Allow advanced customization of nginx parameters in addon

[Ten0]

My use-case is that I want to setup mTLS, except for webhooks endpoints.

Because nginx's ssl_verify_client cannot be set at the location level but needs to be set at the server level, and then whether we are authenticated should be checked at the location level, this requires modifying the location / directive of the configuration.

It follows that the template is not customizable enough.

To give full flexibility to the user to patch the server config however they like, we allow them to execute arbitrary commands or scripts from within the container before starting nginx, similarly to what is done by the SSH addon and appdaemon.

Summary by CodeRabbit

• New Features

  • Added support for custom initialization commands in NGINX proxy configuration.
  • Enhanced startup script to execute user-defined initialization commands before starting the server.

• Improvements

  • Expanded configuration options to allow more flexible initialization process.
  • Updated documentation to include new optional configuration for initialization commands.
  • Added translation for the new initialization commands feature.

[home-assistant]

Hi @Ten0

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

Stale

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces enhancements to the NGINX Home Assistant SSL proxy configuration by adding support for initialization commands. The changes include updating the config.yaml file to include a new init_commands option, modifying the startup script to execute these commands before launching the nginx server, and updating the documentation and translation files to reflect this new feature. This modification allows users to specify custom initialization commands that will run during the container's startup process.

Changes

File	Change Summary
nginx_proxy/config.yaml	- Added init_commands: [] to options section - Updated schema to include init_commands: - str
nginx_proxy/rootfs/etc/s6-overlay/s6-rc.d/nginx/run	- Added logic to execute user-configured initialization commands - Implements error handling for command execution
nginx_proxy/DOCS.md	- Documented new optional configuration option init_commands
nginx_proxy/translations/en.yaml	- Added init_commands section with name and description

Sequence Diagram

sequenceDiagram
    participant Config as Configuration
    participant Script as Startup Script
    participant Nginx as Nginx Server

    Config->>Script: Provide init_commands
    Script->>Script: Validate init_commands
    alt Commands exist
        Script->>Script: Execute each command
        alt Command fails
            Script-->>Config: Log error
            Script->>Script: Exit with failure
        else All commands succeed
            Script->>Nginx: Start server
        end
    else No init_commands
        Script->>Nginx: Start server directly
    end

Loading

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e3d246 and ef8535a.

📒 Files selected for processing (1)

• nginx_proxy/DOCS.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• nginx_proxy/DOCS.md

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 91160e1 and 9865d93.

📒 Files selected for processing (2)

• nginx_proxy/config.yaml (2 hunks)
• nginx_proxy/rootfs/etc/s6-overlay/s6-rc.d/nginx/run (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

nginx_proxy/config.yaml (6)

Pattern */**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

• Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
• In step-by-step instructions, front the location phrase in the instructional sentence.
• In step-by-step instructions, front the 'goal' in the instructional sentence.
• In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
• do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

---

Pattern */**(html|markdown|md): - Use bold to mark UI strings.

• If "" are used to mark UI strings, replace them by bold.

---

Pattern */**(html|markdown|md): - Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

---

Pattern */**(html|markdown|md): - Use sentence-style capitalization also in headings.

---

Pattern */**(html|markdown|md): do not comment on HTML used for icons

---

Pattern */**(html|markdown|md): Avoid flagging inline HTML for embedding videos in future reviews for this repository.

🔇 Additional comments (2)

nginx_proxy/config.yaml (2)

30-30: Good default for optional commands.

Providing an empty list (init_commands: []) as the default ensures that no commands are executed unless explicitly specified, which is a safe and clear approach for new users.

---

46-47: Schema aligns with the new feature.

Defining init_commands as a list of strings properly reflects the new functionality and ensures valid user input for each command. This is consistent and well-integrated with the rest of the schema.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9865d93 and 2e3d246.

📒 Files selected for processing (2)

• nginx_proxy/DOCS.md (1 hunks)
• nginx_proxy/translations/en.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

nginx_proxy/DOCS.md (6)

Pattern */**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

• Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
• In step-by-step instructions, front the location phrase in the instructional sentence.
• In step-by-step instructions, front the 'goal' in the instructional sentence.
• In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
• do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

---

Pattern */**(html|markdown|md): - Use bold to mark UI strings.

• If "" are used to mark UI strings, replace them by bold.

---

Pattern */**(html|markdown|md): - Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

---

Pattern */**(html|markdown|md): - Use sentence-style capitalization also in headings.

---

Pattern */**(html|markdown|md): do not comment on HTML used for icons

---

Pattern */**(html|markdown|md): Avoid flagging inline HTML for embedding videos in future reviews for this repository.

[agners]

To give full flexibility to the user to patch the server config however they like, we allow them to execute arbitrary commands or scripts from within the container before starting nginx, similarly to what is done by the SSH addon and appdaemon.

So you would then expect users to write sed script to change a config they don't really can see. This does seem a bit odd to me.

