diff --git a/Dockerfile b/Dockerfile
index 3978fcf16..a0dd5f892 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,20 +73,34 @@ RUN apk upgrade --no-cache -a && \ FROM zoeyvid/nginx-quic:350-python SHELL ["/bin/ash", "-eo", "pipefail", "-c"] -COPY rootfs / -COPY --from=zoeyvid/certbot-docker:59 /usr/local /usr/local -COPY --from=zoeyvid/curl-quic:423 /usr/local/bin/curl /usr/local/bin/curl + +# until https://github.com/certbot/certbot/issues/9967 is closed +ENV PYTHONWARNINGS=ignore + +COPY rootfs / +COPY --from=zoeyvid/certbot-docker:60 /usr/local /usr/local +COPY --from=zoeyvid/curl-quic:423 /usr/local/bin/curl /usr/local/bin/curl + +COPY --from=strip-backend /app /app +COPY --from=frontend /app/dist /html/frontend + +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/plugins /usr/local/nginx/lib/lua/plugins +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/crowdsec.lua /usr/local/nginx/lib/lua/crowdsec.lua +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/ban.html /usr/local/nginx/conf/conf.d/include/ban.html +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/captcha.html /usr/local/nginx/conf/conf.d/include/captcha.html +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf /usr/local/nginx/conf/conf.d/include/crowdsec.conf +COPY --from=crowdsec /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf ARG CRS_VER=v4.8.0 RUN apk upgrade --no-cache -a && \ apk add --no-cache ca-certificates tzdata tini \ - nodejs \ - bash nano \ - logrotate \ + bash nano nodejs \ + logrotate goaccess fcgi \ lua5.1-lzlib lua5.1-socket \ coreutils grep findutils jq shadow su-exec \ luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \ - curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \ +# curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online --home /usr/local/acme.sh --nocron && \ +# ln -s 
/usr/local/acme.sh/acme.sh /usr/local/bin/acme.sh && \ curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/refs/heads/main/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh && \ chmod +x /usr/local/bin/certbot-ocsp-fetcher.sh && \ git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \ @@ -100,18 +114,7 @@ RUN apk upgrade --no-cache -a && \ luarocks-5.1 install lua-resty-string && \ luarocks-5.1 install lua-resty-openssl && \ yarn global add nginxbeautifier && \ - apk del --no-cache luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn - -COPY --from=strip-backend /app /app -COPY --from=frontend /app/dist /html/frontend -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/plugins /usr/local/nginx/lib/lua/plugins -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/crowdsec.lua /usr/local/nginx/lib/lua/crowdsec.lua -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/ban.html /usr/local/nginx/conf/conf.d/include/ban.html -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/captcha.html /usr/local/nginx/conf/conf.d/include/captcha.html -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf /usr/local/nginx/conf/conf.d/include/crowdsec.conf -COPY --from=crowdsec /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf - -RUN ln -s /usr/local/acme.sh/acme.sh /usr/local/bin/acme.sh && \ + apk del --no-cache luarocks5.1 lua5.1-dev lua5.1-sec build-base git yarn && \ ln -s /app/password-reset.js /usr/local/bin/password-reset.js && \ ln -s /app/sqlite-vaccum.js /usr/local/bin/sqlite-vaccum.js && \ ln -s /app/index.js /usr/local/bin/index.js 
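Review bot: The `curl .../certbot-ocsp-fetcher/refs/heads/main/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh` step that stays in this RUN (unchanged context) still installs an executable from a moving branch with no integrity check, and without `-f` an HTTP error page would be saved and marked executable. Now that the acme.sh `curl | sh` from `master` is disabled, this is the remaining unpinned script download in the hunk. Pin it to a commit and verify it, e.g. `curl -fsSL https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/<COMMIT_SHA>/certbot-ocsp-fetcher -o /usr/local/bin/certbot-ocsp-fetcher.sh && \` followed by `echo "<SHA256>  /usr/local/bin/certbot-ocsp-fetcher.sh" | sha256sum -c - && \` (both values are placeholders to fill in). The two commented-out acme.sh lines would be cleaner deleted than left inside the continued RUN, which itself runs on past the end of this hunk.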
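Review bot: With the `COPY --from=strip-backend` and `COPY --from=frontend` lines removed here and re-added above the RUN in the previous hunk, every backend or frontend change now invalidates this RUN layer and re-executes its network installs. Those installs are unpinned in the lines visible here (`luarocks-5.1 install lua-resty-string`, `luarocks-5.1 install lua-resty-openssl`, `yarn global add nginxbeautifier`), so an application-only change can silently pull different third-party code into the image. Either keep the application COPY lines after the RUN, or pin the versions, e.g. `yarn global add nginxbeautifier@<VERSION>` and `luarocks-5.1 install lua-resty-openssl <VERSION>` (placeholders). The RUN starts before this hunk.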
@@ -121,9 +124,6 @@ ENV NODE_ENV=production \ NODE_CONFIG_DIR=/data/etc/npm \ DB_SQLITE_FILE=/data/etc/npm/database.sqlite -# until https://github.com/certbot/certbot/issues/9967 is closed -ENV PYTHONWARNINGS=ignore - ENV ACME_SERVER="https://acme-v02.api.letsencrypt.org/directory" \ PUID=0 \ PGID=0 \ diff --git a/backend/package.json b/backend/package.json index 445c07bc1..927b94a5b 100644 --- a/backend/package.json +++ b/backend/package.json @@ -11,8 +11,8 @@ "batchflow": "0.4.0", "bcrypt": "5.1.1", "better-sqlite3": "11.5.0", - "body-parser": "2.0.1", - "compression": "1.7.4", + "body-parser": "2.0.2", + "compression": "1.7.5", "express": "4.21.1", "express-fileupload": "1.5.1", "gravatar": "1.8.2", @@ -31,8 +31,8 @@ "license": "MIT", "devDependencies": { "@apidevtools/swagger-parser": "10.1.0", - "@eslint/js": "9.13.0", - "eslint": "9.13.0", + "@eslint/js": "9.14.0", + "eslint": "9.14.0", "eslint-config-prettier": "9.1.0", "eslint-plugin-prettier": "5.2.1", "globals": "15.11.0", diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs index 168248de1..78ce92946 100644 --- a/frontend/js/app/nginx/dead/form.ejs +++ b/frontend/js/app/nginx/dead/form.ejs @@ -8,7 +8,7 @@
diff --git a/frontend/js/app/nginx/dead/list/main.ejs b/frontend/js/app/nginx/dead/list/main.ejs index e018a74b0..1ca4cd395 100644 --- a/frontend/js/app/nginx/dead/list/main.ejs +++ b/frontend/js/app/nginx/dead/list/main.ejs @@ -1,7 +1,7 @@   <%- i18n('str', 'source') %> - <%- i18n('str', 'ssl') %> + <%- i18n('str', 'tls') %> <%- i18n('str', 'status') %> <% if (canManage) { %>   diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs index b3465040c..e0f104d1f 100644 --- a/frontend/js/app/nginx/proxy/form.ejs +++ b/frontend/js/app/nginx/proxy/form.ejs @@ -9,7 +9,7 @@
diff --git a/frontend/js/app/nginx/proxy/list/main.ejs b/frontend/js/app/nginx/proxy/list/main.ejs index 6de5b9c68..b6dec637f 100644 --- a/frontend/js/app/nginx/proxy/list/main.ejs +++ b/frontend/js/app/nginx/proxy/list/main.ejs @@ -2,7 +2,7 @@   <%- i18n('str', 'source') %> <%- i18n('str', 'destination') %> - <%- i18n('str', 'ssl') %> + <%- i18n('str', 'tls') %> <%- i18n('str', 'access') %> <%- i18n('str', 'status') %> <% if (canManage) { %> diff --git a/frontend/js/app/nginx/redirection/form.ejs b/frontend/js/app/nginx/redirection/form.ejs index ce1da7e67..2a3727c89 100644 --- a/frontend/js/app/nginx/redirection/form.ejs +++ b/frontend/js/app/nginx/redirection/form.ejs @@ -8,7 +8,7 @@
diff --git a/frontend/js/app/nginx/redirection/list/main.ejs b/frontend/js/app/nginx/redirection/list/main.ejs index 8b6930d60..d2dedb8b5 100644 --- a/frontend/js/app/nginx/redirection/list/main.ejs +++ b/frontend/js/app/nginx/redirection/list/main.ejs @@ -4,7 +4,7 @@ <%- i18n('redirection-hosts', 'forward-http-status-code') %> <%- i18n('redirection-hosts', 'forward-scheme') %> <%- i18n('str', 'destination') %> - <%- i18n('str', 'ssl') %> + <%- i18n('str', 'tls') %> <%- i18n('str', 'status') %> <% if (canManage) { %>   diff --git a/frontend/js/i18n/de-lang.json b/frontend/js/i18n/de-lang.json index 07b394f46..09c56a61f 100644 --- a/frontend/js/i18n/de-lang.json +++ b/frontend/js/i18n/de-lang.json @@ -95,6 +95,7 @@ "delete": "Löschen" }, "tls": { + "letsencrypt": "Certbot", "certbot": "Certbot", "other": "Individuell", "none": "Nur HTTP", @@ -268,9 +269,11 @@ "certificate": "Zertifikat", "access-list": "Zugriffsliste", "created": "Erstellt {name}", + "updated": "Aktualisiert {name}", "deleted": "Gelöscht {name}", "enabled": "Aktiviert {name}", "disabled": "Deaktiviert {name}", + "renewed": "Erneuert {name}", "meta-title": "Details zur Veranstaltung", "view-meta": "Details anzeigen", "date": "Date", diff --git a/frontend/js/i18n/en-lang.json b/frontend/js/i18n/en-lang.json index 81a2a04ac..b37ca115a 100644 --- a/frontend/js/i18n/en-lang.json +++ b/frontend/js/i18n/en-lang.json @@ -95,6 +95,7 @@ "delete": "Delete" }, "tls": { + "letsencrypt": "Certbot", "certbot": "Certbot", "other": "Custom", "none": "HTTP only", @@ -268,9 +269,11 @@ "certificate": "Certificate", "access-list": "Access List", "created": "Created {name}", + "updated": "Updated {name}", "deleted": "Deleted {name}", "enabled": "Enabled {name}", "disabled": "Disabled {name}", + "renewed": "Renewed {name}", "meta-title": "Details for Event", "view-meta": "View Details", "date": "Date", diff --git a/rootfs/etc/logrotate b/rootfs/etc/logrotate index 1074e1ea0..eb5684eac 100644 --- a/rootfs/etc/logrotate 
+++ b/rootfs/etc/logrotate @@ -5,8 +5,10 @@ notifempty compress sharedscripts + prerotate + if [ -n "$(pgrep goaccess)" ]; then pkill goaccess; fi + endscript postrotate if [ -s /usr/local/nginx/logs/nginx.pid ]; then nginx -s reload; fi - kill "$(pgrep goaccess)" endscript } diff --git a/rootfs/usr/local/bin/launch.sh b/rootfs/usr/local/bin/launch.sh index e32d69153..c4923f22b 100755 --- a/rootfs/usr/local/bin/launch.sh +++ b/rootfs/usr/local/bin/launch.sh 
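Review bot: The new `prerotate` line sends the signal and returns at once, so nothing in this hunk guarantees goaccess has exited (and finished writing its persisted data) before the log is rotated and compressed. `pkill` without `-x` also matches any process whose name merely contains `goaccess`, and if the process disappears between `pgrep` and `pkill` the script's non-zero status may make logrotate skip the rotation; that is worth confirming against the logrotate version in the image. A tighter form is `pkill -x goaccess || true` followed by a short bounded wait such as `i=0; while pgrep -x goaccess > /dev/null && [ "$i" -lt 10 ]; do sleep 1; i=$((i+1)); done`.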
@@ -70,13 +70,13 @@ if [ ! -d /data/tls/certbot/accounts/"$(echo "$ACME_SERVER" | sed "s|^https\?:// fi fi +touch /data/etc/logrotate.lock if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi & if [ "$PHP83" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/83/conf.d php-fpm83 -c /data/php/83 -y /data/php/83/php-fpm.conf -FOR; fi & -if [ "$LOGROTATE" = "true" ] && [ "$GOA" = "false" ]; then sleep 1m; while true; do logrotate --verbose --state /data/etc/logrotate.status /etc/logrotate; sleep 25h; done; fi & -if [ "$LOGROTATE" = "true" ] && [ "$GOA" = "true" ]; then sleep 1m; while true; do killall goaccess; sleep 10s; logrotate --verbose --state /data/etc/logrotate.status /etc/logrotate; sleep 25h; done; fi & +if [ "$LOGROTATE" = "true" ]; then while true; do touch /data/etc/logrotate.lock; logrotate --verbose --state /data/etc/logrotate.state /etc/logrotate; rm /data/etc/logrotate.lock; sleep 25h; done; fi & # shellcheck disable=SC2086 -if [ "$GOA" = "true" ]; then while true; do goaccess --no-global-config --num-tests=0 --tz="$TZ" --date-format="%d/%b/%Y" --time-format="%H:%M:%S" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --no-ip-validation --addr=127.0.0.1 --port="$GOAIWSP" \ - -f /data/nginx/access.log --real-time-html -o /tmp/goa/index.html --persist --restore --db-path=/data/etc/goaccess/data -b /etc/goaccess/browsers.list -b /etc/goaccess/podcast.list $GOACLA; done; fi & +if [ "$GOA" = "true" ]; then while true; do if [ ! 
-f /data/etc/logrotate.lock ]; then goaccess --no-global-config --num-tests=0 --tz="$TZ" --date-format="%d/%b/%Y" --time-format="%H:%M:%S" --log-format='[%d:%t %^] %v %h %T "%r" %s %b %b %R %u' --no-ip-validation \ + --addr=127.0.0.1 --port="$GOAIWSP" -f /data/nginx/access.log --real-time-html -o /tmp/goa/index.html --persist --restore --db-path=/data/etc/goaccess/data -b /etc/goaccess/browsers.list -b /etc/goaccess/podcast.list $GOACLA; else sleep 10s; fi; done; fi & aio.sh & index.js diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh index 5342708c2..0237bd082 100755 --- a/rootfs/usr/local/bin/start.sh +++ b/rootfs/usr/local/bin/start.sh @@ -267,8 +267,16 @@ if [ "$GOA" = "true" ] && [ "$LOGROTATE" = "false" ]; then sleep inf fi -if [ -s /data/etc/goaccess/geoip/GeoLite2-Country.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-City.mmdb ] && [ -s /data/etc/goaccess/geoip/GeoLite2-ASN.mmdb ] && echo "$GOACLA" | grep -vq "geoip-database"; then - export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-Country.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-City.mmdb --geoip-database=/data/etc/goaccess/geoip/GeoLite2-ASN.mmdb" +if echo "$GOACLA" | grep -vq "geoip-database"; then + if [ -s /data/etc/goaccess/geoip/GeoLite2-City.mmdb ]; then + export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-City.mmdb" + fi + if [ -s /data/etc/goaccess/geoip/GeoLite2-Country.mmdb ]; then + export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-Country.mmdb" + fi + if [ -s /data/etc/goaccess/geoip/GeoLite2-ASN.mmdb ]; then + export GOACLA="$GOACLA --geoip-database=/data/etc/goaccess/geoip/GeoLite2-ASN.mmdb" + fi fi if [ -n "$GOACLA" ] && ! echo "$GOACLA" | grep -q "^-[a-zA-Z0-9 =/_.-]\+$"; then 
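Review bot: The unconditional `touch /data/etc/logrotate.lock` is only ever removed by the logrotate loop, which runs only when `LOGROTATE` is `true`; with `GOA=true` and any other `LOGROTATE` value the goaccess loop would sleep in 10s steps forever. start.sh appears to halt the container for `GOA=true` with `LOGROTATE=false`, so this may be unreachable, but guarding the line keeps this script correct on its own: `if [ "$LOGROTATE" = "true" ]; then touch /data/etc/logrotate.lock; fi`. The protocol now spans this script and the logrotate `prerotate` script, so a comment above the touch would help, e.g. `# logrotate.lock exists while logrotate runs; the goaccess loop waits for it to be removed before starting goaccess`.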
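Review bot: `grep -vq "geoip-database"` on the new outer `if` succeeds when any line of `$GOACLA` lacks the string, not when the string is absent, so the intent is only met for single-line values. `if ! echo "$GOACLA" | grep -q "geoip-database"; then` states the condition directly. The allow-list check at the end of the hunk is line-based in the same way (it passes if one line matches), so rejecting values that contain a newline before either test would close that gap. That check's body continues outside the hunk.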
@@ -403,28 +411,20 @@ elif [ "$FULLCLEAN" = "true" ]; then rm -vrf /data/php/83 fi -if [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; then - - apk add --no-cache fcgi - +if { [ "$PHP82" = "true" ] || [ "$PHP83" = "true" ]; } && [ -n "$PHP_APKS" ]; then # From https://github.com/nextcloud/all-in-one/pull/1377/files - if [ -n "$PHP_APKS" ]; then - for apk in $(echo "$PHP_APKS" | tr " " "\n"); do - - if ! echo "$apk" | grep -q "^php-.*$"; then - echo "$apk is a non allowed value." - echo "It needs to start with \"php-\"." - echo "It is set to \"$apk\"." - sleep inf - fi - - echo "Installing $apk via apk..." - if ! apk add --no-cache "$apk" > /dev/null 2>&1; then - echo "The apk \"$apk\" was not installed!" - fi - - done - fi + for apk in $(echo "$PHP_APKS" | tr " " "\n"); do + if ! echo "$apk" | grep -q "^php-.*$"; then + echo "$apk is a non allowed value." + echo "It needs to start with \"php-\"." + echo "It is set to \"$apk\"." + sleep inf + fi + echo "Installing $apk via apk..." + if ! apk add --no-cache "$apk" > /dev/null 2>&1; then + echo "The apk \"$apk\" was not installed!" + fi + done fi @@ -469,6 +469,10 @@ if [ -s /data/database.sqlite ] && [ "$DB_SQLITE_FILE" != "/data/database.sqlite mv -vn /data/database.sqlite "$DB_SQLITE_FILE" fi +if [ -s /data/etc/logrotate.status ]; then + mv -vn /data/etc/logrotate.status /data/etc/logrotate.state +fi + if [ -s /data/keys.json ]; then mv -vn /data/keys.json /data/etc/npm/keys.json fi 
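Review bot: In the re-indented loop, `apk add --no-cache "$apk" > /dev/null 2>&1` throws away the reason an install failed, and startup then carries on without the package. Keeping stderr, `if ! apk add --no-cache "$apk" > /dev/null; then`, lets the operator see whether the name was wrong or the repository was unreachable. The prefix test `^php-.*$` also accepts any characters after `php-`; if version constraints are not needed, a character class such as `^php-[a-zA-Z0-9_.+-]\+$` would document what a valid package name looks like.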
@@ -982,10 +986,9 @@ fi sed -i "s|quic default_server|quic reuseport default_server|g" /data/nginx/default.conf if [ "$GOA" = "true" ]; then - apk add --no-cache goaccess mkdir -vp /data/etc/goaccess/data /data/etc/goaccess/geoip - cp -van /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf - cp -van /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf + cp -va /usr/local/nginx/conf/conf.d/include/goaccess.conf /usr/local/nginx/conf/conf.d/goaccess.conf + cp -va /usr/local/nginx/conf/conf.d/include/goaccess-no-server-name.conf /usr/local/nginx/conf/conf.d/goaccess-no-server-name.conf elif [ "$FULLCLEAN" = "true" ]; then rm -vrf /data/etc/goaccess fi