Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

close #782/update coreruleset/switch to freenginx/dep updates/remove aws cloudfront ips/block apache files

Browse source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
renovate[bot] 2024-04-19 21:24:37 +00:00 committed by Zoey
parent e5070f5972
commit 5e9619beef
No known key found for this signature in database
GPG key ID: 02A3919EB4F67328
7 changed files with 22 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Dockerfile
View file

@ -58,10 +58,10 @@ RUN apk upgrade --no-cache -a && \
echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:271 FROM zoeyvid/nginx-quic:python-275
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.1.0 ARG CRS_VER=v4.2.0
COPY rootfs / COPY rootfs /
COPY --from=zoeyvid/certbot-docker:34 /usr/local /usr/local COPY --from=zoeyvid/certbot-docker:34 /usr/local /usr/local

2
README.md
View file

@ -12,7 +12,7 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br> **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
---> --->
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br> **Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>
**Note: NO armv7 and route53 support.** <br> **Note: NO armv7, route53 and aws cloudfront ip ranges support.** <br>
**Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.** <br> **Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.** <br>
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).** <br> **Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).** <br>
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br> **Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br>

25
backend/internal/ip_ranges.js
View file

@ -5,7 +5,6 @@ const error = require('../lib/error');
const utils = require('../lib/utils'); const utils = require('../lib/utils');
const internalNginx = require('./nginx'); const internalNginx = require('./nginx');
const CLOUDFRONT_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json';
const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4'; const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4';
const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6'; const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6';
@ -57,29 +56,7 @@ const internalIpRanges = {
let ip_ranges = []; let ip_ranges = [];
return internalIpRanges return internalIpRanges
.fetchUrl(CLOUDFRONT_URL) .fetchUrl(CLOUDFARE_V4_URL)
.then((cloudfront_data) => {
const data = JSON.parse(cloudfront_data);
if (data && typeof data.prefixes !== 'undefined') {
data.prefixes.map((item) => {
if (item.service === 'CLOUDFRONT') {
ip_ranges.push(item.ip_prefix);
}
});
}
if (data && typeof data.ipv6_prefixes !== 'undefined') {
data.ipv6_prefixes.map((item) => {
if (item.service === 'CLOUDFRONT') {
ip_ranges.push(item.ipv6_prefix);
}
});
}
})
.then(() => {
return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL);
})
.then((cloudfare_data) => { .then((cloudfare_data) => {
const items = cloudfare_data.split('\n').filter((line) => regIpV4.test(line)); const items = cloudfare_data.split('\n').filter((line) => regIpV4.test(line));
ip_ranges = [...ip_ranges, ...items]; ip_ranges = [...ip_ranges, ...items];

8
backend/package.json
View file

@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints", "description": "A beautiful interface for creating Nginx endpoints",
"main": "index.js", "main": "index.js",
"dependencies": { "dependencies": {
"@apidevtools/json-schema-ref-parser": "11.5.5", "@apidevtools/json-schema-ref-parser": "11.6.1",
"ajv": "6.12.6", "ajv": "6.12.6",
"archiver": "7.0.1", "archiver": "7.0.1",
"batchflow": "0.4.0", "batchflow": "0.4.0",
@ -16,7 +16,7 @@
"gravatar": "1.8.2", "gravatar": "1.8.2",
"jsonwebtoken": "9.0.2", "jsonwebtoken": "9.0.2",
"knex": "3.1.0", "knex": "3.1.0",
"liquidjs": "10.11.0", "liquidjs": "10.11.1",
"lodash": "4.17.21", "lodash": "4.17.21",
"moment": "2.30.1", "moment": "2.30.1",
"mysql": "2.18.1", "mysql": "2.18.1",
@ -29,8 +29,8 @@
"author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>", "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"@eslint/js": "9.0.0", "@eslint/js": "9.1.1",
"eslint": "9.0.0", "eslint": "9.1.1",
"eslint-config-prettier": "9.1.0", "eslint-config-prettier": "9.1.0",
"eslint-plugin-prettier": "5.1.3", "eslint-plugin-prettier": "5.1.3",
"globals": "15.0.0", "globals": "15.0.0",

8
backend/templates/ip_ranges.conf
View file

@ -1,3 +1,11 @@
{% for range in ip_ranges %} {% for range in ip_ranges %}
set_real_ip_from {{ range }}; set_real_ip_from {{ range }};
{% endfor %} {% endfor %}
map $http_cf_connecting_ip $real_ip {
"" $http_x_real_ip;
default $http_cf_connecting_ip;
}
more_set_input_headers "X-IP: $real_ip";
real_ip_header X-IP;

2
renovate.json
View file

@ -2,7 +2,7 @@
"extends": [ "extends": [
"config:base" "config:base"
], ],
"baseBranches": [], "baseBranches": ["develop", "php"],
"includeForks": true, "includeForks": true,
"automerge": false, "automerge": false,
"branchPrefix": "renovate-deps-update-", "branchPrefix": "renovate-deps-update-",

4
rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
View file

@ -16,3 +16,7 @@ location = /nftd {
location /nftd/ { location /nftd/ {
alias /nftd/; alias /nftd/;
} }
location ~ /\.ht {
deny all;
}