Rework default.conf and ssl.conf

default.conf now conditionally includes .htpasswd ssl.conf includes listen 443
2021-10-16 11:10:40 -05:00 · 2021-10-16 11:10:40 -05:00 · a7f4f67c86
commit a7f4f67c86
parent c30a7193d8
7 changed files with 42 additions and 134 deletions
--- a/4
+++ b/4
@ -130,11 +130,11 @@ RUN \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
-  echo "**** copy fail2ban default action and filter to /default ****" && \
+  echo "**** copy fail2ban default action and filter to /defaults ****" && \
  mkdir -p /defaults/fail2ban && \
  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
-  echo "**** copy proxy confs to /default ****" && \
+  echo "**** copy proxy confs to /defaults ****" && \
  mkdir -p /defaults/proxy-confs && \
  curl -o \
    /tmp/proxy.tar.gz -L \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@ -130,11 +130,11 @@ RUN \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
-  echo "**** copy fail2ban default action and filter to /default ****" && \
+  echo "**** copy fail2ban default action and filter to /defaults ****" && \
  mkdir -p /defaults/fail2ban && \
  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
-  echo "**** copy proxy confs to /default ****" && \
+  echo "**** copy proxy confs to /defaults ****" && \
  mkdir -p /defaults/proxy-confs && \
  curl -o \
    /tmp/proxy.tar.gz -L \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@ -130,11 +130,11 @@ RUN \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
-  echo "**** copy fail2ban default action and filter to /default ****" && \
+  echo "**** copy fail2ban default action and filter to /defaults ****" && \
  mkdir -p /defaults/fail2ban && \
  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
-  echo "**** copy proxy confs to /default ****" && \
+  echo "**** copy proxy confs to /defaults ****" && \
  mkdir -p /defaults/proxy-confs && \
  curl -o \
    /tmp/proxy.tar.gz -L \
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -88,7 +88,7 @@ app_setup_block: |
  * For `duckdns` validation, either leave the `SUBDOMAINS` variable empty or set it to `wildcard`, and set the `DUCKDNSTOKEN` variable with your duckdns token. Due to a limitation of duckdns, the resulting cert will only cover either main subdomain (ie. `yoursubdomain.duckdns.org`), or sub-subdomains (ie. `*.yoursubdomain.duckdns.org`), but will not both at the same time. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
  * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
  * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
-  * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
+  * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
  * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.

  ### Security and password protection
@ -101,7 +101,7 @@ app_setup_block: |

  ### Site config and reverse proxy

-  * The default site config resides at `/config/nginx/site-confs/default`. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the `default` file, a new default will be created on container start.
+  * The default site config resides at `/config/nginx/site-confs/default.conf`. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the `default` file, a new default will be created on container start.
  * Preset reverse proxy config files are added for popular apps. See the `README.md` file under `/config/nginx/proxy_confs` for instructions on how to enable them. The preset confs reside in and get imported from [this repo](https://github.com/linuxserver/reverse-proxy-confs).
  * If you wish to hide your site from search engine crawlers, you may find it useful to add this configuration line to your site config, within the server block, above the line where ssl.conf is included
  `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";`
@ -178,7 +178,7 @@ changelogs:
  - { date: "26.01.21:", desc: "Add support for hetzner dns validation." }
  - { date: "20.01.21:", desc: "Add check for ZeroSSL EAB retrieval." }
  - { date: "08.01.21:", desc: "Add support for getting certs from [ZeroSSL](https://zerossl.com/) via optional `CERTPROVIDER` env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide `donoteditthisfile.conf` because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled." }
-  - { date: "03.01.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) /config/nginx/site-confs/default - Add helper pages to aid troubleshooting" }
+  - { date: "03.01.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) /config/nginx/site-confs/default.conf - Add helper pages to aid troubleshooting" }
  - { date: "10.12.20:", desc: "Add support for njalla dns validation" }
  - { date: "09.12.20:", desc: "Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation." }
  - { date: "01.11.20:", desc: "Add support for netcup dns validation" }
--- a/root/defaults/default.conf
+++ b/root/defaults/default.conf
@ -1,4 +1,4 @@
-## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

 error_page 502 /502.html;

@ -6,20 +6,17 @@ error_page 502 /502.html;
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
-    server_name _;
+
+    location / {
        return 301 https://$host$request_uri;
    }
+}

 # main server block
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
-
    root /config/www;
    index index.html index.htm index.php;

