Merge 'feat/use-certapi' into master

Author: mesudip

.github/workflows/docker-image.yml

@@ -4,35 +4,46 @@ on:
   push:
     tags:
       - '*'
+    branches:
+      - master
 
 jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
+      - name: Checkout
         uses: actions/checkout@v3
-      -
-        name: Set up QEMU
+
+      - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-      -
-        name: Set up Docker Buildx
+
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      -
-        name: Login to DockerHub
+
+      - name: Login to DockerHub
         uses: docker/login-action@v2
         with:
           username: mesudip
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      -
-        name: Build and push
+      - name: Build and push for tags
+        if: startsWith(github.ref, 'refs/tags/')
         uses: docker/build-push-action@v3
         with:
           file: Dockerfile
           context: .
-          platforms: linux/amd64, linux/arm64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             mesudip/nginx-proxy:${{ github.ref_name }}
             mesudip/nginx-proxy:latest
+
+      - name: Build and push for main branch
+        if: github.ref == 'refs/heads/master'
+        uses: docker/build-push-action@v3
+        with:
+          file: Dockerfile
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: mesudip/nginx-proxy:${{ github.sha }}

.gitignore

@@ -1,7 +1,8 @@
 venv/
+.venv/
+
 __pycache__/
 /.idea/
 /.run_data/
-/run_data
-.env
-.venv
+run_data/
+.env

acme_nginx/Cloudflare.py

@@ -0,0 +1,144 @@
+import json
+import time
+from os import getenv
+import traceback
+from urllib.request import urlopen, Request
+
+
+class Cloudflare(object):
+    name='cloudflare'
+    def __init__(self):
+        self.token = getenv('CLOUDFLARE_API_TOKEN')
+        self.account_id=getenv('CLOUDFLARE_ACCOUNT_ID')
+        self.api = "https://api.cloudflare.com/client/v4"
+        if not self.token:
+            raise Exception('CLOUDFLARE_API_TOKEN not found in environment')
+
+        self._zones_cache = None
+        self._zones_cache_time = 0  # Unix timestamp of last cache update
+
+    def check_token(self):
+        if self.account_id:
+            api_url = "{0}/accounts/{1}/tokens/verify".format(self.api, self.account_id)
+            request_headers = self._cloudflare_headers()
+            try:
+                response = urlopen(Request(api_url, headers=request_headers))
+                if response.getcode() == 200:
+                    result = json.loads(response.read().decode('utf8'))
+                    if result.get('success') and result.get('result', {}).get('status') == 'active':
+                        print("Cloudflare API Token is valid and active.")
+                        return True
+                    else:
+                        print(f"Cloudflare API Token verification failed: {result.get('messages', result.get('errors'))}")
+                        return False
+                else:
+                    print(f"Cloudflare API Token verification failed with status code: {response.getcode()}")
+                    return False
+            except Exception as e:
+                print(f"Error during Cloudflare API Token verification: {e}")
+                return False
+        else:
+            print("CLOUDFLARE_ACCOUNT_ID not set. Cannot verify token without account ID.")
+            return False
+
+    def _cloudflare_headers(self):
+        return {
+            "Content-Type": "application/json",
+            "Authorization": "Bearer "+self.token
+        }
+    def _get_zones(self):
+        """ Fetch and cache Cloudflare zones """
+        # Cache for 1 day (86400 seconds)
+        if self._zones_cache and (time.time() - self._zones_cache_time) < 86400:
+            return self._zones_cache
+        request_headers = self._cloudflare_headers()
+        api_url = "{0}/zones?per_page=50".format(self.api)
+        response = urlopen(Request(api_url, headers=request_headers))
+        if response.getcode() != 200:
+            raise Exception(json.loads(response.read().decode('utf8')))
+        
+        zones = json.loads(response.read().decode('utf8'))['result']
+        # print("Zone cache",json.dumps([x['name'] for x in  zones],indent=2))
+        self._zones_cache = zones
+        self._zones_cache_time = time.time()
+        return zones
+
+    def _get_zone_id(self, domain):
+        """ Determine Cloudflare Zone ID for a given domain """
+        zones = self._get_zones()
+        for zone in zones:
+            if zone['name'] == domain:
+                return zone['id']
+        raise Exception("No Cloudflare zone found for domain: {0}".format(domain))
+
+    def determine_domain(self, domain):
+        """ Determine registered domain in API """
+        # For Cloudflare, we need the base domain to get the zone ID
+        # The domain passed here might be a subdomain or wildcard, e.g., 'sub.example.com' or '*.example.com'
+        # We need to find the root domain (e.g., 'example.com') that is registered as a Cloudflare zone.
+        parts = domain.split('.')
+        err=None
+        for i in range(len(parts)):
+            potential_domain = ".".join(parts[i:])
+            try:
+                self._get_zone_id(potential_domain)
+                return potential_domain
+            except Exception as e:
+                err=e
+                continue
+        if err:
+            raise err
+        else:
+            raise Exception("Could not determine Cloudflare registered domain for: {0}".format(domain))
+
+    def create_record(self, name, data, domain):
+        """
+        Create DNS record
+        Params:
+            name, string, record name (e.g., _acme-challenge.example.com)
+            data, string, record data (e.g., ACME challenge token)
+            domain, string, dns domain (e.g., example.com)
+        Return:
+            record_id, string, created record id
+        """
+        registered_domain = self.determine_domain(domain)
+        zone_id = self._get_zone_id(registered_domain)
+        api_url = "{0}/zones/{1}/dns_records".format(self.api, zone_id)
+        request_headers = self._cloudflare_headers()
+        request_data = {
+            "type": "TXT",
+            "name": name,
+            "content": data,
+            "ttl": 120,  # Cloudflare minimum TTL for TXT is 120 seconds
+            "proxied": False
+        }
+        response = urlopen(Request(
+            api_url,
+            data=json.dumps(request_data).encode('utf8'),
+            headers=request_headers)
+        )
+        
+        if response.getcode() != 200:
+            raise Exception(json.loads(response.read().decode('utf8')))
+        result=response.read().decode('utf8')
+        print("Cloudflare create record",name,result)
+        return json.loads(result)['result']['id']
+
+    def delete_record(self, record, domain):
+        """
+        Delete DNS record
+        Params:
+            record, string, record id number
+            domain, string, dns domain
+        """
+        registered_domain = self.determine_domain(domain)
+        zone_id = self._get_zone_id(registered_domain)
+        api_url = "{0}/zones/{1}/dns_records/{2}".format(self.api, zone_id, record)
+        request_headers = self._cloudflare_headers()
+        request = Request(api_url, headers=request_headers)
+        request.get_method = lambda: 'DELETE'
+        response = urlopen(request)
+        result=response.read().decode('utf8')
+        print(f"Delete dns record [{response.getcode()}]",result)
+        if response.getcode() != 200:
+            raise Exception(json.loads(response.read().decode('utf8')))

