diff --git a/.github/workflows/action_update-dockerhub-readme.yml b/.github/workflows/action_update-dockerhub-readme.yml
index b7ebb6c98..9f848712a 100644
--- a/.github/workflows/action_update-dockerhub-readme.yml
+++ b/.github/workflows/action_update-dockerhub-readme.yml
@@ -14,7 +14,7 @@ jobs:
name: Push README to Docker Hub
steps:
- name: git checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
ref: main
diff --git a/.github/workflows/scheduled-task_update-sponsors.yml b/.github/workflows/scheduled-task_update-sponsors.yml
index 6461482da..3d1d233b1 100644
--- a/.github/workflows/scheduled-task_update-sponsors.yml
+++ b/.github/workflows/scheduled-task_update-sponsors.yml
@@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout 🛎️
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Generate Sponsors 💖
uses: JamesIves/github-sponsors-readme-action@v1
diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml
index dbd4d7fa5..7c3a36dd1 100644
--- a/.github/workflows/service_docker-build-and-publish.yml
+++ b/.github/workflows/service_docker-build-and-publish.yml
@@ -39,7 +39,7 @@ jobs:
php-version-map-json: ${{ steps.get-php-versions.outputs.php-version-map-json }}
steps:
- name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
@@ -67,25 +67,25 @@ jobs:
echo "${MATRIX_JSON}" | jq '.'
- name: Upload the php-versions.yml file
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
with:
name: php-versions.yml
path: ${{ inputs.php-versions-file }}
docker-publish:
needs: setup-matrix
- runs-on: depot-ubuntu-24.04-4
+ runs-on: depot-ubuntu-24.04-8
strategy:
matrix: ${{fromJson(needs.setup-matrix.outputs.php-version-map-json)}}
steps:
- name: Check out code.
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
- name: Download PHP Versions file
- uses: actions/download-artifact@v5
+ uses: actions/download-artifact@v7
with:
name: php-versions.yml
path: ./artifacts
diff --git a/scripts/conf/php-versions-base-config.yml b/scripts/conf/php-versions-base-config.yml
index 373f0897d..03394995a 100644
--- a/scripts/conf/php-versions-base-config.yml
+++ b/scripts/conf/php-versions-base-config.yml
@@ -35,42 +35,43 @@ php_versions:
- minor: "8.1"
base_os:
- name: alpine3.21
+ - name: alpine3.22
- name: bookworm
- name: trixie
patch_versions:
- # - 8.1.28 # Pull latest from Official PHP source
+ # - 8.1.34 # Pull latest from Official PHP source
- minor: "8.2"
base_os:
- - name: alpine3.21
- name: alpine3.22
+ - name: alpine3.23
- name: bookworm
- name: trixie
patch_versions:
- # - 8.2.18 # Pull latest from Official PHP source
+ # - 8.2.30 # Pull latest from Official PHP source
- minor: "8.3"
base_os:
- - name: alpine3.21
- name: alpine3.22
+ - name: alpine3.23
- name: bookworm
- name: trixie
patch_versions:
- # - 8.3.6 # Pull latest from Official PHP source
+ # - 8.3.29 # Pull latest from Official PHP source
- minor: "8.4"
base_os:
- - name: alpine3.21
- name: alpine3.22
+ - name: alpine3.23
- name: bookworm
- name: trixie
patch_versions:
- # - 8.4.1 # Pull latest from Official PHP source
+ # - 8.4.16 # Pull latest from Official PHP source
- minor: "8.5"
base_os:
- - name: alpine3.21
- name: alpine3.22
+ - name: alpine3.23
- name: bookworm
- name: trixie
patch_versions:
- # - 8.5.0 # Pull latest from Official PHP source
+ # - 8.5.1 # Pull latest from Official PHP source
operating_systems:
- family: alpine
@@ -94,27 +95,31 @@ operating_systems:
- name: "Alpine 3.20"
version: alpine3.20
number: 3.20
- nginx_version: 1.28.0-r1
+ nginx_version: 1.28.1-r1
- name: "Alpine 3.21"
version: alpine3.21
number: 3.21
- nginx_version: 1.28.0-r1
+ nginx_version: 1.28.1-r1
- name: "Alpine 3.22"
version: alpine3.22
number: 3.22
- nginx_version: 1.28.0-r1
+ nginx_version: 1.28.1-r1
+ - name: "Alpine 3.23"
+ version: alpine3.23
+ number: 3.23
+ nginx_version: 1.28.1-r1
- family: debian
default: true
versions:
- name: "Debian Bullseye"
version: bullseye
number: 11
- nginx_version: 1.28.0-1~bullseye
+ nginx_version: 1.28.1-1~bullseye
- name: "Debian Bookworm"
version: bookworm
number: 12
- nginx_version: 1.28.0-1~bookworm
+ nginx_version: 1.28.1-1~bookworm
- name: "Debian Trixie"
version: trixie
number: 13
- nginx_version: 1.28.0-1~trixie
+ nginx_version: 1.28.1-1~trixie
diff --git a/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer b/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer
index 2d7ddac48..a3c3cfc04 100644
--- a/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer
+++ b/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer
@@ -11,7 +11,7 @@ script_name="docker-php-serversideup-install-php-ext-installer"
############
# Environment variables
############
-PHP_EXT_INSTALLER_VERSION="2.9.18"
+PHP_EXT_INSTALLER_VERSION="2.9.27"
############
# Main
diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
index 43957f476..f572f2501 100644
--- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
+++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
@@ -1,98 +1,83 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
#
-# Disable access to the entire file system except for the directories that
-# are explicitly allowed later.
