A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys, Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun VPN routing, and a web dashboard to manage it all. Free & open forever to self-host; optional paid hosted services fund it. See PROMISE.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
82 lines
3.2 KiB
Bash
82 lines
3.2 KiB
Bash
#!/bin/bash
|
|
|
|
# Per-port Traefik middleware writer.
|
|
#
|
|
# The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login
|
|
# protection as a whole-app flag, which falls apart for apps that expose
|
|
# multiple HTTP routes (one needs auth, another doesn't) and for the Traefik
|
|
# dashboard which routes to api@internal rather than a container port.
|
|
#
|
|
# This processor walks the parsed port arrays from initializeAppVariables and
|
|
# stamps a separate MIDDLEWARE_TAG_<i> per port that has traefik=true. The
|
|
# per-port login_required column controls whether protectionAuth@file is
|
|
# included.
|
|
#
|
|
# Auth precedence: when Authelia is enabled and installed, it takes the auth
|
|
# slot and basic-auth (protectionAuth) is skipped — chaining both means the
|
|
# user gets two login prompts back-to-back, which is bad UX, not extra
|
|
# security. IP whitelist + auth still compose normally (network filter +
|
|
# identity check are layered concerns).
|
|
tagsProcessorPortMiddlewares()
|
|
{
|
|
local file="$1"
|
|
local app_name="$2"
|
|
|
|
if [[ -z "$file" || -z "$app_name" ]]; then
|
|
return 0
|
|
fi
|
|
|
|
# Excluded apps that historically opted out of the default middleware
|
|
# chain — keeps existing behavior for onlyoffice / owncloud which do
|
|
# their own routing.
|
|
local exclude_apps=("onlyoffice" "owncloud")
|
|
local include_default="true"
|
|
if [[ " ${exclude_apps[@]} " =~ " $app_name " ]]; then
|
|
include_default="false"
|
|
fi
|
|
|
|
local count=${#port_service_names[@]}
|
|
local i=0
|
|
while [[ $i -lt $count ]]; do
|
|
local idx=$((i + 1))
|
|
local p_traefik="${port_traefik_managed[$i]}"
|
|
local p_login="${port_login_requireds[$i]}"
|
|
|
|
if [[ "$p_traefik" == "true" ]]; then
|
|
local mw=()
|
|
[[ "$include_default" == "true" ]] && mw+=("default@file")
|
|
[[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file")
|
|
|
|
# Authelia precedence: if authelia is on AND installed, it owns
|
|
# the auth slot. protectionAuth is dropped even when login=true.
|
|
if [[ "$authelia_setup" == "true" ]] \
|
|
&& [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then
|
|
mw+=("authelia@docker")
|
|
elif [[ "$p_login" == "true" ]]; then
|
|
mw+=("protectionAuth@file")
|
|
fi
|
|
|
|
# CrowdSec bouncer: HTTP-layer ban filter in front of every public
|
|
# route. Auto-attached when CrowdSec is installed on the host AND
|
|
# the global toggle is not "false". Per-app opt-out:
|
|
# CFG_<APP>_CROWDSEC_DISABLE=true.
|
|
local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE"
|
|
if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \
|
|
&& [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \
|
|
&& command -v cscli >/dev/null 2>&1; then
|
|
mw+=("crowdsec-bouncer@file")
|
|
fi
|
|
|
|
# onlyoffice / mastodon / similar app-specific middlewares
|
|
if [[ "$app_name" == "onlyoffice" ]]; then
|
|
mw+=("onlyoffice-headers")
|
|
fi
|
|
|
|
local joined; joined=$(IFS=,; echo "${mw[*]}")
|
|
tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined"
|
|
fi
|
|
|
|
((i++))
|
|
done
|
|
}
|