From 9bc58646bf344f76ccf4e6969ce3300e36f154ec Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 6 Feb 2025 21:51:10 +0100
Subject: [PATCH] fix #1488/remove proxy-headers.conf file
Signed-off-by: Zoey
---
 Dockerfile | 2 +-
 README.md | 91 ++++++++++---------
 backend/templates/_location.conf | 7 +-
 backend/templates/proxy_host.conf | 2 +-
 rootfs/usr/local/bin/start.sh | 2 +-
 .../nginx/conf/conf.d/include/goaccess.conf | 1 +
 rootfs/usr/local/nginx/conf/conf.d/npm.conf | 1 -
 7 files changed, 54 insertions(+), 52 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0b2770404..ee2fb2aa7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,7 +66,7 @@ RUN apk upgrade --no-cache -a && \
 sed -i "s|APPSEC_PROCESS_TIMEOUT=.*|APPSEC_PROCESS_TIMEOUT=10000|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:411-python
+FROM zoeyvid/nginx-quic:414-python
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ENV NODE_ENV=production
 ARG CRS_VER=v4.11.0
diff --git a/README.md b/README.md
index 09b7819ab..e41ba95b6 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ so that the barrier for entry here is low. - fixed smaller issues/bugs - other small changes/improvements -## migration +## migration (currently not working when migrating from upstream 2.12.3) - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back - please delete all certs using dnspod as dns provider and recreate them after migration, since the certbot plugin used was replaced - stop nginx-proxy-manager download the latest compose.yaml, adjust your paths (of /etc/letsencrypt and /data) to the ones you used with nginx-proxy-manager and adjust the envs of the compose file how you like it and then deploy it 
@@ -216,64 +216,65 @@ upstream service2 { ### authentik config example (no guarantee for security of it) 1. create a custom location / (or the location you want to use), set your proxy settings, then press the gear button and paste the following in the new text field, you may need to adjust the last lines: ``` - auth_request /outpost.goauthentik.io/auth/nginx; - auth_request_set $authentik_username $upstream_http_x_authentik_username; - auth_request_set $authentik_groups $upstream_http_x_authentik_groups; - auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements; - auth_request_set $authentik_email $upstream_http_x_authentik_email; - auth_request_set $authentik_name $upstream_http_x_authentik_name; - auth_request_set $authentik_uid $upstream_http_x_authentik_uid; - proxy_set_header X-authentik-username $authentik_username; - proxy_set_header X-authentik-groups $authentik_groups; - proxy_set_header X-authentik-entitlements $authentik_entitlements; - proxy_set_header X-authentik-email $authentik_email; - proxy_set_header X-authentik-name $authentik_name; - proxy_set_header X-authentik-uid $authentik_uid; +auth_request /outpost.goauthentik.io/auth/nginx; +auth_request_set $authentik_username $upstream_http_x_authentik_username; +auth_request_set $authentik_groups $upstream_http_x_authentik_groups; +auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements; +auth_request_set $authentik_email $upstream_http_x_authentik_email; +auth_request_set $authentik_name $upstream_http_x_authentik_name; +auth_request_set $authentik_uid $upstream_http_x_authentik_uid; +proxy_set_header X-authentik-username $authentik_username; +proxy_set_header X-authentik-groups $authentik_groups; +proxy_set_header X-authentik-entitlements $authentik_entitlements; +proxy_set_header X-authentik-email $authentik_email; +proxy_set_header X-authentik-name $authentik_name; +proxy_set_header X-authentik-uid $authentik_uid; - auth_request_set $auth_cookie 
$upstream_http_set_cookie; - more_set_headers 'Set-Cookie: $auth_cookie'; +auth_request_set $auth_cookie $upstream_http_set_cookie; +more_set_headers 'Set-Cookie: $auth_cookie'; - error_page 401 =302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri; - # For domain level, use the below error_page to redirect to your authentik server with the full redirect path - #error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri; - - # This section should be uncommented when the "Send HTTP Basic authentication" option is enabled in the proxy provider - #auth_request_set $authentik_auth $upstream_http_authorization; - #proxy_set_header Authorization $authentik_auth; +error_page 401 =302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri; +# For domain level, use the below error_page to redirect to your authentik server with the full redirect path +#error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri; + +# This section should be uncommented when the "Send HTTP Basic authentication" option is enabled in the proxy provider +#auth_request_set $authentik_auth $upstream_http_authorization; +#proxy_set_header Authorization $authentik_auth; ``` 2. 
create a location with the path `/outpost.goauthentik.io`, this should proxy to your authentik, examples: http://authentik.company:9000/outpost.goauthentik.io (embedded outpost) or http://outpost.company:9000 (manual outpost deployments), then press the gear button and paste the following in the new text field ``` - auth_request_set $auth_cookie $upstream_http_set_cookie; - more_set_headers 'Set-Cookie: $auth_cookie'; - proxy_method GET; - proxy_pass_request_body off; - proxy_set_header Content-Length ""; +auth_request_set $auth_cookie $upstream_http_set_cookie; +more_set_headers 'Set-Cookie: $auth_cookie'; +proxy_method GET; +proxy_pass_request_body off; +proxy_set_header Content-Length ""; ``` ### authelia config example (no guarantee for security of it) 1. create a custom location / (or the location you want to use), set your proxy settings, then press the gear button and paste the following in the new text field, you may need to adjust the last lines: ``` - auth_request /internal/authelia/authz; - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Name $name; +auth_request /internal/authelia/authz; +auth_request_set $user $upstream_http_remote_user; +auth_request_set $groups $upstream_http_remote_groups; +auth_request_set $name $upstream_http_remote_name; +auth_request_set $email $upstream_http_remote_email; +proxy_set_header Remote-User $user; +proxy_set_header Remote-Groups $groups; +proxy_set_header Remote-Email $email; +proxy_set_header Remote-Name $name; - # Modern Method: - auth_request_set $redirection_url $upstream_http_location; - error_page 401 =302 $redirection_url; - # Legacy Method: - #error_page 401 =302 
https://auth.example.com/?rd=$scheme://$host$request_uri; # change auth.example.com to match your authelia domain +# Modern Method: +auth_request_set $redirection_url $upstream_http_location; +error_page 401 =302 $redirection_url; +# Legacy Method: +#error_page 401 =302 https://auth.example.com/?rd=$scheme://$host$request_uri; # change auth.example.com to match your authelia domain ``` 2. create a location with the path `/internal/authelia/authz`, this should proxy to your authelia, example `http://:/api/verify`, then press the gear button and paste the following in the new text field ``` - proxy_method GET; - proxy_pass_request_body off; - proxy_set_header Content-Length ""; +internal; +proxy_method GET; +proxy_pass_request_body off; +proxy_set_header Content-Length ""; ``` ### prerun scripts (EXPERT option) - if you don't know what this is, ignore it
diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index faec346a6..cb31b7796 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@@ -13,8 +13,6 @@ location {{ path }} {
 set $server "{{ forward_host }}";
 set $port "{{ forward_port }}";
 set $forward_path "{{ forward_path }}";
-
- {{ advanced_config }}
 {% if allow_websocket_upgrade %}
 proxy_http_version 1.1;
@@ -23,5 +21,8 @@ location {{ path }} {
 {% endif %}
 include conf.d/include/proxy-headers.conf;
- proxy_pass $forward_scheme://$server{% if forward_port != null %}:$port{% endif %}{% if forward_path != null %}$forward_path{% else %}$request_uri{% endif %};
+
+ {{ advanced_config }}
+
+ proxy_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
 }
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index a6937ef05..f8b89d9aa 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
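Review bot: In the `forward_path` branch the new `proxy_pass` contains no nginx variable, so nginx treats it as a static upstream: `{{ forward_host }}` is resolved once at config load (an unresolvable name then fails the whole config test, and an IP change needs a reload), whereas the `$request_uri` branch keeps per-request resolution through `resolver` — the same split applies to the proxy_host.conf hunk. The static form also switches URI handling from "pass `$forward_path` as is" to "replace the location prefix with `{{ forward_path }}` and append the rest of the request URI", and nginx rejects a static `proxy_pass` with a URI part inside a regex location, so if `{{ path }}` may be a regex this branch still needs the variable form; whichever behaviour is intended deserves a template comment such as `# literal proxy_pass: prefix-replacement URI semantics, host resolved at config load`. `{{ forward_host }}` is now interpolated unquoted into the directive instead of into a quoted `set`, so the backend's validation of that field is what keeps whitespace or `;` out of the generated config — worth confirming it rejects such values. The `set $server`/`$port`/`$forward_path` lines kept in the first hunk no longer feed this directive and look unused here, unless something else in the template reads them.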
@@ -45,7 +45,7 @@ server {
 {% endif %}
 include conf.d/include/proxy-headers.conf;
- proxy_pass $forward_scheme://$server{% if forward_port != null %}:$port{% endif %}{% if forward_path != null %}$forward_path{% else %}$request_uri{% endif %};
+ proxy_pass {{ forward_scheme }}://{{ forward_host }}{% if forward_port != null %}:{{ forward_port }}{% endif %}{% if forward_path != null %}{{ forward_path }}{% else %}$request_uri{% endif %};
 }
 {% endif %}
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
index ab29cd225..9fabfb364 100755
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@@ -485,7 +485,7 @@ if [ -n "$INITIAL_DEFAULT_PAGE" ] && ! echo "$INITIAL_DEFAULT_PAGE" | grep -q "^
 fi
-export TV="3"
+export TV="4"
 if [ ! -s /data/npmplus/env.sha512sum ] || [ "$(cat /data/npmplus/env.sha512sum)" != "$( (grep "env\.[A-Z0-9_]\+" -roh /app/templates | sed "s|env.||g" | sort | uniq | xargs printenv; echo "$TV") | tr -d "\n" | sha512sum | cut -d" " -f1)" ]; then
 echo "At least one env or the template version changed, all hosts will be regenerated."
 export REGENERATE_ALL="true"
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
index 2f718e25b..323151db2 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/goaccess.conf
@@ -12,6 +12,7 @@ server {
 return 444;
 }
+# based on https://github.com/xavier-hernandez/goaccess-for-nginxproxymanager/blob/main/resources/nginx/nginx.conf
 server {
 listen 0.0.0.0:91 ssl default_server;
 listen [::]:91 ssl default_server;
diff --git a/rootfs/usr/local/nginx/conf/conf.d/npm.conf b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
index 2c9662913..5a1b9ac7c 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -34,7 +34,6 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; include conf.d/include/proxy-headers.conf; - proxy_pass http://127.0.0.1:48681/; }