Merge branch 'MISP:master' into master

MISP · Jan 15, 2025 · 040fe59 · 040fe59
2 parents bc6782d + 2b9390e
commit 040fe59
Show file tree

Hide file tree

Showing 9 changed files with 217 additions and 55 deletions.
diff --git a/README.md b/README.md
@@ -95,6 +95,14 @@ To override these behaviours edit the docker-compose.yml file's misp-core volume
 If it is just a default setting that is meant to be set if not already set by the user, add it in one of the `*.default.json` files.
 If it is a setting controlled by an environment variable which is meant to override whatever is set, add it in one of the `*.envars.json` files (note that you can still specify a default value).
 
+#### LDAP Authentication
+
+You can configure LDAP authentication in MISP using 2 methods:
+-  native plugin: LdapAuth (https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth) 
+-  previous approach with ApacheSecureAuth (https://gist.github.com/Kagee/f35ed25216369481437210753959d372). 
+
+LdapAuth is to be recommended, because it doesn't require rproxy apache with the ldap module.
+
 ### Production
 
 -   It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages)
@@ -141,6 +149,45 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
       - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
 ```
 
+## Database Management
+
+It is possible to backup and restore the underlying database using volume archiving.
+The process is *NOT* battle-tested, so it is *NOT* to be followed uncritically.
+
+### Backup
+
+1. Stop the MISP containers:
+   ```bash
+   docker compose down
+   ```
+
+2. Create an archive of the `misp-docker_mysql_data` volume using `tar`:
+   ```bash
+   tar -cvzf /root/misp_mysql_backup.tar.gz /var/lib/docker/volumes/misp-docker_mysql_data/
+   ```
+
+3. Start the MISP containers:
+   ```bash
+   docker compose up
+   ```
+
+### Restore
+
+1. Stop the MISP containers:
+   ```bash
+   docker compose down
+   ```
+
+2. Unpack the backup and overwrite existing data by using the `--overwrite` option to replace existing files:
+   ```bash
+   tar -xvzf /path_to_backup/misp_mysql_backup.tar.gz -C /var/lib/docker/volumes/misp-docker_mysql_data/ --overwrite
+   ```
+
+3. Start the MISP containers:
+   ```bash
+   docker compose up
+   ```
+
 ## Troubleshooting
 
 -   Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)

diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
@@ -155,40 +155,92 @@ set_up_oidc() {
     fi
 }
 
-set_up_ldap() {
-    if [[ "$LDAP_ENABLE" != "true" ]]; then
-        echo "... LDAP authentication disabled"
+set_up_apachesecureauth() {
+    if [[ "$APACHESECUREAUTH_LDAP_ENABLE" != "true" ]]; then
+        echo "... LDAP APACHESECUREAUTH authentication disabled"
         return
     fi
 
+
+    if [ ! -z "$APACHESECUREAUTH_LDAP_OLD_VAR_DETECT" ]; then
+        echo "WARNING: old variables used for APACHESECUREAUTH bloc in env file. Switch to the new naming convention."
