add dhparams for webserver/ssl, refs #519
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
@@ -73,6 +73,17 @@ return array(
|
||||
),
|
||||
'visible' => Settings::Get('system.use_ssl')
|
||||
),
|
||||
'system_dhparams_file' => array(
|
||||
'label' => $lng['serversettings']['dhparams_file'],
|
||||
'settinggroup' => 'system',
|
||||
'varname' => 'dhparams_file',
|
||||
'type' => 'string',
|
||||
'string_type' => 'file',
|
||||
'string_emptyallowed' => true,
|
||||
'default' => '',
|
||||
'save_method' => 'storeSettingField',
|
||||
'visible' => Settings::Get('system.use_ssl')
|
||||
),
|
||||
'system_httpuser' => array(
|
||||
'label' => $lng['admin']['webserver_user'],
|
||||
'settinggroup' => 'system',
|
||||
|
||||
@@ -654,6 +654,7 @@ opcache.interned_strings_buffer'),
|
||||
('system', 'logfiles_type', '1'),
|
||||
('system', 'logfiles_piped', '0'),
|
||||
('system', 'logfiles_script', ''),
|
||||
('system', 'dhparams_file', ''),
|
||||
('api', 'enabled', '0'),
|
||||
('panel', 'decimal_places', '4'),
|
||||
('panel', 'adminmail', 'admin@SERVERNAME'),
|
||||
@@ -687,7 +688,7 @@ opcache.interned_strings_buffer'),
|
||||
('panel', 'password_special_char', '!?<>§$%+#=@'),
|
||||
('panel', 'customer_hide_options', ''),
|
||||
('panel', 'version', '0.10.0'),
|
||||
('panel', 'db_version', '201809280');
|
||||
('panel', 'db_version', '201811180');
|
||||
|
||||
|
||||
DROP TABLE IF EXISTS `panel_tasks`;
|
||||
|
||||
@@ -21,8 +21,8 @@ if (! defined('_CRON_UPDATE')) {
|
||||
}
|
||||
}
|
||||
|
||||
if (isFroxlorVersion('0.9.39.5')) {
|
||||
showUpdateStep("Updating from 0.9.39.5 to 0.10.0", false);
|
||||
if (isFroxlorVersion('0.9.40')) {
|
||||
showUpdateStep("Updating from 0.9.40 to 0.10.0", false);
|
||||
|
||||
showUpdateStep("Adding new api keys table");
|
||||
Database::query("DROP TABLE IF EXISTS `api_keys`;");
|
||||
@@ -68,3 +68,12 @@ if (isFroxlorVersion('0.9.39.5')) {
|
||||
|
||||
updateToVersion('0.10.0');
|
||||
}
|
||||
|
||||
if (isDatabaseVersion('201809280')) {
|
||||
|
||||
showUpdateStep("Adding dhparams-file setting");
|
||||
Settings::AddNew("system.dhparams_file", '');
|
||||
lastStepStatus(0);
|
||||
|
||||
updateToDbVersion('201811180');
|
||||
}
|
||||
|
||||
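Review bot: `lastStepStatus(0)` is reported unconditionally after `Settings::AddNew("system.dhparams_file", '')`, so a failed insert of the new setting would still be shown as a successful update step; if `Settings::AddNew` reports a result, feed that into the status call instead of the constant. The key is also the only double-quoted string in this step while the surrounding update code and every `Settings::Get('system.dhparams_file')` caller in the webserver classes use single quotes; `Settings::AddNew('system.dhparams_file', '');` keeps the file consistent.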
@@ -4060,3 +4060,8 @@ if (isDatabaseVersion('201809180')) {
|
||||
|
||||
updateToDbVersion('201809280');
|
||||
}
|
||||
|
||||
if (isFroxlorVersion('0.9.39.5')) {
|
||||
showUpdateStep("Updating from 0.9.39.5 to 0.9.40", false);
|
||||
updateToVersion('0.9.40');
|
||||
}
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
$version = '0.10.0';
|
||||
|
||||
// Database version (YYYYMMDDC where C is a daily counter)
|
||||
$dbversion = '201809280';
|
||||
$dbversion = '201811180';
|
||||
|
||||
// Distribution branding-tag (used for Debian etc.)
|
||||
$branding = '';
|
||||
|
||||
@@ -2148,3 +2148,5 @@ $lng['apikeys']['valid_until'] = 'Valid until';
|
||||
$lng['apikeys']['valid_until_help'] = 'Date until valid, format YYYY-MM-DD';
|
||||
$lng['serversettings']['enable_api']['title'] = 'Enable external API usage';
|
||||
$lng['serversettings']['enable_api']['description'] = 'In order to use the froxlor API you need to activate this option. For more detailed information see <a href="https://api.froxlor.org/" target="_new">https://api.froxlor.org/</a>';
|
||||
$lng['serversettings']['dhparams_file']['title'] = 'DHParams file (Diffie–Hellman key exchange)';
|
||||
$lng['serversettings']['dhparams_file']['description'] = 'If a dhparams.pem file is specified here it will be included in the webserver configuration. Leave empty to disable.<br>Example: /etc/apache2/ssl/dhparams.pem<br><br>If the file does not exist, it will be created automatically with the following command: <em>openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096<em>. It is recommended to create the file prior to specifying it here as the creation takes quite a while and blocks the cronjob.';
|
||||
|
||||
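Review bot: The new description string closes its emphasis with a second opening tag, `<em>openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096<em>`, so the element is never closed and everything following it on the settings page is rendered in italics; the second tag should read `</em>`. The German string added in the next hunk carries the same typo and should be fixed together with this one.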
@@ -1796,3 +1796,5 @@ $lng['apikeys']['valid_until'] = 'Gültig bis';
|
||||
$lng['apikeys']['valid_until_help'] = 'Datum Gültigkeitsende, Format JJJJ-MM-TT';
|
||||
$lng['serversettings']['enable_api']['title'] = 'Aktiviere externe API Nutzung';
|
||||
$lng['serversettings']['enable_api']['description'] = 'Um die froxlor API nutzen zu können, muss diese Option aktiviert sein. Für detaillierte Informationen siehe <a href="https://api.froxlor.org/" target="_new">https://api.froxlor.org/</a>';
|
||||
$lng['serversettings']['dhparams_file']['title'] = 'DHParams Datei (Diffie–Hellman key exchange)';
|
||||
$lng['serversettings']['dhparams_file']['description'] = 'Wird eine dhparams.pem Datei hier angegeben, wir sie in die Webserver Konfiguration mit eingefügt.<br>Beispiel: /etc/apache2/ssl/dhparams.pem<br><br>Existiert die Datei nicht, wird sie wie folgt erstellt: <em>openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096<em>. Es wird empfohlen die Datei zu erstellen, bevor sie hier angegeben wird, da die Erstellung längere Zeit in Anspruch nimmt und den Cronjob blockiert.';
|
||||
|
||||
@@ -474,6 +474,13 @@ class apache extends HttpConfigBase
|
||||
if (Settings::Get('system.http2_support') == '1') {
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
|
||||
}
|
||||
if (!empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (!file_exists($dhparams)) {
|
||||
safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
|
||||
}
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
|
||||
}
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
|
||||
}
|
||||
// this makes it more secure, thx to Marcel (08/2013)
|
||||
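Review bot: The `SSLOpenSSLConfCmd DHParameters` directive is written even when the `safe_exec('openssl dhparam …')` call does not produce the file (unwritable directory, openssl not on the cron's PATH), so Apache is handed a path that does not exist and its next configtest or reload fails; wrap the directive in `if (file_exists($dhparams)) { … }` after the `safe_exec` and log when the file is still missing. The same resolve-or-generate block is pasted five times (here, the second apache hunk, both lighttpd hunks and the nginx hunk) and belongs in one `HttpConfigBase` helper, for example a `protected function getDhparamsFile()` that returns the verified path or null, so the existence check and generation policy live in one place. Generating 4096-bit parameters inline also stalls the whole cron run for several minutes, which the setting description itself admits; generating once when the setting is saved, or in a dedicated task, would keep vhost regeneration fast. `SSLOpenSSLConfCmd` needs Apache 2.4.8 or later built against OpenSSL 1.0.2 or later, which deserves a comment such as `// SSLOpenSSLConfCmd requires apache >= 2.4.8 with openssl >= 1.0.2`. The enclosing method begins and ends outside the hunk.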
@@ -937,6 +944,13 @@ class apache extends HttpConfigBase
|
||||
if (isset($domain['http2']) && $domain['http2'] == '1' && Settings::Get('system.http2_support') == '1') {
|
||||
$vhost_content .= ' Protocols h2 http/1.1' . "\n";
|
||||
}
|
||||
if (!empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (!file_exists($dhparams)) {
|
||||
safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
|
||||
}
|
||||
$vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
|
||||
}
|
||||
$vhost_content .= ' SSLCompression Off' . "\n";
|
||||
}
|
||||
// this makes it more secure, thx to Marcel (08/2013)
|
||||
|
||||
@@ -243,6 +243,14 @@ class lighttpd extends HttpConfigBase
|
||||
} else {
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.engine = "enable"' . "\n";
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-compression = "disable"' . "\n";
|
||||
if (!empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (!file_exists($dhparams)) {
|
||||
safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
|
||||
}
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
|
||||
}
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv2 = "disable"' . "\n";
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv3 = "disable"' . "\n";
|
||||
$this->lighttpd_data[$vhost_filename] .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
|
||||
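Review bot: `ssl.ec-curve = "secp384r1"` is emitted inside the `system.dhparams_file` block although the ECDHE curve is independent of the DH parameter file, so installations without a dhparams file silently keep lighttpd's default curve; move that line out of the `if` so it is written unconditionally, here and in the second lighttpd hunk. As in the apache and nginx hunks, `ssl.dh-file` is still written when the `openssl dhparam` call fails to create the file, which makes lighttpd refuse to start on the next reload; re-check `file_exists($dhparams)` before appending the directive. The enclosing method begins and ends outside the hunk.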
@@ -552,6 +560,14 @@ class lighttpd extends HttpConfigBase
|
||||
// ssl.engine only necessary once in the ip/port vhost (SERVER['socket'] condition)
|
||||
//$ssl_settings .= 'ssl.engine = "enable"' . "\n";
|
||||
$ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
|
||||
if (!empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (!file_exists($dhparams)) {
|
||||
safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
|
||||
}
|
||||
$ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
|
||||
$ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";
|
||||
}
|
||||
$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
|
||||
$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
|
||||
$ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
|
||||
|
||||
@@ -625,6 +625,13 @@ class nginx extends HttpConfigBase
|
||||
// $sslsettings .= "\t" . 'ssl on;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
|
||||
if (!empty(Settings::Get('system.dhparams_file'))) {
|
||||
$dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
|
||||
if (!file_exists($dhparams)) {
|
||||
safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
|
||||
}
|
||||
$sslsettings .= 'ssl_dhparam ' . $dhparams . ';' . "\n";
|
||||
}
|
||||
$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_certificate ' . makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
|
||||
|
||||
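Review bot: The `ssl_dhparam` line omits the `"\t" .` prefix that every neighbouring `ssl_*` directive in this block carries, so the generated server block contains one unindented directive; make it `$sslsettings .= "\t" . 'ssl_dhparam ' . $dhparams . ';' . "\n";`. nginx also refuses to load a configuration whose `ssl_dhparam` points to a missing file, so when the `openssl dhparam` call fails the directive should be skipped rather than written, i.e. guard it with `if (file_exists($dhparams))` after the `safe_exec`. The enclosing method begins and ends outside the hunk.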