diff --git a/.gitignore b/.gitignore index 6701a887..fe0574ad 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,6 @@ *.gz .vscode .DS_Store +data +conf +log \ No newline at end of file diff --git a/Changelog.md b/Changelog.md index 6908b0e2..617bc9c3 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,36 +1,111 @@ -Version 0.9.9-0-6 [22-Jan-2024] +Version 0.9.9-0-13 [2025-08-15] +================================================== +* Improvement: Activating FileManager licence for all users (credits to Official VestaCP) +* Introducing a malware cleaning set of tools: v-install-wordfence-cli, v-desinfect-wordpress, v-fix-wordpress-core, v-change-database-password-for-wordpress, v-change-wordpress-admin-passwords, v-delete-inactive-wordpress-plugins-and-themes, v-delete-wordpress-uploads-php-files) (credits to isscbta) +* Improvement: Added support for PHP 8.3 and 8.4 +* SRS support for Exim4 (v-add-srs-support-to-exim) (credits to HestiaCP) +* Security: Ensuring that PHP files are visible only to the account they belong to - setting chmod 600 for all .php and .env files (also added as admin cronjob - v-fix-website-permissions-for-all-websites-only-php) +* Added cronjob for disk usage snapshot (size of each folder) to see what folder is growing every day (v-df-snapshot-make, v-df-snapshot-diff [some-day-snapshot] [some-other-day-snapshot]) +* Bugfix: SSL fix for Apache 2.4.65+ (fix for '421 Misdirected Request') +* Bugfix: vst-install-debian.sh: ability to install MySQL 8 on Debian 12 +* Improvement: Update nginx block-firewall.conf when user blocks 80,443 ports for some IPv4 address in the Firewall section of the admin panel +* Improvement: v-install-wordpress: Support for IDN format domains +* Security: Adding ProFTPD jail rule to Fail2Ban +* Introducing: v-make-main-apache-log - making one log file for PHP requests for all websites +* Security: Introducing a new command: v-fix-php-ini-disable-functions +* Improvement: Introducing myVesta rules for SpamAssassin (enhancing spam filtering) +* Improvement: When deleting a domain, also delete the database if the domain has a database +* Bugfix: Removing temporary Docker container network interfaces from RRD +* Introducing v-run-wp-cli-myvesta that knows the correct terminal width +* Introducing a new command: v-cd-www alias for v-change-dir-www +* Introducing a new command: v-clear-fail2ban +* Introducing a new command: v-get-dns-config (to print zone file in bind9 format) +* Introducing a DISABLE_IP_CHECK as vesta.conf variable (if logged-in user is getting a new IPv4 address every minute) +* Security: Introducing a parse_object_kv_list_non_eval() function in main.sh, to avoid the evil eval command +* Security: Enhance package validation, in v-change-user-package 'eval' replaced with 'parse_object_kv_list_non_eval' +* Improvement: Replacing all WordPress scripts to use 'v-run-wp-cli' instead of 'wp' +* Improvement: v-install-wordpress: Almost always use https +* Improvement: Skip the prompt to continue during myVesta installation if the administrator has set all required variables in the command line +* Security: Jailing v-run-wp-cli (running WP-CLI as user, added open_basedir, disabling shell_exec() and other dangerous PHP functions) +* Security: v-commander: removing the ability to set a root password +* Bugfix: DKIM record deletion command in v-delete-mail-domain-dkim script +* Adding FTP / SFTP port for Remote Backup (credits to ikheetjeff) +* Introducing a new command: v-delete-mails - delete emails older than N days (credits to isscbta) +* Introducing new commands: v-blacklist-email-domain, v-blacklist-email-account, v-whitelist-email-domain, v-whitelist-email-account (credits to isscbta) +* Bugfix: v-move-folder-and-make-symlink: use 'mv' instead of 'rsync' +* Improvement: Calculate the size of directories on /hdd too +* Bugfix: v-move-domain-and-database-to-account: Update wordfence-waf.php +* Bugfix: v-add-letsencrypt-domain: Detecting valid status on wildcard variant +* Bugfix: db.sh and v-clone-website: mysqldump --max_allowed_packet=1024M +* Bugfix: web/index.php: Prevent recreation of token by shitty browser add-ons +* Bugfix: v-restore-user: permissions fix while restoring backup +* Bugfix: Add some loops due to 403 errors during LE request in some random cases +* Improvement: v-clone-website: adding --EXCLUDE_UPLOADS parameter +* Bugfix: vst-install-debian.sh - removing phppgadmin +* Bugfix: v-update-firewall: $FIREWALL_STATEFUL conf variable (for Infomaniak VPS servers) +* Bugfix: Awstats template for all systems does not have a closed bracket in line 27 (credits to gkirde) +* Bugfix: Update v-import-cpanel-backup - removing /*!999999\- enable the sandbox mode */ +* Bugfix: Small PHP syntax fixes in the admin panel +* Introducing nginx template 'wprocket-webp-express-force-https' (credits to Luka Paunovic) +* Improvement: Added functions to check if a domain or user is unsuspended in main.sh +* Introducing a new command: v-update-document-errors-files +* Improvement: new v-backup-user-now command does backup even if the system Load Average is above the limit, or the administrator configured backups to perform only at night +* Improvement: v-install-wp-cli and v-install-wp-cli-myvesta - automatically updates if wp-cli is 30 days old +* Bugfix: Check for SSL certificate existence before deleting web domain SSL in v-install-unsigned-ssl +* Improvement: v-install-wordpress: avoid changing nginx proxy template in apache-less variant +* Added to .gitignore excludes for 'data', 'conf', and 'log' folders +* And many other minor bugfixes and improvements... + +Version 0.9.9-0-12 [2025-02-28] +================================================== +* SpamHaus DNSBL removed from exim4 +* A lot of small bugs fixed + +Version 0.9.9-0-11 [2024-05-30] +================================================== +* Introducing v-run-wp-cli command ( @isscbta ) +* Introducing v-add-wordpress-admin command ( @isscbta ) +* Few bugs fixed + +Version 0.9.9-0-10 [2024-04-11] +================================================== +* Introducing v-edit-php-ini command ( @isscbta ) +* Introducing v-edit-domain-php-ini command ( @isscbta ) + +Version 0.9.9-0-9 [2024-04-05] +================================================== +* Get quick info about a banned IP (Host, Banlist, Location) (many thanks to @VasilisParaschos ) +* Few bugs fixed + +Version 0.9.9-0-5 to 0.9.9-0-8 ================================================== * Few bugs fixed -Version 0.9.9-0-5 [08-Oct-2023] -================================================== -* Many bugfixes - -Version 0.9.9-0-4 [27-Jun-2023] +Version 0.9.9-0-4 [2023-06-27] ================================================== * Support for Debian 12 ( in mutual cooperation with @HestiaCP ) -Version 0.9.9-0-2 [12-Jun-2023] +Version 0.9.9-0-2 [2023-06-12] ================================================== * Hosting panel UI perfomance fix -Version 0.9.9-0 [05-Jun-2023] +Version 0.9.9-0 [2023-06-05] ================================================== * Redesign of hosting panel * Fix for WP_CACHE_KEY_SALTs in v-clone-website command * Fix for "Helo name contains a ip address" in Exim4 * Fix for Exim4 for punycode domains (in collaboration with @HestiaCP ) -Version 0.9.8-26-62 [05-Apr-2023] +Version 0.9.8-26-62 [2023-04-05] ================================================== * Fix for LetsEncrypt Asynchronous Order Finalization (in collaboration with @HestiaCP ) -Version 0.9.8-26-61 [04-Apr-2023] +Version 0.9.8-26-61 [2023-04-04] ================================================== * Many bugfixes * Hotfix for LetsEncrypt to prevent Apache falling -Version 0.9.8-26-60 [12-Feb-2023] +Version 0.9.8-26-60 [2023-02-12] ================================================== * New script: v-commander (useful for maintaining the server) * New script: v-activate-rocket-nginx (serve WP-Rocket cache directly from nginx) @@ -38,7 +113,7 @@ Version 0.9.8-26-60 [12-Feb-2023] * v-clone-website: By default cloning to database: user_domain_com (instead of cloning to database: user_old_db_migrated) * Many minor bugfixes -Version 0.9.8-26-59 [01-Feb-2023] +Version 0.9.8-26-59 [2023-02-01] ================================================== * Support for PHP 8.2 * New script: v-move-folder-and-make-symlink @@ -46,82 +121,82 @@ Version 0.9.8-26-59 [01-Feb-2023] * v-install-wordpress: Installing WordPress to user_domain_com database instead of installing to user_wp database * Many minor bugfixes -Version 0.9.8-26-58 [12-Jul-2022] +Version 0.9.8-26-58 [2022-07-12] ================================================== * [Security] hash_equals() in /reset/mail/ (credits to @divinity76 ) * Avoid out-of-memory while downloading large log files from panel (credits to @divinity76 ) * Fix for an boring PHP Notice in vesta-php -Version 0.9.8-26-57 [06-Jul-2022] +Version 0.9.8-26-57 [2022-07-06] ================================================== * Fix for GMail SMTP timeouts on Debian11 * [Security] Fix for Local Sed Injection Vulnerability ( credits to @cleemy-desu-wayo ) -Version 0.9.8-26-56 [28-May-2022] +Version 0.9.8-26-56 [2022-05-28] ================================================== * Adding Barracuda RBL to SpamAssassin * Fixing insane HTML form bug in List backup items page * Script for easy adding second IP address for SMTP authenticated users only (v-make-separated-ip-for-email) -Version 0.9.8-26-55 [26-Apr-2022] +Version 0.9.8-26-55 [2022-04-26] ================================================== * Support for MySQL 8 * [Security] Preventing brute-force resetting password (thanks to HestiaCP @hestiacp for fix) * Many minor bugfixes -Version 0.9.8-26-54 [17-Dec-2021] +Version 0.9.8-26-54 [2021-12-17] ================================================== * Checking if FreshClam is started after installation -Version 0.9.8-26-53 [12-Dec-2021] +Version 0.9.8-26-53 [2021-12-12] ================================================== * Support for PHP 8.1 * Function to ensure that