add listen switcher

home.admin/00infoBlitz.sh

@@ -367,11 +367,12 @@ datetime=$(date)
 # if running as user "pi":
 #  - write results to a JSON file on RAM disk
 #  - update info.html file
-if [ "${EUID}" == "$(id -u pi)" ]; then
+if [ "${EUID}" = "$(id -u pi)" ]; then
 
-    json_ln_baseInfo=$(echo "${ln_baseInfo}" | cut -c 11-)  # ToDo(frennkie) this only work if lnd is ok
+    # ToDo(frennkie) this only works if lnd is ok
+    json_ln_baseInfo=$(echo "${ln_baseInfo}" | cut -c 11-)
 
-cat <<EOF > /var/cache/raspiblitz/info.json
+    cat <<EOF > /var/cache/raspiblitz/info.json
 {
     "uptime": "${uptime}",
     "datetime": "${datetime}",

home.admin/90finishSetup.sh

@@ -43,7 +43,8 @@ echo "allow: transmission"
 sudo ufw allow 49200:49250/tcp comment 'rtorrent'
 echo "allow: local web admin"
 sudo ufw allow from 192.168.0.0/16 to any port 80 comment 'allow local LAN web'
-echo "open firewall for  auto nat discover (see issue #129)"
+sudo ufw allow from 192.168.0.0/16 to any port 443 comment 'allow local LAN web'
+echo "open firewall for auto nat discover (see issue #129)"
 sudo ufw allow proto udp from 192.168.0.0/16 port 1900 to any comment 'allow local LAN SSDP for UPnP discovery'
 echo "enable lazy firewall"
 sudo ufw --force enable

home.admin/assets/blitzweb.conf

@@ -2,19 +2,22 @@
 
 server {
 
-    listen 443 ssl default_server;
+    # localhost only
-    listen [::]:443 ssl default_server;
+    listen 127.0.0.1:443 ssl default_server;
+    listen [::1]:443 ssl default_server;
+    # any interface
+    #listen 443 ssl default_server;
+    #listen [::]:443 ssl default_server;
 
     server_name _;
 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRS
+    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
-A+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
 
     add_header Strict-Transport-Security "max-age=31536000";
 
-    # ToDo(frennkie) might make sense to use lua to check if files are there (e.g. no disk) and use fallback certs)
+    # ToDo(frennkie) if /mnt/hdd/app-data is missing (e.g. no disk) this will cause nginx to fail!
     ssl_certificate /mnt/hdd/app-data/nginx/tls.cert;
     ssl_certificate_key /mnt/hdd/app-data/nginx/tls.key;
 

home.admin/config.scripts/blitz.web.sh

@@ -5,7 +5,10 @@ source /mnt/hdd/raspiblitz.conf
 # command info
 if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$1" = "-help" ]; then
   echo "the RaspiBlitz Web Interface(s)"
-  echo "blitz.web.sh [on|off]"
+  echo "blitz.web.sh on"
+  echo "blitz.web.sh off"
+  echo "blitz.web.sh listen localhost"
+  echo "blitz.web.sh listen any"
   exit 1
 fi
 
@@ -13,6 +16,89 @@ fi
 APOST=\'  # close tag for linters: '
 
