github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-19 21:04:07 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #2 from serghey-rodin/master

Browse source 
update 6 20 2019
This commit is contained in:
darkworks 2019-06-20 22:30:39 +05:00 committed by GitHub
commit b67c0f88e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1054 changed files with 44011 additions and 8506 deletions
Download patch file Download diff file Expand all files Collapse all files

8
bin/v-add-backup-host
View file

@ -38,8 +38,8 @@ EOF
sftpc() {
expect -f "-" <<EOF "$@"
set count 0
spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o \
Port=$port $user@$host
spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
Port=$port '$user@$host'"
expect {
"password:" {
send "$password\r"
@ -94,12 +94,14 @@ EOF
if [ "$type" != 'local' ];then
check_args '4' "$#" "TYPE HOST USERNAME PASSWORD [PATH] [PORT]"
is_format_valid 'host'
is_format_valid 'user' 'host' 'path' 'port'
is_password_valid
if [ "$type" = 'sftp' ]; then
which expect >/dev/null 2>&1
check_result $? "expect command not found" $E_NOTEXIST
fi
host "$host" >/dev/null 2>&1
check_result $? "host connection failed" "$E_CONNECT"
fi

4
bin/v-add-dns-on-web-alias
View file

@ -50,12 +50,12 @@ domain_lvl=$(echo "$alias" |grep -o "\." |wc -l)
# Adding second level domain
if [ "$domain_lvl" -eq 1 ] || [ "${#top_domain}" -le '6' ]; then
$BIN/v-add-dns-domain \
$user $alias $ip '' '' '' '' '' $restart >> /dev/null
$user $alias $ip '' '' '' '' '' '' '' '' $restart >> /dev/null
exit
fi
# Adding top-level domain and then its sub
$BIN/v-add-dns-domain $user $top_domain $ip '' '' '' '' $restart >> /dev/null
$BIN/v-add-dns-domain $user $top_domain $ip '' '' '' '' '' $restart >> /dev/null
# Checking top-level domain
if [ ! -e "$USER_DATA/dns/$top_domain.conf" ]; then

8
bin/v-add-dns-record
View file

@ -45,10 +45,12 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
fi
fi
dvalue=${dvalue//\"/}
if [ $rtype != "CAA" ]; then
dvalue=${dvalue//\"/}
if [[ "$dvalue" =~ [\;[:space:]] ]]; then
dvalue='"'"$dvalue"'"'
if [[ "$dvalue" =~ [\;[:space:]] ]]; then
dvalue='"'"$dvalue"'"'
fi
fi
# Additional argument formatting

16
bin/v-add-firewall-chain
View file

@ -21,6 +21,12 @@ protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
# Defining absolute path to iptables
iptables="/sbin/iptables"
# Get vesta port by reading nginx.conf
vestaport=$(grep 'listen' /usr/local/vesta/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
if [ -z "$vestaport" ]; then
vestaport=8083
fi
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
@ -41,13 +47,19 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
# Checking known chains
case $chain in
SSH) port=22; protocol=TCP ;;
SSH) # Get ssh port by reading ssh config file.
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [ -z "$sshport" ]; then
sshport=22
fi
port=$sshport;
protocol=TCP ;;
FTP) port=21; protocol=TCP ;;
MAIL) port='25,465,587,2525,110,995,143,993'; protocol=TCP ;;
DNS) port=53; protocol=UDP ;;
WEB) port='80,443'; protocol=TCP ;;
DB) port='3306,5432'; protocol=TCP ;;
VESTA) port=8083; protocol=TCP ;;
VESTA) port=$vestaport; protocol=TCP ;;
*) check_args '2' "$#" 'CHAIN PORT' ;;
esac

254
bin/v-add-letsencrypt-domain
View file

@ -1,13 +1,8 @@
#!/bin/bash
# info: adding letsencrypt ssl cetificate for domain
# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
# info: check letsencrypt domain
# options: USER DOMAIN [ALIASES]
#
# The function turns on SSL support for a domain. Parameter ssl_dir is a path
# to directory where 2 or 3 ssl files can be found. Certificate file
# domain.tld.crt and its key domain.tld.key are mandatory. Certificate
# authority domain.tld.ca file is optional. If home directory parameter
# (ssl_home) is not set, https domain uses public_shtml as separate
# documentroot directory.
# The function check and validates domain with Let's Encript
#----------------------------------------------------------#
@ -18,8 +13,9 @@
user=$1
domain=$2
aliases=$3
restart=$4
notify=$5
# LE API
API='https://acme-v02.api.letsencrypt.org'
# Includes
source $VESTA/func/main.sh
@ -27,30 +23,67 @@ source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
# Additional argument formatting
format_domain_idn
format_identifier_idn() {
identifier_idn=$identifier
if [[ "$identifier_idn" = *[![:ascii:]]* ]]; then
identifier_idn=$(idn -t --quiet -a $identifier_idn)
fi
}
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Let's Encrypt v2 curl function
query_le_v2() {
protected='{"nonce": "'$3'",'
protected=''$protected' "url": "'$1'",'
protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
content="Content-Type: application/jose+json"
payload_=$(echo -n "$2" |encode_base64)
protected_=$(echo -n "$protected" |encode_base64)
signature_=$(printf "%s" "$protected_.$payload_" |\
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
encode_base64)
post_data='{"protected":"'"$protected_"'",'
post_data=$post_data'"payload":"'"$payload_"'",'
post_data=$post_data'"signature":"'"$signature_"'"}'
curl -s -i -d "$post_data" "$1" -H "$content"
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
is_format_valid 'user' 'domain'
check_args '2' "$#" 'USER DOMAIN [ALIASES]'
is_format_valid 'user' 'domain' 'aliases'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_unsuspended 'web' 'DOMAIN' "$domain"
get_domain_values 'web'
# check if alias is the letsencrypt wildcard domain, if not, make the normal checks
if [[ "$aliases" != "*.$domain" ]]; then
for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
if [ -z "$check_alias" ]; then
check_result $E_NOTEXIST "domain alias $alias doesn't exist"
fi
done
fi;
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Parsing domain data
get_domain_values 'web'
# Registering LetsEncrypt user account
$BIN/v-add-letsencrypt-user $user
if [ "$?" -ne 0 ]; then
@ -62,53 +95,153 @@ fi
# Parsing LetsEncrypt account data
source $USER_DATA/ssl/le.conf
email=$EMAIL
# Validating domain and aliases
i=1
for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
$BIN/v-check-letsencrypt-domain $user $alias
if [ "$?" -ne 0 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice "LETSENCRYPT" "$alias validation failed"
check_result $E_INVALID "LE domain validation" >/dev/null
# Checking wildcard alias
if [ "$aliases" = "*.$domain" ]; then
wildcard='yes'
proto="dns-01"
if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
fi
else
proto="http-01"
fi
# Requesting nonce / STEP 1
answer=$(curl -s -I "$API/directory")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt nonce request status $status"
fi
# Placing new order / STEP 2
url="$API/acme/new-order"
payload='{"identifiers":['
for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
format_identifier_idn
payload=$payload'{"type":"dns","value":"'$identifier_idn'"},'
done
payload=$(echo "$payload"|sed "s/,$//")
payload=$payload']}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
if [[ "$status" -ne 201 ]]; then
check_result $E_CONNECT "Let's Encrypt new auth status $status"
fi
# Requesting authorization token / STEP 3
for auth in $authz; do
payload=''
answer=$(query_le_v2 "$auth" "$payload" "$nonce")
url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
fi
# Checking LE limits per account
if [ "$i" -gt 100 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
check_result $E_LIMIT "LE can't sign more than 100 domains"
# Accepting challenge / STEP 4
if [ "$wildcard" = 'yes' ]; then
record=$(printf "%s" "$token.$THUMB" |\
openssl dgst -sha256 -binary |encode_base64)
old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
for old_record in $old_records; do
$BIN/v-delete-dns-record $user $domain $old_record
done
$BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
check_result $? "DNS _acme-challenge record wasn't created"
else
if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
if [ ! -e "$conf" ]; then
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
> $conf
echo ' default_type text/plain;' >> $conf
echo ' return 200 "$1.'$THUMB'";' >> $conf
echo '}' >> $conf
fi
if [ ! -e "$sconf" ]; then
ln -s "$conf" "$sconf"
fi
$BIN/v-restart-proxy
check_result $? "Proxy restart failed" >/dev/null
else
well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
acme_challenge="$well_known/acme-challenge"
mkdir -p $acme_challenge
echo "$token.$THUMB" > $acme_challenge/$token
chown -R $user:$user $well_known
fi
$BIN/v-restart-web
check_result $? "Web restart failed" >/dev/null
fi
# Requesting ACME validation / STEP 5
validation_check=$(echo "$answer" |grep '"valid"')
if [[ ! -z "$validation_check" ]]; then
validation='valid'
else
validation='pending'
fi
# Doing pol check on status
i=1
while [ "$validation" = 'pending' ]; do
payload='{}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt validation status $status"
fi
i=$((i + 1))
if [ "$i" -gt 10 ]; then
check_result $E_CONNECT "Let's Encrypt domain validation timeout"
fi
sleep 1
done
if [ "$validation" = 'invalid' ]; then
check_result $E_CONNECT "Let's Encrypt domain verification failed"
fi
i=$((i++))
done
# Generating CSR
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
# Generating new ssl certificate
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
"San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
# Signing CSR
crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
if [ "$?" -ne 0 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice "LETSENCRYPT" "$alias validation failed"
check_result "$E_INVALID" "LE $domain validation"
# Sending CSR to finalize order / STEP 6
csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
payload='{"csr":"'$csr'"}'
answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
fi
echo "$crt" > $ssl_dir/$domain.crt
# Dowloading CA certificate
le_certs='https://letsencrypt.org/certs'
x1='lets-encrypt-x1-cross-signed.pem.txt'
x3='lets-encrypt-x3-cross-signed.pem.txt'
issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
if [ -z "$(echo $issuer|grep X3)" ]; then
curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
else
curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
fi
# Downloading signed certificate / STEP 7
curl -s "$certificate" -o $ssl_dir/$domain.pem
# Splitting up downloaded pem
crt_end=$(grep -n END $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
ca_end=$(grep -n "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
ca_end=$(( pem_lines - crt_end + 1 ))
tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
# Adding SSL
ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
@ -140,18 +273,13 @@ update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
# Vesta #
#----------------------------------------------------------#
# Restarting web
$BIN/v-restart-web $restart
if [ "$?" -ne 0 ]; then
send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
fi
# Deleteing task from queue
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
# Notifying user
send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
# Deleteing task from queue
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
# Logging
log_event "$OK" "$ARGUMENTS"