pool.d folders are not empty -Version 0.9.8-26-52 [23-Nov-2021] +Version 0.9.8-26-52 [2021-11-23] ================================================== * Fix for not to match wildcard "*domains" and "databases*" while restoring * Added memcached to v-list-sys-services -Version 0.9.8-26-51 [14-Nov-2021] +Version 0.9.8-26-51 [2021-11-14] ================================================== * Many fixes for "List services" page (v-list-sys-services function) -Version 0.9.8-26-50 [07-Nov-2021] +Version 0.9.8-26-50 [2021-11-07] ================================================== * Many small bugfixes and CSRF fixes -Version 0.9.8-26-49 [17-Jul-2021] +Version 0.9.8-26-49 [2021-07-17] ================================================== * Support for Debian 11 -Version 0.9.8-26-48 [11-Jul-2021] +Version 0.9.8-26-48 [2021-07-11] ================================================== * Fixed two bugs in LetsEncrypt generating process -Version 0.9.8-26-47 [30-May-2021] +Version 0.9.8-26-47 [2021-05-30] ================================================== * Enabling TLS for ProFTPD FTPS * More logical "Restore backup" template -Version 0.9.8-26-46 [17-Apr-2021] +Version 0.9.8-26-46 [2021-04-17] ================================================== * [Feature] Updating CloudFlare IP addresses -Version 0.9.8-26-45 [13-Apr-2021] +Version 0.9.8-26-45 [2021-04-13] ================================================== * [Feature] Logging whole LetsEncrypt process to /usr/local/vesta/log/letsencrypt.log and /usr/local/vesta/log/letsencrypt_cron.log * [Feature] Warn admin once (by sending email) if LetsEncrypt renewing failed for server hostname * [Bugfix] Correct truncating of CA LetsEncrypt certificate (thanks to HestiaCP @hestiacp for fix) -Version 0.9.8-26-44 [04-Apr-2021] +Version 0.9.8-26-44 [2021-04-04] ================================================== * [Security] Preventing denial-of-service in openssl library in vesta-nginx service (CVE-2021-3449) * [Security] Preventing admin to install non-vesta packages from vesta admin panel user interface (Credits to: Numan Türle @numanturle) * [Bugfix] Preventing multiple execution of v-backup-users * [UserInterface] CSS fix for Apache status table (Credits to: Milos Spasic) -Version 0.9.8-26-43 [15-Mar-2021] +Version 0.9.8-26-43 [2021-03-15] ================================================== * [Security] fix for: CSRF remote code execution in UploadHandler.php - CVE-2021-28379 (Credits to: Fady Osman @fady_othman) * [Security] fix for: Local privilege escalation from user account to admin account via v-add-web-domain (Credits to: Two independent security researchers, Marti Guasch Jiménez and Francisco Andreu Sanz, working with the SSD Secure Disclosure program) (and also thanks to HestiaCP @hestiacp for fix) @@ -131,62 +206,62 @@ Version 0.9.8-26-43 [15-Mar-2021] * [Security] fix for: Admin to root escalation in v-activate-vesta-license (Credits to: Numan Türle @numanturle) * [Security] Ensure HTML will not be displayed in list log page (Credits to: Kristan Kenney @kristankenney, thanks to HestiaCP @hestiacp for fix) -Version 0.9.8-26-42 [26-Feb-2021] +Version 0.9.8-26-42 [2021-02-26] ================================================== * [Feature] Support for PHP 8.0, see: https://forum.myvestacp.com/viewtopic.php?f=18&t=52 * [Bugfix] Making sure Apache is in mpm_event mode -Version 0.9.8-26-41 [11-Feb-2021] +Version 0.9.8-26-41 [2021-02-11] ================================================== * Few bugfixes -Version 0.9.8-26-40 [08-Feb-2021] +Version 0.9.8-26-40 [2021-02-08] ================================================== * Few bugfixes -Version 0.9.8-26-39 [12-Dec-2020] +Version 0.9.8-26-39 [2020-12-12] ================================================== * [Security] Fixing useless issue with tokens in "download backup" and "loginas" functions (thanks to HestiaCP for fixes) * [Security] Fixing XSS in /list/rrd/?period= value -Version 0.9.8-26-38 [05-Dec-2020] +Version 0.9.8-26-38 [2020-12-05] ================================================== * [Security] Fixing Apache status public access (thanks to HestiaCP for letting us know) -Version 0.9.8-26-37 [26-Oct-2020] +Version 0.9.8-26-37 [2020-10-26] ================================================== * [Bugfix] Fixing LetsEncrypt deprecated GET method for ACME v2 (thanks to @moucho) * [Bugfix] Fixing Roundcube to send via authenticated SMTP user instead via php -Version 0.9.8-26-36 [10-Sep-2020] +Version 0.9.8-26-36 [2020-09-10] ================================================== * [Bugfix] Checking necessary available disk space before doing backup * [Security] Disabling login with 'root' -Version 0.9.8-26-35 [23-Aug-2020] +Version 0.9.8-26-35 [2020-08-23] ================================================== * [Feature] Limiting max recipients per email to 15, in order to prevent mass spamming * [Bugfix] While restoring backup, only exclude logs folder from root, not in public_html -Version 0.9.8-26-34 [19-Aug-2020] +Version 0.9.8-26-34 [2020-08-19] ================================================== * [Bugfix] Split long DNS TXT entries into 255 chunks -Version 0.9.8-26-33 [16-Aug-2020] +Version 0.9.8-26-33 [2020-08-16] ================================================== * [Feature] Ability to set some domain to send emails from another IP (command: v-make-separated-ip-for-email-domain) -Version 0.9.8-26-32 [02-Aug-2020] +Version 0.9.8-26-32 [2020-08-02] ================================================== * [Feature] v-replace-in-file command introduced * [Security] Making sure new myVesta commands can be called only by root -Version 0.9.8-26-31 [30-Jul-2020] +Version 0.9.8-26-31 [2020-07-30] ================================================== * [Feature] v-import-cpanel-backup command moved to vesta-bin folder (becoming standard myVesta command) * Starting to log auto-update output -Version 0.9.8-26-30 [26-Jul-2020] +Version 0.9.8-26-30 [2020-07-26] ================================================== * New ASCII logo in installer * Deleted favicon when user don't know secret-url of hosting panel @@ -194,14 +269,14 @@ Version 0.9.8-26-30 [26-Jul-2020] * [bugfix] Minor fix of URL for templates in v-update-dns-templates * [bugfix] Minor fixes in installer -Version 0.9.8-26-29 [21-Jul-2020] +Version 0.9.8-26-29 [2020-07-21] ================================================== * [Feature] v-clone-website command moved to vesta-bin folder (becoming standard myVesta command) * [Feature] v-migrate-site-to-https command moved to vesta-bin folder (becoming standard myVesta command) * [Bugfix] Fix for ClamAV socket * Changing Vesta to myVesta in title of hosting panel pages -Version 0.9.8-26-28 [15-Jul-2020] +Version 0.9.8-26-28 [2020-07-15] ================================================== * [Feature] v-install-wordpress command introduced * [Feature] v-move-domain-and-database-to-account command introduced @@ -209,37 +284,37 @@ Version 0.9.8-26-28 [15-Jul-2020] * [Bugfix] Fix for LetsEncrypt issuing in apache-less variant (nginx + php-fpm variant) * [Bugfix] Fix for configuring phpMyAdmin DB in apache-less variant (nginx + php-fpm variant) -Version 0.9.8-26-27 [05-Jul-2020] +Version 0.9.8-26-27 [2020-07-05] ================================================== * [Feature] Admins now see changelog when they open myVesta panel after myVesta get updated (changelog will dissapear on next refresh) * [Bugfix] Better control of opened SMTP concurrent connections (preventing denial-of-service of SMTP) on fresh installed servers - https://github.com/myvesta/vesta/commit/c57b15b5daca2a0ea88ee6a89a2ff5a4ef47d2a3 * Second tuning of php-fpm pool.d config files (perfomances and limits) -Version 0.9.8-26-26 [27-Jun-2020] +Version 0.9.8-26-26 [2020-06-27] ================================================== * [Feature] Self-signed SSL will be automaticaly added when you add new domain (CloudFlare is fine with that, you don't need LetsEncrypt anymore if you use CloudFlare as reverse-proxy(CDN+Firewall), just set "Full" in SSL section on CloudFlare) * [Feature] Script for adding self-signed SSL to desired domain [v-install-unsigned-ssl] * From now, on fresh installed server, default backup cron goes at Saturday at 01 AM (instead of everyday at 05 AM) * New favicon for hosting panel -Version 0.9.8-26-25 [23-Jun-2020] +Version 0.9.8-26-25 [2020-06-23] ================================================== * [Security] Fixing unnecessary slash in nginx configs for phpmyadmin and roundcube (Credits to Bernardo Berg @bberg1984 for finding this issue!) * [Security] Adding escapeshellarg on few more places in php code (Credits to Talha Günay and @Lupul for finding these places) -Version 0.9.8-26-24 [22-Jun-2020] +Version 0.9.8-26-24 [2020-06-22] ================================================== * [Bugfix] nginx + php-fpm installer variant now finally works -Version 0.9.8-26-23 [14-Jun-2020] +Version 0.9.8-26-23 [2020-06-14] ================================================== * Adding label that LetsEncrypt can be added when you Edit domain -Version 0.9.8-26-22 [13-Jun-2020] +Version 0.9.8-26-22 [2020-06-13] ================================================== * [Bugfix] Checking (in order to delete) php7.4 pool config file while deleting domain -Version 0.9.8-26-21 [13-Jun-2020] +Version 0.9.8-26-21 [2020-06-13] ================================================== * [Feature] Blocking executable files inside archives in received emails (ClamAV) * [Bugfix] Removing ability to schedule LetsEncrypt issuing while adding new domain (because it can fall in infinite loop whole day) @@ -248,82 +323,82 @@ Version 0.9.8-26-21 [13-Jun-2020] * [Bugfix] Script that removes depricated 'ssl on;' in nginx templates * [Security] Ensure UPDATE_SSL_SCRIPT is not set in some config files -Version 0.9.8-26-20 [01-Jun-2020] +Version 0.9.8-26-20 [2020-06-01] ================================================== * [Bugfix] Script that will ensure that Apache2 will always stay in mpm_event mode * [Bugfix] Ensure