+    fi
+
     # Check required variables
-    # LDAP_SEARCH_FILTER may be empty
-    check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS 
+    # APACHESECUREAUTH_LDAP_SEARCH_FILTER may be empty
+    check_env_vars APACHESECUREAUTH_LDAP_APACHE_ENV APACHESECUREAUTH_LDAP_SERVER APACHESECUREAUTH_LDAP_STARTTLS APACHESECUREAUTH_LDAP_READER_USER APACHESECUREAUTH_LDAP_READER_PASSWORD APACHESECUREAUTH_LDAP_DN APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE APACHESECUREAUTH_LDAP_FILTER APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID APACHESECUREAUTH_LDAP_DEFAULT_ORG APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT APACHESECUREAUTH_LDAP_OPT_REFERRALS
 
     sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
         \"ApacheSecureAuth\": {
-            \"apacheEnv\": \"${LDAP_APACHE_ENV}\",
-            \"ldapServer\": \"${LDAP_SERVER}\",
-            \"starttls\": ${LDAP_STARTTLS},
-            \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
-            \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
-            \"ldapReaderUser\": \"${LDAP_READER_USER}\",
-            \"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
-            \"ldapDN\": \"${LDAP_DN}\",
-            \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
-            \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
-            \"ldapFilter\": ${LDAP_FILTER},
-            \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
-            \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
-            \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
-            \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
+            \"apacheEnv\": \"${APACHESECUREAUTH_LDAP_APACHE_ENV}\",
+            \"ldapServer\": \"${APACHESECUREAUTH_LDAP_SERVER}\",
+            \"starttls\": ${APACHESECUREAUTH_LDAP_STARTTLS},
+            \"ldapProtocol\": ${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION},
+            \"ldapNetworkTimeout\": ${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT},
+            \"ldapReaderUser\": \"${APACHESECUREAUTH_LDAP_READER_USER}\",
+            \"ldapReaderPassword\": \"${APACHESECUREAUTH_LDAP_READER_PASSWORD}\",
+            \"ldapDN\": \"${APACHESECUREAUTH_LDAP_DN}\",
+            \"ldapSearchFilter\": \"${APACHESECUREAUTH_LDAP_SEARCH_FILTER}\",
+            \"ldapSearchAttribut\": \"${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE}\",
+            \"ldapFilter\": ${APACHESECUREAUTH_LDAP_FILTER},
+            \"ldapDefaultRoleId\": ${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID},
+            \"ldapDefaultOrg\": \"${APACHESECUREAUTH_LDAP_DEFAULT_ORG}\",
+            \"ldapAllowReferrals\": ${APACHESECUREAUTH_LDAP_OPT_REFERRALS},
+            \"ldapEmailField\": ${APACHESECUREAUTH_LDAP_EMAIL_FIELD}
         }
     }" > /dev/null
 
     # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }
 
+set_up_ldap() {
+    if [[ "$LDAPAUTH_ENABLE" != "true" ]]; then
+        echo "... LDAPAUTH authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    # LDAPAUTH_LDAPSEARCHFILTER may be empty
+    check_env_vars LDAPAUTH_LDAPSERVER LDAPAUTH_LDAPDN LDAPAUTH_LDAPREADERUSER LDAPAUTH_LDAPREADERPASSWORD LDAPAUTH_LDAPSEARCHATTRIBUTE LDAPAUTH_LDAPDEFAULTROLEID LDAPAUTH_LDAPDEFAULTORGID LDAPAUTH_LDAPEMAILFIELD LDAPAUTH_LDAPNETWORKTIMEOUT LDAPAUTH_LDAPPROTOCOL LDAPAUTH_LDAPALLOWREFERRALS LDAPAUTH_STARTTLS LDAPAUTH_MIXEDAUTH LDAPAUTH_UPDATEUSER LDAPAUTH_DEBUG LDAPAUTH_LDAPTLSREQUIRECERT LDAPAUTH_LDAPTLSCUSTOMCACERT LDAPAUTH_LDAPTLSCRLCHECK LDAPAUTH_LDAPTLSPROTOCOLMIN
