maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

try to implement ssl-redirect for froxlor-vhost; combine various settings that are froxlor-vhost related into its own category, fixes #1480

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2016-09-11 17:48:08 +02:00
parent 28461de7bc
commit b8c2047379
15 changed files with 931 additions and 823 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
scripts/jobs/cron_letsencrypt.php
View File

@@ -27,8 +27,7 @@ if (! extension_loaded('curl')) {
exit();
}
$certificates_stmt = Database::query(
"
$certificates_stmt = Database::query("
SELECT
domssl.`id`,
domssl.`domainid`,
@@ -63,8 +62,7 @@ $certificates_stmt = Database::query(
)
");
$aliasdomains_stmt = Database::prepare(
"
$aliasdomains_stmt = Database::prepare("
SELECT
dom.`id` as domainid,
dom.`domain`,
@@ -76,8 +74,7 @@ $aliasdomains_stmt = Database::prepare(
AND dom.`iswildcarddomain` = 0
");
$updcert_stmt = Database::prepare(
"
$updcert_stmt = Database::prepare("
REPLACE INTO
`" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
SET
@@ -116,7 +113,7 @@ if (Settings::Get('system.le_froxlor_enabled') == '1') {
);
$froxlor_ssl_settings_stmt = Database::prepare("
SELECT * FROM `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."`
SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
WHERE `domainid` = '0' AND
(`expirationdate` < DATE_ADD(NOW(), INTERVAL 30 DAY) OR `expirationdate` IS NULL)
");
@@ -134,69 +131,62 @@ if (Settings::Get('system.le_froxlor_enabled') == '1') {
// check whether we have an entry with valid certificates which just does not need
// updating yet, so we need to skip this here
$froxlor_ssl_settings_stmt = Database::prepare("
SELECT * FROM `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` WHERE `domainid` = '0'
SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = '0'
");
$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
if ($froxlor_ssl && !empty($froxlor_ssl['ssl_cert_file'])) {
if ($froxlor_ssl && ! empty($froxlor_ssl['ssl_cert_file'])) {
$insert_or_update_required = false;
}
}
if ($insert_or_update_required)
{
if ($insert_or_update_required) {
$domains = array(
$certrow['domain'],
'www.'.$certrow['domain']
'www.' . $certrow['domain']
);
// Only renew let's encrypt certificate if no broken ssl_redirect is enabled
if ($certrow['ssl_redirect'] != 2) {
$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updating " . $certrow['domain']);
// - this temp. deactivation of the ssl-redirect is handled by the webserver-cronjob
$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updating " . $certrow['domain']);
$cronlog = FroxlorLogger::getInstanceOf(array(
'loginname' => $certrow['loginname']
$cronlog = FroxlorLogger::getInstanceOf(array(
'loginname' => $certrow['loginname']
));
try {
// Initialize Lescript with documentroot
$le = new lescript($cronlog, $version);
// Initialize Lescript
$le->initAccount($certrow, true);
// Request the new certificate (old key may be used)
$return = $le->signDomains($domains, $certrow['ssl_key_file']);
// We are interessted in the expirationdate
$newcert = openssl_x509_parse($return['crt']);
// Store the new data
Database::pexecute($updcert_stmt, array(
'id' => $certrow['id'],
'domainid' => $certrow['domainid'],
'crt' => $return['crt'],
'key' => $return['key'],
'ca' => $return['chain'],
'chain' => $return['chain'],
'csr' => $return['csr'],
'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
));
try {
// Initialize Lescript with documentroot
$le = new lescript($cronlog, $version);
// Initialize Lescript
$le->initAccount($certrow, true);
// Request the new certificate (old key may be used)
$return = $le->signDomains($domains, $certrow['ssl_key_file']);
// We are interessted in the expirationdate
$newcert = openssl_x509_parse($return['crt']);
// Store the new data
Database::pexecute($updcert_stmt,
array(
'id' => $certrow['id'],
'domainid' => $certrow['domainid'],
'crt' => $return['crt'],
'key' => $return['key'],
'ca' => $return['chain'],
'chain' => $return['chain'],
'csr' => $return['csr'],
'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
));
if ($certrow['ssl_redirect'] == 3) {
Settings::Set('system.le_froxlor_redirect', '1');
}
$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
$changedetected = 1;
} catch (Exception $e) {
$cronlog->logAction(CRON_ACTION, LOG_ERR,
"Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
if ($certrow['ssl_redirect'] == 3) {
Settings::Set('system.le_froxlor_redirect', '1');
}
} else {
$cronlog->logAction(CRON_ACTION, LOG_WARNING,
"Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
$changedetected = 1;
} catch (Exception $e) {
$cronlog->logAction(CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
}
}
}
@@ -252,17 +242,16 @@ foreach ($certrows as $certrow) {
$newcert = openssl_x509_parse($return['crt']);
// Store the new data
Database::pexecute($updcert_stmt,
array(
'id' => $certrow['id'],
'domainid' => $certrow['domainid'],
'crt' => $return['crt'],
'key' => $return['key'],
'ca' => $return['chain'],
'chain' => $return['chain'],
'csr' => $return['csr'],
'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
));
Database::pexecute($updcert_stmt, array(
'id' => $certrow['id'],
'domainid' => $certrow['domainid'],
'crt' => $return['crt'],
'key' => $return['key'],
'ca' => $return['chain'],
'chain' => $return['chain'],
'csr' => $return['csr'],
'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
));
if ($certrow['ssl_redirect'] == 3) {
Database::pexecute($upddom_stmt, array(
@@ -274,12 +263,10 @@ foreach ($certrows as $certrow) {
$changedetected = 1;
} catch (Exception $e) {
$cronlog->logAction(CRON_ACTION, LOG_ERR,
"Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
$cronlog->logAction(CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
}
} else {
$cronlog->logAction(CRON_ACTION, LOG_WARNING,
"Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
$cronlog->logAction(CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
}
}

