From d6681733ddd1515a9bc70099daacd2d3960a33a4 Mon Sep 17 00:00:00 2001
From: Pallavi Kumari
Date: Tue, 7 Oct 2025 12:28:29 +0530
Subject: [PATCH] remove custom cery type form config file

---
 server/lib/readConfigFile.ts | 2 -
 server/lib/traefik/getTraefikConfig.ts | 69 +++----------
 .../private/lib/traefik/getTraefikConfig.ts | 99 +++++++++++++------
 3 files changed, 84 insertions(+), 86 deletions(-)

diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index a1899f4e..9aee8531 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -51,7 +51,6 @@ export const configSchema = z
 .nonempty("base_domain must not be empty")
 .transform((url) => url.toLowerCase()),
 cert_resolver: z.string().optional().default("letsencrypt"),
- custom_cert_resolver: z.string().optional(),
 prefer_wildcard_cert: z.boolean().optional().default(false)
 })
 )
@@ -188,7 +187,6 @@ export const configSchema = z
 https_entrypoint: z.string().optional().default("websecure"),
 additional_middlewares: z.array(z.string()).optional(),
 cert_resolver: z.string().optional().default("letsencrypt"),
- custom_cert_resolver: z.string().optional(),
 prefer_wildcard_cert: z.boolean().optional().default(false),
 certificates_path: z.string().default("/var/certificates"),
 monitor_interval: z.number().default(5000),
diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts
index 734327e2..436c76a6 100644
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -248,68 +248,24 @@ export async function getTraefikConfig(
 }
 const configDomain = config.getDomain(resource.domainId);
-
- let certResolverFromConfig: string | undefined;
- let preferWildcardCert = false;
- const rawTraefikCfg = config.getRawConfig().traefik || {};
- const globalDefaultResolver: string | undefined = rawTraefikCfg.cert_resolver;
- const availableResolvers = rawTraefikCfg.custom_cert_resolver
- ? Object.keys(rawTraefikCfg.custom_cert_resolver)
- : [];
+ const globalDefaultResolver = rawTraefikCfg.cert_resolver;
- // Priority 1: Read from YAML config (if exists)
- if (configDomain) {
- certResolverFromConfig =
- configDomain.cert_resolver ??
- configDomain.custom_cert_resolver;
- preferWildcardCert = !!(configDomain.prefer_wildcard_cert);
- }
- // Priority 2: Override with database domain settings (if exists)
- let finalCertResolver: string | undefined;
- let finalCustomCertResolver: string | undefined;
+ const domainCertResolver =
+ resource.domainCertResolver ?? configDomain?.cert_resolver;
+ const domainCustomResolver =
+ resource.domainCustomCertResolver;
+ const preferWildcardCert =
+ resource.preferWildcardCert ?? configDomain?.prefer_wildcard_cert ?? false;
- if (resource.domainCertResolver) {
- finalCertResolver = resource.domainCertResolver;
- if (resource.domainCertResolver === "custom" && resource.domainCustomCertResolver) {
- finalCustomCertResolver = resource.domainCustomCertResolver;
- }
- } else {
- // Fall back to config
- finalCertResolver = certResolverFromConfig;
- }
-
- // Resolve the final resolver name
 let resolverName: string | undefined;
- if (finalCertResolver) {
- if (finalCertResolver === "custom") {
- // Check database custom resolver first, then config
- const customResolver = finalCustomCertResolver || configDomain?.custom_cert_resolver;
-
- if (customResolver && typeof customResolver === "string" && customResolver.trim()) {
- resolverName = customResolver.trim();
- } else {
- resolverName = globalDefaultResolver;
- logger.warn(
- `Domain ${resource.domainId} requested custom cert resolver but none set; falling back to global resolver ${resolverName}`
- );
- }
- } else {
- // Validate against available resolvers
- if (
- availableResolvers.length === 0 ||
- availableResolvers.includes(finalCertResolver)
- ) {
- resolverName = finalCertResolver;
- } else {
- logger.warn(
- `Unknown cert resolver "${finalCertResolver}" for domain ${resource.domainId}; falling back to global resolver.`
- );
- resolverName = globalDefaultResolver;
- }
- }
+ // Handle both letsencrypt & custom cases
+ if (domainCertResolver === "custom") {
+ resolverName = domainCustomResolver?.trim();
+ } else if (domainCertResolver) {
+ resolverName = domainCertResolver;
 } else {
 resolverName = globalDefaultResolver;
 }
@@ -327,6 +283,7 @@ export async function getTraefikConfig(
 : {})
 };
+
 const additionalMiddlewares = config.getRawConfig().traefik.additional_middlewares || [];
diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts
index 5e919fda..634bc818 100644
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
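Review bot: In the new `if (domainCertResolver === "custom")` branch, `resolverName = domainCustomResolver?.trim()` yields `undefined` or `""` when a domain is marked custom but no resolver name is stored, and that value is then emitted as the route's TLS `certResolver`; the removed code instead fell back to `globalDefaultResolver` and logged a warning, so this hunk silently turns a misconfigured domain into a route for which no ACME certificate is requested. Keep the fallback with `resolverName = domainCustomResolver?.trim() || globalDefaultResolver;` and restore the `logger.warn` for the empty case so the misconfiguration stays visible in logs. The same branch is duplicated in the private `getTraefikConfig.ts` hunk at `@@ -285,6 +294,41 @@` and needs the same fix. As rendered here the `rawTraefikCfg` declaration appears only on the removed side while the new `globalDefaultResolver` line still reads it, so confirm it is declared earlier in `getTraefikConfig`, which starts and ends outside this hunk.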
@@ -15,6 +15,7 @@ import {
 certificates,
 db,
 domainNamespaces,
+ domains,
 exitNodes,
 loginPage,
 targetHealthCheck
@@ -103,11 +104,17 @@ export async function getTraefikConfig(
 subnet: sites.subnet,
 exitNodeId: sites.exitNodeId,
 // Namespace
- domainNamespaceId: domainNamespaces.domainNamespaceId
+ domainNamespaceId: domainNamespaces.domainNamespaceId,
+ // Certificate
+ certificateStatus: certificates.status,
+ domainCertResolver: domains.certResolver,
+ domainCustomCertResolver: domains.customCertResolver
 })
 .from(sites)
 .innerJoin(targets, eq(targets.siteId, sites.siteId))
 .innerJoin(resources, eq(resources.resourceId, targets.resourceId))
+ .leftJoin(certificates, eq(certificates.domainId, resources.domainId))
+ .leftJoin(domains, eq(domains.domainId, resources.domainId))
 .leftJoin(
 targetHealthCheck,
 eq(targetHealthCheck.targetId, targets.targetId)
@@ -197,7 +204,9 @@ export async function getTraefikConfig(
 pathMatchType: row.pathMatchType, // the targets will all have the same pathMatchType
 rewritePath: row.rewritePath,
 rewritePathType: row.rewritePathType,
- priority: priority // may be null, we fallback later
+ priority: priority, // may be null, we fallback later
+ domainCertResolver: row.domainCertResolver,
+ domainCustomCertResolver: row.domainCustomCertResolver
 });
 }
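Review bot: The new `.leftJoin(certificates, eq(certificates.domainId, resources.domainId))` at `@@ -103,11 +104,17 @@` keys on `domainId` alone; if `certificates` can hold more than one row per domain (an expired and a renewed certificate, say), every target row is multiplied and the per-resource bookkeeping built at `@@ -197,7 +204,9 @@` may see duplicate targets, so either constrain the join to the current certificate or make sure the consumer dedupes by target. `certificateStatus: certificates.status` is selected but the resource object at `@@ -197` only carries `domainCertResolver` and `domainCustomCertResolver`; if the status is not read elsewhere in the function the extra join is pure cost. Documenting the expected cardinality on the join, e.g. `// expects at most one certificates row per domainId`, would make the assumption explicit. Both hunks sit inside `getTraefikConfig`, which starts and ends outside them.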
@@ -285,6 +294,41 @@ export async function getTraefikConfig(
 config_output.http.services = {};
 }
+ const domainParts = fullDomain.split(".");
+ let wildCard;
+ if (domainParts.length <= 2) {
+ wildCard = `*.${domainParts.join(".")}`;
+ } else {
+ wildCard = `*.${domainParts.slice(1).join(".")}`;
+ }
+
+ if (!resource.subdomain) {
+ wildCard = resource.fullDomain;
+ }
+
+ const configDomain = config.getDomain(resource.domainId);
+ const rawTraefikCfg = config.getRawConfig().traefik || {};
+ const globalDefaultResolver = rawTraefikCfg.cert_resolver;
+
+
+ const domainCertResolver =
+ resource.domainCertResolver ?? configDomain?.cert_resolver;
+ const domainCustomResolver =
+ resource.domainCustomCertResolver;
+ const preferWildcardCert =
+ resource.preferWildcardCert ?? configDomain?.prefer_wildcard_cert ?? false;
+
+ let resolverName: string | undefined;
+
+ // Handle both letsencrypt & custom cases
+ if (domainCertResolver === "custom") {
+ resolverName = domainCustomResolver?.trim();
+ } else if (domainCertResolver) {
+ resolverName = domainCertResolver;
+ } else {
+ resolverName = globalDefaultResolver;
+ }
+
 let tls = {};
 if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
 const domainParts = fullDomain.split(".");
@@ -312,16 +356,16 @@ export async function getTraefikConfig(
 }
 tls = {
- certResolver: certResolver,
+ certResolver: resolverName,
 ...(preferWildcardCert
 ? {
- domains: [
- {
- main: wildCard
- }
- ]
- }
- : {})
+ domains: [
+ {
+ main: wildCard,
+ },
+ ],
+ }
+ : {}),
 };
 } else {
 // find a cert that matches the full domain, if not continue
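Review bot: The `domainParts`/`wildCard` block added at the top of `@@ -285,6 +294,41 @@` duplicates work the code right below still does: the hunk's last context line, `const domainParts = fullDomain.split(".");` inside `if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns)`, recomputes it, and since the old `tls` literal at `@@ -312,16 +356,16 @@` already used `wildCard` and `preferWildcardCert`, that block presumably declares its own copies, which would shadow the new outer ones and leave them dead in that branch. Keep a single computation, most simply by deleting the inner `domainParts`/`wildCard` lines and any inner `preferWildcardCert`/`certResolver` declarations so the branch reads the merged values computed here; that part of the function is outside the hunk, so confirm before removing. The double blank line after `const globalDefaultResolver = rawTraefikCfg.cert_resolver;` is a formatter nit. `getTraefikConfig` starts and ends outside this hunk.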
@@ -573,14 +617,14 @@ export async function getTraefikConfig(
 })(),
 ...(resource.stickySession
 ? {
- sticky: {
- cookie: {
- name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
- secure: resource.ssl,
- httpOnly: true
- }
- }
- }
+ sticky: {
+ cookie: {
+ name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
+ secure: resource.ssl,
+ httpOnly: true
+ }
+ }
+ }
 : {})
 }
 };
@@ -681,13 +725,13 @@ export async function getTraefikConfig(
 })(),
 ...(resource.stickySession
 ? {
- sticky: {
- ipStrategy: {
- depth: 0,
- sourcePort: true
- }
- }
- }
+ sticky: {
+ ipStrategy: {
+ depth: 0,
+ sourcePort: true
+ }
+ }
+ }
 : {})
 }
 };
@@ -735,10 +779,9 @@ export async function getTraefikConfig(
 loadBalancer: {
 servers: [
 {
- url: `http://${
- config.getRawConfig().server
+ url: `http://${config.getRawConfig().server
 .internal_hostname
- }:${config.getRawConfig().server.next_port}`
+ }:${config.getRawConfig().server.next_port}`
 }
 ]
 }