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"LdapAuth\": {
+          \"ldapServer\": \"${LDAPAUTH_LDAPSERVER}\",
+          \"ldapDn\": \"${LDAPAUTH_LDAPDN}\",
+          \"ldapReaderUser\": \"${LDAPAUTH_LDAPREADERUSER}\",
+          \"ldapReaderPassword\": \"${LDAPAUTH_LDAPREADERPASSWORD}\",
+          \"ldapSearchFilter\": \"${LDAPAUTH_LDAPSEARCHFILTER}\",
+          \"ldapSearchAttribute\": \"${LDAPAUTH_LDAPSEARCHATTRIBUTE}\",
+          \"ldapEmailField\": ${LDAPAUTH_LDAPEMAILFIELD},
+          \"ldapNetworkTimeout\": ${LDAPAUTH_LDAPNETWORKTIMEOUT},
+          \"ldapProtocol\": ${LDAPAUTH_LDAPPROTOCOL},
+          \"ldapAllowReferrals\": ${LDAPAUTH_LDAPALLOWREFERRALS},
+          \"starttls\": ${LDAPAUTH_STARTTLS},
+          \"mixedAuth\": ${LDAPAUTH_MIXEDAUTH},
+          \"ldapDefaultOrgId\": ${LDAPAUTH_LDAPDEFAULTORGID},
+          \"ldapDefaultRoleId\": ${LDAPAUTH_LDAPDEFAULTROLEID},
+          \"updateUser\": ${LDAPAUTH_UPDATEUSER},
+          \"debug\": ${LDAPAUTH_DEBUG},
+          \"ldapTlsRequireCert\": \"${LDAPAUTH_LDAPTLSREQUIRECERT}\",
+          \"ldapTlsCustomCaCert\": ${LDAPAUTH_LDAPTLSCUSTOMCACERT},
+          \"ldapTlsCrlCheck\": \"${LDAPAUTH_LDAPTLSCRLCHECK}\",
+          \"ldapTlsProtocolMin\": \"${LDAPAUTH_LDAPTLSPROTOCOLMIN}\"
+       }
+    }" > /dev/null
+
+    # Configure LdapAuth in MISP
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+            \"Security\": {
+                \"auth\": [\"LdapAuth.Ldap\"]
+            }
+        }" > /dev/null
+
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 set_up_aad() {
     if [[ "$AAD_ENABLE" != "true" ]]; then
         echo "... Entra (AzureAD) authentication disabled"
@@ -449,6 +501,8 @@ echo "MISP | Create sync servers ..." && create_sync_servers
 
 echo "MISP | Set Up OIDC ..." && set_up_oidc
 
+echo "MISP | Set Up apachesecureauth ..." && set_up_apachesecureauth
+
 echo "MISP | Set Up LDAP ..." && set_up_ldap
 
 echo "MISP | Set Up AAD ..." && set_up_aad

diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
@@ -50,6 +50,7 @@ export PHP_MAX_EXECUTION_TIME=${PHP_MAX_EXECUTION_TIME:-300}
 export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
 export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
 export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
+export PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}
 
 export PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5}
 export PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2}
@@ -67,6 +68,7 @@ export PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax}
 
 export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
 export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
+export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}
 
 # start supervisord using the main configuration file so we have a socket interface
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
@@ -19,6 +19,8 @@ change_php_vars() {
         sed -i "s/max_execution_time = .*/max_execution_time = ${PHP_MAX_EXECUTION_TIME}/" "$FILE"
         echo "Configure PHP | Setting 'upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}'"
         sed -i "s/upload_max_filesize = .*/upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}/" "$FILE"
+        echo "Configure PHP | Setting 'max_file_uploads = ${PHP_MAX_FILE_UPLOADS}'"
+        sed -i "s/max_file_uploads = .*/max_file_uploads = ${PHP_MAX_FILE_UPLOADS}/" "$FILE"
