add OCSP stapling support for apache2 and nginx

This commit is contained in:
Daniel Reichelt
2017-04-11 17:09:34 +02:00
parent d4cd827284
commit ec1bd6e19a
12 changed files with 160 additions and 12 deletions


@@ -79,6 +79,18 @@ return array(
'default' => '', 'default' => '',
'save_method' => 'storeSettingField' 'save_method' => 'storeSettingField'
), ),
'system_apache24_ocsp_cache_path' => array(
'label' => $lng['serversettings']['ssl']['apache24_ocsp_cache_path'],
'settinggroup' => 'system',
'varname' => 'apache24_ocsp_cache_path',
'type' => 'string',
'string_type' => 'string',
'string_emptyallowed' => false,
'default' => '',
'visible' => Settings::Get('system.webserver') == "apache2" &&
Settings::Get('system.apache24') == 1,
'save_method' => 'storeSettingField'
),
'system_leenabled' => array( 'system_leenabled' => array(
'label' => $lng['serversettings']['leenabled'], 'label' => $lng['serversettings']['leenabled'],
'settinggroup' => 'system', 'settinggroup' => 'system',
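Review bot: The new `system_apache24_ocsp_cache_path` entry is declared as a free-form string, yet its value is emitted verbatim as the argument of `SSLStaplingCache` in the apache config writer later in this commit, so any stray whitespace, newline or unsupported cache type an admin saves here makes Apache reject the next config reload. Consider validating the value on save against the `type:path(size)` form mod_ssl accepts (a `shmcb:` or `dbm:` prefix), or at least state that constraint in the setting's description text. The `'visible'` expression compares against `"apache2"` in double quotes while the rest of the commit uses `'apache2'`; a style nit, but worth aligning.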


@@ -595,6 +595,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0; $hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0; $hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
// OCSP stapling
$ocsp_stapling = isset($_POST['ocsp_stapling']) && (int)$_POST['ocsp_stapling'] == 1 ? 1 : 0;
} else { } else {
$ssl_redirect = 0; $ssl_redirect = 0;
$letsencrypt = 0; $letsencrypt = 0;
@@ -606,6 +609,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_maxage = 0; $hsts_maxage = 0;
$hsts_sub = 0; $hsts_sub = 0;
$hsts_preload = 0; $hsts_preload = 0;
// OCSP stapling
$ocsp_stapling = 0;
} }
} else { } else {
$ssl_redirect = 0; $ssl_redirect = 0;
@@ -618,6 +624,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_maxage = 0; $hsts_maxage = 0;
$hsts_sub = 0; $hsts_sub = 0;
$hsts_preload = 0; $hsts_preload = 0;
// OCSP stapling
$ocsp_stapling = 0;
} }
// We can't enable let's encrypt for wildcard - domains // We can't enable let's encrypt for wildcard - domains
@@ -789,7 +798,8 @@ if ($page == 'domains' || $page == 'overview') {
'letsencrypt' => $letsencrypt, 'letsencrypt' => $letsencrypt,
'hsts_maxage' => $hsts_maxage, 'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub, 'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload 'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
); );
$security_questions = array( $security_questions = array(
@@ -841,7 +851,8 @@ if ($page == 'domains' || $page == 'overview') {
'letsencrypt' => $letsencrypt, 'letsencrypt' => $letsencrypt,
'hsts' => $hsts_maxage, 'hsts' => $hsts_maxage,
'hsts_sub' => $hsts_sub, 'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload 'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
); );
$ins_stmt = Database::prepare(" $ins_stmt = Database::prepare("
@@ -878,7 +889,8 @@ if ($page == 'domains' || $page == 'overview') {
`letsencrypt` = :letsencrypt, `letsencrypt` = :letsencrypt,
`hsts` = :hsts, `hsts` = :hsts,
`hsts_sub` = :hsts_sub, `hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload `hsts_preload` = :hsts_preload,
`ocsp_stapling` = :ocsp_stapling
"); ");
Database::pexecute($ins_stmt, $ins_data); Database::pexecute($ins_stmt, $ins_data);
$domainid = Database::lastInsertId(); $domainid = Database::lastInsertId();
@@ -1421,6 +1433,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0; $hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0; $hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
// OCSP stapling
$ocsp_stapling = isset($_POST['ocsp_stapling']) && (int)$_POST['ocsp_stapling'] == 1 ? 1 : 0;
$ssl_ipandports = array(); $ssl_ipandports = array();
if (isset($_POST['ssl_ipandport']) && ! is_array($_POST['ssl_ipandport'])) { if (isset($_POST['ssl_ipandport']) && ! is_array($_POST['ssl_ipandport'])) {
$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']); $_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
@@ -1458,6 +1473,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_maxage = 0; $hsts_maxage = 0;
$hsts_sub = 0; $hsts_sub = 0;
$hsts_preload = 0; $hsts_preload = 0;
// OCSP stapling
$ocsp_stapling = 0;
} }
} else { } else {
$ssl_redirect = 0; $ssl_redirect = 0;
@@ -1470,6 +1488,9 @@ if ($page == 'domains' || $page == 'overview') {
$hsts_maxage = 0; $hsts_maxage = 0;
$hsts_sub = 0; $hsts_sub = 0;
$hsts_preload = 0; $hsts_preload = 0;
// OCSP stapling
$ocsp_stapling = 0;
} }
// We can't enable let's encrypt for wildcard domains // We can't enable let's encrypt for wildcard domains
@@ -1615,7 +1636,8 @@ if ($page == 'domains' || $page == 'overview') {
'letsencrypt' => $letsencrypt, 'letsencrypt' => $letsencrypt,
'hsts_maxage' => $hsts_maxage, 'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub, 'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload 'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
); );
$security_questions = array( $security_questions = array(
@@ -1634,7 +1656,27 @@ if ($page == 'domains' || $page == 'overview') {
$wwwserveralias = ($serveraliasoption == '1') ? '1' : '0'; $wwwserveralias = ($serveraliasoption == '1') ? '1' : '0';
$iswildcarddomain = ($serveraliasoption == '0') ? '1' : '0'; $iswildcarddomain = ($serveraliasoption == '0') ? '1' : '0';
if ($documentroot != $result['documentroot'] || $ssl_redirect != $result['ssl_redirect'] || $wwwserveralias != $result['wwwserveralias'] || $iswildcarddomain != $result['iswildcarddomain'] || $phpenabled != $result['phpenabled'] || $openbasedir != $result['openbasedir'] || $phpsettingid != $result['phpsettingid'] || $mod_fcgid_starter != $result['mod_fcgid_starter'] || $mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] || $specialsettings != $result['specialsettings'] || $aliasdomain != $result['aliasdomain'] || $issubof != $result['ismainbutsubto'] || $email_only != $result['email_only'] || ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') || $letsencrypt != $result['letsencrypt'] || $hsts_maxage != $result['hsts'] || $hsts_sub != $result['hsts_sub'] || $hsts_preload != $result['hsts_preload']) { if (
$documentroot != $result['documentroot'] ||
$ssl_redirect != $result['ssl_redirect'] ||
$wwwserveralias != $result['wwwserveralias'] ||
$iswildcarddomain != $result['iswildcarddomain'] ||
$phpenabled != $result['phpenabled'] ||
$openbasedir != $result['openbasedir'] ||
$phpsettingid != $result['phpsettingid'] ||
$mod_fcgid_starter != $result['mod_fcgid_starter'] ||
$mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] ||
$specialsettings != $result['specialsettings'] ||
$aliasdomain != $result['aliasdomain'] ||
$issubof != $result['ismainbutsubto'] ||
$email_only != $result['email_only'] ||
($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
$letsencrypt != $result['letsencrypt'] ||
$hsts_maxage != $result['hsts'] ||
$hsts_sub != $result['hsts_sub'] ||
$hsts_preload != $result['hsts_preload'] ||
$ocsp_stapling != $result['ocsp_stapling']
) {
inserttask('1'); inserttask('1');
} }
@@ -1789,6 +1831,7 @@ if ($page == 'domains' || $page == 'overview') {
$update_data['hsts'] = $hsts_maxage; $update_data['hsts'] = $hsts_maxage;
$update_data['hsts_sub'] = $hsts_sub; $update_data['hsts_sub'] = $hsts_sub;
$update_data['hsts_preload'] = $hsts_preload; $update_data['hsts_preload'] = $hsts_preload;
$update_data['ocsp_stapling'] = $ocsp_stapling;
$update_data['id'] = $id; $update_data['id'] = $id;
$update_stmt = Database::prepare(" $update_stmt = Database::prepare("
@@ -1820,7 +1863,8 @@ if ($page == 'domains' || $page == 'overview') {
`letsencrypt` = :letsencrypt, `letsencrypt` = :letsencrypt,
`hsts` = :hsts, `hsts` = :hsts,
`hsts_sub` = :hsts_sub, `hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload `hsts_preload` = :hsts_preload,
`ocsp_stapling` = :ocsp_stapling
WHERE `id` = :id WHERE `id` = :id
"); ");
Database::pexecute($update_stmt, $update_data); Database::pexecute($update_stmt, $update_data);
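Review bot: The checkbox is parsed with the identical `isset($_POST['ocsp_stapling']) && (int)$_POST['ocsp_stapling'] == 1 ? 1 : 0` expression in the hunks at @@ -595 and @@ -1421 and zeroed in four more branches, continuing the copy-and-paste pattern already used for `hsts_sub` and `hsts_preload`; a small private helper that turns a POSTed checkbox into `0`/`1` would make all six sites one line and stop the next flag from being added by hand again. Nothing server-side mirrors the form's visibility rule, so a `1` is stored even when the configured webserver ignores it; that is consistent with the existing flags, but it means a later switch of `system.webserver` silently activates stapling. Unrelated to this change but visible in the @@ -1421 context: `unserialize($_POST['ssl_ipandport'])` deserialises request data, and a plain array parameter or `json_decode` would avoid object instantiation from client input. All of these hunks sit inside the long `if ($page == 'domains' || $page == 'overview')` block that starts and ends outside the view.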


@@ -257,6 +257,7 @@ CREATE TABLE `panel_domains` (
`hsts` varchar(10) NOT NULL default '0', `hsts` varchar(10) NOT NULL default '0',
`hsts_sub` tinyint(1) NOT NULL default '0', `hsts_sub` tinyint(1) NOT NULL default '0',
`hsts_preload` tinyint(1) NOT NULL default '0', `hsts_preload` tinyint(1) NOT NULL default '0',
`ocsp_stapling` tinyint(1) DEFAULT '0',
PRIMARY KEY (`id`), PRIMARY KEY (`id`),
KEY `customerid` (`customerid`), KEY `customerid` (`customerid`),
KEY `parentdomain` (`parentdomainid`), KEY `parentdomain` (`parentdomainid`),
@@ -503,6 +504,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'), ('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
('system', 'phpreload_command', ''), ('system', 'phpreload_command', ''),
('system', 'apache24', '0'), ('system', 'apache24', '0'),
('system', 'apache24_ocsp_cache_path', 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)'),
('system', 'documentroot_use_default_value', '0'), ('system', 'documentroot_use_default_value', '0'),
('system', 'passwordcryptfunc', '3'), ('system', 'passwordcryptfunc', '3'),
('system', 'axfrservers', ''), ('system', 'axfrservers', ''),
@@ -582,7 +584,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char', '!?<>§$%+#=@'), ('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''), ('panel', 'customer_hide_options', ''),
('panel', 'version', '0.9.38.7'), ('panel', 'version', '0.9.38.7'),
('panel', 'db_version', '201612110'); ('panel', 'db_version', '201704100');
DROP TABLE IF EXISTS `panel_tasks`; DROP TABLE IF EXISTS `panel_tasks`;
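Review bot: The fresh-install schema declares the new column as `` `ocsp_stapling` tinyint(1) DEFAULT '0' `` (nullable), whereas the upgrade path in the @@ -3593 hunk of the update script adds it as `TINYINT(1) NOT NULL DEFAULT '0'`, and every neighbouring flag here (`hsts_sub`, `hsts_preload`) is `NOT NULL`; the two paths therefore produce different schemas. Use `` `ocsp_stapling` tinyint(1) NOT NULL default '0', `` here so a NULL can never reach the `isset(...) && ... == '1'` checks in the webserver classes, and so future migrations do not have to special-case installs versus upgrades.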


@@ -3593,3 +3593,17 @@ if (isFroxlorVersion('0.9.38.6')) {
showUpdateStep("Updating from 0.9.38.6 to 0.9.38.7", false); showUpdateStep("Updating from 0.9.38.6 to 0.9.38.7", false);
updateToVersion('0.9.38.7'); updateToVersion('0.9.38.7');
} }
if (isDatabaseVersion('201612110')) {
showUpdateStep("Adding field for OCSP stapling");
Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS .
"` ADD `ocsp_stapling` TINYINT(1) NOT NULL DEFAULT '0';");
lastStepStatus(0);
showUpdateStep("Adding default setting for Apache 2.4 OCSP cache path");
Settings::AddNew('system.apache24_ocsp_cache_path', 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)');
lastStepStatus(0);
updateToDbVersion('201704100');
}


@@ -33,7 +33,8 @@ class WebserverBase {
`c`.`documentroot` AS `customerroot`, `c`.`deactivated`, `c`.`documentroot` AS `customerroot`, `c`.`deactivated`,
`c`.`phpenabled` AS `phpenabled_customer`, `c`.`phpenabled` AS `phpenabled_customer`,
`d`.`phpenabled` AS `phpenabled_vhost`, `d`.`phpenabled` AS `phpenabled_vhost`,
`d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests` `d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests`,
`d`.`ocsp_stapling`
FROM `".TABLE_PANEL_DOMAINS."` `d` FROM `".TABLE_PANEL_DOMAINS."` `d`
LEFT JOIN `".TABLE_PANEL_CUSTOMERS."` `c` USING(`customerid`) LEFT JOIN `".TABLE_PANEL_CUSTOMERS."` `c` USING(`customerid`)


@@ -213,7 +213,24 @@ return array(
) )
), ),
'value' => array() 'value' => array()
) ),
'ocsp_stapling' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) &&
Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_ocsp_stapling']['title'],
'desc' => $lng['admin']['domain_ocsp_stapling']['description'] .
(Settings::Get('system.webserver') == 'nginx' ?
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] :
""),
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array()
),
) )
), ),
'section_c' => array( 'section_c' => array(
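Review bot: `($ssl_ipsandports != '' ? true : false) && ...` in the new `'visible'` entry is a ternary that only re-creates the boolean it tests; `'visible' => $ssl_ipsandports != '' && Settings::Get('system.webserver') != 'lighttpd',` reads the same and is what the comparison already yields. The identical block is repeated in the edit form (hunk @@ -251 of the next file), differing only in the `'value'` element, so the same cleanup applies there. The nginx version warning appended to `'desc'` is informational only: nothing server-side prevents enabling the option on an nginx older than 1.3.7, which the warning itself says will fail to start, so if the version can be detected that guard belongs in the config writer rather than in help text.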


@@ -251,7 +251,26 @@ return array(
'value' => array( 'value' => array(
$result['hsts_preload'] $result['hsts_preload']
) )
) ),
'ocsp_stapling' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) &&
Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_ocsp_stapling']['title'],
'desc' => $lng['admin']['domain_ocsp_stapling']['description'] .
(Settings::Get('system.webserver') == 'nginx' ?
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] :
""),
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array(
$result['ocsp_stapling']
)
),
) )
), ),
'section_c' => array( 'section_c' => array(


@@ -19,7 +19,7 @@
$version = '0.9.38.7'; $version = '0.9.38.7';
// Database version (YYYYMMDDC where C is a daily counter) // Database version (YYYYMMDDC where C is a daily counter)
$dbversion = '201612110'; $dbversion = '201704100';
// Distribution branding-tag (used for Debian etc.) // Distribution branding-tag (used for Debian etc.)
$branding = ''; $branding = '';


@@ -2067,3 +2067,10 @@ $lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)'; $lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
$lng['error']['noipportgiven'] = 'No IP/port given'; $lng['error']['noipportgiven'] = 'No IP/port given';
// Added in froxlor 0.9.38.8
$lng['admin']['domain_ocsp_stapling']['title'] = 'OCSP stapling';
$lng['admin']['domain_ocsp_stapling']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/OCSP_stapling">Wikipedia</a> for a detailed explanation of OCSP stapling';
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] = '<br /><strong class="red">WARNING:</strong> Nginx version 1.3.7 or above is required for OCSP stapling. If your version is older, the webserver will NOT start correctly while OCSP stapling is enabled!';
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4: path to the OCSP stapling cache';
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';


@@ -1718,3 +1718,10 @@ $lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstüt
$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)'; $lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
$lng['error']['noipportgiven'] = 'Keine IP/Port angegeben'; $lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';
// Added in froxlor 0.9.38.8
$lng['admin']['domain_ocsp_stapling']['title'] = 'OCSP stapling';
$lng['admin']['domain_ocsp_stapling']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Online_Certificate_Status_Protocol_stapling">Wikipedia</a> für eine ausführliche Beschreibung von OCSP-Stapling';
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] = '<br /><strong class="red">WARNUNG:</strong> Nginx unterstützt OCSP-Stapling erst ab Version 1.3.7. Wenn Ihre Version älter ist, wird der Webserver bei aktiviertem OCSP-Stapling NICHT korrekt starten.';
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4: Pfad zum OCSP-Stapling-Cache';
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,<br />die an TLS-Handshakes angehängt werden.';


@@ -107,6 +107,17 @@ class apache extends HttpConfigBase
} }
$this->virtualhosts_data[$vhosts_filename] .= ' </Directory>' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' </Directory>' . "\n";
} }
$ocsp_cache_filename = makeCorrectFile($vhosts_folder . '/03_froxlor_ocsp_cache.conf');
if (Settings::Get('system.use_ssl') == '1' && Settings::Get('system.apache24') == 1) {
$this->virtualhosts_data[$ocsp_cache_filename] = 'SSLStaplingCache ' .
Settings::Get('system.apache24_ocsp_cache_path') . "\n";
} else {
if (file_exists($ocsp_cache_filename)) {
$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'apache::_createStandardDirectoryEntry: unlinking ' . basename($ocsp_cache_filename));
unlink(makeCorrectFile($ocsp_cache_filename));
}
}
} }
/** /**
@@ -878,6 +889,12 @@ class apache extends HttpConfigBase
$vhost_content .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n"; $vhost_content .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
} }
if (Settings::Get('system.apache24') == '1' && isset($domain['ocsp_stapling']) &&
$domain['ocsp_stapling'] == '1')
{
$vhost_content .= ' SSLUseStapling on' . PHP_EOL;
}
if ($domain['hsts'] >= 0) { if ($domain['hsts'] >= 0) {
$vhost_content .= ' <IfModule mod_headers.c>' . "\n"; $vhost_content .= ' <IfModule mod_headers.c>' . "\n";
$vhost_content .= ' Header always set Strict-Transport-Security "max-age=' . $domain['hsts']; $vhost_content .= ' Header always set Strict-Transport-Security "max-age=' . $domain['hsts'];
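Review bot: `SSLUseStapling on` in the @@ -878 hunk is emitted without `SSLStaplingReturnResponderErrors off`; with mod_ssl's default of `on`, a temporary OCSP responder outage gets stapled as an error response and TLS clients then abort the handshake, so the availability of every stapling-enabled vhost becomes coupled to the CA's responder. Add `$vhost_content .= '  SSLStaplingReturnResponderErrors off' . PHP_EOL;` and `$vhost_content .= '  SSLStaplingResponderTimeout 5' . PHP_EOL;` next to the new directive (the timeout value is a suggestion, tune as needed). The new line mixes `PHP_EOL` with the `"\n"` used on every surrounding line of this method, and in the first hunk `unlink(makeCorrectFile($ocsp_cache_filename))` re-normalises a path that was already passed through `makeCorrectFile()` three lines earlier. The method containing the first hunk (named `_createStandardDirectoryEntry` in its own log message) and the vhost-building method both begin outside the hunks.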


@@ -634,6 +634,14 @@ class nginx extends HttpConfigBase
} }
$sslsettings .= '";' . "\n"; $sslsettings .= '";' . "\n";
} }
if ((isset($domain_or_ip['ocsp_stapling']) && $domain_or_ip['ocsp_stapling'] == "1") ||
(isset($domain_or_ip['letsencrypt']) && $domain_or_ip['letsencrypt'] == "1") ) {
$sslsettings .= "\t" . 'ssl_stapling on;' . "\n";
$sslsettings .= "\t" . 'ssl_stapling_verify on;' . "\n";
$sslsettings .= "\t" . 'ssl_trusted_certificate ' .
makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
}
} }
} }
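Review bot: `ssl_trusted_certificate` is pointed at `$domain_or_ip['ssl_cert_file']`, but `ssl_stapling_verify on` needs the issuer chain to validate the OCSP response; unless that file happens to be a full-chain bundle, nginx will log a verification warning and quietly serve no stapled response, so the feature appears enabled while doing nothing. The domain record already carries a `ssl_cert_chainfile` (the apache hunk in this commit reads it), so prefer it when set, as sketched below. The `|| letsencrypt == "1"` clause also switches stapling on for every Let's Encrypt domain regardless of the checkbox, which the new form text says breaks nginx older than 1.3.7 — either drop that clause or reflect the forced state in the UI. Presumably a global `resolver` directive is configured elsewhere for nginx to reach the responder; if not, stapling stays off with a warning. The enclosing method begins and ends outside the hunk.
```php
// … unchanged: condition on ocsp_stapling / letsencrypt …
$sslsettings .= "\t" . 'ssl_stapling on;' . "\n";
$sslsettings .= "\t" . 'ssl_stapling_verify on;' . "\n";
// verification needs the issuer chain; the leaf certificate alone cannot validate the OCSP response
$trusted_file = !empty($domain_or_ip['ssl_cert_chainfile'])
    ? $domain_or_ip['ssl_cert_chainfile']
    : $domain_or_ip['ssl_cert_file'];
$sslsettings .= "\t" . 'ssl_trusted_certificate ' . makeCorrectFile($trusted_file) . ';' . "\n";
```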