From 8abdf117bb018ca42310ac36f3201f69b744682d Mon Sep 17 00:00:00 2001
From: thespad
Date: Thu, 17 Jul 2025 16:23:54 +0100
Subject: [PATCH 1/2] Rebase to 3.22
---
.editorconfig | 0
.github/CONTRIBUTING.md | 0
.github/FUNDING.yml | 0
.github/ISSUE_TEMPLATE/config.yml | 0
.github/ISSUE_TEMPLATE/issue.bug.yml | 0
.github/ISSUE_TEMPLATE/issue.feature.yml | 0
.github/workflows/call_issue_pr_tracker.yml | 0
.github/workflows/call_issues_cron.yml | 0
.github/workflows/external_trigger.yml | 0
.../workflows/external_trigger_scheduler.yml | 0
.github/workflows/greetings.yml | 0
.../workflows/package_trigger_scheduler.yml | 0
.github/workflows/permissions.yml | 0
Dockerfile | 22 +++++++++++--------
Dockerfile.aarch64 | 22 +++++++++++--------
LICENSE | 0
README.md | 4 ++++
readme-vars.yml | 4 ++++
18 files changed, 34 insertions(+), 18 deletions(-)
mode change 100755 => 100644 .editorconfig
mode change 100755 => 100644 .github/CONTRIBUTING.md
mode change 100755 => 100644 .github/FUNDING.yml
mode change 100755 => 100644 .github/ISSUE_TEMPLATE/config.yml
mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.bug.yml
mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.feature.yml
mode change 100755 => 100644 .github/workflows/call_issue_pr_tracker.yml
mode change 100755 => 100644 .github/workflows/call_issues_cron.yml
mode change 100755 => 100644 .github/workflows/external_trigger.yml
mode change 100755 => 100644 .github/workflows/external_trigger_scheduler.yml
mode change 100755 => 100644 .github/workflows/greetings.yml
mode change 100755 => 100644 .github/workflows/package_trigger_scheduler.yml
mode change 100755 => 100644 .github/workflows/permissions.yml
mode change 100755 => 100644 LICENSE
diff --git a/.editorconfig b/.editorconfig
old mode 100755
new mode 100644
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
old mode 100755
new mode 100644
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/call_issues_cron.yml b/.github/workflows/call_issues_cron.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml old mode 100755 new mode 100644 diff --git a/Dockerfile b/Dockerfile index 85cdbf4..f0d03d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.22 # set version label ARG BUILD_DATE 
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca" RUN \ echo "**** install runtime packages ****" && \ apk add --no-cache \ - php83-dom \ - php83-intl \ - php83-opcache \ - php83-pdo_mysql \ - php83-pdo_pgsql \ - php83-pdo_sqlite \ - php83-tokenizer && \ + php84-dom \ + php84-intl \ + php84-opcache \ + php84-pdo_mysql \ + php84-pdo_pgsql \ + php84-pdo_sqlite \ + php84-tokenizer && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \ /etc/nginx/fastcgi_params && \ @@ -26,7 +26,11 @@ RUN \ /etc/nginx/fastcgi_params && \ echo "**** configure php opcache ****" && \ echo 'opcache.validate_timestamps=0' >> \ - /etc/php83/conf.d/00_opcache.ini && \ + /etc/php84/conf.d/00_opcache.ini && \ + echo "**** configure php-fpm to pass env vars ****" && \ + sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \ + if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \ + echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \ echo "**** install heimdall ****" && \ mkdir -p \ /heimdall && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index e1fc0ea..eb24171 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.22 # set version label ARG BUILD_DATE 
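Review bot: Setting `clear_env = no` in `/etc/php84/php-fpm.d/www.conf` (the `@@ -26,7 +26,11 @@` hunk) hands every variable in the container environment to the PHP-FPM workers, not just the new `ALLOW_INTERNAL_REQUESTS` switch, so any secret supplied to the container as an environment variable becomes readable from application code and from any debug or error output that dumps the environment. If the only goal is to let Heimdall read that one setting, a narrower option is to leave `clear_env` at its default and pass the variable explicitly in the pool file, e.g. `env[ALLOW_INTERNAL_REQUESTS] = $ALLOW_INTERNAL_REQUESTS`; how php-fpm treats that reference when the variable is unset should be checked before adopting it. The `env[PATH]` line is appended to `php-fpm.conf` rather than to the pool file, so it presumably relies on being parsed after the pool include; writing it to `www.conf` would make the intent explicit. The same lines appear in the `Dockerfile.aarch64` hunk at `@@ -26,7 +26,11 @@`. The `RUN` instruction starts before and continues past this hunk, so later steps were not reviewed.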
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca" RUN \ echo "**** install runtime packages ****" && \ apk add --no-cache \ - php83-dom \ - php83-intl \ - php83-opcache \ - php83-pdo_mysql \ - php83-pdo_pgsql \ - php83-pdo_sqlite \ - php83-tokenizer && \ + php84-dom \ + php84-intl \ + php84-opcache \ + php84-pdo_mysql \ + php84-pdo_pgsql \ + php84-pdo_sqlite \ + php84-tokenizer && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \ /etc/nginx/fastcgi_params && \ @@ -26,7 +26,11 @@ RUN \ /etc/nginx/fastcgi_params && \ echo "**** configure php opcache ****" && \ echo 'opcache.validate_timestamps=0' >> \ - /etc/php83/conf.d/00_opcache.ini && \ + /etc/php84/conf.d/00_opcache.ini && \ + echo "**** configure php-fpm to pass env vars ****" && \ + sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \ + if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \ + echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \ echo "**** install heimdall ****" && \ mkdir -p \ /heimdall && \ diff --git a/LICENSE b/LICENSE old mode 100755 new mode 100644 diff --git a/README.md b/README.md index 90af355..7861f9d 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,7 @@ services: - PUID=1000 - PGID=1000 - TZ=Etc/UTC + - ALLOW_INTERNAL_REQUESTS=false #optional volumes: - /path/to/heimdall/config:/config ports: @@ -110,6 +111,7 @@ docker run -d \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=Etc/UTC \ + -e ALLOW_INTERNAL_REQUESTS=false `#optional` \ -p 80:80 \ -p 443:443 \ -v /path/to/heimdall/config:/config \ 
@@ -128,6 +130,7 @@ Containers are configured using parameters passed at runtime (such as those abov | `-e PUID=1000` | for UserID - see below for explanation | | `-e PGID=1000` | for GroupID - see below for explanation | | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). | +| `-e ALLOW_INTERNAL_REQUESTS=false` | By default, Heimdall blocks requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses. | | `-v /config` | Persistent config files | ## Environment variables from files (Docker secrets) @@ -292,6 +295,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **17.07.25:** - Rebase to Alpine 3.20. * **27.06.24:** - Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings. * **07.03.24:** - Enable the opcache and disable file revalidation. * **06.03.24:** - Existing users should update: site-confs/default.conf - Cleanup default site conf. diff --git a/readme-vars.yml b/readme-vars.yml index c4b8208..3a3438d 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -30,6 +30,9 @@ param_usage_include_ports: true param_ports: - {external_port: "80", internal_port: "80", port_desc: "http gui"} - {external_port: "443", internal_port: "443", port_desc: "https gui"} +opt_param_usage_include_env: true +opt_param_env_vars: + - {env_var: "ALLOW_INTERNAL_REQUESTS", env_value: "false", desc: "By default, Heimdall blocks requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses."} # application setup block app_setup_block_enabled: true app_setup_block: | 
@@ -99,6 +102,7 @@ init_diagram: | "heimdall:development" <- Base Images # changelog changelogs: + - {date: "17.07.25:", desc: "Rebase to Alpine 3.22, enable PHP environment passthrough."} - {date: "27.06.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."} - {date: "07.03.24:", desc: "Enable the opcache and disable file revalidation."} - {date: "06.03.24:", desc: "Existing users should update: site-confs/default.conf - Cleanup default site conf."} From 7ede2d01f9ed7f5d09d636c1d4506c6fb0ca504c Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 20 Jul 2025 15:54:07 +0100 Subject: [PATCH 2/2] Wording --- readme-vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme-vars.yml b/readme-vars.yml index 3a3438d..5eb27eb 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -32,7 +32,7 @@ param_ports: - {external_port: "443", internal_port: "443", port_desc: "https gui"} opt_param_usage_include_env: true opt_param_env_vars: - - {env_var: "ALLOW_INTERNAL_REQUESTS", env_value: "false", desc: "By default, Heimdall blocks requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses."} + - {env_var: "ALLOW_INTERNAL_REQUESTS", env_value: "false", desc: "By default, Heimdall blocks lookup requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses."} # application setup block app_setup_block_enabled: true app_setup_block: |