add reverse based on xataz/reverse (temporary)

reverse/rootfs/etc/s6.d/.s6-svscan/finish

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0

reverse/rootfs/etc/s6.d/check_certs/run

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+sleep 60
+while true; do
+    /usr/local/bin/check_certs
+    sleep 86400
+done

reverse/rootfs/etc/s6.d/nginx/run

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec nginx

reverse/rootfs/nginx/conf.d/headers.conf

@@ -0,0 +1,2 @@
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

reverse/rootfs/nginx/conf.d/proxy.conf

@@ -0,0 +1,11 @@
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Remote-Port $remote_port;
+  proxy_redirect off;
+  proxy_set_header Proxy "";
+  proxy_pass_header Server;

reverse/rootfs/nginx/conf.d/ssl.conf

@@ -0,0 +1,10 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve X25519:P-521:P-384;
+ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM;
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000";

reverse/rootfs/nginx/conf/nginx.conf

@@ -0,0 +1,77 @@
+#user web;
+worker_processes auto;
+pid /nginx/run/nginx.pid;
+daemon off;
+
+events {
+    worker_connections 2048; 
+    use epoll;
+}
+
+http {
+    include /nginx/conf/mime.types;
+    default_type  application/octet-stream;
+
+    access_log /nginx/log/nginx_access.log combined;
+    error_log /nginx/log/nginx_error.log error;
+
+    aio threads;
+    aio_write on;
+    
+    more_set_headers 'secret';
+
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay off;
+    server_tokens off;
+    proxy_max_temp_file_size 20480m;
+    
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /nginx/sites-enabled/*.conf;
+    include /nginx/custom_sites/*.conf;
+}

reverse/rootfs/nginx/path.d/template

@@ -0,0 +1,5 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }

reverse/rootfs/nginx/path.d/template_auth

@@ -0,0 +1,7 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    auth_basic "Who's this?";
+    auth_basic_user_file "<auth_file>";
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }

reverse/rootfs/nginx/sites-enabled/template

@@ -0,0 +1,6 @@
+server {
+  listen 8080;
+  server_name <frontend_domain>;
+  include /nginx/conf.d/headers.conf;
+  include /nginx/path.d/<frontend_domain>/*.conf;
+}

reverse/rootfs/nginx/sites-enabled/template_ssl

@@ -0,0 +1,27 @@
+server {
+  listen 8080;
+  server_name <frontend_domain>;
+
+  rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
+}
+
+
+server {
+
+  listen 8443 ssl http2;
+  server_name <frontend_domain>;
+  index index.html index.php index.htm;
+
+  ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
+  ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
+  ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
+  include /nginx/conf.d/ssl.conf;
+  include /nginx/conf.d/headers.conf;
+
+  include /nginx/path.d/<frontend_domain>/*.conf;
+
+  location ~ /\.well-known/acme-challenge {
+    root /nginx/www/<frontend_domain>;
+    allow all;
+  }
+}

reverse/rootfs/usr/local/bin/check_certs

@@ -0,0 +1,64 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+    LOG_TYPE=$1
+    LOG_MESSAGE=$2
+
+    case "${LOG_TYPE}" in
+    "INF")
+        echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "WRN")
+        echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "ERR")
+        echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    esac
+}
+
+f_check_certs() {
+    LIST_DOMAINS=$(ls /nginx/ssl/certificates | grep .crt | grep -v issuer | sed 's|.crt||g')
+    RELOAD_NGINX=0
+
+    for domain in ${LIST_DOMAINS}; do 
+        CERTFILE=/nginx/ssl/certificates/${domain}.cert.pem
+        KEYFILE=/nginx/ssl/certificates/${domain}.key
+        CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
+        FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
+        
+        mkdir -p /nginx/www/${domain}
+        openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
+        if [ $? == 0 ]; then
+            f_log INF "Certificate for ${domain} is good for another 10 days!"
+        else
+            f_log INF "Generate New Certificate for ${domain}"
+            /usr/local/bin/lego -a -m ${EMAIL} -d ${domain} --path /nginx/ssl --webroot /nginx/www/${domain} renew
+            if [ $? == 0 ]; then
+                if [ -e ${FULLCHAINFILE} ]; then
+                    head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+                    tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+                    RELOAD_NGINX=1
+                    f_log INF "New Certificate for ${domain} generated" 
+                fi
+            else 
+                f_log ERR "New Certificate for ${domain} not generated"
+            fi
+        fi             
+    done
+}
+
+f_check_certs
+
+if [ ${RELOAD_NGINX} -eq 1 ]; then
+    nginx reload
+fi

