...
 
Commits (122)
#!/bin/bash
#####################################################################################
# #
# Syntax: fixcerts DOMAIN #
# #
# Use: Extend Letsencrypt SSl certificates for commonly grouped services such as #
# Apache,Postfix,Dovecot using Certbot. Useful for keeping all client #
# applications referencing the same virtual domain name, such as auto-config #
# email clients on phones, i.e. mailuser@mydomain.TLD smtp.mydomain.TLD #
# imaps.mydomain.TLD instead of mailuser@mydomain.TLD mail.ISPmaildomain.TLD #
# Also useful when sending mail through services like Gmail that will #
# validate sender through a negotiated TLS encrypted connection. #
# #
# Ex: sh fixcerts myhosteddomain.com #
# #
# Prerequisites: #
# - A Letsencrypt certificate for the DOMAIN must already exist #
# - A seperate certificate each for Dovecot and Postfix were previously generated #
# - All new host names to add MUST already exist in DNS at least as a CNAME #
# - Edit the Dovecot/Postfix conf to use the alternate certificate #
# - Set the variable wr_file to a directory that certbot can read and write from #
# - Set the dom_cert=,dv_cert=,pf_cert=,dv_file=, and pf_file= variables #
# #
# In my case, I ran: #
# certbot certonly -webroot /usr/local/ispconfig/interface/acme -d dc.hrst.xyz #
# certbot certonly -webroot /usr/local/ispconfig/interface/acme -d pf.hrst.xyz #
# to create the separate Dovecot and Postscript certificates, then edited and #
# ran the script to extend those certificate, once per hosted domain #
# #
# If you use only one alternate certifcate for both mail services, set both dv_file #
# and pf_file to the same file name and set one of _cert files="" and #
# use the other. If you don't wish to add to a particular certificate, set the #
# variable ="", such as dom_cert #
# TODO: Pre-validate desired additions as already existing in DNS #
# Generate SRV Records and add to DNS to autoconfig clients #
# #
# Author: tad.hasse@gmail.com #
# #
#####################################################################################
#bail out on error
set -e
# Hostnames to add to the main domain certificate
dom_cert="webmail"
# Hostnames to add to the Dovecot domain certificate
dv_cert="pop3s imap"
# Hostnames to add to the Postfix domain certificate
pf_cert="mail smtp smtps"
# Name of the certificate file that handles Dovecot
dv_file="dc.hrst.xyz"
# Name of the certificate file that handles Postfix
pf_file="pf.hrst.xyz"
# Writeable webroot for certbot (I use ISPConfig,
wr_file="/usr/local/ispconfig/interface/acme"
new_cert=""
nanobot=""
affected_services=""
if [ -z "$1" ] # Is parameter #1 zero length?
then
echo "-No DOMAIN specified" # Or no parameter passed.
