From c586da6418e5c458c0813d271aab9d46f95b88c5 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Mon, 1 May 2023 16:44:08 +0200
Subject: [PATCH] improve readme/compose-files/dep-updates

Signed-off-by: Zoey
---
 Caddyfile | 2 +-
 README.md | 60 ++++++++++++++++++++---------------------
 compose.override.yaml | 6 ++---
 compose.yaml | 62 +++++++++++++++++++++----------------------
 frontend/package.json | 2 +-
 rootfs/bin/start.sh | 7 +++--
 6 files changed, 69 insertions(+), 70 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 33422e94..2ab18afe 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -4,5 +4,5 @@
 }
 }
 http://:80 {
- redir https://{host}{uri}
+ redir https://{host}{uri} permanent
 }
diff --git a/README.md b/README.md
index 948f5118..175178c0 100644
--- a/README.md
+++ b/README.md
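Review bot: `permanent` turns this redirect into a 301, which browsers cache without an expiry, so the move away from Caddy's default 302 is a one-way decision for every client that has seen it once; that is the usual choice for an HTTP→HTTPS bootstrap on a catch-all `http://:80` site, but nothing in the file records that it is intentional. A comment above the directive would stop a later "why not 302" revert, e.g. `# 301 on purpose: port 80 exists only to upgrade clients to HTTPS; browsers may cache it`. Since `{host}` is filled from the client's own Host header, the cached target is always the name that client requested, so the permanence does not pin clients to a wrong host.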
@@ -39,42 +39,42 @@ so that the barrier for entry here is low. - User management, permissions and audit log -# New Features +# List of new features -- HTTP/3 (QUIC) Support -- Darkmode (have a look at the footer) -- Fix Proxy Hosts, if origin only accepts TLSv1.3 -- Only use TLSv1.2 and TLSv1.3 -- Uses OCSP Stapling - - Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder -- fixed dnspod plugin - - Needs manual migration, please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) for the template) -- Smaller then the original -- Runs the admin interface on port 81 with https -- Default page runs also with https -- Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if you use the npm directly as webserver -- Expose INTERNAL backend api only to localhost -- Easy security headers, see [here](https://github.com/GetPageSpeed/ngx_security_headers) +- Supports HTTP/3 (QUIC) protocol +- Darkmode button in the footer for comfortable viewing +- Fixes proxy to https origin when the origin only accepts TLSv1.3 +- Only enables TLSv1.2 and TLSv1.3 protocols +- Uses OCSP Stapling for enhanced security + - If using custom certificates, upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder (manual migration may be needed) +- Resolved dnspod plugin issue + - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) +- Smaller docker image with alpine-based distribution +- Admin backend interface runs with https +- Default page also runs with https +- Uses 
[fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver +- Exposes INTERNAL backend api only to localhost +- Easy application of security headers using [ngx_security_headers](https://github.com/GetPageSpeed/ngx_security_headers) - Access Log disabled - Error Log written to console -- PHP optinal, you can add php extensions, see aviable packages [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*) -- allows different acme servers -- up to 99 domains per cert allowed -- Brotli can be enabled -- HTTP/2 always enabled -- HTTP/2 upload fixed -- Infinite upload size allowed -- Auto database vacuum (only sqlite) (FULLCLEAN=true) -- Auto certbot old certs clean (FULLCLEAN=true) -- Passwort reset (only sqlite) (`docker exec -it nginx-proxy-manager password-reset.js USER_EMAIL PASSWORD`) -- TLS supported for MariaDB/MySQL, please set the `DB_MYSQL_TLS` env to true. 
If you use self signed certificates you can upload them for example to `/data/etc/npm/ca.crt` and set the `DB_MYSQL_CA` to `/data/etc/npm/ca.crt` (not tested) -- PUID/GGID support in network mode host (please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`) -- Option to set IP bindings (multiple instances) in network mode host +- PHP optional, with option to add extensions; available packages can be found [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*) and [here](https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*) +- Allows different acme servers/certbot config file (/opt/npm/tls/certbot/config.ini) +- Supports up to 99 domains per cert +- Brotli compression can be enabled +- HTTP/2 always enabled with fixed upload +- Allows infinite upload size +- Automatic database vacuum (only sqlite) +- Automatic cleaning of old certbot certs (set FULLCLEAN to true) +- Password reset (only sqlite) using `docker exec -it nginx-proxy-manager password-reset.js USER_EMAIL PASSWORD` +- Supports TLS for MariaDB/MySQL; set `DB_MYSQL_TLS` env to true. Self-signed certificates can be uploaded to `/data/etc/npm/ca.crt` and `DB_MYSQL_CA` set to `/data/etc/npm/ca.crt` (not tested) +- Supports PUID/PGID in network mode host; add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` +- Option to set IP bindings for multiple instances in network mode host - Option to change backend port -- See composefile for all options +- See the composefile for all available options +- If you want to redirect all HTTP traffic to HTTPS, you can use the `compose.override.yaml` file. This will also enable `h2c` (unencrypted `HTTP/2`), while keeping `HTTP/1.0` and `HTTP/1.1`. ## Soon -- inbuilt database/redis? +- maybe redis and/or sql databases built in - more ## migration diff --git a/compose.override.yaml b/compose.override.yaml index b718f7d7..02b3a824 100644 
--- a/compose.override.yaml +++ b/compose.override.yaml @@ -10,6 +10,6 @@ services: environment: - "TZ=Europe/Berlin" - nginx-proxy-manager: - environment: - - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false \ No newline at end of file + nginx-proxy-manager: + environment: + - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false diff --git a/compose.yaml b/compose.yaml index d2bb9260..7d2b0114 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -1,33 +1,33 @@
 version: "3"
 services:
- nginx-proxy-manager:
- container_name: nginx-proxy-manager
- image: zoeyvid/nginx-proxy-manager
- restart: always
- network_mode: host
- volumes:
- - "/opt/npm:/data"
-# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
-# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
- environment:
- - "TZ=Europe/Berlin" # set timezone, default UTC
-# - "PUID=1000" # set group id, default 0 (root)
-# - "PGID=1000" # set user id, default 0 (root)
-# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
-# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
-# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
-# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
-# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
-# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
-# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false
-# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false
-# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false
-# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts
-# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
-# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
-# - "CLEAN=false" # Clean folders, default true
-# - "FULLCLEAN=true" # Clean unused config folders, default false
-# - "PHP81=true" # Activate PHP81, default false
-# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none
-# - "PHP82=true" # Activate PHP82, default false
-# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none
\ No newline at end of file
+ nginx-proxy-manager:
+ container_name: nginx-proxy-manager
+ image: zoeyvid/nginx-proxy-manager
+ restart: always
+ network_mode: host
+ volumes:
+ - "/opt/npm:/data"
+# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
+# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
+ environment:
+ - "TZ=Europe/Berlin" # set timezone, default UTC
+# - "PUID=1000" # set group id, default 0 (root)
+# - "PGID=1000" # set user id, default 0 (root)
+# - "NIBEP=48693" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
+# - "NPM_PORT=81" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
+# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
+# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
+# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
+# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
+# - "DISABLE_IPV6=true" # disable IPv6, incompatible with IPV6_BINDING, default false
+# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, incompatible with NPM_IPV6_BINDING, default false
+# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, incompatible with NPM_IPV4_BINDING/NPM_IPV6_BINDING/NPM_DISABLE_IPV6, default false
+# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default unset/dummycerts
+# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
+# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
+# - "CLEAN=false" # Clean folders, default true
+# - "FULLCLEAN=true" # Clean unused config folders, default false
+# - "PHP81=true" # Activate PHP81, default false
+# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php81-*, default none
+# - "PHP82=true" # Activate PHP82, default false
+# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see aviable packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17&repo=community&arch=x86_64&name=php82-*, default none
diff --git a/frontend/package.json b/frontend/package.json
index 789a29d7..621f627e 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,7 +4,7 @@
 "description": "A beautiful interface for creating Nginx endpoints",
 "main": "js/index.js",
 "dependencies": {
- "@babel/core": "7.21.5",
+ "@babel/core": "7.21.8",
 "babel-core": "6.26.3",
 "babel-loader": "8.3.0",
 "babel-preset-env": "1.7.0",
diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh
index ec08455e..75b52431 100755
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -448,10 +448,9 @@ if [ -n "$NPM_CHAIN" ]; then sed -i "s|#ssl_trusted_certificate .*|ssl_trusted_c find /data/nginx -type f -name '*.conf' -exec sed -i "s|80 http2|80|g" {} \; -if [ "$NIBEP" != "48693" ]; then - sed -i "s|48693|$NIBEP|g" /app/index.js - sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf -fi +export NIBEP="${NIBEP:-48693}" +sed -i "s|48693|$NIBEP|g" /app/index.js +sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf if [ -n "$IPV4_BINDING" ]; then sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf