Development (#287)

* Fixed typo * Update dsmr Co-authored-by: Dennis Siemensma <[email protected]> Co-authored-by: Bram van Dartel <[email protected]>
xirixiz · May 26, 2022 · 73530e2 · 73530e2
1 parent b4dba56
commit 73530e2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 5 deletions.
diff --git a/.github/workflows/build_release.yml b/.github/workflows/build_release.yml
@@ -20,7 +20,7 @@ env:
   DOCKER_BASE_IMAGE: python:3-alpine3.15
   DOCKER_TARGET_REPO: xirixiz/dsmr-reader-docker
   DOCKERFILE: Dockerfile
-  DOCKER_TARGET_RELEASE: 2022.04.01
+  DOCKER_TARGET_RELEASE: 2022.05.01
 
 jobs:
   ################################################

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 <font size="-1">
 
-[![Docker Pulls](https://img.shields.io/docker/pulls/xirixiz/dsmr-reader-docker.svg?logo=docker)](https://img.shields.io/docker/pulls/xirixiz/dsmr-reader-docker/)
+[![Docker Pulls](https://img.shields.io/docker/pulls/xirixiz/dsmr-reader-docker.svg?logo=docker)](https://hub.docker.com/r/xirixiz/dsmr-reader-docker/tags)
 [![Docker Stars](https://img.shields.io/docker/stars/xirixiz/dsmr-reader-docker.svg?logo=docker)](https://hub.docker.com/r/xirixiz/dsmr-reader-docker)
 [![GitHub Build Status](https://github.com/xirixiz/dsmr-reader-docker/workflows/DSMR:%20Build%20Docker%20images/badge.svg?logo=github)](https://github.com/xirixiz/dsmr-reader-docker/actions)
 [![GitHub Stars](https://img.shields.io/github/stars/xirixiz/dsmr-reader-docker.svg?logo=github)](https://github.com/xirixiz/dsmr-reader-docker/)
@@ -62,15 +62,23 @@ Docker tags/releases can be found here: https://hub.docker.com/r/xirixiz/dsmr-re
 
 ***
 #### Setup / parameters
-  For DSMR Reader specific environment settings, please refer to: https://dsmr-reader.readthedocs.io/nl/v4/env_settings.html
+
+* ##### Public access warning
+
+  Exposing your DSMR-reader installation to the Internet? 
+  Consider additionally using HTTP Auth (see below) or enabling *"Force password login everywhere"* in the Frontend settings in DSMR-reader, to prevent public access.
+
+* ##### Settings
+
+  For DSMR Reader specific environment settings, please refer to: [DSMR-reader env settings docs](https://dsmr-reader.readthedocs.io/nl/v5/reference/env-settings.html)
 
   It's possible to set the following settings as environment variables, for example:
   ```properties
   # Required (defaults are shown as value):
   - DJANGO_TIME_ZONE=Europe/Amsterdam
   - VIRTUAL_HOST=localhost
   # It's possible to map a UID/GID with a user/group from you local system.
-  # This will not change the username, onbly match ID's to prevent issues with access rights!
+  # This will not change the username, only match ID's to prevent issues with access rights!
   - DUID=803
   - DGID=803
   ```
@@ -147,7 +155,7 @@ It's not possible to combine those settings!!!:
   ```
 
 * ##### Remote DSMR datalogger related
-  More info: https://dsmr-reader.readthedocs.io/nl/v4/installation/datalogger.html):
+  More info: [DSMR-reader remote datalogger installation docs](https://dsmr-reader.readthedocs.io/nl/v5/how-to/installation/remote-datalogger.html):
   ```properties
   # Required. Destination(s) of the DSMR Reader (Docker) host(s)
   DSMRREADER_REMOTE_DATALOGGER_API_HOSTS=x

diff --git a/rootfs/etc/cont-init.d/20-set-app-defaults b/rootfs/etc/cont-init.d/20-set-app-defaults
@@ -250,6 +250,38 @@ function _generate_auth_configuration() {
   _info "ENABLE_HTTP_AUTH is disabled, nothing to see here. Continuing..."
 }
 
+function _generate_clientcert_auth_configuration() {
+  _info "Checking for CLIENT CERTIFICATE AUTHENTICATION configuration..."
+  if [[ -n "${ENABLE_CLIENTCERT_AUTH}" ]]; then
+    if [[ "${ENABLE_CLIENTCERT_AUTH}" = true ]]; then
+      _info "ENABLE_CLIENTCERT_AUTH is enabled, let's secure this!"
+      canWeContinue=true
+      if [[ ! -f /etc/nginx/client_cert/cacert.pem ]]; then
+        _warn "Please map a CA.pem file to /etc/nginx/client_cert/cacert.pem"
+        canWeContinue=false
+      fi
+      if [[ "${canWeContinue}" = false ]]; then
+        _error "Sorry, something failed. Please check above warnings."
+        exit 1
+      fi
+      _info "Enabling the configuration in NGINX..."
+      sed -i '/server_name _;/a\\tssl_client_certificate /etc/nginx/client_cert/cacert.pem;\n\tssl_verify_client on;' /etc/nginx/http.d/dsmr-webinterface.conf
+      if [[ -f /etc/nginx/client_cert/ca.crl ]]; then
+        _info "Found CRL file, adding to configuration..."
+        sed -i '/server_name _;/a\\tssl_crl /etc/nginx/client_cert/ca.crl;' /etc/nginx/http.d/dsmr-webinterface.conf
+      fi
+      if nginx -c /etc/nginx/nginx.conf -t 2>/dev/null; then
+        _info "CLIENT CERT AUTHENTICATION configured and enabled"
+        return
+      else
+        _error "NGINX configuration error"
+        exit 1
+      fi
+    fi
+  fi
+  _info "ENABLE_CLIENTCERT_AUTH is disabled, nothing to see here. Continuing..."
+}
+
 function _iframe {
   if [[ "${ENABLE_IFRAME}" = true ]]; then
     _info "Enabling IFrame..."
@@ -278,6 +310,7 @@ if [[ "${DSMRREADER_REMOTE_DATALOGGER_MODE}" = standalone || "${DSMRREADER_REMOT
   _check_db_availability
   _run_post_config
   _nginx_change_listen_port
+  _generate_clientcert_auth_configuration
   _nginx_ssl_configuration
   _generate_auth_configuration
 fi