add OCSP stapling support for apache2 and nginx
This commit is contained in:
Daniel Reichelt
@@ -79,6 +79,18 @@ return array(
|
||||
'default' => '',
|
||||
'save_method' => 'storeSettingField'
|
||||
),
|
||||
'system_apache24_ocsp_cache_path' => array(
|
||||
'label' => $lng['serversettings']['ssl']['apache24_ocsp_cache_path'],
|
||||
'settinggroup' => 'system',
|
||||
'varname' => 'apache24_ocsp_cache_path',
|
||||
'type' => 'string',
|
||||
'string_type' => 'string',
|
||||
'string_emptyallowed' => false,
|
||||
'default' => '',
|
||||
'visible' => Settings::Get('system.webserver') == "apache2" &&
|
||||
Settings::Get('system.apache24') == 1,
|
||||
'save_method' => 'storeSettingField'
|
||||
),
|
||||
'system_leenabled' => array(
|
||||
'label' => $lng['serversettings']['leenabled'],
|
||||
'settinggroup' => 'system',
|
||||
|
||||
@@ -595,6 +595,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
|
||||
$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = isset($_POST['ocsp_stapling']) && (int)$_POST['ocsp_stapling'] == 1 ? 1 : 0;
|
||||
|
||||
} else {
|
||||
$ssl_redirect = 0;
|
||||
$letsencrypt = 0;
|
||||
@@ -606,6 +609,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_maxage = 0;
|
||||
$hsts_sub = 0;
|
||||
$hsts_preload = 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = 0;
|
||||
}
|
||||
} else {
|
||||
$ssl_redirect = 0;
|
||||
@@ -618,6 +624,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_maxage = 0;
|
||||
$hsts_sub = 0;
|
||||
$hsts_preload = 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = 0;
|
||||
}
|
||||
|
||||
// We can't enable let's encrypt for wildcard - domains
|
||||
@@ -789,7 +798,8 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
'letsencrypt' => $letsencrypt,
|
||||
'hsts_maxage' => $hsts_maxage,
|
||||
'hsts_sub' => $hsts_sub,
|
||||
'hsts_preload' => $hsts_preload
|
||||
'hsts_preload' => $hsts_preload,
|
||||
'ocsp_stapling' => $ocsp_stapling,
|
||||
);
|
||||
|
||||
$security_questions = array(
|
||||
@@ -841,7 +851,8 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
'letsencrypt' => $letsencrypt,
|
||||
'hsts' => $hsts_maxage,
|
||||
'hsts_sub' => $hsts_sub,
|
||||
'hsts_preload' => $hsts_preload
|
||||
'hsts_preload' => $hsts_preload,
|
||||
'ocsp_stapling' => $ocsp_stapling,
|
||||
);
|
||||
|
||||
$ins_stmt = Database::prepare("
|
||||
@@ -878,7 +889,8 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
`letsencrypt` = :letsencrypt,
|
||||
`hsts` = :hsts,
|
||||
`hsts_sub` = :hsts_sub,
|
||||
`hsts_preload` = :hsts_preload
|
||||
`hsts_preload` = :hsts_preload,
|
||||
`ocsp_stapling` = :ocsp_stapling
|
||||
");
|
||||
Database::pexecute($ins_stmt, $ins_data);
|
||||
$domainid = Database::lastInsertId();
|
||||
@@ -1421,6 +1433,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
|
||||
$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = isset($_POST['ocsp_stapling']) && (int)$_POST['ocsp_stapling'] == 1 ? 1 : 0;
|
||||
|
||||
$ssl_ipandports = array();
|
||||
if (isset($_POST['ssl_ipandport']) && ! is_array($_POST['ssl_ipandport'])) {
|
||||
$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
|
||||
@@ -1458,6 +1473,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_maxage = 0;
|
||||
$hsts_sub = 0;
|
||||
$hsts_preload = 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = 0;
|
||||
}
|
||||
} else {
|
||||
$ssl_redirect = 0;
|
||||
@@ -1470,6 +1488,9 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$hsts_maxage = 0;
|
||||
$hsts_sub = 0;
|
||||
$hsts_preload = 0;
|
||||
|
||||
// OCSP stapling
|
||||
$ocsp_stapling = 0;
|
||||
}
|
||||
|
||||
// We can't enable let's encrypt for wildcard domains
|
||||
@@ -1615,7 +1636,8 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
'letsencrypt' => $letsencrypt,
|
||||
'hsts_maxage' => $hsts_maxage,
|
||||
'hsts_sub' => $hsts_sub,
|
||||
'hsts_preload' => $hsts_preload
|
||||
'hsts_preload' => $hsts_preload,
|
||||
'ocsp_stapling' => $ocsp_stapling,
|
||||
);
|
||||
|
||||
$security_questions = array(
|
||||
@@ -1634,7 +1656,27 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$wwwserveralias = ($serveraliasoption == '1') ? '1' : '0';
|
||||
$iswildcarddomain = ($serveraliasoption == '0') ? '1' : '0';
