diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index fc27da8df38899cab84b71419ee3f7ff5e2fa626..11163806abfc75774d41b0880a53c67b6ac6fdc4 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -745,7 +745,7 @@ class installer_base {
 copy($full_file_name, $config_dir.$configfile.'~'); chmod($config_dir.$configfile.'~',0600); } - + //* Replace variables in config file template $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); $content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
@@ -754,13 +754,13 @@ class installer_base {
 $content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content); $content = str_replace('{server_id}', $conf['server_id'], $content); wf($full_file_name, $content); - + //* Changing mode and group of the new created config file caselog('chmod u=rw,g=r,o= '.escapeshellarg($full_file_name).' &> /dev/null', __FILE__, __LINE__, 'chmod on '.$full_file_name, 'chmod on '.$full_file_name.' failed'); caselog('chgrp '.escapeshellarg($postfix_group).' '.escapeshellarg($full_file_name).' &> /dev/null', __FILE__, __LINE__, 'chgrp on '.$full_file_name, 'chgrp on '.$full_file_name.' failed'); - + } public function configure_jailkit() {
@@ -1097,7 +1097,7 @@ class installer_base {
 } unset($server_ini_array); - + $myhostname = str_replace('.','\.',$conf['hostname']); $postconf_placeholders = array('{config_dir}' => $config_dir,
@@ -1680,7 +1680,7 @@ class installer_base {
 public function configure_rspamd() { global $conf; - + //* These postconf commands will be executed on installation and update $server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']); $server_ini_array = ini_to_array(stripslashes($server_ini_rec['config'])); 
@@ -2503,6 +2503,16 @@ class installer_base {
 $tpl->setVar('apps_vhost_dir',$conf['web']['website_basedir'].'/apps');
 $tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
 $tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
+ if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
+ $tpl->setVar('ssl_comment','');
+ } else {
+ $tpl->setVar('ssl_comment','#');
+ }
+ if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key') && is_file($install_dir.'/interface/ssl/ispserver.bundle')) {
+ $tpl->setVar('ssl_bundle_comment','');
+ } else {
+ $tpl->setVar('ssl_bundle_comment','#');
+ }
 $tpl->setVar('apache_version',getapacheversion());
 if($this->is_update == true) {
 $tpl->setVar('logging',get_logging_state());
diff --git a/install/tpl/apache_apps.vhost.master b/install/tpl/apache_apps.vhost.master
index 14f0f10da275e560cdeb51e3b10472dedf146dd7..ebd7cd6958abce71b48d44bd60a36469092950fc 100644
--- a/install/tpl/apache_apps.vhost.master
+++ b/install/tpl/apache_apps.vhost.master
@@ -1,4 +1,3 @@
-
 ######################################################
 # This virtual host contains the configuration
 # for the ISPConfig apps vhost 
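Review bot: The new block switches the apps vhost to `SSLEngine On` whenever `$install_dir.'/interface/ssl/ispserver.crt'` and `.key` exist, but the template it feeds (install/tpl/apache_apps.vhost.master in this same commit) hardcodes `/usr/local/ispconfig/interface/ssl/...`, so the check and the Apache directives can disagree on which files are meant and Apache would then refuse to load the vhost for a certificate it cannot open. Handing the checked directory to the template (and referencing it there as `{tmpl_var name='ssl_dir'}`) keeps the two in step. The `is_file()` tests on the crt and key are also evaluated twice; computing the result once reads more clearly and avoids the two conditions drifting apart. The enclosing method starts and ends outside the hunk.
```php
// … unchanged: apps_vhost_* setVar calls …
$ssl_dir = $install_dir.'/interface/ssl';
$tpl->setVar('ssl_dir', $ssl_dir);
$has_ssl = is_file($ssl_dir.'/ispserver.crt') && is_file($ssl_dir.'/ispserver.key');
$tpl->setVar('ssl_comment', $has_ssl ? '' : '#');
$tpl->setVar('ssl_bundle_comment', ($has_ssl && is_file($ssl_dir.'/ispserver.bundle')) ? '' : '#');
// … unchanged: apache_version / logging setVar calls …
```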
@@ -15,6 +14,57 @@ SetHandler None </FilesMatch> + # SSL Configuration + <tmpl_var name="ssl_comment">SSLEngine On + <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'> + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1 + <tmpl_else> + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3 + </tmpl_if> + <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt + <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key + <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle + + <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + <tmpl_var name="ssl_comment">SSLHonorCipherOrder On + <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'> + <tmpl_var name="ssl_comment">SSLCompression Off + </tmpl_if> + <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'> + <tmpl_var name="ssl_comment">SSLSessionTickets Off + </tmpl_if> + + <IfModule mod_headers.c> + # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval + Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'" + <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests" + Header set X-Content-Type-Options: nosniff + Header set X-Frame-Options: SAMEORIGIN + Header set X-XSS-Protection: "1; mode=block" + Header always edit Set-Cookie (.*) "$1; HTTPOnly" + <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure" + <IfVersion >= 2.4.7> + 
Header setifempty Strict-Transport-Security "max-age=15768000" + </IfVersion> + <IfVersion < 2.4.7> + Header set Strict-Transport-Security "max-age=15768000" + </IfVersion> + RequestHeader unset Proxy early + </IfModule> + + <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> + <tmpl_var name="ssl_comment">SSLUseStapling On + <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5 + <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off + </tmpl_if> +</VirtualHost> + +<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> +<IfModule mod_ssl.c> + <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000) +</IfModule> +</tmpl_if> + <IfModule mod_headers.c> RequestHeader unset Proxy early </IfModule>
diff --git a/server/conf/apache_apps.vhost.master b/server/conf/apache_apps.vhost.master
index fe73487fa05c569612ddbe5f3530b3c47d9636b1..ebd7cd6958abce71b48d44bd60a36469092950fc 100644
--- a/server/conf/apache_apps.vhost.master
+++ b/server/conf/apache_apps.vhost.master
@@ -1,4 +1,3 @@
-
 ######################################################
 # This virtual host contains the configuration
 # for the ISPConfig apps vhost 
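Review bot: The added `</VirtualHost>` after the stapling `</tmpl_if>` closes the vhost in the middle of the file, while the context that follows it (`<IfModule mod_headers.c>` / `RequestHeader unset Proxy early`) and the `<Directory>` and `RewriteRule` blocks later in the file still sit inside the vhost and the file still ends with its original `</VirtualHost>` (hunk `@@ -78,4 +128,6 @@`), so as far as the visible context shows Apache's config check should reject the second closing tag as unmatched and both this `</VirtualHost>` and the server-scope `SSLStaplingCache` block belong at the end of the file after the existing one. The new `<IfModule mod_headers.c>` block also repeats the `RequestHeader unset Proxy early` that the existing block directly below it already performs. Less important: `Strict-Transport-Security` is emitted even when the certificate files are absent and the SSL directives are commented out, whereas the cookie `Secure` flag and `upgrade-insecure-requests` are gated on `ssl_comment`; prefixing the two HSTS lines with `<tmpl_var name="ssl_comment">` keeps the plain-HTTP variant from advertising a policy it cannot honour. The same applies to the identical hunk in server/conf/apache_apps.vhost.master. The `<VirtualHost>` block these directives live in opens before the hunk.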
@@ -15,6 +14,57 @@ SetHandler None </FilesMatch> + # SSL Configuration + <tmpl_var name="ssl_comment">SSLEngine On + <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'> + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1 + <tmpl_else> + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3 + </tmpl_if> + <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt + <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key + <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle + + <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + <tmpl_var name="ssl_comment">SSLHonorCipherOrder On + <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'> + <tmpl_var name="ssl_comment">SSLCompression Off + </tmpl_if> + <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'> + <tmpl_var name="ssl_comment">SSLSessionTickets Off + </tmpl_if> + + <IfModule mod_headers.c> + # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval + Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'" + <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests" + Header set X-Content-Type-Options: nosniff + Header set X-Frame-Options: SAMEORIGIN + Header set X-XSS-Protection: "1; mode=block" + Header always edit Set-Cookie (.*) "$1; HTTPOnly" + <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure" + <IfVersion >= 2.4.7> + 
Header setifempty Strict-Transport-Security "max-age=15768000" + </IfVersion> + <IfVersion < 2.4.7> + Header set Strict-Transport-Security "max-age=15768000" + </IfVersion> + RequestHeader unset Proxy early + </IfModule> + + <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> + <tmpl_var name="ssl_comment">SSLUseStapling On + <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5 + <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off + </tmpl_if> +</VirtualHost> + +<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> +<IfModule mod_ssl.c> + <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000) +</IfModule> +</tmpl_if> + <IfModule mod_headers.c> RequestHeader unset Proxy early </IfModule>
@@ -55,9 +105,9 @@
 <Directory {tmpl_var name='apps_vhost_dir'}> Options +Indexes +FollowSymLinks +MultiViews +ExecCGI AllowOverride AuthConfig Indexes Limit Options FileInfo - <FilesMatch "\.php$"> - SetHandler fcgid-script - </FilesMatch> + <FilesMatch "\.php$"> + SetHandler fcgid-script + </FilesMatch> FCGIWrapper {tmpl_var name='apps_vhost_basedir'}/php-fcgi-scripts/apps/.php-fcgi-starter .php <tmpl_if name='apache_version' op='>' value='2.2' format='version'> Require all granted
@@ -78,4 +128,6 @@
 RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P] {/tmpl_if} + + </VirtualHost>