Compare commits

..

10 Commits

Author SHA1 Message Date
LinuxServer-CI 2c22ce9573 Bot Updating Package Versions 2026-07-15 18:14:31 +00:00
Eric Nemchik 0a34712336 Merge pull request #594 from jonathanmajh/patch-1
Update tinyauth-location.conf.sample for Forward Auth
2026-07-11 21:48:18 -05:00
Eric Nemchik 4e7e4f7fee Merge branch 'master' into patch-1 2026-07-11 21:07:22 -05:00
Jonathan Ma e39c6487f7 Update root/defaults/nginx/tinyauth-location.conf.sample
Co-authored-by: Eric Nemchik <eric@nemchik.com>
2026-07-11 12:58:10 -04:00
LinuxServer-CI 493982d27e Bot Updating Templated Files 2026-07-10 22:15:07 +00:00
LinuxServer-CI 1e2b94980c Bot Updating Templated Files 2026-07-10 22:13:20 +00:00
Eric Nemchik b3185a5eff Merge pull request #607 from Sausageroll2077/master
Add CERT_PROFILE support and improve ARI renewal scheduling
2026-07-10 17:11:32 -05:00
Sausageroll2077 e857f808b0 Add CERT_PROFILE support and simplify renewal scheduling
Add CERT_PROFILE env var for Let's Encrypt cert profiles. Run certbot
twice daily via a cron entry with a random delay instead of the previous
sed-based cron randomization. Update changelog.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-11 00:09:29 +02:00
Jonathan Ma 6b1745980a Merge branch 'master' into patch-1 2026-04-23 08:56:57 -04:00
Jonathan Ma 3ffa4aaa77 Update tinyauth-location.conf.sample for Forward Auth
Updated version information and added headers for Forward Auth in the tinyauth NGINX configuration.
2025-12-17 15:28:03 -05:00
7 changed files with 66 additions and 29 deletions
+5 -1
View File
@@ -68,7 +68,7 @@ The architectures supported by this image are:
2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
* `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
* After setup, navigate to `https://example.com` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
* Certs are checked twice daily using ACME Renewal Information (ARI) to determine the optimal renewal window. If your cert is about to expire, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing.
### Certbot Plugins
@@ -190,6 +190,7 @@ services:
- VALIDATION=http
- SUBDOMAINS=www, #optional
- CERTPROVIDER= #optional
- CERT_PROFILE= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- EMAIL= #optional
@@ -221,6 +222,7 @@ docker run -d \
-e VALIDATION=http \
-e SUBDOMAINS=www, `#optional` \
-e CERTPROVIDER= `#optional` \
-e CERT_PROFILE= `#optional` \
-e DNSPLUGIN=cloudflare `#optional` \
-e PROPAGATION= `#optional` \
-e EMAIL= `#optional` \
@@ -254,6 +256,7 @@ Containers are configured using parameters passed at runtime (such as those abov
| `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
| `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
| `-e CERT_PROFILE=` | Optionally define a cert profile to use for cert generation. This is useful if you want to use a custom cert profile instead of the default one. Currently only supported for Let's Encrypt. See https://letsencrypt.org/docs/profiles/ |
| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `hetzner-cloud`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `mijn-host`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
| `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
| `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
@@ -433,6 +436,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions
* **10.07.26:** - Add support for Let's Encrypt cert profiles. Run certbot twice daily with a random delay.
* **19.06.26:** - Add support for mijn.host dns validation.
* **01.06.26:** - Remove obsolete old cert check logic.
* **23.01.26:** - Reorder init to fix proxy conf version checks.
