Merge pull request #876 from jc21/develop

v2.8.0

.version

@@ -1 +1 @@
-2.7.0
+2.8.0

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.7.0-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.8.0-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
@@ -205,6 +205,56 @@ Special thanks to the following contributors:
 				<br /><sub><b>Philip Mooney</b></sub>
 			</a>
 		</td>
+		<td align="center">
+			<a href="https://github.com/WaterCalm">
+				<img src="https://avatars1.githubusercontent.com/u/23502129?s=400&v=4" width="80px;" alt=""/>
+				<br /><sub><b>WaterCalm</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/lebrou34">
+				<img src="https://avatars1.githubusercontent.com/u/16373103?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>lebrou34</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/lightglitch">
+				<img src="https://avatars0.githubusercontent.com/u/196953?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Mário Franco</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/klutchell">
+				<img src="https://avatars3.githubusercontent.com/u/20458272?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Kyle Harding</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/ahgraber">
+				<img src="https://avatars.githubusercontent.com/u/24922003?s=460&u=8376c9f00af9b6057ba4d2fb03b4f1b20a75277f&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Alex Graber</b></sub>
+			</a>
+		</td>
+	</tr>
+	<tr>
+		<td align="center">
+			<a href="https://github.com/MooBaloo">
+				<img src="https://avatars.githubusercontent.com/u/9493496?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>MooBaloo</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/Shuro">
+				<img src="https://avatars.githubusercontent.com/u/944030?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Shuro</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/lorisbergeron">
+				<img src="https://avatars.githubusercontent.com/u/51918567?s=460&u=778e4ff284b7d7304450f98421c99f79298371fb&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Loris Bergeron</b></sub>
+			</a>
+		</td>
 	</tr>
 </table>
 <!-- markdownlint-enable -->

backend/index.js

@@ -13,7 +13,6 @@ async function appStart () {
 	const internalCertificate = require('./internal/certificate');
 	const internalIpRanges    = require('./internal/ip_ranges');
 
-
 	return migrate.latest()
 		.then(setup)
 		.then(() => {
@@ -43,13 +42,14 @@ async function appStart () {
 		});
 }
 
-async function createDbConfigFromEnvironment(){
+async function createDbConfigFromEnvironment() {
 	return new Promise((resolve, reject) => {
-		const envMysqlHost  = process.env.DB_MYSQL_HOST;
+		const envMysqlHost  = process.env.DB_MYSQL_HOST || null;
-		const envMysqlPort  = process.env.DB_MYSQL_PORT;
+		const envMysqlPort  = process.env.DB_MYSQL_PORT || null;
-		const envMysqlUser  = process.env.DB_MYSQL_USER;
+		const envMysqlUser  = process.env.DB_MYSQL_USER || null;
-		const envMysqlName  = process.env.DB_MYSQL_NAME;
+		const envMysqlName  = process.env.DB_MYSQL_NAME || null;
-		const envSqliteFile = process.env.DB_SQLITE_FILE;
+		const envSqliteFile = process.env.DB_SQLITE_FILE || null;
+
 		if ((envMysqlHost && envMysqlPort && envMysqlUser && envMysqlName) || envSqliteFile) {
 			const fs       = require('fs');
 			const filename = (process.env.NODE_CONFIG_DIR || './config') + '/' + (process.env.NODE_ENV || 'default') + '.json';
@@ -119,7 +119,7 @@ async function createDbConfigFromEnvironment(){
 				}
 			});
 		} else {
-			// resolve();
+			resolve();
 		}
 	});
 }
@@ -130,3 +130,4 @@ try {
 	logger.error(err.message, err);
 	process.exit(1);
 }
+

