Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

disable must staple for new instances/dep updates

Browse source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey 2024-06-22 01:26:24 +02:00
parent 22fa2f04ab
commit 67dbf3286a
No known key found for this signature in database
GPG key ID: 02A3919EB4F67328
3 changed files with 8 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
Dockerfile
View file

@ -13,7 +13,7 @@ RUN apk upgrade --no-cache -a && \
yarn --no-lockfile build && \ yarn --no-lockfile build && \
yarn cache clean --all && \ yarn cache clean --all && \
clean-modules --yes && \ clean-modules --yes && \
find /app/dist -name "*.node" -exec file {} \; find /app/dist -name "*.node" -type f -exec file {} \;
COPY darkmode.css /app/dist/css/darkmode.css COPY darkmode.css /app/dist/css/darkmode.css
COPY security.txt /app/dist/.well-known/security.txt COPY security.txt /app/dist/.well-known/security.txt
@ -30,10 +30,10 @@ RUN apk upgrade --no-cache -a && \
yarn global add clean-modules && \ yarn global add clean-modules && \
if [ "$TARGETARCH" = "amd64" ]; then \ if [ "$TARGETARCH" = "amd64" ]; then \
npm_config_target_platform=linux npm_config_target_arch=x64 yarn install --no-lockfile && \ npm_config_target_platform=linux npm_config_target_arch=x64 yarn install --no-lockfile && \
for file in $(find /app/node_modules -name "*.node" -exec file {} \; | grep -v "x86-64" | sed "s|\(.*\):.*|\1|g"); do rm -v "$file"; done; \ for file in $(find /app/node_modules -name "*.node" -type f -exec file {} \; | grep -v "x86-64\|x86_64" | grep "aarch64\|arm64" | sed "s|\([^:]\):.*|\1|g"); do rm -v "$file"; done; \
elif [ "$TARGETARCH" = "arm64" ]; then \ elif [ "$TARGETARCH" = "arm64" ]; then \
npm_config_target_platform=linux npm_config_target_arch=arm64 yarn install --no-lockfile && \ npm_config_target_platform=linux npm_config_target_arch=arm64 yarn install --no-lockfile && \
for file in $(find /app/node_modules -name "*.node" -exec file {} \; | grep -v "aarch64" | sed "s|\(.*\):.*|\1|g"); do rm -v "$file"; done; \ for file in $(find /app/node_modules -name "*.node" -type f -exec file {} \; | grep -v "aarch64\|arm64" | grep "x86-64\|x86_64" | sed "s|\([^:]\):.*|\1|g"); do rm -v "$file"; done; \
fi && \ fi && \
yarn cache clean --all && \ yarn cache clean --all && \
clean-modules --yes clean-modules --yes
@ -41,8 +41,8 @@ FROM alpine:3.20.1 AS strip-backend
COPY --from=build-backend /app /app COPY --from=build-backend /app /app
RUN apk upgrade --no-cache -a && \ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates binutils file && \ apk add --no-cache ca-certificates binutils file && \
find /app/node_modules -name "*.node" -exec strip -s {} \; && \ find /app/node_modules -name "*.node" -type f -exec strip -s {} \; && \
find /app/node_modules -name "*.node" -exec file {} \; find /app/node_modules -name "*.node" -type f -exec file {} \;
FROM --platform="$BUILDPLATFORM" alpine:3.20.1 AS crowdsec FROM --platform="$BUILDPLATFORM" alpine:3.20.1 AS crowdsec
@ -67,13 +67,13 @@ RUN apk upgrade --no-cache -a && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:294-python FROM zoeyvid/nginx-quic:296-python
SHELL ["/bin/ash", "-eo", "pipefail", "-c"] SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY rootfs / COPY rootfs /
COPY --from=zoeyvid/certbot-docker:42 /usr/local /usr/local COPY --from=zoeyvid/certbot-docker:42 /usr/local /usr/local
COPY --from=zoeyvid/curl-quic:397 /usr/local/bin/curl /usr/local/bin/curl COPY --from=zoeyvid/curl-quic:397 /usr/local/bin/curl /usr/local/bin/curl
ARG CRS_VER=v4.3.0 ARG CRS_VER=v4.4.0
RUN apk upgrade --no-cache -a && \ RUN apk upgrade --no-cache -a && \
apk add --no-cache ca-certificates tzdata tini \ apk add --no-cache ca-certificates tzdata tini \
nodejs \ nodejs \

1
README.md
View file

@ -18,7 +18,6 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br> **Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br>
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).** <br> **Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).** <br>
**Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br> **Note: ModSecurity overblocking (403 Error)? Please see `/opt/npm/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
**Note: Internal/LAN Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini` before creating your certificates.** <br>
**Note: Other Databases like MariaDB may work, but are unsupported.** <br> **Note: Other Databases like MariaDB may work, but are unsupported.** <br>
**Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br> **Note: access.log/stream.log, logrotate and goaccess are NOT enabled by default bceuase of GDPR, you can enable them in the compose.yaml.** <br>

2
rootfs/etc/tls/certbot.ini
View file

@ -4,7 +4,7 @@ webroot-path = /tmp/acme-challenge
new-key= true new-key= true
key-type = ecdsa key-type = ecdsa
must-staple = true must-staple = false
no-reuse-key = true no-reuse-key = true
rsa-key-size = 4096 rsa-key-size = 4096
elliptic-curve = secp384r1 elliptic-curve = secp384r1