
Commit f5ee91a

committed
write access list to proxy host config
1 parent e2ee2cb commit f5ee91a


5 files changed

+29
-11
lines changed


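--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -71,7 +71,7 @@ const internalAccessList = {
 // re-fetch with expansions
 return internalAccessList.get(access, {
 id: data.id,
-expand: ['owner', 'items', 'clients']
+expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.clients']
 }, true /* <- skip masking */);
 })
 .then((row) => {
@@ -81,7 +81,7 @@ const internalAccessList = {
 return internalAccessList.build(row)
 .then(() => {
 if (row.proxy_host_count) {
-return internalNginx.reload();
+return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
 }
 })
 .then(() => {
@@ -216,14 +216,14 @@ const internalAccessList = {
 // re-fetch with expansions
 return internalAccessList.get(access, {
 id: data.id,
-expand: ['owner', 'items', 'clients']
+expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.clients']
 }, true /* <- skip masking */);
 })
 .then((row) => {
 return internalAccessList.build(row)
 .then(() => {
 if (row.proxy_host_count) {
-return internalNginx.reload();
+return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
 }
 })
 .then(() => {
@@ -254,7 +254,7 @@ const internalAccessList = {
 .joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
 .where('access_list.is_deleted', 0)
 .andWhere('access_list.id', data.id)
-.allowEager('[owner,items,clients,proxy_hosts]')
+.allowEager('[owner,items,clients,proxy_hosts,proxy_hosts.access_list.clients]')
 .omit(['access_list.is_deleted'])
 .first();
 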
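Review bot: The hosts handed to `internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts)` at new lines 84 and 226 are loaded with only `proxy_hosts.access_list.clients`, while the proxy-host path in this same commit re-fetches with `certificate` before configuring nginx. If the proxy_host template reads the certificate relation, saving an access list could rewrite every attached host's config without its TLS settings; consider also expanding `'proxy_hosts.certificate'` and permitting it in the `allowEager` list at line 257. The old code called `internalNginx.reload()` directly, so it is also worth confirming that `bulkGenerateConfigs` ends with a reload; otherwise a tightened rule would not be enforced until something else reloads nginx. Both promise chains start and end outside the hunks.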

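--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -73,7 +73,7 @@ const internalProxyHost = {
 // re-fetch with cert
 return internalProxyHost.get(access, {
 id: row.id,
-expand: ['certificate', 'owner', 'access_list']
+expand: ['certificate', 'owner', 'access_list.clients']
 });
 })
 .then((row) => {
@@ -186,7 +186,7 @@ const internalProxyHost = {
 .then(() => {
 return internalProxyHost.get(access, {
 id: data.id,
-expand: ['owner', 'certificate', 'access_list']
+expand: ['owner', 'certificate', 'access_list.clients']
 })
 .then((row) => {
 // Configure nginx
@@ -219,7 +219,7 @@ const internalProxyHost = {
 .query()
 .where('is_deleted', 0)
 .andWhere('id', data.id)
-.allowEager('[owner,access_list,certificate]')
+.allowEager('[owner,access_list,access_list.clients,certificate]')
 .first();
 
 if (access_data.permission_visibility !== 'all') {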
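Review bot: Only the call sites in these hunks now load `access_list.clients`, yet the template changed in this commit iterates `access_list.clients` and prints `{{ access_list.satisfy }};` whenever `access_list_id > 0`. Any other path that renders a proxy host with the old `access_list` expansion (none is visible here, so this is something to check) would emit `deny all;` with no allow rules, or a bare `;` if the relation is missing altogether. It is worth searching for the remaining callers that generate proxy host config and giving them the same expansion. A short comment beside each `expand`, e.g. `// access_list.clients is required by proxy_host.conf`, would keep that coupling visible.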

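--- a/backend/models/access_list.js
+++ b/backend/models/access_list.js
@@ -88,6 +88,10 @@ class AccessList extends Model {
 }
 };
 }
+
+get satisfy() {
+return this.satify_any ? 'satisfy any' : 'satisfy all';
+}
 }
 
 module.exports = AccessList;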
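Review bot: `this.satify_any` at new line 93 is spelled without the second `s`, unlike the getter name and the nginx keyword it produces. If the column or JSON field is actually `satisfy_any`, the property is always undefined and every list renders `satisfy all`, silently ignoring the administrator's choice; the line would then need to read `return this.satisfy_any ? 'satisfy any' : 'satisfy all';`. If the schema really does use the misspelled name, a comment such as `// column name is misspelled in the schema` would stop a later "fix" from introducing that bug. The model's schema is outside this hunk, so this needs checking against the migration.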

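--- a/backend/models/access_list_client.js
+++ b/backend/models/access_list_client.js
@@ -49,6 +49,10 @@ class AccessListClient extends Model {
 }
 };
 }
+
+get rule() {
+return `${this.directive} ${this.address}`;
+}
 }
 
 module.exports = AccessListClient;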
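Review bot: `rule` at new line 54 interpolates `directive` and `address` straight into text that the template writes into the nginx config as `{{- client.rule -}};`, and nothing visible here limits either value to what nginx's `allow`/`deny` accept. Unless the API schema (not shown) already constrains them, a stored value containing `;`, braces or a newline would add directives to the generated server block; the same concern applies to the template hunk in backend/templates/proxy_host.conf. The getter could refuse anything other than an allow/deny directive with an IP, CIDR or `all` address, so a bad row fails config generation instead of reaching the file, as sketched below. The address pattern there is deliberately coarse and should be aligned with whatever the input schema permits.

```javascript
get rule() {
  // Values land verbatim in the nginx config: accept only allow/deny with an IP, CIDR or "all"
  if (this.directive !== 'allow' && this.directive !== 'deny') {
    throw new Error('Invalid access list directive');
  }
  if (!/^(all|[0-9a-fA-F:.]+(\/\d{1,3})?)$/.test(this.address)) {
    throw new Error('Invalid access list address');
  }
  return `${this.directive} ${this.address}`;
}
```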

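--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -21,11 +21,21 @@ server {
 {% if use_default_location %}
 
 location / {
-{%- if access_list_id > 0 -%}
-# Access List
+
+{% if access_list_id > 0 %}
+# Authorization
 auth_basic "Authorization required";
 auth_basic_user_file /data/access/{{ access_list_id }};
-{%- endif %}
+
+# Access Rules
+{% for client in access_list.clients %}
+{{- client.rule -}};
+{% endfor %}deny all;
+
+# Access checks must...
+{{ access_list.satisfy }};
+
+{% endif %}
 
 {% include "_forced_ssl.conf" %}
 {% include "_hsts.conf" %}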
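Review bot: `deny all;` on new line 33 and `{{ access_list.satisfy }};` on line 36 are emitted for every access list, including one that has no client rules at all. Under `satisfy all` that combination rejects every request even with valid credentials, so a list that only uses basic auth would lock its users out the next time the host config is regenerated. Rendering the `# Access Rules` block and the satisfy line only when rules exist, for example inside `{% if access_list.clients.size > 0 %}` … `{% endif %}`, keeps the previous behaviour for those lists. The `location /` block continues past the end of the hunk.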