exit 1
fi
#live_check='/etc/letsencrypt/live/'$1
if [[ ! -d '/etc/letsencrypt/live/'$1 ]]; then
echo "- DOMAIN certificate for \"$1\" not found -"
exit 1
fi
if [[ ! -d '/etc/letsencrypt/live/'${dv_file} ]]; then
echo "- Dovecot/postoffice certificate" ${dv_file}" for \"$1\" not found -"
exit 1
fi
if [[ ! -d '/etc/letsencrypt/live/'${pf_file} ]]; then
echo "- Postfix/mail certificate" ${pf_file}" for \"$1\" not found -"
exit 1
fi
# Have certbot generate its current certificate list for use as input
certbot certificates >~/certfile
# Extend base domain certificate which typically only contains the domain.TLD and www.domain.TLD
if [[ ! -z "${dom_cert}" ]]; then
echo
new_cert=$(echo $dom_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to "$1
nanobot=$(grep -A1 "Certificate Name: "$1 certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"A"
else
echo "Domain Certificate unaffected"
fi
# Extend the Dovecot certificate
if [[ ! -z "${dv_cert}" ]]; then
echo
new_cert=$(echo $dv_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to "${dv_file}
nanobot=$(grep -A1 "Certificate Name: "${dv_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"D"
else
echo "Dovecot Certificate unaffected"
fi
# Extend the Postscript certificate
if [[ ! -z "{$pf_cert}" ]]; then
echo
new_cert=$(echo $pf_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to " ${pf_file}
nanobot=$(grep -A1 "Certificate Name: "${pf_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"P"
else
echo "Postfix Certificate unaffected"
fi
if [[ $affected_services == *"A"* ]]; then
echo "Remember to restart the httpd service"
fi
if [[ $affected_services == *"D"* ]]; then
echo "Remember to restart the dovecot/postoffice service"
fi
if [[ $affected_services == *"P"* ]]; then
echo "Remember to restart the postfix/sendmail service"
fi
echo
echo
echo "Add the following SRV records to DNS for client setup for "$1
if [[ $affected_services == *"D"* ]]; then
echo "_imaps._tcp."$1 "SRV 3600 4 60 993 imaps"
echo "_pop3s._tcp."$1 "SRV 3600 6 60 995 pop3s"
echo "_imap._tcp."$1 " SRV 3600 8 60 143 imap"
fi
if [[ $affected_services == *"P"* ]]; then
echo "_smtps._tcp."$1 "SRV 3600 8 60 465 smtps"
echo "_smtp._tcp."$1 " SRV 3600 10 60 587 smtp"
fi
\ No newline at end of file
This diff is collapsed.
......@@ -28,11 +28,11 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
//*** Ubuntu 16.04 default settings
//*** Debian Testing default settings
//* Main
$conf['language'] = 'en';
$conf['distname'] = 'ubuntu1604';
$conf['distname'] = 'debian100';
$conf['hostname'] = 'server1.domain.tld'; // Full hostname
$conf['ispconfig_install_dir'] = '/usr/local/ispconfig';
$conf['ispconfig_config_dir'] = '/usr/local/ispconfig';
......@@ -83,8 +83,8 @@ $conf['apache']['version'] = '2.4';
$conf['apache']['vhost_conf_dir'] = '/etc/apache2/sites-available';
$conf['apache']['vhost_conf_enabled_dir'] = '/etc/apache2/sites-enabled';
$conf['apache']['vhost_port'] = '8080';
$conf['apache']['php_ini_path_apache'] = '/etc/php/7.0/apache2/php.ini';
$conf['apache']['php_ini_path_cgi'] = '/etc/php/7.0/cgi/php.ini';
$conf['apache']['php_ini_path_apache'] = '/etc/php/7.3/apache2/php.ini';
$conf['apache']['php_ini_path_cgi'] = '/etc/php/7.3/cgi/php.ini';
//* Website base settings
$conf['web']['website_basedir'] = '/var/www';
......@@ -99,7 +99,7 @@ $conf['web']['apps_vhost_user'] = 'ispapps';
$conf['web']['apps_vhost_group'] = 'ispapps';
//* Fastcgi
$conf['fastcgi']['fastcgi_phpini_path'] = '/etc/php/7.0/cgi/';
$conf['fastcgi']['fastcgi_phpini_path'] = '/etc/php/7.3/cgi/';
$conf['fastcgi']['fastcgi_starter_path'] = '/var/www/php-fcgi-scripts/[system_user]/';
$conf['fastcgi']['fastcgi_bin'] = '/usr/bin/php-cgi';
......@@ -120,6 +120,10 @@ $conf['mailman']['installed'] = false; // will be detected automatically during
$conf['mailman']['config_dir'] = '/etc/mailman';
$conf['mailman']['init_script'] = 'mailman';
