update: streamlined run-server.sh with entrypoint.sh.

2026-02-27 22:41:55 +01:00
parent f336039cd8
commit 8be0eb7d90
5 changed files with 170 additions and 110 deletions
--- a/Caddyfile.example
+++ b/Caddyfile.example
@@ -3,15 +3,15 @@
 # Replace "__ACCOUNT_NAME__" with a desired storage account name if needed
 __ACCOUNT_NAME__.blob.core.windows.net {
 	tls __AZURITE_DIR__/__ACCOUNT_NAME___cert.pem __AZURITE_DIR__/__ACCOUNT_NAME___key.pem
-	reverse_proxy localhost:10000
+	reverse_proxy 127.0.0.1:10000
 }
 __ACCOUNT_NAME__.queue.core.windows.net {
 	tls __AZURITE_DIR__/__ACCOUNT_NAME___cert.pem __AZURITE_DIR__/__ACCOUNT_NAME___key.pem
-	reverse_proxy localhost:10001
+	reverse_proxy 127.0.0.1:10001
 }
 __ACCOUNT_NAME__.table.core.windows.net {
 	tls __AZURITE_DIR__/__ACCOUNT_NAME___cert.pem __AZURITE_DIR__/__ACCOUNT_NAME___key.pem
-	reverse_proxy localhost:10002
+	reverse_proxy 127.0.0.1:10002
 }
--- a/1
+++ b/1
@@ -26,6 +26,7 @@ RUN npm pkg set scripts.prepare="echo no-prepare"
 RUN npm ci --omit=dev --unsafe-perm
 WORKDIR /app
 COPY ./cert-functions.sh ./
 COPY ./entrypoint.sh .
 COPY ./Caddyfile.example .
 RUN chmod +x entrypoint.sh
--- a/cert-functions.sh
+++ b/cert-functions.sh
@@ -0,0 +1,63 @@
 function make_ca() {
    # Use the provided directory argument or default to AZURITE_DIR if not provided
    local CERT_DIR="${1:-$AZURITE_DIR}"
    if [[ ! -d "$CERT_DIR" ]]; then
        echo "ERROR: Certificate directory $CERT_DIR does not exist."
        return 1
    fi
    # Generate CA certificate and key if they don't exist
    if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
        echo "Generating CA certificate and key..."
        if ! openssl req \
            -x509 \
            -newkey rsa:4096 \
            -keyout "$CERT_DIR/ca_key.pem" \
            -out "$CERT_DIR/ca_cert.pem" \
            -days 3650 \
            -nodes \
            -subj "/CN=Azurite CA" \
            -text \
            -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
            echo "Error: Failed to generate CA certificate and key." >&2
            return 1
        fi
    fi
 }
 function make_server_cert() {
    local ACCOUNT_NAME="${1:-devstoreaccount1}"
    local CERT_DIR="${2:-$AZURITE_DIR}"
    if [[ ! -d "$CERT_DIR" ]]; then
        echo "ERROR: Certificate directory $CERT_DIR does not exist."
        return 1
    fi
    # Generate server certificate and key if they don't exist
    if [[ ! -f "$CERT_DIR/${ACCOUNT_NAME}_cert.pem" || ! -f "$CERT_DIR/${ACCOUNT_NAME}_key.pem" ]]; then
        echo "Generating server certificate and key..."
        if ! openssl req \
            -newkey rsa:4096 \
            -keyout "$CERT_DIR/${ACCOUNT_NAME}_key.pem" \
            -nodes \
            -subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \
            -addext "basicConstraints=critical,CA:FALSE" \
            -addext "keyUsage=digitalSignature,keyEncipherment" \
            -addext "extendedKeyUsage=serverAuth,clientAuth" \
            -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:localhost,IP:127.0.0.1" \
        | openssl x509 \
            -req \
            -CA "$CERT_DIR/ca_cert.pem" \
            -CAkey "$CERT_DIR/ca_key.pem" \
            -set_serial "0x$(openssl rand -hex 16)" \
            -copy_extensions copyall \
            -days 365 \
            -text \
            -out "$CERT_DIR/${ACCOUNT_NAME}_cert.pem"; then
            echo "Error: Failed to generate server certificate and key." >&2
            exit 1
        fi
    fi
 }
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,69 +2,8 @@
 set -e
-function make_ca() {
+# Include certificate generation functions.
