M/eIdZddlZddlmZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl m Z ddl mZddl mZddl mZdd l mZdd l mZdd l mZdd l mZdd l mZddl mZddl mZddlZddlmZddlmZddlmZddlmZddlmZddlm Z ddl!m"Z"ddl#m Z$ddl%m&Z&ddl'm(Z(ddl'm)Z)ddl'm*Z*ddl'm+Z+ddl'm,Z,ddl'm-Z-ej\dk\rddl/m0Z1nddl1Z1dZ2dZ3dZ4d Z5d!Z6ejne8Z9Gd"d#e&jtZ;d$ee d%ee fd&Zd)e=d*e=d+e?d%dfd,Z@d%e=fd-ZAy).zNginx ConfigurationN) ExitStack)Any)Callable)Dict)Iterable)List)Mapping)Optional)Sequence)Set)Tuple)Type)Union) challenges) crypto_util) achallenges)errors)util)os)common) constants) display_ops)http_01) nginxparser)obj)parser) rc eZdZdZdZdZgdZededddfd Z e de fd Z d e d e ddffd Ze de fdZe de fdZe de fdZde de ddfdZdbdZde de de de de ddf dZdej,de de de de ddf dZ dcde ded ee deej,fd!Zd"e deej,fd#Z ddd"e d$edeej,fd%Zd&e deeeffd'Zde d(ed&e dej,fd)Z dej,de ddfd*Z!de d(ed&e dej,fd+Z"d"e dee#e e ffd,Z$d-e%e&e e fdeej,fd.Z'd/e(ej,d"e dee#e e ffd0Z)d/e(ej,d"e dee#e e ffd1Z*d"e d&e deej,fd2Z+d"e deeej,eej,ffd3Z,d4e d5e defd6Z-dej,d&e d7edefd8Z.dej,d&e defd9Z/d"e d&e dee#e e ffd:Z0de1e fd;Z2dee e ffd<Z3dej,ddfd=Z4dee fd>Z5 dcde d?e d@ee6e ee fddfdAZ7dej,de defdBZ8de dCe6e ee dfddfdDZ9dej,de ddfdEZ:dcdej,dFeee deej,ej,ffdGZ;de dHee6e ee fddfdIZdej,dee ddfdLZ?dbdMZ@dbdNZAde fdOZBdeeCdPffdQZDde fdRZEde fdSZFdTe(eGjde fdUZIdedVee dWeddfdXZJdbfdY ZKdbdZZLdfd[eCddffd\ ZMd]e deeNeOjfd^ZQd_eeGjdeeOjfd`ZSd_eeGjddfdaZTxZUS)gNginxConfiguratoraENginx configurator. .. todo:: Add proper support for comments in the config. Currently, config files modified by the configurator will lose all their comments. :ivar config: Configuration. :type config: certbot.configuration.NamespaceConfig :ivar parser: Handles low level parsing :type parser: :class:`~certbot_nginx._internal.parser` :ivar str save_notes: Human-readable config change notes :ivar reverter: saves and reverts checkpoints :type reverter: :class:`certbot.reverter.Reverter` :ivar tup version: version of Nginx zNginx Web Server plugin80)ssl_certificatessl_certificate_key ssl_dhparamadd).NreturnNct}|dtjdd|z|dtjdd|dtjdtd y) N server-root server_rootz*Nginx server root directory. (default: %s))defaulthelpctlzVPath to the 'nginx' binary, used for 'configtest' and retrieving nginx version number. sleep-seconds sleep_secondszRNumber of seconds to wait for nginx configuration changes to apply when reloading.)r-typer.)_determine_default_server_rootr CLI_DEFAULTSint)clsr(default_server_roots F/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.pyadd_parser_argumentsz&NginxConfigurator.add_parser_argumentsVsj<> M9#9#9-#H=@SS U E911%8@  OY%;%;O%LSV' (c`tjj|jddS)zNginx config file path.r,z nginx.conf)rpathjoinconfselfs r8 nginx_confzNginxConfigurator.nginx_confbs"ww||DIIm4lCCr:argskwargscX|jdd}|jdd}t||i|d|_d|_i|_i|_d|_||_||_ |j|j|jd|_ |jj|y)aInitialize an Nginx Configurator. :param tup version: version of Nginx as a tuple (1, 4, 7) (used mostly for unittesting) :param tup openssl_version: version of OpenSSL linked to Nginx as a tuple (1, 4, 7) (used mostly for unittesting) versionNopenssl_versionrredirectzensure-http-headerz staple-ocsp)popsuper__init__ save_notes new_vhost_wildcard_vhosts_wildcard_redirect_vhosts _chall_outrErF_enable_redirect_set_http_header_enable_ocsp_stapling _enhance_funcreverterrecovery_routine)r@rBrCrErF __class__s r8rLzNginxConfigurator.__init__gs**Y- **%6= $)&)59CEKM& .*.*?