//* mlmmj
$conf['mlmmj']['installed'] = false; // will be detected automatically during installation
$conf['mlmmj']['config_dir'] = '/etc/mlmmj';
//* Getmail
$conf['getmail']['installed'] = false; // will be detected automatically during installation
$conf['getmail']['config_dir'] = '/etc/getmail';
......@@ -201,11 +205,11 @@ $conf['nginx']['vhost_conf_enabled_dir'] = '/etc/nginx/sites-enabled';
$conf['nginx']['init_script'] = 'nginx';
$conf['nginx']['vhost_port'] = '8080';
$conf['nginx']['cgi_socket'] = '/var/run/fcgiwrap.socket';
$conf['nginx']['php_fpm_init_script'] = 'php7.0-fpm';
$conf['nginx']['php_fpm_ini_path'] = '/etc/php/7.0/fpm/php.ini';
$conf['nginx']['php_fpm_pool_dir'] = '/etc/php/7.0/fpm/pool.d';
$conf['nginx']['php_fpm_init_script'] = 'php7.3-fpm';
$conf['nginx']['php_fpm_ini_path'] = '/etc/php/7.3/fpm/php.ini';
$conf['nginx']['php_fpm_pool_dir'] = '/etc/php/7.3/fpm/pool.d';
$conf['nginx']['php_fpm_start_port'] = 9010;
$conf['nginx']['php_fpm_socket_dir'] = '/var/lib/php7.0-fpm';
$conf['nginx']['php_fpm_socket_dir'] = '/var/lib/php7.3-fpm';
//* OpenVZ
$conf['openvz']['installed'] = false;
......
......@@ -111,6 +111,25 @@ class installer_centos extends installer_dist {
removeLine('/etc/sysconfig/freshclam', 'FRESHCLAM_DELAY=disabled-warn # REMOVE ME', 1);
replaceLine('/etc/freshclam.conf', 'Example', '# Example', 1);
// get shell-group for amavis
$amavis_group=exec('grep -o "^amavis:\|^vscan:" /etc/group');
if(!empty($amavis_group)) {
$amavis_group=rtrim($amavis_group, ":");
}
// get shell-user for amavis
$amavis_user=exec('grep -o "^amavis:\|^vscan:" /etc/passwd');
if(!empty($amavis_user)) {
$amavis_user=rtrim($amavis_user, ":");
}
// Create the director for DKIM-Keys
if(!is_dir('/var/lib/amavis')) mkdir('/var/lib/amavis', 0750, true);
if(!empty($amavis_user)) exec('chown '.$amavis_user.' /var/lib/amavis');
if(!empty($amavis_group)) exec('chgrp '.$amavis_group.' /var/lib/amavis');
if(!is_dir('/var/lib/amavis/dkim')) mkdir('/var/lib/amavis/dkim', 0750);
if(!empty($amavis_user)) exec('chown -R '.$amavis_user.' /var/lib/amavis/dkim');
if(!empty($amavis_group)) exec('chgrp -R '.$amavis_group.' /var/lib/amavis/dkim');
}
......
......@@ -116,6 +116,32 @@ class installer extends installer_base {
file_put_contents($config_dir.'/'.$configfile,$content);
unset($content);
}
if(version_compare($dovecot_version,2.3) >= 0) {
// Remove deprecated setting(s)
removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
// Check if we have a dhparams file and if not, create it
if(!file_exists('/etc/dovecot/dh.pem')) {
swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
// convert existing ssl parameters file
$command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
} else {
/*
Create a new dhparams file. We use 2048 bit only as it simply takes too long
on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
a 4096 bit file, create it manually before you install ISPConfig
*/
$command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
}
}
} else {
// remove settings which are not supported in Dovecot < 2.3
removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
removeLine($config_dir.'/'.$configfile, 'ssl_dh =');
}
} else {
if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian6_dovecot.conf.master')) {
copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian6_dovecot.conf.master', $config_dir.'/'.$configfile);
......
......@@ -1253,11 +1253,11 @@ class installer_dist extends installer_base {
$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
$content = str_replace('{ssl_on}', ' on', $content);
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '', $content);
$content = str_replace('{fastcgi_ssl}', 'on', $content);
} else {
$content = str_replace('{ssl_on}', ' off', $content);
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
$content = str_replace('{fastcgi_ssl}', 'off', $content);
}
......
......@@ -785,7 +785,7 @@ class installer extends installer_base
$content = str_replace('{cgi_socket}', $cgi_socket, $content);
// SSL in apps vhost is off by default. Might change later.
$content = str_replace('{ssl_on}', 'off', $content);
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '#', $content);
wf($vhost_conf_dir.'/apps.vhost', $content);
......@@ -1139,11 +1139,11 @@ class installer extends installer_base
$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
$content = str_replace('{ssl_on}', ' on', $content);
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '', $content);
$content = str_replace('{fastcgi_ssl}', 'on', $content);
} else {
$content = str_replace('{ssl_on}', ' off', $content);
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
$content = str_replace('{fastcgi_ssl}', 'off', $content);
}
......
......@@ -1264,11 +1264,11 @@ class installer_dist extends installer_base {
$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
$content = str_replace('{ssl_on}', ' on', $content);
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '', $content);
$content = str_replace('{fastcgi_ssl}', 'on', $content);
} else {
$content = str_replace('{ssl_on}', ' off', $content);
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
$content = str_replace('{fastcgi_ssl}', 'off', $content);
}
......
......@@ -186,7 +186,7 @@ function get_distname() {
break;
default:
$relname = "UNKNOWN";
$distconfid = 'ubuntu1604';
$distconfid = 'ubuntu1804';
}
$distver = $ver.$lts." ".$relname;
swriteln("Operating System: ".$distname.' '.$distver."\n");
......@@ -214,19 +214,26 @@ function get_distname() {
$distid = 'debian60';
$distbaseid = 'debian';
swriteln("Operating System: Debian 7.0 (Wheezy/Sid) or compatible\n");
} elseif(strstr(trim(file_get_contents('/etc/debian_version')), '8') || substr(trim(file_get_contents('/etc/debian_version')),0,1) == '8') {
} elseif(substr(trim(file_get_contents('/etc/debian_version')),0,1) == '8') {
$distname = 'Debian';
$distver = 'Jessie';
$distid = 'debian60';
$distbaseid = 'debian';
swriteln("Operating System: Debian 8.0 (Jessie) or compatible\n");
} elseif(strstr(trim(file_get_contents('/etc/debian_version')), '9') || substr(trim(file_get_contents('/etc/debian_version')),0,1) == '9') {
} elseif(substr(trim(file_get_contents('/etc/debian_version')),0,1) == '9') {
$distname = 'Debian';
$distver = 'Stretch';
$distconfid = 'debian90';
$distid = 'debian60';
$distbaseid = 'debian';
swriteln("Operating System: Debian 9.0 (Stretch) or compatible\n");
} elseif(substr(trim(file_get_contents('/etc/debian_version')),0,2) == '10') {
$distname = 'Debian';
$distver = 'Buster';
$distconfid = 'debian100';
$distid = 'debian60';
$distbaseid = 'debian';
swriteln("Operating System: Debian 10.0 (Buster) or compatible\n");
} elseif(strstr(trim(file_get_contents('/etc/debian_version')), '/sid')) {
$distname = 'Debian';
$distver = 'Testing';
......@@ -238,7 +245,7 @@ function get_distname() {
$distname = 'Debian';
$distver = 'Unknown';
$distid = 'debian60';
$distconfid = 'debian90';
$distconfid = 'debian100';
$distbaseid = 'debian';
swriteln("Operating System: Debian or compatible, unknown version.\n");
}
......
