Merge pull request #133 from linuxserver/conf

update default conf folder

Dockerfile

@@ -139,7 +139,7 @@ RUN \
     /tmp/proxy.tar.gz -C \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
-  rm -f /etc/nginx/conf.d/default.conf && \
+  rm -f /etc/nginx/http.d/default.conf && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.aarch64

@@ -139,7 +139,7 @@ RUN \
     /tmp/proxy.tar.gz -C \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
-  rm -f /etc/nginx/conf.d/default.conf && \
+  rm -f /etc/nginx/http.d/default.conf && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.armhf

@@ -139,7 +139,7 @@ RUN \
     /tmp/proxy.tar.gz -C \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
-  rm -f /etc/nginx/conf.d/default.conf && \
+  rm -f /etc/nginx/http.d/default.conf && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

README.md

@@ -330,6 +330,9 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **24.06.21:** - Update default nginx conf folder.
+* **28.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`.
+* **20.05.21:** - Modify resolver.conf generation to detect and ignore ipv6.
 * **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.

package_versions.txt

@@ -1,6 +1,6 @@
 alpine-baselayout-3.2.0-r8
 alpine-keys-2.2-r0
-apache2-utils-2.4.46-r3
+apache2-utils-2.4.48-r0
 apk-tools-2.12.5-r0
 apr-1.7.0-r0
 apr-util-1.6.1-r7
@@ -12,7 +12,7 @@ c-client-2007f-r11
 ca-certificates-20191127-r5
 ca-certificates-bundle-20191127-r5
 coreutils-8.32-r2
-curl-7.76.1-r0
+curl-7.77.0-r1
 expat-2.2.10-r1
 fail2ban-0.11.1-r4
 freetype-2.10.4-r1
@@ -35,7 +35,7 @@ libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.46-r0
 libcrypto1.1-1.1.1k-r0
-libcurl-7.76.1-r0
+libcurl-7.77.0-r1
 libedit-20191231.3.1-r1
 libevent-2.1.12-r1
 libffi-3.3-r2
@@ -73,12 +73,12 @@ libtls-standalone-2.9.1-r1
 libunistring-0.9.10-r0
 libuuid-2.36.1-r1
 libwebp-1.1.0-r0
-libx11-1.7.0-r0
+libx11-1.7.1-r0
 libxau-1.0.9-r0
 libxcb-1.14-r1
 libxdmcp-1.1.3-r0
 libxext-1.3.4-r0
-libxml2-2.9.10-r6
+libxml2-2.9.10-r7
 libxpm-3.5.13-r0
 libxslt-1.1.34-r0
 libxt-1.2.1-r0
@@ -87,33 +87,33 @@ linux-pam-1.5.1-r0
 logrotate-3.18.0-r0
 lz4-libs-1.9.2-r0
 memcached-1.6.9-r0
-musl-1.2.2-r0
-musl-utils-1.2.2-r0
-nano-5.4-r1
+musl-1.2.2-r1
+musl-utils-1.2.2-r1
+nano-5.4-r2
 ncurses-libs-6.2_p20210109-r0
 ncurses-terminfo-base-6.2_p20210109-r0
 nettle-3.7.2-r0
 nghttp2-libs-1.42.0-r1
-nginx-1.18.0-r13
-nginx-mod-devel-kit-1.18.0-r13
-nginx-mod-http-brotli-1.18.0-r13
-nginx-mod-http-dav-ext-1.18.0-r13
-nginx-mod-http-echo-1.18.0-r13
-nginx-mod-http-fancyindex-1.18.0-r13
-nginx-mod-http-geoip2-1.18.0-r13
-nginx-mod-http-headers-more-1.18.0-r13
-nginx-mod-http-image-filter-1.18.0-r13
-nginx-mod-http-nchan-1.18.0-r13
-nginx-mod-http-perl-1.18.0-r13
-nginx-mod-http-redis2-1.18.0-r13
-nginx-mod-http-set-misc-1.18.0-r13
-nginx-mod-http-upload-progress-1.18.0-r13
-nginx-mod-http-xslt-filter-1.18.0-r13
-nginx-mod-mail-1.18.0-r13
-nginx-mod-rtmp-1.18.0-r13
-nginx-mod-stream-1.18.0-r13
-nginx-mod-stream-geoip2-1.18.0-r13
-nginx-vim-1.18.0-r13
+nginx-1.18.0-r15
+nginx-mod-devel-kit-1.18.0-r15
+nginx-mod-http-brotli-1.18.0-r15
+nginx-mod-http-dav-ext-1.18.0-r15
+nginx-mod-http-echo-1.18.0-r15
+nginx-mod-http-fancyindex-1.18.0-r15
+nginx-mod-http-geoip2-1.18.0-r15
+nginx-mod-http-headers-more-1.18.0-r15
+nginx-mod-http-image-filter-1.18.0-r15
+nginx-mod-http-nchan-1.18.0-r15
+nginx-mod-http-perl-1.18.0-r15
+nginx-mod-http-redis2-1.18.0-r15
+nginx-mod-http-set-misc-1.18.0-r15
+nginx-mod-http-upload-progress-1.18.0-r15
+nginx-mod-http-xslt-filter-1.18.0-r15
+nginx-mod-mail-1.18.0-r15
+nginx-mod-rtmp-1.18.0-r15
+nginx-mod-stream-1.18.0-r15
+nginx-mod-stream-geoip2-1.18.0-r15
+nginx-vim-1.18.0-r15
 npth-1.6-r0
 oniguruma-6.9.6-r0
 openssl-1.1.1k-r0

