Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fixes/dep updates/improved tls

Browse source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
renovate[bot] 2024-08-15 18:32:12 +00:00 committed by Zoey
parent a1f44c57d1
commit bb09562f89
No known key found for this signature in database
GPG key ID: 02A3919EB4F67328
36 changed files with 406 additions and 349 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/dependency-updates.yml vendored
View file

@ -25,7 +25,7 @@ jobs:
sed -i "s|ARG CSNB_VER=.*|ARG CSNB_VER=$CSNB_VER|" Dockerfile sed -i "s|ARG CSNB_VER=.*|ARG CSNB_VER=$CSNB_VER|" Dockerfile
echo "version=$CSNB_VER" >> $GITHUB_OUTPUT echo "version=$CSNB_VER" >> $GITHUB_OUTPUT
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
signoff: true signoff: true
delete-branch: true delete-branch: true
@ -51,7 +51,7 @@ jobs:
sed -i "s|ARG CRS_VER=.*|ARG CRS_VER=$CRS_VER|" Dockerfile sed -i "s|ARG CRS_VER=.*|ARG CRS_VER=$CRS_VER|" Dockerfile
echo "version=$CRS_VER" >> $GITHUB_OUTPUT echo "version=$CRS_VER" >> $GITHUB_OUTPUT
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
signoff: true signoff: true
delete-branch: true delete-branch: true

2
.github/workflows/update-and-lint.yml vendored
View file

@ -24,9 +24,7 @@ jobs:
- name: nginxbeautifier - name: nginxbeautifier
run: | run: |
yarn global add nginxbeautifier yarn global add nginxbeautifier
mv -v rootfs/usr/local/nginx/conf/exploits.conf exploits.conf
nginxbeautifier -s 4 -r rootfs/usr/local/nginx/conf nginxbeautifier -s 4 -r rootfs/usr/local/nginx/conf
mv -v exploits.conf rootfs/usr/local/nginx/conf/exploits.conf
- name: push changes - name: push changes
run: | run: |
git add -A git add -A

2
Caddy.Dockerfile
View file

@ -1,4 +1,4 @@
FROM alpine:3.20.2 FROM alpine:3.20.3
RUN apk add --no-cache ca-certificates tzdata RUN apk add --no-cache ca-certificates tzdata
COPY --from=caddy:2.8.4 /usr/bin/caddy /usr/bin/caddy COPY --from=caddy:2.8.4 /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/caddy/Caddyfile COPY Caddyfile /etc/caddy/Caddyfile

20
Dockerfile
View file

@ -1,5 +1,5 @@
# syntax=docker/dockerfile:labs # syntax=docker/dockerfile:labs
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS frontend FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS frontend
COPY frontend /app COPY frontend /app
COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json
ARG NODE_ENV=production \ ARG NODE_ENV=production \
@ -18,7 +18,7 @@ COPY darkmode.css /app/dist/css/darkmode.css
COPY security.txt /app/dist/.well-known/security.txt COPY security.txt /app/dist/.well-known/security.txt
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS build-backend FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS build-backend
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY backend /app COPY backend /app
COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json
@ -37,7 +37,7 @@ RUN apk upgrade --no-cache -a && \
fi && \ fi && \
yarn cache clean --all && \ yarn cache clean --all && \
clean-modules --yes clean-modules --yes
FROM alpine:3.20.2 AS strip-backend FROM alpine:3.20.3 AS strip-backend
COPY --from=build-backend /app /app COPY --from=build-backend /app /app
RUN apk upgrade --no-cache -a && \ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates binutils file && \ apk add --no-cache ca-certificates binutils file && \
@ -45,7 +45,7 @@ RUN apk upgrade --no-cache -a && \
find /app/node_modules -name "*.node" -type f -exec file {} \; find /app/node_modules -name "*.node" -type f -exec file {} \;
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS crowdsec FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS crowdsec
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CSNB_VER=v1.0.8 ARG CSNB_VER=v1.0.8
WORKDIR /src WORKDIR /src
@ -67,22 +67,24 @@ RUN apk upgrade --no-cache -a && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:306-python FROM zoeyvid/nginx-quic:340-python
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs / COPY rootfs /
COPY --from=zoeyvid/certbot-docker:46 /usr/local /usr/local COPY --from=zoeyvid/certbot-docker:51 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:408 /usr/local/bin/curl /usr/local/bin/curl COPY --from=zoeyvid/curl-quic:416 /usr/local/bin/curl /usr/local/bin/curl
ARG CRS_VER=v4.5.0 ARG CRS_VER=v4.7.0
RUN apk upgrade --no-cache -a && \ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \ apk add --no-cache ca-certificates tzdata tini \
nodejs \ nodejs \
bash nano \ bash nano \
openssl apache2-utils \ logrotate apache2-utils \
lua5.1-lzlib lua5.1-socket \ lua5.1-lzlib lua5.1-socket \
coreutils grep findutils jq shadow su-exec \ coreutils grep findutils jq shadow su-exec \
luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \ luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \
curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \ curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \
curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/refs/heads/main/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh && \
chmod +x /usr/local/bin/certbot-ocsp-fetcher.sh && \
git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \ git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \
mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \ mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \

8
README.md
View file

@ -20,6 +20,7 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br> **Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
**Note: Other Databases like MariaDB may work, but are unsupported.** <br> **Note: Other Databases like MariaDB may work, but are unsupported.** <br>
**Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br> **Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br>
**Note: if you remove a cert, which is still used by a host, NPM/NPMplus will crash.** <br>
## Project Goal ## Project Goal
@ -61,7 +62,6 @@ so that the barrier for entry here is low.
- Only enables TLSv1.2 and TLSv1.3 protocols - Only enables TLSv1.2 and TLSv1.3 protocols
- Faster creation of TLS certificates can be achieved by eliminating unnecessary Nginx reloads and configuration creations. - Faster creation of TLS certificates can be achieved by eliminating unnecessary Nginx reloads and configuration creations.
- Uses OCSP Stapling for enhanced security - Uses OCSP Stapling for enhanced security
- If using custom certificates, upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder (manual migration may be needed)
- Resolved dnspod plugin issue - Resolved dnspod plugin issue
- To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/NPMplus/blob/develop/global/certbot-dns-plugins.js) - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/NPMplus/blob/develop/global/certbot-dns-plugins.js)
- Smaller docker image with alpine-based distribution - Smaller docker image with alpine-based distribution
@ -91,11 +91,11 @@ so that the barrier for entry here is low.
## migration ## migration
- **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
- if you use custom certificates, you need to upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder - since many buttons changed, please edit every host you have and click save. (Please also resave it, if all buttons/values are fine, to update the host config to fully fit the NPMplus template)
- some buttons have changed, check if they are still correct
- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/npmplus/blob/develop/global/certbot-dns-plugins.js) for the template) - please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/npmplus/blob/develop/global/certbot-dns-plugins.js) for the template)
- since this fork has dependency on `network_mode: host`, please don't forget to open port 80/tcp, 443/tcp and 443/udp (and maybe 81/tcp) in your firewall - since this fork has dependency on `network_mode: host`, please don't forget to open port 80/tcp, 443/tcp and 443/udp (and maybe 81/tcp) in your firewall
- if you have a healthcheck defined in your compose yaml file, remove it - this fork defines its own healthcheck in the Dockerfile, so you don't need to have it in compose anymore - if you have a healthcheck defined in your compose yaml file, remove it - this fork defines its own healthcheck in the Dockerfile, so you don't need to have it in compose anymore
- please report all migration issues you have
# Crowdsec # Crowdsec
1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml and enable LOGROTATE 1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml and enable LOGROTATE
@ -198,7 +198,7 @@ You may need to use another IP-Address.
[https://127.0.0.1:81](https://127.0.0.1:81) [https://127.0.0.1:81](https://127.0.0.1:81)
Default Admin User: Default Admin User:
``` ```
Email: admin@example.com Email: admin@example.org
Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi
``` ```
Immediately after logging in with this default user you will be asked to modify your details and change your password. Immediately after logging in with this default user you will be asked to modify your details and change your password.

6
backend/doc/api.swagger.json
View file

@ -102,7 +102,7 @@
"modified_on": "2023-03-30T01:11:50.000Z", "modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0, "is_deleted": 0,
"is_disabled": 0, "is_disabled": 0,
"email": "admin@example.com", "email": "admin@example.org",
"name": "Administrator", "name": "Administrator",
"nickname": "Admin", "nickname": "Admin",
"avatar": "", "avatar": "",
@ -144,7 +144,7 @@
"modified_on": "2023-03-30T01:11:50.000Z", "modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0, "is_deleted": 0,
"is_disabled": 0, "is_disabled": 0,
"email": "admin@example.com", "email": "admin@example.org",
"name": "Administrator", "name": "Administrator",
"nickname": "Admin", "nickname": "Admin",
"avatar": "", "avatar": "",
@ -223,7 +223,7 @@
"modified_on": "2023-03-30T01:11:50.000Z", "modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0, "is_deleted": 0,
"is_disabled": 0, "is_disabled": 0,
"email": "admin@example.com", "email": "admin@example.org",
"name": "Administrator", "name": "Administrator",
"nickname": "Admin", "nickname": "Admin",
"avatar": "", "avatar": "",

62
backend/internal/certificate.js
View file

@ -480,14 +480,6 @@ const internalCertificate = {
resolve(); resolve();
} }
}); });
fs.writeFile(dir + '/chain.pem', certificate.meta.intermediate_certificate, function (err) {
if (err) {
reject(err);
} else {
resolve();
}
});
}).then(() => { }).then(() => {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) { fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) {
@ -777,7 +769,7 @@ const internalCertificate = {
requestLetsEncryptSsl: (certificate) => { requestLetsEncryptSsl: (certificate) => {
logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
let cmd = certbotCommand + ' certonly ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--authenticator webroot ' + '--preferred-challenges "dns,http" ' + '--domains "' + certificate.domain_names.join(',') + '"'; let cmd = certbotCommand + ' certonly ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--authenticator webroot ' + '--preferred-challenges "http,dns" ' + '--domains "' + certificate.domain_names.join(',') + '"';
if (certificate.meta.letsencrypt_email === '') { if (certificate.meta.letsencrypt_email === '') {
cmd = cmd + ' --register-unsafely-without-email '; cmd = cmd + ' --register-unsafely-without-email ';
@ -878,24 +870,31 @@ const internalCertificate = {
* @param {Object} certificate the certificate row * @param {Object} certificate the certificate row
* @returns {Promise} * @returns {Promise}
*/ */
renewLetsEncryptSsl: (certificate) => { renewLetsEncryptSsl: async (certificate) => {
logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew'; const cmdr = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" --no-delete-after-revoke';
logger.info('Command:', cmdr);
const revokeResult = await utils.exec(cmdr);
logger.info(revokeResult);
const cmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "http,dns" ' + '--no-random-sleep-on-renew';
logger.info('Command:', cmd); logger.info('Command:', cmd);
return utils.exec(cmd).then((result) => { const renewResult = await utils.exec(cmd);
logger.info(result); logger.info(renewResult);
return result;
}); return renewResult;
}, },
/** /**
* @param {Object} certificate the certificate row * @param {Object} certificate the certificate row
* @returns {Promise} * @returns {Promise}
*/ */
renewLetsEncryptSslWithDnsChallenge: (certificate) => { renewLetsEncryptSslWithDnsChallenge: async (certificate) => {
const dnsPlugin = dnsPlugins[certificate.meta.dns_provider]; const dnsPlugin = dnsPlugins[certificate.meta.dns_provider];
if (!dnsPlugin) { if (!dnsPlugin) {
@ -904,14 +903,21 @@ const internalCertificate = {
logger.info(`Renewing Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); logger.info(`Renewing Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const mainCmdr = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" --no-delete-after-revoke';
logger.info('Command:', mainCmdr);
const revokeResult = await utils.exec(mainCmdr);
logger.info(revokeResult);
const mainCmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew'; const mainCmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew';
logger.info('Command:', mainCmd); logger.info('Command:', mainCmd);
return utils.exec(mainCmd).then(async (result) => { const renewResult = await utils.exec(mainCmd);
logger.info(result); logger.info(renewResult);
return result;
}); return renewResult;
}, },
/** /**
@ -924,15 +930,19 @@ const internalCertificate = {
const mainCmd = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' + '--delete-after-revoke'; const mainCmd = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' + '--delete-after-revoke';
// Don't fail command if file does not exist
const delete_credentialsCmd = `rm -f '/data/tls/certbot/credentials/credentials-${certificate.id}' || true`;
logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
return utils return utils
.exec(mainCmd) .exec(mainCmd)
.then(async (result) => { .then(async (result) => {
await utils.exec(delete_credentialsCmd); fs.rm('/data/tls/certbot/credentials/credentials-' + certificate.id, { force: true }, (err) => {
if (err) {
logger.error('Error deleting credentials:', err.message);
if (throw_errors) {
throw err;
}
} else {
logger.info('Credentials file deleted successfully');
}
});
logger.info(result); logger.info(result);
return result; return result;
}) })

2
backend/internal/ip_ranges.js
View file

@ -102,7 +102,7 @@ const internalIpRanges = {
const renderEngine = utils.getRenderEngine(); const renderEngine = utils.getRenderEngine();
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
let template = null; let template = null;
const filename = '/data/nginx/ip_ranges.conf'; const filename = '/tmp/ip_ranges.conf';
try { try {
template = fs.readFileSync(__dirname + '/../templates/ip_ranges.conf', { encoding: 'utf8' }); template = fs.readFileSync(__dirname + '/../templates/ip_ranges.conf', { encoding: 'utf8' });
} catch (err) { } catch (err) {

100
backend/internal/nginx.js
View file

@ -30,9 +30,7 @@ const internalNginx = {
.then(() => { .then(() => {
// Nginx is OK // Nginx is OK
// We're deleting this config regardless. // We're deleting this config regardless.
// Don't throw errors, as the file may not exist at all return internalNginx.deleteConfig(host_type, host);
// Delete the .err file too
return internalNginx.deleteConfig(host_type, host, false, true);
}) })
.then(() => { .then(() => {
return internalNginx.generateConfig(host_type, host); return internalNginx.generateConfig(host_type, host);
@ -42,7 +40,7 @@ const internalNginx = {
return internalNginx return internalNginx
.test() .test()
.then(() => { .then(() => {
// nginx is ok // Nginx is OK
combined_meta = _.assign({}, host.meta, { combined_meta = _.assign({}, host.meta, {
nginx_online: true, nginx_online: true,
nginx_err: null, nginx_err: null,
@ -52,41 +50,25 @@ const internalNginx = {
meta: combined_meta, meta: combined_meta,
}); });
}) })
.catch((err) => { .catch(() => {
// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported. // Handle testing failure
// It will always look like this: // Execute the command and wait for it to finish
// nginx: [alert] could not open error log file: open() "/dev/null" failed (6: No such device or address) return utils.execfg('nginx -t || true').then(() => {
combined_meta = _.assign({}, host.meta, {
const valid_lines = []; nginx_online: false,
const err_lines = err.message.split('\n'); nginx_err: 'see docker logs',
err_lines.map(function (line) {
if (line.indexOf('/dev/null') === -1) {
valid_lines.push(line);
}
});
if (config.debug()) {
logger.error('Nginx test failed:', valid_lines.join('\n'));
}
// config is bad, update meta and delete config
combined_meta = _.assign({}, host.meta, {
nginx_online: false,
nginx_err: valid_lines.join('\n'),
});
return model
.query()
.where('id', host.id)
.patch({
meta: combined_meta,
})
.then(() => {
internalNginx.renameConfigAsError(host_type, host);
})
.then(() => {
return internalNginx.deleteConfig(host_type, host, true);
}); });
return model
.query()
.where('id', host.id)
.patch({
meta: combined_meta,
})
.then(() => {
internalNginx.renameConfigAsError(host_type, host);
});
});
}); });
}) })
.then(() => { .then(() => {
@ -114,6 +96,11 @@ const internalNginx = {
reload: () => { reload: () => {
return internalNginx.test().then(() => { return internalNginx.test().then(() => {
try {
utils.exec('certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --quiet --no-reload-webserver || true');
} catch {
// do nothing
}
if (fs.existsSync(NgxPidFilePath)) { if (fs.existsSync(NgxPidFilePath)) {
const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim(); const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
if (ngxPID.length > 0) { if (ngxPID.length > 0) {
@ -262,20 +249,6 @@ const internalNginx = {
}); });
}, },
/**
* A simple wrapper around unlinkSync that writes to the logger
*
* @param {String} filename
*/
deleteFile: (filename) => {
logger.debug('Deleting file: ' + filename);
try {
fs.unlinkSync(filename);
} catch (err) {
logger.debug('Could not delete file:', JSON.stringify(err, null, 2));
}
},
/** /**
* *
* @param {String} host_type * @param {String} host_type
@ -291,16 +264,17 @@ const internalNginx = {
* @param {Boolean} [delete_err_file] * @param {Boolean} [delete_err_file]
* @returns {Promise} * @returns {Promise}
*/ */
deleteConfig: (host_type, host, delete_err_file) => { deleteConfig: (host_type, host) => {
const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id); const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id);
const config_file_err = config_file + '.err'; const config_file_err = config_file + '.err';
return new Promise((resolve /*, reject */) => { return new Promise((resolve /*, reject */) => {
internalNginx.deleteFile(config_file); fs.rm(config_file, { force: true }, () => {
if (delete_err_file) { resolve();
internalNginx.deleteFile(config_file_err); });
} fs.rm(config_file_err, { force: true }, () => {
resolve(); resolve();
});
}); });
}, },
@ -314,12 +288,8 @@ const internalNginx = {
const config_file_err = config_file + '.err'; const config_file_err = config_file + '.err';
return new Promise((resolve /*, reject */) => { return new Promise((resolve /*, reject */) => {
fs.unlink(config_file, () => { fs.rename(config_file, config_file_err, () => {
// ignore result, continue resolve();
fs.rename(config_file, config_file_err, () => {
// also ignore result, as this is a debugging informative file anyway
resolve();
});
}); });
}); });
}, },
@ -346,7 +316,7 @@ const internalNginx = {
bulkDeleteConfigs: (host_type, hosts) => { bulkDeleteConfigs: (host_type, hosts) => {
const promises = []; const promises = [];
hosts.map(function (host) { hosts.map(function (host) {
promises.push(internalNginx.deleteConfig(host_type, host, true)); promises.push(internalNginx.deleteConfig(host_type, host));
}); });
return Promise.all(promises); return Promise.all(promises);

