ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-02 15:33:32 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

rebrand SSL to TLS

Browse Source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey
2023-01-02 17:01:06 +01:00
parent d7db5527d9
commit 6c56070a46
22 changed files with 164 additions and 243 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/docker.yml vendored
View File

@@ -30,9 +30,9 @@ jobs:
run: |
sudo npm install --global cross-env
sudo pip install certbot
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini
sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
mv global backend
cd backend
npm install --force

4
.github/workflows/pull-request.yaml vendored
View File

@@ -25,9 +25,9 @@ jobs:
run: |
sudo npm install --global cross-env
sudo pip install certbot
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini
sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
mv global backend
cd backend
npm install --force

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM zoeyvid/nginx-quic:30
FROM zoeyvid/nginx-quic:31
COPY rootfs /
COPY backend /app
COPY global /app/global

12
README.md
View File

@@ -12,7 +12,7 @@
This project comes as a pre-built docker image that enables you to easily forward to your websites
running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt.
running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
- [Quick Setup](#quick-setup)
- [Screenshots](https://nginxproxymanager.com/screenshots)
@@ -21,7 +21,7 @@ running at home or otherwise, including free SSL, without having to know too muc
## Project Goal
I created this project to fill a personal need to provide users with a easy way to accomplish reverse
proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
While there might be advanced options they are optional and the project should be as simple as possible
so that the barrier for entry here is low.
@@ -32,7 +32,7 @@ so that the barrier for entry here is low.
- Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io/)
- Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx
- Free SSL using Let's Encrypt or provide your own custom SSL certificates
- Free trusted TLS certificates using Certbot (Let's Encrypt) or provide your own custom TLS certificates
- Access Lists and basic HTTP Authentication for your hosts
- Advanced Nginx configuration available for super users
- User management, permissions and audit log
@@ -44,10 +44,10 @@ so that the barrier for entry here is low.
- Fix Proxy Hosts, if origin only accepts TLSv1.3
- Only use TLSv1.2 and TLSv1.3
- Uses OCSP Stapling
- Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/ssl/custom/npm-[certificate-id]` folder
- Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
- Smaller then the original
- Runs the admin interface on port 81 with ssl (https)
- Default page runs also with ssl (https)
- Runs the admin interface on port 81 with https
- Default page runs also with https
- Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if you use the npm directly as webserver
- Expose INTERNAL backend api only to localhost
- Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers), enabled by default if you enable hsts

59
backend/internal/certificate.js
View File

@@ -14,8 +14,8 @@ const internalHost = require('./host');
const archiver = require('archiver');
const path = require('path');
const { isArray } = require('lodash');
const certbotConfig = '/data/ssl/certbot/config.ini';
const certbotCommand = 'certbot --config-dir /data/ssl/certbot';
const certbotConfig = '/data/tls/certbot/config.ini';
const certbotCommand = 'certbot --config-dir /data/tls/certbot';
function omissions() {
return ['is_deleted'];
@@ -29,19 +29,19 @@ const internalCertificate = {
intervalProcessing: false,
initTimer: () => {
logger.info('Let\'s Encrypt Renewal Timer initialized');
logger.info('Certbot Encrypt Renewal Timer initialized');
internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.intervalTimeout);
// And do this now as well
internalCertificate.processExpiringHosts();
},
/**
* Triggered by a timer, this will check for expiring hosts and renew their ssl certs if required
* Triggered by a timer, this will check for expiring hosts and renew their tls certs if required
*/
processExpiringHosts: () => {
if (!internalCertificate.intervalProcessing) {
internalCertificate.intervalProcessing = true;
logger.info('Renewing SSL certs close to expiry...');
logger.info('Renewing TLS certs close to expiry...');
const cmd = certbotCommand + ' renew --non-interactive --quiet ' +
'--config "' + certbotConfig + '" ' +
@@ -72,7 +72,7 @@ const internalCertificate = {
certificates.map(function (certificate) {
promises.push(
internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem')
internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
.then((cert_info) => {
return certificateModel
.query()
@@ -124,13 +124,13 @@ const internalCertificate = {
})
.then((certificate) => {
if (certificate.provider === 'letsencrypt') {
// Request a new Cert from LE. Let the fun begin.
// Request a new Cert using Certbot. Let the fun begin.
// 1. Find out any hosts that are using any of the hostnames in this cert
// 2. Disable them in nginx temporarily
// 3. Generate the LE config
// 3. Generate the Certbot config
// 4. Request cert
// 5. Remove LE config
// 5. Remove Certbot config
// 6. Re-instate previously disabled hosts
// 1. Find out any hosts that are using any of the hostnames in this cert
@@ -166,7 +166,7 @@ const internalCertificate = {
});
});
} else {
// 3. Generate the LE config
// 3. Generate the Certbot config
return internalNginx.generateLetsEncryptRequestConfig(certificate)
.then(internalNginx.reload)
.then(async() => await new Promise((r) => setTimeout(r, 5000)))
@@ -175,7 +175,7 @@ const internalCertificate = {
return internalCertificate.requestLetsEncryptSsl(certificate);
})
.then(() => {
// 5. Remove LE config
// 5. Remove Certbot config
return internalNginx.deleteLetsEncryptRequestConfig(certificate);
})
.then(internalNginx.reload)
@@ -202,7 +202,7 @@ const internalCertificate = {
.then(() => {
// At this point, the certbot cert should exist on disk.
// Lets get the expiry date from the file and update the row silently
return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem')
return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
.then((cert_info) => {
return certificateModel
.query()
@@ -352,7 +352,7 @@ const internalCertificate = {
})
.then((certificate) => {
if (certificate.provider === 'letsencrypt') {
const zipDirectory = '/data/ssl/certbot/live/npm-' + data.id;
const zipDirectory = '/data/tls/certbot/live/npm-' + data.id;
if (!fs.existsSync(zipDirectory)) {
throw new error.ItemNotFoundError('Certificate ' + certificate.nice_name + ' does not exists');
@@ -372,7 +372,7 @@ const internalCertificate = {
resolve(resp);
}).catch((err) => reject(err));
} else {
throw new error.ValidationError('Only Let\'sEncrypt certificates can be downloaded');
throw new error.ValidationError('Only Certbot certificates can be downloaded');
}
}).catch((err) => reject(err));
});
@@ -517,7 +517,7 @@ const internalCertificate = {
writeCustomCert: (certificate) => {
logger.info('Writing Custom Certificate:', certificate);
const dir = '/data/custom_ssl/npm-' + certificate.id;
const dir = '/data/tls/custom/npm-' + certificate.id;
return new Promise((resolve, reject) => {
if (certificate.provider === 'letsencrypt') {
@@ -758,7 +758,6 @@ const internalCertificate = {
return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout');
})
.then((result) => {
// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
const regex = /^(?:issuer=)?(.*)$/gim;
const match = regex.exec(result);
@@ -813,7 +812,7 @@ const internalCertificate = {
},
/**
* Cleans the ssl keys from the meta object and sets them to "true"
* Cleans the tls keys from the meta object and sets them to "true"
*
* @param {Object} meta
* @param {Boolean} [remove]
@@ -839,7 +838,7 @@ const internalCertificate = {
* @returns {Promise}
*/
requestLetsEncryptSsl: (certificate) => {
logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' certonly ' +
'--config "' + certbotConfig + '" ' +
@@ -872,12 +871,12 @@ const internalCertificate = {
throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
}
logger.info(`Requesting Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
logger.info(`Requesting Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
// Escape single quotes and backslashes
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
const credentialsCmd = 'mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
const credentialsCmd = 'mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
// Whether the plugin has a --<name>-credentials argument
@@ -943,7 +942,7 @@ const internalCertificate = {
return renewMethod(certificate)
.then(() => {
return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem');
return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem');
})
.then((cert_info) => {
return certificateModel
@@ -965,7 +964,7 @@ const internalCertificate = {
});
});
} else {
throw new error.ValidationError('Only Let\'sEncrypt certificates can be renewed');
throw new error.ValidationError('Only Certbot certificates can be renewed');
}
});
},
@@ -975,7 +974,7 @@ const internalCertificate = {
* @returns {Promise}
*/
renewLetsEncryptSsl: (certificate) => {
logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' renew --force-renewal ' +
'--config "' + certbotConfig + '" ' +
@@ -1004,7 +1003,7 @@ const internalCertificate = {
throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
}
logger.info(`Renewing Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
logger.info(`Renewing Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
let mainCmd = certbotCommand + ' renew ' +
'--config "' + certbotConfig + '" ' +
@@ -1014,7 +1013,7 @@ const internalCertificate = {
// Prepend the path to the credentials file as an environment variable
if (certificate.meta.dns_provider === 'route53') {
const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
}
@@ -1033,15 +1032,15 @@ const internalCertificate = {
* @returns {Promise}
*/
revokeLetsEncryptSsl: (certificate, throw_errors) => {
logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
logger.info('Revoking Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const mainCmd = certbotCommand + ' revoke ' +
'--config "' + certbotConfig + '" ' +
'--cert-path "/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' +
'--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' +
'--delete-after-revoke';
// Don't fail command if file does not exist
const delete_credentialsCmd = `rm -f '/data/ssl/certbot/credentials/credentials-${certificate.id}' || true`;
const delete_credentialsCmd = `rm -f '/data/tls/certbot/credentials/credentials-${certificate.id}' || true`;
logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
@@ -1065,7 +1064,7 @@ const internalCertificate = {
* @returns {Boolean}
*/
hasLetsEncryptSslCerts: (certificate) => {
const letsencryptPath = '/data/ssl/certbot/live/npm-' + certificate.id;
const letsencryptPath = '/data/tls/certbot/live/npm-' + certificate.id;
return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem');
},