readme-vars.yml

@@ -151,6 +151,9 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "24.06.21:", desc: "Update default nginx conf folder." }
+  - { date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`." }
+  - { date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6." }
   - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
   - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
   - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }

root/defaults/authelia-server.conf

@@ -1,16 +1,19 @@
-## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 
 location ^~ /authelia {
     include /config/nginx/proxy.conf;
-    resolver 127.0.0.11 valid=30s;
+    include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
     proxy_pass http://$upstream_authelia:9091;
 }
 
 location = /authelia/api/verify {
     internal;
-    resolver 127.0.0.11 valid=30s;
+    if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+        return 401;
+    }
+    include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
     proxy_pass_request_body off;
     proxy_pass http://$upstream_authelia:9091;

root/defaults/default

@@ -41,6 +41,17 @@ server {
     client_max_body_size 0;
 
     location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable the next two lines for ldap auth
+        #auth_request /auth;
+        #error_page 401 =200 /ldaplogin;
+
+        # enable for Authelia
+        #include /config/nginx/authelia-location.conf;
+
         try_files $uri $uri/ /index.html /index.php?$args =404;
     }
 
@@ -151,3 +162,5 @@ server {
 
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;

root/defaults/proxy.conf

@@ -15,7 +15,6 @@ proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;
 

root/etc/cont-init.d/50-config

@@ -81,9 +81,17 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 [[ ! -f /config/www/502.html ]] &&
     cp /defaults/502.html /config/www/502.html
 
-# Set resolver
+# Set resolver, ignore ipv6 addresses
 if ! grep -q 'resolver' /config/nginx/resolver.conf; then
-    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    for i in ${RESOLVERRAW}; do
+        if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then
+            RESOLVER="${RESOLVER} ${i}"
+        fi
+    done
+    if [ -z "${RESOLVER}" ]; then
+        RESOLVER="127.0.0.11"
+    fi
     echo "Setting resolver to ${RESOLVER}"
     echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
 fi
@@ -101,6 +109,11 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
     sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
 fi
 
+# patch authelia-server.conf for CVE-2021-32637
+if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
+    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
+fi
+
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
     cp /defaults/dhparams.pem /config/nginx/dhparams.pem