ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-08-02 15:33:32 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

dep updates/close #656

Browse Source
This commit is contained in:
renovate[bot]
2024-03-20 23:20:30 +00:00
committed by Zoey
parent dd038b690a
commit d724439605
6 changed files with 45 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@@ -59,11 +59,11 @@ RUN apk upgrade --no-cache -a && \
FROM zoeyvid/nginx-quic:262
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.0.0
ARG CRS_VER=v4.1.0
COPY rootfs /
COPY --from=zoeyvid/certbot-docker:26 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:374 /usr/local/bin/curl /usr/local/bin/curl
COPY --from=zoeyvid/curl-quic:375 /usr/local/bin/curl /usr/local/bin/curl
RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \
@@ -133,6 +133,8 @@ ENV PUID=0 \
SKIP_IP_RANGES=false \
LOGROTATE=false \
LOGROTATIONS=3 \
CRT=24 \
IPRT=1 \
GOA=false \
GOACLA="--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string" \
PHP81=false \

2
backend/internal/certificate.js
View File

@@ -25,7 +25,7 @@ function omissions() {
const internalCertificate = {
allowedSslFiles: ['certificate', 'certificate_key', 'intermediate_certificate'],
intervalTimeout: 1000 * 60 * 60, // 1 hour
intervalTimeout: 1000 * 60 * 60 * Number(process.env.CRT),
interval: null,
intervalProcessing: false,

2
backend/internal/ip_ranges.js
View File

@@ -14,7 +14,7 @@ const regIpV6 = /^(([\da-fA-F]+)?:)+\/\d+/;
const internalIpRanges = {
interval_timeout: 1000 * 60 * 60 * 6, // 6 hours
interval_timeout: 1000 * 60 * 60 * Number(process.env.IPRT),
interval: null,
interval_processing: false,
iteration_count: 0,

4
backend/package.json
View File

@@ -11,12 +11,12 @@
"bcrypt": "5.1.1",
"body-parser": "1.20.2",
"compression": "1.7.4",
"express": "4.19.0",
"express": "4.19.1",
"express-fileupload": "1.5.0",
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.1.0",
"liquidjs": "10.10.1",
"liquidjs": "10.10.2",
"lodash": "4.17.21",
"moment": "2.30.1",
"mysql": "2.18.1",

2
compose.yaml
View File

@@ -37,6 +37,8 @@ services:
# - "SKIP_IP_RANGES=true" # Skip feteching/whitelisting ip ranges from aws and cloudflare, default false
# - "LOGROTATE=true" # Enables writing http access logs to /opt/npm/nginx/access.log, stream access logs to /opt/npm/nginx/stream.log and enables daily logrotation, default false
# - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
# - "CRT=36" # Set how many hours should be between certbot trying to renew your certs, default 24
# - "IPRT=3" # Set how many hours should be between updating ip ranges from aws and cloudflare, default 1, ignored when SKIP_IP_RANGES is true
# - "GOA=true" # Enables goaccess, overrides LOGROTATE, default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npm/etc/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also use the compose.geoip.yaml
# - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # Arguments that should be passed to goaccess, default: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/bin/launch.sh#L50 and: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
# - "PHP81=true" # Activate PHP81, default false

60
rootfs/usr/local/bin/start.sh
View File

@@ -171,6 +171,16 @@ if [ -n "$LOGROTATE" ] && ! echo "$LOGROTATIONS" | grep -q "^[0-9]\+$"; then
sleep inf
fi
if ! echo "$CRT" | grep -q "^[0-9]\+$"; then
echo "CRT needs to be a number."
sleep inf
fi
if ! echo "$IPRT" | grep -q "^[0-9]\+$"; then
echo "IPRT needs to be a number."
sleep inf
fi
if ! echo "$GOA" | grep -q "^true$\|^false$"; then
echo "GOA needs to be true or false."
sleep inf
@@ -291,7 +301,7 @@ if [ "$PHP81" = "true" ]; then
fi
mkdir -vp /data/php
cp -vrnT /etc/php81 /data/php/81
cp -varnT /etc/php81 /data/php/81
sed -i "s|listen =.*|listen = /run/php81.sock|" /data/php/81/php-fpm.d/www.conf
sed -i "s|;error_log =.*|error_log = /proc/self/fd/2|g" /data/php/81/php-fpm.conf
sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf
@@ -324,7 +334,7 @@ if [ "$PHP82" = "true" ]; then
fi
mkdir -vp /data/php
cp -vrnT /etc/php82 /data/php/82
cp -varnT /etc/php82 /data/php/82
sed -i "s|listen =.*|listen = /run/php82.sock|" /data/php/82/php-fpm.d/www.conf
sed -i "s|;error_log =.*|error_log = /proc/self/fd/2|g" /data/php/82/php-fpm.conf
sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf
@@ -357,7 +367,7 @@ if [ "$PHP83" = "true" ]; then
fi
mkdir -vp /data/php
cp -vrnT /etc/php83 /data/php/83
cp -varnT /etc/php83 /data/php/83
sed -i "s|listen =.*|listen = /run/php83.sock|" /data/php/83/php-fpm.d/www.conf
sed -i "s|;error_log =.*|error_log = /proc/self/fd/2|g" /data/php/83/php-fpm.conf
sed -i "s|include=.*|include=/data/php/83/php-fpm.d/*.conf|g" /data/php/83/php-fpm.conf
@@ -437,7 +447,7 @@ if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
fi
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
mv -v /etc/letsencrypt/* /data/tls/certbot
mv -vn /etc/letsencrypt/* /data/tls/certbot
fi
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
@@ -544,30 +554,30 @@ find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \;
if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
cp -van /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
fi
cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf.example
cp -a /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf.example
if [ -s /data/etc/modsecurity/modsecurity.conf ]; then
mv -v /data/etc/modsecurity/modsecurity.conf /data/etc/modsecurity/modsecurity-extra.conf
fi
if [ ! -s /data/etc/modsecurity/crs-setup.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
cp -van /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp -van /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cp -van /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
cp -va /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
if [ "$DEFAULT_CERT_ID" = "0" ]; then
export DEFAULT_CERT=/data/tls/dummycert.pem
@@ -790,34 +800,34 @@ else
fi
if [ ! -s /data/nginx/default.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
fi
sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ ! -s /data/tls/certbot/config.ini ]; then
cp -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini
cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
fi
cp /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
cp -a /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
if [ ! -s /data/etc/crowdsec/ban.html ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
cp -van /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
fi
cp /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html.example
cp -a /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html.example
if [ ! -s /data/etc/crowdsec/captcha.html ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html
cp -van /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html
fi
cp /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html.example
cp -a /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html.example
if [ ! -s /data/etc/crowdsec/crowdsec.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf
cp -van /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf
fi
cp /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf.example
cp -a /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf.example
sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf
if grep -iq "^ENABLED[ ]*=[ ]*true$" /data/etc/crowdsec/crowdsec.conf; then
if [ ! -s /usr/local/nginx/conf/conf.d/crowdsec.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf
cp -van /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi
else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
@@ -831,8 +841,8 @@ if [ "$GOA" = "true" ]; then
apk add --no-cache goaccess
mkdir -vp /data/etc/goaccess/data \
/data/etc/goaccess/geoip
cp -vn /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf
cp -vn /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf
cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
elif [ "$FULLCLEAN" = "true" ]; then
rm -vrf /data/etc/goaccess
fi