maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add HSTS for domains (admin-side) and froxlor-vhost; fixes #1660

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2016-10-07 11:01:45 +02:00
parent 074d85b40f
commit 4a3e02c1f0
13 changed files with 534 additions and 394 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
actions/admin/settings/131.ssl.php
View File

@@ -153,7 +153,33 @@ return array(
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField'
)
),
'system_hsts_maxage' => array(
'label' => $lng['admin']['domain_hsts_maxage'],
'settinggroup' => 'system',
'varname' => 'hsts_maxage',
'type' => 'int',
'int_min' => 0,
'int_max' => 94608000, // 3-years
'default' => 0,
'save_method' => 'storeSettingField'
),
'system_hsts_incsub' => array(
'label' => $lng['admin']['domain_hsts_incsub'],
'settinggroup' => 'system',
'varname' => 'hsts_incsub',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField'
),
'system_hsts_preload' => array(
'label' => $lng['admin']['domain_hsts_preload'],
'settinggroup' => 'system',
'varname' => 'hsts_preload',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField'
),
)
)
)

2
install/froxlor.sql
View File

@@ -573,7 +573,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char_required', '0'),
('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'version', '0.9.37'),
('panel', 'db_version', '201609240');
('panel', 'db_version', '201610070');
DROP TABLE IF EXISTS `panel_tasks`;

27
install/updates/froxlor/0.9/update_0.9.inc.php
View File

@@ -3478,11 +3478,26 @@ if (isDatabaseVersion('201609120')) {
if (isDatabaseVersion('201609200')) {
showUpdateStep("Changing tables to be more mysql strict-mode compatible");
Database::query("ALTER TABLE `".TABLE_MAIL_VIRTUAL."` CHANGE `destination` `destination` TEXT NOT NULL DEFAULT '';");
Database::query("ALTER TABLE `".TABLE_PANEL_DOMAINS."` CHANGE `registration_date` `registration_date` DATE NULL DEFAULT NULL;");
Database::query("ALTER TABLE `".TABLE_PANEL_DOMAINS."` CHANGE `termination_date` `termination_date` DATE NULL DEFAULT NULL;");
lastStepStatus(0);
showUpdateStep("Changing tables to be more mysql strict-mode compatible");
Database::query("ALTER TABLE `".TABLE_MAIL_VIRTUAL."` CHANGE `destination` `destination` TEXT NOT NULL DEFAULT '';");
Database::query("ALTER TABLE `".TABLE_PANEL_DOMAINS."` CHANGE `registration_date` `registration_date` DATE NULL DEFAULT NULL;");
Database::query("ALTER TABLE `".TABLE_PANEL_DOMAINS."` CHANGE `termination_date` `termination_date` DATE NULL DEFAULT NULL;");
lastStepStatus(0);
updateToDbVersion('201609240');
updateToDbVersion('201609240');
}
if (isDatabaseVersion('201609240')) {
showUpdateStep("Add HSTS settings for froxlor-vhost");
Settings::AddNew("system.hsts_maxage", 0);
Settings::AddNew("system.hsts_incsub", 0);
Settings::AddNew("system.hsts_preload", 0);
lastStepStatus(0);
showUpdateStep("Settings HSTS default values for all domains (deactivated)");
Database::query("UPDATE `".TABLE_PANEL_DOMAINS."` SET `hsts_sub` = '0', `hsts_preload` = '0';");
lastStepStatus(0);
updateToDbVersion('201610070');
}

27
lib/classes/output/class.htmlform.php
View File

@@ -122,6 +122,8 @@ class htmlform
return self::_checkbox($fieldname, $data); break;
case 'file':
return self::_file($fieldname, $data); break;
case 'int':
return self::_int($fieldname, $data); break;
}
}
@@ -313,4 +315,29 @@ class htmlform
return $return;
}
private static function _int($fieldname = '', $data = array())
{
$return = '';
$extras = '';
if(isset($data['int_min'])) {
$extras .= ' min="'.$data['int_min'].'"';
}
if(isset($data['int_max'])) {
$extras .= ' max="'.$data['int_max'].'"';
}
// add support to save reloaded forms
if (isset($data['value'])) {
$value = $data['value'];
} elseif (isset($_SESSION['requestData'][$fieldname])) {
$value = $_SESSION['requestData'][$fieldname];
} else {
$value = '';
}
$type = 'number';
$ulfield = '';
eval("\$return = \"" . getTemplate("misc/form/input_text", "1") . "\";");
return $return;
}
}

