fix #1488/remove proxy-headers.conf file

Signed-off-by: Zoey <[email protected]>

Dockerfile

@@ -66,7 +66,7 @@ RUN apk upgrade --no-cache -a && \
     sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:411-python
+FROM zoeyvid/nginx-quic:414-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ENV NODE_ENV=production
 ARG CRS_VER=v4.11.0

README.md

@@ -74,7 +74,7 @@ so that the barrier for entry here is low.
 - fixed smaller issues/bugs
 - other small changes/improvements
 
-## migration
+## migration (currently not working when migrating from upstream 2.12.3)
 - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
 - please delete all certs using dnspod as dns provider and recreate them after migration, since the certbot plugin used was replaced
 - stop nginx-proxy-manager download the latest compose.yaml, adjust your paths (of /etc/letsencrypt and /data) to the ones you used with nginx-proxy-manager and adjust the envs of the compose file how you like it and then deploy it
@@ -216,64 +216,65 @@ upstream service2 {
 ### authentik config example (no guarantee for security of it)
 1. create a custom location / (or the location you want to use), set your proxy settings, then press the gear button and paste the following in the new text field, you may need to adjust the last lines:
 ```
-    auth_request /outpost.goauthentik.io/auth/nginx;
-    auth_request_set $authentik_username $upstream_http_x_authentik_username;
-    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
-    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
-    auth_request_set $authentik_email $upstream_http_x_authentik_email;
-    auth_request_set $authentik_name $upstream_http_x_authentik_name;
-    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-    proxy_set_header X-authentik-username $authentik_username;
-    proxy_set_header X-authentik-groups $authentik_groups;
-    proxy_set_header X-authentik-entitlements $authentik_entitlements;
-    proxy_set_header X-authentik-email $authentik_email;
-    proxy_set_header X-authentik-name $authentik_name;
-    proxy_set_header X-authentik-uid $authentik_uid;
+auth_request /outpost.goauthentik.io/auth/nginx;
+auth_request_set $authentik_username $upstream_http_x_authentik_username;
+auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+auth_request_set $authentik_email $upstream_http_x_authentik_email;
+auth_request_set $authentik_name $upstream_http_x_authentik_name;
+auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+proxy_set_header X-authentik-username $authentik_username;
+proxy_set_header X-authentik-groups $authentik_groups;
+proxy_set_header X-authentik-entitlements $authentik_entitlements;
+proxy_set_header X-authentik-email $authentik_email;
+proxy_set_header X-authentik-name $authentik_name;
+proxy_set_header X-authentik-uid $authentik_uid;
 
-    auth_request_set $auth_cookie $upstream_http_set_cookie;
-    more_set_headers 'Set-Cookie: $auth_cookie';
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+more_set_headers 'Set-Cookie: $auth_cookie';
 
-    error_page 401 =302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;
-    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
-    #error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;
-    
-    # This section should be uncommented when the "Send HTTP Basic authentication" option is enabled in the proxy provider
-    #auth_request_set $authentik_auth $upstream_http_authorization;
-    #proxy_set_header Authorization $authentik_auth;
+error_page 401 =302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;
+# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+#error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;
+
+# This section should be uncommented when the "Send HTTP Basic authentication" option is enabled in the proxy provider
+#auth_request_set $authentik_auth $upstream_http_authorization;
+#proxy_set_header Authorization $authentik_auth;
 ```
 2. create a location with the path `/outpost.goauthentik.io`, this should proxy to your authentik, examples: http://authentik.company:9000/outpost.goauthentik.io (embedded outpost) or http://outpost.company:9000 (manual outpost deployments), then press the gear button and paste the following in the new text field
 ```
-    auth_request_set $auth_cookie $upstream_http_set_cookie;
-    more_set_headers 'Set-Cookie: $auth_cookie';
-    proxy_method GET;
-    proxy_pass_request_body off;
-    proxy_set_header Content-Length "";
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+more_set_headers 'Set-Cookie: $auth_cookie';
+proxy_method GET;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
 ```
 
