diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ef993f75..0211d0b2 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -30,9 +30,9 @@ jobs:
 run: |
 sudo npm install --global cross-env
 sudo pip install certbot
-sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge
+sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
 sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
-sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini
+sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
 mv global backend
 cd backend
 npm install --force
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
index 7b73c95a..56ae5638 100644
--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -25,9 +25,9 @@ jobs:
 run: |
 sudo npm install --global cross-env
 sudo pip install certbot
-sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge
+sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
 sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
-sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini
+sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
 mv global backend
 cd backend
 npm install --force
diff --git a/Dockerfile b/Dockerfile
index 9bbfde39..937a9028 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM zoeyvid/nginx-quic:30
+FROM zoeyvid/nginx-quic:31
 COPY rootfs /
 COPY backend /app
 COPY global /app/global
diff --git a/README.md b/README.md
index a3428744..73d325f1 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ This project comes as a pre-built docker image that enables you to easily forward to your websites -running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt. +running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt. - [Quick Setup](#quick-setup) - [Screenshots](https://nginxproxymanager.com/screenshots) @@ -21,7 +21,7 @@ running at home or otherwise, including free SSL, without having to know too muc ## Project Goal I created this project to fill a personal need to provide users with a easy way to accomplish reverse -proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed. +proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed. While there might be advanced options they are optional and the project should be as simple as possible so that the barrier for entry here is low. @@ -32,7 +32,7 @@ so that the barrier for entry here is low. - Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io/) - Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx -- Free SSL using Let's Encrypt or provide your own custom SSL certificates +- Free trusted TLS certificates using Certbot (Let's Encrypt) or provide your own custom TLS certificates - Access Lists and basic HTTP Authentication for your hosts - Advanced Nginx configuration available for super users - User management, permissions and audit log 
@@ -44,10 +44,10 @@ so that the barrier for entry here is low.
 - Fix Proxy Hosts, if origin only accepts TLSv1.3
 - Only use TLSv1.2 and TLSv1.3
 - Uses OCSP Stapling
- - Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/ssl/custom/npm-[certificate-id]` folder
+ - Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
 - Smaller then the original
-- Runs the admin interface on port 81 with ssl (https)
-- Default page runs also with ssl (https)
+- Runs the admin interface on port 81 with https
+- Default page runs also with https
 - Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if you use the npm directly as webserver
 - Expose INTERNAL backend api only to localhost
 - Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers), enabled by default if you enable hsts
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
index 0c736063..aac045bc 100644
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -14,8 +14,8 @@ const internalHost = require('./host');
 const archiver = require('archiver');
 const path = require('path');
 const { isArray } = require('lodash');
-const certbotConfig = '/data/ssl/certbot/config.ini';
-const certbotCommand = 'certbot --config-dir /data/ssl/certbot';
+const certbotConfig = '/data/tls/certbot/config.ini';
+const certbotCommand = 'certbot --config-dir /data/tls/certbot';
 
 function omissions() {
 return ['is_deleted'];
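Review bot: `certbotConfig` and `certbotCommand` each spell out `/data/tls/certbot` separately, and the same directory is re-typed as a string prefix in the `'/data/tls/certbot/live/npm-'` and `'/data/tls/certbot/credentials/credentials-'` literals of this file's later hunks (@@ -72, @@ -202, @@ -352, @@ -872, @@ -943, @@ -1014, @@ -1033, @@ -1065), which is why the rename had to touch about ten sites. Introduce a single constant and derive the others from it: `const certbotDir = '/data/tls/certbot';`, `const certbotConfig = certbotDir + '/config.ini';`, `const certbotCommand = 'certbot --config-dir ' + certbotDir;`, and build the live and credentials paths from `certbotDir` too. The same literal also appears in backend/setup.js (@@ -180) and backend/templates/_certificates.conf; a shared export would let those follow the next rename automatically.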
@@ -29,19 +29,19 @@ const internalCertificate = {
 intervalProcessing: false,
 
 initTimer: () => {
-logger.info('Let\'s Encrypt Renewal Timer initialized');
+logger.info('Certbot Encrypt Renewal Timer initialized');
 internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.intervalTimeout);
 // And do this now as well
 internalCertificate.processExpiringHosts();
 },
 
 /**
-* Triggered by a timer, this will check for expiring hosts and renew their ssl certs if required
+* Triggered by a timer, this will check for expiring hosts and renew their tls certs if required
 */
 processExpiringHosts: () => {
 if (!internalCertificate.intervalProcessing) {
 internalCertificate.intervalProcessing = true;
 
-logger.info('Renewing SSL certs close to expiry...');
+logger.info('Renewing TLS certs close to expiry...');
 const cmd = certbotCommand + ' renew --non-interactive --quiet ' +
 '--config "' + certbotConfig + '" ' +
@@ -72,7 +72,7 @@ const internalCertificate = {
 
 certificates.map(function (certificate) {
 promises.push(
-internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem')
+internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
 .then((cert_info) => {
 return certificateModel
 .query()
@@ -124,13 +124,13 @@ const internalCertificate = {
 })
 .then((certificate) => {
 if (certificate.provider === 'letsencrypt') {
-// Request a new Cert from LE. Let the fun begin.
+// Request a new Cert using Certbot. Let the fun begin.
 
 // 1. Find out any hosts that are using any of the hostnames in this cert
 // 2. Disable them in nginx temporarily
-// 3. Generate the LE config
+// 3. Generate the Certbot config
 // 4. Request cert
-// 5. Remove LE config
+// 5. Remove Certbot config
 // 6. Re-instate previously disabled hosts
 
 // 1. Find out any hosts that are using any of the hostnames in this cert
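Review bot: The new log message `'Certbot Encrypt Renewal Timer initialized'` in `initTimer` reads as a search-and-replace leftover from "Let's Encrypt" and is not a meaningful name for the timer; use `logger.info('Certbot Renewal Timer initialized');`. The other message changed in this hunk, `'Renewing TLS certs close to expiry...'`, is fine as written. `initTimer` and `processExpiringHosts` are members of the `internalCertificate` object literal, which begins and ends outside the hunk.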
@@ -166,7 +166,7 @@ const internalCertificate = {
 });
 });
 } else {
-// 3. Generate the LE config
+// 3. Generate the Certbot config
 return internalNginx.generateLetsEncryptRequestConfig(certificate)
 .then(internalNginx.reload)
 .then(async() => await new Promise((r) => setTimeout(r, 5000)))
@@ -175,7 +175,7 @@ const internalCertificate = {
 return internalCertificate.requestLetsEncryptSsl(certificate);
 })
 .then(() => {
-// 5. Remove LE config
+// 5. Remove Certbot config
 return internalNginx.deleteLetsEncryptRequestConfig(certificate);
 })
 .then(internalNginx.reload)
@@ -202,7 +202,7 @@ const internalCertificate = {
 .then(() => {
 // At this point, the certbot cert should exist on disk.
 // Lets get the expiry date from the file and update the row silently
-return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem')
+return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
 .then((cert_info) => {
 return certificateModel
 .query()
@@ -352,7 +352,7 @@ const internalCertificate = {
 })
 .then((certificate) => {
 if (certificate.provider === 'letsencrypt') {
-const zipDirectory = '/data/ssl/certbot/live/npm-' + data.id;
+const zipDirectory = '/data/tls/certbot/live/npm-' + data.id;
 
 if (!fs.existsSync(zipDirectory)) {
 throw new error.ItemNotFoundError('Certificate ' + certificate.nice_name + ' does not exists');
@@ -372,7 +372,7 @@ const internalCertificate = {
 resolve(resp);
 }).catch((err) => reject(err));
 } else {
-throw new error.ValidationError('Only Let\'sEncrypt certificates can be downloaded');
+throw new error.ValidationError('Only Certbot certificates can be downloaded');
 }
 }).catch((err) => reject(err));
 });
@@ -517,7 +517,7 @@ const internalCertificate = {
 writeCustomCert: (certificate) => {
 logger.info('Writing Custom Certificate:', certificate);
 
-const dir = '/data/custom_ssl/npm-' + certificate.id;
+const dir = '/data/tls/custom/npm-' + certificate.id;
 
 return new Promise((resolve, reject) => {
 if (certificate.provider === 'letsencrypt') {
@@ -758,7 +758,6 @@ const internalCertificate = {
 return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout');
 })
 .then((result) => {
-// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 const regex = /^(?:issuer=)?(.*)$/gim;
 const match = regex.exec(result);
 
@@ -813,7 +812,7 @@ const internalCertificate = {
 },
 
 /**
-* Cleans the ssl keys from the meta object and sets them to "true"
+* Cleans the tls keys from the meta object and sets them to "true"
 *
 * @param {Object} meta
 * @param {Boolean} [remove]
@@ -839,7 +838,7 @@ const internalCertificate = {
 * @returns {Promise}
 */
 requestLetsEncryptSsl: (certificate) => {
-logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
+logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
 const cmd = certbotCommand + ' certonly ' +
 '--config "' + certbotConfig + '" ' +
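Review bot: Deleting the `// issuer=C = US, O = Let's Encrypt, CN = ...` line in the @@ -758 hunk removes the only description of the input that `/^(?:issuer=)?(.*)$/gim` parses, leaving the regex unexplained. If the goal is to stop naming one CA, replace the line with a CA-neutral example instead of nothing, e.g. `// openssl -issuer prints one line like: issuer=C = XX, O = <CA name>, CN = <issuer CN>; the optional "issuer=" prefix is stripped`. The `.then((result) => {` callback that contains the regex continues past the end of the hunk.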
@@ -872,12 +871,12 @@ const internalCertificate = {
 throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
 }
 
-logger.info(`Requesting Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+logger.info(`Requesting Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
 
-const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
+const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
 // Escape single quotes and backslashes
 const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
-const credentialsCmd = 'mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
+const credentialsCmd = 'mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
 let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
 
 // Whether the plugin has a ---credentials argument
@@ -943,7 +942,7 @@ const internalCertificate = {
 
 return renewMethod(certificate)
 .then(() => {
-return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem');
+return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem');
 })
 .then((cert_info) => {
 return certificateModel
@@ -965,7 +964,7 @@ const internalCertificate = {
 });
 });
 } else {
-throw new error.ValidationError('Only Let\'sEncrypt certificates can be renewed');
+throw new error.ValidationError('Only Certbot certificates can be renewed');
 }
 });
 },
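Review bot: The rewritten `credentialsCmd` still hands the DNS provider secret to a shell through `echo '…' > file`, and the escaping on the line above does not make that safe: inside a POSIX single-quoted string a backslash has no special meaning, so the inserted `\'` does not escape anything, and the second `replaceAll` then doubles the backslashes the first one just added. A credential value containing a single quote therefore terminates the quoted argument and the remainder is interpreted by the shell that `utils.exec` runs, and the file is created under the process umask before `chmod 600` applies. `fs` and `path` are already required at the top of this file (hunk @@ -14), so write the file directly and drop `escapedCredentials`/`credentialsCmd`: `fs.mkdirSync(path.dirname(credentialsLocation), { recursive: true, mode: 0o700 });` followed by `fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 });`. `credentialsCmd` is consumed further down in the enclosing method, outside this hunk, so that use has to go as well; the identical construction in backend/setup.js (@@ -180, `credentials_cmd`) has the same quoting problem, though whether that file imports `fs` is not visible here.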
@@ -975,7 +974,7 @@ const internalCertificate = {
 * @returns {Promise}
 */
 renewLetsEncryptSsl: (certificate) => {
-logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
+logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
 const cmd = certbotCommand + ' renew --force-renewal ' +
 '--config "' + certbotConfig + '" ' +
@@ -1004,7 +1003,7 @@ const internalCertificate = {
 throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
 }
 
-logger.info(`Renewing Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+logger.info(`Renewing Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
 
 let mainCmd = certbotCommand + ' renew ' +
 '--config "' + certbotConfig + '" ' +
@@ -1014,7 +1013,7 @@ const internalCertificate = {
 
 // Prepend the path to the credentials file as an environment variable
 if (certificate.meta.dns_provider === 'route53') {
-const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
+const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
 mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
 }
 
@@ -1033,15 +1032,15 @@ const internalCertificate = {
 * @returns {Promise}
 */
 revokeLetsEncryptSsl: (certificate, throw_errors) => {
-logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
+logger.info('Revoking Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
 const mainCmd = certbotCommand + ' revoke ' +
 '--config "' + certbotConfig + '" ' +
-'--cert-path "/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' +
+'--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' +
 '--delete-after-revoke';
 
 // Don't fail command if file does not exist
-const delete_credentialsCmd = `rm -f '/data/ssl/certbot/credentials/credentials-${certificate.id}' || true`;
+const delete_credentialsCmd = `rm -f '/data/tls/certbot/credentials/credentials-${certificate.id}' || true`;
 
 logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
 
@@ -1065,7 +1064,7 @@ const internalCertificate = {
 * @returns {Boolean}
 */
 hasLetsEncryptSslCerts: (certificate) => {
-const letsencryptPath = '/data/ssl/certbot/live/npm-' + certificate.id;
+const letsencryptPath = '/data/tls/certbot/live/npm-' + certificate.id;
 
 return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem');
 },
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index b62eb526..c319de60 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -54,12 +54,12 @@ const internalNginx = {
 .catch((err) => {
 // Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
 // It will always look like this:
-// nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)
+// nginx: [alert] could not open error log file: open() "/dev/null" failed (6: No such device or address)
 let valid_lines = [];
 let err_lines = err.message.split('\n');
 err_lines.map(function (line) {
-if (line.indexOf('/data/nginx/error.log') === -1) {
+if (line.indexOf('/dev/null') === -1) {
 valid_lines.push(line);
 }
 });
 
diff --git a/backend/routes/api/nginx/certificates.js b/backend/routes/api/nginx/certificates.js
index ffdfb515..a03618a5 100644
--- a/backend/routes/api/nginx/certificates.js
+++ b/backend/routes/api/nginx/certificates.js
@@ -207,7 +207,7 @@ router
 });
 
 /**
-* Renew LE Certs
+* Renew Certbot Certs
 *
 * /api/nginx/certificates/123/renew
 */
@@ -236,7 +236,7 @@ router
 });
 
 /**
-* Download LE Certs
+* Download Certbot Certs
 *
 * /api/nginx/certificates/123/download
 */
diff --git a/backend/setup.js b/backend/setup.js
index 09874703..3cfff509 100644
--- a/backend/setup.js
+++ b/backend/setup.js
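Review bot: Filtering on `line.indexOf('/dev/null') === -1` drops every line of the `nginx -t` output that mentions `/dev/null`, not only the single alert the comment above describes, so a genuine configuration error in a user's custom include that happens to reference that path would be silently removed from the reported message. Match the alert itself and use `filter` rather than a `map` whose return value is discarded: `const valid_lines = err_lines.filter((line) => !line.includes('could not open error log file: open() "/dev/null"'));`, which also replaces the `let valid_lines = [];` line. The enclosing `.catch` callback begins and ends outside the hunk, so any later reassignment of `valid_lines` there would need checking before the `let` becomes a `const`.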
@@ -180,10 +180,10 @@ const setupCertbotPlugins = () => {
 if (plugins.indexOf(packages_to_install) === -1) plugins.push(packages_to_install);
 
 // Make sure credentials file exists
-const credentials_loc = '/data/ssl/certbot/credentials/credentials-' + certificate.id;
+const credentials_loc = '/data/tls/certbot/credentials/credentials-' + certificate.id;
 // Escape single quotes and backslashes
 const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
-const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
+const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
 promises.push(utils.exec(credentials_cmd));
 }
 });
diff --git a/backend/templates/_certificates.conf b/backend/templates/_certificates.conf
index 01c21bda..8b90f449 100644
--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@@ -1,18 +1,18 @@
 {% if certificate and certificate_id > 0 -%}
 {% if certificate.provider == "letsencrypt" %}
-# Let's Encrypt SSL
-include conf.d/include/ssl-ciphers.conf;
-ssl_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
-ssl_certificate_key /data/ssl/certbot/live/npm-{{ certificate_id }}/privkey.pem;
-ssl_trusted_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/chain.pem;
+# Certbot TLS
+include conf.d/include/tls-ciphers.conf;
+ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
+ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
+ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
 ssl_stapling on;
 ssl_stapling_verify on;
 {% else %}
 # Custom SSL
-include conf.d/include/ssl-ciphers.conf;
-ssl_certificate /data/ssl/custom/npm-{{ certificate_id }}/fullchain.pem;
-ssl_certificate_key /data/ssl/custom/npm-{{ certificate_id }}/privkey.pem;
-ssl_trusted_certificate /data/ssl/custom/npm-{{ certificate_id }}/chain.pem;
+include conf.d/include/tls-ciphers.conf;
+ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
+ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
+ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
 ssl_stapling on;
 ssl_stapling_verify on;
 {% endif %}
diff --git a/backend/templates/default.conf b/backend/templates/default.conf
index fe17275b..86d0dc46 100644
--- a/backend/templates/default.conf
+++ b/backend/templates/default.conf
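Review bot: The `letsencrypt` branch's comment becomes `# Certbot TLS` while the `else` branch keeps `# Custom SSL`, so the two generated blocks now use different vocabulary for the same directive set; rename it `# Custom TLS` to match. The remaining changes are include and path renames and agree with the `/data/tls/custom/npm-…` directory that `writeCustomCert` now writes to in backend/internal/certificate.js (@@ -517).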
@@ -14,13 +14,13 @@ server {
 server_name _;
 
 include conf.d/include/force-ssl.conf;
-include conf.d/include/ssl-ciphers.conf;
+include conf.d/include/tls-ciphers.conf;
 include conf.d/include/acme-challenge.conf;
 include conf.d/include/block-exploits.conf;
 add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
 
-ssl_certificate /data/nginx/dummycert.pem;
-ssl_certificate_key /data/nginx/dummykey.pem;
+ssl_certificate /data/tls/dummycert.pem;
+ssl_certificate_key /data/tls/dummykey.pem;
 
 {%- if value == "404" %}
 location / {
diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs
index 253c4b6f..38ed0c29 100644
--- a/frontend/js/app/nginx/dead/form.ejs
+++ b/frontend/js/app/nginx/dead/form.ejs
@@ -55,7 +55,7 @@
-
+
+
diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs index 75c537fd..12b84e2e 100644 --- a/frontend/js/app/nginx/proxy/form.ejs +++ b/frontend/js/app/nginx/proxy/form.ejs @@ -125,7 +125,7 @@
-
+
+
diff --git a/frontend/js/app/nginx/redirection/form.ejs b/frontend/js/app/nginx/redirection/form.ejs index 823a0cec..f06b036d 100644 --- a/frontend/js/app/nginx/redirection/form.ejs +++ b/frontend/js/app/nginx/redirection/form.ejs @@ -104,7 +104,7 @@
-
+
+
diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json
index 1c4908da..25e4dfa1 100644
--- a/frontend/js/i18n/messages.json
+++ b/frontend/js/i18n/messages.json
@@ -21,7 +21,7 @@
 "choose-file": "Choose file",
 "source": "Source",
 "destination": "Destination",
-"ssl": "SSL",
+"ssl": "TLS",
 "access": "Access",
 "public": "Public",
 "edit": "Edit",
@@ -69,16 +69,16 @@
 "all-hosts": {
 "empty-subtitle": "{manage, select, true{Why don't you create one?} other{And you don't have permission to create one.}}",
 "details": "Details",
-"enable-ssl": "Enable SSL",
-"force-ssl": "Force SSL",
+"enable-ssl": "Enable HTTPS",
+"force-ssl": "Force HTTPS",
 "http2-support": "HTTP/2 - HTTP/3-Quic",
 "domain-names": "Domain Names",
 "cert-provider": "Certificate Provider",
 "block-exploits": "Block Common Exploits",
 "caching-enabled": "Cache Assets",
-"ssl-certificate": "SSL Certificate",
+"ssl-certificate": "TLS Certificate",
 "none": "None",
-"new-cert": "Request a new SSL Certificate",
+"new-cert": "Request a new TLS Certificate",
 "with-le": "with Certbot",
 "no-ssl": "This host will not use HTTPS",
 "advanced": "Advanced",
@@ -86,7 +86,7 @@
 "advanced-config": "Custom Nginx Configuration",
 "advanced-config-var-headline": "These proxy details are available as nginx variables:",
 "advanced-config-header-info": "Please note, adding a location '/' will overwrite the proxy configuration",
-"hsts-enabled": "HSTS Enabled",
+"hsts-enabled": "Enable HSTS (including Subdomains and preload)",
 "hsts-subdomains": "HSTS Subdomains",
 "locations": "Custom locations"
 },
@@ -102,7 +102,7 @@
 "none": "HTTP only",
 "letsencrypt-email": "Email Address for Certbot",
 "letsencrypt-agree": "I Agree to the Let's Encrypt Terms of Service / ToS of custom set CA",
-"delete-ssl": "The SSL certificates attached will NOT be removed, they will need to be removed manually.",
+"delete-ssl": "The TLS certificates attached will NOT be removed, they will need to be removed manually.",
 "hosts-warning": "These domains must be already configured to point to this installation",
 "no-wildcard-without-dns": "Cannot request Certificate for wildcard domains when not using DNS challenge",
 "dns-challenge": "Use a DNS Challenge",
@@ -128,10 +128,10 @@
 "delete": "Delete Proxy Host",
 "delete-confirm": "Are you sure you want to delete the Proxy host for: {domains}?",
 "help-title": "What is a Proxy Host?",
-"help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional SSL termination for your service that might not have SSL support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
+"help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional TLS termination for your service that might not have TLS support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
 "access-list": "Access List",
 "allow-websocket-upgrade": "Websockets Support",
-"ignore-invalid-upstream-ssl": "Ignore Invalid SSL",
+"ignore-invalid-upstream-ssl": "Ignore Invalid TLS",
 "custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/",
 "search": "Search Host…"
 },
@@ -182,14 +182,14 @@
 "search": "Search Incoming Port…"
 },
 "certificates": {
-"title": "SSL Certificates",
-"empty": "There are no SSL Certificates",
-"add": "Add SSL Certificate",
+"title": "TLS Certificates",
+"empty": "There are no TLS Certificates",
+"add": "Add TLS Certificate",
 "form-title": "Add {provider, select, letsencrypt{Certbot} other{Custom}} Certificate",
-"delete": "Delete SSL Certificate",
-"delete-confirm": "Are you sure you want to delete this SSL Certificate? Any hosts using it will need to be updated later.",
-"help-title": "SSL Certificates",
-"help-content": "SSL certificates (correctly known as TLS Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue SSL certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
+"delete": "Delete TLS Certificate",
+"delete-confirm": "Are you sure you want to delete this TLS Certificate? Any hosts using it will need to be updated later.",
+"help-title": "TLS Certificates",
+"help-content": "TLS certificates (previously known as SSL Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue TLS certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
 "other-certificate": "Certificate",
 "other-certificate-key": "Certificate Key",
 "other-intermediate-certificate": "Intermediate Certificate",
diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js
index 3e1fd704..de3dba97 100644
--- a/global/certbot-dns-plugins.js
+++ b/global/certbot-dns-plugins.js
@@ -9,8 +9,6 @@
 * cloudflare: {
 * display_name: "Name displayed to the user",
 * package_name: "Package name in PyPi repo",
-* version_requirement: "Optional package version requirements (e.g. ==1.3 or >=1.2,<2.0, see https://www.python.org/dev/peps/pep-0440/#version-specifiers)",
-* dependencies: "Additional dependencies, space separated (as you would pass it to pip install)",
 * credentials: `Template of the credentials file`,
 * full_plugin_name: "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'",
 * },
@@ -24,17 +22,13 @@ module.exports = {
 acmedns: {
 display_name: 'ACME-DNS',
 package_name: 'certbot-dns-acmedns',
-version_requirement: '~=0.1.0',
-dependencies: '',
 credentials: `dns_acmedns_api_url = http://acmedns-server/
-dns_acmedns_registration_file = /data/acme-registration.json`,
+dns_acmedns_registration_file = /data/tls/certbot/acme-registration.json`,
 full_plugin_name: 'dns-acmedns',
 },
 aliyun: {
 display_name: 'Aliyun',
 package_name: 'certbot-dns-aliyun',
-version_requirement: '~=0.38.1',
-dependencies: '',
 credentials: `dns_aliyun_access_key = 12345678
 dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
 full_plugin_name: 'dns-aliyun',
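Review bot: Removing the `dependencies` and `version_requirement` keys from every plugin entry (here and in each later hunk of this file) is not matched by a change to their consumer: backend/internal/certificate.js still builds `let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;` (visible as an unchanged line in its @@ -872 hunk), so unless a hunk not shown here updates it, the command becomes `pip install <package> undefined` and pip is asked to resolve a package literally named `undefined` from the index. That breaks every DNS-challenge request and is also a supply-chain exposure, since an arbitrary, unpinned name is requested at runtime; dropping `version_requirement` additionally makes each plugin float to whatever the index currently serves instead of a tested version. Either keep the two keys, or make the consumer tolerate their absence, e.g. `let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + (dns_plugin.dependencies ? ' ' + dns_plugin.dependencies : '');`. `packages_to_install` in backend/setup.js (@@ -180) is computed outside the visible hunk and may depend on the same keys.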
@@ -43,8 +37,6 @@ dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
 azure: {
 display_name: 'Azure',
 package_name: 'certbot-dns-azure',
-version_requirement: '~=1.2.0',
-dependencies: '',
 credentials: `# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.
 # Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.
 # As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.
@@ -69,8 +61,6 @@ dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf274462
 cloudflare: {
 display_name: 'Cloudflare',
 package_name: 'certbot-dns-cloudflare',
-version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
-dependencies: 'cloudflare',
 credentials: `# Cloudflare API token
 dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
 # OR Cloudflare API credentials
@@ -82,8 +72,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
 cloudns: {
 display_name: 'ClouDNS',
 package_name: 'certbot-dns-cloudns',
-version_requirement: '~=0.4.0',
-dependencies: '',
 credentials: `# Target user ID (see https://www.cloudns.net/api-settings/)
 dns_cloudns_auth_id=1234
 # Alternatively, one of the following two options can be set:
@@ -98,8 +86,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
 cloudxns: {
 display_name: 'CloudXNS',
 package_name: 'certbot-dns-cloudxns',
-version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
-dependencies: '',
 credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
 dns_cloudxns_secret_key = 1122334455667788`,
 full_plugin_name: 'dns-cloudxns',
@@ -108,8 +94,6 @@ dns_cloudxns_secret_key = 1122334455667788`,
 constellix: {
 display_name: 'Constellix',
 package_name: 'certbot-dns-constellix',
-version_requirement: '~=0.2.1',
-dependencies: '',
 credentials: `dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595
 dns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b
 dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
@@ -119,8 +103,6 @@ dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
 corenetworks: {
 display_name: 'Core Networks',
 package_name: 'certbot-dns-corenetworks',
-version_requirement: '~=0.1.4',
-dependencies: '',
 credentials: `dns_corenetworks_username = asaHB12r
 dns_corenetworks_password = secure_password`,
 full_plugin_name: 'dns-corenetworks',
@@ -129,8 +111,6 @@ dns_corenetworks_password = secure_password`,
 cpanel: {
 display_name: 'cPanel',
 package_name: 'certbot-dns-cpanel',
-version_requirement: '~=0.2.2',
-dependencies: '',
 credentials: `cpanel_url = https://cpanel.example.com:2083
 cpanel_username = user
 cpanel_password = hunter2`,
@@ -140,8 +120,6 @@ cpanel_password = hunter2`,
 desec: {
 display_name: 'deSEC',
 package_name: 'certbot-dns-desec',
-version_requirement: '~=0.3.0',
-dependencies: '',
 credentials: `dns_desec_token = YOUR_DESEC_API_TOKEN
 dns_desec_endpoint = https://desec.io/api/v1/`,
 full_plugin_name: 'dns-desec',
@@ -150,8 +128,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
 duckdns: {
 display_name: 'DuckDNS',
 package_name: 'certbot-dns-duckdns',
-version_requirement: '~=0.9',
-dependencies: '',
 credentials: 'dns_duckdns_token=your-duckdns-token',
 full_plugin_name: 'dns-duckdns',
 },
@@ -159,8 +135,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
 digitalocean: {
 display_name: 'DigitalOcean',
 package_name: 'certbot-dns-digitalocean',
-version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
-dependencies: '',
 credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff',
 full_plugin_name: 'dns-digitalocean',
 },
@@ -168,8 +142,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
 directadmin: {
 display_name: 'DirectAdmin',
 package_name: 'certbot-dns-directadmin',
-version_requirement: '~=0.0.23',
-dependencies: '',
 credentials: `directadmin_url = https://my.directadminserver.com:2222
 directadmin_username = username
 directadmin_password = aSuperStrongPassword`,
@@ -179,8 +151,6 @@ directadmin_password = aSuperStrongPassword`,
 dnsimple: {
 display_name: 'DNSimple',
 package_name: 'certbot-dns-dnsimple',
-version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
-dependencies: '',
 credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw',
 full_plugin_name: 'dns-dnsimple',
 },
@@ -188,8 +158,6 @@ directadmin_password = aSuperStrongPassword`,
 dnsmadeeasy: {
 display_name: 'DNS Made Easy',
 package_name: 'certbot-dns-dnsmadeeasy',
-version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
-dependencies: '',
 credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
 dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
 full_plugin_name: 'dns-dnsmadeeasy',
@@ -198,8 +166,6 @@ dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`, dnspod: { display_name: 'DNSPod', package_name: 'certbot-dns-dnspod', - version_requirement: '~=0.1.0', - dependencies: '', credentials: `dns_dnspod_email = "email@example.com" dns_dnspod_api_token = "id,key"`, full_plugin_name: 'dns-dnspod', @@ -208,8 +174,6 @@ dns_dnspod_api_token = "id,key"`, domainoffensive: { display_name: 'DomainOffensive (do.de)', package_name: 'certbot-dns-do', - version_requirement: '~=0.31.0', - dependencies: '', credentials: 'dns_do_api_token = YOUR_DO_DE_AUTH_TOKEN', full_plugin_name: 'dns-do', }, @@ -217,8 +181,6 @@ dns_dnspod_api_token = "id,key"`, domeneshop: { display_name: 'Domeneshop', package_name: 'certbot-dns-domeneshop', - version_requirement: '~=0.2.8', - dependencies: '', credentials: `dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`, full_plugin_name: 'dns-domeneshop', @@ -227,8 +189,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`, dynu: { display_name: 'Dynu', package_name: 'certbot-dns-dynu', - version_requirement: '~=0.0.1', - dependencies: '', credentials: 'dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN', full_plugin_name: 'dns-dynu', }, @@ -236,8 +196,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`, eurodns: { display_name: 'EuroDNS', package_name: 'certbot-dns-eurodns', - version_requirement: '~=0.0.4', - dependencies: '', credentials: `dns_eurodns_applicationId = myuser dns_eurodns_apiKey = mysecretpassword dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`, @@ -247,8 +205,6 @@ dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`, gandi: { display_name: 'Gandi Live DNS', package_name: 'certbot_plugin_gandi', - version_requirement: '~=1.3.2', - dependencies: '', credentials: `# live dns v5 api key dns_gandi_api_key=APIKEY 
@@ -260,8 +216,6 @@ dns_gandi_sharing_id=SHARINGID`, godaddy: { display_name: 'GoDaddy', package_name: 'certbot-dns-godaddy', - version_requirement: '~=0.2.0', - dependencies: '', credentials: `dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567 dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, full_plugin_name: 'dns-godaddy', @@ -270,8 +224,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, google: { display_name: 'Google', package_name: 'certbot-dns-google', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `{ "type": "service_account", ... @@ -282,8 +234,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, hetzner: { display_name: 'Hetzner', package_name: 'certbot-dns-hetzner', - version_requirement: '~=1.0.4', - dependencies: '', credentials: 'dns_hetzner_api_token = 0123456789abcdef0123456789abcdef', full_plugin_name: 'dns-hetzner', }, @@ -291,8 +241,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, infomaniak: { display_name: 'Infomaniak', package_name: 'certbot-dns-infomaniak', - version_requirement: '~=0.1.12', - dependencies: '', credentials: 'dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', full_plugin_name: 'dns-infomaniak', }, @@ -300,8 +248,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, inwx: { display_name: 'INWX', package_name: 'certbot-dns-inwx', - version_requirement: '~=2.1.2', - dependencies: '', credentials: `dns_inwx_url = https://api.domrobot.com/xmlrpc/ dns_inwx_username = your_username dns_inwx_password = your_password 
@@ -312,8 +258,6 @@ dns_inwx_shared_secret = your_shared_secret optional`, ionos: { display_name: 'IONOS', package_name: 'certbot-dns-ionos', - version_requirement: '==2021.9.20.post1', - dependencies: '', credentials: `dns_ionos_prefix = myapikeyprefix dns_ionos_secret = verysecureapikeysecret dns_ionos_endpoint = https://api.hosting.ionos.com`, @@ -323,8 +267,6 @@ dns_ionos_endpoint = https://api.hosting.ionos.com`, ispconfig: { display_name: 'ISPConfig', package_name: 'certbot-dns-ispconfig', - version_requirement: '~=0.2.0', - dependencies: '', credentials: `dns_ispconfig_username = myremoteuser dns_ispconfig_password = verysecureremoteuserpassword dns_ispconfig_endpoint = https://localhost:8080`, @@ -334,8 +276,6 @@ dns_ispconfig_endpoint = https://localhost:8080`, isset: { display_name: 'Isset', package_name: 'certbot-dns-isset', - version_requirement: '~=0.0.3', - dependencies: '', credentials: `dns_isset_endpoint="https://customer.isset.net/api" dns_isset_token=""`, full_plugin_name: 'dns-isset', @@ -343,8 +283,6 @@ dns_isset_token=""`, joker: { display_name: 'Joker', package_name: 'certbot-dns-joker', - version_requirement: '~=1.1.0', - dependencies: '', credentials: `dns_joker_username = dns_joker_password = dns_joker_domain = `, @@ -354,8 +292,6 @@ dns_joker_domain = `, linode: { display_name: 'Linode', package_name: 'certbot-dns-linode', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64 dns_linode_version = [|3|4]`, full_plugin_name: 'dns-linode', @@ -364,8 +300,6 @@ dns_linode_version = [|3|4]`, loopia: { display_name: 'Loopia', package_name: 'certbot-dns-loopia', - version_requirement: '~=1.0.0', - dependencies: '', credentials: `dns_loopia_user = user@loopiaapi dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`, full_plugin_name: 'dns-loopia', 
@@ -374,8 +308,6 @@ dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`, luadns: { display_name: 'LuaDNS', package_name: 'certbot-dns-luadns', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `dns_luadns_email = user@example.com dns_luadns_token = 0123456789abcdef0123456789abcdef`, full_plugin_name: 'dns-luadns', @@ -384,8 +316,6 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`, namecheap: { display_name: 'Namecheap', package_name: 'certbot-dns-namecheap', - version_requirement: '~=1.0.0', - dependencies: '', credentials: `dns_namecheap_username = 123456 dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`, full_plugin_name: 'dns-namecheap', @@ -394,8 +324,6 @@ dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`, netcup: { display_name: 'netcup', package_name: 'certbot-dns-netcup', - version_requirement: '~=1.1.4', - dependencies: '', credentials: `dns_netcup_customer_id = 123456 dns_netcup_api_key = 0123456789abcdef0123456789abcdef01234567 dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, @@ -405,8 +333,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, njalla: { display_name: 'Njalla', package_name: 'certbot-dns-njalla', - version_requirement: '~=1.0.0', - dependencies: '', credentials: 'dns_njalla_token = 0123456789abcdef0123456789abcdef01234567', full_plugin_name: 'dns-njalla', }, @@ -414,8 +340,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, nsone: { display_name: 'NS1', package_name: 'certbot-dns-nsone', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw', full_plugin_name: 'dns-nsone', }, 
@@ -423,8 +347,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, oci: { display_name: 'Oracle Cloud Infrastructure DNS', package_name: 'certbot-dns-oci', - package_version: '0.3.6', - dependencies: 'oci', credentials: `[DEFAULT] user = ocid1.user.oc1... fingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx @@ -437,8 +359,6 @@ key_file = ~/.oci/oci_api_key.pem`, ovh: { display_name: 'OVH', package_name: 'certbot-dns-ovh', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `dns_ovh_endpoint = ovh-eu dns_ovh_application_key = MDAwMDAwMDAwMDAw dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw @@ -449,8 +369,6 @@ dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw`, porkbun: { display_name: 'Porkbun', package_name: 'certbot-dns-porkbun', - version_requirement: '~=0.2', - dependencies: '', credentials: `dns_porkbun_key=your-porkbun-api-key dns_porkbun_secret=your-porkbun-api-secret`, full_plugin_name: 'dns-porkbun', @@ -459,8 +377,6 @@ dns_porkbun_secret=your-porkbun-api-secret`, powerdns: { display_name: 'PowerDNS', package_name: 'certbot-dns-powerdns', - version_requirement: '~=0.2.0', - dependencies: '', credentials: `dns_powerdns_api_url = https://api.mypowerdns.example.org dns_powerdns_api_key = AbCbASsd!@34`, full_plugin_name: 'dns-powerdns', @@ -469,8 +385,6 @@ dns_powerdns_api_key = AbCbASsd!@34`, regru: { display_name: 'reg.ru', package_name: 'certbot-regru', - version_requirement: '~=1.0.2', - dependencies: '', credentials: `certbot_regru:dns_username=username certbot_regru:dns_password=password`, full_plugin_name: 'certbot-regru:dns', 
@@ -479,8 +393,6 @@ certbot_regru:dns_password=password`, rfc2136: { display_name: 'RFC 2136', package_name: 'certbot-dns-rfc2136', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `# Target DNS server dns_rfc2136_server = 192.0.2.1 # Target DNS port @@ -497,8 +409,6 @@ dns_rfc2136_algorithm = HMAC-SHA512`, route53: { display_name: 'Route 53 (Amazon)', package_name: 'certbot-dns-route53', - version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version - dependencies: '', credentials: `[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, @@ -508,18 +418,14 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, transip: { display_name: 'TransIP', package_name: 'certbot-dns-transip', - version_requirement: '~=0.4.3', - dependencies: '', credentials: `dns_transip_username = my_username -dns_transip_key_file = /data/ssl/certbot/transip-rsa.key`, +dns_transip_key_file = /data/tls/certbot/transip-rsa.key`, full_plugin_name: 'dns-transip', }, //####################################################// tencentcloud: { display_name: 'Tencent Cloud', package_name: 'certbot-dns-tencentcloud', - version_requirement: '~=2.0.0', - dependencies: '', credentials: `dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`, full_plugin_name: 'dns-tencentcloud', @@ -528,8 +434,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`, vultr: { display_name: 'Vultr', package_name: 'certbot-dns-vultr', - version_requirement: '~=1.0.3', - dependencies: '', credentials: 'dns_vultr_key = YOUR_VULTR_API_KEY', full_plugin_name: 'dns-vultr', }, 
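Review bot: The TransIP sample credentials now point at `/data/tls/certbot/transip-rsa.key`, but credential files users already saved from the old template still contain `/data/ssl/certbot/transip-rsa.key`; the start.sh migration in this commit rewrites `*.conf` files under /data/nginx and the certbot renewal directory only, so unless the stored plugin credential files are rewritten somewhere not shown here, existing TransIP renewals fail once the key file has been moved to /data/tls. A `sed -i "s|/data/ssl|/data/tls|g"` over the directory holding those credential files, next to the existing renewal-conf sed, would close that gap. Separately, this hunk and every other plugin entry in this file (cloudxns through websupportsk, including the oci entry that also drops `dependencies: 'oci'`) remove `version_requirement`, so if these package names are still handed to pip at install time the plugin versions are now whatever PyPI serves at that moment; a pinned, ideally hash-pinned, requirements list would keep plugin installs reproducible and auditable.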
@@ -537,8 +441,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`, websupportsk: { display_name: 'Websupport.sk', package_name: 'certbot-dns-websupportsk', - version_requirement: '~=0.1.6', - dependencies: '', credentials: `dns_websupportsk_api_key = dns_websupportsk_secret = dns_websupportsk_domain = example.com`, diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh index 07c25f8e..be1dc871 100644 --- a/rootfs/bin/start.sh +++ b/rootfs/bin/start.sh @@ -5,32 +5,31 @@ if [ -n "$PHP_APKS" ]; then if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then echo "You've set PHP_APKS but not to an allowed value. It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores. - It is set to '$PHP_APKS'." || exit 1 + It is set to '$PHP_APKS'." || sleep inf sleep inf || exit 1 fi - read -ra APKS_ARRAY <<< "$PHP_APKS" + read -ra APKS_ARRAY <<< "$PHP_APKS" || sleep inf for apk in "${APKS_ARRAY[@]}"; do if ! echo "$apk" | grep -q "php*"; then echo "'$apk' is a non allowed value. It needs to start with php. - It is set to '$apk'." || exit 1 + It is set to '$apk'." || sleep inf sleep inf || exit 1 fi echo "Installing $apk via apk..." if ! apk add --no-cache "$apk" &> /dev/null; then - echo "The packet $apk was not installed!" + echo "The packet $apk was not installed!" || sleep inf fi done fi -mkdir -p /tmp/acme-challenge \ - /data/ssl/certbot \ - /data/ssl/custom \ +mkdir -vp /data/tls/certbot/renewal \ + /data/tls/custom \ /data/php \ /data/nginx/redirection_host \ /data/nginx/proxy_host \ 
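Review bot: The per-package check `grep -q "php*"` in the PHP_APKS loop, left unchanged by this hunk, matches any value that merely contains `ph` (the `*` makes the trailing `p` optional and the pattern is unanchored), so the loop does not enforce the "needs to start with php" rule its own error message states; anchoring it as `if ! echo "$apk" | grep -q "^php"; then` makes the check match the message and keeps `apk add` limited to PHP packages. The new `echo "..." || sleep inf` guards add nothing: writing to stdout essentially never fails, and the `sleep inf || exit 1` on the following line is what actually halts the container, so the plain `echo` reads cleaner; the same applies to `|| sleep inf` on the `read -ra` line.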
@@ -38,33 +37,46 @@ mkdir -p /tmp/acme-challenge \ /data/nginx/stream \ /data/nginx/custom \ /data/nginx/access \ - /data/nginx/html || exit 1 + /data/nginx/html \ + /tmp/acme-challenge || sleep inf if [ -f /data/nginx/default_host/site.conf ]; then -mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1 +mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf fi if [ -f /data/nginx/default_www/index.html ]; then -mv /data/nginx/default_www/index.html /data/nginx/html/index.html || exit 1 +mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf fi -if [ -e /data/access ]; then -mv /data/access/* /data/nginx/access || exit 1 +if [ -f /data/nginx/dummycert.pem ]; then +mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf fi -if [ -e /etc/letsencrypt/live ]; then -mv /etc/letsencrypt/* /data/ssl/certbot || exit 1 +if [ -f /data/nginx/dummykey.pem ]; then +mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf fi -if [ -e /data/letsencrypt/live ]; then -mv /data/letsencrypt/* /data/ssl/certbot || exit 1 +if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then +mv -v /data/access/* /data/nginx/access || sleep inf fi -if [ -e /data/custom_ssl/npm-* ]; then -mv /data/custom_ssl/* /data/ssl/custom || exit 1 +if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then +mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf fi -rm -rf /data/letsencrypt-acme-challenge \ +if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then +mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf +fi + +if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then +mv -v /data/custom_ssl/* /data/tls/custom || sleep inf +fi + +if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then +mv -v /data/ssl/* /data/tls || sleep inf +fi + +rm -vrf /data/letsencrypt-acme-challenge \ /data/nginx/default_host \ /data/nginx/default_www \ /data/nginx/streams \ 
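Review bot: The `/data/ssl` to `/data/tls` migration at the end of this hunk cannot succeed on an existing install: `mkdir -vp /data/tls/certbot/renewal /data/tls/custom` in the previous hunk runs first, so when `mv -v /data/ssl/* /data/tls` reaches `/data/ssl/certbot` the destination `/data/tls/certbot` already exists and is non-empty (it holds `renewal/`, plus anything just moved in from `/etc/letsencrypt`), `mv` refuses to rename a directory onto a non-empty directory, and the `|| sleep inf` then hangs the container on every upgrade from the old layout. Moving the contents instead of the directories avoids this, e.g. `mv -v /data/ssl/certbot/* /data/tls/certbot || sleep inf` and `mv -v /data/ssl/custom/* /data/tls/custom || sleep inf` under the same `ls -A` guards; alternatively run the `/data/ssl` migration before the `mkdir`. With the contents variant, `/data/ssl/certbot/renewal` lands on the freshly created empty `renewal/`, which `mv` accepts.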
@@ -74,37 +86,44 @@ rm -rf /data/letsencrypt-acme-challenge \ /data/custom_ssl \ /data/certbot \ /data/access \ + /data/ssl \ /data/logs \ /data/error.log \ - /data/nginx/error.log || exit 1 + /data/nginx/error.log || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/ssl/custom|g" {} \; || exit 1 -find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 -find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf -find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 -find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || exit 1 +find 
/data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf +find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf +find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || exit 1 -find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || sleep inf -find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || exit 1 -find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || sleep inf -if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then -openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1 +find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || sleep inf +find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || sleep inf + +if [ ! -f /data/tls/dummycert.pem ] || [ ! -f /data/tls/dummykey.pem ]; then +openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem || sleep inf fi if [ ! 
-f /data/nginx/default.conf ]; then -cp /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || exit 1 +mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf fi -if [ ! -f /data/ssl/certbot/config.ini ]; then -cp /etc/ssl/certbot.ini /data/ssl/certbot/config.ini || exit 1 +if [ ! -f /data/tls/certbot/config.ini ]; then +mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf fi touch /data/nginx/default.conf \ 
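Review bot: Switching `cp` to `mv -vn` for `default.conf` and `certbot.ini` turns these two `[ ! -f ... ]` blocks into one-shot operations: the first start of a container consumes the image copies, so if either target is later deleted to be regenerated and the same container is restarted rather than recreated, the source path is gone, `mv` fails and `|| sleep inf` hangs startup. Unless something not shown here depends on the files disappearing from `/usr/local/nginx/conf/conf.d/include` and `/etc/tls`, `cp -vn` keeps the self-healing behaviour the old code had. The `touch` command that starts at the end of this hunk continues outside it.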
@@ -120,45 +139,45 @@ touch /data/nginx/default.conf \ /data/nginx/custom/server_stream.conf \ /data/nginx/custom/server_stream_tcp.conf \ /data/nginx/custom/server_stream_udp.conf \ - /usr/local/nginx/conf/conf.d/include/ip_ranges.conf || exit 1 + /usr/local/nginx/conf/conf.d/include/ip_ranges.conf || sleep inf -for folder in $(find /etc -maxdepth 1 -type d -name php*); do cp -Trn $folder /data/php/$(echo $folder| sed "s|/etc/php||g"); done; -for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|user =.*|user = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; -for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|group =.*|group = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; -for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|listen =.*|listen = /dev/$(echo $folder| sed "s|/etc/||g").sock|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; -for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|include=.*|include=/data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/*.conf|g" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.conf; done; +for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do cp -vrnT /etc/php$phpv /data/php/$phpv; done; +for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|user =.*|user = root|" /data/php/$phpv/php-fpm.d/www.conf; done; +for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|group =.*|group = root|" /data/php/$phpv/php-fpm.d/www.conf; done; +for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|listen =.*|listen = /dev/php$phpv.sock|" /data/php/$phpv/php-fpm.d/www.conf; done; +for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|include=.*|include=/data/php/$phpv/php-fpm.d/*.conf|g" /data/php/$phpv/php-fpm.conf; done; if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then -sed -i "s/listen 81/listen 
127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1 -sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1 +sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf +sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf fi if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then -sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || exit 1 +sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf fi if ! nginx -t &> /dev/null; then -nginx -T || exit 1 +nginx -T || sleep inf sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then -cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1 +cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || sleep inf sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then -cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1 +cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || sleep inf sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then -cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1 +cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf sleep inf || exit 1 fi if ! 
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then -cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1 +cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf sleep inf || exit 1 fi @@ -174,25 +193,20 @@ done if ! nginx -t &> /dev/null; then nginx -T || exit 1 -sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1 -sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1 -sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1 -sleep inf || exit 1 fi if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1 -sleep inf || exit 1 fi diff --git a/rootfs/etc/ssl/certbot.ini b/rootfs/etc/tls/certbot.ini similarity index 100% rename from rootfs/etc/ssl/certbot.ini rename to rootfs/etc/tls/certbot.ini diff --git a/rootfs/etc/ssl/dhparam b/rootfs/etc/tls/dhparam similarity index 100% rename from rootfs/etc/ssl/dhparam rename to rootfs/etc/tls/dhparam 
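Review bot: The rewritten PHP loops derive versions from `ls -1 /etc | grep php | sed "s|php||g"`, which is looser than the `find -maxdepth 1 -type d -name php*` they replace: `grep php` is unanchored, so any /etc entry containing `php` anywhere (a file as well as a directory) is picked up, and `s|php||g` strips every occurrence rather than the prefix. A glob keeps the original semantics without parsing `ls`, e.g. `for dir in /etc/php*/; do phpv="${dir#/etc/php}"; phpv="${phpv%/}"; ... done`, and the five identical loops could then collapse into one loop that runs the `cp` and the four `sed` commands per version. As a minor point, `nginx -T || sleep inf` immediately followed by `sleep inf || exit 1` is redundant in this first check round, while the second round in the next hunk drops `sleep inf` entirely, so the two rounds now fail differently; a one-line comment stating which behaviour is intended would help the next reader.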
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf index 1e0806a9..bfa3e1b8 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf @@ -14,13 +14,13 @@ server { server_name _; include conf.d/include/force-ssl.conf; - include conf.d/include/ssl-ciphers.conf; + include conf.d/include/tls-ciphers.conf; include conf.d/include/acme-challenge.conf; include conf.d/include/block-exploits.conf; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; - ssl_certificate /data/nginx/dummycert.pem; - ssl_certificate_key /data/nginx/dummykey.pem; + ssl_certificate /data/tls/dummycert.pem; + ssl_certificate_key /data/tls/dummykey.pem; location / { include conf.d/include/acme-challenge.conf; diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf similarity index 93% rename from rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf rename to rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf index cc473a7c..4553f9ad 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf @@ -1,7 +1,7 @@ ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; -ssl_dhparam /etc/ssl/dhparam; +ssl_dhparam /etc/tls/dhparam; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1.3 TLSv1.2; diff --git a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf index 813796d4..a1b58b35 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf 
@@ -18,10 +18,10 @@ server { return 444; include conf.d/include/force-ssl.conf; - include conf.d/include/ssl-ciphers.conf; + include conf.d/include/tls-ciphers.conf; include conf.d/include/block-exploits.conf; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; - ssl_certificate /data/nginx/dummycert.pem; - ssl_certificate_key /data/nginx/dummykey.pem; + ssl_certificate /data/tls/dummycert.pem; + ssl_certificate_key /data/tls/dummykey.pem; } diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf index 5e8b0ad3..e7501a27 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf @@ -6,9 +6,9 @@ server { listen [::]:81 http3 default_server; server_name _; - ssl_certificate /data/nginx/dummycert.pem; - ssl_certificate_key /data/nginx/dummykey.pem; - include conf.d/include/ssl-ciphers.conf; + ssl_certificate /data/tls/dummycert.pem; + ssl_certificate_key /data/tls/dummykey.pem; + include conf.d/include/tls-ciphers.conf; include conf.d/include/block-exploits.conf; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';