 
+###################
+# FUNCTIONS
+###################
+function set_nginx_blitzweb_listen() {
+   # first parameter to function should be either "localhost" or "any"
+   listen_to=${1}
+
+   if [ -f "/etc/nginx/sites-available/blitzweb.conf" ]; then
+       if ! grep -Eq '^\s*#?\s*listen 127.0.0.1:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+           echo "Error: missing expected line for: lo:v4 https"
+           exit 1
+       else
+           if grep -Eq '^\s*#\s*listen 127.0.0.1:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+           #echo "found: lo:v4 https (disabled line)"
+               if [ ${listen_to} = "localhost" ]; then
+                   sudo sed -i -E 's/#\s*(listen 127.0.0.1:443 ssl default_server;)/\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           else
+               #echo "found: lo:v4 https (enabled line)"
+               if [ ${listen_to} = "any" ]; then
+                   sudo sed -i -E 's/(listen 127.0.0.1:443 ssl default_server;)/#\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+          fi
+
+       fi
+
+       if ! grep -Eq '^\s*#?\s*listen \[::1\]:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+           echo "Error: missing expected line for: lo:v6 https"
+           exit 1
+       else
+           if grep -Eq '^\s*#\s*listen \[::1\]:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+               #echo "found: lo:v6 https (disabled line)"
+               if [ ${listen_to} = "localhost" ]; then
+                   sudo sed -i -E 's/#\s*(listen \[::1\]:443 ssl default_server;)/\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           else
+               #echo "found: lo:v6 https (enabled line)"
+               if [ ${listen_to} = "any" ]; then
+                   sudo sed -i -E 's/(listen \[::1\]:443 ssl default_server;)/#\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           fi
+
+       fi
+
+       if ! grep -Eq '^\s*#?\s*listen 443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+           echo "Error: missing expected line for: any:v4 https"
+           exit 1
+       else
+           if grep -Eq '^\s*#\s*listen 443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+               #echo "found: any:v4 https (disabled line)"
+               if [ ${listen_to} = "any" ]; then
+                   sudo sed -i -E 's/#\s*(listen 443 ssl default_server;)/\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           else
+               #echo "found: any:v4 https (enabled line)"
+               if [ ${listen_to} = "localhost" ]; then
+                   sudo sed -i -E 's/(listen 443 ssl default_server;)/#\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           fi
+
+       fi
+
+       if ! grep -Eq '^\s*#?\s*listen \[::\]:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+           echo "Error: missing expected line for: any:v6 https"
+           exit 1
+       else
+           if grep -Eq '^\s*#\s*listen \[::\]:443 ssl default_server;$' /etc/nginx/sites-available/blitzweb.conf; then
+               #echo "found: any:v6 https (disabled line)"
+               if [ ${listen_to} = "any" ]; then
+                   sudo sed -i -E 's/#\s*(listen \[::\]:443 ssl default_server;)/\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           else
+               #echo "found: any:v6 https (enabled line)"
+               if [ ${listen_to} = "localhost" ]; then
+                   sudo sed -i -E 's/(listen \[::\]:443 ssl default_server;)/#\1/g' /etc/nginx/sites-available/blitzweb.conf
+               fi
+           fi
+       fi
+   fi
+}
+
+
+
 ###################
 # SWITCH ON
 ###################
@@ -58,9 +144,6 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
 
   sudo ln -sf /etc/nginx/sites-available/public.conf /etc/nginx/sites-enabled/public.conf
 
-  # open firewall
-  sudo ufw allow 80 comment 'nginx http_80' 2>/dev/null
-
   ### RaspiBlitz Webserver on HTTPS 443
 
   # copy webroot
@@ -94,9 +177,6 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
     sudo chmod 640 /etc/nginx/.htpasswd
   fi
 
-  # open firewall
-  sudo ufw allow 443 comment 'nginx https_443' 2>/dev/null
-
   # restart NGINX
   sudo systemctl restart nginx
 
@@ -111,6 +191,19 @@ elif [ "$1" = "0" ] || [ "$1" = "off" ]; then
   sudo systemctl stop nginx
   sudo systemctl disable nginx >/dev/null
 
+
+###################
+# LISTEN
+###################
+elif [ "$1" = "listen" ]; then
+
+  if [ "$2" = "localhost" ] || [ "$2" = "any" ]; then
+    echo "Setting NGINX to listen on: ${2}"
+    set_nginx_blitzweb_listen "${2}"
+  else
+    echo "# FAIL: parameter not known - run with -h for help"
+  fi
+
 else
   echo "# FAIL: parameter not known - run with -h for help"
 fi