backend/internal/certificate.js

@@ -615,18 +615,26 @@ const internalCertificate = {
 	checkPrivateKey: (private_key) => {
 		return tempWrite(private_key, '/tmp')
 			.then((filepath) => {
-				let key_type = private_key.includes('-----BEGIN RSA') ? 'rsa' : 'ec';
+				return new Promise((resolve, reject) => {
-				return utils.exec('openssl ' + key_type + ' -in ' + filepath + ' -check -noout 2>&1 ')
+					const failTimeout = setTimeout(() => {
-					.then((result) => {
+						reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
-						if (!result.toLowerCase().includes('key ok') && !result.toLowerCase().includes('key valid') ) {
+					}, 10000);
-							throw new error.ValidationError('Result Validation Error: ' + result);
+					utils
-						}
+						.exec('openssl pkey -in ' + filepath + ' -check -noout 2>&1 ')
-						fs.unlinkSync(filepath);
+						.then((result) => {
-						return true;
+							clearTimeout(failTimeout);
-					}).catch((err) => {
+							if (!result.toLowerCase().includes('key is valid')) {
-						fs.unlinkSync(filepath);
+								reject(new error.ValidationError('Result Validation Error: ' + result));
-						throw new error.ValidationError('Certificate Key is not valid (' + err.message + ')', err);
+							}
-					});
+							fs.unlinkSync(filepath);
+							resolve(true);
+						})
+						.catch((err) => {
+							clearTimeout(failTimeout);
+							fs.unlinkSync(filepath);
+							reject(new error.ValidationError('Certificate Key is not valid (' + err.message + ')', err));
+						});
+				});
 			});
 	},
 

backend/internal/host.js

@@ -106,7 +106,7 @@ const internalHost = {
 					response_object.total_count      += response_object.redirection_hosts.length;
 				}
 
-				if (promises_results[1]) {
+				if (promises_results[2]) {
 					// Dead Hosts
 					response_object.dead_hosts   = internalHost._getHostsWithDomains(promises_results[2], domain_names);
 					response_object.total_count += response_object.dead_hosts.length;
@@ -158,7 +158,7 @@ const internalHost = {
 					}
 				}
 
-				if (promises_results[1]) {
+				if (promises_results[2]) {
 					// Dead Hosts
 					if (internalHost._checkHostnameRecordsTaken(hostname, promises_results[2], ignore_type === 'dead' && ignore_id ? ignore_id : 0)) {
 						is_taken = true;

backend/templates/default.conf

@@ -6,6 +6,11 @@
 {%- else %}
 server {
   listen 80 default;
+{% if ipv6 -%}
+  listen [::]:80;
+{% else -%}
+  #listen [::]:80;
+{% endif %}
   server_name default-host.localhost;
   access_log /data/logs/default_host.log combined;
 {% include "_exploits.conf" %}

backend/yarn.lock

@@ -1548,9 +1548,9 @@ inherits@2.0.3:
   integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=
 
 ini@^1.3.4, ini@^1.3.5, ini@~1.3.0:
-  version "1.3.5"
+  version "1.3.8"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 inquirer@^7.0.0:
   version "7.3.3"

docker/Dockerfile

@@ -13,6 +13,7 @@ ARG BUILD_DATE
 
 ENV SUPPRESS_NO_CONFIG_WARNING=1
 ENV S6_FIX_ATTRS_HIDDEN=1
+ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=1
 ENV NODE_ENV=production
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
@@ -31,18 +32,20 @@ EXPOSE 80
 EXPOSE 81
 EXPOSE 443
 
-COPY docker/rootfs      /
 ADD backend             /app
 ADD frontend/dist       /app/frontend
-COPY global							/app/global
+COPY global             /app/global
 
 WORKDIR /app
 RUN yarn install
 
+# add late to limit cache-busting by modifications
+COPY docker/rootfs      /
+
 # Remove frontend service not required for prod, dev nginx config as well
 RUN rm -rf /etc/services.d/frontend RUN rm -f /etc/nginx/conf.d/dev.conf
 
 VOLUME [ "/data", "/etc/letsencrypt" ]
-CMD [ "/init" ]
+ENTRYPOINT [ "/init" ]
 