......@@ -288,11 +288,15 @@ class installer_base {
$this->db->query("DROP USER ?@?", $conf['mysql']['ispconfig_user'], $from_host);
$this->db->query("DROP DATABASE IF EXISTS ?", $conf['mysql']['database']);
//* Create the ISPConfig database user in the local database
$query = 'GRANT SELECT, INSERT, UPDATE, DELETE ON ?? TO ?@? IDENTIFIED BY ?';
if(!$this->db->query($query, $conf['mysql']['database'] . ".*", $conf['mysql']['ispconfig_user'], $from_host, $conf['mysql']['ispconfig_password'])) {
//* Create the ISPConfig database user and grant permissions in the local database
$query = 'CREATE USER ?@? IDENTIFIED BY ?';
if(!$this->db->query($query, $conf['mysql']['ispconfig_user'], $from_host, $conf['mysql']['ispconfig_password'])) {
$this->error('Unable to create database user: '.$conf['mysql']['ispconfig_user'].' Error: '.$this->db->errorMessage);
}
$query = 'GRANT SELECT, INSERT, UPDATE, DELETE ON ?? TO ?@?';
if(!$this->db->query($query, $conf['mysql']['database'] . ".*", $conf['mysql']['ispconfig_user'], $from_host)) {
$this->error('Unable to grant databse permissions to user: '.$conf['mysql']['ispconfig_user'].' Error: '.$this->db->errorMessage);
}
//* Set the database name in the DB library
$this->db->setDBName($conf['mysql']['database']);
......@@ -1046,7 +1050,7 @@ class installer_base {
$regex = "/^maildrop unix.*pipe flags=DRhu user=vmail argv=\\/usr\\/bin\\/maildrop -d ".$cf['vmail_username']." \\$\{extension} \\$\{recipient} \\$\{user} \\$\{nexthop} \\$\{sender}/";
$configfile = $config_dir.'/master.cf';
if($this->get_postfix_service('maildrop', 'unix')) {
exec ("postconf -M maildrop.unix &> /dev/null", $out, $ret);
exec ("postconf -M maildrop.unix 2> /dev/null", $out, $ret);
$change_maildrop_flags = @(preg_match($regex, $out[0]) && $out[0] !='')?false:true;
} else {
$change_maildrop_flags = @(preg_match($regex, $configfile))?false:true;
......@@ -2047,8 +2051,8 @@ class installer_base {
//copy('tpl/apache_ispconfig.vhost.master', "$vhost_conf_dir/ispconfig.vhost");
//* and create the symlink
if(@is_link($vhost_conf_enabled_dir.'/apps.vhost')) unlink($vhost_conf_enabled_dir.'/apps.vhost');
if(!@is_link($vhost_conf_enabled_dir.'/000-apps.vhost')) {
symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost');
if(!@is_link($vhost_conf_enabled_dir.'/000-apps.vhost') && @is_file($vhost_conf_dir.'/apps.vhost')) {
@symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost');
}
if(!is_file($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter')) {
......@@ -2131,7 +2135,7 @@ class installer_base {
$content = str_replace('{use_socket}', $use_socket, $content);
// SSL in apps vhost is off by default. Might change later.
$content = str_replace('{ssl_on}', 'off', $content);
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
// Fix socket path on PHP 7 systems
......@@ -2564,11 +2568,11 @@ class installer_base {
$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
$content = str_replace('{ssl_on}', 'on', $content);
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '', $content);
$content = str_replace('{fastcgi_ssl}', 'on', $content);
} else {
$content = str_replace('{ssl_on}', 'off', $content);
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
$content = str_replace('{fastcgi_ssl}', 'off', $content);
}
......
ALTER TABLE `sys_datalog` ADD `session_id` varchar(64) NOT NULL DEFAULT '' AFTER `error`;
ALTER TABLE `sys_user` CHANGE `sys_userid` `sys_userid` INT(11) UNSIGNED NOT NULL DEFAULT '1' COMMENT 'Created by userid';
ALTER TABLE `sys_user` CHANGE `sys_groupid` `sys_groupid` INT(11) UNSIGNED NOT NULL DEFAULT '1' COMMENT 'Created by groupid';
ALTER TABLE `web_domain` ADD COLUMN `php_fpm_chroot` enum('n','y') NOT NULL DEFAULT 'n' AFTER `php_fpm_use_socket`;
CREATE TABLE IF NOT EXISTS `dns_ssl_ca` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`sys_userid` int(11) unsigned NOT NULL DEFAULT '0',
`sys_groupid` int(11) unsigned NOT NULL DEFAULT '0',
`sys_perm_user` varchar(5) NOT NULL DEFAULT '',
`sys_perm_group` varchar(5) NOT NULL DEFAULT '',
`sys_perm_other` varchar(5) NOT NULL DEFAULT '',
`active` enum('N','Y') NOT NULL DEFAULT 'N',
`ca_name` varchar(255) NOT NULL DEFAULT '',
`ca_issue` varchar(255) NOT NULL DEFAULT '',
`ca_wildcard` enum('Y','N') NOT NULL DEFAULT 'N',
`ca_iodef` text NOT NULL,
`ca_critical` tinyint(1) NOT NULL DEFAULT '0',
PRIMARY KEY (`id`),
UNIQUE KEY (`ca_issue`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
ALTER TABLE `dns_ssl_ca` ADD UNIQUE(`ca_issue`);
UPDATE `dns_ssl_ca` SET `ca_issue` = 'comodo.com' WHERE `ca_issue` = 'comodoca.com';
DELETE FROM `dns_ssl_ca` WHERE `ca_issue` = 'geotrust.com';
DELETE FROM `dns_ssl_ca` WHERE `ca_issue` = 'thawte.com';
UPDATE `dns_ssl_ca` SET `ca_name` = 'Symantec / Thawte / GeoTrust' WHERE `ca_issue` = 'symantec.com';
ALTER TABLE `dns_rr` CHANGE `type` `type` ENUM('A','AAAA','ALIAS','CAA','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY') CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL;
INSERT IGNORE INTO `dns_ssl_ca` (`id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `active`, `ca_name`, `ca_issue`, `ca_wildcard`, `ca_iodef`, `ca_critical`) VALUES
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'AC Camerfirma', 'camerfirma.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'ACCV', 'accv.es', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Actalis', 'actalis.it', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Amazon', 'amazon.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Asseco', 'certum.pl', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Buypass', 'buypass.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'CA Disig', 'disig.sk', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'CATCert', 'aoc.cat', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Certinomis', 'www.certinomis.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Certizen', 'hongkongpost.gov.hk', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'certSIGN', 'certsign.ro', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'CFCA', 'cfca.com.cn', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Chunghwa Telecom', 'cht.com.tw', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Comodo', 'comodoca.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'D-TRUST', 'd-trust.net', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'DigiCert', 'digicert.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'DocuSign', 'docusign.fr', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'e-tugra', 'e-tugra.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'EDICOM', 'edicomgroup.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Entrust', 'entrust.net', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Firmaprofesional', 'firmaprofesional.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'FNMT', 'fnmt.es', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'GlobalSign', 'globalsign.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'GoDaddy', 'godaddy.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Google Trust Services', 'pki.goog', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'GRCA', 'gca.nat.gov.tw', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'HARICA', 'harica.gr', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'IdenTrust', 'identrust.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Izenpe', 'izenpe.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Kamu SM', 'kamusm.gov.tr', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Let''s Encrypt', 'letsencrypt.org', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Microsec e-Szigno', 'e-szigno.hu', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'NetLock', 'netlock.hu', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'PKIoverheid', 'www.pkioverheid.nl', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'PROCERT', 'procert.net.ve', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'QuoVadis', 'quovadisglobal.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'SECOM', 'secomtrust.net', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Sertifitseerimiskeskuse', 'sk.ee', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'StartCom', 'startcomca.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'SwissSign', 'swisssign.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Symantec / Thawte / GeoTrust', 'symantec.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'T-Systems', 'telesec.de', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Telia', 'telia.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Trustwave', 'trustwave.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'Web.com', 'web.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'WISeKey', 'wisekey.com', 'Y', '', 0),
(NULL, 1, 1, 'riud', 'riud', '', 'Y', 'WoSign', 'wosign.com', 'Y', '', 0);
ALTER TABLE `dns_soa` CHANGE `xfer` `xfer` TEXT NULL;
ALTER TABLE `dns_soa` CHANGE `also_notify` `also_notify` TEXT NULL;
ALTER TABLE `dns_slave` CHANGE `xfer` `xfer` TEXT NULL;
ALTER TABLE `firewall` CHANGE `tcp_port` `tcp_port` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
ALTER TABLE `firewall` CHANGE `udp_port` `udp_port` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
\ No newline at end of file
ALTER TABLE `sys_datalog` ADD `session_id` varchar(64) NOT NULL DEFAULT '' AFTER `error`;
This diff is collapsed.