125
bin/v-add-letsencrypt-user
View file

@ -1,8 +1,8 @@
#!/bin/bash
# info: register letsencrypt user account
# options: USER [EMAIL]
# options: USER
#
# The function creates and register LetsEncript account key
# The function creates and register LetsEncript account
#----------------------------------------------------------#
@ -11,8 +11,9 @@
# Argument definition
user=$1
email=$2
key_size=4096
# LE API
API='https://acme-v02.api.letsencrypt.org'
# Includes
source $VESTA/func/main.sh
@ -23,15 +24,38 @@ encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Let's Encrypt v2 curl function
query_le_v2() {
protected='{"nonce": "'$3'",'
protected=''$protected' "url": "'$1'",'
protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
content="Content-Type: application/jose+json"
payload_=$(echo -n "$2" |encode_base64)
protected_=$(echo -n "$protected" |encode_base64)
signature_=$(printf "%s" "$protected_.$payload_" |\
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
encode_base64)
post_data='{"protected":"'"$protected_"'",'
post_data=$post_data'"payload":"'"$payload_"'",'
post_data=$post_data'"signature":"'"$signature_"'"}'
curl -s -i -d "$post_data" "$1" -H "$content"
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'USER [EMAIL]'
check_args '1' "$#" 'USER'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ -e "$USER_DATA/ssl/le.conf" ]; then
source "$USER_DATA/ssl/le.conf"
fi
if [ ! -z "$KID" ]; then
exit
fi
@ -40,57 +64,57 @@ fi
# Action #
#----------------------------------------------------------#
api='https://acme-v01.api.letsencrypt.org'
if [ -z "$email" ]; then
email=$(get_user_value '$CONTACT')
# Defining user email
if [[ -z "$EMAIL" ]]; then
EMAIL=$(get_user_value '$CONTACT')
fi
agreement=$(curl -s -I "$api/terms" |grep Location |cut -f 2 -d \ |tr -d '\r\n')
# Defining user agreement
agreement=''
# Generating key
key="$USER_DATA/ssl/user.key"
if [ ! -e "$key" ]; then
openssl genrsa -out $key $key_size >/dev/null 2>&1
chmod 600 $key
# Generating user key
KEY="$USER_DATA/ssl/user.key"
if [ ! -e "$KEY" ]; then
openssl genrsa -out $KEY 4096 >/dev/null 2>&1
chmod 600 $KEY
fi
# Defining key exponent
exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
xxd -r -p |encode_base64)
if [ -z "$EXPONENT" ]; then
EXPONENT=$(openssl pkey -inform pem -in "$KEY" -noout -text_pub |\
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
xxd -r -p |encode_base64)
fi
# Defining key modulus
modulus=$(openssl rsa -in "$key" -modulus -noout |\
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
if [ -z "$MODULUS" ]; then
MODULUS=$(openssl rsa -in "$KEY" -modulus -noout |\
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
fi
# Defining key thumb
thumb='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
thumb="$(echo -n "$thumb" |openssl dgst -sha256 -binary |encode_base64)"
# Defining JWK
jwk='{"e":"'$EXPONENT'","kty":"RSA","n":"'"$MODULUS"'"}'
# Defining JWK header
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
header='{"alg":"RS256","jwk":'"$header"'}'
# Defining key thumbnail
if [ -z "$THUMB" ]; then
THUMB="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
fi
# Requesting nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
# Defining registration query
query='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
query=$query'"agreement":"'$agreement'"}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Requesting ACME nonce
nonce=$(curl -s -I "$API/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
# Sending request to LetsEncrypt API
answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
# Creating ACME account
url="$API/acme/new-acct"
payload='{"termsOfServiceAgreed": true}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
# Checking answer status
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
# Checking http answer status
if [[ "$status" -ne "201" ]] && [[ "$status" -ne "409" ]]; then
check_result $E_CONNECT "LetsEncrypt account registration $status"
if [[ "${status:0:2}" -ne "20" ]]; then
check_result $E_CONNECT "Let's Encrypt acc registration failed $status"
fi
@ -99,12 +123,17 @@ fi
#----------------------------------------------------------#
# Adding le.conf
echo "EMAIL='$email'" > $USER_DATA/ssl/le.conf
echo "EXPONENT='$exponent'" >> $USER_DATA/ssl/le.conf
echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
chmod 660 $USER_DATA/ssl/le.conf
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
echo "EXPONENT='$EXPONENT'" > $USER_DATA/ssl/le.conf
echo "MODULUS='$MODULUS'" >> $USER_DATA/ssl/le.conf
echo "THUMB='$THUMB'" >> $USER_DATA/ssl/le.conf
echo "EMAIL='$EMAIL'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
chmod 660 $USER_DATA/ssl/le.conf
else
sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
# Logging
log_event "$OK" "$ARGUMENTS"

1
bin/v-add-mail-domain
View file

@ -45,6 +45,7 @@ is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_domain_new 'mail' "$domain"
is_package_full 'MAIL_DOMAINS'
is_dir_symlink $HOMEDIR/$user/mail
#----------------------------------------------------------#

106
bin/v-add-sys-mail-ssl Executable file
View file

@ -0,0 +1,106 @@
#!/bin/bash
# info: copy mail ssl certificate
# options: USER DOMAIN [RESTART]
#
# The function copies user domain SSL to mail SSL directory
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
restart=$3
# Includes
source $VESTA/func/main.sh
source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [RESTART]'
is_format_valid 'user' 'domain'
is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining certificate location
dom_crt="/home/$user/conf/web/ssl.$domain.pem"
dom_key="/home/$user/conf/web/ssl.$domain.key"
vst_crt="$VESTA/ssl/mail.crt"
vst_key="$VESTA/ssl/mail.key"
# Checking certificate
if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
check_result $E_NOTEXIST "$domain certificate doesn't exist"
fi
# Checking difference
diff $dom_crt $vst_crt >/dev/null 2>&1
if [ $? -ne 0 ]; then
rm -f $vst_crt.old $vst_key.old
mv $vst_crt $vst_crt.old >/dev/null 2>&1
mv $vst_key $vst_key.old >/dev/null 2>&1
cp $dom_crt $vst_crt 2>/dev/null
cp $dom_key $vst_key 2>/dev/null
chown root:mail $vst_crt $vst_key
else
restart=no
fi
# Updating mail certificate
case $MAIL_SYSTEM in
exim) conf='/etc/exim/exim.conf';;
exim4) conf='/etc/exim4/exim4.conf.template';;
esac
if [ -e "$conf" ]; then
sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
-e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
fi
# Updating imap certificate
conf="/etc/dovecot/conf.d/10-ssl.conf"
if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
-e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
fi
# Updating vesta.conf
if [ -z "$(grep MAIL_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
echo "MAIL_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
else
sed -i "s/MAIL_CERTIFICATE.*/MAIL_CERTIFICATE='$user:$domain'/g" \
$VESTA/conf/vesta.conf
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

97
bin/v-add-sys-vesta-ssl Executable file
View file

@ -0,0 +1,97 @@
#!/bin/bash
# info: add vesta ssl certificate
# options: USER DOMAIN [RESTART]
#
# The function copies user domain SSL to vesta SSL directory
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
restart=$3
# Includes
source $VESTA/func/main.sh
source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [RESTART]'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining certificate location
dom_crt="/home/$user/conf/web/ssl.$domain.pem"
dom_key="/home/$user/conf/web/ssl.$domain.key"
vst_crt="$VESTA/ssl/certificate.crt"
vst_key="$VESTA/ssl/certificate.key"
# Checking certificate
if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
check_result $E_NOTEXIST "$domain certificate doesn't exist"
fi
# Checking difference
diff $dom_crt $vst_crt >/dev/null 2>&1
if [ $? -ne 0 ]; then
rm -f $vst_crt.old $vst_key.old
mv $vst_crt $vst_crt.old
mv $vst_key $vst_key.old
cp $dom_crt $vst_crt 2>/dev/null
cp $dom_key $vst_key 2>/dev/null
chown root:mail $vst_crt $vst_key
else
restart=no
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
if [ ! -z "$FTP_SYSTEM" ]; then
$BIN/v-restart-service "$FTP_SYSTEM"
fi
if [ -e "/var/run/vesta-nginx.pid" ]; then
kill -HUP $(cat /var/run/vesta-nginx.pid)
else
service vesta restart
fi
fi
# Updating vesta.conf
if [ -z "$(grep VESTA_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
echo "VESTA_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
else
sed -i "s/VESTA_CERTIFICATE.*/VESTA_CERTIFICATE='$user:$domain'/g" \
$VESTA/conf/vesta.conf
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

22
bin/v-add-user-package
View file

@ -30,37 +30,37 @@ is_package_new() {
is_package_consistent() {
source $pkg_dir/$package.pkg
if [ "$WEB_DOMAINS" != 'unlimited' ]; then
is_format_valid_int $WEB_DOMAINS 'WEB_DOMAINS'
is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS'
fi
if [ "$WEB_ALIASES" != 'unlimited' ]; then
is_format_valid_int $WEB_ALIASES 'WEB_ALIASES'
is_int_format_valid $WEB_ALIASES 'WEB_ALIASES'
fi
if [ "$DNS_DOMAINS" != 'unlimited' ]; then
is_format_valid_int $DNS_DOMAINS 'DNS_DOMAINS'
is_int_format_valid $DNS_DOMAINS 'DNS_DOMAINS'
fi
if [ "$DNS_RECORDS" != 'unlimited' ]; then
is_format_valid_int $DNS_RECORDS 'DNS_RECORDS'
is_int_format_valid $DNS_RECORDS 'DNS_RECORDS'
fi
if [ "$MAIL_DOMAINS" != 'unlimited' ]; then
is_format_valid_int $MAIL_DOMAINS 'MAIL_DOMAINS'
is_int_format_valid $MAIL_DOMAINS 'MAIL_DOMAINS'
fi
if [ "$MAIL_ACCOUNTS" != 'unlimited' ]; then
is_format_valid_int $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
is_int_format_valid $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
fi
if [ "$DATABASES" != 'unlimited' ]; then
is_format_valid_int $DATABASES 'DATABASES'
is_int_format_valid $DATABASES 'DATABASES'
fi
if [ "$CRON_JOBS" != 'unlimited' ]; then
is_format_valid_int $CRON_JOBS 'CRON_JOBS'
is_int_format_valid $CRON_JOBS 'CRON_JOBS'
fi
if [ "$DISK_QUOTA" != 'unlimited' ]; then
is_format_valid_int $DISK_QUOTA 'DISK_QUOTA'
is_int_format_valid $DISK_QUOTA 'DISK_QUOTA'
fi
if [ "$BANDWIDTH" != 'unlimited' ]; then
is_format_valid_int $BANDWIDTH 'BANDWIDTH'
is_int_format_valid $BANDWIDTH 'BANDWIDTH'
fi
if [ "$BACKUPS" != 'unlimited' ]; then
is_format_valid_int $BACKUPS 'BACKUPS'
is_int_format_valid $BACKUPS 'BACKUPS'
fi
is_format_valid_shell $SHELL
}

10
bin/v-add-web-domain
View file

@ -47,6 +47,7 @@ is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_package_full 'WEB_DOMAINS' 'WEB_ALIASES'
is_domain_new 'web' "$domain,$aliases"
is_dir_symlink $HOMEDIR/$user/web
if [ ! -z "$ip" ]; then
is_ip_valid "$ip" "$user"
else
@ -90,7 +91,7 @@ chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* $conf
chmod 640 /var/log/$WEB_SYSTEM/domains/$domain.*
chmod 751 $HOMEDIR/$user/web/$domain $HOMEDIR/$user/web/$domain/*
chmod 551 $HOMEDIR/$user/web/$domain/stats $HOMEDIR/$user/web/$domain/logs
chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*
chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*.*
# Addding PHP-FPM backend
if [ ! -z "$WEB_BACKEND" ]; then
@ -112,9 +113,12 @@ if [ "$aliases" = 'none' ]; then
ALIAS=''
else
ALIAS="www.$domain"
if [ ! -z "$aliases" ]; then
ALIAS="$ALIAS,$aliases"
if [ -z "$aliases" ]; then
ALIAS="www.$domain"
else
ALIAS="$aliases"
fi
ip_alias=$(get_ip_alias $domain)
if [ ! -z "$ip_alias" ]; then
ALIAS="$ALIAS,$ip_alias"

