set version to 0.9.38.5 for upcoming release

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>

README.md

@@ -11,8 +11,8 @@ Developed by experienced server administrators, this panel simplifies the effort
 3. Point your browser to http://[ip-of-webserver]/froxlor
 4. Follow the installer
 5. Login as administrator
-6. Adjust "Server > Settings" according to your needs
-7. Choose your distribution under "Server > Configuration"
+6. Adjust "System > Settings" according to your needs
+7. Choose your distribution under "System > Configuration"
 8. Follow the steps for your services
 9. Have fun!
 

actions/admin/settings/100.panel.php

@@ -234,6 +234,7 @@ return array(
 					'type' => 'option',
 					'default' => '',
 					'option_mode' => 'multiple',
+					'option_emptyallowed' => true,
 					'option_options' => array(
 						'email'                       => $lng['menue']['email']['email'],
 						'mysql'                       => $lng['menue']['mysql']['mysql'],

actions/admin/settings/122.froxlorvhost.php

@@ -39,7 +39,7 @@ return array(
 					'varname' => 'le_froxlor_enabled',
 					'type' => 'bool',
 					'default' => false,
-					'save_method' => 'storeSettingField',
+					'save_method' => 'storeSettingClearCertificates',
 					'visible' => Settings::Get('system.leenabled')
 				),
 				'system_le_froxlor_redirect' => array(
@@ -49,7 +49,36 @@ return array(
 					'type' => 'bool',
 					'default' => false,
 					'save_method' => 'storeSettingField',
-					'visible' => Settings::Get('system.leenabled')
+					'visible' => Settings::Get('system.use_ssl')
+				),
+				'system_hsts_maxage' => array(
+					'label' => $lng['admin']['domain_hsts_maxage'],
+					'settinggroup' => 'system',
+					'varname' => 'hsts_maxage',
+					'type' => 'int',
+					'int_min' => 0,
+					'int_max' => 94608000, // 3-years
+					'default' => 0,
+					'save_method' => 'storeSettingField',
+					'visible' => Settings::Get('system.use_ssl')
+				),
+				'system_hsts_incsub' => array(
+					'label' => $lng['admin']['domain_hsts_incsub'],
+					'settinggroup' => 'system',
+					'varname' => 'hsts_incsub',
+					'type' => 'bool',
+					'default' => false,
+					'save_method' => 'storeSettingField',
+					'visible' => Settings::Get('system.use_ssl')
+				),
+				'system_hsts_preload' => array(
+					'label' => $lng['admin']['domain_hsts_preload'],
+					'settinggroup' => 'system',
+					'varname' => 'hsts_preload',
+					'type' => 'bool',
+					'default' => false,
+					'save_method' => 'storeSettingField',
+					'visible' => Settings::Get('system.use_ssl')
 				),
 				/**
 				 * FCGID

actions/admin/settings/130.webserver.php

@@ -179,6 +179,17 @@ return array(
 						'nginx'
 					)
 				),
+				'system_nginx_http2_support' => array(
+					'label' => $lng['serversettings']['nginx_http2_support'],
+					'settinggroup' => 'system',
+					'varname' => 'nginx_http2_support',
+					'type' => 'bool',
+					'default' => false,
+					'save_method' => 'storeSettingField',
+					'websrv_avail' => array(
+						'nginx'
+					)
+				),
 				'system_nginx_php_backend' => array(
 					'label' => $lng['serversettings']['nginx_php_backend'],
 					'settinggroup' => 'system',
@@ -260,11 +271,7 @@ return array(
 					'varname' => 'enabled',
 					'type' => 'bool',
 					'default' => false,
-					'save_method' => 'storeSettingField',
-					'websrv_avail' => array(
-						'apache2',
-						'lighttpd'
-					)
+					'save_method' => 'storeSettingField'
 				),
 				'customredirect_default' => array(
 					'label' => $lng['serversettings']['customredirect_default'],
@@ -274,11 +281,7 @@ return array(
 					'default' => '1',
 					'option_mode' => 'one',
 					'option_options_method' => 'getRedirectCodes',
-					'save_method' => 'storeSettingField',
-					'websrv_avail' => array(
-						'apache2',
-						'lighttpd'
-					)
+					'save_method' => 'storeSettingField'
 				)
 			)
 		)

actions/admin/settings/131.ssl.php

@@ -153,33 +153,7 @@ return array(
 					'type' => 'bool',
 					'default' => false,
 					'save_method' => 'storeSettingField'
-				),
-				'system_hsts_maxage' => array(
-					'label' => $lng['admin']['domain_hsts_maxage'],
-					'settinggroup' => 'system',
-					'varname' => 'hsts_maxage',
-					'type' => 'int',
-					'int_min' => 0,
-					'int_max' => 94608000, // 3-years
-					'default' => 0,
-					'save_method' => 'storeSettingField'
-				),
-				'system_hsts_incsub' => array(
-					'label' => $lng['admin']['domain_hsts_incsub'],
-					'settinggroup' => 'system',
-					'varname' => 'hsts_incsub',
-					'type' => 'bool',
-					'default' => false,
-					'save_method' => 'storeSettingField'
-				),
-				'system_hsts_preload' => array(
-					'label' => $lng['admin']['domain_hsts_preload'],
-					'settinggroup' => 'system',
-					'varname' => 'hsts_preload',
-					'type' => 'bool',
-					'default' => false,
-					'save_method' => 'storeSettingField'
-				),
+				)
 			)
 		)
 	)

admin_configfiles.php

@@ -30,6 +30,19 @@ if ($userinfo['change_serversettings'] == '1') {
 		$customer_tmpdir = Settings::Get('phpfpm.tmpdir');
 	}
 
+	// try to convert namserver hosts to ip's
+	$ns_ips = "";
+	if (Settings::Get('system.nameservers') != '') {
+		$nameservers = explode(',', Settings::Get('system.nameservers'));
+		foreach ($nameservers as $nameserver) {
+			$nameserver = trim($nameserver);
+			$nameserver_ips = gethostbynamel($nameserver);
+			if (is_array($nameserver_ips) && count($nameserver_ips) > 0) {
+				$ns_ips .= implode(",", $nameserver_ips);
+			}
+		}
+	}
+
 	$replace_arr = Array(
 		'<SQL_UNPRIVILEGED_USER>' => $sql['user'],
 		'<SQL_UNPRIVILEGED_PASSWORD>' => 'MYSQL_PASSWORD',
@@ -39,6 +52,8 @@ if ($userinfo['change_serversettings'] == '1') {
 		'<SERVERNAME>' => Settings::Get('system.hostname'),
 		'<SERVERIP>' => Settings::Get('system.ipaddress'),
 		'<NAMESERVERS>' => Settings::Get('system.nameservers'),
+		'<NAMESERVERS_IP>' => $ns_ips,
+		'<AXFRSERVERS>' => Settings::Get('system.axfrservers'),
 		'<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'),
 		'<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'),
 		'<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'),

admin_domains.php

@@ -210,6 +210,8 @@ if ($page == 'domains' || $page == 'overview') {
 					'id' => $id
 				));
 
+				$deleted_domains = $del_stmt->rowCount();
+
 				$upd_stmt = Database::prepare("
 					UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET
 					`subdomains_used` = `subdomains_used` - :domaincount
@@ -453,6 +455,7 @@ if ($page == 'domains' || $page == 'overview') {
 
 				if ($userinfo['caneditphpsettings'] == '1' || $userinfo['change_serversettings'] == '1') {
 
+                                        $phpenabled  = isset($POST_['phpenabled']) ? intval($_POST['phpenabled']) : 0;
 					$openbasedir = isset($_POST['openbasedir']) ? intval($_POST['openbasedir']) : 0;
 
 					if ((int) Settings::Get('system.mod_fcgid') == 1 || (int) Settings::Get('phpfpm.enabled') == 1) {
@@ -493,7 +496,9 @@ if ($page == 'domains' || $page == 'overview') {
 					}
 				} else {
 
+                                        $phpenabled = '1';
 					$openbasedir = '1';
+
 					if ((int) Settings::Get('phpfpm.enabled') == 1) {
 						$phpsettingid = Settings::Get('phpfpm.defaultini');
 					} else {
@@ -689,6 +694,10 @@ if ($page == 'domains' || $page == 'overview') {
 					standard_error('noipportgiven');
 				}
 				
+				if($phpenabled != '1') {
+					$phpenabled = '0';
+				}
+
 				if ($openbasedir != '1') {
 					$openbasedir = '0';
 				}
@@ -768,6 +777,7 @@ if ($page == 'domains' || $page == 'overview') {
 						'ipandport' => serialize($ipandports),
 						'ssl_redirect' => $ssl_redirect,
 						'ssl_ipandport' => serialize($ssl_ipandports),
+						'phpenabled' => $phpenabled,
 						'openbasedir' => $openbasedir,
 						'phpsettingid' => $phpsettingid,
 						'mod_fcgid_starter' => $mod_fcgid_starter,
@@ -777,7 +787,7 @@ if ($page == 'domains' || $page == 'overview') {
 						'termination_date' => $termination_date,
 						'issubof' => $issubof,
 						'letsencrypt' => $letsencrypt,
-						'hsts' => $hsts_maxage,
+						'hsts_maxage' => $hsts_maxage,
 						'hsts_sub' => $hsts_sub,
 						'hsts_preload' => $hsts_preload
 					);
@@ -816,6 +826,7 @@ if ($page == 'domains' || $page == 'overview') {
 						'email_only' => $email_only,
 						'subcanemaildomain' => $subcanemaildomain,
 						'caneditdomain' => $caneditdomain,
+						'phpenabled' => $phpenabled,
 						'openbasedir' => $openbasedir,
 						'speciallogfile' => $speciallogfile,
 						'specialsettings' => $specialsettings,
@@ -852,6 +863,7 @@ if ($page == 'domains' || $page == 'overview') {
 						`email_only` = :email_only,
 						`subcanemaildomain` = :subcanemaildomain,
 						`caneditdomain` = :caneditdomain,
+						`phpenabled` = :phpenabled,
 						`openbasedir` = :openbasedir,
 						`speciallogfile` = :speciallogfile,
 						`specialsettings` = :specialsettings,
@@ -1081,8 +1093,12 @@ if ($page == 'domains' || $page == 'overview') {
 	} elseif ($action == 'edit' && $id != 0) {
 
 		$result_stmt = Database::prepare("
-			SELECT `d`.*, `c`.`customerid` FROM `" . TABLE_PANEL_DOMAINS . "` `d` LEFT JOIN `" . TABLE_PANEL_CUSTOMERS . "` `c` USING(`customerid`)
-			WHERE `d`.`parentdomainid` = '0' AND `d`.`id` = :id" . ($userinfo['customers_see_all'] ? '' : " AND `d`.`adminid` = :adminid"));
+			SELECT `d`.*, `c`.`customerid`
+			FROM `" . TABLE_PANEL_DOMAINS . "` `d`
+			LEFT JOIN `" . TABLE_PANEL_CUSTOMERS . "` `c` USING(`customerid`)
+			WHERE `d`.`parentdomainid` = '0'
+			AND `d`.`id` = :id" . ($userinfo['customers_see_all'] ? '' : " AND `d`.`adminid` = :adminid")
+		);
 		$params = array(
 			'id' => $id
 		);
@@ -1227,7 +1243,7 @@ if ($page == 'domains' || $page == 'overview') {
 					$adminid = $result['adminid'];
 				}
 
-				$aliasdomain = intval($_POST['alias']);
+				$aliasdomain = isset($_POST['alias']) ? intval($_POST['alias']) : 0;
 				$issubof = intval($_POST['issubof']);
 				$subcanemaildomain = intval($_POST['subcanemaildomain']);
 				$caneditdomain = isset($_POST['caneditdomain']) ? intval($_POST['caneditdomain']) : 0;
@@ -1322,6 +1338,7 @@ if ($page == 'domains' || $page == 'overview') {
 
 				if ($userinfo['caneditphpsettings'] == '1' || $userinfo['change_serversettings'] == '1') {
 
+					$phpenabled  = isset($_POST['phpenabled']) ? intval($_POST['phpenabled']) : 0;
 					$openbasedir = isset($_POST['openbasedir']) ? intval($_POST['openbasedir']) : 0;
 
 					if ((int) Settings::Get('system.mod_fcgid') == 1 || (int) Settings::Get('phpfpm.enabled') == 1) {
@@ -1356,6 +1373,7 @@ if ($page == 'domains' || $page == 'overview') {
 						$mod_fcgid_maxrequests = $result['mod_fcgid_maxrequests'];
 					}
 				} else {
+					$phpenabled = $result['phpenabled'];
 					$openbasedir = $result['openbasedir'];
 					$phpsettingid = $result['phpsettingid'];
 					$mod_fcgid_starter = $result['mod_fcgid_starter'];
@@ -1398,6 +1416,11 @@ if ($page == 'domains' || $page == 'overview') {
 						$letsencrypt = (int) $_POST['letsencrypt'];
 					}
 
+					// HSTS
+					$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
+					$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
+					$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
+
 					$ssl_ipandports = array();
 					if (isset($_POST['ssl_ipandport']) && ! is_array($_POST['ssl_ipandport'])) {
 						$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
@@ -1424,11 +1447,6 @@ if ($page == 'domains' || $page == 'overview') {
 							}
 						}
 
-						// HSTS
-						$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
-						$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
-						$hsts_preload = isset($_POST['hsts_preload']) && (int)$_POST['hsts_preload'] == 1 ? 1 : 0;
-
 					} else {
 						$ssl_redirect = 0;
 						$letsencrypt = 0;
@@ -1468,6 +1486,10 @@ if ($page == 'domains' || $page == 'overview') {
 					$documentroot = makeCorrectDir($documentroot);
 				}
 				