104
lib/formfields/admin/domains/formfield.domains_add.php
View File

@@ -101,40 +101,6 @@ return array(
'is_array' => 1,
'mandatory' => true
),
'ssl_ipandport' => array(
'label' => $lng['domains']['ipandport_ssl_multi']['title'],
'desc' => $lng['domains']['ipandport_ssl_multi']['description'],
'type' => 'checkbox',
'values' => $ssl_ipsandports,
'value' => '',
'is_array' => 1
),
'ssl_redirect' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
'letsencrypt' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false) : false),
'label' => $lng['admin']['letsencrypt']['title'],
'desc' => $lng['admin']['letsencrypt']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
'no_ssl_available_info' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports == '' ? true : false) : false),
'label' => 'SSL',
'type' => 'label',
'value' => $lng['panel']['nosslipsavailable']
),
'selectserveralias' => array(
'label' => $lng['admin']['selectserveralias'],
'desc' => $lng['admin']['selectserveralias_desc'],
@@ -161,6 +127,76 @@ return array(
)
)
),
'section_bssl' => array(
'title' => $lng['admin']['webserversettings_ssl'],
'image' => 'icons/domain_add.png',
'visible' => Settings::Get('system.use_ssl') == '1' ? true : false,
'fields' => array(
'ssl_ipandport' => array(
'label' => $lng['domains']['ipandport_ssl_multi']['title'],
'desc' => $lng['domains']['ipandport_ssl_multi']['description'],
'type' => 'checkbox',
'values' => $ssl_ipsandports,
'value' => '',
'is_array' => 1
),
'ssl_redirect' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
'letsencrypt' => array(
'visible' => (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
'label' => $lng['admin']['letsencrypt']['title'],
'desc' => $lng['admin']['letsencrypt']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
'type' => 'label',
'value' => $lng['panel']['nosslipsavailable']
),
'hsts_maxage' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_maxage']['title'],
'desc' => $lng['admin']['domain_hsts_maxage']['description'],
'type' => 'int',
'int_min' => 0,
'int_max' => 94608000, // 3-years
'value' => 0
),
'hsts_incsub' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_incsub']['title'],
'desc' => $lng['admin']['domain_hsts_incsub']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
'hsts_preload' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_preload']['title'],
'desc' => $lng['admin']['domain_hsts_preload']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array()
),
),
),
'section_c' => array(
'title' => $lng['admin']['phpserversettings'],
'image' => 'icons/domain_add.png',

104
lib/formfields/admin/domains/formfield.domains_edit.php
View File

@@ -113,40 +113,6 @@ return array(
'is_array' => 1,
'mandatory' => true
),
'ssl_ipandport' => array(
'label' => $lng['domains']['ipandport_ssl_multi']['title'],
'desc' => $lng['domains']['ipandport_ssl_multi']['description'],
'type' => 'checkbox',
'values' => $ssl_ipsandports,
'value' => $usedips,
'is_array' => 1
),
'ssl_redirect' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['ssl_redirect'])
),
'letsencrypt' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false) : false),
'label' => $lng['admin']['letsencrypt']['title'],
'desc' => $lng['admin']['letsencrypt']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['letsencrypt'])
),
'no_ssl_available_info' => array(
'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports == '' ? true : false) : false),
'label' => 'SSL',
'type' => 'label',
'value' => $lng['panel']['nosslipsavailable']
),
'selectserveralias' => array(
'label' => $lng['admin']['selectserveralias'],
'desc' => $lng['admin']['selectserveralias_desc'],
@@ -184,6 +150,76 @@ return array(
)
)
),
'section_bssl' => array(
'title' => $lng['admin']['webserversettings_ssl'],
'image' => 'icons/domain_edit.png',
'visible' => Settings::Get('system.use_ssl') == '1' ? true : false,
'fields' => array(
'ssl_ipandport' => array(
'label' => $lng['domains']['ipandport_ssl_multi']['title'],
'desc' => $lng['domains']['ipandport_ssl_multi']['description'],
'type' => 'checkbox',
'values' => $ssl_ipsandports,
'value' => $usedips,
'is_array' => 1
),
'ssl_redirect' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['ssl_redirect'])
),
'letsencrypt' => array(
'visible' => (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
'label' => $lng['admin']['letsencrypt']['title'],
'desc' => $lng['admin']['letsencrypt']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['letsencrypt'])
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
'type' => 'label',
'value' => $lng['panel']['nosslipsavailable']
),
'hsts_maxage' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_maxage']['title'],
'desc' => $lng['admin']['domain_hsts_maxage']['description'],
'type' => 'int',
'int_min' => 0,
'int_max' => 94608000, // 3-years
'value' => $result['hsts']
),
'hsts_incsub' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_incsub']['title'],
'desc' => $lng['admin']['domain_hsts_incsub']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['hsts_sub'])
),
'hsts_preload' => array(
'visible' => ($ssl_ipsandports != '' ? true : false),
'label' => $lng['admin']['domain_hsts_preload']['title'],
'desc' => $lng['admin']['domain_hsts_preload']['description'],
'type' => 'checkbox',
'values' => array(
array ('label' => $lng['panel']['yes'], 'value' => '1')
),
'value' => array($result['hsts_preload'])
),
)
),
'section_c' => array(
'title' => $lng['admin']['phpserversettings'],
'image' => 'icons/domain_edit.png',

