Depending on the data present, the LE cronscript may cause multiple
entries per domain in domain_ssl_settings.
This is due to $updcert_stmt interfering with the outer loop
while ($certrow = $stmt->fetch()): PDO's DB cursor sees rows newly created
by $updcert_stmt within the loop. As a consequence this also leads to
superfluous CSRs, thus increasing the certificate limit counter on the LE
side.
Solution: manifest the result of @$certificates_stmt@ on the PHP side in
its entirety prior to entering the outer loop.
This reverts commit 319668d384, reversing
changes made to aa592c7369.
Conflicts:
install/froxlor.sql
install/updates/froxlor/0.9/update_0.9.inc.php
lib/version.inc.php
trusty.xml: All files in conf.d get automatically included, causing the location to be out of place, and nginx fails to start
cron_tasks.inc.http.30.nginx.php: Location directives should be included in a host; nginx doesn't have the concept of global location directives in the way apache does
Reworked the initial implementation by hpmewes (https://github.com/Froxlor/Froxlor/pull/233) with
- bugfixes all over
- added support for apache and lighttpd also
- added an update sequence (instead of only modifying froxlor.sql)
- added english language variables
- added missing parts in admin_vhostsettings.php
- added parameter replacements as available since PR 244
PHP scripts
Although the implemented directory protection posed a prompt when
accessing http://...com/protectedir/,
it was still possible to call http://...com/protectedir/script.php.
This vulnerability emerges from the precedence order of "location"
statements. The RegEx matching the PHP script is triggered before the
directory protection is evaluated. As a result, the PHP script is
interpreted and path parsing stops due to the circumflex (see
http://nginx.org/en/docs/http/ngx_http_core_module.html#location).
The fix involves adding a PHP parsing snippet to every protected
block. In order to avoid repeating the PHP-related config params, the
required section is referenced using a prefix.
The problem occurs if a Vhost is assigned multiple different auth names
in Froxlor. Each block is then added repeatedly, leading to an
unparseable configuration.
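Both nginx issues above, the regex PHP location winning over the prefix protection and repeated blocks making the file unparseable, as an added example in the shape of a small config renderer. This is not Froxlor's cron_tasks.inc.http.30.nginx.php; the use of a separate FastCGI snippet file, the paths, the realm names and the htpasswd locations are assumptions:

```php
<?php
// Added example, not Froxlor's cron_tasks.inc.http.30.nginx.php: render nginx
// directory-protection blocks so that PHP scripts below the protected path
// stay behind auth_basic, and emit each block once per vhost. The separate
// FastCGI snippet file, the paths and the realm names are assumptions.
declare(strict_types=1);

/**
 * Vulnerable shape: a plain prefix location. nginx remembers the longest
 * matching prefix but still evaluates regex locations, so a server-wide
 * "location ~ \.php$" wins for /protectedir/script.php and the script runs
 * without auth_basic ever being applied.
 */
function vulnerableBlock(array $dir): string
{
    return "location {$dir['path']} {\n"
         . "    auth_basic \"{$dir['authname']}\";\n"
         . "    auth_basic_user_file {$dir['htpasswd']};\n"
         . "}\n";
}

/**
 * Fixed shape: "^~" stops the location search at this prefix, so no outer
 * regex location can take over, and the nested PHP location inherits
 * auth_basic from its parent. The FastCGI parameters live in one snippet
 * file that every protected block includes instead of repeating them.
 */
function protectedBlock(array $dir, string $phpSnippet): string
{
    return "location ^~ {$dir['path']} {\n"
         . "    auth_basic \"{$dir['authname']}\";\n"
         . "    auth_basic_user_file {$dir['htpasswd']};\n"
         . "    location ~ \\.php$ {\n"
         . "        include {$phpSnippet};\n"
         . "    }\n"
         . "}\n";
}

/**
 * Protection section of one vhost. nginx rejects a configuration that
 * declares the same location twice in one server block ("duplicate
 * location"), so a path that appears more than once, whatever its auth
 * name, is rendered only once; the first entry wins.
 */
function vhostProtection(array $dirs, string $phpSnippet): string
{
    $seen = [];
    $out = '';
    foreach ($dirs as $dir) {
        $key = rtrim($dir['path'], '/') . '/';   // normalise so /x and /x/ collide
        if (isset($seen[$key])) {
            continue;
        }
        $seen[$key] = true;
        $out .= protectedBlock(['path' => $key] + $dir, $phpSnippet);
    }
    return $out;
}

// constructed sample: two protected directories, one of them listed twice
// under different auth names
$sample = [
    ['path' => '/protectedir/', 'authname' => 'Staff only', 'htpasswd' => '/etc/nginx/htpasswd/customer1/protectedir'],
    ['path' => '/protectedir',  'authname' => 'Members',    'htpasswd' => '/etc/nginx/htpasswd/customer1/members'],
    ['path' => '/stats/',       'authname' => 'Statistics', 'htpasswd' => '/etc/nginx/htpasswd/customer1/stats'],
];
echo vhostProtection($sample, '/etc/nginx/snippets/froxlor-php.conf');
```

After generating a file this way, `nginx -t` is the check to run before reloading: it reports both a duplicate location and a missing snippet file without touching the running server.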
cron_tasks/bind: refactor zone creation
DNS records for subdomains managed as main domains (i.e. have
ismainbutsubto>1) get written to separate zone files for each subdomain.
This does not play well with hidden-master setups, where a querying DNS
server would only request a transfer of the topmost parent zone and ignore
SOA records therein to initiate the potentially required transfers of
subzones.
This patch changes how zonefiles are created, so that DNS records of
"ismainbutsubto>1"-domains end up within the zone of the topmost parent
domain. Obviously this relies on correctly set ismainbutsubto-fields of
all subdomains managed as main domain in Froxlor.
Refactoring summary:
- Previously _generateDomainConfig() would be called for each customer
domain, handle writing the zone file and accumulate the bind config
data.
Now writing the zone files is decoupled and both _generateDomainConfig()
and generateZone() get called from the main loop over the customer
domains.
- The main loop over customer domains only considers
"ismainbutsubto==0"-domains, children are handled via recursion within
walkDomainList() according to the previously collected relations of
direct children.
- The recursion accumulates the zone data, storing it in $_bind_conf_file
(which is now a private member) until it gets written to a zone file.
The resulting structure is written to the debugHandler.
-- For "ismainbutsubto==0"-domains, generateZone() returns a SOA record
and further applicable records as usual.
-- For "ismainbutsubto>0"-domains, generateZone() returns a "$ORIGIN
$domain"-line and further applicable records as usual. This now excludes
NS records, since they're no longer required.
- The boolean parameter $froxlorhost=true to _generateDomainConfig() and
generateZone() was replaced by the additional field
$hostname_arr['froxlorhost']
This patch adds isemaildomain==1 as an additional condition for the
creation of mx/imap/smtp/pop3/spf-txt records for a domain.
For the hostname entry, this depends on the system setting
dns_createmailentry.
The bind cronjob always creates www A/AAAA records, regardless of a
domain's iswildcarddomain or wwwserveralias settings.
With this patch www records only get created if "www alias" is selected
for a domain, i.e. iswildcarddomain is disabled and wwwserveralias is
enabled.
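The zone-creation walk from the refactoring summary above, together with the isemaildomain and www-alias conditions from the two follow-up patches, as one added example. This is not Froxlor's cron_tasks/bind code: the field names follow the commit messages, but the domain rows, IPs, SOA values and the name server are constructed, and the froxlorhost handling is left out:

```php
<?php
// Added example, not Froxlor's cron_tasks/bind code: write one zone per
// top-level domain and fold the records of subdomains that are managed as
// main domains (ismainbutsubto > 0) into their topmost parent's zone, so a
// hidden-master secondary gets everything with a single transfer. Field names
// follow the commit messages; rows, IPs and SOA values are constructed.
declare(strict_types=1);

/** Constructed sample rows (a subset of the columns the cron job reads). */
const SAMPLE_DOMAINS = [
    ['id' => 1, 'domain' => 'example.com',         'ismainbutsubto' => 0, 'ip' => '192.0.2.10',
     'iswildcarddomain' => 0, 'wwwserveralias' => 1, 'isemaildomain' => 1],
    ['id' => 2, 'domain' => 'shop.example.com',    'ismainbutsubto' => 1, 'ip' => '192.0.2.11',
     'iswildcarddomain' => 1, 'wwwserveralias' => 1, 'isemaildomain' => 0],
    ['id' => 3, 'domain' => 'eu.shop.example.com', 'ismainbutsubto' => 2, 'ip' => '192.0.2.12',
     'iswildcarddomain' => 0, 'wwwserveralias' => 0, 'isemaildomain' => 1],
    ['id' => 4, 'domain' => 'example.net',         'ismainbutsubto' => 0, 'ip' => '192.0.2.20',
     'iswildcarddomain' => 0, 'wwwserveralias' => 1, 'isemaildomain' => 0],
];

/**
 * Records for one domain. The zone apex (ismainbutsubto == 0) gets SOA and
 * NS; a child only gets an $ORIGIN line, so it stays inside the parent zone
 * instead of being delegated.
 */
function generateZone(array $d, bool $apex): string
{
    $name = $d['domain'] . '.';
    $out = "\$ORIGIN {$name}\n";
    if ($apex) {
        $out .= "\$TTL 3600\n"
              . "@ IN SOA ns1.{$name} hostmaster.{$name} ( 2016010101 7200 3600 1209600 3600 )\n"
              . "@ IN NS ns1.{$name}\n";
    }
    $out .= "@ IN A {$d['ip']}\n";
    // www only when "www alias" is selected: wildcard off, alias on
    if ($d['iswildcarddomain'] == 0 && $d['wwwserveralias'] == 1) {
        $out .= "www IN A {$d['ip']}\n";
    } elseif ($d['iswildcarddomain'] == 1) {
        $out .= "* IN A {$d['ip']}\n";
    }
    // mail records only for domains that actually handle mail
    if ($d['isemaildomain'] == 1) {
        $out .= "@ IN MX 10 mail.{$name}\n"
              . "mail IN A {$d['ip']}\n";
    }
    return $out;
}

/** Depth-first walk over the direct-children relation, accumulating zone text. */
function walkDomainList(array $d, array $children, bool $apex = true): string
{
    $zone = generateZone($d, $apex);
    foreach ($children[$d['id']] ?? [] as $child) {
        $zone .= walkDomainList($child, $children, false);
    }
    return $zone;
}

/**
 * Collect the parent => children relation once, then walk only the
 * ismainbutsubto == 0 domains; every other domain is reached through its
 * parent. A child whose parent id does not exist is simply never emitted,
 * which is the "relies on correctly set ismainbutsubto" caveat in practice.
 *
 * @return array<string,string> zone file contents keyed by apex domain
 */
function buildZones(array $domains): array
{
    $children = [];
    foreach ($domains as $d) {
        if ($d['ismainbutsubto'] > 0) {
            $children[$d['ismainbutsubto']][] = $d;
        }
    }
    $zones = [];
    foreach ($domains as $d) {
        if ($d['ismainbutsubto'] == 0) {
            $zones[$d['domain']] = walkDomainList($d, $children);
        }
    }
    return $zones;
}

foreach (buildZones(SAMPLE_DOMAINS) as $apex => $zone) {
    echo "; zone file for {$apex}\n{$zone}\n";
}
```

With the sample rows this yields two zones: example.com carries its own records plus $ORIGIN sections for shop.example.com and eu.shop.example.com (wildcard for the former, MX for the latter, no NS for either), and example.net gets www but no mail records. Running the output through `named-checkzone example.com <file>` is the quick way to confirm the nested $ORIGIN blocks load as one zone.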