 HEALTHCHECK --interval=5s --timeout=3s CMD /bin/check-health

docker/dev/Dockerfile

@@ -27,6 +27,6 @@ EXPOSE 80
 EXPOSE 81
 EXPOSE 443
 
-CMD [ "/init" ]
+ENTRYPOINT [ "/init" ]
 
-HEALTHCHECK --interval=5s --timeout=3s CMD /bin/check-health
+HEALTHCHECK --interval=5s --timeout=3s CMD /bin/check-health

docker/docker-compose.ci.yml

@@ -47,8 +47,8 @@ services:
   cypress-mysql:
     image: ${IMAGE}-cypress:ci-${BUILD_NUMBER}
     build:
-      context: ../
+      context: ../test/
-      dockerfile: test/cypress/Dockerfile
+      dockerfile: cypress/Dockerfile
     environment:
       CYPRESS_baseUrl: "http://fullstack-mysql:81"
     volumes:
@@ -58,8 +58,8 @@ services:
   cypress-sqlite:
     image: ${IMAGE}-cypress:ci-${BUILD_NUMBER}
     build:
-      context: ../
+      context: ../test/
-      dockerfile: test/cypress/Dockerfile
+      dockerfile: cypress/Dockerfile
     environment:
       CYPRESS_baseUrl: "http://fullstack-sqlite:81"
     volumes:

docker/rootfs/etc/cont-init.d/.gitignore

@@ -1,2 +1,3 @@
 *
 !.gitignore
+!*.sh

docker/rootfs/etc/cont-init.d/01_s6-secret-init.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/with-contenv bash
+# ref: https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile
+
+# in s6, environmental variables are written as text files for s6 to monitor
+# seach through full-path filenames for files ending in "__FILE"
+for FILENAME in $(find /var/run/s6/container_environment/ | grep "__FILE$"); do
+    echo "[secret-init] Evaluating ${FILENAME##*/} ..."
+
+    # set SECRETFILE to the contents of the full-path textfile
+    SECRETFILE=$(cat ${FILENAME})
+    # SECRETFILE=${FILENAME}
+    # echo "[secret-init] Set SECRETFILE to ${SECRETFILE}"  # DEBUG - rm for prod!
+
+    # if SECRETFILE exists / is not null
+    if [[ -f ${SECRETFILE} ]]; then
+        # strip the appended "__FILE" from environmental variable name ...
+        STRIPFILE=$(echo ${FILENAME} | sed "s/__FILE//g") 
+        # echo "[secret-init] Set STRIPFILE to ${STRIPFILE}"  # DEBUG - rm for prod!
+        
+        # ... and set value to contents of secretfile
+        # since s6 uses text files, this is effectively "export ..."
+        printf $(cat ${SECRETFILE}) > ${STRIPFILE}
+        # echo "[secret-init] Set ${STRIPFILE##*/} to $(cat ${STRIPFILE})"  # DEBUG - rm for prod!"
+        echo "[secret-init] Success! ${STRIPFILE##*/} set from ${FILENAME##*/}"
+
+    else
+        echo "[secret-init] cannot find secret in ${FILENAME}"
+    fi
+done

docker/rootfs/etc/nginx/nginx.conf

@@ -69,6 +69,9 @@ http {
 	real_ip_header X-Real-IP;
 	real_ip_recursive on;
 
+	# Custom
+	include /data/nginx/custom/http_top[.]conf;
+
 	# Files generated by NPM
 	include /etc/nginx/conf.d/*.conf;
 	include /data/nginx/default_host/*.conf;
@@ -84,6 +87,9 @@ http {
 stream {
 	# Files generated by NPM
 	include /data/nginx/stream/*.conf;
+
+	# Custom
+	include /data/nginx/custom/stream[.]conf;
 }
 
