.gitignore

 .DS_Store
+/nbproject/private/
+.phplint-cache

.gitlab-ci.yml

+# Defines stages which are to be executed
+stages:
+  - syntax
+
+#
+### Stage syntax
+#
+
+syntax:lint:
+  stage: syntax
+  image: bobey/docker-gitlab-ci-runner-php7
+  allow_failure: false
+  only:
+    - schedules
+    - web
+
+  script:
+    - composer require overtrue/phplint
+    - echo "Syntax checking PHP files"
+    - echo "For more information http://www.icosaedro.it/phplint/"
+    - vendor/bin/phplint
+

.phplint.yml

+path: ./
+jobs: 10
+cache: .phplint-cache
+extensions:
+  - php
+  - lng
+exclude:
+  - vendor
+

README.md

 # ISPConfig - Hosting Control Panel
 
+Nightly (master): [![pipeline status](https://git.ispconfig.org/ispconfig/ispconfig3/badges/master/pipeline.svg)](https://git.ispconfig.org/ispconfig/ispconfig3/commits/master)   
+Stable branch: [![pipeline status](https://git.ispconfig.org/ispconfig/ispconfig3/badges/stable-3.1/pipeline.svg)](https://git.ispconfig.org/ispconfig/ispconfig3/commits/stable-3.1)
+
+
 - Manage multiple servers from one control panel
 - Web server management (Apache2 and nginx)
 - Mail server management (with virtual mail users)

helper_scripts/ubuntu-amavisd-new-2.11.patch

+--- amavisd-new.orig	2017-11-16 11:51:19.000000000 +0100
++++ amavisd-new	2018-05-25 16:53:45.623398108 +0200
+@@ -22829,6 +22829,7 @@
+         }
+         # load policy banks from the 'client_ipaddr_policy' lookup
+         Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
++        $msginfo->originating(c('originating'));
+ 
+         $msginfo->client_addr($cl_ip);      # ADDR
+         $msginfo->client_port($cl_port);    # PORT
+@@ -34361,6 +34362,7 @@
+     $sig_ind++;
+   }
+   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
++  $msginfo->originating(c('originating'));
+   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
+ # if (ll(5) && $sig_ind > 0) {
+ #   # show which header fields are covered by which signature

install/dist/lib/fedora.lib.php

@@ -722,6 +722,12 @@ class installer_dist extends installer_base {
 		$tpl = new tpl('apache_ispconfig.conf.master');
 		$tpl->setVar('apache_version',getapacheversion());
 		
+		if($this->is_update == true) {
+			$tpl->setVar('logging',get_logging_state());
+		} else {
+			$tpl->setVar('logging','yes');
+		}
+		
 		$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
 		$ip_addresses = array();
 		
@@ -806,6 +812,17 @@ class installer_dist extends installer_base {
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+	
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
+	
 	}
 
 	public function configure_bastille_firewall()

install/dist/lib/gentoo.lib.php

@@ -603,6 +603,12 @@ class installer extends installer_base
 		$tpl = new tpl('apache_ispconfig.conf.master');
 		$tpl->setVar('apache_version',getapacheversion());
 		
+		if($this->is_update == true) {
+			$tpl->setVar('logging',get_logging_state());
+		} else {
+			$tpl->setVar('logging','yes');
+		}
+		
 		$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
 		$ip_addresses = array();
 		

install/dist/lib/opensuse.lib.php

@@ -507,7 +507,7 @@ class installer_dist extends installer_base {
 		$content = str_replace('{mysql_server_port}', $conf["mysql"]["port"], $content);
 		$content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content);
 		$content = str_replace('{hostname}', $conf['hostname'], $content);
-		$content = str_replace('{amavis_config_dir}', $conf['amavis']['config_dir']);
+		$content = str_replace('{amavis_config_dir}', $conf['amavis']['config_dir'], $content);
 		wf($conf["amavis"]["config_dir"].'/amavisd.conf', $content);
 		chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
 
@@ -691,6 +691,12 @@ class installer_dist extends installer_base {
 		$tpl = new tpl('apache_ispconfig.conf.master');
 		$tpl->setVar('apache_version',getapacheversion());
 		
+		if($this->is_update == true) {
+			$tpl->setVar('logging',get_logging_state());
+		} else {
+			$tpl->setVar('logging','yes');
+		}
+		
 		$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
 		$ip_addresses = array();
 		
@@ -817,6 +823,16 @@ class installer_dist extends installer_base {
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+	
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
 	}
 
 	public function configure_bastille_firewall()

install/install.php

@@ -97,6 +97,9 @@ require_once 'lib/classes/tpl.inc.php';
     die('We will stop here. There is already a ISPConfig installation, use the update script to update this installation.');
 }*/
 