723
scripts/jobs/cron_tasks.inc.http.10.apache.php
View File

File diff suppressed because it is too large Load Diff

102
scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
View File

@@ -100,57 +100,69 @@ class lighttpd extends HttpConfigBase
$this->lighttpd_data[$vhost_filename] .= '# Froxlor default vhost' . "\n";
$this->lighttpd_data[$vhost_filename] .= '$HTTP["host"] =~ "^(?:www\.|)' . $myhost . '$" {' . "\n";
if ($row_ipsandports['docroot'] == '') {
if (Settings::Get('system.froxlordirectlyviahostname')) {
$mypath = makeCorrectDir(dirname(dirname(dirname(__FILE__))));
} else {
$mypath = makeCorrectDir(dirname(dirname(dirname(dirname(__FILE__)))));
}
} else {
// user-defined docroot, #417
$mypath = makeCorrectDir($row_ipsandports['docroot']);
}
$mypath = $this->getMyPath($row_ipsandports);
$this->lighttpd_data[$vhost_filename] .= ' server.document-root = "' . $mypath . '"' . "\n";
/**
* dirprotection, see #72
*
* @todo use better regex for this, deferred until 0.9.5
*
* $this->lighttpd_data[$vhost_filename].= ' $HTTP["url"] =~ "^/(.+)\/(.+)\.php" {' . "\n";
* $this->lighttpd_data[$vhost_filename].= ' url.access-deny = ("")' . "\n";
* $this->lighttpd_data[$vhost_filename].= ' }' . "\n";
*/
$is_redirect = false;
// check for SSL redirect
if ($row_ipsandports['ssl'] == '0' && Settings::Get('system.le_froxlor_redirect') == '1') {
$is_redirect = true;
// check whether froxlor uses Let's Encrypt and not cert is being generated yet
// or a renew is ongoing - disable redirect
if (System::Get('system.le_froxlor_enabled') && ($this->froxlorVhostHasLetsEncryptCert() == false || $this->froxlorVhostLetsEncryptNeedsRenew())) {
$this->lighttpd_data[$vhost_filename] .= '# temp. disabled ssl-redirect due to Let\'s Encrypt certificate generation.' . PHP_EOL;
$is_redirect = false;
} else {
$_sslport = $this->checkAlternativeSslPort();
$mypath = 'https://' . Settings::Get('system.hostname') . $_sslport . '/';
/**
* own php-fpm vhost
*/
if ((int) Settings::Get('phpfpm.enabled') == 1) {
$domain = array(
'id' => 'none',
'domain' => Settings::Get('system.hostname'),
'adminid' => 1, /* first admin-user (superadmin) */
'mod_fcgid_starter' => - 1,
'mod_fcgid_maxrequests' => - 1,
'guid' => Settings::Get('phpfpm.vhost_httpuser'),
'openbasedir' => 0,
'email' => Settings::Get('panel.adminmail'),
'loginname' => 'froxlor.panel',
'documentroot' => $mypath
);
$this->lighttpd_data[$vhost_filename] .= ' url.redirect = (' . "\n";
$this->lighttpd_data[$vhost_filename] .= ' "^/(.*)$" => "' . $mypath . '$1"' . "\n";
$this->lighttpd_data[$vhost_filename] .= ' )' . "\n";
}
}
$php = new phpinterface($domain);
if (!$is_redirect) {
/**
* dirprotection, see #72
*
* @todo use better regex for this, deferred until 0.9.5
*
* $this->lighttpd_data[$vhost_filename].= ' $HTTP["url"] =~ "^/(.+)\/(.+)\.php" {' . "\n";
* $this->lighttpd_data[$vhost_filename].= ' url.access-deny = ("")' . "\n";
* $this->lighttpd_data[$vhost_filename].= ' }' . "\n";
*/
$this->lighttpd_data[$vhost_filename] .= ' fastcgi.server = ( ' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . '".php" => (' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"localhost" => (' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"socket" => "' . $php->getInterface()->getSocketFile() . '",' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"check-local" => "enable",' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"disable-time" => 1' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
$this->lighttpd_data[$vhost_filename] .= ' )' . "\n";
/**
* own php-fpm vhost
*/
if ((int) Settings::Get('phpfpm.enabled') == 1) {
$domain = array(
'id' => 'none',
'domain' => Settings::Get('system.hostname'),
'adminid' => 1, /* first admin-user (superadmin) */
'mod_fcgid_starter' => - 1,
'mod_fcgid_maxrequests' => - 1,
'guid' => Settings::Get('phpfpm.vhost_httpuser'),
'openbasedir' => 0,
'email' => Settings::Get('panel.adminmail'),
'loginname' => 'froxlor.panel',
'documentroot' => $mypath
);
$php = new phpinterface($domain);
$this->lighttpd_data[$vhost_filename] .= ' fastcgi.server = ( ' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . '".php" => (' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"localhost" => (' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"socket" => "' . $php->getInterface()->getSocketFile() . '",' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"check-local" => "enable",' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t\t" . '"disable-time" => 1' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
$this->lighttpd_data[$vhost_filename] .= ' )' . "\n";
}
}
if ($row_ipsandports['specialsettings'] != '') {