20
bin/v-add-web-domain-ssl
View file

@ -120,6 +120,22 @@ check_result $? "Web restart failed" >/dev/null
$BIN/v-restart-proxy $restart
check_result $? "Proxy restart failed" >/dev/null
# Updating system ssl dependencies
if [ ! -z "$VESTA_CERTIFICATE" ]; then
crt_user=$(echo "$VESTA_CERTIFICATE" |cut -f 1 -d :)
crt_domain=$(echo "$VESTA_CERTIFICATE" |cut -f 2 -d :)
if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
$BIN/v-add-sys-vesta-ssl $user $domain >/dev/null 2>&1
fi
fi
if [ ! -z "$MAIL_CERTIFICATE" ]; then
crt_user=$(echo "$MAIL_CERTIFICATE" |cut -f 1 -d :)
crt_domain=$(echo "$MAIL_CERTIFICATE" |cut -f 2 -d :)
if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
$BIN/v-add-sys-mail-ssl $user $domain >/dev/null 2>&1
fi
fi
if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
hostname=$(hostname)
if [ "$hostname" = "$domain" ]; then
@ -127,6 +143,10 @@ if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
fi
fi
if [ ! -z "$UPDATE_SSL_SCRIPT" ]; then
eval "$UPDATE_SSL_SCRIPT $user $domain"
fi
# Logging
log_history "enabled ssl support for $domain"
log_event "$OK" "$ARGUMENTS"

55
bin/v-backup-user
View file

@ -68,8 +68,12 @@ while [ "$la" -ge "$BACKUP_LA_LIMIT" ]; do
(( ++i))
done
if [ -z "$BACKUP_TEMP" ]; then
BACKUP_TEMP=$BACKUP
fi
# Creating temporary directory
tmpdir=$(mktemp -p /tmp -d)
tmpdir=$(mktemp -p $BACKUP_TEMP -d)
if [ "$?" -ne 0 ]; then
echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
@ -212,24 +216,32 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
cp $USER_DATA/ssl/$domain.* vesta/
fi
# Changin dir to documentroot
cd $HOMEDIR/$user/web/$domain
# Define exclude arguments
exlusion=$(echo -e "$WEB" |tr ',' '\n' |grep "^$domain:")
set -f
fargs=()
fargs+=(--exclude='logs/*')
fargs+=(--exclude='./logs/*')
if [ ! -z "$exlusion" ]; then
xdirs="$(echo -e "$exlusion" |tr ':' '\n' |grep -v $domain)"
for xpath in $xdirs; do
fargs+=(--exclude=$xpath/*)
echo "$(date "+%F %T") excluding directory $xpath"
msg="$msg\n$(date "+%F %T") excluding directory $xpath"
if [ -d "$xpath" ]; then
fargs+=(--exclude=$xpath/*)
echo "$(date "+%F %T") excluding directory $xpath"
msg="$msg\n$(date "+%F %T") excluding directory $xpath"
else
echo "$(date "+%F %T") excluding file $xpath"
msg="$msg\n$(date "+%F %T") excluding file $xpath"
fargs+=(--exclude=$xpath)
fi
done
fi
set +f
# Backup files
cd $HOMEDIR/$user/web/$domain
tar -cpf- * ${fargs[@]} |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
tar --anchored -cpf- ${fargs[@]} * |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
done
# Print total
@ -388,14 +400,17 @@ if [ ! -z "$DB_SYSTEM" ] && [ "$DB" != '*' ]; then
grep "DB='$database'" $conf > vesta/db.conf
dump="$tmpdir/db/$database/$database.$TYPE.sql"
dumpgz="$tmpdir/db/$database/$database.$TYPE.sql.gz"
grants="$tmpdir/db/$database/conf/$database.$TYPE.$DBUSER"
case $TYPE in
mysql) dump_mysql_database ;;
pgsql) dump_pgsql_database ;;
esac
if [ ! -f "$dumpgz" ]; then
case $TYPE in
mysql) dump_mysql_database ;;
pgsql) dump_pgsql_database ;;
esac
# Compress dump
gzip -$BACKUP_GZIP $dump
# Compress dump
gzip -$BACKUP_GZIP $dump
fi
done
# Print total
@ -445,11 +460,15 @@ if [ "$USER" != '*' ]; then
fi
fargs=()
for xpath in $(echo "$USER" |tr ',' '\n'); do
fargs+=(-not)
fargs+=(-path)
fargs+=("./$xpath*")
echo "$(date "+%F %T") excluding directory $xpath" |\
if [ -d "$xpath" ]; then
fargs+=(--exclude=$xpath/*)
echo "$(date "+%F %T") excluding directory $xpath" |\
tee -a $BACKUP/$user.log
else
echo "$(date "+%F %T") excluding file $xpath" |\
tee -a $BACKUP/$user.log
fargs+=(--exclude=$xpath)
fi
done
IFS=$'\n'
@ -464,7 +483,7 @@ if [ "$USER" != '*' ]; then
echo -e "$(date "+%F %T") adding $udir" |tee -a $BACKUP/$user.log
# Backup files and dirs
tar -cpf- $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
tar --anchored -cpf- ${fargs[@]} $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
fi
done
set +f

3
bin/v-backup-users
View file

@ -28,6 +28,9 @@ if [ -z "$BACKUP_SYSTEM" ]; then
exit
fi
for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
continue;
fi
check_suspend=$(grep "SUSPENDED='no'" $VESTA/data/users/$user/user.conf)
log=$VESTA/log/backup.log
if [ ! -z "$check_suspend" ]; then

86
bin/v-change-sys-ip-nat
View file

@ -34,48 +34,72 @@ is_ip_valid "$ip"
# Action #
#----------------------------------------------------------#
# Changing nat ip
# Updating IP
if [ -z "$(grep NAT= $VESTA/data/ips/$ip)" ]; then
sed -i "s/^TIME/NAT='$nat_ip'\nTIME/g" $VESTA/data/ips/$ip
old=''
new=$nat_ip
else
update_ip_value '$NAT' "$nat_ip"
fi
# Check ftp system
if [ "$FTP_SYSTEM" = 'vsftpd' ]; then
# Find configuration
if [ -e '/etc/vsftpd/vsftpd.conf' ]; then
conf='/etc/vsftpd/vsftpd.conf'
fi
if [ -e '/etc/vsftpd.conf' ]; then
conf='/etc/vsftpd.conf'
fi
# Update config
if [ -z "$(grep pasv_address $conf)" ]; then
if [ ! -z "$nat_ip" ]; then
echo "pasv_address=$nat_ip" >> $conf
fi
else
if [ ! -z "$nat_ip" ]; then
sed -i "s/pasv_address=.*/pasv_address='$nat_ip'/g" $conf
else
sed -i "/pasv_address/d" $conf
fi
old=$(get_ip_value '$NAT')
new=$nat_ip
sed -i "s/NAT=.*/NAT='$new'/" $VESTA/data/ips/$ip
if [ -z "$nat_ip" ]; then
new=$ip
fi
fi
# Updating WEB configs
if [ ! -z "$old" ] && [ ! -z "$WEB_SYSTEM" ]; then
sed -i "s/$old/$new/" $VESTA/data/users/*/web.conf
for user in $(ls $VESTA/data/users/); do
$BIN/v-rebuild-web-domains $user no
done
$BIN/v-restart-dns $restart
fi
# Updating DNS configs
if [ ! -z "$old" ] && [ ! -z "$DNS_SYSTEM" ]; then
sed -i "s/$old/$new/" $VESTA/data/users/*/dns.conf
sed -i "s/$old/$new/" $VESTA/data/users/*/dns/*.conf
for user in $(ls $VESTA/data/users/); do
$BIN/v-rebuild-dns-domains $user no
done
$BIN/v-restart-dns $restart
fi
# Updating FTP
if [ ! -z "$old" ] && [ ! -z "$FTP_SYSTEM" ]; then
conf=$(find /etc -name $FTP_SYSTEM.conf)
if [ -e "$conf" ]; then
sed -i "s/$old/$new/g" $conf
if [ "$FTP_SYSTEM" = 'vsftpd' ]; then
check_pasv=$(grep pasv_address $conf)
if [ -z "$check_pasv" ] && [ ! -z "$nat_ip" ]; then
echo "pasv_address=$nat_ip" >> $conf
fi
if [ ! -z "$check_pasv" ] && [ -z "$nat_ip" ]; then
sed -i "/pasv_address/d" $conf
fi
if [ ! -z "$check_pasv" ] && [ ! -z "$nat_ip" ]; then
sed -i "s/pasv_address=.*/pasv_address='$nat_ip'/g" $conf
fi
fi
fi
$BIN/v-restart-ftp $restart
fi
# Updating firewall
if [ ! -z "$old" ] && [ ! -z "$FIREWALL_SYSTEM" ]; then
sed -i "s/$old/$new/g" $VESTA/data/firewall/*.conf
$BIN/v-update-firewall
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restart ftp server
$BIN/v-restart-ftp $restart
check_result $? "FTP restart failed" >/dev/null
# Logging
log_history "changed associated nat address on $ip to $nat_ip" '' 'admin'
log_event "$OK" "$ARGUMENTS"

12
bin/v-change-sys-service-config
View file

@ -95,13 +95,21 @@ if [ "$update" = 'yes' ] && [ "$restart" != 'no' ]; then
if [ "$service" = 'php' ]; then
if [ "$WEB_SYSTEM" = "nginx" ]; then
service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d / |sed -n 1p)
if [ $(ps --no-headers -o comm 1) == systemd ]; then
service=$(systemctl | grep -o -E "php.*fpm.*\.service")
service=${service//.service/}
else
service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d /)
fi
else
service=$WEB_SYSTEM
fi
fi
service $service restart >/dev/null 2>&1
for single_service in $service; do
service $single_service restart >/dev/null 2>&1
done <<< "$service"
if [ $? -ne 0 ]; then
for config in $dst; do
cat $config.vst.back > $config

2
bin/v-change-web-domain-ip
View file

@ -49,7 +49,7 @@ is_ip_valid "$ip" "$user"
# Preparing variables for vhost replace
get_domain_values 'web'
old=$(get_real_ip $IP)
new=$ip
new=$(get_real_ip $ip)
# Replacing vhost
replace_web_config "$WEB_SYSTEM" "$TPL.tpl"