config files will not be overwritten while updating vesta-nginx package * [Bugfix] Fixing URL in v-update-web-templates script * [Feature] Additional rates for nginx anti-denial-of-service templates -Version 0.9.8-26-19 [15-May-2020] +Version 0.9.8-26-19 [2020-05-15] ================================================== * [Bugfix] Do not match subdomains while restoring domain [v-restore-user] -Version 0.9.8-26-18 [15-May-2020] +Version 0.9.8-26-18 [2020-05-15] ================================================== * [Bugfix] Fixing NS parameters in v-add-dns-on-web-alias -Version 0.9.8-26-17 [15-May-2020] +Version 0.9.8-26-17 [2020-05-15] ================================================== * [Bugfix] Reverting default clamav socket path * [Bugfix] Put mail_max_userip_connections = 50 in dovecot -Version 0.9.8-26-16 [15-May-2020] +Version 0.9.8-26-16 [2020-05-15] ================================================== * [Bugfix] Allow quick restarting of nginx if acme-challenge should be added many times * [Bugfix] Enabling email notification to fresh installed servers about backup success status * [Bugfix] Timeout 10 sec for apache2 status -Version 0.9.8-26-15 [09-May-2020] +Version 0.9.8-26-15 [2020-05-09] ================================================== * [Feature] nginx templates that can prevent denial-of-service on your server * First tuning php-fpm pool.d config files (perfomances and limits) * New logo -Version 0.9.8-26-14 [08-May-2020] +Version 0.9.8-26-14 [2020-05-08] ================================================== * v-clone-website script switched to parameters * Display new version in console while updating myVesta -Version 0.9.8-26-13 [07-May-2020] +Version 0.9.8-26-13 [2020-05-07] ================================================== * [Feature] Put build date and version in right-bottom corner of control panel -Version 0.9.8-26-12 [07-May-2020] +Version 0.9.8-26-12 [2020-05-07] ================================================== * [Feature] Put build date and version while compiling myVesta * [Feature] Office365 DNS template * [Feature] Yandex DNS template * ProFTPD MaxIstances = 100 for fresh installed servers -Version 0.9.8-26-11 [01-May-2020] +Version 0.9.8-26-11 [2020-05-01] ================================================== * [Feature] Skipping LE renewing after 7 failed attempts * [Bugfix] Keep conf files during auto-update * [Bugfix] Do not restart apache while preparing letsencrypt acme challenge * [Bugfix] Set ALLOW_BACKUP_ANYTIME='yes' for fresh installed servers -Version 0.9.8-26-10 [11-Apr-2020] +Version 0.9.8-26-10 [2020-04-11] ================================================== * [Feature] Creating v-normalize-restored-user script (normalize NS1, NS2 and IP of account that is backuped on other server and restored on this server) * Tweak for hostname FPM conf * [Security] Forbid changing root password (Credits to Alexandre ZANNI, Orange Cyberdefense, https://cyberdefense.orange.com) * [Security] Importing system enviroment in v-change-user-password (Credits to Alexandre ZANNI, Orange Cyberdefense, https://cyberdefense.orange.com) -Version 0.9.8-26-9 [23-Mar-2020] +Version 0.9.8-26-9 [2020-03-23] ================================================== * [Security] Preventing manipulation with $SERVER['HTTP_HOST'] (Credits to @mdisec - Managing Partner of PRODAFT / INVICTUS A.Ş. Master ninja at pentest.blog) -Version 0.9.8-26-8 [23-Mar-2020] +Version 0.9.8-26-8 [2020-03-23] ================================================== * [Security] Temporary fix for parsing backup conf (Credits to @dreiggy - https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/) -Version 0.9.8-26-7 [18-Mar-2020] +Version 0.9.8-26-7 [2020-03-18] ================================================== * [Bugfix] Fix that avoid LetsEncrypt domain validation timeout * [Bugfix] Set timeout in v-list-sys-web-status script -Version 0.9.8-26-6 [21-Feb-2020] +Version 0.9.8-26-6 [2020-02-21] ================================================== * [Bugfix] mail-wrapper.php from now works * [Feature] Introducing NOTIFY_ADMIN_FULL_BACKUP, email notification about backup success status @@ -331,7 +406,7 @@ Version 0.9.8-26-6 [21-Feb-2020] * [Feature] Introducing force-https-webmail-phpmyadmin nginx template * [Feature] Trigger for /root/update_firewall_custom.sh -Version 0.9.8-26-5 [10-Feb-2020] +Version 0.9.8-26-5 [2020-02-10] ================================================== * [Security] sudoers fix for Debian10 * [Feature] [Script that will migrate your site from http to https, replacing http to https URLs in database](https://github.com/myvesta/vesta/blob/master/src/deb/for-download/tools/v-migrate-site-to-https) @@ -340,7 +415,7 @@ Version 0.9.8-26-5 [10-Feb-2020] * [Bugfix] Roundcube force https * [Bugfix] Exim compatibility with Loopia for Debian10 -Version 0.9.8-26-4 [07-Jan-2020] +Version 0.9.8-26-4 [2020-01-07] ================================================== * [Feature] Allow whitelisting specific IP for /api/ * [Feature] Allow whitelisting specific IP to avoid secret_url @@ -348,11 +423,11 @@ Version 0.9.8-26-4 [07-Jan-2020] * [Bugfix] apparmor install fix again * [Bugfix] Turning off MariaDB SQL strict mode -Version 0.9.8-26-3 [26-Nov-2019] +Version 0.9.8-26-3 [2019-11-26] ================================================== * [Bugfix] Better check if session cron already added -Version 0.9.8-26-2 [15-Nov-2019] +Version 0.9.8-26-2 [2019-11-15] ================================================== * [Feature] Support for sub-sub-sub-sub versions :)) * [Bugfix] Support for longer username of email accounts @@ -360,7 +435,7 @@ Version 0.9.8-26-2 [15-Nov-2019] * [Bugfix] Trying to fix ClamAV broken socket * Moving to myvestacp.com -Version 0.9.8-26 [28-Sep-2019] +Version 0.9.8-26 [2019-09-28] ================================================== * [Bugfix] Let's Encrypt HTTP/2 support (by @serghey-rodin) * [Bugfix] Fixing broken autoreply output diff --git a/bin/v-activate-rocket-nginx b/bin/v-activate-rocket-nginx index bd4145cc..8b562c9b 100644 --- a/bin/v-activate-rocket-nginx +++ b/bin/v-activate-rocket-nginx @@ -75,18 +75,20 @@ fi # Changing Proxy Template # Check if the proxy template is already set correctly current_template=$(/usr/local/vesta/bin/v-list-web-domain $user $domain | grep 'PROXY:' | awk '{print $2}') -if [ "$current_template" == "wprocket-force-https" ] || [ "$current_template" == "wprocket-hosting" ]; then +if [ "$current_template" == "wprocket-force-https" ] || [ "$current_template" == "wprocket-hosting" ] || [ "$current_template" == "wprocket-webp-express-force-https" ]; then echo "Proxy Template is already set up correctly" else # Prompt the user to choose whether to force HTTPS or not - echo "Do you want to force-https in your Proxy Template or not (y/n):" + echo "Do you want to use wprocket-hosting template, wprocket-force-https template or wprocket-webp-express-force-https template (h/f/w):" read answer # Change the proxy template based on the user's choice - if [ "$answer" == "y" ]; then - /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-force-https" - else + if [ "$answer" == "h" ]; then /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-hosting" + elif [ "$answer" == "f" ]; then + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-force-https" + elif [ "$answer" == "w" ]; then + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-webp-express-force-https" fi echo "Proxy Template is ready" @@ -126,7 +128,7 @@ else chown $user:$user /home/$user/web/$domain/cron.log case $fpm_ver in - 5.6 | 7.0 | 7.1 | 7.2 | 7.3 | 7.4 | 8.0 | 8.1 | 8.2) + 5.6 | 7.0 | 7.1 | 7.2 | 7.3 | 7.4 | 8.0 | 8.1 | 8.2 | 8.3) /usr/local/vesta/bin/v-add-cron-job "$user" "*/15" "*" "*" "*" "*" "cd /home/$user/web/$domain/public_html; /usr/bin/php$fpm_ver wp-cron.php >/home/$user/web/$domain/cron.log 2>&1" ;; esac diff --git a/bin/v-add-firewall-ban b/bin/v-add-firewall-ban index a1eed13e..80143132 100755 --- a/bin/v-add-firewall-ban +++ b/bin/v-add-firewall-ban @@ -72,6 +72,13 @@ $iptables -I fail2ban-$chain 1 -s $ip \ # Changing permissions chmod 660 $conf +# nginx deny rules conf +if [ "$chain" = "WEB" ] && [ -f "/etc/nginx/conf.d/block.conf" ]; then + if ! grep -q "deny $ip;" /etc/nginx/conf.d/block.conf; then + echo "deny $ip;" >> /etc/nginx/conf.d/block.conf + systemctl reload nginx + fi +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-add-firewall-rule b/bin/v-add-firewall-rule index 6fb867d3..b815778b 100755 --- a/bin/v-add-firewall-rule +++ b/bin/v-add-firewall-rule @@ -83,6 +83,16 @@ sort_fw_rules # Updating system firewall $BIN/v-update-firewall +if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then + if [ "$port_ext" == "80,443" ] && [ "$action" == "DROP" ]; then + touch /etc/nginx/conf.d/block-firewall.conf + if ! grep -q "deny $ip;" /etc/nginx/conf.d/block-firewall.conf; then + echo "deny $ip;" >> /etc/nginx/conf.d/block-firewall.conf + systemctl restart nginx + fi + fi +fi + #----------------------------------------------------------# # Vesta # diff --git a/bin/v-add-letsencrypt-domain b/bin/v-add-letsencrypt-domain index 1f1f5a6e..a7c7fbb8 100755 --- a/bin/v-add-letsencrypt-domain +++ b/bin/v-add-letsencrypt-domain @@ -154,6 +154,11 @@ for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do done payload=$(echo "$payload"|sed "s/,$//") payload=$payload']}' +# validation='pending' +# # Start counter to avoid infinite loop +# i=0 +# while [ "$validation" = 'pending' ]; do +# echo "[$(date)] : ----------------------- step 2 loop, counter \$i=$i -----------------------" >> /usr/local/vesta/log/letsencrypt.log echo "[$(date)] : payload=$payload" >> /usr/local/vesta/log/letsencrypt.log echo "[$(date)] : query_le_v2 \"$url\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log answer=$(query_le_v2 "$url" "$payload" "$nonce") @@ -168,10 +173,19 @@ order=$(echo -e "$answer" | grep -i location | cut -f2 -d \ | tr -d '\r\n') echo "[$(date)] : order=$order" >> /usr/local/vesta/log/letsencrypt.log