From 9025d2e52dce7217eb8f777231910ee2a4e33d96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sat, 14 Jan 2017 22:03:16 +0100 Subject: [PATCH 1/6] used domain instead of ssl_domain for LE --- server/plugins-available/apache2_plugin.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 747f925c64..cd75f2a5ea 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -1158,12 +1158,13 @@ class apache2_plugin { $bundle_file = $ssl_dir.'/'.$domain.'.bundle'; if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') { - $domain = $data['new']['domain']; + $domain = $data['new']['ssl_domain']; if(substr($domain, 0, 2) === '*.') { // wildcard domain not yet supported by letsencrypt! $app->log('Wildcard domains not yet supported by letsencrypt, so changing ' . $domain . ' to ' . substr($domain, 2), LOGLEVEL_WARN); $domain = substr($domain, 2); } + $app->log('We will be issuing a letsencrypt certificate with CN of ' . $domain, LOGLEVEL_DEBUG); $data['new']['ssl_domain'] = $domain; $vhost_data['ssl_domain'] = $domain; -- GitLab From b12cf30ee6a7a5fb3756b79855fd7bd1bb38ac37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sat, 14 Jan 2017 23:33:02 +0100 Subject: [PATCH 2/6] added a default vhost (does not collide with apaches default as this one uses IP:Port instead of _default_) --- install/lib/installer_base.lib.php | 5 ++ install/tpl/apache_defaultindex.html.master | 60 +++++++++++++++++++++ install/tpl/apache_ispconfig.conf.master | 38 +++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 install/tpl/apache_defaultindex.html.master diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 5309c91dca..abf06dd046 100644 --- a/install/lib/installer_base.lib.php 
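Review bot: Reading the Let's Encrypt CN from `$data['new']['ssl_domain']` leaves this branch without a fallback when that field is empty — `substr('', 0, 2)` is just `''`, so an empty string is written back into `$data['new']['ssl_domain']` and `$vhost_data['ssl_domain']` and presumably on into the certificate request. If `ssl_domain` is optional in the form (the old code derived it from `domain` right here, which suggests it is), guard it: `$domain = $data['new']['ssl_domain'] != '' ? $data['new']['ssl_domain'] : $data['new']['domain'];`. Note also that `$bundle_file` two lines above was already built from the earlier `$domain`, so the bundle path and the renamed value can now diverge. Patches 5/6 of this series revert this hunk; the enclosing function starts and ends outside it.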
+++ b/install/lib/installer_base.lib.php @@ -1838,6 +1838,11 @@ class installer_base { wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab()); unset($tpl); + + if (!@is_dir('/etc/webalizer')) mkdir('/var/www/default/'); + $tpl = new tpl('apache_defaultindex.html.master'); + wf('/var/www/default/ispconfig.html', $tpl->grab()); + unset($tpl); if(!@is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) { symlink($vhost_conf_dir.'/ispconfig.conf', $vhost_conf_enabled_dir.'/000-ispconfig.conf'); diff --git a/install/tpl/apache_defaultindex.html.master b/install/tpl/apache_defaultindex.html.master new file mode 100644 index 0000000000..42aedd656a --- /dev/null +++ b/install/tpl/apache_defaultindex.html.master @@ -0,0 +1,60 @@ + + + + Welcome! + + + + + +
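Review bot: The directory guard tests the wrong path, `if (!@is_dir('/etc/webalizer')) mkdir('/var/www/default/');` — on a host that has webalizer the docroot is never created and `wf('/var/www/default/ispconfig.html', ...)` writes into a missing directory, while on every other host `mkdir` is re-run on each installer pass and its return value is discarded (patch 3 of this series fixes the path but still ignores the result). Check the target and the outcome: `if (!@is_dir('/var/www/default') && !mkdir('/var/www/default', 0755, true)) { echo "Could not create /var/www/default\n"; }`. The docroot is also a hard-coded literal here whereas the surrounding code works from `$vhost_conf_dir` / `$vhost_conf_enabled_dir`, so a single `$default_docroot` variable (or a `$conf` entry) would keep this in step with the template that references the same path. `configure_apache` starts and ends outside the hunk.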
+ +
+

Oops!

+

The domain name you tried to access is registered and points to a server which is managed using ISPConfig

+

If this is your domain you have to log in to ISPConfig and configure a Website for this domain.

+

If you need some assistance feel free to contact our support.

+
+ +
+ + \ No newline at end of file diff --git a/install/tpl/apache_ispconfig.conf.master b/install/tpl/apache_ispconfig.conf.master index c6a3b651a8..b61e1a7945 100644 --- a/install/tpl/apache_ispconfig.conf.master +++ b/install/tpl/apache_ispconfig.conf.master @@ -144,3 +144,41 @@ NameVirtualHost *:443 NameVirtualHost {tmpl_var name="ip_address"}:{tmpl_var name="port"} + + +################################################ +# ISPConfig default vHosts +################################################ + + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/default + DirectoryIndex index.php index.html ispconfig.html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/default-error.log + CustomLog ${APACHE_LOG_DIR}/default-access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + + -- GitLab From 1a9eab7126fc5273712857005354adf28d3e9211 Mon Sep 17 00:00:00 2001 
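Review bot: `ErrorLog ${APACHE_LOG_DIR}/default-error.log` and the `CustomLog` line after it rely on the `APACHE_LOG_DIR` variable that Debian/Ubuntu export from `/etc/apache2/envvars`; on RHEL/CentOS-style httpd it is undefined, so Apache warns that the variable is not defined and then fails to open the literal path, which is a startup failure for the whole server, not just this vhost. The rest of this template is driven by `{tmpl_var}` substitution, so the log directory should come from a template variable (`{tmpl_var name="<log-dir placeholder>"}`) filled in by the installer per distribution. The new vhost also serves `/var/www/default` with no `<Directory /var/www/default>` block, so whether `Indexes` and `.htaccess` overrides apply is left to the global config; add one with `Options -Indexes` and `AllowOverride None`. Patch 3 of this series rewrites this block but keeps both `${APACHE_LOG_DIR}` lines.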
From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sun, 15 Jan 2017 00:25:05 +0100 Subject: [PATCH 3/6] added ssl default vhost and ssl cert for this default host --- install/lib/installer_base.lib.php | 30 +++++++++++++++++-- install/tpl/apache_ispconfig.conf.master | 38 ++++++++++-------------- 2 files changed, 43 insertions(+), 25 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index abf06dd046..eee1f811a7 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -1752,6 +1752,31 @@ class installer_base { exec($this->getinitcommand($conf['xmpp']['init_script'], 'restart')); } + public function make_defaultvhost_ssl_cert() { + global $conf,$autoinstall; + + $install_dir = $conf['ispconfig_install_dir']; + + $ssl_crt_file = $install_dir.'/interface/ssl/defaultvhost.crt'; + $ssl_csr_file = $install_dir.'/interface/ssl/defaultvhost.csr'; + $ssl_key_file = $install_dir.'/interface/ssl/defaultvhost.key'; + + if(!@is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true); + + echo "Creating Self-Signed certificate for Apache default vHost\n"; + + $ssl_pw = substr(md5(mt_rand()), 0, 6); + exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096"); + //We do not use * as CN as if someone trusts this certificate globally else this would be a miuch too big security issue + exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=XX/ST=XX/L=XX/O=Not a real Certificate/OU=Only issued for displaying errors/CN=ISPConfig Dummy Certificate' -key $ssl_key_file -out $ssl_csr_file"); + exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 36500"); + exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); + rename($ssl_key_file, $ssl_key_file.'.secure'); + rename($ssl_key_file.'.insecure', $ssl_key_file); + + exec('chown -R root:root '.$install_dir.'/interface/ssl'); + + } public function configure_apache() { global $conf; 
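Review bot: Every `exec("openssl ... $ssl_key_file ...")` line in `make_defaultvhost_ssl_cert` interpolates paths derived from `$conf['ispconfig_install_dir']` unquoted and discards the exit status, so a prefix containing a space or shell metacharacter breaks the command, and a failing openssl step leaves no key behind while the following `rename()` calls emit warnings and the installer carries on. The six-character `md5(mt_rand())` passphrase protects nothing, since the key is re-exported unencrypted two lines later (it only leaves a `defaultvhost.key.secure` copy behind that, as far as this hunk shows, nothing reads), and the final `chown -R root:root` fixes ownership but never the key's mode. The rewritten steps below escape each argument, check each exit code and `chmod` the key to 0600; the same rename/chown tail appears in the interface-cert code at `@@ -2215`, so a shared private helper taking the file prefix and subject would remove the duplication. The unused `$autoinstall` global and the "miuch" typo in the CN comment can go at the same time.
```php
// … unchanged: path setup, mkdir and echo …
$key = escapeshellarg($ssl_key_file);
$csr = escapeshellarg($ssl_csr_file);
$crt = escapeshellarg($ssl_crt_file);
$subj = escapeshellarg('/C=XX/ST=XX/L=XX/O=Not a real Certificate/OU=Only issued for displaying errors/CN=ISPConfig Dummy Certificate');
// Throwaway self-signed key: generate it unencrypted directly instead of
// encrypting it with a short passphrase only to strip the passphrase again.
$steps = array(
	"openssl genrsa -out $key 4096",
	"openssl req -new -subj $subj -key $key -out $csr",
	"openssl req -x509 -key $key -in $csr -out $crt -days 36500",
);
foreach($steps as $cmd) {
	exec($cmd, $out, $ret);
	if($ret !== 0) {
		echo "Creating the default vHost certificate failed (exit $ret): $cmd\n";
		return false;
	}
}
chmod($ssl_key_file, 0600);
exec('chown -R root:root '.escapeshellarg($install_dir.'/interface/ssl'));
```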
@@ -1839,7 +1864,8 @@ class installer_base { wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab()); unset($tpl); - if (!@is_dir('/etc/webalizer')) mkdir('/var/www/default/'); + if (!@is_dir('/var/www/default')) mkdir('/var/www/default/'); + if (!@file_exists('/usr/local/ispconfig/interface/ssl/defaultvhost.crt')) $this->make_defaultvhost_ssl_cert(); //Clients should never see this page and if they do there will always be an error so there is no reason to refresh the certificate. This is just for falback access to default vHost... $tpl = new tpl('apache_defaultindex.html.master'); wf('/var/www/default/ispconfig.html', $tpl->grab()); unset($tpl); @@ -2215,7 +2241,7 @@ class installer_base { rename($ssl_key_file, $ssl_key_file.'.secure'); rename($ssl_key_file.'.insecure', $ssl_key_file); - exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); + exec('chown -R root:root '.$install_dir.'/interface/ssl'); } diff --git a/install/tpl/apache_ispconfig.conf.master b/install/tpl/apache_ispconfig.conf.master index b61e1a7945..f1c428af74 100644 --- a/install/tpl/apache_ispconfig.conf.master +++ b/install/tpl/apache_ispconfig.conf.master 
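Review bot: The guard `if (!@file_exists('/usr/local/ispconfig/interface/ssl/defaultvhost.crt'))` hard-codes the install prefix while the method it calls writes under `$conf['ispconfig_install_dir'].'/interface/ssl'`, so on an install with a different prefix the file is never found and the certificate is regenerated on every run — the opposite of what the trailing comment intends, and inconsistent with the sibling hunk at `@@ -2215` that is switching the interface-cert chown to `$install_dir` in this same commit. Use `if (!@file_exists($conf['ispconfig_install_dir'].'/interface/ssl/defaultvhost.crt')) $this->make_defaultvhost_ssl_cert();` (`$conf` is already global in `configure_apache`). The long explanatory comment would read better on its own line above the `if`, and the `@` on `file_exists` suppresses nothing since a missing file does not warn. `configure_apache` starts and ends outside the hunk.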
@@ -151,34 +151,26 @@ NameVirtualHost {tmpl_var name="ip_address"}:{tmpl_var name="port"} ################################################ - # The ServerName directive sets the request scheme, hostname and port that - # the server uses to identify itself. This is used when creating - # redirection URLs. In the context of virtual hosts, the ServerName - # specifies what hostname must appear in the request's Host: header to - # match this virtual host. For the default virtual host (this file) this - # value is not decisive as it is used as a last resort host regardless. - # However, you must set it for any further virtual host explicitly. - #ServerName www.example.com - ServerAdmin webmaster@localhost + + + # This will always cause a cert error to clients so we simply try to redirect to http afterwards - so the visitor will eighter see the website in http + # or see an error stating the website is not known. Worst case - if something is wrong with the web config clients will se an infinite + # redirect error (is http->https is active and SSL is inactive or non-functional) + SSLEngine on + SSLCertificateFile /usr/local/ispconfig/interface/ssl/defaultvhost.crt + SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/defaultvhost.key + + RewriteEngine On + RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=303,L] + + DocumentRoot /var/www/default DirectoryIndex index.php index.html ispconfig.html - - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn - + + ErrorLog ${APACHE_LOG_DIR}/default-error.log CustomLog ${APACHE_LOG_DIR}/default-access.log combined - - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. 
For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf -- GitLab From 020fc001a40fb0f3265b649bb25bdd6cdee95c10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sun, 15 Jan 2017 00:36:18 +0100 Subject: [PATCH 4/6] added a note to the default vhost html file --- install/tpl/apache_defaultindex.html.master | 31 +++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/install/tpl/apache_defaultindex.html.master b/install/tpl/apache_defaultindex.html.master index 42aedd656a..f7732c2a88 100644 --- a/install/tpl/apache_defaultindex.html.master +++ b/install/tpl/apache_defaultindex.html.master @@ -1,6 +1,37 @@ + + + + + + + + + + + + + + + + + + + Welcome! -- GitLab From 7a090770bc49af8edccfdca1704f49adc245d349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sun, 15 Jan 2017 00:39:35 +0100 Subject: [PATCH 5/6] reverted unintended change --- server/plugins-available/apache2_plugin.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index cd75f2a5ea..1e7f676a48 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -1158,7 +1158,7 @@ class apache2_plugin { $bundle_file = $ssl_dir.'/'.$domain.'.bundle'; if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') { - $domain = $data['new']['ssl_domain']; + $domain = $data['new']['domain']; if(substr($domain, 0, 2) === '*.') { // wildcard domain not yet supported by letsencrypt! $app->log('Wildcard domains not yet supported by letsencrypt, so changing ' . $domain . ' to ' . substr($domain, 2), LOGLEVEL_WARN); -- GitLab From 19d2fdfe59c2d18bb8d209613b4059da24513ca9 Mon Sep 17 00:00:00 2001 
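Review bot: `SSLCertificateFile /usr/local/ispconfig/interface/ssl/defaultvhost.crt` and the `SSLCertificateKeyFile` line below it hard-code the install prefix, while the PHP side of this commit generates those files under `$conf['ispconfig_install_dir']`; on a non-default prefix mod_ssl refuses to start with a missing-certificate error, taking every vhost on the server down with it. The template already uses `{tmpl_var name="ip_address"}`, so these two paths should come from an install-dir template variable (`{tmpl_var name="<install-dir placeholder>"}/interface/ssl/defaultvhost.crt`) filled in by the installer. `RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=303,L]` echoes the client-supplied Host header into the redirect target on a catch-all vhost; it is self-inflicted for the requesting client, but `%{SERVER_NAME}` or a literal scheme+host would avoid reflecting arbitrary input, and the inline comment should read "either", "see" and "if http->https is active". The hunk also ends outside the new `<VirtualHost>` block's closing tag, so its final lines are not visible here.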
From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Sun, 15 Jan 2017 00:40:24 +0100 Subject: [PATCH 6/6] reverted unintended change --- server/plugins-available/apache2_plugin.inc.php | 1 - 1 file changed, 1 deletion(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 1e7f676a48..747f925c64 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -1164,7 +1164,6 @@ class apache2_plugin { $app->log('Wildcard domains not yet supported by letsencrypt, so changing ' . $domain . ' to ' . substr($domain, 2), LOGLEVEL_WARN); $domain = substr($domain, 2); } - $app->log('We will be issuing a letsencrypt certificate with CN of ' . $domain, LOGLEVEL_DEBUG); $data['new']['ssl_domain'] = $domain; $vhost_data['ssl_domain'] = $domain; -- GitLab