162
bin/v-check-letsencrypt-domain
View file

@ -1,162 +0,0 @@
#!/bin/bash
# info: check letsencrypt domain
# options: USER DOMAIN
#
# The function check and validates domain with LetsEncript
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Additional argument formatting
format_domain_idn
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
fi
rdomain=$(egrep "'$domain'|'$domain,|,$domain,|,$domain'" $USER_DATA/web.conf)
if [ -z "$rdomain" ]; then
check_result $E_NOTEXIST "domain $domain doesn't exist"
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
source $USER_DATA/ssl/le.conf
api='https://acme-v01.api.letsencrypt.org'
r_domain=$(echo "$rdomain" |cut -f 2 -d \')
key="$USER_DATA/ssl/user.key"
exponent="$EXPONENT"
modulus="$MODULUS"
thumb="$THUMB"
# Defining JWK header
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
header='{"alg":"RS256","jwk":'"$header"'}'
# Requesting nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
# Defining ACME query (request challenge)
query='{"resource":"new-authz","identifier"'
query=$query':{"type":"dns","value":"'"$domain_idn"'"}}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(curl -s -i -d "$data" "$api/acme/new-authz")
# Checking http answer status
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
if [[ "$status" -ne "201" ]]; then
check_result $E_CONNECT "LetsEncrypt challenge request $status"
fi
# Parsing domain nonce,token and uri
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
token=$(echo "$answer" |grep -A 3 http-01 |grep token |cut -f 4 -d \")
uri=$(echo "$answer" |grep -A 3 http-01 |grep uri |cut -f 4 -d \")
# Adding location wrapper for request challenge
if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
conf="$HOMEDIR/$user/conf/web/nginx.$r_domain.conf_letsencrypt"
sconf="$HOMEDIR/$user/conf/web/snginx.$r_domain.conf_letsencrypt"
if [ ! -e "$conf" ]; then
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' > $conf
echo ' default_type text/plain;' >> $conf
echo ' return 200 "$1.'$thumb'";' >> $conf
echo '}' >> $conf
fi
if [ ! -e "$sconf" ]; then
ln -s "$conf" "$sconf"
fi
else
acme="$HOMEDIR/$user/web/$r_domain/public_html/.well-known/acme-challenge"
if [ ! -d "$acme" ]; then
mkdir -p $acme
fi
echo "$token.$thumb" > $acme/$token
chown -R $user:$user $HOMEDIR/$user/web/$r_domain/public_html/.well-known
fi
# Restarting web server
if [ -z "$PROXY_SYSTEM" ]; then
$BIN/v-restart-web
check_result $? "Proxy restart failed" >/dev/null
else
$BIN/v-restart-proxy
$BIN/v-restart-web
check_result $? "Web restart failed" >/dev/null
fi
# Defining ACME query (request validation)
query='{"resource":"challenge","type":"http-01","keyAuthorization"'
query=$query':"'$token.$thumb'","token":"'$token'"}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(curl -s -i -d "$data" "$uri")
# Checking domain validation status
i=1
status=$(echo $answer |tr ',' '\n' |grep status |cut -f 4 -d \")
location=$(echo "$answer" |grep Location: |awk '{print $2}' |tr -d '\r\n')
while [ "$status" = 'pending' ]; do
answer=$(curl -s -i "$location")
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
status=$(echo "$answer" |tr ',' '\n' |grep status |cut -f 4 -d \")
sleep 1
i=$((i + 1))
if [ "$i" -gt 60 ]; then
check_result $E_CONNECT "$detail"
fi
done
if [ "$status" = 'invalid' ]; then
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
check_result $E_CONNECT "$detail"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

6
bin/v-check-user-hash
View file

@ -75,15 +75,15 @@ else
method='des'
fi
# Checking salt
if [ -z "$salt" ]; then
echo "Error: password missmatch"
echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
exit 9
fi
# Checking hash
result=$(grep "^$user:$hash:" /etc/shadow 2>/dev/null)
if [[ -z "$result" ]]; then
# Comparing hashes
if [[ "$shadow" != "$hash" ]]; then
echo "Error: password missmatch"
echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
exit 9

75
bin/v-delete-sys-mail-ssl Executable file
View file

@ -0,0 +1,75 @@
#!/bin/bash
# info: delete sys vesta user ssl certificate
# options: NONE
#
# The script disables user domain ssl synchronization
#----------------------------------------------------------#
# Variable & Function #
#----------------------------------------------------------#
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
vst_crt="$VESTA/ssl/certificate.crt"
vst_key="$VESTA/ssl/certificate.key"
# Updating mail certificate
case $MAIL_SYSTEM in
exim) conf='/etc/exim/exim.conf';;
exim4) conf='/etc/exim4/exim4.conf.template';;
esac
if [ -e "$conf" ]; then
sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
-e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
fi
# Updating imap certificate
conf="/etc/dovecot/conf.d/10-ssl.conf"
if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
-e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
fi
# Moving old certificates
if [ -e "$VESTA/ssl/mail.crt" ]; then
mv -f $VESTA/ssl/mail.crt $VESTA/ssl/mail.crt.old
fi
if [ -e "VESTA/ssl/mail.key" ]; then
mv $VESTA/ssl/mail.key VESTA/ssl/mail.key.old
fi
# Updating vesta.conf value
sed -i "/MAIL_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

37
bin/v-delete-sys-vesta-ssl Executable file
View file

@ -0,0 +1,37 @@
#!/bin/bash
# info: delete sys vesta user ssl certificate
# options: NONE
#
# The script disables user domain ssl synchronization
#----------------------------------------------------------#
# Variable & Function #
#----------------------------------------------------------#
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Updating vesta.conf value
sed -i "/VESTA_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

10
bin/v-list-letsencrypt-user
View file

@ -23,7 +23,8 @@ json_list() {
"EMAIL": "'$EMAIL'",
"EXPONENT": "'$EXPONENT'",
"MODULUS": "'$MODULUS'",
"THUMB: "'$THUMB'"
"THUMB": "'$THUMB'",
"KID": "'$KID'"
}'
echo '}'
}
@ -35,17 +36,18 @@ shell_list() {
echo "THUMB: $THUMB"
echo "EXPONENT: $EXPONENT"
echo "MODULUS: $MODULUS"
echo "KID: $KID"
}
# PLAIN list function
plain_list() {
echo -e "$user\t$EMAIL\t$EXPONENT\t$MODULUS\t$THUMB"
echo -e "$user\t$EMAIL\t$EXPONENT\t$MODULUS\t$THUMB\t$KID"
}
# CSV list function
csv_list() {
echo "USER,EMAIL,EXPONENT,MODULUS,THUMB"
echo "$user,$EMAIL,$EXPONENT,$MODULUS,$THUMB"
echo "USER,EMAIL,EXPONENT,MODULUS,THUMB,KID"
echo "$user,$EMAIL,$EXPONENT,$MODULUS,$THUMB,$KID"
}

2
bin/v-list-mail-domain-dkim-dns
View file

@ -67,7 +67,7 @@ is_object_valid 'mail' 'DOMAIN' "$domain"
# Parsing domain keys
if [ -e "$USER_DATA/mail/$domain.pub" ]; then
pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----")
pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----" |tr -d "\n\r")
pub=$(echo "$pub" |sed ':a;N;$!ba;s/\n/\\n/g')
else
pub="DKIM-SUPPORT-IS-NOT-ACTIVATED"

19
bin/v-list-sys-config
View file

@ -51,7 +51,9 @@ json_list() {
"MAIL_URL": "'$MAIL_URL'",
"DB_PMA_URL": "'$DB_PMA_URL'",
"DB_PGA_URL": "'$DB_PGA_URL'",
"SOFTACULOUS": "'$SOFTACULOUS'"
"SOFTACULOUS": "'$SOFTACULOUS'",
"MAIL_CERTIFICATE": "'$MAIL_CERTIFICATE'",
"VESTA_CERTIFICATE": "'$VESTA_CERTIFICATE'"
}
}'
}
@ -138,6 +140,12 @@ shell_list() {
if [ ! -z "$LANGUAGE" ] && [ "$LANGUAGE" != 'en' ]; then
echo "Language: $LANGUAGE"
fi
if [ ! -z "$MAIL_CERTIFICATE" ]; then
echo "Mail SSL: $MAIL_CERTIFICATE"
fi
if [ ! -z "$VESTA_CERTIFICATE" ]; then
echo "Vesta SSL: $VESTA_CERTIFICATE"
fi
echo "Version: $VERSION"
}
@ -151,7 +159,8 @@ plain_list() {
echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t"
echo -ne "$FIREWALL_EXTENSION\t$FILEMANAGER_KEY\t$SFTPJAIL_KEY\t"
echo -ne "$REPOSITORY\t$VERSION\t$LANGUAGE\t$BACKUP_GZIP\t$BACKUP\t"
echo -e "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL"
echo -ne "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL\t$MAIL_CERTIFICATE\t"
echo -e "$VESTA_CERTIFICATE"
}
@ -165,7 +174,8 @@ csv_list() {
echo -n "'CRON_SYSTEM','DISK_QUOTA','FIREWALL_SYSTEM',"
echo -n "'FIREWALL_EXTENSION','FILEMANAGER_KEY','SFTPJAIL_KEY',"
echo -n "'REPOSITORY','VERSION','LANGUAGE','BACKUP_GZIP','BACKUP',"
echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL'"
echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL', 'SOFTACULOUS',"
echo -n "'MAIL_CERTIFICATE','VESTA_CERTIFICATE'"
echo
echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
@ -176,6 +186,7 @@ csv_list() {
echo -n "'$FIREWALL_EXTENSION','$FILEMANAGER_KEY','$SFTPJAIL_KEY',"
echo -n "'$REPOSITORY','$VERSION','$LANGUAGE','$BACKUP_GZIP','$BACKUP',"
echo -n "'$MAIL_URL','$DB_PMA_URL','$DB_PGA_URL', '$SOFTACULOUS'"
echo -n "'$MAIL_CERTIFICATE','$VESTA_CERTIFICATE'"
echo
}
@ -187,7 +198,7 @@ csv_list() {
# Listing data
case $format in
json) json_list ;;
plain) shell_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list ;;
esac

