added tls-settings per domain for admins with change_serversettings-flag set; fixes #519
Signed-off-by: Michael Kaufmann <michael.kaufmann@aixit.com>
@@ -178,7 +178,7 @@ class Apache extends HttpConfigBase
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' ServerName ' . Settings::Get('system.hostname') . "\n";
|
||||
|
||||
$froxlor_aliases = Settings::Get('system.froxloraliases');
|
||||
if (!empty($froxlor_aliases)) {
|
||||
if (! empty($froxlor_aliases)) {
|
||||
$froxlor_aliases = explode(",", $froxlor_aliases);
|
||||
$aliases = "";
|
||||
foreach ($froxlor_aliases as $falias) {
|
||||
@@ -187,7 +187,7 @@ class Apache extends HttpConfigBase
|
||||
}
|
||||
}
|
||||
$aliases = trim($aliases);
|
||||
if (!empty($aliases)) {
|
||||
if (! empty($aliases)) {
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' ServerAlias ' . $aliases . "\n";
|
||||
}
|
||||
}
|
||||
@@ -483,7 +483,7 @@ class Apache extends HttpConfigBase
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
|
||||
$protocols = array_map('trim', explode(",", Settings::Get('system.ssl_protocols')));
|
||||
if (in_array("TLSv1.3", $protocols) && !empty(Settings::Get('system.tlsv13_cipher_list')) && Settings::Get('system.apache24') == 1) {
|
||||
if (in_array("TLSv1.3", $protocols) && ! empty(Settings::Get('system.tlsv13_cipher_list')) && Settings::Get('system.apache24') == 1) {
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite TLSv1.3 ' . Settings::Get('system.tlsv13_cipher_list') . "\n";
|
||||
}
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLVerifyDepth 10' . "\n";
|
||||
@@ -967,8 +967,13 @@ class Apache extends HttpConfigBase
|
||||
}
|
||||
|
||||
if ($domain['ssl_cert_file'] != '') {
|
||||
|
||||
$ssl_protocols = ($domain['override_tls'] == '1' && ! empty($domain['ssl_protocols'])) ? $domain['ssl_protocols'] : Settings::Get('system.ssl_protocols');
|
||||
$ssl_cipher_list = ($domain['override_tls'] == '1' && ! empty($domain['ssl_cipher_list'])) ? $domain['ssl_cipher_list'] : Settings::Get('system.ssl_cipher_list');
|
||||
$tlsv13_cipher_list = ($domain['override_tls'] == '1' && ! empty($domain['tlsv13_cipher_list'])) ? $domain['tlsv13_cipher_list'] : Settings::Get('system.tlsv13_cipher_list');
|
||||
|
||||
$vhost_content .= ' SSLEngine On' . "\n";
|
||||
$vhost_content .= ' SSLProtocol -ALL +' . str_replace(",", " +", Settings::Get('system.ssl_protocols')) . "\n";
|
||||
$vhost_content .= ' SSLProtocol -ALL +' . str_replace(",", " +", $ssl_protocols) . "\n";
|
||||
if (Settings::Get('system.apache24') == '1') {
|
||||
if (isset($domain['http2']) && $domain['http2'] == '1' && Settings::Get('system.http2_support') == '1') {
|
||||
$vhost_content .= ' Protocols h2 http/1.1' . "\n";
|
||||
@@ -984,10 +989,10 @@ class Apache extends HttpConfigBase
|
||||
}
|
||||
// this makes it more secure, thx to Marcel (08/2013)
|
||||
$vhost_content .= ' SSLHonorCipherOrder On' . "\n";
|
||||
$vhost_content .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
|
||||
$protocols = array_map('trim', explode(",", Settings::Get('system.ssl_protocols')));
|
||||
if (in_array("TLSv1.3", $protocols) && !empty(Settings::Get('system.tlsv13_cipher_list')) && Settings::Get('system.apache24') == 1) {
|
||||
$vhost_content .= ' SSLCipherSuite TLSv1.3 ' . Settings::Get('system.tlsv13_cipher_list') . "\n";
|
||||
$vhost_content .= ' SSLCipherSuite ' . $ssl_cipher_list . "\n";
|
||||
$protocols = array_map('trim', explode(",", $ssl_protocols));
|
||||
if (in_array("TLSv1.3", $protocols) && ! empty($tlsv13_cipher_list) && Settings::Get('system.apache24') == 1) {
|
||||
$vhost_content .= ' SSLCipherSuite TLSv1.3 ' . $tlsv13_cipher_list . "\n";
|
||||
}
|
||||
$vhost_content .= ' SSLVerifyDepth 10' . "\n";
|
||||
$vhost_content .= ' SSLCertificateFile ' . \Froxlor\FileDir::makeCorrectFile($domain['ssl_cert_file']) . "\n";
|
||||
|
||||
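Review bot: The per-domain `ssl_protocols`, `ssl_cipher_list` and `tlsv13_cipher_list` values are written into the `SSLProtocol` and `SSLCipherSuite` lines exactly as stored, and no validation is visible in this diff, so a line break or stray token in a domain row would become extra directives in a config file the web server loads; the Lighttpd (`ssl.cipher-list`) and Nginx (`ssl_protocols`, `ssl_ciphers`) sections share the pattern. Unless the save path already enforces it, I would normalise before use, e.g. `$ssl_protocols = implode(',', array_intersect(array_map('trim', explode(',', $ssl_protocols)), ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']));`, and fall back to the system values when that list is empty or when `preg_match('/^[A-Za-z0-9:!+@=_-]+$/', $ssl_cipher_list)` fails. The trim also matters for correctness: `str_replace(",", " +", $ssl_protocols)` turns a value such as "TLSv1.2, TLSv1.3" into `+TLSv1.2 + TLSv1.3`, while the TLSv1.3 check a few lines below trims before comparing. `$domain['override_tls']` is read without `isset()` here although the Nginx section guards it, and the enclosing method starts and ends outside these hunks.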
@@ -570,6 +570,8 @@ class Lighttpd extends HttpConfigBase
|
||||
|
||||
if ($domain['ssl_cert_file'] != '') {
|
||||
|
||||
$ssl_cipher_list = ($domain['override_tls'] == '1' && ! empty($domain['ssl_cipher_list'])) ? $domain['ssl_cipher_list'] : Settings::Get('system.ssl_cipher_list');
|
||||
|
||||
// ssl.engine only necessary once in the ip/port vhost (SERVER['socket'] condition)
|
||||
// $ssl_settings .= 'ssl.engine = "enable"' . "\n";
|
||||
$ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
|
||||
@@ -583,7 +585,7 @@ class Lighttpd extends HttpConfigBase
|
||||
}
|
||||
$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
|
||||
$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
|
||||
$ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
|
||||
$ssl_settings .= 'ssl.cipher-list = "' . $ssl_cipher_list . '"' . "\n";
|
||||
$ssl_settings .= 'ssl.honor-cipher-order = "enable"' . "\n";
|
||||
$ssl_settings .= 'ssl.pemfile = "' . \Froxlor\FileDir::makeCorrectFile($domain['ssl_cert_file']) . '"' . "\n";
|
||||
|
||||
|
||||
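Review bot: Only `ssl_cipher_list` is overridden in this section, so a per-domain `ssl_protocols` or `tlsv13_cipher_list` saved with `override_tls` has no effect on the lighttpd output, which still hard-codes `ssl.use-sslv2` and `ssl.use-sslv3` to "disable". An admin who tightens the protocol list for one domain in the panel would see no error and no change in the generated config. Either map the protocol list to the lighttpd directives or state the limitation next to the new assignment, e.g. `// per-domain ssl_protocols / tlsv13_cipher_list are not applied for lighttpd`. `$domain['override_tls']` is also read without `isset()`, unlike the Nginx section, and the enclosing method continues outside both hunks.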
@@ -678,10 +678,14 @@ class Nginx extends HttpConfigBase
|
||||
if (! file_exists($domain_or_ip['ssl_cert_file'])) {
|
||||
\Froxlor\FroxlorLogger::getInstanceOf()->logAction(\Froxlor\FroxlorLogger::CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate file "' . $domain_or_ip['ssl_cert_file'] . '" does not exist! Cannot create ssl-directives');
|
||||
} else {
|
||||
|
||||
$ssl_protocols = (isset($domain_or_ip['override_tls']) && $domain_or_ip['override_tls'] == '1' && ! empty($domain_or_ip['ssl_protocols'])) ? $domain_or_ip['ssl_protocols'] : Settings::Get('system.ssl_protocols');
|
||||
$ssl_cipher_list = (isset($domain_or_ip['override_tls']) && $domain_or_ip['override_tls'] == '1' && ! empty($domain_or_ip['ssl_cipher_list'])) ? $domain_or_ip['ssl_cipher_list'] : Settings::Get('system.ssl_cipher_list');
|
||||
|
||||
// obsolete: ssl on now belongs to the listen block as 'ssl' at the end
|
||||
// $sslsettings .= "\t" . 'ssl on;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", $ssl_protocols) . ';' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_ciphers ' . $ssl_cipher_list . ';' . "\n";
|
||||
if (! empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = \Froxlor\FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (! file_exists($dhparams)) {
|
||||
|
||||
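Review bot: `ssl_protocols` is now emitted per server block, but nginx has historically taken the protocol set for name-based hosts from the default server of the listen socket, so a per-domain restriction may not take effect on a shared IP/port depending on the nginx and OpenSSL versions in use. That is worth verifying against the supported versions and recording next to the assignment, e.g. `// NOTE: ssl_protocols in a non-default server block may be ignored by nginx; verify on the deployed version`. The per-domain `tlsv13_cipher_list` that the Apache section honours is not applied here either, as far as this hunk shows. The `else` branch continues past the end of the hunk.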
@@ -36,9 +36,7 @@ class WebserverBase
|
||||
`d`.`phpsettingid`, `c`.`adminid`, `c`.`guid`, `c`.`email`,
|
||||
`c`.`documentroot` AS `customerroot`, `c`.`deactivated`,
|
||||
`c`.`phpenabled` AS `phpenabled_customer`,
|
||||
`d`.`phpenabled` AS `phpenabled_vhost`,
|
||||
`d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests`,
|
||||
`d`.`ocsp_stapling`
|
||||
`d`.`phpenabled` AS `phpenabled_vhost`
|
||||
FROM `" . TABLE_PANEL_DOMAINS . "` `d`
|
||||
|
||||
LEFT JOIN `" . TABLE_PANEL_CUSTOMERS . "` `c` USING(`customerid`)
|
||||
|
||||
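Review bot: The select list drops `mod_fcgid_starter`, `mod_fcgid_maxrequests` and `ocsp_stapling`, and none of the columns the vhost generators now read (`override_tls`, `ssl_protocols`, `ssl_cipher_list`, `tlsv13_cipher_list`) are named in the visible part of the query. Presumably a `d.*` earlier in the SELECT supplies them, but the query starts outside the hunk, so that cannot be confirmed from here. If a column were missing, the Apache and Lighttpd code would fall back to the system-wide TLS settings with only a PHP notice, so the override would silently not apply. A PHP comment above the query would make the dependency explicit, e.g. `// all domain columns (incl. override_tls and the per-domain TLS fields) come from d.*; only aliased columns are listed explicitly`.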