Merge branch 'master' of https://github.com/LePresidente/docker-nginx-proxy-manager into crowdsec_rework

LePresidente · LePresidente · commit 61fb0e52ee19 · 2024-07-24T10:33:06.000+02:00
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -100,22 +100,22 @@ jobs:
           #echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: arm,arm64,ppc64le,mips64,s390x
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
         if: ${{ steps.prep.outputs.is_release == 'yes' }}
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: ${{ steps.prep.outputs.is_release == 'yes' }}
           provenance: false
@@ -132,12 +132,12 @@ jobs:
           docker buildx imagetools inspect ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.prep.outputs.version }}
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         if: ${{ steps.prep.outputs.release_type == 'standard' }}
 
       - name: Dockerhub description
         if: ${{ steps.prep.outputs.release_type == 'standard' }}
-        uses: peter-evans/dockerhub-description@v3
+        uses: peter-evans/dockerhub-description@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,7 @@ ARG DOCKER_IMAGE_VERSION=
 # Define software versions.
 ARG OPENRESTY_VERSION=1.19.9.1
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
-ARG NGINX_PROXY_MANAGER_VERSION=2.10.4
+ARG NGINX_PROXY_MANAGER_VERSION=2.11.3
 ARG NGINX_HTTP_GEOIP2_MODULE_VERSION=3.3
 ARG LIBMAXMINDDB_VERSION=1.5.0
 ARG BCRYPT_TOOL_VERSION=1.1.2
@@ -89,7 +89,7 @@ COPY src/cs-openresty-bouncer /build
 RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
 
 # Pull base image.
-FROM jlesage/baseimage:alpine-3.16-v3.5.2
+FROM jlesage/baseimage:alpine-3.16-v3.6.2
 
 ARG NGINX_PROXY_MANAGER_VERSION
 ARG DOCKER_IMAGE_VERSION
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2024 Jocelyn Le Sage
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/README.md b/README.md
@@ -1,3 +1,39 @@
+## Note
+
+This is a drop in replacement for [jlesage/nginx-proxy-manager](https://hub.docker.com/r/jlesage/nginx-proxy-manager)
+
+This fork includes the [OpenResty Crowdsec Bouncer](https://github.com/crowdsecurity/cs-openresty-bouncer)
+
+Please see the [crowdsec_support](https://github.com/LePresidente/docker-nginx-proxy-manager/tree/crowdsec_support) branch for the changes as 
+
+Docker images hosted on dockerhub.
+
+https://hub.docker.com/r/lepresidente/nginx-proxy-manager
+
+| TAG       | cs-openresty-bouncer version|
+|-----------|-----------------------------|
+| latest    | 0.1.10 (PreRelease)          |
+
+
+Instructions to use:
+Starting the container at this point will start Nginx-Proxy-Manager as before but will create a new file in /config/crowdsec/ called crowdsec-openresty-bouncer.conf
+
+You will need to edit this file with at least the following changes then restart the container.
+
+```
+ENABLED=true
+API_URL=http://<crowdsecserver>:8080
+API_KEY=<APIKEY>
+```
+
+the crowdsec api key can be generated on the crowdsec instance using the following command 
+
+```
+cscli bouncers add npm-proxy
+```
+
+Currently this is a side project and I will try keep this up to date
+
 # Docker container for Nginx Proxy Manager
 [![Release](https://img.shields.io/github/release/jlesage/docker-nginx-proxy-manager.svg?logo=github&style=for-the-badge)](https://github.com/jlesage/docker-nginx-proxy-manager/releases/latest)
 [![Docker Image Size](https://img.shields.io/docker/image-size/jlesage/nginx-proxy-manager/latest?logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/nginx-proxy-manager/tags)
@@ -79,15 +115,15 @@ docker run [-d] \
 
 | Parameter | Description |
 |-----------|-------------|
-| -d        | Run the container in the background.  If not set, the container runs in the foreground. |
-| -e        | Pass an environment variable to the container.  See the [Environment Variables](#environment-variables) section for more details. |
-| -v        | Set a volume mapping (allows to share a folder/file between the host and the container).  See the [Data Volumes](#data-volumes) section for more details. |
-| -p        | Set a network port mapping (exposes an internal container port to the host).  See the [Ports](#ports) section for more details. |
+| -d        | Run the container in the background. If not set, the container runs in the foreground. |
+| -e        | Pass an environment variable to the container. See the [Environment Variables](#environment-variables) section for more details. |
+| -v        | Set a volume mapping (allows to share a folder/file between the host and the container). See the [Data Volumes](#data-volumes) section for more details. |
+| -p        | Set a network port mapping (exposes an internal container port to the host). See the [Ports](#ports) section for more details. |
 
 ### Environment Variables
 
 To customize some properties of the container, the following environment
-variables can be passed via the `-e` parameter (one for each variable).  Value
+variables can be passed via the `-e` parameter (one for each variable). Value
 of this parameter has the format `<VARIABLE_NAME>=<VALUE>`.
 
 | Variable       | Description                                  | Default |
@@ -108,7 +144,7 @@ of this parameter has the format `<VARIABLE_NAME>=<VALUE>`.
 #### Deployment Considerations
 
 Many tools used to manage Docker containers extract environment variables
-defined by the Docker image and use them to create/deploy the container.  For
+defined by the Docker image and use them to create/deploy the container. For
 example, this is done by:
   - The Docker application on Synology NAS
   - The Container Station on QNAP NAS
@@ -120,33 +156,33 @@ variables to fit its needs, it can also be confusing and dangerous to keep all
 of them.
 
 A good practice is to set/keep only the variables that are needed for the
-container to behave as desired in a specific setup.  If the value of variable is
-kept to its default value, it means that it can be removed.  Keep in mind that
+container to behave as desired in a specific setup. If the value of variable is
+kept to its default value, it means that it can be removed. Keep in mind that
 all variables are optional, meaning that none of them is required for the
 container to start.
 
 Removing environment variables that are not needed provides some advantages:
 
-  - Prevents keeping variables that are no longer used by the container.  Over
+  - Prevents keeping variables that are no longer used by the container. Over
     time, with image updates, some variables might be removed.
-  - Allows the Docker image to change/fix a default value.  Again, with image
+  - Allows the Docker image to change/fix a default value. Again, with image
     updates, the default value of a variable might be changed to fix an issue,
     or to better support a new feature.
   - Prevents changes to a variable that might affect the correct function of
-    the container.  Some undocumented variables, like `PATH` or `ENV`, are
-    required to be exposed, but are not meant to be changed by users.  However,
+    the container. Some undocumented variables, like `PATH` or `ENV`, are
+    required to be exposed, but are not meant to be changed by users. However,
     container management tools still show these variables to users.
   - There is a bug with the Container Station on QNAP and the Docker application
     on Synology, where an environment variable without value might not be
-    allowed.  This behavior is wrong: it's absolutely fine to have a variable
-    without value.  In fact, this container does have variables without value by
-    default.  Thus, removing unneeded variables is a good way to prevent
+    allowed. This behavior is wrong: it's absolutely fine to have a variable
+    without value. In fact, this container does have variables without value by
+    default. Thus, removing unneeded variables is a good way to prevent
     deployment issue on these devices.
 
 ### Data Volumes
 
-The following table describes data volumes used by the container.  The mappings
-are set via the `-v` parameter.  Each mapping is specified with the following
+The following table describes data volumes used by the container. The mappings
+are set via the `-v` parameter. Each mapping is specified with the following
 format: `<HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS]`.
 
 | Container path  | Permissions | Description |
@@ -158,8 +194,8 @@ format: `<HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS]`.
 Here is the list of ports used by the container.
 
 When using the default bridge network, ports can be mapped to the host via the
-`-p` parameter (one per port mapping).  Each mapping is defined with the
-following format: `<HOST_PORT>:<CONTAINER_PORT>`.  The port number used inside
+`-p` parameter (one per port mapping). Each mapping is defined with the
+following format: `<HOST_PORT>:<CONTAINER_PORT>`. The port number used inside
 the container might not be changeable, but you are free to use any port on the
 host side.
 
@@ -178,7 +214,7 @@ As can be seen, environment variables, volume and port mappings are all specifie
 while creating the container.
 
