Merged
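--- a/agent/app/api/v2/nginx.go
+++ b/agent/app/api/v2/nginx.go
@@ -161,13 +161,13 @@ func (b *BaseApi) GetNginxModules(c *gin.Context) {
 // @Tags OpenResty
 // @Summary Operate default HTTPs
 // @Accept json
-// @Param request body request.NginxOperateReq true "request"
+// @Param request body request.NginxDefaultHTTPSUpdate true "request"
 // @Success 200
 // @Security ApiKeyAuth
 // @Security Timestamp
 // @Router /openresty/https [post]
 func (b *BaseApi) OperateDefaultHTTPs(c *gin.Context) {
-var req request.NginxOperateReq
+var req request.NginxDefaultHTTPSUpdate
 if err := helper.CheckBindAndValidate(&req, c); err != nil {
 return
 }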
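--- a/agent/app/dto/request/nginx.go
+++ b/agent/app/dto/request/nginx.go
@@ -130,3 +130,8 @@ type NginxModuleUpdate struct {
 type NginxOperateReq struct {
 Operate string `json:"operate" validate:"required,oneof=enable disable"`
 }
+
+type NginxDefaultHTTPSUpdate struct {
+Operate string `json:"operate" validate:"required,oneof=enable disable"`
+SSLRejectHandshake bool `json:"sslRejectHandshake"`
+}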
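Review bot: The new exported request type has no doc comment, and nothing on the struct says that `sslRejectHandshake` is only consulted when `operate` is `enable`. In the service hunk on this page the `disable` branch removes the directive regardless of the flag, so a body such as `{"operate":"disable","sslRejectHandshake":true}` is accepted and the flag has no effect. I would add `// NginxDefaultHTTPSUpdate is the body of POST /openresty/https; SSLRejectHandshake is read only when Operate is "enable".` above the type.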
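--- a/agent/app/dto/response/nginx.go
+++ b/agent/app/dto/response/nginx.go
@@ -82,5 +82,6 @@ type NginxBuildConfig struct {
 }
 
 type NginxConfigRes struct {
-Https bool `json:"https"`
+Https bool `json:"https"`
+SSLRejectHandshake bool `json:"sslRejectHandshake"`
 }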
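--- a/agent/app/service/app_utils.go
+++ b/agent/app/service/app_utils.go
@@ -1995,7 +1995,7 @@ func handleOpenrestyFile(appInstall *model.AppInstall) error {
 break
 }
 }
-if err := handleSSLConfig(appInstall, hasDefaultWebsite); err != nil {
+if err := handleSSLConfig(appInstall, hasDefaultWebsite, true); err != nil {
 return err
 }
 if len(websites) == 0 {
@@ -2024,34 +2024,37 @@ func handleDefaultServer(appInstall *model.AppInstall) error {
 return nil
 }
 
-func handleSSLConfig(appInstall *model.AppInstall, hasDefaultWebsite bool) error {
+func handleSSLConfig(appInstall *model.AppInstall, hasDefaultWebsite bool, sslRejectHandshake bool) error {
 sslDir := path.Join(appInstall.GetPath(), "conf", "ssl")
 fileOp := files.NewFileOp()
 if !fileOp.Stat(sslDir) {
 return errors.New("ssl dir not found")
 }
-ca, _ := websiteCARepo.GetFirst(repo.WithByName("1Panel"))
-if ca.ID == 0 {
-global.LOG.Errorf("create openresty default ssl failed ca not found")
-return nil
-}
-caService := NewIWebsiteCAService()
-caRequest := request.WebsiteCAObtain{
-ID: ca.ID,
-Domains: "localhost",
-KeyType: "4096",
-Time: 99,
-Unit: "year",
-Dir: sslDir,
-PushDir: true,
-}
-websiteSSL, err := caService.ObtainSSL(caRequest)
-if err != nil {
-return err
+hasDefaultSSL := fileOp.Stat(path.Join(sslDir, "fullchain.pem")) && fileOp.Stat(path.Join(sslDir, "privkey.pem")) && fileOp.Stat(path.Join(sslDir, "root_ssl.conf"))
+if !hasDefaultSSL {
+ca, _ := websiteCARepo.GetFirst(repo.WithByName("1Panel"))
+if ca.ID == 0 {
+global.LOG.Errorf("create openresty default ssl failed ca not found")
+return nil
+}
+caService := NewIWebsiteCAService()
+caRequest := request.WebsiteCAObtain{
+ID: ca.ID,
+Domains: "localhost",
+KeyType: "4096",
+Time: 99,
+Unit: "year",
+Dir: sslDir,
+PushDir: true,
+}
+websiteSSL, err := caService.ObtainSSL(caRequest)
+if err != nil {
+return err
+}
+defer func() {
+_ = NewIWebsiteSSLService().Delete([]uint{websiteSSL.ID})
+}()
 }
-defer func() {
-_ = NewIWebsiteSSLService().Delete([]uint{websiteSSL.ID})
-}()
 defaultConfigPath := path.Join(appInstall.GetPath(), "conf", "default", "00.default.conf")
 content, err := os.ReadFile(defaultConfigPath)
 if err != nil {
@@ -2066,6 +2069,11 @@ func handleSSLConfig(appInstall *model.AppInstall, hasDefaultWebsite bool) error
 updateDefaultServer(defaultServer, appInstall.HttpPort, appInstall.HttpsPort, !hasDefaultWebsite, true)
 defaultServer.UpdateDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"})
 defaultServer.UpdateDirective("http2", []string{"on"})
+if sslRejectHandshake {
+defaultServer.UpdateDirective("ssl_reject_handshake", []string{"on"})
+} else {
+defaultServer.RemoveDirective("ssl_reject_handshake", []string{})
+}
 if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
 return err
 }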
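Review bot: In the first hunk `handleOpenrestyFile` now passes a hard-coded `true` for `sslRejectHandshake`, so `ssl_reject_handshake on` is set on the default server even when `hasDefaultWebsite` is true. `OperateDefaultHTTPs` in `agent/app/service/nginx.go` refuses exactly that combination with `ErrDefaultWebsite`, and the constant also replaces whatever the operator last chose each time this path runs. If the exclusion is meant to hold here as well, derive the flag from the state already computed: `if err := handleSSLConfig(appInstall, hasDefaultWebsite, !hasDefaultWebsite); err != nil {`. Both function bodies continue outside the hunks, so the callers of `handleOpenrestyFile` and any later reset of the directive are not visible from here.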
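--- a/agent/app/service/nginx.go
+++ b/agent/app/service/nginx.go
@@ -45,7 +45,7 @@ type INginxService interface {
 GetModules() (*response.NginxBuildConfig, error)
 UpdateModule(req request.NginxModuleUpdate) error
 
-OperateDefaultHTTPs(req request.NginxOperateReq) error
+OperateDefaultHTTPs(req request.NginxDefaultHTTPSUpdate) error
 GetDefaultHttpsStatus() (*response.NginxConfigRes, error)
 }
 
@@ -354,7 +354,7 @@ func (n NginxService) UpdateModule(req request.NginxModuleUpdate) error {
 return fileOp.SaveFileWithByte(moduleConfigPath, moduleByte, constant.DirPerm)
 }
 
-func (n NginxService) OperateDefaultHTTPs(req request.NginxOperateReq) error {
+func (n NginxService) OperateDefaultHTTPs(req request.NginxDefaultHTTPSUpdate) error {
 appInstall, err := getAppInstallByKey(constant.AppOpenresty)
 if err != nil {
 return err
@@ -372,11 +372,18 @@ func (n NginxService) OperateDefaultHTTPs(req request.NginxOperateReq) error {
 if err != nil {
 return err
 }
-if req.Operate == "enable" {
-if err := handleSSLConfig(&appInstall, hasDefaultWebsite); err != nil {
+switch req.Operate {
+case "enable":
+if req.SSLRejectHandshake {
+defaultWebsite, _ := websiteRepo.GetFirst(websiteRepo.WithDefaultServer())
+if defaultWebsite.ID > 0 {
+return buserr.New("ErrDefaultWebsite")
+}
+}
+if err := handleSSLConfig(&appInstall, hasDefaultWebsite, req.SSLRejectHandshake); err != nil {
 return err
 }
-} else if req.Operate == "disable" {
+case "disable":
 defaultConfig, err := parser.NewStringParser(string(content)).Parse()
 if err != nil {
 return err
@@ -387,6 +394,7 @@ func (n NginxService) OperateDefaultHTTPs(req request.NginxOperateReq) error {
 defaultServer.RemoveListen(fmt.Sprintf("[::]:%d", appInstall.HttpsPort))
 defaultServer.RemoveDirective("include", []string{"/usr/local/openresty/nginx/conf/ssl/root_ssl.conf"})
 defaultServer.RemoveDirective("http2", []string{"on"})
+defaultServer.RemoveDirective("ssl_reject_handshake", []string{"on"})
 if err = nginx.WriteConfig(defaultConfig, nginx.IndentedStyle); err != nil {
 return err
 }
@@ -413,9 +421,11 @@ func (n NginxService) GetDefaultHttpsStatus() (*response.NginxConfigRes, error)
 res := &response.NginxConfigRes{}
 for _, directive := range defaultServer.GetDirectives() {
 if directive.GetName() == "include" && directive.GetParameters()[0] == "/usr/local/openresty/nginx/conf/ssl/root_ssl.conf" {
-return &response.NginxConfigRes{
-Https: true,
-}, nil
+res.Https = true
 }
+if directive.GetName() == "ssl_reject_handshake" && directive.GetParameters()[0] == "on" {
+res.Https = true
+res.SSLRejectHandshake = true
+}
 }
 return res, nil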
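Review bot: In the `enable` case the new guard discards the lookup error (`defaultWebsite, _ := websiteRepo.GetFirst(websiteRepo.WithDefaultServer())`), so any failure of that query leaves `defaultWebsite.ID` at zero and the request proceeds as if no default website existed. `hasDefaultWebsite` is already in scope and is passed to `handleSSLConfig` a few lines later; if it carries the same meaning (it is computed outside the hunk), the guard can be `if req.SSLRejectHandshake && hasDefaultWebsite { return buserr.New("ErrDefaultWebsite") }` and the second query goes away. Separately, `GetDefaultHttpsStatus` indexes `directive.GetParameters()[0]` with no length check, which would presumably panic on a hand-edited `ssl_reject_handshake;` line that has no argument.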
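--- a/agent/app/service/nginx_utils.go
+++ b/agent/app/service/nginx_utils.go
@@ -121,9 +121,11 @@ func updateDefaultServerConfig(enable bool) error {
 
 includeSSL := false
 for _, dir := range defaultServer.GetDirectives() {
+if dir.GetName() == "ssl_reject_handshake" && dir.GetParameters()[0] == "on" {
+defaultServer.RemoveDirective("ssl_reject_handshake", []string{"on"})
+}
 if dir.GetName() == "include" && dir.GetParameters()[0] == "/usr/local/openresty/nginx/conf/ssl/root_ssl.conf" {
 includeSSL = true
-break
 }
 }
 updateDefaultServer(defaultServer, nginxInstall.HttpPort, nginxInstall.HttpsPort, enable, includeSSL)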
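Review bot: The added branch removes `ssl_reject_handshake on` on every call, whatever the value of `enable`, and it does so without logging anything. That switches off a setting the operator turned on to avoid certificate leakage (per the UI helper text on this page), and the only trace is that `GetDefaultHttpsStatus` later reports `sslRejectHandshake` as false. I would log the removal and restrict it to the case where a website is taking over as default, which looks like `!enable` judging by how `handleSSLConfig` passes `!hasDefaultWebsite` in the same argument position; that reading needs confirming. The loop body also calls `RemoveDirective` while ranging over `GetDirectives()`, which is only safe if the latter is not mutated in place; the function starts outside the hunk, so neither helper is visible here.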
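--- a/agent/i18n/lang/en.yaml
+++ b/agent/i18n/lang/en.yaml
@@ -147,6 +147,7 @@ Status: 'Status'
 start: 'Start'
 stop: 'Stop'
 delete: 'Delete'
+ErrDefaultWebsite: 'Default website has been set, please cancel it before setting!'
 
 #ssl
 ErrSSLCannotDelete: 'The {{ .name }} certificate is being used by a website and cannot be deleted'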
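--- a/agent/i18n/lang/es-ES.yaml
+++ b/agent/i18n/lang/es-ES.yaml
@@ -146,6 +146,7 @@ Status: 'Estado'
 start: 'Iniciar'
 stop: 'Detener'
 delete: 'Eliminar'
+ErrDefaultWebsite: 'El sitio web predeterminado ya está configurado, ¡cancélelo antes de configurar!'
 
 #ssl
 ErrSSLCannotDelete: 'El certificado {{ .name }} está siendo utilizado por un sitio web y no puede eliminarse'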
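--- a/agent/i18n/lang/ja.yaml
+++ b/agent/i18n/lang/ja.yaml
@@ -146,6 +146,7 @@ Status: 'ステータス'
 start: '開始'
 stop: '停止'
 delete: '削除'
+ErrDefaultWebsite: 'デフォルト Web サイトが既に設定されています。設定する前にキャンセルしてください!'
 
 #ssl
 ErrSSLCannotDelete: '{{ .name }} 証明書は Web サイトで使用されているため、削除できません'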
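--- a/agent/i18n/lang/ko.yaml
+++ b/agent/i18n/lang/ko.yaml
@@ -147,6 +147,7 @@ Status: '상태'
 start: '시작'
 stop: '중지'
 delete: '삭제'
+ErrDefaultWebsite: '기본 웹사이트가 이미 설정되었습니다. 설정하기 전에 취소하세요!'
 
 #SSL인증
 ErrSSLCannotDelete: '{{ .name }} 인증서는 웹사이트에서 사용 중이므로 삭제할 수 없습니다.'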
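--- a/agent/i18n/lang/ms.yaml
+++ b/agent/i18n/lang/ms.yaml
@@ -150,6 +150,7 @@ Status: 'Status'
 start: 'Mulakan'
 stop: 'Berhenti'
 delete: 'Padam'
+ErrDefaultWebsite: 'Laman web lalai telah ditetapkan, sila batalkan sebelum menetapkan!'
 
 #ssl
 ErrSSLCannotDelete: 'Sijil {{ .name }} sedang digunakan oleh tapak web dan tidak boleh dipadamkan'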
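--- a/agent/i18n/lang/pt-BR.yaml
+++ b/agent/i18n/lang/pt-BR.yaml
@@ -150,6 +150,7 @@ Status: 'Status'
 start: 'Iniciar'
 stop: 'Parar'
 delete: 'Excluir'
+ErrDefaultWebsite: 'O site padrão já foi definido, cancele-o antes de definir!'
 
 #ssl
 ErrSSLCannotDelete: 'O certificado {{ .name }} está sendo usado por um site e não pode ser excluído'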
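--- a/agent/i18n/lang/ru.yaml
+++ b/agent/i18n/lang/ru.yaml
@@ -150,6 +150,7 @@ Status: 'Статус'
 start: 'Запустить'
 stop: 'Остановить'
 delete: 'Удалить'
+ErrDefaultWebsite: 'Веб-сайт по умолчанию уже установлен, отмените его перед настройкой!'
 
 #ssl
 ErrSSLCannotDelete: 'Сертификат {{ .name }} используется веб-сайтом и не может быть удален'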
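--- a/agent/i18n/lang/zh-Hant.yaml
+++ b/agent/i18n/lang/zh-Hant.yaml
@@ -146,6 +146,7 @@ Status: '狀態'
 start: '開啟'
 stop: '關閉'
 delete: '刪除'
+ErrDefaultWebsite: '已經設置默認網站,請取消後再設置!'
 
 #ssl
 ErrSSLCannotDelete: '{{ .name }} 憑證正在被網站使用,無法刪除'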
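--- a/agent/i18n/lang/zh.yaml
+++ b/agent/i18n/lang/zh.yaml
@@ -146,6 +146,7 @@ Status: '状态'
 start: '开启'
 stop: '关闭'
 delete: '删除'
+ErrDefaultWebsite: "已经设置默认网站,请取消后再设置!"
 
 #ssl
 ErrSSLCannotDelete: "{{ .name }} 证书正在被网站使用,无法删除"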
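--- a/frontend/src/api/interface/nginx.ts
+++ b/frontend/src/api/interface/nginx.ts
@@ -53,9 +53,14 @@ export namespace Nginx {
 
 export interface NginxHttpsStatus {
 https: boolean;
+sslRejectHandshake: boolean;
 }
 
 export interface NginxOperateReq {
 operate: string;
 }
+
+export interface NginxHttpsOperateReq extends NginxOperateReq {
+sslRejectHandshake: boolean;
+}
 }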
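--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -2727,6 +2727,9 @@ const message = {
 'Click build after adding/modifying a module. OpenResty will automatically restart upon successful build.',
 defaultHttps: 'HTTPS Anti-tampering',
 defaultHttpsHelper1: 'Enabling this can resolve HTTPS tampering issues.',
+sslRejectHandshake: 'Reject default SSL handshake',
+sslRejectHandshakeHelper:
+'Enabling this can avoid certificate leakage, setting a default website will invalidate this setting',
 },
 ssl: {
 create: 'Request',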
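--- a/frontend/src/lang/modules/es-es.ts
+++ b/frontend/src/lang/modules/es-es.ts
@@ -2703,6 +2703,9 @@ const message = {
 'Haz clic en compilar después de agregar/modificar un módulo. OpenResty se reiniciará automáticamente tras una compilación exitosa.',
 defaultHttps: 'HTTPS Anti-manipulación',
 defaultHttpsHelper1: 'Habilitar esto puede resolver problemas de manipulación de HTTPS.',
+sslRejectHandshake: 'Rechazar handshake SSL predeterminado',
+sslRejectHandshakeHelper:
+'Habilitar esto puede evitar la fuga de certificados, establecer un sitio web predeterminado invalidará esta configuración',
 },
 ssl: {
 create: 'Solicitar',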
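--- a/frontend/src/lang/modules/ja.ts
+++ b/frontend/src/lang/modules/ja.ts
@@ -2642,6 +2642,9 @@ const message = {
 'モジュールの追加/変更後にビルドをクリックします。ビルドが成功すると、OpenRestyは自動的に再起動します。',
 defaultHttps: 'HTTPS 改ざん防止',
 defaultHttpsHelper1: 'これを有効にすると、HTTPS 改ざん問題を解決できます。',
+sslRejectHandshake: 'デフォルト SSL ハンドシェイクを拒否',
+sslRejectHandshakeHelper:
+'有効にすると証明書の漏洩を防げますが、デフォルト Web サイトを設定するとこの設定は無効になります',
 },
 ssl: {
 create: 'リクエスト',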
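--- a/frontend/src/lang/modules/ko.ts
+++ b/frontend/src/lang/modules/ko.ts
@@ -2594,6 +2594,9 @@ const message = {
 buildHelper: '모듈 추가/수정 후 빌드를 클릭하세요. 빌드가 성공하면 OpenResty가 자동으로 재시작됩니다.',
 defaultHttps: 'HTTPS 변조 방지',
 defaultHttpsHelper1: '이를 활성화하면 HTTPS 변조 문제를 해결할 수 있습니다.',
+sslRejectHandshake: '기본 SSL 핸드셰이크 거부',
+sslRejectHandshakeHelper:
+'활성화하면 인증서 누출을 방지할 수 있지만, 기본 웹사이트를 설정하면 이 설정이 무효화됩니다',
 },
 ssl: {
 create: '요청',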
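--- a/frontend/src/lang/modules/ms.ts
+++ b/frontend/src/lang/modules/ms.ts
@@ -2704,6 +2704,9 @@ const message = {
 'Klik Bina selepas menambah/mengubah suai modul. Pembinaan yang berjaya akan memulakan semula OpenResty secara automatik.',
 defaultHttps: 'HTTPS Anti-tampering',
 defaultHttpsHelper1: 'Mengaktifkan ini dapat menyelesaikan masalah tampering HTTPS.',
+sslRejectHandshake: 'Tolak jabat tangan SSL lalai',
+sslRejectHandshakeHelper:
+'Mengaktifkan ini boleh mengelakkan kebocoran sijil, menetapkan laman web lalai akan membatalkan tetapan ini',
 },
 ssl: {
 create: 'Permintaan',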
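--- a/frontend/src/lang/modules/pt-br.ts
+++ b/frontend/src/lang/modules/pt-br.ts
@@ -2709,6 +2709,9 @@ const message = {
 'Clique em Construir após adicionar/modificar um módulo. Construção bem-sucedida reiniciará automaticamente o OpenResty.',
 defaultHttps: 'HTTPS Anti-tampering',
 defaultHttpsHelper1: 'A ativação desta opção pode resolver problemas de adulteração HTTPS.',
+sslRejectHandshake: 'Rejeitar handshake SSL padrão',
+sslRejectHandshakeHelper:
+'Ativar isso pode evitar vazamento de certificados, definir um site padrão invalidará esta configuração',
 },
 ssl: {
 create: 'Solicitar',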
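--- a/frontend/src/lang/modules/ru.ts
+++ b/frontend/src/lang/modules/ru.ts
@@ -2706,6 +2706,9 @@ const message = {
 'Нажмите Сборка после добавления/изменения модуля. Успешная сборка автоматически перезапустит OpenResty.',
 defaultHttps: 'HTTPS Анти-вмешательство',
 defaultHttpsHelper1: 'Включение этого параметра может решить проблему вмешательства в HTTPS.',
+sslRejectHandshake: 'Отклонить стандартное SSL-рукопожатие',
+sslRejectHandshakeHelper:
+'Включение этого может предотвратить утечку сертификатов, установка веб-сайта по умолчанию сделает эту настройку недействительной',
 },
 ssl: {
 create: 'Запросить',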
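--- a/frontend/src/lang/modules/tr.ts
+++ b/frontend/src/lang/modules/tr.ts
@@ -2764,6 +2764,9 @@ const message = {
 'Modül ekledikten/düzenledikten sonra oluştur’a tıklayın. OpenResty, başarılı oluşturma üzerine otomatik olarak yeniden başlatılacaktır.',
 defaultHttps: 'HTTPS Anti-sızdırma',
 defaultHttpsHelper1: 'Bu özelliği etkinleştirerek HTTPS sızdırma sorunlarını çözebilirsiniz.',
+sslRejectHandshake: 'Varsayılan SSL el sıkışmasını reddet',
+sslRejectHandshakeHelper:
+'Etkinleştirilmesi sertifika sızıntısını önleyebilir, varsayılan bir web sitesi ayarlamak bu ayarı geçersiz kılar',
 },
 ssl: {
 create: 'İstek',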
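--- a/frontend/src/lang/modules/zh-Hant.ts
+++ b/frontend/src/lang/modules/zh-Hant.ts
@@ -2536,6 +2536,8 @@ const message = {
 buildHelper: '新增/修改模組後點擊構建,構建成功後會自動重啟 OpenResty',
 defaultHttps: 'HTTPS 防竄站',
 defaultHttpsHelper1: '開啟後可以解決 HTTPS 竄站問題',
+sslRejectHandshake: '拒絕默認 SSL 握手',
+sslRejectHandshakeHelper: '開啟之後可以避免證書洩露,設置默認網站會讓此設置失效',
 },
 ssl: {
 create: '申請證書',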
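--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -2528,6 +2528,8 @@ const message = {
 buildHelper: '添加/修改模块之后点击构建,构建成功后会自动重启 OpenResty',
 defaultHttps: 'HTTPS 防窜站',
 defaultHttpsHelper1: '开启后可以解决 HTTPS 窜站问题',
+sslRejectHandshake: '拒绝默认 SSL 握手',
+sslRejectHandshakeHelper: '开启之后可以避免证书泄露,设置默认网站会让此设置失效',
 },
 ssl: {
 create: '申请证书',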