dep updates/header changes/tls changes
Signed-off-by: Zoey <zoey@z0ey.de> - dep updates - update nginx/certbot - improve headers - change NPM to NPMplus in launch.sh - when using https backend, only TLSv1 to TLSv1.3 is now allowed, with secure ciphers
2
.github/workflows/js.yml
@@ -10,7 +10,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 19
|
||||
- name: eslint
|
||||
|
2
.github/workflows/shellcheck.yml
@@ -14,4 +14,4 @@ jobs:
|
||||
with:
|
||||
check_together: 'yes'
|
||||
env:
|
||||
SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153
|
||||
SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154
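Review bot: Adding `-e SC2154` to `SHELLCHECK_OPTS` silences "variable is referenced but not assigned" for every script in the repository, so a future typo in a variable name will pass CI unnoticed. If the exclusion was added for variables injected by the container environment at runtime, the narrower fix is a per-line `# shellcheck disable=SC2154` with a short reason next to those references, leaving the check active everywhere else.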
|
||||
|
@@ -1,3 +1,3 @@
|
||||
FROM caddy:2.7.4
|
||||
FROM caddy:2.7.5
|
||||
RUN apk add --no-cache ca-certificates tzdata
|
||||
COPY Caddyfile /etc/caddy/Caddyfile
|
||||
|
10
Dockerfile
@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
|
||||
yarn cache clean --all
|
||||
|
||||
|
||||
FROM python:3.12.0-alpine3.18 as certbot
|
||||
ENV PATH="/usr/local/certbot/bin:$PATH"
|
||||
RUN apk add --no-cache ca-certificates build-base libffi-dev && \
|
||||
python3 -m venv /usr/local/certbot && \
|
||||
pip install --no-cache-dir certbot
|
||||
|
||||
|
||||
FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
|
||||
WORKDIR /src
|
||||
RUN apk add --no-cache ca-certificates git build-base && \
|
||||
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
|
||||
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
|
||||
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
|
||||
|
||||
FROM zoeyvid/certbot-docker:10 as certbot
|
||||
|
||||
FROM zoeyvid/nginx-quic:206
|
||||
FROM zoeyvid/nginx-quic:210
|
||||
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
|
||||
COPY rootfs /
|
||||
RUN apk add --no-cache ca-certificates tzdata tini \
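Review bot: `FROM zoeyvid/certbot-docker:10 as certbot` replaces a certbot stage built in this Dockerfile from the official `python` image with a prebuilt third-party image referenced only by a mutable tag, and `zoeyvid/nginx-quic:210` is referenced the same way, so anyone who can push to those tags can replace the TLS and ACME stack of every NPMplus deployment. Pin both by digest, e.g. `FROM zoeyvid/certbot-docker:10@sha256:… as certbot` and `FROM zoeyvid/nginx-quic:210@sha256:…`, and refresh the digest in the same commit as each tag bump. The removed stage's `pip install --no-cache-dir certbot` was unpinned as well, so this widens a pre-existing reproducibility gap rather than creating a new one. The final `RUN apk add` instruction continues past the hunk.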
|
||||
|
@@ -2,11 +2,12 @@
|
||||
# NPMplus
|
||||
|
||||
This project comes as a pre-built docker image that enables you to easily forward to your websites
|
||||
running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
|
||||
running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot.
|
||||
|
||||
- [Quick Setup](#quick-setup)
|
||||
<!---
|
||||
- [Screenshots](https://nginxproxymanager.com/screenshots)
|
||||
|
||||
--->
|
||||
|
||||
**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
|
||||
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>
|
||||
|
@@ -16,7 +16,7 @@
|
||||
"gravatar": "1.8.2",
|
||||
"jsonwebtoken": "9.0.2",
|
||||
"knex": "3.0.1",
|
||||
"liquidjs": "10.9.2",
|
||||
"liquidjs": "10.9.3",
|
||||
"lodash": "4.17.21",
|
||||
"moment": "2.29.4",
|
||||
"mysql": "2.18.1",
|
||||
@@ -29,7 +29,7 @@
|
||||
"author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
|
||||
"license": "MIT",
|
||||
"devDependencies": {
|
||||
"eslint": "8.51.0",
|
||||
"eslint": "8.52.0",
|
||||
"eslint-plugin-align-assignments": "1.1.2"
|
||||
}
|
||||
}
|
||||
|
@@ -1,7 +1,19 @@
|
||||
{% if certificate and certificate_id > 0 -%}
|
||||
{% if ssl_forced == 1 or ssl_forced == true %}
|
||||
{% if hsts_enabled == 1 or hsts_enabled == true %}
|
||||
more_clear_headers "Expect-CT";
|
||||
include conf.d/include/hsts.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% unless certificate and certificate_id > 0 -%}
|
||||
{% unless ssl_forced == 1 or ssl_forced == true %}
|
||||
{% unless hsts_enabled == 1 or hsts_enabled == true %}
|
||||
more_clear_headers "Content-Security-Policy";
|
||||
|
||||
more_clear_headers "Expect-CT";
|
||||
more_clear_headers "Strict-Transport-Security";
|
||||
{% endunless %}
|
||||
{% endunless %}
|
||||
{% endunless %}
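Review bot: The three nested `unless` blocks only emit the `more_clear_headers` lines when none of the conditions hold (no certificate, SSL not forced, HSTS disabled), which is not the complement of the `if` chain above it — a host with a certificate and forced SSL but HSTS disabled falls through both branches and keeps whatever `Strict-Transport-Security` the backend sends. Liquid has no parentheses for mixed `and`/`or`, so the simplest fix is a flag assigned inside the innermost `if` and a single `unless` on that flag (Liquid `assign` is template-scoped, so it survives the `endif`). Note also that `more_clear_headers "Content-Security-Policy";` drops any CSP the upstream emits, not only the one NPMplus itself adds; if that is intended, a comment saying so would help. The file may continue past the hunk.
```nginx
{% assign hsts_active = false %}
# … unchanged: outer ifs on certificate and ssl_forced …
{% if hsts_enabled == 1 or hsts_enabled == true %}
{% assign hsts_active = true %}
# … unchanged: Expect-CT clear, hsts.conf include, endifs …

{% unless hsts_active %}
more_clear_headers "Content-Security-Policy";
more_clear_headers "Expect-CT";
more_clear_headers "Strict-Transport-Security";
{% endunless %}
```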
|
@@ -10,7 +10,10 @@
|
||||
listen 443 quic;
|
||||
listen [::]:443 quic;
|
||||
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
more_set_headers "Alt-Svc: h3=':443'; ma=86400";
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% unless hsts_subdomains %}
|
||||
more_clear_headers "Alt-Svc";
|
||||
{% endunless %}
|
||||
server_name {{ domain_names | join: " " }};
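Review bot: The new `more_set_headers "Alt-Svc: h3=':443'; ma=86400";` emits single quotes around the alt-authority, but RFC 7838 defines `alt-authority` as a `quoted-string`, which requires double quotes — clients will not parse `h3=':443'`, so the HTTP/3 upgrade this line exists for stops working, whereas the removed `add_header` line used nginx single quotes outside and `":443"` inside. Swap the quoting: `more_set_headers 'Alt-Svc: h3=":443"; ma=86400';`. Clearing `Alt-Svc` under `{% unless hsts_subdomains %}` also couples HTTP/3 advertisement to what reads as an HSTS setting; if `hsts_subdomains` is repurposed as the HTTP/3 toggle in this fork, a comment on that line saying so would spare the next reader the guess. The `server` block continues outside the hunk.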
|
||||
|
@@ -4,7 +4,7 @@
|
||||
"description": "A beautiful interface for creating Nginx endpoints",
|
||||
"main": "js/index.js",
|
||||
"dependencies": {
|
||||
"@babel/core": "7.23.0",
|
||||
"@babel/core": "7.23.2",
|
||||
"babel-core": "6.26.3",
|
||||
"babel-loader": "8.3.0",
|
||||
"babel-preset-env": "1.7.0",
|
||||
|
@@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
|
||||
full_plugin_name: 'dns-luadns',
|
||||
},
|
||||
//####################################################//
|
||||
/** multi: {
|
||||
* display_name: 'DNS multi',
|
||||
* package_name: 'certbot-dns-multi',
|
||||
* credentials: `# see https://github.com/alexzorin/certbot-dns-multi`,
|
||||
* full_plugin_name: 'dns-multi',
|
||||
* },
|
||||
**/ //####################################################//
|
||||
namecheap: {
|
||||
display_name: 'Namecheap',
|
||||
package_name: 'certbot-dns-namecheap',
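Review bot: The `multi` entry is kept as a commented-out block with no explanation, leaving dead configuration in the plugin table that readers cannot tell whether to restore. If the plugin was dropped because it is not available in the certbot image the build now uses, say so in a one-line comment such as `// dns-multi disabled: not shipped in the current certbot image` (plus a tracking-issue link if one exists), or delete the block since git history keeps it. The enclosing object literal starts and ends outside the hunk.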
|
||||
|
@@ -2,11 +2,11 @@
|
||||
|
||||
echo "
|
||||
-------------------------------------
|
||||
_ _ ____ __ __
|
||||
| \ | | _ \| \/ |
|
||||
| \| | |_) | |\/| |
|
||||
| |\ | __/| | | |
|
||||
|_| \_|_| |_| |_|
|
||||
_ _ ___ __ __ _
|
||||
| \ || . \| \ \ ___ | | _ _ ___
|
||||
| || _/| || . \| || | |[_-[
|
||||
|_\_||_| |_|_|_|| _/|_| \__|/__/
|
||||
|_|
|
||||
-------------------------------------
|
||||
Version: $(jq -r .version /app/package.json)
|
||||
Date: $(date)
|
||||
|
@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
|
||||
more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
|
||||
|
||||
more_set_headers "Expect-CT: enforce; max-age=86400";
|
||||
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
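Review bot: Dropping the deprecated `Expect-CT` header is right, but the remaining `Strict-Transport-Security` line hard-codes `includeSubDomains; preload` for every host that enables HSTS. `preload` signals consent to be added to the browser preload list, which once submitted is effectively irreversible for the whole domain tree, and `includeSubDomains` breaks any plain-HTTP sibling hosts, so both should be opt-in rather than the default. Consider `more_set_headers "Strict-Transport-Security: max-age=31536000";` here and adding the two directives from a per-host setting (the `hsts_subdomains` flag the templates already carry looks like the natural place), unless that gating already happens elsewhere.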
|
@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
|
||||
proxy_http_version 1.1;
|
||||
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_hide_header Upgrade;
|
||||
proxy_pass $forward_scheme://$server:$port$request_uri;
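Review bot: The new `proxy_ssl_ciphers` list is not the "secure ciphers" the commit message describes: it ends with `DES-CBC3-SHA` (3DES, Sweet32) and carries static-RSA `AES*-SHA*` suites with no forward secrecy, and `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` still admits the two versions deprecated by RFC 8996. Unless legacy backends are a hard requirement, use `proxy_ssl_protocols TLSv1.2 TLSv1.3;` and the same ECDHE/DHE AEAD list as the listening side's `ssl_ciphers`, dropping the CBC and non-PFS entries. Nothing in this hunk verifies the upstream certificate (`proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate`), so cipher strength alone does not stop an on-path attacker between NPMplus and the backend; if verification is configured elsewhere, a comment pointing to it would help.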
|
||||
|
@@ -7,6 +7,6 @@ ssl_session_tickets off;
|
||||
ssl_dhparam /etc/tls/dhparam;
|
||||
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|