diff --git a/frontend/js/app/nginx/certificates/form.js b/frontend/js/app/nginx/certificates/form.js
index f743f2186..410e149c6 100644
--- a/frontend/js/app/nginx/certificates/form.js
+++ b/frontend/js/app/nginx/certificates/form.js
@@ -149,10 +149,7 @@ module.exports = Mn.View.extend({
ssl_files.push({name: 'certificate_key', file: this.ui.other_certificate_key[0].files[0]});
}
- if (!this.ui.other_intermediate_certificate[0].files.length || !this.ui.other_intermediate_certificate[0].files[0].size) {
- alert('Intermediate Certificate file is not attached');
- return;
- } else {
+ if (this.ui.other_intermediate_certificate[0].files.length && this.ui.other_intermediate_certificate[0].files[0].size) {
if (this.ui.other_intermediate_certificate[0].files[0].size > this.max_file_size) {
alert('Intermediate Certificate file is too large (> 100kb)');
return;
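Review bot: The new condition reads `this.ui.other_intermediate_certificate[0].files` three times in two lines; hoisting it once, `const intermediateFiles = this.ui.other_intermediate_certificate[0].files;` followed by `if (intermediateFiles.length && intermediateFiles[0].size) {`, keeps the length, size and max-size checks in sync and makes the now-optional file explicit. A one-line comment such as `// intermediate certificate is optional; validate it only when one is attached` would record the behaviour change, since the removed branch used to reject a missing file with an alert. The enclosing handler starts and ends outside the hunk.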
diff --git a/frontend/js/app/user/form.js b/frontend/js/app/user/form.js
index ef92ec3e9..74fea4035 100644
--- a/frontend/js/app/user/form.js
+++ b/frontend/js/app/user/form.js
@@ -25,10 +25,10 @@ module.exports = Mn.View.extend({
let view = this;
let data = this.ui.form.serializeJSON();
- let show_password = this.model.get('email') === 'admin@example.com';
+ let show_password = (this.model.get('email') === 'admin@example.com' || this.model.get('email') === 'admin@example.org');
- // admin@example.com is not allowed
- if (data.email === 'admin@example.com') {
+ // admin@example.com and admin@example.org is not allowed
+ if (data.email === 'admin@example.com' || data.email === 'admin@example.org') {
this.ui.error.text(App.i18n('users', 'default_error')).show();
this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
return;
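Review bot: The two default-admin addresses are now spelled out twice, once in `show_password` and once in the rejection check, so the next address added will have to be added in both places; a single list covers both: `const defaultAdminEmails = ['admin@example.com', 'admin@example.org'];`, then `let show_password = defaultAdminEmails.includes(this.model.get('email'));` and `if (defaultAdminEmails.includes(data.email)) {`. The rewritten comment should read `// admin@example.com and admin@example.org are not allowed` (plural subject). The enclosing function starts and ends outside the hunk.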
diff --git a/frontend/package.json b/frontend/package.json
index 218498905..ead54dc77 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -6,7 +6,7 @@
"dependencies": {
"@babel/core": "7.25.2",
"babel-core": "6.26.3",
- "babel-loader": "8.3.0",
+ "babel-loader": "8.4.1",
"babel-preset-env": "1.7.0",
"backbone": "1.6.0",
"backbone.marionette": "4.1.3",
@@ -28,7 +28,7 @@
"mini-css-extract-plugin": "1.6.2",
"moment": "2.30.1",
"node-sass": "9.0.0",
- "nodemon": "3.1.4",
+ "nodemon": "3.1.7",
"numeral": "2.0.6",
"sass-loader": "10.5.2",
"style-loader": "4.0.0",
diff --git a/rootfs/etc/tls/certbot.ini b/rootfs/etc/tls/certbot.ini
index 300c83438..3202cf058 100644
--- a/rootfs/etc/tls/certbot.ini
+++ b/rootfs/etc/tls/certbot.ini
@@ -4,12 +4,17 @@ webroot-path = /tmp/acme-challenge
new-key= true
key-type = ecdsa
-must-staple = false
+must-staple = true
no-reuse-key = true
rsa-key-size = 4096
elliptic-curve = secp384r1
-# An example of using an alternate ACME server that uses EAB credentials
-# server = https://dv.acme-v02.api.pki.goog/directory
-# eab-kid = somestringofstuffwithoutquotes
-# eab-hmac-key = yaddayaddahexhexnotquoted
+#server = https://acme-v02.api.letsencrypt.org/directory
+
+#server = https://acme.zerossl.com/v2/DV90
+#eab-kid = somestringofstuffwithoutquotes
+#eab-hmac-key = yaddayaddahexhexnotquoted
+
+#server = https://dv.acme-v02.api.pki.goog/directory
+#eab-kid = somestringofstuffwithoutquotes
+#eab-hmac-key = yaddayaddahexhexnotquoted
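Review bot: `must-staple = true` makes every newly issued certificate carry the OCSP Must-Staple extension, which is only safe when nginx actually staples a response for it; start.sh in this same commit falls back to tls-ciphers-no-stapling.conf whenever the npm-<id>.der file is absent, and a must-staple certificate served without a staple is rejected by strict clients, so a missing or stale .der now turns into an outage rather than a silent downgrade. How the .der is produced is not visible here, so a comment next to the setting, `# must-staple: nginx must serve a stapled OCSP response for these certs (see DEFAULT_STAPLING_FILE in start.sh); without it strict clients reject the certificate`, would tie the two together. The two EAB examples reuse the same dummy kid/hmac strings; fine as samples, but a `# example values, replace with the CA-issued credentials` line avoids a copy-paste of placeholders into a real config.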
diff --git a/rootfs/usr/local/bin/aio.sh b/rootfs/usr/local/bin/aio.sh
index a4e2554a2..d75870baf 100755
--- a/rootfs/usr/local/bin/aio.sh
+++ b/rootfs/usr/local/bin/aio.sh
@@ -2,7 +2,7 @@
if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then
while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
- curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.com","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
+ curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.org","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
touch /data/etc/aio.lock
echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
fi
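Review bot: The rewritten line still feeds the token request straight into the `Authorization` header, so when the login fails (wrong default identity, backend not ready despite the healthcheck) `jq -r .token` yields the string `null`, the proxy-host POST is sent with `Bearer null`, and `touch /data/etc/aio.lock` then records the bootstrap as done and it never retries. Capturing the token first and only creating the host and the lock when it is non-empty makes a failed bootstrap visible and repeatable. Separately, `-POST` is parsed by curl as `-P OST` (`--ftp-port`); the POST method actually comes from `-d`, so `-X POST` (or nothing) states the intent correctly. The enclosing `if` block is fully inside the hunk.
```shell
    while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
    # … unchanged: identity/secret JSON for the token request, kept in TOKEN_BODY …
    token="$(curl -sX POST http://127.0.0.1:48693/tokens -H 'Content-Type: application/json' -d "$TOKEN_BODY" | jq -r .token)"
    if [ -z "$token" ] || [ "$token" = "null" ]; then
        echo "Could not obtain an API token for the AIO default config; aio.lock not created, will retry on next start."
    else
        # … unchanged: proxy-host JSON body, kept in PROXY_HOST_BODY …
        curl -sX POST http://127.0.0.1:48693/nginx/proxy-hosts -H 'Content-Type: application/json' -H "Authorization: Bearer $token" -d "$PROXY_HOST_BODY"
        touch /data/etc/aio.lock
        echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
    fi
```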
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
index b06c8b754..b4612d35c 100755
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@@ -387,7 +387,6 @@ fi
if [ "$LOGROTATE" = "true" ]; then
- apk add --no-cache logrotate
sed -i "s|rotate [0-9]\+|rotate $LOGROTATIONS|g" /etc/logrotate
touch /data/nginx/access.log \
/data/nginx/stream.log
@@ -433,7 +432,7 @@ if [ -s /data/nginx/default_host/site.conf ]; then
fi
if [ -s /data/nginx/default_www/index.html ]; then
- mv -vn /data/nginx/default_www/index.html /data/nginx/html/index.html
+ mv -vn /data/nginx/default_www/index.html /data/etc/html/index.html
fi
if [ -s /data/nginx/dummycert.pem ]; then
@@ -461,7 +460,7 @@ if [ -n "$(ls -A /data/nginx/access 2> /dev/null)" ]; then
fi
if [ -n "$(ls -A /etc/letsencrypt 2> /dev/null)" ]; then
- mv -vn /etc/letsencrypt/* /data/tls/certbot
+ cp -van /etc/letsencrypt/* /data/tls/certbot
fi
if [ -n "$(ls -A /data/letsencrypt 2> /dev/null)" ]; then
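Review bot: Switching `mv -vn` to `cp -van` leaves the originals in /etc/letsencrypt, presumably including private keys under live/ and archive/ if the usual certbot layout is in use, so the key material now exists in two places and this migration block re-runs on every start (`-n` only suppresses overwrites). If keeping a copy in /etc/letsencrypt is intended, a comment should say so; otherwise remove the source once the copy succeeded, e.g. `cp -van /etc/letsencrypt/* /data/tls/certbot && rm -rf /etc/letsencrypt/*`. Whether /etc/letsencrypt is a mounted volume, which would explain the move to `cp`, is not visible here.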
@@ -504,7 +503,8 @@ if [ "$CLEAN" = "true" ]; then
/data/ssl \
/data/logs \
/data/error.log \
- /data/nginx/error.log
+ /data/nginx/error.log \
+ /data/nginx/ip_ranges.conf
rm -vf /data/tls/certbot/crs/*.pem
rm -vf /data/tls/certbot/keys/*.pem
@@ -531,12 +531,8 @@ if [ "$FULLCLEAN" = "true" ]; then
fi
fi
-if [ "$SKIP_IP_RANGES" = "true" ]; then
- rm -vf /data/nginx/ip_ranges.conf
-fi
-
-touch /data/etc/html/index.html \
- /data/nginx/ip_ranges.conf \
+touch /tmp/ip_ranges.conf \
+ /data/etc/html/index.html \
/data/nginx/custom/events.conf \
/data/nginx/custom/http.conf \
/data/nginx/custom/http_top.conf \
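Review bot: `touch /tmp/ip_ranges.conf` creates the file that nginx.conf now includes from /tmp (the `include /tmp/ip_ranges.conf;` change is in this same commit); /tmp is normally world-writable with the sticky bit, so if any non-root process in the container — the php82 upstream socket in nginx.conf suggests there are worker processes besides nginx — can create that path first, whatever it writes becomes nginx configuration. A root-owned runtime directory (e.g. created with `mkdir -p` under /run) gives the same "not persisted" effect without that exposure; at minimum the script should refuse to proceed if the path already exists and is not a root-owned regular file. The `SKIP_IP_RANGES` handling removed here also turns that variable into a silent no-op, so it should be dropped from the documentation or re-wired to whatever now writes the file.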
@@ -591,6 +587,8 @@ find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling/d" {} \;
find /data/nginx -type f -name '*.conf' -not -path "/data/nginx/custom/*" -exec sed -i "/ssl_stapling_verify/d" {} \;
+sed -i "/ssl_stapling/d" /data/nginx/default.conf
+sed -i "/ssl_stapling_verify/d" /data/nginx/default.conf
if [ ! -s /data/etc/modsecurity/modsecurity-default.conf ]; then
cp -van /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
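Review bot: `/ssl_stapling/d` on the new line is unanchored, so it also deletes any line containing `ssl_stapling_file` — including the `#ssl_stapling_file ;` placeholder that the later `s|#\?ssl_stapling_file .*|…|` substitution in this same script expects to find in /data/nginx/default.conf; on a persisted config the stapling-file directive is therefore stripped before it can be set. `sed -i "/ssl_stapling /d" /data/nginx/default.conf` (trailing space) limits the deletion to the `ssl_stapling on|off` directive, leaving `ssl_stapling_verify` to the following line as now; the `find … -exec sed` two lines above has the same unanchored pattern and already covers /data/nginx/default.conf, which makes the two new lines redundant once it is fixed. Whether the backend regenerates host configs after start.sh, which would mask this for generated files, is not visible here.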
@@ -618,124 +616,6 @@ cp -a /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUS
cp -va /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/* /data/etc/modsecurity/crs-plugins
-if [ "$DEFAULT_CERT_ID" = "0" ]; then
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "no DEFAULT_CERT_ID set, using dummycerts."
-else
- if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
- if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
- echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "using dummycerts."
- else
- export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
- echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
-
- if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
- echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "using dummycerts."
- else
- export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
- echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
-
- if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
- echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
- else
- export DEFAULT_CHAIN=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/chain.pem
- echo "DEFAULT_CHAIN set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/chain.pem"
- fi
- fi
- fi
-
- elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
- if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
- echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "using dummycerts."
- else
- export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
- echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
-
- if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
- echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "using dummycerts."
- else
- export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
- echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
-
- if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem ]; then
- echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem does not exist, running without it"
- else
- export DEFAULT_CHAIN=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/chain.pem
- echo "DEFAULT_CHAIN set to /data/tls/custom/npm-$DEFAULT_CERT_ID/chain.pem"
- fi
- fi
- fi
-
- else
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
- fi
-fi
-
-if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "something went wrong, using dummycerts."
-fi
-if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
- export DEFAULT_CERT=/data/tls/dummycert.pem
- export DEFAULT_KEY=/data/tls/dummykey.pem
- echo "something went wrong, using dummycerts."
-fi
-
-if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
- if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
- rm -vrf /data/tls/dummycert.pem \
- /data/tls/dummykey.pem
- openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
- fi
-else
- rm -vrf /data/tls/dummycert.pem \
- /data/tls/dummykey.pem
-fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /app/templates/default.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/default.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf; fi
-
-sed -i "s|#\?ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
-sed -i "s|#\?ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|#\?ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf; fi
-
sed -i "s|48693|$NIBEP|g" /app/index.js
sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
@@ -844,11 +724,6 @@ else
sed -i "s|access_log /data/nginx/stream.log proxy;|access_log off; # stream|g" /usr/local/nginx/conf/nginx.conf
fi
-if [ ! -s /data/nginx/default.conf ]; then
- cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
-fi
-sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
-
if [ ! -s /data/tls/certbot/config.ini ]; then
cp -van /etc/tls/certbot.ini /data/tls/certbot/config.ini
fi
@@ -878,14 +753,174 @@ else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
fi
+
+if [ "$DEFAULT_CERT_ID" = "0" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "no DEFAULT_CERT_ID set, using dummycerts."
+else
+ if [ -d "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID" ]; then
+ if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
+ echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "using dummycerts."
+ else
+ export DEFAULT_CERT=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/fullchain.pem
+ echo "DEFAULT_CERT set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/fullchain.pem"
+
+ if [ ! -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
+ echo "/data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "using dummycerts."
+ else
+ export DEFAULT_KEY=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID"/privkey.pem
+ echo "DEFAULT_KEY set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID/privkey.pem"
+
+ if [ -s /data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der ]; then
+ export DEFAULT_STAPLING_FILE=/data/tls/certbot/live/npm-"$DEFAULT_CERT_ID".der
+ echo "DEFAULT_STAPLING_FILE set to /data/tls/certbot/live/npm-$DEFAULT_CERT_ID.der"
+ fi
+ fi
+ fi
+
+ elif [ -d "/data/tls/custom/npm-$DEFAULT_CERT_ID" ]; then
+ if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem ]; then
+ echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "using dummycerts."
+ else
+ export DEFAULT_CERT=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/fullchain.pem
+ echo "DEFAULT_CERT set to /data/tls/custom/npm-$DEFAULT_CERT_ID/fullchain.pem"
+
+ if [ ! -s /data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem ]; then
+ echo "/data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem does not exist"
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "using dummycerts."
+ else
+ export DEFAULT_KEY=/data/tls/custom/npm-"$DEFAULT_CERT_ID"/privkey.pem
+ echo "DEFAULT_KEY set to /data/tls/custom/npm-$DEFAULT_CERT_ID/privkey.pem"
+ fi
+ fi
+
+ else
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "cert with ID $DEFAULT_CERT_ID does not exist, using dummycerts."
+ fi
+fi
+
+if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" != "/data/tls/dummykey.pem" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "something went wrong, using dummycerts."
+fi
+if [ "$DEFAULT_CERT" != "/data/tls/dummycert.pem" ] && [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
+ export DEFAULT_CERT=/data/tls/dummycert.pem
+ export DEFAULT_KEY=/data/tls/dummykey.pem
+ echo "something went wrong, using dummycerts."
+fi
+
+if [ "$DEFAULT_CERT" = "/data/tls/dummycert.pem" ] || [ "$DEFAULT_KEY" = "/data/tls/dummykey.pem" ]; then
+ if [ ! -s /data/tls/dummycert.pem ] || [ ! -s /data/tls/dummykey.pem ]; then
+ rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
+ openssl req -new -newkey rsa:4096 -days 365000 -nodes -x509 -subj '/CN=*' -sha256 -keyout /data/tls/dummykey.pem -out /data/tls/dummycert.pem
+ fi
+else
+ rm -vrf /data/tls/dummycert.pem /data/tls/dummykey.pem
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /app/templates/default.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /app/templates/default.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /app/templates/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /app/templates/default.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /app/templates/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /app/templates/default.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/default.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/no-server-name.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess.conf
+fi
+
+sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+fi
+
sed -i "s|ssl_certificate .*|ssl_certificate $DEFAULT_CERT;|g" /data/nginx/default.conf
sed -i "s|ssl_certificate_key .*|ssl_certificate_key $DEFAULT_KEY;|g" /data/nginx/default.conf
-if [ -n "$DEFAULT_CHAIN" ]; then sed -i "s|ssl_trusted_certificate .*|ssl_trusted_certificate $DEFAULT_CHAIN;|g" /data/nginx/default.conf; fi
+if [ -n "$DEFAULT_STAPLING_FILE" ]; then
+ sed -i "s|tls-ciphers-no-stapling.conf;|tls-ciphers.conf;|g" /data/nginx/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|ssl_stapling_file $DEFAULT_STAPLING_FILE;|g" /data/nginx/default.conf
+else
+ sed -i "s|tls-ciphers.conf;|tls-ciphers-no-stapling.conf;|g" /data/nginx/default.conf
+ sed -i "s|#\?ssl_stapling_file .*|#ssl_stapling_file ;|g" /data/nginx/default.conf
+fi
+
+if [ ! -s /data/nginx/default.conf ]; then
+ cp -van /usr/local/nginx/conf/conf.d/include/default.conf /data/nginx/default.conf
+fi
+sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf
if [ "$GOA" = "true" ]; then
apk add --no-cache goaccess
- mkdir -vp /data/etc/goaccess/data \
- /data/etc/goaccess/geoip
+ mkdir -vp /data/etc/goaccess/data /data/etc/goaccess/geoip
cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf
cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf
elif [ "$FULLCLEAN" = "true" ]; then
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/always.conf b/rootfs/usr/local/nginx/conf/conf.d/include/always.conf
index 2c971bb95..f8cd08a9a 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/always.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/always.conf
@@ -22,16 +22,3 @@ location /fancyindex/ {
location ~ /\.ht {
deny all;
}
-
-location ~ /\.git {
- deny all;
-}
-
-
-if ($blocked_user_agent) {
- return 403;
-}
-
-if ($blocked_query_string) {
- return 403;
-}
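Review bot: Removing `location ~ /\.git { deny all; }` re-exposes any .git directory under a served document root unless the same deny is provided somewhere not shown, and nothing in this commit adds a replacement — the `/\.ht` block directly above is kept, so the asymmetry looks accidental. The `$blocked_user_agent` and `$blocked_query_string` checks have to go because exploits.conf and its include are deleted in this commit, but the .git rule did not depend on them; keeping `location ~ /\.git { deny all; }` costs nothing. A short comment noting that request filtering is now left to ModSecurity/CRS (which start.sh still installs) would explain the rest of the removal, if that is the intent.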
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
index 02e31a80c..796cb3423 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -19,9 +19,9 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
location / {
include conf.d/include/always.conf;
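Review bot: `ssl_certificate ;` and `ssl_certificate_key ;` with an empty argument are invalid nginx syntax until start.sh's `sed` fills them in, so this template only works once that substitution has run; a comment on the line above them, `# cert/key placeholders below are filled in by start.sh from DEFAULT_CERT_ID`, stops someone from copying the file verbatim or "fixing" the empty values. Keep the literal directive name out of that comment, because the `s|ssl_certificate .*|…|g` substitution would rewrite a comment line containing it. The same uncommented placeholders appear in goaccess-no-server-name.conf, goaccess.conf, no-server-name.conf, npm-no-server-name.conf and npm.conf in this commit.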
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf b/rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf
index 5fd4810f8..1f766afaf 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/force-tls.conf
@@ -1,3 +1,10 @@
+# Check if the original scheme is HTTP
if ($scheme = "http") {
return 301 https://$host$request_uri;
}
+
+# Check if the request was forwarded with HTTP protocol
+# This is necessary when behind a proxy like Cloudflare
+if ($http_x_forwarded_proto = "http") {
+ return 301 https://$host$request_uri;
+}
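Review bot: `$http_x_forwarded_proto` is an ordinary client-supplied header unless a proxy in front overwrites it, so the new rule acts on whatever the caller sends; the consequence is only an extra redirect to https, so the impact is low, but the comment should say that the header is trusted as-is and is expected to be set by the upstream proxy. With more than one proxy in the chain the header can arrive as a list such as `http, https`, which the exact comparison misses; `if ($http_x_forwarded_proto ~* "^http(,|$)") {` covers both forms. The redirect target reuses `$host` from the request, exactly as the existing rule above does, so no new reflection is introduced.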
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
index ddeb65696..663cca6ea 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf
@@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
index 9a834c215..f54b35f07 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
@@ -12,9 +12,9 @@ server {
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
location / {
include conf.d/include/always.conf;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf
new file mode 100644
index 000000000..b5c906573
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers-no-stapling.conf
@@ -0,0 +1,16 @@
+ssl_early_data on;
+
+ssl_stapling off;
+ssl_stapling_verify off;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+
+ssl_dhparam /etc/tls/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+
+ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
+
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
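Review bot: This new file duplicates every line of the rewritten tls-ciphers.conf except the two `ssl_stapling` directives, so the two will drift apart the first time one is edited; splitting the shared settings into one include and leaving each file with only its stapling lines plus an `include` removes the duplication (the same applies to tls-ciphers.conf in this commit). `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which an attacker can replay; that is only safe if non-idempotent requests can detect it, typically by forwarding `proxy_set_header Early-Data $ssl_early_data;` to upstreams — not visible here, so a comment stating where that is handled (or that it is not) belongs next to the directive. The hybrid `ssl_ecdh_curve` groups (`p384_mlkem768`, `x25519_kyber768`, …) only resolve if the linked OpenSSL knows those names and nginx refuses to start otherwise, so the OpenSSL-version assumption is worth a comment as well.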
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
index 698e2cce7..c67393450 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -4,11 +4,13 @@ ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
-ssl_session_tickets off;
-ssl_dhparam /etc/tls/dhparam;
+ssl_session_cache shared:SSL:10m;
-# intermediate configuration. tweak to your needs.
+ssl_dhparam /etc/tls/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+ssl_ecdh_curve p384_mlkem768:x25519_mlkem768:p384_kyber768:x25519_kyber768:secp384r1:x25519:prime256v1;
+
ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
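Review bot: Dropping `ssl_session_tickets off;` re-enables TLS session tickets with nginx's built-in key, which is generated per process and only replaced on reload/restart, so over a long uptime one key can decrypt every resumed session recorded in that period — forward secrecy is weaker than in the previous configuration. Either keep `ssl_session_tickets off;` (the `ssl_session_cache` on the line above still provides resumption) or configure `ssl_session_ticket_key` with a rotated key file, and state the trade-off in a comment. The new cipher list also drops every DHE suite, which leaves the retained `ssl_dhparam` effectively unused; a one-line comment would save the next reader that question.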
diff --git a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
index 588ab93fd..63090e648 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
@@ -18,7 +18,7 @@ server {
add_header Alt-Svc 'h3=":443"; ma=86400';
http3 on;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm-no-server-name.conf b/rootfs/usr/local/nginx/conf/conf.d/npm-no-server-name.conf
index 457a238f2..90e833948 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm-no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm-no-server-name.conf
@@ -11,7 +11,7 @@ server {
include conf.d/include/tls-ciphers.conf;
include conf.d/include/always.conf;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
index 2fb87fc43..334b10359 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -12,9 +12,9 @@ server {
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
- #ssl_certificate ;
- #ssl_certificate_key ;
- #ssl_trusted_certificate ;
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_stapling_file ;
location /api {
proxy_set_header Upgrade $http_upgrade;
diff --git a/rootfs/usr/local/nginx/conf/exploits.conf b/rootfs/usr/local/nginx/conf/exploits.conf
deleted file mode 100644
index bddb4e1b8..000000000
--- a/rootfs/usr/local/nginx/conf/exploits.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-map $query_string $blocked_query_string {
- default 0;
- "~*union.*select.*\(" 1;
- "~*union.*all.*select.*" 1;
- "~*concat.*\(" 1;
- "~*[a-zA-Z0-9_]=(\.\.//?)+" 1;
- "~*[a-zA-Z0-9_]=/([a-z0-9_.]//?)+" 1;
- "~*(<|%3C).*script.*(>|%3E)" 1;
- "~*GLOBALS(=|\[|\%[0-9A-Z]{0,2})" 1;
- "~*_REQUEST(=|\[|\%[0-9A-Z]{0,2})" 1;
- "~*proc/self/environ" 1;
- "~*mosConfig_[a-zA-Z_]{1,21}(=|\%3D)" 1;
- "~*base64_(en|de)code\(.*\)" 1;
-}
-
-map $http_user_agent $blocked_user_agent {
- default 0;
- "~*Google-Extended" 1;
- "~*GPTBot" 1;
- "~*ChatGPT-User" 1;
- "~*CCBot" 1;
-}
\ No newline at end of file
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 0b7b3aa85..28ae14d5b 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -28,6 +28,8 @@ http {
more_clear_headers "X-Page-Speed";
more_clear_headers "X-Varnish";
+ server_names_hash_bucket_size 64;
+
aio threads;
sendfile on;
tcp_nopush on;
@@ -86,8 +88,6 @@ http {
websocket "socket";
}
- include exploits.conf;
-
upstream php82 {
server unix:/run/php82.sock;
}
@@ -107,7 +107,7 @@ http {
fancyindex_default_sort name;
fancyindex_hide_parent_dir off;
fancyindex_directories_first on;
- fancyindex_time_format "%d-%m-%Y %T";
+ fancyindex_time_format "%Y-%m-%d %T";
fancyindex_ignore "fancyindex";
fancyindex_header "/fancyindex/header.html";
fancyindex_footer "/fancyindex/footer.html";
@@ -123,7 +123,7 @@ http {
include fastcgi.conf;
- include /data/nginx/ip_ranges.conf;
+ include /tmp/ip_ranges.conf;
include /data/nginx/default.conf;
include conf.d/*.conf;