......@@ -83,7 +83,6 @@ $notify_method = 'smtp:127.0.0.1:*';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
originating => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# IP-Addresses for internal networks => load policy MYNETS
......
......@@ -89,11 +89,11 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
<IfModule mod_headers.c>
# ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
<tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
</IfVersion>
......
......@@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_dh = </etc/dovecot/dh.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_min_protocol = TLSv1
mail_max_userip_connections = 100
passdb {
args = /etc/dovecot/dovecot-sql.conf
......
server {
listen {apps_vhost_port};
listen [::]:{apps_vhost_port} ipv6only=on;
ssl {ssl_on};
listen {apps_vhost_port} {ssl_on};
listen [::]:{apps_vhost_port} {ssl_on} ipv6only=on;
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
......
server {
listen {vhost_port};
listen [::]:{vhost_port} ipv6only=on;
ssl {ssl_on};
listen {vhost_port} {ssl_on};
listen [::]:{vhost_port} {ssl_on} ipv6only=on;
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
......
......@@ -116,6 +116,7 @@ overquota_db_notify_admin=y
overquota_db_notify_client=y
overquota_notify_onok=n
logging=yes
php_fpm_reload_mode=reload
[dns]
bind_user=root
......@@ -140,6 +141,7 @@ jailkit_chroot_home=/home/[username]
jailkit_chroot_app_sections=basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh
jailkit_chroot_app_programs=/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico /usr/bin/mysql /usr/bin/mysqldump /usr/bin/git /usr/bin/git-receive-pack /usr/bin/git-upload-pack /usr/bin/unzip /usr/bin/zip /bin/tar /bin/rm /usr/bin/patch /usr/bin/which /usr/lib/x86_64-linux-gnu/libmemcached.so.11 /usr/lib/x86_64-linux-gnu/libmemcachedutil.so.2 /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.2 /opt/php-5.6.8/bin/php /opt/php-5.6.8/include /opt/php-5.6.8/lib
jailkit_chroot_cron_programs=/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php
jailkit_chroot_authorized_keys_template=/root/.ssh/authorized_keys
[vlogger]
config_dir=/etc
......
......@@ -33,6 +33,7 @@ vhost_aliasdomains=n
client_username_web_check_disabled=n
backups_include_into_web_quota=n
reseller_can_use_options=n
web_php_options=no,fast-cgi,mod,php-fpm
[tools]
......
......@@ -59,6 +59,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
error_reporting(E_ALL|E_STRICT);
define('INSTALLER_RUN', true);
define('INSTALLER_UPDATE', true);
//** The banner on the command line
echo "\n\n".str_repeat('-', 80)."\n";
......
......@@ -68,20 +68,32 @@ class app {
$this->db = false;
}
}
$this->uses('functions'); // we need this before all others!
$this->uses('auth,plugin,ini_parser,getconf');
}
public function __get($prop) {
if(property_exists($this, $prop)) return $this->{$prop};
$this->uses($prop);
if(property_exists($this, $prop)) return $this->{$prop};
else return null;
}
public function __destruct() {
session_write_close();
}
public function initialize_session() {
//* Start the session
if($this->_conf['start_session'] == true) {
session_name('ISPCSESS');
$this->uses('session');
$sess_timeout = $this->conf('interface', 'session_timeout');
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
// Workaround for Nginx servers
if($cookie_domain == '_') {
$tmp = explode(':',$_SERVER["HTTP_HOST"]);
$cookie_domain = $tmp[0];
unset($tmp);
}
$cookie_domain = $this->get_cookie_domain();
$this->log("cookie_domain is ".$cookie_domain,0);
$cookie_domain = '';
$cookie_secure = ($_SERVER["HTTPS"] == 'on')?true:false;
if($sess_timeout) {
/* check if user wants to stay logged in */
......@@ -122,23 +134,8 @@ class app {
if(empty($_SESSION['s']['language'])) $_SESSION['s']['language'] = $conf['language'];
}
$this->uses('functions'); // we need this before all others!