status=$(echo "$answer" |grep HTTP/ |tail -n1 |cut -f2 -d ' ') echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log +validation=$(echo "$answer" | grep 'status":' | cut -f4 -d '"') +echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log if [[ "$status" -ne 201 ]]; then echo "[$(date)] : EXIT=Let's Encrypt new auth status $status" >> /usr/local/vesta/log/letsencrypt.log check_result $E_CONNECT "Let's Encrypt new auth status $status" fi +# # Exit the loop after 5 attempts +# i=$((i + 1)) +# if [ $i -gt 5 ]; then +# break +# fi +# sleep 2 +# done # Requesting authorization token / STEP 3 echo "[$(date)] : --- Requesting authorization token / STEP 3 ---" >> /usr/local/vesta/log/letsencrypt.log @@ -276,19 +290,35 @@ for auth in $authz; do # Doing pol check on status i=1 while [ "$validation" = 'pending' ]; do - echo "[$(date)] : - Doing pol check on status" >> /usr/local/vesta/log/letsencrypt.log - payload='{}' - echo "[$(date)] : query_le_v2 \"$url\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log - answer=$(query_le_v2 "$url" "$payload" "$nonce") - echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log - url2=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \") - echo "[$(date)] : url2=$url2" >> /usr/local/vesta/log/letsencrypt.log - validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \") - echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log - nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n') - echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log - status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ') - echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log + i=0 + while true; do + echo "[$(date)] : ----------------------- Doing pol check on status, counter \$i=$i -----------------------" >> /usr/local/vesta/log/letsencrypt.log + payload='{}' + echo "[$(date)] : query_le_v2 \"$url\" \"$payload\" \"$nonce\"" >> /usr/local/vesta/log/letsencrypt.log + answer=$(query_le_v2 "$url" "$payload" "$nonce") + echo "[$(date)] : answer=$answer" >> /usr/local/vesta/log/letsencrypt.log + url2=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \") + echo "[$(date)] : url2=$url2" >> /usr/local/vesta/log/letsencrypt.log + validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \") + echo "[$(date)] : validation=$validation" >> /usr/local/vesta/log/letsencrypt.log + nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n') + echo "[$(date)] : nonce=$nonce" >> /usr/local/vesta/log/letsencrypt.log + status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ') + echo "[$(date)] : status=$status" >> /usr/local/vesta/log/letsencrypt.log + if [[ $(echo "$answer" | grep 'addressesResolved') != "" ]]; then + break + fi + if [ "$wildcard" = 'yes' ]; then + if [[ $(echo "$answer" | grep '"status": "valid"') != "" ]]; then + break + fi + fi + i=$((i + 1)) + if ((i > 30)); then + break + fi + sleep 2 + done if [[ "$status" -ne 200 ]]; then echo "[$(date)] : EXIT=Let's Encrypt validation status $status" >> /usr/local/vesta/log/letsencrypt.log check_result $E_CONNECT "Let's Encrypt validation status $status" diff --git a/bin/v-add-srs-support-to-exim b/bin/v-add-srs-support-to-exim new file mode 100644 index 00000000..4b7789ea --- /dev/null +++ b/bin/v-add-srs-support-to-exim @@ -0,0 +1,77 @@ +#!/bin/bash + +gen_pass() { + MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' + if [ -z "$1" ]; then + LENGTH=32 + else + LENGTH=$1 + fi + while [ ${n:=1} -le $LENGTH ]; do + PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}" + let n+=1 + done + echo "$PASS" +} + +eximversion=$(exim4 --version | grep '^Exim version ' | awk '{print $3}') +if (( $(echo "$eximversion < 4.96" | bc -l) )); then + echo "= ERROR: Exim SRS support requires Exim 4.96 or higher." + echo "You have Exim $eximversion" + exit 1; +fi + +echo "=== Addind SRS support to Exim4 ===" +# SRS support is taken from HestiaCP + +if [ ! -f "/etc/exim4/srs.conf" ]; then + echo "= Generating SRS KEY" + srs=$(gen_pass 16) + echo $srs > /etc/exim4/srs.conf + chmod 640 /etc/exim4/srs.conf + chown root:Debian-exim /etc/exim4/srs.conf +fi + +if [ ! -f "/etc/exim4/exim4.conf.template.backup-without-srs" ]; then + echo "= Backing up /etc/exim4/exim4.conf.template" + cp /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.backup-without-srs +fi + +if ! /usr/local/vesta/bin/v-grep 'SRS_SECRET = ' '/etc/exim4/exim4.conf.template' '-q'; then + echo "= Adding: SRS_SECRET = readfile /etc/exim4/srs.conf" + v-sed 'smtputf8_advertise_hosts =' 'smtputf8_advertise_hosts =\n\nSRS_SECRET = ${readfile{/etc/exim4/srs.conf}}' '/etc/exim4/exim4.conf.template' +fi + +if ! /usr/local/vesta/bin/v-grep 'if outbound, and forwarding has been done, use an alternate transport' '/etc/exim4/exim4.conf.template' '-q'; then + echo "= Patching \"dnslookup:\" block" + /usr/local/vesta/bin/v-php-func "replace_in_file_once_between_including_borders" "/etc/exim4/exim4.conf.template" 'dnslookup:' ' no_more' 'dnslookup:\n driver = dnslookup\n # if outbound, and forwarding has been done, use an alternate transport\n domains = ! +local_domains\n transport = ${if eq {$local_part@$domain} \\n {$original_local_part@$original_domain} \\n {remote_smtp} {remote_forwarded_smtp}}\n no_more' +fi + +if ! /usr/local/vesta/bin/v-grep 'inbound_srs:' '/etc/exim4/exim4.conf.template' '-q'; then + echo "= Adding \"inbound_srs\" and \"inbound_srs_failure\" blocks" + v-sed 'aliases:' 'inbound_srs:\n driver = redirect\n senders = :\n domains = +local_domains\n # detect inbound bounces which are converted to SRS, and decode them\n condition = ${if inbound_srs {$local_part} {SRS_SECRET}}\n data = $srs_recipient\n\ninbound_srs_failure:\n driver = redirect\n senders = :\n domains = +local_domains\n # detect inbound bounces which look converted to SRS but are invalid\n condition = ${if inbound_srs {$local_part} {}}\n allow_fail\n data = :fail: Invalid SRS recipient address\n\naliases:' '/etc/exim4/exim4.conf.template' +fi + +if ! /usr/local/vesta/bin/v-grep 'remote_forwarded_smtp:' '/etc/exim4/exim4.conf.template' '-q'; then + echo "= Adding \"remote_forwarded_smtp:\" block" + v-sed 'procmail:\n driver = pipe' 'remote_forwarded_smtp:\n driver = smtp\n dkim_domain = DKIM_DOMAIN\n dkim_selector = mail\n dkim_private_key = DKIM_PRIVATE_KEY\n dkim_canon = relaxed\n dkim_strict = 0\n hosts_try_fastopen = \n hosts_try_chunking = !93.188.3.0/24\n message_linelength_limit = 1G\n # modify the envelope from, for mails that we forward\n max_rcpt = 1\n return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}\n\nprocmail:\n driver = pipe' '/etc/exim4/exim4.conf.template' +fi + +touch /etc/exim4/limit_per_email_account_max_sent_emails_per_hour +touch /etc/exim4/limit_per_email_account_max_recipients +touch /etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour +touch /etc/exim4/limit_per_hosting_account_max_recipients + +echo "= Restarting exim4 service" +systemctl restart exim4 + +if [ $? -ne 0 ]; then + systemctl status exim4 + cp /etc/exim4/exim4.conf.template.backup-without-srs /etc/exim4/exim4.conf.template + systemctl restart exim4 + echo "=== Patching failed, old exim conf returned, exim4 restarted again." + exit 1 +fi +echo "=== SRS support was added successfully. ===" + +exit 0 diff --git a/bin/v-add-user-package b/bin/v-add-user-package index 0cab1a3d..e9fe210a 100755 --- a/bin/v-add-user-package +++ b/bin/v-add-user-package @@ -28,7 +28,7 @@ is_package_new() { } is_package_consistent() { - source $pkg_dir/$package.pkg + parse_object_kv_list_non_eval $(cat $pkg_dir/$package.pkg) if [ "$WEB_DOMAINS" != 'unlimited' ]; then is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS' fi @@ -63,6 +63,9 @@ is_package_consistent() { is_int_format_valid $BACKUPS 'BACKUPS' fi is_format_valid_shell $SHELL + is_web_template_valid $WEB_TEMPLATE + is_dns_template_valid $DNS_TEMPLATE + is_proxy_template_valid $PROXY_TEMPLATE } diff --git a/bin/v-add-wordpress-admin b/bin/v-add-wordpress-admin new file mode 100644 index 00000000..60778fb2 --- /dev/null +++ b/bin/v-add-wordpress-admin @@ -0,0 +1,76 @@ +#!/bin/bash +# info: Add a WordPress admin user to a specific domain +# options: DOMAIN USERNAME PASSWORD EMAIL + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +if [ "$#" -lt 4 ]; then + echo "Usage: v-add-wordpress-admin [DOMAIN] [USERNAME] [PASSWORD] [EMAIL]" + exit 1 +fi + +# Importing system environment +source /etc/profile + +SILENT_MODE=1 + +# Argument definition +domain=$1 +username=$2 +password=$3 +email=$4 + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/func/domain.sh + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '4' "$#" 'DOMAIN USERNAME PASSWORD EMAIL' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" + +if [ ! -d "/home/$user" ]; then + echo "User doesn't exist"; + exit 1; +fi + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + echo "Domain doesn't exist"; + exit 1; +fi + +if [ ! -f "/home/$user/web/$domain/public_html/wp-config.php" ]; then + echo 'Please install WordPress first.' + exit 1; +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +/usr/local/vesta/bin/v-run-wp-cli $domain user create $username $email --role=administrator --user_pass="$password" --skip-plugins --skip-themes; + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit 0; diff --git a/bin/v-backup-user b/bin/v-backup-user index 0db5d376..f6629c9e 100755 --- a/bin/v-backup-user +++ b/bin/v-backup-user @@ -22,6 +22,9 @@ source $VESTA/func/domain.sh source $VESTA/func/db.sh source $VESTA/conf/vesta.conf +if [ ! -z "$NOW" ]; then + BACKUP_LA_LIMIT=50 +fi #----------------------------------------------------------# # Verifications # diff --git a/bin/v-backup-user-now b/bin/v-backup-user-now new file mode 100644 index 00000000..10eecd87 --- /dev/null +++ b/bin/v-backup-user-now @@ -0,0 +1,6 @@ +#!