diff --git a/Dockerfile b/Dockerfile index a2c2b239..d8488ee9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,10 +56,10 @@ RUN apk upgrade --no-cache -a && \ echo "#APPSEC_FAILURE_ACTION=deny # see https://github.com/crowdsecurity/lua-cs-bouncer/issues/63" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf -FROM zoeyvid/nginx-quic:259 +FROM zoeyvid/nginx-quic:260 SHELL ["/bin/ash", "-eo", "pipefail", "-c"] -ARG CRS_VER=v4.0/dev +ARG CRS_VER=v4.0.0 COPY rootfs / COPY --from=zoeyvid/certbot-docker:25 /usr/local /usr/local @@ -68,15 +68,16 @@ COPY --from=zoeyvid/curl-quic:370 /usr/local/bin/curl /usr/local/bin/curl RUN apk upgrade --no-cache -a && \ apk add --no-cache ca-certificates tzdata tini \ patch bash nano \ - lua5.1-lzlib \ nodejs-current \ openssl apache2-utils \ + lua5.1-lzlib lua5.1-socket \ coreutils grep jq shadow sudo \ luarocks5.1 wget lua5.1-dev build-base git yarn && \ curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \ git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \ mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \ mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ + mv -v /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \ rm -r /tmp/* && \ luarocks-5.1 install lua-resty-http && \ diff --git a/README.md b/README.md index 734f611e..9f5ed879 100644 --- a/README.md +++ b/README.md 
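Review bot: The plugins directory now baked into the image by the new `mv -v /tmp/coreruleset/plugins …` line in the second hunk comes from `git clone --branch "$CRS_VER"`, and with CRS_VER moved to the `v4.0.0` tag in the first hunk the build depends on a tag that upstream can re-point, so the rule and plugin set shipped in the image is neither reproducible nor verifiable from the Dockerfile alone. Consider pinning the checkout to a commit and failing the build on mismatch, e.g. `git clone --depth 1 --branch "$CRS_VER" https://github.com/coreruleset/coreruleset /tmp/coreruleset && \` followed by `[ "$(git -C /tmp/coreruleset rev-parse HEAD)" = "$CRS_COMMIT" ] && \`, where `CRS_COMMIT` is a new build ARG holding the expected SHA (name constructed here, value to be filled from the release). What `/tmp/coreruleset/plugins` contains at that tag is not visible in the hunk; if it only holds placeholder files, a one-line comment above the `mv` stating why it is shipped would help the next reader. The RUN instruction continues past the end of the hunk.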
@@ -24,7 +24,6 @@ running at home or otherwise, including free TLS, without having to know too muc ## Project Goal - I created this project to fill a personal need to provide users with a easy way to accomplish reverse proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed. While there might be advanced options they are optional and the project should be as simple as possible @@ -137,8 +136,12 @@ labels: 10. set LOGROTATE to `true` in your `compose.yaml 11. redeploy the `compose.yaml` -# Use as webserver +# coreruleset plugins +1. Download the `-before.conf`, `-config.conf` and `-after.conf` files of the plugin +2. put them into the `/opt/npm/etc/modsecurity/crs-plugins` folder +3. maybe open the `/opt/npm/etc/modsecurity/crs-plugins/-config.conf` and configure the plugin +# Use as webserver 1. Create a new Proxy Host 2. Set `Scheme` to `https`, `Forward Hostname / IP` to `0.0.0.0`, `Forward Port` to `1` and enable `Websockets Support` (you can also use other values, since these get fully ignored) 3. Maybe set an Access List 
@@ -179,60 +182,44 @@ location / { 4. create your cert using the npm web ui # Quick Setup - 1. Install Docker and Docker Compose (or portainer) - - [Docker Install documentation](https://docs.docker.com/engine) - [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux) - 2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack): - 3. Bring up your stack by running (or deploy your portainer stack) ```bash docker compose up -d ``` - 4. Log in to the Admin UI - When your docker container is running, connect to it on port `81` for the admin interface. Sometimes this can take a little bit because of the entropy of keys. You may need to open port 81 in your firewall. You may need to use another IP-Address. - [https://127.0.0.1:81](https://127.0.0.1:81) - Default Admin User: ``` Email: admin@example.com Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi ``` - Immediately after logging in with this default user you will be asked to modify your details and change your password. ### prerun patches/scripts (EXPERT option) - if you don't know what this is, ignore it - run order: entrypoint.sh (patches => scripts) => start.sh => launch.sh
if you need to apply patches before NPMplus launches put them under: `/opt/npm/etc/prerun/patches/*.patch` (applied using `patch -p1`)
if you need to run scripts before NPMplus launches put them under: `/opt/npm/etc/prerun/scripts/*.sh` (please add `#!/bin/sh` / `#!/bin/bash` to the top of the script)
you need to create this folders yourself, they will be launches from the `/` folder - **NOTE:** I won't help you creating thoose patches/scripts if you need them you also need to know how to create them ## Contributing - All are welcome to create pull requests for this project, against the `develop` branch. - CI is used in this project. All PR's must pass before being considered. After passing, docker builds for PR's are available on ghcr for manual verifications. ## Contributors/Sponsor upstream NPM - Special thanks to [all of our contributors](https://github.com/NginxProxyManager/nginx-proxy-manager/graphs/contributors). If you want to sponsor them, please see [here](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/master/README.md). - # Please report Bugs first to this fork before reporting them to the upstream Repository - ## Getting Support - 1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues) 2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions)