diff --git a/actions/admin/settings/122.froxlorvhost.php b/actions/admin/settings/122.froxlorvhost.php
index 6175bb73..5ddbfc30 100644
--- a/actions/admin/settings/122.froxlorvhost.php
+++ b/actions/admin/settings/122.froxlorvhost.php
@@ -80,6 +80,19 @@ return array(
 'save_method' => 'storeSettingField',
 'visible' => Settings::Get('system.use_ssl')
 ),
+ 'system_http2_support' => array(
+ 'label' => $lng['serversettings']['http2_support'],
+ 'settinggroup' => 'system',
+ 'varname' => 'http2_support',
+ 'type' => 'bool',
+ 'default' => false,
+ 'save_method' => 'storeSettingField',
+ 'websrv_avail' => array(
+ 'apache2',
+ 'nginx'
+ ),
+ 'visible' => Settings::Get('system.use_ssl')
+ ),
 /**
 * FCGID
 */
diff --git a/actions/admin/settings/130.webserver.php b/actions/admin/settings/130.webserver.php
index 8a117d5c..4374b148 100644
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -179,17 +179,6 @@ return array(
 'nginx'
 )
 ),
- 'system_nginx_http2_support' => array(
- 'label' => $lng['serversettings']['nginx_http2_support'],
- 'settinggroup' => 'system',
- 'varname' => 'nginx_http2_support',
- 'type' => 'bool',
- 'default' => false,
- 'save_method' => 'storeSettingField',
- 'websrv_avail' => array(
- 'nginx'
- )
- ),
 'system_nginx_php_backend' => array(
 'label' => $lng['serversettings']['nginx_php_backend'],
 'settinggroup' => 'system',
diff --git a/admin_domains.php b/admin_domains.php
index 5b2b31a5..7c05f08a 100644
--- a/admin_domains.php
+++ b/admin_domains.php
@@ -590,6 +590,8 @@ if ($page == 'domains' || $page == 'overview') {
 }
 }
+ $http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
+
 // HSTS
 $hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
 $hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
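Review bot: The flag read on the added line `$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;` is accepted no matter what the new global `system.http2_support` switch says, and the nginx and apache cron code in this commit emits `listen ... http2` / `Protocols h2 http/1.1` for a domain vhost from the domain flag alone, so an admin can push a directive the operator has declared unsupported (nginx before 1.9.5, Apache before 2.4.17 according to the lng text) and the next reload fails its config test with every vhost on that server down. Gate it at the boundary: `$http2 = Settings::Get('system.http2_support') == '1' && isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;`. The identical read in the edit path further down in this file needs the same guard. The enclosing `if ($page == 'domains' ...)` block starts and ends outside the hunk.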
@@ -601,6 +603,7 @@ if ($page == 'domains' || $page == 'overview') {
 } else {
 $ssl_redirect = 0;
 $letsencrypt = 0;
+ $http2 = 0;
 // we need this for the serialize
 // if ssl is disabled or no ssl-ip/port exists
 $ssl_ipandports[] = - 1;
@@ -616,6 +619,7 @@ if ($page == 'domains' || $page == 'overview') {
 } else {
 $ssl_redirect = 0;
 $letsencrypt = 0;
+ $http2 = 0;
 // we need this for the serialize
 // if ssl is disabled or no ssl-ip/port exists
 $ssl_ipandports[] = - 1;
@@ -796,10 +800,11 @@ if ($page == 'domains' || $page == 'overview') {
 'termination_date' => $termination_date,
 'issubof' => $issubof,
 'letsencrypt' => $letsencrypt,
+ 'http2' => $http2,
 'hsts_maxage' => $hsts_maxage,
 'hsts_sub' => $hsts_sub,
 'hsts_preload' => $hsts_preload,
- 'ocsp_stapling' => $ocsp_stapling,
+ 'ocsp_stapling' => $ocsp_stapling
 );
 $security_questions = array(
@@ -849,10 +854,11 @@ if ($page == 'domains' || $page == 'overview') {
 'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
 'ismainbutsubto' => $issubof,
 'letsencrypt' => $letsencrypt,
+ 'http2' => $http2,
 'hsts' => $hsts_maxage,
 'hsts_sub' => $hsts_sub,
 'hsts_preload' => $hsts_preload,
- 'ocsp_stapling' => $ocsp_stapling,
+ 'ocsp_stapling' => $ocsp_stapling
 );
 $ins_stmt = Database::prepare("
@@ -887,6 +893,7 @@ if ($page == 'domains' || $page == 'overview') {
 `mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
 `ismainbutsubto` = :ismainbutsubto,
 `letsencrypt` = :letsencrypt,
+ `http2` = :http2,
 `hsts` = :hsts,
 `hsts_sub` = :hsts_sub,
 `hsts_preload` = :hsts_preload,
@@ -1428,6 +1435,8 @@ if ($page == 'domains' || $page == 'overview') {
 $letsencrypt = (int) $_POST['letsencrypt'];
 }
+ $http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
+
 // HSTS
 $hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
 $hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
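Review bot: The `$http2` handling in these hunks is pure duplication: the POST parse in the last hunk is byte-for-byte the one from the add path, and `$http2 = 0;` is pasted into two more else branches here, so any later validation (for instance honoring `system.http2_support`, which neither copy does) has to be found and applied in every copy. Computing the flag once at the point where the SSL decision is made, next to where `$letsencrypt` is reset, would remove the repeated resets and leave a single line to guard. The first reset deserves a comment of its own, `// HTTP/2 is only emitted for TLS vhosts, so it is forced off without an SSL ip/port`, because the existing `// we need this for the serialize` line below it appears to refer to `$ssl_ipandports`, not to this flag. The enclosing `if ($page == 'domains' ...)` block starts and ends outside these hunks.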
@@ -1465,6 +1474,7 @@ if ($page == 'domains' || $page == 'overview') {
 } else {
 $ssl_redirect = 0;
 $letsencrypt = 0;
+ $http2 = 0;
 // we need this for the serialize
 // if ssl is disabled or no ssl-ip/port exists
 $ssl_ipandports[] = - 1;
@@ -1480,6 +1490,7 @@ if ($page == 'domains' || $page == 'overview') {
 } else {
 $ssl_redirect = 0;
 $letsencrypt = 0;
+ $http2 = 0;
 // we need this for the serialize
 // if ssl is disabled or no ssl-ip/port exists
 $ssl_ipandports[] = - 1;
@@ -1634,10 +1645,11 @@ if ($page == 'domains' || $page == 'overview') {
 'ipandport' => serialize($ipandports),
 'ssl_ipandport' => serialize($ssl_ipandports),
 'letsencrypt' => $letsencrypt,
+ 'http2' => $http2,
 'hsts_maxage' => $hsts_maxage,
 'hsts_sub' => $hsts_sub,
 'hsts_preload' => $hsts_preload,
- 'ocsp_stapling' => $ocsp_stapling,
+ 'ocsp_stapling' => $ocsp_stapling
 );
 $security_questions = array(
@@ -1672,6 +1684,7 @@ if ($page == 'domains' || $page == 'overview') {
 $email_only != $result['email_only'] ||
 ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
 $letsencrypt != $result['letsencrypt'] ||
+ $http2 != $result['http2'] ||
 $hsts_maxage != $result['hsts'] ||
 $hsts_sub != $result['hsts_sub'] ||
 $hsts_preload != $result['hsts_preload'] ||
@@ -1828,6 +1841,7 @@ if ($page == 'domains' || $page == 'overview') {
 $update_data['termination_date'] = $termination_date;
 $update_data['ismainbutsubto'] = $issubof;
 $update_data['letsencrypt'] = $letsencrypt;
+ $update_data['http2'] = $http2;
 $update_data['hsts'] = $hsts_maxage;
 $update_data['hsts_sub'] = $hsts_sub;
 $update_data['hsts_preload'] = $hsts_preload;
@@ -1861,6 +1875,7 @@ if ($page == 'domains' || $page == 'overview') {
 `termination_date` = :termination_date,
 `ismainbutsubto` = :ismainbutsubto,
 `letsencrypt` = :letsencrypt,
+ `http2` = :http2,
 `hsts` = :hsts,
 `hsts_sub` = :hsts_sub,
 `hsts_preload` = :hsts_preload,
diff --git a/install/froxlor.sql b/install/froxlor.sql
index d3069621..f1b896da 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -258,6 +258,7 @@ CREATE TABLE `panel_domains` (
 `hsts_sub` tinyint(1) NOT NULL default '0',
 `hsts_preload` tinyint(1) NOT NULL default '0',
 `ocsp_stapling` tinyint(1) DEFAULT '0',
+ `http2` tinyint(1) DEFAULT '0',
 PRIMARY KEY (`id`),
 KEY `customerid` (`customerid`),
 KEY `parentdomain` (`parentdomainid`),
@@ -500,7 +501,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 ('system', 'ssl_cert_chainfile', ''),
 ('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
 ('system', 'nginx_php_backend', '127.0.0.1:8888'),
- ('system', 'nginx_http2_support', '0'),
+ ('system', 'http2_support', '0'),
 ('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
 ('system', 'phpreload_command', ''),
 ('system', 'apache24', '0'),
@@ -585,7 +586,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 ('panel', 'password_special_char', '!?<>§$%+#=@'),
 ('panel', 'customer_hide_options', ''),
 ('panel', 'version', '0.9.38.7'),
- ('panel', 'db_version', '201705050');
+ ('panel', 'db_version', '201708240');
 DROP TABLE IF EXISTS `panel_tasks`;
diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
index 1701f8be..b8d6f495 100644
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
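Review bot: The new column is nullable here, `` `http2` tinyint(1) DEFAULT '0' ``, while the upgrade step in update_0.9.inc.php in this same commit creates it as `NOT NULL DEFAULT '0'`, so fresh installs and upgraded installs end up with different schemas and only the fresh one can hold NULL where admin_domains.php compares `$http2 != $result['http2']` loosely. Match the migration and the neighbouring `hsts_*` columns: `` `http2` tinyint(1) NOT NULL default '0', ``. The CREATE TABLE statement starts and ends outside the hunk.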
@@ -3617,3 +3617,19 @@ if (isDatabaseVersion('201704100')) {
 updateToDbVersion('201705050');
 }
+
+if (isDatabaseVersion('201705050')) {
+
+ showUpdateStep("Updating HTTP2 setting");
+ if (Settings::Get('system.nginx_http2_support') != null) {
+ Database::query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `varname` = 'http2_support' WHERE `varname` = 'nginx_http2_support';");
+ } else {
+ Settings::AddNew('system.http2_support', 0);
+ }
+ lastStepStatus(0);
+ showUpdateStep("Adding domain field for HTTP2 stapling");
+ Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `http2` TINYINT(1) NOT NULL DEFAULT '0';");
+ lastStepStatus(0);
+
+ updateToDbVersion('201708240');
+}
diff --git a/lib/formfields/admin/domains/formfield.domains_add.php b/lib/formfields/admin/domains/formfield.domains_add.php
index 988c496f..1976b034 100644
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -173,6 +173,19 @@ return array(
 ),
 'value' => array()
 ),
+ 'http2' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
+ 'label' => $lng['admin']['domain_http2']['title'],
+ 'desc' => $lng['admin']['domain_http2']['description'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array (
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array()
+ ),
 'no_ssl_available_info' => array(
 'visible' => ($ssl_ipsandports == '' ? true : false),
 'label' => 'SSL',
diff --git a/lib/formfields/admin/domains/formfield.domains_edit.php b/lib/formfields/admin/domains/formfield.domains_edit.php
index e351c8da..d668aa9d 100644
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
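Review bot: The migration renames the setting but never seeds the new per-domain column, and the nginx cron in this commit now reads only `$domain['http2']` for domain vhosts, so an nginx installation that had `nginx_http2_support = 1` silently loses HTTP/2 on every SSL vhost at the first config rebuild after upgrading. Capture the old value before the rename, `$old_http2 = Settings::Get('system.nginx_http2_support');`, and after the ALTER seed the column when it was on: `` if ($old_http2 == '1' && Settings::Get('system.webserver') == 'nginx') { Database::query("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `http2` = '1';"); } `` (apache is left out because the old flag never affected it). The step label `"Adding domain field for HTTP2 stapling"` is a copy-paste from the OCSP step; `"Adding per-domain HTTP2 field"` says what the ALTER does. The `!= null` test only works for a stored `'0'` because PHP compares it against null as a string, so an explicit `!== null` would be less fragile.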
@@ -207,6 +207,21 @@ return array(
 $result['letsencrypt']
 )
 ),
+ 'http2' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
+ 'label' => $lng['admin']['domain_http2']['title'],
+ 'desc' => $lng['admin']['domain_http2']['description'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array (
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ $result['http2']
+ )
+ ),
 'no_ssl_available_info' => array(
 'visible' => ($ssl_ipsandports == '' ? true : false),
 'label' => 'SSL',
diff --git a/lib/version.inc.php b/lib/version.inc.php
index 7d67b9da..187d99b3 100644
--- a/lib/version.inc.php
+++ b/lib/version.inc.php
@@ -19,7 +19,7 @@ $version = '0.9.38.7';
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201705050';
+$dbversion = '201708240';
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
diff --git a/lng/english.lng.php b/lng/english.lng.php
index bfd981f8..1fb24970 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2063,8 +2063,8 @@ $lng['admin']['domain_hsts_incsub']['description'] = 'The optional "includeSubDo
 $lng['admin']['domain_hsts_preload']['title'] = 'Include domain in HSTS preload list';
 $lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.
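Review bot: The visibility test on the new `'http2'` field only excludes lighttpd, so the checkbox is offered on every apache2 installation without `system.apache24` (where the cron in this commit emits nothing for it) and on any installation whose operator left the new `system.http2_support` switch off, which the domain handler does not check either. Tie the form to the switch so the UI matches the backend: `'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.http2_support') == '1' && Settings::Get('system.webserver') != 'lighttpd',`, and the same line in formfield.domains_add.php. The description string `'See Wikipedia for a detailed explanation of HTTP2'` tells an admin nothing about what the checkbox changes; something like `'Serve this domain over HTTP/2 on its SSL vhost (requires a webserver with HTTP/2 support)'` would. The enclosing `return array(` starts and ends outside the hunk.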
Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.
Please read the details at hstspreload.appspot.com/#removal before sending the header with "preload".';
-$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
-$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
+$lng['serversettings']['http2_support']['title'] = 'HTTP2 Support';
+$lng['serversettings']['http2_support']['description'] = 'enable HTTP2 support for ssl.
ENABLE ONLY IF YOUR WEBSERVER SUPPORTS THIS FEATURE (nginx version 1.9.5+, apache2 version 2.4.17+)';
 $lng['error']['noipportgiven'] = 'No IP/port given';
@@ -2076,3 +2076,5 @@ $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4
 $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';
 $lng['serversettings']['nssextrausers']['title'] = 'Use libnss-extrausers instead of libnss-mysql';
 $lng['serversettings']['nssextrausers']['description'] = 'Do not read users from the database but from files. Please only activate if you have already gone through the required configuration steps (system -> libnss-extrausers).
For Debian/Ubuntu only (or if you have compiled libnss-extrausers yourself!)';
+$lng['admin']['domain_http2']['title'] = 'HTTP2 support';
+$lng['admin']['domain_http2']['description'] = 'See Wikipedia for a detailed explanation of HTTP2';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 761fdac5..df6f0bf6 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1714,8 +1714,8 @@ $lng['admin']['domain_hsts_incsub']['description'] = 'Die optionale "includeSubD
 $lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die HSTS preload Liste hinzu';
 $lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.
Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.
Beachte Details unter hstspreload.appspot.com/#removal bevor ein Header mit "preload" gesendet wird.';
-$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstützung';
-$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
+$lng['serversettings']['http2_support']['title'] = 'HTTP2 Unterstützung';
+$lng['serversettings']['http2_support']['description'] = 'Aktiviere HTTP2 Unterstützung für SSL.
NUR AKTIVIEREN, WENN DER WEBSERVER DIESE FUNKTION UNTERSTÜTZT (nginx version 1.9.5+, apache2 version 2.4.17+)';
 $lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';
@@ -1727,3 +1727,5 @@ $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4
 $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,
die an TLS-Handshakes angehängt werden.';
 $lng['serversettings']['nssextrausers']['title'] = 'Verwende libnss-extrausers anstatt libnss-mysql';
 $lng['serversettings']['nssextrausers']['description'] = 'Lese Benutzer nicht direkt aus der Datenbank sondern über Dateien, bitte nur aktivieren, wenn die entsprechende Konfiguration vorgenommen wurde (System -> libnss-extrausers).
Nur für Debian/Ubuntu (oder wenn libnss-extrausers manuell kompiliert wurde!)';
+$lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
+$lng['admin']['domain_http2']['description'] = 'Siehe Wikipedia für eine ausführliche Beschreibung von HTTP2';
diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php
index 8440d005..98d1ed17 100644
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -434,6 +434,9 @@ class apache extends HttpConfigBase
 $this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 if (Settings::Get('system.apache24') == '1') {
+ if (Settings::Get('system.http2_support') == '1') {
+ $this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
+ }
 $this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
 }
 // this makes it more secure, thx to Marcel (08/2013)
@@ -869,6 +872,9 @@ class apache extends HttpConfigBase
 $vhost_content .= ' SSLEngine On' . "\n";
 $vhost_content .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 if (Settings::Get('system.apache24') == '1') {
+ if (isset($domain['http2']) && $domain['http2'] == '1') {
+ $vhost_content .= ' Protocols h2 http/1.1' . "\n";
+ }
 $vhost_content .= ' SSLCompression Off' . "\n";
 }
 // this makes it more secure, thx to Marcel (08/2013)
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index 20d3dbc8..bc7f23fc 100644
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
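Review bot: The two `Protocols h2 http/1.1` emitters are gated differently: the ip/port vhost in the first hunk checks only the global `system.http2_support`, the domain vhost in the second checks only `$domain['http2']`, so a domain flag set while the global switch is off still writes `Protocols` into the domain vhost, and on Apache 2.4 builds before 2.4.17 (the minimum the lng text names) that is an unknown directive that fails the config test and takes every site on the host offline at the next reload. Require both in the second hunk: `if (Settings::Get('system.http2_support') == '1' && isset($domain['http2']) && $domain['http2'] == '1') {`. A short comment above the directive would also help operators reading the generated vhost, e.g. `// h2 is only negotiated over TLS 1.2 with RFC 7540-compliant ciphers; with TLSv1 still allowed above, older clients silently stay on http/1.1`. Both enclosing methods start and end outside their hunks.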
@@ -196,7 +196,7 @@ class nginx extends HttpConfigBase
 }
 }
- $http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+ $http2 = $ssl_vhost == true && Settings::Get('system.http2_support') == '1';
 /**
 * this HAS to be set for the default host in nginx or else no vhost will work
@@ -418,7 +418,7 @@ class nginx extends HttpConfigBase
 $_vhost_content .= $this->processSpecialConfigTemplate($ipandport['default_vhostconf_domain'], $domain, $domain['ip'], $domain['port'], $ssl_vhost) . "\n";
 }
- $http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+ $http2 = $ssl_vhost == true && (isset($domain['http2']) && $domain['http2'] == '1');
 $vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
 }
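Review bot: The `http2` token that the second hunk now derives from `$domain['http2']` is not a per-domain switch in nginx, as far as I recall: the `http2` parameter of `listen` is a property of the ip:port socket, so once one SSL server block on an address carries `listen ... ssl http2`, HTTP/2 is negotiated for every SSL server on that address whatever their own flag says, and at the same time the global `system.http2_support` no longer plays any part in domain vhosts, so a domain flag still emits `http2` for an nginx the operator marked as too old (pre-1.9.5 per the lng text) and `nginx -t` fails on the next rebuild. Require the global switch as well, `$http2 = $ssl_vhost == true && Settings::Get('system.http2_support') == '1' && isset($domain['http2']) && $domain['http2'] == '1';`, and put a comment above it, `// note: nginx applies the http2 listen parameter to the whole ip:port, not only to this server block`. Because the new column defaults to 0 and the migration does not seed it, upgraded nginx installations drop HTTP/2 on all domains until each one is re-enabled by hand. Both enclosing methods start and end outside their hunks.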