23
lib/init.php
View File

@@ -39,11 +39,6 @@ header("X-XSS-Protection: 1; mode=block");
// Don't allow to load Froxlor in an iframe to prevent i.e. clickjacking
header("X-Frame-Options: DENY");
// If Froxlor was called via HTTPS -> enforce it for the next time
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
header("Strict-Transport-Security: max-age=15768000");
}
// Internet Explorer shall not guess the Content-Type, see:
// http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
header("X-Content-Type-Options: nosniff");
@@ -127,6 +122,24 @@ require FROXLOR_INSTALL_DIR.'/lib/tables.inc.php';
*/
$idna_convert = new idna_convert_wrapper();
/**
* If Froxlor was called via HTTPS -> enforce it for the next time by settings HSTS header according to settings
*/
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
$maxage = Settings::Get('system.hsts_maxage');
if (empty($maxage)) {
$maxage = 0;
}
$hsts_header = "Strict-Transport-Security: max-age=".$maxage;
if (Settings::Get('system.hsts_incsub') == '1') {
$hsts_header .= "; includeSubDomains";
}
if (Settings::Get('system.hsts_preload') == '1') {
$hsts_header .= "; preload";
}
header($hsts_header);
}
/**
* disable magic_quotes_runtime if enabled
*/

2
lib/version.inc.php
View File

@@ -19,7 +19,7 @@
$version = '0.9.37';
// Database version (YYYYMMDDC where C is a daily counter)
$dbversion = '201609240';
$dbversion = '201610070';
// Distribution branding-tag (used for Debian etc.)
$branding = '';

9
lng/english.lng.php
View File

@@ -2027,7 +2027,7 @@ $lng['error']['dns_record_toolong'] = 'Records/labels can only be up to 63 chara
$lng['serversettings']['panel_customer_hide_options']['title'] = 'Hide menu items and traffic charts in customer panel';
$lng['serversettings']['panel_customer_hide_options']['description'] = 'Select items to hide in customer panel. To select multiple options, hold down CTRL while selecting.';
// Added in froxlor 0.9.37.1
// Added in froxlor 0.9.38-rc1
$lng['serversettings']['allow_allow_customer_shell']['title'] = 'Allow customers to enable shell access for ftp-users';
$lng['serversettings']['allow_allow_customer_shell']['description'] = '<strong class="red">Please note: Shell access allows the user to execute various binaries on your system. Use with extrem caution. Please only activate this if you REALLY know what you are doing!!!</strong>';
$lng['serversettings']['available_shells']['title'] = 'List of available shells';
@@ -2055,3 +2055,10 @@ $lng['domains']['ssl_certificates'] = 'SSL certificates';
$lng['domains']['ssl_certificate_removed'] = 'The certificate with the id #%s has been removed successfully';
$lng['domains']['ssl_certificate_error'] = "Error reading certificate for domain: %s";
$lng['domains']['no_ssl_certificates'] = "There are no domains with SSL certificate";
$lng['admin']['webserversettings_ssl'] = 'Webserver SSL settings';
$lng['admin']['domain_hsts_maxage']['title'] = 'HTTP Strict Transport Security (HSTS)';
$lng['admin']['domain_hsts_maxage']['description'] = 'Specify the max-age value for the Strict-Transport-Security header<br>The value <i>0</i> will disable HSTS for the domain. Most user set a value of <i>31536000</i> (one year).';
$lng['admin']['domain_hsts_incsub']['title'] = 'Include HSTS for any subdomain';
$lng['admin']['domain_hsts_incsub']['description'] = 'The optional "includeSubDomains" directive, if present, signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host\'s domain name.';
$lng['admin']['domain_hsts_preload']['title'] = 'Include domain in <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a>';
$lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';

