Infra-Mirrors/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2024-10-01 01:35:49 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #130 from linuxserver/authelia-patch

Browse Source 
update and patch authelia-server.conf for resolver and CVE
This commit is contained in:
aptalca 2021-05-28 18:49:04 -04:00 committed by GitHub
commit 056f27437e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions
* **28.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`.
* **20.05.21:** - Modify resolver.conf generation to detect and ignore ipv6.
* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
* **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.

1
readme-vars.yml
View File

@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog
changelogs:
- { date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`." }
- { date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6." }
- { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
- { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }

9
root/defaults/authelia-server.conf
View File

@ -1,16 +1,19 @@
## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
location ^~ /authelia {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
include /config/nginx/resolver.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify {
internal;
resolver 127.0.0.11 valid=30s;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
include /config/nginx/resolver.conf;
set $upstream_authelia authelia;
proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091;

5
root/etc/cont-init.d/50-config
View File

@ -109,6 +109,11 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
fi
# patch authelia-server.conf for CVE-2021-32637
if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
fi
# copy pre-generated dhparams or generate if needed
[[ ! -f /config/nginx/dhparams.pem ]] && \
cp /defaults/dhparams.pem /config/nginx/dhparams.pem