Fix customcert plugin to accept multisite certs as well

2023-05-31 09:39:57 -04:00 · 2023-05-31 09:39:57 -04:00 · 413b75b046
parent 87a9545d9a
commit 413b75b046
3 changed files with 42 additions and 8 deletions
--- a/src/common/core/customcert/confs/server-http/custom-cert.conf
+++ b/src/common/core/customcert/confs/server-http/custom-cert.conf
@ -1,6 +1,7 @@
 {% set os_path = import("os.path") %}

-{% if USE_CUSTOM_SSL == "yes" and os_path.isfile("/var/cache/bunkerweb/customcert/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/cert.key") +%}
+{% if USE_CUSTOM_SSL == "yes" %}
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/key.pem") or os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/key.pem") +%}

 # listen on HTTPS PORT
 listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
@ -9,8 +10,16 @@ listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if U
 {% endif %}

 # TLS config
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/cert.pem") %}
+ssl_certificate /var/cache/bunkerweb/customcert/{{ SERVER_NAME }}/cert.pem;
+{% else %}
 ssl_certificate /var/cache/bunkerweb/customcert/cert.pem;
-ssl_certificate_key /var/cache/bunkerweb/customcert/cert.key;
+{% endif %}
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/key.pem") %}
+ssl_certificate_key /var/cache/bunkerweb/customcert/{{ SERVER_NAME }}/key.pem;
+{% else %}
+ssl_certificate_key /var/cache/bunkerweb/customcert/key.pem;
+{% endif %}
 ssl_protocols {{ SSL_PROTOCOLS }};
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
@ -21,4 +30,5 @@ ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif %}

+{% endif %}
 {% endif %}
--- a/src/common/core/customcert/confs/server-stream/custom-cert.conf
+++ b/src/common/core/customcert/confs/server-stream/custom-cert.conf
@ -1,6 +1,7 @@
 {% set os_path = import("os.path") %}

-{% if USE_CUSTOM_SSL == "yes" and os_path.isfile("/var/cache/bunkerweb/customcert/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/cert.key") +%}
+{% if USE_CUSTOM_SSL == "yes" %}
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/key.pem") or os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/cert.pem") and os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/key.pem") +%}

 # listen
 listen 0.0.0.0:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% endif %}{% if USE_PROXY_PROTOCOL == "yes" %} proxy_protocol {% endif %};
@ -9,8 +10,16 @@ listen [::]:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% en
 {% endif %}

 # TLS config
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/cert.pem") %}
+ssl_certificate /var/cache/bunkerweb/customcert/{{ SERVER_NAME }}/cert.pem;
+{% else %}
 ssl_certificate /var/cache/bunkerweb/customcert/cert.pem;
-ssl_certificate_key /var/cache/bunkerweb/customcert/cert.key;
+{% endif %}
+{% if os_path.isfile("/var/cache/bunkerweb/customcert/" + SERVER_NAME + "/key.pem") %}
+ssl_certificate_key /var/cache/bunkerweb/customcert/{{ SERVER_NAME }}/key.pem;
+{% else %}
+ssl_certificate_key /var/cache/bunkerweb/customcert/key.pem;
+{% endif %}
 ssl_protocols {{ SSL_PROTOCOLS }};
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
@ -21,4 +30,5 @@ ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif %}

+{% endif %}
 {% endif %}
--- a/src/common/core/customcert/jobs/custom-cert.py
+++ b/src/common/core/customcert/jobs/custom-cert.py
@ -51,8 +51,15 @@ def check_cert(
            return False

        cert_cache_path = Path(
-            sep, "var", "cache", "bunkerweb", "customcert", "cert.pem"
+            sep,
+            "var",
+            "cache",
+            "bunkerweb",
+            "customcert",
+            first_server or "",
+            "cert.pem",
        )
+        cert_cache_path.parent.mkdir(parents=True, exist_ok=True)

        cert_hash = file_hash(cert_path)
        old_hash = cache_hash(cert_cache_path, db)
@ -66,8 +73,15 @@ def check_cert(
            logger.error(f"Error while caching custom-cert cert.pem file : {err}")

        key_cache_path = Path(
-            sep, "var", "cache", "bunkerweb", "customcert", "cert.key"
+            sep,
+            "var",
+            "cache",
+            "bunkerweb",
+            "customcert",
+            first_server or "",
+            "key.pem",
        )
+        key_cache_path.parent.mkdir(parents=True, exist_ok=True)

        key_hash = file_hash(key_path)
        old_hash = cache_hash(key_cache_path, db)
@ -76,7 +90,7 @@ def check_cert(
                key_path, key_cache_path, key_hash, db, delete_file=False
            )
            if not cached:
-                logger.error(f"Error while caching custom-cert cert.key file : {err}")
+                logger.error(f"Error while caching custom-cert key.pem file : {err}")

        return True
    except:
@ -95,7 +109,7 @@ try:

    # Multisite case
    if getenv("MULTISITE") == "yes":
-        servers = getenv("SERVER_NAME", [])
+        servers = getenv("SERVER_NAME") or []

        if isinstance(servers, str):
            servers = servers.split(" ")