acme_nginx/test_cloudflare.py

@@ -0,0 +1,77 @@
+import os
+from acme_nginx.Cloudflare import Cloudflare
+
+def run_cloudflare_tests():
+    print("--- Cloudflare API Test Script ---")
+
+    # Ensure environment variables are set
+    if not os.getenv('CLOUDFLARE_API_TOKEN'):
+        print("Error: CLOUDFLARE_API_TOKEN environment variable not set.")
+        print("Please set it before running the test.")
+        return
+    if not os.getenv('CLOUDFLARE_ACCOUNT_ID'):
+        print("Warning: CLOUDFLARE_ACCOUNT_ID environment variable not set.")
+        print("Some tests (like token verification) might not work without it.")
+        # Continue, as other functions like listing zones might still work
+
+    try:
+        cf = Cloudflare()
+
+        # 1. Check token
+        print("\n1. Checking Cloudflare API Token...")
+        if cf.check_token():
+            print("Token check successful.")
+        else:
+            print("Token check failed or account ID not set. Please check your environment variables.")
+            # Depending on the failure, we might want to exit here or continue with other tests
+            # For now, let's continue to see if other operations work (e.g., if only account_id is missing)
+
+        # 2. List zones and print domains/zones
+        print("\n2. Listing Cloudflare Zones...")
+        zones = cf._get_zones() # Accessing internal method for testing purposes
+        if zones:
+            print(f"Found {len(zones)} zones:")
+            for zone in zones:
+                print(f"  Domain: {zone['name']}, Zone ID: {zone['id']}")
+        else:
+            print("No zones found or an error occurred while fetching zones.")
+
+        # 3. Try adding and deleting a record
+        print("\n3. Attempting to add and delete a test TXT record...")
+        # IMPORTANT: Replace with a domain you own and manage in Cloudflare for actual testing
+        # and ensure it's a domain that won't cause issues with a temporary TXT record.
+        # For a real test, you might need to dynamically determine a domain from your zones.
+        test_domain = os.getenv('CLOUDFLARE_TEST_DOMAIN') # e.g., "example.com"
+        if not test_domain:
+            print("Skipping record add/delete test: CLOUDFLARE_TEST_DOMAIN environment variable not set.")
+            print("Please set CLOUDFLARE_TEST_DOMAIN to a domain you manage in Cloudflare to run this test.")
+            return
+
+        test_record_name = f"_acme-challenge.test.{test_domain}"
+        test_record_data = "test_data_12345"
+        record_id = None
+
+        try:
+            print(f"  Adding TXT record '{test_record_name}' with data '{test_record_data}' to domain '{test_domain}'...")
+            record_id = cf.create_record(test_record_name, test_record_data, test_domain)
+            print(f"  Record added successfully. Record ID: {record_id}")
+
+            print(f"  Deleting record ID: {record_id} from domain '{test_domain}'...")
+            cf.delete_record(record_id, test_domain)
+            print("  Record deleted successfully.")
+
+        except Exception as e:
+            print(f"  Error during record add/delete test: {e}")
+            if record_id:
+                print(f"  Attempting to clean up record {record_id} if it was created...")
+                try:
+                    cf.delete_record(record_id, test_domain)
+                    print("  Cleanup successful.")
+                except Exception as cleanup_e:
+                    print(f"  Cleanup failed: {cleanup_e}")
+
+    except Exception as e:
+        print(f"An unexpected error occurred during Cloudflare tests: {e}")
+
+if __name__ == "__main__":
+    run_cloudflare_tests()