+				if ($phpenabled != '1') {
+					$phpenabled = '0';
+				}
+
 				if ($openbasedir != '1') {
 					$openbasedir = '0';
 				}
@@ -1576,6 +1598,7 @@ if ($page == 'domains' || $page == 'overview') {
 					'dkim' => $dkim,
 					'selectserveralias' => $serveraliasoption,
 					'ssl_redirect' => $ssl_redirect,
+					'phpenabled' => $phpenabled,
 					'openbasedir' => $openbasedir,
 					'phpsettingid' => $phpsettingid,
 					'mod_fcgid_starter' => $mod_fcgid_starter,
@@ -1590,7 +1613,7 @@ if ($page == 'domains' || $page == 'overview') {
 					'ipandport' => serialize($ipandports),
 					'ssl_ipandport' => serialize($ssl_ipandports),
 					'letsencrypt' => $letsencrypt,
-					'hsts' => $hsts_maxage,
+					'hsts_maxage' => $hsts_maxage,
 					'hsts_sub' => $hsts_sub,
 					'hsts_preload' => $hsts_preload
 				);
@@ -1611,7 +1634,7 @@ if ($page == 'domains' || $page == 'overview') {
 				$wwwserveralias = ($serveraliasoption == '1') ? '1' : '0';
 				$iswildcarddomain = ($serveraliasoption == '0') ? '1' : '0';
 
-				if ($documentroot != $result['documentroot'] || $ssl_redirect != $result['ssl_redirect'] || $wwwserveralias != $result['wwwserveralias'] || $iswildcarddomain != $result['iswildcarddomain'] || $openbasedir != $result['openbasedir'] || $phpsettingid != $result['phpsettingid'] || $mod_fcgid_starter != $result['mod_fcgid_starter'] || $mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] || $specialsettings != $result['specialsettings'] || $aliasdomain != $result['aliasdomain'] || $issubof != $result['ismainbutsubto'] || $email_only != $result['email_only'] || ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') || $letsencrypt != $result['letsencrypt']) {
+				if ($documentroot != $result['documentroot'] || $ssl_redirect != $result['ssl_redirect'] || $wwwserveralias != $result['wwwserveralias'] || $iswildcarddomain != $result['iswildcarddomain'] || $phpenabled != $result['phpenabled'] || $openbasedir != $result['openbasedir'] || $phpsettingid != $result['phpsettingid'] || $mod_fcgid_starter != $result['mod_fcgid_starter'] || $mod_fcgid_maxrequests != $result['mod_fcgid_maxrequests'] || $specialsettings != $result['specialsettings'] || $aliasdomain != $result['aliasdomain'] || $issubof != $result['ismainbutsubto'] || $email_only != $result['email_only'] || ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') || $letsencrypt != $result['letsencrypt'] || $hsts_maxage != $result['hsts'] || $hsts_sub != $result['hsts_sub'] || $hsts_preload != $result['hsts_preload']) {
 					inserttask('1');
 				}
 
@@ -1640,6 +1663,16 @@ if ($page == 'domains' || $page == 'overview') {
 					$log->logAction(ADM_ACTION, LOG_NOTICE, "deleted domain #" . $id . " from mail-tables");
 				}
 
+				// check whether LE has been disabled, so we remove the certificate
+				if ($letsencrypt == '0' && $result['letsencrypt'] == '1')  {
+					$del_stmt = Database::prepare("
+						DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = :id
+					");
+					Database::pexecute($del_stmt, array(
+						'id' => $id
+					));
+				}
+
 				$updatechildren = '';
 
 				if ($subcanemaildomain == '0' && $result['subcanemaildomain'] != '0') {
@@ -1742,6 +1775,7 @@ if ($page == 'domains' || $page == 'overview') {
 				$update_data['zonefile'] = $zonefile;
 				$update_data['wwwserveralias'] = $wwwserveralias;
 				$update_data['iswildcarddomain'] = $iswildcarddomain;
+				$update_data['phpenabled'] = $phpenabled;
 				$update_data['openbasedir'] = $openbasedir;
 				$update_data['speciallogfile'] = $speciallogfile;
 				$update_data['phpsettingid'] = $phpsettingid;
@@ -1773,6 +1807,7 @@ if ($page == 'domains' || $page == 'overview') {
 					`zonefile` = :zonefile,
 					`wwwserveralias` = :wwwserveralias,
 					`iswildcarddomain` = :iswildcarddomain,
+					`phpenabled` = :phpenabled,
 					`openbasedir` = :openbasedir,
 					`speciallogfile` = :speciallogfile,
 					`phpsettingid` = :phpsettingid,
@@ -1792,6 +1827,7 @@ if ($page == 'domains' || $page == 'overview') {
 
 				$_update_data['customerid'] = $customerid;
 				$_update_data['adminid'] = $adminid;
+				$_update_data['phpenabled'] = $phpenabled;
 				$_update_data['openbasedir'] = $openbasedir;
 				$_update_data['phpsettingid'] = $phpsettingid;
 				$_update_data['mod_fcgid_starter'] = $mod_fcgid_starter;
@@ -1810,6 +1846,7 @@ if ($page == 'domains' || $page == 'overview') {
 					UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
 					`customerid` = :customerid,
 					`adminid` = :adminid,
+					`phpenabled` = :phpenabled,
 					`openbasedir` = :openbasedir,
 					`phpsettingid` = :phpsettingid,
 					`mod_fcgid_starter` = :mod_fcgid_starter,

customer_domains.php

@@ -517,7 +517,12 @@ if ($page == 'overview') {
 
 				// check if we at least have one ssl-ip/port, #1179
 				$ssl_ipsandports = '';
-				$ssl_ip_stmt = Database::prepare("SELECT COUNT(*) as countSSL FROM `panel_ipsandports` WHERE `ssl`='1'");
+				$ssl_ip_stmt = Database::prepare("
+					SELECT COUNT(*) as countSSL
+					FROM `".TABLE_PANEL_IPSANDPORTS."` pip
+					LEFT JOIN `".TABLE_DOMAINTOIP."` dti ON dti.id_ipandports = pip.id
+					WHERE pip.`ssl`='1'
+				");
 				Database::pexecute($ssl_ip_stmt);
 				$resultX = $ssl_ip_stmt->fetch(PDO::FETCH_ASSOC);
 				if (isset($resultX['countSSL']) && (int)$resultX['countSSL'] > 0) {
@@ -578,7 +583,7 @@ if ($page == 'overview') {
 					$_doredirect = true;
 				}
 
-				$aliasdomain = intval($_POST['alias']);
+				$aliasdomain = isset($_POST['alias']) ? intval($_POST['alias']) : 0;
 
 				if (isset($_POST['selectserveralias'])) {
 					$iswildcarddomain = ($_POST['selectserveralias'] == '0') ? '1' : '0';
@@ -681,7 +686,11 @@ if ($page == 'overview') {
 						|| $aliasdomain != $result['aliasdomain']
 						|| $openbasedir_path != $result['openbasedir_path']
 						|| $ssl_redirect != $result['ssl_redirect']
-						|| $letsencrypt != $result['letsencrypt']) {
+						|| $letsencrypt != $result['letsencrypt']
+						|| $hsts_maxage != $result['hsts']
+						|| $hsts_sub != $result['hsts_sub']
+						|| $hsts_preload != $result['hsts_preload']
+					) {
 						$log->logAction(USR_ACTION, LOG_INFO, "edited domain '" . $idna_convert->decode($result['domain']) . "'");
 
 						$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
@@ -720,12 +729,21 @@ if ($page == 'overview') {
 							// trigger when domain id for alias destination has changed: both for old and new destination
 							triggerLetsEncryptCSRForAliasDestinationDomain($result['aliasdomain'], $log);
 							triggerLetsEncryptCSRForAliasDestinationDomain($aliasdomain, $log);
-						} else
-							if ($result['wwwserveralias'] != $wwwserveralias || $result['letsencrypt'] != $letsencrypt) {
+						} elseif ($result['wwwserveralias'] != $wwwserveralias || $result['letsencrypt'] != $letsencrypt) {
 							// or when wwwserveralias or letsencrypt was changed
 							triggerLetsEncryptCSRForAliasDestinationDomain($aliasdomain, $log);
 						}
 
+						// check whether LE has been disabled, so we remove the certificate
+						if ($letsencrypt == '0' && $result['letsencrypt'] == '1')  {
+							$del_stmt = Database::prepare("
+								DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = :id
+							");
+							Database::pexecute($del_stmt, array(
+								'id' => $id
+							));
+						}
+
 						inserttask('1');
 
 						// Using nameserver, insert a task which rebuilds the server config
@@ -784,8 +802,13 @@ if ($page == 'overview') {
 
 				// check if we at least have one ssl-ip/port, #1179
 				$ssl_ipsandports = '';
-				$ssl_ip_stmt = Database::prepare("SELECT COUNT(*) as countSSL FROM `panel_ipsandports` WHERE `ssl`='1'");
-				Database::pexecute($ssl_ip_stmt);
+				$ssl_ip_stmt = Database::prepare("
+					SELECT COUNT(*) as countSSL
+					FROM `".TABLE_PANEL_IPSANDPORTS."` pip
+					LEFT JOIN `".TABLE_DOMAINTOIP."` dti ON dti.id_ipandports = pip.id
+					WHERE `dti`.`id_domain` = :id_domain AND pip.`ssl`='1'
+				");
+				Database::pexecute($ssl_ip_stmt, array("id_domain" => $result['id']));
 				$resultX = $ssl_ip_stmt->fetch(PDO::FETCH_ASSOC);
 				if (isset($resultX['countSSL']) && (int)$resultX['countSSL'] > 0) {
 					$ssl_ipsandports = 'notempty';

install/froxlor.sql

@@ -195,8 +195,9 @@ CREATE TABLE `panel_customers` (
   `theme` varchar(255) NOT NULL default 'Sparkle',
   `custom_notes` text,
   `custom_notes_show` tinyint(1) NOT NULL default '0',
-  `lepublickey` mediumtext DEFAULT NULL,
-  `leprivatekey` mediumtext DEFAULT NULL,
+  `lepublickey` mediumtext default NULL,
+  `leprivatekey` mediumtext default NULL,
+  `leregistered` tinyint(1) NOT NULL default '0',
    PRIMARY KEY  (`customerid`),
    UNIQUE KEY `loginname` (`loginname`)
 ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;
@@ -237,6 +238,7 @@ CREATE TABLE `panel_domains` (
   `dkim_pubkey` text,
   `wwwserveralias` tinyint(1) NOT NULL default '1',
   `parentdomainid` int(11) NOT NULL default '0',
+  `phpenabled` tinyint(1) NOT NULL default '0',
   `openbasedir` tinyint(1) NOT NULL default '0',
   `openbasedir_path` tinyint(1) NOT NULL default '0',
   `speciallogfile` tinyint(1) NOT NULL default '0',
@@ -280,7 +282,8 @@ CREATE TABLE `panel_ipsandports` (
   `default_vhostconf_domain` text,
   `ssl_cert_chainfile` varchar(255) NOT NULL,
   `docroot` varchar(255) NOT NULL default '',
-  PRIMARY KEY  (`id`)
+  PRIMARY KEY  (`id`),
+  UNIQUE KEY `ip_port` (`ip`,`port`)
 ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;
 
 
@@ -496,6 +499,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('system', 'ssl_cert_chainfile', ''),
 	('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
 	('system', 'nginx_php_backend', '127.0.0.1:8888'),
+	('system', 'nginx_http2_support', '0'),
 	('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
 	('system', 'phpreload_command', ''),
 	('system', 'apache24', '0'),
@@ -543,8 +547,9 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('system', 'mail_smtp_user', ''),
 	('system', 'mail_smtp_passwd', ''),
 	('system', 'hsts_maxage', '0'),
-	('system', 'hsts_sub', '0'),
+	('system', 'hsts_incsub', '0'),
 	('system', 'hsts_preload', '0'),
+	('system', 'leregistered', '0'),
 	('panel', 'decimal_places', '4'),
 	('panel', 'adminmail', 'admin@SERVERNAME'),
 	('panel', 'phpmyadmin_url', ''),
@@ -575,8 +580,9 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('panel', 'password_numeric', '0'),
 	('panel', 'password_special_char_required', '0'),
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
-	('panel', 'version', '0.9.38-rc1'),
-	('panel', 'db_version', '201610070');
+	('panel', 'customer_hide_options', ''),
+	('panel', 'version', '0.9.38.5'),
+	('panel', 'db_version', '201612110');
 
 
 DROP TABLE IF EXISTS `panel_tasks`;

install/lib/class.FroxlorInstall.php

@@ -177,10 +177,14 @@ class FroxlorInstall
 		}
 
 		// check system-hostname to be a FQDN
-		if ($this->_validate_ip($this->_data['servername'], true) !== false) {
+		if ($this->_validate_ip($this->_data['servername']) !== false) {
 			$this->_data['servername'] = '';
 		}
 
