LibrePortal/scripts/network/traefik/traefik_port_middlewares.sh
librelad 875a60f90f LibrePortal v0.1.0 — initial release
A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys,
Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun
VPN routing, and a web dashboard to manage it all.

Free & open forever to self-host; optional paid hosted services fund it.
See PROMISE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-21 20:37:54 +01:00

82 lines
3.2 KiB
Bash

#!/bin/bash
# Per-port Traefik middleware writer.
#
# The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login
# protection as a whole-app flag, which falls apart for apps that expose
# multiple HTTP routes (one needs auth, another doesn't) and for the Traefik
# dashboard which routes to api@internal rather than a container port.
#
# This processor walks the parsed port arrays from initializeAppVariables and
# stamps a separate MIDDLEWARE_TAG_<i> per port that has traefik=true. The
# per-port login_required column controls whether protectionAuth@file is
# included.
#
# Auth precedence: when Authelia is enabled and installed, it takes the auth
# slot and basic-auth (protectionAuth) is skipped — chaining both means the
# user gets two login prompts back-to-back, which is bad UX, not extra
# security. IP whitelist + auth still compose normally (network filter +
# identity check are layered concerns).
tagsProcessorPortMiddlewares()
{
local file="$1"
local app_name="$2"
if [[ -z "$file" || -z "$app_name" ]]; then
return 0
fi
# Excluded apps that historically opted out of the default middleware
# chain — keeps existing behavior for onlyoffice / owncloud which do
# their own routing.
local exclude_apps=("onlyoffice" "owncloud")
local include_default="true"
if [[ " ${exclude_apps[@]} " =~ " $app_name " ]]; then
include_default="false"
fi
local count=${#port_service_names[@]}
local i=0
while [[ $i -lt $count ]]; do
local idx=$((i + 1))
local p_traefik="${port_traefik_managed[$i]}"
local p_login="${port_login_requireds[$i]}"
if [[ "$p_traefik" == "true" ]]; then
local mw=()
[[ "$include_default" == "true" ]] && mw+=("default@file")
[[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file")
# Authelia precedence: if authelia is on AND installed, it owns
# the auth slot. protectionAuth is dropped even when login=true.
if [[ "$authelia_setup" == "true" ]] \
&& [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then
mw+=("authelia@docker")
elif [[ "$p_login" == "true" ]]; then
mw+=("protectionAuth@file")
fi
# CrowdSec bouncer: HTTP-layer ban filter in front of every public
# route. Auto-attached when CrowdSec is installed on the host AND
# the global toggle is not "false". Per-app opt-out:
# CFG_<APP>_CROWDSEC_DISABLE=true.
local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE"
if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \
&& [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \
&& command -v cscli >/dev/null 2>&1; then
mw+=("crowdsec-bouncer@file")
fi
# onlyoffice / mastodon / similar app-specific middlewares
if [[ "$app_name" == "onlyoffice" ]]; then
mw+=("onlyoffice-headers")
fi
local joined; joined=$(IFS=,; echo "${mw[*]}")
tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined"
fi
((i++))
done
}