Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

added webgui switch for OCSP Stapling

Browse source 
dead, proxy, and redirect hosts have the option to enable OCSP Stapling in the webgui
This commit is contained in:
BatSmacker84 2023-08-22 11:17:26 -05:00 committed by Ogden Wells
parent fa851b61da
commit 25f1fba96f
No known key found for this signature in database
GPG key ID: 1A1689EC6863C99A
22 changed files with 101 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
backend/doc/api.swagger.json
View file

@ -96,6 +96,7 @@
"locations": [], "locations": [],
"hsts_enabled": 0, "hsts_enabled": 0,
"hsts_subdomains": 0, "hsts_subdomains": 0,
"ocsp_stapling": 0,
"owner": { "owner": {
"id": 1, "id": 1,
"created_on": "2023-03-30T01:11:50.000Z", "created_on": "2023-03-30T01:11:50.000Z",
@ -138,6 +139,7 @@
"locations": [], "locations": [],
"hsts_enabled": 0, "hsts_enabled": 0,
"hsts_subdomains": 0, "hsts_subdomains": 0,
"ocsp_stapling": 0,
"owner": { "owner": {
"id": 1, "id": 1,
"created_on": "2023-03-30T01:11:50.000Z", "created_on": "2023-03-30T01:11:50.000Z",
@ -216,6 +218,7 @@
"locations": [], "locations": [],
"hsts_enabled": 0, "hsts_enabled": 0,
"hsts_subdomains": 0, "hsts_subdomains": 0,
"ocsp_stapling": 0,
"certificate": null, "certificate": null,
"owner": { "owner": {
"id": 1, "id": 1,
@ -1125,6 +1128,7 @@
"enabled", "enabled",
"locations", "locations",
"hsts_enabled", "hsts_enabled",
"ocsp_stapling",
"hsts_subdomains", "hsts_subdomains",
"certificate", "certificate",
"use_default_location", "use_default_location",
@ -1211,6 +1215,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"type": "integer" "type": "integer"
}, },
"ocsp_stapling": {
"type": "integer"
},
"certificate": { "certificate": {
"type": "object", "type": "object",
"nullable": true "nullable": true

1
backend/internal/host.js
View file

@ -22,6 +22,7 @@ const internalHost = {
if (!combined_data.certificate_id) { if (!combined_data.certificate_id) {
combined_data.ssl_forced = false; combined_data.ssl_forced = false;
combined_data.http2_support = false; combined_data.http2_support = false;
combined_data.ocsp_stapling = false;
} }
if (!combined_data.ssl_forced) { if (!combined_data.ssl_forced) {

2
backend/internal/nginx.js
View file

@ -155,7 +155,7 @@ const internalNginx = {
let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits}, {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support}, {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list}, {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {ocsp_stapling: host.ocsp_stapling}, {access_list: host.access_list},
{certificate: host.certificate}, host.locations[i]); {certificate: host.certificate}, host.locations[i]);
if (locationCopy.forward_host.indexOf('/') > -1) { if (locationCopy.forward_host.indexOf('/') > -1) {

5
backend/schema/definitions.json
View file

@ -217,6 +217,11 @@
"example": false, "example": false,
"type": "boolean" "type": "boolean"
}, },
"ocsp_stapling": {
"description": "Is OCSP Stapling Enabled",
"example": false,
"type": "boolean"
},
"ssl_provider": { "ssl_provider": {
"type": "string", "type": "string",
"pattern": "^(letsencrypt|other)$" "pattern": "^(letsencrypt|other)$"

12
backend/schema/endpoints/dead-hosts.json
View file

@ -30,6 +30,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "../definitions.json#/definitions/hsts_subdomains" "$ref": "../definitions.json#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "../definitions.json#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "../definitions.json#/definitions/http2_support" "$ref": "../definitions.json#/definitions/http2_support"
}, },
@ -68,6 +71,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_subdomains" "$ref": "#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -131,6 +137,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -177,6 +186,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },

12
backend/schema/endpoints/proxy-hosts.json
View file

@ -44,6 +44,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "../definitions.json#/definitions/hsts_subdomains" "$ref": "../definitions.json#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "../definitions.json#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "../definitions.json#/definitions/http2_support" "$ref": "../definitions.json#/definitions/http2_support"
}, },
@ -143,6 +146,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_subdomains" "$ref": "#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -233,6 +239,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -306,6 +315,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },

12
backend/schema/endpoints/redirection-hosts.json
View file

@ -44,6 +44,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "../definitions.json#/definitions/hsts_subdomains" "$ref": "../definitions.json#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "../definitions.json#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "../definitions.json#/definitions/http2_support" "$ref": "../definitions.json#/definitions/http2_support"
}, },
@ -97,6 +100,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_subdomains" "$ref": "#/definitions/hsts_subdomains"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -178,6 +184,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },
@ -239,6 +248,9 @@
"hsts_subdomains": { "hsts_subdomains": {
"$ref": "#/definitions/hsts_enabled" "$ref": "#/definitions/hsts_enabled"
}, },
"ocsp_stapling": {
"$ref": "#/definitions/ocsp_stapling"
},
"http2_support": { "http2_support": {
"$ref": "#/definitions/http2_support" "$ref": "#/definitions/http2_support"
}, },

7
backend/templates/_ocsp.conf Normal file
View file

@ -0,0 +1,7 @@
{% if certificate and certificate_id > 0 -%}
{% if ocsp_stapling == 1 or ocsp_stapling == true %}
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
{% endif %}
{% endif %}

1
backend/templates/dead_host.conf
View file

@ -5,6 +5,7 @@ server {
{% include "_listen.conf" %} {% include "_listen.conf" %}
{% include "_certificates.conf" %} {% include "_certificates.conf" %}
{% include "_hsts.conf" %} {% include "_hsts.conf" %}
{% include "_ocsp.conf" %}
{% include "_forced_ssl.conf" %} {% include "_forced_ssl.conf" %}
access_log /data/logs/dead-host-{{ id }}_access.log standard; access_log /data/logs/dead-host-{{ id }}_access.log standard;

1
backend/templates/proxy_host.conf
View file

@ -11,6 +11,7 @@ server {
{% include "_assets.conf" %} {% include "_assets.conf" %}
{% include "_exploits.conf" %} {% include "_exploits.conf" %}
{% include "_hsts.conf" %} {% include "_hsts.conf" %}
{% include "_ocsp.conf" %}
{% include "_forced_ssl.conf" %} {% include "_forced_ssl.conf" %}
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %} {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}

1
backend/templates/redirection_host.conf
View file

@ -7,6 +7,7 @@ server {
{% include "_assets.conf" %} {% include "_assets.conf" %}
{% include "_exploits.conf" %} {% include "_exploits.conf" %}
{% include "_hsts.conf" %} {% include "_hsts.conf" %}
{% include "_ocsp.conf" %}
{% include "_forced_ssl.conf" %} {% include "_forced_ssl.conf" %}
access_log /data/logs/redirection-host-{{ id }}_access.log standard; access_log /data/logs/redirection-host-{{ id }}_access.log standard;

9
frontend/js/app/nginx/dead/form.ejs
View file

@ -73,6 +73,15 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="ocsp_stapling" value="1"<%- ocsp_stapling ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'ocsp-stapling') %> <a href="https://en.wikipedia.org/wiki/OCSP_stapling" target="_blank"><i class="fe fe-help-circle"></i></a></span>
</label>
</div>
</div>
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">

