dep updates/add NGINX_WORKER_PROCESSES env/support ocsp stapling for …

…custom certs

Signed-off-by: Zoey <[email protected]>

.gitignore

@@ -297,7 +297,7 @@ dist/
 downloads/
 eggs/
 .eggs/
-lib/
+#lib/
 lib64/
 parts/
 sdist/

Dockerfile

@@ -66,7 +66,7 @@ RUN apk upgrade --no-cache -a && \
     sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:375-python
+FROM zoeyvid/nginx-quic:384-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ENV NODE_ENV=production
 ARG CRS_VER=v4.10.0
@@ -86,6 +86,7 @@ RUN apk upgrade --no-cache -a && \
 #    curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \
 #    ln -s /usr/local/acme.sh/acme.sh /usr/local/bin/acme.sh && \
     curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/refs/heads/main/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh && \
+    sed -i "s|/live||g" /usr/local/bin/certbot-ocsp-fetcher.sh && \
     chmod +x /usr/local/bin/certbot-ocsp-fetcher.sh && \
     git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \
     mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \

backend/internal/nginx.js

@@ -79,8 +79,12 @@ const internalNginx = {
 
 	reload: () => {
 		if (process.env.ACME_OCSP_STAPLING === 'true') {
-			return utils
-				.execFile('certbot-ocsp-fetcher.sh', ['-c', '/data/tls/certbot', '-o', '/data/tls/certbot/live', '--no-reload-webserver', '--quiet'])
+			utils
+				.execFile('certbot-ocsp-fetcher.sh', ['-c', '/data/tls/certbot/live', '-o', '/data/tls/certbot/live', '--no-reload-webserver', '--quiet'])
+				.catch(() => {})
+				.finally(() => {
+					utils.execFile('certbot-ocsp-fetcher.sh', ['-c', '/data/tls/custom', '-o', '/data/tls/custom', '--no-reload-webserver', '--quiet']);
+				})
 				.catch(() => {})
 				.finally(() => {
 					logger.info('Reloading Nginx');

backend/internal/proxy-host.js

@@ -315,7 +315,7 @@ const internalProxyHost = {
 			.then(() => {
 				return internalProxyHost.get(access, {
 					id: data.id,
-					expand: ['certificate', 'owner', 'access_list'],
+					expand: ['certificate', 'owner', 'access_list.[clients,items]'],
 				});
 			})
 			.then((row) => {
@@ -413,7 +413,7 @@ const internalProxyHost = {
 		return access
 			.can('proxy_hosts:list')
 			.then((access_data) => {
-				let query = proxyHostModel.query().where('is_deleted', 0).groupBy('id').allowGraph('[owner,access_list,certificate]').orderBy(castJsonIfNeed('domain_names'), 'ASC');
+				let query = proxyHostModel.query().where('is_deleted', 0).groupBy('id').allowGraph('[owner,access_list.[clients,items],certificate]').orderBy(castJsonIfNeed('domain_names'), 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));

backend/lib/utils.js

@@ -1,7 +1,6 @@
 const _ = require('lodash');
 const fs = require('fs');
 const crypto = require('crypto');
-const spawn = require('child_process').spawn;
 const execFile = require('child_process').execFile;
 const { Liquid } = require('liquidjs');
 const logger = require('../logger').global;
@@ -45,33 +44,6 @@ module.exports = {
 		return stdout;
 	},
 
-	/**
-	 * @param   {String} cmd
-	 * @param   {Array}  args
-	 */
-	execfg: function (cmd, args) {
-		return new Promise((resolve, reject) => {
-			logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : ''));
-			const childProcess = spawn(cmd, args, {
-				shell: true,
-				detached: true,
-				stdio: 'inherit',
-			});
-
-			childProcess.on('error', (err) => {
-				reject(err);
-			});
-
-			childProcess.on('close', (code) => {
-				if (code !== 0) {
-					reject(new Error(`Command '${cmd}' exited with code ${code}`));
-				} else {
-					resolve();
-				}
-			});
-		});
-	},
-
 	/**
 	 * Used in objection query builder
 	 *

