Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

changes on custom acme server/change compression mime types

Browse source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey 2024-10-19 18:49:52 +02:00
parent 7c92e832cf
commit 927d5ca5cb
No known key found for this signature in database
GPG key ID: 02A3919EB4F67328
28 changed files with 323 additions and 514 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
Dockerfile
View file

@ -57,6 +57,7 @@ RUN apk upgrade --no-cache -a && \
mv crowdsec-nginx-bouncer-* crowdsec-nginx-bouncer && \ mv crowdsec-nginx-bouncer-* crowdsec-nginx-bouncer && \
sed -i "/lua_package_path/d" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \ sed -i "/lua_package_path/d" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \ sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
sed -i "s|crowdsec-nginx-bouncer|crowdsec-npmplus-bouncer|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
sed -i "s|API_KEY=.*|API_KEY=|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|API_KEY=.*|API_KEY=|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|ENABLED=.*|ENABLED=false|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|ENABLED=.*|ENABLED=false|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
@ -70,10 +71,10 @@ RUN apk upgrade --no-cache -a && \
sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:347-python FROM zoeyvid/nginx-quic:349-python
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs / COPY rootfs /
COPY --from=zoeyvid/certbot-docker:58 /usr/local /usr/local COPY --from=zoeyvid/certbot-docker:59 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:420 /usr/local/bin/curl /usr/local/bin/curl COPY --from=zoeyvid/curl-quic:420 /usr/local/bin/curl /usr/local/bin/curl
ARG CRS_VER=v4.7.0 ARG CRS_VER=v4.7.0
@ -81,7 +82,7 @@ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \ apk add --no-cache ca-certificates tzdata tini \
nodejs \ nodejs \
bash nano \ bash nano \
logrotate apache2-utils \ logrotate \
lua5.1-lzlib lua5.1-socket \ lua5.1-lzlib lua5.1-socket \
coreutils grep findutils jq shadow su-exec \ coreutils grep findutils jq shadow su-exec \
luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \ luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \
@ -123,7 +124,8 @@ ENV NODE_ENV=production \
# until https://github.com/certbot/certbot/issues/9967 is closed # until https://github.com/certbot/certbot/issues/9967 is closed
ENV PYTHONWARNINGS=ignore ENV PYTHONWARNINGS=ignore
ENV PUID=0 \ ENV ACME_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
PUID=0 \
PGID=0 \ PGID=0 \
NIBEP=48693 \ NIBEP=48693 \
GOAIWSP=48683 \ GOAIWSP=48683 \

55
README.md
View file

@ -20,7 +20,6 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br> **Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
**Note: Other Databases like MariaDB may work, but are unsupported.** <br> **Note: Other Databases like MariaDB may work, but are unsupported.** <br>
**Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br> **Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br>
**Note: if you remove a cert, which is still used by a host, NPM/NPMplus will crash.** <br>
## Project Goal ## Project Goal
@ -97,6 +96,28 @@ so that the barrier for entry here is low.
- if you have a healthcheck defined in your compose yaml file, remove it - this fork defines its own healthcheck in the Dockerfile, so you don't need to have it in compose anymore - if you have a healthcheck defined in your compose yaml file, remove it - this fork defines its own healthcheck in the Dockerfile, so you don't need to have it in compose anymore
- please report all migration issues you have - please report all migration issues you have
# Quick Setup
1. Install Docker and Docker Compose (or portainer)
- [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):
3. Bring up your stack by running (or deploy your portainer stack)
```bash
docker compose up -d
```
4. Log in to the Admin UI
When your docker container is running, connect to it on port `81` for the admin interface.
Sometimes this can take a little bit because of the entropy of keys.
You may need to open port 81 in your firewall.
You may need to use another IP-Address.
[https://127.0.0.1:81](https://127.0.0.1:81)
Default Admin User:
```
Email: admin@example.org
Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi
```
Immediately after logging in with this default user you will be asked to modify your details and change your password.
# Crowdsec # Crowdsec
1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml and enable LOGROTATE 1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml and enable LOGROTATE
2. open `/opt/crowdsec/conf/acquis.d/npmplus.yaml` and fill it with: 2. open `/opt/crowdsec/conf/acquis.d/npmplus.yaml` and fill it with:
@ -175,34 +196,6 @@ location / {
} }
``` ```
# custom acme server
1. Open this file: `nano` `/opt/npm/ssl/certbot/config.ini`
2. uncomment the server line and change it to your acme server
3. maybe set eab keys
4. create your cert using the npm web ui
# Quick Setup
1. Install Docker and Docker Compose (or portainer)
- [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):
3. Bring up your stack by running (or deploy your portainer stack)
```bash
docker compose up -d
```
4. Log in to the Admin UI
When your docker container is running, connect to it on port `81` for the admin interface.
Sometimes this can take a little bit because of the entropy of keys.
You may need to open port 81 in your firewall.
You may need to use another IP-Address.
[https://127.0.0.1:81](https://127.0.0.1:81)
Default Admin User:
```
Email: admin@example.org
Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi
```
Immediately after logging in with this default user you will be asked to modify your details and change your password.
### prerun scripts (EXPERT option) - if you don't know what this is, ignore it ### prerun scripts (EXPERT option) - if you don't know what this is, ignore it
run order: entrypoint.sh (prerun scripts) => start.sh => launch.sh <br> run order: entrypoint.sh (prerun scripts) => start.sh => launch.sh <br>
if you need to run scripts before NPMplus launches put them under: `/opt/npm/etc/prerun/*.sh` (please add `#!/bin/sh` / `#!/bin/bash` to the top of the script) <br> if you need to run scripts before NPMplus launches put them under: `/opt/npm/etc/prerun/*.sh` (please add `#!/bin/sh` / `#!/bin/bash` to the top of the script) <br>
@ -221,6 +214,4 @@ If you want to sponsor them, please see [here](https://github.com/NginxProxyMana
## Getting Support ## Getting Support
1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues) 1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues)
2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions) 2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions)
