diff --git a/Caddy.Dockerfile b/Caddy.Dockerfile
index d1f336e829..ed7931b81a 100644
--- a/Caddy.Dockerfile
+++ b/Caddy.Dockerfile
@@ -1,6 +1,6 @@
 FROM caddy:2.7.6 as caddy
-FROM alpine:3.19.0
+FROM alpine:3.19.1
 RUN apk add --no-cache ca-certificates tzdata
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 COPY Caddyfile /etc/caddy/Caddyfile
diff --git a/Dockerfile b/Dockerfile
index a70c7f51aa..0a199a13b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as frontend
+FROM --platform="$BUILDPLATFORM" alpine:3.19.1 as frontend
 COPY frontend /build/frontend
 COPY global/certbot-dns-plugins.json /build/frontend/certbot-dns-plugins.json
 ARG NODE_ENV=production \
@@ -12,7 +12,7 @@ COPY darkmode.css /build/frontend/dist/css/darkmode.css
 COPY security.txt /build/frontend/dist/.well-known/security.txt
-FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as backend
+FROM --platform="$BUILDPLATFORM" alpine:3.19.1 as backend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY backend /build/backend
 COPY global/certbot-dns-plugins.json /build/backend/certbot-dns-plugins.json
@@ -30,7 +30,7 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
 yarn cache clean --all
-FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as crowdsec
+FROM --platform="$BUILDPLATFORM" alpine:3.19.1 as crowdsec
 ARG CSNB_VER=v1.0.6-rc5
@@ -48,13 +48,13 @@ RUN apk add --no-cache ca-certificates git build-base && \
 sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
 sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:243
+FROM zoeyvid/nginx-quic:247
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG CRS_VER=v4.0/dev
 COPY rootfs /
-COPY --from=zoeyvid/certbot-docker:19 /usr/local /usr/local
+COPY --from=zoeyvid/certbot-docker:20 /usr/local /usr/local
 COPY --from=zoeyvid/curl-quic:364 /usr/local/bin/curl /usr/local/bin/curl
 RUN apk add --no-cache ca-certificates tzdata tini \
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
index 088c93852a..abb42baa66 100755
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@@ -278,6 +278,7 @@ if [ "$PHP81" = "true" ]; then
 mkdir -vp /data/php
 cp -vrnT /etc/php81 /data/php/81
 sed -i "s|listen =.*|listen = /run/php81.sock|" /data/php/81/php-fpm.d/www.conf
+ sed -i "s|;error_log =|error_log = /proc/self/fd/2|g" /data/php/81/php-fpm.conf
 sed -i "s|include=.*|include=/data/php/81/php-fpm.d/*.conf|g" /data/php/81/php-fpm.conf
 elif [ "$FULLCLEAN" = "true" ]; then
@@ -310,6 +311,7 @@ if [ "$PHP82" = "true" ]; then
 mkdir -vp /data/php
 cp -vrnT /etc/php82 /data/php/82
 sed -i "s|listen =.*|listen = /run/php82.sock|" /data/php/82/php-fpm.d/www.conf
+ sed -i "s|;error_log =|error_log = /proc/self/fd/2|g" /data/php/82/php-fpm.conf
 sed -i "s|include=.*|include=/data/php/82/php-fpm.d/*.conf|g" /data/php/82/php-fpm.conf
 elif [ "$FULLCLEAN" = "true" ]; then
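Review bot: The added `sed` pattern `;error_log =` in the PHP81 hunk of start.sh has no trailing `.*`, unlike the `listen =.*` and `include=.*` substitutions on the neighbouring lines, so whatever follows the `=` on the stock line stays appended after `/proc/self/fd/2`. If the packaged php-fpm.conf ships a commented default path on that line (not visible in this diff), the resulting value is not a usable path and the error log meant to reach the container's stderr may be lost or php-fpm may refuse to start. I would change it to `sed -i "s|;error_log =.*|error_log = /proc/self/fd/2|" /data/php/81/php-fpm.conf`; the same line is added in the PHP82 hunk at -310 and the PHP83 hunk at -342. The enclosing `if` blocks start and end outside these hunks.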
@@ -342,6 +344,7 @@ if [ "$PHP83" = "true" ]; then
 mkdir -vp /data/php
 cp -vrnT /etc/php83 /data/php/83
 sed -i "s|listen =.*|listen = /run/php83.sock|" /data/php/83/php-fpm.d/www.conf
+ sed -i "s|;error_log =|error_log = /proc/self/fd/2|g" /data/php/83/php-fpm.conf
 sed -i "s|include=.*|include=/data/php/83/php-fpm.d/*.conf|g" /data/php/83/php-fpm.conf
 elif [ "$FULLCLEAN" = "true" ]; then
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf
index 94a39d650d..b99cccf3de 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf
@@ -6,6 +6,7 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
+proxy_set_header Early-Data $ssl_early_data;
 proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
index d0d0c8b5c0..e0bbaf86de 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -6,6 +6,7 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
+proxy_set_header Early-Data $ssl_early_data;
 proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
index c467f4cd87..698e2cce74 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -1,3 +1,5 @@
+ssl_early_data on;
+
 ssl_stapling on;
 ssl_stapling_verify on;
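Review bot: `ssl_early_data on;` in tls-ciphers.conf enables TLS 1.3 0-RTT in what appears to be an include shared by every TLS host, and 0-RTT requests are replayable, so state-changing requests need a guard at the proxy. The `proxy_set_header Early-Data $ssl_early_data;` lines added in proxy.conf and proxy-location.conf only help if each upstream actually answers 425 Too Early (RFC 8470), which arbitrary proxied applications generally do not do. It is also not visible here whether non-proxy handlers, such as the PHP-FPM hosts configured in start.sh, receive an equivalent signal. I would keep early data off by default and make it opt-in per host, or refuse non-idempotent methods while `$ssl_early_data` is set. At minimum, add a comment above the directive such as `# 0-RTT is replayable; upstreams must honour the Early-Data header (RFC 8470)`.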