Merge pull request #4179 from tametsi/develop

Return generic auth error to prevent user enumeration attacks
2025-06-18 18:16:26 +00:00 · 2024-11-23 22:39:37 +10:00 · 2024-11-22 10:37:09 +01:00 · 2024-10-30 14:40:20 +10:00 · 2024-10-30 14:39:48 +10:00 · 2024-10-28 15:18:54 +03:00
8 changed files with 49 additions and 25 deletions
--- a/10
+++ b/10
@ -43,7 +43,7 @@ pipeline {
 					steps {
 						script {
 							// Defaults to the Branch name, which is applies to all branches AND pr's
-							buildxPushTags = "-t docker.io/jc21/${IMAGE}:github-${BRANCH_LOWER}"
+							buildxPushTags = "-t docker.io/nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}"
 						}
 					}
 				}
@ -203,7 +203,13 @@ pipeline {
 					}
 					steps {
 						script {
-							npmGithubPrComment("Docker Image for build ${BUILD_NUMBER} is available on [DockerHub](https://cloud.docker.com/repository/docker/jc21/${IMAGE}) as `jc21/${IMAGE}:github-${BRANCH_LOWER}`\n\n**Note:** ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.", true)
+							npmGithubPrComment("""Docker Image for build ${BUILD_NUMBER} is available on
+[DockerHub](https://cloud.docker.com/repository/docker/nginxproxymanager/${IMAGE}-dev)
+as `nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}`
+
+**Note:** ensure you backup your NPM instance before testing this image! Especially if there are database changes
+**Note:** this is a different docker image namespace than the official image
+""", true)
 						}
 					}
 				}
--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@ -5,6 +5,8 @@ const authModel  = require('../models/auth');
 const helpers    = require('../lib/helpers');
 const TokenModel = require('../models/token');

+const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
+
 module.exports = {

 	/**
@ -69,15 +71,15 @@ module.exports = {
 													};
 												});
 										} else {
-											throw new error.AuthError('Invalid password');
+											throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 										}
 									});
 							} else {
-								throw new error.AuthError('No password auth for user');
+								throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 							}
 						});
 				} else {
-					throw new error.AuthError('No relevant user found');
+					throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 				}
 			});
 	},
--- a/backend/schema/paths/nginx/access-lists/listID/put.json
+++ b/backend/schema/paths/nginx/access-lists/listID/put.json
@ -49,8 +49,7 @@
 										"minLength": 1
 									},
 									"password": {
-										"type": "string",
-										"minLength": 1
+										"type": "string"
 									}
 								}
 							}
--- a/backend/templates/_access.conf
+++ b/backend/templates/_access.conf
@ -4,7 +4,7 @@
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/{{ access_list_id }};

-    {% if access_list.pass_auth == 0 %}
+    {% if access_list.pass_auth == 0 or access_list.pass_auth == true %}
    proxy_set_header Authorization "";
    {% endif %}

@ -17,7 +17,7 @@
    deny all;

    # Access checks must...
-    {% if access_list.satisfy_any == 1 %}
+    {% if access_list.satisfy_any == 1 or access_list.satisfy_any == true %}
    satisfy any;
    {% else %}
    satisfy all;
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@ -5,11 +5,16 @@
  #listen [::]:80;
 {% endif %}
 {% if certificate -%}
-  listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+  listen 443 ssl;
 {% if ipv6 -%}
-  listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+  listen [::]:443 ssl;
 {% else -%}
  #listen [::]:443;
 {% endif %}
 {% endif %}
  server_name {{ domain_names | join: " " }};
+{% if http2_support == 1 or http2_support == true %}
+  http2 on;
+{% else -%}
+  http2 off;
+{% endif %}
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@ -7,11 +7,7 @@
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP		$remote_addr;

-    set $proxy_forward_scheme {{ forward_scheme }};
-    set $proxy_server         "{{ forward_host }}";
-    set $proxy_port           {{ forward_port }};
-
-    proxy_pass       $proxy_forward_scheme://$proxy_server:$proxy_port{{ forward_path }};
+    proxy_pass       {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};

