maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add http2 support for froxlor-vhost and per-domain

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2017-08-24 13:21:21 +02:00
parent c2c5178831
commit bab982a0e6
12 changed files with 95 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
actions/admin/settings/122.froxlorvhost.php
View File

@@ -80,6 +80,19 @@ return array(
'save_method' => 'storeSettingField',
'visible' => Settings::Get('system.use_ssl')
),
'system_http2_support' => array(
'label' => $lng['serversettings']['http2_support'],
'settinggroup' => 'system',
'varname' => 'http2_support',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField',
'websrv_avail' => array(
'apache2',
'nginx'
),
'visible' => Settings::Get('system.use_ssl')
),
/**
* FCGID
*/

11
actions/admin/settings/130.webserver.php
View File

@@ -179,17 +179,6 @@ return array(
'nginx'
)
),
'system_nginx_http2_support' => array(
'label' => $lng['serversettings']['nginx_http2_support'],
'settinggroup' => 'system',
'varname' => 'nginx_http2_support',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField',
'websrv_avail' => array(
'nginx'
)
),
'system_nginx_php_backend' => array(
'label' => $lng['serversettings']['nginx_php_backend'],
'settinggroup' => 'system',

21
admin_domains.php
View File

@@ -590,6 +590,8 @@ if ($page == 'domains' || $page == 'overview') {
}
}
$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
// HSTS
$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -601,6 +603,7 @@ if ($page == 'domains' || $page == 'overview') {
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -616,6 +619,7 @@ if ($page == 'domains' || $page == 'overview') {
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -796,10 +800,11 @@ if ($page == 'domains' || $page == 'overview') {
'termination_date' => $termination_date,
'issubof' => $issubof,
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);
$security_questions = array(
@@ -849,10 +854,11 @@ if ($page == 'domains' || $page == 'overview') {
'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
'ismainbutsubto' => $issubof,
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);
$ins_stmt = Database::prepare("
@@ -887,6 +893,7 @@ if ($page == 'domains' || $page == 'overview') {
`mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
`ismainbutsubto` = :ismainbutsubto,
`letsencrypt` = :letsencrypt,
`http2` = :http2,
`hsts` = :hsts,
`hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload,
@@ -1428,6 +1435,8 @@ if ($page == 'domains' || $page == 'overview') {
$letsencrypt = (int) $_POST['letsencrypt'];
}
$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
// HSTS
$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -1465,6 +1474,7 @@ if ($page == 'domains' || $page == 'overview') {
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -1480,6 +1490,7 @@ if ($page == 'domains' || $page == 'overview') {
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -1634,10 +1645,11 @@ if ($page == 'domains' || $page == 'overview') {
'ipandport' => serialize($ipandports),
'ssl_ipandport' => serialize($ssl_ipandports),
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);
$security_questions = array(
@@ -1672,6 +1684,7 @@ if ($page == 'domains' || $page == 'overview') {
$email_only != $result['email_only'] ||
($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
$letsencrypt != $result['letsencrypt'] ||
$http2 != $result['http2'] ||
$hsts_maxage != $result['hsts'] ||
$hsts_sub != $result['hsts_sub'] ||
$hsts_preload != $result['hsts_preload'] ||
@@ -1828,6 +1841,7 @@ if ($page == 'domains' || $page == 'overview') {
$update_data['termination_date'] = $termination_date;
$update_data['ismainbutsubto'] = $issubof;
$update_data['letsencrypt'] = $letsencrypt;
$update_data['http2'] = $http2;
$update_data['hsts'] = $hsts_maxage;
$update_data['hsts_sub'] = $hsts_sub;
$update_data['hsts_preload'] = $hsts_preload;
@@ -1861,6 +1875,7 @@ if ($page == 'domains' || $page == 'overview') {
`termination_date` = :termination_date,
`ismainbutsubto` = :ismainbutsubto,
`letsencrypt` = :letsencrypt,
`http2` = :http2,
`hsts` = :hsts,
`hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload,

5
install/froxlor.sql
View File

@@ -258,6 +258,7 @@ CREATE TABLE `panel_domains` (
`hsts_sub` tinyint(1) NOT NULL default '0',
`hsts_preload` tinyint(1) NOT NULL default '0',
`ocsp_stapling` tinyint(1) DEFAULT '0',
`http2` tinyint(1) DEFAULT '0',
PRIMARY KEY (`id`),
KEY `customerid` (`customerid`),
KEY `parentdomain` (`parentdomainid`),
@@ -500,7 +501,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('system', 'ssl_cert_chainfile', ''),
('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
('system', 'nginx_php_backend', '127.0.0.1:8888'),
('system', 'nginx_http2_support', '0'),
('system', 'http2_support', '0'),
('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
('system', 'phpreload_command', ''),
('system', 'apache24', '0'),
@@ -585,7 +586,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''),
('panel', 'version', '0.9.38.7'),
('panel', 'db_version', '201705050');
('panel', 'db_version', '201708240');
DROP TABLE IF EXISTS `panel_tasks`;