4
backend/knexfile.js
View file

@ -1,6 +1,6 @@
module.exports = { module.exports = {
development: { development: {
client: 'mysql', client: 'mysql2',
migrations: { migrations: {
tableName: 'migrations', tableName: 'migrations',
stub: 'lib/migrate_template.js', stub: 'lib/migrate_template.js',
@ -9,7 +9,7 @@ module.exports = {
}, },
production: { production: {
client: 'mysql', client: 'mysql2',
migrations: { migrations: {
tableName: 'migrations', tableName: 'migrations',
stub: 'lib/migrate_template.js', stub: 'lib/migrate_template.js',

2
backend/lib/config.js
View file

@ -36,7 +36,7 @@ const configure = () => {
logger.info('Using MySQL configuration'); logger.info('Using MySQL configuration');
instance = { instance = {
database: { database: {
engine: 'mysql', engine: 'mysql2',
host: envMysqlHost, host: envMysqlHost,
port: process.env.DB_MYSQL_PORT || 3306, port: process.env.DB_MYSQL_PORT || 3306,
user: envMysqlUser, user: envMysqlUser,

51
backend/migrations/20240921100301_regenerate_default_host.js Normal file
View file

@ -0,0 +1,51 @@
const migrate_name = 'regenerate_default_host';
const logger = require('../logger').migrate;
const internalNginx = require('../internal/nginx');
async function regenerateDefaultHost(knex) {
const row = await knex('setting').select('*').where('id', 'default-site').first();
if (!row) {
return Promise.resolve();
}
return internalNginx
.deleteConfig('default')
.then(() => {
return internalNginx.generateConfig('default', row);
})
.then(() => {
return internalNginx.test();
})
.then(() => {
return internalNginx.reload();
});
}
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex) {
logger.info('[' + migrate_name + '] Migrating Up...');
return regenerateDefaultHost(knex);
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex) {
logger.info('[' + migrate_name + '] Migrating Down...');
return regenerateDefaultHost(knex);
};

18
backend/package.json
View file

@ -9,31 +9,31 @@
"archiver": "7.0.1", "archiver": "7.0.1",
"batchflow": "0.4.0", "batchflow": "0.4.0",
"bcrypt": "5.1.1", "bcrypt": "5.1.1",
"better-sqlite3": "11.1.2", "better-sqlite3": "11.3.0",
"body-parser": "1.20.2", "body-parser": "2.0.1",
"compression": "1.7.4", "compression": "1.7.4",
"express": "4.19.2", "express": "4.21.0",
"express-fileupload": "1.5.1", "express-fileupload": "1.5.1",
"gravatar": "1.8.2", "gravatar": "1.8.2",
"jsonwebtoken": "9.0.2", "jsonwebtoken": "9.0.2",
"knex": "3.1.0", "knex": "3.1.0",
"liquidjs": "10.16.1", "liquidjs": "10.17.0",
"lodash": "4.17.21", "lodash": "4.17.21",
"moment": "2.30.1", "moment": "2.30.1",
"mysql": "2.18.1", "mysql2": "3.11.3",
"node-rsa": "1.1.1", "node-rsa": "1.1.1",
"objection": "3.1.4", "objection": "3.1.5",
"path": "0.12.7", "path": "0.12.7",
"signale": "1.4.0" "signale": "1.4.0"
}, },
"author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>", "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"@eslint/js": "9.9.0", "@eslint/js": "9.11.1",
"eslint": "9.9.0", "eslint": "9.11.1",
"eslint-config-prettier": "9.1.0", "eslint-config-prettier": "9.1.0",
"eslint-plugin-prettier": "5.2.1", "eslint-plugin-prettier": "5.2.1",
"globals": "15.9.0", "globals": "15.10.0",
"prettier": "3.3.3" "prettier": "3.3.3"
} }
} }

2
backend/setup.js
View file

@ -22,7 +22,7 @@ const setupDefaultUser = () => {
.then((row) => { .then((row) => {
if (!row.count) { if (!row.count) {
// Create a new user and set password // Create a new user and set password
let email = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com'; let email = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.org';
let password = process.env.INITIAL_ADMIN_PASSWORD || 'iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi'; let password = process.env.INITIAL_ADMIN_PASSWORD || 'iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi';
logger.info('Creating a new user: ' + email + ' with password: ' + password); logger.info('Creating a new user: ' + email + ' with password: ' + password);

5
backend/templates/_certificates.conf
View file

@ -4,12 +4,11 @@
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem; ssl_stapling_file /data/tls/certbot/live/npm-{{ certificate_id }}.der;
{% else %} {% else %}
# Custom SSL # Custom TLS
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
{% endif %} {% endif %}
{% endif %} {% endif %}

6
backend/templates/default.conf
View file

@ -19,9 +19,9 @@ server {
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf; include conf.d/include/always.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
{%- if value == "404" %} {%- if value == "404" %}
location / { location / {

