Bot Updating Package Versions

WebSocket proxying

.github/workflows/greetings.yml

@@ -1,6 +1,6 @@
 name: Greetings
 
-on: [pull_request, issues]
+on: [pull_request_target, issues]
 
 jobs:
   greeting:

README.md

@@ -35,7 +35,7 @@ Find us at:
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-swag%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/)
 [![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Flsio-ci.ams3.digitaloceanspaces.com%2Flinuxserver%2Fswag%2Flatest%2Fci-status.yml)](https://lsio-ci.ams3.digitaloceanspaces.com/linuxserver/swag/latest/index.html)
 
-SWAG - Secure Web-server And Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention.
+SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention.
 
 [![swag](https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/swag.gif)](https://linuxserver.io)
 
@@ -177,13 +177,16 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
  
 ## Application Setup
 
-### Migrating from the old `linuxserver/letsencrypt` image
-* If using docker cli:
-  * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
-  * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
-* If using docker compose:
-  * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
-  * Issue `docker-compose up -d --remove-orphans`
+> ### Migrating from the old `linuxserver/letsencrypt` image
+> * If using docker cli:
+>   * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
+>   * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
+> * If using docker compose:
+>   * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
+>   * Issue `docker-compose up -d --remove-orphans`
+>   * If you don't want to or can't use the option `--remove-orphans`, then you can first do `docker-compose down`, then edit the compose yaml as above, and then issue `docker-compose up -d`
+
+> Make sure to also update any references to this container by name. For instance, Nextcloud's `config.php` references this container in its `trusted_proxies` directive, which would have to be updated to `swag`.
 ### Validation and initial setup
 * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
 * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
@@ -228,6 +231,18 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
 * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
 * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+### Updating configs
+* This container creates a number of configs for nginx, proxy samples, etc.
+* Config updates are noted in the changelog but not automatically applied to your files.
+* If you have modified a file with noted changes in the changelog:
+  1. Keep your existing configs as is (not broken, don't fix)
+  2. Review our repository commits and apply the new changes yourself
+  3. Delete the modified config file with listed updates, restart the container, reapply your changes
+* If you have NOT modified a file with noted changes in the changelog:
+  1. Delete the config file with listed updates, restart the container, reapply your changes
+* Proxy sample updates are not listed in the changelog. See the changes here: [https://github.com/linuxserver/reverse-proxy-confs/commits/master](https://github.com/linuxserver/reverse-proxy-confs/commits/master)
+* Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
+* You can check the new sample and adjust your active config as needed.
 
 
 ## Docker Mods
@@ -300,4 +315,5 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **01.09.20:** - Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets.
 * **03.08.20:** - Initial release.

