From e6db3cea7b6bda5f234471121bb1ca0e493693ce Mon Sep 17 00:00:00 2001
From: MattIPv4 <me@mattcowley.co.uk>
Date: Fri, 8 May 2020 17:58:38 +0100
Subject: [PATCH] Begin making conf files

---
 package-lock.json                        |  29 ++++++
 package.json                             |   2 +
 src/nginxconfig/generators/index.js      |  26 ++++++
 src/nginxconfig/generators/nginx.conf.js | 114 +++++++++++++++++++++++
 src/nginxconfig/templates/app.vue        |   9 +-
 src/nginxconfig/util/ssl_profiles.js     |  83 +++++++++++++++++
 6 files changed, 259 insertions(+), 4 deletions(-)
 create mode 100644 src/nginxconfig/generators/index.js
 create mode 100644 src/nginxconfig/generators/nginx.conf.js
 create mode 100644 src/nginxconfig/util/ssl_profiles.js

diff --git a/package-lock.json b/package-lock.json
index 785a17f..a413ff1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1117,6 +1117,14 @@
         }
       }
     },
+    "@webantic/nginx-config-parser": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@webantic/nginx-config-parser/-/nginx-config-parser-1.2.0.tgz",
+      "integrity": "sha512-f+APSFykPZ06UaRgaxBCxAEUSG+qY9NVcGGqQkKfnJZaHBpqGxlR4FZixkdapnIadbw/uyWQ+96iTAXjyyJ+SQ==",
+      "requires": {
+        "glob": "^7.1.3"
+      }
+    },
     "abab": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/abab/-/abab-2.0.3.tgz",
@@ -1785,6 +1793,14 @@
       "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==",
       "dev": true
     },
+    "chevrotain": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-7.0.1.tgz",
+      "integrity": "sha512-B/44jrdw5GAzy483LEeVSgXSX0qOYM8lUd3l5+yf6Vl6OQjEUCm2BUiYbHRCIK6xCEvCLAFe1kj8uyV6+zdaVw==",
+      "requires": {
+        "regexp-to-ast": "0.5.0"
+      }
+    },
     "chokidar": {
       "version": "2.1.8",
       "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-2.1.8.tgz",
@@ -5388,6 +5404,14 @@
       "integrity": "sha1-yobR/ogoFpsBICCOPchCS524NCw=",
       "dev": true
     },
+    "nginx-format": {
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/nginx-format/-/nginx-format-0.1.7.tgz",
+      "integrity": "sha512-+6k0BGrASE0vE4X2sYujh0k2cZG+2DT0G82N3O+hS/7/7b3ZNzfHogthRGIJB+2xSJOvgIbJgKRVjqpyerPOtw==",
+      "requires": {
+        "chevrotain": "^7.0.1"
+      }
+    },
     "nice-try": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/nice-try/-/nice-try-1.0.5.tgz",
@@ -6649,6 +6673,11 @@
         "safe-regex": "^1.1.0"
       }
     },
+    "regexp-to-ast": {
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/regexp-to-ast/-/regexp-to-ast-0.5.0.tgz",
+      "integrity": "sha512-tlbJqcMHnPKI9zSrystikWKwHkBqu2a/Sgw01h3zFjvYrMxEDYHzzoMZnUrbIfpTFEsoRnnviOXNCzFiSc54Qw=="
+    },
     "regexpp": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-2.0.1.tgz",
diff --git a/package.json b/package.json
index bcf03ef..c46fd70 100644
--- a/package.json
+++ b/package.json
@@ -34,10 +34,12 @@
   "homepage": "https://github.com/do-community/nginxconfig-vue#readme",
   "dependencies": {
     "@babel/runtime": "^7.9.2",
+    "@webantic/nginx-config-parser": "^1.2.0",
     "babel-polyfill": "^6.26.0",
     "clone": "^2.1.2",
     "do-bulma": "git+https://github.com/do-community/do-bulma.git",
     "do-vue": "git+https://github.com/do-community/do-vue.git",
+    "nginx-format": "^0.1.7",
     "parcel-bundler": "^1.12.4",
     "pretty-checkbox-vue": "^1.1.9",
     "prismjs": "^1.20.0",
diff --git a/src/nginxconfig/generators/index.js b/src/nginxconfig/generators/index.js
new file mode 100644
index 0000000..ab47395
--- /dev/null
+++ b/src/nginxconfig/generators/index.js
