Add optional environment value 'PORT_ADMIN'

noelmartinon · noelmartinon · commit 6789be7a24c9 · 2025-12-12T14:20:24.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,21 +2,27 @@
 # UpdatEngine-server #
 ######################
 
-6.1.2:
+## 6.1.3 (2025-12-12):
+
+**✨ Improvements**
+
+- Add optional environment value 'PORT_ADMIN' to distinguish the admin IP port from the client port
+
+## 6.1.2:
 - Fix help text for 'Enable failure tolerance' feature
 
-6.1.1:
+## 6.1.1:
 - Fix ignorance of 'download_no_restart' and 'no_break_on_error' when using the extended conditions
 
-6.1.0:
+## 6.1.0:
 - Fix bug when displaying the password_change_done page
 - Fix AuthBackend authentication accepting bad passwords
 
-6.0.1:
+## 6.0.1:
 - Fix debian installation script for Python 3.12 compatibility
 - Fix escape sequence in inventory views
 
-6.0.0:
+## 6.0.0:
 - Upgrade to Django 4.2.16 LTS
 - Increase upload size limit to 5G
 - Add 'custom variables' column to deploy/package page
@@ -37,7 +43,7 @@
 - Add docker installation script
 
 
-5.0.0:
+## 5.0.0:
 - Upgrade to Django 3.2 LTS
 - Upgrade adminactions module to 1.15 version
 - Add debian upgrade script
@@ -51,40 +57,40 @@
 - Apply bulleted list style to 'packages' on the packageprofile page
 - Fix version check
 
-4.1.0:
+## 4.1.0:
 - Update last release version using json
 - Add debian installation script and new apache config
 - Complete entity ip range help text
 - Sort machines names in history filter list
 - Add os version in inventory view
 
-4.0.3:
+## 4.0.3:
 - Fix white page on mass update
 - Remove web directory indexes from apache conf
 
-4.0.2:
+## 4.0.2:
 - Fix wol issue
 - Add lines to fix potential pip3 mysqlclient issue
 - Fix version check
 
-4.0.1:
+## 4.0.1:
 - Add script db tables conversion to utf-8 (all languages support)
 - Fix bug on remove os name or arch through the web gui
 - Add 'username' condition and 'not logged in' tag
 
-4.0.0:
+## 4.0.0:
 - Port code to Python 3.7
 - Migrate to Django 2.2
 - Use the latest python packages in line with the upgrade (django-grappelli, mysqlclient...)
 
-3.0.2:
+## 3.0.2:
 - Optimizes extended conditions with client: Pre-check conditions to avoid asking client for unnecessary extended conditions if already a condition on the software is not satisfied.
 
-3.0.1:
+## 3.0.1:
 - Fix bug in imports/exports deployments
 - Fix inventory dispatch (clients < 3.0 was sending 'undefined' for UserName, Domain and Language)
 
-3.0:
+## 3.0:
 - Interface:
   - The chosen language remains displayed
   - Fix some translations in 'Export as CSV' and 'Mass update'
diff --git a/install/debian/custom.dist/.env.default b/install/debian/custom.dist/.env.default
@@ -15,6 +15,7 @@ SERVER_NAME=localhost
 
 # Updatengine port
 PORT=1979
+PORT_ADMIN=1997
 
 # Language for web interface. default to fr (French)
 LANGUAGE_CODE=fr
diff --git a/install/debian/install.sh b/install/debian/install.sh
@@ -2,7 +2,7 @@
 
 ################################################
 ## UpdatEngine-server installation script
-## 2024/12/05
+## 2025/12/12
 ################################################
 #
 #             /!\ WARNING /!\
@@ -76,6 +76,7 @@ grep -l $'\r' ./custom/.env && sed -i 's/\r//g' ./custom/.env && echo "Informati
 
 # Export all key/value pairs from the '.env' file to the shell environment
 export $(cat ./custom/.env) > /dev/null 2>&1
+[ -z $PORT_ADMIN ] && $PORT_ADMIN=$PORT
 
 # Set SECRET_KEY to a random value if not defined
 if [ -z ${SECRET_KEY} ] || [ ${SECRET_KEY} = '!mustbechanged!' ]; then
@@ -148,7 +149,11 @@ fi
 # Set apache configuration
 if [ ! -f /etc/apache2/sites-available/apache-updatengine.conf ] ; then
     echo "Set apache configuration"
-    envsubst < ${INST_DIR}/updatengine-server/requirements/apache-updatengine.conf > /etc/apache2/sites-available/apache-updatengine.conf
+    if [ "${PORT}" = "${PORT_ADMIN}" ]; then        
+        envsubst < ${INST_DIR}/updatengine-server/requirements/apache-updatengine.conf > /etc/apache2/sites-available/apache-updatengine.conf
+    else
+        envsubst < ${INST_DIR}/updatengine-server/requirements/apache-updatengine_distinct-admin-access.conf > /etc/apache2/sites-available/apache-updatengine.conf
+    fi
     a2ensite apache-updatengine
     a2enmod wsgi
 fi
diff --git a/install/docker/custom.dist/.env.default b/install/docker/custom.dist/.env.default
@@ -11,6 +11,7 @@ SERVER_NAME=localhost
 
