Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey
2022-12-19 08:27:13 +01:00
parent 19a304d9ce
commit 920bce627a
38 changed files with 511 additions and 279 deletions


@@ -33,5 +33,5 @@ jobs:
- name: Show Nginx version
run: |
docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V
docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -V
docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"


@@ -1,32 +1,60 @@
name: Build Docker Image
on:
workflow_run:
workflows: ["Build frontend"]
types:
- completed
push:
branches:
- develop
paths:
- .github/workflows/docker.yml
- Dockerfile
- frontend/**
- backend/**
- global/**
- rootfs/**
pull_request:
paths:
- .github/workflows/docker.yml
- Dockerfile
- frontend/**
- backend/**
- global/**
- rootfs/**
workflow_dispatch:
jobs:
backend-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 18
- name: Test Backend
run: |
sudo npm install --global cross-env
sudo pip install certbot
sudo mkdir -p /usr/local/nginx/conf/conf.d/include /tmp/letsencrypt-acme-challenge
sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
sudo cp rootfs/usr/local/nginx/conf/letsencrypt.ini /usr/local/nginx/conf/letsencrypt.ini
mv global backend
cd backend
npm install --force
sudo nginx
cross-env NODE_ENV=production sudo -E timeout 30 node --abort_on_uncaught_exception --max_old_space_size=250 index.js || if [ "$?" == "124" ]; then exit 0; else exit 1; fi
- name: Kill workflow
if: failure()
run: |
curl -X POST https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel --header "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Load frontend from cache
uses: actions/cache/restore@v3
with:
path: frontend/dist
key: frontend
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
@@ -40,7 +68,6 @@ jobs:
driver-opts: env.BUILDKIT_STEP_LOG_MAX_SIZE=-1
- name: Login to DockerHub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
@@ -52,44 +79,9 @@ jobs:
registry: ghcr.io
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ github.token }}
- name: Read .version file
id: version
run: echo "version=$(cat .version)" >> $GITHUB_OUTPUT
- name: Set versions
run: |
sed -i 's/"0.0.0"/"${{ steps.version.outputs.version }}"/g' frontend/package.json
cat frontend/package.json | grep "${{ steps.version.outputs.version }}"
sed -i 's/"0.0.0"/"${{ steps.version.outputs.version }}"/g' backend/package.json
cat backend/package.json | grep "${{ steps.version.outputs.version }}"
- uses: actions/setup-node@v3
with:
node-version: 18
- name: Prepair frontend
run: |
export NODE_OPTIONS=--openssl-legacy-provider
npm install --global yarn
cd frontend
yarn install
yarn build
- name: Test Backend
run: |
export NODE_OPTIONS=--openssl-legacy-provider
export DB_SQLITE_FILE=/home/runner/work/${{ github.event.repository.name }}/${{ github.event.repository.name }}/backend-test/dev.sqlite
export NODE_ENV=dev
mv global backend
cp -r backend backend-test
cd backend-test
npm install --force
timeout 10 node --abort_on_uncaught_exception --max_old_space_size=250 index.js || if [ "$?" == "124" ]; then exit 0; else exit 1; fi
- name: Build
uses: docker/build-push-action@v3
if: ${{ github.event_name != 'pull_request' }}
with:
context: .
file: ./Dockerfile
@@ -100,33 +92,6 @@ jobs:
${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }}
- name: show version
if: ${{ github.ref == 'refs/heads/develop' }}
run: |
docker run --rm --entrypoint nginx ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V
docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V
- name: Set PR-Number (PR)
if: ${{ github.event_name == 'pull_request' }}
id: pr
run: echo "pr=$(echo pr-${{ github.ref_name }} | sed "s/refs\/pull\/://g" | sed "s/\/merge//g")" >> $GITHUB_OUTPUT
- name: Build (PR)
uses: docker/build-push-action@v3
if: ${{ github.event_name == 'pull_request' }}
with:
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
push: ${{ github.event_name == 'pull_request' }}
tags: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}
- name: show version (PR)
if: ${{ github.event_name == 'pull_request' }}
run: docker run --rm --entrypoint nginx ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -V
- name: add comment (PR)
uses: mshick/add-pr-comment@v2
if: ${{ github.event_name == 'pull_request' }}
with:
message: "The Docker Image can now be found here: `ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}`"
repo-token: ${{ github.token }}
docker run --rm --entrypoint sh ${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ github.ref_name }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
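Review bot: The new `workflow_run:` trigger at the top of the first hunk is not paired with a conclusion guard on the `build` job, so a failed "Build frontend" run still starts this workflow and the "Load frontend from cache" step (`actions/cache/restore@v3` with the constant key `frontend`) silently restores whatever dist the last successful run saved, or nothing at all. Gate the job with `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}` and make a miss fatal (`fail-on-cache-miss: true`, where the pinned action version supports it) so an image is never built from a stale or empty frontend. With PR builds moved to pull-request.yaml, the `pull_request:` trigger kept here appears to only rerun `backend-test` a second time; if that is not intended, drop it. The `build` job continues outside the hunks shown.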

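--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -0,0 +1,38 @@
+name: Build frontend
+on:
+push:
+branches:
+- develop
+paths:
+- .github/workflows/frontend.yml
+- frontend/**
+- global/**
+workflow_dispatch:
+jobs:
+build:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+with:
+node-version: 18
+- name: Prepair frontend
+run: |
+curl https://api.github.com/repos/${{ github.repository }}/actions/caches?key=frontend -X DELETE --header "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"
+export NODE_OPTIONS=--openssl-legacy-provider
+npm install --global yarn
+cd frontend
+sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json
+yarn --no-lockfile install
+yarn --no-lockfile build
+- name: Cache frontend
+uses: actions/cache/save@v3
+with:
+path: frontend/dist
+key: frontend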
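Review bot: The cache-delete `curl` that opens the "Prepair frontend" step has no `--fail` and an unquoted URL, so a 403/404 from the API (for example when the token lacks `actions: write`) is swallowed and the build silently continues against the old cache; write it as `curl --fail -X DELETE "https://api.github.com/repos/${{ github.repository }}/actions/caches?key=frontend" --header "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"`. The workflow declares no `permissions:` block, so `GITHUB_TOKEN` carries the repository default; a top-level `permissions:` with `actions: write` and `contents: read` documents what the delete needs and keeps every other scope read-only. The step's `sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json` also drops the quotes the removed docker.yml step used around the placeholder, so it now rewrites any `0.0.0` in the file rather than only the version field.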

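--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -0,0 +1,99 @@
+name: Build PR
+on:
+pull_request:
+paths:
+- .github/workflows/pull-request
+- Dockerfile
+- frontend/**
+- backend/**
+- global/**
+- rootfs/**
+jobs:
+backend-test:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+with:
+node-version: 18
+- name: Test Backend
+run: |
+sudo npm install --global cross-env
+sudo pip install certbot
+sudo mkdir -p /usr/local/nginx/conf/conf.d/include /tmp/letsencrypt-acme-challenge
+sudo touch /usr/local/nginx/conf/conf.d/include/ip_ranges.conf
+sudo cp rootfs/usr/local/nginx/conf/letsencrypt.ini /usr/local/nginx/conf/letsencrypt.ini
+mv global backend
+cd backend
+npm install --force
+sudo nginx
+cross-env NODE_ENV=production sudo -E timeout 30 node --abort_on_uncaught_exception --max_old_space_size=250 index.js || if [ "$?" == "124" ]; then exit 0; else exit 1; fi
+- name: Kill workflow
+if: failure()
+run: |
+curl -X POST https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel --header "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"
+build:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+with:
+node-version: 18
+- name: Prepair frontend
+run: |
+export NODE_OPTIONS=--openssl-legacy-provider
+npm install --global yarn
+cd frontend
+sed -i "s/0.0.0/$(cat ../global/.version)/g" package.json
+yarn --no-lockfile install
+yarn --no-lockfile build
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v2
+with:
+platforms: arm64 #all
+- name: Set up Docker Buildx
+id: buildx
+uses: docker/setup-buildx-action@v2
+with:
+driver-opts: env.BUILDKIT_STEP_LOG_MAX_SIZE=-1
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ secrets.DOCKER_USERNAME }}
+password: ${{ github.token }}
+- name: Set PR-Number
+id: pr
+run: echo "pr=$(echo pr-${{ github.ref_name }} | sed "s/refs\/pull\/://g" | sed "s/\/merge//g")" >> $GITHUB_OUTPUT
+- name: Build
+uses: docker/build-push-action@v3
+with:
+context: .
+file: ./Dockerfile
+platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
+push: ${{ github.event_name == 'pull_request' }}
+tags: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}
+- name: show version
+run: docker run --rm --entrypoint sh ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -c "nginx -V && php81 -v && php82 -v && php-fpm81 -v && php-fpm82 -v"
+- name: add comment
+uses: mshick/add-pr-comment@v2
+with:
+message: "The Docker Image can now be found here: `ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}`"
+repo-token: ${{ github.token }}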
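Review bot: The trigger filter `- .github/workflows/pull-request` in `paths:` does not match this file's own name (`.github/workflows/pull-request.yaml` per the section header), so edits to the workflow itself will not run it; the entry should read `- .github/workflows/pull-request.yaml`. `push: ${{ github.event_name == 'pull_request' }}` is always true in a workflow whose only trigger is `pull_request:` and can simply be `push: true`. Because the job logs in to ghcr.io and comments on the PR with `github.token`, a top-level `permissions:` limited to `contents: read`, `packages: write` and `pull-requests: write` would make the scopes the token actually needs explicit instead of inheriting the repository default. `mshick/add-pr-comment@v2` is a third-party action referenced by a mutable tag and it receives that token; pinning it to a full commit SHA removes the dependence on the upstream tag staying where it is.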


@@ -1,15 +1,21 @@
FROM zoeyvid/nginx-quic:20
FROM zoeyvid/nginx-quic:29
COPY rootfs /
COPY backend /app
COPY global /app/global
COPY frontend/dist /app/frontend
WORKDIR /app
RUN apk upgrade --no-cache && \
apk add --no-cache ca-certificates wget tzdata \
RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing | tee -a /etc/apk/repositories && \
apk upgrade --no-cache && \
apk add --no-cache ca-certificates wget tzdata bash coreutils \
python3 \
nodejs-current npm \
openssl apache2-utils jq \
gcc g++ libffi-dev python3-dev && \
openssl apache2-utils jq fcgi \
gcc g++ libffi-dev python3-dev \
php7 php7-fpm php8 php8-fpm php81 php81-fpm php82 php82-fpm && \
# Install cross-env
npm install --global cross-env && \
# Install pip
wget https://bootstrap.pypa.io/get-pip.py -O - | python3 && \
@@ -19,6 +25,7 @@ RUN apk upgrade --no-cache && \
chmod +x /usr/local/bin/check-health && \
# Build Backend
sed -i "s/0.0.0/$(cat global/.version)/g" package.json && \
npm install --force && \
pip install --no-cache-dir certbot && \
apk del --no-cache gcc g++ libffi-dev python3-dev npm
@@ -26,5 +33,5 @@ RUN apk upgrade --no-cache && \
ENV NODE_ENV=production \
DB_SQLITE_FILE=/data/database.sqlite
ENTRYPOINT ["start"]
ENTRYPOINT ["bash", "start"]
HEALTHCHECK CMD check-health
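Review bot: `RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing | tee -a /etc/apk/repositories` permanently enables the edge/testing repository inside the image, so every later `apk add` (including the runtime installs the start script performs for `PHP_APKS`) may resolve to untested edge builds mixed with the stable base; if only a few packages need it, install those with `apk add --no-cache -X https://dl-cdn.alpinelinux.org/alpine/edge/testing <pkg>` and leave the repository list untouched. The `php7 php7-fpm` pair presumably resolves to PHP 7.4, which reached the end of its security support in November 2022; if so, shipping it by default (and hard-requiring its socket in the health check) widens the exposed surface for no gain. `ENTRYPOINT ["bash", "start"]` works around the start script keeping a `#!/bin/sh` shebang while using bash-only `read -ra` and `<<<`; changing that shebang to `#!/bin/bash` keeps the two in agreement and makes the script behave the same when run directly. The `RUN` instruction of the first hunk continues outside the hunk.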


@@ -53,28 +53,45 @@ so that the barrier for entry here is low.
- Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers), enabled by default if you enable hsts
- Access Log disabled
- Error Log written to console
- PHP included, you can add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?name=php*
## Soon
- more
- I will try to create a pr to contribute to the original project
## Hosting your home network
# Use as webserver
I won't go in to too much detail here but here are the basics for someone new to this self-hosted world.
1. Create a new Proxy Host
2. Set `Scheme` to `http`, `Forward Hostname / IP` to `0.0.0.0`, `Forward Port` to `1` and enable `Websockets Support` (you can also use other values, since these get fully ignored)
3. Maybe set an Access List
4. Make your SSL Settings
5.
a) Custom Nginx Configuration (advanced tab), which looks the following for plain html, the slash at the end of the file path is important:
```
location / {
alias /var/www/<your-html-site-folder-name>/;
}
```
b) Custom Nginx Configuration (advanced tab), which looks the following for plain html & php, the slash at the end of the file path is important:
```
location / {
alias /var/www/<your-php-site-folder-name>/;
1. Your home router will have a Port Forwarding section somewhere. Log in and find it
2. Add port forwarding for port 80 and 443 to the server hosting this project
3. Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or [Amazon Route53](https://github.com/jc21/route53-ddns)
4. Use the Nginx Proxy Manager as your gateway to forward to your other web based services
location ~ [^/]\.php(/|$) {
fastcgi_pass php82;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {return 404;}
}}
```
## Quick Setup
# Quick Setup
1. Install Docker and Docker Compose
1. Install Docker and Docker Compose (or portainer)
- [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
2. Create a compose.yaml file similar to this:
2. Create a compose.yaml file similar to this (or use it as a portainer stack):
```yml
version: "3"
@@ -92,9 +109,10 @@ services:
- "TZ=Europe/Berlin"
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost
# - "PHP_APKS=php7-curl php8-curl php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?name=php*
```
3. Bring up your stack by running
3. Bring up your stack by running (or deploy your portainer stack)
```bash
docker compose up -d
```
@@ -103,6 +121,8 @@ docker compose up -d
When your docker container is running, connect to it on port `81` for the admin interface.
Sometimes this can take a little bit because of the entropy of keys.
You may need to open port 81 in your firewall.
You may need to use another IP-Adress.
[https://127.0.0.1:81](https://127.0.0.1:81)

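--- a/backend/config/.gitignore
+++ b/backend/config/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore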


@@ -1,2 +0,0 @@
These files are use in development and are not deployed as part of the final product.


@@ -1,10 +0,0 @@
{
"database": {
"engine": "mysql",
"host": "db",
"name": "npm",
"user": "npm",
"password": "npm",
"port": 3306
}
}


@@ -1,26 +0,0 @@
{
"database": {
"engine": "knex-native",
"knex": {
"client": "sqlite3",
"connection": {
"filename": "/app/config/mydb.sqlite"
},
"pool": {
"min": 0,
"max": 1,
"createTimeoutMillis": 3000,
"acquireTimeoutMillis": 30000,
"idleTimeoutMillis": 30000,
"reapIntervalMillis": 1000,
"createRetryIntervalMillis": 100,
"propagateCreateError": false
},
"migrations": {
"tableName": "migrations",
"stub": "src/backend/lib/migrate_template.js",
"directory": "src/backend/migrations"
}
}
}
}


@@ -36,7 +36,7 @@ const internalSetting = {
if (row.id === 'default-site') {
// write the html if we need to
if (row.value === 'html') {
fs.writeFileSync('/data/nginx/default_www/index.html', row.meta.html, {encoding: 'utf8'});
fs.writeFileSync('/data/nginx/html/index.html', row.meta.html, {encoding: 'utf8'});
}
// Configure nginx


@@ -95,7 +95,7 @@ class AccessList extends Model {
}
get passauth() {
return this.pass_auth ? 'proxy_set_header Authorization "";' : '';
return this.pass_auth ? '' : 'proxy_set_header Authorization "";';
}
}
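Review bot: The inverted getter now emits `proxy_set_header Authorization "";` (strip the header) only when `pass_auth` is false, so a checked box forwards the client's credentials to the upstream; but the i18n hunk of this same commit relabels that box `"pass-auth": "Don't pass credentials to backend of host"`, which tells the user a checked box suppresses them. Unless the checkbox value is negated somewhere outside this diff, one of the two is wrong; keeping the upstream wording "Pass credentials to backend of host" would match the getter as written. Stripping the header unless the user explicitly opts in is the safer default, so the getter's new direction is the one worth keeping. The enclosing `AccessList` class continues outside the hunk.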


@@ -15,7 +15,7 @@
"express": "4.18.2",
"express-fileupload": "1.4.0",
"gravatar": "1.8.2",
"jsonwebtoken": "8.5.1",
"jsonwebtoken": "9.0.0",
"knex": "2.3.0",
"liquidjs": "9.43.0",
"lodash": "4.17.21",


@@ -1,4 +0,0 @@
{% if block_exploits == 1 or block_exploits == true %}
# Block Exploits
include conf.d/include/block-exploits.conf;
{% endif %}


@@ -6,27 +6,12 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
{% if access_list_id > 0 %}
{% if access_list.items.length > 0 %}
# Authorization
auth_basic "Authorization required";
auth_basic_user_file /data/access/{{ access_list_id }};
{{ access_list.passauth }}
{% endif %}
# Access Rules
{% for client in access_list.clients %}
{{- client.rule -}};
{% endfor %}deny all;
# Access checks must...
{% if access_list.satisfy %}
{{ access_list.satisfy }};
{% endif %}
{% endif %}
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}


@@ -9,10 +9,10 @@ server {
{{ advanced_config }}
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
{% if use_default_location %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
return 404;
alias /html/404/;
}
{% endif %}
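Review bot: Replacing `return 404;` with `alias /html/404/;` inside `location /` serves the new 404 page with an HTTP 200 status, since nginx serves a directory index normally, so monitors, crawlers and anything checking a dead host now see a live site where it used to answer 404; the same swap appears in the `value == "404"` branch of default.conf later in this commit. Keep the status and attach the page as the error document instead, exposing the stylesheet the page links (`/bootstrap.min.css`) through its own location so it still loads. I have not run this against this nginx build, so confirm the status with a quick `curl -I` before merging.
```nginx
location / {
    include conf.d/include/letsencrypt-acme-challenge.conf;
    root /html/404;
    error_page 404 /index.html;
    return 404;
}
location = /index.html {
    root /html/404;
    internal;
}
location = /bootstrap.min.css {
    root /html/404;
}
```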


@@ -1,9 +1,6 @@
# ------------------------------------------------------------
# Default Site
# ------------------------------------------------------------
{% if value == "congratulations" %}
# Skipping output, congratulations page configration is baked in.
{%- else %}
server {
listen 80 default_server;
listen [::]:80 default_server;
@@ -14,7 +11,7 @@ server {
listen 443 http3 default_server;
listen [::]:443 http3 default_server;
server_name default-host;
server_name _;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
@@ -27,10 +24,9 @@ server {
{%- if value == "404" %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
return 404;
alias /html/404/;
}
{% endif %}
{%- endif %}
{%- if value == "redirect" %}
location / {
@@ -39,39 +35,17 @@ server {
}
{%- endif %}
{%- if value == "html" %}
root /data/nginx/default_www;
{%- if value == "congratulations" %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
try_files $uri /index.html;
alias /html/default/;
}
{%- endif %}
{%- if value == "html" %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
alias /data/nginx/html/;
}
{%- endif %}
}
{% endif %}
# ------------------------------------------------------------
# prevent processing requests with undefined server names
# ------------------------------------------------------------
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 http3;
listen [::]:443 http3;
server_name "";
return 444;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
}


@@ -7,6 +7,7 @@ server {
server_name {{ domain_names | join: " " }};
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;


@@ -8,42 +8,22 @@ server {
{% include "_listen.conf" %}
{% include "_certificates.conf" %}
{% include "_exploits.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
{% endif %}
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
{{ advanced_config }}
{{ locations }}
include conf.d/include/letsencrypt-acme-challenge.conf;
{% if use_default_location %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
{% if access_list_id > 0 %}
{% if access_list.items.length > 0 %}
# Authorization
auth_basic "Authorization required";
auth_basic_user_file /data/access/{{ access_list_id }};
{{ access_list.passauth }}
{% endif %}
# Access Rules
{% for client in access_list.clients %}
{{- client.rule -}};
{% endfor %}deny all;
# Access checks must...
{% if access_list.satisfy %}
{{ access_list.satisfy }};
{% endif %}
{% endif %}
{% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
@@ -56,6 +36,29 @@ server {
}
{% endif %}
{% if access_list_id > 0 %}
{% if access_list.items.length > 0 %}
# Authorization
auth_basic "Authorization required";
auth_basic_user_file /data/access/{{ access_list_id }};
{{ access_list.passauth }}
{% endif %}
# Access Rules
{% for client in access_list.clients %}
{{- client.rule -}};
{% endfor %}deny all;
# Access checks must...
{% if access_list.satisfy %}
{{ access_list.satisfy }};
{% endif %}
{% endif %}
{{ locations }}
# Custom
include /data/nginx/custom/server_proxy.conf;
}
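Review bot: The access-list block appears to move from inside `location /` (first hunk) to server scope (the `{% if access_list_id > 0 %}` … `{% endif %}` run placed before `{{ locations }}` in the second hunk), which makes `auth_basic`, the `allow`/`deny` rules and `satisfy` inherit into every location of the host, including the custom `{{ locations }}` and anything a user put in `{{ advanced_config }}`; that is probably the intent, but it is a behaviour change for existing hosts and deserves a changelog line. It also means the ACME challenge path is now covered unless `conf.d/include/letsencrypt-acme-challenge.conf` itself sets `auth_basic off;` and `allow all;` in its location — worth confirming, because a protected challenge path breaks renewals on every access-listed host. A comment above the block, `# Access list is server-wide; a custom location that declares its own auth_basic/allow/deny replaces it`, would spare the next reader the same question. The `server {` block continues outside both hunks.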


@@ -4,12 +4,12 @@
server {
{% include "_listen.conf" %}
{% include "_certificates.conf" %}
{% include "_exploits.conf" %}
{% include "_hsts.conf" %}
{% include "_forced_ssl.conf" %}
{{ advanced_config }}
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
{% if use_default_location %}
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;


@@ -13,3 +13,4 @@ services:
- "TZ=Europe/Berlin"
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors
# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost
# - "PHP_APKS=php7-curl php8-curl php81-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?name=php*


@@ -54,6 +54,16 @@
<input name="forward_port" type="number" class="form-control text-monospace" placeholder="80" value="<%- forward_port %>" required>
</div>
</div>
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('proxy-hosts', 'allow-websocket-upgrade') %></span>
</label>
</div>
</div>
<!--
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
@@ -64,16 +74,6 @@
</div>
</div>
<div class="col-sm-6 col-md-6">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
<span class="custom-switch-indicator"></span>
<span class="custom-switch-description"><%- i18n('proxy-hosts', 'allow-websocket-upgrade') %></span>
</label>
</div>
</div>
<!--
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="caching_enabled" value="1"<%- caching_enabled ? ' checked' : '' %>>


@@ -51,7 +51,7 @@
</select>
</div>
</div>
<div class="col-sm-6 col-md-6">
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="preserve_path" value="1"<%- preserve_path ? ' checked' : '' %>>
@@ -60,7 +60,8 @@
</label>
</div>
</div>
<div class="col-sm-6 col-md-6">
<!---
<div class="col-sm-12 col-md-12">
<div class="form-group">
<label class="custom-switch">
<input type="checkbox" class="custom-switch-input" name="block_exploits" value="1"<%- block_exploits ? ' checked' : '' %>>
@@ -69,6 +70,7 @@
</label>
</div>
</div>
--->
</div>
</div>


@@ -228,7 +228,7 @@
"access": "Access",
"satisfy": "Satisfy",
"satisfy-any": "Allow access if at least one authorization method succseeded",
"pass-auth": "Pass credentials to backend of host",
"pass-auth": "Don't pass credentials to backend of host",
"access-add": "Add",
"auth-add": "Add",
"search": "Search Access…"


@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"devDependencies": {
"@babel/core": "7.20.5",
"@babel/core": "7.20.7",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-preset-env": "1.7.0",
@@ -18,7 +18,7 @@
"file-loader": "6.2.0",
"html-webpack-plugin": "4.5.2",
"imports-loader": "0.8.0",
"jquery": "3.6.2",
"jquery": "3.6.3",
"jquery-mask-plugin": "1.14.16",
"jquery-serializejson": "3.2.1",
"marionette.approuter": "1.0.2",


@@ -4,7 +4,7 @@
],
"baseBranches": [],
"includeForks": true,
"automerge": true,
"automerge": false,
"branchPrefix": "renovate-deps-update-",
"rangeStrategy": "pin",
"digest": {

rootfs/html/404/bootstrap.min.css vendored Normal file



@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>404 Not Found</title>
<link href="/bootstrap.min.css" rel="stylesheet">
<style>
.jumbotron {
margin-top: 50px;
}
</style>
</head>
<body>
<div class="container">
<div class="jumbotron">
<h1 class="text-center">404 Not Found</h1>
</div>
<p class="text-center">
<small>Powered by <a href="https://github.com/ZoeyVid/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a>
</small>
</p>
</div>
</body>
</html>

rootfs/html/default/bootstrap.min.css vendored Normal file



@@ -5,20 +5,25 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Default Site</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
<link href="/bootstrap.min.css" rel="stylesheet">
<style>
.jumbotron { margin-top: 50px; }
.jumbotron {
margin-top: 50px;
}
</style>
</head>
<body>
<div class="container">
<div class="jumbotron">
<h1>Congratulations!</h1>
<h1 class="text-center">Congratulations!</h1>
<p>You've successfully started the Nginx Proxy Manager.</p>
<p>If you're seeing this site then you're trying to access a host that isn't set up yet.</p>
<p>Log in to the Admin panel to get started.</p>
</div>
<p class="text-center"><small>Powered by <a href="https://github.com/jc21/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a></small></p>
<p class="text-center">
<small>Powered by <a href="https://github.com/ZoeyVid/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a>
</small>
</p>
</div>
</body>
</html>


@@ -1,8 +1,6 @@
#!/bin/sh
OK=$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')
if [ "$OK" == "OK" ]; then
if (cgi-fcgi -bind -connect /dev/php7.sock > /dev/null && cgi-fcgi -bind -connect /dev/php8.sock > /dev/null && cgi-fcgi -bind -connect /dev/php81.sock > /dev/null && cgi-fcgi -bind -connect /dev/php82.sock > /dev/null && [ "$(wget -q --no-check-certificate https://127.0.0.1:81/api -O - | jq --raw-output '.status')" == "OK" ]); then
echo "OK"
exit 0
else


@@ -1,18 +1,52 @@
#!/bin/sh
if [ -f /data/nginx/default_host/site.conf ]; then
mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1
# From https://github.com/nextcloud/all-in-one/pull/1377/files
if [ -n "$PHP_APKS" ]; then
if ! echo "$PHP_APKS" | grep -q "^[a-z0-9 _-]\+$"; then
echo "You've set PHP_APKS but not to an allowed value.
It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens and underscores.
It is set to '$PHP_APKS'." || exit 1
sleep inf || exit 1
fi
read -ra APKS_ARRAY <<< "$PHP_APKS"
for apk in "${APKS_ARRAY[@]}"; do
if ! echo "$apk" | grep -q "php*"; then
echo "'$apk' is a non allowed value.
It needs to start with php.
It is set to '$apk'." || exit 1
sleep inf || exit 1
fi
echo "Installing $apk via apk..."
if ! apk add --no-cache "$apk" >/dev/null; then
echo "The packet $apk was not installed!"
fi
done
fi
mkdir -p /tmp/letsencrypt-acme-challenge \
/data/letsencrypt \
/data/custom_ssl \
/data/access \
/data/php \
/data/nginx/redirection_host \
/data/nginx/proxy_host \
/data/nginx/dead_host \
/data/nginx/stream \
/data/nginx/custom || exit 1
/data/nginx/custom \
/data/nginx/html || exit 1
if [ -f /data/nginx/default_host/site.conf ]; then
mv /data/nginx/default_host/site.conf /data/nginx/default.conf || exit 1
fi
if [ -f /data/nginx/default_www/index.html ]; then
mv /data/nginx/default_www/index.html /data/nginx/html/index.html || exit 1
fi
rm -rf /data/letsencrypt-acme-challenge \
/data/nginx/default_host \
@@ -36,7 +70,17 @@ find /data/nginx -type f -name '*.conf' -exec sed -i "s/# Asset Caching//g" {} \
find /data/nginx -type f -name '*.conf' -exec sed -i "s/proxy_http_version.*//g" {} \; || exit 1
find /data/nginx -type f -name '*.conf' -exec sed -i "s/access_log.*//g" {} \; || exit 1
touch /data/nginx/custom/root.conf \
if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1
fi
if [ ! -f /data/nginx/default.conf ]; then
cp /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf || exit 1
fi
touch /data/nginx/default.conf \
/data/nginx/html/index.html \
/data/nginx/custom/root.conf \
/data/nginx/custom/events.conf \
/data/nginx/custom/http.conf \
/data/nginx/custom/http_top.conf \
@@ -48,13 +92,15 @@ touch /data/nginx/custom/root.conf \
/data/nginx/custom/server_stream_udp.conf \
/usr/local/nginx/conf/conf.d/include/ip_ranges.conf || exit 1
if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]; then
openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem || exit 1
fi
for folder in $(find /etc -maxdepth 1 -type d -name php*); do cp -Trn $folder /data/php/$(echo $folder| sed "s|/etc/php||g"); done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|user =.*|user = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|group =.*|group = root|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|listen =.*|listen = /dev/$(echo $folder| sed "s|/etc/||g").sock|" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/www.conf; done;
for folder in $(find /etc -maxdepth 1 -type d -name php*); do sed -i "s|include=.*|include=/data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.d/*.conf|g" /data/php/$(echo $folder| sed "s|/etc/php||g")/php-fpm.conf; done;
if [ "$NPM_LISTEN_LOCALHOST" == "true" ]; then
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/production.conf || exit 1
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/production.conf || exit 1
sed -i "s/listen 81/listen 127.0.0.1:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1
sed -i "s/listen \[::\]:81/listen \[::1\]:81/g" /usr/local/nginx/conf/conf.d/npm.conf || exit 1
fi
if [ "$NGINX_LOG_NOT_FOUND" == "true" ]; then
@@ -66,8 +112,32 @@ nginx -T || exit 1
sleep inf || exit 1
fi
while nginx -t 2> /dev/null; do
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
while (nginx -t 2> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt 2> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt 2> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt 2> /dev/null && cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt 2> /dev/null); do
nginx || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FOR || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FOR || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR || exit 1 &
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR || exit 1 &
node --abort_on_uncaught_exception --max_old_space_size=250 index.js || exit 1 &
wait
done
@@ -76,3 +146,23 @@ if ! nginx -t 2> /dev/null; then
nginx -T || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/7/conf.d php-fpm7 -c /data/php/7 -y /data/php/7/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/8/conf.d php-fpm8 -c /data/php/8 -y /data/php/8/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi
if ! cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt 2> /dev/null; then
cross-env PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FORt || exit 1
sleep inf || exit 1
fi


@@ -0,0 +1,29 @@
# ------------------------------------------------------------
# Default Site
# ------------------------------------------------------------
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
listen 443 http3 default_server;
listen [::]:443 http3 default_server;
server_name _;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
alias /html/default/;
}
}
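Review bot: `conf.d/include/letsencrypt-acme-challenge.conf` is included twice in the new default site — once at server level right after `ssl-ciphers.conf` and again inside `location /`. If that include defines its own `location` for the ACME path, the server-level copy already wins the match and the nested one is dead; if it only sets directives, the second include is simply redundant, so I'd drop the one inside `location /`. The same double include appears in the rewritten first-443 host section further down this commit. A one-line comment above `ssl_certificate /data/nginx/dummycert.pem;` would also help the next reader, since the start script generates that file as a self-signed `/CN=*` placeholder: `# self-signed placeholder generated at startup; real hosts bring their own certificate`.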


@@ -4,7 +4,7 @@ proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host:$server_port;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
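Review bot: Two lines below the changed `Host` header, this shared include still negotiates upstream TLS with `proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;`, which offers deprecated protocols to every proxied backend; current OpenSSL builds typically cannot negotiate SSLv2/SSLv3 anyway, but TLSv1 and TLSv1.1 remain enabled. Unless legacy upstreams are a hard requirement, I'd narrow the default to `proxy_ssl_protocols TLSv1.2 TLSv1.3;` and let individual hosts override it if they must talk to an old backend. On the change itself: `$host` strips the port the client used, so a backend that builds absolute URLs from the Host header loses it whenever the proxy listens on a non-standard port — `$http_host` preserves the value as sent, if that is the intent. The same Host change is made in the admin-interface section below; the comment applies there too.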


@@ -1,34 +1,28 @@
server {
listen 81 ssl http2;
listen 81 http3;
listen [::]:81 ssl http2;
listen [::]:81 http3;
listen 80;
listen [::]:80;
server_name nginxproxymanager-default;
include conf.d/include/force-ssl.conf;
include conf.d/include/block-exploits.conf;
include conf.d/include/letsencrypt-acme-challenge.conf;
}
# First 443 Host, which is the default if another default doesn't exist
server {
listen 443 ssl http2;
listen 443 http3;
listen [::]:443 ssl http2;
listen 443 http3;
listen [::]:443 http3;
server_name "";
return 444;
include conf.d/include/force-ssl.conf;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
server_name nginxproxymanager-default;
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
include conf.d/include/ssl-ciphers.conf;
include conf.d/include/block-exploits.conf;
include conf.d/include/letsencrypt-acme-challenge.conf;
location / {
include conf.d/include/letsencrypt-acme-challenge.conf;
root /var/www/html;
}
}


@@ -1,11 +1,11 @@
# Admin Interface
server {
listen 81 ssl http2 default_server;
listen 81 http3 default_server;
listen [::]:81 ssl http2 default_server;
listen [::]:81 http3 default_server;
server_name nginxproxymanager;
server_name _;
ssl_certificate /data/nginx/dummycert.pem;
ssl_certificate_key /data/nginx/dummykey.pem;
include conf.d/include/ssl-ciphers.conf;
@@ -26,7 +26,7 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host:$server_port;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
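Review bot: With `server_name _;` on listeners that already carry `default_server`, the admin server answers for any Host header (it effectively did before as well, since `default_server` catches unmatched names), and the second hunk now forwards that client-supplied value to the backend unchanged via `proxy_set_header Host $host;`. If the Node application derives redirect targets or links from Host, it should validate the value, or the proxy should pin a fixed one instead — the application side is not visible from here. Assuming the rendered order is old-then-new, both changes in this section are behaviour-neutral for a normally reached admin UI, so a comment such as `# catch-all: the admin UI is reached by IP or any name on port 81` above the server_name line would make the intent explicit.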


@@ -36,11 +36,15 @@ http {
gzip_comp_level 9;
resolver localhost;
index index.html Index.html;
fastcgi_index index.php;
index index.php index.html;
error_page 404 =307 $scheme://$host:$server_port;
error_page 497 =301 https://$host:$server_port$request_uri;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
# Default upstream scheme
map $host $forward_scheme {
default http;
@@ -52,6 +56,22 @@ http {
'' close;
}
upstream php7 {
server unix:/dev/php7.sock;
}
upstream php8 {
server unix:/dev/php8.sock;
}
upstream php81 {
server unix:/dev/php81.sock;
}
upstream php82 {
server unix:/dev/php82.sock;
}
# Fancy Index
fancyindex on;
fancyindex_localtime on;
@@ -75,7 +95,10 @@ http {
set_real_ip_from 169.254.0.0/16;
set_real_ip_from fc00::/7;
set_real_ip_from fec0::/10;
include fastcgi.conf;
fastcgi_param HTTP_PROXY "";
include conf.d/include/ip_ranges.conf;
include /data/nginx/default.conf;