@@ -0,0 +1,26 @@
+import ConfigParser from '@webantic/nginx-config-parser';
+const parser = new ConfigParser();
+
+import { nginxFormat } from 'nginx-format';
+
+import nginxConf from './nginx.conf';
+
+const toConf = obj => {
+    // Convert the obj to nginx
+    const rawConf = nginxFormat(parser.toConf(obj));
+
+    const commentConf = rawConf
+        .replace(/((?:^|\n)(?:[^\S\r\n]*)#.+);($|\n)/g, '$1$2') // Remove semis on comments
+        .replace(/((?:^|\n)[^\S\r\n]*[^#\s].*[^\n])\n([^\S\r\n]*)#/g, '$1\n$2\n$2#') // Double linebreak before comment
+        .replace(/((?:^|\n)[^\S\r\n]*#.*\n[^\S\r\n]*#.*\n)([^\S\r\n]*)([^#\s])/g, '$1\n$2$3'); // Double linebreak after double comment
+
+    return commentConf;
+}
+
+export default (domains, global) => {
+    const files = {};
+
+    files['nginx.conf'] = toConf(nginxConf(domains, global));
+
+    return files;
+}
diff --git a/src/nginxconfig/generators/nginx.conf.js b/src/nginxconfig/generators/nginx.conf.js
new file mode 100644
index 0000000..4d136d0
--- /dev/null
+++ b/src/nginxconfig/generators/nginx.conf.js
@@ -0,0 +1,114 @@
+import sslProfiles from '../util/ssl_profiles';
+
+export default (domains, global) => {
+    const config = {};
+
+    // Source
+    config['# Generated by nginxconfig.io'] = '';
+    if (window.location.search)
+        config[`# ${window.location.protocol}//${window.location.host}${window.location.pathname}${window.location.search}`] = '';
+
+    // Basic nignx conf
+    config.user = global.nginx.user.computed;
+    config.pid = global.nginx.pid.computed;
+    config.worker_processes = global.nginx.workerProcesses.computed;
+    config.worker_rlimit_nofile = 65535;
+    config.events = {
+        multi_accept: 'on',
+        worker_connections: 65535,
+    };
+
+    // HTTP
+    config.http = {};
+
+    if (global.php.phpBackupServer.computed)
+        config.http['upstream php'] = {
+            server: [
+                `${global.php.phpServer.computed[0] === '/' ? 'unix:' : ''}${global.php.phpServer.computed}`,
+                `${global.php.phpBackupServer.computed[0] === '/' ? 'unix:' : ''}${global.php.phpBackupServer.computed} backup`,
+            ],
+        };
+
+    config.http.charset = 'utf-8';
+    config.http.sendfile = 'on';
+    config.http.tcp_nopush = 'on';
+    config.http.tcp_nodelay = 'on';
+    if (!global.security.serverTokens.computed)
+        config.http.server_tokens = 'off';
+    if (!global.logging.logNotFound.computed)
+        config.http.log_not_found = 'off';
+    config.http.types_hash_max_size = 2048;
+    config.http.client_max_body_size = `${global.nginx.clientMaxBodySize.computed}M`;
+
+    config.http['# MIME'] = '';
+    config.http.include = 'mime.types';
+    config.http.default_type = 'application/octet-stream';
+
+    config.http['# logging'] = '';
+    config.http.access_log = global.logging.accessLog.computed.trim() || 'off';
+    config.http.error_log = global.logging.errorLog.computed.trim() || '/dev/null';
+
+    if (global.security.limitReq.computed) {
+        config.http['# limits'] = '';
+        config.http.limit_req_log_level = 'warn';
+        config.http.limit_req_zone = '$binary_remote_addr zone=login:10m rate=10r/m';
+    }
+
+    // HTTPS
+    let hasHttps = false;
+    for (const domain of domains) {
+        if (domain && domain.https && domain.https.https && domain.https.https.computed) {
+            hasHttps = true;
+            break;
+        }
+    }
+    if (hasHttps) {
+        config.http['# SSL'] = '';
+        config.http.ssl_session_timeout = '1d';
