From ba58991d11f80ac28694f485b695c96d4659a586 Mon Sep 17 00:00:00 2001 From: "Michael Kaufmann (d00p)" Date: Tue, 9 Jan 2018 17:14:57 +0100 Subject: [PATCH] allow per php-config setting of adding '-pass-header Authorization' / 'CGIPassAuth On' to the domains vhosts Signed-off-by: Michael Kaufmann (d00p) --- install/froxlor.sql | 3 ++- install/updates/froxlor/0.9/update_0.9.inc.php | 9 +++++++++ .../admin/phpconfig/formfield.phpconfig_add.php | 9 +++++++++ .../admin/phpconfig/formfield.phpconfig_edit.php | 9 +++++++++ lib/version.inc.php | 2 +- lng/english.lng.php | 1 + lng/german.lng.php | 1 + scripts/jobs/cron_tasks.inc.http.10.apache.php | 11 ++++++++++- .../jobs/cron_tasks.inc.http.15.apache_fcgid.php | 14 +++++++++++++- 9 files changed, 55 insertions(+), 4 deletions(-) diff --git a/install/froxlor.sql b/install/froxlor.sql index e96c62b6..26ec3281 100644 --- a/install/froxlor.sql +++ b/install/froxlor.sql @@ -589,7 +589,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES ('panel', 'password_special_char', '!?<>§$%+#=@'), ('panel', 'customer_hide_options', ''), ('panel', 'version', '0.9.38.8'), - ('panel', 'db_version', '201801090'); + ('panel', 'db_version', '201801091'); DROP TABLE IF EXISTS `panel_tasks`; @@ -795,6 +795,7 @@ CREATE TABLE `panel_phpconfigs` ( `fpm_reqslow` varchar(15) NOT NULL default '5s', `phpsettings` text NOT NULL, `fpmsettingid` int(11) NOT NULL DEFAULT '1', + `pass_authorizationheader` tinyint(1) NOT NULL default '0', PRIMARY KEY (`id`), KEY `fpmsettingid` (`fpmsettingid`) ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci; diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php index de39f9e3..52f26e39 100644 --- a/install/updates/froxlor/0.9/update_0.9.inc.php +++ b/install/updates/froxlor/0.9/update_0.9.inc.php 
@@ -3734,3 +3734,12 @@ if (isDatabaseVersion('201801080')) { updateToDbVersion('201801090'); } + +if (isDatabaseVersion('201801090')) { + + showUpdateStep("Adding field pass_authorizationheader for php-configs"); + Database::query("ALTER TABLE `" . TABLE_PANEL_PHPCONFIGS . "` ADD `pass_authorizationheader` tinyint(1) NOT NULL default '0';"); + lastStepStatus(0); + + updateToDbVersion('201801091'); +} diff --git a/lib/formfields/admin/phpconfig/formfield.phpconfig_add.php b/lib/formfields/admin/phpconfig/formfield.phpconfig_add.php index 07889120..6d30adfd 100644 --- a/lib/formfields/admin/phpconfig/formfield.phpconfig_add.php +++ b/lib/formfields/admin/phpconfig/formfield.phpconfig_add.php @@ -90,6 +90,15 @@ return array( 'maxlength' => 10, 'value' => '5s' ), + 'phpfpm_pass_authorizationheader' => array( + 'visible' => (Settings::Get('phpfpm.enabled') == 1 ? true : false), + 'label' => $lng['admin']['phpsettings']['pass_authorizationheader'], + 'type' => 'checkbox', + 'values' => array( + array ('label' => $lng['panel']['yes'], 'value' => '1') + ), + 'value' => array() + ), 'phpsettings' => array( 'style' => 'align-top', 'label' => $lng['admin']['phpsettings']['phpinisettings'], diff --git a/lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php b/lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php index 9ae736ed..e2e8fd11 100644 --- a/lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php +++ b/lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php 
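Review bot: The new `phpfpm_pass_authorizationheader` checkbox in formfield.phpconfig_add.php has no visible counterpart that stores it. None of the nine files in this commit's diffstat reads that form field or writes the `pass_authorizationheader` column, so unless the php-config add/edit handler is changed elsewhere, the box will render but the column will stay at its default `'0'`. The same applies to the edit form in formfield.phpconfig_edit.php. The handler should reduce the submitted value to 0 or 1 before saving, e.g. `$pass_authorizationheader = isset($_POST['phpfpm_pass_authorizationheader']) ? 1 : 0;` (variable name illustrative), and bind it in the INSERT/UPDATE. As a smaller style point, `Settings::Get('phpfpm.enabled') == 1 ? true : false` can be just the comparison.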
@@ -93,6 +93,15 @@ return array( 'maxlength' => 10, 'value' => $result['fpm_reqslow'] ), + 'phpfpm_pass_authorizationheader' => array( + 'visible' => (Settings::Get('phpfpm.enabled') == 1 ? true : false), + 'label' => $lng['admin']['phpsettings']['pass_authorizationheader'], + 'type' => 'checkbox', + 'values' => array( + array ('label' => $lng['panel']['yes'], 'value' => '1') + ), + 'value' => array($result['pass_authorizationheader']) + ), 'phpsettings' => array( 'style' => 'align-top', 'label' => $lng['admin']['phpsettings']['phpinisettings'], diff --git a/lib/version.inc.php b/lib/version.inc.php index 2632a02f..40aa7b18 100644 --- a/lib/version.inc.php +++ b/lib/version.inc.php @@ -19,7 +19,7 @@ $version = '0.9.38.8'; // Database version (YYYYMMDDC where C is a daily counter) -$dbversion = '201801090'; +$dbversion = '201801091'; // Distribution branding-tag (used for Debian etc.) $branding = ''; diff --git a/lng/english.lng.php b/lng/english.lng.php index c864e66d..b33762e3 100644 --- a/lng/english.lng.php +++ b/lng/english.lng.php @@ -2091,3 +2091,4 @@ $lng['serversettings']['phpsettingsforsubdomains']['description'] = 'If yes the $lng['serversettings']['leapiversion']['title'] = "Chose Let's Encrypt ACME implementation"; $lng['serversettings']['leapiversion']['description'] = "Chose between ACME v1 and ACME v2 implementation for Let's Encrypt."; $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate wildcard-domains by DNS with ACME v2, sorry. Please set the ServerAlias to WWW or disable it completely'; +$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" to vhosts'; diff --git a/lng/german.lng.php b/lng/german.lng.php index 7943e0d4..1302358b 100644 --- a/lng/german.lng.php +++ b/lng/german.lng.php 
@@ -1742,3 +1742,4 @@ $lng['serversettings']['phpsettingsforsubdomains']['description'] = 'Wenn ja, wi $lng['serversettings']['leapiversion']['title'] = "Wähle Let's Encrypt ACME Implementierung"; $lng['serversettings']['leapiversion']['description'] = "Wähle zwischen ACME v1 und ACME v2 Implementierung von Let's Encrypt."; $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 Wildcard-Domains nur via DNS validieren, sorry. Bitte den ServerAlias auf WWW setzen oder deaktivieren'; +$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" in Vhosts ein'; diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php index 5887e9a7..b3147f03 100644 --- a/scripts/jobs/cron_tasks.inc.http.10.apache.php +++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php 
@@ -330,8 +330,17 @@ class apache extends HttpConfigBase $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; + if ($phpconfig['pass_authorizationheader'] == '1') { + $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; + $this->virtualhosts_data[$vhosts_filename] .= ' CGIPassAuth On' . "\n"; + $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; + } } else { - $this->virtualhosts_data[$vhosts_filename] .= ' FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . "\n"; + $addheader = ""; + if ($phpconfig['pass_authorizationheader'] == '1') { + $addheader = " -pass-header Authorization"; + } + $this->virtualhosts_data[$vhosts_filename] .= ' FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . $addheader . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; $file_extensions = explode(' ', $phpconfig['file_extensions']); $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n"; diff --git a/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php b/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php index ab53539c..b2385abb 100644 --- a/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php +++ b/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php 
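Review bot: `CGIPassAuth On` in the `SetHandler proxy:unix:` branch is written without any check of the Apache version, and the directive only exists in Apache 2.4.13 and later. On an older 2.4 build the generated vhost would be rejected as an invalid command for every domain using a php-config with this flag set. The container lines around it are rendered as empty strings on this page, so I cannot confirm it is a directory-type section, which is the only context in which the directive is accepted. I would at least record the requirement next to the code, `// CGIPassAuth needs Apache >= 2.4.13 and a directory-type container`, and mention it in the option's label. The enclosing method starts and ends outside this hunk.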
@@ -54,13 +54,25 @@ class apache_fcgid extends apache // for this path, as this would be the first require and therefore grant all access if ($mypath_dir->isUserProtected() == false) { $php_options_text.= ' ' . "\n"; + if ($phpconfig['pass_authorizationheader'] == '1') { + $php_options_text.= ' CGIPassAuth On' . "\n"; + } $php_options_text.= ' Require all granted' . "\n"; $php_options_text.= ' AllowOverride All' . "\n"; $php_options_text.= ' ' . "\n"; + } elseif ($phpconfig['pass_authorizationheader'] == '1') { + // allow Pass of Authorization header + $php_options_text.= ' ' . "\n"; + $php_options_text.= ' CGIPassAuth On' . "\n"; + $php_options_text.= ' ' . "\n"; } } else { - $php_options_text.= ' FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . "\n"; + $addheader = ""; + if ($phpconfig['pass_authorizationheader'] == '1') { + $addheader = " -pass-header Authorization"; + } + $php_options_text.= ' FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . $addheader . "\n"; $php_options_text.= ' ' . "\n"; $php_options_text.= ' ' . "\n"; $php_options_text.= ' SetHandler php5-fastcgi'. "\n";
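Review bot: In the new `elseif` branch the path is user-protected (the preceding `isUserProtected() == false` test failed), yet `CGIPassAuth On` is still emitted, so the credentials Apache itself verifies for that directory are also forwarded to every PHP script served from it. That may be intended, but it is the case where passing the header needs the most care, and the comment `// allow Pass of Authorization header` does not say so. I would replace it with `// path is password-protected: CGIPassAuth also hands those HTTP auth credentials to the PHP scripts below it`. The admin label should carry the same caveat, since the flag applies to every domain using the php-config. The enclosing method starts and ends outside this hunk.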