         echo "Configure PHP | Setting 'post_max_size = ${PHP_POST_MAX_SIZE}'"
         sed -i "s/post_max_size = .*/post_max_size = ${PHP_POST_MAX_SIZE}/" "$FILE"
         echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"

diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
@@ -225,6 +225,10 @@ init_nginx() {
     echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
     sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
 
+    # Adjust maximum allowed size of the client request body
+    echo "... adjusting 'client_max_body_size' to ${NGINX_CLIENT_MAX_BODY_SIZE}"
+    sed -i "s/client_max_body_size .*;/client_max_body_size ${NGINX_CLIENT_MAX_BODY_SIZE};/" /etc/nginx/includes/misp
+
     # Adjust forwarding header settings (clean up first)
     sed -i '/real_ip_header/d' /etc/nginx/includes/misp
     sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp

diff --git a/core/files/etc/nginx/includes/misp b/core/files/etc/nginx/includes/misp
@@ -11,7 +11,6 @@ add_header X-Download-Options "noopen" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
-add_header X-XSS-Protection "1; mode=block" always;
 
 # remove X-Powered-By and nginx version, which is an information leak
 fastcgi_hide_header X-Powered-By;

diff --git a/core/files/var/www/html/index.php b/core/files/var/www/html/index.php
@@ -1,7 +1,7 @@
 <?php
 $proto = (isset($_SERVER['SERVER_PROTOCOL']))?($_SERVER['SERVER_PROTOCOL']):('HTTP/1.1');
 header($proto.' 503 Service Unavailable', true);
-header('cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
+header('cache-control: no-store, no-cache, must-revalidate');
 header('retry-after: 30');
 header('refresh: 30');
 ?>

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -125,23 +125,46 @@ services:
       - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
       - "OIDC_LOGOUT_URL=${OIDC_LOGOUT_URL}"
       - "OIDC_SCOPES=${OIDC_SCOPES}"
-      # LDAP authentication settings
-      - "LDAP_ENABLE=${LDAP_ENABLE}"
-      - "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}"
-      - "LDAP_SERVER=${LDAP_SERVER}"
-      - "LDAP_STARTTLS=${LDAP_STARTTLS}"
-      - "LDAP_READER_USER=${LDAP_READER_USER}"
-      - "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}"
-      - "LDAP_DN=${LDAP_DN}"
-      - "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}"
-      - "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}"
-      - "LDAP_FILTER=${LDAP_FILTER}"
-      - "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}"
-      - "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}"
-      - "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}"
-      - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
-      - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
-      - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
+      # APACHESECUREAUTH authentication settings
+      - "APACHESECUREAUTH_LDAP_OLD_VAR_DETECT=${LDAP_ENABLE}"
+      - "APACHESECUREAUTH_LDAP_ENABLE=${APACHESECUREAUTH_LDAP_ENABLE:-${LDAP_ENABLE}}"
+      - "APACHESECUREAUTH_LDAP_APACHE_ENV=${APACHESECUREAUTH_LDAP_APACHE_ENV:-${LDAP_APACHE_ENV}}"
+      - "APACHESECUREAUTH_LDAP_SERVER=${APACHESECUREAUTH_LDAP_SERVER:-${LDAP_SERVER}}"
+      - "APACHESECUREAUTH_LDAP_STARTTLS=${APACHESECUREAUTH_LDAP_STARTTLS:-${LDAP_STARTTLS}}"
+      - "APACHESECUREAUTH_LDAP_READER_USER=${APACHESECUREAUTH_LDAP_READER_USER:-${LDAP_READER_USER}}"
+      - "APACHESECUREAUTH_LDAP_READER_PASSWORD=${APACHESECUREAUTH_LDAP_READER_PASSWORD:-${LDAP_READER_PASSWORD}}"