9
lng/german.lng.php
View File

@@ -1679,7 +1679,7 @@ $lng['error']['dns_record_toolong'] = 'Records/Labels können maximal 63 Zeichen
$lng['serversettings']['panel_customer_hide_options']['title'] = 'Menüpunkte und Traffic-Charts im Kundenbereich ausblenden';
$lng['serversettings']['panel_customer_hide_options']['description'] = 'Wählen Sie hier die gewünschten Menüpunkte und Traffic-Charts aus, welche im Kundenbereich ausgeblendet werden sollen. Für Mehrfachauswahl, halten Sie während der Auswahl STRG gedrückt.';
// Added in froxlor 0.9.37.1
// Added in froxlor 0.9.38-rc1
$lng['serversettings']['allow_allow_customer_shell']['title'] = 'Erlaube Kunden für FTP Benutzer eine Shell auszuwählen';
$lng['serversettings']['allow_allow_customer_shell']['description'] = '<strong class="red">Bitte beachten: Shell Zugriff gestattet dem Benutzer verschiedene Programme auf Ihrem System auszuführen. Mit großer Vorsicht verwenden. Bitte aktiviere dies nur wenn WIRKLICH bekannt ist, was das bedeutet!!!</strong>';
$lng['serversettings']['available_shells']['title'] = 'Liste der verfügbaren Shells';
@@ -1706,3 +1706,10 @@ $lng['domains']['ssl_certificates'] = 'SSL Zertifikate';
$lng['domains']['ssl_certificate_removed'] = 'Das Zertifikat mit der ID #%s wurde erfolgreich gelöscht.';
$lng['domains']['ssl_certificate_error'] = "Fehler beim Lesen des Zertifikats für die Domain: %s";
$lng['domains']['no_ssl_certificates'] = "Es wurden keine SSL-Zertifikate gefunden";
$lng['admin']['webserversettings_ssl'] = 'Webserver SSL-Einstellungen';
$lng['admin']['domain_hsts_maxage']['title'] = 'HTTP Strict Transport Security (HSTS)';
$lng['admin']['domain_hsts_maxage']['description'] = '"max-age" Wert für den Strict-Transport-Security Header<br>Der Wert <i>0</i> deaktiviert HSTS für diese Domain. Meist wird der Wert <i>31536000</i> gerne genutzt (ein Jahr).';
$lng['admin']['domain_hsts_incsub']['title'] = 'Inkludiere HSTS für jede Subdomain';
$lng['admin']['domain_hsts_incsub']['description'] = 'Die optionale "includeSubDomains" Direktive, wenn vorhanden, signalisiert dem UA, dass die HSTS that the HSTS Regel für diese Domain und auch jede Subdomain dieser gilt.';
$lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload Liste</a> hinzu';
$lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';

2
scripts/jobs/cron_tasks.inc.http.10.apache.php
View File

@@ -836,7 +836,7 @@ class apache extends HttpConfigBase
$vhost_content .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
}
if ($domain['hsts'] > 0) {
if ($domain['hsts'] >= 0) {
$vhost_content .= ' <IfModule mod_headers.c>' . "\n";
$vhost_content .= ' Header always set Strict-Transport-Security "max-age=' . $domain['hsts'];
if ($domain['hsts_sub'] == 1) {

2
scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
View File

@@ -519,7 +519,7 @@ class lighttpd extends HttpConfigBase
$ssl_settings .= 'ssl.ca-file = "' . makeCorrectFile($domain['ssl_ca_file']) . '"' . "\n";
}
if ($domain['hsts'] > 0) {
if ($domain['hsts'] >= 0) {
$vhost_content .= '$HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=' . $domain['hsts'];
if ($domain['hsts_sub'] == 1) {

589
scripts/jobs/cron_tasks.inc.http.30.nginx.php
View File

File diff suppressed because it is too large Load Diff