reverse/rootfs/usr/local/bin/startup

@@ -0,0 +1,182 @@
+#!/bin/sh
+
+## Variables
+CSI="\033["
+CEND="${CSI}0m"
+CRED="${CSI}1;31m"
+CGREEN="${CSI}1;32m"
+CYELLOW="${CSI}1;33m"
+CBLUE="${CSI}1;34m"
+
+## Functions
+f_log() {
+    LOG_TYPE=$1
+    LOG_MESSAGE=$2
+
+    case "${LOG_TYPE}" in
+    "INF")
+        echo -e "${CBLUE}=INF= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "SUC")
+        echo -e "${CGREEN}=SUC= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "WRN")
+        echo -e "${CYELLOW}=WRN= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    "ERR")
+        echo -e "${CRED}=ERR= $(date +%Y/%m/%d-%H:%M:%S) ${LOG_MESSAGE}${CEND}"
+    ;;
+    esac
+}
+
+f_gen_sites_enabled() {
+    if [ "${FRONTEND_SSL}" == "true" ]; then
+        template_sites=/nginx/sites-enabled/template_ssl
+    else
+        template_sites=/nginx/sites-enabled/template
+    fi
+    sed -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' ${template_sites} > /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+}
+
+f_gen_location() {
+    container_name=$1
+    if [ ! -d /nginx/path.d/${FRONTEND_DOMAIN} ]; then
+        mkdir -p /nginx/path.d/${FRONTEND_DOMAIN}
+    fi
+
+    if [ "${FRONTEND_PATH}" == "/" ]; then
+        path_file=/nginx/path.d/${FRONTEND_DOMAIN}/base.conf
+        auth_file=/nginx/auth/${FRONTEND_DOMAIN}/base.auth
+    else
+        path_file=/nginx/path.d/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.conf
+        auth_file=/nginx/auth/${FRONTEND_DOMAIN}/${FRONTEND_PATH}.auth
+    fi
+    if [ ! -e ${path_file} ]; then
+        if [ "${FRONTEND_AUTH}" != "" ]; then
+            mkdir -p /nginx/auth/${FRONTEND_DOMAIN}
+            sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+                -e 's|<backend_addr>|'${container_name}'|' \
+                -e 's|<backend_port>|'${BACKEND_PORT}'|' \
+                -e 's|<frontend_domain>|'${FRONTEND_DOMAIN}'|' \
+                -e 's|<frontend_path>|'${FRONTEND_PATH}'|' \
+                -e 's|<auth_file>|'${auth_file}'|' /nginx/path.d/template_auth > ${path_file}
+            echo "${FRONTEND_AUTH}" > ${auth_file}
+        else
+            sed -e 's|<frontend_domain_max_body_size>|'${FRONTEND_MAX_BODY_SIZE}'|' \
+                -e 's|<backend_addr>|'${container_name}'|' \
+                -e 's|<backend_port>|'${BACKEND_PORT}'|' \
+                -e 's|<frontend_path>|'${FRONTEND_PATH}'|' /nginx/path.d/template > ${path_file}
+        fi
+    fi
+}
+
+f_gen_certs() {
+    container_name=$1
+    if [ "${FRONTEND_SSL}" == "true" ]; then
+        CERTFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.cert.pem
+        KEYFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.key
+        CHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.chain.pem
+        FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
+        if [ ! -e ${CERTFILE} ] || [ ! -e ${KEYFILE} ] || [ ! -e ${CHAINFILE} ] || [ ! -e ${FULLCHAINFILE} ]; then
+            mkdir -p /nginx/www/${FRONTEND_DOMAIN}
+            /usr/local/bin/lego -a -m ${EMAIL} -d ${FRONTEND_DOMAIN} --path /nginx/ssl --http :8080 --tls :8443 -k ${FRONTEND_SSLTYPE} run
+            if [ $? == 0 ]; then
+                head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
+                tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
+                chown -R ${UID}:${GID} /nginx/ssl/
+            fi
+            [[ $? == 0 ]] && f_log INF "New Certificate for ${FRONTEND_DOMAIN} generated" || f_log ERR "New Certificate for ${FRONTEND_DOMAIN} not generated"
+        fi
+    fi
+}
+
+
+
+f_make_conf() {
+
+    FRONTEND_DOMAIN=mydomain.local
+    FRONTEND_MAX_BODY_SIZE=200M
+    FRONTEND_SSLTYPE=ec384
+    BACKEND_PORT=8080
+    FRONTEND_PATH="/"
+    FRONTEND_SSL=false
+    FRONTEND_AUTH=""
+
+    container_name=$1
+    IFS=$'\n' 
+    if [ "${CONTAINER_LABELS}" != "" ]; then
+        for label in ${CONTAINER_LABELS}; do
+            case "$(echo ${label} | awk '{print $1}')" in
+                "reverse.frontend.domain")
+                    FRONTEND_DOMAIN=""
+                    FRONTEND_DOMAIN="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.path")
+                    FRONTEND_PATH="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.auth")
+                    FRONTEND_AUTH="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.ssltype")
+                    FRONTEND_SSLTYPE="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.domain_max_body_size")
+                    FRONTEND_MAX_BODY_SIZE="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.frontend.ssl")
+                    FRONTEND_SSL="$(echo ${label} | awk '{print $2}')"
+                ;;
+                "reverse.backend.port")
+                    BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
+                ;;
+            esac
+        done
+        f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL} and port=${BACKEND_PORT}"
+        f_gen_location ${container_name}
+        f_gen_sites_enabled
+        f_gen_certs ${container_name}
+    fi
+}
+
+
+# Check /var/run/docker.sock
+f_log INF "Check if /var/run/docker.sock exist ..."
+ls /var/run/docker.sock > /dev/null 2>&1
+if [ $? == 0 ]; then
+    f_log INF "/var/run/docker.sock exist ..."
+else
+    f_log ERR "/var/run/docker.sock don't exist ..."
+    exit 1
+fi
+
+
+f_log INF "Start reverse configuration ..."
+
+# Prepare container
+f_log INF "Create user 'reverse'"
+addgroup -g ${GID} reverse && adduser -H -s /bin/sh -D -G reverse -u ${UID} reverse
+f_log INF "Create folder"
+mkdir -p /nginx/sites-enabled /nginx /nginx/log /nginx/run /nginx/sites-enabled /nginx/ssl /nginx/ssl/selfsigned/dhparam
+
+
+# Generate file
+for container in $(curl --unix-socket /var/run/docker.sock http://localhost/containers/json 2> /dev/null | jq '.[].Names' | sed 's|.*"/\(.*\)"$|\1|;/\[/d;/\]/d'); do 
+    CONTAINER_LABELS=$(curl --unix-socket /var/run/docker.sock http://localhost/containers/${container}/json 2> /dev/null | jq '.Config.Labels' | grep -E "reverse\." | sed 's|.*"\(.*\)": "\(.*\)".*$|\1 \2|')
+    f_make_conf ${container}
+done
+
+f_log INF "Apply permissions"
+chown -R reverse:reverse /nginx /etc/s6.d
+chmod +x /usr/local/bin/check_certs
+find /etc/s6.d -name run -exec chmod +x {} \;
+find /etc/s6.d -name finish -exec chmod +x {} \;
+
+f_log SUC "End reverse configuration"
+
+
+## run s6
+if [ $# -gt 0 ]; then
+    exec su-exec reverse:reverse "$@"
+else
+    exec su-exec reverse:reverse /bin/s6-svscan /etc/s6.d    
+fi