add grpc usptream support/dep updates/merge upstream/armv7 support

Signed-off-by: Zoey <[email protected]>
ZoeyVid · Feb 24, 2025 · 089a358 · 089a358
1 parent c1f888c
commit 089a358
Show file tree

Hide file tree

Showing 35 changed files with 329 additions and 496 deletions.
diff --git a/.github/workflows/caddy.yml b/.github/workflows/caddy.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: arm64 #all
+          platforms: all
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
@@ -46,7 +46,7 @@ jobs:
         with:
           context: .
           file: ./Caddy.Dockerfile
-          platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
+          platforms: linux/amd64,linux/arm64,linux/arm/v7 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v6
           push: ${{ github.event_name != 'pull_request' }}
           tags: |
             ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: arm64 #all
+          platforms: all
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
@@ -73,7 +73,7 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
+          platforms: linux/amd64,linux/arm64,linux/arm/v7 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v6
           push: ${{ github.event_name != 'pull_request' }}
           tags: |
             ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
@@ -95,7 +95,7 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
+          platforms: linux/amd64,linux/arm64,linux/arm/v7 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v6
           push: ${{ github.event_name == 'pull_request' }}
           tags: ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }}
       - name: show version (PR)

diff --git a/Caddy.Dockerfile b/Caddy.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 RUN apk add --no-cache ca-certificates tzdata
 COPY --from=caddy:2.9.1 /usr/bin/caddy /usr/bin/caddy
 COPY Caddyfile /etc/caddy/Caddyfile

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:labs
-FROM --platform="$BUILDPLATFORM" alpine:3.21.2 AS frontend
+FROM --platform="$BUILDPLATFORM" alpine:3.21.3 AS frontend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG NODE_ENV=production
 COPY frontend                        /app
@@ -13,34 +13,22 @@ COPY darkmode.css /app/dist/css/darkmode.css
 COPY security.txt /app/dist/.well-known/security.txt
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.21.2 AS build-backend
+FROM alpine:3.21.3 AS backend
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-ARG NODE_ENV=production \
-    TARGETARCH
+ARG NODE_ENV=production
 COPY backend                         /app
 COPY global/certbot-dns-plugins.json /app/certbot-dns-plugins.json
 WORKDIR /app
 RUN apk upgrade --no-cache -a && \
-    apk add --no-cache ca-certificates nodejs yarn file && \
+    apk add --no-cache ca-certificates nodejs yarn npm python3 build-base binutils file && \
     yarn global add clean-modules && \
-    if [ "$TARGETARCH" = "amd64" ]; then \
-     npm_config_arch=x64 npm_config_target_arch=x64 yarn install && \
-      for file in $(find /app/node_modules -name "*.node" -type f -exec file {} \; | grep -v "x86-64\|x86_64" | grep "aarch64\|arm64" | sed "s|\([^:]\):.*|\1|g"); do rm -v "$file"; done; \
-    elif [ "$TARGETARCH" = "arm64" ]; then \
-      npm_config_arch=arm64 npm_config_target_arch=arm64 yarn install && \
-      for file in $(find /app/node_modules -name "*.node" -type f -exec file {} \; | grep -v "aarch64\|arm64" | grep "x86-64\|x86_64" | sed "s|\([^:]\):.*|\1|g"); do rm -v "$file"; done; \
-    fi && \
+    yarn install && \
     yarn cache clean --all && \
-    clean-modules --yes
-FROM alpine:3.21.2 AS strip-backend
-COPY --from=build-backend /app /app
-RUN apk upgrade --no-cache -a && \
-    apk add --no-cache ca-certificates binutils file && \
+    clean-modules --yes && \
     find /app/node_modules -name "*.node" -type f -exec strip -s {} \; && \
     find /app/node_modules -name "*.node" -type f -exec file {} \;
 
-
-FROM --platform="$BUILDPLATFORM" alpine:3.21.2 AS crowdsec
+FROM --platform="$BUILDPLATFORM" alpine:3.21.3 AS crowdsec
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG CSNB_VER=v1.0.8
 WORKDIR /src
@@ -66,14 +54,14 @@ RUN apk upgrade --no-cache -a && \
     sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:417-python
+FROM zoeyvid/nginx-quic:436-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ENV NODE_ENV=production
 ARG CRS_VER=v4.11.0
 COPY rootfs /
 
