Release 6.2.12 - See CHANGELOG.md

Author: tiredofit

CHANGELOG.md

@@ -1,3 +1,10 @@
+## 6.2.12 2022-12-05 <dave at tiredofit dot ca>
+
+   ### Changed
+      - Big warning when using Basic Authentication
+      - Indent some nginx configuration
+
+
 ## 6.2.11 2022-11-29 <dave at tiredofit dot ca>
 
    ### Changed

install/assets/functions/10-nginx

@@ -13,12 +13,12 @@ nginx_configure_authentication() {
     case "${NGINX_AUTHENTICATION_TYPE,,}" in
         "basic")
             print_notice "Setting Basic Authentication"
-            user_num=$(printenv | sort | grep -c '\NGINX_AUTHENTICATION_BASIC_USER.*')
+            user_num=$(printenv | sort | grep -c 'NGINX_AUTHENTICATION_BASIC_USER.*')
             for ((i = 1; i <= user_num; i++)); do
                 basic_user=NGINX_AUTHENTICATION_BASIC_USER${i}
                 basic_pass=NGINX_AUTHENTICATION_BASIC_PASS${i}
                 print_warn "Creating User: ${!basic_user}"
-                htpasswd -b -n ${!basic_user:-$NGINX_AUTHENTICATION_BASIC_USER} ${!basic_pass:-$NGINX_AUTHENTICATION_BASIC_PASS} >>/etc/nginx/snippets/authentication/basic_authorized_users
+                htpasswd -b -n ${!basic_user:-$NGINX_AUTHENTICATION_BASIC_USER} ${!basic_pass:-$NGINX_AUTHENTICATION_BASIC_PASS} >> /etc/nginx/snippets/authentication/basic_authorized_users
             done
         ;;
         "ldap" )

install/etc/nginx/snippets/authentication/llng_auth_request

@@ -1,8 +1,8 @@
-### Start LemonLDAP:NG Authentication
-set $original_uri $uri$is_args$args;
-auth_request /lmauth;
-auth_request_set $lmremote_user $upstream_http_lm_remote_user;
-auth_request_set $lmlocation $upstream_http_location;
-auth_request_set $cookie_value $upstream_http_set_cookie;
-add_header Set-Cookie $cookie_value;
-error_page 401 $lmlocation;
+        ### Start LemonLDAP:NG Authentication
+        set $original_uri $uri$is_args$args;
+        auth_request /lmauth;
+        auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+        auth_request_set $lmlocation $upstream_http_location;
+        auth_request_set $cookie_value $upstream_http_set_cookie;
+        add_header Set-Cookie $cookie_value;
+        error_page 401 $lmlocation;

install/etc/nginx/snippets/authentication/llng_location_block

@@ -1,14 +1,14 @@
-  ### LemonLDAP:NG authentication request
-  location = /lmauth {
-    internal;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_pass llng-upstream-pool;
-    fastcgi_param REMOTE_PORT {{NGINX_AUTHENTICATION_LLNG_HANDLER_PORT}};
-    fastcgi_pass_request_body  off;
-    fastcgi_param CONTENT_LENGTH "";
-    fastcgi_param HOST $http_host;
-    fastcgi_param X_ORIGINAL_URI  $original_uri;
-    proxy_http_version 1.1;
-    proxy_set_header Connection "";
-   }
-   ### End LemonLDAP:NG authentication request
+        ### LemonLDAP:NG authentication request
+        location = /lmauth {
+            internal;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass llng-upstream-pool;
+            fastcgi_param REMOTE_PORT {{NGINX_AUTHENTICATION_LLNG_HANDLER_PORT}};
+            fastcgi_pass_request_body  off;
+            fastcgi_param CONTENT_LENGTH "";
+            fastcgi_param HOST $http_host;
+            fastcgi_param X_ORIGINAL_URI  $original_uri;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+        }
+        ### End LemonLDAP:NG authentication request

install/etc/nginx/snippets/bot_blocker.conf

@@ -1,7 +1,7 @@
-server_names_hash_bucket_size 256;
-server_names_hash_max_size 4096;
-variables_hash_max_size 4096;
-variables_hash_bucket_size 4096;
-limit_req_zone $binary_remote_addr zone=flood:50m rate=90r/s;
-limit_conn_zone $binary_remote_addr zone=addr:50m;
-include /etc/nginx/snippets/blockbots/globalblacklist.conf;
+    server_names_hash_bucket_size 256;
+    server_names_hash_max_size 4096;
+    variables_hash_max_size 4096;
+    variables_hash_bucket_size 4096;
+    limit_req_zone $binary_remote_addr zone=flood:50m rate=90r/s;
+    limit_conn_zone $binary_remote_addr zone=addr:50m;
+    include /etc/nginx/snippets/blockbots/globalblacklist.conf;