135
bin/v-list-sys-mail-ssl Executable file
View file

@ -0,0 +1,135 @@
#!/bin/bash
# info: list mail ssl certificate
# options: [FORMAT]
#
# The function of obtaining mail ssl files.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
# JSON list function
json_list() {
echo '{'
echo -e "\t\"MAIL\": {"
echo " \"CRT\": \"$crt\","
echo " \"KEY\": \"$key\","
echo " \"CA\": \"$ca\","
echo " \"SUBJECT\": \"$subj\","
echo " \"ALIASES\": \"$alt_dns\","
echo " \"NOT_BEFORE\": \"$before\","
echo " \"NOT_AFTER\": \"$after\","
echo " \"SIGNATURE\": \"$signature\","
echo " \"PUB_KEY\": \"$pub_key\","
echo " \"ISSUER\": \"$issuer\""
echo -e "\t}\n}"
}
# SHELL list function
shell_list() {
if [ ! -z "$crt" ]; then
echo -e "$crt"
fi
if [ ! -z "$key" ]; then
echo -e "\n$key"
fi
if [ ! -z "$crt" ]; then
echo
echo
echo "SUBJECT: $subj"
if [ ! -z "$alt_dns" ]; then
echo "ALIASES: ${alt_dns//,/ }"
fi
echo "VALID FROM: $before"
echo "VALID TIL: $after"
echo "SIGNATURE: $signature"
echo "PUB_KEY: $pub_key"
echo "ISSUER: $issuer"
fi
}
# PLAIN list function
plain_list() {
if [ ! -z "$crt" ]; then
echo -e "$crt"
fi
if [ ! -z "$key" ]; then
echo -e "\n$key"
fi
if [ ! -z "$ca" ]; then
echo -e "\n$ca"
fi
if [ ! -z "$crt" ]; then
echo "$subj"
echo "${alt_dns//,/ }"
echo "$before"
echo "$after"
echo "$signature"
echo "$pub_key"
echo "$issuer"
fi
}
# CSV list function
csv_list() {
echo -n "CRT,KEY,CA,SUBJECT,ALIASES,NOT_BEFORE,NOT_AFTER,SIGNATURE,"
echo "PUB_KEY,ISSUER"
echo -n "\"$crt\",\"$key\",\"$ca\",\"$subj\",\"${alt_dns//,/ }\","
echo "\"$before\",\"$after\",\"$signature\",\"$pub_key\",\"$issuer\""
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Parsing SSL certificate
if [ ! -e "$VESTA/ssl/mail.crt" ] || [ ! -e "$VESTA/ssl/mail.key" ]; then
exit
fi
crt=$(cat $VESTA/ssl/mail.crt |sed ':a;N;$!ba;s/\n/\\n/g')
key=$(cat $VESTA/ssl/mail.key |sed ':a;N;$!ba;s/\n/\\n/g')
# Parsing SSL certificate details without CA
info=$(openssl x509 -text -in $VESTA/ssl/mail.crt)
subj=$(echo "$info" |grep Subject: |cut -f 2 -d =)
before=$(echo "$info" |grep Before: |sed -e "s/.*Before: //")
after=$(echo "$info" |grep "After :" |sed -e "s/.*After : //")
signature=$(echo "$info" |grep "Algorithm:" |head -n1 )
signature=$(echo "$signature"| sed -e "s/.*Algorithm: //")
pub_key=$(echo "$info" |grep Public-Key: |cut -f2 -d \( | tr -d \))
issuer=$(echo "$info" |grep Issuer: |sed -e "s/.*Issuer: //")
alt_dns=$(echo "$info" |grep DNS |sed -e 's/DNS:/\n/g' |tr -d ',')
alt_dns=$(echo "$alt_dns" |tr -d ' ' |sed -e "/^$/d")
alt_dns=$(echo "$alt_dns" |sed -e ':a;N;$!ba;s/\n/,/g')
# Listing data
case $format in
json) json_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list ;;
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

23
bin/v-list-user-log
View file

@ -23,7 +23,10 @@ json_list() {
objects=$(echo "$logs" |wc -l)
echo "{"
for str in $logs; do
eval $str
ID=$(echo "$str" |cut -f 2 -d \')
DATE=$(echo "$str" |cut -f 4 -d \')
TIME=$(echo "$str" |cut -f 6 -d \')
CMD=$(echo "$str" |cut -f 8 -d \')
CMD=${CMD//\"/\\\"}
echo -n ' "'$ID'": {
"CMD": "'$CMD'",
@ -46,13 +49,9 @@ shell_list() {
echo "DATE~TIME~CMD"
echo "----~----~---"
for str in $logs; do
eval $str
if [ -z "$DATE" ]; then
DATE='no'
fi
if [ -z "$TIME" ]; then
TIME='no'
fi
DATE=$(echo "$str" |cut -f 4 -d \')
TIME=$(echo "$str" |cut -f 6 -d \')
CMD=$(echo "$str" |cut -f 8 -d \')
echo "$DATE~$TIME~$CMD"
done
}
@ -61,7 +60,9 @@ shell_list() {
plain_list() {
IFS=$'\n'
for str in $logs; do
eval $str
DATE=$(echo "$str" |cut -f 4 -d \')
TIME=$(echo "$str" |cut -f 6 -d \')
CMD=$(echo "$str" |cut -f 8 -d \')
echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"
done
}
@ -71,7 +72,9 @@ csv_list() {
IFS=$'\n'
echo "ID,CMD,UNDO,TIME,DATE"
for str in $logs; do
eval $str
DATE=$(echo "$str" |cut -f 4 -d \')
TIME=$(echo "$str" |cut -f 6 -d \')
CMD=$(echo "$str" |cut -f 8 -d \')
echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE"
done
}

25
bin/v-list-users
View file

@ -15,9 +15,14 @@ format=${1-shell}
# JSON list function
json_list() {
echo '{'
object_count=$(grep '@' /etc/passwd |wc -l)
i=1
while read USER; do
if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
continue;
fi
if [ $i -gt 1 ]; then
echo ","
fi
source $VESTA/data/users/$USER/user.conf
echo -n ' "'$USER'": {
"FNAME": "'$FNAME'",
@ -74,14 +79,8 @@ json_list() {
"TIME": "'$TIME'",
"DATE": "'$DATE'"
}'
if [ "$i" -lt "$object_count" ]; then
echo ','
else
echo
fi
((i++))
done < <(grep '@' /etc/passwd |cut -f1 -d:)
echo '}'
}
@ -90,6 +89,9 @@ shell_list() {
echo "USER PKG WEB DNS MAIL DB DISK BW SPND DATE"
echo "---- --- --- --- --- -- ---- -- ---- ----"
while read USER; do
if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
continue;
fi
source $VESTA/data/users/$USER/user.conf
echo -n "$USER $PACKAGE $U_WEB_DOMAINS $U_DNS_DOMAINS $U_MAIL_DOMAINS"
echo " $U_DATABASES $U_DISK $U_BANDWIDTH $SUSPENDED $DATE"
@ -99,6 +101,9 @@ shell_list() {
# PLAIN list function
plain_list() {
while read USER; do
if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
continue;
fi
source $VESTA/data/users/$USER/user.conf
echo -ne "$USER\t$FNAME\t$LNAME\t$PACKAGE\t$WEB_TEMPLATE\t"
echo -ne "$BACKEND_TEMPLATE\t$PROXY_TEMPLATE\t$DNS_TEMPLATE\t"
@ -131,6 +136,9 @@ csv_list() {
echo -n "U_MAIL_DOMAINS,U_MAIL_DKIM,U_MAIL_ACCOUNTS,U_DATABASES"
echo "U_CRON_JOBS,U_BACKUPS,LANGUAGE,TIME,DATE"
while read USER; do
if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
continue;
fi
source $VESTA/data/users/$USER/user.conf
echo -n "$USER,\"$FNAME\",\"$LNAME\",$PACKAGE,$WEB_TEMPLATE,"
echo -n "$BACKEND_TEMPLATE,$PROXY_TEMPLATE,$DNS_TEMPLATE,"
@ -151,6 +159,9 @@ csv_list() {
# Raw list function
raw_list() {
while read USER; do
if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
continue;
fi
echo $VESTA/data/users/$USER/user.conf
cat $VESTA/data/users/$USER/user.conf
done < <(grep '@' /etc/passwd |cut -f1 -d:)

1
bin/v-list-web-domain-ssl
View file

@ -19,6 +19,7 @@ source $VESTA/func/main.sh
# JSON list function
json_list() {
issuer=$(echo "$issuer" |sed -e 's/"/\\"/g' -e "s/%quote%/'/g")
echo '{'
echo -e "\t\"$domain\": {"
echo " \"CRT\": \"$crt\","

5
bin/v-open-fs-config
View file

@ -35,6 +35,11 @@ if [ ! -z "$src_file" ]; then
echo "Error: invalid source path $src_file"
exit 2
fi
spath=$(echo "$rpath" |egrep "/etc|/var/lib")
if [ -z "$spath" ]; then
echo "Error: invalid source path $src_file"
exit 2
fi
fi
# Reading conf

4
bin/v-rebuild-web-domains
View file

@ -37,7 +37,7 @@ is_object_unsuspended 'user' 'USER' "$user"
#----------------------------------------------------------#
# Deleting old web configs
sed -i "/.*\/$user\//d" /etc/$WEB_SYSTEM/conf.d/vesta.conf
sed -i "/.*\/$user\/conf\/web\//d" /etc/$WEB_SYSTEM/conf.d/vesta.conf
if [ -e "$HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf" ]; then
rm $HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf
fi
@ -47,7 +47,7 @@ fi
# Deleting old proxy configs
if [ ! -z "$PROXY_SYSTEM" ]; then
sed -i "/.*\/$user\//d" /etc/$PROXY_SYSTEM/conf.d/vesta.conf
sed -i "/.*\/$user\/conf\/web\//d" /etc/$PROXY_SYSTEM/conf.d/vesta.conf
if [ -e "$HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf" ]; then
rm $HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf

6
bin/v-restore-user
View file

@ -229,8 +229,12 @@ while [ "$la" -ge "$BACKUP_LA_LIMIT" ]; do
(( ++i))
done
if [ -z "$BACKUP_TEMP" ]; then
BACKUP_TEMP=$BACKUP
fi
# Creating temporary directory
tmpdir=$(mktemp -p /tmp -d)
tmpdir=$(mktemp -p $BACKUP_TEMP -d)
if [ "$?" -ne 0 ]; then
echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
sed -i "/ $user /d" $VESTA/data/queue/backup.pipe

93
bin/v-search-ssl-certificates Executable file
View file

@ -0,0 +1,93 @@
#!/bin/bash
# info: search ssl certificates
# options: [FORMAT]
#
# The function to obtain the list of available ssl certificates.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
# JSON list function
json_list() {
IFS=$'\n'
objects=$(echo "$search_cmd" |wc -l)
i=1
echo '['
for str in $search_cmd; do
eval $str
if [ "$i" -lt "$objects" ]; then
echo -e "\t\"$USER:$DOMAIN\","
else
echo -e "\t\"$USER:$DOMAIN\""
fi
(( ++i))
done
echo "]"
}
# SHELL list function
shell_list() {
IFS=$'\n'
echo "USER DOMAIN"
echo "---- ------"
for str in $search_cmd; do
eval $str
echo "$USER $DOMAIN"
done
}
# PLAIN list function
plain_list() {
IFS=$'\n'
for str in $search_cmd; do
eval $str
echo -e "$USER\t$DOMAIN"
done
}
# CSV list function
csv_list() {
IFS=$'\n'
echo "USER,DOMAIN"
for str in $search_cmd; do
eval $str
echo "$USER,$DOMAIN"
done
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
search_cmd=$(grep -H "SSL='yes'" $VESTA/data/users/*/web.conf |\
cut -f 1 -d ' ' |\
sed -e "s|$VESTA/data/users/|USER='|" -e "s|/web.conf:|' |")
# Listing data
case $format in
json) json_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list |column -t ;;
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

110
bin/v-sign-letsencrypt-csr
View file

@ -1,110 +0,0 @@
#!/bin/bash
# info: sing letsencrypt csr
# options: USER DOMAIN CSR_DIR [FORMAT]
#
# The function signs certificate request using LetsEncript API
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
csr="$3/$domain.csr"
format=$4
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '3' "$#" 'USER DOMAIN CSR'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
fi
check_domain=$(grep -w "$domain'" $USER_DATA/web.conf)
if [ -z "$check_domain" ]; then
check_result $E_NOTEXIST "domain $domain doesn't exist"
fi
if [ ! -e "$csr" ]; then
check_result $E_NOTEXIST "$csr doesn't exist"
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
source $USER_DATA/ssl/le.conf
api='https://acme-v01.api.letsencrypt.org'
key="$USER_DATA/ssl/user.key"
exponent="$EXPONENT"
modulus="$MODULUS"
thumb="$THUMB"
# Defining JWK header
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
header='{"alg":"RS256","jwk":'"$header"'}'
# Requesting nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
# Defining ACME query (request challenge)
csr=$(openssl req -in $csr -outform DER |encode_base64)
query='{"resource":"new-cert","csr":"'$csr'"}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(mktemp)
curl -s -d "$data" "$api/acme/new-cert" -o $answer
if [ ! -z "$(grep Error $answer)" ]; then
detail="$(cat $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
detail=$(echo "$detail" |awk -F "::" '{print $2}')
rm $answer
check_result $E_LIMIT "$detail"
fi
# Printing certificate
crt=$(cat "$answer" |openssl base64 -e)
rm $answer
if [ "$format" != 'json' ]; then
echo "-----BEGIN CERTIFICATE-----"
echo "$crt"
echo "-----END CERTIFICATE-----"
else
echo -e "{\n\t\"$domain\": {\n\t\t\"CRT\":\""
echo -n '-----BEGIN CERTIFICATE-----\n'
echo -n "$crt" |sed ':a;N;$!ba;s/\n/\\n/g'
echo -n '-----END CERTIFICATE-----'
echo -e "\"\n\t\t}\n\t}"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

