ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-03 16:03:38 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

improve many things/dep updates

Browse Source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
renovate[bot]
2023-07-13 00:44:29 +00:00
committed by Zoey
parent c6ecb61c9b
commit 66bfcf8f6c
13 changed files with 267 additions and 344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/js.yml vendored
View File

@@ -25,6 +25,12 @@ jobs:
curl -L https://code.jquery.com/jquery-"$(git ls-remote --tags https://github.com/jquery/jquery | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")".min.js -o rootfs/nftd/jquery.min.js
curl -L https://cdn.jsdelivr.net/npm/bootstrap@"$(git ls-remote --tags https://github.com/twbs/bootstrap v3.3.* | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")"/dist/css/bootstrap.min.css -o rootfs/html/404/bootstrap.min.css
curl -L https://cdn.jsdelivr.net/npm/bootstrap@"$(git ls-remote --tags https://github.com/twbs/bootstrap v3.3.* | cut -d/ -f3 | sort -V | tail -1 | sed -E "s/\^\{\}//")"/dist/css/bootstrap.min.css -o rootfs/html/default/bootstrap.min.css
- name: eslint
run: |
yarn global add nginxbeautifier
mv rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf block-exploits.conf
nginxbeautifier -s 4 -r rootfs/usr/local/nginx/conf
mv block-exploits.conf rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
- name: push changes
run: |
git add -A

2
.github/workflows/shellcheck.yml vendored
View File

@@ -14,4 +14,4 @@ jobs:
with:
check_together: 'yes'
env:
SHELLCHECK_OPTS: --shell sh
SHELLCHECK_OPTS: --shell sh -e SC2153

27
Dockerfile
View File

@@ -55,7 +55,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
FROM zoeyvid/nginx-quic:176
COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata \
RUN apk add --no-cache ca-certificates tzdata tini \
lua5.1-lzlib \
nodejs-current \
openssl apache2-utils \
@@ -73,10 +73,6 @@ RUN apk add --no-cache ca-certificates tzdata \
echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-after.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
wget https://patch-diff.githubusercontent.com/raw/coreruleset/coreruleset/pull/3218.patch -O /tmp/coreruleset/http3.patch && \
cd /tmp/coreruleset && \
git apply /tmp/coreruleset/http3.patch && \
cd / && \
mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
cp /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
@@ -122,6 +118,25 @@ ENV NODE_ENV=production \
PATH="/usr/local/certbot/bin:$PATH" \
DB_SQLITE_FILE=/data/etc/npm/database.sqlite
ENV PUID=0 \
PGID=0 \
NIBEP=48693 \
NPM_PORT=81 \
IPV4_BINDING=0.0.0.0 \
NPM_IPV4_BINDING=0.0.0.0 \
IPV6_BINDING=[::] \
NPM_IPV6_BINDING=[::] \
DISABLE_IPV6=false \
NPM_DISABLE_IPV6=false \
NPM_LISTEN_LOCALHOST=false \
NPM_CERT_ID=0 \
DISABLE_HTTP=false \
NGINX_LOG_NOT_FOUND=false \
CLEAN=true \
FULLCLEAN=false \
PHP81=false \
PHP82=false
WORKDIR /app
ENTRYPOINT ["start.sh"]
ENTRYPOINT ["tini", "--", "start.sh"]
HEALTHCHECK CMD healthcheck.sh

