php POST max size and custom HTTPS cert

2020-08-01 15:55:52 +02:00 · 2020-08-01 15:55:52 +02:00 · 76bd069f25
commit 76bd069f25
parent 1d6ab7275f
6 changed files with 49 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -180,6 +180,21 @@ Values : *yes* | *no*
 Default value : *yes*  
 If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.  

+`USE_CUSTOM_HTTPS` 
+Values : *yes* | *no*  
+Default value : *no*  
+If set to yes, HTTPS will be enabled with certificate/key of your choice.  
+
+`CUSTOM_HTTPS_CERT`  
+Values : *\<any valid path inside the container\>*  
+Default value :  
+Full path of the certificate file to use when `USE_CUSTOM_HTTPS` is set to yes.  
+
+`CUSTOM_HTTPS_KEY`  
+Values : *\<any valid path inside the container\>*  
+Default value :  
+Full path of the key file to use when `USE_CUSTOM_HTTPS` is set to yes.  
+
 ## ModSecurity
 `USE_MODSECURITY`  
 Values : *yes* | *no*  
@ -296,7 +311,7 @@ Default value : *yes*
 If set to yes, allows clients to upload files.

 `PHP_UPLOAD_MAX_FILESIZE`  
-Values : *<size in bytes>* | *XM*  
+Values : *\<size in bytes\>* | *XM*  
 Default value : *10M*  
 Sets the maximum file size allowed when uploading files.

@ -330,7 +345,7 @@ The time interval, in seconds, to search for "strange" HTTP status codes.

 `FAIL2BAN_MAXRETRY`  
 Values : *\<any positive integer\>*  
-Default : value : *10*  
+Default : value : *20*  
 The number of "strange" HTTP status codes to find between the time interval.

 ## ClamAV
@ -370,13 +385,11 @@ ENV WRITE_ACCESS yes
 ```

 # TODO
- nginx compile flags
- x86 and ARM versions
 - README improve
 - docker tags
 - Tutorials
 - Full documentation
+- nginx compile flags
 - Antibot with recaptcha v3
- Custom TLS certificates
 - HSTS preload, HPKP
 - Web UI
--- a/compile.sh
+++ b/compile.sh
@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh

 NTASK=$(($(nproc)*2))

--- a/confs/custom-https.conf
+++ b/confs/custom-https.conf
@ -0,0 +1,7 @@
+listen 0.0.0.0:443 ssl %HTTP2%;
+ssl_certificate %HTTPS_CUSTOM_CERT%;
+ssl_certificate_key %HTTPS_CUSTOM_KEY%;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+%STRICT_TRANSPORT_SECURITY%
--- a/confs/php.ini
+++ b/confs/php.ini
@ -691,7 +691,7 @@ auto_globals_jit = On
 ; Its value may be 0 to disable the limit. It is ignored if POST data reading
 ; is disabled through enable_post_data_reading.
 ; http://php.net/post-max-size
-post_max_size = 8M
+post_max_size = %PHP_POST_MAX_SIZE%

 ; Automatically add files before PHP document.
 ; http://php.net/auto-prepend-file
--- a/confs/server.conf
+++ b/confs/server.conf
@ -1,6 +1,7 @@
 server {
 	%LISTEN_HTTP%
 	%AUTO_LETS_ENCRYPT%
+	%CUSTOM_HTTPS%
 	%REDIRECT_HTTP_TO_HTTPS%
 	server_name %SERVER_NAME%;
 	%DISABLE_DEFAULT_SERVER%
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -77,6 +77,7 @@ PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN-no}"
 PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE-no}"
 PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS-yes}"
 PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE-10M}"
+PHP_POST_MAX_SIZE="${PHP_POST_MAX_SIZE-10M}"
 PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
@ -99,6 +100,7 @@ AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
 AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
 AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
 AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
+USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"

 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@ -146,6 +148,7 @@ if [ "$USE_PHP" = "yes" ] ; then
 	fi
 	replace_in_file "/etc/php7/php.ini" "%PHP_UPLOAD_MAX_FILESIZE%" "$PHP_UPLOAD_MAX_FILESIZE"
 	replace_in_file "/etc/php7/php.ini" "%PHP_DISABLE_FUNCTIONS%" "$PHP_DISABLE_FUNCTIONS"
+	replace_in_file "/etc/php7/php.ini" "%PHP_POST_MAX_SIZE%" "$PHP_POST_MAX_SIZE"
 else
 	replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
 fi
@ -245,7 +248,23 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 else
 	replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
 fi
-
+if [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" "include /etc/nginx/custom-https.conf;"
+	if [ "$HTTP2" = "yes" ] ; then
+		replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" "http2"
+	else
+		replace_in_file "/etc/nginx/custom-https.conf" "%HTTP2%" ""
+	fi
+	if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
+		replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
+	else
+		replace_in_file "/etc/nginx/custom-https.conf" "%STRICT_TRANSPORT_SECURITY%" ""
+	fi
+	replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_CERT%" "$HTTPS_CUSTOM_CERT"
+	replace_in_file "/etc/nginx/custom-https.conf" "%HTTPS_CUSTOM_KEY%" "$HTTPS_CUSTOM_KEY"
+else
+	replace_in_file "/etc/nginx/server.conf" "%CUSTOM_HTTPS%" ""
+fi
 if [ "$LISTEN_HTTP" = "yes" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
 else