-    # Use the provided directory argument or default to AZURITE_DIR if not provided
+. /app/cert-functions.sh
    local CERT_DIR="${1:-$AZURITE_DIR}"
    if [[ ! -d "$CERT_DIR" ]]; then
        echo "ERROR: Certificate directory $CERT_DIR does not exist."
        return 1
    fi
    # Generate CA certificate and key if they don't exist
    if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
        echo "Generating CA certificate and key..."
        if ! openssl req \
            -x509 \
            -newkey rsa:4096 \
            -keyout "$CERT_DIR/ca_key.pem" \
            -out "$CERT_DIR/ca_cert.pem" \
            -days 3650 \
            -nodes \
            -subj "/CN=Azurite CA" \
            -text \
            -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
            echo "Error: Failed to generate CA certificate and key." >&2
            return 1
        fi
    fi
 }
 function make_server_cert() {
    local ACCOUNT_NAME="${1:-devstoreaccount1}"
    local CERT_DIR="${2:-$AZURITE_DIR}"
    if [[ ! -d "$CERT_DIR" ]]; then
        echo "ERROR: Certificate directory $CERT_DIR does not exist."
        return 1
    fi
    # Generate server certificate and key if they don't exist
    if [[ ! -f "$CERT_DIR/${ACCOUNT_NAME}_cert.pem" || ! -f "$CERT_DIR/${ACCOUNT_NAME}_key.pem" ]]; then
        echo "Generating server certificate and key..."
        if ! openssl req \
            -newkey rsa:4096 \
            -keyout "$CERT_DIR/${ACCOUNT_NAME}_key.pem" \
            -nodes \
            -subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \
            -addext "basicConstraints=critical,CA:FALSE" \
            -addext "keyUsage=digitalSignature,keyEncipherment" \
            -addext "extendedKeyUsage=serverAuth,clientAuth" \
            -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:localhost,IP:127.0.0.1" \
        | openssl x509 \
            -req \
            -CA "$CERT_DIR/ca_cert.pem" \
            -CAkey "$CERT_DIR/ca_key.pem" \
            -set_serial "0x$(openssl rand -hex 16)" \
            -copy_extensions copyall \
            -days 365 \
            -text \
            -out "$CERT_DIR/${ACCOUNT_NAME}_cert.pem"; then
            echo "Error: Failed to generate server certificate and key." >&2
            exit 1
        fi
    fi
 }
 # Setup default storage location, account name and accounts file path.
 AZURITE_DIR="/storage"
@@ -139,11 +78,11 @@ if [[ -n "$CADDY" ]]; then
    echo "Starting Caddy server..."
    caddy start --config "$AZURITE_DIR/Caddyfile" # Use start not run, start does not block the shell process.
 else
-  # If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
+    # If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
-  # This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
+    # This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
-  if [[ -n "$AZURITE_SSL" ]]; then
+    if [[ -n "$AZURITE_SSL" ]]; then
-    CERT_ARGS=("--key" "$AZURITE_DIR/${ACCOUNT_NAME}_key.pem" "--cert" "$AZURITE_DIR/${ACCOUNT_NAME}_cert.pem")
+        CERT_ARGS=("--key" "$AZURITE_DIR/${ACCOUNT_NAME}_key.pem" "--cert" "$AZURITE_DIR/${ACCOUNT_NAME}_cert.pem")
-  fi
+    fi
 fi
 # Start Azurite with the appropriate arguments based on the configuration.
--- a/run-server.sh
+++ b/run-server.sh
@@ -1,67 +1,124 @@
 #!/usr/bin/env bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Include certificate generation functions.
 . "$SCRIPT_DIR/cert-functions.sh"
 AZURITE_DIR="$SCRIPT_DIR/storage"
 if [[ ! -d "$AZURITE_DIR" ]]; then
-  echo "No accounts found"
+    echo "No accounts found"
-  exit 0
+    exit 0
 fi
 if [[ -f "$SCRIPT_DIR/accounts.env" ]]; then
    set -a
    . "$SCRIPT_DIR/accounts.env"
    set +a
 fi
 # Look up the account name from the AZURITE_ACCOUNTS variable, which is in the format "accountName:accountKey1:accountKey2;accountName2:accountKey1:accountKey2"
 ACCOUNT_NAME=$(echo "$AZURITE_ACCOUNTS" | cut -f 1 -d ';' | cut -f 1 -d ':')