I'd rather prefer if we extend the template so things can be adjusted in whatever ways necessary. We could maybe even offer a full custom NGINX config instead (which IMHO, is still better than asking the user to modifying a "hidden" config via scripting).

Can you share a full example of what you want to archive in your particular use case? That might make it easier to come up with a good solution.

[agners]

Let's see if we can come up with something better than using scripting to adjust configs.

[Ten0]

I was thinking I'd probably not largely override the file if I had that script.

It's mostly about giving full flexibility. If people aren't able to docker exec or read the source code to know what the file would look like and sed in there, then they could just use cp and fully override.

In my case specifically what I want to do is this:

	# mtls
	ssl_client_certificate /path/to/root.crt;
	ssl_verify_client optional;

	location / {
		if ($ssl_client_verify != SUCCESS) {
			return 403;
		}
		include /path/to/base_location_config.conf;
	}

	location /api/webhook/ {
		include /path/to/base_location_config.conf;
	}

with base_location_config.conf:

# This should be exactly what HA generates by default

proxy_pass http://homeassistant.local.hass.io:8123;
proxy_set_header Host $http_host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Currently my workaround is that I've configured a stub server as the default server (with an unused domain name), and the actual server that I use is configured manually, so I have to copy and maintain template contents to the base_location_config.conf file.

I'd love to just sed to the line after location /, but others may want to cp their own config file, replacing it entirely as you mentioned.

Having a template parameter for "extra default location statements" that would yield at the top would indeed solve my use case, but it feels like someone may have other needs that this wouldn't cover and I don't care about writing this as a dedicated template parameter or as a sed command, so I favored the way that would make it possible for qualified people to do whatever they want without re-packaging the addon.

Maybe another option would be to be able to fully disable default server, so people could just always configure it as an extra server.

[agners]

It's mostly about giving full flexibility. If people aren't able to docker exec or read the source code to know what the file would look like and sed in there, then they could just use cp and fully override.

But even cp'ing a useful config seems hard/almost unrealistic without gleaning at the existing config.

Of course init_commands allow for lots of flexibility, but it also has a very high chance of breaking if we change the default template. Once such option is in, you can only loose as an add-on maintainer: Touch anything and you make people angry because you broke their production system 😥

I mean, we could introduce a "generic" add-on, where you can just have just a init command in config. Then you can apk add whatever package you need and configure it using that script. This of course is an extreme case, but it is kinda the other end of the spectrum in terms of flexibility. Just allowing generic init command for this add-on is too open IMHO. This is the NGINX Proxy add-on, it is somewhat opinionated.

That being said, I can see your use case, and it in my opinion it somewhat in scope of what user would want to do.

We could go two avenues: Explicitly support client certificate (e.g. by introducing client_certificate as an option, and if it is set, we'd add the server level config option and add the very option to the root location. We could either exclude webhooks by default or make this yet another config, e.g. client_certificate_exclude_locations.

It should be possible to do this with a single location section as well, with something along these lines:

    if ($uri !~ ^/api/webhook/) {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
    }

If we can get a way with a single location config, then maybe just adding a location include?

        location / {
            {{- if (has "default_location" .options.customize) }}
            include /share/{{ .options.customize.default_location }};
            {{- end }}
            ...

Another alternative would be to enable location customizations. It seems that if two location sections are in a server section, the last one takes precedence. So we could move this section to the end of the server section:

        {{- if .options.customize.active }}
        include /share/{{ .options.customize.default }};
        {{- end }}

This then would allow users to override location / { in a customization file. By default lots of duplication would be necessary, unless we also introduce a base_location.conf similar to the way you did.

I think I'd lean towards the second solution for now, add a location customization option. With that we can cover your use case and likely others today. An explicit client certificate option is still possible in the future.

[Ten0]

It seems that if two location sections are in a server section, the last one takes precedence.

I seem to recall that I tested this and actually got a fatal error that I had 2 location / statements.

Touch anything and you make people angry because you broke their production system

I think I'd lean towards the second solution for now, add a location customization option

I see what you mean...
I have no strong opinion towards either, both seem fine to me 😊👍️

When I started up my server and lazily decided to just trust HA's login page in the beginning, it wasn't two weeks before I received alerts of people trying to login from china and VPN servers though 😅 so maybe making it easier for people to setup mTLS might be nice 🙂
Ofc this doesn't show that the HA interface failed me there, but without mTLS you can quickly get bitten by things like this so I'm very happy to reduce the attack surface. 😅

[agners]

Ofc this doesn't show that the HA interface failed me there, but without mTLS you can quickly get bitten by things like this so I'm very happy to reduce the attack surface. 😅

Yeah, totally agree, reducing attack surface is a very good security practice!

That said, as you probably know/experienced, deploying mTLS has it's own set of challenges 😅

Let's attempt option 2 for now (location include). This allows to use the NGINX proxy to actually test this a bit more.