allow SSL conf for online demo

offspot · Mar 26, 2024 · 9d6cb07 · 9d6cb07
1 parent c0c5ee2
commit 9d6cb07
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/reverse-proxy/Dockerfile b/reverse-proxy/Dockerfile
@@ -13,6 +13,10 @@ COPY gen-caddyfile.py /src/
 ENV FQDN "generic.hotspot"
 ENV WELCOME_FQDN "goto.generic.hotspot"
 ENV METRICS_LOGS_DIR "/var/log/metrics"
+# set this when using reverse proxy in online demo to trigger real SSL certs usage
+ENV IS_ONLINE_DEMO ""
+# read SSL certs require an email address to send expiration notice to
+ENV DEMO_TLS_EMAIL "[email protected]"
 
 # store python bytecode in image
 RUN python3 -m compileall /src/gen-caddyfile.py && mv /src/__pycache__/*.pyc /usr/local/lib/

diff --git a/reverse-proxy/gen-caddyfile.py b/reverse-proxy/gen-caddyfile.py
@@ -93,13 +93,16 @@ def should_protect(self) -> bool:
 }
 
 debug: bool = bool(os.getenv("DEBUG", False))
+is_online_demo: bool = bool(os.getenv("IS_ONLINE_DEMO", False))
 template: Template = Template(
     """
 {
     admin :2020
+    {% if not is_online_demo %}
     auto_https disable_redirects
     local_certs
     skip_install_trust
+    {% endif %}
     {% if debug %}debug{% endif %}
 
     log metrics {
@@ -122,7 +125,7 @@ def should_protect(self) -> bool:
 
 # home page on domain, with prefix redirects
 {$FQDN}:80, {$FQDN}:443 {
-    tls internal
+    {% if is_online_demo %}tls {$DEMO_TLS_EMAIL}{% else %}tls internal{% endif %}
     log
 
     {% if services %}
@@ -139,14 +142,14 @@ def should_protect(self) -> bool:
 
 # welcome fqdn redirects to homepage
 {$WELCOME_FQDN}:80, {$WELCOME_FQDN}:443 {
-    tls internal
+    {% if is_online_demo %}tls {$DEMO_TLS_EMAIL}{% else %}tls internal{% endif %}
     redir {scheme}://{$FQDN}{uri} permanent
 }
 
 {% if services %}# endpoint-based services
 {% for service in services.values() %}
 {{service.name}}.{$FQDN}:80, {{service.name}}.{$FQDN}:443 {
-    tls internal
+    {% if is_online_demo %}tls {$DEMO_TLS_EMAIL}{% else %}tls internal{% endif %}
     log
 
     {% if service.should_protect %}
@@ -169,7 +172,7 @@ def should_protect(self) -> bool:
 {% if files_map %}# endpoint-based files_map
 {% for subdomain, folder in files_map.items() %}
 {{subdomain}}.{$FQDN}:80, {{subdomain}}.{$FQDN}:443 {
-    tls internal
+    {% if is_online_demo %}tls {$DEMO_TLS_EMAIL}{% else %}tls internal{% endif %}
     log
     reverse_proxy files:80 {
         rewrite /{{folder}}/{path}?{query}
@@ -185,7 +188,7 @@ def should_protect(self) -> bool:
 
 # fallback for unhandled names/IP arriving here
 :80, :443 {
-    tls internal
+    {% if is_online_demo %}tls {$DEMO_TLS_EMAIL}{% else %}tls internal{% endif %}
     log
     respond "Not Found! Oops" 404
 }