+// Patch is required to reapir latest amavis versions
+if(is_installed('amavisd-new') && !is_installed('patch')) die('The patch command is missing. Install patch command and start installation again.');
+
 //** Get distribution identifier
 $dist = get_distname();
 

install/lib/install.lib.php

@@ -95,6 +95,10 @@ function get_distname() {
 				$mainver = current($mainver).'.'.next($mainver);
 			}
 			switch ($mainver){
+			case "18.04":
+				$relname = "(Bionic Beaver)";
+				$distconfid = 'ubuntu1804';
+				break;
 			case "17.10":
 				$relname = "(Artful Aardvark)";
 				$distconfid = 'ubuntu1710';
@@ -855,6 +859,28 @@ function is_ispconfig_ssl_enabled() {
 	}
 }
 
+/*
+* Is anonymization enabled in ispconfig.conf file
+*/
+
+function get_logging_state() {
+	global $conf;
+	$ispconfig_conf_file = $conf['apache']['vhost_conf_dir'].'/ispconfig.conf';
+
+	if(is_file($ispconfig_conf_file)) {
+		$tmp = file_get_contents($ispconfig_conf_file);
+		if(stristr($tmp, '/usr/local/ispconfig/server/scripts/vlogger -p -s access.log')) {
+			return 'anon';
+		} elseif(stristr($tmp, '/usr/local/ispconfig/server/scripts/vlogger -s access.log')) {
+			return 'yes';
+		} else {
+			return 'no';
+		}
+	} else {
+		return 'yes';
+	}
+}
+
 /**
  Function to find the hash file for timezone detection
  (c) 2012 Marius Cramer, pixcept KG, m.cramer@pixcept.de

install/lib/installer_base.lib.php

@@ -225,14 +225,14 @@ class installer_base {
 		global $conf;
 
 		//* check sql-mode
-		$check_sql_mode = $this->db->queryOneRecord("SELECT @@sql_mode");
+		/*$check_sql_mode = $this->db->queryOneRecord("SELECT @@sql_mode");
 
 		if ($check_sql_mode['@@sql_mode'] != '' && $check_sql_mode['@@sql_mode'] != 'NO_ENGINE_SUBSTITUTION') {
 			echo "Wrong SQL-mode. You should use NO_ENGINE_SUBSTITUTION. Add\n\n";
 			echo "    sql-mode=\"NO_ENGINE_SUBSTITUTION\"\n\n";
 			echo"to the mysqld-section in your mysql-config on this server and restart mysqld afterwards\n";
 			die();
-		}
+		}*/
 
 		$unwanted_sql_plugins = array('validate_password');		
 		$sql_plugins = $this->db->queryAllRecords("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ?", $unwanted_sql_plugins);
@@ -255,10 +255,10 @@ class installer_base {
 			$this->error('Stopped: Database already contains some tables.');
 		} else {
 			if($conf['mysql']['admin_password'] == '') {
-				caselog("mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." ".escapeshellarg($conf['mysql']['database'])." < '".ISPC_INSTALL_ROOT."/install/sql/ispconfig3.sql' &> /dev/null",
+				caselog("mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -P ".escapeshellarg($conf['mysql']['port'])." ".escapeshellarg($conf['mysql']['database'])." < '".ISPC_INSTALL_ROOT."/install/sql/ispconfig3.sql' &> /dev/null",
 					__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in ispconfig3.sql');
 			} else {
-				caselog("mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." ".escapeshellarg($conf['mysql']['database'])." < '".ISPC_INSTALL_ROOT."/install/sql/ispconfig3.sql' &> /dev/null",
+				caselog("mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -P ".escapeshellarg($conf['mysql']['port'])." ".escapeshellarg($conf['mysql']['database'])." < '".ISPC_INSTALL_ROOT."/install/sql/ispconfig3.sql' &> /dev/null",
 					__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in ispconfig3.sql');
 			}
 			$db_tables = $this->db->getTables();
@@ -1754,6 +1754,12 @@ class installer_base {
 		$tpl = new tpl('apache_ispconfig.conf.master');
 		$tpl->setVar('apache_version',getapacheversion());
 		
+		if($this->is_update == true) {
+			$tpl->setVar('logging',get_logging_state());
+		} else {
+			$tpl->setVar('logging','yes');
+		}
+		
 		$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
 		$ip_addresses = array();
 		
@@ -1837,6 +1843,17 @@ class installer_base {
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
+		
 	}
 
 	public function configure_fail2ban() {
@@ -2010,6 +2027,11 @@ class installer_base {
 			$tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
 			$tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
 			$tpl->setVar('apache_version',getapacheversion());
+			if($this->is_update == true) {
+				$tpl->setVar('logging',get_logging_state());
+			} else {
+				$tpl->setVar('logging','yes');
+			}
 
