From 5e9619beef7512add5ecb1f2d92f66f92397f745 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 19 Apr 2024 21:24:37 +0000
Subject: [PATCH] close #782/update coreruleset/switch to freenginx/dep updates/remove aws cloudfront ips/block apache files

Signed-off-by: Zoey
---
 Dockerfile                                  | 4 +--
 README.md                                   | 2 +-
 backend/internal/ip_ranges.js               | 25 +------------------
 backend/package.json                        | 8 +++--
 backend/templates/ip_ranges.conf            | 10 +++++++-
 renovate.json                               | 2 +-
 .../conf/conf.d/include/acme-challenge.conf | 4 +++
 7 files changed, 22 insertions(+), 33 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index bc4e23a46..8bbac51b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,10 +58,10 @@ RUN apk upgrade --no-cache -a && \
     echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
     sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
-FROM zoeyvid/nginx-quic:271
+FROM zoeyvid/nginx-quic:python-275
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-ARG CRS_VER=v4.1.0
+ARG CRS_VER=v4.2.0
 
 COPY rootfs /
 COPY --from=zoeyvid/certbot-docker:34 /usr/local /usr/local
diff --git a/README.md b/README.md
index 0a6cb2dc4..7b88df72c 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ running at home or otherwise, including free TLS, without having to know too muc
 **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
---> **Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.**
-**Note: NO armv7 and route53 support.**
+**Note: NO armv7, route53 and aws cloudfront ip ranges support.**
**Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.**
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
diff --git a/backend/internal/ip_ranges.js b/backend/internal/ip_ranges.js
index 19b1f6bf3..4518db872 100644
--- a/backend/internal/ip_ranges.js
+++ b/backend/internal/ip_ranges.js
@@ -5,7 +5,6 @@
 const error = require('../lib/error');
 const utils = require('../lib/utils');
 const internalNginx = require('./nginx');
 
-const CLOUDFRONT_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json';
 const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4';
 const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6';
@@ -57,29 +56,7 @@ const internalIpRanges = {
 		let ip_ranges = [];
 
 		return internalIpRanges
-			.fetchUrl(CLOUDFRONT_URL)
-			.then((cloudfront_data) => {
-				const data = JSON.parse(cloudfront_data);
-
-				if (data && typeof data.prefixes !== 'undefined') {
-					data.prefixes.map((item) => {
-						if (item.service === 'CLOUDFRONT') {
-							ip_ranges.push(item.ip_prefix);
-						}
-					});
-				}
-
-				if (data && typeof data.ipv6_prefixes !== 'undefined') {
-					data.ipv6_prefixes.map((item) => {
-						if (item.service === 'CLOUDFRONT') {
-							ip_ranges.push(item.ipv6_prefix);
-						}
-					});
-				}
-			})
-			.then(() => {
-				return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL);
-			})
+			.fetchUrl(CLOUDFARE_V4_URL)
 			.then((cloudfare_data) => {
 				const items = cloudfare_data.split('\n').filter((line) => regIpV4.test(line));
 				ip_ranges = [...ip_ranges, ...items];
diff --git a/backend/package.json b/backend/package.json
index c2692aeef..6dd3e39af 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -4,7 +4,7 @@
   "description": "A beautiful interface for creating Nginx endpoints",
   "main": "index.js",
   "dependencies": {
-    "@apidevtools/json-schema-ref-parser": "11.5.5",
+    "@apidevtools/json-schema-ref-parser": "11.6.1",
     "ajv": "6.12.6",
     "archiver": "7.0.1",
     "batchflow": "0.4.0",
@@ -16,7 +16,7 @@
     "gravatar": "1.8.2",
     "jsonwebtoken": "9.0.2",
     "knex": "3.1.0",
-    "liquidjs": "10.11.0",
+    "liquidjs": "10.11.1",
     "lodash": "4.17.21",
     "moment": "2.30.1",
     "mysql": "2.18.1",
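Review bot: Every line that survives the `regIpV4.test(line)` filter on the `.then((cloudfare_data)` step is written verbatim into `set_real_ip_from` through the ip_ranges.conf template, so that regex is the only check between the fetched HTTP body and the generated nginx config; it should be anchored (`^…$`) and must not carry the `g` flag, because `test()` on a global regex advances `lastIndex` and would skip alternating lines — its definition is outside the hunk, so please confirm. With the CloudFront step gone, `ip_ranges` is always empty when that callback runs, so `let ip_ranges = [];` plus `ip_ranges = [...ip_ranges, ...items];` could become `const ip_ranges = [];` and `ip_ranges.push(...items);`, which also makes clear that the list now consists of Cloudflare ranges only. The enclosing method of `internalIpRanges` starts before and ends after the hunk.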
@@ -29,8 +29,8 @@
   "author": "Jamie Curnow and ZoeyVid ",
   "license": "MIT",
   "devDependencies": {
-    "@eslint/js": "9.0.0",
-    "eslint": "9.0.0",
+    "@eslint/js": "9.1.1",
+    "eslint": "9.1.1",
     "eslint-config-prettier": "9.1.0",
     "eslint-plugin-prettier": "5.1.3",
     "globals": "15.0.0",
diff --git a/backend/templates/ip_ranges.conf b/backend/templates/ip_ranges.conf
index 8ede2bd99..ee7db9359 100644
--- a/backend/templates/ip_ranges.conf
+++ b/backend/templates/ip_ranges.conf
@@ -1,3 +1,11 @@
 {% for range in ip_ranges %}
 set_real_ip_from {{ range }};
-{% endfor %}
\ No newline at end of file
+{% endfor %}
+
+map $http_cf_connecting_ip $real_ip {
+	"" $http_x_real_ip;
+	default $http_cf_connecting_ip;
+}
+
+more_set_input_headers "X-IP: $real_ip";
+real_ip_header X-IP;
diff --git a/renovate.json b/renovate.json
index 0897d9b39..242772694 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,7 @@
   "extends": [
     "config:base"
   ],
-  "baseBranches": [],
+  "baseBranches": ["develop", "php"],
   "includeForks": true,
   "automerge": false,
   "branchPrefix": "renovate-deps-update-",
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
index fcad5607e..978f6dcec 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
@@ -16,3 +16,7 @@ location = /nftd {
 location /nftd/ {
 	alias /nftd/;
 }
+
+location ~ /\.ht {
+	deny all;
+}
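Review bot: The `map` added after `{% endfor %}` makes a CF-Connecting-IP value win over X-Real-IP whenever one is present, and the realip module then honours that X-IP header from any peer listed in `set_real_ip_from`; this is only sound while every range in that list is a Cloudflare edge, which holds after this commit because ip_ranges.js now fetches Cloudflare ranges only, but a future non-Cloudflare entry would let clients behind that proxy choose their own reported address. Nothing in the template records that assumption, so a comment such as `# every range above must be a Cloudflare edge: CF-Connecting-IP is trusted unconditionally from these peers, X-Real-IP only as a fallback when it is absent` would keep later additions from silently widening the trust. `more_set_input_headers` needs the headers-more module, which the template cannot verify; presumably the base image ships it. `real_ip_recursive` is left unset, so only the immediate peer is matched against the list, which is the right default here.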
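Review bot: The new `location ~ /\.ht { deny all; }` block covers only the Apache `.htaccess`/`.htpasswd` family, while other dotfile paths under the same roots (`.git`, `.env` and the like) are still served; `location ~ /\.(?!well-known/) { deny all; }` would refuse every dotfile path and still let the ACME challenge directory through. Because this is a regex location inside an include, it competes in file order with any other `~` location of the including server block and yields only to `=` and `^~` locations, so it is worth confirming that the `.well-known/acme-challenge` location (presumably earlier in this file, outside the hunk) is declared with `^~` or as an exact match. `deny all` answers 403, which still confirms that the path exists; `return 404;` is the quieter choice for a hardening rule.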