dep updates/enable ssl_dyn_rec_enable/fix nginx in background/remove tempwrite

Signed-off-by: Zoey <zoey@z0ey.de>
2026-03-04 19:18:04 +00:00 · 2023-07-08 17:02:08 +02:00
11 changed files with 70 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
+backend/certbot-dns-plugins.js
+frontend/certbot-dns-plugins.js
+
 # User-specific stuff
 .idea
 desktop.files.json
@@ -780,4 +783,4 @@ node_modules/
 # ignore log files and databases
 *.log
 *.sql
-*.sqlite
+*.sqlite
--- a/2
+++ b/2
@@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
    sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/crowdsec.conf|g" lua-mod/config_example.conf


-FROM zoeyvid/nginx-quic:157
+FROM zoeyvid/nginx-quic:176
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata \
    lua5.1-lzlib \
--- a/README.md
+++ b/README.md
@@ -20,6 +20,9 @@ running at home or otherwise, including free TLS, without having to know too muc
 - [Screenshots](https://nginxproxymanager.com/screenshots)


+# Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork kills nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
+
+
 ## Project Goal

 I created this project to fill a personal need to provide users with a easy way to accomplish reverse
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -1,7 +1,6 @@
 const _                = require('lodash');
 const fs               = require('fs');
 const https            = require('https');
-const tempWrite        = require('temp-write');
 const moment           = require('moment');
 const logger           = require('../logger').ssl;
 const error            = require('../lib/error');
@@ -11,6 +10,7 @@ const dnsPlugins       = require('../certbot-dns-plugins');
 const internalAuditLog = require('./audit-log');
 const internalNginx    = require('./nginx');
 const archiver         = require('archiver');
+const crypto           = require('crypto');
 const path             = require('path');
 const { isArray }      = require('lodash');

@@ -637,8 +637,10 @@ const internalCertificate = {
 	 * @param {String}  private_key    This is the entire key contents as a string
 	 */
 	checkPrivateKey: (private_key) => {
-		return tempWrite(private_key, '/tmp')
-			.then((filepath) => {
+		const randomName = crypto.randomBytes(8).toString('hex');
+		const filepath   = path.join('/tmp', 'certificate_' + randomName);
+		return fs.writeFileSync(filepath, private_key)
+			.then(() => {
 				return new Promise((resolve, reject) => {
 					const failTimeout = setTimeout(() => {
 						reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
@@ -670,8 +672,10 @@ const internalCertificate = {
 	 * @param {Boolean} [throw_expired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfo: (certificate, throw_expired) => {
-		return tempWrite(certificate, '/tmp')
-			.then((filepath) => {
+		const randomName = crypto.randomBytes(8).toString('hex');
+		const filepath   = path.join('/root', 'certificate_' + randomName);
+		return fs.writeFileSync(filepath, certificate)
+			.then(() => {
 				return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired)
 					.then((certData) => {
 						fs.unlinkSync(filepath);
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -5,6 +5,8 @@ const config = require('../lib/config');
 const utils  = require('../lib/utils');
 const error  = require('../lib/error');

+const NgxPidFilePath = '/usr/local/nginx/logs/nginx.pid';
+
 const internalNginx = {

 	/**
@@ -111,11 +113,21 @@ const internalNginx = {
 	/**
 	 * @returns {Promise}
 	 */
+
 	reload: () => {
 		return internalNginx.test()
 			.then(() => {
-				logger.info('Restarting Nginx');
-				return utils.exec('kill $(cat /usr/local/nginx/logs/nginx.pid); nginx');
+				if (fs.existsSync(NgxPidFilePath)) {
+					const ngxPID = fs.readFileSync(NgxPidFilePath, 'utf8').trim();
+					if (ngxPID.length > 0) {
+						logger.info('Killing Nginx');
+						utils.exec(`kill ${ngxPID}`);
+					}
+				}
+				logger.info('Starting Nginx after three seconds');
+				setTimeout(() => {
+					utils.execfg('nginx');
+				}, 3000);
 			});
 	},

--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -96,7 +96,7 @@ const generateKeys = () => {
 	try {
 		fs.writeFileSync(keysFile, JSON.stringify(keys, null, 2));
 	} catch (err) {
-		logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' . err.message);
+		logger.error('Could not write JWT key pair to config file: ' + keysFile + ': ' + err.message);
 		process.exit(1);
 	}
 	logger.info('Wrote JWT key pair to config file: ' + keysFile);
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -1,5 +1,6 @@
 const _          = require('lodash');
 const exec       = require('child_process').exec;
+const spawn      = require('child_process').spawn;
 const execFile   = require('child_process').execFile;
 const { Liquid } = require('liquidjs');
 const logger     = require('../logger').global;
@@ -22,6 +23,33 @@ module.exports = {
 		});
 	},

+	/**
+	 * @param   {String} cmd
+	 * @returns {Promise}
+	 */
+	execfg: function (cmd) {
+		return new Promise((resolve, reject) => {
+			const childProcess = spawn(cmd, {
+				shell:    true,
+				detached: true,
+				stdio:    'inherit' // Use the same stdio as the current process
+			});
+
+			childProcess.on('error', (err) => {
+				reject(err);
+			});
+
+			childProcess.on('close', (code) => {
+				if (code !== 0) {
+					reject(new Error(`Command '${cmd}' exited with code ${code}`));
+				} else {
+					resolve();
+				}
+			});
+		});
+	},
+
+
 	/**
 	 * @param   {String} cmd
 	 * @param   {Array}  args
--- a/backend/package.json
+++ b/backend/package.json
@@ -14,23 +14,25 @@
    "express": "4.18.2",
    "express-fileupload": "1.4.0",
    "gravatar": "1.8.2",
-    "jsonwebtoken": "9.0.0",
+    "jsonwebtoken": "9.0.1",
    "knex": "2.4.2",
-    "liquidjs": "10.8.2",
+    "liquidjs": "10.8.4",
    "lodash": "4.17.21",
    "moment": "2.29.4",
    "mysql": "2.18.1",
    "node-rsa": "1.1.1",
-    "objection": "3.0.1",
+    "objection": "3.0.4",
    "path": "0.12.7",
    "signale": "1.4.0",
-    "sqlite3": "5.1.6",
-    "temp-write": "4.0.0"
+    "sqlite3": "5.1.6"
+  },
+  "resolutions": {
+    "semver": "7.5.4"
  },
  "author": "Jamie Curnow <jc@jc21.com>",
  "license": "MIT",
  "devDependencies": {
-    "eslint": "8.42.0",
+    "eslint": "8.44.0",
    "eslint-plugin-align-assignments": "1.1.2"
  }
 }
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,7 +4,7 @@
  "description": "A beautiful interface for creating Nginx endpoints",
  "main": "js/index.js",
  "dependencies": {
-    "@babel/core": "7.22.5",
+    "@babel/core": "7.22.8",
    "babel-core": "6.26.3",
    "babel-loader": "8.3.0",
    "babel-preset-env": "1.7.0",
--- a/rootfs/bin/launch.sh
+++ b/rootfs/bin/launch.sh
@@ -35,7 +35,6 @@ if [ "$PHP82" = "true" ]; then
    fi
 fi

-nginx &
 if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
 if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
 index.js &
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -42,6 +42,7 @@ http {
    http2 on;
    http3 on;
    quic_retry on;
+    ssl_dyn_rec_enable on;

    #resolver ;
    fastcgi_index index.php;