91
README.md
View File

@@ -20,7 +20,9 @@ running at home or otherwise, including free TLS, without having to know too muc
- [Screenshots](https://nginxproxymanager.com/screenshots)
# Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
## Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
## Note: NO armv7 support
## Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host
## Project Goal
@@ -40,7 +42,7 @@ so that the barrier for entry here is low.
- Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io)
- Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx
- Free trusted TLS certificates using Certbot (Let's Encrypt) or provide your own custom TLS certificates
- Free trusted TLS certificates using Certbot (Let's Encrypt/other CAs) or provide your own custom TLS certificates
- Access Lists and basic HTTP Authentication for your hosts
- Advanced Nginx configuration available for super users
- User management, permissions and audit log
@@ -54,7 +56,7 @@ so that the barrier for entry here is low.
- If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file.
- Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
- Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM).
- Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and relaunches it. This can result in a 502 error when you update your hosts
- Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
- Darkmode button in the footer for comfortable viewing (CSS done by [@theraw](https://github.com/theraw))
- Fixes proxy to https origin when the origin only accepts TLSv1.3
- Only enables TLSv1.2 and TLSv1.3 protocols
@@ -72,7 +74,7 @@ so that the barrier for entry here is low.
- Access Log disabled
- Error Log written to console
- `Server` response header hidden
- PHP optional, with option to add extensions; available packages can be found [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*)
- PHP optional, with option to add extensions; available packages can be found [here](https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*)
- Allows different acme servers/certbot config file (/opt/npm/tls/certbot/config.ini)
- Supports up to 99 domains per cert
- Brotli compression can be enabled
@@ -86,7 +88,7 @@ so that the barrier for entry here is low.
- Option to set IP bindings for multiple instances in network mode host
- Option to change backend port
- See the composefile for all available options
- If you want to redirect all HTTP traffic to HTTPS, you can use the `compose.override.yaml` file. This will also enable `h2c` (unencrypted `HTTP/2`), while keeping `HTTP/1.0` and `HTTP/1.1`.
- If you want to redirect all HTTP traffic to HTTPS, you can use the `compose.override.yaml` file.
## Soon
- maybe redis and/or sql databases built in
@@ -123,7 +125,7 @@ a) Custom Nginx Configuration (advanced tab), which looks the following for file
- Note: the slash at the end of the file path is important
```
location / {
alias /var/www/<your-html-site-folder-name>/;
alias /var/www/<your-html-site-folder-name>/;
}
```
b) Custom Nginx Configuration (advanced tab), which looks the following for file server and **php**:
@@ -133,13 +135,16 @@ b) Custom Nginx Configuration (advanced tab), which looks the following for file
- Note: to add more php extension use the packages from [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php8*-*) and add them using the `PHP_APKS` env (see compose file)
```
location / {
alias /var/www/<your-php-site-folder-name>/;
alias /var/www/<your-html-site-folder-name>/;
location ~ [^/]\.php(/|$) {
fastcgi_pass php82;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {return 404;}
}}
location ~ [^/]\.php(/|$) {
fastcgi_pass php82;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404
}
}
}
```
# custom acme server
@@ -160,37 +165,37 @@ if (!-f $document_root$fastcgi_script_name) {return 404;}
```yml
version: "3"
services:
nginx-proxy-manager:
container_name: nginx-proxy-manager
image: zoeyvid/nginx-proxy-manager
restart: always
network_mode: host
volumes:
- "/opt/npm:/data"
# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
environment:
- "TZ=Europe/Berlin" # set timezone, default UTC
# - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root)
# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false
# - "PHP81=true" # Activate PHP81, default false
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP82=true" # Activate PHP82, default false
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none
nginx-proxy-manager:
container_name: nginx-proxy-manager
image: zoeyvid/nginx-proxy-manager
restart: always
network_mode: host
volumes:
- "/opt/npm:/data"
# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
environment:
- "TZ=Europe/Berlin" # set timezone, required
# - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root)
# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false
# - "PHP81=true" # Activate PHP81, default false
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP82=true" # Activate PHP82, default false
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none
```
3. Bring up your stack by running (or deploy your portainer stack)

8
backend/internal/nginx.js
View File

@@ -107,7 +107,7 @@ const internalNginx = {
logger.info('Testing Nginx configuration');
}
return utils.exec('nginx -t -g "error_log off;"');
return utils.exec('nginx -tq');
},
/**
@@ -120,13 +120,13 @@ const internalNginx = {
if (fs.existsSync(NgxPidFilePath)) {
const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
if (ngxPID.length > 0) {
logger.info('Killing Nginx');
utils.exec(`kill ${ngxPID}`);
logger.info('Quitting Nginx');
utils.exec('nginx -s quit');
}
}
logger.info('Starting Nginx in three seconds');
setTimeout(() => {
utils.execfg('nginx');
utils.execfg('nginx -e stderr');
}, 3000);
});
},

6
backend/package.json
View File

@@ -15,13 +15,13 @@
"express-fileupload": "1.4.0",
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.1",
"knex": "2.4.2",
"knex": "2.5.1",
"liquidjs": "10.8.4",
"lodash": "4.17.21",
"moment": "2.29.4",
"mysql": "2.18.1",
"node-rsa": "1.1.1",
"objection": "3.0.4",
"objection": "3.1.1",
"path": "0.12.7",
"signale": "1.4.0",
"sqlite3": "5.1.6"
@@ -32,7 +32,7 @@
"author": "Jamie Curnow <jc@jc21.com>",
"license": "MIT",
"devDependencies": {
"eslint": "8.44.0",
"eslint": "8.46.0",
"eslint-plugin-align-assignments": "1.1.2"
}
}

18
compose.yaml
View File

@@ -10,24 +10,24 @@ services:
# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
environment:
- "TZ=Europe/Berlin" # set timezone, default UTC
- "TZ=Europe/Berlin" # set timezone, required
# - "PUID=1000" # set group id, default 0 (root)
# - "PGID=1000" # set user id, default 0 (root)
# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts
# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false
# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "CLEAN=false" # Clean folders, default true
# - "FULLCLEAN=true" # Clean unused config folders, default false
# - "PHP81=true" # Activate PHP81, default false
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none
# - "PHP82=true" # Activate PHP82, default false
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none
# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none

2
frontend/js/i18n/messages.json
View File

@@ -288,7 +288,7 @@
"default-site": "Default Site",
"default-site-congratulations": "Congratulations Page",
"default-site-404": "404 Page",
"default-site-444": "Drop connection (444)",
"default-site-444": "Drop connection - only allows certbot dns-challenge",
"default-site-html": "Custom Page",
"default-site-redirect": "Redirect"
}

6
frontend/package.json
View File

@@ -4,11 +4,11 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
"@babel/core": "7.22.8",
"@babel/core": "7.22.9",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-preset-env": "1.7.0",
"backbone": "1.4.1",
"backbone": "1.5.0",
"backbone.marionette": "4.1.3",
"copy-webpack-plugin": "5.1.2",
"css-loader": "5.2.7",
@@ -28,7 +28,7 @@
"mini-css-extract-plugin": "1.6.2",
"moment": "2.29.4",
"node-sass": "7.0.3",
"nodemon": "2.0.22",
"nodemon": "3.0.1",
"numeral": "2.0.6",
"sass-loader": "10.4.1",
"style-loader": "3.3.3",

7
rootfs/bin/launch.sh
View File

@@ -8,6 +8,8 @@ echo "
| |\ | __/| | | |
|_| \_|_| |_| |_|
-------------------------------------
Version: $(jq -r .version /app/package.json)
Date: $(date)
User: $(whoami)
PUID: $PUID
User ID: $(id -u)
@@ -16,8 +18,7 @@ Group ID: $(id -g)
-------------------------------------
"
if ! nginx -t > /dev/null 2>&1; then
nginx -T
if ! nginx -tq; then
sleep inf
fi
@@ -37,5 +38,5 @@ fi
if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
index.js &
index.js
wait