4
backend/internal/nginx.js
View File

@@ -54,12 +54,12 @@ const internalNginx = {
.catch((err) => {
// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
// It will always look like this:
// nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)
// nginx: [alert] could not open error log file: open() "/dev/null" failed (6: No such device or address)
let valid_lines = [];
let err_lines = err.message.split('\n');
err_lines.map(function (line) {
if (line.indexOf('/data/nginx/error.log') === -1) {
if (line.indexOf('/dev/null') === -1) {
valid_lines.push(line);
}
});

4
backend/routes/api/nginx/certificates.js
View File

@@ -207,7 +207,7 @@ router
});
/**
* Renew LE Certs
* Renew Certbot Certs
*
* /api/nginx/certificates/123/renew
*/
@@ -236,7 +236,7 @@ router
});
/**
* Download LE Certs
* Download Certbot Certs
*
* /api/nginx/certificates/123/download
*/

4
backend/setup.js
View File

@@ -180,10 +180,10 @@ const setupCertbotPlugins = () => {
if (plugins.indexOf(packages_to_install) === -1) plugins.push(packages_to_install);
// Make sure credentials file exists
const credentials_loc = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
const credentials_loc = '/data/tls/certbot/credentials/credentials-' + certificate.id;
// Escape single quotes and backslashes
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
promises.push(utils.exec(credentials_cmd));
}
});

18
backend/templates/_certificates.conf
View File

@@ -1,18 +1,18 @@
{% if certificate and certificate_id > 0 -%}
{% if certificate.provider == "letsencrypt" %}
# Let's Encrypt SSL
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/ssl/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/chain.pem;
# Certbot TLS
include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
{% else %}
# Custom SSL
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /data/ssl/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/ssl/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/ssl/custom/npm-{{ certificate_id }}/chain.pem;
include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
{% endif %}

6
backend/templates/default.conf
View File

@@ -14,13 +14,13 @@ server {
server_name _;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/tls/dummykey.pem;
{%- if value == "404" %}
location / {

4
frontend/js/app/nginx/dead/form.ejs
View File

@@ -55,7 +55,7 @@
</label>
</div>
</div>
<div class="col-sm-6 col-md-6">
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -64,6 +64,7 @@
</label>
</div>
</div>
<!--
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
@@ -73,6 +74,7 @@
</label>
</div>
</div>
-->
<!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt">

4
frontend/js/app/nginx/proxy/form.ejs
View File

@@ -125,7 +125,7 @@
</label>
</div>
</div>
<div class="col-sm-6 col-md-6">
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -134,6 +134,7 @@
</label>
</div>
</div>
<!--
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
@@ -143,6 +144,7 @@
</label>
</div>
</div>
-->
<!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt">

4
frontend/js/app/nginx/redirection/form.ejs
View File

@@ -104,7 +104,7 @@
</label>
</div>
</div>
<div class="col-sm-6 col-md-6">
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -113,6 +113,7 @@
</label>
</div>
</div>
<!--
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
@@ -122,6 +123,7 @@
</label>
</div>
</div>
-->
<!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt">