/bin/bash + +export ALLOW_BACKUP_ANYTIME='yes' +export NOW='yes' + +nice -n 19 ionice -c 3 /usr/local/vesta/bin/v-backup-user $1 diff --git a/bin/v-backup-users b/bin/v-backup-users index 16a93d6d..05550ded 100755 --- a/bin/v-backup-users +++ b/bin/v-backup-users @@ -37,7 +37,7 @@ fi log=$VESTA/log/backup.log -$BIN/v-check-vesta-license >/dev/null +# $BIN/v-check-vesta-license >/dev/null touch $log if [ ! -z "$NOTIFY_ADMIN_FULL_BACKUP" ]; then diff --git a/bin/v-blacklist-email-account b/bin/v-blacklist-email-account new file mode 100644 index 00000000..59ec9cf8 --- /dev/null +++ b/bin/v-blacklist-email-account @@ -0,0 +1,102 @@ +#!/bin/bash +# info: Add a specific email address to exim4 and spamassassin blacklist +# usage: v-blacklist-email-account EMAIL + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Determine Debian version and set SpamAssassin service name +release=$(cat /etc/debian_version | tr "." "\n" | head -n1) +if [ "$release" -lt 12 ]; then + SPAMD_SERVICE="spamassassin.service" +else + SPAMD_SERVICE="spamd.service" +fi + +DENY_SENDERS_FILE="/etc/exim4/deny_senders" +SPAMASSASSIN_FILE="/etc/spamassassin/local.cf" + +# Flags to track changes +SPAMASSASSIN_CHANGED=false + +# Function to check if an entry already exists in a file +check_entry_exists() { + local entry=$1 + local file=$2 + grep -qF "$entry" "$file" +} + +# Function to add an entry to a file +add_entry_to_file() { + local entry=$1 + local file=$2 + echo "$entry" >> "$file" +} + +# Display usage if no arguments are provided +if [ $# -lt 1 ]; then + echo "Usage: v-blacklist-email EMAIL" + exit 1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +EMAIL=$1 + +# Validate email format +if [[ ! "$EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then + echo "Invalid email address format." + exit 1 +fi + +# Prepare entries for Exim4 and SpamAssassin +EXIM_ENTRY="$EMAIL" +SPAMASSASSIN_ENTRY="blacklist_from $EMAIL" + +#----------------------------------------------------------# +# Exim4 Blacklist # +#----------------------------------------------------------# + +echo "Updating $DENY_SENDERS_FILE..." +if ! check_entry_exists "$EXIM_ENTRY" "$DENY_SENDERS_FILE"; then + add_entry_to_file "$EXIM_ENTRY" "$DENY_SENDERS_FILE" + echo "Added $EXIM_ENTRY to $DENY_SENDERS_FILE." +else + echo "$EXIM_ENTRY already exists in $DENY_SENDERS_FILE." +fi + +#----------------------------------------------------------# +# SpamAssassin Blacklist # +#----------------------------------------------------------# + +echo "Updating $SPAMASSASSIN_FILE..." +if ! check_entry_exists "$SPAMASSASSIN_ENTRY" "$SPAMASSASSIN_FILE"; then + add_entry_to_file "$SPAMASSASSIN_ENTRY" "$SPAMASSASSIN_FILE" + echo "Added $SPAMASSASSIN_ENTRY to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true +else + echo "$SPAMASSASSIN_ENTRY already exists in $SPAMASSASSIN_FILE." +fi + +if [ "$SPAMASSASSIN_CHANGED" == "true" ]; then + systemctl restart "$SPAMD_SERVICE" + echo "SpamAssassin service ($SPAMD_SERVICE) restarted." +fi + +#----------------------------------------------------------# +# Done # +#----------------------------------------------------------# + +exit 0 diff --git a/bin/v-blacklist-email-domain b/bin/v-blacklist-email-domain new file mode 100644 index 00000000..a72a17a9 --- /dev/null +++ b/bin/v-blacklist-email-domain @@ -0,0 +1,133 @@ +#!/bin/bash +# info: Add a domain to exim4 and spamassassin blacklist +# usage: v-blacklist-email-domain DOMAIN SUBDOMAIN(YES/NO) + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Determine Debian version and set SpamAssassin service name +release=$(cat /etc/debian_version | tr "." "\n" | head -n1) +if [ "$release" -lt 12 ]; then + SPAMD_SERVICE="spamassassin.service" +else + SPAMD_SERVICE="spamd.service" +fi + +DENY_SENDERS_FILE="/etc/exim4/deny_senders" +SPAMASSASSIN_FILE="/etc/spamassassin/local.cf" + +# Flags to track changes +SPAMASSASSIN_CHANGED=false + +# Function to check if a domain already exists in a file +check_domain_exists() { + local domain=$1 + local file=$2 + grep -qE "^${domain}$" "$file" +} + +# Function to check if a SpamAssassin entry already exists +check_spamassassin_exists() { + local entry=$1 + local file=$2 + grep -qF "$entry" "$file" +} + +# Function to add domain to file +add_domain_to_file() { + local domain=$1 + local file=$2 + echo "$domain" >> "$file" +} + +# Display usage if no arguments are provided +if [ $# -lt 2 ]; then + echo "Usage: v-blacklist-domain DOMAIN SUBDOMAIN(YES/NO)" + exit 1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +DOMAIN=$1 +SUBDOMAIN=${2^^} # Convert to uppercase for consistency (YES/NO) + +# Validate SUBDOMAIN parameter +if [[ "$SUBDOMAIN" != "YES" && "$SUBDOMAIN" != "NO" ]]; then + echo "Invalid parameter for SUBDOMAIN. Use YES or NO." + exit 1 +fi + +# Prepare entries for Exim4 +EXIM_ENTRY_MAIN="$DOMAIN" +EXIM_ENTRY_SUB="*.$DOMAIN" + +# Prepare entries for SpamAssassin +SPAMASSASSIN_ENTRY_MAIN="blacklist_from *@${DOMAIN}" +SPAMASSASSIN_ENTRY_SUB="blacklist_from *.$DOMAIN" + +#----------------------------------------------------------# +# Exim4 Blacklist # +#----------------------------------------------------------# + +echo "Updating $DENY_SENDERS_FILE..." +if ! check_domain_exists "$EXIM_ENTRY_MAIN" "$DENY_SENDERS_FILE"; then + add_domain_to_file "$EXIM_ENTRY_MAIN" "$DENY_SENDERS_FILE" + echo "Added $EXIM_ENTRY_MAIN to $DENY_SENDERS_FILE." +else + echo "$EXIM_ENTRY_MAIN already exists in $DENY_SENDERS_FILE." +fi + +if [ "$SUBDOMAIN" == "YES" ]; then + if ! check_domain_exists "$EXIM_ENTRY_SUB" "$DENY_SENDERS_FILE"; then + add_domain_to_file "$EXIM_ENTRY_SUB" "$DENY_SENDERS_FILE" + echo "Added $EXIM_ENTRY_SUB to $DENY_SENDERS_FILE." + else + echo "$EXIM_ENTRY_SUB already exists in $DENY_SENDERS_FILE." + fi +fi + +#----------------------------------------------------------# +# SpamAssassin Blacklist # +#----------------------------------------------------------# + +echo "Updating $SPAMASSASSIN_FILE..." +if ! check_spamassassin_exists "$SPAMASSASSIN_ENTRY_MAIN" "$SPAMASSASSIN_FILE"; then + add_domain_to_file "$SPAMASSASSIN_ENTRY_MAIN" "$SPAMASSASSIN_FILE" + echo "Added $SPAMASSASSIN_ENTRY_MAIN to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true +else + echo "$SPAMASSASSIN_ENTRY_MAIN already exists in $SPAMASSASSIN_FILE." +fi + +if [ "$SUBDOMAIN" == "YES" ]; then + if ! check_spamassassin_exists "$SPAMASSASSIN_ENTRY_SUB" "$SPAMASSASSIN_FILE"; then + add_domain_to_file "$SPAMASSASSIN_ENTRY_SUB" "$SPAMASSASSIN_FILE" + echo "Added $SPAMASSASSIN_ENTRY_SUB to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true + else + echo "$SPAMASSASSIN_ENTRY_SUB already exists in $SPAMASSASSIN_FILE." + fi +fi + +if [ "$SPAMASSASSIN_CHANGED" == "true" ]; then + systemctl restart "$SPAMD_SERVICE" + echo "SpamAssassin service ($SPAMD_SERVICE) restarted." +fi + +#----------------------------------------------------------# +# Done # +#----------------------------------------------------------# + +exit 0 diff --git a/bin/v-change-database-password-for-all-wordpress b/bin/v-change-database-password-for-all-wordpress new file mode 100644 index 00000000..1a364307 --- /dev/null +++ b/bin/v-change-database-password-for-all-wordpress @@ -0,0 +1,65 @@ +#!/bin/bash +# info: change db password to all wordpress databases +# options: +# +# The command is used for changing db password to all wordpress databases on the server. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Importing system variables +source /etc/profile + +# Includes +source $VESTA/func/main.sh + +only_user=''; +if [ ! -z "$1" ]; then + only_user=$1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +touch /root/remember-db-user-pass.txt + +for user in $(grep '@' /etc/passwd |cut -f1 -d:); do + if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then + continue; + fi + + if [ ! -z "$only_user" ]; then + if [ "$only_user" != "$user" ]; then + continue; + fi + fi + + for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do + if [ -f "/home/$user/web/$domain/public_html/wp-config.php" ]; then + /usr/local/vesta/bin/v-change-database-password-for-wordpress $domain $user + echo "--------------------------------" + fi + done + + if [ ! -z "$only_user" ]; then + break; + fi + +done + +# cat /root/remember-db-user-pass.txt +if [ -f "/root/remember-db-user-pass.txt" ]; then + rm /root/remember-db-user-pass.txt +fi + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$ARGUMENTS" + +exit diff --git a/bin/v-change-database-password-for-wordpress b/bin/v-change-database-password-for-wordpress new file mode 100644 index 00000000..7f31b181 --- /dev/null +++ b/bin/v-change-database-password-for-wordpress @@ -0,0 +1,132 @@ +#!/bin/bash +# info: change database password for wordpress +# options: +# +# The command is used for changing database password for wordpress. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Argument definition +domain=$1 + +# Check if number of arguments is 2 +if [ $# -eq 2 ]; then + user=$2 +else + user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +fi +USER=$user + +if [ -z "$user" ]; then + echo "ERROR: Domain $domain not found" + exit 1; +fi + +if [ ! -d "/home/$user" ]; then + echo "ERROR: User $user doesn't exist"; + exit 1; +fi + +# Includes +source /usr/local/vesta/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + echo "ERROR: Domain doesn't exist"; + exit 1; +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +if [ -f "/home/$user/web/$domain/public_html/wp-config.php" ]; then + echo "=== Domain: $domain" + wp_config_path="/home/$user/web/$domain/public_html/wp-config.php" + if grep -q $'\r' $wp_config_path; then + echo "=== removing CRLF from wp-config.php" + tr -d '\r' < $wp_config_path > /tmp/wp-config.php && mv /tmp/wp-config.php $wp_config_path + chown $user:$user $wp_config_path + fi + db_name=$(grep "DB_NAME" $wp_config_path | grep -oP "define\s*\(\s*'DB_NAME'\s*,\s*'\K[^']+") + db_user=$(grep "DB_USER" $wp_config_path | grep -oP "define\s*\(\s*'DB_USER'\s*,\s*'\K[^']+") + if [ -z "$db_name" ]; then + db_name=$(grep "DB_NAME" $wp_config_path | grep -oP "define\s*\(\s*'DB_NAME'\s*,\s*\"\K[^\"]+") + fi + if [ -z "$db_user" ]; then + db_user=$(grep "DB_USER" $wp_config_path | grep -oP "define\s*\(\s*'DB_USER'\s*,\s*\"\K[^\"]+") + fi + new_password='' + found_existing_password=0 + if [ -f "/root/remember-db-user-pass.txt" ]; then + db_user_pass=$(grep "$db_user:" /root/remember-db-user-pass.txt) + if [ -n "$db_user_pass" ]; then + new_password=$(echo "$db_user_pass" | cut -d':' -f2) + echo "= Using existing password for $db_user" + found_existing_password=1 + fi + fi + + if [ -z "$new_password" ]; then + new_password=$(generate_password) + fi + + echo "DB name: $db_name" + echo "DB user: $db_user" + echo "New DB password: $new_password" + if [ $found_existing_password -eq 0 ]; then + touch /root/remember-db-user-pass.txt + echo "$db_user:$new_password" >> /root/remember-db-user-pass.txt + chown root:root /root/remember-db-user-pass.txt + chmod 600 /root/remember-db-user-pass.txt + fi + /usr/local/vesta/bin/v-change-database-password "$user" "$db_name" "$new_password" + if [ $? -ne 0 ]; then + echo "*************** ERROR: Failed to change database password ***************" + exit 1; + fi + line="define('DB_PASSWORD', '$new_password');" + chattr -i $wp_config_path + sed -i "s/.