*?484I4I-1-G-GI &&( r:c|jdk\}tjd}|jdk\xr0|jxr"tj|j|k\}|r|rd}n d}n|rd}nd}t }t j |jtjdjd jd j|}t|jtj|S) z4Full absolute path to SSL configuration file source.)r rz1.0.2l)rrzoptions-ssl-nginx.confz+options-ssl-nginx-tls13-session-tix-on.confz!options-ssl-nginx-tls12-only.confzoptions-ssl-nginx-old.conf certbot_nginx _internal tls_configs)rErparse_loose_versionrFratexitregistercloseimportlib_resourcesfilesjoinpathstr enter_contextas_file)r@ use_tls13min_openssl_versionsession_tix_offconfig_filename file_managerrefs r8mod_ssl_conf_srcz"NginxConfigurator.mod_ssl_conf_srcsLLJ. "66x@,,)3R8L8LR  $ $T%9%9 :>Q Q  ":"O"E"> {  **+"((9BB;O'(A <--.A.I.I#.NOPPr:ctjj|jjt j S)z-Full absolute path to SSL configuration file.)rr<r=config config_dirrMOD_SSL_CONF_DESTr?s r8 mod_ssl_confzNginxConfigurator.mod_ssl_confs)ww||DKK22I4O4OPPr:ctjj|jjt j S)z?Full absolute path to digest of updated SSL configuration file.)rr<r=rqrrrUPDATED_MOD_SSL_CONF_DIGESTr?s r8updated_mod_ssl_conf_digestz-NginxConfigurator.updated_mod_ssl_conf_digests)ww||DKK22I4Y4YZZr: options_ssloptions_ssl_digestcdtj|||jtjy)zICopy Certbot's SSL options file into the system's config dir if required.N)rinstall_version_controlled_filerorALL_SSL_OPTIONS_HASHES)r@rxrys r8install_ssl_options_confz*NginxConfigurator.install_ssl_options_confs(.. +  ! !9#C#C Er:ctj|jdstjd|j t j|jd|_|j|j|_|j|j|_ |j|j|j|j tj |jdy#t"tj$f$rKt&j)ddtj*dj-|jdwxYw) zPrepare the authenticator/installer. :raises .errors.NoInstallationError: If Nginx ctl cannot be found :raises .errors.MisconfigurationError: If Nginx is misconfigured r/zvCould not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.r+NzEncountered error:Texc_infozUnable to lock {0})r exe_existsr>rNoInstallationError config_testr NginxParserrE get_versionrF_get_openssl_versionr}rtrwinstall_ssl_dhparamslock_dir_until_exitOSError LockErrorloggerdebug PluginErrorformatr?s r8preparezNginxConfigurator.prepares.tyy/0,,LM M ((=)AB  << ++-DL    '#'#<#<#>D  %%d&7&79Y9YZ !!# \  $ $TYY}%= >))* \ LL-L =$$%9%@%@=AY%Z[ [ \s ,$DA$E5domain cert_pathkey_path chain_pathfullchain_pathc|stjd|j|d}|D]F}|j|||||t j dj ||jHy)aUDeploys certificate to specified virtual host. .. note:: Aborts if the vhost is missing ssl_certificate or ssl_certificate_key. .. note:: This doesn't save the config files! :raises errors.PluginError: When unable to deploy certificate due to a lack of directives or configuration zNThe nginx plugin currently requires --fullchain-path to install a certificate.T)create_if_no_matchz.Successfully deployed certificate for {} to {}N)rr choose_vhosts _deploy_cert display_utilnotifyrfilep)r@rrrrrvhostsvhosts r8 deploy_certzNginxConfigurator.deploy_certs|$$)* *##Ft#D >E   eY*n U    P!' !< > >r:r _cert_path _chain_pathc ddd|gddd|gg}|jj||tjd|j|xj d|jddj d |jDd z c_|xj d |zz c_|xj d |zz c_y )a Helper function for deploy_cert() that handles the actual deployment this exists because we might want to do multiple deployments per domain originally passed for deploy_cert(). This is especially true with wildcard certificates  r% r&z'Deploying Certificate to VirtualHost %szChanged vhost at z with addresses of z, c32K|]}t|ywNrf.0addrs r8 z1NginxConfigurator._deploy_cert..s&ITs4y&I z ssl_certificate %s z ssl_certificate_key %s N)rupdate_or_add_server_directivesrinforrMr=addrs)r@rrrrrcert_directivess r8rzNginxConfigurator._deploy_certs%&7nM$&;S(KM 33E?K =u{{K "[[!YY&IU[[&IIK L 3nDD 7(BBr: prefer_sslno_ssl_filter_portc.|r'|j}dtjdtfd}n&|j}dtjdtfd}||vr||S|j j }i}|D]@}||j||s|jD]} ||r||| <| |vs||| <Bt|j} tjt| } | D]}||vrg||<||j|!| S)zCPrompts user to choose vhosts to install a wildcard certificate forxr)c|jSrsslrs r8preference_testzBNginxConfigurator._choose_vhosts_wildcard..preference_tests uu r:c|j Srrrs r8rzBNginxConfigurator._choose_vhosts_wildcard..preference_tests55y r:)rOr VirtualHostboolrPr get_vhosts_vhost_listening_on_port_no_sslnamessetvaluesrselect_vhost_multiplelistappend) r@rrr vhosts_cacherrfiltered_vhostsrname dialog_input return_vhostss r8_choose_vhosts_wildcardz)NginxConfigurator._choose_vhosts_wildcardsE 00L 3?? t  99L !3?? !t ! \ !' ''') 2E!-;;ECUV  2"5),1OD)0,1OD)  2 2?1134 $99$|:LM " /E\)') V$  ' ' . / r: target_namecv|j|}|j|fDcgc]}|| }}|Scc}wr)_get_ranked_matches_select_best_name_match)r@rmatchesrrs r8_choose_vhost_singlez&NginxConfigurator._choose_vhost_singleHsB**;7"::7CDV !VV Ws66rc`tj|r|j|d}n|j|}|sL|r2|j |dt |j jg}ntjd|z|D] }|jr|j|"|S)aChooses a virtual host based on the given domain name. .. note:: This makes the vhost SSL-enabled if it isn't already. Follows Nginx's server block selection rules preferring blocks that are already SSL. .. todo:: This should maybe return list if no obvious answer is presented. :param str target_name: domain name :param bool create_if_no_match: If we should create a new vhost from default when there is no match found. If we can't choose a default, raise a MisconfigurationError. :returns: ssl vhosts associated with name :rtype: list of :class:`~certbot_nginx._internal.obj.VirtualHost` T)ra Cannot find a VirtualHost matching domain %s. In order for Certbot to correctly perform the challenge please add a corresponding server_name directive to your nginx configuration for every domain on your certificate: https://nginx.org/en/docs/http/server_names.html) ris_wildcard_domainrr_vhost_from_duplicated_defaultrfrq https_portrMisconfigurationErrorr_make_server_ssl)r@rrrrs r8rzNginxConfigurator.choose_vhostsMs(  " "; /11+$1OF..{;F!==k4 ../1222PU` abb -E99%%e, - r:portc|jj}d}d}|D]D}|jD]3}|jrd}|js|j |k(s2d}5F||fS)a,Returns tuple of booleans (ipv6_active, ipv6only_present) ipv6_active is true if any server block listens ipv6 address in any port ipv6only_present is true if ipv6only=on option exists in any server block ipv6 listen directive for the specified port. :param str port: Port to check ipv6only=on directive for :returns: Tuple containing information if IPv6 is enabled in the global configuration, and existence of ipv6only directive for specified port :rtype: tuple of type (bool, bool) FT)rrripv6ipv6onlyget_port)r@rr ipv6_activeipv6only_presentvhrs r8 ipv6_infozNginxConfigurator.ipv6_infozsw'')   ,B ,99"&K==T]]_%<'+$  , , ,,,r:allow_port_mismatchc"|jJ|jN|j|||}|jj|d|_t |j_|j |j||jS)zif allow_port_mismatch is False, only server blocks with matching ports will be used as a default server block template. T)remove_singleton_listen_params)rrN_get_default_vhostduplicate_vhostrr_add_server_name_to_vhost)r@rrr default_vhosts r8rz0NginxConfigurator._vhost_from_duplicated_defaults {{&&& >> ! 33F~~r:c|jj|ddgg}|jD]*}|djd|dj|,|jj ||y)Nr server_namerr)rr(rrr)r@rr name_blockrs r8rz+NginxConfigurator._add_server_name_to_vhostsl /0 KK 'D qM  % qM  & ' 33E:Fr:c|jj}g}g}|D]c}|jD]R}|js|j ||j ||j r|j |cet|dk(r|dSt|dk(r|r|dStjd|d)zRHelper method for _vhost_from_duplicated_default; see argument documentation thererrz9Could not automatically find a matching server block for z=. Set the `server_name` directive to use the Nginx installer.) rrrr-r _port_matchesrlenrr) r@rrr vhost_listall_default_vhostsport_matching_vhostsrrs r8rz$NginxConfigurator._get_default_vhosts[[++- ! E  <<&--e4))$ @,33E:    # $ )'* * # $ ).A%a( (**,88>x@I,IJ Jr:cZ|jj}|j||S)a)Returns a ranked list of vhosts that match target_name. The ranking gives preference to SSL vhosts. :param str target_name: The name to match :returns: list of dicts containing the vhost, the matching name, and the numerical rank :rtype: list )rr_rank_matches_by_name_and_ssl)r@rrs r8rz%NginxConfigurator._get_ranked_matchess)[[++- 11*kJJr:rc|sy|ddttttzttzfvr1|dd}|Dcgc] }|d|k(s |}}t|ddS|ddScc}w)a%Returns the best name match of a ranked list of vhosts. :param list matches: list of dicts containing the vhost, the matching name, and the numerical rank :returns: the most matching vhost :rtype: :class:`~certbot_nginx._internal.obj.VirtualHost` Nrrankct|dS)Nr)rrs r8z;NginxConfigurator._select_best_name_match..sAfIr:keyr)START_WILDCARD_RANKEND_WILDCARD_RANKNO_SSL_MODIFIERmax)r@rrr wildcardss r8rz)NginxConfigurator._select_best_name_matchs QZ $79J / 13D3V$XX1:f%D$+AqqyD/@AIAy&>?H Hqz'""Bs A) A)rcng}|D]}tj||j\}}|dk(r|j||tdE|dk(r|j||t dd|dk(r|j||t d|dk(s|j||tdt|dS)aReturns a ranked list of vhosts from vhost_list that match target_name. This method should always be followed by a call to _select_best_name_match. :param list vhost_list: list of vhosts to filter and rank :param str target_name: The name to match :returns: list of dicts containing the vhost, the matching name, and the numerical rank :rtype: list exact)rrrwildcard_start wildcard_endregexc |dSNrrs r8rz9NginxConfigurator._rank_matches_by_name..  QvYr:r) rget_best_matchrr NAME_RANKrr REGEX_RANKsorted)r@rrrr name_typers r8_rank_matches_by_namez'NginxConfigurator._rank_matches_by_names" 5E$33KMOItG#(,(1 34..(,(; =>n,(,(9 ;<g%(,(2 45 5$g#677r:c|j||}|D]#}|djr|dxxtz cc<%t|dS)aReturns a ranked list of vhosts from vhost_list that match target_name. The ranking gives preference to SSLishness before name match level. :param list vhost_list: list of vhosts to filter and rank :param str target_name: The name to match :returns: list of dicts containing the vhost, the matching name, and the numerical rank :rtype: list rrc |dSrrrs r8rzANginxConfigurator._rank_matches_by_name_and_ssl..rr:r)r rrr )r@rrrmatchs r8rz/NginxConfigurator._rank_matches_by_name_and_ssl sP,,ZE 1E>%%f 0  1g#677r:ctj|r|j|d|}|S|j||}|j |fDcgc]}|| }}|Scc}w)a`Chooses a single virtual host for redirect enhancement. Chooses the vhost most closely matching target_name that is listening to port without using ssl. .. todo:: This should maybe return list if no obvious answer is presented. .. todo:: The special name "$hostname" corresponds to the machine's hostname. Currently we just ignore this. :param str target_name: domain name :param str port: port number :returns: vhosts associated with name :rtype: list of :class:`~certbot_nginx._internal.obj.VirtualHost` F)rr)rrr_get_redirect_ranked_matchesr)r@rrrrrs r8choose_redirect_vhostsz(NginxConfigurator.choose_redirect_vhostssy&  " "; /11+%#'2)F  77 TJG"&">">w"G!HYA1=aYFY Zs A"A"c "|j|Dcgc]}|sd|vs |d}}|Dcgc]4}|j|t|jjdr|6}}|Dcgc]4}|j|t|jj dr|6}}|s6 |j |dt|jjg}||fS||fScc}wcc}wcc}w#tj$rg}Y||fSwxYw)aReturns a list of HTTP and HTTPS vhosts with a server_name matching target_name. If no HTTP vhost exists, one will be cloned from the default vhost. If that fails, no HTTP vhost will be returned. :param str target_name: non-wildcard domain name :returns: tuple of HTTP and HTTPS virtualhosts :rtype: tuple of :class:`~certbot_nginx._internal.obj.VirtualHost` rFT) r_vhost_listeningrfrq http01_portrrrr)r@rmrr http_vhosts https_vhostss r8choose_auth_vhostsz$NginxConfigurator.choose_auth_vhosts:s9'+&>&>{&KbqU\`aUa!G*bb$*Wb,,RT[[5L5L1MuUW W%+Vr--b#dkk6L6L2MtTV V !#BB;PUCFt{{G^G^C_ ab L(({L((cWV// ! L(( !s,C$C$C$9C)-9C.+1C33D D test_port matching_portc8|dk(s|||jk(S||k(S)NrG)DEFAULT_LISTEN_PORT)r@rrs r8rzNginxConfigurator._port_matchesWs+ B -"7 8 88 8M))r:rcjJjj|dtjdtffd |j sj k(xrk(Stfd|j DS)aTests whether a vhost has an address listening on a port with SSL enabled or disabled. :param `obj.VirtualHost` vhost: The vhost whose addresses will be tested :param port str: The port number as a string that the address should be bound to :param bool ssl: Whether SSL should be enabled or disabled on the address :returns: Whether the vhost has an address listening on the port and protocol. :rtype: bool rr)cLr|jxsS|j xr Srr)rall_addrs_are_sslrs r8 _ssl_matchesz8NginxConfigurator._vhost_listening.._ssl_matchesps.4748800 :xx<9(9$9 :r:c3rK|].}j|jxr|0ywr)rr)rrr rr@s r8rz5NginxConfigurator._vhost_listening..ys9,%%dDMMO<SdASS,s47)rhas_ssl_on_directiverAddrrrrany)r@rrrr rs` ``@@r8rz"NginxConfigurator._vhost_listening^s{{&&&!KK<._vhost_matchess77tD Dr:)rrrrrfrr )r@rr all_vhostsr)rmatching_vhostss` r8rz.NginxConfigurator._get_redirect_ranked_matchessq[[++-  E#// E E E/9XUN5RVwxYw#t j,t j.t j0f$rYPwxYw)zReturns all names found in the Nginx Configuration. :returns: All ServerNames, ServerAliases, and reverse DNS entries for virtual host addresses :rtype: set z $hostnamer)rrrrremover(socket gethostnameKeyErrorupdaterget_addrrhostname_regexrprivate_ips_regexrget_ipv6_exploded inet_ptonAF_INET6AF_INET gethostbyaddrerrorherrortimeoutrget_filtered_names)r@ all_namesrrhosts r8 get_all_nameszNginxConfigurator.get_all_namessh"e [[++- !E  "";/  2 2 45   U[[ )  !}}((..t4MM$'1177=!99#'#9#9#;D",,V__dC",,V^^TB! f&:&:4&@&CD ! !4&&y11-  &#LL&--H! !s%AF$>B F4$ F10F142G*)G*ctjj|jjd}t j d|d|jj}|jJtjjtjj|j}tj|t!j"g}tjj%tjj|}t'j(tjj|dd \}}|5|j+|ddd||jfS#1swYxYw) zBGenerate invalid certs that let us create ssl directives for Nginxsnakeoilizkey.pem)key_sizekey_dirkeynamestrict_permissionsN)domainszcert.pemwb)mode)rr<r=rqwork_dirr generate_keyrFfileOpenSSLcryptoload_privatekey FILETYPE_PEMpemacme_crypto_util gen_ss_certr.r/dump_certificater unique_filewrite)r@tmp_dirle_keyrcertcert_pem cert_filers r8_get_snakeoil_pathsz%NginxConfigurator._get_snakeoil_pathss'',,t{{33Z@))7I#{{==?{{&&&nn,, NN ' '5++C&:L:L:N9OP>>22 NN ' '/#// GGLL* -D : 9  & OOH % &&++%% & &s E66E?c |jj}|jt|}dg}dg}|js-ddd|j gg}|j j|||jr>ddddj|ddg}|ds"|jd|jd|jrdddd j|ddg}|j\}}||dd d|gdd d|gdd d|jgdd d|jgg} |j j|| y)zMake a server SSL. Make a server SSL by adding new listen and SSL directives. :param vhost: The vhost to add SSL to. :type vhost: :class:`~certbot_nginx._internal.obj.VirtualHost` rGrlistenrz[::]:{0}rrz ipv6only=onz{0}r%r&includer'N)rqrrrfrrradd_server_directives ipv6_enabledrr ipv4_enabledr\rt ssl_dhparams) r@rripv6info ipv6_block ipv4_block listen_block snakeoil_cert snakeoil_key ssl_blocks r8rz"NginxConfigurator._make_server_sslse[[++ >>#j/2T T {{%xd6N6NOPL KK - -e\ B    ""$++J7 !J A;!!#&!!-0    "",,z2 !J'+&>&>&@# |   (#} = ,c< @ y#t'8'8 9 }c4+<+< =   )) 9 r:c gdS)z)Returns currently supported enhancements.rHrr?s r8supported_enhancementsz(NginxConfigurator.supported_enhancementss@@r: enhancementoptionsc |j|||y#ttf$r%tjdj |wxYw)awEnhance configuration. :param str domain: domain to enhance :param str enhancement: enhancement type defined in :const:`~certbot.plugins.enhancements.ENHANCEMENTS` :param options: options for the enhancement See :const:`~certbot.plugins.enhancements.ENHANCEMENTS` documentation for appropriate parameter. zUnsupported enhancement: {0}N)rUr0 ValueErrorrrr)r@rrmrns r8enhancezNginxConfigurator.enhance sX D +D  { +FG <*% D$$.55kBD D Ds 4A cLtt|}|j|Sr)_test_block_from_block_redirect_block_for_domain contains_list)r@rrtest_redirect_blocks r8_has_certbot_redirectz'NginxConfigurator._has_certbot_redirects&45OPV5WX""#677r:header_substringcXt|ts"tjdt |d|t j vrtj|d|j|}|stjd|D]}|j|rtjd|z|jr0td|jDr|j|\}}ddd |d gt j |zd gg}|jj!||y ) abEnables header identified by header_substring on domain. If the vhost is listening plaintextishly, separates out the relevant directives into a new server block, and only add header directive to HTTPS block. :param str domain: the domain to enable header for. :param str header_substring: String to uniquely identify a header. e.g. Strict-Transport-Security, Upgrade-Insecure-Requests :returns: Success :raises .errors.PluginError: If no viable HTTPS host can be created or set with header header_substring. zInvalid header_substring type z, expected a str.z& is not supported by the nginx plugin.z8Unable to find corresponding HTTPS host for enhancement.zExisting %s headerc36K|]}|j ywrrrs r8rz5NginxConfigurator._set_http_header..As F$TXX Fsr add_headerrrN) isinstancerfrNotSupportedErrorr2r HEADER_ARGSrr has_headerPluginEnhancementAlreadyPresentrr$r _split_blockrr`)r@rrxrr_header_directivess r8rSz"NginxConfigurator._set_http_header!sK*C0**+K.23C.D-EEV,XY Y 9#8#8 8**#$$JKM M##F+$$JL L HE 01<<(,<=?? yyS F%++ FF,,U35<.