 # Custom

docs/README.md

@@ -66,7 +66,7 @@ services:
       - ./data:/data
       - ./letsencrypt:/etc/letsencrypt
   db:
-    image: 'jc21/mariadb-aria:10.4'
+    image: 'jc21/mariadb-aria:latest'
     environment:
       MYSQL_ROOT_PASSWORD: 'npm'
       MYSQL_DATABASE: 'npm'

docs/advanced-config/README.md

@@ -1,5 +1,66 @@
 # Advanced Configuration
 
+## Docker Secrets
+
+This image supports the use of Docker secrets to import from file and keep sensitive usernames or passwords from being passed or preserved in plaintext.
+
+You can set any environment variable from a file by appending `__FILE` (double-underscore FILE) to the environmental variable name.
+
+```yml
+version: "3.7"
+
+secrets:
+  # Secrets are single-line text files where the sole content is the secret
+  # Paths in this example assume that secrets are kept in local folder called ".secrets"
+  DB_ROOT_PWD:
+    file: .secrets/db_root_pwd.txt
+  MYSQL_PWD:
+    file: .secrets/mysql_pwd.txt
+
+services:
+  app:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: always
+    ports:
+      # Public HTTP Port:
+      - '80:80'
+      # Public HTTPS Port:
+      - '443:443'
+      # Admin Web Port:
+      - '81:81'
+    environment:
+      # These are the settings to access your db
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      # DB_MYSQL_PASSWORD: "npm"  # use secret instead
+      DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD 
+      DB_MYSQL_NAME: "npm"
+      # If you would rather use Sqlite uncomment this
+      # and remove all DB_MYSQL_* lines above
+      # DB_SQLITE_FILE: "/data/database.sqlite"
+      # Uncomment this if IPv6 is not enabled on your host
+      # DISABLE_IPV6: 'true'
+    volumes:
+      - ./data:/data
+      - ./letsencrypt:/etc/letsencrypt
+    depends_on:
+      - db
+  db:
+    image: jc21/mariadb-aria
+    restart: always
+    environment:
+      # MYSQL_ROOT_PASSWORD: "npm"  # use secret instead
+      MYSQL_ROOT_PASSWORD__FILE: /run/secrets/DB_ROOT_PWD
+      MYSQL_DATABASE: "npm"
+      MYSQL_USER: "npm"
+      # MYSQL_PASSWORD: "npm"  # use secret instead
+      MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD 
+    volumes:
+      - ./data/mysql:/var/lib/mysql
+```
+
+
 ## Disabling IPv6
 
 On some docker hosts IPv6 may not be enabled. In these cases, the following message may be seen in the log:
@@ -24,6 +85,7 @@ You can add your custom configuration snippet files at `/data/nginx/custom` as f
 
  - `/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
  - `/data/nginx/custom/http.conf`: Included at the end of the main http block
+ - `/data/nginx/custom/stream.conf`: Included at the end of the main stream block
  - `/data/nginx/custom/server_proxy.conf`: Included at the end of every proxy server block
  - `/data/nginx/custom/server_redirect.conf`: Included at the end of every redirection server block
  - `/data/nginx/custom/server_stream.conf`: Included at the end of every stream server block

docs/setup/README.md

@@ -51,7 +51,7 @@ services:
     depends_on:
       - db
   db:
-    image: jc21/mariadb-aria:10.4
+    image: 'jc21/mariadb-aria:latest'
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: 'npm'

docs/yarn.lock

@@ -5125,9 +5125,9 @@ inherits@2.0.3:
   integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=
 
 ini@^1.3.5, ini@~1.3.0:
-  version "1.3.5"
+  version "1.3.8"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 internal-ip@^4.3.0:
   version "4.3.0"

frontend/js/app/nginx/certificates/form.ejs

@@ -129,6 +129,9 @@
                     </div>
                 <% } else if (provider === 'other') { %>
                     <!-- Other -->
+                    <div class="col-sm-12 col-md-12">
+                        <div class="text-blue mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'passphrase-protection-support-info') %></div>
+                    </div>
                     <div class="col-sm-12 col-md-12">
                         <div class="form-group">
                             <label class="form-label"><%- i18n('str', 'name') %> <span class="form-required">*</span></label>