*define(.*DB_PASSWORD'.*/$line/" $wp_config_path + new_password_line=$(grep "DB_PASSWORD" $wp_config_path) + echo "New DB password line: $new_password_line" + if [ "$new_password_line" != "$line" ]; then + echo "*************** ERROR: line in wp-config.php is not what we expected ***************" + echo "Expected: $line" + echo "Actual : $new_password_line" + echo "*************** ERROR: Please check wp-config.php manually ***************" + exit 1; + fi +else + echo "ERROR: WP-config.php not found" + exit 1; +fi + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$ARGUMENTS" + +exit 0; diff --git a/bin/v-change-dir-www b/bin/v-change-dir-www new file mode 100644 index 00000000..1f230099 --- /dev/null +++ b/bin/v-change-dir-www @@ -0,0 +1,71 @@ +#!/bin/bash +# info: Change directory to the public_html folder of a domain +# usage: source v-cd-www DOMAIN + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then + echo "This script must be sourced to change the current directory." + echo "Usage: source v-cd-www DOMAIN" + exit 1 +fi + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + return 1 +fi + +# Importing system environment +source /etc/profile +PATH=$PATH:/usr/local/vesta/bin && export PATH + +SILENT_MODE=1 + +# Argument definition +domain=$1 + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) + +if [ -z "$user" ]; then + echo "Domain $domain doesn't exist" + return 1 +fi + +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/func/domain.sh + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" + +if [ ! -d "/home/$user" ]; then + echo "User $user doesn't exist" + return 1 +fi + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + echo "Domain $domain doesn't have a public_html directory" + return 1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +cd "/home/$user/web/$domain/public_html" + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +return 0 diff --git a/bin/v-change-domain-owner b/bin/v-change-domain-owner index 09ae9bcc..ed5fa5a4 100755 --- a/bin/v-change-domain-owner +++ b/bin/v-change-domain-owner @@ -82,6 +82,10 @@ if [ ! -z "$web_data" ]; then # Move data mv $HOMEDIR/$owner/web/$domain $HOMEDIR/$user/web/ + if [ -d "/hdd/home/$owner/web/$domain" ]; then + $BIN/v-move-folder-and-make-symlink /hdd/home/$owner/web/$domain /hdd/home/$user/web/$domain + fi + # Change ownership find $HOMEDIR/$user/web/$domain -user $owner \ -exec chown -h $user:$user {} \; @@ -152,6 +156,10 @@ if [ ! -z "$mail_data" ]; then # Move data mv $HOMEDIR/$owner/mail/$domain $HOMEDIR/$user/mail/ + if [ -d "/hdd/home/$owner/mail/$domain" ]; then + $BIN/v-move-folder-and-make-symlink /hdd/home/$owner/mail/$domain /hdd/home/$user/mail/$domain + fi + # Change ownership find $HOMEDIR/$user/mail/$domain -user $owner \ -exec chown -h $user {} \; diff --git a/bin/v-change-firewall-rule b/bin/v-change-firewall-rule index d2502bce..aad2ec38 100755 --- a/bin/v-change-firewall-rule +++ b/bin/v-change-firewall-rule @@ -62,6 +62,8 @@ str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'" str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'" str="$str TIME='$time' DATE='$date'" +oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf) + # Deleting old rule sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf @@ -74,6 +76,14 @@ sort_fw_rules # Updating system firewall $BIN/v-update-firewall +if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then + if [ "$port_ext" == "80,443" ] && [ "$action" == "DROP" ]; then + NEWIP=$ip + parse_object_kv_list_non_eval "$oldvalues" + sed -i "s|$IP|$NEWIP|g" /etc/nginx/conf.d/block-firewall.conf + systemctl restart nginx + fi +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-change-user-package b/bin/v-change-user-package index d0de98db..1e088bcc 100755 --- a/bin/v-change-user-package +++ b/bin/v-change-user-package @@ -16,6 +16,7 @@ force=$3 # Includes source $VESTA/func/main.sh +source $VESTA/func/domain.sh source $VESTA/conf/vesta.conf is_package_avalable() { @@ -23,7 +24,7 @@ is_package_avalable() { usr_data=$(cat $USER_DATA/user.conf) IFS=$'\n' for key in $usr_data; do - eval ${key%%=*}=${key#*=} + parse_object_kv_list_non_eval $key done WEB_DOMAINS='0' @@ -35,7 +36,7 @@ is_package_avalable() { pkg_data=$(cat $VESTA/data/packages/$package.pkg |grep -v TIME |\ grep -v DATE) - eval $pkg_data + parse_object_kv_list_non_eval $pkg_data # Checking usage agains package limits if [ "$WEB_DOMAINS" != 'unlimited' ]; then @@ -73,11 +74,15 @@ is_package_avalable() { check_result $E_LIMIT "Package doesn't cover BANDWIDTH usage" fi fi + + is_web_template_valid $WEB_TEMPLATE + is_dns_template_valid $DNS_TEMPLATE + is_proxy_template_valid $PROXY_TEMPLATE } change_user_package() { - eval $(cat $USER_DATA/user.conf) - eval $(cat $VESTA/data/packages/$package.pkg |egrep -v "TIME|DATE") + parse_object_kv_list_non_eval $(cat $USER_DATA/user.conf) + parse_object_kv_list_non_eval $(cat $VESTA/data/packages/$package.pkg |egrep -v "TIME|DATE") echo "FNAME='$FNAME' LNAME='$LNAME' PACKAGE='$package' diff --git a/bin/v-change-wordpress-admin-passwords b/bin/v-change-wordpress-admin-passwords new file mode 100644 index 00000000..bca23ad8 --- /dev/null +++ b/bin/v-change-wordpress-admin-passwords @@ -0,0 +1,201 @@ +#!/bin/bash +# info: interactively delete or change WordPress admin passwords for a given domain +# options: DOMAIN +# +# d → delete user (with content reassignment) +# c → change password (random 10-char alnum) +# s → skip +# x → exit + +#----------------------------------------------------------# +# Variable & Function # +#----------------------------------------------------------# + +[ "$(whoami)" != "root" ] && { echo "You must be root to run this command."; exit 1; } +source /etc/profile + +DOMAIN="$1" +[ -z "$DOMAIN" ] && { echo "Usage: v-change-wp-admins-pass DOMAIN"; exit 1; } + +USER="$(/usr/local/vesta/bin/v-search-domain-owner "$DOMAIN")" +[ -z "$USER" ] && { echo "Domain $DOMAIN does not exist."; exit 1; } + +WP_PATH="/home/$USER/web/$DOMAIN/public_html" +[ ! -f "$WP_PATH/wp-config.php" ] && { echo "WordPress is not installed on this domain."; exit 1; } + +# WP-CLI wrapper +if [ ! -z "$PHP" ]; then + WP_RUN="PHP=$PHP /usr/local/vesta/bin/v-run-wp-cli $DOMAIN --skip-plugins --skip-themes" +else + WP_RUN="/usr/local/vesta/bin/v-run-wp-cli $DOMAIN --skip-plugins --skip-themes" +fi + +# random 10-char password +gen_pass() { tr -dc 'A-Za-z0-9' > /home/$USER/web/$DOMAIN/wp-admin-password-change.txt + chown $USER:$USER /home/$USER/web/$DOMAIN/wp-admin-password-change.txt + chmod 600 /home/$USER/web/$DOMAIN/wp-admin-password-change.txt + else + cat /home/$USER/web/$DOMAIN/wp-cli-error.log + echo "Failed to change password for $TARGET." + fi + break + ;; + [Ss]* ) + echo "Skipping $TARGET." + break + ;; + [Xx]* ) + echo "Exiting." + exit 0 + ;; + * ) echo "Please answer d, c, s, or x." ;; + esac + done +done <<< "$ADMIN_LIST_CSV" + +if [ -f /home/$USER/web/$DOMAIN/wp-admin-password-change.txt ]; then + echo "" + echo "" + echo "-------------------------------------" + echo "For website $DOMAIN - new wp-admin passwords have been set." + echo "-------------------------------------" + cat /home/$USER/web/$DOMAIN/wp-admin-password-change.txt + echo "-------------------------------------" + echo "" + echo "" + read -r -p "Do you want to save the new passwords to a file /home/$USER/web/$DOMAIN/wp-admin-password-change.txt ? (y/n, default: n) " SAVE_PASSWORDS < /dev/tty + if [ -z "$SAVE_PASSWORDS" ]; then + SAVE_PASSWORDS="n" + fi + if [[ $SAVE_PASSWORDS =~ ^[Nn]$ ]]; then + rm /home/$USER/web/$DOMAIN/wp-admin-password-change.txt + fi +fi + +#----------------------------------------------------------# +# flush cache and refresh all security salts # +#----------------------------------------------------------# + +echo "-------------------------------------" +echo +echo "Flushing cache and refreshing salts..." + +RUN="$WP_RUN cache flush" +eval "$RUN" +RUN="$WP_RUN config shuffle-salts WP_CACHE_KEY_SALT --force" +eval "$RUN" +RUN="$WP_RUN config shuffle-salts" +eval "$RUN" + +echo "Cache flushed and salts refreshed." + +echo +echo "Done." + +exit 0 diff --git a/bin/v-clean-garbage b/bin/v-clean-garbage index 80d7f165..11e29122 100644 --- a/bin/v-clean-garbage +++ b/bin/v-clean-garbage @@ -14,6 +14,10 @@ if [ "$whoami" != "root" ]; then exit 1 fi +echo "===== Before cleaning =====" +df -h +echo "===========================" + # Includes source /usr/local/vesta/func/main.sh @@ -65,6 +69,8 @@ clean_home() { find $1/*/web/*/public_html/wp-content/wpvividbackups/ -type f -not -name ".htaccess" -not -name "index.php" -not -name "index.html" -not -name "web.config" -delete > /dev/null 2>&1 find $1/*/web/*/public_html/wp-content/updraft/ -type f -not -name ".htaccess" -not -name "index.php" -not -name "index.html" -not -name "web.config" -delete > /dev/null 2>&1 find $1/*/web/*/public_html/wp-content/plugins/ezpz-one-click-backup/backups/ -type f -not -name ".htaccess" -not -name "index.php" -not -name "index.html" -not -name "web.config" -delete > /dev/null 2>&1 + find $1/*/web/*/public_html/wp-content/backups-dup-lite/ -type f -not -name ".htaccess" -not -name "index.php" -not -name "index.html" -not -name "web.config" -delete > /dev/null 2>&1 + find $1/*/web/*/public_html/wp-content/cache/ -type f -not -name ".htaccess" -delete > /dev/null 2>&1 find $1/*/web/*/public_html/ -type f -name "*.wpress" -delete > /dev/null 2>&1 nice -n 19 ionice -c 3 find $1/*/tmp/ -type f -mtime +1 -delete > /dev/null 2>&1 nice -n 19 ionice -c 3 find $1/*/web/*/public_html/ -type f -name "error_log" -exec truncate -s 0 {} \; @@ -84,6 +90,13 @@ if [ $fail2ban_running -eq 1 ]; then fi if [ -f "/var/lib/fail2ban/fail2ban.sqlite3" ]; then rm /var/lib/fail2ban/fail2ban.sqlite3 + if [ -f "/etc/nginx/conf.d/block.conf" ]; then + truncate -s 0 /etc/nginx/conf.d/block.conf + nginx_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'nginx' | grep -c 'running') + if [ $nginx_running -eq 1 ]; then + systemctl restart nginx + fi + fi fi if [ $fail2ban_running -eq 1 ]; then systemctl start fail2ban @@ -97,11 +110,23 @@ if [ -f "/usr/local/bin/tailf_exim.php" ]; then nohup php /usr/local/bin/tailf_exim.php > /var/log/tailf_exim.log 2>&1 & fi +exim_installed=$(/usr/local/vesta/bin/v-list-sys-services | grep -c 'exim') +if [ $exim_installed -gt 0 ]; then + systemctl restart exim4 +fi + + #----------------------------------------------------------# # Vesta # #----------------------------------------------------------# -echo "=== Garbage cleaned ===" +echo "" +echo "***** Garbage cleaned *****" +echo "" +echo "===== After cleaning ======" +df -h +echo "===========================" + log_event "$OK" "$ARGUMENTS" diff --git a/bin/v-clear-fail2ban b/bin/v-clear-fail2ban new file mode 100644 index 00000000..ab3ab30c --- /dev/null +++ b/bin/v-clear-fail2ban @@ -0,0 +1,59 @@ +#!/bin/bash +# info: Clean fail2ban database +# options: NONE +# +# The function is cleaning fail2ban database + +#----------------------------------------------------------# +# Verifications & Variable & Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# check if fail2ban is installed +fail2ban_installed=$(/usr/local/vesta/bin/v-list-sys-services | grep -c 'fail2ban') +if [ $fail2ban_installed -eq 0 ]; then + echo "Fail2ban is not installed" + exit 1 +fi + +# Includes +source /usr/local/vesta/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Cleaning fail2ban database +fail2ban_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'fail2ban' | grep -c 'running') +if [ $fail2ban_running -eq 1 ]; then + echo "== Stopping fail2ban" + systemctl stop fail2ban +fi +if [ -f "/var/lib/fail2ban/fail2ban.sqlite3" ]; then + echo "== Cleaning fail2ban database" + rm /var/lib/fail2ban/fail2ban.sqlite3 + if [ -f "/etc/nginx/conf.d/block.conf" ]; then + echo "== Cleaning nginx block.conf" + truncate -s 0 /etc/nginx/conf.d/block.conf + nginx_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'nginx' | grep -c 'running') + if [ $nginx_running -eq 1 ]; then + echo "== Restarting nginx" + systemctl restart nginx + fi + fi +fi +if [ $fail2ban_running -eq 1 ]; then + echo "== Starting fail2ban" + systemctl start fail2ban +fi + +echo "== Done, fail2ban database cleaned" + +log_event "$OK" "$ARGUMENTS" + +exit diff --git a/bin/v-clone-website b/bin/v-clone-website index 0daf403c..9bebbffd 100644 --- a/bin/v-clone-website +++ b/bin/v-clone-website @@ -20,6 +20,7 @@ if [ $# -lt 2 ]; then echo "--TO_DATABASE_USERNAME=..." echo "--TO_DATABASE_PASSWORD=..." echo "--SITE_SUBFOLDER=..." + echo "--EXCLUDE_UPLOADS=1 (or do not set it)" exit 1 fi @@ -263,12 +264,6 @@ if [ $IT_IS_WP -eq 0 ]; then cd /root git clone https://github.com/interconnectit/Search-Replace-DB.git fi -else - if [ ! -f "/usr/local/bin/wp" ]; then - echo "=== Downloading latest wp-cli" - wget -nv https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/local/bin/wp - chmod +x /usr/local/bin/wp - fi fi CREATE_TO_DATABASE=0 @@ -313,6 +308,7 @@ echo "FROM_DOMAIN_PROXY_TPL = $FROM_DOMAIN_PROXY_TPL" echo "FROM_DOMAIN_PROXY_EXT = $FROM_DOMAIN_PROXY_EXT" echo "SEARCH_FOR_CONFIGS_DATABASE_NAME = $SEARCH_FOR_CONFIGS_DATABASE_NAME" echo "SEARCH_FOR_CONFIGS_DATABASE_USERNAME = $SEARCH_FOR_CONFIGS_DATABASE_USERNAME" +echo "EXCLUDE_UPLOADS = $EXCLUDE_UPLOADS" echo "===============================================================================" read -p "=== Press Enter to continue ===" @@ -370,17 +366,25 @@ if [ -d "/root/temp" ]; then fi mkdir -p /root/temp cd /root/temp -mysqldump $FROM_DATABASE_NAME > $FROM_DATABASE_NAME.sql +mysqldump --max_allowed_packet=1024M $FROM_DATABASE_NAME > $FROM_DATABASE_NAME.sql echo "=== Importing to database $TO_DATABASE_NAME" mysql $TO_DATABASE_NAME < $FROM_DATABASE_NAME.sql +rm $FROM_DATABASE_NAME.sql + +EXCLUDE='' +if [ ! -z "$EXCLUDE_UPLOADS" ]; then + EXCLUDE="--exclude '/wp-content/uploads/*'" +fi echo "=== Copying files from $FROM_FOLDER to folder $TO_FOLDER" if [ "$SITE_SUBFOLDER" != ".." ]; then - echo "====== Executing: rsync -a --delete $FROM_FOLDER/ $TO_FOLDER/" - rsync -a --delete $FROM_FOLDER/ $TO_FOLDER/ + run="rsync -a --delete $EXCLUDE $FROM_FOLDER/ $TO_FOLDER/" + echo "====== Executing: $run" + eval $run else - echo "====== Executing: rsync -a --delete --exclude 'logs/*' $FROM_FOLDER/ $TO_FOLDER/" - rsync -a --delete --exclude 'logs/*' $FROM_FOLDER/ $TO_FOLDER/ + run="rsync -a --delete $EXCLUDE --exclude 'logs/*' $FROM_FOLDER/ $TO_FOLDER/" + echo "====== Executing: $run" + eval $run fi echo "=== Chowning to $TO_USER:$TO_USER in folder $TO_FOLDER" chown -R $TO_USER:$TO_USER $TO_FOLDER @@ -419,16 +423,15 @@ if [ $IT_IS_WP -eq 0 ]; then php /root/Search-Replace-DB/srdb.cli.php -h localhost -n "$TO_DATABASE_NAME" -u "$TO_DATABASE_USERNAME" -p "$TO_DATABASE_PASSWORD" -s "/home/$FROM_USER/" -r "/home/$TO_USER/" fi else - cd $TO_FOLDER echo "=== Replacing $FROM_DOMAIN to $TO_DOMAIN in database $TO_DATABASE_NAME" - sudo -H -u$TO_USER wp search-replace "$FROM_DOMAIN" "$TO_DOMAIN" --precise --all-tables --skip-columns=guid + /usr/local/vesta/bin/v-run-wp-cli $TO_DOMAIN search-replace "$FROM_DOMAIN" "$TO_DOMAIN" --precise --all-tables --skip-columns=guid --skip-plugins --skip-themes; if [ "$FROM_USER" != "$TO_USER" ]; then echo "=== Replacing /home/$FROM_USER/ to /home/$TO_USER/ in database $TO_DATABASE_NAME" - sudo -H -u$TO_USER wp search-replace "/home/$FROM_USER/" "/home/$TO_USER/" --precise --all-tables --skip-columns=guid + /usr/local/vesta/bin/v-run-wp-cli $TO_DOMAIN search-replace "/home/$FROM_USER/" "/home/$TO_USER/" --precise --all-tables --skip-columns=guid --skip-plugins --skip-themes; fi - sudo -H -u$TO_USER wp cache flush - sudo -H -u$TO_USER wp config shuffle-salts WP_CACHE_KEY_SALT --force - sudo -H -u$TO_USER wp config shuffle-salts + /usr/local/vesta/bin/v-run-wp-cli $TO_DOMAIN cache flush --skip-plugins --skip-themes; + /usr/local/vesta/bin/v-run-wp-cli $TO_DOMAIN config shuffle-salts WP_CACHE_KEY_SALT --force --skip-plugins --skip-themes; + /usr/local/vesta/bin/v-run-wp-cli $TO_DOMAIN config shuffle-salts --skip-plugins --skip-themes; fi # ----------- Update Wordfence WAF Path ------------- diff --git a/bin/v-commander b/bin/v-commander index 2bf2242d..a7fbf454 100644 --- a/bin/v-commander +++ b/bin/v-commander @@ -13,11 +13,14 @@ fi source /etc/profile PATH=$PATH:/usr/local/vesta/bin && export PATH -echo "======================= mvVesta-commander ================================" +if [ $SHOWHEADER -eq 1 ]; then + echo "======================= mvVesta-commander ================================" +fi if [ -f /root/kernelupdate ]; then rm /root/kernelupdate fi +apt_updated=0 apt_upgraded=0 quit_on_empty=0 @@ -73,6 +76,8 @@ myhelp() { echo "q = quit" echo "r = reboot" echo "s = download sury.org apt-get key" + echo "n = download nginx gpg key" + echo "freexian = add Freexian repository" echo "t = clean the trash" echo "u = apt-get update" echo "v = update myVesta" @@ -88,8 +93,8 @@ myhelp() { echo "inst nginx-rate-limit = install nginx-rate-limit templates" echo "dis fb = stop and disable fail2ban" echo "dis dove = stop and disable dovecot" - echo "dis spam = stop and disable spam" - echo "dis clam = stop and disable clamav" + echo "dis spam = stop and disable spamassassin" + echo "dis clam = stop and disable ClamAV" echo "p 7.0 = set default php 7.0" echo "p 7.3 = set default php 7.3" echo "p 7.4 = set default php 7.4" @@ -98,20 +103,38 @@ myhelp() { echo "m def = install php-memcached if needed" echo "check fc = check if FreshClam is up" echo "-----------------------------" - echo "enable-ssh-root-password-login = Allow root password authentication via SSH and set the root password to match the password for the admin account" + echo "enable-ssh-root-password-login = Allow root password authentication via SSH" + echo "id_rsa = generate id_rsa and id_rsa.pub if it does not exist and show id_rsa.pub" echo "-----------------------------" } +apt_update() { + echo "=============================" + echo "== running: apt-get update" + release=$(cat /etc/debian_version | tr "." "\n" | head -n1) + if [ "$release" -lt 10 ]; then + apt-get update + else + apt-get update --allow-releaseinfo-change + fi + apt_updated=1 +} + COUNTER=0 +HAS_PARAMETERS=0 while true do COUNTER=$((COUNTER + 1)) if [ $COUNTER -le $numargs ]; then + HAS_PARAMETERS=1 answer=$1 shift else + if [ $HAS_PARAMETERS -eq 1 ]; then + exit; + fi read -p 'What to do: ' answer fi @@ -128,6 +151,7 @@ do if [ "$answer" = 'quit-on-empty' ]; then echo "== the script will quit on next enter" quit_on_empty=1 + HAS_PARAMETERS=0 fi @@ -162,14 +186,7 @@ do if [ "$answer" = 'u' ] || [ "$answer" = 'U' ]; then - echo "=============================" - echo "== running: apt-get update" - release=$(cat /etc/debian_version | tr "." "\n" | head -n1) - if [ "$release" -lt 10 ]; then - apt-get update - else - apt-get update --allow-releaseinfo-change - fi + apt_update fi if [ "$answer" = 'g' ] || [ "$answer" = 'G' ]; then @@ -186,11 +203,10 @@ do apt_upgraded=1 kernelupdate=$(grep -c 'linux-image-' /var/log/apt/history.log) - if [ $kernelupdate -gt 0 ]; then + dbusupdate=$(grep -c ' dbus:a' /var/log/apt/history.log) + if [ $kernelupdate -gt 0 ] || [ $dbusupdate -gt 0 ] || [ -f "/run/reboot-required" ] || [ -f "/var/run/reboot-required" ]; then touch /root/kernelupdate - echo "== kernel is updated" - else - echo "== kernel is not updated" + echo "== kernel is updated, reboot is required!" fi fi @@ -206,6 +222,33 @@ do fi fi + if [ "$answer" = 'n' ] || [ "$answer" = 'N' ]; then + if [ -f "/etc/apt/sources.list.d/nginx.list" ]; then + echo "=============================" + echo "== renewing nginx gpg key" + apt-get update + apt-get -y install curl gnupg2 ca-certificates lsb-release debian-archive-keyring + curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | tee /etc/apt/sources.list.d/nginx.list + fi + fi + + if [ "$answer" = 'freexian' ] || [ "$answer" = 'FREEXIAN' ]; then + if [ "$release" -lt 11 ]; then + echo "=============================" + echo "== adding Freexian repository" + apt-get update + apt-get install lsb-release + wget https://deb.