+		if (empty($this->_data['serverip'] || $this->_validate_ip($this->_data['serverip']) == false)) {
+			return false;
+		}
+
 		if (isset($_POST['installstep']) && $_POST['installstep'] == '1' && $this->_data['admin_pass1'] == $this->_data['admin_pass2'] && $this->_data['admin_pass1'] != '' && $this->_data['admin_pass2'] != '' && $this->_data['mysql_unpriv_pass'] != '' && $this->_data['mysql_root_pass'] != '' && $this->_data['servername'] != '' && $this->_data['serverip'] != '' && $this->_data['httpuser'] != '' && $this->_data['httpgroup'] != '' && $this->_data['mysql_unpriv_user'] != $this->_data['mysql_root_user']) {
 			return true;
 		}
@@ -781,7 +785,7 @@ class FroxlorInstall
 		}
 		$formdata .= $this->_getSectionItemString('servername', true, $style);
 		// serverip
-		if (! empty($_POST['installstep']) && $this->_data['serverip'] == '') {
+		if (! empty($_POST['installstep']) && ($this->_data['serverip'] == '' || $this->_validate_ip($this->_data['serverip']) == false)) {
 			$style = 'color:red;';
 		} else {
 			$style = '';

install/templates/dataitemchk.tpl

@@ -1,4 +1,4 @@
 <p>
 	<label for="{$fieldname}" class="install-block {$style}">{$this->_lng['install']['webserver']} {$fieldlabel}:</label>
-	<input type="radio" name="webserver" id="{$fieldname}" value="{$fieldname}" {$checked} /><span>{$fieldlabel}<span>
+	<input type="radio" name="webserver" id="{$fieldname}" value="{$fieldname}" {$checked} /><span>{$fieldlabel}</span>
 </p>

install/updates/froxlor/0.9/update_0.9.inc.php

@@ -3507,3 +3507,75 @@ if (isFroxlorVersion('0.9.37')) {
 	showUpdateStep("Updating from 0.9.37 to 0.9.38-rc1", false);
 	updateToVersion('0.9.38-rc1');
 }
+
+if (isFroxlorVersion('0.9.38-rc1')) {
+
+	showUpdateStep("Updating from 0.9.38-rc1 to 0.9.38-rc2", false);
+	updateToVersion('0.9.38-rc2');
+}
+
+if (isFroxlorVersion('0.9.38-rc2')) {
+
+	showUpdateStep("Updating from 0.9.38-rc2 to 0.9.38 final", false);
+	updateToVersion('0.9.38');
+}
+
+if (isDatabaseVersion('201610070')) {
+
+	showUpdateStep("Add Nginx http2 setting");
+	Settings::AddNew("system.nginx_http2_support", 0);
+	lastStepStatus(0);
+
+	updateToDbVersion('201611180');
+}
+
+if (isFroxlorVersion('0.9.38')) {
+
+	showUpdateStep("Updating from 0.9.38 to 0.9.38.1", false);
+	updateToVersion('0.9.38.1');
+}
+
+if (isFroxlorVersion('0.9.38.1')) {
+
+	showUpdateStep("Updating from 0.9.38.1 to 0.9.38.2", false);
+	updateToVersion('0.9.38.2');
+}
+
+if (isFroxlorVersion('0.9.38.2')) {
+
+	showUpdateStep("Updating from 0.9.38.2 to 0.9.38.3", false);
+	updateToVersion('0.9.38.3');
+}
+
+if (isFroxlorVersion('0.9.38.3')) {
+
+	showUpdateStep("Updating from 0.9.38.3 to 0.9.38.4", false);
+	updateToVersion('0.9.38.4');
+}
+
+if (isDatabaseVersion('201611180')) {
+
+	showUpdateStep("Updating database table definition for panel_domains");
+	Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `phpenabled` tinyint(1) NOT NULL default '1' AFTER `parentdomainid`;");
+	lastStepStatus(0);
+
+	showUpdateStep("Adding field for let's-encrypt registration status");
+	Database::query("ALTER TABLE `".TABLE_PANEL_CUSTOMERS."` add `leregistered` TINYINT(1) NOT NULL DEFAULT 0;");
+	lastStepStatus(0);
+
+	showUpdateStep("Adding system setting for let's-encrypt registration status");
+	Settings::AddNew('system.leregistered', '0');
+	lastStepStatus(0);
+
+  showUpdateStep("Adding unique key to ipsandports table");
+	Database::query("ALTER TABLE `" . TABLE_PANEL_IPSANDPORTS . "` ADD UNIQUE KEY `ip_port` (`ip`,`port`)");
+	lastStepStatus(0);
+
+	updateToDbVersion('201612110');
+}
+
+if (isFroxlorVersion('0.9.38.4')) {
+
+	showUpdateStep("Updating from 0.9.38.4 to 0.9.38.5", false);
+	updateToVersion('0.9.38.5');
+}

lib/classes/phpinterface/class.phpinterface_fcgid.php

@@ -135,15 +135,6 @@ class phpinterface_fcgid {
 			$openbasedir .= appendOpenBasedirPath($this->getTempDir());
 			$openbasedir .= $_phpappendopenbasedir;
 
-			$openbasedir = explode(':', $openbasedir);
-			$clean_openbasedir = array();
-			foreach ($openbasedir as $number => $path) {
-				if (trim($path) != '/') {
-					$clean_openbasedir[] = makeCorrectDir($path);
-				}
-			}
-			$openbasedir = implode(':', $clean_openbasedir);
-
 		} else {
 			$openbasedir = 'none';
 			$openbasedirc = ';';

lib/classes/phpinterface/class.phpinterface_fpm.php

@@ -267,15 +267,6 @@ class phpinterface_fpm {
 
 					$openbasedir .= appendOpenBasedirPath($this->getTempDir());
 					$openbasedir .= $_phpappendopenbasedir;
-
-					$openbasedir = explode(':', $openbasedir);
-					$clean_openbasedir = array();
-					foreach ($openbasedir as $number => $path) {
-						if (trim($path) != '/') {
-							$clean_openbasedir[] = makeCorrectDir($path);
-						}
-					}
-					$openbasedir = implode(':', $clean_openbasedir);
 				}
 			}
 			$fpm_config.= 'php_admin_value[session.save_path] = ' . makeCorrectDir(Settings::Get('phpfpm.tmpdir') . '/' . $this->_domain['loginname'] . '/') . "\n";

lib/classes/phpmailer/class.PHPMailer.php

@@ -31,7 +31,7 @@ class PHPMailer
 	 * The PHPMailer Version number.
 	 * @var string
 	 */
-    public $Version = '5.2.16';
+	public $Version = '5.2.21';
 
 	/**
 	 * Email priority.
@@ -201,6 +201,9 @@ class PHPMailer
 	/**
 	 * An ID to be used in the Message-ID header.
 	 * If empty, a unique id will be generated.
+	 * You can set your own, but it must be in the format "<id@domain>",
+	 * as defined in RFC5322 section 3.6.4 or it will be ignored.
+	 * @see https://tools.ietf.org/html/rfc5322#section-3.6.4
 	 * @var string
 	 */
 	public $MessageID = '';
@@ -420,6 +423,13 @@ class PHPMailer
 	 */
 	public $DKIM_private = '';
 
+	/**
+	 * DKIM private key string.
+	 * If set, takes precedence over `$DKIM_private`.
+	 * @var string
+	 */
+	public $DKIM_private_string = '';
+
 	/**
 	 * Callback Action function name.
 	 *
@@ -681,16 +691,16 @@ class PHPMailer
 		} else {
 			$subject = $this->encodeHeader($this->secureHeader($subject));
 		}
-        //Can't use additional_parameters in safe_mode
+
+		//Can't use additional_parameters in safe_mode, calling mail() with null params breaks
 		//@link http://php.net/manual/en/function.mail.php
-        if (ini_get('safe_mode') or !$this->UseSendmailOptions) {
+		if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
 			$result = @mail($to, $subject, $body, $header);
 		} else {
 			$result = @mail($to, $subject, $body, $header, $params);
 		}
 		return $result;
 	}
-
 	/**
 	 * Output debugging info via user-defined method.
 	 * Only generates output if SMTP debug output is enabled (@see SMTP::$do_debug).
@@ -1284,9 +1294,11 @@ class PHPMailer
 
 			// Sign with DKIM if enabled
 			if (!empty($this->DKIM_domain)
-                && !empty($this->DKIM_private)
 				&& !empty($this->DKIM_selector)
-                && file_exists($this->DKIM_private)) {
+				&& (!empty($this->DKIM_private_string)
+					|| (!empty($this->DKIM_private) && file_exists($this->DKIM_private))
+					)
+				) {
 					$header_dkim = $this->DKIM_Add(
 						$this->MIMEHeader . $this->mailHeader,
 						$this->encodeHeader($this->secureHeader($this->Subject)),
@@ -1352,19 +1364,24 @@ class PHPMailer
 	 */
 	protected function sendmailSend($header, $body)
 	{
-        if ($this->Sender != '') {
+		// CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+		if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
 			if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+				$sendmailFmt = '%s -f%s';
 			} else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+				$sendmailFmt = '%s -oi -f%s -t';
 			}
 		} else {
 			if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+				$sendmailFmt = '%s';
 			} else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+				$sendmailFmt = '%s -oi -t';
 			}
 		}
+
+		// TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+		$sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
 		if ($this->SingleTo) {
 			foreach ($this->SingleToArray as $toAddr) {
 				if (!@$mail = popen($sendmail, 'w')) {
@@ -1410,6 +1427,40 @@ class PHPMailer
 		return true;
 	}
 
+	/**
+	 * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+	 *
+	 * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+	 * @param string $string The string to be validated
+	 * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+	 * @access protected
+	 * @return boolean
+	 */
+	protected static function isShellSafe($string)
+	{
+		// Future-proof
+		if (escapeshellcmd($string) !== $string
+			or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+			) {
+				return false;
+			}
+
+			$length = strlen($string);
+
+			for ($i = 0; $i < $length; $i++) {
+				$c = $string[$i];
+
+				// All other characters have a special meaning in at least one common shell, including = and +.
+				// Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+				// Note that this does permit non-Latin alphanumeric characters based on the current locale.
+				if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+					return false;
+				}
+			}
+
+			return true;
+	}
+
 	/**
 	 * Send mail using the PHP mail() function.
 	 * @param string $header The message headers
@@ -1429,10 +1480,13 @@ class PHPMailer
 
 		$params = null;
 		//This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
-        if (!empty($this->Sender)) {
+		if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+			// CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+			if (self::isShellSafe($this->Sender)) {
 				$params = sprintf('-f%s', $this->Sender);
 			}
-        if ($this->Sender != '' and !ini_get('safe_mode')) {
+		}
+		if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
 			$old_from = ini_get('sendmail_from');
 			ini_set('sendmail_from', $this->Sender);
 		}
@@ -1486,10 +1540,10 @@ class PHPMailer
 		if (!$this->smtpConnect($this->SMTPOptions)) {
 			throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
 		}
-        if ('' == $this->Sender) {
-            $smtp_from = $this->From;
-        } else {
+		if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
 			$smtp_from = $this->Sender;
+		} else {
+			$smtp_from = $this->From;
 		}
 		if (!$this->smtp->mail($smtp_from)) {
 			$this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
@@ -1681,6 +1735,19 @@ class PHPMailer
 	 */
 	public function setLanguage($langcode = 'en', $lang_path = '')
 	{
+		// Backwards compatibility for renamed language codes
+		$renamed_langcodes = array(
+			'br' => 'pt_br',
+			'cz' => 'cs',
+			'dk' => 'da',
+			'no' => 'nb',
+			'se' => 'sv',
+		);
+
+		if (isset($renamed_langcodes[$langcode])) {
+			$langcode = $renamed_langcodes[$langcode];
+		}
+
 		// Define full set of translatable strings in English
 		$PHPMAILER_LANG = array(
 			'authenticate' => 'SMTP Error: Could not authenticate.',
@@ -1707,6 +1774,10 @@ class PHPMailer
 			// Calculate an absolute path so it can work if CWD is not here
 			$lang_path = dirname(__FILE__). DIRECTORY_SEPARATOR . 'language'. DIRECTORY_SEPARATOR;
 		}
+		//Validate $langcode
+		if (!preg_match('/^[a-z]{2}(?:_[a-zA-Z]{2})?$/', $langcode)) {
+			$langcode = 'en';
+		}
 		$foundlang = true;
 		$lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
 		// There is no English translation file
@@ -2000,6 +2071,8 @@ class PHPMailer
 				$result .= $this->headerLine('Subject', $this->encodeHeader($this->secureHeader($this->Subject)));
 			}
 
+			// Only allow a custom message ID if it conforms to RFC 5322 section 3.6.4
+			// https://tools.ietf.org/html/rfc5322#section-3.6.4
 			if ('' != $this->MessageID and preg_match('/^<.*@.*>$/', $this->MessageID)) {
 				$this->lastMessageID = $this->MessageID;
 			} else {
@@ -2105,6 +2178,14 @@ class PHPMailer
 		return rtrim($this->MIMEHeader . $this->mailHeader, "\n\r") . self::CRLF . self::CRLF . $this->MIMEBody;
 	}
 
+	/**
+	 * Create unique ID
+	 * @return string
+	 */
+	protected function generateId() {
+		return md5(uniqid(time()));
+	}
+
 	/**
 	 * Assemble the message body.
 	 * Returns an empty string on failure.
@@ -2116,7 +2197,7 @@ class PHPMailer
 	{
 		$body = '';
 		//Create unique IDs and preset boundaries
-        $this->uniqueid = md5(uniqid(time()));
+		$this->uniqueid = $this->generateId();
 		$this->boundary[1] = 'b1_' . $this->uniqueid;
 		$this->boundary[2] = 'b2_' . $this->uniqueid;
 		$this->boundary[3] = 'b3_' . $this->uniqueid;
@@ -3296,16 +3377,18 @@ class PHPMailer
 	}
 