backend/package.json

@@ -10,7 +10,7 @@
     "archiver": "7.0.1",
     "batchflow": "0.4.0",
     "bcrypt": "5.1.1",
-    "better-sqlite3": "11.7.2",
+    "better-sqlite3": "11.8.1",
     "body-parser": "2.0.2",
     "compression": "1.7.5",
     "express": "4.21.2",
@@ -34,8 +34,8 @@
     "@apidevtools/swagger-parser": "10.1.1",
     "@eslint/js": "9.18.0",
     "eslint": "9.18.0",
-    "eslint-config-prettier": "9.1.0",
-    "eslint-plugin-prettier": "5.2.1",
+    "eslint-config-prettier": "10.0.1",
+    "eslint-plugin-prettier": "5.2.2",
     "globals": "15.14.0",
     "prettier": "3.4.2"
   },

backend/schema/components/proxy-host-object.json

@@ -114,7 +114,7 @@
 					},
 					"forward_path": {
 						"type": "string",
-						"pattern": "^($|/.+$)"
+						"pattern": "^($|/.*$)"
 					},
 					"advanced_config": {
 						"type": "string"

backend/templates/_certificates.conf

@@ -12,5 +12,10 @@
   # Custom TLS
   ssl_certificate /data/tls/custom/npm-{{ certificate_id }}/fullchain.pem;
   ssl_certificate_key /data/tls/custom/npm-{{ certificate_id }}/privkey.pem;
+  {% if env.ACME_OCSP_STAPLING == "true" %}
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_stapling_file /data/tls/custom/npm-{{ certificate_id }}.der;
+  {% endif %}
 {% endif %}
 {% endif %}

compose.yaml

@@ -45,6 +45,7 @@ services:
 #      - "NGINX_HSTS_SUBDMAINS=false" # when enabling security headers, also enable hsts for subdomains, default true
 #      - "X_FRAME_OPTIONS=sameorigin" # value to use for the X-Frame-Options header when enabling security headers, valid is deny, sameorigin and none (means unset), default deny, since this applies to all hosts I recommend you to instead keep the default and only change it for hosts which need it using the advanced config and more_set_headers
 #      - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec
+#      - "NGINX_WORKER_PROCESSES=8" value of worker_processes, default and recommended: auto
 #      - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false
 #      - "FULLCLEAN=true" # Clean unused config folders, default false
 #      - "SKIP_IP_RANGES=true" # Skip feteching/whitelisting ip ranges from aws and cloudflare, default false

frontend/js/i18n/de-lang.json

@@ -256,7 +256,7 @@
     "no-wildcard-without-dns": "Zertifikat kann nicht für Wildcard-Domains angefordert werden, wenn keine DNS-Challenge verwendet wird",
     "none": "Nur HTTP",
     "other": "Individuell",
-    "passphrase-protection-support-info": "Schlüsseldateien, die mit einer Passphrase geschützt sind, werden nicht unterstützt. OCSP Stapling wird bei Custom Zertifikaten nicht untersützt.",
+    "passphrase-protection-support-info": "Schlüsseldateien, die mit einer Passphrase geschützt sind, werden nicht unterstützt.",
     "processing-info": "Verarbeitung... Dies kann ein paar Minuten dauern.",
     "propagation-seconds": "Ausbreitung in Sekunden",
     "propagation-seconds-info": "Leer lassen, um den Standardwert des Plugins zu verwenden. Anzahl der Sekunden, die auf die DNS-Verbreitung gewartet werden soll.",

frontend/js/i18n/en-lang.json

@@ -256,7 +256,7 @@
     "no-wildcard-without-dns": "Cannot request Certificate for wildcard domains when not using DNS challenge",
     "none": "HTTP only",
     "other": "Custom",
-    "passphrase-protection-support-info": "Key files protected with a passphrase are not supported. OCSP Stapling is not supported on custom certificates.",
+    "passphrase-protection-support-info": "Key files protected with a passphrase are not supported.",
     "processing-info": "Processing... This might take a few minutes.",
     "propagation-seconds": "Propagation Seconds",
     "propagation-seconds-info": "Leave empty to use the plugins default value. Number of seconds to wait for DNS propagation.",

