php-rewrite

[Zoey2936]

Hello, this is not a new release.
I want to rewrite NPMplus in PHP in the near future, this will unify the backend and frontend, but will remove the API, I will try to make it possible to migrate to the rewrite from the "old" Node.js version (not sure with TLS Certificates). Please write Ideas you want into this discussion. The rewritten version will look different from NPMplus does now, CSS will be done by @DavidCraftDev. No I don't know when I will start working on this and when I will be finished with it / when an alpha/beta version will be published. But you can expect that not all changes listed below will be there with the first release.

What will be added/changed/kept?

• API will be removed
• gravatar will be removed, you can upload profile pictures yourself
• Written in PHP (with some composer deps) and CSS based on Tailwind by @DavidCraftDev
  • will also improve dark mode
• Option to further protect login using MFA and optional hcaptcha support
• I will switch to acme.sh add acme.sh #585 (removal of certbot)
• custom CAs in UI
• export/import option Is there any way we could add a built-in export/import feature to simplify backups/migrations? #628
• Geo-blocking Geolocation Blocking #730
• Client Certificate Authentication  #842
• proxy protocol upstreams for stream add proxy_protocol #619
• easier static/php site support in UI
• everything NPMplus currently supports
• try to move all env options to the UI (https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml)
• error/access logs in UI
• Crowdsec BOUNCER config in UI
• coreruleset/crs plugins/modsec in UI
• when cert is deleted, disable tls of all hosts using it
• keep multiuser, but only admin users
• authentik config #726 (reply in thread) button
• php-rewrite #731 (comment)
• your ideas/more

later:

• Language support Multi language support #693
• something like openid/oauth/ldap or so not sure what the best option is, but I want to support a kind of non-local auth
• readd new API
• readd permission system

Unsure:

• instead of using acme.sh and nginx, use caddy instead? not sure... No...
• change licence? Maybe to MPL 2.0 or later or (L/A)GPL 3.0 or later, or keep MIT... Should be possible because nearly all files not created by me will be removed. Yes, will change the Licence to AGPL 3.0

---

This discussion was created from the release php-rewrite.

[Zoey2936]

(Non PHP based version will still be supported at least until the PHP version will be released)

[tobilektri]

Is there a rough timeline for the PHP-based version?
The question comes from the fact that we are considering migrating from NPM to NPMPlus and are wondering whether we should do this now or rather when the PHP version is released.

[Zoey2936]

The first version will may be released in a month or later, not sure.
I will today next week push dep update on nodejs version and an env option for me to install the latest php commit from the PR I will create. I will start working on the authentication/user system first

[Zoey2936]

I will then work on the config and cert creation and then @DavidCraftDev can work on css

[RedCrafter07]

I'd love to see an API, even though you plan to remove it with the rewrite. A few suggestions:

• Add API Tokens

This will remove the requirement for an additional account in the current NPM as a workaround

• Documentation

I don't have to explain this, do I?

• Access control

Permissions for tokens, basically. No need to have a token which has admin access if you only want to change one domain, for example.

• Optional?

Add an option to enable or disable the API for better security. If a person doesn't need it, there's no reason to expose an API

Thanks for the great work you did so far!

[tokar86a]

Option for caching/configure of caching?

[Zoey2936]

not sure, since caching settings are very diffrent depending on you usecase, can you make some recommendations? since I don't know how to configure caching

[tokar86a]

No i dont have any recommendation as i dont know how to configure it. But the vanilla NPM have some caching support. But i am not sure what it is caching.

[Zoey2936]

I removed this caching function of the vanilla, since it caused vulnerability and caused many other bugs

[tokar86a]

I see but this was only a suggestions from my part. As it is a little bit different about how to configure it together whit NPM advance tab.

[gadget78]

this sound like a move that the original NPM has been doing (NPM v3), and since they announced that,
the demise of NPM v2 started and hence why we are all here ...
whats so bad with this type setup, that it gets abandoned for "newer versions/enviroments ? ..
and also why remove the local API ? is this because its ALL replaced by PHP, so really "needed" ?

[Zoey2936]

Remove the API:

• Since I don't want to use a framework like laravel and instead plain PHP, I could either create just an API and a pure HTML webpage connecting to the API OR write everything in PHP and readd an API later, which is easier to me

Why rewrite:

• because I've never learned nodejs in a way that is required to add new features to this
• updating deps of this project like tabler or webpack would be like a rewrite
• I like PHP
• most things added to this project are just done inside the start.sh via env or are renamed options from vanilla NPM
• see this file as an example: the internal value http2_support enabled brotli.... https://github.com/ZoeyVid/NPMplus/blob/develop/backend/templates/_brotli.conf

[Zoey2936]

if you have more questions just ask

[Joly0]

Hey @Zoey2936 i see you have created a draft pr for this and github-actions did create a docker image for it. Is it already possible to test the php rewrite version as a docker container and what about migrating to it from the current version?