32
frontend/js/i18n/messages.json
View File

@@ -21,7 +21,7 @@
"choose-file": "Choose file",
"source": "Source",
"destination": "Destination",
"ssl": "SSL",
"ssl": "TLS",
"access": "Access",
"public": "Public",
"edit": "Edit",
@@ -69,16 +69,16 @@
"all-hosts": {
"empty-subtitle": "{manage, select, true{Why don't you create one?} other{And you don't have permission to create one.}}",
"details": "Details",
"enable-ssl": "Enable SSL",
"force-ssl": "Force SSL",
"enable-ssl": "Enable HTTPS",
"force-ssl": "Force HTTPS",
"http2-support": "HTTP/2 - HTTP/3-Quic",
"domain-names": "Domain Names",
"cert-provider": "Certificate Provider",
"block-exploits": "Block Common Exploits",
"caching-enabled": "Cache Assets",
"ssl-certificate": "SSL Certificate",
"ssl-certificate": "TLS Certificate",
"none": "None",
"new-cert": "Request a new SSL Certificate",
"new-cert": "Request a new TLS Certificate",
"with-le": "with Certbot",
"no-ssl": "This host will not use HTTPS",
"advanced": "Advanced",
@@ -86,7 +86,7 @@
"advanced-config": "Custom Nginx Configuration",
"advanced-config-var-headline": "These proxy details are available as nginx variables:",
"advanced-config-header-info": "Please note, adding a location '/' will overwrite the proxy configuration",
"hsts-enabled": "HSTS Enabled",
"hsts-enabled": "Enable HSTS (including Subdomains and preload)",
"hsts-subdomains": "HSTS Subdomains",
"locations": "Custom locations"
},
@@ -102,7 +102,7 @@
"none": "HTTP only",
"letsencrypt-email": "Email Address for Certbot",
"letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a> / ToS of custom set CA",
"delete-ssl": "The SSL certificates attached will NOT be removed, they will need to be removed manually.",
"delete-ssl": "The TLS certificates attached will NOT be removed, they will need to be removed manually.",
"hosts-warning": "These domains must be already configured to point to this installation",
"no-wildcard-without-dns": "Cannot request Certificate for wildcard domains when not using DNS challenge",
"dns-challenge": "Use a DNS Challenge",
@@ -128,10 +128,10 @@
"delete": "Delete Proxy Host",
"delete-confirm": "Are you sure you want to delete the Proxy host for: <strong>{domains}</strong>?",
"help-title": "What is a Proxy Host?",
"help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional SSL termination for your service that might not have SSL support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
"help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional TLS termination for your service that might not have TLS support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
"access-list": "Access List",
"allow-websocket-upgrade": "Websockets Support",
"ignore-invalid-upstream-ssl": "Ignore Invalid SSL",
"ignore-invalid-upstream-ssl": "Ignore Invalid TLS",
"custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/",
"search": "Search Host…"
},
@@ -182,14 +182,14 @@
"search": "Search Incoming Port…"
},
"certificates": {
"title": "SSL Certificates",
"empty": "There are no SSL Certificates",
"add": "Add SSL Certificate",
"title": "TLS Certificates",
"empty": "There are no TLS Certificates",
"add": "Add TLS Certificate",
"form-title": "Add {provider, select, letsencrypt{Certbot} other{Custom}} Certificate",
"delete": "Delete SSL Certificate",
"delete-confirm": "Are you sure you want to delete this SSL Certificate? Any hosts using it will need to be updated later.",
"help-title": "SSL Certificates",
"help-content": "SSL certificates (correctly known as TLS Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue SSL certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
"delete": "Delete TLS Certificate",
"delete-confirm": "Are you sure you want to delete this TLS Certificate? Any hosts using it will need to be updated later.",
"help-title": "TLS Certificates",
"help-content": "TLS certificates (previously known as SSL Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue TLS certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
"other-certificate": "Certificate",
"other-certificate-key": "Certificate Key",
"other-intermediate-certificate": "Intermediate Certificate",