16
install/updates/froxlor/0.9/update_0.9.inc.php
View File

@@ -3617,3 +3617,19 @@ if (isDatabaseVersion('201704100')) {
updateToDbVersion('201705050');
}
if (isDatabaseVersion('201705050')) {
showUpdateStep("Updating HTTP2 setting");
if (Settings::Get('system.nginx_http2_support') != null) {
Database::query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `varname` = 'http2_support' WHERE `varname` = 'nginx_http2_support';");
} else {
Settings::AddNew('system.http2_support', 0);
}
lastStepStatus(0);
showUpdateStep("Adding domain field for HTTP2 stapling");
Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `http2` TINYINT(1) NOT NULL DEFAULT '0';");
lastStepStatus(0);
updateToDbVersion('201708240');
}

13
lib/formfields/admin/domains/formfield.domains_add.php
View File

@@ -173,6 +173,19 @@ return array(
),
'value' => array()
),
'http2' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_http2']['title'],
'desc' => $lng['admin']['domain_http2']['description'],
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array()
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',

15
lib/formfields/admin/domains/formfield.domains_edit.php
View File

@@ -207,6 +207,21 @@ return array(
$result['letsencrypt']
)
),
'http2' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_http2']['title'],
'desc' => $lng['admin']['domain_http2']['description'],
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array(
$result['http2']
)
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',

2
lib/version.inc.php
View File

@@ -19,7 +19,7 @@
$version = '0.9.38.7';
// Database version (YYYYMMDDC where C is a daily counter)
$dbversion = '201705050';
$dbversion = '201708240';
// Distribution branding-tag (used for Debian etc.)
$branding = '';

6
lng/english.lng.php
View File

@@ -2063,8 +2063,8 @@ $lng['admin']['domain_hsts_incsub']['description'] = 'The optional "includeSubDo
$lng['admin']['domain_hsts_preload']['title'] = 'Include domain in <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a>';
$lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';
$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
$lng['serversettings']['http2_support']['title'] = 'HTTP2 Support';
$lng['serversettings']['http2_support']['description'] = 'enable HTTP2 support for ssl.<br><em class="red">ENABLE ONLY IF YOUR WEBSERVER SUPPORTS THIS FEATURE (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';
$lng['error']['noipportgiven'] = 'No IP/port given';
@@ -2076,3 +2076,5 @@ $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';
$lng['serversettings']['nssextrausers']['title'] = 'Use libnss-extrausers instead of libnss-mysql';
$lng['serversettings']['nssextrausers']['description'] = 'Do not read users from the database but from files. Please only activate if you have already gone through the required configuration steps (system -> libnss-extrausers).<br><strong class="red">For Debian/Ubuntu only (or if you have compiled libnss-extrausers yourself!)</strong>';
$lng['admin']['domain_http2']['title'] = 'HTTP2 support';
$lng['admin']['domain_http2']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">Wikipedia</a> for a detailed explanation of HTTP2';

6
lng/german.lng.php
View File

@@ -1714,8 +1714,8 @@ $lng['admin']['domain_hsts_incsub']['description'] = 'Die optionale "includeSubD
$lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload Liste</a> hinzu';
$lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';
$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstützung';
$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
$lng['serversettings']['http2_support']['title'] = 'HTTP2 Unterstützung';
$lng['serversettings']['http2_support']['description'] = 'Aktiviere HTTP2 Unterstützung für SSL.<br><em class="red">NUR AKTIVIEREN, WENN DER WEBSERVER DIESE FUNKTION UNTERSTÜTZT (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';
$lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';
@@ -1727,3 +1727,5 @@ $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,<br />die an TLS-Handshakes angehängt werden.';
$lng['serversettings']['nssextrausers']['title'] = 'Verwende libnss-extrausers anstatt libnss-mysql';
$lng['serversettings']['nssextrausers']['description'] = 'Lese Benutzer nicht direkt aus der Datenbank sondern über Dateien, bitte nur aktivieren, wenn die entsprechende Konfiguration vorgenommen wurde (System -> libnss-extrausers).<br><strong class="red">Nur für Debian/Ubuntu (oder wenn libnss-extrausers manuell kompiliert wurde!)</strong>';
$lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
$lng['admin']['domain_http2']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP.2F2">Wikipedia</a> für eine ausführliche Beschreibung von HTTP2';

6
scripts/jobs/cron_tasks.inc.http.10.apache.php
View File

@@ -434,6 +434,9 @@ class apache extends HttpConfigBase
$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
if (Settings::Get('system.apache24') == '1') {
if (Settings::Get('system.http2_support') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
}
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)
@@ -869,6 +872,9 @@ class apache extends HttpConfigBase
$vhost_content .= ' SSLEngine On' . "\n";
$vhost_content .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
if (Settings::Get('system.apache24') == '1') {
if (isset($domain['http2']) && $domain['http2'] == '1') {
$vhost_content .= ' Protocols h2 http/1.1' . "\n";
}
$vhost_content .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)

4
scripts/jobs/cron_tasks.inc.http.30.nginx.php
View File

@@ -196,7 +196,7 @@ class nginx extends HttpConfigBase
}
}
$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
$http2 = $ssl_vhost == true && Settings::Get('system.http2_support') == '1';
/**
* this HAS to be set for the default host in nginx or else no vhost will work
@@ -418,7 +418,7 @@ class nginx extends HttpConfigBase
$_vhost_content .= $this->processSpecialConfigTemplate($ipandport['default_vhostconf_domain'], $domain, $domain['ip'], $domain['port'], $ssl_vhost) . "\n";
}
$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
$http2 = $ssl_vhost == true && (isset($domain['http2']) && $domain['http2'] == '1');
$vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
}