102
scripts/jobs/cron_tasks.inc.http.30.nginx.php
View File

@@ -134,6 +134,8 @@ class nginx extends HttpConfigBase {
$this->nginx_data[$vhost_filename] .= 'server { ' . "\n";
$mypath = $this->getMyPath($row_ipsandports);
// check for ssl before anything else so
// we know whether it's an ssl vhost or not
$ssl_vhost = false;
@@ -191,26 +193,28 @@ class nginx extends HttpConfigBase {
$this->nginx_data[$vhost_filename] .= "\t".'server_name ' . Settings::Get('system.hostname') . ';' . "\n";
$this->nginx_data[$vhost_filename] .= "\t".'access_log /var/log/nginx/access.log;' . "\n";
$mypath = '';
// no custom docroot set?
if ($row_ipsandports['docroot'] == '') {
// check whether the hostname should directly point to
// the froxlor-installation or not
if (Settings::Get('system.froxlordirectlyviahostname')) {
$mypath = makeCorrectDir(dirname(dirname(dirname(__FILE__))));
$is_redirect = false;
// check for SSL redirect
if ($row_ipsandports['ssl'] == '0' && Settings::Get('system.le_froxlor_redirect') == '1') {
$is_redirect = true;
// check whether froxlor uses Let's Encrypt and not cert is being generated yet
// or a renew is ongoing - disable redirect
if (System::Get('system.le_froxlor_enabled') && ($this->froxlorVhostHasLetsEncryptCert() == false || $this->froxlorVhostLetsEncryptNeedsRenew())) {
$this->nginx_data[$vhost_filename] .= '# temp. disabled ssl-redirect due to Let\'s Encrypt certificate generation.' . PHP_EOL;
$is_redirect = false;
} else {
$mypath = makeCorrectDir(dirname(dirname(dirname(dirname(__FILE__)))));
$_sslport = $this->checkAlternativeSslPort();
$mypath = 'https://' . Settings::Get('system.hostname') . $_sslport . '/';
$this->nginx_data[$vhost_filename] .= "\t".'return 301 '.$mypath.'$request_uri;'."\n";
}
} else {
// user-defined docroot, #417
$mypath = makeCorrectDir($row_ipsandports['docroot']);
}
$this->nginx_data[$vhost_filename] .= "\t".'root '.$mypath.';'."\n";
$this->nginx_data[$vhost_filename] .= "\t".'index index.php index.html index.htm;'."\n\n";
$this->nginx_data[$vhost_filename] .= "\t".'location / {'."\n";
$this->nginx_data[$vhost_filename] .= "\t".'}'."\n";
if (!$is_redirect) {
$this->nginx_data[$vhost_filename] .= "\t".'root '.$mypath.';'."\n";
$this->nginx_data[$vhost_filename] .= "\t".'index index.php index.html index.htm;'."\n\n";
$this->nginx_data[$vhost_filename] .= "\t".'location / {'."\n";
$this->nginx_data[$vhost_filename] .= "\t".'}'."\n";
}
if ($row_ipsandports['specialsettings'] != '') {
$this->nginx_data[$vhost_filename].= $this->processSpecialConfigTemplate(
@@ -227,44 +231,46 @@ class nginx extends HttpConfigBase {
* SSL config options
*/
if ($row_ipsandports['ssl'] == '1') {
$row_ipsandports['domain'] = Settings::Get('system.hostname');
$row_ipsandports['domain'] = Settings::Get('system.hostname');
$this->nginx_data[$vhost_filename].=$this->composeSslSettings($row_ipsandports);
}
