dep updates/header changes/tls changes

Signed-off-by: Zoey <[email protected]>

- dep updates
- upodate nginx/certbot
- improve headers
- change NPM to NPMplus in launch.sh
- when using https backend, only TLSv1 to TLSv1.3 is now allowed, whith secure ciphers

.github/workflows/js.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 19
       - name: eslint

.github/workflows/shellcheck.yml

@@ -14,4 +14,4 @@ jobs:
         with:
           check_together: 'yes'
         env:
-          SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153
+          SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154

Caddy.Dockerfile

@@ -1,3 +1,3 @@
-FROM caddy:2.7.4
+FROM caddy:2.7.5
 RUN apk add --no-cache ca-certificates tzdata
 COPY Caddyfile /etc/caddy/Caddyfile

Dockerfile

@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
     yarn cache clean --all
 
 
-FROM python:3.12.0-alpine3.18 as certbot
-ENV PATH="/usr/local/certbot/bin:$PATH"
-RUN apk add --no-cache ca-certificates build-base libffi-dev && \
-    python3 -m venv /usr/local/certbot && \
-    pip install --no-cache-dir certbot
-
-
 FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
 WORKDIR /src
 RUN apk add --no-cache ca-certificates git build-base && \
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
     sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
     sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
+FROM zoeyvid/certbot-docker:10 as certbot
 
-FROM zoeyvid/nginx-quic:206
+FROM zoeyvid/nginx-quic:210
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata tini \

README.md

@@ -2,11 +2,12 @@
 # NPMplus
 
 This project comes as a pre-built docker image that enables you to easily forward to your websites
-running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
+running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot.
 
 - [Quick Setup](#quick-setup)
+<!---
 - [Screenshots](https://nginxproxymanager.com/screenshots)
-
+--->
 
 **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
 **Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>

backend/package.json

@@ -16,7 +16,7 @@
     "gravatar": "1.8.2",
     "jsonwebtoken": "9.0.2",
     "knex": "3.0.1",
-    "liquidjs": "10.9.2",
+    "liquidjs": "10.9.3",
     "lodash": "4.17.21",
     "moment": "2.29.4",
     "mysql": "2.18.1",
@@ -29,7 +29,7 @@
   "author": "Jamie Curnow <[email protected]> and ZoeyVid <[email protected]>",
   "license": "MIT",
   "devDependencies": {
-    "eslint": "8.51.0",
+    "eslint": "8.52.0",
     "eslint-plugin-align-assignments": "1.1.2"
   }
 }

backend/templates/_hsts.conf

@@ -1,7 +1,19 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
+  more_clear_headers "Expect-CT";
   include conf.d/include/hsts.conf;
 {% endif %}
 {% endif %}
 {% endif %}
+
+{% unless certificate and certificate_id > 0 -%}
+{% unless ssl_forced == 1 or ssl_forced == true %}
+{% unless hsts_enabled == 1 or hsts_enabled == true %}
+  more_clear_headers "Content-Security-Policy";
+
+  more_clear_headers "Expect-CT";
+  more_clear_headers "Strict-Transport-Security";
+{% endunless  %}
+{% endunless  %}
+{% endunless  %}

backend/templates/_listen.conf

@@ -10,7 +10,10 @@
   listen 443 quic;
   listen [::]:443 quic;
 
-  add_header Alt-Svc 'h3=":443"; ma=86400';
+  more_set_headers "Alt-Svc: h3=':443'; ma=86400";
 {% endif %}
 {% endif %}
+{% unless hsts_subdomains %}
+  more_clear_headers "Alt-Svc";
+{% endunless %}
   server_name {{ domain_names | join: " " }};

frontend/package.json

@@ -4,7 +4,7 @@
   "description": "A beautiful interface for creating Nginx endpoints",
   "main": "js/index.js",
   "dependencies": {
-    "@babel/core": "7.23.0",
+    "@babel/core": "7.23.2",
     "babel-core": "6.26.3",
     "babel-loader": "8.3.0",
     "babel-preset-env": "1.7.0",

global/certbot-dns-plugins.js

@@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
 		full_plugin_name: 'dns-luadns',
 	},
 	//####################################################//
+/**	multi: {
+*		display_name:        'DNS multi',
+*		package_name:        'certbot-dns-multi',
+*		credentials:         `# see https://github.com/alexzorin/certbot-dns-multi`,
+*		full_plugin_name: 'dns-multi',
+*/	},
+	//####################################################//
 	namecheap: {
 		display_name:        'Namecheap',
 		package_name:        'certbot-dns-namecheap',

rootfs/bin/launch.sh

@@ -2,11 +2,11 @@
 
 echo "
 -------------------------------------
- _   _ ____  __  __
-| \ | |  _ \|  \/  |
-|  \| | |_) | |\/| |
-| |\  |  __/| |  | |
-|_| \_|_|   |_|  |_|
+ _ _  ___  __ __       _          
+| \ || . \|  \  \ ___ | | _ _  ___
+|   ||  _/|     || . \| || | |[_-[
+|_\_||_|  |_|_|_||  _/|_| \__|/__/
+                 |_|               
 -------------------------------------
 Version:  $(jq -r .version /app/package.json)
 Date:     $(date)

rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf

@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
 more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
 
-more_set_headers "Expect-CT: enforce; max-age=86400";
 more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";

rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf

@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
 
-proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
-proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 
+proxy_http_version 1.1;
+proxy_hide_header Upgrade;
 proxy_pass $forward_scheme://$server:$port$request_uri;

rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

@@ -7,6 +7,6 @@ ssl_session_tickets off;
 ssl_dhparam /etc/tls/dhparam;
 
 # intermediate configuration. tweak to your needs.
-ssl_protocols TLSv1.3 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers on;