 # Updatengine nginx port
 PORT=1979
+PORT_ADMIN=1997
 
 # Configuration type
 # Valid values : empty, HTTP_REDIRECT or LETSENCRYPT
diff --git a/install/docker/docker-compose.yml b/install/docker/docker-compose.yml
@@ -68,6 +68,7 @@ services:
       - ./install/docker/custom/ssl/site.key:/etc/ssl/private/site.key
     ports:
       - $PORT:443
+      - $PORT_ADMIN:1443
     depends_on:
       web:
         condition: service_healthy
diff --git a/install/docker/entrypoint.sh b/install/docker/entrypoint.sh
@@ -47,3 +47,4 @@ fi
 gunicorn updatengine.wsgi:application --bind 0.0.0.0:8000
 
 
+
diff --git a/install/docker/install.sh b/install/docker/install.sh
@@ -2,7 +2,7 @@
 
 ################################################
 ## UpdatEngine-server docker installation script
-## 2024/12/05
+## 2025/12/12
 ################################################
 #
 ################################################
@@ -56,6 +56,9 @@ grep -l $'\r' ./custom/.env && sed -i 's/\r//g' ./custom/.env && echo "Informati
 
 # Export all key/value pairs from the '.env' file to the shell environment
 export $(cat ./custom/.env) > /dev/null 2>&1
+[ -z $PORT_ADMIN ] && $PORT_ADMIN=$PORT
+
+# Warning for LETSENCRYPT type
 if [ "$CONFIG_TYPE" = "LETSENCRYPT" ]; then
     echo "################"
     echo "ERROR: LETSENCRYPT option is not yet supported."
@@ -80,7 +83,12 @@ fi
 if [ ! -f ./custom/nginx/nginx.conf ]; then
     mkdir -p ./custom/nginx
     export DOLLAR='$'
-    envsubst < ./nginx/nginx.conf.in$CONFIG_TYPE > ./custom/nginx/nginx.conf
+    if [ "${PORT}" = "${PORT_ADMIN}" ]; then
+        envsubst < ./nginx/nginx.conf.in$CONFIG_TYPE > ./custom/nginx/nginx.conf
+    else
+        envsubst < ./nginx/nginx.conf_distinct-admin-access.in$CONFIG_TYPE > ./custom/nginx/nginx.conf
+    fi
+
 fi
 
 if ([ ! -f ./custom/ssl/site.key ] ||  [ ! -f ./custom/ssl/site.crt ]) && [ "$CONFIG_TYPE" != "LETSENCRYPT" ]; then
@@ -93,12 +101,15 @@ BASE_DIR='../..'
 cp Dockerfile $BASE_DIR/
 cp entrypoint.sh $BASE_DIR/
 envsubst < docker-compose.yml$CONFIG_TYPE > $BASE_DIR/docker-compose.yml
+if [ "${PORT}" = "${PORT_ADMIN}" ]; then
+    sed -i '/:1443/d' $BASE_DIR/docker-compose.yml
+fi
 cp ./custom/.env $BASE_DIR/
 cat $BASE_DIR/requirements/pip-packages.txt requirements.txt > $BASE_DIR/requirements.txt
 
 cd $BASE_DIR
 git pull
-docker compose up -d --build
+docker compose up -d --build --force-recreate
 
 # Create admin account if none
 docker exec -it updatengine-server bash -c "echo 'select count(*) from auth_user;' | python manage.py dbshell | grep -v 'count' | grep 0" > /dev/null 2>&1
diff --git a/install/docker/nginx/nginx.conf_distinct-admin-access.in b/install/docker/nginx/nginx.conf_distinct-admin-access.in
@@ -0,0 +1,51 @@
+upstream updatengine {
+    server web:8000;
+}
+
+# Client access
+server {
+    listen 443 ssl;
+    server_name ${SERVER_NAME};
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/certs/site.crt;
+    ssl_certificate_key /etc/ssl/private/site.key;    
+
+    location /post/ {
+        proxy_pass http://updatengine;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_redirect off;
+    }
+
+    location /media/ {
+        alias /app/updatengine/media/;
+    }
+}
+
+# Admin access
+server {
+    listen 1443 ssl;
+    server_name ${SERVER_NAME};
+    server_tokens off;
+
+    client_max_body_size 5G;
+
+    ssl_certificate /etc/ssl/certs/site.crt;
+    ssl_certificate_key /etc/ssl/private/site.key;
+
+    location / {
+        proxy_pass http://updatengine;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_redirect off;
+    }
+
+    location /static/ {
+        alias /app/updatengine/static/;
+    }
+
+    location /media/ {
+        alias /app/updatengine/media/;
+    }
+}
diff --git a/requirements/apache-updatengine_distinct-admin-access.conf b/requirements/apache-updatengine_distinct-admin-access.conf
@@ -0,0 +1,88 @@
+WSGIPythonHome ${VENV_DIR}/
+WSGIPythonPath ${INST_DIR}/updatengine-server/updatengine
+WSGIApplicationGroup %{GLOBAL}
+
+# Client access
+Listen ${PORT}
+<VirtualHost *:${PORT}>
+    WSGIDaemonProcess updatengine-cli display-name=updatengine-cli user=www-data processes=2 threads=15
+    WSGIScriptAlias / ${INST_DIR}/updatengine-server/updatengine/wsgi.py
+
+    Alias /static/ ${INST_DIR}/updatengine-server/updatengine/static/
+    Alias /media/ ${INST_DIR}/updatengine-server/updatengine/media/
+    
+    Loglevel    info
+    ErrorLog    /var/log/apache2/updatengine.err
+    CustomLog   /var/log/apache2/updatengine.log "%{%Y%m%d%H%M}t|%h|http://%v%U|%s"
+
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} !^/post/.*
+    RewriteCond %{REQUEST_URI} !^/media/.*
+    RewriteRule .* - [R=404]
+
+    <Directory ${INST_DIR}/updatengine-server/updatengine>
+        <Files wsgi.py>
+            Require all granted
+        </Files>
+    </Directory>
+
+    <Directory ${INST_DIR}/updatengine-server/updatengine/media>
+        Options -Indexes
+        Require all granted
+    </Directory>
+
+    <IfModule mod_headers.c>
+        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, proxy-revalidate"
+    </IfModule>
+
+    <IfModule mod_ssl.c>
+        SSLEngine on
+        SSLCertificateFile     ${SSL_DIR}/updatengine.crt
+        SSLCertificateKeyFile  ${SSL_DIR}/updatengine.key
+    </IfModule>
+    
+</VirtualHost>
+
+# Admin access
+Listen ${PORT_ADMIN}
+<VirtualHost *:${PORT_ADMIN}>
+    WSGIDaemonProcess updatengine display-name=updatengine user=www-data processes=2 threads=15
+    WSGIScriptAlias / ${INST_DIR}/updatengine-server/updatengine/wsgi.py
+
+    Alias /static/ ${INST_DIR}/updatengine-server/updatengine/static/
+    Alias /media/ ${INST_DIR}/updatengine-server/updatengine/media/
+
+    Loglevel    info
+    ErrorLog    /var/log/apache2/updatengine.err
+    CustomLog   /var/log/apache2/updatengine.log "%{%Y%m%d%H%M}t|%h|http://%v%U|%s"
+
+    LimitRequestBody 5368709120
+
+    <Directory ${INST_DIR}/updatengine-server/updatengine>
+        <Files wsgi.py>
+            Require all granted
+        </Files>
+    </Directory>
+
+    <Directory ${INST_DIR}/updatengine-server/updatengine/static>
+        Options -Indexes
+        Require all granted
+    </Directory>
+
+    <Directory ${INST_DIR}/updatengine-server/updatengine/media>
+        Options -Indexes
+        Require all granted
+    </Directory>
+
+    <IfModule mod_headers.c>
+        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, proxy-revalidate"
+    </IfModule>
+
+    <IfModule mod_ssl.c>
+        SSLEngine on
+        SSLCertificateFile     ${SSL_DIR}/updatengine.crt
+        SSLCertificateKeyFile  ${SSL_DIR}/updatengine.key
+    </IfModule>
+
+</VirtualHost>
+
diff --git a/updatengine/settings.py.in b/updatengine/settings.py.in
@@ -34,7 +34,7 @@ PROJECT_URL = 'https://${SERVER_NAME}:${PORT}'
 ALLOWED_HOSTS = ['${SERVER_NAME}']
 
 # List of trusted origins
-CSRF_TRUSTED_ORIGINS = ['https://${SERVER_NAME}:${PORT}']
+CSRF_TRUSTED_ORIGINS = ['https://${SERVER_NAME}:${PORT}','https://${SERVER_NAME}:${PORT_ADMIN}']
 
 # Interface language
 LANGUAGES = (

Original file line number	Diff line number	Diff line change
`@@ -47,3 +47,4 @@ fi`
`47`	`47`	`gunicorn updatengine.wsgi:application --bind 0.0.0.0:8000`
`48`	`48`
`49`	`49`
	`50`	`+`