Merge branch 'jlesage:master' into crowdsec_rework

Author: LePresidente

Dockerfile

@@ -26,7 +26,7 @@ ARG LIBMAXMINDDB_URL=https://github.com/maxmind/libmaxminddb/releases/download/$
 FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
 
 # Get Python cryptography wheel.  It is needed for certbot.
-FROM moonbuggy2000/python-musl-wheels:cryptography38.0.1-py3.10-${TARGETARCH}${TARGETVARIANT} AS mod_cryptography
+FROM moonbuggy2000/python-musl-wheels:cryptography41.0.3-py3.10-${TARGETARCH}${TARGETVARIANT} AS mod_cryptography
 
 # Build UPX.
 FROM --platform=$BUILDPLATFORM alpine:3.16 AS upx
@@ -73,7 +73,7 @@ COPY --from=mod_cryptography / /wheels
 RUN \
     apk --no-cache add build-base curl python3 && \
     curl -# -L "https://bootstrap.pypa.io/get-pip.py" | python3 && \
-    pip install --no-cache-dir --root=/tmp/certbot-install --prefix=/usr --find-links /wheels/ --prefer-binary certbot && \
+    pip install --no-cache-dir --root=/tmp/certbot-install --prefix=/usr --find-links /wheels/ --prefer-binary --only-binary=:all: certbot && \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.so" -exec strip {} ';' && \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.h" -delete && \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.c" -delete && \
@@ -89,7 +89,7 @@ COPY src/cs-openresty-bouncer /build
 RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
 
 # Pull base image.
-FROM jlesage/baseimage:alpine-3.16-v3.4.7
+FROM jlesage/baseimage:alpine-3.16-v3.5.2
 
 ARG NGINX_PROXY_MANAGER_VERSION
 ARG DOCKER_IMAGE_VERSION

README.md

@@ -95,12 +95,13 @@ of this parameter has the format `<VARIABLE_NAME>=<VALUE>`.
 |`USER_ID`| ID of the user the application runs as.  See [User/Group IDs](#usergroup-ids) to better understand when this should be set. | `1000` |
 |`GROUP_ID`| ID of the group the application runs as.  See [User/Group IDs](#usergroup-ids) to better understand when this should be set. | `1000` |
 |`SUP_GROUP_IDS`| Comma-separated list of supplementary group IDs of the application. | (no value) |
-|`UMASK`| Mask that controls how file permissions are set for newly created files. The value of the mask is in octal notation.  By default, the default umask value is `0022`, meaning that newly created files are readable by everyone, but only writable by the owner.  See the online umask calculator at http://wintelguy.com/umask-calc.pl. | `0022` |
+|`UMASK`| Mask that controls how permissions are set for newly created files and folders.  The value of the mask is in octal notation.  By default, the default umask value is `0022`, meaning that newly created files and folders are readable by everyone, but only writable by the owner.  See the online umask calculator at http://wintelguy.com/umask-calc.pl. | `0022` |
 |`LANG`| Set the [locale](https://en.wikipedia.org/wiki/Locale_(computer_software)), which defines the application's language, **if supported**.  Format of the locale is `language[_territory][.codeset]`, where language is an [ISO 639 language code](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes), territory is an [ISO 3166 country code](https://en.wikipedia.org/wiki/ISO_3166-1#Current_codes) and codeset is a character set, like `UTF-8`.  For example, Australian English using the UTF-8 encoding is `en_AU.UTF-8`. | `en_US.UTF-8` |
 |`TZ`| [TimeZone](http://en.wikipedia.org/wiki/List_of_tz_database_time_zones) used by the container.  Timezone can also be set by mapping `/etc/localtime` between the host and the container. | `Etc/UTC` |
 |`KEEP_APP_RUNNING`| When set to `1`, the application will be automatically restarted when it crashes or terminates. | `0` |
 |`APP_NICENESS`| Priority at which the application should run.  A niceness value of -20 is the highest priority and 19 is the lowest priority.  The default niceness value is 0.  **NOTE**: A negative niceness (priority increase) requires additional permissions.  In this case, the container should be run with the docker option `--cap-add=SYS_NICE`. | `0` |
-|`INSTALL_PACKAGES`| Space-separated list of packages to install during the startup of the container.  Packages are installed from the repository of the Linux distribution this container is based on.  **ATTENTION**: Container functionality can be affected when installing a package that overrides existing container files (e.g. binaries). | (no value) |
+|`INSTALL_PACKAGES`| Space-separated list of packages to install during the startup of the container.  List of available packages can be found at https://mirrors.alpinelinux.org.  **ATTENTION**: Container functionality can be affected when installing a package that overrides existing container files (e.g. binaries). | (no value) |
+|`PACKAGES_MIRROR`| Mirror of the repository to use when installing packages. List of mirrors is available at https://mirrors.alpinelinux.org. | (no value) |
 |`CONTAINER_DEBUG`| Set to `1` to enable debug logging. | `0` |
 |`DISABLE_IPV6`| When set to `1`, IPv6 support is disabled.  This is needed when IPv6 is not enabled/supported on the host. | `0` |
 

appdefs.yml

@@ -12,6 +12,7 @@ app:
   name: nginx-proxy-manager
   friendly_name: Nginx Proxy Manager
   gui_type: web
+  base_os: alpine
   gui_port: 8181
   project:
     description: |-
@@ -97,6 +98,22 @@ app:
             - `CONTAINER_NAME` is the name of the running container.
             - `USER_EMAIL` is the email of the address to reset the password.
   changelog:
+    - version: 23.12.2
+      date: 2023-12-20
+      changes:
+        - 'Fixed warning message about uninitialized variable.'
+    - version: 23.12.1
+      date: 2023-12-15
+      changes:
+        - 'Fixed PowerDNS DNS provider plugin installation.'
+        - 'Fixed issue where HTTP2 support would always be enabled.'
+        - 'Fixed server reachability test.'
+        - 'Updated baseimage to version 3.5.2, which brings the following changes:'
+        - '2:Mirror for packages installation can be set via the `PACKAGES_MIRROR` environment variable.'
+        - '2:Improved the way the `take-ownership` script is working.'
+        - '2:Readiness and minimum running time checks should not be done for a service defined with an interval.'
+        - '2:Raise an error when a synched service fails to start.'
+        - '2:Minimum running time check of a service was using an incorrect way to verify if process is still alive.'
     - version: 23.08.1
       date: 2023-08-04
       changes:

src/nginx-proxy-manager/build.sh

@@ -76,6 +76,9 @@ sed -i "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\
 log "Patching Nginx Proxy Manager backend..."
 patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/pip-install.patch
 patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/remove-certbot-dns-oci.patch
+patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/powerdns-fix.patch
+patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/http2-support-fix.patch
+patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/reachability-test-fix.patch
 
 cp -r /tmp/nginx-proxy-manager /app
 

src/nginx-proxy-manager/http2-support-fix.patch

@@ -0,0 +1,14 @@
+--- a/backend/templates/_listen.conf	2023-12-09 10:51:50.551616517 -0500
++++ b/backend/templates/_listen.conf	2023-12-09 10:52:16.259672036 -0500
+@@ -5,9 +5,9 @@
+   #listen [::]:80;
+ {% endif %}
+ {% if certificate -%}
+-  listen 443 ssl{% if http2_support %} http2{% endif %};
++  listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+ {% if ipv6 -%}
+-  listen [::]:443 ssl{% if http2_support %} http2{% endif %};
++  listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+ {% else -%}
+   #listen [::]:443;
+ {% endif %}

src/nginx-proxy-manager/powerdns-fix.patch

@@ -0,0 +1,13 @@
+Workaround for PowerDNS plugin, where its PyYAML dependency nstallation fails.
+See https://github.com/yaml/pyyaml/issues/736
+--- a/global/certbot-dns-plugins.js	2023-12-09 10:19:09.655563943 -0500
++++ b/global/certbot-dns-plugins.js	2023-12-09 10:19:28.471600576 -0500
+@@ -486,7 +486,7 @@
+ 		display_name:        'PowerDNS',
+ 		package_name:        'certbot-dns-powerdns',
+ 		version_requirement: '~=0.2.0',
+-		dependencies:        '',
++		dependencies:        'pyyaml==5.3.1',
+ 		credentials:         `dns_powerdns_api_url = https://api.mypowerdns.example.org
+ dns_powerdns_api_key = AbCbASsd!@34`,
+ 		full_plugin_name: 'dns-powerdns',

src/nginx-proxy-manager/reachability-test-fix.patch

@@ -0,0 +1,70 @@
+Fixes for the server reachability test.
+    - Do not apply HTTPs redirection for challenge used by the test.
+    - Set the `User-Agent` to avoid 403 answer from site24x7.com.
+    - Handle JSON parsing failure of the received body.
+    - Better handling of different error cases.
+
+diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
+index f68ef30..ecbb4bf 100644
+--- a/backend/internal/certificate.js
++++ b/backend/internal/certificate.js
+@@ -1167,6 +1167,7 @@ const internalCertificate = {
+ 			const options  = {
+ 				method:  'POST',
+ 				headers: {
++					'User-Agent':     'Mozilla/5.0',
+ 					'Content-Type':   'application/x-www-form-urlencoded',
+ 					'Content-Length': Buffer.byteLength(formBody)
+ 				}
+@@ -1179,12 +1180,22 @@ const internalCertificate = {
+ 
+ 					res.on('data', (chunk) => responseBody = responseBody + chunk);
+ 					res.on('end', function () {
+-						const parsedBody = JSON.parse(responseBody + '');
+-						if (res.statusCode !== 200) {
+-							logger.warn(`Failed to test HTTP challenge for domain ${domain}`, res);
++						try {
++							const parsedBody = JSON.parse(responseBody + '');
++							if (res.statusCode !== 200) {
++								logger.warn(`Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned: ${parsedBody.message}`);
++								resolve(undefined);
++							} else {
++								resolve(parsedBody);
++							}
++						} catch (err) {
++							if (res.statusCode !== 200) {
++								logger.warn(`Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned`);
++							} else {
++								logger.warn(`Failed to test HTTP challenge for domain ${domain} because response failed to be parsed: ${err.message}`);
++							}
+ 							resolve(undefined);
+ 						}
+-						resolve(parsedBody);
+ 					});
+ 				});
+ 
+@@ -1198,6 +1209,9 @@ const internalCertificate = {
+ 			if (!result) {
+ 				// Some error occurred while trying to get the data
+ 				return 'failed';
++			} else if (result.error) {
++				logger.info(`HTTP challenge test failed for domain ${domain} because error was returned: ${result.error.msg}`);
++				return `other:${result.error.msg}`;
+ 			} else if (`${result.responsecode}` === '200' && result.htmlresponse === 'Success') {
+ 				// Server exists and has responded with the correct data
+ 				return 'ok';
+diff --git a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+index 15f0d28..aa52f33 100644
+--- a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
++++ b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+@@ -1,3 +1,10 @@
++set $test "";
+ if ($scheme = "http") {
++	set $test "H";
++}
++if ($request_uri = /.well-known/acme-challenge/test-challenge) {
++	set $test "${test}T";
++}
++if ($test = H) {
+ 	return 301 https://$host$request_uri;
+ }