changed lighttpd startup/config to return "503 Service unavailable"
status codes if the CCU startup is not yet finished. This should prevent
potential runtime issues in case external engines like ioBroker or
HomeAssistant are trying to use remoteAPI ports when not all CCU
services are properly started. In addition, we now allow only certain
query URLs for port 8181/48181 for external queries.
jens-maus committed Aug 26, 2023
1 parent ee89d2e commit e971d75
Showing 6 changed files with 331 additions and 143 deletions.
@@ -0,0 +1,6 @@
#!/bin/tclsh

puts "Content-Type: text/plain"
puts "Status: 503"
puts ""
puts "CCU not ready yet"
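Review bot: The 503 response built here carries no `Retry-After` header, so clients that hit the RemoteAPI ports during startup get no hint on when to try again and may poll tightly; adding `puts "Retry-After: 30"` (interval to be chosen by the project) before the blank line that ends the headers lets well-behaved clients such as the integrations named in the commit message back off. The path of this new CGI file is not shown on the page, so I cannot confirm which lighttpd configuration maps it onto the not-ready ports.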
14 changes: 14 additions & 0 deletions buildroot-external/overlay/WebUI/etc/init.d/S50lighttpd
Expand Up @@ -52,6 +52,13 @@ start() {
echo "" >/var/etc/lighttpd_httpsredirect.conf
fi

# activate/deactivate RemoteAPI ports
if [[ -f /var/status/startupFinished ]]; then
echo "include \"/etc/lighttpd/conf.d/webui_remoteapi.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
else
echo "include \"/etc/lighttpd/conf.d/webui_remoteapi_notready.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
fi

# adjust the oom score (which is inherited by start-stop-daemon)
# to ensure that others are killed first in case of low memory situations
echo -900 >/proc/$$/oom_score_adj 2>/dev/null
Expand Down Expand Up @@ -93,6 +100,13 @@ reload() {
echo "" >/var/etc/lighttpd_httpsredirect.conf
fi

# activate/deactivate RemoteAPI ports
if [[ -f /var/status/startupFinished ]]; then
echo "include \"/etc/lighttpd/conf.d/webui_remoteapi.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
else
echo "include \"/etc/lighttpd/conf.d/webui_remoteapi_notready.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
fi

start-stop-daemon -K -s USR1 -q -p ${PIDFILE_ANGEL}
[[ -f ${PIDFILE} ]] && echo "OK" || echo "ERROR"
}
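Review bot: The six-line if/else that selects the RemoteAPI include is pasted verbatim into both start() (lines L33–L38 of the first hunk) and reload() (L47–L52 of this one), so the two copies will drift the next time the file name or the marker path changes; a small helper called from both places keeps one definition. The helper below also replaces the `echo` with escaped quotes by a `printf` format, which is easier to read and not affected by echo's option handling. Both start() and reload() begin outside their hunks, so the call sites are not visible here.
```bash
# select the RemoteAPI include: the real port definitions once the CCU
# startup has finished, the "not ready" (503) variant before that
write_remoteapi_conf() {
  local conf=/etc/lighttpd/conf.d/webui_remoteapi_notready.conf
  if [[ -f /var/status/startupFinished ]]; then
    conf=/etc/lighttpd/conf.d/webui_remoteapi.conf
  fi
  printf 'include "%s"\n' "${conf}" >/var/etc/lighttpd_webui_remoteapi.conf
}
# … unchanged: start() and reload() bodies, each calling write_remoteapi_conf in place of the duplicated if/else …
```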
3 changes: 3 additions & 0 deletions buildroot-external/overlay/base/etc/init.d/S99SetupLEDs
Expand Up @@ -49,6 +49,9 @@ start() {
# signal that the system startup is finished
touch /var/status/startupFinished

# reload lighttpd to let it enable the RemoteAPI ports
/etc/init.d/S50lighttpd reload >/dev/null

echo "booted, OK"
}
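Review bot: The `>/dev/null` on the new reload call at L65 discards the only failure signal reload() produces: in this commit's S50lighttpd hunk reload() ends with `[[ -f ${PIDFILE} ]] && echo "OK" || echo "ERROR"`, so its exit status is that of the last echo and the call can neither fail this script nor log that the RemoteAPI ports are still serving the 503 configuration. Capture the output instead and report a non-OK result on stderr, e.g. `result=$(/etc/init.d/S50lighttpd reload)` followed by `[[ "${result}" == "OK" ]] || echo "lighttpd reload failed: ${result}" >&2` (this assumes reload() prints nothing but that final word, which is what the visible hunk shows). The enclosing start() begins outside the hunk.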

145 changes: 2 additions & 143 deletions buildroot-external/overlay/base/etc/lighttpd/conf.d/proxy.conf
Expand Up @@ -33,146 +33,5 @@ else $SERVER["socket"] == "[::]:443" {
include "/etc/lighttpd/conf.d/webui.conf"
}

#--------------------------------
# ReGaHss Script (:8181 -> :8183)
#--------------------------------
else $SERVER["socket"] == ":8181" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}
else $SERVER["socket"] == "[::]:8181" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}

#---------------------------------------
# ReGaHss Script TLS (:48181 -> :8183)
#---------------------------------------
else $SERVER["socket"] == ":48181" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}
else $SERVER["socket"] == "[::]:48181" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}

#---------------------------------
# ReGaHss XmlRpc (:1999 -> :31999)
#---------------------------------
else $SERVER["socket"] == ":1999" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}
else $SERVER["socket"] == "[::]:1999" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}

#--------------------------------------
# ReGaHss XmlRpc TLS (:41999 -> :31999)
#--------------------------------------
else $SERVER["socket"] == ":41999" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}
else $SERVER["socket"] == "[::]:41999" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}

#---------------------------------------
# crRFD Legacy XmlRpc (:2010 -> :32010)
#---------------------------------------
else $SERVER["socket"] == ":2010" {
ssl.engine = "disable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}
else $SERVER["socket"] == "[::]:2010" {
ssl.engine = "disable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}

#-------------------------------------------
# crRFD Legacy XmlRpc TLS (:42010 -> :32010)
#-------------------------------------------
else $SERVER["socket"] == ":42010" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}
else $SERVER["socket"] == "[::]:42010" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}

#---------------------------
# HMServer (:9292 -> :39292)
#---------------------------
else $SERVER["socket"] == ":9292" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}
else $SERVER["socket"] == "[::]:9292" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}

#--------------------------------
# HMServer TLS (:49292 -> :39292)
#--------------------------------
else $SERVER["socket"] == ":49292" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}
else $SERVER["socket"] == "[::]:49292" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}

#-----------------------------
# RFD XmlRpc (:2001 -> :32001)
#-----------------------------
else $SERVER["socket"] == ":2001" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}
else $SERVER["socket"] == "[::]:2001" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}

#----------------------------------
# RFD XmlRpc TLS (:42001 -> :32001)
#----------------------------------
else $SERVER["socket"] == ":42001" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}
else $SERVER["socket"] == "[::]:42001" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}

#--------------------------------
# HS485D XmlRpc (:2000 -> :32000)
#--------------------------------
else $SERVER["socket"] == ":2000" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
else $SERVER["socket"] == "[::]:2000" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}

#------------------------------
# HS485D TLS (:42000 -> :32000)
#------------------------------
else $SERVER["socket"] == ":42000" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
else $SERVER["socket"] == "[::]:42000" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
# include all webui remote api port definitions
include "/var/etc/lighttpd_webui_remoteapi.conf"
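Review bot: The new include at L221 is the only one in this file that points at a file generated at runtime rather than a static file under /etc, so the configuration now parses only after S50lighttpd start() or reload() has written /var/etc/lighttpd_webui_remoteapi.conf; if I read lighttpd's include handling correctly, a missing include file is a fatal configuration error. The comment at L220 should say where the file comes from so that anyone validating or starting lighttpd outside the init sequence is not surprised, e.g. `# RemoteAPI port definitions selected by /etc/init.d/S50lighttpd: webui_remoteapi.conf once /var/status/startupFinished exists, the notready (503) variant before that`.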
@@ -0,0 +1,163 @@
#--------------------------------
# ReGaHss Script (:8181 -> :8183)
#--------------------------------
else $SERVER["socket"] == ":8181" {
ssl.engine = "disable"
$HTTP["url"] !~ "\.(?:exe|oxml|hssml)" {
$HTTP["remoteip"] !~ "^(127\.0\.0\.1|::ffff:127\.0\.0\.1|::1)$" {
url.access-deny = ( "" )
}
}
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}
else $SERVER["socket"] == "[::]:8181" {
ssl.engine = "disable"
$HTTP["url"] !~ "\.(?:exe|oxml|hssml)" {
$HTTP["remoteip"] !~ "^(127\.0\.0\.1|::ffff:127\.0\.0\.1|::1)$" {
url.access-deny = ( "" )
}
}
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}

#---------------------------------------
# ReGaHss Script TLS (:48181 -> :8183)
#---------------------------------------
else $SERVER["socket"] == ":48181" {
ssl.engine = "enable"
$HTTP["url"] !~ "\.(?:exe|oxml|hssml)" {
$HTTP["remoteip"] !~ "^(127\.0\.0\.1|::ffff:127\.0\.0\.1|::1)$" {
url.access-deny = ( "" )
}
}
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}
else $SERVER["socket"] == "[::]:48181" {
ssl.engine = "enable"
$HTTP["url"] !~ "\.(?:exe|oxml|hssml)" {
$HTTP["remoteip"] !~ "^(127\.0\.0\.1|::ffff:127\.0\.0\.1|::1)$" {
url.access-deny = ( "" )
}
}
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 8183)))
}

#---------------------------------
# ReGaHss XmlRpc (:1999 -> :31999)
#---------------------------------
else $SERVER["socket"] == ":1999" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}
else $SERVER["socket"] == "[::]:1999" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}

#--------------------------------------
# ReGaHss XmlRpc TLS (:41999 -> :31999)
#--------------------------------------
else $SERVER["socket"] == ":41999" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}
else $SERVER["socket"] == "[::]:41999" {
ssl.engine = "enable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 31999)))
}

#---------------------------------------
# crRFD Legacy XmlRpc (:2010 -> :32010)
#---------------------------------------
else $SERVER["socket"] == ":2010" {
ssl.engine = "disable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}
else $SERVER["socket"] == "[::]:2010" {
ssl.engine = "disable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}

#-------------------------------------------
# crRFD Legacy XmlRpc TLS (:42010 -> :32010)
#-------------------------------------------
else $SERVER["socket"] == ":42010" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}
else $SERVER["socket"] == "[::]:42010" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32010)))
}

#---------------------------
# HMServer (:9292 -> :39292)
#---------------------------
else $SERVER["socket"] == ":9292" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}
else $SERVER["socket"] == "[::]:9292" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}

#--------------------------------
# HMServer TLS (:49292 -> :39292)
#--------------------------------
else $SERVER["socket"] == ":49292" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}
else $SERVER["socket"] == "[::]:49292" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 39292)))
}

#-----------------------------
# RFD XmlRpc (:2001 -> :32001)
#-----------------------------
else $SERVER["socket"] == ":2001" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}
else $SERVER["socket"] == "[::]:2001" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}

#----------------------------------
# RFD XmlRpc TLS (:42001 -> :32001)
#----------------------------------
else $SERVER["socket"] == ":42001" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}
else $SERVER["socket"] == "[::]:42001" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32001)))
}

#--------------------------------
# HS485D XmlRpc (:2000 -> :32000)
#--------------------------------
else $SERVER["socket"] == ":2000" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
else $SERVER["socket"] == "[::]:2000" {
ssl.engine = "disable"
proxy.server = ( "" => ("localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}

#------------------------------
# HS485D TLS (:42000 -> :32000)
#------------------------------
else $SERVER["socket"] == ":42000" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
else $SERVER["socket"] == "[::]:42000" {
ssl.engine = "enable"
proxy.server = ( "" => ( "localhost" => ("host" => "127.0.0.1", "port" => 32000)))
}
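Review bot: The URL allow-list at L229 (repeated at L238, L251 and L260) is an unanchored regex, so the remote-access exemption applies to any request whose path merely contains `.exe`, `.oxml` or `.hssml`, not only to requests for those script endpoints, and such requests are still forwarded to port 8183. Anchoring the pattern to the end of the path, `$HTTP["url"] !~ "\.(?:exe|oxml|hssml)$"`, limits the exemption to the intended extensions; this assumes `$HTTP["url"]` does not carry the query string in the lighttpd version shipped here — please verify, and use `(?:$|\?)` as the anchor if it does. The four socket blocks for 8181/48181 differ only in the socket and the `ssl.engine` line, so the nested url/remoteip condition could be kept in one shared snippet instead of four copies if lighttpd accepts an include at that nesting level, which would make future changes to the allow-list a one-line edit.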