Add SSL certificate to TCP streams if certificate in database

2024-08-30 18:22:48 +00:00 · 2024-03-24 17:11:04 +00:00 · 2024-03-24 17:11:04 +00:00 · b8b80d3e80
commit b8b80d3e80
parent d3a654b546
6 changed files with 23 additions and 6 deletions
--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@ -2,6 +2,7 @@
 {% if certificate.provider == "letsencrypt" %}
  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/ssl-cache.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
--- a/backend/templates/_certificates_stream.conf
+++ b/backend/templates/_certificates_stream.conf
@ -0,0 +1,13 @@
+{% if certificate and certificate_id > 0 -%}
+{% if certificate.provider == "letsencrypt" %}
+  # Let's Encrypt SSL
+  include conf.d/include/ssl-cache-stream.conf;
+  include conf.d/include/ssl-ciphers.conf;
+  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
+{% else %}
+  # Custom SSL
+  ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
+{% endif %}
+{% endif %}
--- a/backend/templates/stream.conf
+++ b/backend/templates/stream.conf
@ -5,13 +5,15 @@
 {% if enabled %}
 {% if tcp_forwarding == 1 or tcp_forwarding == true -%}
 server {
-  listen {{ incoming_port }};
+  listen {{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% if ipv6 -%}
-  listen [::]:{{ incoming_port }};
+  listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% else -%}
-  #listen [::]:{{ incoming_port }};
+  #listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% endif %}

+{% include "_certificates_stream.conf" %}
+
  proxy_pass {{ forwarding_host }}:{{ forwarding_port }};

  # Custom
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
@ -0,0 +1,2 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL_stream:50m;
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
@ -0,0 +1,2 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -1,6 +1,3 @@
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:50m;
-
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';