nginx/dep updates/allow adding crs plugins

Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
renovate[bot]
2024-02-13 10:41:21 +00:00
committed by Zoey
parent e666935cd9
commit c07ecc3239
5 changed files with 19 additions and 22 deletions


@@ -56,10 +56,10 @@ RUN apk upgrade --no-cache -a && \
echo "#APPSEC_FAILURE_ACTION=deny # see https://github.com/crowdsecurity/lua-cs-bouncer/issues/63" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ echo "#APPSEC_FAILURE_ACTION=deny # see https://github.com/crowdsecurity/lua-cs-bouncer/issues/63" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:259 FROM zoeyvid/nginx-quic:260
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.0/dev ARG CRS_VER=v4.0.0
COPY rootfs / COPY rootfs /
COPY --from=zoeyvid/certbot-docker:25 /usr/local /usr/local COPY --from=zoeyvid/certbot-docker:25 /usr/local /usr/local
@@ -68,15 +68,16 @@ COPY --from=zoeyvid/curl-quic:370 /usr/local/bin/curl /usr/local/bin/curl
RUN apk upgrade --no-cache -a && \ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \ apk add --no-cache ca-certificates tzdata tini \
patch bash nano \ patch bash nano \
lua5.1-lzlib \
nodejs-current \ nodejs-current \
openssl apache2-utils \ openssl apache2-utils \
lua5.1-lzlib lua5.1-socket \
coreutils grep jq shadow sudo \ coreutils grep jq shadow sudo \
luarocks5.1 wget lua5.1-dev build-base git yarn && \ luarocks5.1 wget lua5.1-dev build-base git yarn && \
curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \ curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \
git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \ git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \
mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \ mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
mv -v /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \ mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
rm -r /tmp/* && \ rm -r /tmp/* && \
luarocks-5.1 install lua-resty-http && \ luarocks-5.1 install lua-resty-http && \
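Review bot: Moving CRS_VER from the `v4.0/dev` branch to the `v4.0.0` tag makes the build reproducible in name only, because `git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset` checks out whatever the mutable tag points to with no integrity check, and the rules it fetches are the WAF ruleset the final image enforces. Pin the resolved commit in the same RUN, e.g. `test "$(git -C /tmp/coreruleset rev-parse HEAD)" = "<EXPECTED_CRS_COMMIT>" && \` right after the clone (with the expected id kept next to CRS_VER as a build ARG), or fetch the release tarball with `ADD --checksum=sha256:<EXPECTED_SHA256>` instead of cloning. The pre-existing `curl … acme.sh | sh -s --` line above has the same property (unpinned `master`, no checksum) and could be handled the same way when this RUN is next touched. This RUN step starts before the first hunk and continues past the last line shown here.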


@@ -24,7 +24,6 @@ running at home or otherwise, including free TLS, without having to know too muc
## Project Goal ## Project Goal
I created this project to fill a personal need to provide users with a easy way to accomplish reverse I created this project to fill a personal need to provide users with a easy way to accomplish reverse
proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed. proxying hosts with TLS termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
While there might be advanced options they are optional and the project should be as simple as possible While there might be advanced options they are optional and the project should be as simple as possible
@@ -137,8 +136,12 @@ labels:
10. set LOGROTATE to `true` in your `compose.yaml 10. set LOGROTATE to `true` in your `compose.yaml
11. redeploy the `compose.yaml` 11. redeploy the `compose.yaml`
# Use as webserver # coreruleset plugins
1. Download the `<plugin-name>-before.conf`, `<plugin-name>-config.conf` and `<plugin-name>-after.conf` files of the plugin
2. put them into the `/opt/npm/etc/modsecurity/crs-plugins` folder
3. maybe open the `/opt/npm/etc/modsecurity/crs-plugins/<plugin-name>-config.conf` and configure the plugin
# Use as webserver
1. Create a new Proxy Host 1. Create a new Proxy Host
2. Set `Scheme` to `https`, `Forward Hostname / IP` to `0.0.0.0`, `Forward Port` to `1` and enable `Websockets Support` (you can also use other values, since these get fully ignored) 2. Set `Scheme` to `https`, `Forward Hostname / IP` to `0.0.0.0`, `Forward Port` to `1` and enable `Websockets Support` (you can also use other values, since these get fully ignored)
3. Maybe set an Access List 3. Maybe set an Access List
@@ -179,60 +182,44 @@ location / {
4. create your cert using the npm web ui 4. create your cert using the npm web ui
# Quick Setup # Quick Setup
1. Install Docker and Docker Compose (or portainer) 1. Install Docker and Docker Compose (or portainer)
- [Docker Install documentation](https://docs.docker.com/engine) - [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux) - [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack): 2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):
3. Bring up your stack by running (or deploy your portainer stack) 3. Bring up your stack by running (or deploy your portainer stack)
```bash ```bash
docker compose up -d docker compose up -d
``` ```
4. Log in to the Admin UI 4. Log in to the Admin UI
When your docker container is running, connect to it on port `81` for the admin interface. When your docker container is running, connect to it on port `81` for the admin interface.
Sometimes this can take a little bit because of the entropy of keys. Sometimes this can take a little bit because of the entropy of keys.
You may need to open port 81 in your firewall. You may need to open port 81 in your firewall.
You may need to use another IP-Address. You may need to use another IP-Address.
[https://127.0.0.1:81](https://127.0.0.1:81) [https://127.0.0.1:81](https://127.0.0.1:81)
Default Admin User: Default Admin User:
``` ```
Email: admin@example.com Email: admin@example.com
Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi Password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi
``` ```
Immediately after logging in with this default user you will be asked to modify your details and change your password. Immediately after logging in with this default user you will be asked to modify your details and change your password.
### prerun patches/scripts (EXPERT option) - if you don't know what this is, ignore it ### prerun patches/scripts (EXPERT option) - if you don't know what this is, ignore it
run order: entrypoint.sh (patches => scripts) => start.sh => launch.sh <br> run order: entrypoint.sh (patches => scripts) => start.sh => launch.sh <br>
if you need to apply patches before NPMplus launches put them under: `/opt/npm/etc/prerun/patches/*.patch` (applied using `patch -p1`) <br> if you need to apply patches before NPMplus launches put them under: `/opt/npm/etc/prerun/patches/*.patch` (applied using `patch -p1`) <br>
if you need to run scripts before NPMplus launches put them under: `/opt/npm/etc/prerun/scripts/*.sh` (please add `#!/bin/sh` / `#!/bin/bash` to the top of the script) <br> if you need to run scripts before NPMplus launches put them under: `/opt/npm/etc/prerun/scripts/*.sh` (please add `#!/bin/sh` / `#!/bin/bash` to the top of the script) <br>
you need to create this folders yourself, they will be launches from the `/` folder - **NOTE:** I won't help you creating thoose patches/scripts if you need them you also need to know how to create them you need to create this folders yourself, they will be launches from the `/` folder - **NOTE:** I won't help you creating thoose patches/scripts if you need them you also need to know how to create them
## Contributing ## Contributing
All are welcome to create pull requests for this project, against the `develop` branch. All are welcome to create pull requests for this project, against the `develop` branch.
CI is used in this project. All PR's must pass before being considered. After passing, CI is used in this project. All PR's must pass before being considered. After passing,
docker builds for PR's are available on ghcr for manual verifications. docker builds for PR's are available on ghcr for manual verifications.
## Contributors/Sponsor upstream NPM ## Contributors/Sponsor upstream NPM
Special thanks to [all of our contributors](https://github.com/NginxProxyManager/nginx-proxy-manager/graphs/contributors). Special thanks to [all of our contributors](https://github.com/NginxProxyManager/nginx-proxy-manager/graphs/contributors).
If you want to sponsor them, please see [here](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/master/README.md). If you want to sponsor them, please see [here](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/master/README.md).
# Please report Bugs first to this fork before reporting them to the upstream Repository # Please report Bugs first to this fork before reporting them to the upstream Repository
## Getting Support ## Getting Support
1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues) 1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues)
2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions) 2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions)
<!--- <!---


@@ -21,7 +21,7 @@
"moment": "2.30.1", "moment": "2.30.1",
"mysql": "2.18.1", "mysql": "2.18.1",
"node-rsa": "1.1.1", "node-rsa": "1.1.1",
"objection": "3.1.3", "objection": "3.1.4",
"path": "0.12.7", "path": "0.12.7",
"signale": "1.4.0", "signale": "1.4.0",
"sqlite3": "5.1.6" "sqlite3": "5.1.6"


@@ -381,6 +381,7 @@ mkdir -vp /data/tls/certbot/credentials \
/data/etc/access \ /data/etc/access \
/data/etc/crowdsec \ /data/etc/crowdsec \
/data/etc/modsecurity \ /data/etc/modsecurity \
/data/etc/modsecurity/crs-plugins \
/data/nginx/redirection_host \ /data/nginx/redirection_host \
/data/nginx/proxy_host \ /data/nginx/proxy_host \
/data/nginx/dead_host \ /data/nginx/dead_host \
@@ -550,6 +551,7 @@ if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.exam
fi fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
if [ "$DEFAULT_CERT_ID" = "0" ]; then if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem export DEFAULT_CERT=/data/tls/dummycert.pem
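Review bot: The new `cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins` runs unconditionally on every container start, unlike the surrounding copies that are guarded by `if [ ! -s … ]; then … fi` (the guard closing at `fi` two lines above it), while the README hunk in this commit tells users to drop their own plugin files and to edit `<plugin-name>-config.conf` in that same directory. Any user-edited file whose name matches one shipped in the image's `plugins/` directory is therefore silently overwritten at the next restart, which for a WAF plugin can mean the plugin's configuration reverts without anyone noticing. If the intent is to seed the directory rather than manage it, `cp -vn` (no-clobber; coreutils is installed in the Dockerfile hunk) preserves user edits, and a short comment above the line, `# seed CRS plugin placeholders; user-managed files in this dir must not be overwritten`, records the expectation. Whether the script runs under `set -e` is not visible in this hunk, so it is unclear what happens if the source glob matches nothing.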


@@ -1,6 +1,13 @@
Include /data/etc/modsecurity/modsecurity-default.conf Include /data/etc/modsecurity/modsecurity-default.conf
Include /data/etc/modsecurity/modsecurity-extra.conf Include /data/etc/modsecurity/modsecurity-extra.conf
Include /data/etc/modsecurity/crs-setup.conf Include /data/etc/modsecurity/crs-setup.conf
Include /data/etc/modsecurity/crs-plugins/*-config.conf
Include /data/etc/modsecurity/crs-plugins/*-before.conf
Include /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf Include /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
Include /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf Include /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Include /data/etc/modsecurity/crs-plugins/*-after.conf
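Review bot: The three new `Include /data/etc/modsecurity/crs-plugins/*-config.conf`, `*-before.conf` and `*-after.conf` globs only load cleanly if each pattern matches at least one file; as far as I recall, ModSecurity v3 treats an Include glob with no match as a failed include, which would take down the whole ruleset load rather than just the plugin section, so this should be confirmed against the ModSecurity version the image ships. The commit appears to rely on the start script copying the CRS `plugins/*` placeholder files into that directory, which is an implicit contract between two files; a comment here, `# each crs-plugins glob must match at least one file (CRS ships empty-*.conf placeholders, copied in by the start script)`, would make it explicit for anyone pruning that directory by hand as the README invites. The placement (config and before-plugins after crs-setup.conf and before the CRS rules, after-plugins last) matches the order CRS documents for plugins.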