# ip2nginx



--- ## πŸ’‘ Project Overview **ip2nginx** is a lightweight and secure system for dynamically updating NGINX reverse proxy configurations based on public IP address changes, typically reported by edge devices like **pfSense**. It ensures that NGINX always routes traffic through the correct IP, even in dynamic environments. --- ## πŸ“š Table of Contents - [πŸ’‘ Project Overview](#-project-overview) - [βš™οΈ Features](#-features) - [πŸ“ Project Structure](#-project-structure) - [πŸš€ Update Process: update.php](#-remote-update-api-updatephp) - [πŸš€ Update Process: updater.php](#-update-process-updaterphp) - [πŸ›  Environment Setup: check_env.php](#-check_envphp-environment-setup) - [πŸ“… Cron Setup with run.sh](#-cron-setup-runsh) - [πŸ”„ Usage Example from pfSense](#-pfsense-shell-example) - [βœ… Example Entry in token.json](#-example-tokenjson) - [βœ… Example Entry in meta.json](#-example-metajson) - [πŸ›‘ Security](#-security-highlights) - [βœ… Requirements](#-requirements) - [πŸ“œ License](#-license) - [🀝 Author](#-author) --- ## βš™οΈ Features - Accepts remote updates via `update.php` using **token-authenticated** requests. - Supports both `POST` and `GET`, though **POST is preferred** to avoid token caching. - Updates only the `proxy_pass` line in the relevant `location` block of `nginx.conf`. - Automatically marks entries in `meta.json` as `"changed": 1` when input changes. - Logs all changes to `log.json` with timestamps. - Automatically reloads NGINX: `nginx -t && systemctl reload nginx` (requires root). - Built-in abuse protection: failed requests tracked and blocked. - `.htaccess` ensures that only `update.php` is externally accessible. --- ## πŸ“ Project Structure ``` ip2nginx/ β”œβ”€β”€ index.php # Shared configuration and fallback error handler β”œβ”€β”€ update.php # Receives incoming remote IP update requests β”œβ”€β”€ updater.php # CLI-only: applies changes to nginx.conf if marked β”œβ”€β”€ run.sh # Wrapper script for cron automation β”œβ”€β”€ check_env.php # Environment validator and bootstrapper β”œβ”€β”€ .htaccess # Blocks unauthorized access, routes traffic β”œβ”€β”€ data/ β”‚ β”œβ”€β”€ meta.json # Stores current configuration state per domain β”‚ β”œβ”€β”€ token.json # Stores allowed tokens (auth) β”‚ β”œβ”€β”€ log.json # Stores audit log of changes β”‚ β”œβ”€β”€ blocklist.json # Temporarily blocked IPs (48h ban) β”‚ └── failures.json # Tracks failed attempts per IP ``` --- ## 🌐 Remote Update API: `update.php` Supports **POST** (preferred) and **GET** methods. | Parameter | Required | Description | |------------|----------|-----------------------------------------------------------------------------| | `name` | βœ… | Identifier (e.g. `domain1.to.com`) | | `token` | βœ… | Secret token assigned for this name | | `ip` | ❌ | New public IP (default: auto-detected from request) | | `domain` | ❌ | Backend domain to proxy to (default: same as IP) | | `port` | ❌ | Port number (default: 443 for https, 80 for http) | | `protocol` | ❌ | One of `http` or `https` (default: `http`) | | `location` | ❌ | NGINX location block path to update (default: `/`) | Any change in `ip`, `domain`, `port`, or `protocol` triggers `"changed": 1` in `meta.json`. If **any parameter is received via GET**, then `ip` and `domain` will be overridden with the **client’s real IP** for security. --- ## 🧩 Update Process: `updater.php` To apply updates made via `update.php`: 1. Load all entries from `meta.json` 2. Check for entries marked `"changed": 1` 3. Find `/var/www/vhosts/system//conf/nginx.conf` 4. Modify the appropriate `location` block’s `proxy_pass` directive only 5. Validate and reload NGINX 6. Reset `"changed": 0` --- ## πŸ›  `check_env.php`: Environment Setup This CLI script validates: - Config files and permissions - JSON structure of each config file - Auto-creates missing files (with defaults) - Token file includes example if missing --- ## ⏱ Cron Setup: `run.sh` To automate updates, add `run.sh` to your crontab as root: ```sh sudo crontab -e ``` Then add: ```cron */5 * * * * /path/to/ip2nginx/run.sh ``` This ensures automatic application of proxy changes to NGINX config and reloads. --- ## πŸ”„ pfSense Shell Example Add the following script to `pfSense` via `System > Advanced > Cron`: ```sh #!/bin/sh SERVER="https://your-server.com/ip2nginx" NAME="domain1.to.com" DOMAIN="domain.from.com" TOKEN="YOUR_SECRET_TOKEN" curl -s -X POST "$SERVER/update.php" -d "name=$NAME" -d "domain=$DOMAIN" -d "protocol=https" -d "port=443" -d "token=$TOKEN" ``` --- ## βœ… Example: `token.json` ```json { "domain1.to.com": "SECRET_TOKEN_8v73jDKsdLzAq9DkeUz1", "domain2.to.com": "SECRET_TOKEN_3im83jUj28mjo2mI23un" } ``` --- ## βœ… Example: `meta.json` ```json { "domain1.to.com": { "domain": "domain.from.com", "ip": "192.0.2.4", "port": "443", "protocol": "https", "location": "/", "time": "2025-05-16T09:00:00+00:00", "changed": 1 } } ``` --- ## πŸ”’ Security Highlights - `.htaccess` denies access to all files except `update.php`. - Only HTTPS connections should be used. - All tokens are stored securely and verified per name. - After 3 failed attempts, IP is banned for 48 hours. - Generic error messages avoid leaking details to attackers. --- ## βœ… Requirements - PHP 7.4 or newer - NGINX with reload access (`sudo systemctl reload nginx`) - `curl` on the client side - Token definitions in `token.json` --- ## πŸ“œ License MIT (or similar): Open-source, free for use and modification. --- ## 🀝 Autor **Maintained by [SAFE-CAP / Alexander Schiemann](https://safe-cap.com)**