302
rootfs/bin/start.sh
View File

@@ -14,83 +14,123 @@ if [ ! -d /data ]; then
sleep inf
fi
if [ -n "$PGID" ] && [ -z "$PUID" ]; then
echo "You've set PGID but not PUID. Running with PGID 0."
export PGID="0"
if [ -z "$TZ" ] || ! echo "$TZ" | grep -q "^[A-Za-z/]\+$"; then
echo "TZ is unset or invalid."
sleep inf
fi
export PUID="${PUID:-0}"
if ! echo "$PUID" | grep -q "^[0-9]\+$"; then
echo "You've set PUID but not to an allowed value."
echo "It needs to be a string. Allowed are digits 0-9"
echo "It is set to \"$PUID\"."
echo "PUID needs to be a number."
sleep inf
fi
export PGID="${PGID:-0}"
if ! echo "$PGID" | grep -q "^[0-9]\+$"; then
echo "You've set PGID but not to an allowed value."
echo "It needs to be a string. Allowed are digits 0-9"
echo "It is set to \"$PGID\"."
echo "PGID needs to be a number."
sleep inf
fi
if [ -n "$IPV4_BINDING" ]; then
if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "You've set IPV4_BINDING but not to an allowed value."
echo "It needs to be a string. Allowed are digits 0-9 and dots"
echo "It is set to \"$IPV4_BINDING\"."
sleep inf
fi
fi
if [ "$DISABLE_IPV6" = "true" ] && [ -n "$IPV6_BINDING" ]; then
echo "You can't disable IPv6 and set a binding for it."
if ! echo "$NIBEP" | grep -q "^[0-9]\+$"; then
echo "NIBEP needs to be a number."
sleep inf
fi
if [ -n "$IPV6_BINDING" ]; then
if ! echo "$IPV6_BINDING" | grep -q "\[[0-9a-f:]\+\]"; then
echo "You've set IPV6_BINDING but not to an allowed value."
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9 and colons inside square bracket"
echo "It is set to \"$IPV6_BINDING\"."
sleep inf
fi
if ! echo "$NPM_PORT" | grep -q "^[0-9]\+$"; then
echo "NPM_PORT needs to be a number."
sleep inf
fi
if { [ -n "$NPM_IPV4_BINDING" ] || [ -n "$NPM_IPV6_BINDING" ]; } && [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
echo "You can't set IPv4/IPv6 bindings for npm, while NPM_LISTEN_LOCALHOST is enabled"
if ! echo "$IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "IPV4_BINDING needs to be a IPv4-Address."
sleep inf
fi
if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "NPM_IPV4_BINDING needs to be a IPv4-Address."
sleep inf
fi
if ! echo "$IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
echo "IPV6_BINDING needs to be a IPv6-Address inside []."
sleep inf
fi
if ! echo "$NPM_IPV6_BINDING" | grep -q "^\[[0-9a-f:]\+\]$"; then
echo "NPM_IPV6_BINDING needs to be a IPv6-Address inside []."
sleep inf
fi
if ! echo "$DISABLE_IPV6" | grep -q "^true$\|^false$"; then
echo "DISABLE_IPV6 needs to be true or false."
sleep inf
fi
if ! echo "$NPM_DISABLE_IPV6" | grep -q "^true$\|^false$"; then
echo "NPM_DISABLE_IPV6 needs to be true or false."
sleep inf
fi
if ! echo "$NPM_LISTEN_LOCALHOST" | grep -q "^true$\|^false$"; then
echo "NPM_LISTEN_LOCALHOST needs to be true or false."
sleep inf
fi
if ! echo "$NPM_CERT_ID" | grep -q "^[0-9]\+$"; then
echo "NPM_CERT_ID needs to be a number."
sleep inf
fi
if ! echo "$DISABLE_HTTP" | grep -q "^true$\|^false$"; then
echo "DISABLE_HTTP needs to be true or false."
sleep inf
fi
if ! echo "$NGINX_LOG_NOT_FOUND" | grep -q "^true$\|^false$"; then
echo "NGINX_LOG_NOT_FOUND needs to be true or false."
sleep inf
fi
if ! echo "$CLEAN" | grep -q "^true$\|^false$"; then
echo "CLEAN needs to be true or false."
sleep inf
fi
if ! echo "$FULLCLEAN" | grep -q "^true$\|^false$"; then
echo "FULLCLEAN needs to be true or false."
sleep inf
fi
if ! echo "$PHP81" | grep -q "^true$\|^false$"; then
echo "PHP81 needs to be true or false."
sleep inf
fi
if [ -n "$PHP81_APKS" ] && ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "PHP81_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens."
sleep inf
fi
if ! echo "$PHP82" | grep -q "^true$\|^false$"; then
echo "PHP82 needs to be true or false."
sleep inf
fi
if [ -n "$PHP82_APKS" ] && ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "PHP82_APKS can consist of lower letters a-z, numbers 0-9, spaces, underscores and hyphens."
sleep inf
fi
if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
echo "You've set PGID but not PUID. Running resetting PGID to 0."
