155 lines
5.8 KiB
Bash
155 lines
5.8 KiB
Bash
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
function make_ca() {
|
|
# Use the provided directory argument or default to AZURITE_DIR if not provided
|
|
local CERT_DIR="${1:-$AZURITE_DIR}"
|
|
|
|
if [[ ! -d "$CERT_DIR" ]]; then
|
|
echo "ERROR: Certificate directory $CERT_DIR does not exist."
|
|
return 1
|
|
fi
|
|
|
|
# Generate CA certificate and key if they don't exist
|
|
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
|
|
echo "Generating CA certificate and key..."
|
|
if ! openssl req \
|
|
-x509 \
|
|
-newkey rsa:4096 \
|
|
-keyout "$CERT_DIR/ca_key.pem" \
|
|
-out "$CERT_DIR/ca_cert.pem" \
|
|
-days 3650 \
|
|
-nodes \
|
|
-subj "/CN=Azurite CA" \
|
|
-text \
|
|
-addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
|
|
echo "Error: Failed to generate CA certificate and key." >&2
|
|
return 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function make_server_cert() {
|
|
local ACCOUNT_NAME="${1:-devstoreaccount1}"
|
|
local CERT_DIR="${2:-$AZURITE_DIR}"
|
|
|
|
if [[ ! -d "$CERT_DIR" ]]; then
|
|
echo "ERROR: Certificate directory $CERT_DIR does not exist."
|
|
return 1
|
|
fi
|
|
|
|
# Generate server certificate and key if they don't exist
|
|
if [[ ! -f "$CERT_DIR/${ACCOUNT_NAME}_cert.pem" || ! -f "$CERT_DIR/${ACCOUNT_NAME}_key.pem" ]]; then
|
|
echo "Generating server certificate and key..."
|
|
if ! openssl req \
|
|
-newkey rsa:4096 \
|
|
-keyout "$CERT_DIR/${ACCOUNT_NAME}_key.pem" \
|
|
-nodes \
|
|
-subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \
|
|
-addext "basicConstraints=critical,CA:FALSE" \
|
|
-addext "keyUsage=digitalSignature,keyEncipherment" \
|
|
-addext "extendedKeyUsage=serverAuth,clientAuth" \
|
|
-addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:localhost,IP:127.0.0.1" \
|
|
| openssl x509 \
|
|
-req \
|
|
-CA "$CERT_DIR/ca_cert.pem" \
|
|
-CAkey "$CERT_DIR/ca_key.pem" \
|
|
-set_serial "0x$(openssl rand -hex 16)" \
|
|
-copy_extensions copyall \
|
|
-days 365 \
|
|
-text \
|
|
-out "$CERT_DIR/${ACCOUNT_NAME}_cert.pem"; then
|
|
echo "Error: Failed to generate server certificate and key." >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# Setup default storage location, account name and accounts file path.
|
|
AZURITE_DIR="/storage"
|
|
|
|
# Check, if the AZURITE_ACCOUNTS variable is set
|
|
if [[ -z "$AZURITE_ACCOUNTS" ]]; then
|
|
# Generate a default account
|
|
export AZURITE_ACCOUNTS="devstoreaccount1:$(openssl rand -base64 32)"
|
|
fi
|
|
|
|
# Look up the account name from the AZURITE_ACCOUNTS variable, which is in the format "accountName:accountKey1:accountKey2;accountName2:accountKey1:accountKey2"
|
|
ACCOUNT_NAME=$(echo "$AZURITE_ACCOUNTS" | cut -f 1 -d ';' | cut -f 1 -d ':')
|
|
|
|
# Ensure /etc/hosts contains an entry the Azure endpoint names,
|
|
# so Caddy can route requests to the correct service based on the hostname.
|
|
if ! grep -qE "${ACCOUNT_NAME}\.blob\.core\.windows\.net" /etc/hosts ||
|
|
! grep -qE "${ACCOUNT_NAME}\.queue\.core\.windows\.net" /etc/hosts ||
|
|
! grep -qE "${ACCOUNT_NAME}\.table\.core\.windows\.net" /etc/hosts; then
|
|
echo -e "\n127.0.0.1\t${ACCOUNT_NAME}.blob.core.windows.net ${ACCOUNT_NAME}.queue.core.windows.net ${ACCOUNT_NAME}.table.core.windows.net" >> /etc/hosts
|
|
fi
|
|
|
|
CADDY=true
|
|
AZURITE_SSL=""
|
|
CERT_ARGS=()
|
|
OAUTH_ARGS=()
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--oauth)
|
|
OAUTH_ARGS=("--oauth" "basic")
|
|
# Ensure Caddy is disabled when using OAuth, as Azurite does not support OAuth behind a reverse proxy.
|
|
CADDY=""
|
|
AZURITE_SSL=true
|
|
shift
|
|
;;
|
|
--ssl)
|
|
AZURITE_SSL=true
|
|
# Ensure Caddy is disabled when using Azurite's built-in SSL support.
|
|
CADDY=""
|
|
shift
|
|
;;
|
|
--no-caddy)
|
|
# Disable Caddy on request.
|
|
CADDY=""
|
|
shift
|
|
;;
|
|
*)
|
|
echo "Unknown argument: $1"
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Ensure certificates are generated before starting Azurite or Caddy.
|
|
if [[ -n "$AZURITE_SSL" || -n "$CADDY" ]]; then
|
|
if ! make_ca "$AZURITE_DIR"; then
|
|
echo "Error: Failed to create CA certificate and key." >&2
|
|
exit 1
|
|
fi
|
|
|
|
if ! make_server_cert "$ACCOUNT_NAME" "$AZURITE_DIR"; then
|
|
echo "Error: Failed to create server certificate and key." >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [[ -n "$CADDY" ]]; then
|
|
# If using Caddy, it will reverse proxy blob, queue, and table endpoints to different ports on localhost,
|
|
# allowing simultaneous access to all services on a single HTTPS port.
|
|
# Generate a Caddyfile configuration based on the account name and storage directory.
|
|
sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_DIR__|${AZURITE_DIR}|g" /app/Caddyfile.example > "$AZURITE_DIR/Caddyfile"
|
|
echo "Starting Caddy server..."
|
|
caddy start --config "$AZURITE_DIR/Caddyfile" # Use start not run, start does not block the shell process.
|
|
else
|
|
# If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
|
|
# This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
|
|
if [[ -n "$AZURITE_SSL" ]]; then
|
|
CERT_ARGS=("--key" "$AZURITE_DIR/${ACCOUNT_NAME}_key.pem" "--cert" "$AZURITE_DIR/${ACCOUNT_NAME}_cert.pem")
|
|
fi
|
|
fi
|
|
|
|
exec node /app/azurite/src/azurite.js \
|
|
--disableTelemetry \
|
|
--location "$AZURITE_DIR" \
|
|
--blobHost 0.0.0.0 --queueHost 0.0.0.0 --tableHost 0.0.0.0 \
|
|
--blobPort 10010 --queuePort 10011 --tablePort 10012 \
|
|
"${CERT_ARGS[@]}" "${OAUTH_ARGS[@]}"
|