Release v6.26 (#3162)

.conf/desktop/lxde/lxde-rc.xml

@@ -671,7 +671,6 @@
   # when multiple rules match a window, they will all be applied, in the
   # order that they appear in this list
 
-
     # each element can be left out or set to 'default' to specify to not
     # change that attribute of the window
 

.conf/dps_114/lighttpd.nextcloud.conf

@@ -18,15 +18,16 @@ $HTTP["url"] =~ "^/nextcloud($|/)" {
 	# - Directory listing
 	dir-listing.activate = "disable"
 	# - Cache control and security headers for static resources
-	$HTTP["url"] =~ "^/nextcloud/.*\.(css|js|woff2?|svg|gif)$" {
+	$HTTP["url"] =~ "^/nextcloud/.+[^/]\.(css|js|woff2?|svg|gif|map)$" {
 		setenv.add-response-header += (
 			"Cache-Control" => "public, max-age=15778463",
+			"Referrer-Policy" => "no-referrer",
 			"X-Content-Type-Options" => "nosniff",
-			"X-XSS-Protection" => "1; mode=block",
-			"X-Robots-Tag" => "none",
 			"X-Download-Options" => "noopen",
+			"X-Frame-Options" => "SAMEORIGIN",
 			"X-Permitted-Cross-Domain-Policies" => "none",
-			"Referrer-Policy" => "no-referrer",
+			"X-Robots-Tag" => "none",
+			"X-XSS-Protection" => "1; mode=block",
 		)
 	}
 

.conf/dps_114/nginx.nextcloud.conf

@@ -8,13 +8,13 @@ location ~ ^\/(?:ocm-provider|ocs-provider).* {
 location ^~ /nextcloud {
 
 	# Add headers to serve security related headers
-	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
-	add_header X-Content-Type-Options nosniff;
-	add_header X-XSS-Protection "1; mode=block";
-	add_header X-Robots-Tag none;
-	add_header X-Download-Options noopen;
-	add_header X-Permitted-Cross-Domain-Policies none;
-	add_header Referrer-Policy no-referrer;
+	add_header Referrer-Policy "no-referrer" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-Download-Options "noopen" always;
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Permitted-Cross-Domain-Policies "none" always;
+	add_header X-Robots-Tag "none" always;
+	add_header X-XSS-Protection "1; mode=block" always;
 
 	# Remove X-Powered-By, which is an information leak
 	fastcgi_hide_header X-Powered-By;
@@ -46,7 +46,7 @@ location ^~ /nextcloud {
 		deny all;
 	}
 
-	location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
+	location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
 		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@@ -58,29 +58,28 @@ location ^~ /nextcloud {
 		fastcgi_param front_controller_active true;
 		fastcgi_pass php;
 		fastcgi_intercept_errors on;
-		# Disable on Jessie, because Jessie Nginx does not support this directive
-		#fastcgi_request_buffering off;
+		fastcgi_request_buffering off;
         }
 
-	location ~ ^\/nextcloud\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
+	location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
 		try_files $uri/ =404;
 		index index.php;
 	}
 
 	# Adding the cache control header for js and css files
 	# Make sure it is BELOW the PHP block
-	location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif)$ {
+	location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
 		try_files $uri /nextcloud/index.php$request_uri;
 		add_header Cache-Control "public, max-age=15778463";
 		# Add headers to serve security related headers  (It is intended
 		# to have those duplicated to the ones above)
-		#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
-		add_header X-Content-Type-Options nosniff;
-		add_header X-XSS-Protection "1; mode=block";
-		add_header X-Robots-Tag none;
-		add_header X-Download-Options noopen;
-		add_header X-Permitted-Cross-Domain-Policies none;
-		add_header Referrer-Policy no-referrer;
+		add_header Referrer-Policy "no-referrer" always;
+		add_header X-Content-Type-Options "nosniff" always;
+		add_header X-Download-Options "noopen" always;
+		add_header X-Frame-Options "SAMEORIGIN" always;
+		add_header X-Permitted-Cross-Domain-Policies "none" always;
+		add_header X-Robots-Tag "none" always;
+		add_header X-XSS-Protection "1; mode=block" always;
 
 		# Optional: Don't log access to assets
 		access_log off;

.conf/dps_47/nginx.owncloud.conf

@@ -59,7 +59,7 @@ location ^~ /owncloud {
 		fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
 		fastcgi_pass php;
 		fastcgi_intercept_errors on;
-		#fastcgi_request_buffering off; #Available since NGINX 1.7.11
+		fastcgi_request_buffering off;
 	}
 
 	location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {

.conf/dps_6/xorg_asustb.conf

@@ -1,20 +1,23 @@
-Section "Device"
+# DietPi X.org config
+# All credits go to Rockchip: https://github.com/rockchip-linux/rk-rootfs-build/blob/master/overlay/etc/X11/xorg.conf.d/20-modesetting.conf
 
+Section "Device"
     Identifier  "Rockchip Graphics"
     Driver      "modesetting"
-    Option      "AccelMethod"    "glamor"
+    Option      "AccelMethod"    "exa"
+#    Option      "AccelMethod"    "glamor"
     Option      "DRI"            "2"
-
+    Option      "FlipFB"         "always"
 EndSection
 
-Section "Screen"
-
-    Identifier "Default Screen"
-    SubSection "Display"
-
-        Depth 24
-        Modes "1920x1080" "1280x1024" "1024x768" "800x600"
-
-    EndSubSection
+Section	"Screen"
+    Identifier	"Default Screen"
+    Device	"Rockchip Graphics"
+    Monitor	"Default Monitor"
+EndSection
 
+### Valid values for rotation are "normal", "left", "right"
+Section	"Monitor"
+    Identifier	"Default Monitor"
+    Option	"Rotate" "normal"
 EndSection

.conf/dps_6/xorg_c2.conf

@@ -1,9 +1,9 @@
+# Provided by @Meveric's setup-odroid: http://fuzon.co.uk/meveric/pool/main/s/setup-odroid/
 Section "Device"
+	Identifier	"FBTURBO"
+	Driver		"fbturbo"
+	Option		"fbdev" "/dev/fb0"
 
-        Identifier      "FBTurbo"
-        Driver          "fbturbo"
-        Option          "fbdev" "/dev/fb0"
-        Option          "SwapbuffersWait" "true"
-        #Option          "Rotate" "CCW"
-
+	Option		"SwapbuffersWait" "true"
+	Option		"alpha_swap" "true"
 EndSection

.conf/dps_6/xorg_rk3399.conf

@@ -1,8 +1,23 @@
-Section "Device"
+# DietPi X.org config
+# All credits go to Rockchip: https://github.com/rockchip-linux/rk-rootfs-build/blob/master/overlay/etc/X11/xorg.conf.d/20-modesetting.conf
 
+Section "Device"
     Identifier  "Rockchip Graphics"
     Driver      "modesetting"
-    Option      "AccelMethod"    "glamor"
+    Option      "AccelMethod"    "exa"
+#    Option      "AccelMethod"    "glamor"
     Option      "DRI"            "2"
+    Option      "FlipFB"         "always"
+EndSection
+
+Section	"Screen"
+    Identifier	"Default Screen"
+    Device	"Rockchip Graphics"
+    Monitor	"Default Monitor"
+EndSection
 
+### Valid values for rotation are "normal", "left", "right"
+Section	"Monitor"
+    Identifier	"Default Monitor"
+    Option	"Rotate" "normal"
 EndSection

.conf/dps_85/nginx.default

@@ -4,25 +4,22 @@
 server {
 
 	listen 80 default_server;
+	listen [::]:80 default_server;
 
 	root /var/www;
-	index index.php index.html index.htm;
+	index index.php index.html index.htm index.nginx-debian.html;
 
 	server_name "$hostname";
 
+	include /etc/nginx/sites-dietpi/*.conf;
+
 	location / {
 		try_files $uri $uri/ =404;
 	}
 
 	location ~ \.php(?:$|/) {
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		fastcgi_param PATH_INFO $fastcgi_path_info;
+		include snippets/fastcgi-php.conf;
 		fastcgi_pass php;
-		fastcgi_index index.php;
-		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		include fastcgi_params;
 	}
 
-	include /etc/nginx/sites-dietpi/*.conf;
-
 }

.conf/dps_93/apache.block_public_admin.conf

@@ -0,0 +1,4 @@
+# Block public access to admin panel
+<Directory ~ /var/www(/html)?/admin>
+	Require ip 127 192.168 10 172.16.0.0/12
+</Directory>

.conf/dps_93/apache.pihole.conf

@@ -0,0 +1,20 @@
+# If the URL starts with /admin, it is the Web interface
+<Directory ~ /var/www(/html)?/admin>
+	# Create a response header for debugging using curl -I
+	Header set X-Pi-hole "The Pi-hole Web interface is working!"
+	Header set X-Frame-Options "deny"
+
+	# Block . files from being served, such as .git, .github, .gitignore
+	<Files ~ "^\.">
+		Require all denied
+	</Files>
+
+</Directory>
+
+# Block public access to blocking page
+<Directory ~ /var/www(/html)?/pihole>
+	Require ip 127 192.168 10 172.16.0.0/12
+</Directory>
+
+# Enable blocking page via 404 handler
+#ErrorDocument 404 /html/pihole/index.php