+      - "APACHESECUREAUTH_LDAP_DN=${APACHESECUREAUTH_LDAP_DN:-${LDAP_DN}}"
+      - "APACHESECUREAUTH_LDAP_SEARCH_FILTER=${APACHESECUREAUTH_LDAP_SEARCH_FILTER:-${LDAP_SEARCH_FILTER}}"
+      - "APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE=${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE:-${LDAP_SEARCH_ATTRIBUTE}}"
+      - "APACHESECUREAUTH_LDAP_FILTER=${APACHESECUREAUTH_LDAP_FILTER:-${LDAP_FILTER}}"
+      - "APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID=${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID:-${LDAP_DEFAULT_ROLE_ID}}"
+      - "APACHESECUREAUTH_LDAP_DEFAULT_ORG=${APACHESECUREAUTH_LDAP_DEFAULT_ORG:-${LDAP_DEFAULT_ORG}}"
+      - "APACHESECUREAUTH_LDAP_EMAIL_FIELD=${APACHESECUREAUTH_LDAP_EMAIL_FIELD:-${LDAP_EMAIL_FIELD}}"
+      - "APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION=${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION:-${LDAP_OPT_PROTOCOL_VERSION}}"
+      - "APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT=${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT:-${LDAP_OPT_NETWORK_TIMEOUT}}"
+      - "APACHESECUREAUTH_LDAP_OPT_REFERRALS=${APACHESECUREAUTH_LDAP_OPT_REFERRALS:-${LDAP_OPT_REFERRALS}}"
+      # LdapAuth MISP authentication settings
+      - "LDAPAUTH_ENABLE=${LDAPAUTH_ENABLE}"
+      - "LDAPAUTH_LDAPSERVER=${LDAPAUTH_LDAPSERVER}"
+      - "LDAPAUTH_LDAPDN=${LDAPAUTH_LDAPDN}"
+      - "LDAPAUTH_LDAPREADERUSER=${LDAPAUTH_LDAPREADERUSER}"
+      - "LDAPAUTH_LDAPREADERPASSWORD=${LDAPAUTH_LDAPREADERPASSWORD}"
+      - "LDAPAUTH_LDAPSEARCHFILTER=${LDAPAUTH_LDAPSEARCHFILTER}"
+      - "LDAPAUTH_LDAPSEARCHATTRIBUTE=${LDAPAUTH_LDAPSEARCHATTRIBUTE}"
+      - "LDAPAUTH_LDAPEMAILFIELD=${LDAPAUTH_LDAPEMAILFIELD}"
+      - "LDAPAUTH_LDAPNETWORKTIMEOUT=${LDAPAUTH_LDAPNETWORKTIMEOUT}"
+      - "LDAPAUTH_LDAPPROTOCOL=${LDAPAUTH_LDAPPROTOCOL}"
+      - "LDAPAUTH_LDAPALLOWREFERRALS=${LDAPAUTH_LDAPALLOWREFERRALS}"
+      - "LDAPAUTH_STARTTLS=${LDAPAUTH_STARTTLS}"
+      - "LDAPAUTH_MIXEDAUTH=${LDAPAUTH_MIXEDAUTH}"
+      - "LDAPAUTH_LDAPDEFAULTORGID=${LDAPAUTH_LDAPDEFAULTORGID}"
+      - "LDAPAUTH_LDAPDEFAULTROLEID=${LDAPAUTH_LDAPDEFAULTROLEID}"
+      - "LDAPAUTH_UPDATEUSER=${LDAPAUTH_UPDATEUSER}"
+      - "LDAPAUTH_DEBUG=${LDAPAUTH_DEBUG}"
+      - "LDAPAUTH_LDAPTLSREQUIRECERT=${LDAPAUTH_LDAPTLSREQUIRECERT}"
+      - "LDAPAUTH_LDAPTLSCUSTOMCACERT=${LDAPAUTH_LDAPTLSCUSTOMCACERT}"
+      - "LDAPAUTH_LDAPTLSCRLCHECK=${LDAPAUTH_LDAPTLSCRLCHECK}"
+      - "LDAPAUTH_LDAPTLSPROTOCOLMIN=${LDAPAUTH_LDAPTLSPROTOCOLMIN}"
       # AAD authentication settings
       - "AAD_ENABLE=${AAD_ENABLE}"
       - "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
@@ -157,6 +180,7 @@ services:
       # Nginx settings
       - "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
       - "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
+      - "NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}"
       # Proxy settings
       - "PROXY_ENABLE=${PROXY_ENABLE}"
       - "PROXY_HOST=${PROXY_HOST}"
@@ -201,6 +225,7 @@ services:
       - "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
       - "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
       - "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
+      - "PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}"
       # PHP FPM pool setup
       - "PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5}"
       - "PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2}"