add dhparams for webserver/ssl, refs #519

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2018-11-18 20:34:53 +01:00
parent 776bb56b24
commit b032f5b2ba
10 changed files with 71 additions and 4 deletions
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -73,6 +73,17 @@ return array(
 					),
 					'visible' => Settings::Get('system.use_ssl')
 				),
 				'system_dhparams_file' => array(
 					'label' => $lng['serversettings']['dhparams_file'],
 					'settinggroup' => 'system',
 					'varname' => 'dhparams_file',
 					'type' => 'string',
 					'string_type' => 'file',
 					'string_emptyallowed' => true,
 					'default' => '',
 					'save_method' => 'storeSettingField',
 					'visible' => Settings::Get('system.use_ssl')
 				),
 				'system_httpuser' => array(
 					'label' => $lng['admin']['webserver_user'],
 					'settinggroup' => 'system',
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -654,6 +654,7 @@ opcache.interned_strings_buffer'),
 	('system', 'logfiles_type', '1'),
 	('system', 'logfiles_piped', '0'),
 	('system', 'logfiles_script', ''),
 	('system', 'dhparams_file', ''),
 	('api', 'enabled', '0'),
 	('panel', 'decimal_places', '4'),
 	('panel', 'adminmail', 'admin@SERVERNAME'),
@@ -687,7 +688,7 @@ opcache.interned_strings_buffer'),
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
 	('panel', 'customer_hide_options', ''),
 	('panel', 'version', '0.10.0'),
-	('panel', 'db_version', '201809280');
+	('panel', 'db_version', '201811180');
 DROP TABLE IF EXISTS `panel_tasks`;
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -21,8 +21,8 @@ if (! defined('_CRON_UPDATE')) {
 	}
 }
-if (isFroxlorVersion('0.9.39.5')) {
+if (isFroxlorVersion('0.9.40')) {
-	showUpdateStep("Updating from 0.9.39.5 to 0.10.0", false);
+	showUpdateStep("Updating from 0.9.40 to 0.10.0", false);
 	showUpdateStep("Adding new api keys table");
 	Database::query("DROP TABLE IF EXISTS `api_keys`;");
@@ -68,3 +68,12 @@ if (isFroxlorVersion('0.9.39.5')) {
 	updateToVersion('0.10.0');
 }
 if (isDatabaseVersion('201809280')) {
 	showUpdateStep("Adding dhparams-file setting");
 	Settings::AddNew("system.dhparams_file",  '');
 	lastStepStatus(0);
 	updateToDbVersion('201811180');
 }
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -4060,3 +4060,8 @@ if (isDatabaseVersion('201809180')) {
 	updateToDbVersion('201809280');
 }
 if (isFroxlorVersion('0.9.39.5')) {
 	showUpdateStep("Updating from 0.9.39.5 to 0.9.40", false);
 	updateToVersion('0.9.40');
 }
--- a/lib/version.inc.php
+++ b/lib/version.inc.php
@@ -19,7 +19,7 @@
 $version = '0.10.0';
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201809280';
+$dbversion = '201811180';
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2148,3 +2148,5 @@ $lng['apikeys']['valid_until'] = 'Valid until';
 $lng['apikeys']['valid_until_help'] = 'Date until valid, format YYYY-MM-DD';
 $lng['serversettings']['enable_api']['title'] = 'Enable external API usage';
 $lng['serversettings']['enable_api']['description'] = 'In order to use the froxlor API you need to activate this option. For more detailed information see <a href="https://api.froxlor.org/" target="_new">https://api.froxlor.org/</a>';
 $lng['serversettings']['dhparams_file']['title'] = 'DHParams file (Diffie–Hellman key exchange)';
 $lng['serversettings']['dhparams_file']['description'] = 'If a dhparams.pem file is specified here it will be included in the webserver configuration. Leave empty to disable.<br>Example: /etc/apache2/ssl/dhparams.pem<br><br>If the file does not exist, it will be created automatically with the following command: <em>openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096<em>. It is recommended to create the file prior to specifying it here as the creation takes quite a while and blocks the cronjob.';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1796,3 +1796,5 @@ $lng['apikeys']['valid_until'] = 'Gültig bis';
 $lng['apikeys']['valid_until_help'] = 'Datum Gültigkeitsende, Format JJJJ-MM-TT';
 $lng['serversettings']['enable_api']['title'] = 'Aktiviere externe API Nutzung';
 $lng['serversettings']['enable_api']['description'] = 'Um die froxlor API nutzen zu können, muss diese Option aktiviert sein. Für detaillierte Informationen siehe <a href="https://api.froxlor.org/" target="_new">https://api.froxlor.org/</a>';
 $lng['serversettings']['dhparams_file']['title'] = 'DHParams Datei (Diffie–Hellman key exchange)';
 $lng['serversettings']['dhparams_file']['description'] = 'Wird eine dhparams.pem Datei hier angegeben, wir sie in die Webserver Konfiguration mit eingefügt.<br>Beispiel: /etc/apache2/ssl/dhparams.pem<br><br>Existiert die Datei nicht, wird sie wie folgt erstellt: <em>openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096<em>. Es wird empfohlen die Datei zu erstellen, bevor sie hier angegeben wird, da die Erstellung längere Zeit in Anspruch nimmt und den Cronjob blockiert.';
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -474,6 +474,13 @@ class apache extends HttpConfigBase
 								if (Settings::Get('system.http2_support') == '1') {
 									$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
 								}
 								if (!empty(Settings::Get('system.dhparams_file'))) {
 									$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
 									if (!file_exists($dhparams)) {
 										safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
 									}
 									$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 								}
 								$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
 							}
 							// this makes it more secure, thx to Marcel (08/2013)
@@ -937,6 +944,13 @@ class apache extends HttpConfigBase
 					if (isset($domain['http2']) && $domain['http2'] == '1' && Settings::Get('system.http2_support') == '1') {
 						$vhost_content .= ' Protocols h2 http/1.1' . "\n";
 					}
 					if (!empty(Settings::Get('system.dhparams_file'))) {
 						$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
 						if (!file_exists($dhparams)) {
 							safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
 						}
 						$vhost_content .= '  SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 					}
 					$vhost_content .= '  SSLCompression Off' . "\n";
 				}
 				// this makes it more secure, thx to Marcel (08/2013)
--- a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
+++ b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
@@ -243,6 +243,14 @@ class lighttpd extends HttpConfigBase
 					} else {
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.engine = "enable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-compression = "disable"' . "\n";
 						if (!empty(Settings::Get('system.dhparams_file'))) {
 							$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
 							if (!file_exists($dhparams)) {
 								safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
 							}
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
 						}
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv2 = "disable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv3 = "disable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
@@ -552,6 +560,14 @@ class lighttpd extends HttpConfigBase
 				// ssl.engine only necessary once in the ip/port vhost (SERVER['socket'] condition)
 				//$ssl_settings .= 'ssl.engine = "enable"' . "\n";
 				$ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
 						safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
 					}
 					$ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 					$ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";
 				}
 				$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
 				$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
 				$ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -625,6 +625,13 @@ class nginx extends HttpConfigBase
 				// $sslsettings .= "\t" . 'ssl on;' . "\n";
 				$sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
 				$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
 						safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
 					}
 					$sslsettings .= 'ssl_dhparam ' . $dhparams . ';' . "\n";
 				}
 				$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
 				$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
 				$sslsettings .= "\t" . 'ssl_certificate ' . makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";