 	/**
-     * Create a message from an HTML string.
-     * Automatically makes modifications for inline images and backgrounds
-     * and creates a plain-text version by converting the HTML.
-     * Overwrites any existing values in $this->Body and $this->AltBody
+	 * Create a message body from an HTML string.
+	 * Automatically inlines images and creates a plain-text version by converting the HTML,
+	 * overwriting any existing values in Body and AltBody.
+	 * $basedir is used when handling relative image paths, e.g. <img src="images/a.png">
+	 * will look for an image file in $basedir/images/a.png and convert it to inline.
+	 * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
 	 * @access public
 	 * @param string $message HTML message string
-     * @param string $basedir baseline directory for path
+	 * @param string $basedir base directory for relative paths to images
 	 * @param boolean|callable $advanced Whether to use the internal HTML to text converter
 	 *    or your own custom converter @see PHPMailer::html2text()
-     * @return string $message
+	 * @return string $message The transformed message Body
 	 */
 	public function msgHTML($message, $basedir = '', $advanced = false)
 	{
@@ -3375,7 +3458,7 @@ class PHPMailer
 	 * Convert an HTML string into plain text.
 	 * This is used by msgHTML().
 	 * Note - older versions of this function used a bundled advanced converter
-     * which was been removed for license reasons in #232
+	 * which was been removed for license reasons in #232.
 	 * Example usage:
 	 * <code>
 	 * // Use default conversion
@@ -3675,7 +3758,7 @@ class PHPMailer
 	 * @access public
 	 * @param string $signHeader
 	 * @throws phpmailerException
-     * @return string
+	 * @return string The DKIM signature value
 	 */
 	public function DKIM_Sign($signHeader)
 	{
@@ -3685,16 +3768,34 @@ class PHPMailer
 			}
 			return '';
 		}
-        $privKeyStr = file_get_contents($this->DKIM_private);
-        if ($this->DKIM_passphrase != '') {
+		$privKeyStr = !empty($this->DKIM_private_string) ? $this->DKIM_private_string : file_get_contents($this->DKIM_private);
+		if ('' != $this->DKIM_passphrase) {
 			$privKey = openssl_pkey_get_private($privKeyStr, $this->DKIM_passphrase);
 		} else {
 			$privKey = openssl_pkey_get_private($privKeyStr);
 		}
-        if (openssl_sign($signHeader, $signature, $privKey, 'sha256WithRSAEncryption')) { //sha1WithRSAEncryption
+		//Workaround for missing digest algorithms in old PHP & OpenSSL versions
+		//@link http://stackoverflow.com/a/11117338/333340
+		if (version_compare(PHP_VERSION, '5.3.0') >= 0 and
+			in_array('sha256WithRSAEncryption', openssl_get_md_methods(true))) {
+				if (openssl_sign($signHeader, $signature, $privKey, 'sha256WithRSAEncryption')) {
 					openssl_pkey_free($privKey);
 					return base64_encode($signature);
 				}
+			} else {
+				$pinfo = openssl_pkey_get_details($privKey);
+				$hash = hash('sha256', $signHeader);
+				//'Magic' constant for SHA256 from RFC3447
+				//@link https://tools.ietf.org/html/rfc3447#page-43
+				$t = '3031300d060960864801650304020105000420' . $hash;
+				$pslen = $pinfo['bits'] / 8 - (strlen($t) / 2 + 3);
+				$eb = pack('H*', '0001' . str_repeat('FF', $pslen) . '00' . $t);
+
+				if (openssl_private_encrypt($eb, $signature, $privKey, OPENSSL_NO_PADDING)) {
+					openssl_pkey_free($privKey);
+					return base64_encode($signature);
+				}
+			}
 			openssl_pkey_free($privKey);
 			return '';
 	}

lib/classes/phpmailer/class.SMTP.php

@@ -30,7 +30,7 @@ class SMTP
 	 * The PHPMailer SMTP version number.
 	 * @var string
 	 */
-    const VERSION = '5.2.16';
+	const VERSION = '5.2.21';
 
 	/**
 	 * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
 	 * @deprecated Use the `VERSION` constant instead
 	 * @see SMTP::VERSION
 	 */
-    public $Version = '5.2.16';
+	public $Version = '5.2.21';
 
 	/**
 	 * SMTP server port number.
@@ -150,6 +150,17 @@ class SMTP
 	 */
 	public $Timelimit = 300;
 
+	/**
+	 * @var array patterns to extract smtp transaction id from smtp reply
+	 * Only first capture group will be use, use non-capturing group to deal with it
+	 * Extend this class to override this property to fulfil your needs.
+	 */
+	protected $smtp_transaction_id_patterns = array(
+		'exim' => '/[0-9]{3} OK id=(.*)/',
+		'sendmail' => '/[0-9]{3} 2.0.0 (.*) Message/',
+		'postfix' => '/[0-9]{3} 2.0.0 Ok: queued as (.*)/'
+	);
+
 	/**
 	 * The socket for the server connection.
 	 * @var resource
@@ -206,7 +217,7 @@ class SMTP
 		}
 		//Avoid clash with built-in function names
 		if (!in_array($this->Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this->Debugoutput)) {
-            call_user_func($this->Debugoutput, $str, $this->do_debug);
+			call_user_func($this->Debugoutput, $str, $level);
 			return;
 		}
 		switch ($this->Debugoutput) {
@@ -272,8 +283,8 @@ class SMTP
 		$errstr = '';
 		if ($streamok) {
 			$socket_context = stream_context_create($options);
-            //Suppress errors; connection failures are handled at a higher level
-            $this->smtp_conn = @stream_socket_client(
+			set_error_handler(array($this, 'errorHandler'));
+			$this->smtp_conn = stream_socket_client(
 				$host . ":" . $port,
 				$errno,
 				$errstr,
@@ -281,12 +292,14 @@ class SMTP
 				STREAM_CLIENT_CONNECT,
 				$socket_context
 				);
+			restore_error_handler();
 		} else {
 			//Fall back to fsockopen which should work in more places, but is missing some features
 			$this->edebug(
 				"Connection: stream_socket_client not available, falling back to fsockopen",
 				self::DEBUG_CONNECTION
 				);
+			set_error_handler(array($this, 'errorHandler'));
 			$this->smtp_conn = fsockopen(
 				$host,
 				$port,
@@ -294,6 +307,7 @@ class SMTP
 				$errstr,
 				$timeout
 				);
+			restore_error_handler();
 		}
 		// Verify we connected properly
 		if (!is_resource($this->smtp_conn)) {
@@ -474,7 +488,7 @@ class SMTP
 					$temp = new stdClass;
 					$ntlm_client = new ntlm_sasl_client_class;
 					//Check that functions are available
-                if (!$ntlm_client->Initialize($temp)) {
+					if (!$ntlm_client->initialize($temp)) {
 						$this->setError($temp->error);
 						$this->edebug(
 							'You need to enable some modules in your php.ini file: '
@@ -484,7 +498,7 @@ class SMTP
 						return false;
 					}
 					//msg1
-                $msg1 = $ntlm_client->TypeMsg1($realm, $workstation); //msg1
+					$msg1 = $ntlm_client->typeMsg1($realm, $workstation); //msg1
 
 					if (!$this->sendCommand(
 						'AUTH NTLM',
@@ -503,7 +517,7 @@ class SMTP
 							$password
 							);
 						//msg3
-                $msg3 = $ntlm_client->TypeMsg3(
+						$msg3 = $ntlm_client->typeMsg3(
 							$ntlm_res,
 							$username,
 							$realm,
@@ -1189,4 +1203,47 @@ class SMTP
 	{
 		return $this->Timeout;
 	}
+
+	/**
+	 * Reports an error number and string.
+	 * @param integer $errno The error number returned by PHP.
+	 * @param string $errmsg The error message returned by PHP.
+	 */
+	protected function errorHandler($errno, $errmsg)
+	{
+		$notice = 'Connection: Failed to connect to server.';
+		$this->setError(
+			$notice,
+			$errno,
+			$errmsg
+			);
+		$this->edebug(
+			$notice . ' Error number ' . $errno . '. "Error notice: ' . $errmsg,
+			self::DEBUG_CONNECTION
+			);
+	}
+
+	/**
+	 * Will return the ID of the last smtp transaction based on a list of patterns provided
+	 * in SMTP::$smtp_transaction_id_patterns.
+	 * If no reply has been received yet, it will return null.
+	 * If no pattern has been matched, it will return false.
+	 * @return bool|null|string
+	 */
+	public function getLastTransactionID()
+	{
+		$reply = $this->getLastReply();
+
+		if (empty($reply)) {
+			return null;
+		}
+
+		foreach($this->smtp_transaction_id_patterns as $smtp_transaction_id_pattern) {
+			if(preg_match($smtp_transaction_id_pattern, $reply, $matches)) {
+				return $matches[1];
+			}
+		}
+
+		return false;
+	}
 }

lib/classes/settings/class.Settings.php

@@ -86,6 +86,7 @@ class Settings {
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			self::$_data[$row['settinggroup']][$row['varname']] = $row['value'];
 		}
+		return true;
 	}
 
 	/**
@@ -161,10 +162,16 @@ class Settings {
 			if ($instant_save) {
 				$this->_storeSetting($sstr[0], $sstr[1], $value);
 			} else {
-				if (!is_array(self::$_data[$sstr[0]])) {
+				// set temporary data for usage
+				if (!isset(self::$_data[$sstr[0]]) || !is_array(self::$_data[$sstr[0]])) {
 					self::$_data[$sstr[0]] = array();
 				}
 				self::$_data[$sstr[0]][$sstr[1]] = $value;
+				// set update-data when invoking Flush()
+				if (!isset(self::$_updatedata[$sstr[0]]) || !is_array(self::$_updatedata[$sstr[0]])) {
+					self::$_updatedata[$sstr[0]] = array();
+				}
+				self::$_updatedata[$sstr[0]][$sstr[1]] = $value;
 			}
 			return true;
 		}
@@ -223,8 +230,9 @@ class Settings {
 			// now empty the array
 			self::$_updatedata = array();
 			// re-read in all settings
-			$this->_readSettings();
+			return $this->_readSettings();
 		}
+		return false;
 	}
 
 	/**

lib/classes/ssl/class.lescript.php

@@ -38,6 +38,12 @@ class lescript
 
 	private $accountKey;
 
+	private $customerid;
+
+	private $isFroxlorVhost;
+
+	private $isLeProduction;
+
 	private $version;
 
 	public function __construct($logger, $version = '1')
@@ -57,44 +63,71 @@ class lescript
 	{
 		// Let's see if we have the private accountkey
 		$this->accountKey = $certrow['leprivatekey'];
-		if (! $this->accountKey || $this->accountKey == 'unset' || Settings::Get('system.letsencryptca') != 'production') {
+		$this->customerId = $certrow['customerid'];
+		$this->isFroxlorVhost = $isFroxlorVhost;
+		$this->isLeProduction = (Settings::Get('system.letsencryptca') == 'production');
+
+		$leregistered=$certrow['leregistered'];
+
+		if (! $this->accountKey || $this->accountKey == 'unset' || !$this->isLeProduction) {
 
 			// generate and save new private key for account
 			// ---------------------------------------------
 
-			$this->log('Starting new account registration');
+			$this->log('Creating new account key');
 			$keys = $this->generateKey();
 			// Only store the accountkey in production, in staging always generate a new key
-			if (Settings::Get('system.letsencryptca') == 'production') {
+			if ($this->isLeProduction) {
 				if ($isFroxlorVhost) {
 					Settings::Set('system.lepublickey', $keys['public']);
 					Settings::Set('system.leprivatekey', $keys['private']);
+					Settings::Set('system.leregistered', 0); // key is not registered
 				} else {
-					$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private " . "WHERE `customerid` = :customerid;");
+					$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private, `leregistered` = :registered " . "WHERE `customerid` = :customerid;");
 					Database::pexecute($upd_stmt, array(
 						'public' => $keys['public'],
 						'private' => $keys['private'],
-						'customerid' => $certrow['customerid']
+						'registered' => 0,
+						'customerid' => $this->customerId
 					));
 				}
 			}
+			$leregistered=0;
 			$this->accountKey = $keys['private'];
+		} else {
+			$this->log('Using existing account key');
+		}
 
+		if ($leregistered==0) { // Account not registered
+
+			$this->log('Starting new account registration');
 			$response = $this->postNewReg();
-			if ($this->client->getLastCode() != 201) {
+			if ($this->client->getLastCode() == 409) {
+				$this->log('The key was already registered. Using existing account.');
+			} else if ($this->client->getLastCode() == 201) {
+				$this->log('New account registered.');
+			} else {
 				throw new \RuntimeException("Account not initialized, probably due to rate limiting. Whole response: " . json_encode($response));
 			}
+			$accountUrl=$this->client->getLastLocation();
+
+			$this->log('Accepting lets encrypt Terms of Service');
+
 			$this->license = $this->client->getAgreementURL();
 
-			// Terms of Servce are optional according to ACME specs; if no ToS are presented, no need to update registration
+			// Terms of Service are optional according to ACME specs; if no ToS are presented, no need to update registration
 			if (!empty($this->license)) {
-				$this->postRegAgreement(parse_url($this->client->getLastLocation(), PHP_URL_PATH));
+				$response = $this->postRegAgreement(parse_url($accountUrl, PHP_URL_PATH));
+				if ($this->client->getLastCode() != 202) {
+					throw new \RuntimeException("Terms of Service not accepted. Whole response: " . json_encode($response));
+				}
 			}
-			$this->log('New account certificate registered');
-		} else {
 
-			$this->log('Account already registered. Continuing.');
+			$leregistered=1;
+			$this->setLeRegisteredState($leregistered); // Account registered
+			$this->log('Lets encrypt Terms of Service accepted');
 		}
+
 	}
 
 	/**
@@ -136,11 +169,17 @@ class lescript
 				)
 			));
 
+			if ($this->client->getLastCode() == 403) {
+				$this->log("Got status 403 - setting LE status to unregistered.");
+				$this->setLeRegisteredState(0);
+				throw new RuntimeException("Got 'unauthorized' response - we need to re-register at next run.  Whole response: " . json_encode($response));
+			}
+
 			// if response is not an array but a string, it's most likely a server-error, e.g.
 			// <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.
 			// <p>Reference&#32;&#35;179&#46;d8be1402&#46;1458059103&#46;3613c4db</BODY></HTML>
 			if (! is_array($response)) {
-				throw new RuntimeException("Invalid response from LE for domain $domain. Whole response: " . $response);
+				throw new RuntimeException("Invalid response from LE for domain $domain. Whole response: " . json_encode($response));
 			}
 
 			if (! array_key_exists('challenges', $response)) {
@@ -188,7 +227,7 @@ class lescript
 			$this->log("Token for $domain saved at $tokenPath and should be available at $uri");
 
 			// simple self check
-			$selfcheckContextOptions = array('http' => array('header' => "User Agent: Froxlor/".$this->version));
+			$selfcheckContextOptions = array('http' => array('header' => "User-Agent: Froxlor/".$this->version));
 			$selfcheckContext = stream_context_create($selfcheckContextOptions);
 			if ($payload !== trim(@file_get_contents($uri, false, $selfcheckContext))) {
 				$errmsg = json_encode(error_get_last());
@@ -309,6 +348,21 @@ class lescript
 		);
 	}
 
+	private function setLeRegisteredState($state)
+	{
+		if ($this->isLeProduction) {
+			if ($this->isFroxlorVhost) {
+				Settings::Set('system.leregistered', $state);
+			} else {
+				$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `leregistered` = :registered " . "WHERE `customerid` = :customerid;");
+				Database::pexecute($upd_stmt, array(
+					'registered' => $state,
+					'customerid' => $this->customerId
+				));
+			}
+		}
+	}
+
 	private function parsePemFromBody($body)
 	{
 		$pem = chunk_split(base64_encode($body), 64, "\n");
@@ -537,10 +591,46 @@ class Client
 		return $matches[1];
 	}
 