package_versions.txt

@@ -1,6 +1,6 @@
 alpine-baselayout-3.2.0-r7
 alpine-keys-2.2-r0
-apache2-utils-2.4.43-r0
+apache2-utils-2.4.46-r0
 apk-tools-2.10.5-r1
 apr-1.7.0-r0
 apr-util-1.6.1-r6
@@ -20,13 +20,13 @@ freetype-2.10.2-r0
 gdbm-1.13-r1
 git-2.26.2-r0
 git-perl-2.26.2-r0
-glib-2.64.4-r0
+glib-2.64.5-r0
 gmp-6.2.0-r0
 gnupg-2.2.20-r0
-gnutls-3.6.14-r0
+gnutls-3.6.15-r0
 icu-libs-67.1-r0
-ip6tables-1.8.4-r1
-iptables-1.8.4-r1
+ip6tables-1.8.4-r2
+iptables-1.8.4-r2
 libacl-2.2.53-r0
 libassuan-2.5.3-r0
 libattr-2.4.48-r0
@@ -58,7 +58,7 @@ libmnl-1.0.4-r0
 libmount-2.35.2-r0
 libnftnl-libs-1.1.6-r0
 libpng-1.6.37-r1
-libpq-12.3-r2
+libpq-12.4-r0
 libproc-3.3.16-r0
 libressl3.1-libcrypto-3.1.2-r0
 libressl3.1-libssl-3.1.2-r0
@@ -74,7 +74,7 @@ libtls-standalone-2.9.1-r1
 libunistring-0.9.10-r0
 libuuid-2.35.2-r0
 libwebp-1.1.0-r0
-libx11-1.6.11-r0
+libx11-1.6.12-r0
 libxau-1.0.9-r0
 libxcb-1.14-r1
 libxdmcp-1.1.3-r0
@@ -123,54 +123,54 @@ pcre2-10.35-r0
 perl-5.30.3-r0
 perl-error-0.17029-r0
 perl-git-2.26.2-r0
-php7-7.3.21-r0
-php7-bcmath-7.3.21-r0
-php7-bz2-7.3.21-r0
-php7-common-7.3.21-r0
-php7-ctype-7.3.21-r0
-php7-curl-7.3.21-r0
-php7-dom-7.3.21-r0
-php7-exif-7.3.21-r0
-php7-fileinfo-7.3.20-r0
-php7-fpm-7.3.20-r0
-php7-ftp-7.3.21-r0
-php7-gd-7.3.21-r0
-php7-iconv-7.3.21-r0
-php7-imap-7.3.21-r0
-php7-intl-7.3.21-r0
-php7-json-7.3.21-r0
-php7-ldap-7.3.21-r0
-php7-mbstring-7.3.21-r0
-php7-mysqli-7.3.21-r0
-php7-mysqlnd-7.3.21-r0
-php7-opcache-7.3.21-r0
-php7-openssl-7.3.21-r0
-php7-pdo-7.3.21-r0
-php7-pdo_mysql-7.3.21-r0
-php7-pdo_odbc-7.3.21-r0
-php7-pdo_pgsql-7.3.21-r0
-php7-pdo_sqlite-7.3.21-r0
-php7-pear-7.3.21-r0
+php7-7.3.22-r0
+php7-bcmath-7.3.22-r0
+php7-bz2-7.3.22-r0
+php7-common-7.3.22-r0
+php7-ctype-7.3.22-r0
+php7-curl-7.3.22-r0
+php7-dom-7.3.22-r0
+php7-exif-7.3.22-r0
+php7-fileinfo-7.3.22-r0
+php7-fpm-7.3.22-r0
+php7-ftp-7.3.22-r0
+php7-gd-7.3.22-r0
+php7-iconv-7.3.22-r0
+php7-imap-7.3.22-r0
+php7-intl-7.3.22-r0
+php7-json-7.3.22-r0
+php7-ldap-7.3.22-r0
+php7-mbstring-7.3.22-r0
+php7-mysqli-7.3.22-r0
+php7-mysqlnd-7.3.22-r0
+php7-opcache-7.3.22-r0
+php7-openssl-7.3.22-r0
+php7-pdo-7.3.22-r0
+php7-pdo_mysql-7.3.22-r0
+php7-pdo_odbc-7.3.22-r0
+php7-pdo_pgsql-7.3.22-r0
+php7-pdo_sqlite-7.3.22-r0
+php7-pear-7.3.22-r0
 php7-pecl-apcu-5.1.18-r0
 php7-pecl-igbinary-3.1.4-r0
 php7-pecl-mcrypt-1.0.3-r0
 php7-pecl-memcached-3.1.5-r0
 php7-pecl-redis-5.2.2-r1
-php7-pgsql-7.3.21-r0
-php7-phar-7.3.21-r0
-php7-posix-7.3.21-r0
-php7-session-7.3.21-r0
-php7-simplexml-7.3.20-r0
-php7-soap-7.3.21-r0
-php7-sockets-7.3.21-r0
-php7-sodium-7.3.21-r0
-php7-sqlite3-7.3.21-r0
-php7-tokenizer-7.3.21-r0
-php7-xml-7.3.21-r0
-php7-xmlreader-7.3.21-r0
-php7-xmlrpc-7.3.21-r0
-php7-xmlwriter-7.3.20-r0
-php7-zip-7.3.21-r0
+php7-pgsql-7.3.22-r0
+php7-phar-7.3.22-r0
+php7-posix-7.3.22-r0
+php7-session-7.3.22-r0
+php7-simplexml-7.3.22-r0
+php7-soap-7.3.22-r0
+php7-sockets-7.3.22-r0
+php7-sodium-7.3.22-r0
+php7-sqlite3-7.3.22-r0
+php7-tokenizer-7.3.22-r0
+php7-xml-7.3.22-r0
+php7-xmlreader-7.3.22-r0
+php7-xmlrpc-7.3.22-r0
+php7-xmlwriter-7.3.22-r0
+php7-zip-7.3.22-r0
 pinentry-1.1.0-r2
 popt-1.16-r7
 procps-3.3.16-r0

readme-vars.yml

@@ -4,7 +4,7 @@
 project_name: swag
 project_url: "https://linuxserver.io"
 project_logo: "https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/swag.gif"
-project_blurb: "SWAG - Secure Web-server And Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention."
+project_blurb: "SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention."
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
 
 project_blurb_optional_extras_enabled: false
@@ -76,13 +76,16 @@ optional_block_1_items: ""
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  ### Migrating from the old `linuxserver/letsencrypt` image
-  * If using docker cli:
-    * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
-    * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
-  * If using docker compose:
-    * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
-    * Issue `docker-compose up -d --remove-orphans`
+  > ### Migrating from the old `linuxserver/letsencrypt` image
+  > * If using docker cli:
+  >   * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
+  >   * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
+  > * If using docker compose:
+  >   * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
+  >   * Issue `docker-compose up -d --remove-orphans`
+  >   * If you don't want to or can't use the option `--remove-orphans`, then you can first do `docker-compose down`, then edit the compose yaml as above, and then issue `docker-compose up -d`
+
+  > Make sure to also update any references to this container by name. For instance, Nextcloud's `config.php` references this container in its `trusted_proxies` directive, which would have to be updated to `swag`.
   ### Validation and initial setup
   * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
   * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
@@ -127,10 +130,23 @@ app_setup_block: |
   * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
   * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
   * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+  ### Updating configs
+  * This container creates a number of configs for nginx, proxy samples, etc.
+  * Config updates are noted in the changelog but not automatically applied to your files.
+  * If you have modified a file with noted changes in the changelog:
+    1. Keep your existing configs as is (not broken, don't fix)
+    2. Review our repository commits and apply the new changes yourself
+    3. Delete the modified config file with listed updates, restart the container, reapply your changes
+  * If you have NOT modified a file with noted changes in the changelog:
+    1. Delete the config file with listed updates, restart the container, reapply your changes
+  * Proxy sample updates are not listed in the changelog. See the changes here: [https://github.com/linuxserver/reverse-proxy-confs/commits/master](https://github.com/linuxserver/reverse-proxy-confs/commits/master)
+  * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
+  * You can check the new sample and adjust your active config as needed.
 
 app_setup_nginx_reverse_proxy_snippet: false
 app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
-  - { date: "03.08.20:", desc: "Initial release." }
+  - { date: "01.09.20:", desc: "Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets." }
+  - { date: "03.08.20:", desc: "Initial release." }

root/defaults/nginx.conf

@@ -1,4 +1,4 @@
-## Version 2019/12/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 
 user abc;
 worker_processes 4;
@@ -23,7 +23,7 @@ http {
 	types_hash_max_size 2048;
 	variables_hash_max_size 2048;
 	large_client_header_buffers 4 16k;
-	
+
 	# server_tokens off;
 
 	# server_names_hash_bucket_size 64;
@@ -72,6 +72,14 @@ http {
 	#passenger_root /usr;
 	#passenger_ruby /usr/bin/ruby;
 
+	##
+	# WebSocket proxying
+	##
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      close;
+	}
+
 	##
 	# Virtual Host Configs
 	##

root/defaults/proxy.conf

@@ -1,4 +1,4 @@
-## Version 2019/10/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
 
 client_body_buffer_size 128k;
 
@@ -23,7 +23,8 @@ proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_redirect  http://  $scheme://;
 proxy_http_version 1.1;
-proxy_set_header Connection "";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
 #proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
 proxy_cache_bypass $cookie_session;
 proxy_no_cache $cookie_session;