.conf/dps_93/lighttpd.block_public_admin.conf

@@ -0,0 +1,6 @@
+# Block non-LAN access to Pi-hole admin panel
+$HTTP["url"] =~ "^(/html)?/admin(/|$)" {
+	$HTTP["remoteip"] !~ "^1(27|92\.168|0|72\.(1[6-9]|2[0-9]|3[0-1]))\." {
+		url.access-deny = ("")
+	}
+}

.conf/dps_93/lighttpd.pihole.conf

@@ -0,0 +1,32 @@
+# Based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian
+
+# If the URL starts with /admin, it is the Web interface
+$HTTP["url"] =~ "^(/html)?/admin/" {
+	# Create a response header for debugging using curl -I
+	setenv.add-response-header = (
+		"X-Pi-hole" => "The Pi-hole Web interface is working!",
+		"X-Frame-Options" => "DENY"
+	)
+
+	$HTTP["url"] =~ "\.ttf$" {
+		# Allow Block Page access to local fonts
+		setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
+	}
+}
+
+# Block . files from being served, such as .git, .github, .gitignore
+$HTTP["url"] =~ "^(/html)?/admin/\." {
+	url.access-deny = ("")
+}
+
+# If it's a request to Pi-hole blocking page...
+$HTTP["url"] =~ "^(/html)?/pihole/" {
+	# ... and the request isn't local
+	$HTTP["remoteip"] !~ "^1(27|92\.168|0|72\.(1[6-9]|2[0-9]|3[0-1]))\." {
+		# block!
+		url.access-deny = ("")
+	}
+}
+
+# Enable blocking page via 404 handler
+#server.error-handler-404 = "/html/pihole/index.php"

.conf/dps_93/nginx.block_public_admin.conf

@@ -0,0 +1,9 @@
+# Block public access to Pi-hole admin panel
+# Location: /etc/nginx/sites-dietpi/dietpi-pihole-block_public_admin.{on,off}
+# - Enable with file ending .on
+# - Disable with file ending .off
+allow 127.0.0.0/8;
+allow 192.168.0.0/16;
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+deny all;

.conf/dps_93/nginx.pihole.conf

@@ -0,0 +1,39 @@
+# Admin panel
+location ~ ^(?:/html|)/admin(?:$|/) {
+	# Block public access to admin page, if enabled
+	# - To enable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.off dietpi-pihole-block_public_admin.on
+	# - To disable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.on dietpi-pihole-block_public_admin.off
+	include sites-dietpi/dietpi-pihole-block_public_admin.*on;
+	# Block . files from being served, such as .git, .github, .gitignore
+	location ~ ^(?:/html|)/admin/\. {
+		deny all;
+	}
+	# Create a response header for debugging using curl -I
+	add_header X-Pi-hole "The Pi-hole Web interface is working!";
+	add_header X-Frame-Options "DENY";
+	# Standard PHP handler block
+	try_files $uri $uri/ =404;
+	location ~ ^(?:/html|)/admin/.+\.php(?:$|/) {
+		fastcgi_pass php;
+		include snippets/fastcgi-php.conf;
+	}
+}
+
+# Blocking page
+location ~ ^(?:/html|)/pihole(?:$|/) {
+	# Block public access to blocking page by default
+	allow 127.0.0.0/8;
+	allow 192.168.0.0/16;
+	allow 10.0.0.0/8;
+	allow 172.16.0.0/12;
+	deny all;
+	# Standard PHP handler block
+	try_files $uri $uri/ =404;
+	location ~ ^(?:/html|)/pihole/.+\.php(?:$|/) {
+		fastcgi_pass php;
+		include snippets/fastcgi-php.conf;
+	}
+}
+
+# Enable blocking page via 404 handler
+#error_page 404 /html/pihole/index.php;

.conf/dps_94/conf

@@ -2,7 +2,6 @@
 # File Location
 # /etc/proftpd/proftpd.conf
 
-
 # Includes DSO modules
 Include /etc/proftpd/modules.conf
 

.conf/dps_98/haproxy.service

@@ -18,7 +18,6 @@ EXTRAOPTS=
 
 . /lib/lsb/init-functions
 
-
 haproxy_start()
 {
         start-stop-daemon --start --pidfile "$PIDFILE" \
@@ -64,7 +63,6 @@ haproxy_status()
         return 0
 }
 
-
 case "$1" in
 start)
         log_daemon_msg "Starting haproxy" "haproxy"