revert(cistech-tunnel): restore to original working state at a7691b1
Some checks failed
Test / test (push) Has been cancelled
Some checks failed
Test / test (push) Has been cancelled
- Removed shared/ folder (host routing scripts) - Restored original config.json, docker-compose.json - Restored original Dockerfile and entrypoint.sh Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -2,42 +2,13 @@
|
||||
set -euo pipefail
|
||||
|
||||
: "${OC_URL:?OC_URL required}"
|
||||
|
||||
# Auto-fetch server certificate pin if not provided
|
||||
get_server_cert_pin() {
|
||||
local url="$1"
|
||||
local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
|
||||
local port=443
|
||||
|
||||
echo "Fetching certificate pin from $host:$port..." >&2
|
||||
|
||||
# Get certificate and compute pin-sha256
|
||||
local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
|
||||
openssl x509 -pubkey -noout 2>/dev/null | \
|
||||
openssl pkey -pubin -outform DER 2>/dev/null | \
|
||||
openssl dgst -sha256 -binary | \
|
||||
base64)
|
||||
|
||||
if [[ -n "$pin" ]]; then
|
||||
echo "pin-sha256:$pin"
|
||||
else
|
||||
echo "ERROR: Failed to fetch certificate from $host" >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Get or fetch OC_SERVERCERT
|
||||
if [[ -z "${OC_SERVERCERT:-}" ]]; then
|
||||
OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
|
||||
echo "Auto-detected server cert: $OC_SERVERCERT"
|
||||
fi
|
||||
: "${OC_SERVERCERT:?OC_SERVERCERT required}"
|
||||
|
||||
NOVNC_PORT="${NOVNC_PORT:-6901}"
|
||||
VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
|
||||
DISPLAY_ADDR="${DISPLAY:-:1}"
|
||||
OC_INTERFACE="${OC_INTERFACE:-tun0}"
|
||||
OC_USER="${OC_USER:-}"
|
||||
OC_PASSWORD="${OC_PASSWORD:-}"
|
||||
OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
|
||||
|
||||
# Default to hidden browser if OC_USER is set
|
||||
@@ -74,7 +45,6 @@ export OC_URL="$OC_URL"
|
||||
export OC_SERVERCERT="$OC_SERVERCERT"
|
||||
export OC_INTERFACE="$OC_INTERFACE"
|
||||
export OC_USER="$OC_USER"
|
||||
export OC_PASSWORD="$OC_PASSWORD"
|
||||
export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
|
||||
export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
|
||||
export OC_AUTHGROUP="${OC_AUTHGROUP:-}"
|
||||
@@ -96,14 +66,8 @@ ENVFILE
|
||||
source /etc/vpn.env
|
||||
echo "[$(date)] Starting VPN connection..."
|
||||
|
||||
# Set password for openconnect
|
||||
export OPENCONNECT_PASSWORD="$OC_PASSWORD"
|
||||
|
||||
# openconnect-sso reads TOTP from keyring automatically
|
||||
# Pass password via stdin for SSO form if needed
|
||||
if [[ -n "$OC_USER" && -n "$OC_PASSWORD" ]]; then
|
||||
echo "$OC_PASSWORD" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
|
||||
elif [[ -n "$OC_USER" ]]; then
|
||||
if [[ -n "$OC_USER" ]]; then
|
||||
echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
|
||||
else
|
||||
openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
|
||||
@@ -196,12 +160,6 @@ setup_nat() {
|
||||
iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \
|
||||
iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE
|
||||
echo "NAT enabled on $OC_INTERFACE"
|
||||
|
||||
# Trigger host routing service
|
||||
if [ -d /runtime ]; then
|
||||
touch /runtime/restart-routing
|
||||
echo "Host routing trigger sent"
|
||||
fi
|
||||
break
|
||||
fi
|
||||
sleep 2
|
||||
|
||||
Reference in New Issue
Block a user