Compare commits

..

21 Commits

Author SHA1 Message Date
2a9e573c61 Adjust log message format 2024-12-16 22:45:16 +01:00
8d0ed27851 Process folder /etc/nginx/conf.d for HTTP/HTTPS port migration 2024-12-16 22:09:24 +01:00
c377db5d62 ups, forgot eslint 2024-10-31 16:39:37 +01:00
9844df27de Support for chaning the HTTP and HTTPS port that hosts will listen on
I have seen a few issues that mention that changing the port that nginx
listens on is important (especially when using hostNetwork).

I am not totally convinced that NPM should allow these use-cases but I
was bored enough to implement it anyway.

Related Issue: #4122
2024-10-31 16:14:07 +01:00
25a26d6175 Merge pull request #4112 from prospo/develop
All checks were successful
Close stale issues and PRs / stale (push) Successful in 4s
feat: Add leaseweb to certbot-dns-plugins
2024-10-30 14:40:20 +10:00
17246e418f Merge pull request #4118 from mitossoft-rd/patch-1
Remove variable usage from proxy_pass directive to fix resolution issues
2024-10-30 14:39:48 +10:00
f7d3ca0b07 Cleaning unused variable. 2024-10-28 15:18:54 +03:00
a55de386e7 Fix URL format 2024-10-28 15:15:08 +03:00
e9d4f5b827 Remove variable usage from proxy_pass directive to fix resolution issues
By using a static URL, the backend server can be accessed reliably, avoiding the common 404 errors or "no resolver defined" issues seen when variables are used.
2024-10-28 02:59:23 +03:00
1c1cee3836 feat: Add leaseweb to certbot-dns-plugins 2024-10-25 13:25:09 +00:00
eaf6335694 Merge pull request #4106 from dreik/develop
All checks were successful
Close stale issues and PRs / stale (push) Successful in 4s
http2 directive migration
2024-10-25 08:53:08 +10:00
ffe05ebd41 Merge pull request #4108 from chrismaffey/patch-2
Update put.json
2024-10-25 08:06:50 +10:00
2e9a4f1aed Update put.json
Password can be left blank for updates.  Otherwise you have to reenter the password every time you save the auth list
2024-10-24 17:29:16 +13:00
d17c85e4c8 Merge pull request #4107 from chrismaffey/patch-1
Update _access.conf
2024-10-24 11:31:12 +10:00
dad8d0ca00 Update _access.conf
the pass_auth and satisfy_any properties and now boolean true/false, they do not == 1 so the switching in this template breaks
2024-10-24 14:04:17 +13:00
d7e0558a35 http2 directive
to reduce warns in logs
2024-10-24 01:30:14 +03:00
ee41bb5562 Merge pull request #4078 from Guiorgy/patch-1
All checks were successful
Close stale issues and PRs / stale (push) Successful in 4s
normalize indentations in certbot-dns-plugins.json
2024-10-22 10:14:31 +10:00
0cf6b9caa4 Merge pull request #4084 from ttodua/patch-1
doc(site) - default credentials change
2024-10-22 10:14:11 +10:00
68a9baf206 minor 2024-10-18 15:35:15 +04:00
d92421d098 doc(site) - default credentials change 2024-10-18 15:33:32 +04:00
96c58b203e normalize indentations in certbot-dns-plugins.json 2024-10-17 15:34:04 +04:00
11 changed files with 162 additions and 28 deletions

View File

@ -5,6 +5,20 @@ const config = require('../lib/config');
const utils = require('../lib/utils'); const utils = require('../lib/utils');
const error = require('../lib/error'); const error = require('../lib/error');
/**
*
* @param {int} user_port
* @param {int} default_port
* @returns {int} port
*/
const validatePort = (user_port, default_port) => {
if (isNaN(user_port) || user_port < 1 || user_port > 65535) {
console.error(`Environment variable HTTP_PORT must be an integer between 1 and 65535 (got: ${user_port}). Using default port ${default_port}`);
return default_port;
}
return user_port;
};
const internalNginx = { const internalNginx = {
/** /**
@ -232,8 +246,10 @@ const internalNginx = {
locationsPromise = Promise.resolve(); locationsPromise = Promise.resolve();
} }
// Set the IPv6 setting for the host // Set the IPv6 and port setting for the host
host.ipv6 = internalNginx.ipv6Enabled(); host.ipv6 = internalNginx.ipv6Enabled();
host.http_port = internalNginx.httpPort();
host.https_port = internalNginx.httpsPort();
locationsPromise.then(() => { locationsPromise.then(() => {
renderEngine renderEngine
@ -287,7 +303,9 @@ const internalNginx = {
return; return;
} }
certificate.ipv6 = internalNginx.ipv6Enabled(); certificate.ipv6 = internalNginx.ipv6Enabled();
certificate.http_port = internalNginx.httpPort();
certificate.https_port = internalNginx.httpsPort();
renderEngine renderEngine
.parseAndRender(template, certificate) .parseAndRender(template, certificate)
@ -432,7 +450,30 @@ const internalNginx = {
} }
return true; return true;
},
/**
* @returns {integer}
*/
httpPort: function () {
if (typeof process.env.HTTP_PORT !== 'undefined') {
let httpPort = parseInt(process.env.HTTP_PORT);
return validatePort(httpPort, 443);
}
return 80;
},
/**
* @returns {integer}
*/
httpsPort: function () {
if (typeof process.env.HTTPS_PORT !== 'undefined') {
let httpPort = parseInt(process.env.HTTPS_PORT);
return validatePort(httpPort, 443);
}
return 80;
} }
}; };
module.exports = internalNginx; module.exports = internalNginx;

View File

@ -49,8 +49,7 @@
"minLength": 1 "minLength": 1
}, },
"password": { "password": {
"type": "string", "type": "string"
"minLength": 1
} }
} }
} }

View File

@ -4,7 +4,7 @@
auth_basic "Authorization required"; auth_basic "Authorization required";
auth_basic_user_file /data/access/{{ access_list_id }}; auth_basic_user_file /data/access/{{ access_list_id }};
{% if access_list.pass_auth == 0 %} {% if access_list.pass_auth == 0 or access_list.pass_auth == true %}
proxy_set_header Authorization ""; proxy_set_header Authorization "";
{% endif %} {% endif %}
@ -17,7 +17,7 @@
deny all; deny all;
# Access checks must... # Access checks must...
{% if access_list.satisfy_any == 1 %} {% if access_list.satisfy_any == 1 or access_list.satisfy_any == true %}
satisfy any; satisfy any;
{% else %} {% else %}
satisfy all; satisfy all;

View File

@ -1,15 +1,20 @@
listen 80; listen {{ http_port }};
{% if ipv6 -%} {% if ipv6 -%}
listen [::]:80; listen [::]:{{ http_port }};
{% else -%} {% else -%}
#listen [::]:80; #listen [::]:{{ http_port }};
{% endif %} {% endif %}
{% if certificate -%} {% if certificate -%}
listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %}; listen {{ https_port }} ssl;
{% if ipv6 -%} {% if ipv6 -%}
listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %}; listen [::]:{{ https_port }} ssl;
{% else -%} {% else -%}
#listen [::]:443; #listen [::]:{{ https_port }};
{% endif %} {% endif %}
{% endif %} {% endif %}
server_name {{ domain_names | join: " " }}; server_name {{ domain_names | join: " " }};
{% if http2_support == 1 or http2_support == true %}
http2 on;
{% else -%}
http2 off;
{% endif %}

View File

@ -7,11 +7,7 @@
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
set $proxy_forward_scheme {{ forward_scheme }}; proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
set $proxy_server "{{ forward_host }}";
set $proxy_port {{ forward_port }};
proxy_pass $proxy_forward_scheme://$proxy_server:$proxy_port{{ forward_path }};
{% include "_access.conf" %} {% include "_access.conf" %}
{% include "_assets.conf" %} {% include "_assets.conf" %}

View File

@ -33,6 +33,8 @@ services:
DB_MYSQL_NAME: 'npm' DB_MYSQL_NAME: 'npm'
# DB_SQLITE_FILE: "/data/database.sqlite" # DB_SQLITE_FILE: "/data/database.sqlite"
# DISABLE_IPV6: "true" # DISABLE_IPV6: "true"
# HTTP_PORT: "1234"
# HTTPS_PORT: "5678"
# Required for DNS Certificate provisioning testing: # Required for DNS Certificate provisioning testing:
LE_SERVER: 'https://ca.internal/acme/acme/directory' LE_SERVER: 'https://ca.internal/acme/acme/directory'
REQUESTS_CA_BUNDLE: '/etc/ssl/certs/NginxProxyManager.crt' REQUESTS_CA_BUNDLE: '/etc/ssl/certs/NginxProxyManager.crt'

View File

@ -18,5 +18,6 @@ fi
. /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
. /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
. /etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh . /etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
. /etc/s6-overlay/s6-rc.d/prepare/55-http-https-port.sh
. /etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh . /etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh
. /etc/s6-overlay/s6-rc.d/prepare/90-banner.sh . /etc/s6-overlay/s6-rc.d/prepare/90-banner.sh

View File

@ -0,0 +1,62 @@
#!/command/with-contenv bash
# shellcheck shell=bash
# This command reads the `HTTP_PORT` and `HTTPS_PORT` env vars and will rerender
# the nginx files to the port defined in these variables
set -e
log_info 'HTTP_PORT ...'
DEFAULT_HTTP_PORT="80"
DEFAULT_HTTPS_PORT="443"
# Make sure HTTP_PORT and HTTPS_PORT are set correctly
case "$HTTP_PORT" in
''|*[!0-9]*)
echo "Could not parse HTTP_PORT as integer (got \"$HTTP_PORT\")."
echo "Using default http port \"$DEFAULT_HTTP_PORT\""
HTTP_PORT="$DEFAULT_HTTP_PORT"
;;
*) true ;;
esac
if [ "$HTTP_PORT" -lt "1" ] || [ "$HTTP_PORT" -gt "65535" ]; then
echo "HTTP_PORT must be between 1 and 65535 (got \"$HTTP_PORT\")."
echo "Using default http port \"$DEFAULT_HTTP_PORT\""
HTTP_PORT="$DEFAULT_HTTP_PORT"
fi
case "$HTTPS_PORT" in
''|*[!0-9]*)
echo "Could not parse HTTPS_PORT as integer (got \"$HTTPS_PORT\")."
echo "Using default https port \"$DEFAULT_HTTPS_PORT\""
HTTPS_PORT="$DEFAULT_HTTPS_PORT"
;;
*) true ;;
esac
if [ "$HTTPS_PORT" -lt "1" ] || [ "$HTTPS_PORT" -gt "65535" ]; then
echo "HTTPS_PORT must be between 1 and 65535 (got \"$HTTPS_PORT\")."
echo "Using default https port \"$DEFAULT_HTTPS_PORT\""
HTTPS_PORT="$DEFAULT_HTTPS_PORT"
fi
process_folder () {
FILES=$(find "$1" -type f -name "*.conf")
HTTP_SED_REGEX='/ssl/! s/listen (\[::\]:)?[0-9]+/listen \1'$HTTP_PORT'/g'
HTTPS_SED_REGEX='/ssl/ s/listen (\[::\]:)?[0-9]+/listen \1'$HTTPS_PORT'/g'
echo "Setting HTTP listen port to $HTTP_PORT and HTTPS listen port to $HTTPS_PORT in: $1"
for FILE in $FILES
do
echo "- ${FILE}"
echo "$(sed -E "$HTTP_SED_REGEX" "$FILE")" > $FILE
echo "$(sed -E "$HTTPS_SED_REGEX" "$FILE")" > $FILE
done
# ensure the files are still owned by the npm user
chown -R "$PUID:$PGID" "$1"
}
process_folder /etc/nginx/conf.d
process_folder /data/nginx

