From 66bfcf8f6c034096a8bf215aa2003288089ca8c9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 00:44:29 +0000 Subject: [PATCH] improve many things/dep updates Signed-off-by: Zoey --- .github/workflows/js.yml | 6 + .github/workflows/shellcheck.yml | 2 +- Dockerfile | 27 +- README.md | 91 +++--- backend/internal/nginx.js | 8 +- backend/package.json | 6 +- compose.yaml | 18 +- frontend/js/i18n/messages.json | 2 +- frontend/package.json | 6 +- rootfs/bin/launch.sh | 7 +- rootfs/bin/start.sh | 302 +++++++++--------- .../conf/conf.d/include/block-exploits.conf | 132 +------- rootfs/usr/local/nginx/conf/nginx.conf | 4 +- 13 files changed, 267 insertions(+), 344 deletions(-) diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml index 1c43a13b..87a96ced 100644 --- a/.github/workflows/js.yml +++ b/.github/workflows/js.yml @@ -25,6 +25,12 @@ jobs: curl -L https://code.jquery.com/jquery-"$(git ls-remote --tags https://github.com/jquery/jquery | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")".min.js -o rootfs/nftd/jquery.min.js curl -L https://cdn.jsdelivr.net/npm/bootstrap@"$(git ls-remote --tags https://github.com/twbs/bootstrap v3.3.* | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")"/dist/css/bootstrap.min.css -o rootfs/html/404/bootstrap.min.css curl -L https://cdn.jsdelivr.net/npm/bootstrap@"$(git ls-remote --tags https://github.com/twbs/bootstrap v3.3.* | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")"/dist/css/bootstrap.min.css -o rootfs/html/default/bootstrap.min.css + - name: eslint + run: | + yarn global add nginxbeautifier + mv rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf block-exploits.conf + nginxbeautifier -s 4 -r rootfs/usr/local/nginx/conf + mv block-exploits.conf rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf - name: push changes run: | git add -A 
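Review bot: The `yarn global add nginxbeautifier` step installs whatever version of that package is current when the workflow runs, and the same job then commits the reformatted tree with `git add -A`, so a broken or hijacked release could rewrite every file under `rootfs/usr/local/nginx/conf` straight into the repository without anyone reviewing it. Pin the install to an exact version, `yarn global add nginxbeautifier@<exact version>`, so a change in the beautifier's output can only come from a deliberate bump like the other dependency updates in this commit. The step is named `eslint` but runs nginxbeautifier; `- name: nginxbeautifier` keeps the job log honest. Moving block-exploits.conf out of the tree and back presumably keeps that one file out of the reformat pass; a comment such as `# block-exploits.conf is hand-formatted, keep it out of the beautifier pass` would spare the next reader the guess.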
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 7aaa35e8..d7363bf6 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -14,4 +14,4 @@ jobs:
with:
check_together: 'yes'
env:
- SHELLCHECK_OPTS: --shell sh
+ SHELLCHECK_OPTS: --shell sh -e SC2153
diff --git a/Dockerfile b/Dockerfile
index 6938a526..b9a1a35a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,7 +55,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
FROM zoeyvid/nginx-quic:176
COPY rootfs /
-RUN apk add --no-cache ca-certificates tzdata \
+RUN apk add --no-cache ca-certificates tzdata tini \
lua5.1-lzlib \
nodejs-current \
openssl apache2-utils \
@@ -73,10 +73,6 @@ RUN apk add --no-cache ca-certificates tzdata \
echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-after.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
- wget https://patch-diff.githubusercontent.com/raw/coreruleset/coreruleset/pull/3218.patch -O /tmp/coreruleset/http3.patch && \
- cd /tmp/coreruleset && \
- git apply /tmp/coreruleset/http3.patch && \
- cd / && \
mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
cp /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
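Review bot: With the HTTP/3 patch step removed, the WAF rules baked into the image come entirely from `git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset`, which checks out whatever the upstream default branch holds at build time, so two builds of the same Dockerfile can ship different rule sets and a bad upstream commit reaches the image unreviewed. Pin the clone to a release, for example `git clone --depth 1 --branch <release tag> https://github.com/coreruleset/coreruleset /tmp/coreruleset`, and bump it deliberately like the package versions elsewhere in this commit. The `RUN` instruction this hunk sits in starts and ends outside the diff.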
@@ -122,6 +118,25 @@ ENV NODE_ENV=production \
PATH="/usr/local/certbot/bin:$PATH" \
DB_SQLITE_FILE=/data/etc/npm/database.sqlite
+ENV PUID=0 \
+ PGID=0 \
+ NIBEP=48693 \
+ NPM_PORT=81 \
+ IPV4_BINDING=0.0.0.0 \
+ NPM_IPV4_BINDING=0.0.0.0 \
+ IPV6_BINDING=[::] \
+ NPM_IPV6_BINDING=[::] \
+ DISABLE_IPV6=false \
+ NPM_DISABLE_IPV6=false \
+ NPM_LISTEN_LOCALHOST=false \
+ NPM_CERT_ID=0 \
+ DISABLE_HTTP=false \
+ NGINX_LOG_NOT_FOUND=false \
+ CLEAN=true \
+ FULLCLEAN=false \
+ PHP81=false \
+ PHP82=false
+
WORKDIR /app
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["tini", "--", "start.sh"]
HEALTHCHECK CMD healthcheck.sh
diff --git a/README.md b/README.md
index 1de5afc5..609f828d 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,9 @@ running at home or otherwise, including free TLS, without having to know too muc
- [Screenshots](https://nginxproxymanager.com/screenshots)
-# Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
+## Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
+## Note: NO armv7 support
+## Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host
## Project Goal
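Review bot: Baking `PUID=0`, `PGID=0`, `NPM_IPV4_BINDING=0.0.0.0`, `NPM_IPV6_BINDING=[::]` and `NPM_LISTEN_LOCALHOST=false` into the image means a container started without overrides runs the whole stack as root and exposes the admin backend on every interface of the host (the documented deployment uses `network_mode: host`), and nothing in this ENV block says so. A comment above the block, e.g. `# Defaults run as root and bind the NPM backend on all interfaces; set PUID/PGID and NPM_LISTEN_LOCALHOST=true (or NPM_IPV4_BINDING/NPM_IPV6_BINDING) to harden`, would make the trade-off visible at the place the defaults are set rather than only in the compose comments. The `tini` entrypoint is a good change and matches the `apk add` hunk above.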
@@ -40,7 +42,7 @@ so that the barrier for entry here is low. - Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io) - Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx -- Free trusted TLS certificates using Certbot (Let's Encrypt) or provide your own custom TLS certificates +- Free trusted TLS certificates using Certbot (Let's Encrypt/other CAs) or provide your own custom TLS certificates - Access Lists and basic HTTP Authentication for your hosts - Advanced Nginx configuration available for super users - User management, permissions and audit log @@ -54,7 +56,7 @@ so that the barrier for entry here is low. - If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file. - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH). - Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM). - - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and relaunches it. This can result in a 502 error when you update your hosts + - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283. - Darkmode button in the footer for comfortable viewing (CSS done by [@theraw](https://github.com/theraw)) - Fixes proxy to https origin when the origin only accepts TLSv1.3 - Only enables TLSv1.2 and TLSv1.3 protocols 
@@ -72,7 +74,7 @@ so that the barrier for entry here is low. - Access Log disabled - Error Log written to console - `Server` response header hidden -- PHP optional, with option to add extensions; available packages can be found [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*) +- PHP optional, with option to add extensions; available packages can be found [here](https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*) - Allows different acme servers/certbot config file (/opt/npm/tls/certbot/config.ini) - Supports up to 99 domains per cert - Brotli compression can be enabled @@ -86,7 +88,7 @@ so that the barrier for entry here is low. - Option to set IP bindings for multiple instances in network mode host - Option to change backend port - See the composefile for all available options -- If you want to redirect all HTTP traffic to HTTPS, you can use the `compose.override.yaml` file. This will also enable `h2c` (unencrypted `HTTP/2`), while keeping `HTTP/1.0` and `HTTP/1.1`. +- If you want to redirect all HTTP traffic to HTTPS, you can use the `compose.override.yaml` file. ## Soon - maybe redis and/or sql databases built in @@ -123,7 +125,7 @@ a) Custom Nginx Configuration (advanced tab), which looks the following for file - Note: the slash at the end of the file path is important ``` location / { -alias /var/www//; + alias /var/www//; } ``` b) Custom Nginx Configuration (advanced tab), which looks the following for file server and **php**: 
@@ -133,13 +135,16 @@ b) Custom Nginx Configuration (advanced tab), which looks the following for file - Note: to add more php extension use the packages from [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php8*-*) and add them using the `PHP_APKS` env (see compose file) ``` location / { -alias /var/www//; + alias /var/www//; -location ~ [^/]\.php(/|$) { -fastcgi_pass php82; -fastcgi_split_path_info ^(.+?\.php)(/.*)$; -if (!-f $document_root$fastcgi_script_name) {return 404;} -}} + location ~ [^/]\.php(/|$) { + fastcgi_pass php82; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404 + } + } +} ``` # custom acme server 
@@ -160,37 +165,37 @@ if (!-f $document_root$fastcgi_script_name) {return 404;} ```yml version: "3" services: - nginx-proxy-manager: - container_name: nginx-proxy-manager - image: zoeyvid/nginx-proxy-manager - restart: always - network_mode: host - volumes: - - "/opt/npm:/data" -# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php -# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork - environment: - - "TZ=Europe/Berlin" # set timezone, default UTC -# - "PUID=1000" # set group id, default 0 (root) -# - "PGID=1000" # set user id, default 0 (root) -# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host -# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host -# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all -# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all -# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all -# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all -# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false -# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false -# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false -# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts -# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false -# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false -# - "CLEAN=false" # Clean folders, default true -# - 
"FULLCLEAN=true" # Clean unused config folders, default false -# - "PHP81=true" # Activate PHP81, default false -# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none -# - "PHP82=true" # Activate PHP82, default false -# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none + nginx-proxy-manager: + container_name: nginx-proxy-manager + image: zoeyvid/nginx-proxy-manager + restart: always + network_mode: host + volumes: + - "/opt/npm:/data" +# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php +# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork + environment: + - "TZ=Europe/Berlin" # set timezone, required +# - "PUID=1000" # set group id, default 0 (root) +# - "PGID=1000" # set user id, default 0 (root) +# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host +# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host +# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all +# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all +# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all +# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all +# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false +# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST +# - 
"NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
+# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
+# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
+# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
+# - "CLEAN=false" # Clean folders, default true
+# - "FULLCLEAN=true" # Clean unused config folders, default false
+# - "PHP81=true" # Activate PHP81, default false
+# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none
+# - "PHP82=true" # Activate PHP82, default false
+# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none
```
3. Bring up your stack by running (or deploy your portainer stack)
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index 2a08adce..fa6299f5 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -107,7 +107,7 @@ const internalNginx = {
logger.info('Testing Nginx configuration');
}
- return utils.exec('nginx -t -g "error_log off;"');
+ return utils.exec('nginx -tq');
},
/**
@@ -120,13 +120,13 @@ const internalNginx = {
if (fs.existsSync(NgxPidFilePath)) {
const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
if (ngxPID.length > 0) {
- logger.info('Killing Nginx');
- utils.exec(`kill ${ngxPID}`);
+ logger.info('Quitting Nginx');
+ utils.exec('nginx -s quit');
}
}
logger.info('Starting Nginx in three seconds');
setTimeout(() => {
- utils.execfg('nginx');
+ utils.execfg('nginx -e stderr');
}, 3000);
});
},
diff --git a/backend/package.json b/backend/package.json
index 72ee3b45..0fe0cf60 100644
--- a/backend/package.json
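Review bot: `ngxPID` is now read from the pid file but never used: `nginx -s quit` finds the master through the pid file itself, so the `readFileSync` and the `length > 0` test only survive as a roundabout "is nginx running" check and should be dropped in favour of the `existsSync` guard alone (the old interpolation of file contents into a shell command is gone, which is an improvement). More importantly, `nginx -s quit` returns as soon as the signal is sent while the old master keeps its listening sockets until every worker has drained its connections, so the fixed `setTimeout(..., 3000)` is a race: on a busy host the new `nginx -e stderr` can start while the old master still owns the ports and fail to bind, and the graceful quit makes that window wider than the fast `kill` did. Waiting for the pid file to disappear, with a bounded retry count (assuming the master removes its pid file on exit, as stock nginx does), removes the guess; the enclosing method and its Promise wrapper begin outside this hunk.

```javascript
// … unchanged: config test and pid-file check …
const startWhenStopped = (retriesLeft) => {
	if (!fs.existsSync(NgxPidFilePath) || retriesLeft === 0) {
		utils.execfg('nginx -e stderr');
		return;
	}
	setTimeout(() => startWhenStopped(retriesLeft - 1), 250);
};
logger.info('Starting Nginx once the old master has exited');
startWhenStopped(120);
```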
+++ b/backend/package.json @@ -15,13 +15,13 @@ "express-fileupload": "1.4.0", "gravatar": "1.8.2", "jsonwebtoken": "9.0.1", - "knex": "2.4.2", + "knex": "2.5.1", "liquidjs": "10.8.4", "lodash": "4.17.21", "moment": "2.29.4", "mysql": "2.18.1", "node-rsa": "1.1.1", - "objection": "3.0.4", + "objection": "3.1.1", "path": "0.12.7", "signale": "1.4.0", "sqlite3": "5.1.6" @@ -32,7 +32,7 @@ "author": "Jamie Curnow ", "license": "MIT", "devDependencies": { - "eslint": "8.44.0", + "eslint": "8.46.0", "eslint-plugin-align-assignments": "1.1.2" } } diff --git a/compose.yaml b/compose.yaml index e56db3b4..2f3e0ead 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -10,24 +10,24 @@ services: # - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php # - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork environment: - - "TZ=Europe/Berlin" # set timezone, default UTC + - "TZ=Europe/Berlin" # set timezone, required # - "PUID=1000" # set group id, default 0 (root) # - "PGID=1000" # set user id, default 0 (root) -# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host -# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host +# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host +# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host # - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all # - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all # - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all # - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all -# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false -# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false -# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false -# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts +# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false +# - 
"NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST +# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false +# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts # - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false # - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false # - "CLEAN=false" # Clean folders, default true # - "FULLCLEAN=true" # Clean unused config folders, default false # - "PHP81=true" # Activate PHP81, default false -# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none +# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none # - "PHP82=true" # Activate PHP82, default false -# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none +# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json index c8364ea8..1b0fed5b 100644 --- a/frontend/js/i18n/messages.json +++ b/frontend/js/i18n/messages.json 
@@ -288,7 +288,7 @@ "default-site": "Default Site", "default-site-congratulations": "Congratulations Page", "default-site-404": "404 Page", - "default-site-444": "Drop connection (444)", + "default-site-444": "Drop connection - only allows certbot dns-challenge", "default-site-html": "Custom Page", "default-site-redirect": "Redirect" } diff --git a/frontend/package.json b/frontend/package.json index 7ef545f3..7f5a4343 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -4,11 +4,11 @@ "description": "A beautiful interface for creating Nginx endpoints", "main": "js/index.js", "dependencies": { - "@babel/core": "7.22.8", + "@babel/core": "7.22.9", "babel-core": "6.26.3", "babel-loader": "8.3.0", "babel-preset-env": "1.7.0", - "backbone": "1.4.1", + "backbone": "1.5.0", "backbone.marionette": "4.1.3", "copy-webpack-plugin": "5.1.2", "css-loader": "5.2.7", @@ -28,7 +28,7 @@ "mini-css-extract-plugin": "1.6.2", "moment": "2.29.4", "node-sass": "7.0.3", - "nodemon": "2.0.22", + "nodemon": "3.0.1", "numeral": "2.0.6", "sass-loader": "10.4.1", "style-loader": "3.3.3", diff --git a/rootfs/bin/launch.sh b/rootfs/bin/launch.sh index 2dcc2141..5b914fc0 100755 --- a/rootfs/bin/launch.sh +++ b/rootfs/bin/launch.sh @@ -8,6 +8,8 @@ echo " | |\ | __/| | | | |_| \_|_| |_| |_| ------------------------------------- +Version: $(jq -r .version /app/package.json) +Date: $(date) User: $(whoami) PUID: $PUID User ID: $(id -u) @@ -16,8 +18,7 @@ Group ID: $(id -g) ------------------------------------- " -if ! nginx -t > /dev/null 2>&1; then - nginx -T +if ! nginx -tq; then sleep inf fi @@ -37,5 +38,5 @@ fi if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi & if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi & -index.js & +index.js wait diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh index 16e0f61b..1a89ed4d 100755 
--- a/rootfs/bin/start.sh +++ b/rootfs/bin/start.sh 
@@ -14,83 +14,123 @@ if [ ! -d /data ]; then sleep inf fi -if [ -n "$PGID" ] && [ -z "$PUID" ]; then - echo "You've set PGID but not PUID. Running with PGID 0." - export PGID="0" + +if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then + echo "TZ is unset or invalid." + sleep inf fi -export PUID="${PUID:-0}" if ! echo "$PUID" | grep -q "^[0-9]\+$"; then - echo "You've set PUID but not to an allowed value." - echo "It needs to be a string. Allowed are digits 0-9" - echo "It is set to \"$PUID\"." + echo "PUID needs to be a number." sleep inf fi -export PGID="${PGID:-0}" if ! echo "$PGID" | grep -q "^[0-9]\+$"; then - echo "You've set PGID but not to an allowed value." - echo "It needs to be a string. Allowed are digits 0-9" - echo "It is set to \"$PGID\"." + echo "PGID needs to be a number." sleep inf fi -if [ -n "$IPV4_BINDING" ]; then - if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then - echo "You've set IPV4_BINDING but not to an allowed value." - echo "It needs to be a string. Allowed are digits 0-9 and dots" - echo "It is set to \"$IPV4_BINDING\"." - sleep inf - fi -fi - -if [ "$DISABLE_IPV6" = "true" ] && [ -n "$IPV6_BINDING" ]; then - echo "You can't disable IPv6 and set a binding for it." +if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then + echo "NIBEP needs to be a number." sleep inf fi -if [ -n "$IPV6_BINDING" ]; then - if ! echo "$IPV6_BINDING" | grep -q "\[[0-9a-f:]\+\]"; then - echo "You've set IPV6_BINDING but not to an allowed value." - echo "It needs to be a string. Allowed are small letters a-z, digits 0-9 and colons inside square bracket" - echo "It is set to \"$IPV6_BINDING\"." - sleep inf - fi +if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then + echo "NPM_PORT needs to be a number." + sleep inf fi -if { [ -n "$NPM_IPV4_BINDING" ] || [ -n "$NPM_IPV6_BINDING" ]; } && [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then - echo "You can't set IPv4/IPv6 bindings for npm, while NPM_LISTEN_LOCALHOST is enabled" +if ! 
echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then + echo "IPV4_BINDING needs to be a IPv4-Address." sleep inf fi +if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then + echo "NPM_IPV4_BINDING needs to be a IPv4-Address." + sleep inf +fi + +if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then + echo "IPV6_BINDING needs to be a IPv6-Address inside []." + sleep inf +fi + +if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then + echo "NPM_IPV6_BINDING needs to be a IPv6-Address inside []." + sleep inf +fi + +if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then + echo "DISABLE_IPV6 needs to be true or false." + sleep inf +fi + +if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then + echo "NPM_DISABLE_IPV6 needs to be true or false." + sleep inf +fi + +if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then + echo "NPM_LISTEN_LOCALHOST needs to be true or false." + sleep inf +fi + +if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then + echo "NPM_CERT_ID needs to be a number." + sleep inf +fi + +if ! echo "$DISABLE_HTTP" | grep -q "^true$\|^false$"; then + echo "DISABLE_HTTP needs to be true or false." + sleep inf +fi + +if ! echo "$NGINX_LOG_NOT_FOUND" | grep -q "^true$\|^false$"; then + echo "NGINX_LOG_NOT_FOUND needs to be true or false." + sleep inf +fi + +if ! echo "$CLEAN" | grep -q "^true$\|^false$"; then + echo "CLEAN needs to be true or false." + sleep inf +fi + +if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then + echo "FULLCLEAN needs to be true or false." + sleep inf +fi + +if ! echo "$PHP81" | grep -q "^true$\|^false$"; then + echo "PHP81 needs to be true or false." + sleep inf +fi + +if [ -n "$PHP81_APKS" ] && ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then + echo "PHP81_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens." + sleep inf +fi + +if ! 
echo "$PHP82" | grep -q "^true$\|^false$"; then + echo "PHP82 needs to be true or false." + sleep inf +fi + +if [ -n "$PHP82_APKS" ] && ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then + echo "PHP82_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens." + sleep inf +fi + + +if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then + echo "You've set PGID but not PUID. Running resetting PGID to 0." + export PGID="0" +fi + if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then export NPM_IPV4_BINDING="127.0.0.1" export NPM_IPV6_BINDING="[::1]" fi -if [ -n "$NPM_IPV4_BINDING" ]; then - if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then - echo "You've set NPM_IPV4_BINDING but not to an allowed value." - echo "It needs to be a string. Allowed are digits 0-9 and dots" - echo "It is set to \"$NPM_IPV4_BINDING\"." - sleep inf - fi -fi - -if [ "$NPM_DISABLE_IPV6" = "true" ] && [ -n "$NPM_IPV6_BINDING" ]; then - echo "You can't disable IPv6 and set a binding for it." - sleep inf -fi - -if [ -n "$NPM_IPV6_BINDING" ]; then - if ! echo "$NPM_IPV6_BINDING" | grep -q "\[[0-9a-f:]\+\]"; then - echo "You've set NPM_IPV6_BINDING but not to an allowed value." - echo "It needs to be a string. Allowed are small letters a-z, digits 0-9 and colons inside square bracket" - echo "It is set to \"$NPM_IPV6_BINDING\"." - sleep inf - fi -fi - if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ]; then apk add --no-cache fcgi fi 
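Review bot: The new `TZ` check `grep -q "^[A-Za-z/]\+$"` rejects a large share of valid tz database names because its character class has no underscore, digit, plus or hyphen: `America/New_York`, `Etc/GMT+2` and `America/Port-au-Prince` all hit "TZ is unset or invalid." and the container then sits in `sleep inf`. Widen it to `grep -q "^[A-Za-z0-9/_+-]\+$"`, which still excludes whitespace and shell metacharacters. Two smaller points in the same hunk: the IPv6 patterns `^\[[0-9a-f:]\+\]$` reject upper-case hex digits, which are legal in addresses, and `Running resetting PGID to 0.` reads as a typo for `Resetting PGID to 0.`. The `NIBEP` and `NPM_PORT` checks accept any digit string, so `70000` passes here and only fails later inside nginx; an extra `-le 65535` test would report it alongside the other validation.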
@@ -101,16 +141,9 @@ apk add --no-cache php81-fpm # From https://github.com/nextcloud/all-in-one/pull/1377/files if [ -n "$PHP81_APKS" ]; then - if ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then - echo "You've set PHP81_APKS but not to an allowed value." - echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." - echo "It is set to \"$PHP81_APKS\"." - sleep inf - fi - for apk in $(echo "$PHP81_APKS" | tr " " "\n"); do - if ! echo "$apk" | grep -Ewq "php81-.*"; then + if ! echo "$apk" | grep -q "^php81-.*$"; then echo "$apk is a non allowed value." echo "It needs to start with \"php81-\"." echo "It is set to \"$apk\"." @@ -127,12 +160,10 @@ apk add --no-cache php81-fpm mkdir -vp /data/php cp -vrnT /etc/php81 /data/php/81 - sed -i "s|user =.*|user = root|" /data/php/81/php-fpm.d/www.conf - sed -i "s|group =.*|group = root|" /data/php/81/php-fpm.d/www.conf - sed -i "s|listen =.*|listen = /dev/php81.sock|" /data/php/81/php-fpm.d/www.conf + sed -i "s|listen =.*|listen = /var/php81.sock|" /data/php/81/php-fpm.d/www.conf sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf -else +elif [ "$FULLCLEAN" = "true" ]; then rm -vrf /data/php/81 fi @@ -142,16 +173,9 @@ apk add --no-cache php82-fpm # From https://github.com/nextcloud/all-in-one/pull/1377/files if [ -n "$PHP82_APKS" ]; then - if ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then - echo "You've set PHP82_APKS but not to an allowed value." - echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores." - echo "It is set to \"$PHP82_APKS\"." - sleep inf - fi - for apk in $(echo "$PHP82_APKS" | tr " " "\n"); do - if ! echo "$apk" | grep -Ewq "php82-.*"; then + if ! echo "$apk" | grep -q "^php82-.*$"; then echo "$apk is a non allowed value." echo "It needs to start with \"php82-\"." echo "It is set to \"$apk\"." 
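Review bot: Dropping the `user = root` / `group = root` rewrites means the PHP 8.1 pool now runs as whatever Alpine's packaged `www.conf` sets (presumably `nobody`), a real privilege reduction, but nothing records that this is intentional and the hunk does not touch `listen.owner`, `listen.group` or `listen.mode` for the relocated `/var/php81.sock`. If the packaged defaults leave the socket owned by the pool user with a restrictive mode, nginx workers running under a non-zero PUID/PGID may be unable to connect; that should be confirmed, or the socket ownership pinned with a third `sed` on `listen.owner`/`listen.group`. A comment above the `sed` lines, e.g. `# pool user/group deliberately left at the package default; do not run PHP as root`, would keep the next change from reintroducing the override. The same applies to the php82 block further down.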
@@ -168,12 +192,10 @@ apk add --no-cache php82-fpm mkdir -vp /data/php cp -vrnT /etc/php82 /data/php/82 - sed -i "s|user =.*|user = root|" /data/php/82/php-fpm.d/www.conf - sed -i "s|group =.*|group = root|" /data/php/82/php-fpm.d/www.conf - sed -i "s|listen =.*|listen = /dev/php82.sock|" /data/php/82/php-fpm.d/www.conf + sed -i "s|listen =.*|listen = /var/php82.sock|" /data/php/82/php-fpm.d/www.conf sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf -else +elif [ "$FULLCLEAN" = "true" ]; then rm -vrf /data/php/82 fi @@ -243,10 +265,6 @@ if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then mv -vn /data/ssl/* /data/tls fi -if [ -z "$CLEAN" ]; then - export CLEAN=true -fi - if [ "$CLEAN" = "true" ]; then rm -vrf /data/letsencrypt-acme-challenge \ /data/nginx/dummycert.pem \ @@ -268,21 +286,17 @@ if [ "$CLEAN" = "true" ]; then /data/logs \ /data/error.log \ /data/nginx/error.log + certbot-cleaner.sh fi if [ -f "$DB_SQLITE_FILE" ]; then sqlite-vaccum.js fi -if [ -z "$FULLCLEAN" ]; then - export FULLCLEAN=false -fi - if [ "$FULLCLEAN" = "true" ]; then if [ "$PHP81" != "true" ] && [ "$PHP82" != "true" ]; then rm -vrf /data/php fi - certbot-cleaner.sh fi find /data/nginx -type f -name '*.conf' -exec sed -i "s| http2||g" {} \; 
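Review bot: Moving `certbot-cleaner.sh` from the `FULLCLEAN=true` branch into the `CLEAN=true` branch changes what a default start does, since `CLEAN` defaults to true while `FULLCLEAN` defaults to false, so the cleaner now runs on every boot for users who never opted in. What the script removes is not visible in this diff; if it prunes certbot lineages or renewal configs that is a destructive default, and the `CLEAN` description in compose.yaml/README ("Clean folders") should say it also runs the certbot cleaner. A one-line comment before the call stating that it now runs on every start unless `CLEAN=false`, and what it prunes, would document the intent at the place it matters.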
@@ -338,24 +352,15 @@ touch /data/etc/html/index.html \ /data/nginx/custom/server_stream_udp.conf cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf -cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example +cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example -if [ -z "$NPM_CERT_ID" ]; then +if [ "$NPM_CERT_ID" = "0" ]; then export NPM_CERT=/data/tls/dummycert.pem export NPM_KEY=/data/tls/dummykey.pem echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts." else - if ! echo "$NPM_CERT_ID" | grep -q "[0-9]"; then - echo "NPM_CERT_ID is a non allowed value." - echo "It needs to be a number." - echo "It is set to \"$NPM_CERT_ID\"." - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem - echo "using dummycerts for npm and default hosts." - else - if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then - if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then + if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist" export NPM_CERT=/data/tls/dummycert.pem export NPM_KEY=/data/tls/dummykey.pem @@ -364,7 +369,7 @@ else export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem" - if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then + if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist" export NPM_CERT=/data/tls/dummycert.pem export NPM_KEY=/data/tls/dummykey.pem 
@@ -373,11 +378,8 @@ else export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem" - if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then - echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem - echo "using dummycerts for npm and default hosts." + if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then + echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it" else export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem" @@ -386,7 +388,7 @@ else fi elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then - if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then + if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist" export NPM_CERT=/data/tls/dummycert.pem export NPM_KEY=/data/tls/dummykey.pem @@ -395,7 +397,7 @@ else export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem" - if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then + if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist" export NPM_CERT=/data/tls/dummycert.pem export NPM_KEY=/data/tls/dummykey.pem 
@@ -404,11 +406,8 @@ else export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem" - if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then - echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist" - export NPM_CERT=/data/tls/dummycert.pem - export NPM_KEY=/data/tls/dummykey.pem - echo "using dummycerts for npm and default hosts." + if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then + echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it" else export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem" @@ -421,11 +420,23 @@ else export NPM_KEY=/data/tls/dummykey.pem echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts." fi - fi +fi + +if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then + export NPM_CERT=/data/tls/dummycert.pem + export NPM_KEY=/data/tls/dummykey.pem + echo "something went wrong, using dummycerts for npm and default hosts." +fi +if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then + export NPM_CERT=/data/tls/dummycert.pem + export NPM_KEY=/data/tls/dummykey.pem + echo "something went wrong, using dummycerts for npm and default hosts." fi if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then if [ ! -f /data/tls/dummycert.pem ] || [ ! -f /data/tls/dummykey.pem ]; then + rm -vrf /data/tls/dummycert.pem \ + /data/tls/dummykey.pem openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem fi else 
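Review bot: The two mismatch checks added after the closing `fi` run the same three statements for mirror-image conditions and read more clearly as one block: `if { [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; } || { [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; }; then` followed by the existing body. Once that normalisation has run, the following `[ … = dummycert ] || [ … = dummykey ]` test can only see both-dummy or neither, which is worth a comment so nobody later "fixes" the `||`. The new `rm -vrf` of both dummy files when either is missing is correct because they are generated as a pair; a comment saying `# regenerate the pair together; a cert without its key is useless` would record why both are deleted.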
@@ -459,59 +470,38 @@ sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/def sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi -export NIBEP="${NIBEP:-48693}" sed -i "s|48693|$NIBEP|g" /app/index.js sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf -if [ -n "$IPV4_BINDING" ]; then - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf - find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; -else - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen \2/g" /app/templates/stream.conf - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf - find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \; - find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \; -fi +sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf +sed -i "s/#\?listen 
\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf +find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; +find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; +find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \; if [ "$DISABLE_IPV6" = "true" ]; then sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; -elif [ -n "$IPV6_BINDING" ]; then + find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \; +else sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; -else - sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen \[::\]:\2/g" /app/templates/stream.conf - sed -i "s/#\?listen 
\[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf - find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" {} \; - find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" {} \; + find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \; fi -export NPM_PORT="${NPM_PORT:-81}" - -if [ -n "$NPM_IPV4_BINDING" ]; then - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -else - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf - sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -fi +sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf +sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf if [ "$NPM_DISABLE_IPV6" = "true" ]; then sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm.conf sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -elif [ -n "$NPM_IPV6_BINDING" ]; then +else sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf sed -i "s/#\?listen 
\[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf -else - sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf - sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf fi if [ "$DISABLE_HTTP" = "true" ]; then @@ -546,9 +536,11 @@ fi if [ ! -f /data/etc/crowdsec/crowdsec.conf ]; then cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf +else + sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf fi -if grep -Eiq "ENABLED.*=.*true" /data/etc/crowdsec/crowdsec.conf; then +if grep -iq "^ENABLED[ ]\+\?=[ ]\+\?true$" /data/etc/crowdsec/crowdsec.conf; then cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf else rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf 
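Review bot: The unconditional `listen $IPV4_BINDING:\2` rewrites at the top of this hunk (and the `$IPV6_BINDING:\2`, `$NPM_IPV4_BINDING:$NPM_PORT` and `$NPM_IPV6_BINDING:$NPM_PORT` rewrites further down) replace the `-n` guards, while the `export NIBEP="${NIBEP:-48693}"` and `export NPM_PORT="${NPM_PORT:-81}"` defaults are removed in the same hunk, so all of these variables must now arrive already set. Nothing in this diff shows where that happens (presumably the image ENV); if any is empty the sed writes `listen :80`-style directives, or for NIBEP strips the port from index.js and npm.conf, and nginx fails at start-up with an error far from the cause. A fail-fast guard before the first sed keeps the failure explicit, e.g. `: "${IPV4_BINDING:?IPV4_BINDING must be set}"` and the same line for IPV6_BINDING, NPM_IPV4_BINDING, NPM_IPV6_BINDING, NPM_PORT and NIBEP. Note also that the removed `else` branch used to substitute `\[::\]`, so IPV6_BINDING and NPM_IPV6_BINDING are now expected to include their own brackets; that contract deserves a comment next to the first IPv6 sed.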
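Review bot: The new grep pattern `^ENABLED[ ]\+\?=[ ]\+\?true$` is harder to read than it needs to be: `[ ]\+\?` reads as "one or more spaces, optionally", i.e. zero or more, and `[ ]` does not match tabs, while the anchored `$` means a line ending in `true` followed by a trailing space or a CR (a file edited on Windows) no longer matches where the old `ENABLED.*=.*true` did. `grep -iq "^ENABLED[[:space:]]*=[[:space:]]*true[[:space:]]*$"` expresses the intended tightening and tolerates that. The `sed -i "s|crowdsec.conf|captcha.html|g"` in the new `else` branch rewrites every occurrence of that string in an existing config on every start; a comment naming the setting it migrates would tell the next maintainer when it can be removed.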
@@ -595,14 +587,32 @@ if [ "$PUID" != "0" ]; then chown -R "$PUID:$PGID" /usr/local/certbot \ /usr/local/nginx \ /data \ + /var \ /tmp + if [ "$PHP81" = "true" ]; then + sed -i "s|user =.*|user = $PUID|" /data/php/81/php-fpm.d/www.conf + sed -i "s|group =.*|group = $PGID|" /data/php/81/php-fpm.d/www.conf + fi + if [ "$PHP82" = "true" ]; then + sed -i "s|user =.*|user = $PUID|" /data/php/82/php-fpm.d/www.conf + sed -i "s|group =.*|group = $PGID|" /data/php/82/php-fpm.d/www.conf + fi sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf sudo -Eu npm launch.sh else chown -R 0:0 /usr/local/certbot \ /usr/local/nginx \ /data \ + /var \ /tmp + if [ "$PHP81" = "true" ]; then + sed -i "s|user =.*|user = 0|" /data/php/81/php-fpm.d/www.conf + sed -i "s|group =.*|group = 0|" /data/php/81/php-fpm.d/www.conf + fi + if [ "$PHP82" = "true" ]; then + sed -i "s|user =.*|user = 0|" /data/php/82/php-fpm.d/www.conf + sed -i "s|group =.*|group = 0|" /data/php/82/php-fpm.d/www.conf + fi sed -i "s|#\?user root;|user root;|g" /usr/local/nginx/conf/nginx.conf launch.sh fi diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf index 3b15e06f..d139368d 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf 
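Review bot: Adding `/var` to `chown -R "$PUID:$PGID"` (and to `chown -R 0:0` in the else branch) hands the whole of /var — package database, logs, caches, anything another service keeps there — to the unprivileged npm user, when the only new thing the script appears to need there is the php-fpm sockets now configured as `/var/php81.sock` and `/var/php82.sock`. A narrower target limits what a compromised worker can overwrite: create a dedicated directory (`mkdir -p <SOCKET_DIR>`, placeholder), point the php-fpm `listen` lines and the nginx upstreams at it, and chown only that path. The two new php-fpm user/group blocks are duplicated between the branches with only the id differing; setting `fpm_uid`/`fpm_gid` to `$PUID`/`$PGID` or `0` once above the branch and running the sed block once would remove the duplication. The enclosing `if [ "$PUID" != "0" ]` begins outside the hunk.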
@@ -1,164 +1,50 @@ ## Block SQL injections -set $block_sql_injections 0; - if ($query_string ~ "union.*select.*\(") { - set $block_sql_injections 1; + return 403; } if ($query_string ~ "union.*all.*select.*") { - set $block_sql_injections 1; + return 403; } if ($query_string ~ "concat.*\(") { - set $block_sql_injections 1; -} - -if ($block_sql_injections = 1) { return 403; } ## Block file injections -set $block_file_injections 0; - if ($query_string ~ "[a-zA-Z0-9_]=http://") { - set $block_file_injections 1; + return 403; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { - set $block_file_injections 1; + return 403; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { - set $block_file_injections 1; -} - -if ($block_file_injections = 1) { return 403; } ## Block common exploits -set $block_common_exploits 0; - if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { - set $block_common_exploits 1; + return 403; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { - set $block_common_exploits 1; + return 403; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { - set $block_common_exploits 1; + return 403; } if ($query_string ~ "proc/self/environ") { - set $block_common_exploits 1; + return 403; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { - set $block_common_exploits 1; + return 403; } if ($query_string ~ "base64_(en|de)code\(.*\)") { - set $block_common_exploits 1; -} - -if ($block_common_exploits = 1) { - return 403; -} - -## Block spam -set $block_spam 0; - -if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { - set $block_spam 1; -} - -if ($block_spam = 1) { - return 403; 
-} - -## Block user agents -set $block_user_agents 0; - -# Disable Akeeba Remote Control 2.5 and earlier -if ($http_user_agent ~ "Indy Library") { - set $block_user_agents 1; -} - -# Common bandwidth hoggers and hacking tools. -if ($http_user_agent ~ "libwww-perl") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "GetRight") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "GetWeb!") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Go!Zilla") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Download Demon") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Go-Ahead-Got-It") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "TurnitinBot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "GrabNet") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Amazonbot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Applebot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Bingbot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Facebookbot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Googlebot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "LinkedInBot") { - set $block_user_agents 1; -} - -if ($http_user_agent ~ "Twitterbot") { - set $block_user_agents 1; -} - -if ($block_user_agents = 1) { return 403; } diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf index 99eceea1..0eab1756 100644 --- a/rootfs/usr/local/nginx/conf/nginx.conf +++ b/rootfs/usr/local/nginx/conf/nginx.conf @@ -70,11 +70,11 @@ http { } upstream php81 { - server unix:/dev/php81.sock; + server unix:/var/php81.sock; } upstream php82 { - server unix:/dev/php82.sock; + server unix:/var/php82.sock; } # Fancy Index
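Review bot: Every rule in the rewritten block-exploits.conf still uses the case-sensitive `~` operator, so `union.*select` and the other query-string patterns match only one spelling; since the commit already turns each `if` into a standalone `return 403;`, switching them to `~*` (`if ($query_string ~* "union.*select.*\(") {`) is a one-token change per rule that makes the SQL, file-injection and common-exploit categories behave the way a blocklist like this is expected to. The spam-word and user-agent sections are removed outright, including the entries that blocked mainstream crawlers; a header comment stating that the file is a lightweight first-pass filter, which three categories it still covers, and that it is not a substitute for a full WAF would help the next maintainer judge the coverage. The hunk runs to the end of the file, so the whole file is visible here.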