+	public function getAgreementURLFromLastResponse()
+	{
+		if (preg_match_all('~Link: <(.+)>;rel="terms-of-service"~', $this->lastHeader, $matches)) {
+			return $matches[1][0];
+		}
+		return "";
+	}
+	public function getAgreementURLFromDirectory()
+	{
+		// FIXME: Current license should be found in /directory but LE does not implement this yet
+		// $this->curl('GET', '/directory');
+		return "";
+	}
+	public function getAgreementURLFromTermsUrl()
+	{
+		$this->curl('GET', '/terms');
+		if (preg_match_all('~Location: (.+)~', $this->lastHeader, $matches)) {
+			return trim($matches[1][0]);
+		}
+		return "";
+	}
+
 	public function getAgreementURL()
 	{
-		preg_match_all('~Link: <(.+)>;rel="terms-of-service"~', $this->lastHeader, $matches);
-		return $matches[1][0];
+		// 1. check the header of the last response
+		$license=$this->getAgreementURLFromLastResponse();
+		if (!empty($license)) return $license;
+
+		// 2. query directory for license
+		$license=$this->getAgreementURLFromDirectory();
+		if (!empty($license)) return $license;
+
+		// 3. query /terms endpoint (not ACME standard but implemented by let's enrypt)
+		$license=$this->getAgreementURLFromTermsUrl();
+		if (!empty($license)) return $license;
+
+		// Fallback: use latest known license. This is only valid for let's encrypt and should be removed as soon as there is an official
+		// ACME-endpoint to get the current ToS
+		return "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
+		// return "";
 	}
 
 }

lib/classes/webserver/class.WebserverBase.php

@@ -31,8 +31,9 @@ class WebserverBase {
 		$query = "SELECT `d`.*, `pd`.`domain` AS `parentdomain`, `c`.`loginname`,
 				`d`.`phpsettingid`, `c`.`adminid`, `c`.`guid`, `c`.`email`,
 				`c`.`documentroot` AS `customerroot`, `c`.`deactivated`,
-				`c`.`phpenabled` AS `phpenabled`, `d`.`mod_fcgid_starter`,
-				`d`.`mod_fcgid_maxrequests`
+				`c`.`phpenabled` AS `phpenabled_customer`,
+				`d`.`phpenabled` AS `phpenabled_vhost`,
+				`d`.`mod_fcgid_starter`,`d`.`mod_fcgid_maxrequests`
 				FROM `".TABLE_PANEL_DOMAINS."` `d`
 
 				LEFT JOIN `".TABLE_PANEL_CUSTOMERS."` `c` USING(`customerid`)

lib/configfiles/gentoo.xml

@@ -396,7 +396,8 @@ mail	IN		A	<SERVERIP>
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -938,7 +939,8 @@ gmysql-password=
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.

lib/configfiles/jessie.xml

@@ -380,7 +380,8 @@ exit "$RETVAL"
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -921,7 +922,8 @@ gmysql-password=
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
-# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
@@ -4467,9 +4469,9 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 				<!-- libnss-mysql -->
 				<daemon name="libnss" title="libnss-mysql (required for FCGID/php-fpm/mpm-itk)">
 					<install><![CDATA[apt-get install nscd
-wget http://ftp.us.debian.org/debian/pool/main/libn/libnss-mysql-bg/libnss-mysql-bg_1.5-4_`dpkg --print-architecture`.deb
-dpkg -i libnss-mysql-bg_1.5-4_`dpkg --print-architecture`.deb
-rm libnss-mysql-bg_1.5-4_`dpkg --print-architecture`.deb
+wget http://ftp.us.debian.org/debian/pool/main/libn/libnss-mysql-bg/libnss-mysql-bg_1.5-5_`dpkg --print-architecture`.deb
+dpkg -i libnss-mysql-bg_1.5-5_`dpkg --print-architecture`.deb
+rm libnss-mysql-bg_1.5-5_`dpkg --print-architecture`.deb
 ]]></install>
 					<file name="/etc/libnss-mysql.cfg" chown="root:root" chmod="0600"
 						backup="true">

lib/configfiles/precise.xml

@@ -346,7 +346,8 @@ exit "$RETVAL"
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
 					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
 						<content><![CDATA[
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 allow-recursion=127.0.0.1
 config-dir=/etc/powerdns
 daemon=yes
@@ -407,7 +408,8 @@ include-dir=/etc/powerdns/froxlor/
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf" chown="root:root"
 						chmod="600">
 						<content><![CDATA[
-allow-axfr-ips=<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 #local-ipv6=YOUR_IPv6_(if_any)
 bind-config=<BIND_CONFIG_PATH>named.conf
 bind-check-interval=180

lib/configfiles/trusty.xml

@@ -379,7 +379,8 @@ exit "$RETVAL"
 					<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
 					<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
 						<content><![CDATA[
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 allow-recursion=127.0.0.1
 config-dir=/etc/powerdns
 daemon=yes
@@ -417,7 +418,8 @@ gmysql-password=
 					<install><![CDATA[apt-get install pdns-server]]></install>
 					<file name="/etc/powerdns/pdns.conf" backup="true">
 						<content><![CDATA[
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 allow-recursion=127.0.0.1
 config-dir=/etc/powerdns
 daemon=yes
@@ -441,7 +443,8 @@ include-dir=/etc/powerdns/froxlor/
 					<file name="/etc/powerdns/froxlor/pdns_froxlor.conf" chown="root:root"
 						chmod="600">
 						<content><![CDATA[
-allow-axfr-ips=<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 #local-ipv6=YOUR_IPv6_(if_any)
 bind-config=<BIND_CONFIG_PATH>named.conf
 bind-check-interval=180

lib/configfiles/wheezy.xml

@@ -424,7 +424,8 @@ exit "$RETVAL"
 # allow-axfr-ips    If enabled, restrict zonetransfers to originate from these
 #                   IP addresses
 #
-allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-recursion	List of netmasks that are allowed to recurse
@@ -763,7 +764,8 @@ gmysql-password=
 # allow-axfr-ips    If enabled, restrict zonetransfers to originate from these
 #                   IP addresses
 #
-allow-axfr-ips=<NAMESERVERS>
+allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
+# add these entries to the list if any speficied: <AXFRSERVERS>
 
 #################################
 # allow-recursion	List of netmasks that are allowed to recurse

lib/formfields/admin/domains/formfield.domains_add.php

@@ -14,7 +14,6 @@
  * @package    Formfields
  *
  */
-
 return array(
 	'domain_add' => array(
 		'title' => $lng['admin']['domain_add'],
@@ -27,20 +26,20 @@ return array(
 					'domain' => array(
 						'label' => 'Domain',
 						'type' => 'text',
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'customerid' => array(
 						'label' => $lng['admin']['customer'],
 						'type' => 'select',
 						'select_var' => $customers,
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'adminid' => array(
 						'visible' => ($userinfo['customers_see_all'] == '1' ? true : false),
 						'label' => $lng['admin']['admin'],
 						'type' => 'select',
 						'select_var' => $admins,
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'alias' => array(
 						'label' => $lng['domains']['aliasdomain'],
@@ -58,9 +57,14 @@ return array(
 						'desc' => $lng['admin']['domain_editable']['desc'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
 					),
 					'add_date' => array(
 						'label' => $lng['domains']['add_date'],
@@ -112,7 +116,10 @@ return array(
 						'desc' => $lng['admin']['speciallogfile']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
 					),
@@ -146,7 +153,10 @@ return array(
 						'desc' => $lng['domains']['ssl_redirect']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
 					),
@@ -156,7 +166,10 @@ return array(
 						'desc' => $lng['admin']['letsencrypt']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
 					),
@@ -175,13 +188,16 @@ return array(
 						'int_max' => 94608000, // 3-years
 						'value' => 0
 					),
-					'hsts_incsub' => array(
+					'hsts_sub' => array(
 						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_incsub']['title'],
 						'desc' => $lng['admin']['domain_hsts_incsub']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
 					),
@@ -191,11 +207,14 @@ return array(
 						'desc' => $lng['admin']['domain_hsts_preload']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
-					),
-				),
+					)
+				)
 			),
 			'section_c' => array(
 				'title' => $lng['admin']['phpserversettings'],
@@ -206,9 +225,27 @@ return array(
 						'label' => 'OpenBasedir',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
+					),
+					'phpenabled' => array(
+						'label' => $lng['admin']['phpenabled'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array(
+							'1'
+						)
 					),
 					'phpsettingid' => array(
 						'visible' => (((int) Settings::Get('system.mod_fcgid') == 1 || (int) Settings::Get('phpfpm.enabled') == 1) ? true : false),
@@ -237,9 +274,14 @@ return array(
 						'label' => 'Nameserver',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
 					),
 					'zonefile' => array(
 						'label' => 'Zonefile',
@@ -256,15 +298,23 @@ return array(
 						'label' => $lng['admin']['emaildomain'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
 					),
 					'email_only' => array(
 						'label' => $lng['admin']['email_only'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
 						'value' => array()
 					),
@@ -278,9 +328,14 @@ return array(
 						'label' => 'DomainKeys',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
 					)
 				)
 			)

lib/formfields/admin/domains/formfield.domains_edit.php

@@ -14,7 +14,6 @@
  * @package    Formfields
  *
  */
-
 return array(
 	'domain_edit' => array(
 		'title' => $lng['admin']['domain_edit'],
@@ -28,14 +27,14 @@ return array(
 						'label' => 'Domain',
 						'type' => 'label',
 						'value' => $result['domain'],
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'customerid' => array(
 						'label' => $lng['admin']['customer'],
 						'type' => (Settings::Get('panel.allow_domain_change_customer') == '1' ? 'select' : 'label'),
 						'select_var' => (isset($customers) ? $customers : null),
 						'value' => (isset($result['customername']) ? $result['customername'] : null),
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'adminid' => array(
 						'visible' => ($userinfo['customers_see_all'] == '1' ? true : false),
@@ -43,7 +42,7 @@ return array(
 						'type' => (Settings::Get('panel.allow_domain_change_admin') == '1' ? 'select' : 'label'),
 						'select_var' => (isset($admins) ? $admins : null),
 						'value' => (isset($result['adminname']) ? $result['adminname'] : null),
-						'mandatory' => true,
+						'mandatory' => true
 					),
 					'alias' => array(
 						'visible' => ($alias_check == '0' ? true : false),
@@ -67,9 +66,14 @@ return array(
 						'desc' => $lng['admin']['domain_editable']['desc'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['caneditdomain'])
+						'value' => array(
+							$result['caneditdomain']
+						)
 					),
 					'add_date' => array(
 						'label' => $lng['domains']['add_date'],
@@ -124,9 +128,14 @@ return array(
 						'desc' => $lng['admin']['speciallogfile']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['speciallogfile'])
+						'value' => array(
+							$result['speciallogfile']
+						)
 					),
 					'specialsettings' => array(
 						'visible' => ($userinfo['change_serversettings'] == '1' ? true : false),
@@ -144,9 +153,14 @@ return array(
 						'desc' => $lng['serversettings']['specialsettingsforsubdomains']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array('1')
+						'value' => array(
+							'1'
+						)
 					)
 				)
 			),
@@ -169,9 +183,14 @@ return array(
 						'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['ssl_redirect'])
+						'value' => array(
+							$result['ssl_redirect']
+						)
 					),
 					'letsencrypt' => array(
 						'visible' => (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
@@ -179,9 +198,14 @@ return array(
 						'desc' => $lng['admin']['letsencrypt']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['letsencrypt'])
+						'value' => array(
+							$result['letsencrypt']
+						)
 					),
 					'no_ssl_available_info' => array(
 						'visible' => ($ssl_ipsandports == '' ? true : false),
@@ -198,15 +222,20 @@ return array(
 						'int_max' => 94608000, // 3-years
 						'value' => $result['hsts']
 					),
-					'hsts_incsub' => array(
+					'hsts_sub' => array(
 						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_incsub']['title'],
 						'desc' => $lng['admin']['domain_hsts_incsub']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['hsts_sub'])
+						'value' => array(
+							$result['hsts_sub']
+						)
 					),
 					'hsts_preload' => array(
 						'visible' => ($ssl_ipsandports != '' ? true : false),
@@ -214,10 +243,15 @@ return array(
 						'desc' => $lng['admin']['domain_hsts_preload']['description'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
-						),
-						'value' => array($result['hsts_preload'])
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
+						'value' => array(
+							$result['hsts_preload']
+						)
+					)
 				)
 			),
 			'section_c' => array(
@@ -229,9 +263,27 @@ return array(
 						'label' => 'OpenBasedir',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['openbasedir'])
+						'value' => array(
+							$result['openbasedir']
+						)
+					),
+					'phpenabled' => array(
+						'label' => $lng['admin']['phpenabled'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array(
+							$result['phpenabled']
+						)
 					),
 					'phpsettingid' => array(
 						'visible' => (((int) Settings::Get('system.mod_fcgid') == 1 || (int) Settings::Get('phpfpm.enabled') == 1) ? true : false),
@@ -262,9 +314,14 @@ return array(
 						'label' => 'Nameserver',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['isbinddomain'])
+						'value' => array(
+							$result['isbinddomain']
+						)
 					),
 					'zonefile' => array(
 						'label' => 'Zonefile',
@@ -282,17 +339,27 @@ return array(
 						'label' => $lng['admin']['emaildomain'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['isemaildomain'])
+						'value' => array(
+							$result['isemaildomain']
+						)
 					),
 					'email_only' => array(
 						'label' => $lng['admin']['email_only'],
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['email_only'])
+						'value' => array(
+							$result['email_only']
+						)
 					),
 					'subcanemaildomain' => array(
 						'label' => $lng['admin']['subdomainforemail'],
@@ -304,9 +371,14 @@ return array(
 						'label' => 'DomainKeys',
 						'type' => 'checkbox',
 						'values' => array(
-							array ('label' => $lng['panel']['yes'], 'value' => '1')
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
 						),
-						'value' => array($result['dkim'])
+						'value' => array(
+							$result['dkim']
+						)
 					)
 				)
 			)