frontend/js/i18n/messages.json

@@ -112,7 +112,8 @@
       "stored-as-plaintext-info": "This data will be stored as plaintext in the database and in a file!",
       "propagation-seconds": "Propagation Seconds",
       "propagation-seconds-info": "Leave empty to use the plugins default value. Number of seconds to wait for DNS propagation.",
-      "processing-info": "Processing... This might take a few minutes."
+      "processing-info": "Processing... This might take a few minutes.",
+      "passphrase-protection-support-info": "Key files protected with a passphrase are not supported."
     },
     "proxy-hosts": {
       "title": "Proxy Hosts",

global/certbot-dns-plugins.js

@@ -20,6 +20,16 @@
  */
 
 module.exports = {
+	aliyun: {
+		display_name:    'Aliyun',
+		package_name:    'certbot-dns-aliyun',
+		package_version: '0.38.1',
+		dependencies:    '',
+		credentials:     `certbot_dns_aliyun:dns_aliyun_access_key = 12345678
+certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
+		full_plugin_name: 'certbot-dns-aliyun:dns-aliyun',
+	},
+	//####################################################//
 	cloudflare: {
 		display_name:    'Cloudflare',
 		package_name:    'certbot-dns-cloudflare',
@@ -110,6 +120,15 @@ certbot_dns_dnspod:dns_dnspod_api_token = "DNSPOD-API-TOKEN"`,
 		full_plugin_name: 'certbot-dns-dnspod:dns-dnspod',
 	},
 	//####################################################//
+	gandi: {
+		display_name:     'Gandi Live DNS',
+		package_name:     'certbot_plugin_gandi',
+		package_version:  '1.2.5',
+		dependencies:     '',
+		credentials:      'certbot_plugin_gandi:dns_api_key = APIKEY',
+		full_plugin_name: 'certbot-plugin-gandi:dns',
+	},
+	//####################################################//
 	google: {
 		display_name:    'Google',
 		package_name:    'certbot-dns-google',
@@ -272,4 +291,15 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
 		credentials:      'certbot_dns_vultr:dns_vultr_key = YOUR_VULTR_API_KEY',
 		full_plugin_name: 'certbot-dns-vultr:dns-vultr',
 	},
-};
+	//####################################################//
+	eurodns: {
+		display_name:    'EuroDNS',
+		package_name:    'certbot-dns-eurodns',
+		package_version: '0.0.4',
+		dependencies:    '',
+		credentials:     `dns_eurodns_applicationId = myuser
+dns_eurodns_apiKey = mysecretpassword
+dns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy`,
+		full_plugin_name: 'certbot-dns-eurodns:dns-eurodns',
+	},
+};

test/.dockerignore

@@ -0,0 +1 @@
+node_modules

test/cypress/Dockerfile

@@ -1,6 +1,11 @@
-FROM cypress/included:4.12.1
+FROM cypress/included:5.6.0
 
-COPY --chown=1000 ./test /test
+COPY --chown=1000 ./ /test
+
+# mkcert
+ENV MKCERT=1.4.2
+RUN wget -O /usr/bin/mkcert "https://github.com/FiloSottile/mkcert/releases/download/v${MKCERT}/mkcert-v${MKCERT}-linux-amd64" \
+	&& chmod +x /usr/bin/mkcert
 
 WORKDIR /test
 RUN yarn install

test/package.json

@@ -7,7 +7,7 @@
 		"@jc21/cypress-swagger-validation": "^0.0.9",
 		"@jc21/restler": "^3.4.0",
 		"chalk": "^4.1.0",
-		"cypress": "^4.12.1",
+		"cypress": "^5.6.0",
 		"cypress-multi-reporters": "^1.4.0",
 		"cypress-plugin-retries": "^1.5.2",
 		"eslint": "^7.6.0",

test/yarn.lock

@@ -1293,9 +1293,9 @@ inherits@2, inherits@^2.0.3, inherits@~2.0.3:
   integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
 
 ini@^1.3.5:
-  version "1.3.5"
+  version "1.3.8"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 is-arguments@^1.0.4:
   version "1.0.4"