+20 -20
View File
@@ -1,13 +1,13 @@
NAME VERSION TYPE
Simple Launcher 1.1.0.14 binary (+5 duplicates)
acl-libs 2.3.2-r1 apk
acme 5.6.0 python
acme 5.7.0 python
alpine-baselayout 3.7.0-r0 apk
alpine-baselayout-data 3.7.0-r0 apk
alpine-keys 2.5-r0 apk
alpine-release 3.22.5-r0 apk
annotated-types 0.7.0 python
anyio 4.14.1 python
anyio 4.14.2 python
aom-libs 3.12.1-r0 apk
apache2-utils 2.4.68-r0 apk
apk-tools 2.14.10-r0 apk
@@ -23,8 +23,8 @@ azure-mgmt-dns 9.0.0 python
backports-tarfile 1.2.0 python
bash 5.2.37-r0 apk
beautifulsoup4 4.15.0 python
boto3 1.43.46 python
botocore 1.43.46 python
boto3 1.43.48 python
botocore 1.43.48 python
brotli-libs 1.1.0-r2 apk
bs4 0.0.2 python
busybox 1.37.0-r20 apk
@@ -34,18 +34,18 @@ c-client 2007f-r15 apk
ca-certificates 20260611-r0 apk
ca-certificates-bundle 20260611-r0 apk
catatonit 0.2.1-r0 apk
certbot 5.6.0 python
certbot 5.7.0 python
certbot-dns-acmedns 0.1.0 python
certbot-dns-aliyun 2.0.0 python
certbot-dns-azure 1.5.0 python
certbot-dns-bunny 3.0.0 python
certbot-dns-cloudflare 5.6.0 python
certbot-dns-cloudflare 5.7.0 python
certbot-dns-cpanel 0.4.0 python
certbot-dns-desec 1.3.2 python
certbot-dns-digitalocean 5.6.0 python
certbot-dns-digitalocean 5.7.0 python
certbot-dns-directadmin 1.0.15 python
certbot-dns-dnsimple 5.6.0 python
certbot-dns-dnsmadeeasy 5.6.0 python
certbot-dns-dnsimple 5.7.0 python
certbot-dns-dnsmadeeasy 5.7.0 python
certbot-dns-dnspod 0.1.0 python
certbot-dns-do 0.31.0 python
certbot-dns-domeneshop 0.2.9 python
@@ -53,29 +53,29 @@ certbot-dns-dreamhost 1.0 python
certbot-dns-duckdns 1.8.0 python
certbot-dns-dynudns 0.0.6 python
certbot-dns-freedns 0.2.0 python
certbot-dns-gehirn 5.6.0 python
certbot-dns-gehirn 5.7.0 python
certbot-dns-glesys 2.1.0 python
certbot-dns-godaddy 2.8.0 python
certbot-dns-google 5.6.0 python
certbot-dns-google 5.7.0 python
certbot-dns-he 1.0.0 python
certbot-dns-hetzner 4.0.0 python
certbot-dns-hetzner-cloud 1.0.5 python
certbot-dns-infomaniak 0.2.4 python
certbot-dns-inwx 3.0.3 python
certbot-dns-ionos 2024.11.9 python
certbot-dns-linode 5.6.0 python
certbot-dns-linode 5.7.0 python
certbot-dns-loopia 1.0.1 python
certbot-dns-luadns 5.6.0 python
certbot-dns-luadns 5.7.0 python
certbot-dns-mijn-host 0.0.9 python
certbot-dns-namecheap 1.0.0 python
certbot-dns-netcup 2.0.3 python
certbot-dns-njalla 2.0.2 python
certbot-dns-nsone 5.6.0 python
certbot-dns-ovh 5.6.0 python
certbot-dns-nsone 5.7.0 python
certbot-dns-ovh 5.7.0 python
certbot-dns-porkbun 0.11.0 python
certbot-dns-rfc2136 5.6.0 python
certbot-dns-route53 5.6.0 python
certbot-dns-sakuracloud 5.6.0 python
certbot-dns-rfc2136 5.7.0 python
certbot-dns-route53 5.7.0 python
certbot-dns-sakuracloud 5.7.0 python
certbot-dns-standalone 1.2.1 python
certbot-dns-transip 0.5.2 python
certbot-dns-vultr 1.1.0 python
@@ -87,7 +87,7 @@ cli UNKNOWN binary
cli-32 UNKNOWN binary
cli-64 UNKNOWN binary
cli-arm64 UNKNOWN binary
cloudflare 5.4.0 python
cloudflare 5.5.0 python
composer 2.10.2 binary
configargparse 1.7 python
configobj 5.0.8 python
@@ -124,7 +124,7 @@ gnupg-wks-client 2.4.9-r0 apk
gnutls 3.8.13-r0 apk
google-api-core 2.30.3 python
google-api-python-client 2.198.0 python
google-auth 2.55.2 python
google-auth 2.56.0 python
google-auth-httplib2 0.4.0 python
googleapis-common-protos 1.75.0 python
gpg 2.4.9-r0 apk
+3 -1
View File
@@ -32,6 +32,7 @@ opt_param_usage_include_env: true
opt_param_env_vars:
- {env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)"}
- {env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt."}
- {env_var: "CERT_PROFILE", env_value: "", desc: "Optionally define a cert profile to use for cert generation. This is useful if you want to use a custom cert profile instead of the default one. Currently only supported for Let's Encrypt. See https://letsencrypt.org/docs/profiles/ "}
- {env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `hetzner-cloud`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `mijn-host`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`."}
- {env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins."}
- {env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)."}
@@ -65,7 +66,7 @@ app_setup_block: |
2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
* `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
* After setup, navigate to `https://example.com` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
* Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
* Certs are checked twice daily using ACME Renewal Information (ARI) to determine the optimal renewal window. If your cert is about to expire, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing.
