see commit body

zh-lang by @ZhWn
update alpine to 3.22 (includes openssl 3.5)
remove liboqs/oqs-provider sinc eopenssl 3.5 now has mlkem support
dep updates
run internal APIs in unix sockets instead of tcp ports
improve templates (not done yeet)

Signed-off-by: Zoey <zoey@z0ey.de>

Author: renovate[bot]

.github/workflows/docker.yml

@@ -65,6 +65,7 @@ jobs:
           sed -i "s|\"0.0.0\"|\"$version\"|g" frontend/js/i18n/en-lang.json
           sed -i "s|\"0.0.0\"|\"$version\"|g" frontend/js/i18n/de-lang.json
           sed -i "s|\"0.0.0\"|\"$version\"|g" frontend/js/i18n/it-lang.json
+          sed -i "s|\"0.0.0\"|\"$version\"|g" frontend/js/i18n/zh-lang.json
           sed -i "s|\"0.0.0\"|\"$version\"|g" frontend/package.json
           sed -i "s|\"0.0.0\"|\"$version\"|g" backend/package.json
       - name: Build

.github/workflows/spellcheck.yml

@@ -15,4 +15,5 @@ jobs:
         with:
           check_filenames: true
           check_hidden: true
-          skip: .git,.gitignore,yarn.lock,de-lang.json,it-lang.json,showdown.min.js,jquery.min.js,xregexp-all.js
+          skip: .git,.gitignore,yarn.lock,de-lang.json,it-lang.json,zh-lang.json,showdown.min.js,jquery.min.js,xregexp-all.js
+          ignore_words_list: alog

Caddy.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21.3
+FROM alpine:3.22.0
 RUN apk add --no-cache ca-certificates tzdata
 COPY --from=caddy:2.10.0 /usr/bin/caddy /usr/bin/caddy
 COPY Caddyfile /etc/caddy/Caddyfile

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:labs
-FROM --platform="$BUILDPLATFORM" alpine:3.21.3 AS frontend
+FROM --platform="$BUILDPLATFORM" alpine:3.22.0 AS frontend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG NODE_ENV=production
 COPY frontend                        /app
@@ -13,7 +13,7 @@ COPY darkmode.css /app/dist/css/darkmode.css
 COPY security.txt /app/dist/.well-known/security.txt
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.21.3 AS build-backend
+FROM --platform="$BUILDPLATFORM" alpine:3.22.0 AS build-backend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG NODE_ENV=production \
     TARGETARCH
@@ -28,16 +28,16 @@ RUN apk upgrade --no-cache -a && \
     else yarn install; fi && \
     yarn cache clean && \
     clean-modules --yes
-FROM alpine:3.21.3 AS strip-backend
+FROM alpine:3.22.0 AS strip-backend
 COPY --from=build-backend /app /app
 RUN apk upgrade --no-cache -a && \
     apk add --no-cache ca-certificates binutils file && \
     find /app/node_modules -name "*.node" -type f -exec strip -s {} \; && \
     find /app/node_modules -name "*.node" -type f -exec file {} \;
 
-FROM --platform="$BUILDPLATFORM" alpine:3.21.3 AS crowdsec
+FROM --platform="$BUILDPLATFORM" alpine:3.22.0 AS crowdsec
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-ARG CSNB_VER=v1.1.1
+ARG CSNB_VER=v1.1.2
 WORKDIR /src
 RUN apk upgrade --no-cache -a && \
     apk add --no-cache ca-certificates git build-base && \
@@ -62,10 +62,10 @@ RUN apk upgrade --no-cache -a && \
     sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:485-python
+FROM zoeyvid/nginx-quic:514-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ENV NODE_ENV=production
-ARG CRS_VER=v4.14.0
+ARG CRS_VER=v4.15.0
 
 COPY rootfs /
 COPY --from=strip-backend /app /app

README.md

@@ -1,7 +1,6 @@
 # NPMplus
 
-This is an improved fork of the nginx-proxy-manager and comes as a pre-built docker image that enables you to easily forward to your websites
-running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot. <br>
+This is an improved fork of the nginx-proxy-manager and comes as a pre-built docker image that enables you to easily forward to your websites running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot. <br>
 If you don't need the web GUI of NPMplus, you may also have a look at caddy: https://caddyserver.com
 