+        config.http.ssl_session_cache = 'shared:SSL:10m';
+        config.http.ssl_session_tickets = 'off';
+
+        if (sslProfiles[global.https.sslProfile.computed].dh_param_size) {
+            config.http['# Diffie-Hellman parameter for DHE ciphersuites'] = '';
+            config.http.ssl_dhparam = `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/dhparam.pem`;
+        }
+
+        config.http[`# ${sslProfiles[global.https.sslProfile.computed].name} configuration`] = '';
+        config.http.ssl_protocols = sslProfiles[global.https.sslProfile.computed].protocols.join(' ');
+        if (sslProfiles[global.https.sslProfile.computed].ciphers.length)
+            config.http.ssl_ciphers = sslProfiles[global.https.sslProfile.computed].ciphers.join(':');
+        if (sslProfiles[global.https.sslProfile.computed].server_preferred_order)
+            config.http.ssl_prefer_server_ciphers = 'on';
+
+        config.http['# OCSP Stapling'] = '';
+        config.http.ssl_stapling = 'on';
+        config.http.ssl_stapling_verify = 'on';
+
+        if (global.https.ocspCloudflare.computed
+            || global.https.ocspGoogle.computed
+            || global.https.ocspOpenDns.computed) {
+            const ips = [];
+            if (global.https.ocspCloudflare.computed) ips.push('1.1.1.1', '1.0.0.1');
+            if (global.https.ocspGoogle.computed) ips.push('8.8.8.8', '8.8.4.4');
+            if (global.https.ocspOpenDns.computed) ips.push('208.67.222.222', '208.67.220.220');
+
+            config.http.resolver = `${ips.join(' ')} valid=60s`;
+            config.http.resolver_timeout = '2s';
+        }
+    }
+
+    // Configs!
+    config.http['# load configs'] = '';
+    config.http.include = [
+        `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/conf.d/*.conf`,
+        global.tools.modularizedStructure.computed ? `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/sites-enabled/*` : '',
+    ].filter(x => !!x);
+
+    // Single file configs
+    if (!global.tools.modularizedStructure.computed) {
+        // TODO: figure out merging in all the other configs
+    }
+
+    // Done!
+    return config;
+};
diff --git a/src/nginxconfig/templates/app.vue b/src/nginxconfig/templates/app.vue
index fda41c0..8215c0e 100644
--- a/src/nginxconfig/templates/app.vue
+++ b/src/nginxconfig/templates/app.vue
@@ -63,7 +63,8 @@ limitations under the License.
 
                 <div :class="`column ${splitColumn ? 'is-half' : 'is-full'} is-full-mobile is-full-tablet`">
                     <h2>Config files</h2>
-                    <Prism language="json" :code="exportData"></Prism>
+                    <!--<Prism language="nginx" :code="exportData"></Prism>-->
+                    <pre><code>{{exportData}}</code></pre>
                 </div>
             </div>
         </div>
@@ -75,14 +76,14 @@ limitations under the License.
 <script>
     import clone from 'clone';
     import Prism from 'vue-prism-component';
-    import 'prismjs/components/prism-json';
+    import 'prismjs/components/prism-nginx';
     import Header from 'do-vue/src/templates/header';
     import Footer from 'do-vue/src/templates/footer';
     import isChanged from '../util/is_changed';
-    import exportData from '../util/export_data';
     import importData from '../util/import_data';
     import isObject from '../util/is_object';
     import i18n from '../i18n';
+    import generators from '../generators';
     import Domain from './domain';
     import Global from './global';
     import Setup from './setup';
@@ -112,7 +113,7 @@ limitations under the License.
