services for proxy data

app.rb

@@ -1,6 +1,8 @@
 require 'base64'
 require 'uri'
 require 'net/http'
+require 'zlib'
+require 'rubygems/package'
 require './environment.rb'
 
 use Rack::Session::Cookie, key:          'neocities',
@@ -1446,6 +1448,88 @@ post '/site/:username/block' do |username|
   end
 end
 
+get '/sysops/proxy/map.txt' do
+  require_proxy_auth
+  domains = ''
+  Site.exclude(domain: nil).
+       exclude(domain: '').
+       select(:username,:domain).
+       all.
+       collect do |s|
+    domains << "#{s.domain} #{s.username};\n"
+  end
+  content_type :text
+  domains
+end
+
+get '/sysops/proxy/sslcerts.tar.gz' do
+  require_proxy_auth
+  sites = Site.ssl_sites
+
+  nginx_config = ''
+
+  tar = StringIO.new
+
+  Gem::Package::TarWriter.new(tar) do |writer|
+    writer.mkdir 'sslcerts', 0740
+    writer.mkdir 'sslcerts/certs', 0740
+
+    sites.each do |site|
+      writer.add_file "sslcerts/certs/#{site.username}.key", 0640 do |f|
+        f.write site.ssl_key
+      end
+
+      writer.add_file "sslcerts/certs/#{site.username}.crt", 0640 do |f|
+        f.write site.ssl_cert
+      end
+
+      nginx_config << %{
+        server {
+          listen 443 ssl;
+          server_name #{site.domain} *.#{site.domain};
+          ssl_certificate certs/#{site.username}.crt;
+          ssl_certificate_key certs/#{site.username}.key;
+
+          location / {
+            proxy_http_version 1.1;
+            proxy_set_header Host #{site.username}.neocities.org;
+            proxy_pass http://127.0.0.1$request_uri;
+          }
+        }
+      }.unindent
+    end
+
+    writer.add_file "sslcerts/sslsites.conf", 0640 do |f|
+      f.write nginx_config
+    end
+  end
+
+  tar.rewind
+
+  package = StringIO.new 'b'
+  package.set_encoding 'binary'
+  gzip = Zlib::GzipWriter.new package
+  gzip.write tar.read
+  tar.close
+  gzip.finish
+  package.rewind
+
+  attachment
+  package.read
+end
+
+class ProxyAccessViolation < StandardError; end
+
+def require_proxy_auth
+  begin
+    auth = request.env['HTTP_AUTHORIZATION']
+    user, pass = Base64.decode64(auth.match(/Basic (.+)/)[1]).split(':')
+    raise ProxyAccessViolation unless pass == $config['proxy_pass']
+  rescue
+    raise ProxyAccessViolation, "Violator: #{request.ip}" unless pass == $config['proxy_pass']
+  end
+end
+
 def require_admin
   redirect '/' unless signed_in? && current_site.is_admin
 end

config.yml.template

@@ -9,6 +9,7 @@ development:
   stripe_publishable_key: fillout
   stripe_api_key: fillout
   ip_hash_salt: "400$8$1$fc21863da5d531c1"
+  proxy_pass: 'somethinglongandrandom'
 test:
   database: 'postgres://neocities@127.0.0.1/neocities_test'
   database_pool: 1
@@ -20,3 +21,4 @@ test:
   stripe_publishable_key: fillout
   stripe_api_key: fillout
   ip_hash_salt: "400$8$1$fc21863da5d531c1"
+  proxy_pass: 'somethinglongandrandom'

ext/string.rb

@@ -11,4 +11,8 @@ class String
       self[0..length]
     end
   end
+
+  def unindent
+    gsub /^#{scan(/^\s*/).min_by{|l|l.length}}/, ""
+  end
 end

models/site.rb

@@ -230,6 +230,14 @@ class Site < Sequel::Model
 
       false
     end
+
+    def ssl_sites
+      select(:id, :username, :domain, :ssl_key, :ssl_cert).
+      exclude(domain: nil).
+      exclude(ssl_key: nil).
+      exclude(ssl_cert: nil).
+      all
+    end
   end
 
   def ip=(ip)