 - [Quick Setup](#quick-setup)
@@ -31,7 +30,7 @@ so that the barrier for entry here is low.
 - Supports HTTP/3 (QUIC) protocol, requires you to expose https with udp.
 - Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
 - goaccess included, see compose.yaml to enable, runs by default on `https://<ip>:91` (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf))
-- Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npmplus/modsecurity` folder (no support from me, you need to write the rules yourself - for CoreRuleSet I can try to help you).
+- Supports ModSecurity (which tends to overblocking), with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npmplus/modsecurity` folder (no support from me, you need to write the rules yourself - for CoreRuleSet I can try to help you).
   - By default NPMplus UI does not work when you proxy NPMplus through NPMplus and you have CoreRuleSet enabled, see below
   - ModSecurity by default blocks uploads of big files, you need to edit its config to fix this, but it can use a lot of resources to scan big files by ModSecurity
   - ModSecurity overblocking (403 Error) when using CoreRuleSet? Please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning) and edit the `/opt/npmplus/modsecurity/crs-setup.conf` file.
@@ -58,8 +57,7 @@ so that the barrier for entry here is low.
 - `Server` response header hidden
 - PHP optional, with option to add extensions; available packages can added using envs in the compose file, recommended to be used together with PUID/PGID
 - Allows different acme servers using env
-- Supports up to 99 domains per cert
-- Brotli compression can be enabled
+- Supports Brotli compression
 - punycode domain support
 - HTTP/2 always enabled with fixed upload
 - Allows infinite upload size (may be limited if you use ModSecurity)
@@ -107,18 +105,20 @@ The default admin password will be logged to the NPMplus docker logs <br>
 Immediately after logging in with this default user you will be asked to modify your details and change your password. <br>
 
 # Crowdsec
-Note: Using Immich behind NPMplus with enabled appsec causes issues, see here: [#1241](https://github.com/ZoeyVid/NPMplus/discussions/1241)
+Note: Using Immich behind NPMplus with enabled appsec causes issues, see here: [#1241](https://github.com/ZoeyVid/NPMplus/discussions/1241) <br>
+Note: If you don't [disable sharing in crowdsec](https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/#sharing), you need to mention that [this](https://docs.crowdsec.net/docs/central_api/intro/#signal-meta-data) is sent to crowdsec in your privacy policy.
 1. Install crowdsec and the ZoeyVid/npmplus collection for example by using crowdsec container at the end of the compose.yaml
 2. set LOGROTATE to `true` in your `compose.yaml` and redeploy
 3. open `/opt/crowdsec/conf/acquis.d/npmplus.yaml` (path may be different depending how you installed crowdsec) and fill it with:
 ```yaml
 filenames:
-  - /opt/npmplus/nginx/*.log
+  - /opt/npmplus/nginx/access.log
+  - /opt/npmplus/nginx/error.log
 labels:
   type: npmplus
 ---
 filenames:
-  - /opt/npmplus/nginx/*.log
+  - /opt/npmplus/nginx/error.log
 labels:
   type: modsecurity
 ---
@@ -227,7 +227,7 @@ proxy_set_header X-authentik-uid $authentik_uid;
 #auth_request_set $authentik_auth $upstream_http_authorization;
 #proxy_set_header Authorization $authentik_auth;
 ```
-2. create a location with the path `/outpost.goauthentik.io`, this should proxy to your authentik, examples: http://authentik.company:9000/outpost.goauthentik.io (embedded outpost) or http://outpost.company:9000 (manual outpost deployments), then press the gear button and paste the following in the new text field
+2. create a location with the path `/outpost.goauthentik.io`, this should proxy to your authentik, examples: `http://authentik.company:9000/outpost.goauthentik.io` (embedded outpost) or `http://outpost.company:9000` (manual outpost deployments), then press the gear button and paste the following in the new text field
 ```
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 more_set_headers 'Set-Cookie: $auth_cookie';
@@ -273,6 +273,37 @@ proxy_pass_request_body off;
 proxy_set_header Content-Length "";
 ```
 
+### tinyauth config example (no guarantee for security of it)
+1. create a custom location / (or the location you want to use), set your proxy settings, then press the gear button and paste the following in the new text field:
+```
+auth_request /tinyauth;
+error_page 401 = @tinyauth_login;
+```
+2. create a location with the path `/tinyauth`, this should proxy to your tinyauth, example: `http://<ip>:<port>/api/auth/nginx`
+3. paste the following in the advanced config tab, you may need to adjust the last lines:
+```
+location @tinyauth_login {
+    internal;
+    return 302 http://tinyauth.example.com/login?redirect_uri=$scheme://$host$request_uri; # Make sure to replace the http://tinyauth.example.com with your own app URL
+}
+```
+
+### Hints for Your Privacy Policy
+**Note: This is not legal advice. The following points are intended to give you hints and help you identify areas that may be relevant to your privacy policy. This list may not be complete or correct.**
+1. NPMplus **always** writes the nginx error logs to your Docker logs; it uses the error level “warn” (so every error nginx and the nginx modules mark as error level “warn” or higher will be logged), as it contains user information (like IPs) you should mention it in your privacy policy. With the default installation no user data should leave your system because of NPMplus (except for data sent to your backends, as this is the task of a reverse proxy), this should be the only data created by NPMplus containing user information by default.
+2. If you enable `LOGROTATE` the access and error (also level “warn”) logs will be written to your disk and rotated every 25 hours and deleted based on your set number of set rotations. The access logs use these formats: [http](https://github.com/ZoeyVid/NPMplus/blob/c6a2df722390eb3f4377c603e16587fe8c74e54f/rootfs/usr/local/nginx/conf/nginx.conf#L30) and [stream](https://github.com/ZoeyVid/NPMplus/blob/c6a2df722390eb3f4377c603e16587fe8c74e54f/rootfs/usr/local/nginx/conf/nginx.conf#L249). These include user information (like IPs), so make sure to also mention that these exist and what you are doing with them.
+3. If you use crowdsec, and you do **not** [disable sharing in crowdsec](https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/#sharing), you need to mention that [this](https://docs.crowdsec.net/docs/central_api/intro/#signal-meta-data) is sent to crowdsec in your privacy policy.
+4. If you block IPs like for example through access lists, geoip and/or crowdsec block lists, then you may also need to be mention this.
+5. If GoAccess is enabled, it processes access logs to generate statistics, which are saved on disk for a time you can configure. These statistics include user information (like IPs), so make sure to also mention this.
+6. If you use the PHP-FPM option, error logs from PHP-FPM will also be written to Docker logs. These include user information (like IPs), so make sure to also mention this.
+7. If you use open-appsec `NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE`, you should also include information about it; since I don't use it myself, I can't give you further hints.
+8. If you collect any user information (like through other custom nginx modules, modules you can load via env, lua scripts, ...), also mention it.
+10. If you use the caddy http to https redirect container, you should also mention the data collected by it, since it will also collect (error) logs.
+11. If you do any extra custom/advanced configuration/modification, which is in someway related to the users data, then yes, keep in mind to also mention this.
+12. Anything else you do with the users data, should also be mentioned. (Like what you backend does or any other proxies in front of NPMplus, how data is stored, how long, ads, analytic tools, how data is handled if they contact your, etc.)
+13. I think this does not need to be mentioned, but you can mention it if you want to be sure (does not apply if you use letsencrypt, they don't support OCSP anymore): some clients (like firefox) send OCSP requests to your CA by default if the CA adds OCSP-URLs to your cert (can be disabled by the users in firefox), I think this does not need to be mentioned as no data goes to you, but directly to the CA and the client initiates this check by itself and is not ask or required by you to do this, your cert just says the the client can check this if it wants
+14. Also optional and should no be required, I think: some information about the data saved by the nameservers running your domain, should not be required I think, since nearly always there is a provider between the users and your nameserver which acts like a proxy so the dns requests of your users will be hidden as theier provider, which instead should explain theier users how they handle data as "dns proxy"
+
 ### prerun scripts (EXPERT option) - if you don't know what this is, ignore it
 if you need to run scripts before NPMplus launches put them under: `/opt/npmplus/prerun/*.sh` (please add `#!/usr/bin/env sh` / `#!/usr/bin/env bash` to the top of the script) you need to create this folder yourself, also enable the env
 

backend/index.js

@@ -21,8 +21,8 @@ async function appStart() {
 			internalCertificate.initTimer();
 			internalIpRanges.initTimer();
 
-			const server = app.listen(Number(process.env.NIBEP), '127.0.0.1', () => {
-				logger.info('Backend PID ' + process.pid + ' listening on port ' + process.env.NIBEP);
+			const server = app.listen('/run/npmplus.sock', () => {
+				logger.info('Backend PID ' + process.pid + ' listening on unix socket');
 
 				process.on('SIGTERM', () => {
 					logger.info('PID ' + process.pid + ' received SIGTERM');

backend/internal/ip_ranges.js

@@ -104,7 +104,7 @@ const internalIpRanges = {
 			let template = null;
 			const filename = '/tmp/ip_ranges.conf';
 			try {
-				template = fs.readFileSync('/app/templates/ip_ranges.conf', { encoding: 'utf8' });
+				template = fs.readFileSync('/app/templates/_ip_ranges.conf', { encoding: 'utf8' });
 			} catch (err) {
 				reject(new error.ConfigurationError(err.message));
 				return;

backend/package.json

@@ -4,7 +4,7 @@
   "description": "A beautiful interface for creating Nginx endpoints",
   "main": "index.js",
   "dependencies": {
-    "@apidevtools/json-schema-ref-parser": "12.0.2",
+    "@apidevtools/json-schema-ref-parser": "13.0.5",
     "ajv": "8.17.1",
     "apache-md5": "1.1.8",
     "archiver": "7.0.1",
@@ -23,7 +23,7 @@
     "moment": "2.30.1",
     "mysql2": "3.14.1",
     "node-rsa": "1.1.1",
-    "openid-client": "6.5.0",
+    "openid-client": "6.5.1",
     "objection": "3.1.5",
     "path": "0.12.7",
     "pg": "8.16.0",
@@ -33,12 +33,12 @@
   "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
   "license": "MIT",
   "devDependencies": {
-    "@apidevtools/swagger-parser": "10.1.1",
-    "@eslint/js": "9.27.0",
-    "eslint": "9.27.0",
+    "@apidevtools/swagger-parser": "11.0.1",
+    "@eslint/js": "9.29.0",
+    "eslint": "9.29.0",
     "eslint-config-prettier": "10.1.5",
-    "eslint-plugin-prettier": "5.4.0",
-    "globals": "16.1.0",
+    "eslint-plugin-prettier": "5.4.1",
+    "globals": "16.2.0",
     "prettier": "3.5.3"
   },
   "scripts": {