
Releases: ZoeyVid/NPMplus

2025-01-03-alpha

03 Jan 21:55
Pre-release

Note: this is a prerelease, please back up NPMplus and test it if you can, and please report back if something does not work (to see how many people test it, please give at least a reaction if you test it and it works)

The following still needs to happen before new latest release:

  • merge upstream
  • compose.yaml remove comments
  • create new release (and remind people to switch back to latest now)

What's Changed

  • all your hosts will now be regenerated once, and again whenever you update an env which influences a template
  • use liquidjs itself instead of sed to modify persistent hosts and templates based on envs
  • slim start.sh because many migrations are now done by simply recreating all hosts
  • remove migrations from very old NPMplus versions (migration from upstream NPM still possible)
  • allow changing http/https ports
  • merge tls-ciphers-no-stapling.conf tls-ciphers.conf into one file
  • disable ACME_MUST_STAPLE by default
  • new ACME_OCSP_STAPLING env controlling whether stapling should happen; currently on, will be disabled end of April
  • env DB_SQLITE_FILE is now unsupported
  • NPM_DISABLE_IPV6 and GOA_DISABLE_IPV6 are now removed and included in DISABLE_IPV6
  • http3 should now be way faster (http3_stream_buffer_size was too small)
  • update all stapling files before starting all services
  • default host is not mounted anymore and recreated on each container start
  • nginxbeautifier now only runs on hosts generation
  • fix unresponsive start page (upstream issue, fixed by reverting upstream commit)
  • dep updates
  • support php84
  • update readme
  • update security.txt
  • improve folder structure
  • frontend now only allows enabling coreruleset if modsec is also enabled
  • quic_bpf support (default off, since it needs NPMplus to run as a privileged container)
  • NIBEP and GOAIWSP have switched their default values
  • streams forwarding_port now allows $server_port as a valid input
  • allowed syntax for domain names and stream/proxy forward_host have changed
  • added support for INITIAL_DEFAULT_PAGE
  • remove kyber (mlkem is supported)
  • use freenginx default tls setting when connecting to upstream server
  • rename nginx_custom folder to custom_nginx
  • unify proxy.conf and proxy-location.conf to proxy.conf
  • new dummy certs now use secp384r1 instead of rsa4096
  • integrate no-servername files in the normal configs
  • allow disabling hsts subdomains via env
  • support upstream X_FRAME_OPTIONS env, also change its default from SAMEORIGIN to DENY, add option to not set it
  • remove Referrer-Policy header (the default value when unset is the same as NPMplus used before: strict-origin-when-cross-origin)
  • don't expose the version when making an (authenticated/unauthenticated) request to the NPMplus API
  • add ACME_KEY_TYPE env (default and recommended is still ecdsa)
  • use #!/usr/bin/env sh instead of #!/bin/sh
  • dns secrets are not mounted anymore, since they are saved in the db and rewritten on every container start
  • certbot is now built together with nginx

How to test

  • Read the changes above
  • change the tag in your compose yaml from latest/nothing to develop
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-12-14-r1...2025-01-03-alpha

2024-12-14-r1

14 Dec 18:27
b091ad0

What's Changed

  • ACME_SERVER and ACME_MUST_STAPLE values will now also apply when renewing existing certs
  • update alpine to 3.21
  • update crs to 4.9.0
  • use alpine curl instead of my own curl-quic build
  • other small dep updates
  • upstream merges (fix NginxProxyManager#4168, implement NginxProxyManager#4163)
  • 404 page is now called dead page and should return 404
  • readd DNS propagation delay
  • default mime type is now application/octet-stream (means download)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-11-25-r1...2024-12-14-r1

Important information about Certificates/CAs/OCSP Must-Staple

05 Dec 22:01
90c4cd2

Note: This is not a new release but important information

Let's Encrypt has made an announcement today which has a huge impact on NPMplus; you can read it here: https://letsencrypt.org/2024/12/05/ending-ocsp

If you have any questions/ideas etc. on this topic, please write a comment

What is OCSP/CRLs?

  • first: OCSP, OCSP Stapling and OCSP Must-Staple are different things.

OCSP:

  • With OCSP the client (browser) asks the CA (Let's Encrypt) whether the certificate used by the web server has been revoked
  • This is a check done between CA and client; NPMplus has no influence on this
  • Revocation will be detected by the client if the client (re)checks for it (re-check because a cached response may exist)
  • privacy problem, since the CA learns things it should not (can be disabled in Firefox/Thunderbird settings, not sure about other clients; Chrome doesn't even support this)
    => useful, but with a privacy problem; may take some time to be detected because of the cache
  • https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

OCSP Stapling without Must-Staple:

  • your 30-day cert is valid on its own, but it is additionally verified by a “second certificate”
  • always enabled for all certbot certs of NPMplus (also for migrated instances, and also if you disable must-staple)
  • the “second certificate” is valid only for 7 days
  • the “second certificate” is requested by the web server from the CA (since the nginx implementation is not the best, NPMplus uses certbot-ocsp-fetcher for this)
  • no privacy problem, since the browser only talks to the web server and not to the CA
  • BUT: if the cert is compromised, the cert can still be used WITHOUT OCSP Stapling, so the revocation is not detected by the client (unless the client detects it through other ways: client-CA OCSP/CRLs)
    => useless without must-staple, see below
  • https://en.wikipedia.org/wiki/OCSP_stapling

OCSP Stapling with Must-Staple:

  • same as above, but your 30-day cert is NOT valid on its own; it needs a “second certificate” to be valid
  • this requirement is part of the cert itself (so it cannot be removed) and is added while creating the cert (the must-staple requirement is enabled by default in NPMplus for all certbot certs, but can be disabled via ENV)
  • Revocation will be detected as soon as the “second certificate” expires, if the client supports must-staple
    => useful if supported by the client; may take some time to be detected because of the validity period of the “second certificate”
  • https://en.wikipedia.org/wiki/OCSP_stapling
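Added example (not NPMplus or certbot code): a small Node.js parser for the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24), which is how the Must-Staple requirement described above is embedded in the certificate itself; feature number 5 (status_request) is what ACME_MUST_STAPLE asks for. The sample extension bytes are constructed, and the parser assumes short-form DER lengths, as noted in the comments.

```javascript
// Added example, not NPMplus/certbot code: detect the RFC 7633 TLS Feature
// extension ("OCSP Must-Staple") in a DER-encoded X.509 certificate. Feature 5
// (status_request) is what ACME_MUST_STAPLE makes certbot request.

// OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature) in DER: tag 0x06, length 8, arcs.
const TLS_FEATURE_OID = Buffer.from("06082b06010505070118", "hex");
const STATUS_REQUEST = 5; // TLS extension number of status_request

// Short-form DER length only (< 128 bytes). Assumption: this extension is a
// few bytes long, so a long-form length is treated as malformed.
function readLength(buf, pos) {
  const n = buf[pos];
  return n === undefined || n >= 0x80 ? null : { len: n, next: pos + 1 };
}

// TLS feature numbers in the extension, or null if there is no well-formed one.
function tlsFeatures(der) {
  const at = der.indexOf(TLS_FEATURE_OID);
  if (at === -1) return null;
  let pos = at + TLS_FEATURE_OID.length;
  if (der[pos] === 0x01) pos += 3; // optional "critical" BOOLEAN
  if (der[pos] !== 0x04) return null; // extnValue must be an OCTET STRING
  const octet = readLength(der, pos + 1);
  if (!octet || der[octet.next] !== 0x30) return null; // SEQUENCE OF INTEGER
  const seq = readLength(der, octet.next + 1);
  if (!seq) return null;
  const features = [];
  for (let p = seq.next; p < seq.next + seq.len; ) {
    if (der[p] !== 0x02) return null; // INTEGER expected
    const int = readLength(der, p + 1);
    if (!int || int.len < 1 || int.len > 4) return null;
    let v = 0;
    for (let i = 0; i < int.len; i++) v = (v << 8) | der[int.next + i];
    features.push(v);
    p = int.next + int.len;
  }
  return features;
}

function hasMustStaple(der) {
  const f = tlsFeatures(der);
  return f !== null && f.includes(STATUS_REQUEST);
}

// First certificate of a PEM file (e.g. certbot's cert.pem) as DER.
function pemToDer(pem) {
  const first = pem.split("-----END CERTIFICATE-----")[0];
  return Buffer.from(first.replace(/-----BEGIN CERTIFICATE-----|\s+/g, ""), "base64");
}

// Constructed sample input: the Extension SEQUENCE as it sits inside a
// must-staple cert (OID, OCTET STRING { SEQUENCE { INTEGER 5 } }), and a blob without it.
const MUST_STAPLE_EXT = Buffer.from("301106082b0601050507011804053003020105", "hex");
const NO_EXT = Buffer.from("3003020105", "hex");
```

To check a live certificate, run `hasMustStaple(pemToDer(require("fs").readFileSync(path, "utf8")))` on the PEM certbot wrote.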

CRLs

  • the older technology to detect revocation
  • CAs publish huge lists containing information about all revoked (and by date still valid) certificates, and Chrome/Firefox/Thunderbird download collections of these lists
  • Problem: because of their size, the lists may not contain all revoked certs
    => depends: if the revocation information of your cert is not included, then it is useless, otherwise it is ok
  • https://en.wikipedia.org/wiki/Certificate_revocation_list

My opinion on this (I mostly talk about Must-Staple)

  • first, I understand that they remove OCSP because of the costs they have through it and because of the privacy concern
  • BUT I don't understand that they remove Must-Staple support, it is better than CRL
  • They argue that most web servers have no good implementation for this, which is not fully true, like caddy which has good support for this or NPMplus itself through the certbot-ocsp-fetcher script ((free)nginx's own implementation is not the best) ⇒ I don't think that this argument is big enough to revert to CRLs
  • The argument with the client is sadly true, since Chrome (and its forks) doesn't support must-staple, so the only big clients remaining are Firefox/Thunderbird (not sure about WebKit/Safari and other big mail clients like Outlook)

What now?

  • I must say, there is no good solution:
    • Moving to ZeroSSL would be an option, but they have no CRL support, which is important for Chromium (and forks)
    • Staying with Let's Encrypt would mean losing Must-Staple functionality
  • But since a decision needs to be made and Chrome is very important, I will stay with Let's Encrypt by default and instead change the default value of ACME_MUST_STAPLE; maybe stapling needs to be fully removed even if your custom CA supports it, but I will try to find a way to prevent this
  • If ZeroSSL or any other public ACME-supporting CA has support for OCSP Stapling/Must-Staple and CRLs, then it will become the new default CA

When will the change happen?

  • Before January 30, 2025 (the day Must-Staple will stop working for new instances)
  • I have no exact date, but I will try to have some releases until this change:
    • at least one release mentioning this change in its changelog, in a few days
    • in between (or maybe with the next release), I will sync the value of ACME_MUST_STAPLE with all renewal configs of certbot certs to make sure that certs which get renewed will have the same setting as the env (maybe I will also sync the ACME_SERVER env)
    • and at some point ACME_MUST_STAPLE will be changed to false by default (and stapling may be removed) - maybe still in December
  • ENVs set by you will not be overridden

2024-11-25-r1

25 Nov 20:11

Note: NPMplus has had its own place at Reddit for a few months: https://www.reddit.com/r/NPMplus (very empty there), but I still prefer reporting anything over GitHub to have everything in one place

What's Changed

  • NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
  • dep updates
  • readme changes
  • ACME_MUST_STAPLE and ACME_SERVER_TLS_VERIFY options (see compose.yaml)
  • Stop GoAccess errors by @Sproglet in #1245
  • close #965 by merging NginxProxyManager#4187
  • merge upstream (only this PR was merged: NginxProxyManager#4179)
  • fix updating streams (untested, but should work, if not please open an issue)
  • Note: if you want NPMplus in your language, please see the readme on how to contribute a translation

  • Note: 2 hours after this release I made a hotfix for the certbot command and merged upstream changes (forbid ports 80, 81 and 443 as stream output ports)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-11-02-r1...2024-11-25-r1

2024-11-02-r1

02 Nov 18:00
8846543

What's Changed

  • NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
  • fix #1185 (comment) (workaround mentioned in thread not needed anymore)
  • dep updates
  • add multi language support through @lateautumn233, if you want to add a language, see this commit as an example: a026b42
  • add lang de
  • upstream merges (leaseweb dns support and revert proxy_pass in a location block to use static values instead of static vars)
  • improve goaccess start and behaviour while rotating logs
  • include goaccess and fcgi package in the image (like logrotate), so they don't need to be downloaded each container recreation (so only php-fpm/php packages need to be downloaded if needed)
  • fix GeoLite2-City being ignored by goaccess
  • fix goaccess ip binding after container restart
  • remove unused acme.sh script (will be added back if NPMplus maybe switches to it)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-24-r1...2024-11-02-r1

2024-10-24-r1

24 Oct 21:34
5c1b2f8

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-23-r1...2024-10-24-r1

2024-10-23-r1

23 Oct 21:43
5b65de0

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

  • doc updates
  • dep updates
  • merge #1182 by @Sproglet (keep goaccess data after rotating logs)
  • run ocsp script before testing nginx config
  • fix updates from older versions
  • remove useless headers
  • move some files
  • change cipher order

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-22-r1...2024-10-23-r1

2024-10-22-r1

22 Oct 09:19

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

  • fix launch of nginx if certbot-ocsp-fetcher.sh fails
  • merge upstream (no real changes, formatting of certbot-dns-plugins.json and add some upstreams envs to compose.yaml)
  • dep updates

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-21-r1...2024-10-22-r1

2024-10-21-r1

21 Oct 20:07
927d5ca

Breaking changes in host names and custom ACME servers, fixed upstream CVEs, please report any issues you find

What's Changed

  • merge upstream (including CVE fixes: shell/command injection while creating certificates; the permission to create certs was required to exploit it)
    • Note: upstream fixed this by adding regex checks in the API endpoint (included); this may break new hosts, or your existing hosts when you update them, if you use regex inside your host names
    • Note: I added a second fix by switching from require('child_process').exec to require('child_process').execFile, this should prevent this kind of injection completely, so the regex change from upstream should be safe to revert if needed
    • I also fixed some small upstream bugs which I already noticed while testing, so there are probably more caused by the new regex checks
  • dep updates
  • generate nginx access lists using node module instead of apache2-utils
  • for new instances, fix appsec file upload: increase appsec timeouts; I recommend that you create a backup of your /opt/npm/etc/crowdsec/crowdsec.conf config file, delete it, then restart NPMplus (so the file gets recreated) and then configure it again, so you have the new timeouts
  • reload nginx after certbot-ocsp-fetcher.sh finished
  • custom certbot.ini support REMOVED; if you want to use a custom ACME server, please do this using the new envs you can find in the compose.yaml
  • fix disabling ipv6
  • nginx/custom is now nginx_custom (from sub folder to new folder)
  • you no longer need to enter your email while creating certs (please do this in compose.yaml)
  • DNS propagation delay support removed
  • fixed duplicating '#' in nginx.conf in rootless mode
  • allow backend to compress
  • improve default ssl_ecdh_curve (enable X25519MLKEM768)
  • also disable proxy_request_buffering if you disable proxy buffering using env
  • limit mime types to compress (text/images/audio) - if you have ideas about something that is missing or should not be compressed, please open a discussion (currently: text/html text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio)

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-05-r1...2024-10-21-r1

2024-10-05-r1

05 Oct 06:29
86bab6a

What's Changed

  • if you didn't upgrade yet to the last release 2024-10-02-r1 (2.11.3+bb09562), please first read the changelog of that release
  • hide a warning until certbot/certbot#9967 is closed
  • I forgot to mention the following in the last release: migration of tls certificates from NPM to NPMplus is finally fixed

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack

Full Changelog: 2024-10-02-r1...2024-10-05-r1