102
global/certbot-dns-plugins.js
View File

@@ -9,8 +9,6 @@
* cloudflare: {
* display_name: "Name displayed to the user",
* package_name: "Package name in PyPi repo",
* version_requirement: "Optional package version requirements (e.g. ==1.3 or >=1.2,<2.0, see https://www.python.org/dev/peps/pep-0440/#version-specifiers)",
* dependencies: "Additional dependencies, space separated (as you would pass it to pip install)",
* credentials: `Template of the credentials file`,
* full_plugin_name: "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'",
* },
@@ -24,17 +22,13 @@ module.exports = {
acmedns: {
display_name: 'ACME-DNS',
package_name: 'certbot-dns-acmedns',
version_requirement: '~=0.1.0',
dependencies: '',
credentials: `dns_acmedns_api_url = http://acmedns-server/
dns_acmedns_registration_file = /data/acme-registration.json`,
dns_acmedns_registration_file = /data/tls/certbot/acme-registration.json`,
full_plugin_name: 'dns-acmedns',
},
aliyun: {
display_name: 'Aliyun',
package_name: 'certbot-dns-aliyun',
version_requirement: '~=0.38.1',
dependencies: '',
credentials: `dns_aliyun_access_key = 12345678
dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
full_plugin_name: 'dns-aliyun',
@@ -43,8 +37,6 @@ dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
azure: {
display_name: 'Azure',
package_name: 'certbot-dns-azure',
version_requirement: '~=1.2.0',
dependencies: '',
credentials: `# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.
# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.
# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.
@@ -69,8 +61,6 @@ dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf274462
cloudflare: {
display_name: 'Cloudflare',
package_name: 'certbot-dns-cloudflare',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: 'cloudflare',
credentials: `# Cloudflare API token
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
# OR Cloudflare API credentials
@@ -82,8 +72,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
cloudns: {
display_name: 'ClouDNS',
package_name: 'certbot-dns-cloudns',
version_requirement: '~=0.4.0',
dependencies: '',
credentials: `# Target user ID (see https://www.cloudns.net/api-settings/)
dns_cloudns_auth_id=1234
# Alternatively, one of the following two options can be set:
@@ -98,8 +86,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
cloudxns: {
display_name: 'CloudXNS',
package_name: 'certbot-dns-cloudxns',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
dns_cloudxns_secret_key = 1122334455667788`,
full_plugin_name: 'dns-cloudxns',
@@ -108,8 +94,6 @@ dns_cloudxns_secret_key = 1122334455667788`,
constellix: {
display_name: 'Constellix',
package_name: 'certbot-dns-constellix',
version_requirement: '~=0.2.1',
dependencies: '',
credentials: `dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595
dns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b
dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
@@ -119,8 +103,6 @@ dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
corenetworks: {
display_name: 'Core Networks',
package_name: 'certbot-dns-corenetworks',
version_requirement: '~=0.1.4',
dependencies: '',
credentials: `dns_corenetworks_username = asaHB12r
dns_corenetworks_password = secure_password`,
full_plugin_name: 'dns-corenetworks',
@@ -129,8 +111,6 @@ dns_corenetworks_password = secure_password`,
cpanel: {
display_name: 'cPanel',
package_name: 'certbot-dns-cpanel',
version_requirement: '~=0.2.2',
dependencies: '',
credentials: `cpanel_url = https://cpanel.example.com:2083
cpanel_username = user
cpanel_password = hunter2`,
@@ -140,8 +120,6 @@ cpanel_password = hunter2`,
desec: {
display_name: 'deSEC',
package_name: 'certbot-dns-desec',
version_requirement: '~=0.3.0',
dependencies: '',
credentials: `dns_desec_token = YOUR_DESEC_API_TOKEN
dns_desec_endpoint = https://desec.io/api/v1/`,
full_plugin_name: 'dns-desec',
@@ -150,8 +128,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
duckdns: {
display_name: 'DuckDNS',
package_name: 'certbot-dns-duckdns',
version_requirement: '~=0.9',
dependencies: '',
credentials: 'dns_duckdns_token=your-duckdns-token',
full_plugin_name: 'dns-duckdns',
},
@@ -159,8 +135,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
digitalocean: {
display_name: 'DigitalOcean',
package_name: 'certbot-dns-digitalocean',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff',
full_plugin_name: 'dns-digitalocean',
},
@@ -168,8 +142,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
directadmin: {
display_name: 'DirectAdmin',
package_name: 'certbot-dns-directadmin',
version_requirement: '~=0.0.23',
dependencies: '',
credentials: `directadmin_url = https://my.directadminserver.com:2222
directadmin_username = username
directadmin_password = aSuperStrongPassword`,
@@ -179,8 +151,6 @@ directadmin_password = aSuperStrongPassword`,
dnsimple: {
display_name: 'DNSimple',
package_name: 'certbot-dns-dnsimple',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw',
full_plugin_name: 'dns-dnsimple',
},
@@ -188,8 +158,6 @@ directadmin_password = aSuperStrongPassword`,