<!--- 3. [Reddit](https://reddit.com/r/NPMplus)
3. [Reddit](https://reddit.com/r/nginxproxymanager)
--->

15
backend/internal/access-list.js
View file

@ -1,5 +1,6 @@
const _ = require('lodash'); const _ = require('lodash');
const fs = require('fs'); const fs = require('fs');
const md5 = require('apache-md5');
const batchflow = require('batchflow'); const batchflow = require('batchflow');
const logger = require('../logger').access; const logger = require('../logger').access;
const error = require('../lib/error'); const error = require('../lib/error');
@ -483,15 +484,17 @@ const internalAccessList = {
if (typeof item.password !== 'undefined' && item.password.length) { if (typeof item.password !== 'undefined' && item.password.length) {
logger.info('Adding: ' + item.username); logger.info('Adding: ' + item.username);
utils try {
.execFile('htpasswd', ['-b', htpasswd_file, item.username, item.password]) const hashedPassword = md5(item.password);
.then((/* result */) => { fs.appendFileSync(htpasswd_file, `${item.username}:${hashedPassword}\n`, { encoding: 'utf8' });
next(); next();
}) } catch (err) {
.catch((err) => {
logger.error(err); logger.error(err);
next(err); next(err);
}); }
} else {
// Proceed to next if no password
next();
} }
}) })
.error((err) => { .error((err) => {

114
backend/internal/certificate.js
View file

@ -15,7 +15,8 @@ const dnsPlugins = require('../certbot-dns-plugins.json');
const internalAuditLog = require('./audit-log'); const internalAuditLog = require('./audit-log');
const internalNginx = require('./nginx'); const internalNginx = require('./nginx');
const certbotCommand = 'certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot --agree-tos -non-interactive --config /etc/tls/certbot.ini'; const certbotCommand = 'certbot';
const certbotArgs = ['--logs-dir', '/tmp/certbot-log', '--work-dir', '/tmp/certbot-work', '--config-dir', '/data/tls/certbot', '--config', '/etc/tls/certbot.ini', '--agree-tos', '--non-interactive', '--no-eff-email', '--register-unsafely-without-email'];
function omissions() { function omissions() {
return ['is_deleted', 'owner.is_deleted']; return ['is_deleted', 'owner.is_deleted'];
@ -40,10 +41,8 @@ const internalCertificate = {
internalCertificate.intervalProcessing = true; internalCertificate.intervalProcessing = true;
logger.info('Renewing TLS certs close to expiry...'); logger.info('Renewing TLS certs close to expiry...');
const cmd = '${certbotCommand} renew --quiet';
return utils return utils
.exec(cmd) .execFile(certbotCommand, [...certbotArgs, 'renew', '--quiet', '--no-random-sleep-on-renew'])
.then((result) => { .then((result) => {
if (result) { if (result) {
logger.info('Renew Result: ' + result); logger.info('Renew Result: ' + result);
@ -498,7 +497,6 @@ const internalCertificate = {
* @param {Object} data * @param {Object} data
* @param {Array} data.domain_names * @param {Array} data.domain_names
* @param {String} data.meta.letsencrypt_email * @param {String} data.meta.letsencrypt_email
* @param {Boolean} data.meta.letsencrypt_agree
* @returns {Promise} * @returns {Promise}
*/ */
createQuickCertificate: (access, data) => { createQuickCertificate: (access, data) => {
@ -619,7 +617,7 @@ const internalCertificate = {
reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.')); reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
}, 10000); }, 10000);
utils utils
.exec('openssl pkey -in ' + filepath + ' -check -noout 2>&1 ') .execFile('openssl', ['pkey', '-in', filepath, '-check', '-noout'])
.then((result) => { .then((result) => {
clearTimeout(failTimeout); clearTimeout(failTimeout);
if (!result.toLowerCase().includes('key is valid')) { if (!result.toLowerCase().includes('key is valid')) {
@ -670,7 +668,7 @@ const internalCertificate = {
const certData = {}; const certData = {};
return utils return utils
.exec('openssl x509 -in ' + certificate_file + ' -subject -noout') .execFile('openssl', ['x509', '-in', certificate_file, '-subject', '-noout'])
.then((result) => { .then((result) => {
const regex = /(?:subject=)?[^=]+=\s*(\S+)/gim; const regex = /(?:subject=)?[^=]+=\s*(\S+)/gim;
const match = regex.exec(result); const match = regex.exec(result);
@ -679,7 +677,7 @@ const internalCertificate = {
} }
}) })
.then(() => { .then(() => {
return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout'); return utils.execFile('openssl', ['x509', '-in', certificate_file, '-issuer', '-noout']);
}) })
.then((result) => { .then((result) => {
@ -690,7 +688,7 @@ const internalCertificate = {
} }
}) })
.then(() => { .then(() => {
return utils.exec('openssl x509 -in ' + certificate_file + ' -dates -noout'); return utils.execFile('openssl', ['x509', '-in', certificate_file, '-dates', '-noout']);
}) })
.then((result) => { .then((result) => {
// notBefore=Jul 14 04:04:29 2018 GMT // notBefore=Jul 14 04:04:29 2018 GMT
@ -763,11 +761,7 @@ const internalCertificate = {
requestCertbot: (certificate) => { requestCertbot: (certificate) => {
logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
let cmd = `${certbotCommand} certonly --cert-name "npm-${certificate.id}" --domains "${certificate.domain_names.join(',')}" --server "${process.env.ACME_SERVER}" --authenticator webroot --webroot-path "/tmp/acme-challenge"`; return utils.execFile(certbotCommand, [...certbotArgs, 'certonly', '--cert-name', `npm-${certificate.id}`, '--domains', `${certificate.domain_names.join(',')}`, '--server', `${process.env.ACME_SERVER}`, '--authenticator', 'webroot', '--webroot-path', '/tmp/acme-challenge']).then((result) => {
logger.info('Command:', cmd);
return utils.exec(cmd).then((result) => {
logger.success(result); logger.success(result);
return result; return result;
}); });
@ -792,12 +786,8 @@ const internalCertificate = {
fs.mkdirSync('/data/tls/certbot/credentials', { recursive: true }); fs.mkdirSync('/data/tls/certbot/credentials', { recursive: true });
fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 }); fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 });
let mainCmd = `${certbotCommand} certonly --cert-name "npm-${certificate.id}" --domains "${certificate.domain_names.join(',')}" --server "${process.env.ACME_SERVER}" --authenticator ${dnsPlugin.full_plugin_name} --${dnsPlugin.full_plugin_name}-credentials "${credentialsLocation}"`;
logger.info('Command:', mainCmd);
try { try {
const result = await utils.exec(mainCmd); const result = await utils.execFile(certbotCommand, [...certbotArgs, 'certonly', '--cert-name', `npm-${certificate.id}`, '--domains', `${certificate.domain_names.join(',')}`, '--server', `${process.env.ACME_SERVER}`, '--authenticator', dnsPlugin.full_plugin_name, `--${dnsPlugin.full_plugin_name}-credentials`, credentialsLocation]);
logger.info(result); logger.info(result);
