allow per php-config setting of adding '-pass-header Authorization' / 'CGIPassAuth On' to the domains vhosts

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>

install/froxlor.sql

@@ -589,7 +589,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
 	('panel', 'customer_hide_options', ''),
 	('panel', 'version', '0.9.38.8'),
-	('panel', 'db_version', '201801090');
+	('panel', 'db_version', '201801091');
 
 
 DROP TABLE IF EXISTS `panel_tasks`;
@@ -795,6 +795,7 @@ CREATE TABLE `panel_phpconfigs` (
   `fpm_reqslow` varchar(15) NOT NULL default '5s',
   `phpsettings` text NOT NULL,
   `fpmsettingid` int(11) NOT NULL DEFAULT '1',
+  `pass_authorizationheader` tinyint(1) NOT NULL default '0',
   PRIMARY KEY  (`id`),
   KEY `fpmsettingid` (`fpmsettingid`)
 ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;

install/updates/froxlor/0.9/update_0.9.inc.php

@@ -3734,3 +3734,12 @@ if (isDatabaseVersion('201801080')) {
 
 	updateToDbVersion('201801090');
 }
+
+if (isDatabaseVersion('201801090')) {
+
+	showUpdateStep("Adding field pass_authorizationheader for php-configs");
+	Database::query("ALTER TABLE `" . TABLE_PANEL_PHPCONFIGS . "` ADD `pass_authorizationheader` tinyint(1) NOT NULL default '0';");
+	lastStepStatus(0);
+
+	updateToDbVersion('201801091');
+}

lib/formfields/admin/phpconfig/formfield.phpconfig_add.php

@@ -90,6 +90,15 @@ return array(
 						'maxlength' => 10,
 						'value' => '5s'
 					),
+					'phpfpm_pass_authorizationheader' => array(
+						'visible' => (Settings::Get('phpfpm.enabled') == 1 ? true : false),
+						'label' => $lng['admin']['phpsettings']['pass_authorizationheader'],
+						'type' => 'checkbox',
+						'values' => array(
+							array ('label' => $lng['panel']['yes'], 'value' => '1')
+						),
+						'value' => array()
+					),
 					'phpsettings' => array(
 						'style' => 'align-top',
 						'label' => $lng['admin']['phpsettings']['phpinisettings'],

lib/formfields/admin/phpconfig/formfield.phpconfig_edit.php

@@ -93,6 +93,15 @@ return array(
 						'maxlength' => 10,
 						'value' => $result['fpm_reqslow']
 					),
+					'phpfpm_pass_authorizationheader' => array(
+						'visible' => (Settings::Get('phpfpm.enabled') == 1 ? true : false),
+						'label' => $lng['admin']['phpsettings']['pass_authorizationheader'],
+						'type' => 'checkbox',
+						'values' => array(
+							array ('label' => $lng['panel']['yes'], 'value' => '1')
+						),
+						'value' => array($result['pass_authorizationheader'])
+					),
 					'phpsettings' => array(
 						'style' => 'align-top',
 						'label' => $lng['admin']['phpsettings']['phpinisettings'],

lib/version.inc.php

@@ -19,7 +19,7 @@
 $version = '0.9.38.8';
 
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201801090';
+$dbversion = '201801091';
 
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';

lng/english.lng.php

@@ -2091,3 +2091,4 @@ $lng['serversettings']['phpsettingsforsubdomains']['description'] = 'If yes the
 $lng['serversettings']['leapiversion']['title'] = "Chose Let's Encrypt ACME implementation";
 $lng['serversettings']['leapiversion']['description'] = "Chose between ACME v1 and ACME v2 implementation for Let's Encrypt.";
 $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate wildcard-domains by DNS with ACME v2, sorry. Please set the ServerAlias to WWW or disable it completely';
+$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" to vhosts';

lng/german.lng.php

@@ -1742,3 +1742,4 @@ $lng['serversettings']['phpsettingsforsubdomains']['description'] = 'Wenn ja, wi
 $lng['serversettings']['leapiversion']['title'] = "Wähle Let's Encrypt ACME Implementierung";
 $lng['serversettings']['leapiversion']['description'] = "Wähle zwischen ACME v1 und ACME v2 Implementierung von Let's Encrypt.";
 $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 Wildcard-Domains nur via DNS validieren, sorry. Bitte den ServerAlias auf WWW setzen oder deaktivieren';
+$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" in Vhosts ein';

scripts/jobs/cron_tasks.inc.http.10.apache.php

@@ -330,8 +330,17 @@ class apache extends HttpConfigBase
 							$this->virtualhosts_data[$vhosts_filename] .= '  <FilesMatch \.php$>' . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= '  SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost' . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= '  </FilesMatch>' . "\n";
+							if ($phpconfig['pass_authorizationheader'] == '1') {
+								$this->virtualhosts_data[$vhosts_filename] .= '  <Directory "' . $mypath . '">' . "\n";
+								$this->virtualhosts_data[$vhosts_filename] .= '      CGIPassAuth On' . "\n";
+								$this->virtualhosts_data[$vhosts_filename] .= '  </Directory>' . "\n";
+							}
 						} else {
-							$this->virtualhosts_data[$vhosts_filename] .= '  FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . "\n";
+							$addheader = "";
+							if ($phpconfig['pass_authorizationheader'] == '1') {
+								$addheader = " -pass-header Authorization";
+							}
+							$this->virtualhosts_data[$vhosts_filename] .= '  FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . $addheader . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= '  <Directory "' . $mypath . '">' . "\n";
 							$file_extensions = explode(' ', $phpconfig['file_extensions']);
 							$this->virtualhosts_data[$vhosts_filename] .= '   <FilesMatch "\.(' . implode('|', $file_extensions) . ')$">' . "\n";

scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php

@@ -54,13 +54,25 @@ class apache_fcgid extends apache
 				    // for this path, as this would be the first require and therefore grant all access
 				    if ($mypath_dir->isUserProtected() == false) {
 						$php_options_text.= '  <Directory "' . makeCorrectDir($domain['documentroot']) . '">' . "\n";
+						if ($phpconfig['pass_authorizationheader'] == '1') {
+							$php_options_text.= '    CGIPassAuth On' . "\n";
+						}
 					    $php_options_text.= '    Require all granted' . "\n";
 						$php_options_text.= '    AllowOverride All' . "\n";
 						$php_options_text.= '  </Directory>' . "\n";
+				    } elseif ($phpconfig['pass_authorizationheader'] == '1') {
+						// allow Pass of Authorization header
+						$php_options_text.= '  <Directory "' . makeCorrectDir($domain['documentroot']) . '">' . "\n";
+						$php_options_text.= '    CGIPassAuth On' . "\n";
+						$php_options_text.= '  </Directory>' . "\n";
 				    }
 
 				} else {
-					$php_options_text.= '  FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile()  . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . "\n";
+					$addheader = "";
+					if ($phpconfig['pass_authorizationheader'] == '1') {
+						$addheader = " -pass-header Authorization";
+					}
+					$php_options_text.= '  FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName . ' -socket ' . $php->getInterface()->getSocketFile()  . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . $addheader . "\n";
 					$php_options_text.= '  <Directory "' . makeCorrectDir($domain['documentroot']) . '">' . "\n";
 					$php_options_text.= '    <FilesMatch "\.php$">' . "\n";
 					$php_options_text.= '      SetHandler php5-fastcgi'. "\n";