diff --git a/readme-vars.yml b/readme-vars.yml index f70dac3..ceb4404 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -155,7 +155,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: - - { date: "27.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Use standard nginx.conf from lsio alpine nginx base image." } + - { date: "25.11.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Use standard nginx.conf from lsio alpine nginx base image." } - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." } - { date: "20.11.21:", desc: "Added support for dnspod validation." } - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." } diff --git a/root/defaults/dhparams.pem b/root/defaults/dhparams.pem deleted file mode 100644 index eed4c41..0000000 --- a/root/defaults/dhparams.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 -7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 -nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e -8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx -iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K -zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= ------END DH PARAMETERS----- \ No newline at end of file 
diff --git a/root/defaults/authelia-location.conf b/root/defaults/nginx/location-confs/authelia-location.conf.sample similarity index 89% rename from root/defaults/authelia-location.conf rename to root/defaults/nginx/location-confs/authelia-location.conf.sample index e3c1e98..12ac7f6 100644 --- a/root/defaults/authelia-location.conf +++ b/root/defaults/nginx/location-confs/authelia-location.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf +## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/authelia-location.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that the authelia configuration.yml has 'path: "authelia"' defined diff --git a/root/defaults/proxy.conf b/root/defaults/nginx/location-confs/proxy.conf.sample similarity index 92% rename from root/defaults/proxy.conf rename to root/defaults/nginx/location-confs/proxy.conf.sample index f536be0..b98667e 100644 --- a/root/defaults/proxy.conf +++ b/root/defaults/nginx/location-confs/proxy.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf +## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/proxy.conf.sample # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; diff --git a/root/defaults/authelia-server.conf b/root/defaults/nginx/server-confs/authelia-server.conf.sample similarity index 93% rename from root/defaults/authelia-server.conf rename to root/defaults/nginx/server-confs/authelia-server.conf.sample index 8bd63d0..3690528 100644 --- a/root/defaults/authelia-server.conf 
+++ b/root/defaults/nginx/server-confs/authelia-server.conf.sample @@ -1,8 +1,8 @@ -## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf +## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/authelia-server.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia location ^~ /authelia { - include /config/nginx/proxy.conf; + include /config/nginx/location-confs/*.conf; include /config/nginx/resolver.conf; set $upstream_authelia authelia; proxy_pass http://$upstream_authelia:9091; diff --git a/root/defaults/geoip2.conf b/root/defaults/nginx/server-confs/geoip2.conf.sample similarity index 88% rename from root/defaults/geoip2.conf rename to root/defaults/nginx/server-confs/geoip2.conf.sample index 846c5b5..35e6bcd 100644 --- a/root/defaults/geoip2.conf +++ b/root/defaults/nginx/server-confs/geoip2.conf.sample @@ -1,4 +1,4 @@ -## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf +## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/geoip2.conf.sample # To enable, uncommment the Geoip2 config line in nginx.conf # Add the -e MAXMINDDB_LICENSE_KEY= to automatically download the Geolite2 database. # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup @@ -77,16 +77,9 @@ geo $allow_list { # # server_name unifi.*; # -# include /config/nginx/ssl.conf; +# include /config/nginx/server-confs/*.conf; # # client_max_body_size 0; -# -# # enable for ldap auth, fill in ldap details in ldap.conf -# #include /config/nginx/ldap.conf; -# -# # enable for Authelia -# #include /config/nginx/authelia-server.conf; - # # Allow lan access if default is set to no # if ($allow_list = yes) { 
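Review bot: The new `include /config/nginx/location-confs/*.conf;` inside `location ^~ /authelia` pulls in every activated file in that directory, not only proxy.conf. default.conf in the same commit points users at `/config/nginx/location-confs/authelia-location.conf` as the file to enable, so once that sample loses its `.sample` suffix it matches the glob and, if it carries the `auth_request` directives its name and per-location use suggest, the Authelia endpoint would be guarded by itself. Keeping the explicit `include /config/nginx/location-confs/proxy.conf;` here, or narrowing the pattern so authelia-location.conf is excluded, avoids that; the same wildcard is used in the geoip2.conf.sample example location block on the next line. The enclosing location block continues outside the hunk.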
@@ -108,10 +101,7 @@ geo $allow_list { # #auth_request /auth; # #error_page 401 =200 /ldaplogin; # -# # enable for Authelia -# #include /config/nginx/authelia-location.conf; -# -# include /config/nginx/proxy.conf; +# include /config/nginx/location-confs/*.conf; # resolver 127.0.0.11 valid=30s; # set $upstream_app unifi-controller; # set $upstream_port 8443; diff --git a/root/defaults/ldap.conf b/root/defaults/nginx/server-confs/ldap.conf.sample similarity index 98% rename from root/defaults/ldap.conf rename to root/defaults/nginx/server-confs/ldap.conf.sample index 90120c7..fd44aa3 100644 --- a/root/defaults/ldap.conf +++ b/root/defaults/nginx/server-confs/ldap.conf.sample @@ -1,4 +1,4 @@ -## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ldap.conf +## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample ## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth ## see the heimdall example in the default site config for info on enabling ldap auth ## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth diff --git a/root/defaults/ssl.conf b/root/defaults/nginx/server-confs/ssl.conf.sample similarity index 96% rename from root/defaults/ssl.conf rename to root/defaults/nginx/server-confs/ssl.conf.sample index b9b9d3c..b2b7c74 100644 --- a/root/defaults/ssl.conf +++ b/root/defaults/nginx/server-confs/ssl.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf +## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample ### Mozilla Recommendations # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration 
diff --git a/root/defaults/default.conf b/root/defaults/nginx/site-confs/default.conf.sample similarity index 68% rename from root/defaults/default.conf rename to root/defaults/nginx/site-confs/default.conf.sample index 40d34b3..f72a9ce 100644 --- a/root/defaults/default.conf +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -1,4 +1,4 @@ -## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default +## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample error_page 502 /502.html; @@ -18,22 +18,9 @@ server { index index.html index.htm index.php; # enable subfolder method reverse proxy confs - include /config/nginx/proxy-confs/*.subfolder.conf; + include /config/nginx/subfolder-confs/*.subfolder.conf; - # all ssl related config moved to ssl.conf - include /config/nginx/ssl.conf; - - # enable for ldap auth - #include /config/nginx/ldap.conf; - - # enable for Authelia - #include /config/nginx/authelia-server.conf; - - # enable for geo blocking - # See /config/nginx/geoip2.conf for more information. - #if ($allowed_country = no) { - # return 444; - #} + include /config/nginx/server-confs/*.conf; set $htpasswd_file /config/nginx/.htpasswd; set $auth_basic "Restricted"; @@ -49,7 +36,7 @@ server { #error_page 401 =200 /ldaplogin; # enable for Authelia - #include /config/nginx/authelia-location.conf; + #include /config/nginx/location-confs/authelia-location.conf; try_files $uri $uri/ /index.html /index.php?$args =404; } @@ -68,6 +55,6 @@ server { } # enable subdomain method reverse proxy confs -include /config/nginx/proxy-confs/*.subdomain.conf; +include /config/nginx/subdomain-confs/*.subdomain.conf; # enable proxy cache for auth proxy_cache_path cache/ keys_zone=auth_cache:10m; 
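Review bot: The removed block in the `@@ -18,22 +18,9 @@` hunk also drops the only place that showed how geo blocking is enforced, `#if ($allowed_country = no) { return 444; }`, and nothing added in its place replaces it. Activating `server-confs/geoip2.conf` through the new wildcard defines the `geo` maps, but a server block still needs that `if`/`return 444` to reject anything, so unless geoip2.conf.sample now carries the directive itself (not visible in this diff) a user following the samples would believe blocking is on when it is not. Keep the commented example next to `include /config/nginx/server-confs/*.conf;`, or add a comment saying where it moved. A comment that the glob makes every `*.conf` in server-confs live, in glob order, the moment its `.sample` suffix is dropped would also help, since ldap.conf, authelia-server.conf and geoip2.conf used to be opt-in via explicit includes.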
diff --git a/root/defaults/502.html b/root/defaults/www/502.html similarity index 100% rename from root/defaults/502.html rename to root/defaults/www/502.html diff --git a/root/defaults/index.html b/root/defaults/www/index.html similarity index 100% rename from root/defaults/index.html rename to root/defaults/www/index.html diff --git a/root/etc/cont-init.d/25-migrate-confs b/root/etc/cont-init.d/25-migrate-confs new file mode 100644 index 0000000..23130a1 --- /dev/null +++ b/root/etc/cont-init.d/25-migrate-confs @@ -0,0 +1,6 @@ +#!/usr/bin/with-contenv bash + +# shellcheck source=/dev/null +source /defaults/migrate.sh + +migrate "/config/nginx/proxy.conf" "/config/nginx/location-confs/proxy.conf" diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index 4d29100..0a09f55 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -44,9 +44,6 @@ ln -s /config/etc/letsencrypt /etc/letsencrypt cp -n /defaults/dns-conf/* /config/dns-conf/ chown -R abc:abc /config/dns-conf -# copy reverse proxy configs -cp -R /defaults/proxy-confs /config/nginx/ - # copy/update the fail2ban config defaults to/in /config cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/ 
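Review bot: The migration moves only `/config/nginx/proxy.conf`, while the 50-config hunk on the next line installs `ssl.conf.sample` into `server-confs/ssl.conf` whenever that file is absent. An existing install that adopts the new default.conf therefore runs with the stock TLS settings in the new layout, and its customized `/config/nginx/ssl.conf` is left behind silently. ssl.conf was always included unconditionally, so it is safe to carry over: `migrate "/config/nginx/ssl.conf" "/config/nginx/server-confs/ssl.conf"`. ldap.conf, authelia-*.conf and geoip2.conf should not be migrated the same way, because the old 50-config copied them for every user regardless of use and under the wildcard include they would become active; migrate.sh is not in this diff, so I cannot tell how it treats an existing destination.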
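Review bot: Dropping `cp -R /defaults/proxy-confs /config/nginx/` leaves no visible step that creates or fills `/config/nginx/subfolder-confs` and `/config/nginx/subdomain-confs`, which the new default.conf includes in place of `proxy-confs`. If another script outside this diff now does that, a one-line comment here such as `# reverse proxy confs are now populated by <SCRIPT_NAME>` would save the next reader the search; if not, the proxy samples never reach /config on a fresh container.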
@@ -66,18 +63,12 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local # copy crontab and proxy defaults if needed [[ ! -f /config/crontabs/root ]] && \ cp /etc/crontabs/root /config/crontabs/ -[[ ! -f /config/nginx/proxy.conf ]] && \ - cp /defaults/proxy.conf /config/nginx/proxy.conf -[[ ! -f /config/nginx/ldap.conf ]] && \ - cp /defaults/ldap.conf /config/nginx/ldap.conf -[[ ! -f /config/nginx/authelia-server.conf ]] && \ - cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf -[[ ! -f /config/nginx/authelia-location.conf ]] && \ - cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf -[[ ! -f /config/nginx/geoip2.conf ]] && \ - cp /defaults/geoip2.conf /config/nginx/geoip2.conf -[[ ! -f /config/www/502.html ]] && - cp /defaults/502.html /config/www/502.html +[[ ! -f /config/nginx/location-confs/proxy.conf ]] && \ + cp /defaults/nginx/location-confs/proxy.conf.sample /config/nginx/location-confs/proxy.conf +[[ ! -f /config/nginx/server-confs/ssl.conf ]] && \ + cp /defaults/nginx/server-confs/ssl.conf.sample /config/nginx/server-confs/ssl.conf +[[ ! -f /config/www/502.html ]] && \ + cp /defaults/www/502.html /config/www/502.html # remove lua bits from nginx.conf if not done before if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then 
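Review bot: The two new `cp` targets assume `/config/nginx/location-confs/` and `/config/nginx/server-confs/` already exist, and nothing in this hunk creates them; if the `mkdir -p` is not added earlier in 50-config (outside the hunk) the first-run copy fails and the server block is left without ssl.conf, i.e. without the Mozilla-recommended TLS settings that file carries. Adding `mkdir -p /config/nginx/location-confs /config/nginx/server-confs` above the `[[ ! -f ... ]]` checks makes the hunk self-contained. The hunk also stops seeding ldap.conf, authelia-*.conf and geoip2.conf into /config; a comment such as `# ldap/authelia/geoip2 confs are now opt-in samples under /defaults/nginx` would make that intentional change visible to the next maintainer.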
@@ -86,8 +77,8 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then fi # patch authelia-server.conf for CVE-2021-32637 -if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then - sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf +if [[ -f /config/nginx/server-confs/authelia-server.conf ]] && ! grep -q 'if ($request_uri ~' /config/nginx/server-confs/authelia-server.conf; then + sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/server-confs/authelia-server.conf fi # check to make sure DNSPLUGIN is selected if dns validation is used diff --git a/root/etc/cont-init.d/70-templates b/root/etc/cont-init.d/70-templates index 0bb6cad..bdc2826 100644 --- a/root/etc/cont-init.d/70-templates +++ b/root/etc/cont-init.d/70-templates @@ -1,5 +1,9 @@ #!/usr/bin/with-contenv bash +# NEEDS TO BE REWORKED FOR NEW STRUCTURE +## Should cycle through all *.sample files in /defaults/nginx/ (instead of hardcoded list) +## Should be moved into the alpine nginx base image + nginx_confs=( \ authelia-location.conf \ authelia-server.conf \
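Review bot: The CVE-2021-32637 patch is now applied only to `/config/nginx/server-confs/authelia-server.conf`, and the old location `/config/nginx/authelia-server.conf` is no longer checked even though 25-migrate-confs does not move that file. An existing install that keeps the old layout with a still-unpatched copy therefore stops receiving the `$request_uri` filter, with no message to say so. Looping over both paths keeps the mitigation for both layouts until the old one is dropped; the sed expression itself is unchanged.
```shell
# patch authelia-server.conf for CVE-2021-32637 (old and new layout)
for authelia_conf in /config/nginx/authelia-server.conf /config/nginx/server-confs/authelia-server.conf; do
    if [[ -f "${authelia_conf}" ]] && ! grep -q 'if ($request_uri ~' "${authelia_conf}"; then
        sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' "${authelia_conf}"
    fi
done
```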