### Certbot Plugins
@@ -219,6 +220,7 @@ init_diagram: |
"swag:latest" <- Base Images
# changelog
changelogs:
- {date: "10.07.26:", desc: "Add support for Let's Encrypt cert profiles. Run certbot twice daily with a random delay."}
- {date: "19.06.26:", desc: "Add support for mijn.host dns validation."}
- {date: "01.06.26:", desc: "Remove obsolete old cert check logic."}
- {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
@@ -1,4 +1,4 @@
## Version 2025/06/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-location.conf.sample
## Version 2025/12/17 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-location.conf.sample
# Make sure that your tinyauth container is in the same user defined bridge network and is named tinyauth
# Rename /config/nginx/proxy-confs/tinyauth.subdomain.conf.sample to /config/nginx/proxy-confs/tinyauth.subdomain.conf
@@ -7,3 +7,17 @@ auth_request /tinyauth;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
error_page 401 = @tinyauth_login;
## Translate the user information response headers from the auth subrequest into variables
auth_request_set $email $upstream_http_remote_email;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $user $upstream_http_remote_user;
## Inject the user information into the request made to the actual upstream
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-User $user;
## Can be extended with more custom headers https://tinyauth.app/docs/reference/headers#nginxnginx-proxy-manager
+1 -1
View File
@@ -5,4 +5,4 @@
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1
0 */12 * * * sleep $((60 + $RANDOM % 230)); /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1
@@ -12,12 +12,13 @@ EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
CERTPROVIDER=${CERTPROVIDER}\\n\
CERT_PROFILE=${CERT_PROFILE}\\n\
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"
# Sanitize variables
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER CERT_PROFILE)
for i in "${SANED_VARS[@]}"; do
export echo "${i}"="${!i//\"/}"
export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
@@ -80,7 +81,7 @@ if [[ -f "/config/donoteditthisfile.conf" ]]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\" ORIGCERT_PROFILE=\"${CERT_PROFILE}\"" >/config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf"
fi
@@ -186,7 +187,8 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
[[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
[[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]] ||
[[ ! "${CERT_PROFILE}" = "${ORIGCERT_PROFILE}" ]]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
@@ -204,7 +206,7 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
fi
# saving new variables
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\" ORIGCERT_PROFILE=\"${CERT_PROFILE}\"" >/config/.donoteditthisfile.conf
# if zerossl is selected or staging is set to true, use the relevant server
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
@@ -227,6 +229,21 @@ fi
set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
# set certificate profile (e.g. "shortlived" for 6-day certs, "classic" for 90-day)
# Profiles are a Let's Encrypt ACME feature; ZeroSSL ignores it.
if [[ -n "${CERT_PROFILE}" ]]; then
if [[ "${CERTPROVIDER}" = "zerossl" ]]; then
echo "ZeroSSL does not support ACME profiles, ignoring CERT_PROFILE variable"
sed -i "/^preferred-profile\b/d" /config/etc/letsencrypt/cli.ini
else
echo "Requesting certificate with profile: ${CERT_PROFILE}"
set_ini_value "preferred-profile" "${CERT_PROFILE}" /config/etc/letsencrypt/cli.ini
fi
else
# remove if previously set so going back to default works
sed -i "/^preferred-profile\b/d" /config/etc/letsencrypt/cli.ini
fi
# figuring out domain only vs domain & subdomains vs subdomains only
DOMAINS_ARRAY=()
if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
+1 -1
View File
@@ -3,7 +3,7 @@
# Check if the cert is expired or expires within a day, if so, renew
if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts."
else
echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
/app/le-renew.sh