10
bin/v-suspend-dns-domain
View file

@ -41,6 +41,16 @@ is_object_unsuspended 'dns' 'DOMAIN' "$domain"
# Action #
#----------------------------------------------------------#
# Deleting system configs
if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
if [ -e '/etc/named.conf' ]; then
dns_conf='/etc/named.conf'
else
dns_conf='/etc/bind/named.conf'
fi
sed -i "/\/$user\/conf\/dns\/$domain.db\"/d" $dns_conf
fi
#----------------------------------------------------------#
# Vesta #

14
bin/v-unsuspend-dns-domain
View file

@ -40,7 +40,21 @@ is_object_suspended 'dns' 'DOMAIN' "$domain"
# Action #
#----------------------------------------------------------#
# Creating system configs
if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
if [ -e '/etc/named.conf' ]; then
dns_conf='/etc/named.conf'
dns_group='named'
else
dns_conf='/etc/bind/named.conf'
dns_group='bind'
fi
# Adding zone in named.conf
named="zone \"$domain_idn\" {type master; file"
named="$named \"$HOMEDIR/$user/conf/dns/$domain.db\";};"
echo "$named" >> $dns_conf
fi
#----------------------------------------------------------#
# Vesta #

3
bin/v-unsuspend-mail-account
View file

@ -48,6 +48,9 @@ is_object_suspended "mail/$domain" 'ACCOUNT' "$account"
if [[ "$MAIL_SYSTEM" =~ exim ]]; then
md5=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$MD5')
quota=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$QUOTA')
if [ "$quota" = 'unlimited' ]; then
quota=0
fi
sed -i "/^$account:/d" $HOMEDIR/$user/conf/mail/$domain/passwd
str="$account:$md5:$user:mail::$HOMEDIR/$user:$quota"
echo $str >> $HOMEDIR/$user/conf/mail/$domain/passwd

5
bin/v-update-firewall
View file

@ -51,11 +51,6 @@ if [ $? -ne 0 ]; then
conntrack_ftp='no'
fi
# Checking custom OpenSSH port
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
fi
# Creating temporary file
tmp=$(mktemp)

3
bin/v-update-host-certificate
View file

@ -76,6 +76,9 @@ $BIN/v-restart-mail
if [ ! -z "$IMAP_SYSTEM" ]; then
$BIN/v-restart-service "$IMAP_SYSTEM"
fi
if [ ! -z "$FTP_SYSTEM" ]; then
$BIN/v-restart-service "$FTP_SYSTEM"
fi
if [ -f "/var/run/vesta-nginx.pid" ]; then
kill -HUP $(cat /var/run/vesta-nginx.pid)
fi

53
bin/v-update-letsencrypt-ssl
View file

@ -22,42 +22,33 @@ source $VESTA/conf/vesta.conf
# Action #
#----------------------------------------------------------#
# Defining user list
users=$($BIN/v-list-users | tail -n+3 | awk '{ print $1 }')
lecounter=0
# Checking users
for user in $users; do
# Checking user certificates
for user in $($BIN/v-list-users plain |cut -f 1); do
USER_DATA=$VESTA/data/users/$user
# Checking user certificates
for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
crt="$VESTA/data/users/$user/ssl/$domain.crt"
crt_data=$(openssl x509 -text -in "$crt")
expire=$(echo "$crt_data" |grep "Not After")
expire=$(echo "$expire" |cut -f 2,3,4 -d :)
expire=$(date -d "$expire" +%s)
for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
crt_data=$(openssl x509 -text -in $USER_DATA/ssl/$domain.crt)
not_after=$(echo "$crt_data" |grep "Not After" |cut -f 2,3,4 -d :)
expiration=$(date -d "$not_after" +%s)
now=$(date +%s)
expire=$((expire - now))
expire=$((expire / 86400))
domain=$(basename $crt |sed -e "s/.crt$//")
if [[ "$expire" -lt 31 ]]; then
aliases=$(echo "$crt_data" |grep DNS:)
aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//")
aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
aliases=$(echo "$aliases" |grep -v "^$domain$")
if [ ! -z "$aliases" ]; then
aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
else
msg==$($BIN/v-add-letsencrypt-domain $user $domain)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
seconds_valid=$((expiration - now))
days_valid=$((seconds_valid / 86400))
if [[ "$days_valid" -lt 31 ]]; then
if [ $lecounter -gt 0 ]; then
sleep 10
fi
((lecounter++))
aliases=$(echo "$crt_data" |grep DNS:)
aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//g")
aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
aliases=$(echo "$aliases" |grep -v "^$domain,$")
aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
sleep 10
fi
done
done

154
bin/v-update-sys-ip
View file

@ -1,6 +1,6 @@
#!/bin/bash
# info: update system ip
# options: [USER] [IP_STATUS]
# options: [NONE]
#
# The function scans configured ip in the system and register them with vesta
# internal database. This call is intended for use on vps servers, where ip is
@ -11,12 +11,10 @@
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=${1-admin}
ip_status=${2-shared}
# Importing system variables
source /etc/profile
# Includes
source /etc/profile.d/vesta.sh
source $VESTA/func/main.sh
source $VESTA/func/ip.sh
source $VESTA/conf/vesta.conf
@ -26,87 +24,84 @@ source $VESTA/conf/vesta.conf
# Verifications #
#----------------------------------------------------------#
check_args '0' "$#" '[USER] [IP_STATUS]'
is_format_valid 'user' 'ip_status'
is_object_valid 'user' 'USER' "$user" "$user"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Get list of ip addresses
ip_list=$(/sbin/ip addr|grep 'inet '|grep global|awk '{print $2}')
ip_list=$(echo "$ip_list"|cut -f 1 -d /)
ip_num=$(echo "$ip_list" | wc -l)
# Listing system ip addresses
ips=$(/sbin/ip addr |grep 'inet ' |grep global |awk '{print $2}' |cut -f1 -d/)
v_ips=$(ls $VESTA/data/ips/)
ip_num=$(echo "$ips" |wc -l)
v_ip_num=$(echo "$v_ips" |wc -l)
# WorkAround for DHCP IP address
vst_ip_list=$(ls $VESTA/data/ips/)
vst_ip_num=$(echo "$vst_ip_list" | wc -l)
if [ ! -z "$vst_ip_list" ] && [ "$vst_ip_num" -eq '1' ]; then
if [ $ip_num -eq 1 ] && [ "$ip_list" != "$vst_ip_list" ]; then
new=$ip_list
old=$vst_ip_list
mv $VESTA/data/ips/$old $VESTA/data/ips/$new
if [ ! -z "$PROXY_SYSTEM" ]; then
mv /etc/$PROXY_SYSTEM/conf.d/$old.conf \
/etc/$PROXY_SYSTEM/conf.d/$new.conf
sed -i "s/$old/$new/g" /etc/$PROXY_SYSTEM/conf.d/$new.conf
fi
if [ ! -z "$WEB_SYSTEM" ]; then
mv /etc/$WEB_SYSTEM/conf.d/$old.conf \
/etc/$WEB_SYSTEM/conf.d/$new.conf
sed -i "s/$old/$new/g" /etc/$WEB_SYSTEM/conf.d/$new.conf
sed -i "s/$old/$new/g" $VESTA/data/users/*/web.conf
# Rebuild web domains
for user in $(ls $VESTA/data/users/); do
$BIN/v-rebuild-web-domains $user no
done
fi
if [ ! -z "$FTP_SYSTEM" ];then
ftpd_conf_file=$(find /etc/ -maxdepth 2 -name $FTP_SYSTEM.conf)
sed -i "s/$old/$new/g" $ftpd_conf_file
fi
# Restarting web server
$BIN/v-restart-web
# Restarting ftp server
$BIN/v-restart-ftp
# Restarting proxy server
if [ ! -z "$PROXY_SYSTEM" ]; then
$BIN/v-restart-proxy
fi
# Restarting firewall
if [ ! -z "$FIREWALL_SYSTEM" ]; then
$BIN/v-update-firewall
fi
if [ ! -z "$DNS_SYSTEM" ]; then
# Rebuild dns domains
for user in $(ls $VESTA/data/users/); do
sed -i "s/$old/$new/g" $VESTA/data/users/$user/dns.conf
sed -i "s/$old/$new/g" $VESTA/data/users/$user/dns/*.conf
$BIN/v-rebuild-dns-domains $user no
done
$BIN/v-restart-dns
check_result $? "dns restart failed" >/dev/null
fi
# No further comparation is needed
exit
# Checking primary IP change
if [[ "$ip_num" -eq '1' ]] && [[ "$v_ip_num" -eq 1 ]]; then
if [ "$ips" != "$v_ips" ]; then
new=$ips
old=$v_ips
fi
fi
# Compare ips
for ip in $ip_list; do
# Updating configs
if [ ! -z "$old" ]; then
mv $VESTA/data/ips/$old $VESTA/data/ips/$new
# Updating PROXY
if [ ! -z "$PROXY_SYSTEM" ]; then
cd /etc/$PROXY_SYSTEM/conf.d
if [ -e "$old.conf" ]; then
mv $old.conf $new.conf
sed -i "s/$old/$new/g" $new.conf
fi
fi
# Updating WEB
if [ ! -z "$WEB_SYSTEM" ]; then
cd /etc/$WEB_SYSTEM/conf.d
if [ -e "$old.conf" ]; then
mv $old.conf $new.conf
sed -i "s/$old/$new/g" $new.conf
fi
sed -i "s/$old/$new/g" $VESTA/data/users/*/web.conf
for user in $(ls $VESTA/data/users/); do
$BIN/v-rebuild-web-domains $user no
done
$BIN/v-restart-proxy
$BIN/v-restart-web
fi
# Updating DNS
if [ ! -z "$DNS_SYSTEM" ]; then
sed -i "s/$old/$new/g" $VESTA/data/users/*/dns.conf
sed -i "s/$old/$new/g" $VESTA/data/users/*/dns/*.conf
for user in $(ls $VESTA/data/users/); do
$BIN/v-rebuild-dns-domains $user no
done
$BIN/v-restart-dns
fi
# Updating FTP
if [ ! -z "$FTP_SYSTEM" ] && [ "$FTP_SYSTEM" = 'vsftpd' ]; then
conf=$(find /etc/ -maxdepth 2 -name $FTP_SYSTEM.conf)
if [ ! -z "$conf" ]; then
sed -i "s/$old/$new/g" $conf
$BIN/v-restart-ftp
fi
fi
# Updating firewall
if [ ! -z "$FIREWALL_SYSTEM" ]; then
sed -i "s/$old/$new/g" $VESTA/data/firewall/*.conf
$BIN/v-update-firewall
fi
fi
# Adding system IP
for ip in $ips; do
check_ifconfig=$(/sbin/ifconfig |grep "$ip")
if [ ! -e "$VESTA/data/ips/$ip" ] && [ ! -z "$check_ifconfig" ]; then
interface=$(/sbin/ip addr |grep $ip |awk '{print $NF}'|uniq)
interface=$(/sbin/ip addr |grep $ip |awk '{print $NF}' |uniq)
interface=$(echo "$interface" |cut -f 1 -d : |head -n 1)
netmask=$(/sbin/ip addr |grep $ip |cut -f 2 -d / |cut -f 1 -d \ )
netmask=$(convert_cidr $netmask)
@ -114,12 +109,11 @@ for ip in $ip_list; do
fi
done
# Checking NAT
# Updating NAT
pub_ip=$(curl -s vestacp.com/what-is-my-ip/)
if [ ! -z "$pub_ip" ] && [ ! -e "$VESTA/data/ips/$pub_ip" ]; then
check_nat=$(grep -R "$pub_ip" $VESTA/data/ips/)
if [ -z "$check_nat" ]; then
ip=$(ls -t $VESTA/data/ips/|head -n1)
if [ ! -e "$VESTA/data/ips/$pub_ip" ]; then
if [ -z "$(grep -R "$pub_ip" $VESTA/data/ips/)" ]; then
ip=$(ls -t $VESTA/data/ips/ |head -n1)
$BIN/v-change-sys-ip-nat $ip $pub_ip
fi
fi