lib/formfields/customer/domains/formfield.domains_add.php

@@ -54,7 +54,7 @@ return array(
 						'type' => 'text'
 					),
 					'redirectcode' => array(
-						'visible' => ((Settings::Get('system.webserver') == 'apache2' && Settings::Get('customredirect.enabled') == '1') ? true : false),
+						'visible' => (Settings::Get('customredirect.enabled') == '1' ? true : false),
 						'label' => $lng['domains']['redirectifpathisurl'],
 						'desc' => $lng['domains']['redirectifpathisurlinfo'],
 						'type' => 'select',
@@ -76,10 +76,9 @@ return array(
 			'section_bssl' => array(
 				'title' => $lng['admin']['webserversettings_ssl'],
 				'image' => 'icons/domain_add.png',
-				'visible' => Settings::Get('system.use_ssl') == '1' ? true : false,
+				'visible' => Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false,
 				'fields' => array(
 					'ssl_redirect' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['domains']['ssl_redirect']['title'],
 						'desc' => $lng['domains']['ssl_redirect']['description'],
 						'type' => 'checkbox',
@@ -89,7 +88,7 @@ return array(
 						'value' => array()
 					),
 					'letsencrypt' => array(
-						'visible' => (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
+						'visible' => (Settings::Get('system.leenabled') == '1' ? true : false),
 						'label' => $lng['customer']['letsencrypt']['title'],
 						'desc' => $lng['customer']['letsencrypt']['description'],
 						'type' => 'checkbox',
@@ -99,7 +98,6 @@ return array(
 						'value' => array()
 					),
 					'hsts_maxage' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_maxage']['title'],
 						'desc' => $lng['admin']['domain_hsts_maxage']['description'],
 						'type' => 'int',
@@ -107,8 +105,7 @@ return array(
 						'int_max' => 94608000, // 3-years
 						'value' => 0
 					),
-					'hsts_incsub' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
+					'hsts_sub' => array(
 						'label' => $lng['admin']['domain_hsts_incsub']['title'],
 						'desc' => $lng['admin']['domain_hsts_incsub']['description'],
 						'type' => 'checkbox',
@@ -118,7 +115,6 @@ return array(
 						'value' => array()
 					),
 					'hsts_preload' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_preload']['title'],
 						'desc' => $lng['admin']['domain_hsts_preload']['description'],
 						'type' => 'checkbox',

lib/formfields/customer/domains/formfield.domains_edit.php

@@ -54,7 +54,7 @@ return array(
 						'value' => $urlvalue
 					),
 					'redirectcode' => array(
-						'visible' => ((Settings::Get('system.webserver') == 'apache2' && Settings::Get('customredirect.enabled') == '1') ? true : false),
+						'visible' => (Settings::Get('customredirect.enabled') == '1' ? true : false),
 						'label' => $lng['domains']['redirectifpathisurl'],
 						'desc' => $lng['domains']['redirectifpathisurlinfo'],
 						'type' => 'select',
@@ -87,10 +87,9 @@ return array(
 			'section_bssl' => array(
 				'title' => $lng['admin']['webserversettings_ssl'],
 				'image' => 'icons/domain_edit.png',
-				'visible' => Settings::Get('system.use_ssl') == '1' ? true : false,
+				'visible' => Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? (domainHasSslIpPort($result['id']) ? true : false) : false) : false,
 				'fields' => array(
 					'ssl_redirect' => array(
-						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? (domainHasSslIpPort($result['id']) ? true : false) : false) : false),
 						'label' => $lng['domains']['ssl_redirect']['title'],
 						'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
 						'type' => 'checkbox',
@@ -100,7 +99,7 @@ return array(
 						'value' => array($result['ssl_redirect'])
 					),
 					'letsencrypt' => array(
-						'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? (domainHasSslIpPort($result['id']) ? true : false) : false) : false) : false),
+						'visible' => Settings::Get('system.leenabled') == '1' ? true : false,
 						'label' => $lng['customer']['letsencrypt']['title'],
 						'desc' => $lng['customer']['letsencrypt']['description'],
 						'type' => 'checkbox',
@@ -110,7 +109,6 @@ return array(
 						'value' => array($result['letsencrypt'])
 					),
 					'hsts_maxage' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_maxage']['title'],
 						'desc' => $lng['admin']['domain_hsts_maxage']['description'],
 						'type' => 'int',
@@ -118,8 +116,7 @@ return array(
 						'int_max' => 94608000, // 3-years
 						'value' => $result['hsts']
 					),
-					'hsts_incsub' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
+					'hsts_sub' => array(
 						'label' => $lng['admin']['domain_hsts_incsub']['title'],
 						'desc' => $lng['admin']['domain_hsts_incsub']['description'],
 						'type' => 'checkbox',
@@ -129,7 +126,6 @@ return array(
 						'value' => array($result['hsts_sub'])
 					),
 					'hsts_preload' => array(
-						'visible' => ($ssl_ipsandports != '' ? true : false),
 						'label' => $lng['admin']['domain_hsts_preload']['title'],
 						'desc' => $lng['admin']['domain_hsts_preload']['description'],
 						'type' => 'checkbox',

lib/functions/dns/function.createDomainZone.php

@@ -275,13 +275,11 @@ function createDomainZone($domain_id, $froxlorhostname = false, $isMainButSubTo
 			Database::pexecute($upd_stmt, array('serial' => $domain['bindserial'], 'id' => $domain['id']));
 		}
 
-		$soa_content = $primary_ns . " " . escapeSoaAdminMail(Settings::Get('panel.adminmail')) . " (" . PHP_EOL;
-		$soa_content .= $domain['bindserial'] . "\t; serial" . PHP_EOL;
+		// PowerDNS does not like multi-line-format
+		$soa_content = $primary_ns . " " . escapeSoaAdminMail(Settings::Get('panel.adminmail')) . " ";
+		$soa_content .= $domain['bindserial'] . " ";
 		// TODO for now, dummy time-periods
-		$soa_content .= "1800\t; refresh (30 mins)" . PHP_EOL;
-		$soa_content .= "900\t; retry (15 mins)" . PHP_EOL;
-		$soa_content .= "604800\t; expire (7 days)" . PHP_EOL;
-		$soa_content .= "1200\t)\t; minimum (20 mins)";
+		$soa_content .= "3600 900 604800 1200";
 
 		$soa_record = new DnsEntry('@', 'SOA', $soa_content);
 		array_unshift($zonerecords, $soa_record);

lib/functions/filedir/function.findDirs.php

@@ -17,27 +17,57 @@
  *
  */
 
+
 /**
  * Returns an array of found directories
  *
  * This function checks every found directory if they match either $uid or $gid, if they do
  * the found directory is valid. It uses recursive-iterators to find subdirectories.
  *
- * @param  string $path the path to start searching in
- * @param  int $uid the uid which must match the found directories
- * @param  int $gid the gid which must match the found direcotries
+ * @param string $path
+ *        	the path to start searching in
+ * @param int $uid
+ *        	the uid which must match the found directories
+ * @param int $gid
+ *        	the gid which must match the found direcotries
  *
  * @return array Array of found valid paths
  */
-function findDirs($path, $uid, $gid) {
-
+function findDirs($path, $uid, $gid)
+{
 	$_fileList = array();
 	$path = makeCorrectDir($path);
 
 	// valid directory?
 	if (is_dir($path)) {
+
+		// Will exclude everything under these directories
+		$exclude = array(
+			'awstats',
+			'webalizer'
+		);
+
+		/**
+		 *
+		 * @param SplFileInfo $file
+		 * @param mixed $key
+		 * @param RecursiveCallbackFilterIterator $iterator
+		 * @return bool True if you need to recurse or if the item is acceptable
+		 */
+		$filter = function ($file, $key, $iterator) use ($exclude) {
+			if (in_array($file->getFilename(), $exclude)) {
+				return false;
+			}
+			return true;
+		};
+
 		// create RecursiveIteratorIterator
-		$its = new RecursiveIteratorIterator(new IgnorantRecursiveDirectoryIterator($path));
+		$its = new RecursiveIteratorIterator(
+			new RecursiveCallbackFilterIterator(
+				new IgnorantRecursiveDirectoryIterator($path, RecursiveDirectoryIterator::SKIP_DOTS),
+				$filter
+			)
+		);
 		// we can limit the recursion-depth, but will it be helpful or
 		// will people start asking "why do I only see 2 subdirectories, i want to use /a/b/c"
 		// let's keep this in mind and see whether it will be useful
@@ -50,10 +80,10 @@ function findDirs($path, $uid, $gid) {
 				$_fileList[] = makeCorrectDir(dirname($fullFileName));
 			}
 		}
+		$_fileList[] = $path;
 	}
 
 	return array_unique($_fileList);
-
 }
 
 /**
@@ -61,9 +91,12 @@ function findDirs($path, $uid, $gid) {
  * into UnexpectedValueException you may use this little hack to ignore those
  * directories, such as lost+found on linux.
  * (User "antennen" @ http://php.net/manual/en/class.recursivedirectoryiterator.php#101654)
-**/
-class IgnorantRecursiveDirectoryIterator extends RecursiveDirectoryIterator {
-    function getChildren() {
+ */
+class IgnorantRecursiveDirectoryIterator extends RecursiveDirectoryIterator
+{
+
+	function getChildren()
+	{
 		try {
 			return new IgnorantRecursiveDirectoryIterator($this->getPathname());
 		} catch (UnexpectedValueException $e) {

lib/functions/filedir/function.makeCorrectDir.php

@@ -26,7 +26,11 @@
  */
 function makeCorrectDir($dir) {
 
+	if (version_compare("5.4.6", PHP_VERSION, ">")) {
 		assert('is_string($dir) && strlen($dir) > 0 /* $dir does not look like an actual folder name */');
+	} else {
+		assert('is_string($dir) && strlen($dir) > 0', 'Value "' . $dir .'" does not look like an actual folder name');
+	}
 
 	$dir = trim($dir);
 

lib/functions/filedir/function.makePathfield.php

@@ -64,7 +64,12 @@ function makePathfield($path, $uid, $gid, $value = '', $dom = false) {
 				$_field = '';
 				foreach ($dirList as $key => $dir) {
 					if (strpos($dir, $path) === 0) {
-						$dir = makeCorrectDir(substr($dir, strlen($path)));
+						$dir = substr($dir, strlen($path));
+						// docroot cut off of current directory == empty -> directory is the docroot
+						if (empty($dir)) {
+							$dir = '/';
+						}
+						$dir = makeCorrectDir($dir);
 					}
 					$_field.= makeoption($dir, $dir, $value);
 				}

lib/functions/formfields/option/function.validateFormFieldOption.php

@@ -40,6 +40,9 @@ function validateFormFieldOption($fieldname, $fielddata, $newfieldvalue)
 	}
 	else
 	{
+		if (isset($fielddata['option_emptyallowed']) && $fielddata['option_emptyallowed']) {
+			return true;
+		}
 		return 'not in option';
 	}
 }

lib/functions/formfields/string/function.validateFormFieldString.php

@@ -122,7 +122,7 @@ function validateFormFieldString($fieldname, $fielddata, $newfieldvalue)
                         $newfieldvalue = '';
                         $returnvalue = 'stringmustntbeempty';
                     } else {
-                        $newfieldvalue = validate_ip2($newfieldvalue, true, true, true);
+                        $newfieldvalue = validate_ip2($newfieldvalue, true, 'invalidip', true, true, true);
                         $returnvalue = ($newfieldvalue !== false ? true : 'invalidip');
                     }
                 }

lib/functions/output/function.RedirectCode.php

@@ -58,12 +58,13 @@ function getRedirectCodes() {
  * domain-id
  *
  * @param integer $domainid id of the domain
+ * @param string $default
  *
  * @return string redirect-code
  */
-function getDomainRedirectCode($domainid = 0) {
+function getDomainRedirectCode($domainid = 0, $default = '') {
 
-	$code = '';
+	$code = $default;
 	if ($domainid > 0) {
 
 		$result_stmt = Database::prepare("
@@ -76,7 +77,7 @@ function getDomainRedirectCode($domainid = 0) {
 		if (is_array($result)
 			&& isset($result['redirect'])
 		) {
-			$code = ($result['redirect'] == '---') ? '' : $result['redirect'];
+			$code = ($result['redirect'] == '---') ? $default : $result['redirect'];
 		}
 	}
 	return $code;

lib/functions/settings/function.storeSettingClearCertificates.php

@@ -0,0 +1,37 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+* Copyright (c) 2003-2009 the SysCP Team (see authors).
+* Copyright (c) 2010 the Froxlor Team (see authors).
+*
+* For the full copyright and license information, please view the COPYING
+* file that was distributed with this source code. You can also view the
+* COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+*
+* @copyright  (c) the authors
+* @author     Froxlor team <team@froxlor.org> (2010-)
+* @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+* @package    Functions
+*
+*/
+
+function storeSettingClearCertificates($fieldname, $fielddata, $newfieldvalue) {
+
+	$returnvalue = storeSettingField($fieldname, $fielddata, $newfieldvalue);
+
+	if ($returnvalue !== false
+		&& is_array($fielddata)
+		&& isset($fielddata['settinggroup'])
+		&& $fielddata['settinggroup'] == 'system'
+		&& isset($fielddata['varname'])
+		&& $fielddata['varname'] == 'le_froxlor_enabled'
+		&& $newfieldvalue == '0'
+		) {
+			Database::query("
+				DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = '0'
+			");
+		}
+
+		return $returnvalue;
+}

lib/functions/validate/function.appendOpenbasedirPath.php

@@ -29,15 +29,18 @@
  */
 function appendOpenBasedirPath($path = '', $first = false)
 {
-    if ($path != '' && $path != '/'
-        && (! preg_match("#^/dev#i", $path) || preg_match("#^/dev/urandom#i", $path))
+	if ($path != '' && $path != '/' &&
+		(! preg_match("#^/dev#i", $path) || preg_match("#^/dev/urandom#i", $path))
 		&& ! preg_match("#^/proc#i", $path)
 		&& ! preg_match("#^/etc#i", $path)
 		&& ! preg_match("#^/sys#i", $path)
-        && ! preg_match("#:#", $path)
-    ) {
+		&& ! preg_match("#:#", $path)) {
 
+		if (preg_match("#^/dev/urandom#i", $path)) {
+			$path = makeCorrectFile($path);
+		} else {
 			$path = makeCorrectDir($path);
+		}
 