|
||||
|
||||
if ($documentroot != $result['documentroot'] || $ssl_redirect != $result['ssl_redirect'] || $wwwserveralias != $result['wwwserveralias'] || $iswildcarddomain != $result['iswildcarddomain'] || $phpenabled != $result['phpenabled'] || $openbasedir != $result['openbasedir'] || $phpsettingid != $result['phpsettingid'] || $mod_fcgid_starter != $result['mod_fcgid_starter'] || $mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] || $specialsettings != $result['specialsettings'] || $aliasdomain != $result['aliasdomain'] || $issubof != $result['ismainbutsubto'] || $email_only != $result['email_only'] || ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') || $letsencrypt != $result['letsencrypt'] || $hsts_maxage != $result['hsts'] || $hsts_sub != $result['hsts_sub'] || $hsts_preload != $result['hsts_preload']) {
|
||||
if (
|
||||
$documentroot != $result['documentroot'] ||
|
||||
$ssl_redirect != $result['ssl_redirect'] ||
|
||||
$wwwserveralias != $result['wwwserveralias'] ||
|
||||
$iswildcarddomain != $result['iswildcarddomain'] ||
|
||||
$phpenabled != $result['phpenabled'] ||
|
||||
$openbasedir != $result['openbasedir'] ||
|
||||
$phpsettingid != $result['phpsettingid'] ||
|
||||
$mod_fcgid_starter != $result['mod_fcgid_starter'] ||
|
||||
$mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] ||
|
||||
$specialsettings != $result['specialsettings'] ||
|
||||
$aliasdomain != $result['aliasdomain'] ||
|
||||
$issubof != $result['ismainbutsubto'] ||
|
||||
$email_only != $result['email_only'] ||
|
||||
($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
|
||||
$letsencrypt != $result['letsencrypt'] ||
|
||||
$hsts_maxage != $result['hsts'] ||
|
||||
$hsts_sub != $result['hsts_sub'] ||
|
||||
$hsts_preload != $result['hsts_preload'] ||
|
||||
$ocsp_stapling != $result['ocsp_stapling']
|
||||
) {
|
||||
inserttask('1');
|
||||
}
|
||||
|
||||
@@ -1789,6 +1831,7 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
$update_data['hsts'] = $hsts_maxage;
|
||||
$update_data['hsts_sub'] = $hsts_sub;
|
||||
$update_data['hsts_preload'] = $hsts_preload;
|
||||
$update_data['ocsp_stapling'] = $ocsp_stapling;
|
||||
$update_data['id'] = $id;
|
||||
|
||||
$update_stmt = Database::prepare("
|
||||
@@ -1820,7 +1863,8 @@ if ($page == 'domains' || $page == 'overview') {
|
||||
`letsencrypt` = :letsencrypt,
|
||||
`hsts` = :hsts,
|
||||
`hsts_sub` = :hsts_sub,
|
||||
`hsts_preload` = :hsts_preload
|
||||
`hsts_preload` = :hsts_preload,
|
||||
`ocsp_stapling` = :ocsp_stapling
|
||||
WHERE `id` = :id
|
||||
");
|
||||
Database::pexecute($update_stmt, $update_data);
|
||||
|
||||
@@ -257,6 +257,7 @@ CREATE TABLE `panel_domains` (
|
||||
`hsts` varchar(10) NOT NULL default '0',
|
||||
`hsts_sub` tinyint(1) NOT NULL default '0',
|
||||
`hsts_preload` tinyint(1) NOT NULL default '0',
|
||||
`ocsp_stapling` tinyint(1) DEFAULT '0',
|
||||
PRIMARY KEY (`id`),
|
||||
KEY `customerid` (`customerid`),
|
||||
KEY `parentdomain` (`parentdomainid`),
|
||||
@@ -503,6 +504,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
|
||||
('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
|
||||
('system', 'phpreload_command', ''),
|
||||
('system', 'apache24', '0'),
|
||||
('system', 'apache24_ocsp_cache_path', 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)'),
|
||||
('system', 'documentroot_use_default_value', '0'),
|
||||
('system', 'passwordcryptfunc', '3'),
|
||||
('system', 'axfrservers', ''),
|
||||
@@ -582,7 +584,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
|
||||
('panel', 'password_special_char', '!?<>§$%+#=@'),
|
||||
('panel', 'customer_hide_options', ''),
|
||||
('panel', 'version', '0.9.38.7'),
|
||||
('panel', 'db_version', '201612110');
|
||||
('panel', 'db_version', '201704100');
|
||||
|
||||
|
||||
DROP TABLE IF EXISTS `panel_tasks`;
|
||||
|
||||
@@ -3593,3 +3593,17 @@ if (isFroxlorVersion('0.9.38.6')) {
|
||||
showUpdateStep("Updating from 0.9.38.6 to 0.9.38.7", false);
|
||||
updateToVersion('0.9.38.7');
|
||||
}
|
||||
|
||||
if (isDatabaseVersion('201612110')) {
|
||||
|
||||
showUpdateStep("Adding field for OCSP stapling");
|
||||
Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS .
|
||||
"` ADD `ocsp_stapling` TINYINT(1) NOT NULL DEFAULT '0';");
|
||||
lastStepStatus(0);
|
||||
|
||||
showUpdateStep("Adding default setting for Apache 2.4 OCSP cache path");
|
||||
Settings::AddNew('system.apache24_ocsp_cache_path', 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)');
|
||||
lastStepStatus(0);
|
||||
|
||||
updateToDbVersion('201704100');
|
||||
}
|
||||
|
||||
@@ -33,7 +33,8 @@ class WebserverBase {
|
||||
`c`.`documentroot` AS `customerroot`, `c`.`deactivated`,
|
||||
`c`.`phpenabled` AS `phpenabled_customer`,
|
||||
`d`.`phpenabled` AS `phpenabled_vhost`,
|
||||
`d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests`
|
||||
`d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests`,
|
||||
`d`.`ocsp_stapling`
|
||||
FROM `".TABLE_PANEL_DOMAINS."` `d`
|
||||
|
||||
LEFT JOIN `".TABLE_PANEL_CUSTOMERS."` `c` USING(`customerid`)
|
||||
|
||||
@@ -213,7 +213,24 @@ return array(
|
||||
)
|
||||
),
|
||||
'value' => array()
|
||||
)
|
||||
),
|
||||
'ocsp_stapling' => array(
|
||||
'visible' => ($ssl_ipsandports != '' ? true : false) &&
|
||||
Settings::Get('system.webserver') != 'lighttpd',
|
||||
'label' => $lng['admin']['domain_ocsp_stapling']['title'],
|
||||
'desc' => $lng['admin']['domain_ocsp_stapling']['description'] .
|
||||
(Settings::Get('system.webserver') == 'nginx' ?
|
||||
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] :
|
||||
""),
|
||||
'type' => 'checkbox',
|
||||
'values' => array(
|
||||
array (
|
||||
'label' => $lng['panel']['yes'],
|
||||
'value' => '1'
|
||||
)
|
||||
),
|
||||
'value' => array()
|
||||
),
|
||||
)
|
||||
),
|
||||
'section_c' => array(
|
||||
|
||||
@@ -251,7 +251,26 @@ return array(
|
||||
'value' => array(
|
||||
$result['hsts_preload']
|
||||
)
|
||||
)
|
||||
),
|
||||
'ocsp_stapling' => array(
|
||||
'visible' => ($ssl_ipsandports != '' ? true : false) &&
|
||||
Settings::Get('system.webserver') != 'lighttpd',
|
||||
'label' => $lng['admin']['domain_ocsp_stapling']['title'],
|
||||
'desc' => $lng['admin']['domain_ocsp_stapling']['description'] .
|
||||
(Settings::Get('system.webserver') == 'nginx' ?
|
||||
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] :
|
||||
""),
|
||||
'type' => 'checkbox',
|
||||
'values' => array(
|
||||
array (
|
||||
'label' => $lng['panel']['yes'],
|
||||
'value' => '1'
|
||||
)
|
||||
),
|
||||
'value' => array(
|
||||
$result['ocsp_stapling']
|
||||
)
|
||||
),
|
||||
)
|
||||
),
|
||||
'section_c' => array(
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
$version = '0.9.38.7';
|
||||
|
||||
// Database version (YYYYMMDDC where C is a daily counter)
|
||||
$dbversion = '201612110';
|
||||
$dbversion = '201704100';
|
||||
|
||||
// Distribution branding-tag (used for Debian etc.)