                 return this.$data.domains.map((domain, index) => [domain, index]).filter(d => d[0] !== null);
             },
             exportData() {
-                return JSON.stringify(exportData(this.activeDomains, this.$data.global), null, 2);
+                return generators(this.activeDomains, this.$data.global)['nginx.conf'];
             },
         },
         mounted() {
diff --git a/src/nginxconfig/util/ssl_profiles.js b/src/nginxconfig/util/ssl_profiles.js
new file mode 100644
index 0000000..8a18008
--- /dev/null
+++ b/src/nginxconfig/util/ssl_profiles.js
@@ -0,0 +1,83 @@
+// https://github.com/mozilla/ssl-config-generator/blob/master/src/static/guidelines/5.0.json
+export default {
+    modern: {
+        name: 'Mozilla Modern',
+        protocols: [
+            'TLSv1.3',
+        ],
+        ciphers: [
+            // 'TLS_AES_256_GCM_SHA384',
+            // 'TLS_AES_128_GCM_SHA256',
+            // 'TLS_CHACHA20_POLY1305_SHA256',
+        ],
+        server_preferred_order: false,
+        dh_param_size: false,
+        oldest_clients: ['Firefox 63', 'Android 10.0', 'Chrome 70', 'Edge 75', 'Java 11', 'OpenSSL 1.1.1', 'Opera 57', 'Safari 12.1'],
+    },
+    intermediate: {
+        name: 'Mozilla Intermediate',
+        protocols: [
+            'TLSv1.2',
+            'TLSv1.3',
+        ],
+        ciphers: [
+            // 'TLS_AES_256_GCM_SHA384',
+            // 'TLS_AES_128_GCM_SHA256',
+            // 'TLS_CHACHA20_POLY1305_SHA256',
+            'ECDHE-ECDSA-AES128-GCM-SHA256',
+            'ECDHE-RSA-AES128-GCM-SHA256',
+            'ECDHE-ECDSA-AES256-GCM-SHA384',
+            'ECDHE-RSA-AES256-GCM-SHA384',
+            'ECDHE-ECDSA-CHACHA20-POLY1305',
+            'ECDHE-RSA-CHACHA20-POLY1305',
+            'DHE-RSA-AES128-GCM-SHA256',
+            'DHE-RSA-AES256-GCM-SHA384',
+        ],
+        server_preferred_order: false,
+        dh_param_size: 2048,
+        oldest_clients: ['Firefox 27', 'Android 4.4.2', 'Chrome 31', 'Edge', 'IE 11 on Windows 7', 'Java 8u31', 'OpenSSL 1.0.1', 'Opera 20', 'Safari 9'],
+    },
+    old: {
+        name: 'Mozilla Old',
+        protocols: [
+            'TLSv1',
+            'TLSv1.1',
+            'TLSv1.2',
+            'TLSv1.3',
+        ],
+        ciphers: [
+            // 'TLS_AES_256_GCM_SHA384',
+            // 'TLS_AES_128_GCM_SHA256',
+            // 'TLS_CHACHA20_POLY1305_SHA256',
+            'ECDHE-ECDSA-AES128-GCM-SHA256',
+            'ECDHE-RSA-AES128-GCM-SHA256',
+            'ECDHE-ECDSA-AES256-GCM-SHA384',
+            'ECDHE-RSA-AES256-GCM-SHA384',
+            'ECDHE-ECDSA-CHACHA20-POLY1305',
+            'ECDHE-RSA-CHACHA20-POLY1305',
+            'DHE-RSA-AES128-GCM-SHA256',
+            'DHE-RSA-AES256-GCM-SHA384',
+            'DHE-RSA-CHACHA20-POLY1305',
+            'ECDHE-ECDSA-AES128-SHA256',
+            'ECDHE-RSA-AES128-SHA256',
+            'ECDHE-ECDSA-AES128-SHA',
+            'ECDHE-RSA-AES128-SHA',
+            'ECDHE-ECDSA-AES256-SHA384',
+            'ECDHE-RSA-AES256-SHA384',
+            'ECDHE-ECDSA-AES256-SHA',
+            'ECDHE-RSA-AES256-SHA',
+            'DHE-RSA-AES128-SHA256',
+            'DHE-RSA-AES256-SHA256',
+            'AES128-GCM-SHA256',
+            'AES256-GCM-SHA384',
+            'AES128-SHA256',
+            'AES256-SHA256',
+            'AES128-SHA',
+            'AES256-SHA',
+            'DES-CBC3-SHA',
+        ],
+        server_preferred_order: true,
+        dh_param_size: 1024,
+        oldest_clients: ['Firefox 1', 'Android 2.3', 'Chrome 1', 'Edge 12', 'IE8 on Windows XP', 'Java 6', 'OpenSSL 0.9.8', 'Opera 5', 'Safari 1'],
+    },
+};