add optional dns validation for let's encrypt activated domains; fixes #817
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
@@ -214,11 +214,11 @@ return array(
|
||||
'save_method' => 'storeSettingField'
|
||||
),
|
||||
'system_disable_le_selfcheck' => array(
|
||||
'label' => $lng['serversettings']['disable_le_selfcheck'],
|
||||
'label' => $lng['serversettings']['le_domain_dnscheck'],
|
||||
'settinggroup' => 'system',
|
||||
'varname' => 'disable_le_selfcheck',
|
||||
'varname' => 'le_domain_dnscheck',
|
||||
'type' => 'bool',
|
||||
'default' => false,
|
||||
'default' => true,
|
||||
'save_method' => 'storeSettingField'
|
||||
)
|
||||
)
|
||||
|
||||
@@ -654,7 +654,7 @@ opcache.interned_strings_buffer'),
|
||||
('system', 'leregistered', '0'),
|
||||
('system', 'leaccount', ''),
|
||||
('system', 'nssextrausers', '0'),
|
||||
('system', 'disable_le_selfcheck', '0'),
|
||||
('system', 'le_domain_dnscheck', '1'),
|
||||
('system', 'ssl_protocols', 'TLSv1,TLSv1.2'),
|
||||
('system', 'tlsv13_cipher_list', ''),
|
||||
('system', 'honorcipherorder', '0'),
|
||||
@@ -705,7 +705,7 @@ opcache.interned_strings_buffer'),
|
||||
('panel', 'customer_hide_options', ''),
|
||||
('panel', 'is_configured', '0'),
|
||||
('panel', 'version', '0.10.15'),
|
||||
('panel', 'db_version', '202002290');
|
||||
('panel', 'db_version', '202004140');
|
||||
|
||||
|
||||
DROP TABLE IF EXISTS `panel_tasks`;
|
||||
|
||||
@@ -602,3 +602,13 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.14')) {
|
||||
showUpdateStep("Updating from 0.10.14 to 0.10.15", false);
|
||||
\Froxlor\Froxlor::updateToVersion('0.10.15');
|
||||
}
|
||||
|
||||
if (\Froxlor\Froxlor::isDatabaseVersion('202002290')) {
|
||||
showUpdateStep("Adding new setting to validate DNS when using Let's Encrypt");
|
||||
Database::query("DELETE FROM `" . TABLE_PANEL_SETTINGS . "` WHERE `settinggroup` = 'system' AND `varname` = 'disable_le_selfcheck'");
|
||||
$le_domain_dnscheck = isset($_POST['system_le_domain_dnscheck']) ? (int) $_POST['system_le_domain_dnscheck'] : '1';
|
||||
Settings::AddNew("system.le_domain_dnscheck", $le_domain_dnscheck);
|
||||
lastStepStatus(0);
|
||||
|
||||
\Froxlor\Froxlor::updateToDbVersion('202004140');
|
||||
}
|
||||
|
||||
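Review bot: The value read from `$_POST['system_le_domain_dnscheck']` is persisted after a bare `(int)` cast, so any submitted value other than 0 or 1 is stored as-is even though `AcmeSh::validateDns` later compares the setting against `'1'`; the not-set branch also stores the string `'1'` while the set branch stores an int. Restricting the stored value to the two strings the rest of the code expects keeps both branches consistent: `$le_domain_dnscheck = isset($_POST['system_le_domain_dnscheck']) && in_array($_POST['system_le_domain_dnscheck'], array('0', '1'), true) ? $_POST['system_le_domain_dnscheck'] : '1';`. The step also deletes the `disable_le_selfcheck` row; this chunk shows no change to code that may still read `system.disable_le_selfcheck`, so if any such reader remains it should be confirmed to tolerate the missing setting.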
@@ -34,6 +34,9 @@ function getPreConfig($current_version, $current_db_version)
|
||||
include_once \Froxlor\FileDir::makeCorrectFile(dirname(__FILE__) . '/preconfig/0.9/preconfig_0.9.inc.php');
|
||||
parseAndOutputPreconfig($has_preconfig, $return, $current_version, $current_db_version);
|
||||
|
||||
include_once \Froxlor\FileDir::makeCorrectFile(dirname(__FILE__) . '/preconfig/0.10/preconfig_0.10.inc.php');
|
||||
parseAndOutputPreconfig2($has_preconfig, $return, $current_version, $current_db_version);
|
||||
|
||||
$return .= '<br /><br />' . \Froxlor\UI\HTML::makecheckbox('update_changesagreed', '<strong>I have read the update notifications above and I am aware of the changes made to my system.</strong>', '1', true, '0', true);
|
||||
$return .= '</div>';
|
||||
$return .= '<input type="hidden" name="update_preconfig" value="1" />';
|
||||
|
||||
42
install/updates/preconfig/0.10/preconfig_0.10.inc.php
Normal file
@@ -0,0 +1,42 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* This file is part of the Froxlor project.
|
||||
* Copyright (c) 2010 the Froxlor Team (see authors).
|
||||
*
|
||||
* For the full copyright and license information, please view the COPYING
|
||||
* file that was distributed with this source code. You can also view the
|
||||
* COPYING file online at http://files.froxlor.org/misc/COPYING.txt
|
||||
*
|
||||
* @copyright (c) the authors
|
||||
* @author Froxlor team <team@froxlor.org> (2010-)
|
||||
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
|
||||
* @package Updater
|
||||
*
|
||||
*/
|
||||
|
||||
/**
|
||||
* checks if the new-version has some updating to do
|
||||
*
|
||||
* @param boolean $has_preconfig
|
||||
* pointer to check if any preconfig has to be output
|
||||
* @param string $return
|
||||
* pointer to output string
|
||||
* @param string $current_version
|
||||
* current froxlor version
|
||||
*
|
||||
* @return null
|
||||
*/
|
||||
function parseAndOutputPreconfig2(&$has_preconfig, &$return, $current_version, $current_db_version)
|
||||
{
|
||||
global $lng;
|
||||
|
||||
if (versionInUpdate($current_db_version, '202004140')) {
|
||||
$has_preconfig = true;
|
||||
$description = 'Froxlor can now optionally validate the dns entries of domains that request Lets Encrypt certificates to reduce dns-related problems (e.g. freshly registered domain or updated a-record).<br />';
|
||||
$question = '<strong>Validate DNS of domains when using Lets Encrypt ';
|
||||
$question .= \Froxlor\UI\HTML::makeyesno('system_le_domain_dnscheck', '1', '0', '1');
|
||||
|
||||
eval("\$return.=\"" . \Froxlor\UI\Template::getTemplate("update/preconfigitem") . "\";");
|
||||
}
|
||||
}
|
||||
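Review bot: `parseAndOutputPreconfig2` declares `global $lng;` but never uses it, and its docblock omits `$current_db_version` (the only version argument the body reads, via `versionInUpdate`) while the documented `$current_version` is unused. Drop the `global $lng;` line and add `@param string $current_db_version current froxlor database version` to the docblock. The `<strong>` opened in `$question` is never closed in this function; unless the `update/preconfigitem` template closes it, the yes/no control and everything after it render bold, so close it in place: `$question = '<strong>Validate DNS of domains when using Lets Encrypt</strong> ';`. Because the template body is spliced into an `eval`'d double-quoted PHP string, its content is executed as code; that is the project's existing preconfig pattern, but it means the template file must remain trusted (not writable by the web-server user).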
@@ -4,6 +4,8 @@ namespace Froxlor\Cron\Http\LetsEncrypt;
|
||||
use Froxlor\FroxlorLogger;
|
||||
use Froxlor\Settings;
|
||||
use Froxlor\Database\Database;
|
||||
use Froxlor\PhpHelper;
|
||||
use Froxlor\Domain\Domain;
|
||||
|
||||
/**
|
||||
* This file is part of the Froxlor project.
|
||||
@@ -248,6 +250,9 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
self::validateDns($domains, $certrow['domainid'], $cronlog);
|
||||
|
||||
self::runAcmeSh($certrow, $domains, $cronlog, $do_force);
|
||||
} else {
|
||||
$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
|
||||
@@ -255,6 +260,32 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* validate dns (A / AAAA record) of domain against known system ips
|
||||
*
|
||||
* @param array $domains
|
||||
* @param int $domain_id
|
||||
* @param FroxlorLogger $cronlog
|
||||
*/
|
||||
private static function validateDns(&$domains = array(), $domain_id, &$cronlog)
|
||||
{
|
||||
if (Settings::Get('system.le_domain_dnscheck') == '1' && ! empty($domains)) {
|
||||
$loop_domains = $domains;
|
||||
// ips according to our system
|
||||
$our_ips = Domain::getIpsOfDomain($domain_id);
|
||||
foreach ($loop_domains as $idx => $domain) {
|
||||
$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Validating DNS of " . $domain);
|
||||
// ips accordint to NS
|
||||
$domain_ips = PhpHelper::gethostbynamel6($domain);
|
||||
if (count(array_intersect($our_ips, $domain_ips)) <= 0) {
|
||||
// no common ips...
|
||||
$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $domain . " due to no system known IP address via DNS check");
|
||||
unset($domains[$idx]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static function runAcmeSh($certrow = array(), $domains = array(), &$cronlog = null, $force = false)
|
||||
{
|
||||
if (! empty($domains)) {
|
||||
|
||||
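Review bot: `validateDns` declares the optional `&$domains = array()` before the required `$domain_id`, which PHP 8.0 deprecates (the default is ignored and the parameter is treated as required), so the default should be removed: `private static function validateDns(&$domains, $domain_id, &$cronlog)`. The check is also purely textual: `array_intersect` compares the ip strings stored in the database with whatever `PhpHelper::gethostbynamel6` returns, so an IPv6 address spelled differently on either side (compressed vs. expanded form) never intersects and the domain is skipped as if it did not resolve here; packing both lists with `inet_pton` behind a `filter_var(..., FILTER_VALIDATE_IP)` guard compares bytes instead of spelling and also tolerates a non-array return from the lookup helper, which `array_intersect` would otherwise reject (the helper's failure value is not visible from this hunk, so this part is hedged). Minor: the comment `// ips accordint to NS` has a typo, and `Settings::Get(...) == '1'` is a loose comparison where `=== '1'` is intended. validateDns lies entirely within the hunk; runAcmeSh continues outside it.
```php
    private static function validateDns(&$domains, $domain_id, &$cronlog)
    {
        if (Settings::Get('system.le_domain_dnscheck') == '1' && ! empty($domains)) {
            // compare packed addresses so differently spelled IPv6 forms still match;
            // the (array) cast also tolerates a non-array return from the lookup helper
            $packIps = function ($ips) {
                $packed = array();
                foreach ((array) $ips as $ip) {
                    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                        $packed[] = inet_pton($ip);
                    }
                }
                return $packed;
            };
            $loop_domains = $domains;
            // ips according to our system
            $our_ips = $packIps(Domain::getIpsOfDomain($domain_id));
            foreach ($loop_domains as $idx => $domain) {
                $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Validating DNS of " . $domain);
                // ips according to NS
                $domain_ips = $packIps(PhpHelper::gethostbynamel6($domain));
                if (count(array_intersect($our_ips, $domain_ips)) <= 0) {
                    // … unchanged: warning log line and unset($domains[$idx]) …
                }
            }
        }
    }
```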
@@ -6,6 +6,41 @@ use Froxlor\Database\Database;
|
||||
class Domain
|
||||
{
|
||||
|
||||
/**
|
||||
* return all ip addresses associated with given domain,
|
||||
* returns all ips if domain-id = 0 (froxlor.vhost)
|
||||
*
|
||||
* @param int $domain_id
|
||||
* @return array
|
||||
*/
|
||||
public static function getIpsOfDomain($domain_id)
|
||||
{
|
||||
if ($domain_id > 0) {
|
||||
$sel_stmt = Database::prepare("
|
||||
SELECT i.ip FROM `" . TABLE_PANEL_IPSANDPORTS . "` `i`
|
||||
LEFT JOIN `" . TABLE_DOMAINTOIP . "` `dip` ON dip.id_ipandports = i.id
|
||||
AND dip.id_domain = :domainid
|
||||
GROUP BY i.ip
|
||||
");
|
||||
$sel_param = array(
|
||||
'domainid' => $domain_id
|
||||
);
|
||||
} else {
|
||||
// assuming froxlor.vhost (id = 0)
|
||||
$sel_stmt = Database::prepare("
|
||||
SELECT ip FROM `" . TABLE_PANEL_IPSANDPORTS . "`
|
||||
GROUP BY ip
|
||||
");
|
||||
$sel_param = array();
|
||||
}
|
||||
Database::pexecute($sel_stmt, $sel_param);
|
||||
$result = array();
|
||||
while ($ip = $sel_stmt->fetch(\PDO::FETCH_ASSOC)) {
|
||||
$result[] = $ip['ip'];
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* return an array of all enabled redirect-codes
|
||||
*
|
||||
|
||||
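Review bot: In `getIpsOfDomain` the `$domain_id > 0` branch uses `LEFT JOIN ... ON dip.id_ipandports = i.id AND dip.id_domain = :domainid` with no WHERE clause, so every row of the ipsandports table survives the join (with NULL `dip` columns where nothing matches) and the function returns all system ips for any domain id, the same result as the id = 0 branch and contrary to the docblock's "all ip addresses associated with given domain". For the new DNS check in `AcmeSh::validateDns` this means a domain resolving to any system ip passes, not only one assigned to that domain. Make the join restrictive, `INNER JOIN \`" . TABLE_DOMAINTOIP . "\` \`dip\` ON dip.id_ipandports = i.id`, keeping the `AND dip.id_domain = :domainid` predicate (or move it into a WHERE clause). If "any system ip" is the intended semantics, the per-domain branch is redundant and the docblock should say so instead.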
@@ -10,7 +10,7 @@ final class Froxlor
|
||||
const VERSION = '0.10.15';
|
||||
|
||||
// Database version (YYYYMMDDC where C is a daily counter)
|
||||
const DBVERSION = '202002290';
|
||||
const DBVERSION = '202004140';
|
||||
|
||||
// Distribution branding-tag (used for Debian etc.)
|
||||
const BRANDING = '';
|
||||
|
||||
@@ -1982,8 +1982,8 @@ $lng['admin']['domain_http2']['title'] = 'HTTP2 support';
|
||||
$lng['admin']['domain_http2']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">Wikipedia</a> for a detailed explanation of HTTP2';
|
||||
$lng['admin']['testmail'] = 'SMTP test';
|
||||
$lng['success']['testmailsent'] = 'Test mail sent successfully';
|
||||
$lng['serversettings']['disable_le_selfcheck']['title'] = "Disable Let's Encrypt local self-check";
|
||||
$lng['serversettings']['disable_le_selfcheck']['description'] = "If activated, froxlor will <strong>not</strong> perform its self-check for token accessibility. Needed for NATed IP's or similar.";
|
||||
$lng['serversettings']['le_domain_dnscheck']['title'] = "Validate DNS of domains when using Let's Encrypt";
|
||||
$lng['serversettings']['le_domain_dnscheck']['description'] = "If activated, froxlor will validate whether the domain which requests a Let's Encrypt certificate resolves to at least one of the system ip addresses.";
|
||||
$lng['menue']['phpsettings']['fpmdaemons'] = 'PHP-FPM versions';
|
||||
$lng['admin']['phpsettings']['activephpconfigs'] = 'In use for php-config(s)';
|
||||
$lng['admin']['phpsettingsforsubdomains'] = 'Apply php-config to all subdomains:';
|
||||
|
||||
@@ -1632,8 +1632,8 @@ $lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
|
||||
$lng['admin']['domain_http2']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP.2F2">Wikipedia</a> für eine ausführliche Beschreibung von HTTP2';
|
||||
$lng['admin']['testmail'] = 'SMTP Test';
|
||||
$lng['success']['testmailsent'] = 'Test E-Mail erfolgreich gesendet';
|
||||
$lng['serversettings']['disable_le_selfcheck']['title'] = "Deaktiviere Let's Encrypt lokale Selbstprüfung";
|
||||
$lng['serversettings']['disable_le_selfcheck']['description'] = "Wenn aktiviert wird Froxlor <strong>keine</strong> Erreichbarkeitsprüfung des Tokens vornehmen. Nötig bei ge-NAT-eten IP-Adressen oder Ähnlichem";
|
||||
$lng['serversettings']['le_domain_dnscheck']['title'] = "Validiere DNS der Domains wenn Let's Encrypt genutzt wird";
|
||||
$lng['serversettings']['le_domain_dnscheck']['description'] = "Wenn aktiviert wird froxlor überprüfen ob die DNS Einträge der Domains, welche ein Let's Encrypt Zertifikat beantragt, mindestens auf eine der System IP Adressen auflöst.";
|
||||
$lng['menue']['phpsettings']['fpmdaemons'] = 'PHP-FPM Versionen';
|
||||
$lng['admin']['phpsettings']['activephpconfigs'] = 'In Verwendung für PHP-Konfiguration(en)';
|
||||
$lng['admin']['phpsettingsforsubdomains'] = 'PHP-Config für alle Subdomains übernehmen:';
|
||||
|
||||