SAFE-CAP/ip2nginx
SAFE-CAP/ip2nginx
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ip2nginx/README.md
Alexander Schiemann 5c0511db27 2025-05-21_1
2025-05-21 13:35:18 +02:00

197 lines
6.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ip2nginx
[![Donate](https://img.shields.io/badge/Donate-PayPal-blue.svg)](https://www.paypal.com/donate/?hosted_button_id=JNFS79EFEM7C6)
<!-- TOC -->
## 📚 Table of Contents
- [💡 Project Overview](#-project-overview)
- [⚙️ Features](#-features)
- [📁 Project Structure](#-project-structure)
- [🚀 Update Process: update.php](#-update-process-updatephp)
- [🚀 Update Process: updater.php](#-update-process-updaterphp)
- [✅ Example Entry in meta.json](#-example-entry-in-metajson)
- [✅ Example Entry in token.json](#-example-entry-in-tokenjson)
- [🛡 Security](#-security)
- [🔄 Usage Example from pfSense](#-usage-example-from-pfsense)
- [📅 Cron Setup with run.sh](#-cron-setup-with-runsh)
- [✅ Dependencies](#-dependencies)
- [📜 License](#-license)
- [🤝 Author](#-author)
<!-- /TOC -->
**ip2nginx** is a lightweight and secure system for dynamically updating NGINX reverse proxy configurations based on public IP address changes, typically reported by edge devices like **pfSense**. It ensures that NGINX always routes traffic through the correct IP, even in dynamic environments.
**Current Version:** `0.0.1`
---
## ⚙️ Features
- Accepts remote updates via `update.php` using **token-authenticated** requests.
- Supports both `POST` and `GET`, though **POST is preferred** to avoid token caching.
- Updates only the `proxy_pass` line in the relevant `location` block of `nginx.conf`.
- Automatically marks entries in `meta.json` as `"changed": 1` when input changes.
- Logs all changes to `log.json` with timestamps.
- Automatically reloads NGINX: `nginx -t && systemctl reload nginx` (requires root).
- Built-in abuse protection: failed requests tracked and blocked.
- `.htaccess` ensures that only `update.php` is externally accessible.
---
## 📁 Project Structure
```
ip2nginx/
├── index.php # Shared configuration and fallback error handler
├── update.php # Receives incoming remote IP update requests
├── updater.php # CLI-only: applies changes to nginx.conf if marked
├── run.sh # Wrapper script for cron automation
├── check_env.php # Environment validator and bootstrapper
├── .htaccess # Blocks unauthorized access, routes traffic
├── data/
│ ├── meta.json # Stores current configuration state per domain
│ ├── token.json # Stores allowed tokens (auth)
│ ├── log.json # Stores audit log of changes
│ ├── blocklist.json # Temporarily blocked IPs (48h ban)
│ └── failures.json # Tracks failed attempts per IP
```
---
## ✅ Example: `token.json`
```json
{
"domain1.to.com": "SECRET_TOKEN_8v73jDKsdLzAq9DkeUz1",
"domain2.to.com": "SECRET_TOKEN_3im83jUj28mjo2mI23un"
}
```
---
## ✅ Example: `meta.json`
```json
{
"domain1.to.com": {
"domain": "domain.from.com",
"ip": "192.0.2.4",
"port": "443",
"protocol": "https",
"location": "/",
"time": "2025-05-16T09:00:00+00:00",
"changed": 1
}
}
```
---
## 🌐 Remote Update API: `update.php`
Supports **POST** (preferred) and **GET** methods.
| Parameter | Required | Description |
|------------|----------|-----------------------------------------------------------------------------|
| `name` | ✅ | Identifier (e.g. `domain1.to.com`) |
| `token` | ✅ | Secret token assigned for this name |
| `ip` | ❌ | New public IP (default: auto-detected from request) |
| `domain` | ❌ | Backend domain to proxy to (default: same as IP) |
| `port` | ❌ | Port number (default: 443 for https, 80 for http) |
| `protocol` | ❌ | One of `http` or `https` (default: `http`) |
| `location` | ❌ | NGINX location block path to update (default: `/`) |
Any change in `ip`, `domain`, `port`, or `protocol` triggers `"changed": 1` in `meta.json`.
If **any parameter is received via GET**, then `ip` and `domain` will be overridden with the **clients real IP** for security.
---
## 🧩 Update Process: `updater.php`
To apply updates made via `update.php`:
1. Load all entries from `meta.json`
2. Check for entries marked `"changed": 1`
3. Find `/var/www/vhosts/system/<domain>/conf/nginx.conf`
4. Modify the appropriate `location` blocks `proxy_pass` directive only
5. Validate and reload NGINX
6. Reset `"changed": 0`
---
## 🛠 `check_env.php`: Environment Setup
This CLI script validates:
- Config files and permissions
- JSON structure of each config file
- Auto-creates missing files (with defaults)
- Token file includes example if missing
---
## ⏱ Cron Setup: `run.sh`
To automate updates, add `run.sh` to your crontab as root:
```sh
sudo crontab -e
```
Then add:
```cron
*/5 * * * * /path/to/ip2nginx/run.sh
```
This ensures automatic application of proxy changes to NGINX config and reloads.
---
## 🔄 pfSense Shell Example
Add the following script to `pfSense` via `System > Advanced > Cron`:
```sh
#!/bin/sh
SERVER="https://your-server.com/ip2nginx"
NAME="domain1.to.com"
DOMAIN="domain.from.com"
TOKEN="YOUR_SECRET_TOKEN"
curl -s -X POST "$SERVER/update.php" -d "name=$NAME" -d "domain=$DOMAIN" -d "protocol=https" -d "port=443" -d "token=$TOKEN"
```
---
## 🔒 Security Highlights
- `.htaccess` denies access to all files except `update.php`.
- Only HTTPS connections should be used.
- All tokens are stored securely and verified per name.
- After 3 failed attempts, IP is banned for 48 hours.
- Generic error messages avoid leaking details to attackers.
---
## ✅ Requirements
- PHP 7.4 or newer
- NGINX with reload access (`sudo systemctl reload nginx`)
- `curl` on the client side
- Token definitions in `token.json`
---
## 📜 License
MIT (or similar): Open-source, free for use and modification.
---
**Maintained by [SAFE-CAP / Alexander Schiemann](https://safe-cap.com)**
Reference in New Issue View Git Blame Copy Permalink