return result; return result;
} catch (err) { } catch (err) {
@ -857,18 +847,10 @@ const internalCertificate = {
renewCertbot: async (certificate) => { renewCertbot: async (certificate) => {
logger.info(`Renewing Certbot certificates for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); logger.info(`Renewing Certbot certificates for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const cmdr = `${certbotCommand} revoke --cert-path "/data/tls/certbot/live/npm-${certificate.id}/fullchain.pem" --cert-path "/data/tls/certbot/live/npm-${certificate.id}/privkey.pem" --no-delete-after-revoke`; const revokeResult = await utils.execFile(certbotCommand, [...certbotArgs, 'revoke', '--cert-name', `npm-${certificate.id}`, '--no-delete-after-revoke']);
logger.info('Command:', cmdr);
const revokeResult = await utils.exec(cmdr);
logger.info(revokeResult); logger.info(revokeResult);
const cmd = `${certbotCommand} renew --force-renewal --cert-name "npm-${certificate.id}"`; const renewResult = await utils.execFile(certbotCommand, [...certbotArgs, 'renew', '--force-renewal', '--cert-name', `npm-${certificate.id}`, '--no-random-sleep-on-renew']);
logger.info('Command:', cmd);
const renewResult = await utils.exec(cmd);
logger.info(renewResult); logger.info(renewResult);
return renewResult; return renewResult;
@ -887,18 +869,10 @@ const internalCertificate = {
logger.info(`Renewing Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); logger.info(`Renewing Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const cmdr = `${certbotCommand} revoke --cert-path "/data/tls/certbot/live/npm-${certificate.id}/fullchain.pem" --cert-path "/data/tls/certbot/live/npm-${certificate.id}/privkey.pem" --no-delete-after-revoke`; const revokeResult = await utils.execFile(certbotCommand, [...certbotArgs, 'revoke', '--cert-name', `npm-${certificate.id}`, '--no-delete-after-revoke']);
logger.info('Command:', cmdr);
const revokeResult = await utils.exec(cmdr);
logger.info(revokeResult); logger.info(revokeResult);
const cmd = `${certbotCommand} renew --force-renewal --cert-name "npm-${certificate.id}"`; const renewResult = await utils.execFile(certbotCommand, [...certbotArgs, 'renew', '--force-renewal', '--cert-name', `npm-${certificate.id}`, '--no-random-sleep-on-renew']);
logger.info('Command:', cmd);
const renewResult = await utils.exec(cmd);
logger.info(renewResult); logger.info(renewResult);
return renewResult; return renewResult;
@ -912,10 +886,8 @@ const internalCertificate = {
revokeCertbot: (certificate, throw_errors) => { revokeCertbot: (certificate, throw_errors) => {
logger.info('Revoking Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Revoking Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const mainCmd = `${certbotCommand} revoke --cert-path "/data/tls/certbot/live/npm-${certificate.id}/fullchain.pem" --cert-path "/data/tls/certbot/live/npm-${certificate.id}/privkey.pem" --no-delete-after-revoke`;
return utils return utils
.exec(mainCmd) .execFile(certbotCommand, [...certbotArgs, 'revoke', '--cert-name', `npm-${certificate.id}`, '--no-delete-after-revoke'])
.then(async (result) => { .then(async (result) => {
fs.rm('/data/tls/certbot/credentials/credentials-' + certificate.id, { force: true }, (err) => { fs.rm('/data/tls/certbot/credentials/credentials-' + certificate.id, { force: true }, (err) => {
if (err) { if (err) {
@ -939,64 +911,6 @@ const internalCertificate = {
}); });
}, },
/**
* @param {Object} in_use_result
* @param {Number} in_use_result.total_count
* @param {Array} in_use_result.proxy_hosts
* @param {Array} in_use_result.redirection_hosts
* @param {Array} in_use_result.dead_hosts
*/
disableInUseHosts: (in_use_result) => {
if (in_use_result.total_count) {
const promises = [];
if (in_use_result.proxy_hosts.length) {
promises.push(internalNginx.bulkDeleteConfigs('proxy_host', in_use_result.proxy_hosts));
}
if (in_use_result.redirection_hosts.length) {
promises.push(internalNginx.bulkDeleteConfigs('redirection_host', in_use_result.redirection_hosts));
}
if (in_use_result.dead_hosts.length) {
promises.push(internalNginx.bulkDeleteConfigs('dead_host', in_use_result.dead_hosts));
}
return Promise.all(promises);
} else {
return Promise.resolve();
}
},
/**
* @param {Object} in_use_result
* @param {Number} in_use_result.total_count
* @param {Array} in_use_result.proxy_hosts
* @param {Array} in_use_result.redirection_hosts
* @param {Array} in_use_result.dead_hosts
*/
enableInUseHosts: (in_use_result) => {
if (in_use_result.total_count) {
const promises = [];
if (in_use_result.proxy_hosts.length) {
promises.push(internalNginx.bulkGenerateConfigs('proxy_host', in_use_result.proxy_hosts));
}
if (in_use_result.redirection_hosts.length) {
promises.push(internalNginx.bulkGenerateConfigs('redirection_host', in_use_result.redirection_hosts));
}
if (in_use_result.dead_hosts.length) {
promises.push(internalNginx.bulkGenerateConfigs('dead_host', in_use_result.dead_hosts));
}
return Promise.all(promises);
} else {
return Promise.resolve();
}
},
testHttpsChallenge: async (access, domains) => { testHttpsChallenge: async (access, domains) => {
await access.can('certificates:list'); await access.can('certificates:list');

40
backend/internal/nginx.js
View file

@ -79,7 +79,7 @@ const internalNginx = {
* @returns {Promise} * @returns {Promise}
*/ */
test: () => { test: () => {
return utils.exec('nginx -tq'); return utils.execFile('nginx', ['-tq']);
}, },
/** /**
@ -88,24 +88,20 @@ const internalNginx = {
reload: () => { reload: () => {
return internalNginx.test().then(() => { return internalNginx.test().then(() => {
try { return utils
utils.exec('certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --no-reload-webserver --quiet || true'); .execFile('certbot-ocsp-fetcher.sh', ['-c', '/data/tls/certbot', '-o', '/data/tls/certbot/live', '--no-reload-webserver', '--quiet'])
} catch { .then(() => {
// do nothing if (fs.existsSync('/usr/local/nginx/logs/nginx.pid') && fs.readFileSync('/usr/local/nginx/logs/nginx.pid', 'utf8').trim().length > 0) {
}
if (fs.existsSync('/usr/local/nginx/logs/nginx.pid')) {
const ngxPID = fs.readFileSync('/usr/local/nginx/logs/nginx.pid', 'utf8').trim();
if (ngxPID.length > 0) {
logger.info('Reloading Nginx'); logger.info('Reloading Nginx');
utils.exec('nginx -s reload'); return utils.execFile('nginx', ['-s', 'reload']);
} else { } else {
logger.info('Starting Nginx'); logger.info('Starting Nginx');
utils.execfg('nginx -e stderr'); return utils.execfg('nginx', ['-e', 'stderr']);
}
} else {
logger.info('Starting Nginx');
utils.execfg('nginx -e stderr');
} }
})
.catch(() => {
/* do nothing */
});
}); });
}, },
@ -287,20 +283,6 @@ const internalNginx = {
return Promise.all(promises); return Promise.all(promises);
}, },
/**
* @param {String} host_type
* @param {Array} hosts