-COPY --from=frontend      /app/dist /html/frontend
-COPY --from=strip-backend /app      /app
+COPY --from=frontend /app/dist /html/frontend
+COPY --from=backend  /app      /app
 WORKDIR /app
 RUN apk upgrade --no-cache -a && \
     apk add --no-cache ca-certificates tzdata tini curl util-linux-misc \
@@ -111,6 +99,5 @@ COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/ban.html
 COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/crowdsec.lua       /usr/local/nginx/lib/lua/crowdsec.lua
 COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/plugins            /usr/local/nginx/lib/lua/plugins
 
-
 ENTRYPOINT ["tini", "--", "entrypoint.sh"]
 HEALTHCHECK CMD healthcheck.sh
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ If you don't need the web GUI of NPMplus, you may also have a look at caddy: htt
 
 - [Quick Setup](#quick-setup)
 
-**Note: no armv7, route53 and aws cloudfront ip ranges support.** <br>
+**Note: no route53 and aws cloudfront ip ranges support.** <br>
 **Note: other Databases like MariaDB/MySQL or PostgreSQL may work, but are unsupported, have no advantage over SQLite and are not recommended.** <br>
 **Note: remember to expose udp for the https port and to add your domain to the hsts preload list if you use security headers: https://hstspreload.org** <br>
 
@@ -30,7 +30,7 @@ so that the barrier for entry here is low.
 
 - Supports HTTP/3 (QUIC) protocol, requires you to expose https with udp.
 - Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
-- goaccess included, see compose.yaml to enable, runs by default on https://<ip>:91 (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf))
+- goaccess included, see compose.yaml to enable, runs by default on `https://<ip>:91` (nginx config from [here](https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf))
 - Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npmplus/modsecurity` folder (no support from me, you need to write the rules yourself - for CoreRuleSet I can try to help you).
   - By default NPMplus UI does not work when you proxy NPMplus through NPMplus and you have CoreRuleSet enabled, see below
   - ModSecurity by default blocks uploads of big files, you need to edit its config to fix this, but it can use a lot of resources to scan big files by ModSecurity
@@ -74,12 +74,13 @@ so that the barrier for entry here is low.
 - fixed smaller issues/bugs
 - other small changes/improvements
 
-## migration (currently not working when migrating from upstream 2.12.3)
+## migration
 - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
 - please delete all certs using dnspod as dns provider and recreate them after migration, since the certbot plugin used was replaced
 - stop nginx-proxy-manager download the latest compose.yaml, adjust your paths (of /etc/letsencrypt and /data) to the ones you used with nginx-proxy-manager and adjust the envs of the compose file how you like it and then deploy it
 - you can now remove the /etc/letsencrypt mount, since it was moved to /data while migration, and redeploy the compose file
 - since many buttons changed, please check if they are still correct for every host you have.
+- if you proxy NPM(plus) through NPM(plus) make sure to change the scheme vom http to https
 - maybe setup crowdsec (see below)
 - please report all (migration) issues you may have
 