4
frontend/js/app/nginx/dead/form.js
View file

@ -25,6 +25,7 @@ module.exports = Mn.View.extend({
ssl_forced: 'input[name="ssl_forced"]', ssl_forced: 'input[name="ssl_forced"]',
hsts_enabled: 'input[name="hsts_enabled"]', hsts_enabled: 'input[name="hsts_enabled"]',
hsts_subdomains: 'input[name="hsts_subdomains"]', hsts_subdomains: 'input[name="hsts_subdomains"]',
ocsp_stapling: 'input[name="ocsp_stapling"]',
http2_support: 'input[name="http2_support"]', http2_support: 'input[name="http2_support"]',
dns_challenge_switch: 'input[name="meta[dns_challenge]"]', dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
dns_challenge_content: '.dns-challenge', dns_challenge_content: '.dns-challenge',
@ -48,7 +49,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0; let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support); let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
inputs inputs
.prop('disabled', !enabled) .prop('disabled', !enabled)
.parents('.form-group') .parents('.form-group')
@ -130,6 +131,7 @@ module.exports = Mn.View.extend({
// Manipulate // Manipulate
data.hsts_enabled = !!data.hsts_enabled; data.hsts_enabled = !!data.hsts_enabled;
data.hsts_subdomains = !!data.hsts_subdomains; data.hsts_subdomains = !!data.hsts_subdomains;
data.ocsp_stapling = !!data.ocsp_stapling;
data.http2_support = !!data.http2_support; data.http2_support = !!data.http2_support;
data.ssl_forced = !!data.ssl_forced; data.ssl_forced = !!data.ssl_forced;

10
frontend/js/app/nginx/proxy/form.ejs
View file

@ -141,7 +141,15 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="ocsp_stapling" value="1"<%- ocsp_stapling ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'ocsp-stapling') %> <a href="https://en.wikipedia.org/wiki/OCSP_stapling" target="_blank"><i class="fe fe-help-circle"></i></a></span>
</label>
</div>
</div>
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group"> <div class="form-group">

4
frontend/js/app/nginx/proxy/form.js
View file

@ -35,6 +35,7 @@ module.exports = Mn.View.extend({
ssl_forced: 'input[name="ssl_forced"]', ssl_forced: 'input[name="ssl_forced"]',
hsts_enabled: 'input[name="hsts_enabled"]', hsts_enabled: 'input[name="hsts_enabled"]',
hsts_subdomains: 'input[name="hsts_subdomains"]', hsts_subdomains: 'input[name="hsts_subdomains"]',
ocsp_stapling: 'input[name="ocsp_stapling"]',
http2_support: 'input[name="http2_support"]', http2_support: 'input[name="http2_support"]',
dns_challenge_switch: 'input[name="meta[dns_challenge]"]', dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
dns_challenge_content: '.dns-challenge', dns_challenge_content: '.dns-challenge',
@ -62,7 +63,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0; let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support); let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
inputs inputs
.prop('disabled', !enabled) .prop('disabled', !enabled)
.parents('.form-group') .parents('.form-group')
@ -166,6 +167,7 @@ module.exports = Mn.View.extend({
data.http2_support = !!data.http2_support; data.http2_support = !!data.http2_support;
data.hsts_enabled = !!data.hsts_enabled; data.hsts_enabled = !!data.hsts_enabled;
data.hsts_subdomains = !!data.hsts_subdomains; data.hsts_subdomains = !!data.hsts_subdomains;
data.ocsp_stapling = !!data.ocsp_stapling;
data.ssl_forced = !!data.ssl_forced; data.ssl_forced = !!data.ssl_forced;
if (typeof data.meta === 'undefined') data.meta = {}; if (typeof data.meta === 'undefined') data.meta = {};

9
frontend/js/app/nginx/redirection/form.ejs
View file

@ -120,6 +120,15 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="ocsp_stapling" value="1"<%- ocsp_stapling ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'ocsp-stapling') %> <a href="https://en.wikipedia.org/wiki/OCSP_stapling" target="_blank"><i class="fe fe-help-circle"></i></a></span>
</label>
</div>
</div>
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">