dnsmadeeasy: {
display_name: 'DNS Made Easy',
package_name: 'certbot-dns-dnsmadeeasy',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
full_plugin_name: 'dns-dnsmadeeasy',
@@ -198,8 +166,6 @@ dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
dnspod: {
display_name: 'DNSPod',
package_name: 'certbot-dns-dnspod',
version_requirement: '~=0.1.0',
dependencies: '',
credentials: `dns_dnspod_email = "email@example.com"
dns_dnspod_api_token = "id,key"`,
full_plugin_name: 'dns-dnspod',
@@ -208,8 +174,6 @@ dns_dnspod_api_token = "id,key"`,
domainoffensive: {
display_name: 'DomainOffensive (do.de)',
package_name: 'certbot-dns-do',
version_requirement: '~=0.31.0',
dependencies: '',
credentials: 'dns_do_api_token = YOUR_DO_DE_AUTH_TOKEN',
full_plugin_name: 'dns-do',
},
@@ -217,8 +181,6 @@ dns_dnspod_api_token = "id,key"`,
domeneshop: {
display_name: 'Domeneshop',
package_name: 'certbot-dns-domeneshop',
version_requirement: '~=0.2.8',
dependencies: '',
credentials: `dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN
dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
full_plugin_name: 'dns-domeneshop',
@@ -227,8 +189,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
dynu: {
display_name: 'Dynu',
package_name: 'certbot-dns-dynu',
version_requirement: '~=0.0.1',
dependencies: '',
credentials: 'dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN',
full_plugin_name: 'dns-dynu',
},
@@ -236,8 +196,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
eurodns: {
display_name: 'EuroDNS',
package_name: 'certbot-dns-eurodns',
version_requirement: '~=0.0.4',
dependencies: '',
credentials: `dns_eurodns_applicationId = myuser
dns_eurodns_apiKey = mysecretpassword
dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`,
@@ -247,8 +205,6 @@ dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`,
gandi: {
display_name: 'Gandi Live DNS',
package_name: 'certbot_plugin_gandi',
version_requirement: '~=1.3.2',
dependencies: '',
credentials: `# live dns v5 api key
dns_gandi_api_key=APIKEY
@@ -260,8 +216,6 @@ dns_gandi_sharing_id=SHARINGID`,
godaddy: {
display_name: 'GoDaddy',
package_name: 'certbot-dns-godaddy',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567
dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
full_plugin_name: 'dns-godaddy',
@@ -270,8 +224,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
google: {
display_name: 'Google',
package_name: 'certbot-dns-google',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `{
"type": "service_account",
...
@@ -282,8 +234,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
hetzner: {
display_name: 'Hetzner',
package_name: 'certbot-dns-hetzner',
version_requirement: '~=1.0.4',
dependencies: '',
credentials: 'dns_hetzner_api_token = 0123456789abcdef0123456789abcdef',
full_plugin_name: 'dns-hetzner',
},
@@ -291,8 +241,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
infomaniak: {
display_name: 'Infomaniak',
package_name: 'certbot-dns-infomaniak',
version_requirement: '~=0.1.12',
dependencies: '',
credentials: 'dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
full_plugin_name: 'dns-infomaniak',
},
@@ -300,8 +248,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
inwx: {
display_name: 'INWX',
package_name: 'certbot-dns-inwx',
version_requirement: '~=2.1.2',
dependencies: '',
credentials: `dns_inwx_url = https://api.domrobot.com/xmlrpc/
dns_inwx_username = your_username
dns_inwx_password = your_password
@@ -312,8 +258,6 @@ dns_inwx_shared_secret = your_shared_secret optional`,
ionos: {
display_name: 'IONOS',
package_name: 'certbot-dns-ionos',
version_requirement: '==2021.9.20.post1',
dependencies: '',
credentials: `dns_ionos_prefix = myapikeyprefix
dns_ionos_secret = verysecureapikeysecret
dns_ionos_endpoint = https://api.hosting.ionos.com`,
@@ -323,8 +267,6 @@ dns_ionos_endpoint = https://api.hosting.ionos.com`,
ispconfig: {
display_name: 'ISPConfig',
package_name: 'certbot-dns-ispconfig',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_ispconfig_username = myremoteuser
dns_ispconfig_password = verysecureremoteuserpassword
dns_ispconfig_endpoint = https://localhost:8080`,
@@ -334,8 +276,6 @@ dns_ispconfig_endpoint = https://localhost:8080`,
isset: {
display_name: 'Isset',
package_name: 'certbot-dns-isset',
version_requirement: '~=0.0.3',
dependencies: '',
credentials: `dns_isset_endpoint="https://customer.isset.net/api"
dns_isset_token="<token>"`,
full_plugin_name: 'dns-isset',
@@ -343,8 +283,6 @@ dns_isset_token="<token>"`,
joker: {
display_name: 'Joker',
package_name: 'certbot-dns-joker',
version_requirement: '~=1.1.0',
dependencies: '',
credentials: `dns_joker_username = <Dynamic DNS Authentication Username>
dns_joker_password = <Dynamic DNS Authentication Password>
dns_joker_domain = <Dynamic DNS Domain>`,
@@ -354,8 +292,6 @@ dns_joker_domain = <Dynamic DNS Domain>`,
linode: {
display_name: 'Linode',
package_name: 'certbot-dns-linode',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64
dns_linode_version = [<blank>|3|4]`,
full_plugin_name: 'dns-linode',