 The following steps describe the method used to add, remove or update
-parameter(s) of an existing container.  The general idea is to destroy and
+parameter(s) of an existing container. The general idea is to destroy and
 re-create the container:
 
   1. Stop the container (if it is running):
@@ -205,7 +241,7 @@ docker rm nginx-proxy-manager
 Here is an example of a `docker-compose.yml` file that can be used with
 [Docker Compose](https://docs.docker.com/compose/overview/).
 
-Make sure to adjust according to your needs.  Note that only mandatory network
+Make sure to adjust according to your needs. Note that only mandatory network
 ports are part of the example.
 
 ```yaml
@@ -223,11 +259,11 @@ services:
 
 ## Docker Image Versioning
 
-Each release of a Docker image is versioned.  Prior to october 2022, the
+Each release of a Docker image is versioned. Prior to october 2022, the
 [semantic versioning](https://semver.org) was used as the versioning scheme.
 
 Since then, versioning scheme changed to
-[calendar versioning](https://calver.org).  The format used is `YY.MM.SEQUENCE`,
+[calendar versioning](https://calver.org). The format used is `YY.MM.SEQUENCE`,
 where:
   - `YY` is the zero-padded year (relative to year 2000).
   - `MM` is the zero-padded month.
@@ -238,10 +274,10 @@ where:
 
 Because features are added, issues are fixed, or simply because a new version
 of the containerized application is integrated, the Docker image is regularly
-updated.  Different methods can be used to update the Docker image.
+updated. Different methods can be used to update the Docker image.
 
 The system used to run the container may have a built-in way to update
-containers.  If so, this could be your primary way to update Docker images.
+containers. If so, this could be your primary way to update Docker images.
 
 An other way is to have the image be automatically updated with [Watchtower].
 Watchtower is a container-based solution for automating Docker image updates.
@@ -279,12 +315,12 @@ container image.
   2.  Click on *Registry* in the left pane.
   3.  In the search bar, type the name of the container (`jlesage/nginx-proxy-manager`).
   4.  Select the image, click *Download* and then choose the `latest` tag.
-  5.  Wait for the download to complete.  A  notification will appear once done.
+  5.  Wait for the download to complete. A notification will appear once done.
   6.  Click on *Container* in the left pane.
   7.  Select your Nginx Proxy Manager container.
   8.  Stop it by clicking *Action*->*Stop*.
   9.  Clear the container by clicking *Action*->*Reset* (or *Action*->*Clear* if
-      you don't have the latest *Docker* application).  This removes the
+      you don't have the latest *Docker* application). This removes the
       container while keeping its configuration.
   10. Start the container again by clicking *Action*->*Start*. **NOTE**:  The
       container may temporarily disappear from the list while it is re-created.
@@ -300,8 +336,8 @@ For unRAID, a container image can be updated by following these steps:
 ## User/Group IDs
 
 When using data volumes (`-v` flags), permissions issues can occur between the
-host and the container.  For example, the user within the container may not
-exist on the host.  This could prevent the host from properly accessing files
+host and the container. For example, the user within the container may not
+exist on the host. This could prevent the host from properly accessing files
 and folders on the shared volume.
 
 To avoid any problem, you can specify the user the application should run as.
diff --git a/appdefs.yml b/appdefs.yml
@@ -98,6 +98,11 @@ app:
             - `CONTAINER_NAME` is the name of the running container.
             - `USER_EMAIL` is the email of the address to reset the password.
   changelog:
+    - version: 24.07.1
+      date: 2024-07-05
+      changes:
+        - 'Updated Nginx Proxy Manager to version 2.11.3.'
+        - 'Updated baseimage to version 3.6.2.'
     - version: 23.12.2
       date: 2023-12-20
       changes:
diff --git a/rootfs/startapp.sh b/rootfs/startapp.sh
@@ -9,3 +9,5 @@ export SUPPRESS_NO_CONFIG_WARNING=1
 
 cd /opt/nginx-proxy-manager