View File

@ -164,6 +164,18 @@ The easy fix is to add a Docker environment variable to the Nginx Proxy Manager
DISABLE_IPV6: 'true' DISABLE_IPV6: 'true'
``` ```
## Chaning the HTTP and HTTPS Listen Port
If you are unable to configure the port mapping within Docker (eg. when using
`hostNetwork: true`) you can change the port that proxy-hosts and
redirection-hosts listen on by setting the environment variables `HTTP_PORT` and
`HTTPS_PORT`:
```yml
environment:
HTTP_PORT: "1234"
HTTPS_PORT: "5678"
```
## Custom Nginx Configurations ## Custom Nginx Configurations

View File

@ -137,5 +137,13 @@ Email: admin@example.com
Password: changeme Password: changeme
``` ```
Immediately after logging in with this default user you will be asked to modify your details and change your password. Immediately after logging in with this default user you will be asked to modify your details and change your password. You can change defaults with:
```
environment:
INITIAL_ADMIN_EMAIL: my@example.com
INITIAL_ADMIN_PASSWORD: mypassword1
```

View File

@ -7,7 +7,7 @@
"credentials": "dns_acmedns_api_url = http://acmedns-server/\ndns_acmedns_registration_file = /data/acme-registration.json", "credentials": "dns_acmedns_api_url = http://acmedns-server/\ndns_acmedns_registration_file = /data/acme-registration.json",
"full_plugin_name": "dns-acmedns" "full_plugin_name": "dns-acmedns"
}, },
"active24":{ "active24":{
"name": "Active24", "name": "Active24",
"package_name": "certbot-dns-active24", "package_name": "certbot-dns-active24",
"version": "~=1.5.1", "version": "~=1.5.1",
@ -194,7 +194,7 @@
"freedns": { "freedns": {
"name": "FreeDNS", "name": "FreeDNS",
"package_name": "certbot-dns-freedns", "package_name": "certbot-dns-freedns",
"version": "~=0.2.0", "version": "~=0.1.0",
"dependencies": "", "dependencies": "",
"credentials": "dns_freedns_username = myremoteuser\ndns_freedns_password = verysecureremoteuserpassword", "credentials": "dns_freedns_username = myremoteuser\ndns_freedns_password = verysecureremoteuserpassword",
"full_plugin_name": "dns-freedns" "full_plugin_name": "dns-freedns"
@ -303,6 +303,14 @@
"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>", "credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
"full_plugin_name": "dns-joker" "full_plugin_name": "dns-joker"
}, },
"leaseweb": {
"name": "LeaseWeb",
"package_name": "certbot-dns-leaseweb",
"version": "~=1.0.1",
"dependencies": "",
"credentials": "dns_leaseweb_api_token = 01234556789",
"full_plugin_name": "dns-leaseweb"
},
"linode": { "linode": {
"name": "Linode", "name": "Linode",
"package_name": "certbot-dns-linode", "package_name": "certbot-dns-linode",
@ -424,13 +432,13 @@
"full_plugin_name": "dns-rfc2136" "full_plugin_name": "dns-rfc2136"
}, },
"rockenstein": { "rockenstein": {
"name": "rockenstein AG", "name": "rockenstein AG",
"package_name": "certbot-dns-rockenstein", "package_name": "certbot-dns-rockenstein",
"version": "~=1.0.0", "version": "~=1.0.0",
"dependencies": "", "dependencies": "",
"credentials": "dns_rockenstein_token=<token>", "credentials": "dns_rockenstein_token=<token>",
"full_plugin_name": "dns-rockenstein" "full_plugin_name": "dns-rockenstein"
}, },
"route53": { "route53": {
"name": "Route 53 (Amazon)", "name": "Route 53 (Amazon)",
"package_name": "certbot-dns-route53", "package_name": "certbot-dns-route53",