@@ -252,7 +253,7 @@ location @goauthentik_proxy_signin {
     add_header Set-Cookie $auth_cookie;
     return 302 /outpost.goauthentik.io/start?rd=$request_uri;
     # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
-    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;
 }
 ```
 

diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
@@ -16,7 +16,7 @@ const internalAuditLog = require('./audit-log');
 const internalNginx = require('./nginx');
 
 const certbotCommand = 'certbot';
-const certbotArgs = ['--logs-dir', '/tmp/certbot-log', '--work-dir', '/tmp/certbot-work', '--config-dir', '/data/tls/certbot', '--config', '/etc/certbot.ini', '--agree-tos', '--non-interactive', '--no-eff-email', '--register-unsafely-without-email', ...(process.env.ACME_SERVER_TLS_VERIFY === 'false' ? ['--no-verify-ssl'] : [])];
+const certbotArgs = ['--logs-dir', '/tmp/certbot-log', '--work-dir', '/tmp/certbot-work', '--config-dir', '/data/tls/certbot', '--config', '/etc/certbot.ini', '--agree-tos', '--non-interactive', '--no-eff-email', ...(process.env.ACME_SERVER_TLS_VERIFY === 'false' ? ['--no-verify-ssl'] : [])];
 
 function omissions() {
 	return ['is_deleted', 'owner.is_deleted'];
@@ -829,11 +829,9 @@ const internalCertificate = {
 									object_id: updated_certificate.id,
 									meta: updated_certificate,
 								})
-								.then(() => {
-									return updated_certificate;
-								})
 								.then(() => {
 									internalNginx.reload();
+									return updated_certificate;
 								});
 						});
 				} else {

diff --git a/backend/migrations/20240427161436_stream_ssl.js b/backend/migrations/20240427161436_stream_ssl.js
@@ -1,5 +1,5 @@
 const migrate_name = 'stream_ssl';
-const logger       = require('../logger').migrate;
+const logger = require('../logger').migrate;
 
 /**
  * Migrate
@@ -12,9 +12,10 @@ const logger       = require('../logger').migrate;
 exports.up = function (knex) {
 	logger.info('[' + migrate_name + '] Migrating Up...');
 
-	return knex.schema.table('stream', (table) => {
-		table.integer('certificate_id').notNull().unsigned().defaultTo(0);
-	})
+	return knex.schema
+		.table('stream', (table) => {
+			table.integer('certificate_id').notNull().unsigned().defaultTo(0);
+		})
 		.then(function () {
 			logger.info('[' + migrate_name + '] stream Table altered');
 		});
@@ -29,9 +30,10 @@ exports.up = function (knex) {
 exports.down = function (knex) {
 	logger.info('[' + migrate_name + '] Migrating Down...');
 
-	return knex.schema.table('stream', (table) => {
-		table.dropColumn('certificate_id');
-	})
+	return knex.schema
+		.table('stream', (table) => {
+			table.dropColumn('certificate_id');
+		})
 		.then(function () {
 			logger.info('[' + migrate_name + '] stream Table altered');
 		});

diff --git a/backend/package.json b/backend/package.json
@@ -4,40 +4,40 @@
   "description": "A beautiful interface for creating Nginx endpoints",
   "main": "index.js",
   "dependencies": {
-    "@apidevtools/json-schema-ref-parser": "11.9.0",
+    "@apidevtools/json-schema-ref-parser": "11.9.1",
     "apache-md5": "1.1.8",
     "ajv": "8.17.1",
     "archiver": "7.0.1",
     "batchflow": "0.4.0",
     "bcrypt": "5.1.1",
     "better-sqlite3": "11.8.1",
-    "body-parser": "2.0.2",
-    "compression": "1.7.5",
+    "body-parser": "2.1.0",
+    "compression": "1.8.0",
     "express": "4.21.2",
     "express-fileupload": "1.5.1",
     "gravatar": "1.8.2",
     "jsonwebtoken": "9.0.2",
     "knex": "3.1.0",
-    "liquidjs": "10.20.3",
+    "liquidjs": "10.21.0",
     "lodash": "4.17.21",
     "moment": "2.30.1",
     "mysql2": "3.12.0",
     "node-rsa": "1.1.1",
     "objection": "3.1.5",
     "path": "0.12.7",
-    "pg": "8.13.1",
+    "pg": "8.13.3",
     "signale": "1.4.0"
   },
   "author": "Jamie Curnow <[email protected]> and ZoeyVid <[email protected]>",
   "license": "MIT",
   "devDependencies": {
     "@apidevtools/swagger-parser": "10.1.1",
-    "@eslint/js": "9.20.0",
-    "eslint": "9.20.0",
+    "@eslint/js": "9.21.0",
+    "eslint": "9.21.0",
     "eslint-config-prettier": "10.0.1",
     "eslint-plugin-prettier": "5.2.3",
-    "globals": "15.14.0",
-    "prettier": "3.5.0"
+    "globals": "16.0.0",
+    "prettier": "3.5.2"
   },
   "scripts": {
     "validate-schema": "node validate-schema.js"

diff --git a/backend/schema/components/proxy-host-object.json b/backend/schema/components/proxy-host-object.json
@@ -81,7 +81,7 @@
 		},
 		"forward_scheme": {
 			"type": "string",
-			"enum": ["http", "https"]
+			"enum": ["http", "https", "grpc", "grpcs"]
 		},
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"

diff --git a/backend/templates/_certificates_stream.conf b/backend/templates/_certificates_stream.conf
diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
@@ -1,3 +1,13 @@
+{% assign path_first_char = path | slice: 0 -%}
+{% assign path_last_char = path | slice: -1 -%}
+
+{% if path != "/" and path_first_char == "/" and path_last_char == "/" %}
+location {{ path | remove_last: "/" }} {
+    absolute_redirect off;
+    return 301 {{ path }}/;
+}
+{% endif %}
+
 location {{ path }} {
   set $forward_scheme "{{ forward_scheme }}";
   set $server         "{{ forward_host }}";

diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
@@ -43,9 +43,14 @@ server {
     proxy_set_header Upgrade    $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
     {% endif %}
-
+
+    {% if forward_scheme == "grpc" or forward_scheme == "grpcs" %}
+    include conf.d/include/grpc-headers.conf;
+    grpc_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
+    {% else %}
     include conf.d/include/proxy-headers.conf;
     proxy_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
+    {% endif %}
   }
 {% endif %}