summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2022-08-23 09:21:29 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-08-23 09:32:06 +0000
commitecaafaa26f85ba4ae3f34b5382fe0ebbe38bf13b (patch)
tree7b8ada39e9e9d6017574001a1c9059a5510422cf /src
parentf60d0e1ce029925b843f635b36154c90049b9577 (diff)
downloadvyos-1x-ecaafaa26f85ba4ae3f34b5382fe0ebbe38bf13b.tar.gz
vyos-1x-ecaafaa26f85ba4ae3f34b5382fe0ebbe38bf13b.zip
https: T4597: Verify bind port before apply HTTPS API service
If Nginx address/port is already binded to another service (for exampmle openconnect default port 443) https api cannot start and we don't see any error in the output. Add this check before applying service/commit
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/https.py29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 3057357fc..7cd7ea42e 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -29,6 +29,8 @@ from vyos.pki import wrap_certificate
from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
+from vyos.util import check_port_availability
+from vyos.util import is_listen_port_bind_service
from vyos.util import write_file
from vyos import airbag
@@ -107,6 +109,31 @@ def verify(https):
raise ConfigError("At least one 'virtual-host <id> server-name' "
"matching the 'certbot domain-name' is required.")
+ server_block_list = []
+
+ # organize by vhosts
+ vhost_dict = https.get('virtual-host', {})
+
+ if not vhost_dict:
+ # no specified virtual hosts (server blocks); use default
+ server_block_list.append(default_server_block)
+ else:
+ for vhost in list(vhost_dict):
+ server_block = deepcopy(default_server_block)
+ data = vhost_dict.get(vhost, {})
+ server_block['address'] = data.get('listen-address', '*')
+ server_block['port'] = data.get('listen-port', '443')
+ server_block_list.append(server_block)
+
+ for entry in server_block_list:
+ _address = entry.get('address')
+ _address = '0.0.0.0' if _address == '*' else _address
+ _port = entry.get('port')
+ proto = 'tcp'
+ if check_port_availability(_address, int(_port), proto) is not True and \
+ not is_listen_port_bind_service(int(_port), 'nginx'):
+ raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
+
verify_vrf(https)
return None