CyberMind-FR
d6861fe732
Streamlit Instances: - Add Publish button with HAProxy integration (uses instance port) - Add Edit dialog for modifying instance settings - Replace enable/disable buttons with checkbox - Get LAN IP dynamically from status data - Bump luci-app-streamlit to r8 HAProxy: - Add haproxy-acme-cron script for background cert processing - Cron runs every 5 minutes to issue pending ACME certificates - Prevents UI blocking during certificate issuance - Bump secubox-app-haproxy to r19 RPCD: - Fix json_error to return consistent format with json_success Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
81 lines
2.4 KiB
Bash
81 lines
2.4 KiB
Bash
#!/bin/sh
|
|
# HAProxy ACME Certificate Background Processor
|
|
# Processes pending ACME certificate requests via cron
|
|
# Copyright (C) 2025 CyberMind.fr
|
|
|
|
LOCK_FILE="/var/run/haproxy-acme-cron.lock"
|
|
LOG_TAG="haproxy-acme-cron"
|
|
CERTS_PATH="/srv/haproxy/certs"
|
|
|
|
log_info() { logger -t "$LOG_TAG" "$*"; }
|
|
log_error() { logger -t "$LOG_TAG" -p err "$*"; }
|
|
|
|
# Prevent concurrent execution
|
|
if [ -f "$LOCK_FILE" ]; then
|
|
pid=$(cat "$LOCK_FILE" 2>/dev/null)
|
|
if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
|
|
exit 0
|
|
fi
|
|
rm -f "$LOCK_FILE"
|
|
fi
|
|
echo $$ > "$LOCK_FILE"
|
|
trap "rm -f $LOCK_FILE" EXIT
|
|
|
|
# Check if haproxyctl exists
|
|
[ -x /usr/sbin/haproxyctl ] || exit 0
|
|
|
|
# Load UCI functions
|
|
. /lib/functions.sh
|
|
|
|
# Find vhosts that need ACME certificates
|
|
process_pending_certs() {
|
|
local pending_domains=""
|
|
|
|
# Callback to check each vhost
|
|
check_vhost() {
|
|
local section="$1"
|
|
local domain acme ssl enabled cert_file
|
|
|
|
config_get domain "$section" domain ""
|
|
config_get acme "$section" acme "0"
|
|
config_get ssl "$section" ssl "0"
|
|
config_get enabled "$section" enabled "1"
|
|
|
|
# Skip if not enabled, no SSL, or no ACME
|
|
[ "$enabled" != "1" ] && return
|
|
[ "$ssl" != "1" ] && return
|
|
[ "$acme" != "1" ] && return
|
|
[ -z "$domain" ] && return
|
|
|
|
# Check if certificate exists and is valid
|
|
cert_file="$CERTS_PATH/$domain.pem"
|
|
if [ ! -f "$cert_file" ]; then
|
|
log_info "Certificate missing for $domain - queuing for ACME"
|
|
pending_domains="$pending_domains $domain"
|
|
elif ! openssl x509 -checkend 604800 -noout -in "$cert_file" 2>/dev/null; then
|
|
# Certificate expires in less than 7 days
|
|
log_info "Certificate expiring soon for $domain - queuing for renewal"
|
|
pending_domains="$pending_domains $domain"
|
|
fi
|
|
}
|
|
|
|
config_load haproxy
|
|
config_foreach check_vhost vhost
|
|
|
|
# Process pending domains
|
|
for domain in $pending_domains; do
|
|
log_info "Processing ACME certificate for: $domain"
|
|
/usr/sbin/haproxyctl cert add "$domain" >/dev/null 2>&1
|
|
if [ $? -eq 0 ]; then
|
|
log_info "Certificate issued successfully for: $domain"
|
|
else
|
|
log_error "Failed to issue certificate for: $domain"
|
|
fi
|
|
# Small delay between certificate requests
|
|
sleep 5
|
|
done
|
|
}
|
|
|
|
# Run the processor
|
|
process_pending_certs
|