* @returns {Promise}
*/
bulkDeleteConfigs: (host_type, hosts) => {
const promises = [];
hosts.map(function (host) {
promises.push(internalNginx.deleteConfig(host_type, host));
});
return Promise.all(promises);
},
/** /**
* @param {string} config * @param {string} config
* @returns {boolean} * @returns {boolean}

3
backend/lib/certbot.js
View file

@ -59,9 +59,8 @@ const certbot = {
const plugin = dnsPlugins[pluginKey]; const plugin = dnsPlugins[pluginKey];
logger.start(`Installing ${pluginKey}...`); logger.start(`Installing ${pluginKey}...`);
const cmd = 'pip install --upgrade --no-cache-dir ' + plugin.package_name;
return utils return utils
.exec(cmd) .execFile('pip', ['install', '--upgrade', '--no-cache-dir', plugin.package_name])
.then((result) => { .then((result) => {
logger.complete(`Installed ${pluginKey}`); logger.complete(`Installed ${pluginKey}`);
return result; return result;

33
backend/lib/utils.js
View file

@ -1,41 +1,17 @@
const _ = require('lodash'); const _ = require('lodash');
const exec = require('child_process').exec;
const spawn = require('child_process').spawn; const spawn = require('child_process').spawn;
const execFile = require('child_process').execFile; const execFile = require('child_process').execFile;
const { Liquid } = require('liquidjs'); const { Liquid } = require('liquidjs');
const logger = require('../logger').global;
const error = require('./error'); const error = require('./error');
// const logger = require('../logger').global;
module.exports = { module.exports = {
/**
* @param {String} cmd
*/
exec: async function (cmd, options = {}) {
// logger.debug('CMD:', cmd);
const { stdout, stderr } = await new Promise((resolve, reject) => {
const child = exec(cmd, options, (isError, stdout, stderr) => {
if (isError) {
reject(new error.CommandError(stderr, isError));
} else {
resolve({ stdout, stderr });
}
});
child.on('error', (e) => {
reject(new error.CommandError(stderr, 1, e));
});
});
return stdout;
},
/** /**
* @param {String} cmd * @param {String} cmd
* @param {Array} args * @param {Array} args
*/ */
execFile: async function (cmd, args, options = {}) { execFile: async function (cmd, args, options = {}) {
// logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : '')); logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : ''));
const { stdout, stderr } = await new Promise((resolve, reject) => { const { stdout, stderr } = await new Promise((resolve, reject) => {
const child = execFile(cmd, args, options, (isError, stdout, stderr) => { const child = execFile(cmd, args, options, (isError, stdout, stderr) => {
if (isError) { if (isError) {
@ -54,10 +30,11 @@ module.exports = {
/** /**
* @param {String} cmd * @param {String} cmd
* @param {Array} args
*/ */
execfg: function (cmd) { execfg: function (cmd, args) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const childProcess = spawn(cmd, { const childProcess = spawn(cmd, args, {
shell: true, shell: true,
detached: true, detached: true,
stdio: 'inherit', stdio: 'inherit',

1
backend/package.json
View file

@ -5,6 +5,7 @@
"main": "index.js", "main": "index.js",
"dependencies": { "dependencies": {
"@apidevtools/json-schema-ref-parser": "11.7.2", "@apidevtools/json-schema-ref-parser": "11.7.2",
"apache-md5": "1.1.8",
"ajv": "8.17.1", "ajv": "8.17.1",
"archiver": "7.0.1", "archiver": "7.0.1",
"batchflow": "0.4.0", "batchflow": "0.4.0",

3
backend/schema/paths/nginx/access-lists/listID/put.json
View file

@ -49,8 +49,7 @@
"minLength": 1 "minLength": 1
}, },
"password": { "password": {
"type": "string", "type": "string"
"minLength": 1
} }
} }
} }

11
backend/setup.js
View file

@ -1,8 +1,8 @@
const fs = require('fs');
const logger = require('./logger').setup; const logger = require('./logger').setup;
const certificateModel = require('./models/certificate'); const certificateModel = require('./models/certificate');
const userModel = require('./models/user'); const userModel = require('./models/user');
const userPermissionModel = require('./models/user_permission'); const userPermissionModel = require('./models/user_permission');
const utils = require('./lib/utils');
const authModel = require('./models/auth'); const authModel = require('./models/auth');
const settingModel = require('./models/setting'); const settingModel = require('./models/setting');
const certbot = require('./lib/certbot'); const certbot = require('./lib/certbot');
@ -117,12 +117,9 @@ const setupCertbotPlugins = () => {
plugins.push(certificate.meta.dns_provider); plugins.push(certificate.meta.dns_provider);
} }
// Make sure credentials file exists const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
const credentials_loc = '/data/tls/certbot/credentials/credentials-' + certificate.id; fs.mkdirSync('/data/tls/certbot/credentials', { recursive: true });
// Escape single quotes and backslashes fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 });
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll("'", "\\'").replaceAll('\\', '\\\\');
const credentials_cmd = "[ -f '" + credentials_loc + "' ] || { mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo '" + escapedCredentials + "' > '" + credentials_loc + "' && chmod 600 '" + credentials_loc + "'; }";
promises.push(utils.exec(credentials_cmd));
} }
}); });

23
backend/templates/_access.conf
View file

@ -1,25 +1,24 @@
{% if access_list_id > 0 %} {%- if access_list_id > 0 %}
{% if access_list.items.length > 0 %} {%- if access_list.items.length > 0 %}
# Authorization # Authorization
auth_basic "Authorization required"; auth_basic "Authorization required";
auth_basic_user_file /data/etc/access/{{ access_list_id }}; auth_basic_user_file /data/etc/access/{{ access_list_id }};
{% if access_list.pass_auth == 0 %} {%- unless access_list.pass_auth %}
proxy_set_header Authorization ""; proxy_set_header Authorization "";
{% endif %} {%- endunless %}
{%- endif %}
{% endif %}
# Access Rules: {{ access_list.clients | size }} total # Access Rules: {{ access_list.clients | size }} total
{% for client in access_list.clients %} {%- for client in access_list.clients %}
{{client | nginxAccessRule}} {{client | nginxAccessRule}}
{% endfor %} {%- endfor %}
deny all; deny all;
# Access checks must... # Access checks must...
{% if access_list.satisfy_any == 1 %} {%- if access_list.satisfy_any %}
satisfy any; satisfy any;
{% else %} {%- else %}
satisfy all; satisfy all;
{% endif %} {%- endif %}
{% endif %} {%- endif %}

4
backend/templates/_brotli.conf
View file

@ -1,4 +1,4 @@
{% if http2_support == 1 or http2_support == true -%} {%- if http2_support %}
# Enable Brotli # Enable Brotli
include conf.d/include/brotli.conf; include conf.d/include/brotli.conf;
{% endif %} {%- endif %}

12
backend/templates/_certificates.conf
View file

@ -1,14 +1,14 @@
