dep updates/enable ssl_dyn_rec_enable/fix nginx in background/remove …

…tempwrite

Signed-off-by: Zoey <zoey@z0ey.de>

.gitignore

@@ -1,3 +1,6 @@
+backend/certbot-dns-plugins.js
+frontend/certbot-dns-plugins.js
+
 # User-specific stuff
 .idea
 desktop.files.json
@@ -780,4 +783,4 @@ node_modules/
 # ignore log files and databases
 *.log
 *.sql
-*.sqlite
+*.sqlite

Dockerfile

@@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
  sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/crowdsec.conf|g" lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:157
+FROM zoeyvid/nginx-quic:176
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata \
  lua5.1-lzlib \

README.md

@@ -20,6 +20,9 @@ running at home or otherwise, including free TLS, without having to know too muc
 - [Screenshots](https://nginxproxymanager.com/screenshots)
 
 
+# Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
+
+
 ## Project Goal
 
 I created this project to fill a personal need to provide users with a easy way to accomplish reverse

backend/internal/certificate.js

@@ -1,7 +1,6 @@
 const _ = require('lodash');
 const fs = require('fs');
 const https = require('https');
-const tempWrite = require('temp-write');
 const moment = require('moment');
 const logger = require('../logger').ssl;
 const error = require('../lib/error');
@@ -11,6 +10,7 @@ const dnsPlugins = require('../certbot-dns-plugins');
 const internalAuditLog = require('./audit-log');
 const internalNginx = require('./nginx');
 const archiver = require('archiver');
+const crypto = require('crypto');
 const path = require('path');
 const { isArray } = require('lodash');
 
@@ -637,8 +637,10 @@ const internalCertificate = {
  * @param {String} private_key This is the entire key contents as a string
  */
  checkPrivateKey: (private_key) => {
- return tempWrite(private_key, '/tmp')
- .then((filepath) => {
+ const randomName = crypto.randomBytes(8).toString('hex');
+ const filepath = path.join('/tmp', 'certificate_' + randomName);
+ return fs.writeFileSync(filepath, private_key)
+ .then(() => {
  return new Promise((resolve, reject) => {
  const failTimeout = setTimeout(() => {
  reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
@@ -670,8 +672,10 @@ const internalCertificate = {
  * @param {Boolean} [throw_expired] Throw when the certificate is out of date
  */
  getCertificateInfo: (certificate, throw_expired) => {
- return tempWrite(certificate, '/tmp')
- .then((filepath) => {
+ const randomName = crypto.randomBytes(8).toString('hex');
+ const filepath = path.join('/root', 'certificate_' + randomName);
+ return fs.writeFileSync(filepath, certificate)
+ .then(() => {
  return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired)
  .then((certData) => {
  fs.unlinkSync(filepath);

backend/internal/nginx.js

@@ -5,6 +5,8 @@ const config = require('../lib/config');
 const utils = require('../lib/utils');
 const error = require('../lib/error');
 
+const NgxPidFilePath = '/usr/local/nginx/logs/nginx.pid';
+
 const internalNginx = {
 
  /**
@@ -111,11 +113,21 @@ const internalNginx = {
  /**
  * @returns {Promise}
  */
+
  reload: () => {
  return internalNginx.test()
  .then(() => {
- logger.info('Restarting Nginx');
- return utils.exec('kill $(cat /usr/local/nginx/logs/nginx.pid); nginx');
+ if (fs.existsSync(NgxPidFilePath)) {
+ const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
+ if (ngxPID.length > 0) {
+ logger.info('Killing Nginx');
+ utils.exec(`kill ${ngxPID}`);
+ }
+ }
+ logger.info('Starting Nginx after three seconds');
+ setTimeout(() => {
+ utils.execfg('nginx');
+ }, 3000);
  });
  },
 

backend/lib/config.js

@@ -96,7 +96,7 @@ const generateKeys = () => {
  try {
  fs.writeFileSync(keysFile, JSON.stringify(keys, null, 2));
  } catch (err) {
- logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' . err.message);
+ logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' + err.message);
  process.exit(1);
  }
  logger.info('Wrote JWT key pair to config file: ' + keysFile);

backend/lib/utils.js

@@ -1,5 +1,6 @@
 const _ = require('lodash');
 const exec = require('child_process').exec;
+const spawn = require('child_process').spawn;
 const execFile = require('child_process').execFile;
 const { Liquid } = require('liquidjs');
 const logger = require('../logger').global;
@@ -22,6 +23,33 @@ module.exports = {
  });
  },
 
+ /**
+ * @param {String} cmd
+ * @returns {Promise}
+ */
+ execfg: function (cmd) {
+ return new Promise((resolve, reject) => {
+ const childProcess = spawn(cmd, {
+ shell: true,
+ detached: true,
+ stdio: 'inherit' // Use the same stdio as the current process
+ });
+
+ childProcess.on('error', (err) => {
+ reject(err);
+ });
+
+ childProcess.on('close', (code) => {
+ if (code !== 0) {
+ reject(new Error(`Command '${cmd}' exited with code ${code}`));
+ } else {
+ resolve();
+ }
+ });
+ });
+ },
+
+
  /**
  * @param {String} cmd
  * @param {Array} args

backend/package.json

@@ -14,23 +14,25 @@
  "express": "4.18.2",
  "express-fileupload": "1.4.0",
  "gravatar": "1.8.2",
- "jsonwebtoken": "9.0.0",
+ "jsonwebtoken": "9.0.1",
  "knex": "2.4.2",
- "liquidjs": "10.8.2",
+ "liquidjs": "10.8.4",
  "lodash": "4.17.21",
  "moment": "2.29.4",
  "mysql": "2.18.1",
  "node-rsa": "1.1.1",
- "objection": "3.0.1",
+ "objection": "3.0.4",
  "path": "0.12.7",
  "signale": "1.4.0",
- "sqlite3": "5.1.6",
- "temp-write": "4.0.0"
+ "sqlite3": "5.1.6"
+ },
+ "resolutions": {
+ "semver": "7.5.4"
  },
  "author": "Jamie Curnow <jc@jc21.com>",
  "license": "MIT",
  "devDependencies": {
- "eslint": "8.42.0",
+ "eslint": "8.44.0",
  "eslint-plugin-align-assignments": "1.1.2"
  }
 }

frontend/package.json

@@ -4,7 +4,7 @@
  "description": "A beautiful interface for creating Nginx endpoints",
  "main": "js/index.js",
  "dependencies": {
- "@babel/core": "7.22.5",
+ "@babel/core": "7.22.8",
  "babel-core": "6.26.3",
  "babel-loader": "8.3.0",
  "babel-preset-env": "1.7.0",

rootfs/bin/launch.sh

@@ -35,7 +35,6 @@ if [ "$PHP82" = "true" ]; then
  fi
 fi
 
-nginx &
 if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
 if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
 index.js &

rootfs/usr/local/nginx/conf/nginx.conf

@@ -42,6 +42,7 @@ http {
  http2 on;
  http3 on;
  quic_retry on;
+ ssl_dyn_rec_enable on;
 
  #resolver ;
  fastcgi_index index.php;