#2969 -- Implement certificate locator to use proper SSL cert for Icecast direct connections.
parent
5bb463a5fe
commit
7a593e6a92
@ -5,13 +5,14 @@ services:
|
|||
build:
|
||||
context: ../docker-azuracast-nginx-proxy
|
||||
volumes:
|
||||
- ./util/local_ssl:/etc/nginx/certs
|
||||
- ./util/local_ssl:/etc/nginx/certs:ro
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
|
||||
web:
|
||||
build:
|
||||
context: .
|
||||
volumes:
|
||||
- ./util/local_ssl:/etc/nginx/certs:ro
|
||||
- .:/var/azuracast/www
|
||||
|
||||
mariadb:
|
||||
|
@ -32,4 +33,6 @@ services:
|
|||
|
||||
stations:
|
||||
build:
|
||||
context: ../docker-azuracast-radio
|
||||
context: ../docker-azuracast-radio
|
||||
volumes:
|
||||
- ./util/local_ssl:/etc/nginx/certs:ro
|
|
@ -57,14 +57,14 @@ services:
|
|||
env_file: azuracast.env
|
||||
environment:
|
||||
LANG: ${LANG:-en_US.UTF-8}
|
||||
AZURACAST_DC_REVISION: 9
|
||||
AZURACAST_DC_REVISION: 10
|
||||
AZURACAST_VERSION: ${AZURACAST_VERSION:-latest}
|
||||
AZURACAST_SFTP_PORT: ${AZURACAST_SFTP_PORT:-2022}
|
||||
VIRTUAL_HOST: ${LETSENCRYPT_HOST:-azuracast.local}
|
||||
LETSENCRYPT_HOST: ${LETSENCRYPT_HOST}
|
||||
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
|
||||
volumes:
|
||||
- letsencrypt:/etc/letsencrypt
|
||||
- letsencrypt:/etc/nginx/certs:ro
|
||||
- tmp_data:/var/azuracast/www_tmp
|
||||
- station_data:/var/azuracast/stations
|
||||
- shoutcast2_install:/var/azuracast/servers/shoutcast2
|
||||
|
@ -272,7 +272,7 @@ services:
|
|||
volumes:
|
||||
- station_data:/var/azuracast/stations
|
||||
- shoutcast2_install:/var/azuracast/servers/shoutcast2
|
||||
- letsencrypt:/etc/nginx/ssl:ro
|
||||
- letsencrypt:/etc/nginx/certs:ro
|
||||
- tmp_data:/var/azuracast/www_tmp
|
||||
networks:
|
||||
- frontend
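Review bot: Remounting the `letsencrypt` volume at `/etc/nginx/certs:ro` removes the `/etc/nginx/ssl` path the station container previously had, while the new Docker fallback in `CertificateLocator::getDefaultCertificates()` points at `/etc/nginx/ssl.key` / `/etc/nginx/ssl.crt`, which this volume does not provide. Unless the radio image itself ships a self-signed pair at exactly those paths (not visible in this commit), a station with neither `<VIRTUAL_HOST>.key` nor `default.key` in the volume is handed a non-existent key path and Icecast's SSL listener will fail to start; worth confirming against the image before merging. The volume carries the Let's Encrypt private keys, so `:ro` is right, but the Icecast process user still needs read permission on them. The enclosing `stations:` service definition starts before this hunk.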
|
||||
|
|
|
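--- /dev/null
+++ b/src/Radio/Certificate.php
@@ -0,0 +1,25 @@
+<?php
+namespace App\Radio;
+
+class Certificate
+{
+    protected string $keyPath;
+
+    protected string $certPath;
+
+    public function __construct(string $keyPath, string $certPath)
+    {
+        $this->keyPath = $keyPath;
+        $this->certPath = $certPath;
+    }
+
+    public function getKeyPath(): string
+    {
+        return $this->keyPath;
+    }
+
+    public function getCertPath(): string
+    {
+        return $this->certPath;
+    }
+}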
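Review bot: The new value object has no class docblock, and since `getKeyPath()` resolves to a private key that is written verbatim into the generated Icecast configuration, a short note on what the two strings are and where they must be valid would help the next maintainer. Suggested docblock above `class Certificate`: `/** Filesystem paths of the TLS private key and certificate handed to a station frontend; both must exist and be readable by the process that runs the frontend, which (in the Docker layout) is presumably not the process that generated the config — confirm. */`. Nothing here validates or reads the paths; that responsibility sits entirely with the locator, and the docblock should say so.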
|
|
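--- /dev/null
+++ b/src/Radio/CertificateLocator.php
@@ -0,0 +1,48 @@
+<?php
+namespace App\Radio;
+
+use App\Settings;
+
+class CertificateLocator
+{
+    public static function findCertificate(): Certificate
+    {
+        $settings = Settings::getInstance();
+
+        if (!empty($_ENV['VIRTUAL_HOST']) && $settings->isDockerRevisionNewerThan(10)) {
+            $vhost = $_ENV['VIRTUAL_HOST'];
+
+            // Check environment variable for a virtual host.
+            $certBase = '/etc/nginx/certs';
+
+            if (is_dir($certBase)) {
+                $domainKey = $certBase . '/' . $vhost . '.key';
+                $domainCert = $certBase . '/' . $vhost . '.crt';
+
+                if (file_exists($domainKey) && file_exists($domainCert)) {
+                    return new Certificate($domainKey, $domainCert);
+                }
+
+                $defaultKey = $certBase . '/default.key';
+                $defaultCert = $certBase . '/default.crt';
+
+                if (file_exists($defaultKey) && file_exists($defaultCert)) {
+                    return new Certificate($defaultKey, $defaultCert);
+                }
+            }
+        }
+
+        return self::getDefaultCertificates();
+    }
+
+    public static function getDefaultCertificates(): Certificate
+    {
+        $settings = Settings::getInstance();
+
+        if ($settings->isDocker()) {
+            return new Certificate('/etc/nginx/ssl.key', '/etc/nginx/ssl.crt');
+        }
+
+        return new Certificate('/etc/nginx/ssl/server.key', '/etc/nginx/ssl/server.crt');
+    }
+}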
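Review bot: `$vhost` is spliced straight from `$_ENV['VIRTUAL_HOST']` into the `$domainKey = $certBase . '/' . $vhost . '.key';` path with no validation; the value is operator-supplied, but the nginx-proxy convention it is meant to match accepts a comma-separated host list, and any value containing `/` or `..` silently points the lookup at a different file, so restricting it to a bare hostname (taking the first entry) keeps the lookup inside the certs directory and makes the fallback path deterministic. Two further caveats: `file_exists()` does not prove the process that will open the key can read it, so `is_readable()` is the better predicate for a private key; and the compose change in this commit sets `AZURACAST_DC_REVISION: 10` while the gate here is `isDockerRevisionNewerThan(10)` — if that helper is a strict `>` (not visible here), the new lookup never runs on the very revision that introduced it. `$_ENV` is also only populated when php.ini's `variables_order` includes `E`; `getenv('VIRTUAL_HOST')` does not depend on that setting.
```php
$vhost = trim(explode(',', $_ENV['VIRTUAL_HOST'])[0]);

// Only a bare hostname may be spliced into the certificate path; anything
// else (path separators, an empty first entry) falls back to the defaults.
if ($vhost === '' || !preg_match('/^[A-Za-z0-9.-]+$/', $vhost)) {
    return self::getDefaultCertificates();
}

// … unchanged: $certBase / is_dir() / per-domain and default lookups …
```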
|
|
@ -3,6 +3,7 @@ namespace App\Radio\Frontend;
|
|||
|
||||
use App\Entity;
|
||||
use App\Logger;
|
||||
use App\Radio\CertificateLocator;
|
||||
use App\Settings;
|
||||
use App\Utilities;
|
||||
use App\Xml\Reader;
|
||||
|
@ -80,13 +81,15 @@ class Icecast extends AbstractFrontend
|
|||
{
|
||||
$config_dir = $station->getRadioConfigDir();
|
||||
$settings = Settings::getInstance();
|
||||
|
||||
|
||||
$settingsBaseUrl = $this->settingsRepo->getSetting(Entity\Settings::BASE_URL, 'http://localhost');
|
||||
if (strpos($settingsBaseUrl, 'http') !== 0) {
|
||||
$settingsBaseUrl = 'http://' . $settingsBaseUrl;
|
||||
}
|
||||
$baseUrl = new Uri($settingsBaseUrl);
|
||||
|
||||
$certPaths = CertificateLocator::findCertificate();
|
||||
|
||||
$defaults = [
|
||||
'location' => 'AzuraCast',
|
||||
'admin' => 'icemaster@localhost',
|
||||
|
@ -125,8 +128,8 @@ class Icecast extends AbstractFrontend
|
|||
'@source' => '/',
|
||||
'@dest' => '/status.xsl',
|
||||
],
|
||||
'ssl-private-key' => '/etc/nginx/ssl/ssl.key',
|
||||
'ssl-certificate' => '/etc/nginx/ssl/ssl.crt',
|
||||
'ssl-private-key' => $certPaths->getKeyPath(),
|
||||
'ssl-certificate' => $certPaths->getCertPath(),
|
||||
'ssl-allowed-ciphers' => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
|
||||
'deny-ip' => $this->writeIpBansFile($station),
|
||||
'x-forwarded-for' => $settings->isDocker() ? '172.*.*.*' : '127.0.0.1',
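Review bot: The `ssl-private-key` / `ssl-certificate` values written here are paths that `CertificateLocator::findCertificate()` verified with `file_exists()` in the PHP process, but they are opened by Icecast, which in the Docker layout appears to run in the separate `stations` container; the compose change mounts the same volume at `/etc/nginx/certs` in both, yet nothing in this code enforces that the two views agree. A comment at the `$certPaths = CertificateLocator::findCertificate();` line in the earlier hunk would make that assumption explicit: `// Paths are checked on the web side; the container running Icecast must mount the same certs directory at the same path.` As a point of style, `$certPaths` holds a `Certificate` object rather than a pair of strings — `$certificate` would read more accurately at both the assignment and the two `->get*Path()` calls. The enclosing method starts before and ends after this hunk.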
|
||||
|
|