2
frontend/js/app/main.js
View file

@ -48,7 +48,7 @@ const App = Mn.Application.extend({
Backbone.history.start({pushState: true}); Backbone.history.start({pushState: true});
// Ask the admin use to change their details // Ask the admin use to change their details
if (Cache.User.get('email') === 'admin@example.com') { if (Cache.User.get('email') === 'admin@example.com' || Cache.User.get('email') === 'admin@example.org') {
Controller.showUserForm(Cache.User); Controller.showUserForm(Cache.User);
} }
}); });

4
frontend/js/app/nginx/certificates/form.ejs
View file

@ -165,9 +165,9 @@
</div> </div>
<div class="col-sm-12 col-md-12 other-ssl"> <div class="col-sm-12 col-md-12 other-ssl">
<div class="form-group"> <div class="form-group">
<div class="form-label"><%- i18n('certificates', 'other-intermediate-certificate') %><span class="form-required">*</span></div> <div class="form-label"><%- i18n('certificates', 'other-intermediate-certificate') %></div>
<div class="custom-file"> <div class="custom-file">
<input type="file" class="custom-file-input" name="meta[other_intermediate_certificate]" id="other_intermediate_certificate" required> <input type="file" class="custom-file-input" name="meta[other_intermediate_certificate]" id="other_intermediate_certificate">
<label id="other_intermediate_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label> <label id="other_intermediate_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
</div> </div>
</div> </div>

5
frontend/js/app/nginx/certificates/form.js
View file

@ -149,10 +149,7 @@ module.exports = Mn.View.extend({
ssl_files.push({name: 'certificate_key', file: this.ui.other_certificate_key[0].files[0]}); ssl_files.push({name: 'certificate_key', file: this.ui.other_certificate_key[0].files[0]});
} }
if (!this.ui.other_intermediate_certificate[0].files.length || !this.ui.other_intermediate_certificate[0].files[0].size) { if (this.ui.other_intermediate_certificate[0].files.length && this.ui.other_intermediate_certificate[0].files[0].size) {
alert('Intermediate Certificate file is not attached');
return;
} else {
if (this.ui.other_intermediate_certificate[0].files[0].size > this.max_file_size) { if (this.ui.other_intermediate_certificate[0].files[0].size > this.max_file_size) {
alert('Intermediate Certificate file is too large (> 100kb)'); alert('Intermediate Certificate file is too large (> 100kb)');
return; return;

6
frontend/js/app/user/form.js
View file

@ -25,10 +25,10 @@ module.exports = Mn.View.extend({
let view = this; let view = this;
let data = this.ui.form.serializeJSON(); let data = this.ui.form.serializeJSON();
let show_password = this.model.get('email') === 'admin@example.com'; let show_password = (this.model.get('email') === 'admin@example.com' || this.model.get('email') === 'admin@example.org');
// admin@example.com is not allowed // admin@example.com and admin@example.org is not allowed
if (data.email === 'admin@example.com') { if (data.email === 'admin@example.com' || data.email === 'admin@example.org') {
this.ui.error.text(App.i18n('users', 'default_error')).show(); this.ui.error.text(App.i18n('users', 'default_error')).show();
this.ui.buttons.prop('disabled', false).removeClass('btn-disabled'); this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
return; return;

6
frontend/package.json
View file

@ -4,9 +4,9 @@
"description": "A beautiful interface for creating Nginx endpoints", "description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js", "main": "js/index.js",
"dependencies": { "dependencies": {
"@babel/core": "7.25.2", "@babel/core": "7.25.7",
"babel-core": "6.26.3", "babel-core": "6.26.3",
"babel-loader": "8.3.0", "babel-loader": "8.4.1",
"babel-preset-env": "1.7.0", "babel-preset-env": "1.7.0",
"backbone": "1.6.0", "backbone": "1.6.0",
"backbone.marionette": "4.1.3", "backbone.marionette": "4.1.3",
@ -28,7 +28,7 @@
"mini-css-extract-plugin": "1.6.2", "mini-css-extract-plugin": "1.6.2",
"moment": "2.30.1", "moment": "2.30.1",
"node-sass": "9.0.0", "node-sass": "9.0.0",
"nodemon": "3.1.4", "nodemon": "3.1.7",
"numeral": "2.0.6", "numeral": "2.0.6",
"sass-loader": "10.5.2", "sass-loader": "10.5.2",
"style-loader": "4.0.0", "style-loader": "4.0.0",

15
rootfs/etc/tls/certbot.ini
View file

@ -4,12 +4,17 @@ webroot-path = /tmp/acme-challenge
new-key= true new-key= true
key-type = ecdsa key-type = ecdsa
must-staple = false must-staple = true
no-reuse-key = true no-reuse-key = true
rsa-key-size = 4096 rsa-key-size = 4096
elliptic-curve = secp384r1 elliptic-curve = secp384r1
# An example of using an alternate ACME server that uses EAB credentials #server = https://acme-v02.api.letsencrypt.org/directory
# server = https://dv.acme-v02.api.pki.goog/directory
# eab-kid = somestringofstuffwithoutquotes #server = https://acme.zerossl.com/v2/DV90
# eab-hmac-key = yaddayaddahexhexnotquoted #eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted
#server = https://dv.acme-v02.api.pki.goog/directory
#eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted

2
rootfs/usr/local/bin/aio.sh
View file

@ -2,7 +2,7 @@
if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then
while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.com","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)" curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.org","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
touch /data/etc/aio.lock touch /data/etc/aio.lock
echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry." echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
fi fi

307
rootfs/usr/local/bin/start.sh
View file

@ -387,7 +387,6 @@ fi
if [ "$LOGROTATE" = "true" ]; then if [ "$LOGROTATE" = "true" ]; then
apk add --no-cache logrotate
sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate
touch /data/nginx/access.log \ touch /data/nginx/access.log \
/data/nginx/stream.log /data/nginx/stream.log
@ -433,7 +432,7 @@ if [ -s /data/nginx/default_host/site.conf ]; then
fi fi
if [ -s /data/nginx/default_www/index.html ]; then if [ -s /data/nginx/default_www/index.html ]; then
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html mv -vn /data/nginx/default_www/index.html /data/etc/html/index.html
fi fi
if [ -s /data/nginx/dummycert.pem ]; then if [ -s /data/nginx/dummycert.pem ]; then
@ -461,7 +460,7 @@ if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
fi fi
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv -vn /etc/letsencrypt/* /data/tls/certbot cp -van /etc/letsencrypt/* /data/tls/certbot
fi fi
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
@ -504,7 +503,8 @@ if [ "$CLEAN" = "true" ]; then
/data/ssl \ /data/ssl \
/data/logs \ /data/logs \
/data/error.log \ /data/error.log \
/data/nginx/error.log /data/nginx/error.log \
/data/nginx/ip_ranges.conf
rm -vf /data/tls/certbot/crs/*.pem rm -vf /data/tls/certbot/crs/*.pem
rm -vf /data/tls/certbot/keys/*.pem rm -vf /data/tls/certbot/keys/*.pem
@ -531,12 +531,8 @@ if [ "$FULLCLEAN" = "true" ]; then
fi fi
fi fi
if [ "$SKIP_IP_RANGES" = "true" ]; then touch /tmp/ip_ranges.conf \
rm -vf /data/nginx/ip_ranges.conf /data/etc/html/index.html \
fi
touch /data/etc/html/index.html \
/data/nginx/ip_ranges.conf \
/data/nginx/custom/events.conf \ /data/nginx/custom/events.conf \
/data/nginx/custom/http.conf \ /data/nginx/custom/http.conf \
/data/nginx/custom/http_top.conf \ /data/nginx/custom/http_top.conf \
@ -591,6 +587,8 @@ find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \; find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \; find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \;
sed -i "/ssl_stapling/d" /data/nginx/default.conf
sed -i "/ssl_stapling_verify/d" /data/nginx/default.conf
if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf cp -van /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
@ -618,124 +616,6 @@ cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUS
cp -va /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins cp -va /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "no DEFAULT_CERT_ID set, using dummycerts."
else
if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
else
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
fi
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
fi
else
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf; fi
sed -i "s|48693|$NIBEP|g" /app/index.js sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
@ -844,11 +724,6 @@ else
sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf
fi fi
if [ ! -s /data/nginx/default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ ! -s /data/tls/certbot/config.ini ]; then if [ ! -s /data/tls/certbot/config.ini ]; then
cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
fi fi
@ -878,14 +753,174 @@ else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi fi
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "no DEFAULT_CERT_ID set, using dummycerts."
else
if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der ]; then
export DEFAULT_STAPLING_FILE=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der
echo "DEFAULT_STAPLING_FILE set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID.der"
fi
fi
fi
elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
fi
fi
else
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
fi
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
fi
else
rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /app/templates/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /app/templates/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /app/templates/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /app/templates/default.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/default.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /data/nginx/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /data/nginx/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /data/nginx/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /data/nginx/default.conf
fi
if [ ! -s /data/nginx/default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ "$GOA" = "true" ]; then if [ "$GOA" = "true" ]; then
apk add --no-cache goaccess apk add --no-cache goaccess
mkdir -vp /data/etc/goaccess/data \ mkdir -vp /data/etc/goaccess/data /data/etc/goaccess/geoip
/data/etc/goaccess/geoip
cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf
cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
elif [ "$FULLCLEAN" = "true" ]; then elif [ "$FULLCLEAN" = "true" ]; then

