dep updates/nginxbeautifier/fix quic/http3

Signed-off-by: Zoey <zoey@z0ey.de>
renovate[bot]
2023-06-03 01:53:53 +00:00
committed by Zoey
parent cabf78faa8
commit cd058f1382
15 changed files with 93 additions and 193 deletions


@@ -1,55 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: bug
assignees: ''
---
<!--
Are you in the right place?
- If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
- If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
- If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.*
-->
**Checklist**
- Have you pulled and found the error with `zoeyvid/nginx-proxy-manager:latest` docker image?
- Yes / No
- Are you sure you're not using someone else's docker image?
- Yes / No
- Have you searched for similar issues (both open and closed)?
- Yes / No
**Describe the bug**
<!-- A clear and concise description of what the bug is. -->
**Nginx Proxy Manager Version**
<!-- What version of Nginx Proxy Manager is reported on the login page? -->
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
<!-- A clear and concise description of what you expected to happen. -->
**Screenshots**
<!-- If applicable, add screenshots to help explain your problem. -->
**Operating System**
<!-- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error. -->
**Additional context**
<!-- Add any other context about the problem here, docker version, browser version, logs if applicable to the problem. Too much info is better than too little. -->


@@ -1,18 +0,0 @@
---
name: DNS challenge provider request
about: Suggest a new provider to be available for a certificate DNS challenge
title: ''
labels: dns provider request
assignees: ''
---
**What provider would you like to see added to NPM?**
<!-- What is this provider called? -->
**Have you checked if a certbot plugin exists?**
<!--
Currently NPM only supports DNS challenge providers for which a certbot plugin exists.
You can visit pypi.org, and search for a package with the name `certbot-dns-<privider>`.
-->


@@ -1,32 +0,0 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
<!--
Are you in the right place?
- If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
- If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
- If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.*
-->
**Is your feature request related to a problem? Please describe.**
<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
**Describe the solution you'd like**
<!-- A clear and concise description of what you want to happen. -->
**Describe alternatives you've considered**
<!-- A clear and concise description of any alternative solutions or features you've considered. -->
**Additional context**
<!-- Add any other context or screenshots about the feature request here. -->


@@ -1,4 +1,4 @@
FROM --platform="$BUILDPLATFORM" alpine:3.18.0 as frontend FROM --platform="$BUILDPLATFORM" alpine:3.18.2 as frontend
COPY frontend /build/frontend COPY frontend /build/frontend
COPY global/certbot-dns-plugins.js /build/frontend/certbot-dns-plugins.js COPY global/certbot-dns-plugins.js /build/frontend/certbot-dns-plugins.js
ARG NODE_ENV=production \ ARG NODE_ENV=production \
@@ -12,7 +12,7 @@ COPY darkmode.css /build/frontend/dist/css/darkmode.css
COPY security.txt /build/frontend/dist/.well-known/security.txt COPY security.txt /build/frontend/dist/.well-known/security.txt
FROM --platform="$BUILDPLATFORM" alpine:3.18.0 as backend FROM --platform="$BUILDPLATFORM" alpine:3.18.2 as backend
COPY backend /build/backend COPY backend /build/backend
COPY global/certbot-dns-plugins.js /build/backend/certbot-dns-plugins.js COPY global/certbot-dns-plugins.js /build/backend/certbot-dns-plugins.js
ARG NODE_ENV=production \ ARG NODE_ENV=production \
@@ -29,14 +29,14 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
yarn cache clean --all yarn cache clean --all
FROM python:3.11.3-alpine3.18 as certbot FROM python:3.11.4-alpine3.18 as certbot
RUN apk add --no-cache ca-certificates build-base libffi-dev && \ RUN apk add --no-cache ca-certificates build-base libffi-dev && \
python3 -m venv /usr/local/certbot && \ python3 -m venv /usr/local/certbot && \
. /usr/local/certbot/bin/activate && \ . /usr/local/certbot/bin/activate && \
pip install --no-cache-dir certbot pip install --no-cache-dir certbot
FROM --platform="$BUILDPLATFORM" alpine:3.18.0 as crowdsec FROM --platform="$BUILDPLATFORM" alpine:3.18.2 as crowdsec
RUN apk add --no-cache ca-certificates git build-base && \ RUN apk add --no-cache ca-certificates git build-base && \
git clone --recursive https://github.com/crowdsecurity/cs-nginx-bouncer /src && \ git clone --recursive https://github.com/crowdsecurity/cs-nginx-bouncer /src && \
cd /src && \ cd /src && \
@@ -53,14 +53,14 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/crowdsec.conf|g" lua-mod/config_example.conf sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/crowdsec.conf|g" lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:142 FROM zoeyvid/nginx-quic:157
COPY rootfs / COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata \ RUN apk add --no-cache ca-certificates tzdata \
lua5.1-lzlib \ lua5.1-lzlib \
nodejs-current \ nodejs-current \
openssl apache2-utils \ openssl apache2-utils \
coreutils grep jq curl shadow sudo \ coreutils grep jq curl shadow sudo \
luarocks5.1 wget lua5.1-dev build-base git && \ luarocks5.1 wget lua5.1-dev build-base git yarn && \
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \
sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
@@ -82,25 +82,26 @@ RUN apk add --no-cache ca-certificates tzdata \
sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \ sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
mv /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf && \ mv /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf && \
mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \ mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
git clone --recursive https://github.com/coreruleset/phpmyadmin-rule-exclusions-plugin /tmp/phpmyadmin-rule-exclusions-plugin && \ #git clone --recursive https://github.com/coreruleset/phpmyadmin-rule-exclusions-plugin /tmp/phpmyadmin-rule-exclusions-plugin && \
git clone --recursive https://github.com/coreruleset/nextcloud-rule-exclusions-plugin /tmp/nextcloud-rule-exclusions-plugin && \ #git clone --recursive https://github.com/coreruleset/nextcloud-rule-exclusions-plugin /tmp/nextcloud-rule-exclusions-plugin && \
git clone --recursive https://github.com/coreruleset/wordpress-rule-exclusions-plugin /tmp/wordpress-rule-exclusions-plugin && \ #git clone --recursive https://github.com/coreruleset/wordpress-rule-exclusions-plugin /tmp/wordpress-rule-exclusions-plugin && \
git clone --recursive https://github.com/coreruleset/cpanel-rule-exclusions-plugin /tmp/cpanel-rule-exclusions-plugin && \ #git clone --recursive https://github.com/coreruleset/cpanel-rule-exclusions-plugin /tmp/cpanel-rule-exclusions-plugin && \
git clone --recursive https://github.com/coreruleset/body-decompress-plugin /tmp/body-decompress-plugin && \ #git clone --recursive https://github.com/coreruleset/body-decompress-plugin /tmp/body-decompress-plugin && \
git clone --recursive https://github.com/coreruleset/auto-decoding-plugin /tmp/auto-decoding-plugin && \ #git clone --recursive https://github.com/coreruleset/auto-decoding-plugin /tmp/auto-decoding-plugin && \
git clone --recursive https://github.com/coreruleset/google-oauth2-plugin /tmp/google-oauth2-plugin && \ #git clone --recursive https://github.com/coreruleset/google-oauth2-plugin /tmp/google-oauth2-plugin && \
mv /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ mv /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/phpmyadmin-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/phpmyadmin-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/nextcloud-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/nextcloud-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/wordpress-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/wordpress-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/cpanel-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/cpanel-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/body-decompress-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/body-decompress-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/auto-decoding-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/auto-decoding-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
mv /tmp/google-oauth2-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \ #mv /tmp/google-oauth2-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
rm -r /tmp/* && \ rm -r /tmp/* && \
luarocks-5.1 install lua-resty-http && \ luarocks-5.1 install lua-resty-http && \
luarocks-5.1 install lua-cjson && \ luarocks-5.1 install lua-cjson && \
apk del --no-cache luarocks5.1 wget lua5.1-dev build-base git yarn global add nginxbeautifier && \
apk del --no-cache luarocks5.1 wget lua5.1-dev build-base git yarn
COPY --from=backend /build/backend /app COPY --from=backend /build/backend /app
COPY --from=frontend /build/frontend/dist /app/frontend COPY --from=frontend /build/frontend/dist /app/frontend
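Review bot: The added `yarn global add nginxbeautifier` step installs whatever version the registry serves at build time, and the startup script changed in this commit then runs that tool over `/data/nginx`, so the package should be pinned, e.g. `yarn global add nginxbeautifier@<PINNED_VERSION> && \` (placeholder; the page does not name a version). The same hunk comments out all seven coreruleset plugin clones and their `mv` lines, which the commit title does not mention; a comment above them such as `# CRS plugins disabled: <reason>` would tell operators that the body-decompress, auto-decoding and rule-exclusion plugins are no longer shipped. The RUN instruction begins above this hunk, so the rest of it is not all visible here.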


@@ -52,7 +52,7 @@ so that the barrier for entry here is low.
- Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH). - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
- Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM). - Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM).
- Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and relaunches it. This can result in a 502 error when you update your hosts - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and relaunches it. This can result in a 502 error when you update your hosts
- Darkmode button in the footer for comfortable viewing (CSS done by https://github.com/theraw) - Darkmode button in the footer for comfortable viewing (CSS done by [@theraw](https://github.com/theraw))
- Fixes proxy to https origin when the origin only accepts TLSv1.3 - Fixes proxy to https origin when the origin only accepts TLSv1.3
- Only enables TLSv1.2 and TLSv1.3 protocols - Only enables TLSv1.2 and TLSv1.3 protocols
- Faster creation of TLS certificates can be achieved by eliminating unnecessary Nginx reloads and configuration creations. - Faster creation of TLS certificates can be achieved by eliminating unnecessary Nginx reloads and configuration creations.


@@ -16,7 +16,7 @@
"gravatar": "1.8.2", "gravatar": "1.8.2",
"jsonwebtoken": "9.0.0", "jsonwebtoken": "9.0.0",
"knex": "2.4.2", "knex": "2.4.2",
"liquidjs": "10.7.1", "liquidjs": "10.8.2",
"lodash": "4.17.21", "lodash": "4.17.21",
"moment": "2.29.4", "moment": "2.29.4",
"mysql": "2.18.1", "mysql": "2.18.1",
@@ -30,7 +30,7 @@
"author": "Jamie Curnow <jc@jc21.com>", "author": "Jamie Curnow <jc@jc21.com>",
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"eslint": "8.40.0", "eslint": "8.42.0",
"eslint-plugin-align-assignments": "1.1.2" "eslint-plugin-align-assignments": "1.1.2"
} }
} }


@@ -2,14 +2,13 @@
listen [::]:80; listen [::]:80;
{% if certificate %} {% if certificate %}
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
{% if hsts_subdomains %} {% if hsts_subdomains %}
listen 443 quic; listen 443 quic;
listen [::]:443 quic; listen [::]:443 quic;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on;
{% endif %} {% endif %}
{% endif %} {% endif %}
server_name {{ domain_names | join: " " }}; server_name {{ domain_names | join: " " }};


@@ -5,11 +5,11 @@ server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
listen 443 quic default_server; listen 443 quic reuseport default_server;
listen [::]:443 quic default_server; listen [::]:443 quic reuseport default_server;
server_name _; server_name _;
@@ -18,7 +18,7 @@ server {
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf; include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on; http3 on;
#ssl_certificate ; #ssl_certificate ;


@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints", "description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js", "main": "js/index.js",
"dependencies": { "dependencies": {
"@babel/core": "7.22.1", "@babel/core": "7.22.5",
"babel-core": "6.26.3", "babel-core": "6.26.3",
"babel-loader": "8.3.0", "babel-loader": "8.3.0",
"babel-preset-env": "1.7.0", "babel-preset-env": "1.7.0",


@@ -285,12 +285,14 @@ if [ "$FULLCLEAN" = "true" ]; then
certbot-cleaner.sh certbot-cleaner.sh
fi fi
find /data/nginx -type f -name '*.conf' -exec sed -i "s|80 http2|80|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s| http2||g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|\(listen .*\) http3|\1 quic|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|quic reuseport;|quic;|g" {} \;
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/access|/data/nginx/access|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/access|/data/etc/access|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/access|/data/etc/access|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/nginx/html/|/data/etc/html/|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/data/custom_ssl|/data/tls/custom|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|/etc/letsencrypt|/data/tls/certbot|g" {} \;
@@ -308,6 +310,7 @@ find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/f
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/ssl-ciphers.conf;|include conf.d/include/tls-ciphers.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "s|include conf.d/include/letsencrypt-acme-challenge.conf;|include conf.d/include/acme-challenge.conf;|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/http3/d" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/Asset Caching/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/Asset Caching/d" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/assets.conf/d" {} \; find /data/nginx -type f -name '*.conf' -exec sed -i "/assets.conf/d" {} \;
@@ -555,6 +558,12 @@ sed -i "s|ssl_certificate .*|ssl_certificate $NPM_CERT;|g" /data/nginx/default.c
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf sed -i "s|ssl_certificate_key .*|ssl_certificate_key $NPM_KEY;|g" /data/nginx/default.conf
if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi if [ -n "$NPM_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $NPM_CHAIN;|g" /data/nginx/default.conf; fi
find /data/nginx -type f -name '*.conf' -exec sed -i "s|add_header alt-svc 'h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400';|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "s|add_header alt-svc 'h3=\":443\";|add_header Alt-Svc 'h3=\":443\"; ma=86400';|g" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/ma=86400, h3-29=\":443\";/d" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/^[[:space:]]*ma=86400';[[:space:]]*$/d" {} \;
nginxbeautifier -s 4 -r /data/nginx
chmod -R 770 /data/tls \ chmod -R 770 /data/tls \
/data/etc/npm \ /data/etc/npm \
@@ -585,7 +594,7 @@ if [ "$PUID" != "0" ]; then
/usr/local/nginx \ /usr/local/nginx \
/data \ /data \
/tmp /tmp
sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf
sudo -Eu npm launch.sh sudo -Eu npm launch.sh
else else
chown -R 0:0 /usr/local/certbot \ chown -R 0:0 /usr/local/certbot \
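Review bot: The new `sed -i "/http3/d"` deletes every line containing the substring `http3` in every `*.conf` under `/data/nginx`, so it would also drop an unrelated line, for instance a `server_name` or `proxy_pass` whose hostname contains that text; the broadened `s| http2||g` has the same reach. Anchoring both to the directive keeps the migration off other lines: `sed -i "/^[[:space:]]*http3 on;[[:space:]]*$/d"` and, matching the existing http3 rewrite, `sed -i "s|\(listen .*\) http2|\1|g"`. The added `nginxbeautifier -s 4 -r /data/nginx` rewrites the same files in place, and nothing visible in these hunks validates the result (e.g. `nginx -t`) before launch; the script continues outside the hunks, so that check may exist elsewhere.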


@@ -2,31 +2,31 @@
# Default Site # Default Site
# ------------------------------------------------------------ # ------------------------------------------------------------
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
listen 443 quic default_server; listen 443 quic reuseport default_server;
listen [::]:443 quic default_server; listen [::]:443 quic reuseport default_server;
server_name _; server_name _;
include conf.d/include/brotli.conf; include conf.d/include/brotli.conf;
include conf.d/include/force-ssl.conf; include conf.d/include/force-ssl.conf;
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/acme-challenge.conf;
include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
http3 on;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
location / {
include conf.d/include/acme-challenge.conf; include conf.d/include/acme-challenge.conf;
alias /html/default/; include conf.d/include/block-exploits.conf;
} add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on;
#ssl_certificate ;
#ssl_certificate_key ;
#ssl_trusted_certificate ;
location / {
include conf.d/include/acme-challenge.conf;
alias /html/default/;
}
} }

View File

@@ -2,8 +2,8 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
listen 443 quic; listen 443 quic;
listen [::]:443 quic; listen [::]:443 quic;
@@ -15,7 +15,7 @@ server {
include conf.d/include/force-tls.conf; include conf.d/include/force-tls.conf;
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on; http3 on;
#ssl_certificate ; #ssl_certificate ;


@@ -1,9 +1,7 @@
server { server {
listen 81 ssl http2; http3 off;
listen 81 quic; listen 81 ssl;
listen [::]:81 ssl;
listen [::]:81 ssl http2;
listen [::]:81 quic;
server_name ""; server_name "";
return 444; return 444;
@@ -12,8 +10,6 @@ server {
include conf.d/include/force-tls.conf; include conf.d/include/force-tls.conf;
include conf.d/include/tls-ciphers.conf; include conf.d/include/tls-ciphers.conf;
include conf.d/include/block-exploits.conf; include conf.d/include/block-exploits.conf;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
http3 on;
#ssl_certificate ; #ssl_certificate ;
#ssl_certificate_key ; #ssl_certificate_key ;


@@ -1,11 +1,7 @@
server { server {
listen 81 ssl http2 default_server; http3 off;
listen 81 quic default_server; listen 81 ssl default_server;
listen [::]:81 ssl default_server;
listen [::]:81 ssl http2 default_server;
listen [::]:81 quic default_server;
add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
http3 on;
server_name _; server_name _;
include conf.d/include/brotli.conf; include conf.d/include/brotli.conf;
@@ -15,7 +11,7 @@ server {
modsecurity on; modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf; modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
#ssl_certificate ; #ssl_certificate ;
#ssl_certificate_key ; #ssl_certificate_key ;
#ssl_trusted_certificate ; #ssl_trusted_certificate ;
@@ -26,7 +22,7 @@ server {
location /api/ { location /api/ {
proxy_pass http://127.0.0.1:48693/; proxy_pass http://127.0.0.1:48693/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Early-Data $ssl_early_data; proxy_set_header Early-Data $ssl_early_data;
@@ -35,7 +31,7 @@ server {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding ""; proxy_set_header Accept-Encoding "";
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;


@@ -17,11 +17,11 @@ events {
http { http {
log_not_found off; log_not_found off;
access_log /dev/null; access_log /dev/null;
include mime.types; include mime.types;
default_type text/plain; default_type text/plain;
lua_package_path "/usr/local/nginx/lib/lua/?.lua;;"; lua_package_path "/usr/local/nginx/lib/lua/?.lua;;";
server_tokens off; server_tokens off;
hide_server_tokens on; hide_server_tokens on;
aio threads; aio threads;
@@ -39,20 +39,24 @@ http {
gunzip on; gunzip on;
gzip_static on; gzip_static on;
http2 on;
http3 on;
quic_retry on;
#resolver ; #resolver ;
fastcgi_index index.php; fastcgi_index index.php;
index index.php index.html; index index.php index.html;
error_page 404 =307 $scheme://$host:$server_port; error_page 404 =307 $scheme://$host:$server_port;
error_page 497 =301 https://$host:$server_port$request_uri; error_page 497 =301 https://$host:$server_port$request_uri;
proxy_read_timeout 86400s; proxy_read_timeout 86400s;
proxy_headers_hash_max_size 1024; proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128; proxy_headers_hash_bucket_size 128;
limit_req_zone $binary_remote_addr zone=one:10m rate=180r/s; limit_req_zone $binary_remote_addr zone=one:10m rate=180r/s;
limit_req zone=one burst=1800; limit_req zone=one burst=1800;
# Default upstream scheme # Default upstream scheme
map $host $forward_scheme { map $host $forward_scheme {
default http; default http;
@@ -71,7 +75,7 @@ http {
upstream php82 { upstream php82 {
server unix:/dev/php82.sock; server unix:/dev/php82.sock;
} }
# Fancy Index # Fancy Index
fancyindex on; fancyindex on;
fancyindex_localtime on; fancyindex_localtime on;
@@ -95,11 +99,11 @@ http {
set_real_ip_from 169.254.0.0/16; set_real_ip_from 169.254.0.0/16;
set_real_ip_from fc00::/7; set_real_ip_from fc00::/7;
set_real_ip_from fec0::/10; set_real_ip_from fec0::/10;
include fastcgi.conf; include fastcgi.conf;
include /data/nginx/ip_ranges.conf; include /data/nginx/ip_ranges.conf;
include /data/nginx/default.conf; include /data/nginx/default.conf;
include conf.d/*.conf; include conf.d/*.conf;