{% if certificate and certificate_id > 0 -%} {%- if certificate and certificate_id > 0 %}
{% if certificate.provider == "letsencrypt" %} {%- if certificate.provider == "letsencrypt" %}
# Certbot TLS # Certbot TLS
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_stapling_file /data/tls/certbot/live/npm-{{ certificate_id }}.der; ssl_stapling_file /data/tls/certbot/live/npm-{{ certificate_id }}.der;
{% else %} {%- else %}
# Custom TLS # Custom TLS
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers-no-stapling.conf;
ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
{% endif %} {%- endif %}
{% endif %} {%- endif %}

8
backend/templates/_forced_tls.conf
View file

@ -1,6 +1,6 @@
{% if certificate and certificate_id > 0 -%} {%- if certificate and certificate_id > 0 %}
{% if ssl_forced == 1 or ssl_forced == true %} {%- if ssl_forced %}
# Force TLS # Force TLS
include conf.d/include/force-tls.conf; include conf.d/include/force-tls.conf;
{% endif %} {%- endif %}
{% endif %} {%- endif %}

24
backend/templates/_hsts.conf
View file

@ -1,17 +1,17 @@
{% if certificate and certificate_id > 0 -%} {%- if certificate and certificate_id > 0 %}
{% if ssl_forced == 1 or ssl_forced == true %} {%- if ssl_forced %}
{% if hsts_enabled == 1 or hsts_enabled == true %} {%- if hsts_enabled %}
more_clear_headers "Expect-CT"; more_clear_headers "Expect-CT";
include conf.d/include/hsts.conf; include conf.d/include/hsts.conf;
{% endif %} {%- endif %}
{% endif %} {%- endif %}
{% endif %} {%- endif %}
{% unless certificate and certificate_id > 0 -%} {%- unless certificate and certificate_id > 0 %}
{% unless ssl_forced == 1 or ssl_forced == true %} {%- unless ssl_forced %}
{% unless hsts_enabled == 1 or hsts_enabled == true %} {%- unless hsts_enabled %}
more_clear_headers "Expect-CT"; more_clear_headers "Expect-CT";
more_clear_headers "Strict-Transport-Security"; more_clear_headers "Strict-Transport-Security";
{% endunless %} {%- endunless %}
{% endunless %} {%- endunless %}
{% endunless %} {%- endunless %}

10
backend/templates/_listen.conf
View file

@ -3,18 +3,18 @@
listen 80; listen 80;
listen [::]:80; listen [::]:80;
{% if certificate and certificate_id > 0 %} {%- if certificate and certificate_id > 0 %}
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
listen 443 quic; listen 443 quic;
listen [::]:443 quic; listen [::]:443 quic;
{% if hsts_subdomains == 1 or hsts_subdomains == true %} {%- if hsts_subdomains %}
more_set_headers 'Alt-Svc: h3=":443"; ma=86400'; more_set_headers 'Alt-Svc: h3=":443"; ma=86400';
{% else %} {%- else %}
more_clear_headers "Alt-Svc"; more_clear_headers "Alt-Svc";
http3 off; http3 off;
{% endif %} {%- endif %}
{% endif %} {%- endif %}
server_name {{ domain_names | join: " " }}; server_name {{ domain_names | join: " " }};

4
backend/templates/_location.conf
View file

@ -6,10 +6,10 @@ location {{ path }} {
set $forward_host "{{ forward_host }}"; set $forward_host "{{ forward_host }}";
set $forward_port {{ forward_port }}; set $forward_port {{ forward_port }};
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %} {%- if allow_websocket_upgrade %}
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
{% endif %} {%- endif %}
include conf.d/include/proxy-location.conf; include conf.d/include/proxy-location.conf;
proxy_set_header X-Forwarded-Host $host{{ path }}; proxy_set_header X-Forwarded-Host $host{{ path }};

22
backend/templates/dead_host.conf
View file

@ -1,27 +1,27 @@
{% include "_header_comment.conf" %} {%- include "_header_comment.conf" %}
{% if enabled == 1 or enabled == true %} {%- if enabled %}
server { server {
{% include "_listen.conf" %} {%- include "_listen.conf" %}
{% include "_certificates.conf" %} {%- include "_certificates.conf" %}
{% include "_hsts.conf" %} {%- include "_hsts.conf" %}
{% include "_forced_tls.conf" %} {%- include "_forced_tls.conf" %}
{% include "_brotli.conf" %} {%- include "_brotli.conf" %}
include conf.d/include/always.conf; include conf.d/include/always.conf;
{{ advanced_config }} {{ advanced_config }}
{% if use_default_location == 1 or use_default_location == true %} {%- if use_default_location %}
location / { location / {
include conf.d/include/always.conf; include conf.d/include/always.conf;
root /html/dead; root /html/dead;
try_files $uri /index.html; try_files $uri /index.html;
} }
{% endif %} {%- endif %}
# Custom # Custom
include /data/nginx/custom/server_dead.conf; include /data/nginx_custom/server_dead.conf;
} }
{% endif %} {%- endif %}

4
backend/templates/ip_ranges.conf
View file

@ -1,6 +1,6 @@
{% for range in ip_ranges %} {%- for range in ip_ranges %}
set_real_ip_from {{ range }}; set_real_ip_from {{ range }};
{% endfor %} {%- endfor %}
map $http_cf_connecting_ip $real_ip { map $http_cf_connecting_ip $real_ip {
"" $http_x_real_ip; "" $http_x_real_ip;

46
backend/templates/proxy_host.conf
View file

@ -1,55 +1,55 @@
{% include "_header_comment.conf" %} {%- include "_header_comment.conf" %}
{% if enabled == 1 or enabled == true %} {%- if enabled %}
server { server {
set $forward_scheme {{ forward_scheme }}; set $forward_scheme {{ forward_scheme }};
set $server "{{ forward_host }}"; set $server "{{ forward_host }}";
set $port {{ forward_port }}; set $port {{ forward_port }};
{% include "_listen.conf" %} {%- include "_listen.conf" %}
{% include "_certificates.conf" %} {%- include "_certificates.conf" %}
{% include "_hsts.conf" %} {%- include "_hsts.conf" %}
{% include "_forced_tls.conf" %} {%- include "_forced_tls.conf" %}
{% include "_brotli.conf" %} {%- include "_brotli.conf" %}
{% include "_access.conf" %} {%- include "_access.conf" %}
{% if block_exploits == 1 or block_exploits == true %} {%- if block_exploits %}
modsecurity on; modsecurity on;
{% if caching_enabled == 1 or caching_enabled == true -%} {%- if caching_enabled %}
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf; modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf;
{% else %} {%- else %}
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf; modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
{% endif %} {%- endif %}
{% endif %} {%- endif %}
include conf.d/include/always.conf; include conf.d/include/always.conf;
{% if access_list_id > 0 %} {%- if access_list_id > 0 %}
{% if access_list.items.length > 0 %} {%- if access_list.items.length > 0 %}
{{ access_list.passauth }} {{ access_list.passauth }}
{% endif %} {%- endif %}
{% endif %} {%- endif %}
{{ advanced_config }} {{ advanced_config }}
# custom locations # custom locations
{{ locations }} {{ locations }}
{% if use_default_location == 1 or use_default_location == true %} {%- if use_default_location %}
location / { location / {
include conf.d/include/always.conf; include conf.d/include/always.conf;
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %} {%- if allow_websocket_upgrade %}
