Releases: ZoeyVid/NPMplus
2025-01-11-r3
What's Changed
- fix #1373
How to update
- read the changes above
- repull the docker image
- apply any changes listed above that affect you to your compose.yaml
- redeploy the compose stack
- report any issues you find
Full Changelog: 2025-01-11-r2...2025-01-11-r3
2025-01-11-r2
What's Changed
- fix #1371
- fix all hosts always regenerate on container restart
How to update
- read the changes above
- repull the docker image
- apply any changes listed above that affect you to your compose.yaml
- redeploy the compose stack
- report any issues you find
Full Changelog: 2025-01-10-r1...2025-01-11-r2
2025-01-11-r1
What's Changed
- allow uids/gids set to 99 and above
- fix healthcheck (hotfix from yesterday)
- dep updates
How to update
- read the changes above
- repull the docker image
- apply any changes listed above that affect you to your compose.yaml
- redeploy the compose stack
- report any issues you find
Full Changelog: 2025-01-10-r1...2025-01-11-r1
2025-01-10-r1
Note: All hosts will regenerate when updating to this version
Note: The path where the geoip databases for goaccess are saved has moved from etc/goaccess/geoip to goaccess/geoip inside the mounted data folder; if you update them automatically, please adjust the path
Note: if you used the last alpha, please switch back to the latest tag
What's Changed
- http3 should now be way faster (http3_stream_buffer_size was too small)
- all your hosts will now regenerate once, and again whenever you update an env that influences a template
- use liquidjs itself instead of sed to modify persistent hosts and templates based on envs
- slim start.sh because many migrations are now done by simply recreating all hosts
- remove migrations from very old NPMplus versions (migration from upstream NPM still possible)
- allow changing http/https ports
- merge tls-ciphers-no-stapling.conf and tls-ciphers.conf into one file
- disable ACME_MUST_STAPLE by default
- new ACME_OCSP_STAPLING env controlling whether stapling should happen; currently on, will be disabled at the end of April
- env DB_SQLITE_FILE and env CLEAN are now unsupported
- NPM_DISABLE_IPV6 and GOA_DISABLE_IPV6 are now removed and included in DISABLE_IPV6
- update all stapling files before starting all services
- default host is not mounted anymore and recreated on each container start
- nginxbeautifier now only runs on hosts generation
- fix unresponsive start page (upstream issue, fixed by reverting upstream commit)
- dep updates
- support php84
- update readme
- update security.txt
- merge upstream
- improve folder structure (mainly move all folders inside etc to root data folder)
- watchtower is now allowed to update NPMplus (envs have moved to start.sh)
- frontend now only allows enabling coreruleset if modsec is also enabled
- quic_bpf support (default off, since it needs NPMplus to run as a privileged container)
- NIBEP and GOAIWSP have changed their default values
- streams forwarding_port now allows $server_port as a valid input
- allowed syntax for domain names and stream/proxy forward_host has changed
- added support for INITIAL_DEFAULT_PAGE
- remove kyber (mlkem is supported)
- use freenginx default tls setting when connecting to upstream server
- rename nginx_custom folder to custom_nginx
- unify proxy.conf and proxy-location.conf to proxy-headers.conf
- new dummy certs now use secp384r1 instead of rsa4096
- integrate no-servername files in the normal configs
- allow disabling hsts subdomains via env
- support upstream X_FRAME_OPTIONS env, also change its default from SAMEORIGIN to DENY, add option to not set it
- remove Referrer-Policy header (the browser default when unset is the same as NPMplus used before: strict-origin-when-cross-origin)
- don't expose the version when making an (authenticated/unauthenticated) request to the NPMplus API (yes, I know it is still visible on the frontend)
- add ACME_KEY_TYPE env (default and recommended is still ecdsa)
- use #!/usr/bin/env sh instead of #!/bin/sh
- dns secrets are no longer mounted, since they are saved in the db and rewritten on every container start
- certbot is now built together with nginx
How to update
- read the changes above
- repull the docker image
- apply any changes listed above that affect you to your compose.yaml
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-12-14-r1...2025-01-10-r1
2025-01-03-alpha
Note: this is a prerelease; please back up NPMplus and test it if you can, and report back if something does not work (to see how many people test it, please at least give a reaction if you test it and it works)
The following still needs to happen before the new latest release:
- compose.yaml: remove comments
- create new release (and remind people to switch back to latest now, also remind them to change the geoip paths)
What's Changed
- all your hosts will now regenerate once, and again whenever you update an env that influences a template
- use liquidjs itself instead of sed to modify persistent hosts and templates based on envs
- slim start.sh because many migrations are now done by simply recreating all hosts
- remove migrations from very old NPMplus versions (migration from upstream NPM still possible)
- allow changing http/https ports
- merge tls-ciphers-no-stapling.conf and tls-ciphers.conf into one file
- disable ACME_MUST_STAPLE by default
- new ACME_OCSP_STAPLING env controlling whether stapling should happen; currently on, will be disabled at the end of April
- env DB_SQLITE_FILE is now unsupported
- NPM_DISABLE_IPV6 and GOA_DISABLE_IPV6 are now removed and included in DISABLE_IPV6
- http3 should now be way faster (http3_stream_buffer_size was too small)
- update all stapling files before starting all services
- default host is not mounted anymore and recreated on each container start
- nginxbeautifier now only runs on hosts generation
- fix unresponsive start page (upstream issue, fixed by reverting upstream commit)
- dep updates
- support php84
- update readme
- update security.txt
- improve folder structure
- frontend now only allows enabling coreruleset if modsec is also enabled
- quic_bpf support (default off, since it needs NPMplus to run as a privileged container)
- NIBEP and GOAIWSP have switched their default values
- streams forwarding_port now allows $server_port as a valid input
- allowed syntax for domain names and stream/proxy forward_host has changed
- added support for INITIAL_DEFAULT_PAGE
- remove kyber (mlkem is supported)
- use freenginx default tls setting when connecting to upstream server
- rename nginx_custom folder to custom_nginx
- unify proxy.conf and proxy-location.conf to proxy.conf
- new dummy certs now use secp384r1 instead of rsa4096
- integrate no-servername files in the normal configs
- allow disabling hsts subdomains via env
- support upstream X_FRAME_OPTIONS env, also change its default from SAMEORIGIN to DENY, add option to not set it
- remove Referrer-Policy header (the browser default when unset is the same as NPMplus used before: strict-origin-when-cross-origin)
- don't expose the version when making an (authenticated/unauthenticated) request to the NPMplus API
- add ACME_KEY_TYPE env (default and recommended is still ecdsa)
- use #!/usr/bin/env sh instead of #!/bin/sh
- dns secrets are no longer mounted, since they are saved in the db and rewritten on every container start
- certbot is now built together with nginx
How to test
- Read the changes above
- change the tag in your compose.yaml from latest/nothing to develop
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-12-14-r1...2025-01-03-alpha
2024-12-14-r1
What's Changed
- ACME_SERVER and ACME_MUST_STAPLE values will now also apply when renewing existing certs
- update alpine to 3.21
- update crs to 4.9.0
- use alpine curl instead of my own curl-quic build
- other small dep updates
- upstream merges (fix NginxProxyManager#4168, implement NginxProxyManager#4163)
- 404 page is now called dead page and should return 404
- readd DNS propagation delay
- default mime type is now application/octet-stream (means download)
How to update
- NOTE: watchtower does NOT update NPMplus
- Read the changes above
- Pull the zoeyvid/npmplus:latest image
- apply any changes listed above that affect you to your compose.yaml/NPMplus
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-11-25-r1...2024-12-14-r1
Important information about Certificates/CAs/OCSP Must-Staple
Note: This is not a new release but an important information
Let's Encrypt has made an announcement today which has a huge impact on NPMplus; you can read it here: https://letsencrypt.org/2024/12/05/ending-ocsp
If you have any questions/ideas etc. on this topic, please write a comment
What is OCSP/CRLs?
- first: OCSP, OCSP Stapling and OCSP Must-Staple are different things.
OCSP:
- With OCSP the client (browser) asks the CA (Let's Encrypt) whether the certificate used by the web server was revoked
- This is a check done between CA and client; NPMplus has no influence on this
- Revocation will be detected by the client if the client (re)checks for it (recheck, because a cached response could exist)
- privacy problem, since the CA learns things it should not (can be disabled in Firefox/Thunderbird settings, not sure about other clients; Chrome doesn't even support this)
=> useful, but with a privacy problem; may take some time to be detected because of the cache - https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
OCSP Stapling without Must-Staple:
- your 30-day cert is valid on its own, but it is additionally verified by a “second certificate”
- always enabled for all certbot certs of NPMplus (also for migrated instances and also if you disable must-staple)
- the “second certificate” is valid only for 7 days
- the “second certificate” is requested by the web server from the CA (since the nginx implementation is not the best, NPMplus uses certbot-ocsp-fetcher for this)
- no privacy problem, since the browser only talks to the web server and not to the CA
- BUT: if the cert is compromised, the cert can still be used WITHOUT OCSP Stapling, so revocation is not detected by the client (unless the client detects it through other ways: client-CA OCSP/CRLs)
=> useless without must-staple, see below - https://en.wikipedia.org/wiki/OCSP_stapling
OCSP Stapling with Must-Staple:
- same as above, but your 30-day cert is NOT valid on its own; it needs a “second certificate” to be valid
- this requirement is part of the cert itself (so not removable) and added while creating the cert (the must-staple requirement is enabled by default with NPMplus for all certbot certs, but can be disabled via ENV)
- Revocation will be detected as soon as the “second certificate” expires, if the client supports must-staple
=> useful if supported by the client; may take some time to be detected because of the validity of the “second certificate” - https://en.wikipedia.org/wiki/OCSP_stapling
CRLs
- the older technology to detect revocation
- CAs publish huge lists containing information about all revoked (and by date still valid) certificates and chrome/Firefox/thunderbird download collections of these lists
- Problem: because of size, lists may not contain all revoked certs
=> depends: if the revocation information of your cert is not included, then it is useless, otherwise it is ok - https://en.wikipedia.org/wiki/Certificate_revocation_list
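As an added example (not code from NPMplus or its author), the following POSIX shell script shows what "the requirement is part of the cert itself" means: it builds two constructed self-signed test certificates with openssl, one carrying the Must-Staple TLS Feature extension plus an OCSP responder URL and one without, and checks each for the extension the same way you could check a real fullchain.pem. It assumes openssl and mktemp are available; the responder URL, the certificate names and the NPMplus path mentioned in a comment are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of NPMplus. Must-Staple is the X.509 TLS Feature
# extension (RFC 7633) carrying status_request: a client that honours it
# refuses the cert unless the server staples a fresh OCSP response (the
# "second certificate" above). Because it lives inside the signed cert,
# it can only be dropped by issuing a new cert, not by a config change.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# has_must_staple <cert.pem>: exit 0 if the TLS Feature extension lists
# status_request, 1 otherwise. Works offline on any PEM cert, e.g. an
# NPMplus certbot fullchain.pem (path to it is deployment specific).
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'TLS Feature' | grep -q 'status_request'
}

# ocsp_responder <cert.pem>: print the OCSP URL from the cert's Authority
# Information Access extension; this is where a stapler such as
# certbot-ocsp-fetcher has to fetch the response from. Empty if absent.
ocsp_responder() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Constructed sample data: two self-signed secp384r1 certs (the curve the
# NPMplus dummy certs now use), one plain and one with Must-Staple + AIA.
make_cert() { # make_cert <out.pem> [extra openssl req options]
    _out=$1; shift
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$_out" "$@" >/dev/null 2>&1
}
make_cert "$WORK/plain.pem"
make_cert "$WORK/muststaple.pem" \
    -addext "tlsfeature=status_request" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test"

# Report both certs when run stand-alone.
for c in plain muststaple; do
    if has_must_staple "$WORK/$c.pem"; then
        echo "$c.pem: Must-Staple set, responder: $(ocsp_responder "$WORK/$c.pem")"
    else
        echo "$c.pem: no Must-Staple, client will accept it without a stapled response"
    fi
done
```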
My opinion on this (I mostly talk about Must-Staple)
- first I understand that they remove OCSP because of the costs they have through it and because of the privacy concern
- BUT I don't understand that they remove Must-Staple support, it is better than CRL
- They argue that most web servers have no good implementation for this, which is not fully true, like caddy which has good support for this or NPMplus itself through the certbot-ocsp-fetcher script ((free)nginx's own implementation is not the best) ⇒ I don't think that this argument is big enough to revert to CRLs
- The argument with the client is sadly true, since chrome (and its forks) doesn't support must-staple, so the only big clients remaining are Firefox/thunderbird (not sure about WebKit/safari and other big mail clients like outlook)
What now?
- I must say, there is no good solution:
- Moving to ZeroSSL would be an option, but they have no CRL support, which is important for chromium (and forks)
- Staying with Let's Encrypt would mean losing Must-Staple functionality
- But since a decision needs to be made and chrome is very important, I will stay with Let's Encrypt by default and instead change the default value of ACME_MUST_STAPLE, maybe stapling needs to be fully removed even if your custom CA supports it, but I will try to find a way to prevent this
- If ZeroSSL or any other public ACME supporting CA will have support for OCSP Stapling/Must-Staple and CRLs, then this will become the new default CA
When will the change happen?
- Before January 30, 2025 (the day Must-Staple will stop working for new instances)
- I have no exact date, but I will try to have some releases until this change:
- at least one release mentioning this change in its changelog, in a few days
- in between (or maybe with the next release), I will sync the value of ACME_MUST_STAPLE with all renewal configs of certbot cert to make sure that certs which get renewed will have the same setting as the env (maybe I will also sync the ACME_SERVER env)
- and at some point ACME_MUST_STAPLE will be changed to false by default (and stapling may be removed) - maybe still in December
- ENVs set by you will not be overridden
2024-11-25-r1
Note: NPMplus has had its own place at Reddit for a few months: https://www.reddit.com/r/NPMplus (very empty there), but I still prefer reporting anything over GitHub to have everything in one place
What's Changed
- NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
- dep updates
- readme changes
- ACME_MUST_STAPLE and ACME_SERVER_TLS_VERIFY options (see compose.yaml)
- Stop GoAccess errors by @Sproglet in #1245
- close #965 by merging NginxProxyManager#4187
- merge upstream (only this PR was merged: NginxProxyManager#4179)
- fix updating streams (untested, but should work, if not please open an issue)
- Note: if you want NPMplus in your language, please see the readme on how to contribute a translation
- Note: 2 hours after this release I made a hotfix for the certbot command and merged upstream changes (forbid port 80, 81 and 443 as stream output ports)
How to update
- NOTE: watchtower does NOT update NPMplus
- Read the changes above
- Pull the zoeyvid/npmplus:latest image
- apply any changes listed above that affect you to your compose.yaml/NPMplus
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-11-02-r1...2024-11-25-r1
2024-11-02-r1
What's Changed
- NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
- fix #1185 (comment) (the workaround mentioned in the thread is not needed anymore)
- dep updates
- add multi-language support by @lateautumn233; if you want to add a language, see this commit as an example: a026b42
- add lang de
- upstream merges (leaseweb dns support and revert proxy_pass in a location block to use static values instead of static vars)
- improve goaccess start and behaviour while rotating logs
- include goaccess and fcgi package in the image (like logrotate), so they don't need to be downloaded each container recreation (so only php-fpm/php packages need to be downloaded if needed)
- fix GeoLite2-City being ignored by goaccess
- fix goaccess ip binding after container restart
- remove unused acme.sh script (will be added back if NPMplus maybe switches to it)
How to update
- NOTE: watchtower does NOT update NPMplus
- Read the changes above
- Pull the zoeyvid/npmplus:latest image
- apply any changes listed above that affect you to your compose.yaml/NPMplus
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-10-24-r1...2024-11-02-r1
2024-10-24-r1
Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
What's Changed
- fix #1185 (comment)
How to update
- Read the changes above
- Pull the zoeyvid/npmplus:latest image
- apply any changes listed above that affect you to your compose.yaml/NPMplus
- redeploy the compose stack
- report any issues you find
Full Changelog: 2024-10-23-r1...2024-10-24-r1