main.py

@@ -73,8 +73,8 @@ def eventLoop():
                 process_network_event(eventAction, event)
             elif eventType == "container":
                 if eventAction == "health_status":
-                    break
-                    #process_container_health_event(event)
+                    # process_container_health_event(event)
+                    continue
                 else:
                     process_container_event(eventAction, event)
 
@@ -119,7 +119,8 @@ def process_network_event(action, event):
 try:
     server = WebServer(client)
     eventLoop()
-except (KeyboardInterrupt, SystemExit):
+except (KeyboardInterrupt, SystemExit) as e:
+    # traceback.print_exception(e)
     print("-------------------------------\nPerforming Graceful ShutDown !!")
     if server is not None:
         server.cleanup()

nginx_proxy/WebServer.py

@@ -18,7 +18,7 @@
 from nginx_proxy import Container
 from nginx_proxy import ProxyConfigData
 from nginx_proxy.Host import Host
-
+from acme_nginx.Cloudflare import Cloudflare
 
 class WebServer():
     def __init__(self, client: DockerClient, *args):
@@ -36,7 +36,19 @@ def __init__(self, client: DockerClient, *args):
         self.template = Template(file.read())
         file.close()
         self.learn_yourself()
-        self.ssl_processor = post_processors.SslCertificateProcessor(self.nginx, self, start_ssl_thread=False,ssl_dir=self.config['ssl_dir'])
+        
+        wildcard_dns_provider = None
+        if os.getenv('CLOUDFLARE_API_TOKEN'):
+            wildcard_dns_provider = Cloudflare()
+        # Add other providers here if needed, e.g., elif os.getenv('DIGITALOCEAN_API_TOKEN'): wildcard_dns_provider = 'digitalocean'
+
+        self.ssl_processor = post_processors.SslCertificateProcessor(
+            self.nginx,
+            self,
+            start_ssl_thread=False,
+            ssl_dir=self.config['ssl_dir'],
+            default_wildcard_dns_provider=wildcard_dns_provider
+        )
         self.basic_auth_processor = post_processors.BasicAuthProcessor( self.config['conf_dir'] + "/basic_auth")
         self.redirect_processor = post_processors.RedirectProcessor()
 

run_local.sh

@@ -7,5 +7,7 @@
 #
 
 mkdir -p ./.run_data/conf.d
-#
-DUMMY_NGINX=y CHALLENGE_DIR=./.run_data/acme_challenges SSL_DIR=./.run_data NGINX_CONF_DIR=./.run_data python3 main.py
+
+LETSENCRYPT_API=https://acme-staging-v02.api.letsencrypt.org/directory \
+CHALLENGE_DIR=./.run_data/acme_challenges \
+DUMMY_NGINX=y SSL_DIR=./.run_data NGINX_CONF_DIR=./.run_data python3 main.py