export PGID="0"
fi
if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
export NPM_IPV4_BINDING="127.0.0.1"
export NPM_IPV6_BINDING="[::1]"
fi
if [ -n "$NPM_IPV4_BINDING" ]; then
if ! echo "$NPM_IPV4_BINDING" | grep -q "^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$"; then
echo "You've set NPM_IPV4_BINDING but not to an allowed value."
echo "It needs to be a string. Allowed are digits 0-9 and dots"
echo "It is set to \"$NPM_IPV4_BINDING\"."
sleep inf
fi
fi
if [ "$NPM_DISABLE_IPV6" = "true" ] && [ -n "$NPM_IPV6_BINDING" ]; then
echo "You can't disable IPv6 and set a binding for it."
sleep inf
fi
if [ -n "$NPM_IPV6_BINDING" ]; then
if ! echo "$NPM_IPV6_BINDING" | grep -q "\[[0-9a-f:]\+\]"; then
echo "You've set NPM_IPV6_BINDING but not to an allowed value."
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9 and colons inside square bracket"
echo "It is set to \"$NPM_IPV6_BINDING\"."
sleep inf
fi
fi
if [ "$PHP81" = "true" ] || [ "$PHP82" = "true" ]; then
apk add --no-cache fcgi
fi
@@ -101,16 +141,9 @@ apk add --no-cache php81-fpm
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP81_APKS" ]; then
if ! echo "$PHP81_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP81_APKS but not to an allowed value."
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores."
echo "It is set to \"$PHP81_APKS\"."
sleep inf
fi
for apk in $(echo "$PHP81_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -Ewq "php81-.*"; then
if ! echo "$apk" | grep -q "^php81-.*$"; then
echo "$apk is a non allowed value."
echo "It needs to start with \"php81-\"."
echo "It is set to \"$apk\"."
@@ -127,12 +160,10 @@ apk add --no-cache php81-fpm
mkdir -vp /data/php
cp -vrnT /etc/php81 /data/php/81
sed -i "s|user =.*|user = root|" /data/php/81/php-fpm.d/www.conf
sed -i "s|group =.*|group = root|" /data/php/81/php-fpm.d/www.conf
sed -i "s|listen =.*|listen = /dev/php81.sock|" /data/php/81/php-fpm.d/www.conf
sed -i "s|listen =.*|listen = /var/php81.sock|" /data/php/81/php-fpm.d/www.conf
sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf
else
elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/php/81
fi
@@ -142,16 +173,9 @@ apk add --no-cache php82-fpm
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP82_APKS" ]; then
if ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP82_APKS but not to an allowed value."
echo "It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores."
echo "It is set to \"$PHP82_APKS\"."
sleep inf
fi
for apk in $(echo "$PHP82_APKS" | tr " " "\n"); do
if ! echo "$apk" | grep -Ewq "php82-.*"; then
if ! echo "$apk" | grep -q "^php82-.*$"; then
echo "$apk is a non allowed value."
echo "It needs to start with \"php82-\"."
echo "It is set to \"$apk\"."
@@ -168,12 +192,10 @@ apk add --no-cache php82-fpm
mkdir -vp /data/php
cp -vrnT /etc/php82 /data/php/82
sed -i "s|user =.*|user = root|" /data/php/82/php-fpm.d/www.conf
sed -i "s|group =.*|group = root|" /data/php/82/php-fpm.d/www.conf
sed -i "s|listen =.*|listen = /dev/php82.sock|" /data/php/82/php-fpm.d/www.conf
sed -i "s|listen =.*|listen = /var/php82.sock|" /data/php/82/php-fpm.d/www.conf
sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf
else
elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/php/82
fi
@@ -243,10 +265,6 @@ if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then
mv -vn /data/ssl/* /data/tls
fi
if [ -z "$CLEAN" ]; then
export CLEAN=true
fi
if [ "$CLEAN" = "true" ]; then
rm -vrf /data/letsencrypt-acme-challenge \
/data/nginx/dummycert.pem \
@@ -268,21 +286,17 @@ if [ "$CLEAN" = "true" ]; then
/data/logs \
/data/error.log \
/data/nginx/error.log
certbot-cleaner.sh
fi
if [ -f "$DB_SQLITE_FILE" ]; then
sqlite-vaccum.js
fi
if [ -z "$FULLCLEAN" ]; then
export FULLCLEAN=false
fi
if [ "$FULLCLEAN" = "true" ]; then
if [ "$PHP81" != "true" ] && [ "$PHP82" != "true" ]; then
rm -vrf /data/php
fi
certbot-cleaner.sh
fi
find /data/nginx -type f -name '*.conf' -exec sed -i "s| http2||g" {} \;
@@ -338,24 +352,15 @@ touch /data/etc/html/index.html \
/data/nginx/custom/server_stream_udp.conf
