prepare certbot changes/merge upstream

This commit is contained in:
Zoey 2024-10-19 18:21:10 +02:00
parent 1dbf57c2ba
commit 32fd41d82b
21 changed files with 73 additions and 171 deletions


@ -62,16 +62,19 @@ RUN apk upgrade --no-cache -a && \
sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
echo "APPSEC_URL=http://127.0.0.1:7422" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
sed -i "s|APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|APPSEC_FAILURE_ACTION=.*|APPSEC_FAILURE_ACTION=deny|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|REQUEST_TIMEOUT=.*|REQUEST_TIMEOUT=2500|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|APPSEC_CONNECT_TIMEOUT=.*|APPSEC_CONNECT_TIMEOUT=1000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|APPSEC_SEND_TIMEOUT=.*|APPSEC_SEND_TIMEOUT=30000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:347-python
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs /
COPY --from=zoeyvid/certbot-docker:58 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:419 /usr/local/bin/curl /usr/local/bin/curl
COPY --from=zoeyvid/curl-quic:420 /usr/local/bin/curl /usr/local/bin/curl
ARG CRS_VER=v4.7.0
RUN apk upgrade --no-cache -a && \
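Review bot: The `sed -i "s|APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|g"` style substitutions are silent no-ops when the key is absent from config_example.conf, whereas the `echo ... | tee -a` lines they replace appended the keys unconditionally; if upstream's example config does not ship `APPSEC_URL=` and `APPSEC_FAILURE_ACTION=` lines, AppSec stays unconfigured and the fail-closed `deny` is never applied. Sides are inferred from print order here, so this treats the tee lines as old and the sed lines as new. A presence check before the substitutions closes the gap, e.g. `grep -q '^APPSEC_URL=' /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf || echo 'APPSEC_URL=' >> /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \`, or assert the expected lines at the end of the RUN step with `grep -q '^APPSEC_FAILURE_ACTION=deny$' /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf` so the image build fails instead of the runtime policy silently differing. The RUN step continues outside the hunk.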


@ -2,7 +2,6 @@ const express = require('express');
const bodyParser = require('body-parser');
const fileUpload = require('express-fileupload');
const compression = require('compression');
const config = require('./lib/config');
const log = require('./logger').express;
/**
@ -24,11 +23,6 @@ app.disable('x-powered-by');
app.enable('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
app.enable('strict routing');
// pretty print JSON when not live
if (config.debug()) {
app.set('json spaces', 2);
}
// CORS for everything
app.use(require('./lib/express/cors'));
@ -65,7 +59,7 @@ app.use(function (err, req, res, next) {
},
};
if (config.debug() || (req.baseUrl + req.path).includes('nginx/certificates')) {
if ((req.baseUrl + req.path).includes('nginx/certificates')) {
payload.debug = {
stack: typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null,
previous: err.previous,
@ -74,9 +68,7 @@ app.use(function (err, req, res, next) {
// Not every error is worth logging - but this is good for now until it gets annoying.
if (typeof err.stack !== 'undefined' && err.stack) {
if (config.debug()) {
log.debug(err.stack);
} else if (typeof err.public === 'undefined' || !err.public) {
if (typeof err.public === 'undefined' || !err.public) {
log.warn(err.message);
}
}
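Review bot: With the debug gate removed at `if ((req.baseUrl + req.path).includes('nginx/certificates'))`, `payload.debug.stack` now sends a split server stack trace to every API client on certificate routes, while dropping the `log.debug(err.stack)` branch means the stack is no longer recorded server-side at all. If the UI only consumes `err.previous` (the certbot output), keep that and leave the stack out of the response: `payload.debug = { previous: err.previous };`. To retain the stack for operators, the remaining branch can log it instead of the message, `log.warn(err.stack);`, since the enclosing guard already checks that `err.stack` is set. The error handler `app.use(function (err, req, res, next)` starts outside the hunk.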


@ -794,7 +794,6 @@ const internalCertificate = {
let mainCmd = `${certbotCommand} certonly --cert-name "npm-${certificate.id}" --domains "${certificate.domain_names.join(',')}" --server "${process.env.ACME_SERVER}" --authenticator ${dnsPlugin.full_plugin_name} --${dnsPlugin.full_plugin_name}-credentials "${credentialsLocation}"`;
logger.info('Command:', mainCmd);
try {


@ -1,7 +1,6 @@
const _ = require('lodash');
const fs = require('fs');
const logger = require('../logger').nginx;
const config = require('../lib/config');
const utils = require('../lib/utils');
const error = require('../lib/error');
@ -49,8 +48,9 @@ const internalNginx = {
});
})
.catch((err) => {
// Handle testing failure
return utils.execfg('nginx -t || true').then(() => {
logger.error(err.message);
// config is bad, update meta and rename config
combined_meta = _.assign({}, host.meta, {
nginx_online: false,
nginx_err: err.message,
@ -66,7 +66,6 @@ const internalNginx = {
internalNginx.renameConfigAsError(host_type, host);
});
});
});
})
.then(() => {
return internalNginx.reload();
@ -80,10 +79,6 @@ const internalNginx = {
* @returns {Promise}
*/
test: () => {
if (config.debug()) {
logger.info('Testing Nginx configuration');
}
return utils.exec('nginx -tq');
},
@ -172,10 +167,6 @@ const internalNginx = {
generateConfig: (host_type, host) => {
const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);
if (config.debug()) {
logger.info('Generating ' + nice_host_type + ' Config:', JSON.stringify(host, null, 2));
}
const renderEngine = utils.getRenderEngine();
return new Promise((resolve, reject) => {
@ -217,29 +208,18 @@ const internalNginx = {
locationsPromise = Promise.resolve();
}
// Set the IPv6 setting for the host
host.ipv6 = internalNginx.ipv6Enabled();
locationsPromise.then(() => {
renderEngine
.parseAndRender(template, host)
.then((config_text) => {
fs.writeFileSync(filename, config_text, { encoding: 'utf8' });
if (config.debug()) {
logger.success('Wrote config:', filename, config_text);
}
// Restore locations array
host.locations = origLocations;
resolve(true);
})
.catch((err) => {
if (config.debug()) {
logger.warn('Could not write ' + filename + ':', err.message);
}
reject(new error.ConfigurationError(err.message));
});
});
@ -326,18 +306,6 @@ const internalNginx = {
advancedConfigHasDefaultLocation: function (cfg) {
return !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im);
},
/**
* @returns {boolean}
*/
ipv6Enabled: function () {
if (typeof process.env.DISABLE_IPV6 !== 'undefined') {
const disabled = process.env.DISABLE_IPV6.toLowerCase();
return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes');
}
return true;
},
};
module.exports = internalNginx;
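Review bot: In the `.catch((err) => {` at the end of `generateConfig`, removing the debug-only `logger.warn('Could not write ' + filename + ':', err.message)` leaves no record of which file failed, because the rejection carries only `err.message`; fold the path into the error, `reject(new error.ConfigurationError('Could not write ' + filename + ': ' + err.message));`. The same path also skips `host.locations = origLocations;`, so a failed render leaves the caller's host object with the mutated locations array (origLocations is assigned above the hunk). Separately, `host.ipv6 = internalNginx.ipv6Enabled();` is gone together with `ipv6Enabled`, so any template that still tests `ipv6` now sees undefined; confirm the templates were updated in the same merge. `generateConfig` begins, and its Promise body continues, outside the hunks.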


@ -9,7 +9,7 @@
"archiver": "7.0.1",
"batchflow": "0.4.0",
"bcrypt": "5.1.1",
"better-sqlite3": "11.3.0",
"better-sqlite3": "11.4.0",
"body-parser": "2.0.1",
"compression": "1.7.4",
"express": "4.21.1",
@ -17,7 +17,7 @@
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.1.0",
"liquidjs": "10.17.0",
"liquidjs": "10.18.0",
"lodash": "4.17.21",
"moment": "2.30.1",
"mysql2": "3.11.3",
@ -30,8 +30,8 @@
"license": "MIT",
"devDependencies": {
"@apidevtools/swagger-parser": "10.1.0",
"@eslint/js": "9.12.0",
"eslint": "9.12.0",
"@eslint/js": "9.13.0",
"eslint": "9.13.0",
"eslint-config-prettier": "9.1.0",
"eslint-plugin-prettier": "5.2.1",
"globals": "15.11.0",


@ -26,7 +26,7 @@
"domain_names": {
"description": "Domain Names separated by a comma",
"type": "array",
"maxItems": 100,
"maxItems": 99,
"uniqueItems": true,
"items": {
"type": "string",


@ -28,7 +28,7 @@
},
"forward_scheme": {
"type": "string",
"enum": ["http", "https"]
"enum": ["$scheme", "http", "https"]
},
"forward_domain_name": {
"description": "Domain Name",


@ -25,7 +25,7 @@
"value": {
"description": "Value in almost any form",
"example": "congratulations",
"oneOf": [
"anyOf": [
{
"type": "string",
"minLength": 1


@ -1,4 +1,3 @@
const config = require('./lib/config');
const logger = require('./logger').setup;
const certificateModel = require('./models/certificate');
const userModel = require('./models/user');
@ -64,8 +63,6 @@ const setupDefaultUser = () => {
.then(() => {
logger.info('Initial admin setup completed');
});
} else if (config.debug()) {
logger.info('Admin user setup not required');
}
});
};
@ -96,9 +93,6 @@ const setupDefaultSettings = () => {
logger.info('Default settings added');
});
}
if (config.debug()) {
logger.info('Default setting setup not required');
}
});
};


@ -32,7 +32,7 @@ services:
# - "DISABLE_H3_QUIC=true" # disables nginx to listen on port 443 udp for default and your hosts, this will disable HTTP/3 and QUIC, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "NGINX_404_REDIRECT=true" # Redirect to / instead of showing a 404 error page, default false
# - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy-buffering option of nginx, default false
# - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec
# - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false


@ -26,12 +26,14 @@
</div>
</div>
</div>
<!---
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
<input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required>
</div>
</div>
--->
<!-- DNS challenge -->
<div class="col-sm-12 col-md-12">
@ -103,6 +105,7 @@
</div>
<!-- DNS propagation delay -->
<!---
<div class="row">
<div class="col-sm-12 col-md-12">
<div class="form-group mb-0">
@ -122,6 +125,7 @@
</div>
</div>
</div>
--->
</fieldset>
</div>
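Review bot: Wrapping the email and propagation-delay markup in `<!--- ... --->` only hides it from the browser; EJS still evaluates the tags inside, so `<%- getLetsencryptEmail() %>` keeps rendering the stored address into the served page as an HTML comment and the `i18n(...)` lookups still run on every render. Delete the blocks rather than commenting them out (an EJS `<%# %>` comment cannot wrap them because the inner `%>` would close it early). Since the `required` input `meta[letsencrypt_email]` is no longer posted, confirm the certificate API schema no longer requires it for the letsencrypt provider. The same pattern appears in the sections at `@ -144,6 +144,7 @@`, `@ -212,6 +212,7 @@` and `@ -193,6 +193,7 @@`.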


@ -144,6 +144,7 @@
</div>
<!-- DNS propagation delay -->
<!---
<div class="row">
<div class="col-sm-12 col-md-12">
<div class="form-group mb-0">
@ -163,16 +164,19 @@
</div>
</div>
</div>
--->
</fieldset>
</div>
<!-- Lets encrypt -->
<!---
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
<input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
</div>
</div>
--->
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="custom-switch">


@ -212,6 +212,7 @@
</div>
<!-- DNS propagation delay -->
<!---
<div class="row">
<div class="col-sm-12 col-md-12">
<div class="form-group mb-0">
@ -231,16 +232,19 @@
</div>
</div>
</div>
--->
</fieldset>
</div>
<!-- Lets encrypt -->
<!---
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
<input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
</div>
</div>
--->
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="custom-switch">


@ -193,6 +193,7 @@
</div>
<!-- DNS propagation delay -->
<!---
<div class="row">
<div class="col-sm-12 col-md-12">
<div class="form-group mb-0">
@ -212,16 +213,19 @@
</div>
</div>
</div>
--->
</fieldset>
</div>
<!-- Lets encrypt -->
<!---
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="form-label"><%- i18n('ssl', 'letsencrypt-email') %> <span class="form-required">*</span></label>
<input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required disabled>
</div>
</div>
--->
<div class="col-sm-12 col-md-12 letsencrypt">
<div class="form-group">
<label class="custom-switch">


@ -1,20 +1,6 @@
agree-tos = true
non-interactive = true
webroot-path = /tmp/acme-challenge
new-key = true
key-type = ecdsa
must-staple = true
no-reuse-key = true
rsa-key-size = 4096
elliptic-curve = secp384r1
#server = https://acme-v02.api.letsencrypt.org/directory
#server = https://acme.zerossl.com/v2/DV90
#eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted
#server = https://dv.acme-v02.api.pki.goog/directory
#eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted
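Review bot: If `key-type = ecdsa`, `elliptic-curve = secp384r1`, `must-staple = true` and `no-reuse-key = true` are among the fourteen lines dropped here (the rendered page does not show which side each line is on), the key and OCSP policy now rests entirely on whatever the env-driven certbot invocation passes, and nothing in the remaining file says so. Since start.sh now installs this file as `config.ini.example`, a comment line naming where those settings moved, e.g. `# key-type, elliptic-curve and must-staple are now set by the container; see start.sh`, would keep the example from suggesting options that are no longer honoured.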


@ -20,7 +20,22 @@ touch /data/.env
if [ -n "$NPM_CERT_ID" ]; then
echo "NPM_CERT_ID is replaced by DEFAULT_CERT_ID, please change it to DEFAULT_CERT_ID"
echo "NPM_CERT_ID env is replaced by DEFAULT_CERT_ID, please change it to DEFAULT_CERT_ID"
sleep inf
fi
if [ -n "$LE_SERVER" ]; then
echo "LE_SERVER env is replaced by ACME_SERVER, please change it to ACME_SERVER"
sleep inf
fi
if [ -n "$DEBUG" ]; then
echo "DEBUG env is unsopported."
sleep inf
fi
if [ -n "$LE_STAGING" ]; then
echo "LE_STAGING env is unsopported, please use ACME_SERVER."
sleep inf
fi
@ -713,8 +728,10 @@ fi
if [ "$NGINX_DISABLE_PROXY_BUFFERING" = "true" ]; then
sed -i "s|proxy_buffering.*|proxy_buffering off;|g" /usr/local/nginx/conf/nginx.conf
sed -i "s|proxy_request_buffering.*|proxy_request_buffering off;|g" /usr/local/nginx/conf/nginx.conf
else
sed -i "s|proxy_buffering.*|proxy_buffering on;|g" /usr/local/nginx/conf/nginx.conf
sed -i "s|proxy_request_buffering.*|proxy_request_buffering on;|g" /usr/local/nginx/conf/nginx.conf
fi
if [ "$LOGROTATE" = "true" ]; then
@ -725,10 +742,9 @@ else
sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf
fi
if [ ! -s /data/tls/certbot/config.ini ]; then
cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
if [ -s /data/tls/certbot/config.ini ]; then
echo "tls/certbot/config.ini is now unsupported, to remove this warning, just delete the file - some options are replaced by env."
fi
cp -a /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
if [ ! -s /data/etc/crowdsec/ban.html ]; then
cp -van /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
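Review bot: The new messages `echo "DEBUG env is unsopported."` and `echo "LE_STAGING env is unsopported, please use ACME_SERVER."` misspell "unsupported". The `[ -n "$DEBUG" ]` guard also halts the container with `sleep inf` for any value, including a `DEBUG=false` that earlier deployments may still carry; if that is intended, say so in the message, e.g. `echo "DEBUG env is unsupported, please remove it."`, otherwise test `[ "$DEBUG" = "true" ]`. The `config.ini` warning further down only prints, so a stale file silently remains next to the refreshed `config.ini.example`; that looks intended but deserves a line in the release note.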


@ -9,7 +9,7 @@ ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve p384_mlkem768:X25519MLKEM768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_ecdh_curve X25519MLKEM768:x25519_kyber768:x25519:x448:secp521r1:secp384r1:secp256r1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
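Review bot: Taking `ssl_ecdh_curve X25519MLKEM768:x25519_kyber768:x25519:x448:secp521r1:secp384r1:secp256r1;` as the new line, it keeps the pre-standard `x25519_kyber768` draft hybrid beside the final `X25519MLKEM768`; that is a compatibility choice, but every name in the list must be one the TLS library linked into the nginx-quic base image exposes, because a single unknown group makes `nginx -t` fail for every host. Verify the include with `nginx -t` against the bumped base image before release, and record the intent above the line, `# x25519_kyber768 is the pre-standard draft hybrid, kept for older clients`. The identical change is in the next section at `@ -9,7 +9,7 @@ ssl_session_cache shared:SSL:10m;`.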


@ -9,7 +9,7 @@ ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve p384_mlkem768:X25519MLKEM768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_ecdh_curve X25519MLKEM768:x25519_kyber768:x25519:x448:secp521r1:secp384r1:secp256r1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;


@ -48,6 +48,8 @@ http {
gzip_static on;
proxy_buffering on;
proxy_request_buffering on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;


@ -1,13 +0,0 @@
#!/bin/bash -e
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "$DIR/.common.sh"
# Ensure docker-compose exists
if hash docker-compose 2>/dev/null; then
cd "${DIR}/.."
rm -rf "$DIR/../test/results"
docker-compose up --build cypress
else
echo -e "${RED} docker-compose command is not available${RESET}"
fi


@ -1,61 +0,0 @@
/// <reference types="cypress" />
describe('Full Certificate Provisions', () => {
let token;
before(() => {
cy.getToken().then((tok) => {
token = tok;
});
});
it.only('Should be able to create new http certificate', function() {
cy.task('backendApiPost', {
token: token,
path: '/api/nginx/certificates',
data: {
domain_names: [
'website1.example.com'
],
meta: {
letsencrypt_email: 'admin@example.com',
letsencrypt_agree: true,
dns_challenge: false
},
provider: 'letsencrypt'
}
}).then((data) => {
cy.validateSwaggerSchema('post', 201, '/nginx/certificates', data);
expect(data).to.have.property('id');
expect(data.id).to.be.greaterThan(0);
expect(data.provider).to.be.equal('letsencrypt');
});
});
it('Should be able to create new DNS certificate with Powerdns', function() {
cy.task('backendApiPost', {
token: token,
path: '/api/certificates',
data: {
domain_names: [
'website2.example.com'
],
meta: {
letsencrypt_email: "admin@example.com",
dns_challenge: true,
dns_provider: 'powerdns',
dns_provider_credentials: 'dns_powerdns_api_url = http://ns1.pdns:8081\r\ndns_powerdns_api_key = npm',
letsencrypt_agree: true
},
provider: 'letsencrypt'
}
}).then((data) => {
cy.validateSwaggerSchema('post', 201, '/nginx/certificates', data);
expect(data).to.have.property('id');
expect(data.id).to.be.greaterThan(0);
expect(data.provider).to.be.equal('letsencrypt');
expect(data.meta.dns_provider).to.be.equal('powerdns');
});
});
});