Merge pull request #320 from guruevi/master

Various fixes for failing nginx/LetsEncrypt
This commit is contained in:
Florian Aders
2016-02-22 12:14:12 +01:00
3 changed files with 9 additions and 8 deletions


@@ -324,7 +324,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
{ {
$res = openssl_pkey_new(array( $res = openssl_pkey_new(array(
"private_key_type" => OPENSSL_KEYTYPE_RSA, "private_key_type" => OPENSSL_KEYTYPE_RSA,
"private_key_bits" => Settings::Get('system.letsencryptkeysize'), "private_key_bits" => (int)Settings::Get('system.letsencryptkeysize'),
)); ));
if(!openssl_pkey_export($res, $privateKey)) { if(!openssl_pkey_export($res, $privateKey)) {
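Review bot: The new `(int)` cast on `private_key_bits` silently turns a missing or non-numeric `system.letsencryptkeysize` setting into 0 and leaves a stray small value free to produce a weak key, and `openssl_pkey_new()` returning `false` on such input is not checked before `$res` is handed to `openssl_pkey_export()`. Consider reading the setting into a local and rejecting values below a documented floor, `$bits = (int)Settings::Get('system.letsencryptkeysize'); if ($bits < 2048) { /* log and abort */ }`, then checking the generation result with `if ($res === false) { /* log openssl_error_string() and abort */ }` before the export call. The enclosing function starts outside the hunk.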


@@ -273,10 +273,10 @@ fastcgi_param REDIRECT_STATUS 200;
]]> ]]>
</content> </content>
</file> </file>
<file name="/etc/nginx/conf.d/acme.conf"> <file name="/etc/nginx/acme.conf">
<content><![CDATA[ <content><![CDATA[
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
alias {{settings.system.letsencryptchallengepath}}; alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) { location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain; default_type text/plain;
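Review bot: The `alias` set on the outer prefix location is not inherited by the nested `location ~ /.well-known/acme-challenge/(.*)` block that follows it, so unless that block declares its own `alias` or `root` further down (its body runs past the hunk), challenge requests matching the regex would presumably resolve against the server root rather than `{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge`; worth confirming against the rest of the template. The renamed file `/etc/nginx/acme.conf` is also now hard-coded here and in the `include /etc/nginx/acme.conf;` line the vhost generator emits, so a comment ahead of the `<file>` element such as `<!-- path must match the include directive written by the nginx vhost generator -->` would make that coupling visible to the next editor.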


@@ -422,6 +422,7 @@ class nginx extends HttpConfigBase {
) { ) {
$vhost_content.= "\n" . $this->composeSslSettings($domain) . "\n"; $vhost_content.= "\n" . $this->composeSslSettings($domain) . "\n";
} }
$vhost_content.= "\t".'include /etc/nginx/acme.conf;'."\n";
// if the documentroot is an URL we just redirect // if the documentroot is an URL we just redirect
if (preg_match('/^https?\:\/\//', $domain['documentroot'])) { if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
@@ -567,7 +568,7 @@ class nginx extends HttpConfigBase {
$this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create ssl-directives'); $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
echo $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n"; echo $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
} else { } else {
// obsolete: ssl on now belongs to the listen block as 'ssl' at the end // obsolete: ssl on now belongs to the listen block as 'ssl' at the end
//$sslsettings .= "\t" . 'ssl on;' . "\n"; //$sslsettings .= "\t" . 'ssl on;' . "\n";
$sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' . "\n"; $sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' . "\n";
$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n"; $sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
@@ -595,13 +596,13 @@ class nginx extends HttpConfigBase {
} }
} }
if ($domain['hsts'] > 0) { if (isset($domain_or_ip['hsts']) && $domain_or_ip['hsts'] > 0) {
$vhost_content .= 'add_header Strict-Transport-Security "max-age=' . $domain['hsts']; $vhost_content .= 'add_header Strict-Transport-Security "max-age=' . $domain_or_ip['hsts'];
if ($domain['hsts_sub'] == 1) { if ($domain_or_ip['hsts_sub'] == 1) {
$vhost_content .= '; includeSubdomains'; $vhost_content .= '; includeSubdomains';
} }
if ($domain['hsts_preload'] == 1) { if ($domain_or_ip['hsts_preload'] == 1) {
$vhost_content .= '; preload'; $vhost_content .= '; preload';
} }
$vhost_content .= '";' . "\n"; $vhost_content .= '";' . "\n";