authorViacheslav Hletenko <v.gletenko@vyos.io>2022-08-23 09:21:29 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-08-23 09:32:06 +0000
commitecaafaa26f85ba4ae3f34b5382fe0ebbe38bf13b (patch)
tree7b8ada39e9e9d6017574001a1c9059a5510422cf /src/conf_mode/https.py
parentf60d0e1ce029925b843f635b36154c90049b9577 (diff)
https: T4597: Verify bind port before apply HTTPS API service
If the Nginx address/port is already bound by another service (for example OpenConnect's default port 443), the HTTPS API cannot start and no error is shown in the output. Add this check so the conflict is reported at commit time, before the service is applied.
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 3057357fc..7cd7ea42e 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -29,6 +29,8 @@ from vyos.pki import wrap_certificate
from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
+from vyos.util import check_port_availability
+from vyos.util import is_listen_port_bind_service
from vyos.util import write_file
from vyos import airbag
@@ -107,6 +109,31 @@ def verify(https):
raise ConfigError("At least one 'virtual-host <id> server-name' "
"matching the 'certbot domain-name' is required.")
+ server_block_list = []
+
+ # organize by vhosts
+ vhost_dict = https.get('virtual-host', {})
+
+ if not vhost_dict:
+ # no specified virtual hosts (server blocks); use default
+ server_block_list.append(default_server_block)
+ else:
+ for vhost in list(vhost_dict):
+ server_block = deepcopy(default_server_block)
+ data = vhost_dict.get(vhost, {})
+ server_block['address'] = data.get('listen-address', '*')
+ server_block['port'] = data.get('listen-port', '443')
+ server_block_list.append(server_block)
+
+ for entry in server_block_list:
+ _address = entry.get('address')
+ _address = '0.0.0.0' if _address == '*' else _address
+ _port = entry.get('port')
+ proto = 'tcp'
+ if check_port_availability(_address, int(_port), proto) is not True and \
+ not is_listen_port_bind_service(int(_port), 'nginx'):
+ raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
+
verify_vrf(https)
return None
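Review bot: The error raised at the end of the new loop names only the protocol and port, not the address that was probed, so with several virtual hosts or a specific `listen-address` the operator cannot tell which listener collides; suggest `raise ConfigError(f'"{proto}" port "{_port}" on "{_address}" is used by another service')`. The wildcard is mapped to `0.0.0.0` only, so if the rendered nginx config also binds the IPv6 wildcard on the same port, a service already holding `[::]:<port>` would presumably slip past this check — worth confirming against the nginx template. The check also reflects the state at commit time only; a service that grabs the port between verify and apply will still produce the silent start failure the commit describes, so the apply path should still surface nginx's own error. The enclosing verify() begins outside this hunk.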