13
rootfs/usr/local/nginx/conf/conf.d/include/always.conf
View file

@ -22,16 +22,3 @@ location /fancyindex/ {
location ~ /\.ht { location ~ /\.ht {
deny all; deny all;
} }
location ~ /\.git {
deny all;
}
if ($blocked_user_agent) {
return 403;
}
if ($blocked_query_string) {
return 403;
}

6
rootfs/usr/local/nginx/conf/conf.d/include/default.conf
View file

@ -19,9 +19,9 @@ server {
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf; include conf.d/include/always.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
location / { location / {
include conf.d/include/always.conf; include conf.d/include/always.conf;

7
rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf
View file

@ -1,3 +1,10 @@
# Check if the original scheme is HTTP
if ($scheme = "http") { if ($scheme = "http") {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
# Check if the request was forwarded with HTTP protocol
# This is necessary when behind a proxy like Cloudflare
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
}

6
rootfs/usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
View file

@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf; include conf.d/include/always.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
} }

6
rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
View file

@ -12,9 +12,9 @@ server {
modsecurity on; modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf; modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
location / { location / {
include conf.d/include/always.conf; include conf.d/include/always.conf;

16
rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf Normal file
View file

@ -0,0 +1,16 @@
ssl_early_data on;
ssl_stapling off;
ssl_stapling_verify off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;

12
rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
View file

@ -4,11 +4,13 @@ ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;
# intermediate configuration. tweak to your needs. ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;

6
rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
View file

@ -18,7 +18,7 @@ server {
add_header Alt-Svc 'h3=":443"; ma=86400'; add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on; http3 on;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
} }

6
rootfs/usr/local/nginx/conf/conf.d/npm-no-server-name.conf
View file

@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf; include conf.d/include/always.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
} }

6
rootfs/usr/local/nginx/conf/conf.d/npm.conf
View file

@ -12,9 +12,9 @@ server {
modsecurity on; modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf; modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ; ssl_certificate ;
#ssl_certificate_key ; ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_stapling_file ;
location /api { location /api {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;

22
rootfs/usr/local/nginx/conf/exploits.conf
View file

@ -1,22 +0,0 @@
map $query_string $blocked_query_string {
default 0;
"~*union.*select.*\(" 1;
"~*union.*all.*select.*" 1;
"~*concat.*\(" 1;
"~*[a-zA-Z0-9_]=(\.\.//?)+" 1;
"~*[a-zA-Z0-9_]=/([a-z0-9_.]//?)+" 1;
"~*(<|%3C).*script.*(>|%3E)" 1;
"~*GLOBALS(=|\[|\%[0-9A-Z]{0,2})" 1;
"~*_REQUEST(=|\[|\%[0-9A-Z]{0,2})" 1;
"~*proc/self/environ" 1;
"~*mosConfig_[a-zA-Z_]{1,21}(=|\%3D)" 1;
"~*base64_(en|de)code\(.*\)" 1;
}
map $http_user_agent $blocked_user_agent {
default 0;
"~*Google-Extended" 1;
"~*GPTBot" 1;
"~*ChatGPT-User" 1;
"~*CCBot" 1;
}

8
rootfs/usr/local/nginx/conf/nginx.conf
View file

@ -28,6 +28,8 @@ http {
more_clear_headers "X-Page-Speed"; more_clear_headers "X-Page-Speed";
more_clear_headers "X-Varnish"; more_clear_headers "X-Varnish";
server_names_hash_bucket_size 64;
aio threads; aio threads;
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
@ -86,8 +88,6 @@ http {
websocket "socket"; websocket "socket";
} }
include exploits.conf;
upstream php82 { upstream php82 {
server unix:/run/php82.sock; server unix:/run/php82.sock;
} }
@ -107,7 +107,7 @@ http {
fancyindex_default_sort name; fancyindex_default_sort name;
fancyindex_hide_parent_dir off; fancyindex_hide_parent_dir off;
fancyindex_directories_first on; fancyindex_directories_first on;
fancyindex_time_format "%d-%m-%Y %T"; fancyindex_time_format "%Y-%m-%d %T";
fancyindex_ignore "fancyindex"; fancyindex_ignore "fancyindex";
fancyindex_header "/fancyindex/header.html"; fancyindex_header "/fancyindex/header.html";
fancyindex_footer "/fancyindex/footer.html"; fancyindex_footer "/fancyindex/footer.html";
@ -123,7 +123,7 @@ http {
include fastcgi.conf; include fastcgi.conf;
include /data/nginx/ip_ranges.conf; include /tmp/ip_ranges.conf;
include /data/nginx/default.conf; include /data/nginx/default.conf;
include conf.d/*.conf; include conf.d/*.conf;