-    server_name _;
-
    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

@ -38,12 +35,14 @@ server {
    #   return 444;
    #}

-    client_max_body_size 0;
-
+    set $htpasswd_file /config/nginx/.htpasswd;
+    set $auth_basic "Restricted";
+    if (!-f $htpasswd_file) {
+        set $auth_basic off;
+    }
    location / {
-        # enable the next two lines for http auth
-        #auth_basic "Restricted";
-        #auth_basic_user_file /config/nginx/.htpasswd;
+        auth_basic $auth_basic;
+        auth_basic_user_file $htpasswd_file;

        # enable the next two lines for ldap auth
        #auth_request /auth;
@ -62,103 +61,11 @@ server {
        include /etc/nginx/fastcgi_params;
    }

-# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
-# notice this is within the same server block as the base
-# don't forget to generate the .htpasswd file as described on docker hub
-#    location ^~ /cp {
-#        auth_basic "Restricted";
-#        auth_basic_user_file /config/nginx/.htpasswd;
-#        include /config/nginx/proxy.conf;
-#        proxy_pass http://192.168.1.50:5050/cp;
-#    }
-
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny  all;
+    }
 }
-
-# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
-# notice this is a new server block, you need a new server block for each subdomain
-#server {
-#    listen 443 ssl http2;
-#    listen [::]:443 ssl http2;
-#
-#    root /config/www;
-#    index index.html index.htm index.php;
-#
-#    server_name cp.*;
-#
-#    include /config/nginx/ssl.conf;
-#
-#    client_max_body_size 0;
-#
-#    location / {
-#        auth_basic "Restricted";
-#        auth_basic_user_file /config/nginx/.htpasswd;
-#        include /config/nginx/proxy.conf;
-#        proxy_pass http://192.168.1.50:5050;
-#    }
-#}
-
-# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
-# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
-# notice this is a new server block, you need a new server block for each subdomain
-#server {
-#    listen 443 ssl http2;
-#    listen [::]:443 ssl http2;
-#
-#    root /config/www;
-#    index index.html index.htm index.php;
-#
-#    server_name heimdall.*;
-#
-#    include /config/nginx/ssl.conf;
-#
-#    include /config/nginx/ldap.conf;
-#
-#    client_max_body_size 0;
-#
-#    location / {
-#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
-#        auth_request /auth;
-#        error_page 401 =200 /ldaplogin;
-#
-#        include /config/nginx/proxy.conf;
-#        resolver 127.0.0.11 valid=30s;
-#        set $upstream_app heimdall;
-#        set $upstream_port 443;
-#        set $upstream_proto https;
-#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-#    }
-#}
-
-# sample reverse proxy config for "heimdall" via subdomain, with Authelia
-# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
-# notice this is a new server block, you need a new server block for each subdomain
-#server {
-#    listen 443 ssl http2;
-#    listen [::]:443 ssl http2;
-#
-#    root /config/www;
-#    index index.html index.htm index.php;
-#
-#    server_name heimdall.*;
-#
-#    include /config/nginx/ssl.conf;
-#
-#    include /config/nginx/authelia-server.conf;
-#
-#    client_max_body_size 0;
-#
-#    location / {
-#        # the next line will enable Authelia along with the included authelia-server.conf in the server block
-#        include /config/nginx/authelia-location.conf;
-#
-#        include /config/nginx/proxy.conf;
-#        resolver 127.0.0.11 valid=30s;
-#        set $upstream_app heimdall;
-#        set $upstream_port 443;
-#        set $upstream_proto https;
-#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-#    }
-#}

 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@ -1,40 +1,41 @@
-## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf

 ### Mozilla Recommendations
-# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+# generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.20.1-r3&config=intermediate&openssl=1.1.1l-r0&guideline=5.6

+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;

+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;

+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;

-
-### Linuxserver.io Defaults
-
-# Certificates
-ssl_certificate /config/keys/letsencrypt/fullchain.pem;
-ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;

-# Diffie-Hellman Parameters
-ssl_dhparam /config/nginx/dhparams.pem;
+### Linuxserver.io Defaults

 # Enable TLS 1.3 early data
 ssl_early_data on;

-# HSTS, remove # from the line below to enable HSTS
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
 #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
--- a/root/etc/cont-init.d/70-templates
+++ b/root/etc/cont-init.d/70-templates
@ -7,7 +7,7 @@ nginx_confs=( \
    ldap.conf \
    nginx.conf \
    proxy.conf \
-    site-confs/default \
+    site-confs/default.conf \
    ssl.conf )

 for i in ${nginx_confs[@]}; do