prepare certbot changes/merge upstream

2024-10-19 18:21:10 +02:00 · 2024-10-19 18:21:10 +02:00 · 32fd41d82b
commit 32fd41d82b
parent 1dbf57c2ba
21 changed files with 73 additions and 171 deletions
--- a/11
+++ b/11
@ -62,16 +62,19 @@ RUN apk upgrade --no-cache -a && \
    sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
-    echo "APPSEC_URL=http://127.0.0.1:7422" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
-    echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|APPSEC_FAILURE_ACTION=.*|APPSEC_FAILURE_ACTION=deny|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
-    sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
+    sed -i "s|REQUEST_TIMEOUT=.*|REQUEST_TIMEOUT=2500|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|APPSEC_CONNECT_TIMEOUT=.*|APPSEC_CONNECT_TIMEOUT=1000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|APPSEC_SEND_TIMEOUT=.*|APPSEC_SEND_TIMEOUT=30000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 FROM zoeyvid/nginx-quic:347-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 COPY --from=zoeyvid/certbot-docker:58 /usr/local          /usr/local
-COPY --from=zoeyvid/curl-quic:419     /usr/local/bin/curl /usr/local/bin/curl
+COPY --from=zoeyvid/curl-quic:420     /usr/local/bin/curl /usr/local/bin/curl
 ARG CRS_VER=v4.7.0
 RUN apk upgrade --no-cache -a && \
--- a/backend/app.js
+++ b/backend/app.js
@ -2,7 +2,6 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const fileUpload = require('express-fileupload');
 const compression = require('compression');
 const config = require('./lib/config');
 const log = require('./logger').express;
 /**
@ -24,11 +23,6 @@ app.disable('x-powered-by');
 app.enable('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
 app.enable('strict routing');
 // pretty print JSON when not live
 if (config.debug()) {
 	app.set('json spaces', 2);
 }
 // CORS for everything
 app.use(require('./lib/express/cors'));
@ -65,7 +59,7 @@ app.use(function (err, req, res, next) {
 		},
 	};
-	if (config.debug() || (req.baseUrl + req.path).includes('nginx/certificates')) {
+	if ((req.baseUrl + req.path).includes('nginx/certificates')) {
 		payload.debug = {
 			stack: typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null,
 			previous: err.previous,
@ -74,9 +68,7 @@ app.use(function (err, req, res, next) {
 	// Not every error is worth logging - but this is good for now until it gets annoying.
 	if (typeof err.stack !== 'undefined' && err.stack) {
-		if (config.debug()) {
+		if (typeof err.public === 'undefined' || !err.public) {
 			log.debug(err.stack);
 		} else if (typeof err.public === 'undefined' || !err.public) {
 			log.warn(err.message);
 		}
 	}
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@ -794,7 +794,6 @@ const internalCertificate = {
 		let mainCmd = `${certbotCommand} certonly --cert-name "npm-${certificate.id}" --domains "${certificate.domain_names.join(',')}" --server "${process.env.ACME_SERVER}" --authenticator ${dnsPlugin.full_plugin_name} --${dnsPlugin.full_plugin_name}-credentials "${credentialsLocation}"`;
 		logger.info('Command:', mainCmd);
 		try {
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@ -1,7 +1,6 @@
 const _ = require('lodash');
 const fs = require('fs');
 const logger = require('../logger').nginx;
 const config = require('../lib/config');
 const utils = require('../lib/utils');
 const error = require('../lib/error');
@ -49,23 +48,23 @@ const internalNginx = {
 						});
 					})
 					.catch((err) => {
-						// Handle testing failure
+						logger.error(err.message);
 						return utils.execfg('nginx -t || true').then(() => {
 							combined_meta = _.assign({}, host.meta, {
 								nginx_online: false,
 								nginx_err: err.message,
 							});
-							return model
+						// config is bad, update meta and rename config
-								.query()
+						combined_meta = _.assign({}, host.meta, {
-								.where('id', host.id)
+							nginx_online: false,
-								.patch({
+							nginx_err: err.message,
 									meta: combined_meta,
 								})
 								.then(() => {
 									internalNginx.renameConfigAsError(host_type, host);
 								});
 						});
 						return model
 							.query()
 							.where('id', host.id)
 							.patch({
 								meta: combined_meta,
 							})
 							.then(() => {
 								internalNginx.renameConfigAsError(host_type, host);
 							});
 					});
 			})
 			.then(() => {
@ -80,10 +79,6 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	test: () => {
 		if (config.debug()) {
 			logger.info('Testing Nginx configuration');
 		}
 		return utils.exec('nginx -tq');
 	},
@ -172,10 +167,6 @@ const internalNginx = {
 	generateConfig: (host_type, host) => {
 		const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);
 		if (config.debug()) {
 			logger.info('Generating ' + nice_host_type + ' Config:', JSON.stringify(host, null, 2));
 		}
 		const renderEngine = utils.getRenderEngine();
 		return new Promise((resolve, reject) => {
@ -217,29 +208,18 @@ const internalNginx = {
