From fb0bb721f7e1597465e7aec7b25de49fd55564ed Mon Sep 17 00:00:00 2001 From: Zoey Date: Mon, 9 Oct 2023 18:38:58 +0200 Subject: [PATCH] rebrand to NPMplus/improve security headers/upsteam changes/dockerlint Signed-off-by: Zoey --- .github/workflows/caddy-latest.yml | 16 +++++-- .github/workflows/caddy.yml | 7 ++- .github/workflows/docker-latest.yml | 18 +++++--- .github/workflows/docker.yml | 23 +++++----- .github/workflows/dockerlint.yml | 27 ++++++++++++ Dockerfile | 41 +++++++++--------- README.md | 38 ++++++---------- backend/db.js | 2 +- backend/doc/api.swagger.json | 2 +- backend/internal/certificate.js | 22 ++++++++-- backend/package.json | 12 ++--- backend/password-reset.js | 4 +- backend/schema/index.json | 4 +- backend/templates/_hsts.conf | 12 ++++- compose.override.yaml | 8 ++-- compose.yaml | 6 +-- .../app-images/logo-text-vertical-grey.png | Bin 13636 -> 14708 bytes frontend/html/index.ejs | 2 +- frontend/html/login.ejs | 2 +- frontend/js/app/nginx/dead/form.ejs | 2 +- frontend/js/app/nginx/proxy/form.ejs | 2 +- frontend/js/app/nginx/redirection/form.ejs | 2 +- frontend/js/app/ui/footer/main.ejs | 2 +- frontend/js/i18n/messages.json | 14 +++--- frontend/package.json | 4 +- global/certbot-dns-plugins.js | 13 +++++- rootfs/bin/aio.sh | 8 ++++ rootfs/bin/launch.sh | 1 + rootfs/bin/start.sh | 12 +++++ rootfs/html/404/index.html | 2 +- rootfs/html/default/index.html | 4 +- 31 files changed, 202 insertions(+), 110 deletions(-) create mode 100644 .github/workflows/dockerlint.yml create mode 100755 rootfs/bin/aio.sh diff --git a/.github/workflows/caddy-latest.yml b/.github/workflows/caddy-latest.yml index 3458dbb26..319c82846 100644 --- a/.github/workflows/caddy-latest.yml +++ b/.github/workflows/caddy-latest.yml 
@@ -14,6 +14,9 @@ jobs: - name: Convert Username id: un run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT + - name: Convert repository name + id: rn + run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: 
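Review bot: The new `Convert repository name` step interpolates `${{ github.event.repository.name }}` straight into the shell command and appends to an unquoted `$GITHUB_OUTPUT`, copying the pattern of the `un` step above it. The repository name is set by the repository owner rather than by outside contributors, so the injection exposure is low, but the hardened form costs nothing: put `env:` / `REPO_NAME: ${{ github.event.repository.name }}` on the step and use `run: echo "rn=$(echo "$REPO_NAME" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"`. A one-line comment above the step, `# image repository names must be lowercase; the GitHub repo name is mixed case`, would record why the conversion exists (the README hunks suggest the repo is now called NPMplus). The identical step is added in the caddy.yml, docker-latest.yml and docker.yml hunks below.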
@@ -22,9 +25,14 @@ jobs: password: ${{ github.token }} - name: Push develop to latest run: | - docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }} - docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }} + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/nginx-proxy-manager:caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/nginx-proxy-manager:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.run_number }} ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} - name: Show Caddy version run: | - docker run --rm --entrypoint caddy ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy version - docker run --rm --entrypoint caddy ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy version + docker run --rm --entrypoint 
caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy version + docker run --rm --entrypoint caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy version diff --git a/.github/workflows/caddy.yml b/.github/workflows/caddy.yml index 908e23d7c..f2248574b 100644 --- a/.github/workflows/caddy.yml +++ b/.github/workflows/caddy.yml @@ -31,6 +31,9 @@ jobs: - name: Convert Username id: un run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT + - name: Convert repository name + id: rn + run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: @@ -46,5 +49,5 @@ jobs: platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6 push: ${{ github.event_name != 'pull_request' }} tags: | - ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }} - ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }} \ No newline at end of file + ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} + ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }} diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml index 8837b7e37..d149e40b4 100644 --- a/.github/workflows/docker-latest.yml +++ b/.github/workflows/docker-latest.yml @@ -14,6 +14,9 @@ jobs: - name: Convert Username id: un run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT + - name: Convert repository name + id: rn + run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: 
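Review bot: The `Push develop to latest` step now also retags the new build as `${{ steps.un.outputs.un }}/nginx-proxy-manager:caddy` on Docker Hub and ghcr.io, keeping the pre-rebrand image name updated, but nothing in the workflow says this is intentional or how long it will last. A comment at the top of the `run:` block such as `# compatibility: keep the legacy nginx-proxy-manager:caddy tag pointing at the current build until <RETIREMENT_DATE>` would document it. Note that the legacy name only receives the floating `caddy` tag and not the `caddy-${{ github.run_number }}` tag the new name gets, so consumers of the old name cannot pin a specific build. The same applies to the `latest` retags in the docker-latest.yml hunk below.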
@@ -22,11 +25,14 @@ jobs: password: ${{ github.token }} - name: Push develop to latest run: | - docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} - docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} - docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} - docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.run_number }} ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/nginx-proxy-manager:latest ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/nginx-proxy-manager:latest ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.run_number 
}} ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} - name: Show Nginx version run: | - docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest -V - docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest -V + docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest -V + docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest -V diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 6857cfaa6..18c88469b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -42,6 +42,9 @@ jobs: - name: Convert Username id: un run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT + - name: Convert repository name + id: rn + run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: 
@@ -63,15 +66,15 @@ jobs: platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6 push: ${{ github.event_name != 'pull_request' }} tags: | - ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} - ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} + ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} + ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} build-args: | - "BUILD=${{ github.event.repository.name }}" + "BUILD=${{ steps.rn.outputs.rn }}" - name: show version if: ${{ github.event_name != 'pull_request' }} run: | - docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V - docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V + docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} -V + docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} -V - name: Set PR-Number (PR) if: ${{ github.event_name == 'pull_request' }} id: pr 
@@ -84,15 +87,15 @@ jobs: file: ./Dockerfile platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6 push: ${{ github.event_name == 'pull_request' }} - tags: ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} + tags: ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }} build-args: | - "BUILD=${{ github.event.repository.name }}" + "BUILD=${{ steps.rn.outputs.rn }}" - name: show version (PR) if: ${{ github.event_name == 'pull_request' }} - run: docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -V + run: docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }} -V - name: add comment (PR) uses: mshick/add-pr-comment@v2 if: ${{ github.event_name == 'pull_request' }} with: - message: "The Docker Image can now be found here: `ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}`" - repo-token: ${{ github.token }} \ No newline at end of file + message: "The Docker Image can now be found here: `ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }}`" + repo-token: ${{ github.token }} diff --git a/.github/workflows/dockerlint.yml b/.github/workflows/dockerlint.yml new file mode 100644 index 000000000..38f5a4dd8 --- /dev/null +++ b/.github/workflows/dockerlint.yml 
@@ -0,0 +1,27 @@ +name: Dockerlint +on: + push: + pull_request: + workflow_dispatch: +jobs: + docker-lint: + runs-on: ubuntu-latest + name: docker-lint + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Install hadolint + run: | + sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint + sudo chmod +x /usr/bin/hadolint + - name: run lint + run: | + DOCKERFILES="$(find . -name "*Dockerfile*")" + for file in $(echo "$DOCKERFILES" | tr " " "\n"); do + # DL3018 warning: Pin versions in apk add. Instead of `apk add ` use `apk add =` + # DL3013 warning: Pin versions in pip. Instead of `pip install ` use `pip install ==` or `pip install --requirement ` + hadolint "$file" --ignore DL3013 --ignore DL3018 | tee -a hadolint.log + done + if grep -q "DL[0-9]\+\|SC[0-9]\+" hadolint.log; then + exit 1 + fi diff --git a/Dockerfile b/Dockerfile index 4c5ba2430..d935eba3a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,10 @@ -FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as frontend +FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as frontend COPY frontend /build/frontend COPY global/certbot-dns-plugins.js /build/frontend/certbot-dns-plugins.js ARG NODE_ENV=production \ NODE_OPTIONS=--openssl-legacy-provider +WORKDIR /build/frontend RUN apk add --no-cache ca-certificates nodejs yarn git python3 build-base && \ - cd /build/frontend && \ yarn --no-lockfile install && \ yarn --no-lockfile build && \ yarn cache clean --all 
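Review bot: In the `Install hadolint` step the binary is fetched from `releases/latest/download` with no version pin and no checksum, so every run executes whatever binary that redirect currently serves and lint results can change without any change to this repository. Pin and verify it: `sudo wget -q https://github.com/hadolint/hadolint/releases/download/<PINNED_VERSION>/hadolint-Linux-x86_64 -O /usr/bin/hadolint`, then `echo "<SHA256_FROM_RELEASE>  /usr/bin/hadolint" | sha256sum -c -` before the existing `chmod`. In the `run lint` step, `for file in $(echo "$DOCKERFILES" | tr " " "\n")` word-splits on whitespace, so a Dockerfile path containing a space is passed as several arguments; `find . -name "*Dockerfile*" -print0 | while IFS= read -r -d '' file; do … done` avoids that. The trailing `grep` on `hadolint.log` exists only because the pipe through `tee` discards hadolint's exit status; `set -o pipefail` at the top of the step would let that status fail the job directly.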
@@ -12,14 +12,15 @@ COPY darkmode.css /build/frontend/dist/css/darkmode.css COPY security.txt /build/frontend/dist/.well-known/security.txt -FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as backend +FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as backend +SHELL ["/bin/ash", "-eo", "pipefail", "-c"] COPY backend /build/backend COPY global/certbot-dns-plugins.js /build/backend/certbot-dns-plugins.js ARG NODE_ENV=production \ TARGETARCH +WORKDIR /build/backend RUN apk add --no-cache ca-certificates nodejs-current yarn && \ - wget https://gobinaries.com/tj/node-prune -O - | sh && \ - cd /build/backend && \ + wget -q https://gobinaries.com/tj/node-prune -O - | sh && \ if [ "$TARGETARCH" = "amd64" ]; then \ npm_config_target_platform=linux npm_config_target_arch=x64 yarn install --no-lockfile; \ elif [ "$TARGETARCH" = "arm64" ]; then \ 
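Review bot: `wget -q https://gobinaries.com/tj/node-prune -O - | sh` in the backend stage still runs an unverified script fetched over the network as root at build time, and the added `-q` now also hides what was downloaded from the build log; the new `SHELL … pipefail` only makes a failed download abort the build, not a substituted one. Fetch a pinned node-prune release asset and check its digest before using it: `wget -q <PINNED_NODE_PRUNE_RELEASE_URL> -O /tmp/node-prune.tgz`, `echo "<SHA256_FROM_RELEASE>  /tmp/node-prune.tgz" | sha256sum -c -`, then extract the binary into `/usr/local/bin`. The RUN instruction continues past the hunk, so the `TARGETARCH` branches below would need the matching asset per architecture.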
@@ -29,31 +30,31 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \ yarn cache clean --all -FROM python:3.11.5-alpine3.18 as certbot +FROM python:3.12.0-alpine3.18 as certbot +ENV PATH="/usr/local/certbot/bin:$PATH" RUN apk add --no-cache ca-certificates build-base libffi-dev && \ python3 -m venv /usr/local/certbot && \ - . /usr/local/certbot/bin/activate && \ pip install --no-cache-dir certbot -FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as crowdsec +FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec +WORKDIR /src RUN apk add --no-cache ca-certificates git build-base && \ git clone --recursive https://github.com/crowdsecurity/cs-nginx-bouncer /src && \ - cd /src && \ make && \ tar xzf crowdsec-nginx-bouncer.tgz && \ mv crowdsec-nginx-bouncer-* crowdsec-nginx-bouncer && \ - cd /src/crowdsec-nginx-bouncer && \ - sed -i "/lua_package_path/d" nginx/crowdsec_nginx.conf && \ - sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" nginx/crowdsec_nginx.conf && \ - sed -i "s|API_KEY=.*|API_KEY=|g" lua-mod/config_example.conf && \ - sed -i "s|ENABLED=.*|ENABLED=false|g" lua-mod/config_example.conf && \ - sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" lua-mod/config_example.conf && \ - sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" lua-mod/config_example.conf && \ - sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" lua-mod/config_example.conf + sed -i "/lua_package_path/d" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \ + sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \ + sed -i "s|API_KEY=.*|API_KEY=|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|ENABLED=.*|ENABLED=false|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i 
"s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \ + sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf -FROM zoeyvid/nginx-quic:197 +FROM zoeyvid/nginx-quic:205 +SHELL ["/bin/ash", "-eo", "pipefail", "-c"] COPY rootfs / RUN apk add --no-cache ca-certificates tzdata tini \ lua5.1-lzlib \ @@ -61,8 +62,8 @@ RUN apk add --no-cache ca-certificates tzdata tini \ openssl apache2-utils \ coreutils grep jq curl shadow sudo \ luarocks5.1 wget lua5.1-dev build-base git yarn && \ - wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ - wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \ + wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ + wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \ sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ echo "Include /data/etc/modsecurity/modsecurity.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \ cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \ diff --git a/README.md b/README.md index b56fd3818..5a9ee9fe9 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,5 @@ -

- - -

+# NPMplus This project comes as a pre-built docker image that enables you to easily forward to your websites running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt. @@ -20,7 +8,7 @@ running at home or otherwise, including free TLS, without having to know too muc - [Screenshots](https://nginxproxymanager.com/screenshots) -**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.**
+**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
**Note: NO armv7 support.**
**Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.**
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
@@ -54,12 +42,12 @@ so that the barrier for entry here is low. # List of new features - Supports HTTP/3 (QUIC) protocol. -- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/nginx-proxy-manager#crowdsec) to enable it. +- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it. - Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder. - If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file. - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH). - Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM). - - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283. + - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283. - Darkmode button in the footer for comfortable viewing (CSS done by [@theraw](https://github.com/theraw)) - Fixes proxy to https origin when the origin only accepts TLSv1.3 - Only enables TLSv1.2 and TLSv1.3 protocols 
@@ -67,13 +55,13 @@ so that the barrier for entry here is low. - Uses OCSP Stapling for enhanced security - If using custom certificates, upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder (manual migration may be needed) - Resolved dnspod plugin issue - - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) + - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/NPMplus/blob/develop/global/certbot-dns-plugins.js) - Smaller docker image with alpine-based distribution - Admin backend interface runs with https - Default page also runs with https - Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver - Exposes INTERNAL backend api only to localhost -- Easy application of security headers using [ngx_security_headers](https://github.com/GetPageSpeed/ngx_security_headers) +- Basic security headers are added if you enable HSTS (HSTS has always subdomains and preload enabled) - Access Log disabled - Error Log written to console - `Server` response header hidden 
@@ -85,7 +73,7 @@ so that the barrier for entry here is low. - Allows infinite upload size - Automatic database vacuum (only sqlite) - Automatic cleaning of old certbot certs (set FULLCLEAN to true) -- Password reset (only sqlite) using `docker exec -it nginx-proxy-manager password-reset.js USER_EMAIL PASSWORD` +- Password reset (only sqlite) using `docker exec -it npmplus password-reset.js USER_EMAIL PASSWORD` - Supports TLS for MariaDB/MySQL; set `DB_MYSQL_TLS` env to true. Self-signed certificates can be uploaded to `/data/etc/npm/ca.crt` and `DB_MYSQL_CA` set to `/data/etc/npm/ca.crt` (not tested) - Supports PUID/PGID in network mode host; add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` - Option to set IP bindings for multiple instances in network mode host @@ -101,7 +89,7 @@ so that the barrier for entry here is low. - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back - if you use custom certificates, you need to upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder - some buttons have changed, check if they are still correct -- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) for the template) +- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/npmplus/blob/develop/global/certbot-dns-plugins.js) for the template) - since this fork has dependency on `network_mode: host`, please don't forget to open port 80 and 443 (and maybe 81) in your firewall # Crowdsec 
@@ -168,9 +156,9 @@ location / { ```yml version: "3" services: - nginx-proxy-manager: - container_name: nginx-proxy-manager - image: zoeyvid/nginx-proxy-manager + npmplus: + container_name: npmplus + image: zoeyvid/npmplus restart: always network_mode: host volumes: @@ -234,8 +222,8 @@ If you want to sponsor them, please see [here](https://github.com/NginxProxyMana ## Getting Support -1. [Found a bug?](https://github.com/ZoeyVid/nginx-proxy-manager/issues) -2. [Discussions](https://github.com/ZoeyVid/nginx-proxy-manager/discussions) +1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues) +2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions)