#2969 -- Implement certificate locator to use proper SSL cert for Icecast direct connections.

2020-06-29 16:26:48 -05:00 · 2020-06-29 16:26:48 -05:00 · 7a593e6a92
parent 5bb463a5fe
commit 7a593e6a92
5 changed files with 87 additions and 8 deletions
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -5,13 +5,14 @@ services:
    build:
      context: ../docker-azuracast-nginx-proxy
    volumes:
-      - ./util/local_ssl:/etc/nginx/certs
+      - ./util/local_ssl:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

  web:
    build:
      context: .
    volumes:
+      - ./util/local_ssl:/etc/nginx/certs:ro
      - .:/var/azuracast/www

  mariadb:
@ -32,4 +33,6 @@ services:

  stations:
    build:
-      context: ../docker-azuracast-radio
+      context: ../docker-azuracast-radio
+    volumes:
+      - ./util/local_ssl:/etc/nginx/certs:ro
--- a/docker-compose.sample.yml
+++ b/docker-compose.sample.yml
@ -57,14 +57,14 @@ services:
    env_file: azuracast.env
    environment:
      LANG: ${LANG:-en_US.UTF-8}
-      AZURACAST_DC_REVISION: 9
+      AZURACAST_DC_REVISION: 10
      AZURACAST_VERSION: ${AZURACAST_VERSION:-latest}
      AZURACAST_SFTP_PORT: ${AZURACAST_SFTP_PORT:-2022}
      VIRTUAL_HOST: ${LETSENCRYPT_HOST:-azuracast.local}
      LETSENCRYPT_HOST: ${LETSENCRYPT_HOST}
      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
    volumes:
-      - letsencrypt:/etc/letsencrypt
+      - letsencrypt:/etc/nginx/certs:ro
      - tmp_data:/var/azuracast/www_tmp
      - station_data:/var/azuracast/stations
      - shoutcast2_install:/var/azuracast/servers/shoutcast2
@ -272,7 +272,7 @@ services:
    volumes:
      - station_data:/var/azuracast/stations
      - shoutcast2_install:/var/azuracast/servers/shoutcast2
-      - letsencrypt:/etc/nginx/ssl:ro
+      - letsencrypt:/etc/nginx/certs:ro
      - tmp_data:/var/azuracast/www_tmp
    networks:
      - frontend
--- a/src/Radio/Certificate.php
+++ b/src/Radio/Certificate.php
@ -0,0 +1,25 @@
+<?php
+namespace App\Radio;
+
+class Certificate
+{
+    protected string $keyPath;
+
+    protected string $certPath;
+
+    public function __construct(string $keyPath, string $certPath)
+    {
+        $this->keyPath = $keyPath;
+        $this->certPath = $certPath;
+    }
+    
+    public function getKeyPath(): string
+    {
+        return $this->keyPath;
+    }
+
+    public function getCertPath(): string
+    {
+        return $this->certPath;
+    }
+}
--- a/src/Radio/CertificateLocator.php
+++ b/src/Radio/CertificateLocator.php
@ -0,0 +1,48 @@
+<?php
+namespace App\Radio;
+
+use App\Settings;
+
+class CertificateLocator
+{
+    public static function findCertificate(): Certificate
+    {
+        $settings = Settings::getInstance();
+
+        if (!empty($_ENV['VIRTUAL_HOST']) && $settings->isDockerRevisionNewerThan(10)) {
+            $vhost = $_ENV['VIRTUAL_HOST'];
+
+            // Check environment variable for a virtual host.
+            $certBase = '/etc/nginx/certs';
+
+            if (is_dir($certBase)) {
+                $domainKey = $certBase . '/' . $vhost . '.key';
+                $domainCert = $certBase . '/' . $vhost . '.crt';
+
+                if (file_exists($domainKey) && file_exists($domainCert)) {
+                    return new Certificate($domainKey, $domainCert);
+                }
+
+                $defaultKey = $certBase . '/default.key';
+                $defaultCert = $certBase . '/default.crt';
+
+                if (file_exists($defaultKey) && file_exists($defaultCert)) {
+                    return new Certificate($defaultKey, $defaultCert);
+                }
+            }
+        }
+
+        return self::getDefaultCertificates();
+    }
+
+    public static function getDefaultCertificates(): Certificate
+    {
+        $settings = Settings::getInstance();
+
+        if ($settings->isDocker()) {
+            return new Certificate('/etc/nginx/ssl.key', '/etc/nginx/ssl.crt');
+        }
+
+        return new Certificate('/etc/nginx/ssl/server.key', '/etc/nginx/ssl/server.crt');
+    }
+}
--- a/src/Radio/Frontend/Icecast.php
+++ b/src/Radio/Frontend/Icecast.php
@ -3,6 +3,7 @@ namespace App\Radio\Frontend;

 use App\Entity;
 use App\Logger;
+use App\Radio\CertificateLocator;
 use App\Settings;
 use App\Utilities;
 use App\Xml\Reader;
@ -80,13 +81,15 @@ class Icecast extends AbstractFrontend
    {
        $config_dir = $station->getRadioConfigDir();
        $settings = Settings::getInstance();
-        
+
        $settingsBaseUrl = $this->settingsRepo->getSetting(Entity\Settings::BASE_URL, 'http://localhost');
        if (strpos($settingsBaseUrl, 'http') !== 0) {
            $settingsBaseUrl = 'http://' . $settingsBaseUrl;
        }
        $baseUrl = new Uri($settingsBaseUrl);

+        $certPaths = CertificateLocator::findCertificate();
+
        $defaults = [
            'location' => 'AzuraCast',
            'admin' => 'icemaster@localhost',
@ -125,8 +128,8 @@ class Icecast extends AbstractFrontend
                    '@source' => '/',
                    '@dest' => '/status.xsl',
                ],
-                'ssl-private-key' => '/etc/nginx/ssl/ssl.key',
-                'ssl-certificate' => '/etc/nginx/ssl/ssl.crt',
+                'ssl-private-key' => $certPaths->getKeyPath(),
+                'ssl-certificate' => $certPaths->getCertPath(),
                'ssl-allowed-ciphers' => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
                'deny-ip' => $this->writeIpBansFile($station),
                'x-forwarded-for' => $settings->isDocker() ? '172.*.*.*' : '127.0.0.1',