From 32fd41d82b2d8a1e9e7b5ef1e74f98f3cdda1700 Mon Sep 17 00:00:00 2001 From: Zoey Date: Sat, 19 Oct 2024 18:21:10 +0200 Subject: [PATCH] prepare certbot changes/merge upstream --- Dockerfile | 11 ++-- backend/app.js | 12 +--- backend/internal/certificate.js | 1 - backend/internal/nginx.js | 62 +++++-------------- backend/package.json | 8 +-- .../schema/components/certificate-object.json | 2 +- .../components/redirection-host-object.json | 2 +- backend/schema/components/setting-object.json | 2 +- backend/setup.js | 6 -- compose.yaml | 2 +- frontend/js/app/nginx/certificates/form.ejs | 4 ++ frontend/js/app/nginx/dead/form.ejs | 4 ++ frontend/js/app/nginx/proxy/form.ejs | 4 ++ frontend/js/app/nginx/redirection/form.ejs | 4 ++ rootfs/etc/tls/certbot.ini | 16 +---- rootfs/usr/local/bin/start.sh | 24 +++++-- .../include/tls-ciphers-no-stapling.conf | 2 +- .../conf/conf.d/include/tls-ciphers.conf | 2 +- rootfs/usr/local/nginx/conf/nginx.conf | 2 + scripts/cypress-dev | 13 ---- test/cypress/e2e/api/FullCertProvision.cy.js | 61 ------------------ 21 files changed, 73 insertions(+), 171 deletions(-) delete mode 100755 scripts/cypress-dev delete mode 100644 test/cypress/e2e/api/FullCertProvision.cy.js diff --git a/Dockerfile b/Dockerfile index 2301fd71..21ec40f5 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -62,16 +62,19 @@ RUN apk upgrade --no-cache -a && \ sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ - echo "APPSEC_URL=http://127.0.0.1:7422" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ - echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ - sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf + sed -i "s|APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|APPSEC_FAILURE_ACTION=.*|APPSEC_FAILURE_ACTION=deny|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|REQUEST_TIMEOUT=.*|REQUEST_TIMEOUT=2500|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|APPSEC_CONNECT_TIMEOUT=.*|APPSEC_CONNECT_TIMEOUT=1000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|APPSEC_SEND_TIMEOUT=.*|APPSEC_SEND_TIMEOUT=30000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf FROM zoeyvid/nginx-quic:347-python SHELL ["/bin/ash", "-eo", "pipefail", "-c"] COPY rootfs / COPY --from=zoeyvid/certbot-docker:58 /usr/local /usr/local -COPY --from=zoeyvid/curl-quic:419 /usr/local/bin/curl /usr/local/bin/curl +COPY --from=zoeyvid/curl-quic:420 /usr/local/bin/curl /usr/local/bin/curl ARG CRS_VER=v4.7.0 RUN apk upgrade --no-cache -a && \ diff --git a/backend/app.js b/backend/app.js index c13eae6e..8f2702ce 100644 --- a/backend/app.js 
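Review bot: The six `sed -i "s|KEY=.*|KEY=value|g"` substitutions added to this RUN step only take effect when a `KEY=` line already exists in config_example.conf; the two lines they replace used `tee -a` precisely because `APPSEC_URL` and `APPSEC_FAILURE_ACTION` were being appended, so if the bundled example lacks any of these keys the substitution is a silent no-op and the image builds with whatever value the example ships. For `APPSEC_FAILURE_ACTION=deny` that means the intended fail-closed behaviour could quietly not be applied. Make the build fail instead, e.g. `grep -q "^APPSEC_FAILURE_ACTION=" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \` before the matching sed, and the same guard for each of the other keys. The removed `BOUNCING_ON_TYPE=ban` substitution has no replacement in this hunk, so that setting now stays at the example's value unless it is set elsewhere.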
+++ b/backend/app.js @@ -2,7 +2,6 @@ const express = require('express'); const bodyParser = require('body-parser'); const fileUpload = require('express-fileupload'); const compression = require('compression'); -const config = require('./lib/config'); const log = require('./logger').express; /** @@ -24,11 +23,6 @@ app.disable('x-powered-by'); app.enable('trust proxy', ['loopback', 'linklocal', 'uniquelocal']); app.enable('strict routing'); -// pretty print JSON when not live -if (config.debug()) { - app.set('json spaces', 2); -} - // CORS for everything app.use(require('./lib/express/cors')); @@ -65,7 +59,7 @@ app.use(function (err, req, res, next) { }, }; - if (config.debug() || (req.baseUrl + req.path).includes('nginx/certificates')) { + if ((req.baseUrl + req.path).includes('nginx/certificates')) { payload.debug = { stack: typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null, previous: err.previous, @@ -74,9 +68,7 @@ app.use(function (err, req, res, next) { // Not every error is worth logging - but this is good for now until it gets annoying. if (typeof err.stack !== 'undefined' && err.stack) { - if (config.debug()) { - log.debug(err.stack); - } else if (typeof err.public === 'undefined' || !err.public) { + if (typeof err.public === 'undefined' || !err.public) { log.warn(err.message); } } diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index f1bbf222..db4a1574 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -794,7 +794,6 @@ const internalCertificate = { let mainCmd = `${certbotCommand} certonly --cert-name "npm-${certificate.id}" --domains "${certificate.domain_names.join(',')}" --server "${process.env.ACME_SERVER}" --authenticator ${dnsPlugin.full_plugin_name} --${dnsPlugin.full_plugin_name}-credentials "${credentialsLocation}"`; - logger.info('Command:', mainCmd); try { diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js index 46667f8b..e936a783 100644 
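Review bot: With the `config.debug()` gate removed, `if ((req.baseUrl + req.path).includes('nginx/certificates'))` is the only condition left in the error handler, so every error on a certificate route now returns `err.stack.split('\n')` and `err.previous` to the HTTP client unconditionally, while the `@@ -74,9 +68,7 @@` hunk drops the only place the stack was ever written to the server log. Stack traces carry internal file paths and module names that belong in the log rather than in the API payload; the certificate routes are presumably authenticated, but that cannot be confirmed from this hunk. Suggested: keep the stack server-side, `log.warn(err.message); if (err.stack) { log.debug(err.stack); }`, and drop `stack` from `payload.debug` (or put it behind an explicit opt-in) so the response carries only `err.previous`. The enclosing `app.use(function (err, req, res, next) {` handler starts before this hunk.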
--- a/backend/internal/nginx.js +++ b/backend/internal/nginx.js @@ -1,7 +1,6 @@ const _ = require('lodash'); const fs = require('fs'); const logger = require('../logger').nginx; -const config = require('../lib/config'); const utils = require('../lib/utils'); const error = require('../lib/error'); @@ -49,23 +48,23 @@ const internalNginx = { }); }) .catch((err) => { - // Handle testing failure - return utils.execfg('nginx -t || true').then(() => { - combined_meta = _.assign({}, host.meta, { - nginx_online: false, - nginx_err: err.message, - }); + logger.error(err.message); - return model - .query() - .where('id', host.id) - .patch({ - meta: combined_meta, - }) - .then(() => { - internalNginx.renameConfigAsError(host_type, host); - }); + // config is bad, update meta and rename config + combined_meta = _.assign({}, host.meta, { + nginx_online: false, + nginx_err: err.message, }); + + return model + .query() + .where('id', host.id) + .patch({ + meta: combined_meta, + }) + .then(() => { + internalNginx.renameConfigAsError(host_type, host); + }); }); }) .then(() => { @@ -80,10 +79,6 @@ const internalNginx = { * @returns {Promise} */ test: () => { - if (config.debug()) { - logger.info('Testing Nginx configuration'); - } - return utils.exec('nginx -tq'); }, @@ -172,10 +167,6 @@ const internalNginx = { generateConfig: (host_type, host) => { const nice_host_type = internalNginx.getFileFriendlyHostType(host_type); - if (config.debug()) { - logger.info('Generating ' + nice_host_type + ' Config:', JSON.stringify(host, null, 2)); - } - const renderEngine = utils.getRenderEngine(); return new Promise((resolve, reject) => { 
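Review bot: In the rebuilt `.catch` of the `@@ -49,23 +48,23 @@` hunk, the final `.then(() => { internalNginx.renameConfigAsError(host_type, host); })` discards the return value of `renameConfigAsError`; if that helper returns a promise (not visible here), a rejection from it escapes the chain as an unhandled rejection and the caller continues as though the bad config had been renamed. Returning it, `.then(() => internalNginx.renameConfigAsError(host_type, host))`, keeps the failure inside the chain; the removed code had the same shape, but the rewrite is the moment to fix it. Note also that `logger.error(err.message)` replaces the earlier re-run of `nginx -t`, so the full nginx test output is no longer emitted unless `err.message` from `utils.exec('nginx -tq')` already contains nginx's stderr — worth confirming. The enclosing function starts before this hunk.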
@@ -217,29 +208,18 @@ const internalNginx = { locationsPromise = Promise.resolve(); } - // Set the IPv6 setting for the host - host.ipv6 = internalNginx.ipv6Enabled(); - locationsPromise.then(() => { renderEngine .parseAndRender(template, host) .then((config_text) => { fs.writeFileSync(filename, config_text, { encoding: 'utf8' }); - if (config.debug()) { - logger.success('Wrote config:', filename, config_text); - } - // Restore locations array host.locations = origLocations; resolve(true); }) .catch((err) => { - if (config.debug()) { - logger.warn('Could not write ' + filename + ':', err.message); - } - reject(new error.ConfigurationError(err.message)); }); }); @@ -326,18 +306,6 @@ const internalNginx = { advancedConfigHasDefaultLocation: function (cfg) { return !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im); }, - - /** - * @returns {boolean} - */ - ipv6Enabled: function () { - if (typeof process.env.DISABLE_IPV6 !== 'undefined') { - const disabled = process.env.DISABLE_IPV6.toLowerCase(); - return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes'); - } - - return true; - }, }; module.exports = internalNginx; diff --git a/backend/package.json b/backend/package.json index 4b8335f3..9604104b 100644 --- a/backend/package.json +++ b/backend/package.json @@ -9,7 +9,7 @@ "archiver": "7.0.1", "batchflow": "0.4.0", "bcrypt": "5.1.1", - "better-sqlite3": "11.3.0", + "better-sqlite3": "11.4.0", "body-parser": "2.0.1", "compression": "1.7.4", "express": "4.21.1", @@ -17,7 +17,7 @@ "gravatar": "1.8.2", "jsonwebtoken": "9.0.2", "knex": "3.1.0", - "liquidjs": "10.17.0", + "liquidjs": "10.18.0", "lodash": "4.17.21", "moment": "2.30.1", "mysql2": "3.11.3", @@ -30,8 +30,8 @@ "license": "MIT", "devDependencies": { "@apidevtools/swagger-parser": "10.1.0", - "@eslint/js": "9.12.0", - "eslint": "9.12.0", + "@eslint/js": "9.13.0", + "eslint": "9.13.0", "eslint-config-prettier": "9.1.0", "eslint-plugin-prettier": "5.2.1", "globals": "15.11.0", 
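Review bot: This hunk stops setting `host.ipv6 = internalNginx.ipv6Enabled();` before `renderEngine.parseAndRender(template, host)`, and the `@@ -326,18 +306,6 @@` hunk deletes `ipv6Enabled` together with its `DISABLE_IPV6` handling, yet the diffstat at the top of the patch lists no change under `backend/templates`, so any template that still branches on `ipv6` now sees `undefined` (falsy) and renders as if IPv6 were disabled. `DISABLE_IPV6` likewise becomes a silent no-op for anyone who set it in compose.yaml, and the compose hunk in this patch neither removes nor documents that variable. Before merging, confirm no template references `ipv6`, and record the removal in the commit description or as a deprecation comment on `DISABLE_IPV6` in compose.yaml so it is visible to users. The enclosing `generateConfig` starts before this hunk.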
diff --git a/backend/schema/components/certificate-object.json b/backend/schema/components/certificate-object.json index b75dcf61..bbe575ed 100644 --- a/backend/schema/components/certificate-object.json +++ b/backend/schema/components/certificate-object.json @@ -26,7 +26,7 @@ "domain_names": { "description": "Domain Names separated by a comma", "type": "array", - "maxItems": 100, + "maxItems": 99, "uniqueItems": true, "items": { "type": "string", diff --git a/backend/schema/components/redirection-host-object.json b/backend/schema/components/redirection-host-object.json index cc4dbdd2..012f971e 100644 --- a/backend/schema/components/redirection-host-object.json +++ b/backend/schema/components/redirection-host-object.json @@ -28,7 +28,7 @@ }, "forward_scheme": { "type": "string", - "enum": ["http", "https"] + "enum": ["$scheme", "http", "https"] }, "forward_domain_name": { "description": "Domain Name", diff --git a/backend/schema/components/setting-object.json b/backend/schema/components/setting-object.json index e0877726..65ec2a08 100644 --- a/backend/schema/components/setting-object.json +++ b/backend/schema/components/setting-object.json @@ -25,7 +25,7 @@ "value": { "description": "Value in almost any form", "example": "congratulations", - "oneOf": [ + "anyOf": [ { "type": "string", "minLength": 1 diff --git a/backend/setup.js b/backend/setup.js index c5b89bb6..60544408 100644 --- a/backend/setup.js +++ b/backend/setup.js @@ -1,4 +1,3 @@ -const config = require('./lib/config'); const logger = require('./logger').setup; const certificateModel = require('./models/certificate'); const userModel = require('./models/user'); @@ -64,8 +63,6 @@ const setupDefaultUser = () => { .then(() => { logger.info('Initial admin setup completed'); }); - } else if (config.debug()) { - logger.info('Admin user setup not required'); } }); }; 
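Review bot: `"maxItems": 99` replaces 100 on `domain_names` with no record of why, and the `description` on the same property is the only place a JSON schema can carry that reason, so the next reader is likely to "fix" it back. State the limit and its origin in the description once known, e.g. `"description": "Domain Names separated by a comma; at most 99 per certificate"`.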
@@ -96,9 +93,6 @@ const setupDefaultSettings = () => { logger.info('Default settings added'); }); } - if (config.debug()) { - logger.info('Default setting setup not required'); - } }); }; diff --git a/compose.yaml b/compose.yaml index b2c6b32d..7fb4782c 100644 --- a/compose.yaml +++ b/compose.yaml @@ -32,7 +32,7 @@ services: # - "DISABLE_H3_QUIC=true" # disables nginx to listen on port 443 udp for default and your hosts, this will disable HTTP/3 and QUIC, default false # - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false # - "NGINX_404_REDIRECT=true" # Redirect to / instead of showing a 404 error page, default false -# - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy-buffering option of nginx, default false +# - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec # - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false # - "CLEAN=false" # Clean folders, default true # - "FULLCLEAN=true" # Clean unused config folders, default false diff --git a/frontend/js/app/nginx/certificates/form.ejs b/frontend/js/app/nginx/certificates/form.ejs index 24989561..ab57f5b2 100644 --- a/frontend/js/app/nginx/certificates/form.ejs +++ b/frontend/js/app/nginx/certificates/form.ejs @@ -26,12 +26,14 @@ +
@@ -103,6 +105,7 @@
+ diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs index addc2b21..911ba84d 100644 --- a/frontend/js/app/nginx/dead/form.ejs +++ b/frontend/js/app/nginx/dead/form.ejs @@ -144,6 +144,7 @@ + +
+
+
+
+