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
{% endif %} {%- endif %}
# Proxy! # Proxy!
include conf.d/include/proxy.conf; include conf.d/include/proxy.conf;
} }
{% endif %} {%- endif %}
# Custom # Custom
include /data/nginx/custom/server_proxy.conf; include /data/nginx_custom/server_proxy.conf;
} }
{% endif %} {%- endif %}

28
backend/templates/redirection_host.conf
View file

@ -1,29 +1,29 @@
{% include "_header_comment.conf" %} {%- include "_header_comment.conf" %}
{% if enabled == 1 or enabled == true %} {%- if enabled %}
server { server {
{% include "_listen.conf" %} {%- include "_listen.conf" %}
{% include "_certificates.conf" %} {%- include "_certificates.conf" %}
{% include "_hsts.conf" %} {%- include "_hsts.conf" %}
{% include "_forced_tls.conf" %} {%- include "_forced_tls.conf" %}
{% include "_brotli.conf" %} {%- include "_brotli.conf" %}
include conf.d/include/always.conf; include conf.d/include/always.conf;
{{ advanced_config }} {{ advanced_config }}
{% if use_default_location == 1 or use_default_location == true %} {%- if use_default_location %}
location / { location / {
include conf.d/include/always.conf; include conf.d/include/always.conf;
{% if preserve_path == 1 or preserve_path == true %} {%- if preserve_path %}
return {{ forward_http_code }} {{ forward_scheme }}://{{ forward_domain_name }}$request_uri; return {{ forward_http_code }} {{ forward_scheme }}://{{ forward_domain_name }}$request_uri;
{% else %} {%- else %}
return {{ forward_http_code }} {{ forward_scheme }}://{{ forward_domain_name }}; return {{ forward_http_code }} {{ forward_scheme }}://{{ forward_domain_name }};
{% endif %} {%- endif %}
} }
{% endif %} {%- endif %}
# Custom # Custom
include /data/nginx/custom/server_redirect.conf; include /data/nginx_custom/server_redirect.conf;
} }
{% endif %} {%- endif %}

20
backend/templates/stream.conf
View file

@ -2,9 +2,9 @@
# {{ incoming_port }} TCP: {{ tcp_forwarding }} UDP: {{ udp_forwarding }} # {{ incoming_port }} TCP: {{ tcp_forwarding }} UDP: {{ udp_forwarding }}
# ------------------------------------------------------------ # ------------------------------------------------------------
{% if enabled == 1 or enabled == true %} {%- if enabled %}
{% if tcp_forwarding == 1 or tcp_forwarding == true -%} {%- if tcp_forwarding %}
server { server {
listen {{ incoming_port }}; listen {{ incoming_port }};
listen [::]:{{ incoming_port }}; listen [::]:{{ incoming_port }};
@ -12,21 +12,21 @@ server {
proxy_pass {{ forwarding_host }}:{{ forwarding_port }}; proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
# Custom # Custom
include /data/nginx/custom/server_stream.conf; include /data/nginx_custom/server_stream.conf;
include /data/nginx/custom/server_stream_tcp.conf; include /data/nginx_custom/server_stream_tcp.conf;
} }
{% endif %} {%- endif %}
{% if udp_forwarding == 1 or udp_forwarding == true %} {%- if udp_forwarding %}
server { server {
listen {{ incoming_port }} udp; listen {{ incoming_port }} udp;
listen [::]:{{ incoming_port }} udp; listen [::]:{{ incoming_port }} udp;
proxy_pass {{ forwarding_host }}:{{ forwarding_port }}; proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
# Custom # Custom
include /data/nginx/custom/server_stream.conf; include /data/nginx_custom/server_stream.conf;
include /data/nginx/custom/server_stream_udp.conf; include /data/nginx_custom/server_stream_udp.conf;
} }
{% endif %} {%- endif %}
{% endif %} {%- endif %}

8
compose.yaml
View file

@ -9,10 +9,14 @@ services:
# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php # - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork # - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
environment: environment:
- "TZ=Europe/Berlin" # set timezone, required - "TZ=your-timezone" # set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
- "ACME_EMAIL=your-email" # email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here
# - "ACME_SERVER=https://acme.zerossl.com/v2/DV90" # acme server to use for NEW certificates, default is (currently, may change later) set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
# - "ACME_EAB_KID=123456789abcdef" # Key Identifier for External Account Binding for the acme server
# - "ACME_EAB_HMAC_KEY=123456789abcdef" # HMAC key for External Account Binding for the acme server
# - "PUID=1000" # set group id, default 0 (root) # - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root), requires PUID # - "PGID=1000" # set user id, default 0 (root), requires PUID
# - "NIBEP=48694" # internal port of the NOMplus API, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host # - "NIBEP=48694" # internal port of the NPMplus API, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "GOAIWSP=48684" # internal port of goaccess, always bound to 127.0.0.1, default 48683, you need to change it, if you want to run multiple npm with goaccess instances in network mode host # - "GOAIWSP=48684" # internal port of goaccess, always bound to 127.0.0.1, default 48683, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host # - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host # - "NPM_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host

35
rootfs/usr/local/bin/launch.sh
View file

@ -36,6 +36,41 @@ if [ "$PHP83" = "true" ]; then
fi fi
fi fi
if [ "$(echo "$ACME_SERVER" | sed "s|^https\?://\([^/]\+\).*$|\1|g")" = "acme.zerossl.com" ] && [ -z "$ACME_EAB_KID" ] && [ -z "$ACME_EAB_HMAC_KEY" ]; then
if [ -z "$ACME_EMAIL" ]; then
echo "ACME_EMAIL is required to use zerossl. Either set it or use a different acme server like letsencrypt (ACME_SERVER: https://acme-v02.api.letsencrypt.org/directory)"
sleep inf
fi
ZS_EAB="$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ACME_EMAIL")"
export ZS_EAB
ACME_EAB_KID="$(echo "$ZS_EAB" | jq -r .eab_kid)"
export ACME_EAB_KID
ACME_EAB_HMAC_KEY="$(echo "$ZS_EAB" | jq -r .eab_hmac_key)"
export ACME_EAB_HMAC_KEY
fi
if [ ! -d /data/tls/certbot/accounts/"$(echo "$ACME_SERVER" | sed "s|^https\?://\([^/]\+\).*$|\1|g")" ]; then
if [ -z "$ACME_EMAIL" ]; then
if ! certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot --config /etc/tls/certbot.ini --agree-tos --non-interactive --no-eff-email \
register --server "$ACME_SERVER" --register-unsafely-without-email; then
sleep inf
fi
elif [ -n "$ACME_EMAIL" ] && [ -z "$ACME_EAB_KID" ] && [ -z "$ACME_EAB_HMAC_KEY" ]; then
if ! certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot --config /etc/tls/certbot.ini --agree-tos --non-interactive --no-eff-email \
register --server "$ACME_SERVER" --email "$ACME_EMAIL"; then
sleep inf
fi
elif [ -n "$ACME_EMAIL" ] && [ -n "$ACME_EAB_KID" ] && [ -n "$ACME_EAB_HMAC_KEY" ]; then
if ! certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot --config /etc/tls/certbot.ini --agree-tos --non-interactive --no-eff-email \
register --server "$ACME_SERVER" --eab-kid "$ACME_EAB_KID" --eab-hmac-key "$ACME_EAB_HMAC_KEY" --email "$ACME_EMAIL"; then
sleep inf
fi
fi
fi
if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi & if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi & if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi &
if [ "$LOGROTATE" = "true" ]; then while true; do logrotate --verbose --state /data/etc/logrotate.status /etc/logrotate; sleep 25h; done; fi & if [ "$LOGROTATE" = "true" ]; then while true; do logrotate --verbose --state /data/etc/logrotate.status /etc/logrotate; sleep 25h; done; fi &

148
rootfs/usr/local/bin/start.sh
View file

@ -40,13 +40,13 @@ if [ -n "$LE_STAGING" ]; then
fi fi
if [ -n "$PHP81" ]; then if [ -n "$PHP81" ]; then
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|fastcgi_pass php81;|fastcgi_pass php82;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|fastcgi_pass php81;|fastcgi_pass php82;|g" {} \;
echo "PHP81 was removed, please use PHP82 or PHP83" echo "PHP81 was removed, please use PHP82 or PHP83"
sleep inf sleep inf
fi fi
if [ -n "$PHP81_APKS" ]; then if [ -n "$PHP81_APKS" ]; then
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|fastcgi_pass php81;|fastcgi_pass php82;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|fastcgi_pass php81;|fastcgi_pass php82;|g" {} \;
echo "PHP81_APKS was removed, please use PHP82_APKS or PHP83_APKS" echo "PHP81_APKS was removed, please use PHP82_APKS or PHP83_APKS"
sleep inf sleep inf
fi fi
@ -58,6 +58,22 @@ if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z0-9_+-]\+/[A-Za-z0-9_+-]\+$";
fi fi
if ! echo "$ACME_SERVER" | grep -q "^https\?://.\+$"; then
echo "ACME_SERVER needs to start with http:// or https://"
sleep inf
fi
if [ -n "$ACME_EMAIL" ] && ! echo "$ACME_EMAIL" | grep -q "^.*@.*$"; then
echo "ACME_EMAIL needs to contains @."