@@ -364,8 +300,6 @@ dns_linode_version = [<blank>|3|4]`,
loopia: {
display_name: 'Loopia',
package_name: 'certbot-dns-loopia',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: `dns_loopia_user = user@loopiaapi
dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`,
full_plugin_name: 'dns-loopia',
@@ -374,8 +308,6 @@ dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`,
luadns: {
display_name: 'LuaDNS',
package_name: 'certbot-dns-luadns',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_luadns_email = user@example.com
dns_luadns_token = 0123456789abcdef0123456789abcdef`,
full_plugin_name: 'dns-luadns',
@@ -384,8 +316,6 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
namecheap: {
display_name: 'Namecheap',
package_name: 'certbot-dns-namecheap',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: `dns_namecheap_username = 123456
dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`,
full_plugin_name: 'dns-namecheap',
@@ -394,8 +324,6 @@ dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`,
netcup: {
display_name: 'netcup',
package_name: 'certbot-dns-netcup',
version_requirement: '~=1.1.4',
dependencies: '',
credentials: `dns_netcup_customer_id = 123456
dns_netcup_api_key = 0123456789abcdef0123456789abcdef01234567
dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
@@ -405,8 +333,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
njalla: {
display_name: 'Njalla',
package_name: 'certbot-dns-njalla',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: 'dns_njalla_token = 0123456789abcdef0123456789abcdef01234567',
full_plugin_name: 'dns-njalla',
},
@@ -414,8 +340,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
nsone: {
display_name: 'NS1',
package_name: 'certbot-dns-nsone',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw',
full_plugin_name: 'dns-nsone',
},
@@ -423,8 +347,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
oci: {
display_name: 'Oracle Cloud Infrastructure DNS',
package_name: 'certbot-dns-oci',
package_version: '0.3.6',
dependencies: 'oci',
credentials: `[DEFAULT]
user = ocid1.user.oc1...
fingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
@@ -437,8 +359,6 @@ key_file = ~/.oci/oci_api_key.pem`,
ovh: {
display_name: 'OVH',
package_name: 'certbot-dns-ovh',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
@@ -449,8 +369,6 @@ dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw`,
porkbun: {
display_name: 'Porkbun',
package_name: 'certbot-dns-porkbun',
version_requirement: '~=0.2',
dependencies: '',
credentials: `dns_porkbun_key=your-porkbun-api-key
dns_porkbun_secret=your-porkbun-api-secret`,
full_plugin_name: 'dns-porkbun',
@@ -459,8 +377,6 @@ dns_porkbun_secret=your-porkbun-api-secret`,
powerdns: {
display_name: 'PowerDNS',
package_name: 'certbot-dns-powerdns',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_powerdns_api_url = https://api.mypowerdns.example.org
dns_powerdns_api_key = AbCbASsd!@34`,
full_plugin_name: 'dns-powerdns',
@@ -469,8 +385,6 @@ dns_powerdns_api_key = AbCbASsd!@34`,
regru: {
display_name: 'reg.ru',
package_name: 'certbot-regru',
version_requirement: '~=1.0.2',
dependencies: '',
credentials: `certbot_regru:dns_username=username
certbot_regru:dns_password=password`,
full_plugin_name: 'certbot-regru:dns',
@@ -479,8 +393,6 @@ certbot_regru:dns_password=password`,
rfc2136: {
display_name: 'RFC 2136',
package_name: 'certbot-dns-rfc2136',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `# Target DNS server
dns_rfc2136_server = 192.0.2.1
# Target DNS port
@@ -497,8 +409,6 @@ dns_rfc2136_algorithm = HMAC-SHA512`,
route53: {
display_name: 'Route 53 (Amazon)',
package_name: 'certbot-dns-route53',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
@@ -508,18 +418,14 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
transip: {
display_name: 'TransIP',
package_name: 'certbot-dns-transip',
version_requirement: '~=0.4.3',
dependencies: '',
credentials: `dns_transip_username = my_username
dns_transip_key_file = /data/ssl/certbot/transip-rsa.key`,
dns_transip_key_file = /data/tls/certbot/transip-rsa.key`,
full_plugin_name: 'dns-transip',
},
//####################################################//
tencentcloud: {
display_name: 'Tencent Cloud',
package_name: 'certbot-dns-tencentcloud',
version_requirement: '~=2.0.0',
dependencies: '',
credentials: `dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID
dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
full_plugin_name: 'dns-tencentcloud',
@@ -528,8 +434,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
vultr: {
display_name: 'Vultr',
package_name: 'certbot-dns-vultr',
version_requirement: '~=1.0.3',
dependencies: '',
credentials: 'dns_vultr_key = YOUR_VULTR_API_KEY',
full_plugin_name: 'dns-vultr',
},
@@ -537,8 +441,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
websupportsk: {
display_name: 'Websupport.sk',
package_name: 'certbot-dns-websupportsk',
version_requirement: '~=0.1.6',
dependencies: '',
credentials: `dns_websupportsk_api_key = <api_key>
dns_websupportsk_secret = <secret>
dns_websupportsk_domain = example.com`,