 				locationsPromise = Promise.resolve();
 			}
 			// Set the IPv6 setting for the host
 			host.ipv6 = internalNginx.ipv6Enabled();
 			locationsPromise.then(() => {
 				renderEngine
 					.parseAndRender(template, host)
 					.then((config_text) => {
 						fs.writeFileSync(filename, config_text, { encoding: 'utf8' });
 						if (config.debug()) {
 							logger.success('Wrote config:', filename, config_text);
 						}
 						// Restore locations array
 						host.locations = origLocations;
 						resolve(true);
 					})
 					.catch((err) => {
 						if (config.debug()) {
 							logger.warn('Could not write ' + filename + ':', err.message);
 						}
 						reject(new error.ConfigurationError(err.message));
 					});
 			});
@ -326,18 +306,6 @@ const internalNginx = {
 	advancedConfigHasDefaultLocation: function (cfg) {
 		return !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im);
 	},
 	/**
 	 * @returns {boolean}
 	 */
 	ipv6Enabled: function () {
 		if (typeof process.env.DISABLE_IPV6 !== 'undefined') {
 			const disabled = process.env.DISABLE_IPV6.toLowerCase();
 			return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes');
 		}
 		return true;
 	},
 };
 module.exports = internalNginx;
--- a/backend/package.json
+++ b/backend/package.json
@ -9,7 +9,7 @@
    "archiver": "7.0.1",
    "batchflow": "0.4.0",
    "bcrypt": "5.1.1",
-    "better-sqlite3": "11.3.0",
+    "better-sqlite3": "11.4.0",
    "body-parser": "2.0.1",
    "compression": "1.7.4",
    "express": "4.21.1",
@ -17,7 +17,7 @@
    "gravatar": "1.8.2",
    "jsonwebtoken": "9.0.2",
    "knex": "3.1.0",
-    "liquidjs": "10.17.0",
+    "liquidjs": "10.18.0",
    "lodash": "4.17.21",
    "moment": "2.30.1",
    "mysql2": "3.11.3",
@ -30,8 +30,8 @@
  "license": "MIT",
  "devDependencies": {
    "@apidevtools/swagger-parser": "10.1.0",
-    "@eslint/js": "9.12.0",
+    "@eslint/js": "9.13.0",
-    "eslint": "9.12.0",
+    "eslint": "9.13.0",
    "eslint-config-prettier": "9.1.0",
    "eslint-plugin-prettier": "5.2.1",
    "globals": "15.11.0",
--- a/backend/schema/components/certificate-object.json
+++ b/backend/schema/components/certificate-object.json
@ -26,7 +26,7 @@
 		"domain_names": {
 			"description": "Domain Names separated by a comma",
 			"type": "array",
-			"maxItems": 100,
+			"maxItems": 99,
 			"uniqueItems": true,
 			"items": {
 				"type": "string",
--- a/backend/schema/components/redirection-host-object.json
+++ b/backend/schema/components/redirection-host-object.json
@ -28,7 +28,7 @@
 		},
 		"forward_scheme": {
 			"type": "string",
-			"enum": ["http", "https"]
+			"enum": ["$scheme", "http", "https"]
 		},
 		"forward_domain_name": {
 			"description": "Domain Name",
--- a/backend/schema/components/setting-object.json
+++ b/backend/schema/components/setting-object.json
@ -25,7 +25,7 @@
 		"value": {
 			"description": "Value in almost any form",
 			"example": "congratulations",
-			"oneOf": [
+			"anyOf": [
 				{
 					"type": "string",
 					"minLength": 1
--- a/backend/setup.js
+++ b/backend/setup.js
@ -1,4 +1,3 @@
 const config = require('./lib/config');
 const logger = require('./logger').setup;
 const certificateModel = require('./models/certificate');
 const userModel = require('./models/user');
@ -64,8 +63,6 @@ const setupDefaultUser = () => {
 					.then(() => {
 						logger.info('Initial admin setup completed');
 					});
 			} else if (config.debug()) {
 				logger.info('Admin user setup not required');
 			}
 		});
 };
@ -96,9 +93,6 @@ const setupDefaultSettings = () => {
 						logger.info('Default settings added');
 					});
 			}
 			if (config.debug()) {
 				logger.info('Default setting setup not required');
 			}
 		});
 };
--- a/compose.yaml
+++ b/compose.yaml
@ -32,7 +32,7 @@ services:
 #      - "DISABLE_H3_QUIC=true" # disables nginx to listen on port 443 udp for default and your hosts, this will disable HTTP/3 and QUIC, default false
 #      - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
 #      - "NGINX_404_REDIRECT=true" # Redirect to / instead of showing a 404 error page, default false
-#      - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy-buffering option of nginx, default false
+#      - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec
 #      - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false
 #      - "CLEAN=false" # Clean folders, default true
 #      - "FULLCLEAN=true" # Clean unused config folders, default false
--- a/frontend/js/app/nginx/certificates/form.ejs
+++ b/frontend/js/app/nginx/certificates/form.ejs
@ -26,12 +26,14 @@
                            </div>
                        </div>
                    </div>
 		    <!---
                    <div class="col-sm-12 col-md-12">
                        <div class="form-group">
                            <label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
                            <input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required>
                        </div>
                    </div>
 		    --->
                    <!-- DNS challenge -->
                    <div class="col-sm-12 col-md-12">
@ -103,6 +105,7 @@
                            </div>
                            <!-- DNS propagation delay -->
 			    <!---
                            <div class="row">
                                <div class="col-sm-12 col-md-12">
                                    <div class="form-group mb-0">
@ -122,6 +125,7 @@
                                    </div>
                                </div>
                            </div>
 			    --->
                        </fieldset>
                    </div>
--- a/frontend/js/app/nginx/dead/form.ejs
+++ b/frontend/js/app/nginx/dead/form.ejs
@ -144,6 +144,7 @@
                                </div>
                                <!-- DNS propagation delay -->
 				<!---
                                <div class="row">
                                    <div class="col-sm-12 col-md-12">
                                        <div class="form-group mb-0">
@ -163,16 +164,19 @@
                                        </div>
                                    </div>
                                </div>
 				--->
                            </fieldset>
                        </div>
                        <!-- Lets encrypt -->
 			<!---
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
                                <input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
                            </div>
                        </div>
 			--->
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="custom-switch">
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@ -212,6 +212,7 @@
                                </div>
                                <!-- DNS propagation delay -->
 				<!---
                                <div class="row">
                                    <div class="col-sm-12 col-md-12">
                                        <div class="form-group mb-0">
@ -231,16 +232,19 @@
                                        </div>
                                    </div>
                                </div>
 				--->
                            </fieldset>
                        </div>
                        <!-- Lets encrypt -->
 			<!---
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
                                <input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
                            </div>
                        </div>
 			--->
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="custom-switch">
--- a/frontend/js/app/nginx/redirection/form.ejs
+++ b/frontend/js/app/nginx/redirection/form.ejs
@ -193,6 +193,7 @@
                                </div>
                                <!-- DNS propagation delay -->
 				<!---
                                <div class="row">
                                    <div class="col-sm-12 col-md-12">
                                        <div class="form-group mb-0">
@ -212,16 +213,19 @@
                                        </div>
                                    </div>
                                </div>
 				--->
                            </fieldset>
                        </div>
                        <!-- Lets encrypt -->
 			<!---
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
                                <input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
                            </div>
                        </div>
 			--->
                        <div class="col-sm-12 col-md-12 letsencrypt">
                            <div class="form-group">
                                <label class="custom-switch">
--- a/rootfs/etc/tls/certbot.ini
+++ b/rootfs/etc/tls/certbot.ini
@ -1,20 +1,6 @@
-agree-tos = true
+new-key = true
 non-interactive = true
 webroot-path = /tmp/acme-challenge
 new-key= true
 key-type = ecdsa
 must-staple = true
 no-reuse-key = true
 rsa-key-size = 4096
 elliptic-curve = secp384r1
 #server = https://acme-v02.api.letsencrypt.org/directory
 #server = https://acme.zerossl.com/v2/DV90
 #eab-kid = somestringofstuffwithoutquotes
 #eab-hmac-key = yaddayaddahexhexnotquoted
 #server = https://dv.acme-v02.api.pki.goog/directory
 #eab-kid = somestringofstuffwithoutquotes
 #eab-hmac-key = yaddayaddahexhexnotquoted
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@ -20,7 +20,22 @@ touch /data/.env
 if [ -n "$NPM_CERT_ID" ]; then
-    echo "NPM_CERT_ID is replaced by DEFAULT_CERT_ID, please change it to DEFAULT_CERT_ID"
+    echo "NPM_CERT_ID env is replaced by DEFAULT_CERT_ID, please change it to DEFAULT_CERT_ID"
    sleep inf
 fi
 if [ -n "$LE_SERVER" ]; then
    echo "LE_SERVER env is replaced by ACME_SERVER, please change it to ACME_SERVER"
    sleep inf
 fi
 if [ -n "$DEBUG" ]; then
    echo "DEBUG env is unsopported."
    sleep inf
 fi
 if [ -n "$LE_STAGING" ]; then
    echo "LE_STAGING env is unsopported, please use ACME_SERVER."
