#!/bin/bash # Per-port Traefik middleware writer. # # The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login # protection as a whole-app flag, which falls apart for apps that expose # multiple HTTP routes (one needs auth, another doesn't) and for the Traefik # dashboard which routes to api@internal rather than a container port. # # This processor walks the parsed port arrays from initializeAppVariables and # stamps a separate MIDDLEWARE_TAG_ per port that has traefik=true. The # per-port login_required column controls whether protectionAuth@file is # included. # # Auth precedence: when Authelia is enabled and installed, it takes the auth # slot and basic-auth (protectionAuth) is skipped — chaining both means the # user gets two login prompts back-to-back, which is bad UX, not extra # security. IP whitelist + auth still compose normally (network filter + # identity check are layered concerns). tagsProcessorPortMiddlewares() { local file="$1" local app_name="$2" if [[ -z "$file" || -z "$app_name" ]]; then return 0 fi # Excluded apps that historically opted out of the default middleware # chain — keeps existing behavior for onlyoffice / owncloud which do # their own routing. local exclude_apps=("onlyoffice" "owncloud") local include_default="true" if [[ " ${exclude_apps[@]} " =~ " $app_name " ]]; then include_default="false" fi local count=${#port_service_names[@]} local i=0 while [[ $i -lt $count ]]; do local idx=$((i + 1)) local p_traefik="${port_traefik_managed[$i]}" local p_login="${port_login_requireds[$i]}" if [[ "$p_traefik" == "true" ]]; then local mw=() [[ "$include_default" == "true" ]] && mw+=("default@file") [[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file") # Authelia precedence: if authelia is on AND installed, it owns # the auth slot. protectionAuth is dropped even when login=true. if [[ "$authelia_setup" == "true" ]] \ && [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then mw+=("authelia@docker") elif [[ "$p_login" == "true" ]]; then mw+=("protectionAuth@file") fi # CrowdSec bouncer: HTTP-layer ban filter in front of every public # route. Auto-attached when CrowdSec is installed on the host AND # the global toggle is not "false". Per-app opt-out: # CFG__CROWDSEC_DISABLE=true. local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE" if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \ && [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \ && command -v cscli >/dev/null 2>&1; then mw+=("crowdsec-bouncer@file") fi # onlyoffice / mastodon / similar app-specific middlewares if [[ "$app_name" == "onlyoffice" ]]; then mw+=("onlyoffice-headers") fi local joined; joined=$(IFS=,; echo "${mw[*]}") tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined" fi ((i++)) done }