>D))*:;<!  KK - -e5F G Hr:cVt|}|jj||dy)z(Add redirect directive to vhost T) insert_at_topN)rtrr`)r@rrredirect_blocks r8_add_redirect_blockz%NginxConfigurator._add_redirect_blockJs,4F; )) > * 7r:only_directivescjj||}dtdtfd}dtdtffd }dtdtfd}jD]}jj || jj |d|jj |d |jj |d|||fS) aSplits this "virtual host" (i.e. this nginx server block) into separate HTTP and HTTPS blocks. :param vhost: The server block to break up into two. :param list only_directives: If this exists, only duplicate these directives when splitting the block. :type vhost: :class:`~certbot_nginx._internal.obj.VirtualHost` :returns: tuple (http_vhost, https_vhost) :rtype: tuple of type :class:`~certbot_nginx._internal.obj.VirtualHost` )r directiver)c d|vSNrrrs r8_ssl_match_funcz7NginxConfigurator._split_block.._ssl_match_func`s I% %r:c j|vSr)rt)rr@s r8_ssl_config_match_funcz>NginxConfigurator._split_block.._ssl_config_match_funccs$$ 1 1r:c d|vSrrrs r8_no_ssl_match_funcz:NginxConfigurator._split_block.._no_ssl_match_funcfs  ) )r:r^) match_funcr_)rrrfrSSL_DIRECTIVESremove_server_directives)r@rr http_vhostrrrrs` r8rzNginxConfigurator._split_blockRs[[000X  &s &t & 2c 2d 2 *# *$ *,, HI KK 0 0Y G H ,,Zo,^ ,,Z8N - P ,,UHI[,\5  r:unused_optionsc|j}|j||}|s!tjd|jy|D]}|j ||y)aRedirect all equivalent HTTP traffic to ssl_vhost. If the vhost is listening plaintextishly, separate out the relevant directives into a new server block and add a rewrite directive. .. note:: This function saves the configuration :param str domain: domain to enable redirect for :param unused_options: Not currently used :type unused_options: Not Available z>No matching insecure server blocks listening on port %s found.N)rrrr_enable_redirect_single)r@rrrrrs r8rRz"NginxConfigurator._enable_redirectts`'',,VT: KKX(( *  8E  ( ( 7 8r:c|jr:|j|ddg\}}gdg}|jj|||}|j ||r,t j d|j|jy|j||t j d|j|jy)aRedirect all equivalent HTTP traffic to ssl_vhost. If the vhost is listening plaintextishly, separate out the relevant directives into a new server block and add a rewrite directive. .. note:: This function saves the configuration :param str domain: domain to enable redirect for :param `~obj.Vhost` vhost: vhost to enable redirect for r^r)rr)r404z3Traffic on port %s already redirecting to ssl in %sz/Redirecting all traffic on port %s to ssl in %sN) rrrr`rwrrrrr)r@rrrrreturn_404_directives r8rz)NginxConfigurator._enable_redirect_singles 99 --eh 5NOMJ%E#E KK - -j:N OE  % %eV 4 KKM((%++ 7  $ $UF 3 KKI((%++ 7r:ct|ts$|"tjdt |d|j |}|D]}|j ||y)zInclude OCSP response in TLS handshake :param str domain: domain to enable OCSP response for :param chain_path: chain file path :type chain_path: `str` or `None` NzInvalid chain_path type z, expected a str or None.)r|rfrr}r2r_enable_ocsp_stapling_single)r@rrrrs r8rTz'NginxConfigurator._enable_ocsp_staplingss*c*z/E**-Ed:FVEWXE,EF F##F+ AE  - -eZ @ Ar:c|jdkrtjd|tjdddd|ggdgd d gg} |jj |||xjd j|jz c_ |xjd j|z c_ |xjdz c_ |xjdz c_ y#tj $rQ}t jt|tjd j|jd}~wwxYw)zInclude OCSP response in TLS handshake :param str vhost: vhost to enable OCSP response for :param chain_path: chain file path :type chain_path: `str` or `None` )rrzCVersion 1.3.7 or greater of nginx is needed to enable OCSP staplingNzh--chain-path is required to enable Online Certificate Status Protocol (OCSP) stapling on nginx >= 1.3.7.rssl_trusted_certificater)r ssl_staplingron)rssl_stapling_verifyrrrz7An error occurred while enabling OCSP stapling for {0}.z-OCSP Stapling was enabled on SSL Vhost: {0}. z ssl_trusted_certificate {0} z ssl_stapling on z ssl_stapling_verify on ) rErrrr`rrrrfrrrMr)r@rrstapling_directivesr:s r8rz.NginxConfigurator._enable_ocsp_stapling_singles9 <<) #$$&IJ J  $$%& & 0#z B 1 84&B  N KK - -e.A C 3396%++3F H <CCJOO 00 77++ N LLU $$$&99? 