Gate ssl_reject_handshake behind nginx 1.19.4 #8593
Merged
The shipped catch-all default site uses `ssl_reject_handshake`, which is unsupported on nginx older than 1.19.4 and causes nginx to fail to start on Debian Bullseye. The postinst now detects the installed nginx version and installs an HTTP-only variant of the catch-all on older systems.
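A sketch of the version gate described above, as an added example that is not taken from this pull request or from Dokku's postinst. The function names and the two template file names are hypothetical, the sample version strings are constructed, and falling back to the HTTP-only variant when the version cannot be parsed is an assumption of this example.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Dokku's postinst code.
# In a maintainer script the input would come from: nginx -v 2>&1
# (nginx prints its version banner on stderr).

# Extract the dotted version from an `nginx -v` banner,
# e.g. "nginx version: nginx/1.18.0 (Ubuntu)" -> "1.18.0".
parse_nginx_version() {
  printf '%s\n' "$1" |
    sed -n 's|^nginx version: [^/]*/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Fields are compared numerically,
# so 1.9.15 sorts below 1.19.4 (a plain string comparison gets this wrong).
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}" y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Pick the catch-all template for a given `nginx -v` banner.
# Assumption: an empty or unparsable banner selects the HTTP-only variant,
# so nginx is never handed a directive it may not understand.
select_default_site() {
  version="$(parse_nginx_version "$1")"
  if [ -n "$version" ] && version_ge "$version" "1.19.4"; then
    echo "default-site-ssl.conf"   # hypothetical: uses ssl_reject_handshake
  else
    echo "default-site-http.conf"  # hypothetical: HTTP-only catch-all
  fi
}
```

Running `nginx -t` after the chosen file is installed confirms the resulting configuration still parses before the service is reloaded.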
github-actions Bot pushed a commit that referenced this pull request on May 10, 2026
# History

## 0.38.2

Install/update via the bootstrap script:

```shell
wget -NP . https://dokku.com/install/v0.38.2/bootstrap.sh
sudo DOKKU_TAG=v0.38.2 bash bootstrap.sh
```

### Security

- #8590: @josegonzalez Restrict app names to prevent command injection
- #8591: @josegonzalez Harden archive extraction against symlink traversal
- #8589: @josegonzalez Enforce 0600 permissions on .netrc credentials file
- #8588: @josegonzalez Sanitize openresty include filenames to prevent eval injection

### Bug Fixes

- #8593: @josegonzalez Gate ssl_reject_handshake behind nginx 1.19.4
- #8578: @josegonzalez Reference SOURCECODE_WORK_DIR in builder core-post-extract

### Documentation

- #8592: @josegonzalez Add security section to release changelog
- #8587: @vixalien Correct buildkit builder code block syntax
- #8580: @othercorey Set issue type in bug report template

### Tests

- #8586: @josegonzalez Count assert_output_contains matches as fixed strings
- #8581: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-predeploy
- #8582: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/gogrpc
- #8584: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-postdeploy
- #8583: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-tini
- #8585: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-no-tini
- #8574: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-noexpose
- #8575: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile-bad
- #8577: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-app-json-formations
- #8576: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile
- #8573: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile

### Dependencies

- #8579: @josegonzalez Use type prefix for dokku-bot dependency label