install/etc/nginx/snippets/compression_brotli.conf

@@ -1,5 +1,5 @@
-brotli on;
-brotli_window {{NGINX_COMPRESSION_BROTLI_WINDOW}};
-brotli_min_length {{NGINX_COMPRESSION_BROTLI_MIN_LENGTH}};
-brotli_comp_level {{NGINX_COMPRESSION_BROTLI_LEVEL}};
-brotli_types {{NGINX_COMPRESSION_BROTLI_TYPES}};
+    brotli on;
+    brotli_window {{NGINX_COMPRESSION_BROTLI_WINDOW}};
+    brotli_min_length {{NGINX_COMPRESSION_BROTLI_MIN_LENGTH}};
+    brotli_comp_level {{NGINX_COMPRESSION_BROTLI_LEVEL}};
+    brotli_types {{NGINX_COMPRESSION_BROTLI_TYPES}};

install/etc/nginx/snippets/compression_gzip.conf

@@ -1,9 +1,9 @@
-gzip on;
-gzip_comp_level {{NGINX_COMPRESSION_GZIP_LEVEL}};
-gzip_http_version {{NGINX_COMPRESSION_GZIP_HTTP_VERSION}};
-gzip_buffers {{NGINX_COMPRESSION_GZIP_BUFFERS}};
-gzip_min_length {{NGINX_COMPRESSION_GZIP_MIN_LENGTH}};
-gzip_proxied {{NGINX_COMPRESSION_GZIP_PROXIED}};
-gzip_types {{NGINX_COMPRESSION_GZIP_TYPES}};
-gzip_disable {{NGINX_COMPRESSION_GZIP_DISABLE}};
-gzip_vary on;
+    gzip on;
+    gzip_comp_level {{NGINX_COMPRESSION_GZIP_LEVEL}};
+    gzip_http_version {{NGINX_COMPRESSION_GZIP_HTTP_VERSION}};
+    gzip_buffers {{NGINX_COMPRESSION_GZIP_BUFFERS}};
+    gzip_min_length {{NGINX_COMPRESSION_GZIP_MIN_LENGTH}};
+    gzip_proxied {{NGINX_COMPRESSION_GZIP_PROXIED}};
+    gzip_types {{NGINX_COMPRESSION_GZIP_TYPES}};
+    gzip_disable {{NGINX_COMPRESSION_GZIP_DISABLE}};
+    gzip_vary on;

install/etc/nginx/snippets/ddos_protection.conf

@@ -1,7 +1,7 @@
-  limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:{{NGINX_DDOS_CONNECTIONS_PER_IP}};
-  limit_req_zone $binary_remote_addr zone=req_limit_per_ip:{{NGINX_DDOS_CONNECTIONS_PER_IP}} rate={{NGINX_DDOS_REQUESTS_PER_IP}};
+    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:{{NGINX_DDOS_CONNECTIONS_PER_IP}};
+    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:{{NGINX_DDOS_CONNECTIONS_PER_IP}} rate={{NGINX_DDOS_REQUESTS_PER_IP}};
 
-  server {
-      limit_conn conn_limit_per_ip 10;
-      limit_req zone=req_limit_per_ip burst=10 nodelay;
-  }
+    server {
+        limit_conn conn_limit_per_ip 10;
+        limit_req zone=req_limit_per_ip burst=10 nodelay;
+    }

install/etc/nginx/snippets/exploit_protection.conf

@@ -11,7 +11,7 @@
     location ~* \.\.\/  { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }
     location ~* ~$ { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }
     location ~* proc/self/environ { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }
-    location ~* /\.(htaccess|htpasswd|svn) { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }
+    location ~* /\.(ci|htaccess|htpasswd|git|svn) { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }
 
     ## Block file injections
     location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log {{NGINX_LOG_BLOCKED_LOCATION}}/{{NGINX_LOG_BLOCKED_FILE}} {{NGINX_LOG_BLOCKED_FORMAT}}; deny all; }

install/etc/nginx/snippets/monitoring.conf

@@ -1,11 +1,11 @@
-  server {
-    listen       73;
-    server_name  127.0.0.1;
+    server {
+        listen 73;
+        server_name 127.0.0.1;
 
-    location /stub_status {
-        stub_status on;
-        access_log off;
-        allow 127.0.0.1;
-        deny all;
-    }
-  }
+        location /stub_status {
+            stub_status on;
+            access_log off;
+            allow 127.0.0.1;
+            deny all;
+        }
+    }