#!/bin/bash # Per-port Traefik middleware writer. # # The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login # protection as a whole-app flag, which falls apart for apps that expose # multiple HTTP routes (one needs auth, another doesn't) and for the Traefik # dashboard which routes to api@internal rather than a container port. # # This processor walks the parsed port arrays from initializeAppVariables and # stamps a separate MIDDLEWARE_TAG_ per port that has traefik=true. The # per-port login_required column controls whether protectionAuth@file is # included. # # Auth precedence: when Authelia is enabled and installed, it takes the auth # slot and basic-auth (protectionAuth) is skipped — chaining both means the # user gets two login prompts back-to-back, which is bad UX, not extra # security. IP whitelist + auth still compose normally (network filter + # identity check are layered concerns). tagsProcessorPortMiddlewares() { local file="$1" local app_name="$2" if [[ -z "$file" || -z "$app_name" ]]; then return 0 fi # Apps opt out of the default middleware chain via a per-app hook # (containers//scripts/_traefik.sh defines # appTraefikSkipsDefaultMiddleware_) — e.g. onlyoffice / owncloud, which # do their own routing. local include_default="true" declare -F "appTraefikSkipsDefaultMiddleware_${app_name}" >/dev/null 2>&1 && include_default="false" local count=${#port_service_names[@]} local i=0 while [[ $i -lt $count ]]; do local idx=$((i + 1)) local p_traefik="${port_traefik_managed[$i]}" local p_login="${port_login_requireds[$i]}" if [[ "$p_traefik" == "true" ]]; then local mw=() [[ "$include_default" == "true" ]] && mw+=("default@file") [[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file") # Authelia precedence: if authelia is on AND installed, it owns # the auth slot. protectionAuth is dropped even when login=true. if [[ "$authelia_setup" == "true" ]] \ && [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then mw+=("authelia@docker") elif [[ "$p_login" == "true" ]]; then mw+=("protectionAuth@file") fi # CrowdSec bouncer: HTTP-layer ban filter in front of every public # route. Auto-attached when CrowdSec is installed on the host AND # the global toggle is not "false". Per-app opt-out: # CFG__CROWDSEC_DISABLE=true. local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE" if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \ && [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \ && command -v cscli >/dev/null 2>&1; then mw+=("crowdsec-bouncer@file") fi # App-specific extras (e.g. onlyoffice-headers) via the per-app hook. if declare -F "appTraefikExtraMiddlewares_${app_name}" >/dev/null 2>&1; then local _mw while IFS= read -r _mw; do [[ -n "$_mw" ]] && mw+=("$_mw") done < <("appTraefikExtraMiddlewares_${app_name}") fi local joined; joined=$(IFS=,; echo "${mw[*]}") tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined" fi ((i++)) done }