fixes/dep updates/improved tls

Signed-off-by: Zoey <zoey@z0ey.de>
renovate[bot] 2024-08-15 18:32:12 +00:00 committed by Zoey
parent a1f44c57d1
commit bb09562f89
GPG key ID: 02A3919EB4F67328
36 changed files with 406 additions and 349 deletions


@ -25,7 +25,7 @@ jobs:
sed -i "s|ARG CSNB_VER=.*|ARG CSNB_VER=$CSNB_VER|" Dockerfile
echo "version=$CSNB_VER" >> $GITHUB_OUTPUT
- name: Create Pull Request
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@v7
with:
signoff: true
delete-branch: true
@ -51,7 +51,7 @@ jobs:
sed -i "s|ARG CRS_VER=.*|ARG CRS_VER=$CRS_VER|" Dockerfile
echo "version=$CRS_VER" >> $GITHUB_OUTPUT
- name: Create Pull Request
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@v7
with:
signoff: true
delete-branch: true


@ -24,9 +24,7 @@ jobs:
- name: nginxbeautifier
run: |
yarn global add nginxbeautifier
mv -v rootfs/usr/local/nginx/conf/exploits.conf exploits.conf
nginxbeautifier -s 4 -r rootfs/usr/local/nginx/conf
mv -v exploits.conf rootfs/usr/local/nginx/conf/exploits.conf
- name: push changes
run: |
git add -A


@ -1,4 +1,4 @@
FROM alpine:3.20.2
FROM alpine:3.20.3
RUN apk add --no-cache ca-certificates tzdata
COPY --from=caddy:2.8.4 /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/caddy/Caddyfile


@ -1,5 +1,5 @@
# syntax=docker/dockerfile:labs
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS frontend
FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS frontend
COPY frontend /app
COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json
ARG NODE_ENV=production \
@ -18,7 +18,7 @@ COPY darkmode.css /app/dist/css/darkmode.css
COPY security.txt /app/dist/.well-known/security.txt
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS build-backend
FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS build-backend
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY backend /app
COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json
@ -37,7 +37,7 @@ RUN apk upgrade --no-cache -a && \
fi && \
yarn cache clean --all && \
clean-modules --yes
FROM alpine:3.20.2 AS strip-backend
FROM alpine:3.20.3 AS strip-backend
COPY --from=build-backend /app /app
RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates binutils file && \
@ -45,7 +45,7 @@ RUN apk upgrade --no-cache -a && \
find /app/node_modules -name "*.node" -type f -exec file {} \;
FROM --platform="$BUILDPLATFORM" alpine:3.20.2 AS crowdsec
FROM --platform="$BUILDPLATFORM" alpine:3.20.3 AS crowdsec
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CSNB_VER=v1.0.8
WORKDIR /src
@ -67,22 +67,24 @@ RUN apk upgrade --no-cache -a && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:306-python
FROM zoeyvid/nginx-quic:340-python
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs /
COPY --from=zoeyvid/certbot-docker:46 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:408 /usr/local/bin/curl /usr/local/bin/curl
COPY --from=zoeyvid/certbot-docker:51 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:416 /usr/local/bin/curl /usr/local/bin/curl
ARG CRS_VER=v4.5.0
ARG CRS_VER=v4.7.0
RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \
nodejs \
bash nano \
openssl apache2-utils \
logrotate apache2-utils \
lua5.1-lzlib lua5.1-socket \
coreutils grep findutils jq shadow su-exec \
luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \
curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \
curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/refs/heads/main/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh && \
chmod +x /usr/local/bin/certbot-ocsp-fetcher.sh && \
git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \
mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
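Review bot: The new `curl ... certbot-ocsp-fetcher` line fetches an unpinned script from the mutable `refs/heads/main` branch into the image with no integrity check, and because curl runs without `-f` an error page from GitHub or a proxy would be saved as the script while the following `chmod +x` still succeeds. Pin the download to a release tag or commit and verify a digest before installing, e.g. `curl -fsSL "https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/<PINNED_TAG_OR_COMMIT>/certbot-ocsp-fetcher" -o /usr/local/bin/certbot-ocsp-fetcher.sh && echo "<EXPECTED_SHA256>  /usr/local/bin/certbot-ocsp-fetcher.sh" | sha256sum -c -`. The acme.sh `curl ... | sh` line directly above has the same shape; it is context here, but pinning both in one go would be consistent. `openssl` is also dropped from the apk list in this hunk; the only visible consumer was the dummy-cert `openssl req` in the removed entrypoint block, but anything else that still shells out to openssl would now be missing, so worth a grep. The RUN instruction continues past the end of the hunk.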


@ -20,6 +20,7 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
**Note: Other Databases like MariaDB may work, but are unsupported.** <br>
**Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br>
**Note: if you remove a cert, which is still used by a host, NPM/NPMplus will crash.** <br>
## Project Goal
@ -61,7 +62,6 @@ so that the barrier for entry here is low.
- Only enables TLSv1.2 and TLSv1.3 protocols
- Faster creation of TLS certificates can be achieved by eliminating unnecessary Nginx reloads and configuration creations.
- Uses OCSP Stapling for enhanced security
- If using custom certificates, upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder (manual migration may be needed)
- Resolved dnspod plugin issue
- To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/NPMplus/blob/develop/global/certbot-dns-plugins.js)
- Smaller docker image with alpine-based distribution
@ -91,11 +91,11 @@ so that the barrier for entry here is low.
## migration
- **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
- if you use custom certificates, you need to upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
- some buttons have changed, check if they are still correct
- since many buttons changed, please edit every host you have and click save. (Please also resave it, if all buttons/values are fine, to update the host config to fully fit the NPMplus template)
- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/npmplus/blob/develop/global/certbot-dns-plugins.js) for the template)
- since this fork has dependency on `network_mode: host`, please don't forget to open port 80/tcp, 443/tcp and 443/udp (and maybe 81/tcp) in your firewall
- if you have a healthcheck defined in your compose yaml file, remove it - this fork defines its own healthcheck in the Dockerfile, so you don't need to have it in compose anymore
- please report all migration issues you have
# Crowdsec
1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml and enable LOGROTATE
@ -198,7 +198,7 @@ You may need to use another IP-Address.
[https://127.0.0.1:81](https://127.0.0.1:81)
Default Admin User:
```
Email: admin@example.com
Email: admin@example.org
Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi
```
Immediately after logging in with this default user you will be asked to modify your details and change your password.


@ -102,7 +102,7 @@
"modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0,
"is_disabled": 0,
"email": "admin@example.com",
"email": "admin@example.org",
"name": "Administrator",
"nickname": "Admin",
"avatar": "",
@ -144,7 +144,7 @@
"modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0,
"is_disabled": 0,
"email": "admin@example.com",
"email": "admin@example.org",
"name": "Administrator",
"nickname": "Admin",
"avatar": "",
@ -223,7 +223,7 @@
"modified_on": "2023-03-30T01:11:50.000Z",
"is_deleted": 0,
"is_disabled": 0,
"email": "admin@example.com",
"email": "admin@example.org",
"name": "Administrator",
"nickname": "Admin",
"avatar": "",


@ -480,14 +480,6 @@ const internalCertificate = {
resolve();
}
});
fs.writeFile(dir + '/chain.pem', certificate.meta.intermediate_certificate, function (err) {
if (err) {
reject(err);
} else {
resolve();
}
});
}).then(() => {
return new Promise((resolve, reject) => {
fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) {
@ -777,7 +769,7 @@ const internalCertificate = {
requestLetsEncryptSsl: (certificate) => {
logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
let cmd = certbotCommand + ' certonly ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--authenticator webroot ' + '--preferred-challenges "dns,http" ' + '--domains "' + certificate.domain_names.join(',') + '"';
let cmd = certbotCommand + ' certonly ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--authenticator webroot ' + '--preferred-challenges "http,dns" ' + '--domains "' + certificate.domain_names.join(',') + '"';
if (certificate.meta.letsencrypt_email === '') {
cmd = cmd + ' --register-unsafely-without-email ';
@ -878,24 +870,31 @@ const internalCertificate = {
* @param {Object} certificate the certificate row
* @returns {Promise}
*/
renewLetsEncryptSsl: (certificate) => {
renewLetsEncryptSsl: async (certificate) => {
logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew';
const cmdr = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" --no-delete-after-revoke';
logger.info('Command:', cmdr);
const revokeResult = await utils.exec(cmdr);
logger.info(revokeResult);
const cmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "http,dns" ' + '--no-random-sleep-on-renew';
logger.info('Command:', cmd);
return utils.exec(cmd).then((result) => {
logger.info(result);
return result;
});
const renewResult = await utils.exec(cmd);
logger.info(renewResult);
return renewResult;
},
/**
* @param {Object} certificate the certificate row
* @returns {Promise}
*/
renewLetsEncryptSslWithDnsChallenge: (certificate) => {
renewLetsEncryptSslWithDnsChallenge: async (certificate) => {
const dnsPlugin = dnsPlugins[certificate.meta.dns_provider];
if (!dnsPlugin) {
@ -904,14 +903,21 @@ const internalCertificate = {
logger.info(`Renewing Certbot certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const mainCmdr = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" --no-delete-after-revoke';
logger.info('Command:', mainCmdr);
const revokeResult = await utils.exec(mainCmdr);
logger.info(revokeResult);
const mainCmd = certbotCommand + ' renew --force-renewal ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew';
logger.info('Command:', mainCmd);
return utils.exec(mainCmd).then(async (result) => {
logger.info(result);
return result;
});
const renewResult = await utils.exec(mainCmd);
logger.info(renewResult);
return renewResult;
},
/**
@ -924,15 +930,19 @@ const internalCertificate = {
const mainCmd = certbotCommand + ' revoke ' + '--config "' + certbotConfig + '" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/privkey.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' + '--delete-after-revoke';
// Don't fail command if file does not exist
const delete_credentialsCmd = `rm -f '/data/tls/certbot/credentials/credentials-${certificate.id}' || true`;
logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
return utils
.exec(mainCmd)
.then(async (result) => {
await utils.exec(delete_credentialsCmd);
fs.rm('/data/tls/certbot/credentials/credentials-' + certificate.id, { force: true }, (err) => {
if (err) {
logger.error('Error deleting credentials:', err.message);
if (throw_errors) {
throw err;
}
} else {
logger.info('Credentials file deleted successfully');
}
});
logger.info(result);
return result;
})
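Review bot: `renewLetsEncryptSsl` (L211-L226) and `renewLetsEncryptSslWithDnsChallenge` (L238-L250) now revoke the live certificate unconditionally before running `renew --force-renewal`, so any renewal failure (rate limit, challenge error, DNS outage) leaves the host serving a revoked certificate, and with `must-staple = true` now set in the certbot config, browsers that enforce the extension hard-fail instead of falling back. Routine renewal does not require revocation and `no-reuse-key = true` already rotates the key, so the simplest fix is to delete the `cmdr`/`mainCmdr` lines, their `logger.info('Command:', …)` and the `await utils.exec(…)` in both functions; if revocation of the superseded certificate is wanted, do it only after the renew call has returned successfully. The revoke command also passes `--cert-path` twice (privkey.pem, then fullchain.pem); certbot keeps the last value, and the key belongs in `--key-path`. In the last hunk, `throw err` inside the `fs.rm` callback runs outside the promise chain, so when `throw_errors` is set it becomes an uncaught exception rather than a rejection of the returned promise; `await fs.promises.rm('/data/tls/certbot/credentials/credentials-' + certificate.id, { force: true })` inside the existing `.then(async …)` gives the intended rejection. The enclosing function of the last hunk starts outside the hunk.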


@ -102,7 +102,7 @@ const internalIpRanges = {
const renderEngine = utils.getRenderEngine();
return new Promise((resolve, reject) => {
let template = null;
const filename = '/data/nginx/ip_ranges.conf';
const filename = '/tmp/ip_ranges.conf';
try {
template = fs.readFileSync(__dirname + '/../templates/ip_ranges.conf', { encoding: 'utf8' });
} catch (err) {
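Review bot: Moving the generated include to `/tmp/ip_ranges.conf` places a file that nginx loads as configuration into a world-writable directory that is also the ACME webroot (`webroot-path = /tmp/acme-challenge` in the certbot config hunk) and that the entrypoint merely `touch`es at start. If any other process in the container can write to /tmp, it can own or replace that path before this code writes it; a directory owned by the backend user with a restrictive mode would limit that, and passing an explicit `mode` to the write avoids depending on the umask. The enclosing function starts outside the hunk, so I cannot see whether the write already sets permissions.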


@ -30,9 +30,7 @@ const internalNginx = {
.then(() => {
// Nginx is OK
// We're deleting this config regardless.
// Don't throw errors, as the file may not exist at all
// Delete the .err file too
return internalNginx.deleteConfig(host_type, host, false, true);
return internalNginx.deleteConfig(host_type, host);
})
.then(() => {
return internalNginx.generateConfig(host_type, host);
@ -42,7 +40,7 @@ const internalNginx = {
return internalNginx
.test()
.then(() => {
// nginx is ok
// Nginx is OK
combined_meta = _.assign({}, host.meta, {
nginx_online: true,
nginx_err: null,
@ -52,27 +50,13 @@ const internalNginx = {
meta: combined_meta,
});
})
.catch((err) => {
// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
// It will always look like this:
// nginx: [alert] could not open error log file: open() "/dev/null" failed (6: No such device or address)
const valid_lines = [];
const err_lines = err.message.split('\n');
err_lines.map(function (line) {
if (line.indexOf('/dev/null') === -1) {
valid_lines.push(line);
}
});
if (config.debug()) {
logger.error('Nginx test failed:', valid_lines.join('\n'));
}
// config is bad, update meta and delete config
.catch(() => {
// Handle testing failure
// Execute the command and wait for it to finish
return utils.execfg('nginx -t || true').then(() => {
combined_meta = _.assign({}, host.meta, {
nginx_online: false,
nginx_err: valid_lines.join('\n'),
nginx_err: 'see docker logs',
});
return model
@ -83,9 +67,7 @@ const internalNginx = {
})
.then(() => {
internalNginx.renameConfigAsError(host_type, host);
})
.then(() => {
return internalNginx.deleteConfig(host_type, host, true);
});
});
});
})
@ -114,6 +96,11 @@ const internalNginx = {
reload: () => {
return internalNginx.test().then(() => {
try {
utils.exec('certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --quiet --no-reload-webserver || true');
} catch {
// do nothing
}
if (fs.existsSync(NgxPidFilePath)) {
const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
if (ngxPID.length > 0) {
@ -262,20 +249,6 @@ const internalNginx = {
});
},
/**
* A simple wrapper around unlinkSync that writes to the logger
*
* @param {String} filename
*/
deleteFile: (filename) => {
logger.debug('Deleting file: ' + filename);
try {
fs.unlinkSync(filename);
} catch (err) {
logger.debug('Could not delete file:', JSON.stringify(err, null, 2));
}
},
/**
*
* @param {String} host_type
@ -291,17 +264,18 @@ const internalNginx = {
* @param {Boolean} [delete_err_file]
* @returns {Promise}
*/
deleteConfig: (host_type, host, delete_err_file) => {
deleteConfig: (host_type, host) => {
const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id);
const config_file_err = config_file + '.err';
return new Promise((resolve /*, reject */) => {
internalNginx.deleteFile(config_file);
if (delete_err_file) {
internalNginx.deleteFile(config_file_err);
}
fs.rm(config_file, { force: true }, () => {
resolve();
});
fs.rm(config_file_err, { force: true }, () => {
resolve();
});
});
},
/**
@ -314,14 +288,10 @@ const internalNginx = {
const config_file_err = config_file + '.err';
return new Promise((resolve /*, reject */) => {
fs.unlink(config_file, () => {
// ignore result, continue
fs.rename(config_file, config_file_err, () => {
// also ignore result, as this is a debugging informative file anyway
resolve();
});
});
});
},
/**
@ -346,7 +316,7 @@ const internalNginx = {
bulkDeleteConfigs: (host_type, hosts) => {
const promises = [];
hosts.map(function (host) {
promises.push(internalNginx.deleteConfig(host_type, host, true));
promises.push(internalNginx.deleteConfig(host_type, host));
});
return Promise.all(promises);
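Review bot: The rewritten `deleteConfig` (L385-L400) calls `resolve()` from whichever `fs.rm` callback finishes first, so the promise settles while the other removal may still be pending; callers such as the `.then(() => generateConfig(...))` chain at L296-L300 and the new migration can therefore run before the old config or its `.err` twin is gone, and the second `resolve()` is silently ignored. Wait for both removals before settling, as in the rewrite below, which keeps the best-effort contract of the original (`force: true` suppresses ENOENT, other errors are not surfaced). In `reload`, `utils.exec(...)` returns a promise (it is `await`ed at L216 in this same commit), so the surrounding `try/catch` can never catch a rejection and the call is not awaited; either `await`/`return` it or attach `.catch`, and note that `|| true` already masks the shell exit status. `deleteConfig` ends within its hunk; `reload` continues past its hunk.
```javascript
deleteConfig: (host_type, host) => {
    const config_file = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id);
    const config_file_err = config_file + '.err';
    // Best effort, as before: missing files are fine (force), other errors are not surfaced,
    // but the promise now settles only after BOTH removals have completed.
    return Promise.allSettled([
        fs.promises.rm(config_file, { force: true }),
        fs.promises.rm(config_file_err, { force: true }),
    ]).then(() => undefined);
},
```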


@ -1,6 +1,6 @@
module.exports = {
development: {
client: 'mysql',
client: 'mysql2',
migrations: {
tableName: 'migrations',
stub: 'lib/migrate_template.js',
@ -9,7 +9,7 @@ module.exports = {
},
production: {
client: 'mysql',
client: 'mysql2',
migrations: {
tableName: 'migrations',
stub: 'lib/migrate_template.js',


@ -36,7 +36,7 @@ const configure = () => {
logger.info('Using MySQL configuration');
instance = {
database: {
engine: 'mysql',
engine: 'mysql2',
host: envMysqlHost,
port: process.env.DB_MYSQL_PORT || 3306,
user: envMysqlUser,


@ -0,0 +1,51 @@
const migrate_name = 'regenerate_default_host';
const logger = require('../logger').migrate;
const internalNginx = require('../internal/nginx');
async function regenerateDefaultHost(knex) {
const row = await knex('setting').select('*').where('id', 'default-site').first();
if (!row) {
return Promise.resolve();
}
return internalNginx
.deleteConfig('default')
.then(() => {
return internalNginx.generateConfig('default', row);
})
.then(() => {
return internalNginx.test();
})
.then(() => {
return internalNginx.reload();
});
}
/**
* Migrate
*
* @see http://knexjs.org/#Schema
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.up = function (knex) {
logger.info('[' + migrate_name + '] Migrating Up...');
return regenerateDefaultHost(knex);
};
/**
* Undo Migrate
*
* @param {Object} knex
* @param {Promise} Promise
* @returns {Promise}
*/
exports.down = function (knex) {
logger.info('[' + migrate_name + '] Migrating Down...');
return regenerateDefaultHost(knex);
};
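Review bot: The JSDoc on `exports.up` and `exports.down` lists a `@param {Promise} Promise` that neither function takes, and `regenerateDefaultHost` mixes `async` with `return Promise.resolve()` and a `.then` chain; `return;` for the missing-row case and `await`ing the four `internalNginx` calls in sequence would read more plainly and keep the same ordering. `exports.down` re-runs the same regeneration as `up`, which is reasonable for a config-only migration but deserves a comment saying so, e.g. `// Down does the same as up: the host config is derived from the DB row, so there is nothing to undo.`. Note also that a failure in `internalNginx.test()` or `reload()` rejects the migration, which presumably leaves it unapplied and re-run on every start until nginx accepts the config; if that is intended, say so in the header comment, otherwise catch and log the nginx steps so a bad default-host config cannot block later migrations.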


@ -9,31 +9,31 @@
"archiver": "7.0.1",
"batchflow": "0.4.0",
"bcrypt": "5.1.1",
"better-sqlite3": "11.1.2",
"body-parser": "1.20.2",
"better-sqlite3": "11.3.0",
"body-parser": "2.0.1",
"compression": "1.7.4",
"express": "4.19.2",
"express": "4.21.0",
"express-fileupload": "1.5.1",
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.1.0",
"liquidjs": "10.16.1",
"liquidjs": "10.17.0",
"lodash": "4.17.21",
"moment": "2.30.1",
"mysql": "2.18.1",
"mysql2": "3.11.3",
"node-rsa": "1.1.1",
"objection": "3.1.4",
"objection": "3.1.5",
"path": "0.12.7",
"signale": "1.4.0"
},
"author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
"license": "MIT",
"devDependencies": {
"@eslint/js": "9.9.0",
"eslint": "9.9.0",
"@eslint/js": "9.11.1",
"eslint": "9.11.1",
"eslint-config-prettier": "9.1.0",
"eslint-plugin-prettier": "5.2.1",
"globals": "15.9.0",
"globals": "15.10.0",
"prettier": "3.3.3"
}
}


@ -22,7 +22,7 @@ const setupDefaultUser = () => {
.then((row) => {
if (!row.count) {
// Create a new user and set password
let email = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com';
let email = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.org';
let password = process.env.INITIAL_ADMIN_PASSWORD || 'iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi';
logger.info('Creating a new user: ' + email + ' with password: ' + password);
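Review bot: The line directly after the changed default, `logger.info('Creating a new user: ' + email + ' with password: ' + password)`, writes the admin password to the log, including an operator-supplied `INITIAL_ADMIN_PASSWORD`, so the secret ends up in container logs and any log shipper. It is context here rather than part of the change, but since the defaults are being touched, log only the email and where the password came from, e.g. `logger.info('Creating a new user: ' + email + (process.env.INITIAL_ADMIN_PASSWORD ? ' with password from INITIAL_ADMIN_PASSWORD' : ' with the default password'));`. The enclosing `.then` callback continues past the hunk.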


@ -4,12 +4,11 @@
include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
ssl_stapling_file /data/tls/certbot/live/npm-{{ certificate_id }}.der;
{% else %}
# Custom SSL
# Custom TLS
include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
{% endif %}
{% endif %}
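Review bot: The new `ssl_stapling_file` directive only has an effect when stapling is enabled with `ssl_stapling on;`, which this template does not carry and which the entrypoint strips from every `/data/nginx` config with the unanchored `sed -i "/ssl_stapling/d"` (entrypoint hunk, L744-L747); that same pattern also matches `ssl_stapling_file`, so the line added here is deleted from existing host configs at every container start unless those configs are regenerated afterwards. Unless `ssl_stapling on;` lives in `tls-ciphers.conf` or `always.conf` (not visible here), stapling stays off while the certbot config now requests `must-staple = true`, which clients that enforce the extension treat as a hard failure. Anchor the cleanup to the old directives, e.g. `sed -i "/ssl_stapling on;/d"` and `sed -i "/ssl_stapling_verify on;/d"`, add `ssl_stapling on;` next to the new line if it is not included elsewhere, and confirm that `/data/tls/certbot/live/npm-{{ certificate_id }}.der` is the name `certbot-ocsp-fetcher.sh -o /data/tls/certbot/live` actually writes.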


@ -19,9 +19,9 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
{%- if value == "404" %}
location / {
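Review bot: `ssl_certificate ;` and `ssl_certificate_key ;` are now uncommented with an empty argument, which nginx rejects as a configuration error, so this template only works if something substitutes the paths before nginx starts; the seds that used to fill `/app/templates/default.conf` are in the removed block at the end of the entrypoint hunk and their replacement is not visible in this page. If the substitution moved into the new default-host migration or `generateConfig`, document that here, e.g. `# paths are filled in at runtime; an empty argument is a config error`, otherwise keep the lines commented until they are filled. `#ssl_stapling_file ;` stays commented, so the default host is served without a staple, which matters if `DEFAULT_CERT_ID` points at a certbot certificate issued with `must-staple = true`.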


@ -48,7 +48,7 @@ const App = Mn.Application.extend({
Backbone.history.start({pushState: true});
// Ask the admin use to change their details
if (Cache.User.get('email') === 'admin@example.com') {
if (Cache.User.get('email') === 'admin@example.com' || Cache.User.get('email') === 'admin@example.org') {
Controller.showUserForm(Cache.User);
}
});


@ -165,9 +165,9 @@
</div>
<div class="col-sm-12 col-md-12 other-ssl">
<div class="form-group">
<div class="form-label"><%- i18n('certificates', 'other-intermediate-certificate') %><span class="form-required">*</span></div>
<div class="form-label"><%- i18n('certificates', 'other-intermediate-certificate') %></div>
<div class="custom-file">
<input type="file" class="custom-file-input" name="meta[other_intermediate_certificate]" id="other_intermediate_certificate" required>
<input type="file" class="custom-file-input" name="meta[other_intermediate_certificate]" id="other_intermediate_certificate">
<label id="other_intermediate_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
</div>
</div>


@ -149,10 +149,7 @@ module.exports = Mn.View.extend({
ssl_files.push({name: 'certificate_key', file: this.ui.other_certificate_key[0].files[0]});
}
if (!this.ui.other_intermediate_certificate[0].files.length || !this.ui.other_intermediate_certificate[0].files[0].size) {
alert('Intermediate Certificate file is not attached');
return;
} else {
if (this.ui.other_intermediate_certificate[0].files.length && this.ui.other_intermediate_certificate[0].files[0].size) {
if (this.ui.other_intermediate_certificate[0].files[0].size > this.max_file_size) {
alert('Intermediate Certificate file is too large (> 100kb)');
return;
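Review bot: The intermediate certificate is now optional and is still uploaded when present, but the backend no longer writes it out (the `chain.pem` write was removed in the `internalCertificate` hunk at L189-L195) and the TLS template no longer references `ssl_trusted_certificate`, so unless the server still uses the file for chain validation the upload goes nowhere. Either remove the field, this size check and the matching `<input>` in the certificate form together, or once its remaining use is confirmed add a comment above this block such as `// Intermediate is optional: used server-side for validation only, not persisted`. The enclosing handler starts before the hunk.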


@ -25,10 +25,10 @@ module.exports = Mn.View.extend({
let view = this;
let data = this.ui.form.serializeJSON();
let show_password = this.model.get('email') === 'admin@example.com';
let show_password = (this.model.get('email') === 'admin@example.com' || this.model.get('email') === 'admin@example.org');
// admin@example.com is not allowed
if (data.email === 'admin@example.com') {
// admin@example.com and admin@example.org is not allowed
if (data.email === 'admin@example.com' || data.email === 'admin@example.org') {
this.ui.error.text(App.i18n('users', 'default_error')).show();
this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
return;


@ -4,9 +4,9 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
"@babel/core": "7.25.2",
"@babel/core": "7.25.7",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-loader": "8.4.1",
"babel-preset-env": "1.7.0",
"backbone": "1.6.0",
"backbone.marionette": "4.1.3",
@ -28,7 +28,7 @@
"mini-css-extract-plugin": "1.6.2",
"moment": "2.30.1",
"node-sass": "9.0.0",
"nodemon": "3.1.4",
"nodemon": "3.1.7",
"numeral": "2.0.6",
"sass-loader": "10.5.2",
"style-loader": "4.0.0",


@ -4,12 +4,17 @@ webroot-path = /tmp/acme-challenge
new-key= true
key-type = ecdsa
must-staple = false
must-staple = true
no-reuse-key = true
rsa-key-size = 4096
elliptic-curve = secp384r1
# An example of using an alternate ACME server that uses EAB credentials
#server = https://acme-v02.api.letsencrypt.org/directory
#server = https://acme.zerossl.com/v2/DV90
#eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted
#server = https://dv.acme-v02.api.pki.goog/directory
#eab-kid = somestringofstuffwithoutquotes
#eab-hmac-key = yaddayaddahexhexnotquoted
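Review bot: `must-staple = true` makes every newly issued certificate carry the TLS Feature extension, after which a handshake without a fresh OCSP staple is a hard failure in clients that enforce it (Firefox does), so the failure mode moves from "stapling silently off" to "site down". In this commit the staple is produced by `certbot-ocsp-fetcher.sh`, which runs only inside `internalNginx.reload()` (nginx.js hunk, L354), so a host whose config is not reloaded before the current OCSP response expires (typically a few days) starts failing; make the refresh independent of reloads (a timer or cron in the container, letting the fetcher reload nginx itself) and verify it on a test host before enabling must-staple by default. Note this line's value next to the template change: the generated host config needs `ssl_stapling on;` alongside the new `ssl_stapling_file` for the staple to be sent at all.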


@ -2,7 +2,7 @@
if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then
while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.com","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.org","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
touch /data/etc/aio.lock
echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
fi


@ -387,7 +387,6 @@ fi
if [ "$LOGROTATE" = "true" ]; then
apk add --no-cache logrotate
sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate
touch /data/nginx/access.log \
/data/nginx/stream.log
@ -433,7 +432,7 @@ if [ -s /data/nginx/default_host/site.conf ]; then
fi
if [ -s /data/nginx/default_www/index.html ]; then
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html
mv -vn /data/nginx/default_www/index.html /data/etc/html/index.html
fi
if [ -s /data/nginx/dummycert.pem ]; then
@ -461,7 +460,7 @@ if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
fi
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv -vn /etc/letsencrypt/* /data/tls/certbot
cp -van /etc/letsencrypt/* /data/tls/certbot
fi
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
@ -504,7 +503,8 @@ if [ "$CLEAN" = "true" ]; then
/data/ssl \
/data/logs \
/data/error.log \
/data/nginx/error.log
/data/nginx/error.log \
/data/nginx/ip_ranges.conf
rm -vf /data/tls/certbot/crs/*.pem
rm -vf /data/tls/certbot/keys/*.pem
@ -531,12 +531,8 @@ if [ "$FULLCLEAN" = "true" ]; then
fi
fi
if [ "$SKIP_IP_RANGES" = "true" ]; then
rm -vf /data/nginx/ip_ranges.conf
fi
touch /data/etc/html/index.html \
/data/nginx/ip_ranges.conf \
touch /tmp/ip_ranges.conf \
/data/etc/html/index.html \
/data/nginx/custom/events.conf \
/data/nginx/custom/http.conf \
/data/nginx/custom/http_top.conf \
@ -591,6 +587,8 @@ find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \;
sed -i "/ssl_stapling/d" /data/nginx/default.conf
sed -i "/ssl_stapling_verify/d" /data/nginx/default.conf
if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
@ -618,124 +616,6 @@ cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUS
cp -va /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "no DEFAULT_CERT_ID set, using dummycerts."
else
if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
else
export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem
echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem"
fi
fi
fi
else
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
fi
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
fi
else
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf; fi
sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf; fi
sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
@ -844,11 +724,6 @@ else
sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf
fi
if [ ! -s /data/nginx/default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ ! -s /data/tls/certbot/config.ini ]; then
cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
fi
@ -878,14 +753,174 @@ else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "no DEFAULT_CERT_ID set, using dummycerts."
else
if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
if [ -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der ]; then
export DEFAULT_STAPLING_FILE=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der
echo "DEFAULT_STAPLING_FILE set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID.der"
fi
fi
fi
elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "using dummycerts."
else
export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
fi
fi
else
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
fi
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
export DEFAULT_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts."
fi
if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
fi
else
rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /app/templates/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /app/templates/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /app/templates/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /app/templates/default.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/default.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
fi
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi
if [ -n "$DEFAULT_STAPLING_FILE" ]; then
sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /data/nginx/default.conf
sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /data/nginx/default.conf
else
sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /data/nginx/default.conf
sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /data/nginx/default.conf
fi
if [ ! -s /data/nginx/default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ "$GOA" = "true" ]; then
apk add --no-cache goaccess
mkdir -vp /data/etc/goaccess/data \
/data/etc/goaccess/geoip
mkdir -vp /data/etc/goaccess/data /data/etc/goaccess/geoip
cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf
cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
elif [ "$FULLCLEAN" = "true" ]; then


@ -22,16 +22,3 @@ location /fancyindex/ {
location ~ /\.ht {
deny all;
}
location ~ /\.git {
deny all;
}
if ($blocked_user_agent) {
return 403;
}
if ($blocked_query_string) {
return 403;
}


@ -19,9 +19,9 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
location / {
include conf.d/include/always.conf;
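Review bot: Removing `#ssl_trusted_certificate ;` leaves the template with no place for the issuer chain that nginx's documentation says `ssl_stapling_verify on` (kept in tls-ciphers.conf) needs to verify OCSP responses, while the start script in this commit still runs a `sed … ssl_trusted_certificate …` on /data/nginx/default.conf guarded by `$DEFAULT_CHAIN`, a variable the rewritten script no longer exports. One of the two places is therefore stale: either keep a commented `#ssl_trusted_certificate ;` placeholder here and point it at the certbot chain.pem, or delete the dead `sed` and add a template comment explaining why verification needs no trusted chain when `ssl_stapling_file` is used. The same three-line replacement appears in the five other server templates in this commit, so whichever option is chosen belongs in all six. `ssl_certificate ;` and `ssl_certificate_key ;` are now active directives with an empty argument, so a template the start script has not rewritten fails config parsing rather than starting without a certificate; that fail-closed behaviour is fine but deserves a comment such as `# placeholders, filled in by the start script`.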


@ -1,3 +1,10 @@
# Check if the original scheme is HTTP
if ($scheme = "http") {
return 301 https://$host$request_uri;
}
# Check if the request was forwarded with HTTP protocol
# This is necessary when behind a proxy like Cloudflare
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
}
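Review bot: The new comment should say that `$http_x_forwarded_proto` is a plain request header any client can send, not only a proxy, and that this is acceptable here only because the redirect target is built from the same request (`https://$host$request_uri`), so a forged value yields at most a 301 to the URL the client already requested over TLS. Something like `# X-Forwarded-Proto is client-supplied when no proxy sits in front; harmless here because we only redirect to the same host/URI over https` would make the trust assumption explicit. If several proxies are chained and one appends rather than replaces the header, the exact comparison `= "http"` will not match a multi-valued header and the redirect is skipped. I cannot tell from this hunk whether that deployment is meant to be supported, so a note either way would help.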


@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
}


@ -12,9 +12,9 @@ server {
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
location / {
include conf.d/include/always.conf;


@ -0,0 +1,16 @@
ssl_early_data on;
ssl_stapling off;
ssl_stapling_verify off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
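Review bot: Every visible line here except `ssl_stapling off;` and `ssl_stapling_verify off;` duplicates the rewritten tls-ciphers.conf, so the protocol, curve and cipher lists of the two files will drift apart at the next hardening update. nginx resolves `include` inside these files, so the shared lines could live in one include that both variants pull in after their own two stapling directives, leaving each variant at three lines. Five of the file's sixteen lines are not shown in this rendering; if `ssl_session_tickets off;` is not among them, tickets default to on with a key generated at startup, which the old tls-ciphers.conf disabled explicitly, and the directive should be added here.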


@ -4,11 +4,13 @@ ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;
ssl_session_cache shared:SSL:10m;
# intermediate configuration. tweak to your needs.
ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
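Review bot: `ssl_session_tickets off;` sits among the old lines of this hunk and nothing on the new side re-disables tickets, so as far as this hunk shows nginx falls back to `ssl_session_tickets on` with a ticket key generated at startup and, without `ssl_session_ticket_key` rotation, kept until the next reload; combined with `ssl_session_timeout 1d` that single key can decrypt a day of resumed sessions, which is why the Mozilla-generator profile the old side came from (`MozSSL`, `# intermediate configuration`) turns tickets off — keep `ssl_session_tickets off;` unless tickets are wanted, or add a comment if it merely moved elsewhere in the file. The TLS 1.3 suite names at the head of `ssl_ciphers` are, to my knowledge, accepted but ignored by OpenSSL's cipher-list parser, whose TLS 1.3 order is set separately via `ssl_conf_command Ciphersuites …`; either add that line or trim the list to the TLS 1.2 suites so the file does not suggest control it does not have. The hybrid group names in `ssl_ecdh_curve` load only if the linked OpenSSL or provider knows them, and nginx refuses the whole configuration otherwise, so a comment naming the required library would save the next reader a startup failure. `ssl_dhparam` is now unused since every DHE suite was removed from `ssl_ciphers`; harmless, but it can go.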


@ -18,7 +18,7 @@ server {
add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
}


@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
}


@ -12,9 +12,9 @@ server {
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
ssl_certificate ;
ssl_certificate_key ;
#ssl_stapling_file ;
location /api {
proxy_set_header Upgrade $http_upgrade;


@ -1,22 +0,0 @@
map $query_string $blocked_query_string {
default 0;
"~*union.*select.*\(" 1;
"~*union.*all.*select.*" 1;
"~*concat.*\(" 1;
"~*[a-zA-Z0-9_]=(\.\.//?)+" 1;
"~*[a-zA-Z0-9_]=/([a-z0-9_.]//?)+" 1;
"~*(<|%3C).*script.*(>|%3E)" 1;
"~*GLOBALS(=|\[|\%[0-9A-Z]{0,2})" 1;
"~*_REQUEST(=|\[|\%[0-9A-Z]{0,2})" 1;
"~*proc/self/environ" 1;
"~*mosConfig_[a-zA-Z_]{1,21}(=|\%3D)" 1;
"~*base64_(en|de)code\(.*\)" 1;
}
map $http_user_agent $blocked_user_agent {
default 0;
"~*Google-Extended" 1;
"~*GPTBot" 1;
"~*ChatGPT-User" 1;
"~*CCBot" 1;
}


@ -28,6 +28,8 @@ http {
more_clear_headers "X-Page-Speed";
more_clear_headers "X-Varnish";
server_names_hash_bucket_size 64;
aio threads;
sendfile on;
tcp_nopush on;
@ -86,8 +88,6 @@ http {
websocket "socket";
}
include exploits.conf;
upstream php82 {
server unix:/run/php82.sock;
}
@ -107,7 +107,7 @@ http {
fancyindex_default_sort name;
fancyindex_hide_parent_dir off;
fancyindex_directories_first on;
fancyindex_time_format "%d-%m-%Y %T";
fancyindex_time_format "%Y-%m-%d %T";
fancyindex_ignore "fancyindex";
fancyindex_header "/fancyindex/header.html";
fancyindex_footer "/fancyindex/footer.html";
@ -123,7 +123,7 @@ http {
include fastcgi.conf;
include /data/nginx/ip_ranges.conf;
include /tmp/ip_ranges.conf;
include /data/nginx/default.conf;
include conf.d/*.conf;