$this->uses('auth,plugin,ini_parser,getconf');
}
public function __get($prop) {
if(property_exists($this, $prop)) return $this->{$prop};
$this->uses($prop);
if(property_exists($this, $prop)) return $this->{$prop};
else return null;
}
public function __destruct() {
session_write_close();
}
public function uses($classes) {
$cl = explode(',', $classes);
if(is_array($cl)) {
......@@ -336,12 +333,52 @@ class app {
$this->tpl->setVar('globalsearch_noresults_limit_txt', $this->lng('globalsearch_noresults_limit_txt'));
$this->tpl->setVar('globalsearch_searchfield_watermark_txt', $this->lng('globalsearch_searchfield_watermark_txt'));
}
private function get_cookie_domain() {
$sec_config = $this->getconf->get_security_config('permissions');
$proxy_panel_allowed = $sec_config['reverse_proxy_panel_allowed'];
if ($proxy_panel_allowed == 'all') {
return '';
}
/*
* See ticket #5238: It should be ensured, that _SERVER_NAME is always set.
* Otherwise the security improvement doesn't work with nginx. If this is done,
* the check for HTTP_HOST and workaround for nginx is obsolete.
*/
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
// Workaround for Nginx servers
if($cookie_domain == '_') {
$tmp = explode(':',$_SERVER["HTTP_HOST"]);
$cookie_domain = $tmp[0];
unset($tmp);
}
if($proxy_panel_allowed == 'sites') {
$forwarded_host = (isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : null );
if($forwarded_host !== null && $forwarded_host !== $cookie_domain) {
// Just check for complete domain name and not auto subdomains
$sql = "SELECT domain_id from web_domain where domain = '$forwarded_host'";
$recs = $this->db->queryOneRecord($sql);
if($recs !== null) {
$cookie_domain = $forwarded_host;
}
unset($forwarded_host);
}
}
return $cookie_domain;
}
} // end class
//** Initialize application (app) object
//* possible future = new app($conf);
$app = new app();
/*
split session creation out of constructor is IMHO better.
otherwise we have some circular references to global $app like in
getconfig property of App - RA
*/
$app->initialize_session();
// load and enable PHP Intrusion Detection System (PHPIDS)
$ids_security_config = $app->getconf->get_security_config('ids');
......
......@@ -249,6 +249,15 @@ class ApsGUIController extends ApsBase
$settings['main_database_host'] = 'localhost';
$mysql_db_remote_access = 'n';
$mysql_db_remote_ips = '';
// If we are dealing with chrooted PHP-FPM, use a network connection instead because the MySQL socket file
// does not exist within the chroot.
$php_fpm_chroot = $app->db->queryOneRecord("SELECT php_fpm_chroot FROM web_domain WHERE domain_id = ?", $websrv['domain_id']);
if ($php_fpm_chroot['php_fpm_chroot'] === 'y') {
$settings['main_database_host'] = '127.0.0.1';
$mysql_db_remote_access = 'y';
$mysql_db_remote_ips = '127.0.0.1';
}
} else {
//* get the default database server of the client
$client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $websrv['sys_groupid']);
......@@ -558,6 +567,16 @@ class ApsGUIController extends ApsBase
}
else $error[] = $app->lng('error_main_domain');
if(isset($postinput['admin_password']))
{
$app->uses('validate_password');
$passwordError = $app->validate_password->password_check('', $postinput['admin_password'], '');
if ($passwordError) {
$error[] = $passwordError;
}
}