    sleep inf
 fi
@ -713,8 +728,10 @@ fi
 if [ "$NGINX_DISABLE_PROXY_BUFFERING" = "true" ]; then
    sed -i "s|proxy_buffering.*|proxy_buffering off;|g" /usr/local/nginx/conf/nginx.conf
    sed -i "s|proxy_request_buffering.*|proxy_request_buffering off;|g" /usr/local/nginx/conf/nginx.conf
 else
    sed -i "s|proxy_buffering.*|proxy_buffering on;|g" /usr/local/nginx/conf/nginx.conf
    sed -i "s|proxy_request_buffering.*|proxy_request_buffering on;|g" /usr/local/nginx/conf/nginx.conf
 fi
 if [ "$LOGROTATE" = "true" ]; then
@ -725,10 +742,9 @@ else
    sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf
 fi
-if [ ! -s /data/tls/certbot/config.ini ]; then
+if [ -s /data/tls/certbot/config.ini ]; then
-    cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
+    echo "tls/certbot/config.ini is now unsupported, to remove this warning, just delete the file - some options are replaced by env."
 fi
 cp -a /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
 if [ ! -s /data/etc/crowdsec/ban.html ]; then
    cp -van /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf
@ -9,7 +9,7 @@ ssl_session_cache shared:SSL:10m;
 ssl_dhparam /etc/tls/dhparam;
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ecdh_curve p384_mlkem768:X25519MLKEM768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
+ssl_ecdh_curve X25519MLKEM768:x25519_kyber768:x25519:x448:secp521r1:secp384r1:secp256r1;
 ssl_prefer_server_ciphers on;
 ssl_conf_command Options PrioritizeChaCha;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@ -9,7 +9,7 @@ ssl_session_cache shared:SSL:10m;
 ssl_dhparam /etc/tls/dhparam;
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ecdh_curve p384_mlkem768:X25519MLKEM768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
+ssl_ecdh_curve X25519MLKEM768:x25519_kyber768:x25519:x448:secp521r1:secp384r1:secp256r1;
 ssl_prefer_server_ciphers on;
 ssl_conf_command Options PrioritizeChaCha;
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@ -48,6 +48,8 @@ http {
    gzip_static on;
    proxy_buffering on;
    proxy_request_buffering on;
    proxy_buffer_size 16k;
    proxy_busy_buffers_size 24k;
    proxy_buffers 64 4k;
--- a/scripts/cypress-dev
+++ b/scripts/cypress-dev
@ -1,13 +0,0 @@
 #!/bin/bash -e
 DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 . "$DIR/.common.sh"
 # Ensure docker-compose exists
 if hash docker-compose 2>/dev/null; then
 	cd "${DIR}/.."
 	rm -rf "$DIR/../test/results"
 	docker-compose up --build cypress
 else
 	echo -e "${RED}❯ docker-compose command is not available${RESET}"
 fi
--- a/test/cypress/e2e/api/FullCertProvision.cy.js
+++ b/test/cypress/e2e/api/FullCertProvision.cy.js
@ -1,61 +0,0 @@
 /// <reference types="cypress" />
 describe('Full Certificate Provisions', () => {
 	let token;
 	before(() => {
 		cy.getToken().then((tok) => {
 			token = tok;
 		});
 	});
 	it.only('Should be able to create new http certificate', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/certificates',
 			data:  {
 				domain_names: [
 					'website1.example.com'
 				],
 				meta: {
 					letsencrypt_email: 'admin@example.com',
 					letsencrypt_agree: true,
 					dns_challenge: false
 				},
 				provider: 'letsencrypt'
 			}
 		}).then((data) => {
 			cy.validateSwaggerSchema('post', 201, '/nginx/certificates', data);
 			expect(data).to.have.property('id');
 			expect(data.id).to.be.greaterThan(0);
 			expect(data.provider).to.be.equal('letsencrypt');
 		});
 	});
 	it('Should be able to create new DNS certificate with Powerdns', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/certificates',
 			data:  {
 				domain_names: [
 					'website2.example.com'
 				],
 				meta: {
 					letsencrypt_email: "admin@example.com",
 					dns_challenge: true,
 					dns_provider: 'powerdns',
 					dns_provider_credentials: 'dns_powerdns_api_url = http://ns1.pdns:8081\r\ndns_powerdns_api_key = npm',
 					letsencrypt_agree: true
 				},
 				provider: 'letsencrypt'
 			}
 		}).then((data) => {
 			cy.validateSwaggerSchema('post', 201, '/nginx/certificates', data);
 			expect(data).to.have.property('id');
 			expect(data.id).to.be.greaterThan(0);
 			expect(data.provider).to.be.equal('letsencrypt');
 			expect(data.meta.dns_provider).to.be.equal('powerdns');
 		});
 	});
 });