 
 			// comment out the listen directive if port is 80 or 443
@@ -2093,7 +2115,12 @@ class installer_base {
 			$content = str_replace('{fpm_socket}', $fpm_socket, $content);
 			$content = str_replace('{cgi_socket}', $cgi_socket, $content);
 
-			if(file_exists('/var/run/php5-fpm.sock') || file_exists('/var/run/php/php7.0-fpm.sock')){
+			if(	file_exists('/var/run/php5-fpm.sock')
+				|| file_exists('/var/run/php/php7.0-fpm.sock')
+				|| file_exists('/var/run/php/php7.1-fpm.sock')
+				|| file_exists('/var/run/php/php7.2-fpm.sock')
+				|| file_exists('/var/run/php/php7.3-fpm.sock')
+			){
 				$use_tcp = '#';
 				$use_socket = '';
 			} else {
@@ -2108,9 +2135,9 @@ class installer_base {
 			$content = str_replace('{ssl_comment}', '#', $content);
 			
 			// Fix socket path on PHP 7 systems
-			if(file_exists('/var/run/php/php7.0-fpm.sock')) {
-				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.0-fpm.sock', $content);
-			}
+			if(file_exists('/var/run/php/php7.0-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.0-fpm.sock', $content);
+			if(file_exists('/var/run/php/php7.1-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.1-fpm.sock', $content);
+			if(file_exists('/var/run/php/php7.2-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.2-fpm.sock', $content);
 
 			wf($vhost_conf_dir.'/apps.vhost', $content);
 

install/lib/update.lib.php

@@ -82,9 +82,9 @@ function prepareDBDump() {
 	if ($conf['powerdns']['installed']) {
 		//** export the current PowerDNS database data
 		if( !empty($conf["mysql"]["admin_password"]) ) {
-			system("mysqldump -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -c -t --add-drop-table --create-options --quick --result-file=existing_powerdns_db.sql ".$conf['powerdns']['database']);
+			system("mysqldump -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -P ".escapeshellarg($conf['mysql']['port'])." -c -t --add-drop-table --create-options --quick --result-file=existing_powerdns_db.sql ".$conf['powerdns']['database']);
 		} else {
-			system("mysqldump -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -c -t --add-drop-table --create-options --quick --result-file=existing_powerdns_db.sql ".$conf['powerdns']['database']);
+			system("mysqldump -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -P ".escapeshellarg($conf['mysql']['port'])." -c -t --add-drop-table --create-options --quick --result-file=existing_powerdns_db.sql ".$conf['powerdns']['database']);
 		}
 
 		// create a backup copy of the PowerDNS database in the root folder
@@ -103,7 +103,7 @@ function checkDbHealth() {
 	$notok = array();
 
 	echo "Checking ISPConfig database .. ";
-	exec("mysqlcheck -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -r ".escapeshellarg($conf["mysql"]["database"]), $result);
+	exec("mysqlcheck -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -P ".escapeshellarg($conf['mysql']['port'])." -r ".escapeshellarg($conf["mysql"]["database"]), $result);
 	for( $i=0; $i<sizeof($result);$i++) {
 		if ( substr($result[$i], -2) != "OK" ) {
 			$notok[] = $result[$i];
@@ -126,13 +126,14 @@ function updateDbAndIni() {
 	global $inst, $conf;
 
 	//* check sql-mode
+	/*
 	$check_sql_mode = $inst->db->queryOneRecord("SELECT @@sql_mode");
 	if ($check_sql_mode['@@sql_mode'] != '' && $check_sql_mode['@@sql_mode'] != 'NO_ENGINE_SUBSTITUTION') {
 		echo "Wrong SQL-mode. You should use NO_ENGINE_SUBSTITUTION. Add\n\n";
 		echo "    sql-mode=\"NO_ENGINE_SUBSTITUTION\"\n\n";
 		echo"to the mysqld-section in your mysql-config on this server and restart mysqld afterwards\n";
 		die();
-	}
+	}*/
 
 	$unwanted_sql_plugins = array('validate_password');
 	$sql_plugins = $inst->db->queryAllRecords("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ?", $unwanted_sql_plugins);
@@ -209,9 +210,9 @@ function updateDbAndIni() {
 
 				//* Load patch file into database
 				if( !empty($conf["mysql"]["admin_password"]) ) {
-					$cmd = "mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." --force -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." ".escapeshellarg($conf['mysql']['database'])." < ".$sql_patch_filename;
+					$cmd = "mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." --force -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -p".escapeshellarg($conf['mysql']['admin_password'])." -P ".escapeshellarg($conf['mysql']['port'])." ".escapeshellarg($conf['mysql']['database'])." < ".$sql_patch_filename;
 				} else {
-					$cmd = "mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." --force -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." ".escapeshellarg($conf['mysql']['database'])." < ".$sql_patch_filename;
+					$cmd = "mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." --force -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -P ".escapeshellarg($conf['mysql']['port'])." ".escapeshellarg($conf['mysql']['database'])." < ".$sql_patch_filename;
 				}
 				