    {% include "_access.conf" %}
    {% include "_assets.conf" %}
--- a/docs/src/setup/index.md
+++ b/docs/src/setup/index.md
@ -137,5 +137,13 @@ Email:    admin@example.com
 Password: changeme
 ```

-Immediately after logging in with this default user you will be asked to modify your details and change your password.
+Immediately after logging in with this default user you will be asked to modify your details and change your password. You can change defaults with:
+
+
+```
+    environment:
+      INITIAL_ADMIN_EMAIL: my@example.com
+      INITIAL_ADMIN_PASSWORD: mypassword1
+```
+

--- a/global/certbot-dns-plugins.json
+++ b/global/certbot-dns-plugins.json
@ -7,7 +7,7 @@
 		"credentials": "dns_acmedns_api_url = http://acmedns-server/\ndns_acmedns_registration_file = /data/acme-registration.json",
 		"full_plugin_name": "dns-acmedns"
 	},
-    "active24":{
+	"active24":{
 		"name": "Active24",
 		"package_name": "certbot-dns-active24",
 		"version": "~=1.5.1",
@ -303,6 +303,14 @@
 		"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
 		"full_plugin_name": "dns-joker"
 	},
+	"leaseweb": {
+		"name": "LeaseWeb",
+		"package_name": "certbot-dns-leaseweb",
+		"version": "~=1.0.1",
+		"dependencies": "",
+		"credentials": "dns_leaseweb_api_token = 01234556789",
+		"full_plugin_name": "dns-leaseweb"
+	},
 	"linode": {
 		"name": "Linode",
 		"package_name": "certbot-dns-linode",
@ -424,13 +432,13 @@
 		"full_plugin_name": "dns-rfc2136"
 	},
 	"rockenstein": {
-                "name": "rockenstein AG",
-                "package_name": "certbot-dns-rockenstein",
-                "version": "~=1.0.0",
-                "dependencies": "",
-                "credentials": "dns_rockenstein_token=<token>",
-                "full_plugin_name": "dns-rockenstein"
-        },
+		"name": "rockenstein AG",
+		"package_name": "certbot-dns-rockenstein",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_rockenstein_token=<token>",
+		"full_plugin_name": "dns-rockenstein"
+	},
 	"route53": {
 		"name": "Route 53 (Amazon)",
 		"package_name": "certbot-dns-route53",
Author	SHA1	Message	Date
jc21	07a4e5791f	Merge pull request #4179 from tametsi/develop All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details Return generic auth error to prevent user enumeration attacks	2024-11-23 22:39:37 +10:00
tametsi	640a1eeb68	Return generic auth error to prevent user enumeration attacks On invalid user/password error the error message "Invalid email or password" is returned. Thereby, no information about the existence of the user is given.	2024-11-22 10:37:09 +01:00
jc21	25a26d6175	Merge pull request #4112 from prospo/develop All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details feat: Add leaseweb to certbot-dns-plugins	2024-10-30 14:40:20 +10:00
jc21	17246e418f	Merge pull request #4118 from mitossoft-rd/patch-1 Remove variable usage from proxy_pass directive to fix resolution issues	2024-10-30 14:39:48 +10:00
mitossoft-rd	f7d3ca0b07	Cleaning unused variable.	2024-10-28 15:18:54 +03:00
mitossoft-rd	a55de386e7	Fix URL format	2024-10-28 15:15:08 +03:00
mitossoft-rd	e9d4f5b827	Remove variable usage from proxy_pass directive to fix resolution issues By using a static URL, the backend server can be accessed reliably, avoiding the common 404 errors or "no resolver defined" issues seen when variables are used.	2024-10-28 02:59:23 +03:00
Emil	1c1cee3836	feat: Add leaseweb to certbot-dns-plugins	2024-10-25 13:25:09 +00:00
jc21	eaf6335694	Merge pull request #4106 from dreik/develop All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details http2 directive migration	2024-10-25 08:53:08 +10:00
jc21	ffe05ebd41	Merge pull request #4108 from chrismaffey/patch-2 Update put.json	2024-10-25 08:06:50 +10:00
Chris Maffey	2e9a4f1aed	Update put.json Password can be left blank for updates. Otherwise you have to reenter the password every time you save the auth list	2024-10-24 17:29:16 +13:00
jc21	d17c85e4c8	Merge pull request #4107 from chrismaffey/patch-1 Update _access.conf	2024-10-24 11:31:12 +10:00
Chris Maffey	dad8d0ca00	Update _access.conf the pass_auth and satisfy_any properties and now boolean true/false, they do not == 1 so the switching in this template breaks	2024-10-24 14:04:17 +13:00
Sergey 'dreik' Kolesnik	d7e0558a35	http2 directive to reduce warns in logs	2024-10-24 01:30:14 +03:00
jc21	ee41bb5562	Merge pull request #4078 from Guiorgy/patch-1 All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details normalize indentations in certbot-dns-plugins.json	2024-10-22 10:14:31 +10:00
jc21	0cf6b9caa4	Merge pull request #4084 from ttodua/patch-1 doc(site) - default credentials change	2024-10-22 10:14:11 +10:00
T. Todua	68a9baf206	minor	2024-10-18 15:35:15 +04:00
T. Todua	d92421d098	doc(site) - default credentials change	2024-10-18 15:33:32 +04:00
Guiorgy	96c58b203e	normalize indentations in certbot-dns-plugins.json	2024-10-17 15:34:04 +04:00
Jamie Curnow	d499e2bfef	Push PR and github branch builds to separate docker image All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details	2024-10-17 10:00:12 +10:00