124
rootfs/bin/start.sh
View File

@@ -5,32 +5,31 @@ if [ -n "$PHP_APKS" ]; then
if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP_APKS but not to an allowed value.
It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores.
It is set to '$PHP_APKS'." || exit 1
It is set to '$PHP_APKS'." || sleep inf
sleep inf || exit 1
fi
read -ra APKS_ARRAY <<< "$PHP_APKS"
read -ra APKS_ARRAY <<< "$PHP_APKS" || sleep inf
for apk in "${APKS_ARRAY[@]}"; do
if ! echo "$apk" | grep -q "php*"; then
echo "'$apk' is a non allowed value.
It needs to start with php.
It is set to '$apk'." || exit 1
It is set to '$apk'." || sleep inf
sleep inf || exit 1
fi
echo "Installing $apk via apk..."
if ! apk add --no-cache "$apk" &> /dev/null; then
echo "The packet $apk was not installed!"
echo "The packet $apk was not installed!" || sleep inf
fi
done
fi
mkdir -p /tmp/acme-challenge \
/data/ssl/certbot \
/data/ssl/custom \
mkdir -vp /data/tls/certbot/renewal \
/data/tls/custom \
/data/php \
/data/nginx/redirection_host \
/data/nginx/proxy_host \
@@ -38,33 +37,46 @@ mkdir -p /tmp/acme-challenge \
/data/nginx/stream \
/data/nginx/custom \
/data/nginx/access \
/data/nginx/html || exit 1
/data/nginx/html \
/tmp/acme-challenge || sleep inf
if [ -f /data/nginx/default_host/site.conf ]; then
mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1
mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf
fi
if [ -f /data/nginx/default_www/index.html ]; then
mv /data/nginx/default_www/index.html /data/nginx/html/index.html || exit 1
mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf
fi
if [ -e /data/access ]; then
mv /data/access/* /data/nginx/access || exit 1
if [ -f /data/nginx/dummycert.pem ]; then
mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf
fi
if [ -e /etc/letsencrypt/live ]; then
mv /etc/letsencrypt/* /data/ssl/certbot || exit 1
if [ -f /data/nginx/dummykey.pem ]; then
mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf
fi
if [ -e /data/letsencrypt/live ]; then
mv /data/letsencrypt/* /data/ssl/certbot || exit 1
if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then
mv -v /data/access/* /data/nginx/access || sleep inf
fi
if [ -e /data/custom_ssl/npm-* ]; then
mv /data/custom_ssl/* /data/ssl/custom || exit 1
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf
fi
rm -rf /data/letsencrypt-acme-challenge \
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf
fi
if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then
mv -v /data/custom_ssl/* /data/tls/custom || sleep inf
fi
if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then
mv -v /data/ssl/* /data/tls || sleep inf
fi
rm -vrf /data/letsencrypt-acme-challenge \
/data/nginx/default_host \
/data/nginx/default_www \
/data/nginx/streams \
@@ -74,37 +86,44 @@ rm -rf /data/letsencrypt-acme-challenge \
/data/custom_ssl \
/data/certbot \
/data/access \
/data/ssl \
/data/logs \
/data/error.log \
/data/nginx/error.log || exit 1
/data/nginx/error.log || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/ssl/custom|g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1
find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || exit 1
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || sleep inf
if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || sleep inf
if [ ! -f /data/tls/dummycert.pem ] || [ ! -f /data/tls/dummykey.pem ]; then
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem || sleep inf
fi
if [ ! -f /data/nginx/default.conf ]; then
cp /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || exit 1
mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
fi
if [ ! -f /data/ssl/certbot/config.ini ]; then
cp /etc/ssl/certbot.ini /data/ssl/certbot/config.ini || exit 1
if [ ! -f /data/tls/certbot/config.ini ]; then
mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
fi
touch /data/nginx/default.conf \
@@ -120,45 +139,45 @@ touch /data/nginx/default.conf \
/data/nginx/custom/server_stream.conf \
/data/nginx/custom/server_stream_tcp.conf \
/data/nginx/custom/server_stream_udp.conf \
/usr/local/nginx/conf/conf.d/include/ip_ranges.conf || exit 1
/usr/local/nginx/conf/conf.d/include/ip_ranges.conf || sleep inf
for folder in $(find /etc -maxdepth 1 -type d -name php*); do cp -Trn $folder /data/php/$(echo $folder| sed "s|/etc/php||g"); done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|user =.*|user = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|group =.*|group = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|listen =.*|listen = /dev/$(echo $folder| sed "s|/etc/||g").sock|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|include=.*|include=/data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/*.conf|g" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do cp -vrnT /etc/php$phpv /data/php/$phpv; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|user =.*|user = root|" /data/php/$phpv/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|group =.*|group = root|" /data/php/$phpv/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|listen =.*|listen = /dev/php$phpv.sock|" /data/php/$phpv/php-fpm.d/www.conf; done;
for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|include=.*|include=/data/php/$phpv/php-fpm.d/*.conf|g" /data/php/$phpv/php-fpm.conf; done;
if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
fi
if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || exit 1
sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
fi
if ! nginx -t &> /dev/null; then
nginx -T || exit 1
nginx -T || sleep inf
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1
fi
@@ -174,25 +193,20 @@ done
if ! nginx -t &> /dev/null; then
nginx -T || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi

0
rootfs/etc/ssl/certbot.ini → rootfs/etc/tls/certbot.ini
View File

0
rootfs/etc/ssl/dhparam → rootfs/etc/tls/dhparam
View File

6
rootfs/usr/local/nginx/conf/conf.d/include/default.conf
View File

@@ -14,13 +14,13 @@ server {
server_name _;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/tls/dummykey.pem;
location / {
include conf.d/include/acme-challenge.conf;

2
rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf → rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
View File

@@ -1,7 +1,7 @@
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/ssl/dhparam;
ssl_dhparam /etc/tls/dhparam;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.3 TLSv1.2;

6
rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
View File

@@ -18,10 +18,10 @@ server {
return 444;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/tls/dummykey.pem;
}

6
rootfs/usr/local/nginx/conf/conf.d/npm.conf
View File

@@ -6,9 +6,9 @@ server {
listen [::]:81 http3 default_server;
server_name _;
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/tls/dummykey.pem;
include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';