[Zoey2936]

currently you can login and see the php info page. I'm currently working on the migration. The config creation is the easiest part and will be done at the end. So the image runs, but does nothing usefull and throws errors while starting

[Dialgatrainer02]

If you are still talking feature requests, Can you make the a declarative config to allow for easier automation? Like setting username and password in config instead of having to log in and change it via the gui. And other options like that for the other features. I wish to automate nonplus in ansible which is a big challenge ATM due to having to use the API and having things stored in databases rather than reading from config files.

[Zoey2936]

Sorry, but I will stay with sqlite

[Dialgatrainer02]

How much of npm relies on sqlite for configuration. If I manually edit the dB (eg to add a proxy host )will the nginx files be made accordingly. I am unfamiliar with the npm code based especially the rewrite. Can I effectively emulated gui actions by writing to the database manually.

[Zoey2936]

even if you run a sqlite query manually, it still would not automatically create the nginx config

[Dialgatrainer02]

Okay. I might just go raw nginx plus cert bit then as config files are infinitely easier to manage. Thank you for your time and I'll probably still use npmplus in testing.

[Joly0]

Wouldnt a proper api help with this? Afaik this is planned for later

[Dialgatrainer02]

Yeah I can automate the API calls provided it's rest like. I thought this was going away though but that would definitely work.

[Raxiel1987]

Rewrite in php you mean outside of docker? Or it will "update" the docker version?

And all the hosts i have configured now can be imported ?

[Zoey2936]

Import will then be possible, it will still be docker based, but you can also install it without docker, but it is not and will not documented

[Raxiel1987]

ok thanks i'm waiting for it :D

[HomemadeAdvanced]

It would be nice if the Diffie-Hellmann encryption would be added to the NPM.

An option to implement it would be a slider in the GUI or something like that, so that you could add more security to the communication between server and client. Recommended is a key length of 4096 but on slow hardware like a RaspberryPi it can be really slow. Maybe a DropDown Menu where you can set the strength of encryption and estimated time and/or hardware could be an option.
Another option is to set this feature as default but it needs some time to generate the params on weak hardware.

In the past missing dhparam in NPM was the main reason why I have not used the NPM in the past and had to do SSL manually because of better encryption.

An alternative way could be to add a description how to add dhparam manually without a GUI.

Let me know what you think about it.
Thanks in advance and greetings from Germany:)

[Zoey2936]

It should already be done:

NPMplus/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

Line 9 in 3b3305f

ssl_dhparam /etc/tls/dhparam;

[HomemadeAdvanced]

Thanks, I have looked it up and there is an 8192bit Diffie-Hellmann encryption which should be enough.

[HomemadeAdvanced]

Set more Security Headers, either under Custom locations or with slider to enable them:

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Permissions-Policy "interest-cohort=()";
fastcgi_hide_header X-Powered-By;

[Zoey2936]

NPMplus makes sure that there are no headers twice, also you can disable headers per host inside the UI

[HomemadeAdvanced]

Nextcloud says that the headers are set twice and this warning was in the past correct when I set them in Original NPM and in Nginx in front of Nextcloud. Then I deleted the headers in Nginx config and only set the headers within the Custom locations tab and the error was gone. Now I switched to NPMplus and inserted the headers as before under custom locations and the warning is back again. So I don't really know if NPMplus checks this but I think I have not configured something wrong.
Where can I disable headers inside the UI, I have not find any option to do so.

Thanks in advance.

[Zoey2936]

If you set headers by hand, then this is not a problem of npmplus, but you can try this instead of add_header: https://github.com/openresty/headers-more-nginx-module?tab=readme-ov-file#more_set_headers

[HomemadeAdvanced]

This should do the job, thanks.

[HomemadeAdvanced]

It was actually a Nextcloud issue. If someone runs into the same issue take a look here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html

[Joly0]

Hey, i would like to see the option to add access lists to only specific locations in a site. For example i have a website with a webui and an api. I add a location for / and one for /api. The webui has its own authentication, so i dont need any additional authentication through access lists, but the api needs one (for example using a bearer token), i would have to manually configure this in the advanced location settings. Would be easier to apply an access list to a locatipn in a site.

[Zoey2936]

I will add it to the list