 ### authelia config example (no guarantee for security of it)
 1. create a custom location / (or the location you want to use), set your proxy settings, then press the gear button and paste the following in the new text field, you may need to adjust the last lines:
 ```
-    auth_request /internal/authelia/authz;
-    auth_request_set $user $upstream_http_remote_user;
-    auth_request_set $groups $upstream_http_remote_groups;
-    auth_request_set $name $upstream_http_remote_name;
-    auth_request_set $email $upstream_http_remote_email;
-    proxy_set_header Remote-User $user;
-    proxy_set_header Remote-Groups $groups;
-    proxy_set_header Remote-Email $email;
-    proxy_set_header Remote-Name $name;
+auth_request /internal/authelia/authz;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Name $name;
 
-    # Modern Method:
-    auth_request_set $redirection_url $upstream_http_location;
-    error_page 401 =302 $redirection_url;
-    # Legacy Method: 
-    #error_page 401 =302 https://auth.example.com/?rd=$scheme://$host$request_uri; # change auth.example.com to match your authelia domain
+# Modern Method:
+auth_request_set $redirection_url $upstream_http_location;
+error_page 401 =302 $redirection_url;
+# Legacy Method: 
+#error_page 401 =302 https://auth.example.com/?rd=$scheme://$host$request_uri; # change auth.example.com to match your authelia domain
 ```
 2. create a location with the path `/internal/authelia/authz`, this should proxy to your authelia, example `http://<ip>:<port>/api/verify`, then press the gear button and paste the following in the new text field
 ```
-    proxy_method GET;
-    proxy_pass_request_body off;
-    proxy_set_header Content-Length "";
+internal;
+proxy_method GET;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
 ```
 
 ### prerun scripts (EXPERT option) - if you don't know what this is, ignore it

backend/templates/_location.conf

@@ -13,8 +13,6 @@ location {{ path }} {
   set $server         "{{ forward_host }}";
   set $port           "{{ forward_port }}";
   set $forward_path   "{{ forward_path }}";
-
-  {{ advanced_config }}
 
   {% if allow_websocket_upgrade %}
   proxy_http_version 1.1;
@@ -23,5 +21,8 @@ location {{ path }} {
   {% endif %}
 
   include conf.d/include/proxy-headers.conf;
-  proxy_pass $forward_scheme://$server{% if forward_port != null %}:$port{% endif %}{% if forward_path != null %}$forward_path{% else %}$request_uri{% endif %};
+
+  {{ advanced_config }}
+
+  proxy_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
 }

backend/templates/proxy_host.conf

@@ -45,7 +45,7 @@ server {
     {% endif %}
 
     include conf.d/include/proxy-headers.conf;
-    proxy_pass $forward_scheme://$server{% if forward_port != null %}:$port{% endif %}{% if forward_path != null %}$forward_path{% else %}$request_uri{% endif %};
+    proxy_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
   }
 {% endif %}
 

rootfs/usr/local/bin/start.sh

@@ -485,7 +485,7 @@ if [ -n "$INITIAL_DEFAULT_PAGE" ] && ! echo "$INITIAL_DEFAULT_PAGE" | grep -q "^
 fi
 
 
-export TV="3"
+export TV="4"
 if [ ! -s /data/npmplus/env.sha512sum ] || [ "$(cat /data/npmplus/env.sha512sum)" != "$( (grep "env\.[A-Z0-9_]\+" -roh /app/templates | sed "s|env.||g" | sort | uniq | xargs printenv; echo "$TV") | tr -d "\n" | sha512sum | cut -d" " -f1)" ]; then
     echo "At least one env or the template version changed, all hosts will be regenerated."
     export REGENERATE_ALL="true"

rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf

@@ -12,6 +12,7 @@ server {
     return 444;
 }
 
+# based on https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf
 server {
     listen 0.0.0.0:91 ssl default_server;
     listen [::]:91 ssl default_server;

rootfs/usr/local/nginx/conf/conf.d/npm.conf

@@ -34,7 +34,6 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
         include conf.d/include/proxy-headers.conf;
-
         proxy_pass http://127.0.0.1:48681/;
     }