Merge branch 'master' of https://github.com/jlesage/docker-nginx-proxy-manager into crowdsec_rework

Author: LePresidente

DOCKERHUB.md

@@ -23,8 +23,9 @@ Nginx or Letsencrypt.
 
 ## Quick Start
 
-**NOTE**: The Docker command provided in this quick start is given as an example
-and parameters should be adjusted to your need.
+**NOTE**:
+    The Docker command provided in this quick start is given as an example
+    and parameters should be adjusted to your need.
 
 Launch the Nginx Proxy Manager docker container with the following command:
 ```shell
@@ -38,6 +39,7 @@ docker run -d \
 ```
 
 Where:
+
   - `/docker/appdata/nginx-proxy-manager`: This is where the application stores its configuration, states, log and any files needing persistency.
 
 Browse to `http://your-host-ip:8181` to access the Nginx Proxy Manager web interface.

Dockerfile

@@ -10,7 +10,7 @@ ARG DOCKER_IMAGE_VERSION=
 # Define software versions.
 ARG OPENRESTY_VERSION=1.21.4.1
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.0
-ARG NGINX_PROXY_MANAGER_VERSION=2.9.22
+ARG NGINX_PROXY_MANAGER_VERSION=2.10.4
 ARG NGINX_HTTP_GEOIP2_MODULE_VERSION=3.3
 ARG LIBMAXMINDDB_VERSION=1.5.0
 ARG BCRYPT_TOOL_VERSION=1.1.2

README.md

@@ -45,8 +45,9 @@ Nginx or Letsencrypt.
 
 ## Quick Start
 
-**NOTE**: The Docker command provided in this quick start is given as an example
-and parameters should be adjusted to your need.
+**NOTE**:
+    The Docker command provided in this quick start is given as an example
+    and parameters should be adjusted to your need.
 
 Launch the Nginx Proxy Manager docker container with the following command:
 ```shell
@@ -60,6 +61,7 @@ docker run -d \
 ```
 
 Where:
+
   - `/docker/appdata/nginx-proxy-manager`: This is where the application stores its configuration, states, log and any files needing persistency.
 
 Browse to `http://your-host-ip:8181` to access the Nginx Proxy Manager web interface.
@@ -116,7 +118,7 @@ While this can be useful for the user to adjust the value of environment
 variables to fit its needs, it can also be confusing and dangerous to keep all
 of them.
 
-A good pratice is to set/keep only the variables that are needed for the
+A good practice is to set/keep only the variables that are needed for the
 container to behave as desired in a specific setup.  If the value of variable is
 kept to its default value, it means that it can be removed.  Keep in mind that
 all variables are optional, meaning that none of them is required for the
@@ -137,7 +139,7 @@ Removing environment variables that are not needed provides some advantages:
     on Synology, where an environment variable without value might not be
     allowed.  This behavior is wrong: it's absolutely fine to have a variable
     without value.  In fact, this container does have variables without value by
-    default.  Thus, removing uneeded variables is a good way to prevent
+    default.  Thus, removing unneeded variables is a good way to prevent
     deployment issue on these devices.
 
 ### Data Volumes
@@ -179,20 +181,23 @@ parameter(s) of an existing container.  The general idea is to destroy and
 re-create the container:
 
   1. Stop the container (if it is running):
-```
+```shell
 docker stop nginx-proxy-manager
 ```
+
   2. Remove the container:
-```
+```shell
 docker rm nginx-proxy-manager
 ```
+
   3. Create/start the container using the `docker run` command, by adjusting
      parameters as needed.
 
-**NOTE**: Since all application's data is saved under the `/config` container
-folder, destroying and re-creating a container is not a problem: nothing is lost
-and the application comes back with the same state (as long as the mapping of
-the `/config` folder remains the same).
+**NOTE**:
+    Since all application's data is saved under the `/config` container
+    folder, destroying and re-creating a container is not a problem: nothing is
+    lost and the application comes back with the same state (as long as the
+    mapping of the `/config` folder remains the same).
 
 ## Docker Compose File
 
@@ -245,17 +250,20 @@ Watchtower will seamlessly perform the necessary steps to update the container.
 Finally, the Docker image can be manually updated with these steps:
 
   1. Fetch the latest image:
-```
+```shell
 docker pull jlesage/nginx-proxy-manager
 ```
+
   2. Stop the container:
-```
+```shell
 docker stop nginx-proxy-manager
 ```
+
   3. Remove the container:
-```
+```shell
 docker rm nginx-proxy-manager
 ```
+
   4. Create and start the container using the `docker run` command, with the
 the same parameters that were used when it was deployed initially.
 
@@ -306,7 +314,7 @@ user owning the data volume on the host:
     id <username>
 
 Which gives an output like this one:
-```
+```text
 uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),24(cdrom),27(sudo),46(plugdev),113(lpadmin)
 ```
 
@@ -318,7 +326,7 @@ be given the container.
 Assuming that container's ports are mapped to the same host's ports, the
 interface of the application can be accessed with a web browser at:
 
