enable ssl_early_data, default enable http2, option to enable brotli, fix shellcheck

Signed-off-by: Zoey <zoey@z0ey.de>
Zoey
2023-01-20 08:09:52 +01:00
parent e0be3a5ea3
commit 45895ac53e
33 changed files with 367 additions and 261 deletions


@@ -26,12 +26,10 @@ jobs:
- name: Push develop to latest
run: |
curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 -o ./regctl
chmod +x ./regctl
./regctl image copy ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest
./regctl image copy ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest
docker buildx imagetools create --tag ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }}
docker buildx imagetools create --tag ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }}
- name: Show Nginx version
run: |
docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V
docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V
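Review bot: The two new `imagetools create` lines and the two new `docker run … -V` lines interpolate `${{ github.ref_name }}` and `${{ github.event.repository.name }}` straight into a `run:` script; GitHub documents these as expression-injection points because a ref name may legally contain shell metacharacters such as `$(`, `;` or `|`. Which events feed this job is outside the hunk, so whether anyone other than a collaborator can influence the ref is not visible here, but the mitigation costs nothing: map the expressions once under `env:` and reference them as quoted shell variables. The same substitution should be applied to the "Show Nginx version" step.
```yaml
- name: Push develop to latest
  env:
    REF: ${{ github.ref_name }}
    REPO: ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}
  run: |
    docker buildx imagetools create --tag "$REPO:latest" "$REPO:$REF"
    docker buildx imagetools create --tag "ghcr.io/$REPO:latest" "ghcr.io/$REPO:$REF"
# … unchanged: "Show Nginx version" step (give it the same env mapping) …
```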


@@ -93,5 +93,5 @@ jobs:
- name: show version
run: |
docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V
docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V


@@ -27,7 +27,7 @@ jobs:
export NODE_OPTIONS=--openssl-legacy-provider
npm install --global yarn
cd frontend
sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json
sed -i "s|\"0.0.0\"|\""$(cat ../global/.version)"\"|g" package.json
yarn --no-lockfile install
yarn --no-lockfile build
mkdir dist/.well-known
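Review bot: The rewritten sed line still splices the raw contents of `../global/.version` into the replacement side of a sed expression, so a `|`, `&` or `\` in that file would silently alter or break the substitution rather than fail the build. The file is repository-controlled, so this is robustness rather than exposure, but a one-line guard before the sed makes a malformed version loud: `grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+' ../global/.version || exit 1`. The quoting `\""$(cat …)"\"` also opens and closes the string around the substitution for no effect; `\"$(cat ../global/.version)\"` inside the existing double-quoted expression is equivalent and easier to read.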


@@ -54,7 +54,7 @@ jobs:
export NODE_OPTIONS=--openssl-legacy-provider
npm install --global yarn
cd frontend
sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json
sed -i "s|\"0.0.0\"|\""$(cat ../global/.version)"\"|g" package.json
yarn --no-lockfile install
yarn --no-lockfile build
mkdir dist/.well-known
@@ -92,7 +92,7 @@ jobs:
tags: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}
- name: show version
run: docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
run: docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -V
- name: add comment
uses: mshick/add-pr-comment@v2

19
.github/workflows/shellcheck.yml vendored Normal file

@@ -0,0 +1,19 @@
name: Shellcheck
on:
push:
pull_request:
workflow_dispatch:
jobs:
shellcheck:
name: Check Shell
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Shellcheck
uses: ludeeus/action-shellcheck@master
with:
check_together: 'yes'
env:
SHELLCHECK_OPTS: --shell sh
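Review bot: `ludeeus/action-shellcheck@master` pins the action to a moving branch, so any push to that third-party repository immediately runs inside this workflow with the checked-out tree and the job's token; pin it to a full commit SHA with the release noted in a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<commit-sha> # <release tag>`. `actions/checkout@v3` is a mutable tag as well and can be pinned the same way. Since the job only reads the tree, a top-level `permissions:` block with `contents: read` would also bound what a compromised action could do.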

14
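--- /dev/null
+++ b/.github/workflows/spellcheck.yml
@@ -0,0 +1,14 @@
+name: reviewdog
+on: [pull_request]
+jobs:
+misspell:
+name: runner / misspell
+runs-on: ubuntu-latest
+steps:
+- name: Check out code.
+uses: actions/checkout@v3
+- name: misspell
+uses: reviewdog/action-misspell@v1
+with:
+github_token: ${{ secrets.github_token }}
+locale: "US"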
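Review bot: `reviewdog/action-misspell@v1` and `actions/checkout@v3` are mutable tags; for a step that is handed the repository token, pin both to full commit SHAs and note the release in a comment, e.g. `uses: reviewdog/action-misspell@<commit-sha> # v1`. `secrets.github_token` resolves because secret names are case-insensitive, but the documented spelling `secrets.GITHUB_TOKEN` makes it obvious this is the built-in token and not a custom secret. Because the trigger is `pull_request`, runs for fork PRs presumably receive a read-only token and reviewdog may be unable to post its comments; that is worth verifying rather than switching to `pull_request_target`.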


@@ -1,4 +1,4 @@
FROM zoeyvid/nginx-quic:32
FROM zoeyvid/nginx-quic:51
COPY rootfs /
COPY backend /app
COPY global /app/global
@@ -6,28 +6,24 @@ COPY frontend/dist /app/frontend
WORKDIR /app
RUN apk upgrade --no-cache && \
apk add --no-cache ca-certificates wget tzdata bash coreutils \
python3 \
nodejs-current npm \
openssl apache2-utils jq fcgi \
apk add --no-cache ca-certificates wget tzdata \
python3 nodejs-current npm \
gcc g++ libffi-dev python3-dev \
php81 php81-fpm php82 php82-fpm && \
grep coreutils jq openssl apache2-utils && \
# Install cross-env
npm install --global cross-env && \
# Install pip
wget https://bootstrap.pypa.io/get-pip.py -O - | python3 && \
# Change permission
chmod +x /bin/start.sh && \
chmod +x /bin/check-health.sh && \
# Build Backend
sed -i "s/0.0.0/$(cat global/.version)/g" package.json && \
sed -i "s|\"0.0.0\"|\""$(cat global/.version)"\"|g" package.json && \
npm install --force && \
# Install Certbot
pip install --no-cache-dir certbot && \
apk del --no-cache gcc g++ libffi-dev python3-dev npm
# Clean
apk del --no-cache npm gcc g++ libffi-dev python3-dev
ENV NODE_ENV=production \
DB_SQLITE_FILE=/data/database.sqlite
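Review bot: The bumped base image `zoeyvid/nginx-quic:51` is pinned by tag only; a tag can be re-pushed, so add the digest (`FROM zoeyvid/nginx-quic:51@sha256:<digest>`) to make the build reproducible and tamper-evident. On the new package line, `grep` is the Alpine GNU grep package rather than a stray command, which is easy to misread in a `&&` chain; a comment such as `# grep = GNU grep package (busybox grep is the default)` avoids the confusion. The unchanged `wget https://bootstrap.pypa.io/get-pip.py -O - | python3` still executes an unverified remote script as root at build time; that predates this commit, but the `py3-pip` apk package or a checksum check would close it.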


@@ -53,9 +53,13 @@ so that the barrier for entry here is low.
- Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers)
- Access Log disabled
- Error Log written to console
- PHP included, you can add php extensions, see aviable packages [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*)
- PHP optinal, you can add php extensions, see aviable packages [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-*)
- allows different acme servers
- up to 64 domains per cert allowed
- Brotli can be enabled
- HTTP/2 always enabled
- HTTP/2 upload fixed
- Infinite upload size allowed
## Soon
- more
@@ -81,6 +85,7 @@ alias /var/www/<your-html-site-folder-name>/;
```
b) Custom Nginx Configuration (advanced tab), which looks the following for file server and **php**:
- Note: the slash at the end of the file path is important
- Note: first enable `PHP81` and/or `PHP82` inside your compose file
- Note: you can replace `fastcgi_pass php82;` with `fastcgi_pass` `php81`/`php82` `;`
- Note: to add more php extension use the packes from [here](https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*) and add them using the `PHP_APKS` env (see compose file)
```
@@ -120,13 +125,18 @@ services:
volumes:
- "/opt/npm:/data"
- "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
- "/var/www:/var/www" # optional, if you want to use it as webserver for html
- "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
environment:
- "TZ=Europe/Berlin"
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts
# - "PHP_APKS=php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*
# - "CLEAN=false" # Clean folders
# - "FULLCLEAN=true" # Clean unused config folders
# - "PHP81=true" # Activate PHP81
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-*
# - "PHP82=true" # Activate PHP82
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-*
```
3. Bring up your stack by running (or deploy your portainer stack)


@@ -4,19 +4,19 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
"@apidevtools/json-schema-ref-parser": "9.1.0",
"@apidevtools/json-schema-ref-parser": "10.0.1",
"ajv": "6.12.6",
"archiver": "5.3.1",
"batchflow": "0.4.0",
"bcrypt": "5.1.0",
"body-parser": "1.20.1",
"compression": "1.7.4",
"config": "3.3.8",
"config": "3.3.9",
"express": "4.18.2",
"express-fileupload": "1.4.0",
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.0",
"knex": "2.4.0",
"knex": "2.4.1",
"liquidjs": "9.43.0",
"lodash": "4.17.21",
"moment": "2.29.4",


@@ -0,0 +1,4 @@
{% if http2_support -%}
# Enable Brotli
include conf.d/include/brotli.conf;
{% endif %}
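Review bot: This template reuses the stored `http2_support` flag as the Brotli switch, so every existing host that had HTTP/2 ticked will start compressing responses after the upgrade without anyone choosing it. Compressing TLS responses that mix secrets with attacker-influenced input is the BREACH class of side channel; whether `conf.d/include/brotli.conf` limits itself to static content types is not visible here, so the assumption should be written down in this file, e.g. `# http2_support is the legacy column name, reused as the Brotli switch; brotli.conf must not compress dynamic responses that carry secrets`.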


@@ -5,15 +5,11 @@
ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
{% else %}
# Custom SSL
include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
{% endif %}
{% endif %}


@@ -2,8 +2,8 @@
listen [::]:80;
{% if certificate %}
listen 443 ssl{% if http2_support %} http2{% endif %};
listen [::]:443 ssl{% if http2_support %} http2{% endif %};
listen 443 ssl http2;
listen [::]:443 ssl http2;
{% if hsts_subdomains %}
listen 443 http3;
listen [::]:443 http3;
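Review bot: The HTTP/3 listeners following the now-unconditional `listen 443 ssl http2;` lines are gated on `hsts_subdomains`, a flag that the forms in this commit keep labelled as an HSTS option and make selectable whenever a certificate exists; a user who toggles "HSTS Subdomains" will presumably open a QUIC listener they did not ask for. Either rename the flag in the UI text or, at minimum, record the reuse in the template: `# hsts_subdomains is reused as the HTTP/3 switch (legacy column name)`.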


@@ -6,6 +6,7 @@ server {
{% include "_certificates.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_brotli.conf" %}
{{ advanced_config }}
include conf.d/include/acme-challenge.conf;


@@ -13,6 +13,7 @@ server {
server_name _;
include conf.d/include/brotli.conf;
include conf.d/include/force-ssl.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf;


@@ -10,6 +10,7 @@ server {
{% include "_certificates.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_brotli.conf" %}
include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf;
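Review bot: The commit title says `ssl_early_data` is now enabled, but nothing in this server block tells the upstream which requests arrived as replayable 0-RTT data; a captured early-data request can be replayed by a network attacker, so the proxied location should send `proxy_set_header Early-Data $ssl_early_data;` (RFC 8470) so backends can answer 425 for non-idempotent calls. Neither the `ssl_early_data` directive nor the `proxy_pass` location is in this hunk, so I cannot see whether either is already handled elsewhere.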


@@ -6,6 +6,7 @@ server {
{% include "_certificates.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% include "_brotli.conf" %}
{{ advanced_config }}
include conf.d/include/acme-challenge.conf;


@@ -8,10 +8,15 @@ services:
volumes:
- "/opt/npm:/data"
- "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
- "/var/www:/var/www" # optional, if you want to use it as webserver for html
- "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
environment:
- "TZ=Europe/Berlin"
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts
# - "PHP_APKS=php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php8*-*
# - "CLEAN=false" # Clean folders
# - "FULLCLEAN=true" # Clean unused config folders
# - "PHP81=true" # Activate PHP81
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php81-*
# - "PHP82=true" # Activate PHP82
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=edge&repo=community&arch=x86_64&name=php82-*
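Review bot: The example values `PHP81_APKS=php81-curl php-81-curl` and `PHP82_APKS=php82-curl php-82-curl` include `php-81-curl`/`php-82-curl`, which fail the `php81-`/`php82-` prefix check in start.sh and leave the container parked in `sleep inf` for anyone who uncomments the line as written. Drop the misspelled second entry or replace it with a real `php81-`/`php82-` package name.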


@@ -49,7 +49,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'http2-support') %></span>
</label>
@@ -67,7 +67,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id && ssl_forced && hsts_enabled ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-subdomains') %></span>
</label>
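Review bot: The `hsts_subdomains` switch is now enabled whenever a certificate is set, even with `hsts_enabled` off, yet it keeps its HSTS description while the listen template in this commit uses the flag to enable HTTP/3; the form lets a user turn on a listener under a name that says something else. The `http2-support` string was renamed to "Enable Brotli" in the locale file; the `hsts-subdomains` string needs the same treatment, or a comment here noting the reuse: `<%# hsts_subdomains is reused as the HTTP/3 switch %>`.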


@@ -48,7 +48,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains);
inputs
.prop('disabled', !enabled)
.parents('.form-group')
@@ -75,18 +75,6 @@ module.exports = Mn.View.extend({
this.ui.hsts_enabled.trigger('change');
},
'change @ui.hsts_enabled': function () {
let checked = this.ui.hsts_enabled.prop('checked');
this.ui.hsts_subdomains
.prop('disabled', !checked)
.parents('.form-group')
.css('opacity', checked ? 1 : 0.5);
if (!checked) {
this.ui.hsts_subdomains.prop('checked', false);
}
},
'change @ui.dns_challenge_switch': function () {
const checked = this.ui.dns_challenge_switch.prop('checked');
if (checked) {
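Review bot: `this.ui.hsts_enabled.trigger('change');` at the top of this hunk survives, but the `'change @ui.hsts_enabled'` handler it existed to drive is deleted, so the call is now a no-op that a later reader will assume does something; remove it together with the handler. The handler that contains the trigger begins before the hunk, so I cannot see whether anything else depends on it.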


@@ -119,7 +119,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'http2-support') %></span>
</label>
@@ -137,7 +137,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id && ssl_forced && hsts_enabled ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-subdomains') %></span>
</label>
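Review bot: Enabling `hsts_subdomains` on certificate alone, with the `hsts_enabled` condition dropped, leaves a switch labelled as an HSTS option whose visible effect in this commit is to turn on the HTTP/3 listener; the description string should change alongside `http2-support`, or a comment here should record the reuse: `<%# hsts_subdomains is reused as the HTTP/3 switch %>`.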


@@ -62,7 +62,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains);
inputs
.prop('disabled', !enabled)
.parents('.form-group')
@@ -89,18 +89,6 @@ module.exports = Mn.View.extend({
this.ui.hsts_enabled.trigger('change');
},
'change @ui.hsts_enabled': function () {
let checked = this.ui.hsts_enabled.prop('checked');
this.ui.hsts_subdomains
.prop('disabled', !checked)
.parents('.form-group')
.css('opacity', checked ? 1 : 0.5);
if (!checked) {
this.ui.hsts_subdomains.prop('checked', false);
}
},
'change @ui.dns_challenge_switch': function () {
const checked = this.ui.dns_challenge_switch.prop('checked');
if (checked) {
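Review bot: The retained `this.ui.hsts_enabled.trigger('change');` in this hunk no longer has a listener, because the `'change @ui.hsts_enabled'` handler below it is removed; delete the trigger as well so the dependency does not look intentional. Its enclosing handler starts before the hunk.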


@@ -98,7 +98,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="http2_support" value="1"<%- http2_support ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'http2-support') %></span>
</label>
@@ -116,7 +116,7 @@
<div class="col-sm-5 col-md-5">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id && ssl_forced && hsts_enabled ? '' : ' disabled' %>>
<input type="checkbox" class="custom-switch-input" name="hsts_subdomains" value="1"<%- hsts_subdomains ? ' checked' : '' %><%- certificate_id ? '' : ' disabled' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-subdomains') %></span>
</label>
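Review bot: The relaxed `disabled` condition makes `hsts_subdomains` selectable with HSTS off, while the flag now drives the HTTP/3 listener in the listen template and still carries the HSTS label; rename the `hsts-subdomains` locale string as `http2-support` was, or note the reuse in the template: `<%# hsts_subdomains is reused as the HTTP/3 switch %>`.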


@@ -48,7 +48,7 @@ module.exports = Mn.View.extend({
let enabled = id === 'new' || parseInt(id, 10) > 0;
let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
let inputs = this.ui.ssl_forced.add(this.ui.hsts_subdomains);
inputs
.prop('disabled', !enabled)
.parents('.form-group')
@@ -75,18 +75,6 @@ module.exports = Mn.View.extend({
this.ui.hsts_enabled.trigger('change');
},
'change @ui.hsts_enabled': function () {
let checked = this.ui.hsts_enabled.prop('checked');
this.ui.hsts_subdomains
.prop('disabled', !checked)
.parents('.form-group')
.css('opacity', checked ? 1 : 0.5);
if (!checked) {
this.ui.hsts_subdomains.prop('checked', false);
}
},
'change @ui.dns_challenge_switch': function () {
const checked = this.ui.dns_challenge_switch.prop('checked');
if (checked) {
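Review bot: `this.ui.hsts_enabled.trigger('change');` is kept although the `'change @ui.hsts_enabled'` handler is deleted in this hunk, so it now fires an event nobody listens to; remove the trigger too. The handler containing it begins before the hunk.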


@@ -71,7 +71,7 @@
"details": "Details",
"enable-ssl": "Enable HTTPS",
"force-ssl": "Force HTTPS",
"http2-support": "Enable HTTP/2",
"http2-support": "Enable Brotli",
"domain-names": "Domain Names",
"cert-provider": "Certificate Provider",
"block-exploits": "Block Common Exploits",


@@ -1,6 +1,6 @@
#!/bin/bash
#!/bin/sh
if (cgi-fcgi -bind -connect /dev/php81.sock &> /dev/null && cgi-fcgi -bind -connect /dev/php82.sock &> /dev/null && [ "$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')" == "OK" ]); then
if (if [ "$PHP81" = true ]; then cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cgi-fcgi -bind -connect /dev/php82.sock > /dev/null 2>&1; fi && [ "$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')" = "OK" ]); then
echo "OK"
exit 0
else
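Review bot: The new condition nests two `if … fi` statements inside a subshell to mean "probe the socket only when that PHP version is enabled"; it works, since an `if` whose branch is not taken exits 0, but it is hard to scan. The same logic reads more plainly per version as `{ [ "$PHP81" != true ] || cgi-fcgi -bind -connect /dev/php81.sock > /dev/null 2>&1; }`, after which the outer parentheses are unnecessary. The unchanged `wget --no-check-certificate` against 127.0.0.1 is acceptable for a loopback self-check.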


@@ -1,112 +1,183 @@
#!/bin/bash
#!/bin/sh
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP_APKS" ]; then
if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP_APKS but not to an allowed value." || echo "error 1"
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || echo "error 2"
echo "It is set to \""$PHP_APKS"\"." || echo "error 3"
sleep inf || exit 1
fi
apk upgrade --no-cache
if [ "$PHP81" = "true" ]; then
read -ra APKS_ARRAY <<< "$PHP_APKS" || sleep inf
for apk in "${APKS_ARRAY[@]}"; do
apk add --no-cache php81 php81-fpm fcgi
if ! echo "$apk" | grep -Ewq "php81-.*|php82-.*"; then
echo ""$apk" is a non allowed value." || echo "error 4"
echo "It needs to start with \"php81-\" or \"php82-\"." || echo "error 5"
echo "It is set to \""$apk"\"." || echo "error 6"
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP81_APKS" ]; then
if ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP81_APKS but not to an allowed value." || sleep inf
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || sleep inf
echo "It is set to \"$PHP81_APKS\"." || sleep inf
sleep inf || exit 1
fi
echo "Installing "$apk" via apk..." | echo "error 7"
if ! apk add --no-cache "$apk" &> /dev/null; then
echo "The apk \""$apk"\" was not installed!" || echo "error 8"
for apk in $(echo "$PHP81_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -Ewq "php81-.*"; then
echo "$apk is a non allowed value." || sleep inf
echo "It needs to start with \"php81-\"." || sleep inf
echo "It is set to \"$apk\"." || sleep inf
sleep inf || exit 1
fi
echo "Installing $apk via apk..." || sleep inf
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
echo "The apk \"$apk\" was not installed!" || sleep inf
fi
done
fi
mkdir -vp /data/php
cp -vrnT /etc/php81 /data/php/81 || sleep inf
sed -i "s|user =.*|user = root|" /data/php/81/php-fpm.d/www.conf || sleep inf
sed -i "s|group =.*|group = root|" /data/php/81/php-fpm.d/www.conf || sleep inf
sed -i "s|listen =.*|listen = /dev/php81.sock|" /data/php/81/php-fpm.d/www.conf || sleep inf
sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf || sleep inf
else
rm -vrf /data/php/81
fi
if [ "$PHP82" = "true" ]; then
apk add --no-cache php82 php82-fpm fcgi
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP82_APKS" ]; then
if ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP82_APKS but not to an allowed value." || sleep inf
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." || sleep inf
echo "It is set to \"$PHP82_APKS\"." || sleep inf
sleep inf || exit 1
fi
done
for apk in $(echo "$PHP82_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -Ewq "php82-.*"; then
echo "$apk is a non allowed value." || sleep inf
echo "It needs to start with \"php82-\"." || sleep inf
echo "It is set to \"$apk\"." || sleep inf
sleep inf || exit 1
fi
echo "Installing $apk via apk..." || sleep inf
if ! apk add --no-cache "$apk" > /dev/null 2>&1; then
echo "The apk \"$apk\" was not installed!" || sleep inf
fi
done
fi
mkdir -vp /data/php
cp -vrnT /etc/php82 /data/php/82 || sleep inf
sed -i "s|user =.*|user = root|" /data/php/82/php-fpm.d/www.conf || sleep inf
sed -i "s|group =.*|group = root|" /data/php/82/php-fpm.d/www.conf || sleep inf
sed -i "s|listen =.*|listen = /dev/php82.sock|" /data/php/82/php-fpm.d/www.conf || sleep inf
sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf || sleep inf
else
rm -vrf /data/php/82
fi
mkdir -p /tmp/acme-challenge || sleep inf
mkdir -vp /data/tls/certbot/renewal \
/data/tls/custom \
/data/php \
/data/etc/html \
/data/etc/access \
/data/nginx/redirection_host \
/data/nginx/proxy_host \
/data/nginx/dead_host \
/data/nginx/stream \
/data/nginx/custom \
/tmp/acme-challenge || sleep inf
/data/nginx/custom || sleep inf
if [ -f /data/nginx/default_host/site.conf ]; then
mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf
mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf
fi
if [ -f /data/nginx/default_www/index.html ]; then
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf
fi
if [ -f /data/nginx/dummycert.pem ]; then
mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf
mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf
fi
if [ -f /data/nginx/dummykey.pem ]; then
mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf
mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf
fi
if [ -n "$(ls -A /data/nginx/html 2> /dev/null)" ]; then
mv -v /data/nginx/html/* /data/etc/html|| sleep inf
mv -v /data/nginx/html/* /data/etc/html|| sleep inf
fi
if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then
mv -v /data/access/* /data/etc/access || sleep inf
mv -v /data/access/* /data/etc/access || sleep inf
fi
if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
mv -v /data/nginx/access/* /data/etc/access || sleep inf
mv -v /data/nginx/access/* /data/etc/access || sleep inf
fi
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf
mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf
fi
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf
mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf
fi
if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then
mv -v /data/custom_ssl/* /data/tls/custom || sleep inf
mv -v /data/custom_ssl/* /data/tls/custom || sleep inf
fi
if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then
mv -v /data/ssl/* /data/tls || sleep inf
mv -v /data/ssl/* /data/tls || sleep inf
fi
rm -vrf /data/nginx/default_host/site.conf \
/data/nginx/default_www/index.html \
/data/letsencrypt-acme-challenge \
/data/nginx/dummycert.pem \
/data/nginx/dummykey.pem \
/data/nginx/default_host \
/data/nginx/default_www \
/data/nginx/streams \
/data/nginx/access \
/data/nginx/temp \
/data/nginx/html \
/data/index.html \
/data/letsencrypt \
/data/custom_ssl \
/data/certbot \
/data/access \
/data/php/8 \
/data/php/7 \
/data/ssl \
/data/logs \
/data/error.log \
/data/nginx/error.log || sleep inf
if [ -n "$CLEAN" ]; then
export CLEAN=true
fi
if [ "$CLEAN" = true ]; then
rm -vrf /data/letsencrypt-acme-challenge \
/data/nginx/dummycert.pem \
/data/nginx/dummykey.pem \
/data/nginx/default_host \
/data/nginx/default_www \
/data/nginx/streams \
/data/nginx/access \
/data/nginx/temp \
/data/nginx/html \
/data/index.html \
/data/letsencrypt \
/data/custom_ssl \
/data/certbot \
/data/access \
/data/php/8 \
/data/php/7 \
/data/ssl \
/data/logs \
/data/error.log \
/data/nginx/error.log || sleep inf
fi
if [ -n "$FULLCLEAN" ]; then
export FULLCLEAN=false
fi
if [ "$FULLCLEAN" = true ]; then
if [ "$PHP81" != true ] && [ "$PHP82" != true ]; then
rm -vrf /data/php
fi
fi
find /data/nginx -type f -name '*.conf' -exec sed -i "s|listen 80 http2|listen 80|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || sleep inf
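Review bot: The new PHP blocks rewrite each pool to `user = root` and `group = root` (the `sed -i "s|user =.*|user = root|"` and `s|group =.*|group = root|` lines for 81 and 82), so any PHP served by this image — including whatever a site bug lets an attacker upload — executes as root inside the container; php-fpm refuses such a pool unless the master is started with `-R`, and how it is started is not in this hunk. Run the pools as an unprivileged account instead, e.g. `sed -i "s|user =.*|user = nobody|"` and `sed -i "s|group =.*|group = nobody|"`, and if nginx cannot then reach the socket, set `listen.owner`/`listen.group`/`listen.mode` in the same www.conf rather than reverting to root. The `apk upgrade` and `apk add` at container start also mean the running image depends on network and package-repository state at boot; a comment on the `apk upgrade --no-cache` line saying this is deliberate would tell operators what to expect.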
@@ -127,11 +198,14 @@ find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/lets
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/Asset Caching/d" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/assets.conf/d" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/access_log/d" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/proxy_http_version/d" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \; || sleep inf
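Review bot: The new `sed -i "/access_log/d"`, `/proxy_http_version/d`, `/ssl_stapling/d` and `/assets.conf/d` commands delete every line containing that substring from every `*.conf` under /data/nginx, including user-written custom includes, so a comment that mentions access_log or a deliberate `access_log /some/path;` in a custom file disappears silently; the previous `s/…//g` form at least left the line in place. Anchor on the directive itself, e.g. `sed -i "/^[[:space:]]*access_log[[:space:]]/d"`, and drop the `/ssl_stapling_verify/d` line, which is already covered by `/ssl_stapling/d`.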
touch /data/etc/html/index.html \
/data/nginx/default.conf \
@@ -148,119 +222,118 @@ touch /data/etc/html/index.html \
/data/nginx/custom/server_stream_udp.conf \
/usr/local/nginx/conf/conf.d/include/ip_ranges.conf || sleep inf
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do cp -vrnT /etc/php"$phpv" /data/php/"$phpv"; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|user =.*|user = root|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|group =.*|group = root|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|listen =.*|listen = /dev/php"$phpv".sock|" /data/php/"$phpv"/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|include=.*|include=/data/php/"$phpv"/php-fpm.d/*.conf|g" /data/php/"$phpv"/php-fpm.conf; done;
if [ -z "$NPM_CERT_ID" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." || echo "error 9"
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." || sleep inf
else
if ! echo "$NPM_CERT_ID" | grep -q [0-9]; then
echo "NPM_CERT_ID is a non allowed value." || echo "error 10"
echo "It needs to be a number." || echo "error 11"
echo "It is set to \""$NPM_CERT_ID"\"." || echo "error 12"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 13"
if ! echo "$NPM_CERT_ID" | grep -q "[0-9]"; then
echo "NPM_CERT_ID is a non allowed value." || sleep inf
echo "It needs to be a number." || sleep inf
echo "It is set to \"$NPM_CERT_ID\"." || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
if [ -d "/data/tls/certbot/live/npm-"$NPM_CERT_ID"" ]; then
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem &> /dev/null; then
echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem does not exist" || echo "error 14"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 15"
if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem" || echo "error 16"
export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem || sleep inf
echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem" || sleep inf
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem &> /dev/null; then
echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem does not exist" || echo "error 17"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 18"
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem" || echo "error 19"
export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem || sleep inf
echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem" || sleep inf
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem &> /dev/null; then
echo "/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem does not exist" || echo "error 20"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 21"
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem" || echo "error 22"
export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem || sleep inf
echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem" || sleep inf
fi
fi
fi
elif [ -d "/data/tls/custom/npm-"$NPM_CERT_ID"" ]; then
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem &> /dev/null; then
echo "/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem does not exist" || echo "error 23"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 24"
elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem" || echo "error 25"
export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem || sleep inf
echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem" || sleep inf
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem &> /dev/null; then
echo "/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem does not exist" || echo "error 26"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 27"
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem"
export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem || sleep inf
echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem" || sleep inf
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem &> /dev/null; then
echo "/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem does not exist" || echo "error 28"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts." || echo "error 29"
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist" || sleep inf
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "using dummycerts for npm and default hosts." || sleep inf
else
export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem" || echo "error 30"
export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem || sleep inf
echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem" || sleep inf
fi
fi
fi
else
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "cert with ID "$NPM_CERT_ID" does not exist, using dummycerts for npm and default hosts." || echo "error 31"
export NPM_CERT=/data/tls/dummycert.pem || sleep inf
export NPM_KEY=/data/tls/dummykey.pem || sleep inf
echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts." || sleep inf
fi
fi
fi
sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/include/default.conf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/include/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
ns="$(< /etc/resolv.conf grep -P "^nameserver [0-9\[\].:]+$" | sed "s|nameserver ||g" | tr "\n" " " | sed "s/\(.*\) /\1/" | head -1)" || sleep inf
export ns
sed -i "s|resolver localhost;|resolver $ns;|g" /usr/local/nginx/conf/nginx.conf || sleep inf
echo "using this nameservers: \"$ns\"" || sleep inf
sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf || sleep inf; fi
sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf || sleep inf; fi
sed -i "s|#ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /app/templates/default.conf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /app/templates/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /app/templates/default.conf; fi
sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf; fi
if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s|#ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/default.conf || sleep inf
sed -i "s|#ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf || sleep inf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf || sleep inf; fi
if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
fi
if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
if [ "$NGINX_LOG_NOT_FOUND" = "true" ]; then
sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
fi
if [ -z "$NPM_CERT_ID" ]; then
@@ -269,52 +342,60 @@ if [ -z "$NPM_CERT_ID" ]; then
fi
else
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
/data/tls/dummykey.pem || sleep inf
fi
if [ ! -f /data/nginx/default.conf ]; then
mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
fi
if [ ! -f /data/tls/certbot/config.ini ]; then
mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
fi
sed -i "s|ssl_certificate .*|ssl_certificate "$NPM_CERT";|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key "$NPM_KEY";|g" /data/nginx/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate "$NPM_CHAIN";|g" /data/nginx/default.conf; fi
sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.conf || sleep inf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf || sleep inf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf || sleep inf; fi
if ! nginx -t &> /dev/null; then
nginx -T || sleep inf
sleep inf || exit 1
if ! nginx -t > /dev/null 2>&1; then
nginx -T || sleep inf
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
if [ "$PHP81" = "true" ]; then
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
if [ "$PHP82" = "true" ]; then
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
fi
while (nginx -t &> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null); do
nginx || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR || exit 1 &
node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
wait
while (nginx -t > /dev/null 2>&1 && if [ "$PHP81" = true ]; then cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; fi && if [ "$PHP82" = true ]; then cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; fi); do
nginx || exit 1 &
if [ "$PHP81" = "true" ]; then cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR || exit 1; fi &
if [ "$PHP82" = "true" ]; then cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR || exit 1; fi &
node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
wait
done
if ! nginx -t &> /dev/null; then
nginx -T || exit 1
if ! nginx -t > /dev/null 2>&1; then
nginx -T || sleep inf
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
if [ "$PHP81" = "true" ]; then
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt > /dev/null 2>&1; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
fi
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
if [ "$PHP82" = "true" ]; then
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt > /dev/null 2>&1; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
fi
fi


@@ -0,0 +1,4 @@
brotli on;
brotli_types *;
brotli_comp_level 11;
brotli_static on;
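Review bot: `brotli_types *` compresses every response type, including dynamic HTML/JSON that may carry per-user secrets next to attacker-influenced input, which is the precondition for a BREACH-style compression side channel; the same applies to `gzip_types *` in the nginx.conf hunk. Consider restricting the list to static text types, e.g. `brotli_types text/plain text/css application/javascript image/svg+xml;`, or at least documenting the trade-off above the directive. `brotli_comp_level 11` is the maximum level and is very CPU-heavy for on-the-fly compression; it is usually reserved for the pre-compressed files served by `brotli_static`, with a mid-range level for dynamic responses. The commit message describes brotli as optional, but this file is included unconditionally by the default, no-server-name and npm server blocks in this commit, so the toggle is presumably in the entrypoint, which is outside this view.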


@@ -13,6 +13,7 @@ server {
server_name _;
include conf.d/include/brotli.conf;
include conf.d/include/force-ssl.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf;


@@ -1,11 +1,13 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
proxy_http_version 1.1;
proxy_pass $forward_scheme://$server:$port$request_uri;
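Review bot: `proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;` enables deprecated protocols for connections to upstreams; whether this line is new or context is not recoverable from the rendered hunk, but it is what runs on the new side. TLSv1 and TLSv1.1 are deprecated by RFC 8996 and SSLv2/SSLv3 are normally compiled out of current OpenSSL, so the tail of the list is either dead or a downgrade path; `proxy_ssl_protocols TLSv1.2 TLSv1.3;` is the safe default, with per-host overrides if a legacy backend really needs them. The added `Early-Data` header is the right companion to `ssl_early_data on` (RFC 8470) because it lets the upstream answer 425 to replayable non-idempotent requests, and deserves a one-line comment such as `# 0-RTT requests are replayable; the upstream must check this header`. `proxy_http_version 1.1;` is printed twice, before and after the new line; if both survive on the new side nginx rejects the duplicate directive, so this is presumably a move.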


@@ -1,3 +1,8 @@
ssl_stapling on;
ssl_stapling_verify on;
ssl_early_data on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
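Review bot: `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which an on-path attacker can replay, and the only application-layer defence is the `Early-Data` header this commit forwards in the proxy includes and the npm admin location. Nothing in the visible hunks passes `$ssl_early_data` to the PHP/fastcgi path (`include fastcgi.conf;` in nginx.conf), so those handlers cannot distinguish a replayed request from a fresh one; either add `fastcgi_param HTTP_EARLY_DATA $ssl_early_data;` there or document the gap. A comment above the directive would help the next reader: `# 0-RTT is replayable (RFC 8470); every upstream must reject non-idempotent requests carrying Early-Data: 1 with 425`. Which of the session lines are new cannot be recovered from the rendered hunk.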


@@ -17,6 +17,7 @@ server {
server_name "";
return 444;
include conf.d/include/brotli.conf;
include conf.d/include/force-ssl.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;


@@ -7,6 +7,7 @@ server {
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
server_name _;
include conf.d/include/brotli.conf;
include conf.d/include/force-ssl.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;
@@ -24,6 +25,7 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
@@ -33,8 +35,6 @@ server {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 15m;
proxy_send_timeout 15m;
}
location / {
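Review bot: The per-location `proxy_read_timeout 15m;`/`proxy_send_timeout 15m;` appear to be dropped here (the hunk goes from 8 to 6 lines; the +/- markers are lost), while the nginx.conf hunk gains `proxy_read_timeout 86400s;` at http level. That moves this admin websocket location from a 15-minute to a 24-hour idle read timeout and applies the same 24 hours to every proxied host, so a stalled upstream keeps the client connection and upstream socket open for a day; if the long timeout is only meant for the admin UI's websocket, keep it in this location block rather than the global http context. A comment next to the global value explaining why 24 hours was chosen would also help. The enclosing location block starts outside the hunk.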


@@ -27,13 +27,15 @@ http {
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 0;
client_body_buffer_size 512k;
gzip on;
gunzip on;
gzip_vary on;
gzip_types *;
gzip_proxied any;
gzip_comp_level 9;
gunzip on;
gzip_static on;
resolver localhost;
fastcgi_index index.php;
@@ -42,6 +44,7 @@ http {
error_page 404 =307 $scheme://$host:$server_port;
error_page 497 =301 https://$host:$server_port$request_uri;
proxy_read_timeout 86400s;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
@@ -89,7 +92,6 @@ http {
set_real_ip_from fec0::/10;
include fastcgi.conf;
fastcgi_param HTTP_PROXY "";
include conf.d/include/ip_ranges.conf;