264 lines
9.1 KiB
Python
Executable File
264 lines
9.1 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
from docker import Client
|
|
from docker.errors import APIError
|
|
from string import Template
|
|
import json
|
|
import re
|
|
import signal
|
|
import os
|
|
import logging
|
|
|
|
target_path = "/tmp/nginx/"
|
|
auth_path = target_path + "auth/"
|
|
config_path = target_path + "conf/"
|
|
pid_file = "/var/run/nginx.pid"
|
|
non_location_template = """# proxy for container '$containername'
|
|
server {
|
|
listen $listen;
|
|
server_name $names;
|
|
$auth_config
|
|
location / {
|
|
client_max_body_size $body_size;
|
|
client_body_timeout 300s;
|
|
if ($$http_x_forwarded_for = "") {
|
|
add_header X-Forwarded-For $$remote_addr;
|
|
}
|
|
proxy_set_header Host $$host;
|
|
proxy_pass http://$ip:$port;
|
|
}
|
|
}
|
|
"""
|
|
|
|
location_template = """# proxy for container '$containername'
|
|
server {
|
|
listen $listen;
|
|
server_name $names;
|
|
$auth_config
|
|
location / {
|
|
return 301 $$scheme://$name/$location;
|
|
}
|
|
location /$location {
|
|
client_max_body_size $body_size;
|
|
client_body_timeout 300s;
|
|
if ($$http_x_forwarded_for = "") {
|
|
add_header X-Forwarded-For $$remote_addr;
|
|
}
|
|
proxy_set_header Host $$host;
|
|
proxy_pass http://$ip:$port;
|
|
}
|
|
}
|
|
"""
|
|
|
|
|
|
def analyse_env_vars(inspect_data):
|
|
"""Extracts the environment variables from the given result of an 'inspect
|
|
container' call."""
|
|
env_data = {}
|
|
counter = 0
|
|
if 'Env' not in inspect_data['Config'] or inspect_data['Config']['Env'] is None:
|
|
return env_data
|
|
for env_var in inspect_data['Config']['Env']:
|
|
t = env_var.split("=")
|
|
key = t[0]
|
|
value = t[1]
|
|
if key == 'PROXY_DATA':
|
|
if key in env_data:
|
|
key = "{key}{postfix}".format(key=key, postfix=counter)
|
|
env_data[key] = value
|
|
return env_data
|
|
|
|
|
|
def analyse_proxy_data(data):
|
|
"""Extracts the data for the proxy configuration (envrionment variable
|
|
'PROXY_DATA' and converts it to a dictionary."""
|
|
proxy_data = {}
|
|
for proxy_var in data.split(','):
|
|
t = proxy_var.split(":",1)
|
|
proxy_data[t[0]] = t[1]
|
|
return proxy_data
|
|
|
|
|
|
def check_proxy_data_format(var_content):
|
|
"""
|
|
Validates the content of the variable.
|
|
:param var_content: content of the proxy data variable
|
|
:return: True if the content is of valid format, False otherwise
|
|
"""
|
|
return re.match(r"^(\w+:[^:,]+,)+\w+:[^:,]+$", var_content) is not None
|
|
|
|
|
|
def extract_ip(inspect_data):
|
|
"""extracts the container's ip from the given inspect data"""
|
|
return inspect_data['NetworkSettings']['IPAddress']
|
|
|
|
|
|
def extract_name(inspect_data):
|
|
"""extracts the container's name from the given inspect data"""
|
|
return inspect_data['Name']
|
|
|
|
|
|
def get_if_available(dictionary, key, defValue):
|
|
if key in dictionary:
|
|
return dictionary[key]
|
|
else:
|
|
return defValue
|
|
|
|
|
|
def handle_container(id):
|
|
"""This function take a container's id and collects all data required
|
|
to create a proper proxy configuration. The configuration is then
|
|
written to the directory of temporary nginx files"""
|
|
inspect_data = client.inspect_container(id)
|
|
env_vars = analyse_env_vars(inspect_data)
|
|
for env_key in env_vars:
|
|
env_data = env_vars[env_key]
|
|
if not check_proxy_data_format(env_data):
|
|
logging.info('cannot handle container with id "%s" named "%s": %s', id, extract_name(inspect_data), env_data)
|
|
return
|
|
proxy_data = analyse_proxy_data(env_data)
|
|
container_listen_ip = get_if_available(proxy_data, 'ip', '0.0.0.0')
|
|
if container_listen_ip != '0.0.0.0' and container_listen_ip not in listen_ips:
|
|
logging.info('container "%s"(%s) does not listen on %s.', extract_name(inspect_data), container_listen_ip, str(listen_ips))
|
|
return
|
|
logging.info('container "%s"(%s) is allowed to listen on %s.', extract_name(inspect_data), container_listen_ip, str(listen_ips))
|
|
auth_data = get_if_available(proxy_data, 'auth_data', None)
|
|
logging.info('auth data: %s', auth_data)
|
|
auth_config = ''
|
|
if auth_data:
|
|
realm, htpasswd = auth_data.split(';', 1)
|
|
htpasswd = htpasswd.replace(';', ':')
|
|
auth_file_name = auth_path + 'proxy_{id}_{code}'.format(id=id, code=env_key)
|
|
with open(auth_file_name, 'w') as file:
|
|
file.write(htpasswd)
|
|
# write auth data to file
|