4
frontend/js/app/nginx/redirection/form.js
View file

@ -26,6 +26,7 @@ module.exports = Mn.View.extend({
ssl_forced: 'input[name="ssl_forced"]', ssl_forced: 'input[name="ssl_forced"]',
hsts_enabled: 'input[name="hsts_enabled"]', hsts_enabled: 'input[name="hsts_enabled"]',
hsts_subdomains: 'input[name="hsts_subdomains"]', hsts_subdomains: 'input[name="hsts_subdomains"]',
ocsp_stapling: 'input[name="ocsp_stapling"]',
http2_support: 'input[name="http2_support"]', http2_support: 'input[name="http2_support"]',
dns_challenge_switch: 'input[name="meta[dns_challenge]"]', dns_challenge_switch: 'input[name="meta[dns_challenge]"]',
dns_challenge_content: '.dns-challenge', dns_challenge_content: '.dns-challenge',
@ -48,7 +49,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0; let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support); let inputs = this.ui.ssl_forced.add(this.ui.http2_support).add(this.ui.ocsp_stapling);
inputs inputs
.prop('disabled', !enabled) .prop('disabled', !enabled)
.parents('.form-group') .parents('.form-group')
@ -133,6 +134,7 @@ module.exports = Mn.View.extend({
data.http2_support = !!data.http2_support; data.http2_support = !!data.http2_support;
data.hsts_enabled = !!data.hsts_enabled; data.hsts_enabled = !!data.hsts_enabled;
data.hsts_subdomains = !!data.hsts_subdomains; data.hsts_subdomains = !!data.hsts_subdomains;
data.ocsp_stapling = !!data.ocsp_stapling;
data.ssl_forced = !!data.ssl_forced; data.ssl_forced = !!data.ssl_forced;
if (typeof data.meta === 'undefined') data.meta = {}; if (typeof data.meta === 'undefined') data.meta = {};

1
frontend/js/i18n/messages.json
View file

@ -88,6 +88,7 @@
"advanced-config-header-info": "Please note, that any add_header or set_header directives added here will not be used by nginx. You will have to add a custom location '/' and add the header in the custom config there.", "advanced-config-header-info": "Please note, that any add_header or set_header directives added here will not be used by nginx. You will have to add a custom location '/' and add the header in the custom config there.",
"hsts-enabled": "HSTS Enabled", "hsts-enabled": "HSTS Enabled",
"hsts-subdomains": "HSTS Subdomains", "hsts-subdomains": "HSTS Subdomains",
"ocsp-stapling": "OCSP Stapling",
"locations": "Custom locations" "locations": "Custom locations"
}, },
"locations": { "locations": {

1
frontend/js/models/dead-host.js
View file

@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
http2_support: false, http2_support: false,
hsts_enabled: false, hsts_enabled: false,
hsts_subdomains: false, hsts_subdomains: false,
ocsp_stapling: false,
enabled: true, enabled: true,
meta: {}, meta: {},
advanced_config: '', advanced_config: '',

1
frontend/js/models/proxy-host.js
View file

@ -17,6 +17,7 @@ const model = Backbone.Model.extend({
ssl_forced: false, ssl_forced: false,
hsts_enabled: false, hsts_enabled: false,
hsts_subdomains: false, hsts_subdomains: false,
ocsp_stapling: false,
caching_enabled: false, caching_enabled: false,
allow_websocket_upgrade: false, allow_websocket_upgrade: false,
block_exploits: false, block_exploits: false,

1
frontend/js/models/redirection-host.js
View file

@ -17,6 +17,7 @@ const model = Backbone.Model.extend({
ssl_forced: false, ssl_forced: false,
hsts_enabled: false, hsts_enabled: false,
hsts_subdomains: false, hsts_subdomains: false,
ocsp_stapling: false,
block_exploits: false, block_exploits: false,
http2_support: false, http2_support: false,
advanced_config: '', advanced_config: '',

1
test/cypress/integration/api/Hosts.spec.js
View file

@ -32,6 +32,7 @@ describe('Hosts endpoints', () => {
http2_support: false, http2_support: false,
hsts_enabled: false, hsts_enabled: false,
hsts_subdomains: false, hsts_subdomains: false,
ocsp_stapling: false,
ssl_forced: false ssl_forced: false
} }
}).then((data) => { }).then((data) => {