 		// check for php-version that requires the trailing
 		// slash to be removed as it does not allow the usage

lib/functions/validate/function.validateUrl.php

@@ -37,7 +37,11 @@ function validateUrl($url) {
 	}
 
 	// needs converting
+	try {
 		$url = $idna_convert->encode($url);
+	} catch (Exception $e) {
+		return false;
+	}
 
 	$pattern = "/^https?:\/\/[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,4}(\:[0-9]+)?\/?(.+)?$/i";
 	if (preg_match($pattern, $url)) {

lib/functions/validate/function.validate_ip.php

@@ -49,10 +49,30 @@ function validate_ip($ip, $return_bool = false, $lng = 'invalidip') {
  * @param string $lng index for error-message (if $return_bool is false)
  * @param bool $allow_localhost whether to allow 127.0.0.1
  * @param bool $allow_priv whether to allow private network addresses
+ * @param bool $allow_cidr whether to allow CIDR values e.g. 10.10.10.10/16
  *
  * @return string|bool ip address on success, false on failure
  */
-function validate_ip2($ip, $return_bool = false, $lng = 'invalidip', $allow_localhost = false, $allow_priv = false) {
+function validate_ip2($ip, $return_bool = false, $lng = 'invalidip', $allow_localhost = false, $allow_priv = false, $allow_cidr = false) {
+
+	$cidr = "";
+	if ($allow_cidr) {
+		$org_ip = $ip;
+		$ip_cidr = explode("/", $ip);
+		if (count($ip_cidr) == 2) {
+			$ip = $ip_cidr[0];
+			$cidr = "/".$ip_cidr[1];
+		} else {
+			$ip = $org_ip;
+		}
+	} elseif (strpos($ip, "/") !== false) {
+		if ($return_bool) {
+			return false;
+		} else {
+			standard_error($lng, $ip);
+			exit();
+		}
+	}
 
 	$filter_lan = $allow_priv ? FILTER_FLAG_NO_RES_RANGE : (FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE);
 
@@ -60,12 +80,12 @@ function validate_ip2($ip, $return_bool = false, $lng = 'invalidip', $allow_loca
 			|| filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4))
 			&& filter_var($ip, FILTER_VALIDATE_IP, $filter_lan)
 	) {
-		return $ip;
+		return $ip.$cidr;
 	}
 
 	// special case where localhost ip is allowed (mysql-access-hosts for example)
 	if ($allow_localhost && $ip == '127.0.0.1') {
-		return $ip;
+		return $ip.$cidr;
 	}
 
 	if ($return_bool) {

lib/version.inc.php

@@ -16,10 +16,10 @@
  */
 
 // Main version variable
-$version = '0.9.38-rc1';
+$version = '0.9.38.5';
 
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201610070';
+$dbversion = '201612110';
 
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';

lng/english.lng.php

@@ -2061,4 +2061,7 @@ $lng['admin']['domain_hsts_maxage']['description'] = 'Specify the max-age value
 $lng['admin']['domain_hsts_incsub']['title'] = 'Include HSTS for any subdomain';
 $lng['admin']['domain_hsts_incsub']['description'] = 'The optional "includeSubDomains" directive, if present, signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host\'s domain name.';
 $lng['admin']['domain_hsts_preload']['title'] = 'Include domain in <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a>';
-$lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';
+$lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';
+
+$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
+$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';

lng/german.lng.php

@@ -1710,6 +1710,6 @@ $lng['admin']['webserversettings_ssl'] = 'Webserver SSL-Einstellungen';
 $lng['admin']['domain_hsts_maxage']['title'] = 'HTTP Strict Transport Security (HSTS)';
 $lng['admin']['domain_hsts_maxage']['description'] = '"max-age" Wert für den Strict-Transport-Security Header<br>Der Wert <i>0</i> deaktiviert HSTS für diese Domain. Meist wird der Wert <i>31536000</i> gerne genutzt (ein Jahr).';
 $lng['admin']['domain_hsts_incsub']['title'] = 'Inkludiere HSTS für jede Subdomain';
-$lng['admin']['domain_hsts_incsub']['description'] = 'Die optionale "includeSubDomains" Direktive, wenn vorhanden, signalisiert dem UA, dass die HSTS that the HSTS Regel für diese Domain und auch jede Subdomain dieser gilt.';
+$lng['admin']['domain_hsts_incsub']['description'] = 'Die optionale "includeSubDomains" Direktive, wenn vorhanden, signalisiert dem UA, dass die HSTS Regel für diese Domain und auch jede Subdomain dieser gilt.';
 $lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload Liste</a> hinzu';
-$lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';
+$lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';

scripts/jobs/cron_letsencrypt.php

@@ -43,6 +43,7 @@ $certificates_stmt = Database::query("
 			dom.`ssl_redirect`,
 			cust.`leprivatekey`,
 			cust.`lepublickey`,
+			cust.`leregistered`,
 			cust.`customerid`,
 			cust.`loginname`
 		FROM
@@ -103,6 +104,7 @@ if (Settings::Get('system.le_froxlor_enabled') == '1') {
 		'documentroot' => FROXLOR_INSTALL_DIR,
 		'leprivatekey' => Settings::Get('system.leprivatekey'),
 		'lepublickey' => Settings::Get('system.lepublickey'),
+		'leregistered' => Settings::Get('system.leregistered'),
 		'ssl_redirect' => Settings::Get('system.le_froxlor_redirect'),
 		'expirationdate' => null,
 		'ssl_cert_file' => null,
@@ -141,8 +143,7 @@ if (Settings::Get('system.le_froxlor_enabled') == '1') {
 
 	if ($insert_or_update_required) {
 		$domains = array(
-			$certrow['domain'],
-			'www.' . $certrow['domain']
+			$certrow['domain']
 		);
 
 		// Only renew let's encrypt certificate if no broken ssl_redirect is enabled

scripts/jobs/cron_tasks.inc.dns.10.bind.php

@@ -129,11 +129,9 @@ class bind extends DnsBase
 			// AXFR server #100
 			if (count($this->_axfr) > 0) {
 				foreach ($this->_axfr as $axfrserver) {
-					if (validate_ip($axfrserver, true) !== false) {
 					$bindconf_file .= '		' . $axfrserver . ';' . "\n";
 				}
 			}
-			}
 			// close allow-transfer
 			$bindconf_file .= '	};' . "\n";
 		}

scripts/jobs/cron_tasks.inc.dns.20.pdns.php

@@ -194,14 +194,12 @@ class pdns extends DnsBase
 			// AXFR server #100
 			if (count($this->_axfr) > 0) {
 				foreach ($this->_axfr as $axfrserver) {
-					if (validate_ip($axfrserver, true) !== false) {
 					$ins_data['value'] = $axfrserver;
 					$ins_stmt->execute($ins_data);
 				}
 			}
 		}
 	}
-	}
 
 	private function _connectToPdnsDb()
 	{

scripts/jobs/cron_tasks.inc.http.10.apache.php

@@ -1,5 +1,4 @@
 <?php
-
 if (! defined('MASTER_CRONJOB'))
 	die('You cannot access this file directly!');
 
@@ -183,6 +182,10 @@ class apache extends HttpConfigBase
 			}
 
 			if ($row_ipsandports['vhostcontainer'] == '1') {
+
+				$without_vhost = $this->virtualhosts_data[$vhosts_filename];
+				$close_vhost = true;
+
 				$this->virtualhosts_data[$vhosts_filename] .= '<VirtualHost ' . $ipport . '>' . "\n";
 
 				$mypath = $this->getMyPath($row_ipsandports);
@@ -274,8 +277,9 @@ class apache extends HttpConfigBase
 							}
 							$this->virtualhosts_data[$vhosts_filename] .= '  </Directory>' . "\n";
 						}
-					}					// create php-fpm <Directory>-Part (config is created in apache_fcgid)
+					}
 					elseif (Settings::Get('phpfpm.enabled') == '1') {
+						// create php-fpm <Directory>-Part (config is created in apache_fcgid)
 						$domain = array(
 							'id' => 'none',
 							'domain' => Settings::Get('system.hostname'),
@@ -340,6 +344,15 @@ class apache extends HttpConfigBase
 						);
 					}
 				} // end of ssl-redirect check
+				else
+				{
+					// fallback of froxlor domain-data for processSpecialConfigTemplate()
+					$domain = array(
+						'domain' => Settings::Get('system.hostname'),
+						'loginname' => 'froxlor.panel',
+						'documentroot' => $mypath
+					);
+				}
 
 				/**
 				 * dirprotection, see #72
@@ -408,7 +421,7 @@ class apache extends HttpConfigBase
 						} else {
 
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
-							$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol ALL -SSLv2 -SSLv3' . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 							// this makes it more secure, thx to Marcel (08/2013)
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
@@ -443,10 +456,19 @@ class apache extends HttpConfigBase
 								}
 							}
 						}
+					} else {
+						// if there is no cert-file specified but we are generating a ssl-vhost,
+						// we should return an empty string because this vhost would suck dick, ref #1583
+						$this->logger->logAction(CRON_ACTION, LOG_ERR, $domain['domain'] . ' :: empty certificate file! Cannot create ssl-directives');
+						$this->virtualhosts_data[$vhosts_filename] = $without_vhost;
+						$this->virtualhosts_data[$vhosts_filename] .= '# no ssl-certificate was specified for this domain, therefore no explicit vhost-container is being generated';
+						$close_vhost = false;
 					}
 				}
 
+				if ($close_vhost) {
 					$this->virtualhosts_data[$vhosts_filename] .= '</VirtualHost>' . "\n";
+				}
 				$this->logger->logAction(CRON_ACTION, LOG_DEBUG, $ipport . ' :: inserted vhostcontainer');
 			}
 			unset($vhosts_filename);
@@ -475,7 +497,7 @@ class apache extends HttpConfigBase
 	{
 		$php_options_text = '';
 
-		if ($domain['phpenabled'] == '1') {
+		if ($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1') {
 			// This vHost has PHP enabled and we are using the regular mod_php
 
 			if ($domain['openbasedir'] == '1') {
@@ -795,7 +817,7 @@ class apache extends HttpConfigBase
 				$_sslport = ":" . $ssldestport['port'];
 			}
 
-			$domain['documentroot'] = 'https://' . $domain['domain'] . $_sslport . '/';
+			$domain['documentroot'] = 'https://%{HTTP_HOST}' . $_sslport . '/';
 		}
 
 		if ($ssl_vhost === true && $domain['ssl'] == '1' && Settings::Get('system.use_ssl') == '1') {
@@ -817,7 +839,7 @@ class apache extends HttpConfigBase
 
 			if ($domain['ssl_cert_file'] != '') {
 				$vhost_content .= '  SSLEngine On' . "\n";
-				$vhost_content .= '  SSLProtocol ALL -SSLv2 -SSLv3' . "\n";
+				$vhost_content .= '  SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 				// this makes it more secure, thx to Marcel (08/2013)
 				$vhost_content .= '  SSLHonorCipherOrder On' . "\n";
 				$vhost_content .= '  SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
@@ -860,10 +882,10 @@ class apache extends HttpConfigBase
 		$domain['documentroot'] = trim($domain['documentroot']);
 
 		if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
-			$corrected_docroot = $this->idnaConvert->encode_uri($domain['documentroot']);
+			$corrected_docroot = $domain['documentroot'];
 
 			// Get domain's redirect code
-			$code = getDomainRedirectCode($domain['id']);
+			$code = getDomainRedirectCode($domain['id'], '301');
 			$modrew_red = '';
 			if ($code != '') {
 				$modrew_red = ' [R=' . $code . ';L,NE]';

scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php

@@ -23,7 +23,7 @@ class apache_fcgid extends apache
 	{
 		$php_options_text = '';
 
-		if($domain['phpenabled'] == '1')
+		if($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1')
 		{
 			$php = new phpinterface($domain);
 			$phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);

scripts/jobs/cron_tasks.inc.http.20.lighttpd.php

@@ -162,7 +162,25 @@ class lighttpd extends HttpConfigBase
 						$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= "\t" . ')' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= '  )' . "\n";
+					} else {
+						$domain = array(
+							'id' => 'none',
+							'domain' => Settings::Get('system.hostname'),
+							'adminid' => 1, /* first admin-user (superadmin) */
+							'guid' => Settings::Get('system.httpuser'),
+							'openbasedir' => 0,
+							'email' => Settings::Get('panel.adminmail'),
+							'loginname' => 'froxlor.panel',
+							'documentroot' => $mypath
+						);
 					}
+				} else {
+					// fallback of froxlor domain-data for processSpecialConfigTemplate()
+					$domain = array(
+						'domain' => Settings::Get('system.hostname'),
+						'loginname' => 'froxlor.panel',
+						'documentroot' => $mypath
+					);
 				}
 
 				if ($row_ipsandports['specialsettings'] != '') {
@@ -210,7 +228,9 @@ class lighttpd extends HttpConfigBase
 						echo $ip . ':' . $port . ' :: certificate file "' . $domain['ssl_cert_file'] . '" does not exist! Cannot create SSL-directives' . "\n";
 					} else {
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.engine = "enable"' . "\n";
+						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-compression = "disable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv2 = "disable"' . "\n";
+						$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv3 = "disable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.honor-cipher-order = "enable"' . "\n";
 						$this->lighttpd_data[$vhost_filename] .= 'ssl.pemfile = "' . makeCorrectFile($domain['ssl_cert_file']) . '"' . "\n";
@@ -422,15 +442,21 @@ class lighttpd extends HttpConfigBase
 				$_sslport = ":" . $ssldestport['port'];
 			}
 
-			$domain['documentroot'] = 'https://' . $domain['domain'] . $_sslport . '/';
+			$domain['documentroot'] = 'https://%1' . $_sslport . '/';
 		}
 
 		// avoid using any whitespaces
 		$domain['documentroot'] = trim($domain['documentroot']);
 
 		if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
+			$uri = $domain['documentroot'];
+
+			// Get domain's redirect code
+			$code = getDomainRedirectCode($domain['id'], '301');
+
+			$vhost_content .= '  url.redirect-code = ' . $code. "\n";
 			$vhost_content .= '  url.redirect = (' . "\n";
-			$vhost_content .= '     "^/(.*)$" => "' . $this->idnaConvert->encode_uri($domain['documentroot']) . '$1"' . "\n";
+			$vhost_content .= '     "^/(.*)$" => "' . $uri . '$1"' . "\n";
 			$vhost_content .= '  )' . "\n";
 		} else {
 
