diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml index 6749dea0..33891342 100644 --- a/.github/workflows/docker-latest.yml +++ b/.github/workflows/docker-latest.yml @@ -26,12 +26,10 @@ jobs: - name: Push develop to latest run: | - curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 -o ./regctl - chmod +x ./regctl - ./regctl image copy ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest - ./regctl image copy ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest + docker buildx imagetools create --tag ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} - name: Show Nginx version run: | - docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v" - docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v" + docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V + docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0211d0b2..c5263771 100644 --- a/.github/workflows/docker.yml 
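Review bot: Both new `docker buildx imagetools create` lines in the Push develop to latest step splice `${{ github.ref_name }}` and `${{ secrets.DOCKER_USERNAME }}` straight into the shell text, so any shell metacharacter in a ref name is executed rather than passed as data; the rebuilt Show Nginx version step, the show version hunk in docker.yml and the `${{ steps.pr.outputs.pr }}` line in pull-request.yaml have the same shape. The exposure is limited to people who can create refs, but the GitHub-recommended pattern is to map the values through `env:` (e.g. `REF_NAME: ${{ github.ref_name }}`) and use `"$REF_NAME"` inside `run:`, which keeps expression expansion out of the script. Replacing the unverified `curl ... regctl` download with the built-in `imagetools create` is a good change; a one-line comment that it retags the existing manifest rather than rebuilding the image would help the next reader.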
+++ b/.github/workflows/docker.yml @@ -93,5 +93,5 @@ jobs: - name: show version run: | - docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v" - docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v" + docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V + docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index 09c9dd86..e2ae5a1a 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -27,7 +27,7 @@ jobs: export NODE_OPTIONS=--openssl-legacy-provider npm install --global yarn cd frontend - sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json + sed -i "s|\"0.0.0\"|\""$(cat ../global/.version)"\"|g" package.json yarn --no-lockfile install yarn --no-lockfile build mkdir dist/.well-known diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 56ae5638..bb1e8020 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -54,7 +54,7 @@ jobs: export NODE_OPTIONS=--openssl-legacy-provider npm install --global yarn cd frontend - sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json + sed -i "s|\"0.0.0\"|\""$(cat ../global/.version)"\"|g" package.json yarn --no-lockfile install yarn --no-lockfile build mkdir dist/.well-known 
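Review bot: In the new `sed -i "s|\"0.0.0\"|\""$(cat ../global/.version)"\"|g" package.json` line the `$(cat ../global/.version)` sits between two closed double-quoted strings, so it is expanded unquoted and goes through word splitting and globbing before sed sees it; the identical line is in pull-request.yaml's build step and in the Dockerfile's rebuilt RUN. Keeping the whole expression inside one string, `sed -i "s|\"0.0.0\"|\"$(cat ../global/.version)\"|g" package.json`, is simpler and keeps the substitution quoted. The enclosing `run:` block starts before the hunk and the yarn lines after it are unchanged context.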
@@ -92,7 +92,7 @@ jobs: tags: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} - name: show version - run: docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v" + run: docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -V - name: add comment uses: mshick/add-pr-comment@v2 diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml new file mode 100644 index 00000000..ec93eb1d --- /dev/null +++ b/.github/workflows/shellcheck.yml @@ -0,0 +1,19 @@ +name: Shellcheck + +on: + push: + pull_request: + workflow_dispatch: + +jobs: + shellcheck: + name: Check Shell + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Shellcheck + uses: ludeeus/action-shellcheck@master + with: + check_together: 'yes' + env: + SHELLCHECK_OPTS: --shell sh diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml new file mode 100644 index 00000000..02fd9ec2 --- /dev/null +++ b/.github/workflows/spellcheck.yml @@ -0,0 +1,14 @@ +name: reviewdog +on: [pull_request] +jobs: + misspell: + name: runner / misspell + runs-on: ubuntu-latest + steps: + - name: Check out code. + uses: actions/checkout@v3 + - name: misspell + uses: reviewdog/action-misspell@v1 + with: + github_token: ${{ secrets.github_token }} + locale: "US" \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index e3148eb9..43ae6262 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM zoeyvid/nginx-quic:32 +FROM zoeyvid/nginx-quic:51 COPY rootfs / COPY backend /app COPY global /app/global 
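Review bot: `uses: ludeeus/action-shellcheck@master` in the new Run Shellcheck step follows a mutable branch, so whatever that repository pushes next runs inside this job on every push and pull request; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment (`uses: ludeeus/action-shellcheck@<commit-sha>  # vX.Y.Z`, placeholder). Neither this workflow nor the new spellcheck.yml declares `permissions:`, so both inherit the repository's default token scope; `permissions: contents: read` at the top level is enough for shellcheck, and spellcheck needs only what reviewdog's reporter uses to post results (`checks: write` for github-pr-check or `pull-requests: write` for github-pr-review, so check which one action-misspell defaults to). `check_together: 'yes'` is correctly quoted, since the action reads it as a string rather than a boolean.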
@@ -6,31 +6,27 @@ COPY frontend/dist /app/frontend WORKDIR /app RUN apk upgrade --no-cache && \ - apk add --no-cache ca-certificates wget tzdata bash coreutils \ - python3 \ - nodejs-current npm \ - openssl apache2-utils jq fcgi \ + apk add --no-cache ca-certificates wget tzdata \ + python3 nodejs-current npm \ gcc g++ libffi-dev python3-dev \ - php81 php81-fpm php82 php82-fpm && \ - + grep coreutils jq openssl apache2-utils && \ # Install cross-env npm install --global cross-env && \ - # Install pip wget https://bootstrap.pypa.io/get-pip.py -O - | python3 && \ - # Change permission chmod +x /bin/start.sh && \ chmod +x /bin/check-health.sh && \ - # Build Backend - sed -i "s/0.0.0/$(cat global/.version)/g" package.json && \ + sed -i "s|\"0.0.0\"|\""$(cat global/.version)"\"|g" package.json && \ npm install --force && \ +# Install Certbot pip install --no-cache-dir certbot && \ - apk del --no-cache gcc g++ libffi-dev python3-dev npm +# Clean + apk del --no-cache npm gcc g++ libffi-dev python3-dev ENV NODE_ENV=production \ DB_SQLITE_FILE=/data/database.sqlite ENTRYPOINT ["start.sh"] -HEALTHCHECK CMD check-health.sh +HEALTHCHECK CMD check-health.sh \ No newline at end of file diff --git a/README.md b/README.md index 3b9745a8..aac7b034 100644 --- a/README.md +++ b/README.md 
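Review bot: The rebuilt RUN still pipes `get-pip.py` from the network into python3 unverified and then installs an unpinned `certbot`, so the Python side of the image depends on what bootstrap.pypa.io and PyPI serve at build time while the apk side is now tied to base image `:51`. Pinning `pip install --no-cache-dir certbot==<version>` (placeholder) and, where feasible, checking `get-pip.py` against a known hash before running it would make the build reproducible and give the supply chain a fixed point to review. The added `# Install Certbot` and `# Clean` comments sit at column 0 inside the continued RUN; Docker strips comment lines within a continuation, so this works, but indenting them like `# Install cross-env` makes the block easier to scan.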
@@ -53,9 +53,13 @@ so that the barrier for entry here is low. - Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers) - Access Log disabled - Error Log written to console -- PHP included, you can add php extensions, see aviable packages [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*) +- PHP optinal, you can add php extensions, see aviable packages [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-*) - allows different acme servers - up to 64 domains per cert allowed +- Brotli can be enabled +- HTTP/2 always enabled +- HTTP/2 upload fixed +- Infinite upload size allowed ## Soon - more @@ -81,6 +85,7 @@ alias /var/www//; ``` b) Custom Nginx Configuration (advanced tab), which looks the following for file server and **php**: - Note: the slash at the end of the file path is important +- Note: first enable `PHP81` and/or `PHP82` inside your compose file - Note: you can replace `fastcgi_pass php82;` with `fastcgi_pass` `php81`/`php82` `;` - Note: to add more php extension use the packes from [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*) and add them using the `PHP_APKS` env (see compose file) ``` 
@@ -120,13 +125,18 @@ services: volumes: - "/opt/npm:/data" - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork - - "/var/www:/var/www" # optional, if you want to use it as webserver for html + - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php environment: - "TZ=Europe/Berlin" # - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors # - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost # - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts -# - "PHP_APKS=php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-* +# - "CLEAN=false" # Clean folders +# - "FULLCLEAN=true" # Clean unused config folders +# - "PHP81=true" # Activate PHP81 +# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-* +# - "PHP82=true" # Activate PHP82 +# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-* ``` 3. Bring up your stack by running (or deploy your portainer stack) diff --git a/backend/package.json b/backend/package.json index f8de53b1..084be746 100644 --- a/backend/package.json +++ b/backend/package.json 
@@ -4,19 +4,19 @@ "description": "A beautiful interface for creating Nginx endpoints", "main": "js/index.js", "dependencies": { - "@apidevtools/json-schema-ref-parser": "9.1.0", + "@apidevtools/json-schema-ref-parser": "10.0.1", "ajv": "6.12.6", "archiver": "5.3.1", "batchflow": "0.4.0", "bcrypt": "5.1.0", "body-parser": "1.20.1", "compression": "1.7.4", - "config": "3.3.8", + "config": "3.3.9", "express": "4.18.2", "express-fileupload": "1.4.0", "gravatar": "1.8.2", "jsonwebtoken": "9.0.0", - "knex": "2.4.0", + "knex": "2.4.1", "liquidjs": "9.43.0", "lodash": "4.17.21", "moment": "2.29.4", diff --git a/backend/templates/_brotli.conf b/backend/templates/_brotli.conf new file mode 100644 index 00000000..00282c2e --- /dev/null +++ b/backend/templates/_brotli.conf @@ -0,0 +1,4 @@ +{% if http2_support -%} + # Enable Brotli + include conf.d/include/brotli.conf; +{% endif %} \ No newline at end of file diff --git a/backend/templates/_certificates.conf b/backend/templates/_certificates.conf index 8b90f449..fff752d5 100644 --- a/backend/templates/_certificates.conf +++ b/backend/templates/_certificates.conf @@ -5,15 +5,11 @@ ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem; ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem; - ssl_stapling on; - ssl_stapling_verify on; {% else %} # Custom SSL include conf.d/include/tls-ciphers.conf; ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem; ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem; - ssl_stapling on; - ssl_stapling_verify on; {% endif %} {% endif %} diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf index bddd458a..22ef8d6d 100644 --- a/backend/templates/_listen.conf +++ b/backend/templates/_listen.conf 
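Review bot: `{% if http2_support -%}` in the new _brotli.conf reuses a variable whose name still says HTTP/2 while its meaning is now "enable Brotli" (the messages.json hunk relabels `http2-support` to Enable Brotli and _listen.conf now hardcodes `http2` on both 443 listens), so the next reader of the template or of the database column will misread it. A template comment makes the reuse explicit, e.g. `{% comment %} http2_support is reused as the "Enable Brotli" toggle; HTTP/2 is unconditional in _listen.conf {% endcomment %}`. Note also that default.conf includes conf.d/include/brotli.conf unconditionally, so the default server compresses regardless of the per-host flag; if that is intended, a one-line comment there saves a question later.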
@@ -2,8 +2,8 @@ listen [::]:80; {% if certificate %} - listen 443 ssl{% if http2_support %} http2{% endif %}; - listen [::]:443 ssl{% if http2_support %} http2{% endif %}; + listen 443 ssl http2; + listen [::]:443 ssl http2; {% if hsts_subdomains %} listen 443 http3; listen [::]:443 http3; diff --git a/backend/templates/dead_host.conf b/backend/templates/dead_host.conf index df8d6e6f..8c620684 100644 --- a/backend/templates/dead_host.conf +++ b/backend/templates/dead_host.conf @@ -6,6 +6,7 @@ server { {% include "_certificates.conf" %} {% include "_hsts.conf" %} {% include "_forced_ssl.conf" %} +{% include "_brotli.conf" %} {{ advanced_config }} include conf.d/include/acme-challenge.conf; diff --git a/backend/templates/default.conf b/backend/templates/default.conf index 921882b5..ad80cc0c 100644 --- a/backend/templates/default.conf +++ b/backend/templates/default.conf @@ -13,6 +13,7 @@ server { server_name _; + include conf.d/include/brotli.conf; include conf.d/include/force-ssl.conf; include conf.d/include/tls-ciphers.conf; include conf.d/include/acme-challenge.conf; diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf index 3e98ab53..1f8f8628 100644 --- a/backend/templates/proxy_host.conf +++ b/backend/templates/proxy_host.conf @@ -10,6 +10,7 @@ server { {% include "_certificates.conf" %} {% include "_hsts.conf" %} {% include "_forced_ssl.conf" %} +{% include "_brotli.conf" %} include conf.d/include/acme-challenge.conf; include conf.d/include/block-exploits.conf; diff --git a/backend/templates/redirection_host.conf b/backend/templates/redirection_host.conf index d8c20d81..a5277c7d 100644 --- a/backend/templates/redirection_host.conf +++ b/backend/templates/redirection_host.conf @@ -6,6 +6,7 @@ server { {% include "_certificates.conf" %} {% include "_hsts.conf" %} {% include "_forced_ssl.conf" %} +{% include "_brotli.conf" %} {{ advanced_config }} include conf.d/include/acme-challenge.conf; 
diff --git a/compose.yaml b/compose.yaml index cbafca1e..6bb1032c 100644 --- a/compose.yaml +++ b/compose.yaml @@ -8,10 +8,15 @@ services: volumes: - "/opt/npm:/data" - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork - - "/var/www:/var/www" # optional, if you want to use it as webserver for html + - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php environment: - "TZ=Europe/Berlin" # - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors # - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost # - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts -# - "PHP_APKS=php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-* +# - "CLEAN=false" # Clean folders +# - "FULLCLEAN=true" # Clean unused config folders +# - "PHP81=true" # Activate PHP81 +# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-* +# - "PHP82=true" # Activate PHP82 +# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-* diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs index 33f6e8cf..6b9a2aec 100644 --- a/frontend/js/app/nginx/dead/form.ejs +++ b/frontend/js/app/nginx/dead/form.ejs @@ -49,7 +49,7 @@
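Review bot: The new example `PHP81_APKS=php81-curl php-81-curl` (and its PHP82 twin, repeated in the README hunk) would be rejected by start.sh, whose loop requires every entry to match `php81-.*` and otherwise prints "is a non allowed value" and runs `sleep inf`, so a user who uncommented the line as written would get a container that never starts. Listing only names that pass the check, e.g. `# - "PHP81_APKS=php81-curl"`, keeps the example runnable. The `CLEAN=false` and `FULLCLEAN=true` examples should also be re-read against start.sh, which currently reacts to the variable being set at all rather than to its value.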
@@ -67,7 +67,7 @@
diff --git a/frontend/js/app/nginx/dead/form.js b/frontend/js/app/nginx/dead/form.js index 336a3f4e..70bbbcf9 100644 --- a/frontend/js/app/nginx/dead/form.js +++ b/frontend/js/app/nginx/dead/form.js @@ -48,7 +48,7 @@ module.exports = Mn.View.extend({ let enabled = id === 'new' || parseInt(id, 10) > 0; - let inputs = this.ui.ssl_forced.add(this.ui.http2_support); + let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains); inputs .prop('disabled', !enabled) .parents('.form-group') @@ -75,18 +75,6 @@ module.exports = Mn.View.extend({ this.ui.hsts_enabled.trigger('change'); }, - 'change @ui.hsts_enabled': function () { - let checked = this.ui.hsts_enabled.prop('checked'); - this.ui.hsts_subdomains - .prop('disabled', !checked) - .parents('.form-group') - .css('opacity', checked ? 1 : 0.5); - - if (!checked) { - this.ui.hsts_subdomains.prop('checked', false); - } - }, - 'change @ui.dns_challenge_switch': function () { const checked = this.ui.dns_challenge_switch.prop('checked'); if (checked) { diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs index e8569be5..7182ffb6 100644 --- a/frontend/js/app/nginx/proxy/form.ejs +++ b/frontend/js/app/nginx/proxy/form.ejs @@ -119,7 +119,7 @@
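Review bot: The removed `'change @ui.hsts_enabled'` handler was the only code that disabled and cleared `hsts_subdomains` when HSTS is switched off, yet the context line `this.ui.hsts_enabled.trigger('change')` is kept and now fires into nothing, and `hsts_subdomains` has instead been moved into the `inputs` set that is gated on the certificate; proxy/form.js and redirection/form.js carry the same three changes. If the intent is that `hsts_subdomains` now stands on its own (in _listen.conf it gates the `http3` listens, which is unrelated to HSTS), the stale `trigger('change')` should go as well and the checkbox label should say what it controls; otherwise a form can submit `hsts_subdomains: true` together with `hsts_enabled: false`, which I assume the backend does not reject. The enclosing function starts outside the first hunk and the events object continues past the second.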
@@ -137,7 +137,7 @@
diff --git a/frontend/js/app/nginx/proxy/form.js b/frontend/js/app/nginx/proxy/form.js index 506debe0..73e4bd5b 100644 --- a/frontend/js/app/nginx/proxy/form.js +++ b/frontend/js/app/nginx/proxy/form.js @@ -62,7 +62,7 @@ module.exports = Mn.View.extend({ let enabled = id === 'new' || parseInt(id, 10) > 0; - let inputs = this.ui.ssl_forced.add(this.ui.http2_support); + let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains); inputs .prop('disabled', !enabled) .parents('.form-group') @@ -89,18 +89,6 @@ module.exports = Mn.View.extend({ this.ui.hsts_enabled.trigger('change'); }, - 'change @ui.hsts_enabled': function () { - let checked = this.ui.hsts_enabled.prop('checked'); - this.ui.hsts_subdomains - .prop('disabled', !checked) - .parents('.form-group') - .css('opacity', checked ? 1 : 0.5); - - if (!checked) { - this.ui.hsts_subdomains.prop('checked', false); - } - }, - 'change @ui.dns_challenge_switch': function () { const checked = this.ui.dns_challenge_switch.prop('checked'); if (checked) { diff --git a/frontend/js/app/nginx/redirection/form.ejs b/frontend/js/app/nginx/redirection/form.ejs index 8cae6fd8..803e395d 100644 --- a/frontend/js/app/nginx/redirection/form.ejs +++ b/frontend/js/app/nginx/redirection/form.ejs @@ -98,7 +98,7 @@
@@ -116,7 +116,7 @@
diff --git a/frontend/js/app/nginx/redirection/form.js b/frontend/js/app/nginx/redirection/form.js index 0067e622..bcef6067 100644 --- a/frontend/js/app/nginx/redirection/form.js +++ b/frontend/js/app/nginx/redirection/form.js @@ -48,7 +48,7 @@ module.exports = Mn.View.extend({ let enabled = id === 'new' || parseInt(id, 10) > 0; - let inputs = this.ui.ssl_forced.add(this.ui.http2_support); + let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains); inputs .prop('disabled', !enabled) .parents('.form-group') @@ -75,18 +75,6 @@ module.exports = Mn.View.extend({ this.ui.hsts_enabled.trigger('change'); }, - 'change @ui.hsts_enabled': function () { - let checked = this.ui.hsts_enabled.prop('checked'); - this.ui.hsts_subdomains - .prop('disabled', !checked) - .parents('.form-group') - .css('opacity', checked ? 1 : 0.5); - - if (!checked) { - this.ui.hsts_subdomains.prop('checked', false); - } - }, - 'change @ui.dns_challenge_switch': function () { const checked = this.ui.dns_challenge_switch.prop('checked'); if (checked) { diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json index 3d855103..9185db97 100644 --- a/frontend/js/i18n/messages.json +++ b/frontend/js/i18n/messages.json @@ -71,7 +71,7 @@ "details": "Details", "enable-ssl": "Enable HTTPS", "force-ssl": "Force HTTPS", - "http2-support": "Enable HTTP/2", + "http2-support": "Enable Brotli", "domain-names": "Domain Names", "cert-provider": "Certificate Provider", "block-exploits": "Block Common Exploits", diff --git a/rootfs/bin/check-health.sh b/rootfs/bin/check-health.sh index bd2f4223..b9489b61 100644 --- a/rootfs/bin/check-health.sh +++ b/rootfs/bin/check-health.sh 
@@ -1,6 +1,6 @@ -#!/bin/bash +#!/bin/sh -if (cgi-fcgi -bind -connect /dev/php81.sock &> /dev/null && cgi-fcgi -bind -connect /dev/php82.sock &> /dev/null && [ "$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')" == "OK" ]); then +if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && [ "$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')" = "OK" ]); then echo "OK" exit 0 else diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh index 1913f667..6fb47718 100644 --- a/rootfs/bin/start.sh +++ b/rootfs/bin/start.sh 
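Review bot: The new condition `if (if [ "$PHP81" = true ]; then ...; fi && if [ "$PHP82" = true ]; then ...; fi && [ ... ])` is correct only because a POSIX `if` whose test is false and which has no `else` exits 0, which is easy to misread as "skipped PHP check means failure"; a comment above the line, `# an if with a false test and no else exits 0, so a disabled PHP version passes`, or moving the two socket probes into a small function, would make the intent clear. The `wget -q --no-check-certificate https://127.0.0.1:81/api` part is unchanged context and presumably targets the self-signed dummy certificate set up in start.sh; saying so in a comment stops the flag from being copied to a non-loopback check later.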
@@ -1,112 +1,183 @@ -#!/bin/bash +#!/bin/sh -# From https://github.com/nextcloud/all-in-one/pull/1377/files -if [ -n "$PHP_APKS" ]; then - if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then - echo "You've set PHP_APKS but not to an allowed value." || echo "error 1" - echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || echo "error 2" - echo "It is set to \""$PHP_APKS"\"." || echo "error 3" - sleep inf || exit 1 - fi - - - read -ra APKS_ARRAY <<< "$PHP_APKS" || sleep inf - for apk in "${APKS_ARRAY[@]}"; do - - if ! echo "$apk" | grep -Ewq "php81-.*|php82-.*"; then - echo ""$apk" is a non allowed value." || echo "error 4" - echo "It needs to start with \"php81-\" or \"php82-\"." || echo "error 5" - echo "It is set to \""$apk"\"." || echo "error 6" +apk upgrade --no-cache + +if [ "$PHP81" = "true" ]; then + +apk add --no-cache php81 php81-fpm fcgi + + # From https://github.com/nextcloud/all-in-one/pull/1377/files + if [ -n "$PHP81_APKS" ]; then + if ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then + echo "You've set PHP81_APKS but not to an allowed value." || sleep inf + echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || sleep inf + echo "It is set to \"$PHP81_APKS\"." || sleep inf sleep inf || exit 1 fi - echo "Installing "$apk" via apk..." | echo "error 7" - if ! apk add --no-cache "$apk" &> /dev/null; then - echo "The apk \""$apk"\" was not installed!" || echo "error 8" - fi + for apk in $(echo "$PHP81_APKS" | tr " " "\n"); do + + if ! echo "$apk" | grep -Ewq "php81-.*"; then + echo "$apk is a non allowed value." || sleep inf + echo "It needs to start with \"php81-\"." || sleep inf + echo "It is set to \"$apk\"." || sleep inf + sleep inf || exit 1 + fi + + echo "Installing $apk via apk..." || sleep inf + if ! apk add --no-cache "$apk" > /dev/null 2>&1; then + echo "The apk \"$apk\" was not installed!" 
|| sleep inf + fi - done + done + fi + + mkdir -vp /data/php + cp -vrnT /etc/php81 /data/php/81 || sleep inf + sed -i "s|user =.*|user = root|" /data/php/81/php-fpm.d/www.conf || sleep inf + sed -i "s|group =.*|group = root|" /data/php/81/php-fpm.d/www.conf || sleep inf + sed -i "s|listen =.*|listen = /dev/php81.sock|" /data/php/81/php-fpm.d/www.conf || sleep inf + sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf || sleep inf + +else + rm -vrf /data/php/81 fi +if [ "$PHP82" = "true" ]; then + +apk add --no-cache php82 php82-fpm fcgi + + # From https://github.com/nextcloud/all-in-one/pull/1377/files + if [ -n "$PHP82_APKS" ]; then + if ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then + echo "You've set PHP82_APKS but not to an allowed value." || sleep inf + echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || sleep inf + echo "It is set to \"$PHP82_APKS\"." || sleep inf + sleep inf || exit 1 + fi + + for apk in $(echo "$PHP82_APKS" | tr " " "\n"); do + + if ! echo "$apk" | grep -Ewq "php82-.*"; then + echo "$apk is a non allowed value." || sleep inf + echo "It needs to start with \"php82-\"." || sleep inf + echo "It is set to \"$apk\"." || sleep inf + sleep inf || exit 1 + fi + + echo "Installing $apk via apk..." || sleep inf + if ! apk add --no-cache "$apk" > /dev/null 2>&1; then + echo "The apk \"$apk\" was not installed!" 
|| sleep inf + fi + + done + fi + + mkdir -vp /data/php + cp -vrnT /etc/php82 /data/php/82 || sleep inf + sed -i "s|user =.*|user = root|" /data/php/82/php-fpm.d/www.conf || sleep inf + sed -i "s|group =.*|group = root|" /data/php/82/php-fpm.d/www.conf || sleep inf + sed -i "s|listen =.*|listen = /dev/php82.sock|" /data/php/82/php-fpm.d/www.conf || sleep inf + sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf || sleep inf + +else + rm -vrf /data/php/82 +fi + +mkdir -p /tmp/acme-challenge || sleep inf + mkdir -vp /data/tls/certbot/renewal \ /data/tls/custom \ - /data/php \ /data/etc/html \ /data/etc/access \ /data/nginx/redirection_host \ /data/nginx/proxy_host \ /data/nginx/dead_host \ /data/nginx/stream \ - /data/nginx/custom \ - /tmp/acme-challenge || sleep inf + /data/nginx/custom || sleep inf if [ -f /data/nginx/default_host/site.conf ]; then -mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf + mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf fi if [ -f /data/nginx/default_www/index.html ]; then -mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf + mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf fi if [ -f /data/nginx/dummycert.pem ]; then -mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf + mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf fi if [ -f /data/nginx/dummykey.pem ]; then -mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf + mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf fi if [ -n "$(ls -A /data/nginx/html 2> /dev/null)" ]; then -mv -v /data/nginx/html/* /data/etc/html|| sleep inf + mv -v /data/nginx/html/* /data/etc/html|| sleep inf fi if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then -mv -v /data/access/* /data/etc/access || sleep inf + mv -v /data/access/* /data/etc/access || sleep inf fi if [ -n "$(ls 
-A /data/nginx/access 2> /dev/null)" ]; then -mv -v /data/nginx/access/* /data/etc/access || sleep inf + mv -v /data/nginx/access/* /data/etc/access || sleep inf fi if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then -mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf + mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf fi if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then -mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf + mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf fi if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then -mv -v /data/custom_ssl/* /data/tls/custom || sleep inf + mv -v /data/custom_ssl/* /data/tls/custom || sleep inf fi if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then -mv -v /data/ssl/* /data/tls || sleep inf + mv -v /data/ssl/* /data/tls || sleep inf fi -rm -vrf /data/nginx/default_host/site.conf \ - /data/nginx/default_www/index.html \ - /data/letsencrypt-acme-challenge \ - /data/nginx/dummycert.pem \ - /data/nginx/dummykey.pem \ - /data/nginx/default_host \ - /data/nginx/default_www \ - /data/nginx/streams \ - /data/nginx/access \ - /data/nginx/temp \ - /data/nginx/html \ - /data/index.html \ - /data/letsencrypt \ - /data/custom_ssl \ - /data/certbot \ - /data/access \ - /data/php/8 \ - /data/php/7 \ - /data/ssl \ - /data/logs \ - /data/error.log \ - /data/nginx/error.log || sleep inf +if [ -n "$CLEAN" ]; then + export CLEAN=true +fi +if [ "$CLEAN" = true ]; then + rm -vrf /data/letsencrypt-acme-challenge \ + /data/nginx/dummycert.pem \ + /data/nginx/dummykey.pem \ + /data/nginx/default_host \ + /data/nginx/default_www \ + /data/nginx/streams \ + /data/nginx/access \ + /data/nginx/temp \ + /data/nginx/html \ + /data/index.html \ + /data/letsencrypt \ + /data/custom_ssl \ + /data/certbot \ + /data/access \ + /data/php/8 \ + /data/php/7 \ + /data/ssl \ + /data/logs \ + /data/error.log \ + /data/nginx/error.log || sleep inf +fi + +if [ -n "$FULLCLEAN" ]; then + export FULLCLEAN=false +fi + +if [ 
"$FULLCLEAN" = true ]; then + if [ "$PHP81" != true ] && [ "$PHP82" != true ]; then + rm -vrf /data/php + fi +fi + +find /data/nginx -type f -name '*.conf' -exec sed -i "s|listen 80 http2|listen 80|g" {} \; || sleep inf find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \; || sleep inf find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || sleep inf @@ -127,11 +198,14 @@ find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/lets find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; || sleep inf find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "/Asset Caching/d" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "/assets.conf/d" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "/access_log/d" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "/proxy_http_version/d" {} \; || sleep inf + +find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \; || sleep inf touch /data/etc/html/index.html \ /data/nginx/default.conf \ 
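Review bot: The two new guards `if [ -n "$CLEAN" ]; then export CLEAN=true; fi` and `if [ -n "$FULLCLEAN" ]; then export FULLCLEAN=false; fi` are inverted: `-n` is true when the variable is set, so `CLEAN=false` from the compose example becomes `true` and the `rm -vrf` block runs, while `FULLCLEAN=true` is overwritten to `false` and `rm -vrf /data/php` can never run; both should test `-z` so the default is applied only when the variable is unset. The new `apk upgrade --no-cache` and the two `apk add --no-cache php8x php8x-fpm fcgi` lines hit the network on every container start and, unlike almost every other line in this script, carry no `|| sleep inf`, so a failed or partial install falls through to the php-fpm `sed` edits; they deserve at least the same fallback. The moved php-fpm setup still writes `user = root` and `group = root` into www.conf, so PHP runs with the container's full privileges; if that is required for the /var/www bind mount, a comment saying so will keep it from being changed without thought.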
@@ -148,119 +222,118 @@ touch /data/etc/html/index.html \
 /data/nginx/custom/server_stream_udp.conf \
 /usr/local/nginx/conf/conf.d/include/ip_ranges.conf || sleep inf
-for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do cp -vrnT /etc/php"$phpv" /data/php/"$phpv"; done;
-for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|user =.*|user = root|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
-for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|group =.*|group = root|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
-for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|listen =.*|listen = /dev/php"$phpv".sock|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
-for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|include=.*|include=/data/php/"$phpv"/php-fpm.d/*.conf|g" /data/php/"$phpv"/php-fpm.conf; done;
- if [ -z "$NPM_CERT_ID" ]; then
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." || echo "error 9"
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." || sleep inf
 else
- if ! echo "$NPM_CERT_ID" | grep -q [0-9]; then
- echo "NPM_CERT_ID is a non allowed value." || echo "error 10"
- echo "It needs to be a number." || echo "error 11"
- echo "It is set to \""$NPM_CERT_ID"\"." || echo "error 12"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 13"
+ if ! echo "$NPM_CERT_ID" | grep -q "[0-9]"; then
+ echo "NPM_CERT_ID is a non allowed value." || sleep inf
+ echo "It needs to be a number." || sleep inf
+ echo "It is set to \"$NPM_CERT_ID\"."
|| sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- if [ -d "/data/tls/certbot/live/npm-"$NPM_CERT_ID"" ]; then
- if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem &> /dev/null; then
- echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem does not exist" || echo "error 14"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 15"
+ if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
+ if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
+ echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
- echo "NPM_CERT set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem" || echo "error 16"
+ export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem || sleep inf
+ echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem" || sleep inf
- if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem &> /dev/null; then
- echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem does not exist" || echo "error 17"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 18"
+ if !
ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
+ echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
- echo "NPM_KEY set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem" || echo "error 19"
+ export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem || sleep inf
+ echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem" || sleep inf
- if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem &> /dev/null; then
- echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem does not exist" || echo "error 20"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 21"
+ if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
+ echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
- echo "NPM_CHAIN set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem" || echo "error 22"
+ export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem || sleep inf
+ echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem" || sleep inf
 fi
 fi
 fi
- elif [ -d "/data/tls/custom/npm-"$NPM_CERT_ID"" ]; then
- if !
ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem &> /dev/null; then
- echo "/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem does not exist" || echo "error 23"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 24"
+ elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
+ if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
+ echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
- echo "NPM_CERT set to /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem" || echo "error 25"
+ export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem || sleep inf
+ echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem" || sleep inf
- if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem &> /dev/null; then
- echo "/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem does not exist" || echo "error 26"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 27"
+ if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
+ echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts."
|| sleep inf
 else
- export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
- echo "NPM_KEY set to /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem"
+ export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem || sleep inf
+ echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem" || sleep inf
- if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem &> /dev/null; then
- echo "/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem does not exist" || echo "error 28"
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "using dummycerts for npm and default hosts." || echo "error 29"
+ if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
+ echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist" || sleep inf
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "using dummycerts for npm and default hosts." || sleep inf
 else
- export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
- echo "NPM_CHAIN set to /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem" || echo "error 30"
+ export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem || sleep inf
+ echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem" || sleep inf
 fi
 fi
 fi
 else
- export NPM_CERT=/data/tls/dummycert.pem
- export NPM_KEY=/data/tls/dummykey.pem
- echo "cert with ID "$NPM_CERT_ID" does not exist, using dummycerts for npm and default hosts." || echo "error 31"
+ export NPM_CERT=/data/tls/dummycert.pem || sleep inf
+ export NPM_KEY=/data/tls/dummykey.pem || sleep inf
+ echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts."
|| sleep inf
 fi
 fi
 fi
-sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/include/default.conf
-sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/include/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
+ns="$(< /etc/resolv.conf grep -P "^nameserver [0-9\[\].:]+$" | sed "s|nameserver ||g" | tr "\n" " " | sed "s/\(.*\) /\1/" | head -1)" || sleep inf
+export ns
+sed -i "s|resolver localhost;|resolver $ns;|g" /usr/local/nginx/conf/nginx.conf || sleep inf
+echo "using this nameservers: \"$ns\"" || sleep inf
-sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
+sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf
+sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf
+if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf; fi
-sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/npm.conf
-sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/npm.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
+sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g"
/usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf
+sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf
+if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf; fi
-sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /app/templates/default.conf
-sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /app/templates/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /app/templates/default.conf; fi
+sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
+sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
+if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf; fi
-if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
-sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
-sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
+sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf || sleep inf
+sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf || sleep inf
+if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf || sleep inf; fi
+
+if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
+ sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
+ sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
 fi
-if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
-sed -i
"s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
+if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
+ sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
 fi
 if [ -z "$NPM_CERT_ID" ]; then
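Review bot: The validity check `if ! echo "$NPM_CERT_ID" | grep -q "[0-9]"; then` only requires that the value contain one digit somewhere, so a value such as `1/../x` passes, is spliced into the `/data/tls/certbot/live/npm-$NPM_CERT_ID` and `/data/tls/custom/npm-$NPM_CERT_ID` paths, and later lands unescaped in the `ssl_certificate $NPM_CERT;` sed replacements; the message `It needs to be a number.` describes a stricter test than the one performed. `if ! echo "$NPM_CERT_ID" | grep -Eq "^[0-9]+$"; then` enforces what the message says. Separately, the new `ns="$(< /etc/resolv.conf grep -P ...)"` assignment cannot fail the way its `|| sleep inf` expects: when no `nameserver` line matches the pattern, `ns` is simply empty and the next line writes `resolver ;` into nginx.conf, which only surfaces later as a failed `nginx -t`; a guard such as `if [ -z "$ns" ]; then echo "no nameserver found in /etc/resolv.conf"; sleep inf; fi` after `export ns` would report the actual cause.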
@@ -269,52 +342,60 @@ if [ -z "$NPM_CERT_ID" ]; then
 fi
 else
 rm -vrf /data/tls/dummycert.pem \
- /data/tls/dummykey.pem
+ /data/tls/dummykey.pem || sleep inf
 fi
 if [ ! -f /data/nginx/default.conf ]; then
-mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
+ mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
 fi
 if [ ! -f /data/tls/certbot/config.ini ]; then
-mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
+ mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
 fi
-sed -i "s|ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /data/nginx/default.conf
-sed -i "s|ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /data/nginx/default.conf
-if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /data/nginx/default.conf; fi
+sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf || sleep inf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf || sleep inf
+if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf || sleep inf; fi
-if ! nginx -t &> /dev/null; then
-nginx -T || sleep inf
-sleep inf || exit 1
+if ! nginx -t > /dev/null 2>&1; then
+ nginx -T || sleep inf
+ sleep inf || exit 1
 fi
-if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
-cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
-sleep inf || exit 1
+if [ "$PHP81" = "true" ]; then
+ if !
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; then
+ cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
+ sleep inf || exit 1
+ fi
 fi
-if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
-cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
-sleep inf || exit 1
+if [ "$PHP82" = "true" ]; then
+ if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; then
+ cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
+ sleep inf || exit 1
+ fi
 fi
-while (nginx -t &> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null); do
-nginx || exit 1 &
-cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR || exit 1 &
-cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR || exit 1 &
-node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
-wait
+while (nginx -t > /dev/null 2>&1 && if [ "$PHP81" = true ]; then cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; fi); do
+ nginx || exit 1 &
+ if [ "$PHP81" = "true" ]; then cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81
-y /data/php/81/php-fpm.conf -FOR || exit 1; fi &
+ if [ "$PHP82" = "true" ]; then cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR || exit 1; fi &
+ node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
+ wait
 done
-if ! nginx -t > /dev/null 2>&1; then
-nginx -T || exit 1
+if ! nginx -t > /dev/null 2>&1; then
+ nginx -T || sleep inf
 fi
-if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
-cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
+if [ "$PHP81" = "true" ]; then
+ if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; then
+ cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
+ fi
 fi
-if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
-cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
+if [ "$PHP82" = "true" ]; then
+ if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; then
+ cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
+ fi
 fi
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf b/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf
new file mode 100644
index 00000000..432de7e2
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf
@@ -0,0 +1,4 @@
+brotli on;
+brotli_types *;
+brotli_comp_level 11;
+brotli_static on;
\ No newline at end of file
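Review bot: Inside the `while` body the `|| exit 1` on the backgrounded jobs (`nginx || exit 1 &`, the two `if ... fi &` php-fpm lines and `node ... || exit 1 &`) exits only that job's subshell, not the script, so when a single service dies `wait` returns, the loop re-runs the config tests and relaunches all four services, including the ones still running; if that restart-everything behaviour is intended, a comment above the `while` saying so would spare the next reader the analysis, otherwise the script should exit after `wait` instead of looping. The `while` condition compares `"$PHP81" = true` while the `if` lines before and after it compare `"$PHP81" = "true"`; both are the same test, so one form should be used throughout.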
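Review bot: `brotli_types *;` together with `brotli on;` compresses every response type, and since this file is included by the npm.conf, default.conf and no-server-name.conf servers it applies to dynamically generated and proxied responses served over TLS, where compressing attacker-influenced input alongside secrets such as session cookies or CSRF tokens is the BREACH class of compression side channel; the unchanged `gzip_types *;` in nginx.conf carries the same exposure. Restricting `brotli_types` to static asset types (`text/css application/javascript image/svg+xml font/woff2` and the like) and leaving HTML/JSON to the application's own choice limits this. `brotli_comp_level 11;` is the maximum level and is CPU-heavy when applied on the fly; it suits `brotli_static on;` for pre-compressed files, but a lower level is usual for dynamic content. The file also lacks a trailing newline.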
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
index 83d79b4a..bc9c6fb0 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -13,6 +13,7 @@ server {
 server_name _;
+ include conf.d/include/brotli.conf;
 include conf.d/include/force-ssl.conf;
 include conf.d/include/tls-ciphers.conf;
 include conf.d/include/acme-challenge.conf;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
index de0102b3..41882f78 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -1,11 +1,13 @@
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header Early-Data $ssl_early_data;
 proxy_set_header X-Forwarded-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
-proxy_http_version 1.1;
 proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_http_version 1.1;
+
 proxy_pass $forward_scheme://$server:$port$request_uri;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
index 4553f9ad..20054c72 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -1,3 +1,8 @@
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_early_data on;
+
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
index 44a87c4a..b775670e 100644
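Review bot: `ssl_early_data on;` in the tls-ciphers.conf hunk makes every server that includes it accept TLS 1.3 0-RTT data, which a network attacker can replay; the `proxy_set_header Early-Data $ssl_early_data;` added here (and in npm.conf) is the right signal for RFC 8470, but it only prevents replayed state changes if each upstream rejects non-idempotent early requests with 425 Too Early, and the backends users place behind this proxy cannot be assumed to do that. Either leave early data off by default or document the requirement next to the directive, e.g. `# 0-RTT is replayable: upstreams must honour the Early-Data header (RFC 8470)`. The unchanged context line `proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;` still offers upstreams deprecated protocols, and trimming it to `proxy_ssl_protocols TLSv1.3 TLSv1.2;` would be worth a follow-up.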
--- a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
@@ -17,6 +17,7 @@ server {
 server_name "";
 return 444;
+ include conf.d/include/brotli.conf;
 include conf.d/include/force-ssl.conf;
 include conf.d/include/tls-ciphers.conf;
 include conf.d/include/block-exploits.conf;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
index 035a8cc4..7ec92ed5 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -7,6 +7,7 @@ server {
 add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
 server_name _;
+ include conf.d/include/brotli.conf;
 include conf.d/include/force-ssl.conf;
 include conf.d/include/tls-ciphers.conf;
 include conf.d/include/block-exploits.conf;
@@ -24,6 +25,7 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header Early-Data $ssl_early_data;
 proxy_set_header X-Forwarded-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;
@@ -33,8 +35,6 @@ server {
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_read_timeout 15m;
- proxy_send_timeout 15m;
 }
 location / {
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 251c32ee..b4ab6f9d 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -27,13 +27,15 @@ http {
 tcp_nopush on;
 tcp_nodelay on;
 client_max_body_size 0;
+ client_body_buffer_size 512k;
 gzip on;
- gunzip on;
 gzip_vary on;
 gzip_types *;
 gzip_proxied any;
 gzip_comp_level 9;
+ gunzip on;
+ gzip_static on;
 resolver localhost;
 fastcgi_index index.php;
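Review bot: Dropping `proxy_read_timeout 15m;` and `proxy_send_timeout 15m;` from the npm.conf location that sets `Upgrade`/`Connection` (presumably the websocket path) is only half replaced by the `proxy_read_timeout 86400s;` added at http level in the nginx.conf `@@ -42,6 +44,7 @@` hunk: `proxy_send_timeout` falls back to nginx's 60s default for that location, and the 24-hour read timeout now applies to every proxied connection in the server, letting an idle client hold an upstream connection for a day. If the long timeout is meant for the upgraded connection, keep both directives in that location, `proxy_read_timeout 86400s; proxy_send_timeout 86400s;`, and leave the http-level default alone.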
@@ -42,6 +44,7 @@ http {
 error_page 404 =307 $scheme://$host:$server_port;
 error_page 497 =301 https://$host:$server_port$request_uri;
+ proxy_read_timeout 86400s;
 proxy_headers_hash_max_size 1024;
 proxy_headers_hash_bucket_size 128;
@@ -89,7 +92,6 @@ http {
 set_real_ip_from fec0::/10;
 include fastcgi.conf;
- fastcgi_param HTTP_PROXY "";
 include conf.d/include/ip_ranges.conf;
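Review bot: Removing `fastcgi_param HTTP_PROXY "";` re-opens the httpoxy problem: with `include fastcgi.conf;` left in place, a client-supplied `Proxy:` request header reaches PHP-FPM as the `HTTP_PROXY` CGI variable, which several HTTP client libraries read as their outbound proxy setting. Unless the bundled fastcgi.conf now clears that variable itself, which is not visible in this diff, the line should stay: `fastcgi_param HTTP_PROXY "";`.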