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
if [ -z "$NPM_CERT_ID" ]; then
if [ "$NPM_CERT_ID" = "0" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "no NPM_CERT_ID set, using dummycerts for npm and default hosts."
else
if ! echo "$NPM_CERT_ID" | grep -q "[0-9]"; then
echo "NPM_CERT_ID is a non allowed value."
echo "It needs to be a number."
echo "It is set to \"$NPM_CERT_ID\"."
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
else
if [ -d "/data/tls/certbot/live/npm-$NPM_CERT_ID" ]; then
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
@@ -364,7 +369,7 @@ else
export NPM_CERT=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/certbot/live/npm-$NPM_CERT_ID/fullchain.pem"
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
@@ -373,11 +378,8 @@ else
export NPM_KEY=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/certbot/live/npm-$NPM_CERT_ID/privkey.pem"
if ! ls /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
if [ ! -f /data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem ]; then
echo "/data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
else
export NPM_CHAIN=/data/tls/certbot/live/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/certbot/live/npm-$NPM_CERT_ID/chain.pem"
@@ -386,7 +388,7 @@ else
fi
elif [ -d "/data/tls/custom/npm-$NPM_CERT_ID" ]; then
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem > /dev/null 2>&1; then
if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
@@ -395,7 +397,7 @@ else
export NPM_CERT=/data/tls/custom/npm-"$NPM_CERT_ID"/fullchain.pem
echo "NPM_CERT set to /data/tls/custom/npm-$NPM_CERT_ID/fullchain.pem"
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem > /dev/null 2>&1; then
if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/privkey.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
@@ -404,11 +406,8 @@ else
export NPM_KEY=/data/tls/custom/npm-"$NPM_CERT_ID"/privkey.pem
echo "NPM_KEY set to /data/tls/custom/npm-$NPM_CERT_ID/privkey.pem"
if ! ls /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem > /dev/null 2>&1; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist"
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "using dummycerts for npm and default hosts."
if [ ! -f /data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem ]; then
echo "/data/tls/custom/npm-$NPM_CERT_ID/chain.pem does not exist, running without it"
else
export NPM_CHAIN=/data/tls/custom/npm-"$NPM_CERT_ID"/chain.pem
echo "NPM_CHAIN set to /data/tls/custom/npm-$NPM_CERT_ID/chain.pem"
@@ -421,11 +420,23 @@ else
export NPM_KEY=/data/tls/dummykey.pem
echo "cert with ID $NPM_CERT_ID does not exist, using dummycerts for npm and default hosts."
fi
fi
fi
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" != "/data/tls/dummykey.pem" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
if [ "$NPM_CERT" != "/data/tls/dummycert.pem" ] && [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
echo "something went wrong, using dummycerts for npm and default hosts."
fi
if [ "$NPM_CERT" = "/data/tls/dummycert.pem" ] || [ "$NPM_KEY" = "/data/tls/dummykey.pem" ]; then
if [ ! -f /data/tls/dummycert.pem ] || [ ! -f /data/tls/dummykey.pem ]; then
rm -vrf /data/tls/dummycert.pem \
/data/tls/dummykey.pem
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
fi
else
@@ -459,59 +470,38 @@ sed -i "s|#\?ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /app/templates/def
sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /app/templates/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /app/templates/default.conf; fi
export NIBEP="${NIBEP:-48693}"
sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
if [ -n "$IPV4_BINDING" ]; then
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
else
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen \2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen \2/g" {} \;
fi
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
if [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
elif [ -n "$IPV6_BINDING" ]; then
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen \[::\]:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" {} \;
find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:\2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
fi
export NPM_PORT="${NPM_PORT:-81}"
if [ -n "$NPM_IPV4_BINDING" ]; then
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
else
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $NPM_IPV4_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
if [ "$NPM_DISABLE_IPV6" = "true" ]; then
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
elif [ -n "$NPM_IPV6_BINDING" ]; then
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $NPM_IPV6_BINDING:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen \[::\]:$NPM_PORT/g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
fi
if [ "$DISABLE_HTTP" = "true" ]; then
@@ -546,9 +536,11 @@ fi
if [ ! -f /data/etc/crowdsec/crowdsec.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf
else
sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf
fi
if grep -Eiq "ENABLED.*=.*true" /data/etc/crowdsec/crowdsec.conf; then
if grep -iq "^ENABLED[ ]\+\?=[ ]\+\?true$" /data/etc/crowdsec/crowdsec.conf; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf
else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
@@ -595,14 +587,32 @@ if [ "$PUID" != "0" ]; then
chown -R "$PUID:$PGID" /usr/local/certbot \
/usr/local/nginx \
/data \
/var \
/tmp
if [ "$PHP81" = "true" ]; then
sed -i "s|user =.*|user = $PUID|" /data/php/81/php-fpm.d/www.conf
sed -i "s|group =.*|group = $PGID|" /data/php/81/php-fpm.d/www.conf
fi
if [ "$PHP82" = "true" ]; then
sed -i "s|user =.*|user = $PUID|" /data/php/82/php-fpm.d/www.conf
sed -i "s|group =.*|group = $PGID|" /data/php/82/php-fpm.d/www.conf
fi
sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf
sudo -Eu npm launch.sh
else
chown -R 0:0 /usr/local/certbot \
/usr/local/nginx \
/data \
/var \
/tmp
if [ "$PHP81" = "true" ]; then
sed -i "s|user =.*|user = 0|" /data/php/81/php-fpm.d/www.conf
sed -i "s|group =.*|group = 0|" /data/php/81/php-fpm.d/www.conf
fi
if [ "$PHP82" = "true" ]; then
sed -i "s|user =.*|user = 0|" /data/php/82/php-fpm.d/www.conf
sed -i "s|group =.*|group = 0|" /data/php/82/php-fpm.d/www.conf
fi
sed -i "s|#\?user root;|user root;|g" /usr/local/nginx/conf/nginx.conf
launch.sh
fi

132
rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
View File

@@ -1,164 +1,50 @@
## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
return 403;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
return 403;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
## Block file injections
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $block_file_injections 1;
return 403;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
return 403;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}
## Block common exploits
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
return 403;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
return 403;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
return 403;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
return 403;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
return 403;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
## Block spam
set $block_spam 0;
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 403;
}
## Block user agents
set $block_user_agents 0;
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Amazonbot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Applebot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Bingbot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Facebookbot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Googlebot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "LinkedInBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Twitterbot") {
set $block_user_agents 1;
}
if ($block_user_agents = 1) {
return 403;
}

4
rootfs/usr/local/nginx/conf/nginx.conf
View File

@@ -70,11 +70,11 @@ http {
}
upstream php81 {
server unix:/dev/php81.sock;
server unix:/var/php81.sock;
}
upstream php82 {
server unix:/dev/php82.sock;
server unix:/var/php82.sock;
}
# Fancy Index