dep updates/header changes/tls changes

Signed-off-by: Zoey <zoey@z0ey.de>

- dep updates
- update nginx/certbot
- improve headers
- change NPM to NPMplus in launch.sh
- when using https backend, only TLSv1 to TLSv1.3 is now allowed, with secure ciphers
This commit is contained in:
renovate[bot]
2023-10-12 01:35:04 +00:00
committed by Zoey
parent 36298f284d
commit 8987ff9c6d
14 changed files with 44 additions and 26 deletions


@@ -10,7 +10,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 19
- name: eslint


@@ -14,4 +14,4 @@ jobs:
with:
check_together: 'yes'
env:
SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153
SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154
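Review bot: Excluding SC2154 for every script checked by this job (`-e SC2154` on the SHELLCHECK_OPTS line) also hides genuine references to variables that were never assigned, which is the class of typo ShellCheck catches most reliably in entrypoint scripts. If the warning is caused by variables injected by the container environment, a per-line `# shellcheck disable=SC2154` at those references keeps the check active for the rest of the script. The jobs block this env belongs to starts outside the hunk.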


@@ -1,3 +1,3 @@
FROM caddy:2.7.4
FROM caddy:2.7.5
RUN apk add --no-cache ca-certificates tzdata
COPY Caddyfile /etc/caddy/Caddyfile


@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
yarn cache clean --all
FROM python:3.12.0-alpine3.18 as certbot
ENV PATH="/usr/local/certbot/bin:$PATH"
RUN apk add --no-cache ca-certificates build-base libffi-dev && \
python3 -m venv /usr/local/certbot && \
pip install --no-cache-dir certbot
FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
WORKDIR /src
RUN apk add --no-cache ca-certificates git build-base && \
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/certbot-docker:10 as certbot
FROM zoeyvid/nginx-quic:206
FROM zoeyvid/nginx-quic:210
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata tini \
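Review bot: The new `FROM zoeyvid/certbot-docker:10 as certbot` stage pulls a third-party image by a mutable tag, so the certbot files copied into the final image can change between builds with no change to this Dockerfile; the stage it replaces at least built from a pinned `python:3.12.0-alpine3.18` base (although its `pip install --no-cache-dir certbot` was itself unpinned). Pinning the stage by digest, `FROM zoeyvid/certbot-docker:10@sha256:<digest> as certbot`, keeps the build reproducible and makes an upstream image change visible in the diff, and the same applies to the bumped `FROM zoeyvid/nginx-quic:210`. The surrounding stages appear to follow the same tag-only convention, so if this is deliberate a short comment on these FROM lines saying the tags are updated by renovate would make that explicit. Style: `as` is lowercase here where the hadolint/BuildKit convention is `AS`. The RUN on the last line continues outside the hunk.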


@@ -2,11 +2,12 @@
# NPMplus
This project comes as a pre-built docker image that enables you to easily forward to your websites
running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot.
- [Quick Setup](#quick-setup)
<!---
- [Screenshots](https://nginxproxymanager.com/screenshots)
--->
**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>


@@ -16,7 +16,7 @@
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.0.1",
"liquidjs": "10.9.2",
"liquidjs": "10.9.3",
"lodash": "4.17.21",
"moment": "2.29.4",
"mysql": "2.18.1",
@@ -29,7 +29,7 @@
"author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
"license": "MIT",
"devDependencies": {
"eslint": "8.51.0",
"eslint": "8.52.0",
"eslint-plugin-align-assignments": "1.1.2"
}
}


@@ -1,7 +1,19 @@
{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
{% if hsts_enabled == 1 or hsts_enabled == true %}
more_clear_headers "Expect-CT";
include conf.d/include/hsts.conf;
{% endif %}
{% endif %}
{% endif %}
{% unless certificate and certificate_id > 0 -%}
{% unless ssl_forced == 1 or ssl_forced == true %}
{% unless hsts_enabled == 1 or hsts_enabled == true %}
more_clear_headers "Content-Security-Policy";
more_clear_headers "Expect-CT";
more_clear_headers "Strict-Transport-Security";
{% endunless %}
{% endunless %}
{% endunless %}
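Review bot: The three nested `unless` blocks only emit the `more_clear_headers` lines when all three conditions are false (no certificate, ssl not forced, hsts not enabled), whereas the complement of the `if` chain above is "any one of them false"; a host that has a certificate but has HSTS disabled enters none of the `unless` blocks, so a `Strict-Transport-Security` or `Content-Security-Policy` header set unconditionally by an included header file would not be cleared for it. If the intent is to clear those headers whenever the HSTS include is not emitted, compute the condition once and branch on it, as in the excerpt below. Whether a parent include actually sets those headers unconditionally is not visible in this hunk.
```liquid
{% assign hsts_active = false %}
{% if certificate and certificate_id > 0 %}{% if ssl_forced == 1 or ssl_forced == true %}{% if hsts_enabled == 1 or hsts_enabled == true %}{% assign hsts_active = true %}{% endif %}{% endif %}{% endif %}
{% if hsts_active %}
more_clear_headers "Expect-CT";
include conf.d/include/hsts.conf;
{% else %}
more_clear_headers "Content-Security-Policy";
more_clear_headers "Expect-CT";
more_clear_headers "Strict-Transport-Security";
{% endif %}
```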


@@ -10,7 +10,10 @@
listen 443 quic;
listen [::]:443 quic;
add_header Alt-Svc 'h3=":443"; ma=86400';
more_set_headers "Alt-Svc: h3=':443'; ma=86400";
{% endif %}
{% endif %}
{% unless hsts_subdomains %}
more_clear_headers "Alt-Svc";
{% endunless %}
server_name {{ domain_names | join: " " }};
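Review bot: The rewritten header value `h3=':443'` on the `more_set_headers "Alt-Svc: …"` line is not a valid Alt-Svc field: RFC 7838 defines alt-authority as a quoted-string, which is delimited by double quotes, so strictly parsing clients will ignore the advertisement and the HTTP/3 upgrade it is meant to trigger silently stops working. Keep the inner double quotes by single-quoting the nginx argument instead, `more_set_headers 'Alt-Svc: h3=":443"; ma=86400';`. The `if` blocks this sits in start outside the hunk, so whether the `unless hsts_subdomains` clear below can undo the set in the same branch cannot be checked here.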


@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
"@babel/core": "7.23.0",
"@babel/core": "7.23.2",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-preset-env": "1.7.0",


@@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
full_plugin_name: 'dns-luadns',
},
//####################################################//
/** multi: {
* display_name: 'DNS multi',
* package_name: 'certbot-dns-multi',
* credentials: `# see https://github.com/alexzorin/certbot-dns-multi`,
* full_plugin_name: 'dns-multi',
* },
**/ //####################################################//
namecheap: {
display_name: 'Namecheap',
package_name: 'certbot-dns-namecheap',
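Review bot: The `multi` entry is added as a commented-out block with no note on why it is disabled, so the next reader cannot tell whether it is an unfinished edit or a deliberate exclusion. A one-line comment above it such as `// dns-multi intentionally disabled: <reason>, see <tracking issue>` (with the real reason and link filled in) would make the state clear; alternatively drop the block until the plugin is ready, since this list is where it will be re-added anyway. The enclosing plugin object starts and ends outside the hunk.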


@@ -2,11 +2,11 @@
echo "
-------------------------------------
_ _ ____ __ __
| \ | | _ \| \/ |
| \| | |_) | |\/| |
| |\ | __/| | | |
|_| \_|_| |_| |_|
_ _ ___ __ __ _
| \ || . \| \ \ ___ | | _ _ ___
| || _/| || . \| || | |[_-[
|_\_||_| |_|_|_|| _/|_| \__|/__/
|_|
-------------------------------------
Version: $(jq -r .version /app/package.json)
Date: $(date)


@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
more_set_headers "Expect-CT: enforce; max-age=86400";
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";


@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
proxy_http_version 1.1;
proxy_hide_header Upgrade;
proxy_pass $forward_scheme://$server:$port$request_uri;
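Review bot: The new `proxy_ssl_ciphers` list still ends with `DES-CBC3-SHA` (3DES, the Sweet32 suite) and keeps the non-forward-secret RSA key-exchange suites `AES128-SHA`, `AES256-SHA`, `AES128-SHA256`, `AES256-SHA256`, `AES128-GCM-SHA256` and `AES256-GCM-SHA384`, while `proxy_ssl_protocols` still permits TLSv1 and TLSv1.1, so the "secure ciphers" claim in the commit message is only partly met. If legacy backends are the reason for the wide list, a comment on the directive saying so would help; otherwise `proxy_ssl_protocols TLSv1.2 TLSv1.3;` and a list trimmed at least of `:DES-CBC3-SHA` is the conservative choice for upstream connections. These directives only affect what is negotiated with the backend: the hunk shows no `proxy_ssl_verify` directive, and with nginx's default of `off` the backend certificate is not validated, so cipher hardening alone does not authenticate the upstream.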


@@ -7,6 +7,6 @@ ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.3 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;