@@ -510,7 +536,9 @@ class lighttpd extends HttpConfigBase
 			if ($domain['ssl_cert_file'] != '') {
 
 				$ssl_settings .= 'ssl.engine = "enable"' . "\n";
+				$ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
 				$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
+				$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
 				$ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
 				$ssl_settings .= 'ssl.honor-cipher-order = "enable"' . "\n";
 				$ssl_settings .= 'ssl.pemfile = "' . makeCorrectFile($domain['ssl_cert_file']) . '"' . "\n";
@@ -521,14 +549,14 @@ class lighttpd extends HttpConfigBase
 
 				if ($domain['hsts'] >= 0) {
 
-					$vhost_content .= '$HTTP["scheme"] == "https" { setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=' . $domain['hsts'];
+					$ssl_settings .= '$HTTP["scheme"] == "https" { setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=' . $domain['hsts'];
 					if ($domain['hsts_sub'] == 1) {
-						$vhost_content .= '; includeSubDomains';
+						$ssl_settings .= '; includeSubDomains';
 					}
 					if ($domain['hsts_preload'] == 1) {
-						$vhost_content .= '; preload';
+						$ssl_settings .= '; preload';
 					}
-					$vhost_content .= '") }' . "\n";
+					$ssl_settings .= '") }' . "\n";
 				}
 			}
 		}

scripts/jobs/cron_tasks.inc.http.25.lighttpd_fcgid.php

@@ -21,7 +21,7 @@ class lighttpd_fcgid extends lighttpd
 	{
 		$php_options_text = '';
 
-		if($domain['phpenabled'] == '1')
+		if($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1')
 		{
 			$php = new phpinterface($domain);
 			$phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);

scripts/jobs/cron_tasks.inc.http.30.nginx.php

@@ -196,15 +196,22 @@ class nginx extends HttpConfigBase
 					}
 				}
 
+				$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+
 				/**
 				 * this HAS to be set for the default host in nginx or else no vhost will work
 				 */
-				$this->nginx_data[$vhost_filename] .= "\t" . 'listen    ' . $ip . ':' . $port . ' default_server' . ($ssl_vhost == true ? ' ssl' : '') . ';' . "\n";
+				$this->nginx_data[$vhost_filename] .= "\t" . 'listen    ' . $ip . ':' . $port . ' default_server' . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
 
 				$this->nginx_data[$vhost_filename] .= "\t" . '# Froxlor default vhost' . "\n";
 				$this->nginx_data[$vhost_filename] .= "\t" . 'server_name    ' . Settings::Get('system.hostname') . ';' . "\n";
 				$this->nginx_data[$vhost_filename] .= "\t" . 'access_log      /var/log/nginx/access.log;' . "\n";
 
+				if (Settings::Get('system.use_ssl') == '1' && Settings::Get('system.leenabled') == '1' && Settings::Get('system.le_froxlor_enabled') == '1') {
+					$acmeConfFilename = Settings::Get('system.letsencryptacmeconf');
+					$this->nginx_data[$vhost_filename] .= "\t" . 'include ' . $acmeConfFilename . ';' . "\n";
+				}
+
 				$is_redirect = false;
 				// check for SSL redirect
 				if ($row_ipsandports['ssl'] == '0' && Settings::Get('system.le_froxlor_redirect') == '1') {
@@ -217,7 +224,7 @@ class nginx extends HttpConfigBase
 					} else {
 						$_sslport = $this->checkAlternativeSslPort();
 						$mypath = 'https://' . Settings::Get('system.hostname') . $_sslport . '/';
-						$this->nginx_data[$vhost_filename] .= "\t" . 'if ($request_uri !~ "^/\.well-known/acme-challenge/\w+$") {' . "\n";
+						$this->nginx_data[$vhost_filename] .= "\t" . 'if ($request_uri !~ ^/.well-known/acme-challenge/\w+$) {' . "\n";
 						$this->nginx_data[$vhost_filename] .= "\t\t" . 'return 301 ' . $mypath . '$request_uri;' . "\n";
 						$this->nginx_data[$vhost_filename] .= "\t" . '}' . "\n";
 					}
@@ -411,7 +418,9 @@ class nginx extends HttpConfigBase
 				$_vhost_content .= $this->processSpecialConfigTemplate($ipandport['default_vhostconf_domain'], $domain, $domain['ip'], $domain['port'], $ssl_vhost) . "\n";
 			}
 
-			$vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ';' . "\n";
+            $http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+
+            $vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
 		}
 
 		// get all server-names
@@ -438,7 +447,7 @@ class nginx extends HttpConfigBase
 				$_sslport = ":" . $ssldestport['port'];
 			}
 
-			$domain['documentroot'] = 'https://' . $domain['domain'] . $_sslport . '/';
+			$domain['documentroot'] = 'https://$host' . $_sslport . '/';
 		}
 
 		// avoid using any whitespaces
@@ -456,12 +465,16 @@ class nginx extends HttpConfigBase
 
 		// if the documentroot is an URL we just redirect
 		if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
-			$uri = $this->idnaConvert->encode_uri($domain['documentroot']);
+			$uri = $domain['documentroot'];
 			if (substr($uri, - 1) == '/') {
 				$uri = substr($uri, 0, - 1);
 			}
-			$vhost_content .= "\t" . 'if ($request_uri !~ "^/\.well-known/acme-challenge/\w+$") {' . "\n";
-			$vhost_content .= "\t\t" . 'return 301 ' . $uri . '$request_uri;' . "\n";
+
+			// Get domain's redirect code
+			$code = getDomainRedirectCode($domain['id'], '301');
+
+			$vhost_content .= "\t" . 'if ($request_uri !~ ^/.well-known/acme-challenge/\w+$) {' . "\n";
+			$vhost_content .= "\t\t" . 'return ' . $code .' ' . $uri . '$request_uri;' . "\n";
 			$vhost_content .= "\t" . '}' . "\n";
 		} else {
 			mkDirWithCorrectOwnership($domain['customerroot'], $domain['documentroot'], $domain['guid'], $domain['guid'], true);
@@ -596,7 +609,7 @@ class nginx extends HttpConfigBase
 			} else {
 				// obsolete: ssl on now belongs to the listen block as 'ssl' at the end
 				// $sslsettings .= "\t" . 'ssl on;' . "\n";
-				$sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' . "\n";
+				$sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.2;' . "\n";
 				$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
 				$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
 				$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
@@ -833,7 +846,7 @@ class nginx extends HttpConfigBase
 	protected function composePhpOptions($domain, $ssl_vhost = false)
 	{
 		$phpopts = '';
-		if ($domain['phpenabled'] == '1') {
+		if ($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1') {
 			$phpopts = "\tlocation ~ \.php {\n";
 			$phpopts .= "\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
 			$phpopts .= "\t" . '}' . "\n\n";
@@ -869,7 +882,7 @@ class nginx extends HttpConfigBase
 
 		$webroot_text .= "\n\t" . 'location / {' . "\n";
 
-		if ($domain['phpenabled'] == '1') {
+		if ($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1') {
 			$webroot_text .= "\t" . 'index    index.php index.html index.htm;' . "\n";
 			$webroot_text .= "\t\t" . 'try_files $uri $uri/ @rewrites;' . "\n";
 		} else {
@@ -882,7 +895,7 @@ class nginx extends HttpConfigBase
 		}
 
 		$webroot_text .= "\t" . '}' . "\n\n";
-		if ($domain['phpenabled'] == '1') {
+		if ($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1') {
 			$webroot_text .= "\tlocation @rewrites {\n";
 			$webroot_text .= "\t\trewrite ^ /index.php last;\n";
 			$webroot_text .= "\t}\n\n";

scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php

@@ -20,7 +20,7 @@ class nginx_phpfpm extends nginx
 	protected function composePhpOptions($domain, $ssl_vhost = false) {
 		$php_options_text = '';
 
-		if ($domain['phpenabled'] == '1') {
+		if ($domain['phpenabled_customer'] == 1 && $domain['phpenabled_vhost'] == '1') {
 			$php = new phpinterface($domain);
 			$phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);
 			

ssl_certificates.php

@@ -27,12 +27,36 @@ $success_message = "";
 if ($action == 'delete') {
 	$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 	if ($id > 0) {
+		$chk = (AREA == 'admin' && $userinfo['customers_see_all'] == '1') ? true : false;
+		if (AREA == 'customer') {
+			$chk_stmt = Database::prepare("
+				SELECT d.domain FROM `" . TABLE_PANEL_DOMAINS . "` d
+				LEFT JOIN `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` s ON s.domainid = d.id
+				WHERE s.`id` = :id AND d.`customerid` = :cid
+			");
+			$chk = Database::pexecute_first($chk_stmt, array(
+				'id' => $id,
+				'cid' => $userinfo['customerid']
+			));
+		} elseif (AREA == 'admin' && $userinfo['customers_see_all'] == '0') {
+			$chk_stmt = Database::prepare("
+				SELECT d.domain FROM `" . TABLE_PANEL_DOMAINS . "` d
+				LEFT JOIN `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` s ON s.domainid = d.id
+				WHERE s.`id` = :id AND d.`adminid` = :aid
+			");
+			$chk = Database::pexecute_first($chk_stmt, array(
+				'id' => $id,
+				'aid' => $userinfo['adminid']
+			));
+		}
+		if ($chk !== false) {
 			Database::pexecute($del_stmt, array(
 				'id' => $id
 			));
 			$success_message = sprintf($lng['domains']['ssl_certificate_removed'], $id);
 		}
 	}
+}
 
 $log->logAction(USR_ACTION, LOG_NOTICE, "viewed domains::ssl_certificates");
 $fields = array(
@@ -72,7 +96,9 @@ $certificates = "";
 if (count($all_certs) == 0) {
 	$message = $lng['domains']['no_ssl_certificates'];
 	$sortcode = "";
-	$arrowcode = array('d.domain' => '');
+	$arrowcode = array(
+		'd.domain' => ''
+	);
 	$searchcode = "";
 	$pagingcode = "";
 	eval("\$certificates.=\"" . getTemplate("ssl_certificates/certs_error", true) . "\";");
@@ -86,6 +112,13 @@ if (count($all_certs) == 0) {
 	foreach ($all_certs as $idx => $cert) {
 		if ($paging->checkDisplay($idx)) {
 
+			// respect froxlor-hostname
+			if ($cert['domainid'] == 0) {
+				$cert['domain'] = Settings::Get('system.hostname');
+				$cert['letsencrypt'] = Settings::Get('system.le_froxlor_enabled');
+				$cert['loginname'] = 'froxlor.panel';
+			}
+
 			if (empty($cert['domain']) || empty($cert['ssl_cert_file'])) {
 				// no domain found to the entry or empty entry - safely delete it from the DB
 				Database::pexecute($del_stmt, array(
@@ -96,10 +129,10 @@ if (count($all_certs) == 0) {
 
 			$cert_data = openssl_x509_parse($cert['ssl_cert_file']);
 
-			$cert['domain'] = $idna_convert->encode($cert['domain']);
+			$cert['domain'] = $idna_convert->decode($cert['domain']);
 
 			$adminCustomerLink = "";
-			if (AREA == 'admin') {
+			if (AREA == 'admin' && $cert['domainid'] > 0) {
 				if (! empty($cert['loginname'])) {
 					$adminCustomerLink = '&nbsp;(<a href="' . $linker->getLink(array(
 						'section' => 'customers',
@@ -119,6 +152,18 @@ if (count($all_certs) == 0) {
 					$isValid = false;
 				}
 
+				$san_list = "";
+				if (isset($cert_data['extensions']['subjectAltName']) && ! empty($cert_data['extensions']['subjectAltName'])) {
+					$SANs = explode(",", $cert_data['extensions']['subjectAltName']);
+					$SANs = array_map('trim', $SANs);
+					foreach ($SANs as $san) {
+						$san = str_replace("DNS:", "", $san);
+						if ($san != $cert_data['subject']['CN'] && strpos($san, "othername:") === false) {
+							$san_list .= $san . "<br>";
+						}
+					}
+				}
+
 				$row = htmlentities_array($cert);
 				eval("\$certificates.=\"" . getTemplate("ssl_certificates/certs_cert", true) . "\";");
 			} else {

templates/Sparkle/admin/ipsandports/ipsandports.tpl

@@ -27,7 +27,7 @@ $header
 							<th>{$lng['admin']['ipsandports']['ip']}&nbsp;{$arrowcode['ip']}</th>
 							<th>{$lng['admin']['ipsandports']['port']}&nbsp;{$arrowcode['port']}</th>
 							<if !$is_nginx><th>Listen</th></if>
-							<if $is_apache><th>NameVirtualHost</th></if>
+							<if $is_apache && !$is_apache24><th>NameVirtualHost</th></if>
 							<th>vHost-Container</th>
 							<th>Specialsettings</th>
 							<if $is_apache><th>ServerName</th></if>

templates/Sparkle/admin/ipsandports/ipsandports_ipandport.tpl

@@ -2,7 +2,7 @@
 	<td>{$row['ip']}</td>
 	<td>{$row['port']}</td>
 	<if !$is_nginx><td><if $row['listen_statement']=='1'>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td></if>
-	<if $is_apache><td><if $row['namevirtualhost_statement']=='1'>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td></if>
+	<if $is_apache && !$is_apache24><td><if $row['namevirtualhost_statement']=='1'>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td></if>
 	<td><if $row['vhostcontainer']=='1'>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td>
 	<td><if $row['specialsettings']!=''>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td>
 	<if $is_apache><td><if $row['vhostcontainer_servername_statement']=='1'>{$lng['panel']['yes']}<else>{$lng['panel']['no']}</if></td></if>

templates/Sparkle/ssl_certificates/certs_cert.tpl

@@ -5,6 +5,7 @@
 	</td>
 	<td>
 		{$cert_data['subject']['CN']}
+		<if !empty($san_list)><br>SAN: {$san_list}</if>
 	</td>
 	<td>
 		{$cert_data['issuer']['O']}