 				if(in_array($next_db_version,explode(',',$silent_update_versions))) {

install/sql/incremental/upd_0086.sql

+ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
+ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
+ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;
+ALTER TABLE `server_php` ADD `active` enum('y','n') NOT NULL DEFAULT 'y' AFTER `php_fpm_pool_dir`;
+ALTER TABLE `web_domain` CHANGE `log_retention` `log_retention` INT(11) NOT NULL DEFAULT '10';
\ No newline at end of file

install/sql/incremental/upd_dev_collection.sql

-ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
-ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
-ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;
+

install/sql/ispconfig3.sql

@@ -1346,6 +1346,7 @@ CREATE TABLE `server_php` (
   `php_fpm_init_script` varchar(255) DEFAULT NULL,
   `php_fpm_ini_dir` varchar(255) DEFAULT NULL,
   `php_fpm_pool_dir` varchar(255) DEFAULT NULL,
+  `active` enum('n','y') NOT NULL DEFAULT 'y',
   PRIMARY KEY (`server_php_id`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
 
@@ -1989,7 +1990,7 @@ CREATE TABLE `web_domain` (
   `http_port` int(11) unsigned NOT NULL DEFAULT '80',
   `https_port` int(11) unsigned NOT NULL DEFAULT '443',
   `folder_directive_snippets` text,
-  `log_retention` int(11) NOT NULL DEFAULT '30',
+  `log_retention` int(11) NOT NULL DEFAULT '10',
   PRIMARY KEY  (`domain_id`),
   UNIQUE KEY `serverdomain` (  `server_id` , `ip_address`,  `domain` )
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

install/tpl/apache_apps.vhost.master

@@ -34,6 +34,21 @@
     </Directory>
   </IfModule>
   
+  <IfModule mod_php7.c>
+    DocumentRoot {tmpl_var name='apps_vhost_dir'}
+    AddType application/x-httpd-php .php
+    <Directory {tmpl_var name='apps_vhost_dir'}>
+		Options FollowSymLinks
+		AllowOverride None
+		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+		Require all granted
+		<tmpl_else>
+		Order allow,deny
+		Allow from all
+		</tmpl_if>
+    </Directory>
+  </IfModule>
+  
   <IfModule mod_fcgid.c>
     DocumentRoot {tmpl_var name='apps_vhost_dir'}
     SuexecUserGroup ispapps ispapps

install/tpl/apache_ispconfig.conf.master

@@ -6,7 +6,12 @@
 SetEnvIf Request_URI "^/datalogstatus.php$" dontlog
 
 LogFormat "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
+<tmpl_if name='logging' op='==' value='anon'>
+CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -p -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig env=!dontlog
+</tmpl_if>
+<tmpl_if name='logging' op='==' value='yes'>
 CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig env=!dontlog
+</tmpl_if>
 
 <Directory /var/www/clients>
     AllowOverride None

install/tpl/apache_ispconfig.vhost.master

@@ -88,8 +88,19 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
   </tmpl_if>
 
   <IfModule mod_headers.c>
-    Header always add Strict-Transport-Security "max-age=15768000"
-	RequestHeader unset Proxy early
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
+    <IfVersion >= 2.4.7>
+        Header setifempty Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    <IfVersion < 2.4.7>
+        Header set Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    RequestHeader unset Proxy early
   </IfModule>
 
   <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>

install/tpl/nginx_anonlog.master

+map $remote_addr $ip_anonym1 {
+default 0.0.0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+"~(?P<ip>[^:]+:[^:]+):" $ip;
+}
+
+map $remote_addr $ip_anonym2 {
+default .0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+"~(?P<ip>[^:]+:[^:]+):" ::;
+}
+
+map $ip_anonym1$ip_anonym2 $ip_anonymized {
+default 0.0.0.0;
+"~(?P<ip>.*)" $ip;
+}
+
+log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';

install/tpl/server.ini.master

@@ -29,6 +29,7 @@ munin_user=
 munin_password=
 monitor_system_updates=y
 migration_mode=n
+log_retention=10
 
 [mail]
 module=postfix_mysql
@@ -101,6 +102,7 @@ php_fpm_ini_path=/etc/php5/fpm/php.ini
 php_fpm_pool_dir=/etc/php5/fpm/pool.d
 php_fpm_start_port=9010
 php_fpm_socket_dir=/var/lib/php5-fpm
+php_default_name=Default
 set_folder_permissions_on_update=n
 add_web_users_to_sshusers_group=y
 connect_userid_to_webid=n
@@ -113,6 +115,7 @@ overquota_notify_freq=7
 overquota_db_notify_admin=y
 overquota_db_notify_client=y
 overquota_notify_onok=n
+logging=yes
 
 [dns]
 bind_user=root