Merge branch 'release/v1.6.5'

CHANGELOG.md

@@ -2,7 +2,17 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v1.6.3...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v1.6.5...HEAD)
+
+## [1.6.5](https://github.com/passbolt/passbolt_docker/compare/v1.6.3...v1.6.5) - 2017-09-14
+
+- Refer to [passbolt_api CHANGELOG](https://github.com/passbolt/passbolt_api/blob/master/CHANGELOG.md) for a list of new features and fixes.
+
+### Fixed
+- PASSBOLT-2406: change to LABEL, add docker-compose file for testing [#69](https://github.com/passbolt/passbolt_docker/pull/69)
+- PASSBOLT-2407: Check for email cron before setting it [#63](https://github.com/passbolt/passbolt_docker/issues/63)
+- PASSBOLT-2408: Strict Transport Security (HSTS)	Invalid Server provided more than one HSTS header [#65](https://github.com/passbolt/passbolt_docker/issues/65)
+- PASSBOLT-2410: nginx config sub optimal [#66](https://github.com/passbolt/passbolt_docker/issues/66)
 
 ## [1.6.3](https://github.com/passbolt/passbolt_docker/compare/v1.6.2+1...v1.6.3) - 2017-08-31
 

Dockerfile

@@ -1,8 +1,8 @@
 FROM alpine:3.6
 
-MAINTAINER diego@passbolt.com
+LABEL maintainer="diego@passbolt.com"
 
-ENV PASSBOLT_VERSION 1.6.3
+ENV PASSBOLT_VERSION 1.6.5
 ENV PASSBOLT_URL https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz
 
 ARG BASE_PHP_DEPS="php5-curl \
@@ -54,11 +54,11 @@ RUN apk add --no-cache $BASE_PHP_DEPS \
 RUN apk add --no-cache $PHP_GNUPG_DEPS  \
     && ln -s /usr/bin/php5 /usr/bin/php \
     && ln -s /usr/bin/phpize5 /usr/bin/phpize \
-    #https://bugs.alpinelinux.org/issues/5378
     && sed -i "s/ -n / /" $(which pecl) \
-    && pecl install gnupg memcache \
-    && echo "extension=memcache.so" > /etc/php5/conf.d/memcache.ini \
+    && pecl install gnupg \
+    && pecl install redis \
     && echo "extension=gnupg.so" > /etc/php5/conf.d/gnupg.ini \
+    && echo "extension=redis.so" > /etc/php5/conf.d/redis.ini \
     && apk del $PHP_GNUPG_DEPS \
     && curl -sS https://getcomposer.org/installer | php \
     && mv composer.phar /usr/local/bin/composer \

bin/docker-entrypoint.sh

@@ -166,12 +166,14 @@ email_cron_job() {
 
   mkdir -p $cron_task_dir
 
+  if ! grep $cron_task_dir $root_crontab > /dev/null; then
     echo "* * * * * run-parts $cron_task_dir" >> $root_crontab
+  fi
   echo "#!/bin/sh" > $cron_task
   chmod +x $cron_task
   echo "su -c \"$process_email\" -ls /bin/bash nginx" >> $cron_task
 
-  crond -f -c /etc/crontabs
+  crond -f -c /etc/crontabs &
 }
 
 
@@ -209,6 +211,7 @@ install
 
 php-fpm5
 
-nginx -g "pid /tmp/nginx.pid; daemon off;" &
-
 email_cron_job
+
+nginx -g "pid /tmp/nginx.pid; daemon off;"
+

conf/passbolt.conf

@@ -53,12 +53,11 @@ server {
   ssl on;
   ssl_certificate     /etc/ssl/certs/certificate.crt;
   ssl_certificate_key /etc/ssl/certs/certificate.key;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_protocols TLSv1.2;
   ssl_prefer_server_ciphers on;
-  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_session_tickets off;
   add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
   add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
 
@@ -73,9 +72,6 @@ server {
   # This header enables the Cross-site scripting (XSS) filter
   add_header X-XSS-Protection "1; mode=block";
 
-  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
-  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-
   location / {
     try_files $uri $uri/ /index.php?$args;
     index index.php;