@@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
|
||||
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
|
||||
|
||||
|
||||
FROM zoeyvid/nginx-quic:205
|
||||
FROM zoeyvid/nginx-quic:206
|
||||
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
|
||||
COPY rootfs /
|
||||
RUN apk add --no-cache ca-certificates tzdata tini \
|
||||
|
@@ -271,55 +271,6 @@ const internalNginx = {
|
||||
});
|
||||
},
|
||||
|
||||
/**
|
||||
* This generates a temporary nginx config listening on port 80 for the domain names listed
|
||||
* in the certificate setup. It allows the certbot acme challenge to be requested by certbot
|
||||
* when requesting a certificate without having a hostname set up already.
|
||||
*
|
||||
* @param {Object} certificate
|
||||
* @returns {Promise}
|
||||
*/
|
||||
generateLetsEncryptRequestConfig: (certificate) => {
|
||||
if (config.debug()) {
|
||||
logger.info('Generating certbot Request Config:', certificate);
|
||||
}
|
||||
|
||||
const renderEngine = utils.getRenderEngine();
|
||||
|
||||
return new Promise((resolve, reject) => {
|
||||
let template = null;
|
||||
let filename = '/usr/local/nginx/conf/conf.d/certbot_' + certificate.id + '.conf';
|
||||
|
||||
try {
|
||||
template = fs.readFileSync(__dirname + '/../templates/certbot-request.conf', {encoding: 'utf8'});
|
||||
} catch (err) {
|
||||
reject(new error.ConfigurationError(err.message));
|
||||
return;
|
||||
}
|
||||
|
||||
certificate.ipv6 = internalNginx.ipv6Enabled();
|
||||
|
||||
renderEngine
|
||||
.parseAndRender(template, certificate)
|
||||
.then((config_text) => {
|
||||
fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
|
||||
|
||||
if (config.debug()) {
|
||||
logger.success('Wrote config:', filename, config_text);
|
||||
}
|
||||
|
||||
resolve(true);
|
||||
})
|
||||
.catch((err) => {
|
||||
if (config.debug()) {
|
||||
logger.warn('Could not write ' + filename + ':', err.message);
|
||||
}
|
||||
|
||||
reject(new error.ConfigurationError(err.message));
|
||||
});
|
||||
});
|
||||
},
|
||||
|
||||
/**
|
||||
* A simple wrapper around unlinkSync that writes to the logger
|
||||
*
|
||||
@@ -343,19 +294,6 @@ const internalNginx = {
|
||||
return host_type.replace(new RegExp('-', 'g'), '_');
|
||||
},
|
||||
|
||||
/**
|
||||
* This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
|
||||
*
|
||||
* @param {Object} certificate
|
||||
* @returns {Promise}
|
||||
*/
|
||||
deleteLetsEncryptRequestConfig: (certificate) => {
|
||||
const config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf';
|
||||
return new Promise((resolve/*, reject*/) => {
|
||||
internalNginx.deleteFile(config_file);
|
||||
resolve();
|
||||
});
|
||||
},
|
||||
|
||||
/**
|
||||
* @param {String} host_type
|
||||
|
@@ -1,17 +1,7 @@
|
||||
{% if certificate and certificate_id > 0 -%}
|
||||
{% if ssl_forced == 1 or ssl_forced == true %}
|
||||
{% if hsts_enabled == 1 or hsts_enabled == true %}
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always;
|
||||
|
||||
add_header Expect-CT "enforce; max-age=86400" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
|
||||
add_header Cross-Origin-Embedder-Policy-Report-Only "require-corp; report-to='default'" always;
|
||||
add_header Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups; report-to='default'" always;
|
||||
include conf.d/include/hsts.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
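Review bot: The `include conf.d/include/hsts.conf;` line still sits inside the `ssl_forced` and `hsts_enabled` conditions, so `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy` and the CSP from that file are only sent for hosts that have HSTS switched on, although none of them depends on HSTS. If that coupling is intended, a comment in the template such as `# hsts.conf also carries the generic security headers; they are only sent when HSTS is enabled` would keep an operator from assuming those headers are always present. Otherwise the non-HSTS headers could move to an include that is rendered outside the `hsts_enabled` block.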
@@ -1,4 +1,4 @@
|
||||
listen unix:/run/nginx.sock;
|
||||
listen unix:/run/nginx-{{ id }}.sock;
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
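Review bot: The socket path is now built from `{{ id }}`, and nothing in this hunk shows that `id` is defined in every context that renders this template; an undefined value would presumably render as `/run/nginx-.sock` and be shared by every server block rendered that way. A short comment above the `listen unix:` line stating what `id` refers to and which component connects to the per-host socket would make that contract explicit, for example `# per-host unix socket; id must be set by the caller`.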
@@ -1,18 +0,0 @@
|
||||
{% include "_header_comment.conf" %}
|
||||
|
||||
server {
|
||||
listen unix:/run/nginx.sock;
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ domain_names | join: " " }};
|
||||
|
||||
include conf.d/include/acme-challenge.conf;
|
||||
include conf.d/include/block-exploits.conf;
|
||||
|
||||
location / {
|
||||
include conf.d/include/acme-challenge.conf;
|
||||
return 404;
|
||||
}
|
||||
}
|
@@ -2,8 +2,6 @@
|
||||
# Default Site
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen unix:/run/nginx.sock default_server;
|
||||
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 15 KiB |
@@ -2,8 +2,6 @@
|
||||
# Default Site
|
||||
# ------------------------------------------------------------
|
||||
server {
|
||||
listen unix:/run/nginx.sock default_server;
|
||||
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
|
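--- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
@@ -0,0 +1,8 @@
+more_set_headers "X-XSS-Protection: 0";
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
+
+more_set_headers "Expect-CT: enforce; max-age=86400";
+more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";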
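Review bot: `more_set_headers` replaces a response header of the same name that the proxied application already set, so `more_set_headers "Content-Security-Policy: upgrade-insecure-requests";` will overwrite a stricter upstream policy with one that restricts no sources, and the `X-Frame-Options` and `Referrer-Policy` lines likewise override an upstream `DENY` or `no-referrer`. The proxy should supply these values only when the upstream sent none, for example by feeding `more_set_headers` from a `map` keyed on `$upstream_http_content_security_policy` that falls back to the default only when that variable is empty (the `map` would have to live in the `http` block, outside this file). Separately, `includeSubDomains; preload` is hard-coded for every host that includes this file, which commits all subdomains of the host's domain to HTTPS; that deserves a comment here or a per-host switch.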
@@ -1,6 +1,4 @@
|
||||
server {
|
||||
listen unix:/run/nginx.sock;
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
|
@@ -23,7 +23,11 @@ http {
|
||||
lua_package_path "/usr/local/nginx/lib/lua/?.lua;;";
|
||||
|
||||
server_tokens off;
|
||||
hide_server_tokens on;
|
||||
more_clear_headers "Server";
|
||||
more_clear_headers "X-Powered-By";
|
||||
more_clear_headers "X-Page-Speed";
|
||||
more_clear_headers "X-Varnish";
|
||||
|
||||
aio threads;
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
|
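Review bot: If this hunk drops `server_tokens off;` in favour of `hide_server_tokens on;` (the rendered page has lost the markers, so the side of each line is not certain), confirm that `hide_server_tokens` also removes the version string from nginx's built-in error pages, because `more_clear_headers "Server";` only covers the response header. The four `more_clear_headers` lines also strip these headers from proxied upstream responses, which is worth stating in a comment such as `# remove software-identifying headers from nginx and from upstream responses`. The `http` block continues outside this hunk.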