improve host recreation

try to catch beautifier error

Caddy.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21.0
+FROM alpine:3.21.1
 RUN apk add --no-cache ca-certificates tzdata
 COPY --from=caddy:2.8.4 /usr/bin/caddy /usr/bin/caddy
 COPY Caddyfile /etc/caddy/Caddyfile

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:labs
-FROM --platform="$BUILDPLATFORM" alpine:3.21.0 AS frontend
+FROM --platform="$BUILDPLATFORM" alpine:3.21.1 AS frontend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG NODE_ENV=production \
     NODE_OPTIONS=--openssl-legacy-provider
@@ -19,7 +19,7 @@ COPY darkmode.css /app/dist/css/darkmode.css
 COPY security.txt /app/dist/.well-known/security.txt
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.21.0 AS build-backend
+FROM --platform="$BUILDPLATFORM" alpine:3.21.1 AS build-backend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG NODE_ENV=production \
     TARGETARCH
@@ -38,15 +38,15 @@ RUN apk upgrade --no-cache -a && \
     fi && \
     yarn cache clean --all && \
     clean-modules --yes
-FROM alpine:3.21.0 AS strip-backend
+FROM alpine:3.21.1 AS strip-backend
 COPY --from=build-backend /app /app
 RUN apk upgrade --no-cache -a && \
     apk add --no-cache ca-certificates binutils file && \
     find /app/node_modules -name "*.node" -type f -exec strip -s {} \; && \
     find /app/node_modules -name "*.node" -type f -exec file {} \;
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.21.0 AS crowdsec
+FROM --platform="$BUILDPLATFORM" alpine:3.21.1 AS crowdsec
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG CSNB_VER=v1.0.8
 WORKDIR /src
@@ -72,7 +72,7 @@ RUN apk upgrade --no-cache -a && \
     sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:371-python
+FROM zoeyvid/nginx-quic:372-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG CRS_VER=v4.10.0
 COPY rootfs /
@@ -117,7 +117,7 @@ COPY --from=frontend                  /app/dist
 LABEL com.centurylinklabs.watchtower.monitor-only="true"
 
 ENV NODE_ENV=production \
-    TV=1a \
+    TV=1b \
     ACME_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
     ACME_MUST_STAPLE=false \
     ACME_OCSP_STAPLING=true \

backend/internal/access-list.js

@@ -86,7 +86,7 @@ const internalAccessList = {
 					.build(row)
 					.then(() => {
 						if (row.proxy_host_count) {
-							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
+							return internalNginx.bulkGenerateConfigs(proxyHostModel, 'proxy_host', row.proxy_hosts);
 						}
 					})
 					.then(() => {
@@ -163,7 +163,7 @@ const internalAccessList = {
 
 					return query.then(() => {
 						// Add new items
-						if (promises.length) {
+						if (promises.length > 0) {
 							return Promise.all(promises);
 						}
 					});
@@ -190,7 +190,7 @@ const internalAccessList = {
 
 					return query.then(() => {
 						// Add new items
-						if (promises.length) {
+						if (promises.length > 0) {
 							return Promise.all(promises);
 						}
 					});
@@ -221,7 +221,7 @@ const internalAccessList = {
 					.build(row)
 					.then(() => {
 						if (row.proxy_host_count) {
-							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
+							return internalNginx.bulkGenerateConfigs(proxyHostModel, 'proxy_host', row.proxy_hosts);
 						}
 					})
 					.then(internalNginx.reload)
@@ -320,7 +320,7 @@ const internalAccessList = {
 										row.proxy_hosts[idx].access_list_id = 0;
 									});
 
-									return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
+									return internalNginx.bulkGenerateConfigs(proxyHostModel, 'proxy_host', row.proxy_hosts);
 								})
 								.then(() => {
 									return internalNginx.reload();
@@ -476,12 +476,12 @@ const internalAccessList = {
 			}
 		}).then((htpasswd_file) => {
 			// 3. generate password for each user
-			if (list.items.length) {
+			if (list.items.length > 0) {
 				return new Promise((resolve, reject) => {
 					batchflow(list.items)
 						.sequential()
 						.each((i, item, next) => {
-							if (typeof item.password !== 'undefined' && item.password.length) {
+							if (typeof item.password !== 'undefined' && item.password.length > 0) {
 								logger.info('Adding: ' + item.username);
 
 								try {

backend/internal/certificate.js

@@ -60,7 +60,7 @@ const internalCertificate = {
 						.where('is_deleted', 0)
 						.andWhere('provider', 'letsencrypt')
 						.then((certificates) => {
-							if (certificates && certificates.length) {
+							if (certificates && certificates.length > 0) {
 								const promises = [];
 
 								certificates.map(function (certificate) {
@@ -782,7 +782,7 @@ const internalCertificate = {
 		await certbot.installPlugin(certificate.meta.dns_provider);
 		logger.info(`Requesting Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
 
-		const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
+		const credentialsLocation = '/tmp/certbot-credentials/credentials-' + certificate.id;
 		fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 });
 
 		try {

backend/internal/host.js

@@ -160,7 +160,7 @@ const internalHost = {
 	_checkHostnameRecordsTaken: function (hostname, existing_rows, ignore_id) {
 		let is_taken = false;
 
-		if (existing_rows && existing_rows.length) {
+		if (existing_rows && existing_rows.length > 0) {
 			existing_rows.map(function (existing_row) {
 				existing_row.domain_names.map(function (existing_hostname) {
 					// Does this domain match?
@@ -186,7 +186,7 @@ const internalHost = {
 	_getHostsWithDomains: function (hosts, domain_names) {
 		const response = [];
 
-		if (hosts && hosts.length) {
+		if (hosts && hosts.length > 0) {
 			hosts.map(function (host) {
 				let host_matches = false;
 

backend/internal/nginx.js

@@ -80,22 +80,12 @@ const internalNginx = {
 	reload: () => {
 		if (process.env.ACME_OCSP_STAPLING === 'true') {
 			return utils.execFile('certbot-ocsp-fetcher.sh', ['-c', '/data/tls/certbot', '-o', '/data/tls/certbot/live', '--no-reload-webserver', '--quiet']).finally(() => {
-				if (fs.existsSync('/usr/local/nginx/logs/nginx.pid') && fs.readFileSync('/usr/local/nginx/logs/nginx.pid', 'utf8').trim().length > 0) {
-					logger.info('Reloading Nginx');
-					return utils.execFile('nginx', ['-s', 'reload']);
-				} else {
-					logger.info('Starting Nginx');
-					utils.execfg('nginx', ['-e', 'stderr']);
-				}
-			});
-		} else {
-			if (fs.existsSync('/usr/local/nginx/logs/nginx.pid') && fs.readFileSync('/usr/local/nginx/logs/nginx.pid', 'utf8').trim().length > 0) {
 				logger.info('Reloading Nginx');
 				return utils.execFile('nginx', ['-s', 'reload']);
-			} else {
-				logger.info('Starting Nginx');
-				utils.execfg('nginx', ['-e', 'stderr']);
-			}
+			});
+		} else {
+			logger.info('Reloading Nginx');
+			return utils.execFile('nginx', ['-s', 'reload']);
 		}
 	},
 
@@ -219,7 +209,11 @@ const internalNginx = {
 					})
 					.then(() => {
 						if (process.env.DISABLE_NGINX_BEAUTIFIER === 'false') {
-							utils.execFile('nginxbeautifier', ['-s', '4', filename]);
+							try {
+								utils.execFile('nginxbeautifier', ['-s', '4', filename]);
+							} catch {
+								logger.error("nginxbeautifier failed");
+							}
 						}
 					});
 			});
@@ -276,13 +270,10 @@ const internalNginx = {
 	 * @param   {Array}   hosts
 	 * @returns {Promise}
 	 */
-	bulkGenerateConfigs: (host_type, hosts) => {
-		const promises = [];
-		hosts.map(function (host) {
-			promises.push(internalNginx.generateConfig(host_type, host));
-		});
-
-		return Promise.all(promises);
+	bulkGenerateConfigs: (model, host_type, hosts) => {
+		return hosts.reduce((promise, host) => {
+			return promise.then(() => internalNginx.configure(model, host_type, host));
+		}, Promise.resolve());
 	},
 
 	/**

backend/package.json

@@ -30,7 +30,7 @@
   "author": "Jamie Curnow <[email protected]> and ZoeyVid <[email protected]>",
   "license": "MIT",
   "devDependencies": {
-    "@apidevtools/swagger-parser": "10.1.0",
+    "@apidevtools/swagger-parser": "10.1.1",
     "@eslint/js": "9.17.0",
     "eslint": "9.17.0",
     "eslint-config-prettier": "9.1.0",

backend/setup.js

@@ -101,6 +101,15 @@ const setupDefaultSettings = () => {
 						logger.info('Default settings added');
 					});
 			}
+		})
+		.then(() => {
+			settingModel
+				.query()
+				.where('id', 'default-site')
+				.first()
+				.then((row) => {
+					internalNginx.generateConfig('default', row);
+				});
 		});
 };
 
@@ -115,7 +124,7 @@ const setupCertbotPlugins = () => {
 		.where('is_deleted', 0)
 		.andWhere('provider', 'letsencrypt')
 		.then((certificates) => {
-			if (certificates && certificates.length) {
+			if (certificates && certificates.length > 0) {
 				const plugins = [];
 				const promises = [];
 
@@ -129,7 +138,7 @@ const setupCertbotPlugins = () => {
 				});
 
 				return certbot.installPlugins(plugins).then(() => {
-					if (promises.length) {
+					if (promises.length > 0) {
 						return Promise.all(promises).then(() => {
 							logger.info('Added Certbot plugins ' + plugins.join(', '));
 						});
@@ -145,76 +154,56 @@ const setupCertbotPlugins = () => {
  * @returns {Promise}
  */
 const regenerateAllHosts = () => {
-	settingModel
-		.query()
-		.where('id', 'default-site')
-		.first()
-		.then((row) => {
-			internalNginx.generateConfig('default', row);
-		})
-		.then(() => {
-			if (process.env.REGENERATE_ALL === 'true') {
-				const promises = [];
-
-				promises.push(
-					proxyModel
-						.query()
-						.where('is_deleted', 0)
-						.andWhere('enabled', 1)
-						.withGraphFetched('[access_list.[clients, items], certificate]')
-						.then((rows) => {
-							if (rows && rows.length) {
-								internalNginx.bulkGenerateConfigs('proxy_host', rows);
-							}
-						}),
-				);
-
-				promises.push(
-					redirectModel
-						.query()
-						.where('is_deleted', 0)
-						.andWhere('enabled', 1)
-						.withGraphFetched('[certificate]')
-						.then((rows) => {
-							if (rows && rows.length) {
-								internalNginx.bulkGenerateConfigs('redirection_host', rows);
-							}
-						}),
-				);
-
-				promises.push(
-					deadModel
-						.query()
-						.where('is_deleted', 0)
-						.andWhere('enabled', 1)
-						.withGraphFetched('[certificate]')
-						.then((rows) => {
-							if (rows && rows.length) {
-								internalNginx.bulkGenerateConfigs('dead_host', rows);
-							}
-						}),
-				);
-
-				promises.push(
-					streamModel
-						.query()
-						.where('is_deleted', 0)
-						.andWhere('enabled', 1)
-						.then((rows) => {
-							if (rows && rows.length) {
-								internalNginx.bulkGenerateConfigs('stream', rows);
-							}
-						}),
-				);
-
-				// Execute all promises and then write the hash
-				return Promise.all(promises).then(() => {
-					utils.writeHash();
-				});
-			}
-		});
-
-	return Promise.resolve(); // Return resolved promise if REGENERATE_ALL is not true
+	if (process.env.REGENERATE_ALL === 'true') {
+		return proxyModel
+			.query()
+			.where('is_deleted', 0)
+			.andWhere('enabled', 1)
+			.withGraphFetched('[access_list.[clients, items], certificate]')
+			.then((rows) => {
+				if (rows && rows.length > 0) {
+					internalNginx.bulkGenerateConfigs(proxyModel, 'proxy_host', rows);
+				}
+			})
+			.then(() => {
+				return redirectModel
+					.query()
+					.where('is_deleted', 0)
+					.andWhere('enabled', 1)
+					.withGraphFetched('[certificate]')
+					.then((rows) => {
+						if (rows && rows.length > 0) {
+							internalNginx.bulkGenerateConfigs(redirectModel, 'redirection_host', rows);
+						}
+					});
+			})
+			.then(() => {
+				return deadModel
+					.query()
+					.where('is_deleted', 0)
+					.andWhere('enabled', 1)
+					.withGraphFetched('[certificate]')
+					.then((rows) => {
+						if (rows && rows.length > 0) {
+							internalNginx.bulkGenerateConfigs(deadModel, 'dead_host', rows);
+						}
+					});
+			})
+			.then(() => {
+				return streamModel
+					.query()
+					.where('is_deleted', 0)
+					.andWhere('enabled', 1)
+					.then((rows) => {
+						if (rows && rows.length > 0) {
+							internalNginx.bulkGenerateConfigs(streamModel, 'stream', rows);
+						}
+					});
+			})
+			.then(() => {
+				utils.writeHash();
+			});
+	}
 };
 
 module.exports = function () {

backend/templates/_certificates.conf

@@ -1,7 +1,6 @@
 {% if certificate and certificate_id > 0 %}
 {% if certificate.provider == "letsencrypt" %}
   # Certbot TLS
-  include conf.d/include/tls-ciphers.conf;
   ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
   ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
   {% if env.ACME_OCSP_STAPLING == "true" %}
@@ -11,7 +10,6 @@
   {% endif %}
 {% else %}
   # Custom TLS
-  include conf.d/include/tls-ciphers-no-stapling.conf;
   ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
   ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
 {% endif %}