9LN N Ns C%%E 8A EE cnt|jd|j|jdy)zlRestarts nginx server. :raises .errors.MisconfigurationError: If either the reload fails. r/r0N) nginx_restartr>rAr?s r8restartzNginxConfigurator.restarts& dii&?9STr:c tj|jdd|jdgy#tj $r#}t j t|d}~wwxYw)z{Check the configuration of Nginx for errors. :raises .errors.MisconfigurationError: If config_test fails r/-cz-tN)r run_scriptr>rArSubprocessErrorrrf)r@errs r8rzNginxConfigurator.config_testsT  9 OOTYYu-tT__dK L%% 9..s3x8 8 9s25A+A&&A+c  tj|jdd|jdgtjtjddt j }|j}|S#ttf$rL}tjt|dtjd|jdzd }~wwxYw) zReturn results of nginx -V :returns: version text :rtype: str :raises .PluginError: Unable to run Nginx version command r/rz-VTF)stdoutstderruniversal_newlinescheckenvrzUnable to run %s -VN) subprocessrunr>rAPIPErenv_no_snap_for_external_callsrrrprrrfrr)r@proctextr:s r8_nginx_versionz NginxConfigurator._nginx_versions :>>5!4$?!!#'779 ;D;;D  $ : LLUdL 3$$% %(88: : :sA2A66CAC  C.c|j}tjdtj}|j |}tjdtj}|j |}tjd}|j |}|st j d|st j d|st j d|d\}} |dk7rtjd |td | jd D} | d krt jd | S)zReturn version of Nginx Server. Version is returned as tuple. (ie. 2.4.7 = (2, 4, 7)) :returns: version :rtype: tuple :raises .PluginError: Unable to find Nginx version or version is unsupported z!nginx version: ([^/]+)/([0-9\.]*)zTLS SNI support enabledz --with-http_ssl_modulezUnable to find Nginx versionz;Nginx build is missing SSL module (--with-http_ssl_module).zNginx build doesn't support SNIrnginxz:NGINX derivative %s is not officially supported by certbotc32K|]}t|ywr)r5ris r8rz0NginxConfigurator.get_version..5sIc!fIr.)r0zNginx version must be 0.8.48+) rrecompile IGNORECASEfindallrrrwarningtuplesplitr}) r@r version_regexversion_matches sni_regex sni_matches ssl_regex ssl_matches product_nameproduct_version nginx_versions r8rzNginxConfigurator.get_versions*""$ #GW '//5JJ92==I ''- JJ9: ''- $$%CD D$$MO O$$%FG G(7(:% o 7 " NN&'3 5Io.C.CC.HII  : %**+JK Kr:c|j}tjd|}|s.tjd|}|stj dy|dS)aReturn version of OpenSSL linked to Nginx. Version is returned as string. If no version can be found, empty string is returned. :returns: openssl_version :rtype: str :raises .PluginError: Unable to run Nginx version command zrunning with OpenSSL ([^ ]+) zbuilt with OpenSSL ([^ ]+) zRNGINX configured with OpenSSL alternatives is not officially supported by Certbot.rGr)rrrrr)r@rrs r8rz&NginxConfigurator._get_openssl_version>sX""$**=tDjj!?FG -.qzr:cdjtj|jjdj d|j DS)z3Human-readable string to help understand the modulez^Configures Nginx to authenticate and install HTTPS.{0}Server root: {root}{0}Version: {version}rc32K|]}t|ywrrrs r8rz.NginxConfigurator.more_info..[s >AQ >r)rootrE)rrlinesepr config_rootr=rEr?s r8 more_infozNginxConfigurator.more_infoTsE !!' !8!8 > >>"("@ r:failed_achallsc y)NzThe Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.r)r@rs r8 auth_hintzNginxConfigurator.auth_hint^s  , r:title temporaryc t|jjj}|j ||j |d|_|jj d|r|s|j|yyy)aSaves all changes to the configuration files. :param str title: The title of the save. If a title is given, the configuration will be saved as a new checkpoint and put in a timestamped directory. :param bool temporary: Indicates whether the changes made will be quickly reversed in the future (ie. challenges) :raises .errors.PluginError: If there