+# H5BP Server Configs (Apache)
+# https://github.com/h5bp/server-configs-apache
#
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+# OWASP Secure Headers Project
+# https://owasp.org/www-project-secure-headers/
#
-#
-# AllowOverride None
-# Require all denied
-#
-
+# RFC 8615 - Well-Known URIs
+# https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
+# ------------------------------------------------------------------------------
+# | Server Software Information |
+# ------------------------------------------------------------------------------
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of: Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-# ServerTokens OS
-# #ServerTokens Full
+# Minimize information sent about the server
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of: On | Off | EMail
+# Disable server signature on error pages
+# https://httpd.apache.org/docs/current/mod/core.html#serversignature
ServerSignature Off
-# ServerSignature On
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of: On | Off | extended
+# Disable TRACE HTTP method to prevent XST attacks
+# https://owasp.org/www-community/attacks/Cross_Site_Tracing
TraceEnable Off
-#TraceEnable On
-#
-# Forbid access to version control directories
-#
-# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
-#
-
- Require all denied
+# ------------------------------------------------------------------------------
+# | Security Headers |
+# ------------------------------------------------------------------------------
+
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
+Header always set X-Frame-Options "SAMEORIGIN"
+
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
+Header always set X-Content-Type-Options "nosniff"
+
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+# ------------------------------------------------------------------------------
+# | File Access Restrictions |
+# ------------------------------------------------------------------------------
+
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+
+ Require all denied
+
+
+# Block access to all hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-apache
+
+ Require all denied
-# Prevent Apache from serving Gitlab files
-
- Require all denied
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
+
+ Require all denied
# Disable XML-RPC on all wordpress sites
Require all denied
# allow from xxx.xxx.xxx.xxx
-
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Frame-Options: "sameorigin"
-
-#
-# Referrer policy
-#
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-#
-# Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#
-#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
-
-#
-# Strict-Transport-Security Policy (set HSTS)
-#
-Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
\ No newline at end of file
+
\ No newline at end of file
diff --git a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
index e90562983..19986ee33 100644
--- a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
+++ b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf
@@ -1,24 +1,51 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
+#
+# H5BP Server Configs (nginx)
+# https://github.com/h5bp/server-configs-nginx
#
-# Security Headers
+# OWASP Secure Headers Project
+# https://owasp.org/www-project-secure-headers/
#
+# RFC 8615 - Well-Known URIs
+# https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
-# Prevent IFRAME spoofing attacks
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
add_header X-Frame-Options "SAMEORIGIN" always;
-# Prevent MIME attacks
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;
-# Prevent Referrer URL from being leaked
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
-
-# Configure Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-# Enable HSTS
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-# Prevent access to . files (the well-known directory)
+# ------------------------------------------------------------------------------
+# | File Access Restrictions |
+# ------------------------------------------------------------------------------
+
+# Block access to hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-nginx
location ~ /\.(?!well-known) {
deny all;
+}
+
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
+location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
+ deny all;
}
\ No newline at end of file
diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template
index 1d6ee8e6d..08a90ff96 100644
--- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template
+++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template
@@ -30,6 +30,12 @@ location / {
try_files $uri $uri/ /index.php?$query_string;
}
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+ deny all;
+}
+
# Pass "*.php" files to PHP-FPM
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template
index 0685ac17c..810ff0747 100644
--- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template
+++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template
@@ -36,6 +36,12 @@ location / {
try_files $uri $uri/ /index.php?$query_string;
}
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+ deny all;
+}
+
# Pass "*.php" files to PHP-FPM
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
diff --git a/src/variations/frankenphp/Dockerfile b/src/variations/frankenphp/Dockerfile
index 50813be46..f9c1ed677 100644
--- a/src/variations/frankenphp/Dockerfile
+++ b/src/variations/frankenphp/Dockerfile
@@ -2,7 +2,7 @@
ARG BASE_OS_VERSION='trixie'
ARG PHP_VERSION='8.5'
ARG BASE_IMAGE="php:${PHP_VERSION}-zts-${BASE_OS_VERSION}"
-ARG FRANKENPHP_VERSION='1.10.1'
+ARG FRANKENPHP_VERSION='1.11.1'
ARG GOLANG_VERSION='1.25'
########################
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index 566911126..50b2158be 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
@@ -127,24 +127,43 @@ fd00::/8 \
}
(security) {
- # Reject dot files and certain file extensions
- @rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
-
- # Return 403 Forbidden for rejected files
+ # This configuration follows security best practices from:
+ #
+ # H5BP Server Configs (nginx) - Adapted for Caddy
+ # https://github.com/h5bp/server-configs-nginx
+ #
+ # OWASP Secure Headers Project
+ # https://owasp.org/www-project-secure-headers/
+ #
+ # RFC 8615 - Well-Known URIs
+ # https://www.rfc-editor.org/rfc/rfc8615
+
+ # Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+ # Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+ @storage-php path_regexp ^/storage/.*\.php$
+ respond @storage-php 403
+
+ # Block access to files that may expose sensitive information
+ @rejected {
+ path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*
+ # EXCEPTION: /.well-known/* is allowed per RFC 8615 for ACME challenges
+ # https://www.rfc-editor.org/rfc/rfc8615
+ not path /.well-known/*
+ }
respond @rejected 403
- # Security headers
+ # Security Headers
+ # https://owasp.org/www-project-secure-headers/
header {
defer
- # Prevent IFRAME spoofing attacks
+ # Prevent clickjacking attacks by disabling iframe embedding
X-Frame-Options "SAMEORIGIN"
- # Prevent MIME type sniffing
+ # Prevent MIME type sniffing attacks
X-Content-Type-Options "nosniff"
- # Prevent referrer leakage
+ # Control referrer information sent with requests
Referrer-Policy "strict-origin-when-cross-origin"
- # Prevent server header leakage
+ # Remove server identification headers
-Server
- # Prevent powered by header leakage
-X-Powered-By
}
}