diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index 934c4b0d..40b22a05 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -10,7 +10,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
node-version: 19
- name: eslint
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 7b4f7d29..a0d27fc4 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -14,4 +14,4 @@ jobs:
with:
check_together: 'yes'
env:
- SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153
+ SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154
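Review bot: Adding `-e SC2154` to `SHELLCHECK_OPTS` silences "variable is referenced but not assigned" for every script in the repository, which is the check that catches a misspelled environment-variable name before it expands to an empty string inside a command. If the warning comes from a handful of variables that genuinely arrive from the container environment, prefer a targeted `# shellcheck disable=SC2154` on those lines, or make the dependency explicit with `: "${VAR:?}"`, rather than a global exclusion. The scripts that triggered the warning are not visible here, so this is a recommendation on the scope of the suppression rather than on a specific finding.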
diff --git a/Caddy.Dockerfile b/Caddy.Dockerfile
index 6ec69ea2..0eb3c9e2 100644
--- a/Caddy.Dockerfile
+++ b/Caddy.Dockerfile
@@ -1,3 +1,3 @@
-FROM caddy:2.7.4
+FROM caddy:2.7.5
RUN apk add --no-cache ca-certificates tzdata
COPY Caddyfile /etc/caddy/Caddyfile
diff --git a/Dockerfile b/Dockerfile
index 69f68082..c8cf869d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
yarn cache clean --all
-FROM python:3.12.0-alpine3.18 as certbot
-ENV PATH="/usr/local/certbot/bin:$PATH"
-RUN apk add --no-cache ca-certificates build-base libffi-dev && \
- python3 -m venv /usr/local/certbot && \
- pip install --no-cache-dir certbot
-
-
FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
WORKDIR /src
RUN apk add --no-cache ca-certificates git build-base && \
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
+FROM zoeyvid/certbot-docker:10 as certbot
-FROM zoeyvid/nginx-quic:206
+FROM zoeyvid/nginx-quic:210
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata tini \
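Review bot: `FROM zoeyvid/certbot-docker:10 as certbot` replaces a certbot built in this Dockerfile from the official `python` image (removed in the previous hunk) with a prebuilt image referenced by a mutable tag, so what ends up in the final image now depends on whatever that tag points to at build time; the same applies to `zoeyvid/nginx-quic:210`. Pin both by digest, e.g. `FROM zoeyvid/certbot-docker:10@sha256:<digest> as certbot`, and refresh the digest in the same commit as the tag bump, so the build is reproducible and a retagged upstream cannot silently swap the certbot binary that handles ACME account keys and certificates. If these images are published by the same maintainers as this repository the trust argument is weaker, but the reproducibility one still holds. The `RUN` on the last line continues outside the hunk.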
diff --git a/README.md b/README.md
index 4d5e2c6b..79f95fc0 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,12 @@
# NPMplus
This project comes as a pre-built docker image that enables you to easily forward to your websites
-running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
+running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot.
- [Quick Setup](#quick-setup)
+
**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.**
diff --git a/backend/package.json b/backend/package.json
index d029cb99..d11e690c 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -16,7 +16,7 @@
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.0.1",
- "liquidjs": "10.9.2",
+ "liquidjs": "10.9.3",
"lodash": "4.17.21",
"moment": "2.29.4",
"mysql": "2.18.1",
@@ -29,7 +29,7 @@
"author": "Jamie Curnow and ZoeyVid ",
"license": "MIT",
"devDependencies": {
- "eslint": "8.51.0",
+ "eslint": "8.52.0",
"eslint-plugin-align-assignments": "1.1.2"
}
}
diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 82664d0f..a794e638 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -1,7 +1,19 @@
{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
{% if hsts_enabled == 1 or hsts_enabled == true %}
+ more_clear_headers "Expect-CT";
include conf.d/include/hsts.conf;
{% endif %}
{% endif %}
{% endif %}
+
+{% unless certificate and certificate_id > 0 -%}
+{% unless ssl_forced == 1 or ssl_forced == true %}
+{% unless hsts_enabled == 1 or hsts_enabled == true %}
+ more_clear_headers "Content-Security-Policy";
+
+ more_clear_headers "Expect-CT";
+ more_clear_headers "Strict-Transport-Security";
+{% endunless %}
+{% endunless %}
+{% endunless %}
\ No newline at end of file
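Review bot: The new `unless` block is not the complement of the `if` block above it: nesting three `unless` tags clears the headers only when the host has no certificate AND `ssl_forced` is off AND `hsts_enabled` is off, so a host that has a certificate but has HSTS disabled takes neither branch and an upstream `Strict-Transport-Security` header passes through unchanged. If the intent is to strip upstream HSTS whenever the UI toggle is off, a single `{% unless hsts_enabled == 1 or hsts_enabled == true %}` (or an `{% else %}` on the innermost `if`) expresses that directly. Separately, `more_clear_headers "Content-Security-Policy";` in this branch removes any CSP the backend application sets for plain-HTTP hosts, which weakens those hosts rather than hardening them; unless there is a reason to override the backend's policy, leave CSP alone here. The intent of the block is not stated, so a one-line Liquid comment above it naming what it is meant to strip and why would help the next reader.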
diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 2b5973e5..50b1f1f3 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -10,7 +10,10 @@
listen 443 quic;
listen [::]:443 quic;
- add_header Alt-Svc 'h3=":443"; ma=86400';
+ more_set_headers "Alt-Svc: h3=':443'; ma=86400";
{% endif %}
{% endif %}
+{% unless hsts_subdomains %}
+ more_clear_headers "Alt-Svc";
+{% endunless %}
server_name {{ domain_names | join: " " }};
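Review bot: The rewritten header `more_set_headers "Alt-Svc: h3=':443'; ma=86400";` changes the quoting of the alt-authority from double to single quotes, but RFC 7838 defines alt-authority as a quoted-string, which uses double quotes, so `h3=':443'` is not a conformant Alt-Svc value and clients may ignore it. Use nginx single quotes on the outside so the header keeps its double quotes: `more_set_headers 'Alt-Svc: h3=":443"; ma=86400';`. The `{% unless hsts_subdomains %}` guard that follows clears the header again based on an HSTS flag rather than an HTTP/3 setting; if this fork repurposes that toggle for HTTP/3 a comment saying so would save the next reader a detour, otherwise the variable looks wrong. The enclosing `if` tags open before this hunk.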
diff --git a/frontend/package.json b/frontend/package.json
index 6ea27b00..94ea1c69 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
- "@babel/core": "7.23.0",
+ "@babel/core": "7.23.2",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-preset-env": "1.7.0",
diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js
index d94c3a5a..37c8f88d 100644
--- a/global/certbot-dns-plugins.js
+++ b/global/certbot-dns-plugins.js
@@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
full_plugin_name: 'dns-luadns',
},
//####################################################//
+/** multi: {
+* display_name: 'DNS multi',
+* package_name: 'certbot-dns-multi',
+* credentials: `# see https://github.com/alexzorin/certbot-dns-multi`,
+* full_plugin_name: 'dns-multi',
+* },
+**/ //####################################################//
namecheap: {
display_name: 'Namecheap',
package_name: 'certbot-dns-namecheap',
diff --git a/rootfs/bin/launch.sh b/rootfs/bin/launch.sh
index 48e1c019..0be3e4bb 100755
--- a/rootfs/bin/launch.sh
+++ b/rootfs/bin/launch.sh
@@ -2,11 +2,11 @@
echo "
-------------------------------------
- _ _ ____ __ __
-| \ | | _ \| \/ |
-| \| | |_) | |\/| |
-| |\ | __/| | | |
-|_| \_|_| |_| |_|
+ _ _ ___ __ __ _
+| \ || . \| \ \ ___ | | _ _ ___
+| || _/| || . \| || | |[_-[
+|_\_||_| |_|_|_|| _/|_| \__|/__/
+ |_|
-------------------------------------
Version: $(jq -r .version /app/package.json)
Date: $(date)
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
index 58f094bf..11de7076 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
-more_set_headers "Expect-CT: enforce; max-age=86400";
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
\ No newline at end of file
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
index b6bacc6b..5ddb173e 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
-proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
-proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+proxy_http_version 1.1;
+proxy_hide_header Upgrade;
proxy_pass $forward_scheme://$server:$port$request_uri;
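Review bot: `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` drops SSLv2/SSLv3 but still offers TLS 1.0 and 1.1 to upstreams, both deprecated by RFC 8996, and the new `proxy_ssl_ciphers` list ends in `DES-CBC3-SHA` and includes static-RSA and CBC suites that exist only to serve those old versions. Unless a known backend requires them, `proxy_ssl_protocols TLSv1.2 TLSv1.3;` with the same ECDHE/DHE AEAD cipher list this commit keeps in tls-ciphers.conf is sufficient; if legacy backends are the reason, a comment naming that constraint belongs next to the directive. Note also that nothing in this hunk enables `proxy_ssl_verify`, so the upstream certificate is not authenticated and the cipher choice offers no protection against an on-path attacker between nginx and the backend; that may be configured per host elsewhere, which is not visible here.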
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
index 42031f82..c467f4cd 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -7,6 +7,6 @@ ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;
# intermediate configuration. tweak to your needs.
-ssl_protocols TLSv1.3 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;