-```
+```text
 http://<HOST IP ADDR>:8181
 ```
 

appdefs.yml

@@ -97,6 +97,10 @@ app:
             - `CONTAINER_NAME` is the name of the running container.
             - `USER_EMAIL` is the email of the address to reset the password.
   changelog:
+    - version: 23.08.1
+      date: 2023-08-04
+      changes:
+        - 'Updated Nginx Proxy Manager to version 2.10.4.'
     - version: 23.04.1
       date: 2023-04-07
       changes:

rootfs/opt/nginx-proxy-manager/bin/handle-ipv6-setting

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This command reads the `DISABLE_IPV6` env var and will either enable
+# or disable ipv6 in all nginx configs based on this setting.
+
+# Lowercase
+DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+
+FOLDER=$1
+if [ "$FOLDER" == "" ]; then
+	echo "$0 requires a absolute folder path as the first argument!"
+	exit 1
+fi
+
+FILES=$(find "$FOLDER" -type f -name "*.conf")
+SED_REGEX=
+
+if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ]; then
+	# IPV6 is disabled
+	echo "Disabling IPV6 in hosts in: $1"
+	SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
+else
+	# IPV6 is enabled
+	echo "Enabling IPV6 in hosts in: $1"
+	SED_REGEX='s/^(\s*)#listen \[::\]/\1listen [::]/g'
+fi
+
+for FILE in $FILES
+do
+	echo "- ${FILE}"
+	echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
+done

src/nginx-proxy-manager/build.sh

@@ -75,6 +75,7 @@ sed -i "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\
 
 log "Patching Nginx Proxy Manager backend..."
 patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/pip-install.patch
+patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/remove-certbot-dns-oci.patch
 
 cp -r /tmp/nginx-proxy-manager /app
 
@@ -122,7 +123,6 @@ cp -rv /app/frontend/dist $ROOTFS/opt/nginx-proxy-manager/frontend
 cp -rv /app/global $ROOTFS/opt/nginx-proxy-manager/global
 
 mkdir $ROOTFS/opt/nginx-proxy-manager/bin
-cp -rv /tmp/nginx-proxy-manager/docker/rootfs/bin/handle-ipv6-setting $ROOTFS/opt/nginx-proxy-manager/bin/
 cp -rv /tmp/nginx-proxy-manager/docker/rootfs/etc/nginx $ROOTFS/etc/
 cp -rv /tmp/nginx-proxy-manager/docker/rootfs/var/www $ROOTFS/var/
 cp -rv /tmp/nginx-proxy-manager/docker/rootfs/etc/letsencrypt.ini $ROOTFS/etc/
@@ -157,7 +157,7 @@ sed -i 's|:443;|:4443;|' $ROOTFS/opt/nginx-proxy-manager/templates/_listen.conf
 sed -i 's|-g "error_log off;"||' $ROOTFS/opt/nginx-proxy-manager/internal/nginx.js
 
 # Remove the `user` directive, since we want nginx to run as non-root.
-sed -i 's|user root;|#user root;|' $ROOTFS/etc/nginx/nginx.conf
+sed -i 's|user npm;|#user npm;|' $ROOTFS/etc/nginx/nginx.conf
 
 # Change client_body_temp_path.
 sed -i 's|/tmp/nginx/body|/var/tmp/nginx/body|' $ROOTFS/etc/nginx/nginx.conf
@@ -190,10 +190,6 @@ ln -s /config/production.json $ROOTFS/opt/nginx-proxy-manager/config/production.
 # Make sure letsencrypt certificates are stored in persistent volume.
 ln -s /config/letsencrypt $ROOTFS/etc/letsencrypt
 
-# Make sure some default certbot directories are stored in persistent volume.
-ln -s /config/letsencrypt-workdir $ROOTFS/var/lib/letsencrypt
-ln -s /config/log/letsencrypt $ROOTFS/var/log/letsencrypt
-
 # Cleanup.
 find $ROOTFS/opt/nginx-proxy-manager -name "*.h" -delete
 find $ROOTFS/opt/nginx-proxy-manager -name "*.cc" -delete

src/nginx-proxy-manager/pip-install.patch

@@ -6,8 +6,8 @@ index da104a2..730d826 100644
  		const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
  		const credentialsCmd     = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
  		// we call `. /opt/certbot/bin/activate` (`.` is alternative to `source` in dash) to access certbot venv
--		let prepareCmd = '. /opt/certbot/bin/activate && pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies + ' && deactivate';
-+		let prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
+-		const prepareCmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies + ' && deactivate';
++		const prepareCmd = 'pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
 
  		// Whether the plugin has a --<name>-credentials argument
  		const hasConfigArg = certificate.meta.dns_provider !== 'route53';
@@ -19,8 +19,8 @@ index a4b51c9..6d3d3e3 100644
  				});
 
  				if (plugins.length) {
--					const install_cmd = '. /opt/certbot/bin/activate && pip install ' + plugins.join(' ') + ' && deactivate';
-+					const install_cmd = 'pip install ' + plugins.join(' ');
+-					const install_cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + plugins.join(' ') + ' && deactivate';
++					const install_cmd = 'pip install --no-cache-dir ' + plugins.join(' ');
  					promises.push(utils.exec(install_cmd));
  				}
 

src/nginx-proxy-manager/remove-certbot-dns-oci.patch

@@ -0,0 +1,25 @@
+Because of the Oracle Cloud Infrastructure DNS plugin dependencies, installing
+it causes certbot to be downgraded, which then break any execution of certbot.
+--- a/global/certbot-dns-plugins.js
++++ b/global/certbot-dns-plugins.js
+@@ -437,20 +437,6 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
+ 		full_plugin_name:    'dns-nsone',
+ 	},
+ 	//####################################################//
+-	oci: {
+-		display_name:    'Oracle Cloud Infrastructure DNS',
+-		package_name:    'certbot-dns-oci',
+-		package_version: '0.3.6',
+-		dependencies:    'oci',
+-		credentials:     `[DEFAULT]
+-user = ocid1.user.oc1...
+-fingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
+-tenancy = ocid1.tenancy.oc1...
+-region = us-ashburn-1
+-key_file = ~/.oci/oci_api_key.pem`,
+-		full_plugin_name: 'dns-oci',
+-	},
+-	//####################################################//
+ 	online: {
+ 		display_name:        'Online',
+ 		package_name:        'certbot-dns-online',