 # Ensure /etc/hosts contains an entry the Azure endpoint names,
 # so Caddy can route requests to the correct service based on the hostname.
 if ! grep -qE "${ACCOUNT_NAME}\.blob\.core\.windows\.net" /etc/hosts ||
   ! grep -qE "${ACCOUNT_NAME}\.queue\.core\.windows\.net" /etc/hosts ||
   ! grep -qE "${ACCOUNT_NAME}\.table\.core\.windows\.net" /etc/hosts; then
    echo "ERROR: /etc/hosts does not contain entries for the Azure endpoints. Please ensure the following line is present in /etc/hosts:"
    echo -e "\n127.0.0.1\t${ACCOUNT_NAME}.blob.core.windows.net ${ACCOUNT_NAME}.queue.core.windows.net ${ACCOUNT_NAME}.table.core.windows.net"
    exit 1
 fi
 if ! command -v azurite &> /dev/null; then
-  echo "Azurite is not installed. Please install it with 'npm install -g azurite'"
+    echo "Azurite is not installed. Please install it with 'npm install -g azurite'"
-  exit 1
+    exit 1
 fi
 if command -v caddy &> /dev/null; then
-  CADDY=true
+    CADDY=true
 else
-  CADDY=""
+    CADDY=""
 fi
 AZURITE_SSL=""
 CERT_ARGS=()
 OAUTH_ARGS=()
 PORTS_ARGS=("--blobPort" "10000" "--queuePort" "10001" "--tablePort" "10002")
 while [[ $# -gt 0 ]]; do
-  case "$1" in
+    case "$1" in
-    --oauth)
+        --oauth)
-      OAUTH_ARGS=("--oauth" "basic")
+            case "$2" in
-      shift
+                blob)
-      ;;
+                    PORTS_ARGS=("--blobPort" "443" "--queuePort" "10001" "--tablePort" "10002")
-    --no-caddy)
+                    ;;
-      CADDY=""
+                queue)
-      shift
+                    PORTS_ARGS=("--blobPort" "10000" "--queuePort" "443" "--tablePort" "10002")
-      ;;
+                    ;;
-    *)
+                table)
-      echo "Unknown argument: $1"
+                    PORTS_ARGS=("--blobPort" "10000" "--queuePort" "10001" "--tablePort" "443")
-      exit 1
+                    ;;
-      ;;
+                *)
-  esac
+                    echo "Error: --oauth must be followed by 'blob', 'queue', or 'table'." >&2
                    exit 1
                    ;;
            esac
            OAUTH_ARGS=("--oauth" "basic")
            # Ensure Caddy is disabled when using OAuth, as Azurite does not support OAuth behind a reverse proxy.
            CADDY=""
            AZURITE_SSL=true
            shift 2
            ;;
        --ssl)
            AZURITE_SSL=true
            # Ensure Caddy is disabled when using Azurite's built-in SSL support.
            CADDY=""
            shift
            ;;
        --no-caddy)
            # Disable Caddy, but do not enable SSL for Azurite.
            CADDY=""
            shift
            ;;
        *)
            echo "Unknown argument: $1"
            exit 1
            ;;
    esac
 done
-AZURITE_ACCOUNTS_FILE="$AZURITE_DIR/accounts.env"
+# Ensure certificates are generated before starting Azurite or Caddy.
-set -a
+if [[ -n "$AZURITE_SSL" || -n "$CADDY" ]]; then
-. $AZURITE_ACCOUNTS_FILE
+    if ! make_ca "$AZURITE_DIR"; then
-set +a
+        echo "Error: Failed to create CA certificate and key." >&2
        exit 1
    fi
    if ! make_server_cert "$ACCOUNT_NAME" "$AZURITE_DIR"; then
        echo "Error: Failed to create server certificate and key." >&2
        exit 1
    fi
 fi
 if [[ -n "$CADDY" ]]; then
-  # If using Caddy, it will reverse proxy blob, queue, and table endpoints to different ports on localhost,
+    # If using Caddy, it will reverse proxy blob, queue, and table endpoints to different ports on localhost,
-  # allowing simultaneous access to all services on a single HTTPS port.
+    # allowing simultaneous access to all services on a single HTTPS port.
-  echo "Starting Caddy server..."
+    # Generate a Caddyfile configuration based on the account name and storage directory.
-  caddy start --config Caddyfile # Use start not run, start does not block the shell process.
+    sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_DIR__|${AZURITE_DIR}|g" "$SCRIPT_DIR/Caddyfile.example" > "$AZURITE_DIR/Caddyfile"
-  trap "echo 'Stopping Caddy server...'; caddy stop" EXIT INT TERM HUP KILL STOP
+    echo "Starting Caddy server..."
-  CERT_ARGS=()
+    caddy start --config "$AZURITE_DIR/Caddyfile" # Use start not run, start does not block the shell process.
-  BLOB_ARGS=()
+    trap "echo 'Stopping Caddy server...'; caddy stop" EXIT INT TERM HUP KILL STOP
-  OAUTH_ARGS=() # Ensure OAuth is disabled when using Caddy, as Azurite does not support OAuth in reverse proxy mode.
+    CERT_ARGS=()
    OAUTH_ARGS=() # Ensure OAuth is disabled when using Caddy, as Azurite does not support OAuth in reverse proxy mode.
 else
-  # If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
+    # If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
-  # This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
+    # This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
-  BLOB_ARGS=("--blobHost" "0.0.0.0" "--blobPort" "443")
+    CERT_ARGS=("--key" "$AZURITE_DIR/server_key.pem" "--cert" "$AZURITE_DIR/server_cert.pem")
  CERT_ARGS=("--key" "$AZURITE_DIR/server_key.pem" "--cert" "$AZURITE_DIR/server_cert.pem")
 fi
 azurite \
    --disableTelemetry \
    --location "$AZURITE_DIR" \
-    "${CERT_ARGS[@]}" \
+    --blobHost 127.0.0.1 --queueHost 127.0.0.1 --tableHost 127.0.0.1 \
-    "${BLOB_ARGS[@]}" \
+    "${PORTS_ARGS[@]}" "${CERT_ARGS[@]}" "${OAUTH_ARGS[@]}"
    "${OAUTH_ARGS[@]}"