 exec node --abort_on_uncaught_exception --max_old_space_size=250 index.js
+
+# vim:ft=sh:ts=4:sw=4:et:sts=4
diff --git a/src/nginx-proxy-manager/build.sh b/src/nginx-proxy-manager/build.sh
@@ -74,11 +74,14 @@ sed -i "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\
 sed -i "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\",/" /tmp/nginx-proxy-manager/backend/package.json
 
 log "Patching Nginx Proxy Manager backend..."
-patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/pip-install.patch
-patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/remove-certbot-dns-oci.patch
-patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/powerdns-fix.patch
-patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/http2-support-fix.patch
-patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/reachability-test-fix.patch
+PATCHES="
+    pip-install.patch
+    remove-certbot-dns-oci.patch
+"
+for P in $PATCHES; do
+    echo "Applying $P..."
+    patch -p1 -d /tmp/nginx-proxy-manager < "$SCRIPT_DIR"/"$P"
+done
 
 cp -r /tmp/nginx-proxy-manager /app
 
@@ -166,7 +169,7 @@ sed -i 's|user npm;|#user npm;|' $ROOTFS/etc/nginx/nginx.conf
 sed -i 's|/tmp/nginx/body|/var/tmp/nginx/body|' $ROOTFS/etc/nginx/nginx.conf
 
 # Fix the logrotate config.
-sed -i 's|root root|app app|' $ROOTFS/etc/logrotate.d/nginx-proxy-manager
+sed -i 's|npm npm|app app|' $ROOTFS/etc/logrotate.d/nginx-proxy-manager
 sed -i 's|/run/nginx.pid|/run/nginx/nginx.pid|' $ROOTFS/etc/logrotate.d/nginx-proxy-manager
 sed -i 's|logrotate /etc/logrotate.d/nginx-proxy-manager|logrotate -s /config/logrotate.status /etc/logrotate.d/nginx-proxy-manager|' $ROOTFS/opt/nginx-proxy-manager/setup.js
 sed -i 's|/data/logs/\*/access.log|/data/logs/access.log|' $ROOTFS/etc/logrotate.d/nginx-proxy-manager
diff --git a/src/nginx-proxy-manager/http2-support-fix.patch b/src/nginx-proxy-manager/http2-support-fix.patch
diff --git a/src/nginx-proxy-manager/pip-install.patch b/src/nginx-proxy-manager/pip-install.patch
@@ -1,26 +1,11 @@
-diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
-index da104a2..730d826 100644
---- a/backend/internal/certificate.js
-+++ b/backend/internal/certificate.js
-@@ -871,7 +871,7 @@ const internalCertificate = {
- 		const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
- 		const credentialsCmd     = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'';
- 		// we call `. /opt/certbot/bin/activate` (`.` is alternative to `source` in dash) to access certbot venv
--		const prepareCmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies + ' && deactivate';
-+		const prepareCmd = 'pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies;
- 
- 		// Whether the plugin has a --<name>-credentials argument
- 		const hasConfigArg = certificate.meta.dns_provider !== 'route53';
-diff --git a/backend/setup.js b/backend/setup.js
-index a4b51c9..6d3d3e3 100644
---- a/backend/setup.js
-+++ b/backend/setup.js
-@@ -189,7 +189,7 @@ const setupCertbotPlugins = () => {
- 				});
- 
- 				if (plugins.length) {
--					const install_cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + plugins.join(' ') + ' && deactivate';
-+					const install_cmd = 'pip install --no-cache-dir ' + plugins.join(' ');
- 					promises.push(utils.exec(install_cmd));
- 				}
+--- a/backend/lib/certbot.js
++++ b/backend/lib/certbot.js
+@@ -63,7 +63,7 @@
+ 		plugin.version      = plugin.version.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
+ 		plugin.dependencies = plugin.dependencies.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
  
+-		const cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + plugin.dependencies + ' ' + plugin.package_name + plugin.version + ' ' + ' && deactivate';
++		const cmd = 'pip install --no-cache-dir ' + plugin.dependencies + ' ' + plugin.package_name + plugin.version;
+ 		return utils.exec(cmd)
+ 			.then((result) => {
+ 				logger.complete(`Installed ${pluginKey}`);
diff --git a/src/nginx-proxy-manager/powerdns-fix.patch b/src/nginx-proxy-manager/powerdns-fix.patch
diff --git a/src/nginx-proxy-manager/reachability-test-fix.patch b/src/nginx-proxy-manager/reachability-test-fix.patch
diff --git a/src/nginx-proxy-manager/remove-certbot-dns-oci.patch b/src/nginx-proxy-manager/remove-certbot-dns-oci.patch
