Merge pull request #732 from Nebukadneza/add_front_certificate_reload

Add certificate watcher for external certs to reload nginx
master
Tim Möhlmann 6 years ago committed by GitHub
commit 6ca8ed437d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -7,7 +7,7 @@ RUN apk add --no-cache \
RUN pip3 install jinja2 RUN pip3 install jinja2
# Image specific layers under this line # Image specific layers under this line
RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl \ RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl \
&& pip3 install idna requests && pip3 install idna requests watchdog
COPY conf /conf COPY conf /conf
COPY *.py / COPY *.py /

@ -0,0 +1,63 @@
#!/usr/bin/python3
"""
Certificate watcher which reloads nginx or reconfigures it, depending on what
happens to externally supplied certificates. Only executed by start.py in case
of TLS_FLAVOR=[mail, cert]
"""
from os.path import exists, split as path_split
from os import system
import time
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler, FileDeletedEvent, \
FileCreatedEvent, FileModifiedEvent, FileMovedEvent
class ChangeHandler(FileSystemEventHandler):
"watchdog-handler listening on any event, executing the correct configuration/reload steps"
@staticmethod
def reload_nginx():
"merely reload nginx without re-configuring everything"
if exists("/var/run/nginx.pid"):
print("Reloading a running nginx")
system("nginx -s reload")
@staticmethod
def reexec_config():
"execute a reconfiguration of the system, which also reloads"
print("Reconfiguring system")
system("/config.py")
def on_any_event(self, event):
"event-listener checking if the affected files are the cert-files we're interested in"
if event.is_directory:
return
filename = path_split(event.src_path)[-1]
if isinstance(event, FileMovedEvent):
filename = path_split(event.dest_path)[-1]
if filename in ['cert.pem', 'key.pem']:
# all cases except for FileModified need re-configure
if isinstance(event, (FileCreatedEvent, FileMovedEvent, FileDeletedEvent)):
ChangeHandler.reexec_config()
# file modification needs only a nginx reload without config.py
elif isinstance(event, FileModifiedEvent):
ChangeHandler.reload_nginx()
# cert files have been moved away, re-configure
elif isinstance(event, FileMovedEvent) and path_split(event.src_path)[-1] in ['cert.pem', 'key.pem']:
ChangeHandler.reexec_config()
if __name__ == '__main__':
observer = Observer()
handler = ChangeHandler()
observer.schedule(handler, "/certs", recursive=False)
observer.start()
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
observer.stop()
observer.join()

@ -9,6 +9,8 @@ if os.path.exists("/var/run/nginx.pid"):
if os.environ["TLS_FLAVOR"] in [ "letsencrypt","mail-letsencrypt" ]: if os.environ["TLS_FLAVOR"] in [ "letsencrypt","mail-letsencrypt" ]:
subprocess.Popen(["/letsencrypt.py"]) subprocess.Popen(["/letsencrypt.py"])
elif os.environ["TLS_FLAVOR"] in [ "mail", "cert" ]:
subprocess.Popen(["/certwatcher.py"])
subprocess.call(["/config.py"]) subprocess.call(["/config.py"])
os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"]) os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"])

Loading…
Cancel
Save