Bot Updating Package Versions

Merge pull request #130 from linuxserver/authelia-patch
update and patch authelia-server.conf for resolver and CVE
2026-03-03 00:43:34 +09:00 · 2021-05-28 23:05:08 +00:00 · 2021-05-28 18:49:04 -04:00 · 2021-05-28 18:24:23 -04:00 · 2021-05-28 18:19:22 -04:00 · 2021-05-28 17:40:28 -04:00
7 changed files with 61 additions and 29 deletions
--- a/README.md
+++ b/README.md
@@ -330,6 +330,8 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **28.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`.
+* **20.05.21:** - Modify resolver.conf generation to detect and ignore ipv6.
 * **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -12,7 +12,7 @@ c-client-2007f-r11
 ca-certificates-20191127-r5
 ca-certificates-bundle-20191127-r5
 coreutils-8.32-r2
-curl-7.76.1-r0
+curl-7.77.0-r0
 expat-2.2.10-r1
 fail2ban-0.11.1-r4
 freetype-2.10.4-r1
@@ -35,7 +35,7 @@ libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.46-r0
 libcrypto1.1-1.1.1k-r0
-libcurl-7.76.1-r0
+libcurl-7.77.0-r0
 libedit-20191231.3.1-r1
 libevent-2.1.12-r1
 libffi-3.3-r2
@@ -73,7 +73,7 @@ libtls-standalone-2.9.1-r1
 libunistring-0.9.10-r0
 libuuid-2.36.1-r1
 libwebp-1.1.0-r0
-libx11-1.7.0-r0
+libx11-1.7.1-r0
 libxau-1.0.9-r0
 libxcb-1.14-r1
 libxdmcp-1.1.3-r0
@@ -94,26 +94,26 @@ ncurses-libs-6.2_p20210109-r0
 ncurses-terminfo-base-6.2_p20210109-r0
 nettle-3.7.2-r0
 nghttp2-libs-1.42.0-r1
-nginx-1.18.0-r13
-nginx-mod-devel-kit-1.18.0-r13
-nginx-mod-http-brotli-1.18.0-r13
-nginx-mod-http-dav-ext-1.18.0-r13
-nginx-mod-http-echo-1.18.0-r13
-nginx-mod-http-fancyindex-1.18.0-r13
-nginx-mod-http-geoip2-1.18.0-r13
-nginx-mod-http-headers-more-1.18.0-r13
-nginx-mod-http-image-filter-1.18.0-r13
-nginx-mod-http-nchan-1.18.0-r13
-nginx-mod-http-perl-1.18.0-r13
-nginx-mod-http-redis2-1.18.0-r13
-nginx-mod-http-set-misc-1.18.0-r13
-nginx-mod-http-upload-progress-1.18.0-r13
-nginx-mod-http-xslt-filter-1.18.0-r13
-nginx-mod-mail-1.18.0-r13
-nginx-mod-rtmp-1.18.0-r13
-nginx-mod-stream-1.18.0-r13
-nginx-mod-stream-geoip2-1.18.0-r13
-nginx-vim-1.18.0-r13
+nginx-1.18.0-r14
+nginx-mod-devel-kit-1.18.0-r14
+nginx-mod-http-brotli-1.18.0-r14
+nginx-mod-http-dav-ext-1.18.0-r14
+nginx-mod-http-echo-1.18.0-r14
+nginx-mod-http-fancyindex-1.18.0-r14
+nginx-mod-http-geoip2-1.18.0-r14
+nginx-mod-http-headers-more-1.18.0-r14
+nginx-mod-http-image-filter-1.18.0-r14
+nginx-mod-http-nchan-1.18.0-r14
+nginx-mod-http-perl-1.18.0-r14
+nginx-mod-http-redis2-1.18.0-r14
+nginx-mod-http-set-misc-1.18.0-r14
+nginx-mod-http-upload-progress-1.18.0-r14
+nginx-mod-http-xslt-filter-1.18.0-r14
+nginx-mod-mail-1.18.0-r14
+nginx-mod-rtmp-1.18.0-r14
+nginx-mod-stream-1.18.0-r14
+nginx-mod-stream-geoip2-1.18.0-r14
+nginx-vim-1.18.0-r14
 npth-1.6-r0
 oniguruma-6.9.6-r0
 openssl-1.1.1k-r0
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -151,6 +151,8 @@ app_setup_nginx_reverse_proxy_block: ""

 # changelog
 changelogs:
+  - { date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`." }
+  - { date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6." }
  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
--- a/root/defaults/authelia-server.conf
+++ b/root/defaults/authelia-server.conf
@@ -1,16 +1,19 @@
-## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia

 location ^~ /authelia {
    include /config/nginx/proxy.conf;
-    resolver 127.0.0.11 valid=30s;
+    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
 }

 location = /authelia/api/verify {
    internal;
-    resolver 127.0.0.11 valid=30s;
+    if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+        return 401;
+    }
+    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass_request_body off;
    proxy_pass http://$upstream_authelia:9091;
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -41,6 +41,17 @@ server {
    client_max_body_size 0;

    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable the next two lines for ldap auth
+        #auth_request /auth;
+        #error_page 401 =200 /ldaplogin;
+
+        # enable for Authelia
+        #include /config/nginx/authelia-location.conf;
+
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

@@ -151,3 +162,5 @@ server {

 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/root/defaults/proxy.conf
+++ b/root/defaults/proxy.conf
@@ -15,7 +15,6 @@ proxy_send_timeout 240;

 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;

--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -81,9 +81,17 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 [[ ! -f /config/www/502.html ]] &&
    cp /defaults/502.html /config/www/502.html

-# Set resolver
+# Set resolver, ignore ipv6 addresses
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then
-    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    for i in ${RESOLVERRAW}; do
+        if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then
+            RESOLVER="${RESOLVER} ${i}"
+        fi
+    done
+    if [ -z "${RESOLVER}" ]; then
+        RESOLVER="127.0.0.11"
+    fi
    echo "Setting resolver to ${RESOLVER}"
    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
@@ -101,6 +109,11 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
    sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
 fi

+# patch authelia-server.conf for CVE-2021-32637
+if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
+    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
+fi
+
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
Author	SHA1	Message	Date
LinuxServer-CI	0546211470	Bot Updating Package Versions	2021-05-28 23:05:08 +00:00
aptalca	056f27437e	Merge pull request #130 from linuxserver/authelia-patch update and patch authelia-server.conf for resolver and CVE	2021-05-28 18:49:04 -04:00
aptalca	7437478c3a	use single quotes	2021-05-28 18:24:23 -04:00
aptalca	020ab44638	force patch authelia-server.conf	2021-05-28 18:19:22 -04:00
aptalca	224abb686d	update authelia-server.conf for resolver and CVE	2021-05-28 17:40:28 -04:00
LinuxServer-CI	413942d1fe	Bot Updating Package Versions	2021-05-27 07:09:04 +01:00
Eric Nemchik	a8f98a205f	Merge pull request #127 from linuxserver/resolver update resolver logic	2021-05-20 22:29:04 -05:00
aptalca	aa94da0665	update resolver logic	2021-05-20 17:11:51 -04:00
LinuxServer-CI	31d9e9af85	Bot Updating Package Versions	2021-05-20 05:42:11 +00:00
aptalca	012e729f49	emergency fixes to default and proxy.conf	2021-05-18 11:47:01 -04:00