update swag

2024-08-11 22:18:13 +02:00 · 2024-08-11 22:18:13 +02:00 · 2636be1184
commit 2636be1184
parent 560f291db9
6 changed files with 148 additions and 121 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -148,9 +148,11 @@ services:
      <<: *common-environment
      FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
      DB_HOST: lychee-db
+      DB_CONNECTION: mysql
      DB_USERNAME: lychee
      DB_DATABASE: lychee
      DB_PORT: 3306
+      APP_URL: https://photos.guiotte.fr
    secrets:
      - lychee-db-pw

--- a/swag/nginx/nginx.conf
+++ b/swag/nginx/nginx.conf
@ -1,4 +1,7 @@
-## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable

 user abc;

@ -14,11 +17,13 @@ error_log /config/log/nginx/error.log;
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;

+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
 events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
-    # multi_accept on;
 }

 http {
@ -49,101 +54,29 @@ http {
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;

+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

-    # Saves unauthorized log messages to a separate log file
-    map $status $unauthorized {
-        default 0;
-        ~^401  1;
-    }
-    access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
-    
    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log;

    # Includes virtual hosts configs.
-    #include /etc/nginx/http.d/*.conf;
-
-    # WARNING: Don't use this directory for virtual hosts anymore.
-    # This include will be moved to the root context in Alpine 3.14.
-    #include /etc/nginx/conf.d/*.conf;
-
-
-    ##
-    # Basic Settings
-    ##
-
-    client_body_buffer_size 128k;
-    keepalive_timeout 65;
-    large_client_header_buffers 4 16k;
-    send_timeout 5m;
-    tcp_nodelay on;
-    types_hash_max_size 2048;
-    variables_hash_max_size 2048;
-    # server_names_hash_bucket_size 64;
-    # server_name_in_redirect off;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-    ##
-    # nginx-naxsi config
-    ##
-    # Uncomment it if you installed nginx-naxsi
-    ##
-
-    #include /etc/nginx/naxsi_core.rules;
-
-    ##
-    # nginx-passenger config
-    ##
-    # Uncomment it if you installed nginx-passenger
-    ##
-
-    #passenger_root /usr;
-    #passenger_ruby /usr/bin/ruby;
-
-    ##
-    # Virtual Host Configs
-    ##
+    include /etc/nginx/http.d/*.conf;
    include /config/nginx/site-confs/*.conf;
-    #Removed lua. Do not remove this comment
 }

-#mail {
-#    # See sample authentication script at:
-#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-#    # auth_http localhost/auth.php;
-#    # pop3_capabilities "TOP" "USER";
-#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-#    server {
-#        listen     localhost:110;
-#        protocol   pop3;
-#        proxy      on;
-#    }
-#
-#    server {
-#        listen     localhost:143;
-#        protocol   imap;
-#        proxy      on;
-#    }
-#}
-
 daemon off;
 pid /run/nginx.pid;
+
--- a/swag/nginx/proxy-confs/lychee.subdomain.conf
+++ b/swag/nginx/proxy-confs/lychee.subdomain.conf
@ -1,9 +1,10 @@
-## Version 2021/05/18
+## Version 2023/05/31
+# make sure that your lychee container is named lychee
 # make sure that your dns has a cname set for lychee

 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;

    server_name photos.*;

@ -11,24 +12,29 @@ server {

    client_max_body_size 0;

-    # enable for ldap auth, fill in ldap details in ldap.conf
-    #include /config/nginx/ldap.conf;
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;

-    # enable for Authelia
+    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

-        # enable the next two lines for ldap auth
-        #auth_request /auth;
-        #error_page 401 =200 /ldaplogin;
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;

-        # enable for Authelia
+        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app lychee;
--- a/swag/nginx/proxy.conf
+++ b/swag/nginx/proxy.conf
@ -1,4 +1,4 @@
-## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
 proxy_headers_hash_max_size 1024;
 proxy_http_version 1.1;
 proxy_read_timeout 240;
-proxy_redirect  http://  $scheme://;
+proxy_redirect http:// $scheme://;
 proxy_send_timeout 240;

 # Proxy Cache and Cookie Settings
@ -26,6 +26,13 @@ proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+
--- a/swag/nginx/site-confs/default.conf
+++ b/swag/nginx/site-confs/default.conf
@ -0,0 +1,85 @@
+## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    root /config/www;
+    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
+
--- a/swag/nginx/ssl.conf
+++ b/swag/nginx/ssl.conf
@ -1,46 +1,40 @@
-## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

 ### Mozilla Recommendations
-# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7

+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;

+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;

+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;

-
-### Linuxserver.io Defaults
-
-# Certificates
-ssl_certificate /config/keys/letsencrypt/fullchain.pem;
-ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
-
-# Diffie-Hellman Parameters
-ssl_dhparam /config/nginx/dhparams.pem;
-
-# Enable TLS 1.3 early data
-ssl_early_data on;
-
-# HSTS, remove # from the line below to enable HSTS
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ssl_trusted_certificate /config/keys/cert.crt;

 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
-#add_header Permissions-Policy "interest-cohort=()";
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
 #add_header X-UA-Compatible "IE=Edge" always;
 #add_header X-XSS-Protection "1; mode=block" always;
+