|
||||
$branding = '';
|
||||
|
||||
@@ -2067,3 +2067,10 @@ $lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
|
||||
$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
|
||||
|
||||
$lng['error']['noipportgiven'] = 'No IP/port given';
|
||||
|
||||
// Added in froxlor 0.9.38.8
|
||||
$lng['admin']['domain_ocsp_stapling']['title'] = 'OCSP stapling';
|
||||
$lng['admin']['domain_ocsp_stapling']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/OCSP_stapling">Wikipedia</a> for a detailed explanation of OCSP stapling';
|
||||
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] = '<br /><strong class="red">WARNING:</strong> Nginx version 1.3.7 or above is required for OCSP stapling. If your version is older, the webserver will NOT start correctly while OCSP stapling is enabled!';
|
||||
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4: path to the OCSP stapling cache';
|
||||
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';
|
||||
|
||||
@@ -1718,3 +1718,10 @@ $lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstüt
|
||||
$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
|
||||
|
||||
$lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';
|
||||
|
||||
// Added in froxlor 0.9.38.8
|
||||
$lng['admin']['domain_ocsp_stapling']['title'] = 'OCSP stapling';
|
||||
$lng['admin']['domain_ocsp_stapling']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Online_Certificate_Status_Protocol_stapling">Wikipedia</a> für eine ausführliche Beschreibung von OCSP-Stapling';
|
||||
$lng['admin']['domain_ocsp_stapling']['nginx_version_warning'] = '<br /><strong class="red">WARNUNG:</strong> Nginx unterstützt OCSP-Stapling erst ab Version 1.3.7. Wenn Ihre Version älter ist, wird der Webserver bei aktiviertem OCSP-Stapling NICHT korrekt starten.';
|
||||
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['title'] = 'Apache 2.4: Pfad zum OCSP-Stapling-Cache';
|
||||
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,<br />die an TLS-Handshakes angehängt werden.';
|
||||
|
||||
@@ -107,6 +107,17 @@ class apache extends HttpConfigBase
|
||||
}
|
||||
$this->virtualhosts_data[$vhosts_filename] .= ' </Directory>' . "\n";
|
||||
}
|
||||
|
||||
$ocsp_cache_filename = makeCorrectFile($vhosts_folder . '/03_froxlor_ocsp_cache.conf');
|
||||
if (Settings::Get('system.use_ssl') == '1' && Settings::Get('system.apache24') == 1) {
|
||||
$this->virtualhosts_data[$ocsp_cache_filename] = 'SSLStaplingCache ' .
|
||||
Settings::Get('system.apache24_ocsp_cache_path') . "\n";
|
||||
} else {
|
||||
if (file_exists($ocsp_cache_filename)) {
|
||||
$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'apache::_createStandardDirectoryEntry: unlinking ' . basename($ocsp_cache_filename));
|
||||
unlink(makeCorrectFile($ocsp_cache_filename));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -504,7 +515,7 @@ class apache extends HttpConfigBase
|
||||
// This vHost has PHP enabled and we are using the regular mod_php
|
||||
$cmail = getCustomerDetail($domain['customerid'], 'email');
|
||||
$php_options_text .= ' php_admin_value sendmail_path "/usr/sbin/sendmail -t -f '.$cmail.'"' . PHP_EOL;
|
||||
|
||||
|
||||
if ($domain['openbasedir'] == '1') {
|
||||
if ($domain['openbasedir_path'] == '1' || strstr($domain['documentroot'], ":") !== false) {
|
||||
$_phpappendopenbasedir = appendOpenBasedirPath($domain['customerroot'], true);
|
||||
@@ -878,6 +889,12 @@ class apache extends HttpConfigBase
|
||||
$vhost_content .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
|
||||
}
|
||||
|
||||
if (Settings::Get('system.apache24') == '1' && isset($domain['ocsp_stapling']) &&
|
||||
$domain['ocsp_stapling'] == '1')
|
||||
{
|
||||
$vhost_content .= ' SSLUseStapling on' . PHP_EOL;
|
||||
}
|
||||
|
||||
if ($domain['hsts'] >= 0) {
|
||||
$vhost_content .= ' <IfModule mod_headers.c>' . "\n";
|
||||
$vhost_content .= ' Header always set Strict-Transport-Security "max-age=' . $domain['hsts'];
|
||||
|
||||
@@ -634,6 +634,14 @@ class nginx extends HttpConfigBase
|
||||
}
|
||||
$sslsettings .= '";' . "\n";
|
||||
}
|
||||
|
||||
if ((isset($domain_or_ip['ocsp_stapling']) && $domain_or_ip['ocsp_stapling'] == "1") ||
|
||||
(isset($domain_or_ip['letsencrypt']) && $domain_or_ip['letsencrypt'] == "1") ) {
|
||||
$sslsettings .= "\t" . 'ssl_stapling on;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_stapling_verify on;' . "\n";
|
||||
$sslsettings .= "\t" . 'ssl_trusted_certificate ' .
|
||||
makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user