rebrand SSL to TLS

Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey
2023-01-02 17:01:06 +01:00
parent d7db5527d9
commit 6c56070a46
22 changed files with 164 additions and 243 deletions

View File

@@ -30,9 +30,9 @@ jobs:
run: | run: |
sudo npm install --global cross-env sudo npm install --global cross-env
sudo pip install certbot sudo pip install certbot
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
mv global backend mv global backend
cd backend cd backend
npm install --force npm install --force
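Review bot: this setup block is duplicated verbatim in the next workflow hunk (same `mkdir`, `touch` and `cp` lines with the new `/data/tls` paths); factoring it into a composite action or a reusable workflow would keep the two copies from drifting apart on the next rename. The rename itself is consistent here, `/data/ssl/certbot` becomes `/data/tls/certbot` and `rootfs/etc/ssl/certbot.ini` becomes `rootfs/etc/tls/certbot.ini`, which means the `rootfs/etc/ssl` directory rename has to be part of this same commit or the `cp` step fails.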

View File

@@ -25,9 +25,9 @@ jobs:
run: | run: |
sudo npm install --global cross-env sudo npm install --global cross-env
sudo pip install certbot sudo pip install certbot
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/ssl/certbot /tmp/acme-challenge sudo mkdir -p /usr/local/nginx/conf/conf.d/include /data/tls/certbot /tmp/acme-challenge
sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
sudo cp rootfs/etc/ssl/certbot.ini /data/ssl/certbot/config.ini sudo cp rootfs/etc/tls/certbot.ini /data/tls/certbot/config.ini
mv global backend mv global backend
cd backend cd backend
npm install --force npm install --force

View File

@@ -1,4 +1,4 @@
FROM zoeyvid/nginx-quic:30 FROM zoeyvid/nginx-quic:31
COPY rootfs / COPY rootfs /
COPY backend /app COPY backend /app
COPY global /app/global COPY global /app/global
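Review bot: the base image bump from `zoeyvid/nginx-quic:30` to `:31` is a functional change unrelated to the SSL-to-TLS rename and is not mentioned in the commit message; it belongs in its own commit, or at least in the message. Consider also pinning the base image by digest (`zoeyvid/nginx-quic:31@sha256:<digest>`) in addition to the tag, so that builds are reproducible and a re-pushed tag cannot silently change what ships in the image.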

View File

@@ -12,7 +12,7 @@
This project comes as a pre-built docker image that enables you to easily forward to your websites This project comes as a pre-built docker image that enables you to easily forward to your websites
running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt. running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
- [Quick Setup](#quick-setup) - [Quick Setup](#quick-setup)
- [Screenshots](https://nginxproxymanager.com/screenshots) - [Screenshots](https://nginxproxymanager.com/screenshots)
@@ -21,7 +21,7 @@ running at home or otherwise, including free SSL, without having to know too muc
## Project Goal ## Project Goal
I created this project to fill a personal need to provide users with a easy way to accomplish reverse I created this project to fill a personal need to provide users with a easy way to accomplish reverse
proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed. proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
While there might be advanced options they are optional and the project should be as simple as possible While there might be advanced options they are optional and the project should be as simple as possible
so that the barrier for entry here is low. so that the barrier for entry here is low.
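Review bot: `a easy way` in the context line should be `an easy way`; trivial, but this paragraph is being edited anyway.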
@@ -32,7 +32,7 @@ so that the barrier for entry here is low.
- Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io/) - Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io/)
- Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx - Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx
- Free SSL using Let's Encrypt or provide your own custom SSL certificates - Free trusted TLS certificates using Certbot (Let's Encrypt) or provide your own custom TLS certificates
- Access Lists and basic HTTP Authentication for your hosts - Access Lists and basic HTTP Authentication for your hosts
- Advanced Nginx configuration available for super users - Advanced Nginx configuration available for super users
- User management, permissions and audit log - User management, permissions and audit log
@@ -44,10 +44,10 @@ so that the barrier for entry here is low.
- Fix Proxy Hosts, if origin only accepts TLSv1.3 - Fix Proxy Hosts, if origin only accepts TLSv1.3
- Only use TLSv1.2 and TLSv1.3 - Only use TLSv1.2 and TLSv1.3
- Uses OCSP Stapling - Uses OCSP Stapling
- Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/ssl/custom/npm-[certificate-id]` folder - Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
- Smaller then the original - Smaller then the original
- Runs the admin interface on port 81 with ssl (https) - Runs the admin interface on port 81 with https
- Default page runs also with ssl (https) - Default page runs also with https
- Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if you use the npm directly as webserver - Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if you use the npm directly as webserver
- Expose INTERNAL backend api only to localhost - Expose INTERNAL backend api only to localhost
- Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers), enabled by default if you enable hsts - Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers), enabled by default if you enable hsts
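Review bot: the migration note on the `Needs manual migration if you use custom certificates` line only covers uploading `chain.pem` into `/opt/npm/tls/custom/npm-[certificate-id]`, but this commit also moves the Certbot state from `/data/ssl/certbot` to `/data/tls/certbot` and custom uploads from `/data/custom_ssl` to `/data/tls/custom`, which affects every existing install, not only custom-certificate users. The README should state that the old `ssl` and `custom_ssl` directories under `/opt/npm` must be moved (or that the image migrates them on start). While here, `Smaller then the original` should read `Smaller than the original`.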

View File

@@ -14,8 +14,8 @@ const internalHost = require('./host');
const archiver = require('archiver'); const archiver = require('archiver');
const path = require('path'); const path = require('path');
const { isArray } = require('lodash'); const { isArray } = require('lodash');
const certbotConfig = '/data/ssl/certbot/config.ini'; const certbotConfig = '/data/tls/certbot/config.ini';
const certbotCommand = 'certbot --config-dir /data/ssl/certbot'; const certbotCommand = 'certbot --config-dir /data/tls/certbot';
function omissions() { function omissions() {
return ['is_deleted']; return ['is_deleted'];
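Review bot: changing `certbotCommand` to `--config-dir /data/tls/certbot` without a migration step (none is visible in these hunks) means an upgraded install finds no account, no `renewal/*.conf` and no `live/` directories, so `processExpiringHosts` renews nothing and `hasLetsEncryptSslCerts` reports false for every existing certificate. A plain `mv /data/ssl /data/tls` is not enough either, because Certbot's renewal configuration files store absolute paths (`archive_dir`, `cert`, `privkey`, `chain`, `fullchain`) that would still point at `/data/ssl/certbot`; either rewrite those paths on first start or keep a compatibility symlink from `/data/ssl` to `/data/tls`.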
@@ -29,19 +29,19 @@ const internalCertificate = {
intervalProcessing: false, intervalProcessing: false,
initTimer: () => { initTimer: () => {
logger.info('Let\'s Encrypt Renewal Timer initialized'); logger.info('Certbot Encrypt Renewal Timer initialized');
internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.intervalTimeout); internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.intervalTimeout);
// And do this now as well // And do this now as well
internalCertificate.processExpiringHosts(); internalCertificate.processExpiringHosts();
}, },
/** /**
* Triggered by a timer, this will check for expiring hosts and renew their ssl certs if required * Triggered by a timer, this will check for expiring hosts and renew their tls certs if required
*/ */
processExpiringHosts: () => { processExpiringHosts: () => {
if (!internalCertificate.intervalProcessing) { if (!internalCertificate.intervalProcessing) {
internalCertificate.intervalProcessing = true; internalCertificate.intervalProcessing = true;
logger.info('Renewing SSL certs close to expiry...'); logger.info('Renewing TLS certs close to expiry...');
const cmd = certbotCommand + ' renew --non-interactive --quiet ' + const cmd = certbotCommand + ' renew --non-interactive --quiet ' +
'--config "' + certbotConfig + '" ' + '--config "' + certbotConfig + '" ' +
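Review bot: the search-and-replace produced `Certbot Encrypt Renewal Timer initialized`, which is not a meaningful name (only `Let's` was replaced, not `Let's Encrypt`); it should read `Certbot Renewal Timer initialized`.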
@@ -72,7 +72,7 @@ const internalCertificate = {
certificates.map(function (certificate) { certificates.map(function (certificate) {
promises.push( promises.push(
internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem') internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
.then((cert_info) => { .then((cert_info) => {
return certificateModel return certificateModel
.query() .query()
@@ -124,13 +124,13 @@ const internalCertificate = {
}) })
.then((certificate) => { .then((certificate) => {
if (certificate.provider === 'letsencrypt') { if (certificate.provider === 'letsencrypt') {
// Request a new Cert from LE. Let the fun begin. // Request a new Cert using Certbot. Let the fun begin.
// 1. Find out any hosts that are using any of the hostnames in this cert // 1. Find out any hosts that are using any of the hostnames in this cert
// 2. Disable them in nginx temporarily // 2. Disable them in nginx temporarily
// 3. Generate the LE config // 3. Generate the Certbot config
// 4. Request cert // 4. Request cert
// 5. Remove LE config // 5. Remove Certbot config
// 6. Re-instate previously disabled hosts // 6. Re-instate previously disabled hosts
// 1. Find out any hosts that are using any of the hostnames in this cert // 1. Find out any hosts that are using any of the hostnames in this cert
@@ -166,7 +166,7 @@ const internalCertificate = {
}); });
}); });
} else { } else {
// 3. Generate the LE config // 3. Generate the Certbot config
return internalNginx.generateLetsEncryptRequestConfig(certificate) return internalNginx.generateLetsEncryptRequestConfig(certificate)
.then(internalNginx.reload) .then(internalNginx.reload)
.then(async() => await new Promise((r) => setTimeout(r, 5000))) .then(async() => await new Promise((r) => setTimeout(r, 5000)))
@@ -175,7 +175,7 @@ const internalCertificate = {
return internalCertificate.requestLetsEncryptSsl(certificate); return internalCertificate.requestLetsEncryptSsl(certificate);
}) })
.then(() => { .then(() => {
// 5. Remove LE config // 5. Remove Certbot config
return internalNginx.deleteLetsEncryptRequestConfig(certificate); return internalNginx.deleteLetsEncryptRequestConfig(certificate);
}) })
.then(internalNginx.reload) .then(internalNginx.reload)
@@ -202,7 +202,7 @@ const internalCertificate = {
.then(() => { .then(() => {
// At this point, the certbot cert should exist on disk. // At this point, the certbot cert should exist on disk.
// Lets get the expiry date from the file and update the row silently // Lets get the expiry date from the file and update the row silently
return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem') return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem')
.then((cert_info) => { .then((cert_info) => {
return certificateModel return certificateModel
.query() .query()
@@ -352,7 +352,7 @@ const internalCertificate = {
}) })
.then((certificate) => { .then((certificate) => {
if (certificate.provider === 'letsencrypt') { if (certificate.provider === 'letsencrypt') {
const zipDirectory = '/data/ssl/certbot/live/npm-' + data.id; const zipDirectory = '/data/tls/certbot/live/npm-' + data.id;
if (!fs.existsSync(zipDirectory)) { if (!fs.existsSync(zipDirectory)) {
throw new error.ItemNotFoundError('Certificate ' + certificate.nice_name + ' does not exists'); throw new error.ItemNotFoundError('Certificate ' + certificate.nice_name + ' does not exists');
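Review bot: `does not exists` in the error message should be `does not exist`; it is an unchanged context line, but the strings in this file are being touched anyway.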
@@ -372,7 +372,7 @@ const internalCertificate = {
resolve(resp); resolve(resp);
}).catch((err) => reject(err)); }).catch((err) => reject(err));
} else { } else {
throw new error.ValidationError('Only Let\'sEncrypt certificates can be downloaded'); throw new error.ValidationError('Only Certbot certificates can be downloaded');
} }
}).catch((err) => reject(err)); }).catch((err) => reject(err));
}); });
@@ -517,7 +517,7 @@ const internalCertificate = {
writeCustomCert: (certificate) => { writeCustomCert: (certificate) => {
logger.info('Writing Custom Certificate:', certificate); logger.info('Writing Custom Certificate:', certificate);
const dir = '/data/custom_ssl/npm-' + certificate.id; const dir = '/data/tls/custom/npm-' + certificate.id;
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
if (certificate.provider === 'letsencrypt') { if (certificate.provider === 'letsencrypt') {
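Review bot: the old code wrote custom certificates to `/data/custom_ssl/npm-<id>` while the nginx template read them from `/data/ssl/custom/npm-<id>`; this hunk and the template change now agree on `/data/tls/custom`, which is good, but uploads already sitting in `/data/custom_ssl` need a migration step (or a README instruction) or every host using a custom certificate fails `nginx -t` after the upgrade because the `ssl_certificate` file is missing.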
@@ -758,7 +758,6 @@ const internalCertificate = {
return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout'); return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout');
}) })
.then((result) => { .then((result) => {
// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
const regex = /^(?:issuer=)?(.*)$/gim; const regex = /^(?:issuer=)?(.*)$/gim;
const match = regex.exec(result); const match = regex.exec(result);
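Review bot: removing the `// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3` comment drops the only documentation of the `openssl x509 -issuer -noout` output that the regex `/^(?:issuer=)?(.*)$/gim` is written against; the sample is still accurate regardless of the rebrand, so keep it, or replace it with a neutral sample such as `issuer=C = XX, O = Example CA, CN = Example Intermediate`.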
@@ -813,7 +812,7 @@ const internalCertificate = {
}, },
/** /**
* Cleans the ssl keys from the meta object and sets them to "true" * Cleans the tls keys from the meta object and sets them to "true"
* *
* @param {Object} meta * @param {Object} meta
* @param {Boolean} [remove] * @param {Boolean} [remove]
@@ -839,7 +838,7 @@ const internalCertificate = {
* @returns {Promise} * @returns {Promise}
*/ */
requestLetsEncryptSsl: (certificate) => { requestLetsEncryptSsl: (certificate) => {
logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' certonly ' + const cmd = certbotCommand + ' certonly ' +
'--config "' + certbotConfig + '" ' + '--config "' + certbotConfig + '" ' +
@@ -872,12 +871,12 @@ const internalCertificate = {
throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`); throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
} }
logger.info(`Requesting Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); logger.info(`Requesting Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id; const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
// Escape single quotes and backslashes // Escape single quotes and backslashes
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\'); const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
const credentialsCmd = 'mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\''; const credentialsCmd = 'mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies; let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
// Whether the plugin has a --<name>-credentials argument // Whether the plugin has a --<name>-credentials argument
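Review bot: the escaping on the `escapedCredentials` line is in the wrong order and does not match how single-quoted shell strings work: `replaceAll('\'', '\\\'')` first turns `'` into `\'`, then `replaceAll('\\', '\\\\')` doubles that backslash to `\\'`, and inside `'...'` the shell never treats `\` as an escape, so a DNS provider credential containing a single quote ends the quoted string early and whatever follows is parsed by the shell as part of the `credentialsCmd` command. Since this hunk only moves the file to `/data/tls/certbot/credentials`, the cleaner fix is to stop going through `echo` at all: create the directory with `fs.mkdirSync(dir, { recursive: true })` and write the file with `fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 })`, which needs no escaping and never exposes the secret to a shell.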
@@ -943,7 +942,7 @@ const internalCertificate = {
return renewMethod(certificate) return renewMethod(certificate)
.then(() => { .then(() => {
return internalCertificate.getCertificateInfoFromFile('/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem'); return internalCertificate.getCertificateInfoFromFile('/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem');
}) })
.then((cert_info) => { .then((cert_info) => {
return certificateModel return certificateModel
@@ -965,7 +964,7 @@ const internalCertificate = {
}); });
}); });
} else { } else {
throw new error.ValidationError('Only Let\'sEncrypt certificates can be renewed'); throw new error.ValidationError('Only Certbot certificates can be renewed');
} }
}); });
}, },
@@ -975,7 +974,7 @@ const internalCertificate = {
* @returns {Promise} * @returns {Promise}
*/ */
renewLetsEncryptSsl: (certificate) => { renewLetsEncryptSsl: (certificate) => {
logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Renewing Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const cmd = certbotCommand + ' renew --force-renewal ' + const cmd = certbotCommand + ' renew --force-renewal ' +
'--config "' + certbotConfig + '" ' + '--config "' + certbotConfig + '" ' +
@@ -1004,7 +1003,7 @@ const internalCertificate = {
throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`); throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
} }
logger.info(`Renewing Let's Encrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); logger.info(`Renewing Certbot certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
let mainCmd = certbotCommand + ' renew ' + let mainCmd = certbotCommand + ' renew ' +
'--config "' + certbotConfig + '" ' + '--config "' + certbotConfig + '" ' +
@@ -1014,7 +1013,7 @@ const internalCertificate = {
// Prepend the path to the credentials file as an environment variable // Prepend the path to the credentials file as an environment variable
if (certificate.meta.dns_provider === 'route53') { if (certificate.meta.dns_provider === 'route53') {
const credentialsLocation = '/data/ssl/certbot/credentials/credentials-' + certificate.id; const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id;
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd; mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
} }
@@ -1033,15 +1032,15 @@ const internalCertificate = {
* @returns {Promise} * @returns {Promise}
*/ */
revokeLetsEncryptSsl: (certificate, throw_errors) => { revokeLetsEncryptSsl: (certificate, throw_errors) => {
logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); logger.info('Revoking Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
const mainCmd = certbotCommand + ' revoke ' + const mainCmd = certbotCommand + ' revoke ' +
'--config "' + certbotConfig + '" ' + '--config "' + certbotConfig + '" ' +
'--cert-path "/data/ssl/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' + '--cert-path "/data/tls/certbot/live/npm-' + certificate.id + '/fullchain.pem" ' +
'--delete-after-revoke'; '--delete-after-revoke';
// Don't fail command if file does not exist // Don't fail command if file does not exist
const delete_credentialsCmd = `rm -f '/data/ssl/certbot/credentials/credentials-${certificate.id}' || true`; const delete_credentialsCmd = `rm -f '/data/tls/certbot/credentials/credentials-${certificate.id}' || true`;
logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd); logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
@@ -1065,7 +1064,7 @@ const internalCertificate = {
* @returns {Boolean} * @returns {Boolean}
*/ */
hasLetsEncryptSslCerts: (certificate) => { hasLetsEncryptSslCerts: (certificate) => {
const letsencryptPath = '/data/ssl/certbot/live/npm-' + certificate.id; const letsencryptPath = '/data/tls/certbot/live/npm-' + certificate.id;
return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem'); return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem');
}, },
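Review bot: the rebrand only touches strings and paths; `hasLetsEncryptSslCerts`, `requestLetsEncryptSsl`, `renewLetsEncryptSsl`, `revokeLetsEncryptSsl` and `generateLetsEncryptRequestConfig` keep their old names and `certificate.provider` stays `'letsencrypt'`. That is a reasonable choice for a user-facing rebrand (renaming the provider value would need a database migration), but it should be stated in the commit message so nobody later finishes the rename and breaks stored rows.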

View File

@@ -54,12 +54,12 @@ const internalNginx = {
.catch((err) => { .catch((err) => {
// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported. // Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
// It will always look like this: // It will always look like this:
// nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address) // nginx: [alert] could not open error log file: open() "/dev/null" failed (6: No such device or address)
let valid_lines = []; let valid_lines = [];
let err_lines = err.message.split('\n'); let err_lines = err.message.split('\n');
err_lines.map(function (line) { err_lines.map(function (line) {
if (line.indexOf('/data/nginx/error.log') === -1) { if (line.indexOf('/dev/null') === -1) {
valid_lines.push(line); valid_lines.push(line);
} }
}); });
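Review bot: switching the filter from `/data/nginx/error.log` to `/dev/null` is a behaviour change unrelated to the SSL-to-TLS rename and is not covered by the commit message. It is also a broader match: the old filter only dropped lines naming the log file, while the new one drops any line of the `nginx -t` output that mentions `/dev/null`, so a genuine configuration error that happens to reference that path would be swallowed. Matching on the `could not open error log file` alert text rather than on the path alone would be safer.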

View File

@@ -207,7 +207,7 @@ router
}); });
/** /**
* Renew LE Certs * Renew Certbot Certs
* *
* /api/nginx/certificates/123/renew * /api/nginx/certificates/123/renew
*/ */
@@ -236,7 +236,7 @@ router
}); });
/** /**
* Download LE Certs * Download Certbot Certs
* *
* /api/nginx/certificates/123/download * /api/nginx/certificates/123/download
*/ */

View File

@@ -180,10 +180,10 @@ const setupCertbotPlugins = () => {
if (plugins.indexOf(packages_to_install) === -1) plugins.push(packages_to_install); if (plugins.indexOf(packages_to_install) === -1) plugins.push(packages_to_install);
// Make sure credentials file exists // Make sure credentials file exists
const credentials_loc = '/data/ssl/certbot/credentials/credentials-' + certificate.id; const credentials_loc = '/data/tls/certbot/credentials/credentials-' + certificate.id;
// Escape single quotes and backslashes // Escape single quotes and backslashes
const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\'); const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/ssl/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }'; const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /data/tls/certbot/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
promises.push(utils.exec(credentials_cmd)); promises.push(utils.exec(credentials_cmd));
} }
}); });
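Review bot: same quoting problem as in `requestLetsEncryptSsl`: the quote replacement runs before the backslash replacement, and backslashes do not escape anything inside a single-quoted shell string, so credentials containing `'` break the `credentials_cmd` line. Writing the file from Node with `fs.writeFileSync(..., { mode: 0o600 })` avoids the shell entirely. Note also that the `[ -f ... ] ||` guard only creates a missing file; it never rewrites an existing one, so verify that the certificate update path rewrites the credentials file when `dns_provider_credentials` changes, because this startup hook will not.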

View File

@@ -1,18 +1,18 @@
{% if certificate and certificate_id > 0 -%} {% if certificate and certificate_id > 0 -%}
{% if certificate.provider == "letsencrypt" %} {% if certificate.provider == "letsencrypt" %}
# Let's Encrypt SSL # Certbot TLS
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/ssl/certbot/live/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/certbot/live/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/ssl/certbot/live/npm-{{ certificate_id }}/chain.pem; ssl_trusted_certificate /data/tls/certbot/live/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% else %} {% else %}
# Custom SSL # Custom SSL
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
ssl_certificate /data/ssl/custom/npm-{{ certificate_id }}/fullchain.pem; ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
ssl_certificate_key /data/ssl/custom/npm-{{ certificate_id }}/privkey.pem; ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
ssl_trusted_certificate /data/ssl/custom/npm-{{ certificate_id }}/chain.pem; ssl_trusted_certificate /data/tls/custom/npm-{{ certificate_id }}/chain.pem;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif %} {% endif %}
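Review bot: the first branch comment was renamed to `# Certbot TLS` but the other branch still says `# Custom SSL`; rename both or neither. The include rename to `conf.d/include/tls-ciphers.conf` must be accompanied by the actual file rename under `rootfs` (not visible in this hunk), otherwise every generated host configuration fails `nginx -t`. Note also that `ssl_trusted_certificate .../chain.pem` together with `ssl_stapling_verify on` requires `chain.pem` to exist for custom certificates, which is exactly the manual migration the README warns about.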

View File

@@ -14,13 +14,13 @@ server {
server_name _; server_name _;
include conf.d/include/force-ssl.conf; include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf; include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem; ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem; ssl_certificate_key /data/tls/dummykey.pem;
{%- if value == "404" %} {%- if value == "404" %}
location / { location / {
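Review bot: `include conf.d/include/force-ssl.conf` keeps its old name while `ssl-ciphers.conf` became `tls-ciphers.conf` on the very next line; either rename both includes or leave both, a half-renamed include directory is confusing to maintain. The dummy certificate paths move to `/data/tls/dummycert.pem` and `/data/tls/dummykey.pem`, so whatever generates those files at container start (not part of this hunk) must write to the new directory, or the default server block fails configuration validation.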

View File

@@ -55,7 +55,7 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6"> <div class="col-sm-12 col-md-12">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>> <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -64,6 +64,7 @@
</label> </label>
</div> </div>
</div> </div>
<!--
<div class="col-sm-6 col-md-6"> <div class="col-sm-6 col-md-6">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
@@ -73,6 +74,7 @@
</label> </label>
</div> </div>
</div> </div>
-->
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">
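Review bot: hiding the HSTS Subdomains switch between `<!--` and `-->` is not the same as removing it: the template engine still evaluates any `<%- ... %>` expressions inside an HTML comment, and the dead markup is still shipped to the browser, where it is visible in the page source. Delete the block instead. Since the subdomains toggle disappears from the form for all three host types in this commit, make sure the backend no longer reads `hsts_subdomains` from the request (or forces it on), which is what the new `Enable HSTS (including Subdomains and preload)` label promises.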

View File

@@ -125,7 +125,7 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6"> <div class="col-sm-12 col-md-12">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>> <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -134,6 +134,7 @@
</label> </label>
</div> </div>
</div> </div>
<!--
<div class="col-sm-6 col-md-6"> <div class="col-sm-6 col-md-6">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
@@ -143,6 +144,7 @@
</label> </label>
</div> </div>
</div> </div>
-->
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">
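Review bot: same remark as for the previous form: delete the commented-out subdomains switch rather than wrapping it in `<!-- -->`, since template tags inside an HTML comment are still evaluated and the dead markup is still served to the browser.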

View File

@@ -104,7 +104,7 @@
</label> </label>
</div> </div>
</div> </div>
<div class="col-sm-6 col-md-6"> <div class="col-sm-12 col-md-12">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>> <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
@@ -113,6 +113,7 @@
</label> </label>
</div> </div>
</div> </div>
<!--
<div class="col-sm-6 col-md-6"> <div class="col-sm-6 col-md-6">
<div class="form-group"> <div class="form-group">
<label class="custom-switch"> <label class="custom-switch">
@@ -122,6 +123,7 @@
</label> </label>
</div> </div>
</div> </div>
-->
<!-- DNS challenge --> <!-- DNS challenge -->
<div class="col-sm-12 col-md-12 letsencrypt"> <div class="col-sm-12 col-md-12 letsencrypt">
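Review bot: same remark as for the two previous forms: remove the commented-out block instead of leaving it inside `<!-- -->`, and keep the three host forms consistent with whatever the backend does with `hsts_subdomains`.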

View File

@@ -21,7 +21,7 @@
"choose-file": "Choose file", "choose-file": "Choose file",
"source": "Source", "source": "Source",
"destination": "Destination", "destination": "Destination",
"ssl": "SSL", "ssl": "TLS",
"access": "Access", "access": "Access",
"public": "Public", "public": "Public",
"edit": "Edit", "edit": "Edit",
@@ -69,16 +69,16 @@
"all-hosts": { "all-hosts": {
"empty-subtitle": "{manage, select, true{Why don't you create one?} other{And you don't have permission to create one.}}", "empty-subtitle": "{manage, select, true{Why don't you create one?} other{And you don't have permission to create one.}}",
"details": "Details", "details": "Details",
"enable-ssl": "Enable SSL", "enable-ssl": "Enable HTTPS",
"force-ssl": "Force SSL", "force-ssl": "Force HTTPS",
"http2-support": "HTTP/2 - HTTP/3-Quic", "http2-support": "HTTP/2 - HTTP/3-Quic",
"domain-names": "Domain Names", "domain-names": "Domain Names",
"cert-provider": "Certificate Provider", "cert-provider": "Certificate Provider",
"block-exploits": "Block Common Exploits", "block-exploits": "Block Common Exploits",
"caching-enabled": "Cache Assets", "caching-enabled": "Cache Assets",
"ssl-certificate": "SSL Certificate", "ssl-certificate": "TLS Certificate",
"none": "None", "none": "None",
"new-cert": "Request a new SSL Certificate", "new-cert": "Request a new TLS Certificate",
"with-le": "with Certbot", "with-le": "with Certbot",
"no-ssl": "This host will not use HTTPS", "no-ssl": "This host will not use HTTPS",
"advanced": "Advanced", "advanced": "Advanced",
@@ -86,7 +86,7 @@
"advanced-config": "Custom Nginx Configuration", "advanced-config": "Custom Nginx Configuration",
"advanced-config-var-headline": "These proxy details are available as nginx variables:", "advanced-config-var-headline": "These proxy details are available as nginx variables:",
"advanced-config-header-info": "Please note, adding a location '/' will overwrite the proxy configuration", "advanced-config-header-info": "Please note, adding a location '/' will overwrite the proxy configuration",
"hsts-enabled": "HSTS Enabled", "hsts-enabled": "Enable HSTS (including Subdomains and preload)",
"hsts-subdomains": "HSTS Subdomains", "hsts-subdomains": "HSTS Subdomains",
"locations": "Custom locations" "locations": "Custom locations"
}, },
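Review bot: the new label `Enable HSTS (including Subdomains and preload)` implies that a single switch now emits `includeSubDomains; preload` for every host that enables HSTS. That is a strong and hard-to-revert commitment: `includeSubDomains` forces HTTPS on every subdomain of the host's domain, including ones not served by this proxy, and `preload` signals eligibility for browser preload lists, from which removal takes months. Consider keeping subdomains and preload as separate opt-ins, or at least explain the consequence in the help text next to the switch; the `hsts-subdomains` key kept on the next line suggests the separate option has not been removed from the backend.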
@@ -102,7 +102,7 @@
"none": "HTTP only", "none": "HTTP only",
"letsencrypt-email": "Email Address for Certbot", "letsencrypt-email": "Email Address for Certbot",
"letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a> / ToS of custom set CA", "letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a> / ToS of custom set CA",
"delete-ssl": "The SSL certificates attached will NOT be removed, they will need to be removed manually.", "delete-ssl": "The TLS certificates attached will NOT be removed, they will need to be removed manually.",
"hosts-warning": "These domains must be already configured to point to this installation", "hosts-warning": "These domains must be already configured to point to this installation",
"no-wildcard-without-dns": "Cannot request Certificate for wildcard domains when not using DNS challenge", "no-wildcard-without-dns": "Cannot request Certificate for wildcard domains when not using DNS challenge",
"dns-challenge": "Use a DNS Challenge", "dns-challenge": "Use a DNS Challenge",
@@ -128,10 +128,10 @@
"delete": "Delete Proxy Host", "delete": "Delete Proxy Host",
"delete-confirm": "Are you sure you want to delete the Proxy host for: <strong>{domains}</strong>?", "delete-confirm": "Are you sure you want to delete the Proxy host for: <strong>{domains}</strong>?",
"help-title": "What is a Proxy Host?", "help-title": "What is a Proxy Host?",
"help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional SSL termination for your service that might not have SSL support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.", "help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional TLS termination for your service that might not have TLS support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
"access-list": "Access List", "access-list": "Access List",
"allow-websocket-upgrade": "Websockets Support", "allow-websocket-upgrade": "Websockets Support",
"ignore-invalid-upstream-ssl": "Ignore Invalid SSL", "ignore-invalid-upstream-ssl": "Ignore Invalid TLS",
"custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/", "custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/",
"search": "Search Host…" "search": "Search Host…"
}, },
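Review bot: the label on the `ignore-invalid-upstream-ssl` line still under-describes the option; "Ignore Invalid TLS" reads like a generic toggle, while the key name shows it disables certificate validation toward the upstream. Suggest "Ignore invalid upstream TLS certificate" so the user sees that enabling it removes the check that protects the proxy-to-backend hop.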
@@ -182,14 +182,14 @@
"search": "Search Incoming Port…" "search": "Search Incoming Port…"
}, },
"certificates": { "certificates": {
"title": "SSL Certificates", "title": "TLS Certificates",
"empty": "There are no SSL Certificates", "empty": "There are no TLS Certificates",
"add": "Add SSL Certificate", "add": "Add TLS Certificate",
"form-title": "Add {provider, select, letsencrypt{Certbot} other{Custom}} Certificate", "form-title": "Add {provider, select, letsencrypt{Certbot} other{Custom}} Certificate",
"delete": "Delete SSL Certificate", "delete": "Delete TLS Certificate",
"delete-confirm": "Are you sure you want to delete this SSL Certificate? Any hosts using it will need to be updated later.", "delete-confirm": "Are you sure you want to delete this TLS Certificate? Any hosts using it will need to be updated later.",
"help-title": "SSL Certificates", "help-title": "TLS Certificates",
"help-content": "SSL certificates (correctly known as TLS Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue SSL certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.", "help-content": "TLS certificates (previously known as SSL Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPM uses by default a service called Let's Encrypt to issue TLS certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPM also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
"other-certificate": "Certificate", "other-certificate": "Certificate",
"other-certificate-key": "Certificate Key", "other-certificate-key": "Certificate Key",
"other-intermediate-certificate": "Intermediate Certificate", "other-intermediate-certificate": "Intermediate Certificate",
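Review bot: the help-content line now reads "TLS certificates (previously known as SSL Certificates) are a form of encryption key", and the second half is inaccurate: a certificate binds a public key to a name and carries the CA's signature; it is not itself an encryption key, and the session keys are negotiated in the handshake. Since the string is being touched anyway, suggest "TLS certificates (previously known as SSL certificates) let browsers verify your site's identity and encrypt the connection to it".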

View File

@@ -9,8 +9,6 @@
* cloudflare: { * cloudflare: {
* display_name: "Name displayed to the user", * display_name: "Name displayed to the user",
* package_name: "Package name in PyPi repo", * package_name: "Package name in PyPi repo",
* version_requirement: "Optional package version requirements (e.g. ==1.3 or >=1.2,<2.0, see https://www.python.org/dev/peps/pep-0440/#version-specifiers)",
* dependencies: "Additional dependencies, space separated (as you would pass it to pip install)",
* credentials: `Template of the credentials file`, * credentials: `Template of the credentials file`,
* full_plugin_name: "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'", * full_plugin_name: "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'",
* }, * },
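Review bot: dropping `version_requirement` and `dependencies` from the documented plugin schema removes the only place where plugin versions were pinned (the `~=x.y.z` constraints and the `==$(certbot --version ...)` pin for official plugins in the entries below). Unless the install code now constrains versions elsewhere, `pip install <package_name>` will pull whatever is latest on PyPI at install time, which makes builds non-reproducible and widens the supply-chain exposure of a component that handles DNS API credentials; please document where the version is now pinned, or keep a lock file.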
@@ -24,17 +22,13 @@ module.exports = {
acmedns: { acmedns: {
display_name: 'ACME-DNS', display_name: 'ACME-DNS',
package_name: 'certbot-dns-acmedns', package_name: 'certbot-dns-acmedns',
version_requirement: '~=0.1.0',
dependencies: '',
credentials: `dns_acmedns_api_url = http://acmedns-server/ credentials: `dns_acmedns_api_url = http://acmedns-server/
dns_acmedns_registration_file = /data/acme-registration.json`, dns_acmedns_registration_file = /data/tls/certbot/acme-registration.json`,
full_plugin_name: 'dns-acmedns', full_plugin_name: 'dns-acmedns',
}, },
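Review bot: the `dns_acmedns_registration_file` template now points at `/data/tls/certbot/acme-registration.json`, but this only changes the text shown when creating new credentials; existing installs have the old path `/data/acme-registration.json` stored inside their saved credentials file. Either add a `mv -vn` migration for that file in the start script next to the dummycert/dummykey moves, or state in the release notes that existing ACME-DNS credentials need the path updated.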
aliyun: { aliyun: {
display_name: 'Aliyun', display_name: 'Aliyun',
package_name: 'certbot-dns-aliyun', package_name: 'certbot-dns-aliyun',
version_requirement: '~=0.38.1',
dependencies: '',
credentials: `dns_aliyun_access_key = 12345678 credentials: `dns_aliyun_access_key = 12345678
dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`, dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
full_plugin_name: 'dns-aliyun', full_plugin_name: 'dns-aliyun',
@@ -43,8 +37,6 @@ dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
azure: { azure: {
display_name: 'Azure', display_name: 'Azure',
package_name: 'certbot-dns-azure', package_name: 'certbot-dns-azure',
version_requirement: '~=1.2.0',
dependencies: '',
credentials: `# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine. credentials: `# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.
# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it. # Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.
# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required. # As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.
@@ -69,8 +61,6 @@ dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf274462
cloudflare: { cloudflare: {
display_name: 'Cloudflare', display_name: 'Cloudflare',
package_name: 'certbot-dns-cloudflare', package_name: 'certbot-dns-cloudflare',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: 'cloudflare',
credentials: `# Cloudflare API token credentials: `# Cloudflare API token
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567 dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
# OR Cloudflare API credentials # OR Cloudflare API credentials
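Review bot: removing `dependencies: 'cloudflare'` is safe only because certbot-dns-cloudflare declares the `cloudflare` package in its own install requirements, so pip still installs it transitively; worth confirming against the version actually resolved now that the `==$(certbot --version ...)` pin on the removed line is gone, since an unconstrained resolve may upgrade certbot itself as a side effect.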
@@ -82,8 +72,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
cloudns: { cloudns: {
display_name: 'ClouDNS', display_name: 'ClouDNS',
package_name: 'certbot-dns-cloudns', package_name: 'certbot-dns-cloudns',
version_requirement: '~=0.4.0',
dependencies: '',
credentials: `# Target user ID (see https://www.cloudns.net/api-settings/) credentials: `# Target user ID (see https://www.cloudns.net/api-settings/)
dns_cloudns_auth_id=1234 dns_cloudns_auth_id=1234
# Alternatively, one of the following two options can be set: # Alternatively, one of the following two options can be set:
@@ -98,8 +86,6 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
cloudxns: { cloudxns: {
display_name: 'CloudXNS', display_name: 'CloudXNS',
package_name: 'certbot-dns-cloudxns', package_name: 'certbot-dns-cloudxns',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
dns_cloudxns_secret_key = 1122334455667788`, dns_cloudxns_secret_key = 1122334455667788`,
full_plugin_name: 'dns-cloudxns', full_plugin_name: 'dns-cloudxns',
@@ -108,8 +94,6 @@ dns_cloudxns_secret_key = 1122334455667788`,
constellix: { constellix: {
display_name: 'Constellix', display_name: 'Constellix',
package_name: 'certbot-dns-constellix', package_name: 'certbot-dns-constellix',
version_requirement: '~=0.2.1',
dependencies: '',
credentials: `dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595 credentials: `dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595
dns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b dns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b
dns_constellix_endpoint = https://api.dns.constellix.com/v1`, dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
@@ -119,8 +103,6 @@ dns_constellix_endpoint = https://api.dns.constellix.com/v1`,
corenetworks: { corenetworks: {
display_name: 'Core Networks', display_name: 'Core Networks',
package_name: 'certbot-dns-corenetworks', package_name: 'certbot-dns-corenetworks',
version_requirement: '~=0.1.4',
dependencies: '',
credentials: `dns_corenetworks_username = asaHB12r credentials: `dns_corenetworks_username = asaHB12r
dns_corenetworks_password = secure_password`, dns_corenetworks_password = secure_password`,
full_plugin_name: 'dns-corenetworks', full_plugin_name: 'dns-corenetworks',
@@ -129,8 +111,6 @@ dns_corenetworks_password = secure_password`,
cpanel: { cpanel: {
display_name: 'cPanel', display_name: 'cPanel',
package_name: 'certbot-dns-cpanel', package_name: 'certbot-dns-cpanel',
version_requirement: '~=0.2.2',
dependencies: '',
credentials: `cpanel_url = https://cpanel.example.com:2083 credentials: `cpanel_url = https://cpanel.example.com:2083
cpanel_username = user cpanel_username = user
cpanel_password = hunter2`, cpanel_password = hunter2`,
@@ -140,8 +120,6 @@ cpanel_password = hunter2`,
desec: { desec: {
display_name: 'deSEC', display_name: 'deSEC',
package_name: 'certbot-dns-desec', package_name: 'certbot-dns-desec',
version_requirement: '~=0.3.0',
dependencies: '',
credentials: `dns_desec_token = YOUR_DESEC_API_TOKEN credentials: `dns_desec_token = YOUR_DESEC_API_TOKEN
dns_desec_endpoint = https://desec.io/api/v1/`, dns_desec_endpoint = https://desec.io/api/v1/`,
full_plugin_name: 'dns-desec', full_plugin_name: 'dns-desec',
@@ -150,8 +128,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
duckdns: { duckdns: {
display_name: 'DuckDNS', display_name: 'DuckDNS',
package_name: 'certbot-dns-duckdns', package_name: 'certbot-dns-duckdns',
version_requirement: '~=0.9',
dependencies: '',
credentials: 'dns_duckdns_token=your-duckdns-token', credentials: 'dns_duckdns_token=your-duckdns-token',
full_plugin_name: 'dns-duckdns', full_plugin_name: 'dns-duckdns',
}, },
@@ -159,8 +135,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
digitalocean: { digitalocean: {
display_name: 'DigitalOcean', display_name: 'DigitalOcean',
package_name: 'certbot-dns-digitalocean', package_name: 'certbot-dns-digitalocean',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff', credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff',
full_plugin_name: 'dns-digitalocean', full_plugin_name: 'dns-digitalocean',
}, },
@@ -168,8 +142,6 @@ dns_desec_endpoint = https://desec.io/api/v1/`,
directadmin: { directadmin: {
display_name: 'DirectAdmin', display_name: 'DirectAdmin',
package_name: 'certbot-dns-directadmin', package_name: 'certbot-dns-directadmin',
version_requirement: '~=0.0.23',
dependencies: '',
credentials: `directadmin_url = https://my.directadminserver.com:2222 credentials: `directadmin_url = https://my.directadminserver.com:2222
directadmin_username = username directadmin_username = username
directadmin_password = aSuperStrongPassword`, directadmin_password = aSuperStrongPassword`,
@@ -179,8 +151,6 @@ directadmin_password = aSuperStrongPassword`,
dnsimple: { dnsimple: {
display_name: 'DNSimple', display_name: 'DNSimple',
package_name: 'certbot-dns-dnsimple', package_name: 'certbot-dns-dnsimple',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw', credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw',
full_plugin_name: 'dns-dnsimple', full_plugin_name: 'dns-dnsimple',
}, },
@@ -188,8 +158,6 @@ directadmin_password = aSuperStrongPassword`,
dnsmadeeasy: { dnsmadeeasy: {
display_name: 'DNS Made Easy', display_name: 'DNS Made Easy',
package_name: 'certbot-dns-dnsmadeeasy', package_name: 'certbot-dns-dnsmadeeasy',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`, dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
full_plugin_name: 'dns-dnsmadeeasy', full_plugin_name: 'dns-dnsmadeeasy',
@@ -198,8 +166,6 @@ dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
dnspod: { dnspod: {
display_name: 'DNSPod', display_name: 'DNSPod',
package_name: 'certbot-dns-dnspod', package_name: 'certbot-dns-dnspod',
version_requirement: '~=0.1.0',
dependencies: '',
credentials: `dns_dnspod_email = "email@example.com" credentials: `dns_dnspod_email = "email@example.com"
dns_dnspod_api_token = "id,key"`, dns_dnspod_api_token = "id,key"`,
full_plugin_name: 'dns-dnspod', full_plugin_name: 'dns-dnspod',
@@ -208,8 +174,6 @@ dns_dnspod_api_token = "id,key"`,
domainoffensive: { domainoffensive: {
display_name: 'DomainOffensive (do.de)', display_name: 'DomainOffensive (do.de)',
package_name: 'certbot-dns-do', package_name: 'certbot-dns-do',
version_requirement: '~=0.31.0',
dependencies: '',
credentials: 'dns_do_api_token = YOUR_DO_DE_AUTH_TOKEN', credentials: 'dns_do_api_token = YOUR_DO_DE_AUTH_TOKEN',
full_plugin_name: 'dns-do', full_plugin_name: 'dns-do',
}, },
@@ -217,8 +181,6 @@ dns_dnspod_api_token = "id,key"`,
domeneshop: { domeneshop: {
display_name: 'Domeneshop', display_name: 'Domeneshop',
package_name: 'certbot-dns-domeneshop', package_name: 'certbot-dns-domeneshop',
version_requirement: '~=0.2.8',
dependencies: '',
credentials: `dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN credentials: `dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN
dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`, dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
full_plugin_name: 'dns-domeneshop', full_plugin_name: 'dns-domeneshop',
@@ -227,8 +189,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
dynu: { dynu: {
display_name: 'Dynu', display_name: 'Dynu',
package_name: 'certbot-dns-dynu', package_name: 'certbot-dns-dynu',
version_requirement: '~=0.0.1',
dependencies: '',
credentials: 'dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN', credentials: 'dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN',
full_plugin_name: 'dns-dynu', full_plugin_name: 'dns-dynu',
}, },
@@ -236,8 +196,6 @@ dns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET`,
eurodns: { eurodns: {
display_name: 'EuroDNS', display_name: 'EuroDNS',
package_name: 'certbot-dns-eurodns', package_name: 'certbot-dns-eurodns',
version_requirement: '~=0.0.4',
dependencies: '',
credentials: `dns_eurodns_applicationId = myuser credentials: `dns_eurodns_applicationId = myuser
dns_eurodns_apiKey = mysecretpassword dns_eurodns_apiKey = mysecretpassword
dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`, dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`,
@@ -247,8 +205,6 @@ dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`,
gandi: { gandi: {
display_name: 'Gandi Live DNS', display_name: 'Gandi Live DNS',
package_name: 'certbot_plugin_gandi', package_name: 'certbot_plugin_gandi',
version_requirement: '~=1.3.2',
dependencies: '',
credentials: `# live dns v5 api key credentials: `# live dns v5 api key
dns_gandi_api_key=APIKEY dns_gandi_api_key=APIKEY
@@ -260,8 +216,6 @@ dns_gandi_sharing_id=SHARINGID`,
godaddy: { godaddy: {
display_name: 'GoDaddy', display_name: 'GoDaddy',
package_name: 'certbot-dns-godaddy', package_name: 'certbot-dns-godaddy',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567 credentials: `dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567
dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
full_plugin_name: 'dns-godaddy', full_plugin_name: 'dns-godaddy',
@@ -270,8 +224,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
google: { google: {
display_name: 'Google', display_name: 'Google',
package_name: 'certbot-dns-google', package_name: 'certbot-dns-google',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `{ credentials: `{
"type": "service_account", "type": "service_account",
... ...
@@ -282,8 +234,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
hetzner: { hetzner: {
display_name: 'Hetzner', display_name: 'Hetzner',
package_name: 'certbot-dns-hetzner', package_name: 'certbot-dns-hetzner',
version_requirement: '~=1.0.4',
dependencies: '',
credentials: 'dns_hetzner_api_token = 0123456789abcdef0123456789abcdef', credentials: 'dns_hetzner_api_token = 0123456789abcdef0123456789abcdef',
full_plugin_name: 'dns-hetzner', full_plugin_name: 'dns-hetzner',
}, },
@@ -291,8 +241,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
infomaniak: { infomaniak: {
display_name: 'Infomaniak', display_name: 'Infomaniak',
package_name: 'certbot-dns-infomaniak', package_name: 'certbot-dns-infomaniak',
version_requirement: '~=0.1.12',
dependencies: '',
credentials: 'dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', credentials: 'dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
full_plugin_name: 'dns-infomaniak', full_plugin_name: 'dns-infomaniak',
}, },
@@ -300,8 +248,6 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`,
inwx: { inwx: {
display_name: 'INWX', display_name: 'INWX',
package_name: 'certbot-dns-inwx', package_name: 'certbot-dns-inwx',
version_requirement: '~=2.1.2',
dependencies: '',
credentials: `dns_inwx_url = https://api.domrobot.com/xmlrpc/ credentials: `dns_inwx_url = https://api.domrobot.com/xmlrpc/
dns_inwx_username = your_username dns_inwx_username = your_username
dns_inwx_password = your_password dns_inwx_password = your_password
@@ -312,8 +258,6 @@ dns_inwx_shared_secret = your_shared_secret optional`,
ionos: { ionos: {
display_name: 'IONOS', display_name: 'IONOS',
package_name: 'certbot-dns-ionos', package_name: 'certbot-dns-ionos',
version_requirement: '==2021.9.20.post1',
dependencies: '',
credentials: `dns_ionos_prefix = myapikeyprefix credentials: `dns_ionos_prefix = myapikeyprefix
dns_ionos_secret = verysecureapikeysecret dns_ionos_secret = verysecureapikeysecret
dns_ionos_endpoint = https://api.hosting.ionos.com`, dns_ionos_endpoint = https://api.hosting.ionos.com`,
@@ -323,8 +267,6 @@ dns_ionos_endpoint = https://api.hosting.ionos.com`,
ispconfig: { ispconfig: {
display_name: 'ISPConfig', display_name: 'ISPConfig',
package_name: 'certbot-dns-ispconfig', package_name: 'certbot-dns-ispconfig',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_ispconfig_username = myremoteuser credentials: `dns_ispconfig_username = myremoteuser
dns_ispconfig_password = verysecureremoteuserpassword dns_ispconfig_password = verysecureremoteuserpassword
dns_ispconfig_endpoint = https://localhost:8080`, dns_ispconfig_endpoint = https://localhost:8080`,
@@ -334,8 +276,6 @@ dns_ispconfig_endpoint = https://localhost:8080`,
isset: { isset: {
display_name: 'Isset', display_name: 'Isset',
package_name: 'certbot-dns-isset', package_name: 'certbot-dns-isset',
version_requirement: '~=0.0.3',
dependencies: '',
credentials: `dns_isset_endpoint="https://customer.isset.net/api" credentials: `dns_isset_endpoint="https://customer.isset.net/api"
dns_isset_token="<token>"`, dns_isset_token="<token>"`,
full_plugin_name: 'dns-isset', full_plugin_name: 'dns-isset',
@@ -343,8 +283,6 @@ dns_isset_token="<token>"`,
joker: { joker: {
display_name: 'Joker', display_name: 'Joker',
package_name: 'certbot-dns-joker', package_name: 'certbot-dns-joker',
version_requirement: '~=1.1.0',
dependencies: '',
credentials: `dns_joker_username = <Dynamic DNS Authentication Username> credentials: `dns_joker_username = <Dynamic DNS Authentication Username>
dns_joker_password = <Dynamic DNS Authentication Password> dns_joker_password = <Dynamic DNS Authentication Password>
dns_joker_domain = <Dynamic DNS Domain>`, dns_joker_domain = <Dynamic DNS Domain>`,
@@ -354,8 +292,6 @@ dns_joker_domain = <Dynamic DNS Domain>`,
linode: { linode: {
display_name: 'Linode', display_name: 'Linode',
package_name: 'certbot-dns-linode', package_name: 'certbot-dns-linode',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64 credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64
dns_linode_version = [<blank>|3|4]`, dns_linode_version = [<blank>|3|4]`,
full_plugin_name: 'dns-linode', full_plugin_name: 'dns-linode',
@@ -364,8 +300,6 @@ dns_linode_version = [<blank>|3|4]`,
loopia: { loopia: {
display_name: 'Loopia', display_name: 'Loopia',
package_name: 'certbot-dns-loopia', package_name: 'certbot-dns-loopia',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: `dns_loopia_user = user@loopiaapi credentials: `dns_loopia_user = user@loopiaapi
dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`, dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`,
full_plugin_name: 'dns-loopia', full_plugin_name: 'dns-loopia',
@@ -374,8 +308,6 @@ dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`,
luadns: { luadns: {
display_name: 'LuaDNS', display_name: 'LuaDNS',
package_name: 'certbot-dns-luadns', package_name: 'certbot-dns-luadns',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_luadns_email = user@example.com credentials: `dns_luadns_email = user@example.com
dns_luadns_token = 0123456789abcdef0123456789abcdef`, dns_luadns_token = 0123456789abcdef0123456789abcdef`,
full_plugin_name: 'dns-luadns', full_plugin_name: 'dns-luadns',
@@ -384,8 +316,6 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
namecheap: { namecheap: {
display_name: 'Namecheap', display_name: 'Namecheap',
package_name: 'certbot-dns-namecheap', package_name: 'certbot-dns-namecheap',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: `dns_namecheap_username = 123456 credentials: `dns_namecheap_username = 123456
dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`, dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`,
full_plugin_name: 'dns-namecheap', full_plugin_name: 'dns-namecheap',
@@ -394,8 +324,6 @@ dns_namecheap_api_key = 0123456789abcdef0123456789abcdef01234567`,
netcup: { netcup: {
display_name: 'netcup', display_name: 'netcup',
package_name: 'certbot-dns-netcup', package_name: 'certbot-dns-netcup',
version_requirement: '~=1.1.4',
dependencies: '',
credentials: `dns_netcup_customer_id = 123456 credentials: `dns_netcup_customer_id = 123456
dns_netcup_api_key = 0123456789abcdef0123456789abcdef01234567 dns_netcup_api_key = 0123456789abcdef0123456789abcdef01234567
dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
@@ -405,8 +333,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
njalla: { njalla: {
display_name: 'Njalla', display_name: 'Njalla',
package_name: 'certbot-dns-njalla', package_name: 'certbot-dns-njalla',
version_requirement: '~=1.0.0',
dependencies: '',
credentials: 'dns_njalla_token = 0123456789abcdef0123456789abcdef01234567', credentials: 'dns_njalla_token = 0123456789abcdef0123456789abcdef01234567',
full_plugin_name: 'dns-njalla', full_plugin_name: 'dns-njalla',
}, },
@@ -414,8 +340,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
nsone: { nsone: {
display_name: 'NS1', display_name: 'NS1',
package_name: 'certbot-dns-nsone', package_name: 'certbot-dns-nsone',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw', credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw',
full_plugin_name: 'dns-nsone', full_plugin_name: 'dns-nsone',
}, },
@@ -423,8 +347,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
oci: { oci: {
display_name: 'Oracle Cloud Infrastructure DNS', display_name: 'Oracle Cloud Infrastructure DNS',
package_name: 'certbot-dns-oci', package_name: 'certbot-dns-oci',
package_version: '0.3.6',
dependencies: 'oci',
credentials: `[DEFAULT] credentials: `[DEFAULT]
user = ocid1.user.oc1... user = ocid1.user.oc1...
fingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx fingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
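Review bot: the oci entry is the one plugin where the removed `dependencies` value was non-empty and where the removed version key was spelled `package_version` rather than `version_requirement`, so this entry was probably never pinned by the installer in the first place; please confirm that certbot-dns-oci declares the `oci` SDK in its own requirements, otherwise dropping `dependencies: 'oci'` leaves the plugin without the SDK it needs at runtime.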
@@ -437,8 +359,6 @@ key_file = ~/.oci/oci_api_key.pem`,
ovh: { ovh: {
display_name: 'OVH', display_name: 'OVH',
package_name: 'certbot-dns-ovh', package_name: 'certbot-dns-ovh',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `dns_ovh_endpoint = ovh-eu credentials: `dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
@@ -449,8 +369,6 @@ dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw`,
porkbun: { porkbun: {
display_name: 'Porkbun', display_name: 'Porkbun',
package_name: 'certbot-dns-porkbun', package_name: 'certbot-dns-porkbun',
version_requirement: '~=0.2',
dependencies: '',
credentials: `dns_porkbun_key=your-porkbun-api-key credentials: `dns_porkbun_key=your-porkbun-api-key
dns_porkbun_secret=your-porkbun-api-secret`, dns_porkbun_secret=your-porkbun-api-secret`,
full_plugin_name: 'dns-porkbun', full_plugin_name: 'dns-porkbun',
@@ -459,8 +377,6 @@ dns_porkbun_secret=your-porkbun-api-secret`,
powerdns: { powerdns: {
display_name: 'PowerDNS', display_name: 'PowerDNS',
package_name: 'certbot-dns-powerdns', package_name: 'certbot-dns-powerdns',
version_requirement: '~=0.2.0',
dependencies: '',
credentials: `dns_powerdns_api_url = https://api.mypowerdns.example.org credentials: `dns_powerdns_api_url = https://api.mypowerdns.example.org
dns_powerdns_api_key = AbCbASsd!@34`, dns_powerdns_api_key = AbCbASsd!@34`,
full_plugin_name: 'dns-powerdns', full_plugin_name: 'dns-powerdns',
@@ -469,8 +385,6 @@ dns_powerdns_api_key = AbCbASsd!@34`,
regru: { regru: {
display_name: 'reg.ru', display_name: 'reg.ru',
package_name: 'certbot-regru', package_name: 'certbot-regru',
version_requirement: '~=1.0.2',
dependencies: '',
credentials: `certbot_regru:dns_username=username credentials: `certbot_regru:dns_username=username
certbot_regru:dns_password=password`, certbot_regru:dns_password=password`,
full_plugin_name: 'certbot-regru:dns', full_plugin_name: 'certbot-regru:dns',
@@ -479,8 +393,6 @@ certbot_regru:dns_password=password`,
rfc2136: { rfc2136: {
display_name: 'RFC 2136', display_name: 'RFC 2136',
package_name: 'certbot-dns-rfc2136', package_name: 'certbot-dns-rfc2136',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `# Target DNS server credentials: `# Target DNS server
dns_rfc2136_server = 192.0.2.1 dns_rfc2136_server = 192.0.2.1
# Target DNS port # Target DNS port
@@ -497,8 +409,6 @@ dns_rfc2136_algorithm = HMAC-SHA512`,
route53: { route53: {
display_name: 'Route 53 (Amazon)', display_name: 'Route 53 (Amazon)',
package_name: 'certbot-dns-route53', package_name: 'certbot-dns-route53',
version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version
dependencies: '',
credentials: `[default] credentials: `[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
@@ -508,18 +418,14 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
transip: { transip: {
display_name: 'TransIP', display_name: 'TransIP',
package_name: 'certbot-dns-transip', package_name: 'certbot-dns-transip',
version_requirement: '~=0.4.3',
dependencies: '',
credentials: `dns_transip_username = my_username credentials: `dns_transip_username = my_username
dns_transip_key_file = /data/ssl/certbot/transip-rsa.key`, dns_transip_key_file = /data/tls/certbot/transip-rsa.key`,
full_plugin_name: 'dns-transip', full_plugin_name: 'dns-transip',
}, },
//####################################################// //####################################################//
tencentcloud: { tencentcloud: {
display_name: 'Tencent Cloud', display_name: 'Tencent Cloud',
package_name: 'certbot-dns-tencentcloud', package_name: 'certbot-dns-tencentcloud',
version_requirement: '~=2.0.0',
dependencies: '',
credentials: `dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID credentials: `dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID
dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`, dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
full_plugin_name: 'dns-tencentcloud', full_plugin_name: 'dns-tencentcloud',
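Review bot: `dns_transip_key_file = /data/tls/certbot/transip-rsa.key` changes the template, but users who already saved a credentials file have `/data/ssl/certbot/transip-rsa.key` in it as text; renaming the directory does not rewrite that string, so renewals for existing TransIP hosts will fail with a missing key file unless the saved credentials are rewritten or a compatibility symlink from `/data/ssl` to `/data/tls` is kept.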
@@ -528,8 +434,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
vultr: { vultr: {
display_name: 'Vultr', display_name: 'Vultr',
package_name: 'certbot-dns-vultr', package_name: 'certbot-dns-vultr',
version_requirement: '~=1.0.3',
dependencies: '',
credentials: 'dns_vultr_key = YOUR_VULTR_API_KEY', credentials: 'dns_vultr_key = YOUR_VULTR_API_KEY',
full_plugin_name: 'dns-vultr', full_plugin_name: 'dns-vultr',
}, },
@@ -537,8 +441,6 @@ dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`,
websupportsk: { websupportsk: {
display_name: 'Websupport.sk', display_name: 'Websupport.sk',
package_name: 'certbot-dns-websupportsk', package_name: 'certbot-dns-websupportsk',
version_requirement: '~=0.1.6',
dependencies: '',
credentials: `dns_websupportsk_api_key = <api_key> credentials: `dns_websupportsk_api_key = <api_key>
dns_websupportsk_secret = <secret> dns_websupportsk_secret = <secret>
dns_websupportsk_domain = example.com`, dns_websupportsk_domain = example.com`,

View File

@@ -5,32 +5,31 @@ if [ -n "$PHP_APKS" ]; then
if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP_APKS but not to an allowed value. echo "You've set PHP_APKS but not to an allowed value.
It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores. It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores.
It is set to '$PHP_APKS'." || exit 1 It is set to '$PHP_APKS'." || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
read -ra APKS_ARRAY <<< "$PHP_APKS" read -ra APKS_ARRAY <<< "$PHP_APKS" || sleep inf
for apk in "${APKS_ARRAY[@]}"; do for apk in "${APKS_ARRAY[@]}"; do
if ! echo "$apk" | grep -q "php*"; then if ! echo "$apk" | grep -q "php*"; then
echo "'$apk' is a non allowed value. echo "'$apk' is a non allowed value.
It needs to start with php. It needs to start with php.
It is set to '$apk'." || exit 1 It is set to '$apk'." || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
echo "Installing $apk via apk..." echo "Installing $apk via apk..."
if ! apk add --no-cache "$apk" &> /dev/null; then if ! apk add --no-cache "$apk" &> /dev/null; then
echo "The packet $apk was not installed!" echo "The packet $apk was not installed!" || sleep inf
fi fi
done done
fi fi
mkdir -p /tmp/acme-challenge \ mkdir -vp /data/tls/certbot/renewal \
/data/ssl/certbot \ /data/tls/custom \
/data/ssl/custom \
/data/php \ /data/php \
/data/nginx/redirection_host \ /data/nginx/redirection_host \
/data/nginx/proxy_host \ /data/nginx/proxy_host \
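Review bot: in the PHP_APKS validation, `|| sleep inf` is now attached to `echo` and `read -ra` commands that practically never fail, so those branches are dead, while the real failure paths (`sleep inf || exit 1`, and the `mkdir -vp ... || sleep inf` at the end of the hunk) hang the container instead of exiting non-zero; a restart policy or orchestrator healthcheck cannot tell a hung start.sh from a healthy one, so keep `exit 1` on fatal errors and print the reason before it. Separately, the per-package check `grep -q "php*"` matches any name containing `ph` (the `*` quantifies the preceding `p`), not names starting with `php` as the error message claims; `grep -q '^php'` is what the message describes.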
@@ -38,33 +37,46 @@ mkdir -p /tmp/acme-challenge \
/data/nginx/stream \ /data/nginx/stream \
/data/nginx/custom \ /data/nginx/custom \
/data/nginx/access \ /data/nginx/access \
/data/nginx/html || exit 1 /data/nginx/html \
/tmp/acme-challenge || sleep inf
if [ -f /data/nginx/default_host/site.conf ]; then if [ -f /data/nginx/default_host/site.conf ]; then
mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1 mv -vn /data/nginx/default_host/site.conf /data/nginx/default.conf || sleep inf
fi fi
if [ -f /data/nginx/default_www/index.html ]; then if [ -f /data/nginx/default_www/index.html ]; then
mv /data/nginx/default_www/index.html /data/nginx/html/index.html || exit 1 mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html || sleep inf
fi fi
if [ -e /data/access ]; then if [ -f /data/nginx/dummycert.pem ]; then
mv /data/access/* /data/nginx/access || exit 1 mv -vn /data/nginx/dummycert.pem /data/tls/dummycert.pem || sleep inf
fi fi
if [ -e /etc/letsencrypt/live ]; then if [ -f /data/nginx/dummykey.pem ]; then
mv /etc/letsencrypt/* /data/ssl/certbot || exit 1 mv -vn /data/nginx/dummykey.pem /data/tls/dummykey.pem || sleep inf
fi fi
if [ -e /data/letsencrypt/live ]; then if [ -n "$(ls -A /data/access 2> /dev/null)" ]; then
mv /data/letsencrypt/* /data/ssl/certbot || exit 1 mv -v /data/access/* /data/nginx/access || sleep inf
fi fi
if [ -e /data/custom_ssl/npm-* ]; then if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv /data/custom_ssl/* /data/ssl/custom || exit 1 mv -v /etc/letsencrypt/* /data/tls/certbot || sleep inf
fi fi
rm -rf /data/letsencrypt-acme-challenge \ if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
mv -v /data/letsencrypt/* /data/tls/certbot || sleep inf
fi
if [ -n "$(ls -A /data/custom_ssl 2> /dev/null)" ]; then
mv -v /data/custom_ssl/* /data/tls/custom || sleep inf
fi
if [ -n "$(ls -A /data/ssl 2> /dev/null)" ]; then
mv -v /data/ssl/* /data/tls || sleep inf
fi
rm -vrf /data/letsencrypt-acme-challenge \
/data/nginx/default_host \ /data/nginx/default_host \
/data/nginx/default_www \ /data/nginx/default_www \
/data/nginx/streams \ /data/nginx/streams \
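Review bot: the `/data/ssl` migration at the end of this hunk (`mv -v /data/ssl/* /data/tls || sleep inf`) fails on every upgrade from the previous layout: `/data/tls/certbot` is already created non-empty by `mkdir -vp /data/tls/certbot/renewal` at the top of the script, and `mv` cannot rename `/data/ssl/certbot` onto an existing non-empty directory ("Directory not empty"), so the script drops into `sleep inf` before nginx starts. Run the migration before the `mkdir`, or merge the subdirectories individually (e.g. `mv -v /data/ssl/certbot/* /data/tls/certbot`) the way `/data/custom_ssl` and `/data/letsencrypt` are handled just above.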
@@ -74,37 +86,44 @@ rm -rf /data/letsencrypt-acme-challenge \
/data/custom_ssl \ /data/custom_ssl \
/data/certbot \ /data/certbot \
/data/access \ /data/access \
/data/ssl \
/data/logs \ /data/logs \
/data/error.log \ /data/error.log \
/data/nginx/error.log || exit 1 /data/nginx/error.log || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/ssl/custom|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate_key /data/nginx/dummykey.pem;|ssl_certificate_key /data/tls/dummykey.pem;|g" {} \; || sleep inf
find /data/ssl/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/ssl/certbot|g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|ssl_certificate /data/nginx/dummycert.pem;|ssl_certificate /data/tls/dummycert.pem;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || exit 1 find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/ssl|/data/tls|g" {} \; || sleep inf
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/tls/certbot/renewal -type f -name '*.conf' -exec sed -i "s|/data/letsencrypt|/data/tls/certbot|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/assets.conf;||g" {} \; || sleep inf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \; || sleep inf
if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || sleep inf
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1 find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || sleep inf
if [ ! -f /data/tls/dummycert.pem ] || [ ! -f /data/tls/dummykey.pem ]; then
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem || sleep inf
fi fi
if [ ! -f /data/nginx/default.conf ]; then if [ ! -f /data/nginx/default.conf ]; then
cp /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || exit 1 mv -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || sleep inf
fi fi
if [ ! -f /data/ssl/certbot/config.ini ]; then if [ ! -f /data/tls/certbot/config.ini ]; then
cp /etc/ssl/certbot.ini /data/ssl/certbot/config.ini || exit 1 mv -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini || sleep inf
fi fi
touch /data/nginx/default.conf \ touch /data/nginx/default.conf \
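Review bot: switching `cp` to `mv -vn` for the two templates (`/usr/local/nginx/conf/conf.d/include/default.conf` and `/etc/tls/certbot.ini`) removes them from the container's writable layer on first start; if a user later deletes `/data/nginx/default.conf` or `/data/tls/certbot/config.ini` and restarts the same container, the source no longer exists, `mv` fails and the script hangs in `sleep inf`. `cp -vn` gives the same no-overwrite behaviour without consuming the template. The sed ordering is right (`s|/data/ssl|/data/tls|g` on `/data/nginx` runs after the `custom_ssl` and `letsencrypt` rewrites), but the two dummy-cert rewrites match the literal `ssl_certificate /data/nginx/dummycert.pem;` with a single space, so a hand-edited config with different whitespace keeps pointing at the old path after the file has been moved; `s|/data/nginx/dummycert.pem|/data/tls/dummycert.pem|g` would be whitespace-independent.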
@@ -120,45 +139,45 @@ touch /data/nginx/default.conf \
/data/nginx/custom/server_stream.conf \ /data/nginx/custom/server_stream.conf \
/data/nginx/custom/server_stream_tcp.conf \ /data/nginx/custom/server_stream_tcp.conf \
/data/nginx/custom/server_stream_udp.conf \ /data/nginx/custom/server_stream_udp.conf \
/usr/local/nginx/conf/conf.d/include/ip_ranges.conf || exit 1 /usr/local/nginx/conf/conf.d/include/ip_ranges.conf || sleep inf
for folder in $(find /etc -maxdepth 1 -type d -name php*); do cp -Trn $folder /data/php/$(echo $folder| sed "s|/etc/php||g"); done; for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do cp -vrnT /etc/php$phpv /data/php/$phpv; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|user =.*|user = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|user =.*|user = root|" /data/php/$phpv/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|group =.*|group = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|group =.*|group = root|" /data/php/$phpv/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|listen =.*|listen = /dev/$(echo $folder| sed "s|/etc/||g").sock|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done; for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|listen =.*|listen = /dev/php$phpv.sock|" /data/php/$phpv/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|include=.*|include=/data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/*.conf|g" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.conf; done; for phpv in $(ls -1 /etc | grep php | sed "s|php||g"); do sed -i "s|include=.*|include=/data/php/$phpv/php-fpm.d/*.conf|g" /data/php/$phpv/php-fpm.conf; done;
if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1 sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1 sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || sleep inf
fi fi
if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || exit 1 sed -i "s/log_not_found off;/log_not_found on;/g" /usr/local/nginx/conf/nginx.conf || sleep inf
fi fi
if ! nginx -t &> /dev/null; then if ! nginx -t &> /dev/null; then
nginx -T || exit 1 nginx -T || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || sleep inf
sleep inf || exit 1 sleep inf || exit 1
fi fi
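Review bot: the new PHP loops replace `find /etc -maxdepth 1 -type d -name php*` with `ls -1 /etc | grep php | sed "s|php||g"`, which also selects non-directory entries and any name merely containing `php`, so `cp -vrnT /etc/php$phpv` and the following `sed -i` calls can run against paths that do not exist and, having no `||` handler, fail silently; anchoring the pattern (`grep '^php'`) or keeping the `find -type d` form restores the old selection. Unrelated to the rename but in the same lines: every pool is forced to `user = root` / `group = root`, so php-fpm workers run as root; a dedicated unprivileged user would contain a compromised PHP application instead of giving it the whole container.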
@@ -174,25 +193,20 @@ done
if ! nginx -t &> /dev/null; then if ! nginx -t &> /dev/null; then
nginx -T || exit 1 nginx -T || exit 1
sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt &> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1 cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi fi
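Review bot: this later validation block now behaves differently from the startup block earlier in the file: there a failed `nginx -t` or `php-fpm -t` ends in `sleep inf`, here it ends in `exit 1`. Either is defensible, but the split should be deliberate and documented. Note that the removed `sleep inf || exit 1` lines were almost always unreachable anyway, because `nginx -T` and `php-fpm -FORt` exit non-zero on the same broken configuration that made the `-t` check fail, so `|| exit 1` already terminated the script.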

View File

@@ -14,13 +14,13 @@ server {
server_name _; server_name _;
include conf.d/include/force-ssl.conf; include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf; include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem; ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem; ssl_certificate_key /data/tls/dummykey.pem;
location / { location / {
include conf.d/include/acme-challenge.conf; include conf.d/include/acme-challenge.conf;
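Review bot: `include conf.d/include/force-ssl.conf;` keeps its old name while `ssl-ciphers.conf` becomes `tls-ciphers.conf` in the same hunk; if the rename is meant to be complete, rename both and add the matching `sed` rewrite in start.sh (as was done for `ssl-ciphers.conf`), otherwise the half-renamed include set is confusing for users maintaining custom configs. The certificate lines themselves are consistent: the dummy certificate and key move to `/data/tls`, matching the new `openssl req` output paths in start.sh.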

View File

@@ -1,7 +1,7 @@
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
ssl_dhparam /etc/ssl/dhparam; ssl_dhparam /etc/tls/dhparam;
# intermediate configuration. tweak to your needs. # intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.3 TLSv1.2; ssl_protocols TLSv1.3 TLSv1.2;
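Review bot: `ssl_dhparam /etc/tls/dhparam;` is a hard dependency on the image contents: if the dhparam file was not moved along with `/etc/tls/certbot.ini`, `nginx -t` fails on the missing file and, with the new start.sh, the container hangs in `sleep inf`; please confirm the image ships `/etc/tls/dhparam`. The protocol and session settings (`TLSv1.3 TLSv1.2`, tickets off, 1d shared cache) are unchanged by this hunk and match the Mozilla intermediate profile the comment refers to.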

View File

@@ -18,10 +18,10 @@ server {
return 444; return 444;
include conf.d/include/force-ssl.conf; include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem; ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem; ssl_certificate_key /data/tls/dummykey.pem;
} }

View File

@@ -6,9 +6,9 @@ server {
listen [::]:81 http3 default_server; listen [::]:81 http3 default_server;
server_name _; server_name _;
ssl_certificate /data/nginx/dummycert.pem; ssl_certificate /data/tls/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem; ssl_certificate_key /data/tls/dummykey.pem;
include conf.d/include/ssl-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';