
+
+ +
+
diff --git a/frontend/js/app/nginx/dead/form.js b/frontend/js/app/nginx/dead/form.js
index 8f6774f6..dcc78439 100644
--- a/frontend/js/app/nginx/dead/form.js
+++ b/frontend/js/app/nginx/dead/form.js
@@ -25,6 +25,7 @@ module.exports = Mn.View.extend({
 ssl_forced: 'input[name="ssl_forced"]',
 hsts_enabled: 'input[name="hsts_enabled"]',
 hsts_subdomains: 'input[name="hsts_subdomains"]',
+ ocsp_stapling: 'input[name="ocsp_stapling"]',
 http2_support: 'input[name="http2_support"]',
 dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
 dns_challenge_content: '.dns-challenge',
@@ -48,7 +49,7 @@ module.exports = Mn.View.extend({
 let enabled = id === 'new' || parseInt(id, 10) > 0;
- let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
+ let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
 inputs .prop('disabled', !enabled) .parents('.form-group')
@@ -130,6 +131,7 @@ module.exports = Mn.View.extend({
 // Manipulate
 data.hsts_enabled = !!data.hsts_enabled;
 data.hsts_subdomains = !!data.hsts_subdomains;
+ data.ocsp_stapling = !!data.ocsp_stapling;
 data.http2_support = !!data.http2_support;
 data.ssl_forced = !!data.ssl_forced;
 
diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs
index 56868f55..5f8334c4 100644
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@@ -141,7 +141,15 @@
- +
+
+ +
+
diff --git a/frontend/js/app/nginx/proxy/form.js b/frontend/js/app/nginx/proxy/form.js
index 1dfb5c18..77676526 100644
--- a/frontend/js/app/nginx/proxy/form.js
+++ b/frontend/js/app/nginx/proxy/form.js
@@ -35,6 +35,7 @@ module.exports = Mn.View.extend({
 ssl_forced: 'input[name="ssl_forced"]',
 hsts_enabled: 'input[name="hsts_enabled"]',
 hsts_subdomains: 'input[name="hsts_subdomains"]',
+ ocsp_stapling: 'input[name="ocsp_stapling"]',
 http2_support: 'input[name="http2_support"]',
 dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
 dns_challenge_content: '.dns-challenge',
@@ -62,7 +63,7 @@ module.exports = Mn.View.extend({
 let enabled = id === 'new' || parseInt(id, 10) > 0;
- let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
+ let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
 inputs .prop('disabled', !enabled) .parents('.form-group')
@@ -166,6 +167,7 @@ module.exports = Mn.View.extend({
 data.http2_support = !!data.http2_support;
 data.hsts_enabled = !!data.hsts_enabled;
 data.hsts_subdomains = !!data.hsts_subdomains;
+ data.ocsp_stapling = !!data.ocsp_stapling;
 data.ssl_forced = !!data.ssl_forced;
 
 if (typeof data.meta === 'undefined') data.meta = {};
diff --git a/frontend/js/app/nginx/redirection/form.ejs b/frontend/js/app/nginx/redirection/form.ejs
index 7e190719..7f6b40e9 100644
--- a/frontend/js/app/nginx/redirection/form.ejs
+++ b/frontend/js/app/nginx/redirection/form.ejs
@@ -120,6 +120,15 @@
+
+
+ +
+
diff --git a/frontend/js/app/nginx/redirection/form.js b/frontend/js/app/nginx/redirection/form.js
index 1f81feeb..6221b3b0 100644
--- a/frontend/js/app/nginx/redirection/form.js
+++ b/frontend/js/app/nginx/redirection/form.js
@@ -26,6 +26,7 @@ module.exports = Mn.View.extend({
 ssl_forced: 'input[name="ssl_forced"]',
 hsts_enabled: 'input[name="hsts_enabled"]',
 hsts_subdomains: 'input[name="hsts_subdomains"]',
+ ocsp_stapling: 'input[name="ocsp_stapling"]',
 http2_support: 'input[name="http2_support"]',
 dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
 dns_challenge_content: '.dns-challenge',
@@ -48,7 +49,7 @@ module.exports = Mn.View.extend({
 let enabled = id === 'new' || parseInt(id, 10) > 0;
- let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
+ let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
 inputs .prop('disabled', !enabled) .parents('.form-group')
@@ -133,6 +134,7 @@ module.exports = Mn.View.extend({
 data.http2_support = !!data.http2_support;
 data.hsts_enabled = !!data.hsts_enabled;
 data.hsts_subdomains = !!data.hsts_subdomains;
+ data.ocsp_stapling = !!data.ocsp_stapling;
 data.ssl_forced = !!data.ssl_forced;
 
 if (typeof data.meta === 'undefined') data.meta = {};
diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json
index d77351d6..595679f5 100644
--- a/frontend/js/i18n/messages.json
+++ b/frontend/js/i18n/messages.json
@@ -88,6 +88,7 @@
 "advanced-config-header-info": "Please note, that any add_header or set_header directives added here will not be used by nginx. You will have to add a custom location '/' and add the header in the custom config there.",
 "hsts-enabled": "HSTS Enabled",
 "hsts-subdomains": "HSTS Subdomains",
+ "ocsp-stapling": "OCSP Stapling",
 "locations": "Custom locations"
 },
 "locations": {
diff --git a/frontend/js/models/dead-host.js b/frontend/js/models/dead-host.js
index 98ceef29..aa5d0f32 100644
--- a/frontend/js/models/dead-host.js
+++ b/frontend/js/models/dead-host.js
@@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
 http2_support: false,
 hsts_enabled: false,
 hsts_subdomains: false,
+ ocsp_stapling: false,
 enabled: true,
 meta: {},
 advanced_config: '',
diff --git a/frontend/js/models/proxy-host.js b/frontend/js/models/proxy-host.js
index b82d09fe..e6cdb73a 100644
--- a/frontend/js/models/proxy-host.js
+++ b/frontend/js/models/proxy-host.js
@@ -17,6 +17,7 @@ const model = Backbone.Model.extend({
 ssl_forced: false,
 hsts_enabled: false,
 hsts_subdomains: false,
+ ocsp_stapling: false,
 caching_enabled: false,
 allow_websocket_upgrade: false,
 block_exploits: false,
diff --git a/frontend/js/models/redirection-host.js b/frontend/js/models/redirection-host.js
index 1d0b0de2..0f76f16a 100644
--- a/frontend/js/models/redirection-host.js
+++ b/frontend/js/models/redirection-host.js
@@ -17,6 +17,7 @@ const model = Backbone.Model.extend({
 ssl_forced: false,
 hsts_enabled: false,
 hsts_subdomains: false,
+ ocsp_stapling: false,
 block_exploits: false,
 http2_support: false,
 advanced_config: '',
diff --git a/test/cypress/integration/api/Hosts.spec.js b/test/cypress/integration/api/Hosts.spec.js
index 4652c8e0..cb816759 100644
--- a/test/cypress/integration/api/Hosts.spec.js
+++ b/test/cypress/integration/api/Hosts.spec.js
@@ -32,6 +32,7 @@ describe('Hosts endpoints', () => {
 http2_support: false,
 hsts_enabled: false,
 hsts_subdomains: false,
+ ocsp_stapling: false,
 ssl_forced: false
 }
 }).then((data) => {
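Review bot: The Cypress change only adds `ocsp_stapling: false` to the create payload; nothing in the hunk asserts that the response echoes the field back, and there is no case with a certificate and `ocsp_stapling: true`, which is the only combination that reaches the new `_ocsp.conf` branch because `host.js` forces the flag to false whenever `certificate_id` is unset. If the spec already uses chai's `expect` (Cypress bundles it), an assertion inside the `.then` such as `expect(data).to.have.property('ocsp_stapling', false);` would at least pin the round-trip and catch a missing column. The `describe` block and the `.then` callback both continue outside the hunk.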