22
bin/v-update-sys-rrd-mysql
View file

@ -14,6 +14,7 @@ period=${1-daily}
# Includes
source $VESTA/func/main.sh
source $VESTA/func/db.sh
source $VESTA/conf/vesta.conf
@ -66,23 +67,10 @@ for host in $hosts; do
fi
if [ "$period" = 'daily' ]; then
# Defining host credentials
host_str=$(grep "HOST='$host'" $conf)
for key in $host_str; do
eval ${key%%=*}=${key#*=}
done
sql="mysql -h $HOST -u $USER -p$PASSWORD -e"
# Checking empty vars
if [ -z $HOST ] || [ -z $USER ] || [ -z $PASSWORD ]; then
echo "Error: config is broken"
log_event "$E_PARSING" "$ARGUMENTS"
exit $E_PARSING
fi
# Parsing data
status=$($sql "SHOW GLOBAL STATUS" 2>/dev/null); code="$?"
if [ '0' -ne "$code" ]; then
mysql_connect $host
query='SHOW GLOBAL STATUS'
status=$(mysql_query "$query" 2>/dev/null)
if [ $? -ne 0 ]; then
active=0
slow=0
else

2
bin/v-update-sys-rrd-pgsql
View file

@ -85,7 +85,7 @@ for host in $hosts; do
# Parsing data
q='SELECT SUM(xact_commit + xact_rollback), SUM(numbackends)
FROM pg_stat_database;'
status=$($sql plsql -d postgres -c "$q" 2>/dev/null); code="$?"
status=$($sql psql -d postgres -c "$q" 2>/dev/null); code="$?"
if [ '0' -ne "$code" ]; then
active=0
slow=0

1
bin/v-update-user-counters
View file

@ -53,6 +53,7 @@ for user in $user_list; do
IP_OWNED=0
U_USERS=0
U_DISK=0
DISK=0
U_DISK_DIRS=$(get_user_value '$U_DISK_DIRS')
if [ -z "$U_DISK_DIRS" ]; then
U_DISK_DIRS=0

2
bin/v-update-user-quota
View file

@ -33,7 +33,7 @@ is_object_valid 'user' 'USER' "$user"
# Updating disk quota
# Had quota equals package value. Soft quota equals 90% of package value for warnings.
quota=$(get_user_value '$DISK_QUOTA')
soft=$(echo "$quota * 1024 * 0.90"|bc |cut -f 1 -d .)
soft=$(echo "$quota * 1024"|bc |cut -f 1 -d .)
hard=$(echo "$quota * 1024"|bc |cut -f 1 -d .)
# Searching home mount point

3
bin/v-update-user-stats
View file

@ -67,6 +67,9 @@ TOTAL_USERS=0
# Updating user stats
for user in $user_list; do
if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
continue;
fi
USER_DATA=$VESTA/data/users/$user
source $USER_DATA/user.conf
next_month=$(date +'%m/01/%y' -d '+ 1 month')

14
func/db.sh
View file

@ -47,19 +47,22 @@ mysql_connect() {
}
mysql_query() {
mysql --defaults-file=$mycnf -e "$1" 2>/dev/null
sql_tmp=$(mktemp)
echo "$1" > $sql_tmp
mysql --defaults-file=$mycnf < "$sql_tmp" 2>/dev/null
rm -f "$sql_tmp"
}
mysql_dump() {
err="/tmp/e.mysql"
mysqldump --defaults-file=$mycnf --single-transaction -r $1 $2 2> $err
mysqldump --defaults-file=$mycnf --single-transaction --max_allowed_packet=100M -r $1 $2 2> $err
if [ '0' -ne "$?" ]; then
rm -rf $tmpdir
if [ "$notify" != 'no' ]; then
echo -e "Can't dump database $database\n$(cat $err)" |\
$SENDMAIL -s "$subj" $email
fi
echo "Error: dump $database failed"
echo "Error: dump $database failed\n$(cat $err)"
log_event "$E_DB" "$ARGUMENTS"
exit $E_DB
fi
@ -89,7 +92,10 @@ psql_connect() {
}
psql_query() {
psql -h $HOST -U $USER -c "$1" 2>/dev/null
sql_tmp=$(mktemp)
echo "$1" > $sql_tmp
psql -h $HOST -U $USER -f "$sql_tmp" 2>/dev/null
rm -f $sql_tmp
}
psql_dump() {

18
func/domain.sh
View file

@ -215,7 +215,11 @@ add_web_config() {
fi
fi
trigger="${2/.*pl/.sh}"
trigger="${2/%.tpl/.sh}"
if [[ "$2" =~ stpl$ ]]; then
trigger="${2/%.stpl/.sh}"
fi
if [ -x "$WEBTPL/$1/$WEB_BACKEND/$trigger" ]; then
$WEBTPL/$1/$WEB_BACKEND/$trigger \
$user $domain $local_ip $HOMEDIR \
@ -269,7 +273,7 @@ replace_web_config() {
fi
}
# Delete web configuartion
# Delete web configuration
del_web_config() {
conf="$HOMEDIR/$user/conf/web/$domain.$1.conf"
if [[ "$2" =~ stpl$ ]]; then
@ -285,13 +289,15 @@ del_web_config() {
if [[ "$2" =~ stpl$ ]]; then
conf="$HOMEDIR/$user/conf/web/s$1.conf"
fi
get_web_config_lines $WEBTPL/$1/$WEB_BACKEND/$2 $conf
sed -i "$top_line,$bottom_line d" $conf
if [ -e "$conf" ]; then
get_web_config_lines $WEBTPL/$1/$WEB_BACKEND/$2 $conf
sed -i "$top_line,$bottom_line d" $conf
fi
fi
# clean-up for both config styles if there is no more domains
web_domain=$(grep DOMAIN $USER_DATA/web.conf |wc -l)
if [ "$web_domain" -eq '0' ]; then
sed -i "/.*\/$user\/.*/d" /etc/$1/conf.d/vesta.conf
sed -i "/.*\/$user\/conf\/web\//d" /etc/$1/conf.d/vesta.conf
if [ -f "$conf" ]; then
rm -f $conf
fi
@ -337,7 +343,7 @@ is_web_domain_cert_valid() {
check_result $E_FORBIDEN "SSL Key is protected (remove pass_phrase)"
fi
openssl s_server -quiet -cert $ssl_dir/$domain.crt \
openssl s_server -port 654321 -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &
pid=$!
sleep 0.5

4
func/ip.sh
View file

@ -26,7 +26,7 @@ get_ip_iface() {
}
# Check ip address speciefic value
# Check ip address specific value
is_ip_key_empty() {
key="$1"
string=$(cat $VESTA/data/ips/$ip)
@ -141,7 +141,7 @@ get_real_ip() {
else
nat=$(grep -H "^NAT='$1'" $VESTA/data/ips/*)
if [ ! -z "$nat" ]; then
echo "$nat" |cut -f 1 -d : |cut -f 7 -d /
echo "$nat" |cut -f 1 -d : |cut -f 7 -d / |head -n 1
fi
fi
}

28
func/main.sh
View file

@ -287,6 +287,13 @@ is_hash_valid() {
fi
}
# Check if directory is a symlink
is_dir_symlink() {
if [[ -L "$1" ]]; then
check_result $E_FORBIDEN "$1 directory is a symlink"
fi
}
# Get object value
get_object_value() {
object=$(grep "$2='$3'" $USER_DATA/$1.conf)
@ -525,7 +532,7 @@ is_user_format_valid() {
is_domain_format_valid() {
object_name=${2-domain}
exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|_|/|\|\"|'|;|%|\`| ]"
if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ "\.\." ]]; then
if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ "\.\." ]] || [[ $1 =~ "$(printf '\t')" ]]; then
check_result $E_INVALID "invalid $object_name format :: $1"
fi
}
@ -652,7 +659,7 @@ is_dbuser_format_valid() {
# DNS record type validator
is_dns_type_format_valid() {
known_dnstype='A,AAAA,NS,CNAME,MX,TXT,SRV,DNSKEY,KEY,IPSECKEY,PTR,SPF,TLSA'
known_dnstype='A,AAAA,NS,CNAME,MX,TXT,SRV,DNSKEY,KEY,IPSECKEY,PTR,SPF,TLSA,CAA'
if [ -z "$(echo $known_dnstype |grep -w $1)" ]; then
check_result $E_INVALID "invalid dns record type format :: $1"
fi
@ -798,7 +805,16 @@ is_password_format_valid() {
check_result $E_INVALID "invalid password format :: $1"
fi
}
# Missing function -
# Before: validate_format_shell
# After: is_format_valid_shell
is_format_valid_shell() {
if [ -z "$(grep -w $1 /etc/shells)" ]; then
echo "Error: shell $1 is not valid"
log_event "$E_INVALID" "$EVENT"
exit $E_INVALID
fi
}
# Format validation controller
is_format_valid() {
for arg_name in $*; do
@ -865,7 +881,9 @@ is_format_valid() {
restart) is_boolean_format_valid "$arg" 'restart' ;;
rtype) is_dns_type_format_valid "$arg" ;;
rule) is_int_format_valid "$arg" "rule id" ;;
soa) is_domain_format_valid "$arg" 'SOA' ;;
soa) is_domain_format_valid "$arg" 'SOA' ;;
#missing command: is_format_valid_shell
shell) is_format_valid_shell "$arg" ;;
stats_pass) is_password_format_valid "$arg" ;;
stats_user) is_user_format_valid "$arg" "$arg_name" ;;
template) is_object_format_valid "$arg" "$arg_name" ;;
@ -915,7 +933,7 @@ format_aliases() {
aliases=$(echo "$aliases" |tr -s '.')
aliases=$(echo "$aliases" |sed -e "s/[.]*$//g")
aliases=$(echo "$aliases" |sed -e "s/^[.]*//")
aliases=$(echo "$aliases" |grep -v www.$domain |sed -e "/^$/d")
aliases=$(echo "$aliases" |sed -e "/^$/d")
aliases=$(echo "$aliases" |tr '\n' ',' |sed -e "s/,$//")
fi
}