sleep inf
fi
if { [ -n "$ACME_EAB_KID" ] || [ -n "$ACME_EAB_HMAC_KEY" ]; } && { [ -z "$ACME_EAB_KID" ] || [ -z "$ACME_EAB_HMAC_KEY" ] || [ -z "$ACME_EMAIL" ]; }; then
echo "You need to set ACME_EAB_KID, ACME_EAB_HMAC_KEY AND ACME_EMAIL (all are needed) or none of them or ONLY ACME_EMAIL."
sleep inf
fi
if ! echo "$PUID" | grep -q "^[0-9]\+$"; then if ! echo "$PUID" | grep -q "^[0-9]\+$"; then
echo "PUID needs to be a number." echo "PUID needs to be a number."
sleep inf sleep inf
@ -419,6 +435,10 @@ mkdir -p /tmp/acme-challenge \
/tmp/npmhome \ /tmp/npmhome \
/tmp/goa /tmp/goa
if [ -d /data/nginx/custom ]; then
mv -vn /data/nginx/custom /data/nginx_custom
fi
mkdir -vp /data/tls/certbot/credentials \ mkdir -vp /data/tls/certbot/credentials \
/data/tls/certbot/renewal \ /data/tls/certbot/renewal \
/data/tls/custom \ /data/tls/custom \
@ -432,7 +452,7 @@ mkdir -vp /data/tls/certbot/credentials \
/data/nginx/proxy_host \ /data/nginx/proxy_host \
/data/nginx/dead_host \ /data/nginx/dead_host \
/data/nginx/stream \ /data/nginx/stream \
/data/nginx/custom /data/nginx_custom
if [ -s /data/database.sqlite ] && [ "$DB_SQLITE_FILE" != "/data/database.sqlite" ]; then if [ -s /data/database.sqlite ] && [ "$DB_SQLITE_FILE" != "/data/database.sqlite" ]; then
mv -vn /data/database.sqlite "$DB_SQLITE_FILE" mv -vn /data/database.sqlite "$DB_SQLITE_FILE"
@ -458,8 +478,8 @@ if [ -s /data/nginx/dummykey.pem ]; then
mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem
fi fi
if [ -f /data/nginx/custom/root.conf ]; then if [ -f /data/nginx_custom/root.conf ]; then
mv -vn /data/nginx/custom/root.conf /data/nginx/custom/root_top.conf mv -vn /data/nginx_custom/root.conf /data/nginx_custom/root_top.conf
fi fi
if [ -n "$(ls -A /data/nginx/html 2> /dev/null)" ]; then if [ -n "$(ls -A /data/nginx/html 2> /dev/null)" ]; then
@ -548,60 +568,61 @@ fi
touch /tmp/ip_ranges.conf \ touch /tmp/ip_ranges.conf \
/data/etc/html/index.html \ /data/etc/html/index.html \
/data/nginx/custom/events.conf \ /data/nginx_custom/events.conf \
/data/nginx/custom/http.conf \ /data/nginx_custom/http.conf \
/data/nginx/custom/http_top.conf \ /data/nginx_custom/http_top.conf \
/data/nginx/custom/root_top.conf \ /data/nginx_custom/root_top.conf \
/data/nginx/custom/server_dead.conf \ /data/nginx_custom/server_dead.conf \
/data/nginx/custom/server_proxy.conf \ /data/nginx_custom/server_proxy.conf \
/data/nginx/custom/server_redirect.conf \ /data/nginx_custom/server_redirect.conf \
/data/nginx/custom/stream.conf \ /data/nginx_custom/stream.conf \
/data/nginx/custom/stream_top.conf \ /data/nginx_custom/stream_top.conf \
/data/nginx/custom/server_stream.conf \ /data/nginx_custom/server_stream.conf \
/data/nginx/custom/server_stream_tcp.conf \ /data/nginx_custom/server_stream_tcp.conf \
/data/nginx/custom/server_stream_udp.conf \ /data/nginx_custom/server_stream_udp.conf \
/data/etc/modsecurity/modsecurity-extra.conf /data/etc/modsecurity/modsecurity-extra.conf
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s| http2||g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|nginx/custom|nginx_custom|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s| http2||g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|quic reuseport;|quic;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|security_headers on;|include conf.d/include/hsts.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|quic reuseport;|quic;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|more_set_headers \"Alt-Svc: h3=':443'; ma=86400\";|more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|security_headers on;|include conf.d/include/hsts.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|more_set_headers \"Alt-Svc: h3=':443'; ma=86400\";|more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/nginx/access|/data/etc/access|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/access|/data/etc/access|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/data/ssl|/data/tls|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \;
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \;
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \;
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/block-exploits.conf/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/block-exploits.conf/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|/html/404|/html/dead|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/html/404|/html/dead|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/acme-challenge.conf;|include conf.d/include/always.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/acme-challenge.conf;|include conf.d/include/always.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/always.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/always.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/force-ssl.conf;|include conf.d/include/force-tls.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/force-ssl.conf;|include conf.d/include/force-tls.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/http3/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/http3/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/Asset Caching/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/Asset Caching/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/assets.conf/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/assets.conf/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/error_log/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/error_log/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/access_log/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/access_log/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/proxy_http_version/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/proxy_http_version/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \;
if [ -s /data/nginx/default.conf ]; then sed -i "/ssl_stapling/d" /data/nginx/default.conf; fi if [ -s /data/nginx/default.conf ]; then sed -i "/ssl_stapling/d" /data/nginx/default.conf; fi
if [ -s /data/nginx/default.conf ]; then sed -i "/ssl_stapling_verify/d" /data/nginx/default.conf; fi if [ -s /data/nginx/default.conf ]; then sed -i "/ssl_stapling_verify/d" /data/nginx/default.conf; fi
@ -642,7 +663,7 @@ sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /app/templates/default.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /app/templates/default.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9-]\+\)/listen $IPV4_BINDING:\2/g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9-]\+\)/listen $IPV4_BINDING:\2/g" {} \;
if [ "$DISABLE_IPV6" = "true" ]; then if [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s|ipv6=on;|ipv6=off;|g" /usr/local/nginx/conf/nginx.conf sed -i "s|ipv6=on;|ipv6=off;|g" /usr/local/nginx/conf/nginx.conf
@ -650,14 +671,14 @@ if [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /app/templates/default.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /app/templates/default.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9-]\+\)/#listen \[\1\]:\2/g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9-]\+\)/#listen \[\1\]:\2/g" {} \;
else else
sed -i "s|ipv6=off;|ipv6=on;|g" /usr/local/nginx/conf/nginx.conf sed -i "s|ipv6=off;|ipv6=on;|g" /usr/local/nginx/conf/nginx.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /app/templates/_listen.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /app/templates/_listen.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /app/templates/default.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /app/templates/default.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9-]\+\)/listen $IPV6_BINDING:\2/g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9-]\+\)/listen $IPV6_BINDING:\2/g" {} \;
fi fi
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
@ -686,12 +707,17 @@ if [ "$DISABLE_HTTP" = "true" ]; then
