From 8987ff9c6d8d4ded8cb71f577ed0128ea27f0152 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 12 Oct 2023 01:35:04 +0000 Subject: [PATCH] dep updates/header changes/tls changes Signed-off-by: Zoey - dep updates - upodate nginx/certbot - improve headers - change NPM to NPMplus in launch.sh - when using https backend, only TLSv1 to TLSv1.3 is now allowed, whith secure ciphers --- .github/workflows/js.yml | 2 +- .github/workflows/shellcheck.yml | 2 +- Caddy.Dockerfile | 2 +- Dockerfile | 10 ++-------- README.md | 5 +++-- backend/package.json | 4 ++-- backend/templates/_hsts.conf | 12 ++++++++++++ backend/templates/_listen.conf | 5 ++++- frontend/package.json | 2 +- global/certbot-dns-plugins.js | 7 +++++++ rootfs/bin/launch.sh | 10 +++++----- rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf | 1 - .../usr/local/nginx/conf/conf.d/include/proxy.conf | 6 ++++-- .../local/nginx/conf/conf.d/include/tls-ciphers.conf | 2 +- 14 files changed, 44 insertions(+), 26 deletions(-) diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml index 934c4b0d1..40b22a05d 100644 --- a/.github/workflows/js.yml +++ b/.github/workflows/js.yml @@ -10,7 +10,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: node-version: 19 - name: eslint diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 7b4f7d296..a0d27fc47 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -14,4 +14,4 @@ jobs: with: check_together: 'yes' env: - SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 + SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154 diff --git a/Caddy.Dockerfile b/Caddy.Dockerfile index 6ec69ea21..0eb3c9e26 100644 --- a/Caddy.Dockerfile +++ b/Caddy.Dockerfile 
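Review bot: Adding `-e SC2154` to `SHELLCHECK_OPTS` turns off "variable is referenced but not assigned" for every script in the repository, which also hides genuine typos in variable names, not just the environment-provided variables the exclusion is presumably meant for. A targeted `# shellcheck disable=SC2154` on the lines that read those variables keeps the check alive elsewhere, and the comment can name where the value comes from (e.g. `# shellcheck disable=SC2154  # set by the container environment`). If the warning really fires in many scripts, a short note in the workflow saying which variables triggered it would at least document why the rule is off globally.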
@@ -1,3 +1,3 @@
-FROM caddy:2.7.4
+FROM caddy:2.7.5
 RUN apk add --no-cache ca-certificates tzdata
 COPY Caddyfile /etc/caddy/Caddyfile
diff --git a/Dockerfile b/Dockerfile
index 69f68082c..c8cf869de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
 yarn cache clean --all
-FROM python:3.12.0-alpine3.18 as certbot
-ENV PATH="/usr/local/certbot/bin:$PATH"
-RUN apk add --no-cache ca-certificates build-base libffi-dev && \
- python3 -m venv /usr/local/certbot && \
- pip install --no-cache-dir certbot
-
-
 FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
 WORKDIR /src
 RUN apk add --no-cache ca-certificates git build-base && \
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
 sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
 sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+FROM zoeyvid/certbot-docker:10 as certbot
-FROM zoeyvid/nginx-quic:206
+FROM zoeyvid/nginx-quic:210
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata tini \
diff --git a/README.md b/README.md
index 4d5e2c6b3..79f95fc06 100644
--- a/README.md
+++ b/README.md
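Review bot: `FROM zoeyvid/certbot-docker:10 as certbot` (and the `zoeyvid/nginx-quic:210` bump next to it) pull a third-party image by a mutable tag, so the certbot binaries that end up in the final image can change with no change to this Dockerfile; the stage it replaces at least started from the official `python:3.12.0-alpine3.18` image, although its `pip install --no-cache-dir certbot` was unpinned as well. Pin both by digest, `FROM zoeyvid/certbot-docker:10@sha256:<digest> as certbot` and `FROM zoeyvid/nginx-quic:210@sha256:<digest>`, which Renovate can then keep current. The stage that copies from `certbot` is outside this hunk, so I could not confirm the new image places certbot where the removed `ENV PATH="/usr/local/certbot/bin:$PATH"` stage expected it; a one-line comment on the new `FROM` stating the path the image provides would make that explicit.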
@@ -2,11 +2,12 @@ # NPMplus This project comes as a pre-built docker image that enables you to easily forward to your websites -running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt. +running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot. - [Quick Setup](#quick-setup) + **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.**
diff --git a/backend/package.json b/backend/package.json
index d029cb99e..d11e690c3 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -16,7 +16,7 @@
 "gravatar": "1.8.2",
 "jsonwebtoken": "9.0.2",
 "knex": "3.0.1",
- "liquidjs": "10.9.2",
+ "liquidjs": "10.9.3",
 "lodash": "4.17.21",
 "moment": "2.29.4",
 "mysql": "2.18.1",
@@ -29,7 +29,7 @@
 "author": "Jamie Curnow and ZoeyVid ",
 "license": "MIT",
 "devDependencies": {
- "eslint": "8.51.0",
+ "eslint": "8.52.0",
 "eslint-plugin-align-assignments": "1.1.2"
 }
 }
diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 82664d0f0..a794e638a 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -1,7 +1,19 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
+ more_clear_headers "Expect-CT";
 include conf.d/include/hsts.conf;
 {% endif %}
 {% endif %}
 {% endif %}
+
+{% unless certificate and certificate_id > 0 -%}
+{% unless ssl_forced == 1 or ssl_forced == true %}
+{% unless hsts_enabled == 1 or hsts_enabled == true %}
+ more_clear_headers "Content-Security-Policy";
+
+ more_clear_headers "Expect-CT";
+ more_clear_headers "Strict-Transport-Security";
+{% endunless %}
+{% endunless %}
+{% endunless %}
\ No newline at end of file
diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 2b5973e51..50b1f1f3b 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -10,7 +10,10 @@ listen 443 quic;
 listen [::]:443 quic;
- add_header Alt-Svc 'h3=":443"; ma=86400';
+ more_set_headers "Alt-Svc: h3=':443'; ma=86400";
 {% endif %}
 {% endif %}
+{% unless hsts_subdomains %}
+ more_clear_headers "Alt-Svc";
+{% endunless %}
 server_name {{ domain_names | join: " " }};
diff --git a/frontend/package.json b/frontend/package.json
index 6ea27b003..94ea1c690 100644
--- a/frontend/package.json
+++ b/frontend/package.json
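Review bot: In the new `unless` block of `_hsts.conf`, `more_clear_headers "Content-Security-Policy";` strips whatever Content-Security-Policy the upstream application sends, because headers-more directives act on the outgoing response including headers that came from the proxied backend; nothing visible in this template sets a CSP when `hsts.conf` is not included, so the line only weakens the backend's own policy and should be dropped (clearing `Expect-CT` there is fine, and clearing `Strict-Transport-Security` on a plain-http host is harmless but a no-op for browsers). Note also that three nested `unless` tags fire only when all three conditions are false, i.e. for a host with no certificate at all, so a host with a certificate but HSTS switched off gets neither branch; if the intent was "whenever HSTS is not active", the cleaner form is an `{% else %}` branch on each of the three existing `if` tags rather than a mirrored `unless` chain, since Liquid offers no parentheses for a combined condition. A short comment above the block stating which case it is meant to cover (`# plain-http hosts: strip stale security headers from the backend`) would remove the ambiguity either way.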
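Review bot: `more_set_headers "Alt-Svc: h3=':443'; ma=86400";` in `_listen.conf` changes the alt-authority from `":443"` to `':443'`, and RFC 7838 defines it as a quoted-string, which uses double quotes, so clients are likely to ignore the h3 advertisement that the replaced `add_header` line had right. Swap the nginx-level quoting instead: `more_set_headers 'Alt-Svc: h3=":443"; ma=86400';`. The new `{% unless hsts_subdomains %}` guard that clears `Alt-Svc` reads as if `hsts_subdomains` doubles as the HTTP/3 switch; the `{% if %}` it mirrors starts above the hunk, so I could not confirm that, and a one-line comment such as `# hsts_subdomains is the HTTP/3 toggle: drop any upstream Alt-Svc when h3 is not served here` would make the coupling explicit.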
@@ -4,7 +4,7 @@ "description": "A beautiful interface for creating Nginx endpoints", "main": "js/index.js", "dependencies": { - "@babel/core": "7.23.0", + "@babel/core": "7.23.2", "babel-core": "6.26.3", "babel-loader": "8.3.0", "babel-preset-env": "1.7.0", diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index d94c3a5af..37c8f88d0 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`, full_plugin_name: 'dns-luadns', }, //####################################################// +/** multi: { +* display_name: 'DNS multi', +* package_name: 'certbot-dns-multi', +* credentials: `# see https://github.com/alexzorin/certbot-dns-multi`, +* full_plugin_name: 'dns-multi', +* }, +**/ //####################################################// namecheap: { display_name: 'Namecheap', package_name: 'certbot-dns-namecheap', diff --git a/rootfs/bin/launch.sh b/rootfs/bin/launch.sh index 48e1c0197..0be3e4bb9 100755 --- a/rootfs/bin/launch.sh +++ b/rootfs/bin/launch.sh @@ -2,11 +2,11 @@ echo " ------------------------------------- - _ _ ____ __ __ -| \ | | _ \| \/ | -| \| | |_) | |\/| | -| |\ | __/| | | | -|_| \_|_| |_| |_| + _ _ ___ __ __ _ +| \ || . \| \ \ ___ | | _ _ ___ +| || _/| || . \| || | |[_-[ +|_\_||_| |_|_|_|| _/|_| \__|/__/ + |_| ------------------------------------- Version: $(jq -r .version /app/package.json) Date: $(date) diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf index 58f094bf3..11de7076a 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf 
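Review bot: The new `multi` entry in `certbot-dns-plugins.js` is added as a commented-out object literal, which is dead code with no indication of why it is disabled or when it should be enabled. If the plugin cannot be offered yet, a single line `// TODO: certbot-dns-multi is not enabled yet; see https://github.com/alexzorin/certbot-dns-multi` carries the same information without a stale block to keep in sync with the other entries; otherwise the entry should simply be live.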
@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
 more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
-more_set_headers "Expect-CT: enforce; max-age=86400";
 more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
\ No newline at end of file
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
index b6bacc6b1..5ddb173e7 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
-proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
-proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+proxy_http_version 1.1;
+proxy_hide_header Upgrade;
 proxy_pass $forward_scheme://$server:$port$request_uri;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
index 42031f826..c467f4cd8 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
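Review bot: `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in `proxy.conf` still negotiates TLS 1.0 and 1.1, which RFC 8996 deprecates, and the new `proxy_ssl_ciphers` list ends in `DES-CBC3-SHA` (3DES) plus RSA-key-exchange CBC suites (`AES128-SHA`, `AES256-SHA256`, …) with no forward secrecy, so the commit message's "secure ciphers" overstates it and the backend side is noticeably looser than the client-facing `ssl_ciphers` list in `tls-ciphers.conf`. Unless a specific legacy backend is known to need more, use `proxy_ssl_protocols TLSv1.2 TLSv1.3;` and the same ECDHE/DHE AEAD-only cipher string that `tls-ciphers.conf` already uses, with a comment pointing at that file so the two stay aligned. The hunk does not set `proxy_ssl_verify`; if it is not enabled in another include, nginx's default of off means the backend certificate is never checked and the protocol/cipher choice does nothing against an on-path attacker between NPMplus and the upstream, so either enable it (with `proxy_ssl_trusted_certificate`) or state in a comment why backend certificates are deliberately unverified. `proxy_hide_header Upgrade;` looks like an h2c-smuggling mitigation, but hiding `Upgrade` on the response side also removes it from a backend's `101 Switching Protocols` reply, which RFC 6455 clients require, so WebSocket hosts should be tested and the directive scoped to non-WebSocket locations if they break.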
@@ -7,6 +7,6 @@ ssl_session_tickets off; ssl_dhparam /etc/tls/dhparam; # intermediate configuration. tweak to your needs. -ssl_protocols TLSv1.3 TLSv1.2; +ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers on;