renovate.json

@@ -1,9 +1,12 @@
 {
   "extends": [
-    "config:base"
+    "config:recommended"
   ],
-  "baseBranches": ["develop", "php"],
-  "includeForks": true,
+  "baseBranches": [
+    "develop",
+    "php"
+  ],
+  "forkProcessing": "enabled",
   "automerge": false,
   "branchPrefix": "renovate-deps-update-",
   "rangeStrategy": "pin",

rootfs/usr/local/bin/launch.sh

@@ -71,7 +71,8 @@ if [ ! -d /data/tls/certbot/accounts/"$(echo "$ACME_SERVER" | sed "s|^https\?://
 fi
 
 if [ "$ACME_OCSP_STAPLING" = "true" ]; then
-    certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --no-reload-webserver || true
+    certbot-ocsp-fetcher.sh -c /data/tls/certbot/live -o /data/tls/certbot/live --no-reload-webserver --force-update || true
+    certbot-ocsp-fetcher.sh -c /data/tls/custom -o /data/tls/custom --no-reload-webserver --force-update || true
     echo
 fi
 if [ "$LOGROTATE" = "true" ]; then touch /data/logrotate.lock; else rm -f /data/logrotate.lock; fi

rootfs/usr/local/bin/start.sh

@@ -71,6 +71,7 @@ export NGINX_404_REDIRECT="${NGINX_404_REDIRECT:-false}"
 export NGINX_HSTS_SUBDMAINS="${NGINX_HSTS_SUBDMAINS:-true}"
 export X_FRAME_OPTIONS="${X_FRAME_OPTIONS:-deny}"
 export NGINX_DISABLE_PROXY_BUFFERING="${NGINX_DISABLE_PROXY_BUFFERING:-false}"
+export NGINX_WORKER_PROCESSES="${NGINX_WORKER_PROCESSES:-auto}"
 export DISABLE_NGINX_BEAUTIFIER="${DISABLE_NGINX_BEAUTIFIER:-false}"
 export FULLCLEAN="${FULLCLEAN:-false}"
 export SKIP_IP_RANGES="${SKIP_IP_RANGES:-false}"
@@ -327,6 +328,11 @@ if ! echo "$NGINX_DISABLE_PROXY_BUFFERING" | grep -q "^true$\|^false$"; then
     sleep inf
 fi
 
+if ! echo "$NGINX_WORKER_PROCESSES" | grep -q "^auto$\|^[0-9]\+$"; then
+    echo "NGINX_WORKER_PROCESSES needs to be auto or a number."
+    sleep inf
+fi
+
 if ! echo "$DISABLE_NGINX_BEAUTIFIER" | grep -q "^true$\|^false$"; then
     echo "DISABLE_NGINX_BEAUTIFIER needs to be true or false."
     sleep inf
@@ -473,7 +479,7 @@ if [ "$NC_AIO" = "true" ]; then
 fi
 
 
-export TV="1"
+export TV="2"
 if [ ! -s /data/npmplus/env.sha512sum ] || [ "$(cat /data/npmplus/env.sha512sum)" != "$( (grep "env\.[A-Z0-9_]\+" -roh /app/templates | sed "s|env.||g" | sort | uniq | xargs printenv; echo "$TV") | tr -d "\n" | sha512sum | cut -d" " -f1)" ]; then
     echo "At least one env or the template version changed, all hosts will be regenerated."
     export REGENERATE_ALL="true"
@@ -893,6 +899,9 @@ if [ "$NGINX_DISABLE_PROXY_BUFFERING" = "true" ]; then
     sed -i "s|proxy_buffering.*|proxy_buffering off;|g" /usr/local/nginx/conf/nginx.conf
     sed -i "s|proxy_request_buffering.*|proxy_request_buffering off;|g" /usr/local/nginx/conf/nginx.conf
 fi
+if [ "$NGINX_WORKER_PROCESSES" != "auto" ]; then
+    sed -i "s|worker_processes.*|worker_processes $NGINX_WORKER_PROCESSES;|g" /usr/local/nginx/conf/nginx.conf
+fi
 if [ "$NGINX_HSTS_SUBDMAINS" = "false" ]; then
     sed -i "s|includeSubDomains; ||g" /usr/local/nginx/conf/nginx.conf
 fi