sed -i "s|#\?\(listen.*80\)|#\1|g" /app/templates/_listen.conf sed -i "s|#\?\(listen.*80\)|#\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(listen.*80\)|#\1|g" /app/templates/default.conf sed -i "s|#\?\(listen.*80\)|#\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
elif [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:80\)|\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:80\)|\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:80\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:80\)|\1|g" {} \;
else else
sed -i "s|#\?\(listen.*80\)|\1|g" /app/templates/_listen.conf sed -i "s|#\?\(listen.*80\)|\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(listen.*80\)|\1|g" /app/templates/default.conf sed -i "s|#\?\(listen.*80\)|\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
fi fi
if [ "$DISABLE_H3_QUIC" = "true" ]; then if [ "$DISABLE_H3_QUIC" = "true" ]; then
@ -701,8 +727,17 @@ if [ "$DISABLE_H3_QUIC" = "true" ]; then
sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" /app/templates/default.conf sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|#\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|#\1|g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*quic\)|#\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|#\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|#\1|g" {} \;
elif [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+.*quic\)|\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+.*quic\)|\1|g" /app/templates/default.conf
sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+.*quic\)|\1|g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen [0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+.*quic\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \;
else else
sed -i "s|#\?\(listen.*quic\)|\1|g" /app/templates/_listen.conf sed -i "s|#\?\(listen.*quic\)|\1|g" /app/templates/_listen.conf
sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/_listen.conf sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/_listen.conf
@ -710,8 +745,8 @@ else
sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/default.conf sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" /app/templates/default.conf
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|\1|g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \; find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(listen.*quic\)|\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*quic\)|\1|g" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(more_set_headers 'Alt-Svc: h3=\":443\"; ma=86400';\)|\1|g" {} \;
fi fi
if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
@ -948,11 +983,6 @@ if [ "$DISABLE_NGINX_BEAUTIFIER" = "false" ]; then
nginxbeautifier -s 4 -r /data/nginx nginxbeautifier -s 4 -r /data/nginx
fi fi
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|add_header alt-svc 'h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400';|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "s|add_header alt-svc 'h3=\":443\";|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ma=86400, h3-29=\":443\";/d" {} \;
#find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/^[[:space:]]*ma=86400';[[:space:]]*$/d" {} \;
rm -vf /usr/local/nginx/logs/nginx.pid rm -vf /usr/local/nginx/logs/nginx.pid
rm -vf /run/*.sock rm -vf /run/*.sock

2
rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf
View file

@ -1,4 +1,4 @@
brotli on; brotli on;
brotli_types *; brotli_types text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio;
brotli_comp_level 0; brotli_comp_level 0;
brotli_static on; brotli_static on;

14
rootfs/usr/local/nginx/conf/nginx.conf
View file

@ -6,11 +6,11 @@ worker_processes auto;
worker_cpu_affinity auto; worker_cpu_affinity auto;
# Custom # Custom
include /data/nginx/custom/root_top.conf; include /data/nginx_custom/root_top.conf;
events { events {
# Custom # Custom
include /data/nginx/custom/events.conf; include /data/nginx_custom/events.conf;
} }
http { http {
@ -40,7 +40,7 @@ http {
gzip on; gzip on;
gzip_vary on; gzip_vary on;
gzip_types *; gzip_types text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio;
gzip_proxied any; gzip_proxied any;
gzip_comp_level 1; gzip_comp_level 1;
gzip_http_version 1.0; gzip_http_version 1.0;
@ -132,7 +132,7 @@ http {
include conf.d/*.conf; include conf.d/*.conf;
# Custom # Custom
include /data/nginx/custom/http_top.conf; include /data/nginx_custom/http_top.conf;
# Files generated by NPM # Files generated by NPM
include /data/nginx/proxy_host/*.conf; include /data/nginx/proxy_host/*.conf;
@ -140,7 +140,7 @@ http {
include /data/nginx/dead_host/*.conf; include /data/nginx/dead_host/*.conf;
# Custom # Custom
include /data/nginx/custom/http.conf; include /data/nginx_custom/http.conf;
} }
stream { stream {
@ -149,11 +149,11 @@ stream {
resolver local=on valid=10s ipv6=on; resolver local=on valid=10s ipv6=on;
# Custom # Custom
include /data/nginx/custom/stream_top.conf; include /data/nginx_custom/stream_top.conf;
# Files generated by NPM # Files generated by NPM
include /data/nginx/stream/*.conf; include /data/nginx/stream/*.conf;
# Custom # Custom
include /data/nginx/custom/stream.conf; include /data/nginx_custom/stream.conf;
} }

124
test/cypress/e2e/api/Settings.cy.js
View file

@ -1,124 +0,0 @@
/// <reference types="cypress" />
describe('Settings endpoints', () => {
let token;
before(() => {
cy.getToken().then((tok) => {
token = tok;
});
});
it('Get all settings', function() {
cy.task('backendApiGet', {
token: token,
path: '/api/settings',
}).then((data) => {
cy.validateSwaggerSchema('get', 200, '/settings', data);
expect(data.length).to.be.greaterThan(0);
});
});
it('Get default-site setting', function() {
cy.task('backendApiGet', {
token: token,
path: '/api/settings/default-site',
}).then((data) => {
cy.validateSwaggerSchema('get', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
});
});
it('Default Site congratulations', function() {
cy.task('backendApiPut', {
token: token,
path: '/api/settings/default-site',
data: {
value: 'congratulations',
},
}).then((data) => {
cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
expect(data).to.have.property('value');
expect(data.value).to.be.equal('congratulations');
});
});
it('Default Site 404', function() {
cy.task('backendApiPut', {
token: token,
path: '/api/settings/default-site',
data: {
value: '404',
},
}).then((data) => {
cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
expect(data).to.have.property('value');
expect(data.value).to.be.equal('404');
});
});
it('Default Site 444', function() {
cy.task('backendApiPut', {
token: token,
path: '/api/settings/default-site',
data: {
value: '444',
},
}).then((data) => {
cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
expect(data).to.have.property('value');
expect(data.value).to.be.equal('444');
});
});
it('Default Site redirect', function() {
cy.task('backendApiPut', {
token: token,
path: '/api/settings/default-site',
data: {
value: 'redirect',
meta: {
redirect: 'https://www.google.com',
},
},
}).then((data) => {
cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
expect(data).to.have.property('value');
expect(data.value).to.be.equal('redirect');
expect(data).to.have.property('meta');
expect(data.meta).to.have.property('redirect');
expect(data.meta.redirect).to.be.equal('https://www.google.com');
});
});
it('Default Site html', function() {
cy.task('backendApiPut', {
token: token,
path: '/api/settings/default-site',
data: {
value: 'html',
meta: {
html: '<p>hello world</p>'
},
},
}).then((data) => {
cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
expect(data).to.have.property('id');
expect(data.id).to.be.equal('default-site');
expect(data).to.have.property('value');
expect(data.value).to.be.equal('html');
expect(data).to.have.property('meta');
expect(data.meta).to.have.property('html');
expect(data.meta.html).to.be.equal('<p>hello world</p>');
});
});
});