$this->nginx_data[$vhost_filename] .= "\tlocation ~ \.php {\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_split_path_info ^(.+\.php)(/.+)\$;\n";
$this->nginx_data[$vhost_filename] .= "\t\tinclude ".Settings::Get('nginx.fastcgiparams').";\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param PATH_INFO \$fastcgi_path_info;\n";
$this->nginx_data[$vhost_filename] .= "\t\ttry_files \$fastcgi_script_name =404;\n";
if (!$is_redirect) {
$this->nginx_data[$vhost_filename] .= "\tlocation ~ \.php {\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_split_path_info ^(.+\.php)(/.+)\$;\n";
$this->nginx_data[$vhost_filename] .= "\t\tinclude ".Settings::Get('nginx.fastcgiparams').";\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;\n";
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param PATH_INFO \$fastcgi_path_info;\n";
$this->nginx_data[$vhost_filename] .= "\t\ttry_files \$fastcgi_script_name =404;\n";
if ($row_ipsandports['ssl'] == '1') {
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param HTTPS on;\n";
if ($row_ipsandports['ssl'] == '1') {
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param HTTPS on;\n";
}
if ((int)Settings::Get('phpfpm.enabled') == 1 && (int)Settings::Get('phpfpm.enabled_ownvhost') == 1) {
$domain = array(
'id' => 'none',
'domain' => Settings::Get('system.hostname'),
'adminid' => 1, /* first admin-user (superadmin) */
'mod_fcgid_starter' => -1,
'mod_fcgid_maxrequests' => -1,
'guid' => Settings::Get('phpfpm.vhost_httpuser'),
'openbasedir' => 0,
'email' => Settings::Get('panel.adminmail'),
'loginname' => 'froxlor.panel',
'documentroot' => $mypath,
);
$php = new phpinterface($domain);
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_pass unix:".$php->getInterface()->getSocketFile().";\n";
} else {
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_pass ".Settings::Get('system.nginx_php_backend').";\n";
}
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_index index.php;\n";
$this->nginx_data[$vhost_filename] .= "\t}\n";
}
if ((int)Settings::Get('phpfpm.enabled') == 1 && (int)Settings::Get('phpfpm.enabled_ownvhost') == 1) {
$domain = array(
'id' => 'none',
'domain' => Settings::Get('system.hostname'),
'adminid' => 1, /* first admin-user (superadmin) */
'mod_fcgid_starter' => -1,
'mod_fcgid_maxrequests' => -1,
'guid' => Settings::Get('phpfpm.vhost_httpuser'),
'openbasedir' => 0,
'email' => Settings::Get('panel.adminmail'),
'loginname' => 'froxlor.panel',
'documentroot' => $mypath,
);
$php = new phpinterface($domain);
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_pass unix:".$php->getInterface()->getSocketFile().";\n";
} else {
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_pass ".Settings::Get('system.nginx_php_backend').";\n";
}
$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_index index.php;\n";
$this->nginx_data[$vhost_filename] .= "\t}\n";
$this->nginx_data[$vhost_filename] .= "}\n\n";
// End of Froxlor server{}-part
}