diff --git a/CHANGELOG.md b/CHANGELOG.md index 79911c6..34c1d9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,17 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v1.6.3...HEAD) +## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v1.6.5...HEAD) + +## [1.6.5](https://github.com/passbolt/passbolt_docker/compare/v1.6.3...v1.6.5) - 2017-09-14 + +- Refer to [passbolt_api CHANGELOG](https://github.com/passbolt/passbolt_api/blob/master/CHANGELOG.md) for a list of new features and fixes. + +### Fixed +- PASSBOLT-2406: change to LABEL, add docker-compose file for testing [#69](https://github.com/passbolt/passbolt_docker/pull/69) +- PASSBOLT-2407: Check for email cron before setting it [#63](https://github.com/passbolt/passbolt_docker/issues/63) +- PASSBOLT-2408: Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header [#65](https://github.com/passbolt/passbolt_docker/issues/65) +- PASSBOLT-2410: nginx config sub optimal [#66](https://github.com/passbolt/passbolt_docker/issues/66) ## [1.6.3](https://github.com/passbolt/passbolt_docker/compare/v1.6.2+1...v1.6.3) - 2017-08-31 diff --git a/Dockerfile b/Dockerfile index e459854..fc8bd9f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ FROM alpine:3.6 -MAINTAINER diego@passbolt.com +LABEL maintainer="diego@passbolt.com" -ENV PASSBOLT_VERSION 1.6.3 +ENV PASSBOLT_VERSION 1.6.5 ENV PASSBOLT_URL https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz ARG BASE_PHP_DEPS="php5-curl \ @@ -54,11 +54,11 @@ RUN apk add --no-cache $BASE_PHP_DEPS \ RUN apk add --no-cache $PHP_GNUPG_DEPS \ && ln -s /usr/bin/php5 /usr/bin/php \ && ln -s /usr/bin/phpize5 /usr/bin/phpize \ - #https://bugs.alpinelinux.org/issues/5378 && sed -i "s/ -n / /" $(which pecl) \ - && pecl install gnupg memcache \ - && echo "extension=memcache.so" > /etc/php5/conf.d/memcache.ini \ + && pecl install gnupg \ + && pecl install redis \ && echo "extension=gnupg.so" > /etc/php5/conf.d/gnupg.ini \ + && echo "extension=redis.so" > /etc/php5/conf.d/redis.ini \ && apk del $PHP_GNUPG_DEPS \ && curl -sS https://getcomposer.org/installer | php \ && mv composer.phar /usr/local/bin/composer \ diff --git a/bin/docker-entrypoint.sh b/bin/docker-entrypoint.sh index e3645f2..201a0d5 100755 --- a/bin/docker-entrypoint.sh +++ b/bin/docker-entrypoint.sh @@ -166,12 +166,14 @@ email_cron_job() { mkdir -p $cron_task_dir - echo "* * * * * run-parts $cron_task_dir" >> $root_crontab + if ! grep $cron_task_dir $root_crontab > /dev/null; then + echo "* * * * * run-parts $cron_task_dir" >> $root_crontab + fi echo "#!/bin/sh" > $cron_task chmod +x $cron_task echo "su -c \"$process_email\" -ls /bin/bash nginx" >> $cron_task - crond -f -c /etc/crontabs + crond -f -c /etc/crontabs & } @@ -209,6 +211,7 @@ install php-fpm5 -nginx -g "pid /tmp/nginx.pid; daemon off;" & - email_cron_job + +nginx -g "pid /tmp/nginx.pid; daemon off;" + diff --git a/conf/passbolt.conf b/conf/passbolt.conf index af68783..c48a17a 100644 --- a/conf/passbolt.conf +++ b/conf/passbolt.conf @@ -53,12 +53,11 @@ server { ssl on; ssl_certificate /etc/ssl/certs/certificate.crt; ssl_certificate_key /etc/ssl/certs/certificate.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; - ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_session_tickets off; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; - add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; @@ -73,9 +72,6 @@ server { # This header enables the Cross-site scripting (XSS) filter add_header X-XSS-Protection "1; mode=block"; - # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; - location / { try_files $uri $uri/ /index.php?$args; index index.php;