|
# add to config
|
|
auth_config = """
|
|
auth_basic "{realm}";
|
|
auth_basic_user_file {file};
|
|
""".format(realm=realm,file=auth_file_name)
|
|
substitutes = {
|
|
'containername': '{c} {d}'.format(c=extract_name(inspect_data), d=env_data),
|
|
'ip': extract_ip(inspect_data),
|
|
'location': get_if_available(proxy_data, 'location', ''),
|
|
'names': get_if_available(proxy_data, 'server_names', '').replace(';', ' '),
|
|
'port': get_if_available(proxy_data, 'port', 80),
|
|
'body_size': get_if_available(proxy_data, 'body_size', '1m'),
|
|
'listen': '*:80',
|
|
'auth_config': auth_config
|
|
}
|
|
logging.info('writing to %sproxy_%s', config_path, id)
|
|
with open(config_path + '/proxy_{id}_{code}'.format(id=id,code=env_key), 'w') as file:
|
|
if substitutes['location'] == '':
|
|
del substitutes['location']
|
|
logging.info(Template(non_location_template).safe_substitute(substitutes))
|
|
file.write(Template(non_location_template).safe_substitute(substitutes))
|
|
else:
|
|
# make sure we have a name for the redirect
|
|
substitutes['name'] = substitutes['names'].split(' ')[0]
|
|
logging.info(Template(location_template).safe_substitute(substitutes))
|
|
file.write(Template(location_template).safe_substitute(substitutes))
|
|
|
|
|
|
def reload_nginx_configuration():
|
|
logging.info('HUPing nginx')
|
|
os.kill(pid, signal.SIGHUP)
|
|
|
|
|
|
def get_pid():
|
|
"""This function reads the process id from the given file."""
|
|
with open(pid_file, 'r') as file:
|
|
return int(file.read())
|
|
|
|
|
|
def get_docker_id():
|
|
"""This function extracts the container's id from /proc/self/cgroup."""
|
|
id = ''
|
|
with open('/proc/self/cgroup', 'r') as file:
|
|
lines = file.read().split('\n')
|
|
for line in lines:
|
|
index = line.find('docker-')
|
|
if index != -1:
|
|
id = line[index+7:-6]
|
|
break
|
|
index = line.find('docker/')
|
|
if index != -1:
|
|
id = line[index+7:]
|
|
break
|
|
if id == '':
|
|
logging.error('could not determine container\'s id!')
|
|
return id
|
|
|
|
|
|
def get_listen_ips():
|
|
inspect_data = client.inspect_container(get_docker_id())
|
|
mappings = inspect_data['NetworkSettings']['Ports']['80/tcp']
|
|
ips = []
|
|
if mappings is None or len(mappings) == 0:
|
|
ips.append('0.0.0.0')
|
|
else:
|
|
logging.info('count %s', len(mappings))
|
|
for data in mappings:
|
|
ips.append(data['HostIp'])
|
|
return ips
|
|
|
|
|
|
def setup_logging():
|
|
logging.basicConfig(format='%(asctime)s [%(levelname)s]: %(message)s', level=logging.INFO)
|
|
|
|
if __name__ == '__main__':
|
|
setup_logging()
|
|
|
|
# prepare required stuff
|
|
pid = get_pid()
|
|
logging.info('nginx pid: %s', str(pid))
|
|
if not os.path.exists(config_path):
|
|
logging.info('creating target path: %s', target_path)
|
|
os.mkdir(target_path)
|
|
logging.info('creating target path: %s', auth_path)
|
|
os.mkdir(auth_path)
|
|
logging.info('creating target path: %s', config_path)
|
|
os.mkdir(config_path)
|
|
|
|
client = Client(base_url='unix://var/run/docker.sock', version='1.15')
|
|
|
|
listen_ips = get_listen_ips()
|
|
logging.info('Listening on %s.', listen_ips)
|
|
if len(listen_ips) != 1:
|
|
logging.error('auto_proxy should only listen on 1 IP at a time, everything else can have security implications.')
|
|
exit()
|
|
|
|
# handle all running containers existing at startup of this container
|
|
container_ids = client.containers(quiet=True)
|
|
for container_id in container_ids:
|
|
handle_container(container_id['Id'])
|
|
reload_nginx_configuration()
|
|
|
|
# hook to the events
|
|
for line in client.events():
|
|
line_str = line.decode("utf-8")
|
|
event = json.loads(line_str)
|
|
|
|
if not 'id' in event:
|
|
continue
|
|
container_id = event['id']
|
|
try:
|
|
inspect_data = client.inspect_container(container_id)
|
|
ip = extract_ip(inspect_data)
|
|
except APIError:
|
|
ip = ''
|
|
|
|
if ip == '':
|
|
logging.info('removing data for container %s', container_id)
|
|
# since a container can expose multiple ports per PROXY_DATA it
|
|
# will generate multiple files. All names contain the container id.
|
|
# This will be used to delete all relevant files for a container
|
|
for filename in os.listdir(config_path):
|
|
if container_id in filename:
|
|
logging.info('removing file %s%s', config_path, container_id)
|
|
os.remove(config_path + filename)
|
|
else:
|
|
handle_container(container_id)
|
|
|
|
reload_nginx_configuration()
|