docker_nginx_auto_proxy/nginx_proxy.py

264 lines
9.1 KiB
Python
Executable File

#!/usr/bin/env python3
from docker import Client
from docker.errors import APIError
from string import Template
import json
import re
import signal
import os
import logging
target_path = "/tmp/nginx/"
auth_path = target_path + "auth/"
config_path = target_path + "conf/"
pid_file = "/var/run/nginx.pid"
non_location_template = """# proxy for container '$containername'
server {
listen $listen;
server_name $names;
$auth_config
location / {
client_max_body_size $body_size;
client_body_timeout 300s;
if ($$http_x_forwarded_for = "") {
add_header X-Forwarded-For $$remote_addr;
}
proxy_set_header Host $$host;
proxy_pass http://$ip:$port;
}
}
"""
location_template = """# proxy for container '$containername'
server {
listen $listen;
server_name $names;
$auth_config
location / {
return 301 $$scheme://$name/$location;
}
location /$location {
client_max_body_size $body_size;
client_body_timeout 300s;
if ($$http_x_forwarded_for = "") {
add_header X-Forwarded-For $$remote_addr;
}
proxy_set_header Host $$host;
proxy_pass http://$ip:$port;
}
}
"""
def analyse_env_vars(inspect_data):
"""Extracts the environment variables from the given result of an 'inspect
container' call."""
env_data = {}
counter = 0
if 'Env' not in inspect_data['Config'] or inspect_data['Config']['Env'] is None:
return env_data
for env_var in inspect_data['Config']['Env']:
t = env_var.split("=")
key = t[0]
value = t[1]
if key == 'PROXY_DATA':
if key in env_data:
key = "{key}{postfix}".format(key=key, postfix=counter)
env_data[key] = value
return env_data
def analyse_proxy_data(data):
"""Extracts the data for the proxy configuration (envrionment variable
'PROXY_DATA' and converts it to a dictionary."""
proxy_data = {}
for proxy_var in data.split(','):
t = proxy_var.split(":",1)
proxy_data[t[0]] = t[1]
return proxy_data
def check_proxy_data_format(var_content):
"""
Validates the content of the variable.
:param var_content: content of the proxy data variable
:return: True if the content is of valid format, False otherwise
"""
return re.match(r"^(\w+:[^:,]+,)+\w+:[^:,]+$", var_content) is not None
def extract_ip(inspect_data):
"""extracts the container's ip from the given inspect data"""
return inspect_data['NetworkSettings']['IPAddress']
def extract_name(inspect_data):
"""extracts the container's name from the given inspect data"""
return inspect_data['Name']
def get_if_available(dictionary, key, defValue):
if key in dictionary:
return dictionary[key]
else:
return defValue
def handle_container(id):
"""This function take a container's id and collects all data required
to create a proper proxy configuration. The configuration is then
written to the directory of temporary nginx files"""
inspect_data = client.inspect_container(id)
env_vars = analyse_env_vars(inspect_data)
for env_key in env_vars:
env_data = env_vars[env_key]
if not check_proxy_data_format(env_data):
logging.info('cannot handle container with id "%s" named "%s": %s', id, extract_name(inspect_data), env_data)
return
proxy_data = analyse_proxy_data(env_data)
container_listen_ip = get_if_available(proxy_data, 'ip', '0.0.0.0')
if container_listen_ip != '0.0.0.0' and container_listen_ip not in listen_ips:
logging.info('container "%s"(%s) does not listen on %s.', extract_name(inspect_data), container_listen_ip, str(listen_ips))
return
logging.info('container "%s"(%s) is allowed to listen on %s.', extract_name(inspect_data), container_listen_ip, str(listen_ips))
auth_data = get_if_available(proxy_data, 'auth_data', None)
logging.info('auth data: %s', auth_data)
auth_config = ''
if auth_data:
realm, htpasswd = auth_data.split(';', 1)
htpasswd = htpasswd.replace(';', ':')
auth_file_name = auth_path + 'proxy_{id}_{code}'.format(id=id, code=env_key)
with open(auth_file_name, 'w') as file:
file.write(htpasswd)
# write auth data to file
# add to config
auth_config = """