10
func/rebuild.sh
View file

@ -71,6 +71,9 @@ rebuild_user_conf() {
echo "$BIN/v-update-web-domains-disk $user" \
>> $VESTA/data/queue/disk.pipe
if [[ -L "$HOMEDIR/$user/web" ]]; then
rm $HOMEDIR/$user/web
fi
mkdir -p $HOMEDIR/$user/conf/web
mkdir -p $HOMEDIR/$user/web
mkdir -p $HOMEDIR/$user/tmp
@ -105,6 +108,9 @@ rebuild_user_conf() {
echo "$BIN/v-update-mail-domains-disk $user" \
>> $VESTA/data/queue/disk.pipe
if [[ -L "$HOMEDIR/$user/mail" ]]; then
rm $HOMEDIR/$user/mail
fi
mkdir -p $HOMEDIR/$user/conf/mail
mkdir -p $HOMEDIR/$user/mail
chmod 751 $HOMEDIR/$user/mail
@ -594,7 +600,7 @@ rebuild_pgsql_database() {
exit $E_CONNECT
fi
query="CREATE ROLE $DBUSER"
query="CREATE ROLE $DBUSER WITH LOGIN"
psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
query="UPDATE pg_authid SET rolpassword='$MD5' WHERE rolname='$DBUSER'"
@ -611,7 +617,7 @@ rebuild_pgsql_database() {
query="GRANT ALL PRIVILEGES ON DATABASE $DB TO $DBUSER"
psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
query="GRANT CONNECT ON DATABASE template1 to $dbuser"
query="GRANT CONNECT ON DATABASE template1 to $DBUSER"
psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
}

1
install/debian/7/nginx/nginx.conf
View file

@ -50,6 +50,7 @@ http {
# Compression
gzip on;
gzip_vary on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;

2
install/debian/7/sudo/admin
View file

@ -4,5 +4,5 @@ Defaults:admin !syslog
Defaults:admin !requiretty
Defaults:root !requiretty
admin ALL=(ALL) ALL
# sudo is limited to vesta scripts
admin ALL=NOPASSWD:/usr/local/vesta/bin/*

2
install/debian/7/templates/web/apache2/basedir.stpl
View file

@ -15,7 +15,7 @@
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"

2
install/debian/7/templates/web/apache2/hosting.stpl
View file

@ -22,7 +22,7 @@
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
</Directory>

2
install/debian/7/templates/web/apache2/phpcgi.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php

2
install/debian/7/templates/web/apache2/phpfcgid.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
<Files *.php>

3
install/debian/7/templates/web/nginx/caching.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

3
install/debian/7/templates/web/nginx/default.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

5
install/debian/7/templates/web/nginx/hosting.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
@ -31,7 +30,7 @@ server {
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
disable_symlinks if_not_owner from=%docroot%;
disable_symlinks if_not_owner from=%sdocroot%;
include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

9
install/debian/7/templates/web/nginx/http2.stpl
View file

@ -1,17 +1,16 @@
server {
listen %ip%:%proxy_ssl_port% http2;
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/httpd/domains/%domain%.error.log error;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/httpd/domains/%domain%.log combined;
access_log /var/log/httpd/domains/%domain%.bytes bytes;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}

6
install/debian/7/templates/web/nginx/http2.tpl
View file

@ -1,14 +1,14 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/httpd/domains/%domain%.error.log error;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %docroot%;
access_log /var/log/httpd/domains/%domain%.log combined;
access_log /var/log/httpd/domains/%domain%.bytes bytes;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}

88
install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl
View file

@ -10,69 +10,53 @@ server {
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ [^/]\.php(/|$) {
location ~ ^/sites/.*/files/imagecache/ {
try_files $uri @rewrite;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# For Drupal 6 and bwlow:
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

101
install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl
View file

@ -7,69 +7,52 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# For Drupal 6 and bwlow:
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ ^/sites/.*/files/imagecache/ {
try_files $uri @rewrite;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

94
install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl
View file

@ -11,68 +11,56 @@ server {
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ [^/]\.php(/|$) {
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

107
install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl
View file

@ -7,69 +7,56 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

100
install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl
View file

@ -11,70 +11,62 @@ server {
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ [^/]\.php(/|$)|^/update.php {
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;

111
install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl
View file

@ -7,71 +7,62 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ [^/]\.php(/|$)|^/update.php {
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;

2
install/debian/7/templates/web/nginx/php5-fpm/sendy.stpl
View file

@ -3,7 +3,7 @@ server {
server_name %domain_idn% %alias_idn%;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
root %docroot%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;

2
install/debian/7/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
View file

@ -1,7 +1,7 @@
server {
listen %ip%:%web_ssl_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;

89
install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl Normal file
View file

@ -0,0 +1,89 @@
server {
listen %ip%:%web_ssl_port%;
server_name %domain_idn% %alias_idn%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $cache_uri $request_uri;
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
|wp-.*.php|/feed/|index.php|wp-comments-popup.php
|wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
set $cache_uri 'null cache';
}
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index-https.html $uri $uri/ /index.php?$args;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/conf/web/%domain%.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

85
install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl Normal file
View file

@ -0,0 +1,85 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $cache_uri $request_uri;
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
|wp-.*.php|/feed/|index.php|wp-comments-popup.php
|wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
set $cache_uri 'null cache';
}
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/conf/web/%domain%.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include %home%/%user%/conf/web/nginx.%domain%.conf*;
}

1
install/debian/8/nginx/nginx.conf
View file

@ -51,6 +51,7 @@ http {
# Compression
gzip on;
gzip_vary on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;

2
install/debian/8/sudo/admin
View file

@ -4,5 +4,5 @@ Defaults:admin !syslog
Defaults:admin !requiretty
Defaults:root !requiretty
admin ALL=(ALL) ALL
# sudo is limited to vesta scripts
admin ALL=NOPASSWD:/usr/local/vesta/bin/*

2
install/debian/8/templates/web/apache2/basedir.stpl
View file

@ -15,7 +15,7 @@
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"

2
install/debian/8/templates/web/apache2/hosting.stpl
View file

@ -22,7 +22,7 @@
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
</Directory>

2
install/debian/8/templates/web/apache2/phpcgi.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php

2
install/debian/8/templates/web/apache2/phpfcgid.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
<Files *.php>

3
install/debian/8/templates/web/nginx/caching.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

3
install/debian/8/templates/web/nginx/default.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

5
install/debian/8/templates/web/nginx/hosting.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
@ -31,7 +30,7 @@ server {
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
disable_symlinks if_not_owner from=%docroot%;
disable_symlinks if_not_owner from=%sdocroot%;
include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

9
install/debian/8/templates/web/nginx/http2.stpl
View file

@ -1,17 +1,16 @@
server {
listen %ip%:%proxy_ssl_port% http2;
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/httpd/domains/%domain%.error.log error;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/httpd/domains/%domain%.log combined;
access_log /var/log/httpd/domains/%domain%.bytes bytes;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}

6
install/debian/8/templates/web/nginx/http2.tpl
View file

@ -1,14 +1,14 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/httpd/domains/%domain%.error.log error;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %docroot%;
access_log /var/log/httpd/domains/%domain%.log combined;
access_log /var/log/httpd/domains/%domain%.bytes bytes;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}

88
install/debian/8/templates/web/nginx/php5-fpm/drupal6.stpl
View file

@ -10,69 +10,53 @@ server {
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ [^/]\.php(/|$) {
location ~ ^/sites/.*/files/imagecache/ {
try_files $uri @rewrite;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# For Drupal 6 and bwlow:
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

101
install/debian/8/templates/web/nginx/php5-fpm/drupal6.tpl
View file

@ -7,69 +7,52 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# For Drupal 6 and bwlow:
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ ^/sites/.*/files/imagecache/ {
try_files $uri @rewrite;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

94
install/debian/8/templates/web/nginx/php5-fpm/drupal7.stpl
View file

@ -11,68 +11,56 @@ server {
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ [^/]\.php(/|$) {
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

107
install/debian/8/templates/web/nginx/php5-fpm/drupal7.tpl
View file

@ -7,69 +7,56 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;

100
install/debian/8/templates/web/nginx/php5-fpm/drupal8.stpl
View file

@ -11,70 +11,62 @@ server {
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
location ~ \..*/.*\.php$ {
return 403;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ [^/]\.php(/|$)|^/update.php {
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;

111
install/debian/8/templates/web/nginx/php5-fpm/drupal8.tpl
View file

@ -7,71 +7,62 @@ server {
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location / {
try_files $uri @rewrite;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ [^/]\.php(/|$)|^/update.php {
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
try_files $uri /index.php?$query_string;
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ {
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi_params;
}
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
}
location ~ ^/sites/.*/files/styles/ {
try_files $uri @rewrite;
}
fastcgi_pass %backend_lsnr%;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;

2
install/debian/8/templates/web/nginx/php5-fpm/sendy.stpl
View file

@ -3,7 +3,7 @@ server {
server_name %domain_idn% %alias_idn%;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
root %docroot%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;

2
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
View file

@ -1,7 +1,7 @@
server {
listen %ip%:%web_ssl_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;

89
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl Normal file
View file

@ -0,0 +1,89 @@
server {
listen %ip%:%web_ssl_port%;
server_name %domain_idn% %alias_idn%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $cache_uri $request_uri;
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
|wp-.*.php|/feed/|index.php|wp-comments-popup.php
|wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
set $cache_uri 'null cache';
}
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index-https.html $uri $uri/ /index.php?$args;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/conf/web/%domain%.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

85
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl Normal file
View file

@ -0,0 +1,85 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
set $cache_uri $request_uri;
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
|wp-.*.php|/feed/|index.php|wp-comments-popup.php
|wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
set $cache_uri 'null cache';
}
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/conf/web/%domain%.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include %home%/%user%/conf/web/nginx.%domain%.conf*;
}

29
install/debian/9/dovecot/conf.d/15-mailboxes.conf Normal file
View file

@ -0,0 +1,29 @@
## Mailbox definitions
##
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
mailbox "Sent Messages" {
special_use = \Sent
}
}

1
install/debian/9/nginx/nginx.conf
View file

@ -51,6 +51,7 @@ http {
# Compression
gzip on;
gzip_vary on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;

2
install/debian/9/sudo/admin
View file

@ -4,5 +4,5 @@ Defaults:admin !syslog
Defaults:admin !requiretty
Defaults:root !requiretty
admin ALL=(ALL) ALL
# sudo is limited to vesta scripts
admin ALL=NOPASSWD:/usr/local/vesta/bin/*

2
install/debian/9/templates/web/apache2/basedir.stpl
View file

@ -15,7 +15,7 @@
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"

2
install/debian/9/templates/web/apache2/hosting.stpl
View file

@ -22,7 +22,7 @@
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
</Directory>

2
install/debian/9/templates/web/apache2/phpcgi.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php

2
install/debian/9/templates/web/apache2/phpfcgid.stpl
View file

@ -15,7 +15,7 @@
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
<Files *.php>

3
install/debian/9/templates/web/nginx/caching.stpl
View file

@ -1,7 +1,6 @@
server {
listen %ip%:%proxy_ssl_port%;
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

Some files were not shown because too many files have changed in this diff Show more