Merge pull request #501 from achtnullzwei/customize-tls-server-name

Add option to customise TLS server name in resource settings
This commit is contained in:
Milo Schwartz 2025-04-20 17:54:18 -04:00 committed by GitHub
commit 957fa67e24
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 267 additions and 7 deletions

View file

@ -77,7 +77,9 @@ export const resources = sqliteTable("resources", {
applyRules: integer("applyRules", { mode: "boolean" })
.notNull()
.default(false),
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true)
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
tlsServerName: text("tlsServerName").notNull().default(""),
setHostHeader: text("setHostHeader").notNull().default("")
});
export const targets = sqliteTable("targets", {

View file

@ -9,3 +9,10 @@ export const subdomainSchema = z
.min(1, "Subdomain must be at least 1 character long")
.transform((val) => val.toLowerCase());
export const tlsNameSchema = z
.string()
.regex(
/^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9-_]+$|^$/,
"Invalid subdomain format"
)
.transform((val) => val.toLowerCase());

View file

@ -69,7 +69,9 @@ function queryResources(
http: resources.http,
protocol: resources.protocol,
proxyPort: resources.proxyPort,
enabled: resources.enabled
enabled: resources.enabled,
tlsServerName: resources.tlsServerName,
setHostHeader: resources.setHostHeader
})
.from(resources)
.leftJoin(sites, eq(resources.siteId, sites.siteId))
@ -103,7 +105,9 @@ function queryResources(
http: resources.http,
protocol: resources.protocol,
proxyPort: resources.proxyPort,
enabled: resources.enabled
enabled: resources.enabled,
tlsServerName: resources.tlsServerName,
setHostHeader: resources.setHostHeader
})
.from(resources)
.leftJoin(sites, eq(resources.siteId, sites.siteId))

View file

@ -16,6 +16,7 @@ import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import config from "@server/lib/config";
import { tlsNameSchema } from "@server/lib/schemas";
import { subdomainSchema } from "@server/lib/schemas";
import { registry } from "@server/openApi";
import { OpenAPITags } from "@server/openApi";
@ -42,7 +43,9 @@ const updateHttpResourceBodySchema = z
isBaseDomain: z.boolean().optional(),
applyRules: z.boolean().optional(),
domainId: z.string().optional(),
enabled: z.boolean().optional()
enabled: z.boolean().optional(),
tlsServerName: z.string().optional(),
setHostHeader: z.string().optional()
})
.strict()
.refine((data) => Object.keys(data).length > 0, {
@ -69,6 +72,24 @@ const updateHttpResourceBodySchema = z
{
message: "Base domain resources are not allowed"
}
)
.refine(
(data) => {
if (data.tlsServerName) {
return tlsNameSchema.safeParse(data.tlsServerName).success;
}
return true;
},
{ message: "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name." }
)
.refine(
(data) => {
if (data.setHostHeader) {
return tlsNameSchema.safeParse(data.setHostHeader).success;
}
return true;
},
{ message: "Invalid custom Host Header value. Use domain name format, or save empty to unset custom Host Header." }
);
export type UpdateResourceResponse = Resource;

View file

@ -40,7 +40,9 @@ export async function traefikConfigProvider(
org: {
orgId: orgs.orgId
},
enabled: resources.enabled
enabled: resources.enabled,
tlsServerName: resources.tlsServerName,
setHostHeader: resources.setHostHeader
})
.from(resources)
.innerJoin(sites, eq(sites.siteId, resources.siteId))
@ -139,6 +141,8 @@ export async function traefikConfigProvider(
const routerName = `${resource.resourceId}-router`;
const serviceName = `${resource.resourceId}-service`;
const fullDomain = `${resource.fullDomain}`;
const transportName = `${resource.resourceId}-transport`;
const hostHeaderMiddlewareName = `${resource.resourceId}-host-header-middleware`;
if (!resource.enabled) {
continue;
@ -278,6 +282,43 @@ export async function traefikConfigProvider(
})
}
};
// Add the serversTransport if TLS server name is provided
if (resource.tlsServerName) {
if (!config_output.http.serversTransports) {
config_output.http.serversTransports = {};
}
config_output.http.serversTransports![transportName] = {
serverName: resource.tlsServerName,
//unfortunately the following needs to be set. traefik doesn't merge the default serverTransport settings
// if defined in the static config and here. if not set, self-signed certs won't work
insecureSkipVerify: true
};
config_output.http.services![serviceName].loadBalancer.serversTransport = transportName;
}
// Add the host header middleware
if (resource.setHostHeader) {
if (!config_output.http.middlewares) {
config_output.http.middlewares = {};
}
config_output.http.middlewares[hostHeaderMiddlewareName] =
{
headers: {
customRequestHeaders: {
Host: resource.setHostHeader
}
}
};
if (!config_output.http.routers![routerName].middlewares) {
config_output.http.routers![routerName].middlewares = [];
}
config_output.http.routers![routerName].middlewares = [
...config_output.http.routers![routerName].middlewares,
hostHeaderMiddlewareName
];
}
} else {
// Non-HTTP (TCP/UDP) configuration
const protocol = resource.protocol.toLowerCase();

View file

@ -19,6 +19,7 @@ import m15 from "./scripts/1.0.0-beta15";
import m16 from "./scripts/1.0.0";
import m17 from "./scripts/1.1.0";
import m18 from "./scripts/1.2.0";
import m19 from "./scripts/1.3.0";
// THIS CANNOT IMPORT ANYTHING FROM THE SERVER
// EXCEPT FOR THE DATABASE AND THE SCHEMA
@ -37,7 +38,8 @@ const migrations = [
{ version: "1.0.0-beta.15", run: m15 },
{ version: "1.0.0", run: m16 },
{ version: "1.1.0", run: m17 },
{ version: "1.2.0", run: m18 }
{ version: "1.2.0", run: m18 },
{ version: "1.3.0", run: m19 }
// Add new migrations here as they are created
] as const;

View file

@ -0,0 +1,26 @@
import db from "@server/db";
import { sql } from "drizzle-orm";
const version = "1.3.0";
export default async function migration() {
console.log(`Running setup script ${version}...`);
try {
db.transaction((trx) => {
trx.run(
sql`ALTER TABLE 'resources' ADD 'tlsServerName' text DEFAULT '' NOT NULL;`
);
trx.run(
sql`ALTER TABLE 'resources' ADD 'setHostHeader' text DEFAULT '' NOT NULL;`
);
});
console.log(`Migrated database schema`);
} catch (e) {
console.log("Unable to migrate database schema");
throw e;
}
console.log(`${version} migration complete`);
}