auth_basic "{realm}";
auth_basic_user_file {file};
""".format(realm=realm,file=auth_file_name)
substitutes = {
'containername': '{c} {d}'.format(c=extract_name(inspect_data), d=env_data),
'ip': extract_ip(inspect_data),
'location': get_if_available(proxy_data, 'location', ''),
'names': get_if_available(proxy_data, 'server_names', '').replace(';', ' '),
'port': get_if_available(proxy_data, 'port', 80),
'body_size': get_if_available(proxy_data, 'body_size', '1m'),
'listen': '*:80',
'auth_config': auth_config
}
logging.info('writing to %sproxy_%s', config_path, id)
with open(config_path + '/proxy_{id}_{code}'.format(id=id,code=env_key), 'w') as file:
if substitutes['location'] == '':
del substitutes['location']
logging.info(Template(non_location_template).safe_substitute(substitutes))
file.write(Template(non_location_template).safe_substitute(substitutes))
else:
# make sure we have a name for the redirect
substitutes['name'] = substitutes['names'].split(' ')[0]
logging.info(Template(location_template).safe_substitute(substitutes))
file.write(Template(location_template).safe_substitute(substitutes))
def reload_nginx_configuration():
logging.info('HUPing nginx')
os.kill(pid, signal.SIGHUP)
def get_pid():
"""This function reads the process id from the given file."""
with open(pid_file, 'r') as file:
return int(file.read())
def get_docker_id():
"""This function extracts the container's id from /proc/self/cgroup."""
id = ''
with open('/proc/self/cgroup', 'r') as file:
lines = file.read().split('\n')
for line in lines:
index = line.find('docker-')
if index != -1:
id = line[index+7:-6]
break
index = line.find('docker/')
if index != -1:
id = line[index+7:]
break
if id == '':
logging.error('could not determine container\'s id!')
return id
def get_listen_ips():
inspect_data = client.inspect_container(get_docker_id())
mappings = inspect_data['NetworkSettings']['Ports']['80/tcp']
ips = []
if mappings is None or len(mappings) == 0:
ips.append('0.0.0.0')
else:
logging.info('count %s', len(mappings))
for data in mappings:
ips.append(data['HostIp'])
return ips
def setup_logging():
logging.basicConfig(format='%(asctime)s [%(levelname)s]: %(message)s', level=logging.INFO)
if __name__ == '__main__':
setup_logging()
# prepare required stuff
pid = get_pid()
logging.info('nginx pid: %s', str(pid))
if not os.path.exists(config_path):
logging.info('creating target path: %s', target_path)
os.mkdir(target_path)
logging.info('creating target path: %s', auth_path)
os.mkdir(auth_path)
logging.info('creating target path: %s', config_path)
os.mkdir(config_path)
client = Client(base_url='unix://var/run/docker.sock', version='1.15')
listen_ips = get_listen_ips()
logging.info('Listening on %s.', listen_ips)
if len(listen_ips) != 1:
logging.error('auto_proxy should only listen on 1 IP at a time, everything else can have security implications.')
exit()
# handle all running containers existing at startup of this container
container_ids = client.containers(quiet=True)
for container_id in container_ids:
handle_container(container_id['Id'])
reload_nginx_configuration()
# hook to the events
for line in client.events():
line_str = line.decode("utf-8")
event = json.loads(line_str)
if not 'id' in event:
continue
container_id = event['id']
try:
inspect_data = client.inspect_container(container_id)
ip = extract_ip(inspect_data)
except APIError:
ip = ''
if ip == '':
logging.info('removing data for container %s', container_id)
# since a container can expose multiple ports per PROXY_DATA it
# will generate multiple files. All names contain the container id.
# This will be used to delete all relevant files for a container
for filename in os.listdir(config_path):
if container_id in filename:
logging.info('removing file %s%s', config_path, container_id)
os.remove(config_path + filename)
else:
handle_container(container_id)
reload_nginx_configuration()