was an error in an attempt to save the configuration, or an error creating a checkpoint rG)extN)rrparsedkeysadd_to_checkpointrMfiledumpfinalize_checkpoint)r@rr save_filess r8savezNginxConfigurator.saveiso++0023  z4??IF $   $ $U +#5r:cdt|d|_|jj y)zRevert all previously modified files. Reverts all modified files that have not been saved as a checkpoint :raises .errors.PluginError: If unable to recover the configuration N)rKrWrNrload)r@rXs r8rWz"NginxConfigurator.recovery_routines'  " r:cf|jd|_|jjy)zUsed to cleanup challenge configurations. :raises .errors.PluginError: If unable to revert the challenge config. N)revert_temporary_configrNrrr?s r8revert_challenge_configz)NginxConfigurator.revert_challenge_configs' $$& r:rollbackcft||d|_|jj y)zRollback saved checkpoints. :param int rollback: Number of checkpoints to revert :raises .errors.PluginError: If there is a problem with the input or the function is unable to correctly revert the configuration N)rKrollback_checkpointsrNrr)r@rrXs r8rz&NginxConfigurator.rollback_checkpointss) $X. r: unused_domainc$tjgS)z%Return list of challenge preferences.)rHTTP01)r@rs r8get_chall_prefz NginxConfigurator.get_chall_prefs!!""r:achallsc|xjt|z c_dgt|z}tj|}t |D]F\}}t |t jstjd|j||H|j}|jt |D]\}}|||j|<|Dcgc]}|s| c}Scc}w)a Perform the configuration related challenge. This function currently assumes all challenges will be fulfilled. If this turns out not to be the case in the future. Cleanup and outstanding challenges will have to be designed better. NzEChallenge should be an instance of KeyAuthorizationAnnotatedChallenge)rQrr NginxHttp01 enumerater|r"KeyAuthorizationAnnotatedChallengerError add_challperformrindices) r@r responses http_doerrachall http_responserespresponses r8rzNginxConfigurator.performs 3w<'CG&3w#>#>>RU>$'>,0>0C#//CsCcC"%C7:C?CC*EI/c/t/4Y'H^b'HR77#7$7 !#// !HTRUYDW ! @A !D8s8)1%T#Y2G)H8MQ887c7#//7d7:ACA*25d3i3H*IANRA $8#//$819#$8CG$8RU 90+U38_+Zc, 3  "*;+I+I"J OR ,(3-,4,D,0  S   #C#Dj>R>R9S4T# !@tK$B$BC!@*667!@HtK$B$BCr:r#blockr)cbtj|}tj|d|ddS)Nr)r UnspacedListrcomment_directive)r test_blocks r8rsrss.))%0J Z+ cr?r:rc |}d}tj|r.d}|jdd}|jdd}d|zdz}d d d d d |d d |zd g gdd ggdgg}|S)N=~rz\.*z[^.]+^$rifrz($hostz%s))z r)r301rzhttps://$host$request_urir)rrreplace)rupdated_domain match_symbolrs r8rtrtsNL v& '//U;'//W=~-3 4h\3@VX[\ O   N r: nginx_ctlrAsleep_durationcJ d}tj5}tj|d|ddgt j ||d}|j d|jjd}d d d jdk7rtjd |tj5}tj|d|g||t j d }|jdk7rF|j dtjd |jjdz d d d |dkDrt!j"|y y #1swYxYw#1swY1xYw#ttf$rtjd wxYw)aRestarts the Nginx Server. .. todo:: Nginx restart is fatal if the configuration references non-existent SSL cert/key files. Remove references to /etc/letsencrypt before restart. :param str nginx_ctl: Path to the Nginx binary. :param str nginx_conf: Path to the Nginx configuration file. :param int sleep_duration: How long to sleep after sending the reload signal. rGrz-sreloadF)rrrrrzutf-8Nznginx reload failed: %s)rrrrznginx restart failed: %sznginx restart failed)tempfile TemporaryFilerrrrseekreaddecode returncoderrrrrrptimesleep)r!rAr" reload_outputoutr nginx_procs r8rrsC  # # % 7>>9dJh"O&*&I&I&K),SGD HHQKHHJ--g6M  7 ??a  LL3] C'') RS'^^Yj,Is0S0S0U]bd ((A-HHQK 663chhj6G6G6PPRR. R >"7 7 7 R R Z C**+ABBCs=E=A"E%:AE=;BE1E=%E.*E=1E:6E==%F"ctjjddk(r%tjdtj }|Stj d}|S)N CERTBOT_DOCS1z or r,)renvirongetrLINUX_SERVER_ROOTFREEBSD_DARWIN_SERVER_ROOTr4)r7s r8r3r3s^ zz~~n%,"+"="=!>?%%.%I%I$J L (44]C r:)Brr` contextlibrloggingrr.rsysr%r+typingrrrrrr r r r r rrrMacmerrrRcertbotrrrcertbot.compatrcertbot.displayrcertbot.pluginsrcertbot_nginx._internalrrrrrr version_infoimportlib.resources resourcesrcrrrrr getLoggerrr Configuratorr#rsrfrtr5rr3rr:r8rFs/    00"-/+/'*v5      8 $]++]@%$s)S  s tCy  *#S*#c*#3*#4*#Zr: