| author | Christian Poessinger <christian@poessinger.com> | 2022-08-24 19:24:23 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-08-24 19:24:23 +0200 | 
| commit | 04096a1abc98d57b1ee5d6eb8b5904988bee69ff (patch) | |
| tree | d7265b1b886345dfc9189b5b7023d8e520c41056 | |
| parent | a87e4fcc351295fb27fb781b042fc6f798e5cd0e (diff) | |
| parent | ecaafaa26f85ba4ae3f34b5382fe0ebbe38bf13b (diff) | |
| download | vyos-1x-04096a1abc98d57b1ee5d6eb8b5904988bee69ff.tar.gz vyos-1x-04096a1abc98d57b1ee5d6eb8b5904988bee69ff.zip | |
Merge pull request #1488 from sever-sever/T4597
https: T4597: Verify bind port before apply HTTPS API service
| -rwxr-xr-x | src/conf_mode/https.py | 29 | 
1 files changed, 28 insertions, 1 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 3057357fc..7cd7ea42e 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -29,6 +29,8 @@ from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
+from vyos.util import check_port_availability
+from vyos.util import is_listen_port_bind_service
 from vyos.util import write_file
 from vyos import airbag
@@ -107,6 +109,31 @@ def verify(https):
                 raise ConfigError("At least one 'virtual-host <id> server-name' "
                               "matching the 'certbot domain-name' is required.")
+    server_block_list = []
+
+    # organize by vhosts
+    vhost_dict = https.get('virtual-host', {})
+
+    if not vhost_dict:
+        # no specified virtual hosts (server blocks); use default
+        server_block_list.append(default_server_block)
+    else:
+        for vhost in list(vhost_dict):
+            server_block = deepcopy(default_server_block)
+            data = vhost_dict.get(vhost, {})
+            server_block['address'] = data.get('listen-address', '*')
+            server_block['port'] = data.get('listen-port', '443')
+            server_block_list.append(server_block)
+
+    for entry in server_block_list:
+        _address = entry.get('address')
+        _address = '0.0.0.0' if _address == '*' else _address
+        _port = entry.get('port')
+        proto = 'tcp'
+        if check_port_availability(_address, int(_port), proto) is not True and \
+                not is_listen_port_bind_service(int(_port), 'nginx'):
+            raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
+
     verify_vrf(https)
     return None
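Review bot: The wildcard mapping `_address = '0.0.0.0' if _address == '*' else _address` probes only the IPv4 any-address, so a conflicting listener bound solely on the IPv6 wildcard would presumably slip past `check_port_availability` unless that helper also covers `::` — worth confirming, or probing both. The `'nginx'` exemption in `is_listen_port_bind_service(int(_port), 'nginx')` is keyed on process name alone, so the check cannot distinguish the managed instance being reconfigured from any other nginx holding the port; a comment such as `# an nginx already on this port is assumed to be our own instance being reconfigured` would record that assumption next to the condition. The `ConfigError` on the last added lines names only the port; including the address makes the failure actionable when several virtual-hosts use distinct listen-addresses, e.g. `raise ConfigError(f'"{proto}" port "{_port}" on "{_address}" is used by another service')`. `proto = 'tcp'` is loop-invariant and can sit above `for entry in server_block_list:`. `verify()` begins outside the hunk, and `default_server_block` and `deepcopy` are assumed to be in scope from earlier in the file.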