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2022.06.08_all.deb && sudo dpkg -i freexian-archive-keyring_2022.06.08_all.deb + cat /etc/apt/sources.list + mv /etc/apt/sources.list /etc/apt/sources.list.old + echo "deb http://deb.freexian.com/extended-lts `lsb_release -cs` main contrib non-free" > /etc/apt/sources.list + rm /etc/apt/sources.list.d/hetzner* + else + echo "== Freexian is not supported on Debian 11 or higher" + fi + fi + if [ "$answer" = 'e def' ] || [ "$answer" = 'E DEF' ]; then release=$(cat /etc/debian_version | tr "." "\n" | head -n1) echo "=============================" @@ -264,6 +307,9 @@ do systemctl stop clamav-daemon.service systemctl disable clamav-daemon.service + systemctl stop clamav-daemon.socket + systemctl disable clamav-daemon.socket + systemctl stop clamav-freshclam.service systemctl disable clamav-freshclam.service @@ -274,6 +320,7 @@ do if [ "$answer" = 'dis spam' ] || [ "$answer" = 'DIS SPAM' ]; then echo "=============================" echo "== disabling SpamAssassin" + release=$(cat /etc/debian_version | tr "." "\n" | head -n1) if [ "$release" -lt 12 ]; then systemctl stop spamassassin.service systemctl disable spamassassin.service @@ -519,21 +566,13 @@ do echo "--- New settings ---" grep '^PermitRoot' /etc/ssh/sshd_config echo "--------------------" - adminline=$(grep '^admin:' /etc/shadow) - adminline=${adminline:6} - adminline="root:$adminline" - sed -i "s#^root:.*#$adminline#" /etc/shadow - echo "root password is now the same as admin password." - echo "--------------------" - grep '^root:' /etc/shadow - grep '^admin:' /etc/shadow - echo "--------------------" echo "Port 22 opened in Firewall for all IP addresses." /usr/local/vesta/bin/v-unsuspend-firewall-rule "11" echo "--------------------" + echo "Type 'passwd' in the terminal to set the root password." + echo "--------------------" fi - if [ "$answer" = 'r' ] || [ "$answer" = 'R' ]; then echo "=============================" echo "== Rebooting the server" @@ -583,4 +622,13 @@ do /root/install-new-roundcube.sh fi + if [ "$answer" = 'id_rsa' ] || [ "$answer" = 'ID_RSA' ]; then + if [ ! -f "/root/.ssh/id_rsa.pub" ]; then + ssh-keygen -q -t rsa -N '' -C "$HOSTNAME" -b 4096 -f /root/.ssh/id_rsa 2>/dev/null <<< y >/dev/null + fi + echo "=== YOUR id_rsa.pub IS BELOW ===" + cat /root/.ssh/id_rsa.pub + echo "======" + fi + done diff --git a/bin/v-delete-database-of-domain b/bin/v-delete-database-of-domain new file mode 100644 index 00000000..30fd18c0 --- /dev/null +++ b/bin/v-delete-database-of-domain @@ -0,0 +1,69 @@ +#!/bin/bash +# info: delete database if domain has database +# options: DOMAIN +# +# The function for deleting database if domain has database + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Argument definition +domain=$1 + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +RET=$OK + +# echo "=================================" +r=$(/usr/local/vesta/bin/v-get-database-credentials-of-domain $domain) +# echo $r +eval $r +# echo "=================================" + +if [ ! -z "$DATABASE_NAME" ]; then + echo "=== v-delete-database $USER $DATABASE_NAME" + /usr/local/vesta/bin/v-delete-database $USER $DATABASE_NAME + if [ $? -ne 0 ]; then + echo "=== v-delete-database failed" + RET=$E_NOTEXIST + fi +fi + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +log_event "$RET" "$ARGUMENTS" + +exit diff --git a/bin/v-delete-domain b/bin/v-delete-domain index b6294679..1ca3373b 100755 --- a/bin/v-delete-domain +++ b/bin/v-delete-domain @@ -37,9 +37,10 @@ is_object_unsuspended 'user' 'USER' "$user" if [ ! -z "$WEB_SYSTEM" ]; then str=$(grep "DOMAIN='$domain'" $USER_DATA/web.conf) if [ ! -z "$str" ]; then + $BIN/v-delete-database-of-domain $domain domain_found='yes' $BIN/v-delete-web-domain $user $domain 'no' - check_result $? "can't suspend web" > /dev/null + check_result $? "can't delete web" > /dev/null fi fi @@ -49,7 +50,7 @@ if [ ! -z "$DNS_SYSTEM" ]; then if [ ! -z "$str" ]; then domain_found='yes' $BIN/v-delete-dns-domain $user $domain 'no' - check_result $? "can't suspend dns" > /dev/null + check_result $? "can't delete dns" > /dev/null fi fi @@ -59,7 +60,7 @@ if [ ! -z "$MAIL_SYSTEM" ]; then if [ ! -z "$str" ]; then domain_found='yes' $BIN/v-delete-mail-domain $user $domain - check_result $? "can't suspend mail" > /dev/null + check_result $? "can't delete mail" > /dev/null fi fi diff --git a/bin/v-delete-firewall-ban b/bin/v-delete-firewall-ban index 52f3403d..cb5b352c 100755 --- a/bin/v-delete-firewall-ban +++ b/bin/v-delete-firewall-ban @@ -53,6 +53,11 @@ $iptables -D fail2ban-$chain $b 2>/dev/null # Changing permissions chmod 660 $conf +# nginx deny rules conf +if [ "$chain" = "WEB" ] && [ -f "/etc/nginx/conf.d/block.conf" ]; then + sed -i "/deny $ip;/d" /etc/nginx/conf.d/block.conf + systemctl reload nginx +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-delete-firewall-rule b/bin/v-delete-firewall-rule index 8f646644..10fd0fb9 100755 --- a/bin/v-delete-firewall-rule +++ b/bin/v-delete-firewall-rule @@ -34,12 +34,21 @@ is_object_valid '../../data/firewall/rules' 'RULE' "$rule" # Action # #----------------------------------------------------------# +oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf) + # Deleting rule sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf # Updating system firewall $BIN/v-update-firewall +if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then + parse_object_kv_list_non_eval "$oldvalues" + if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then + sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf + systemctl restart nginx + fi +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-delete-inactive-wordpress-plugins-and-themes b/bin/v-delete-inactive-wordpress-plugins-and-themes new file mode 100644 index 00000000..e9b1715c --- /dev/null +++ b/bin/v-delete-inactive-wordpress-plugins-and-themes @@ -0,0 +1,165 @@ +#!/bin/bash +# info: delete inactive WordPress plugins and themes +# options: DOMAIN + +#----------------------------------------------------------# +# Variable & Function # +#----------------------------------------------------------# + +[ "$(whoami)" != "root" ] && { echo "You must be root to run this command."; exit 1; } +source /etc/profile + +DOMAIN="$1" +[ -z "$DOMAIN" ] && { echo "Usage: v-delete-inactive-wordpress-plugins-and-themes DOMAIN"; exit 1; } + +USER="$(/usr/local/vesta/bin/v-search-domain-owner "$DOMAIN")" +[ -z "$USER" ] && { echo "Domain $DOMAIN does not exist."; exit 1; } + +WP_PATH="/home/$USER/web/$DOMAIN/public_html" +[ ! -f "$WP_PATH/wp-config.php" ] && { echo "WordPress is not installed on this domain."; exit 1; } + +# WP-CLI wrapper +if [ ! -z "$PHP" ]; then + WP_RUN="PHP=$PHP /usr/local/vesta/bin/v-run-wp-cli $DOMAIN --skip-plugins --skip-themes" +else + WP_RUN="/usr/local/vesta/bin/v-run-wp-cli $DOMAIN --skip-plugins --skip-themes" +fi + +quarantined=0; + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +cd "$WP_PATH" || exit 1 +echo "Inactive WordPress plugins for $DOMAIN:" +echo "-------------------------------------" + +RUN="$WP_RUN plugin list --format=csv --skip-plugins --skip-themes" +PLUGINS_LIST_CSV=$(eval "$RUN") +return_code=$? + +if [ $return_code -ne 0 ]; then + echo "WP-CLI error:" + echo "return code: $return_code" + cat /home/$USER/web/$DOMAIN/wp-cli-error.log + exit $return_code +fi + +PLUGINS_LIST_CSV=$(echo "$PLUGINS_LIST_CSV" | tail -n +2) + +DEACTIVATED_PLUGINS_LIST_CSV="" + +if [ ! -z "$PLUGINS_LIST_CSV" ]; then + printf "%-30s %-20s %-20s %-20s %-20s %-20s\n" "name" "status" "update" "version" "update_version" "auto_update" + while IFS=',' read -r NAME STATUS UPDATE VERSION UPDATE_VERSION AUTO_UPDATE; do + if [ "$STATUS" = "inactive" ]; then + printf "%-30s %-20s %-20s %-20s %-20s %-20s\n" "$NAME" "$STATUS" "$UPDATE" "$VERSION" "$UPDATE_VERSION" "$AUTO_UPDATE" + DEACTIVATED_PLUGINS_LIST_CSV="$DEACTIVATED_PLUGINS_LIST_CSV\n$NAME" + fi + done <<< "$PLUGINS_LIST_CSV" +else + echo "No plugins found." +fi + +if [ ! -z "$DEACTIVATED_PLUGINS_LIST_CSV" ]; then + echo "" + read -r -p "Do you want to move inactive plugins to quarantine? (y/n, default: y): " RESPONSE < /dev/tty + if [ "$RESPONSE" == "y" ] || [ "$RESPONSE" == "Y" ] || [ -z "$RESPONSE" ]; then + while IFS=',' read -r NAME STATUS UPDATE VERSION UPDATE_VERSION AUTO_UPDATE; do + if [ "$STATUS" = "inactive" ]; then + folder="/home/$USER/web/$DOMAIN/public_html/wp-content/plugins/$NAME" + file="/home/$USER/web/$DOMAIN/public_html/wp-content/plugins/$NAME.php" + if [ -d "$folder" ] || [ -f "$file" ]; then + destination_base_folder="/srv/wp-deactivated-plugins/$DOMAIN" + if [ -d "$folder" ]; then + source_path="$folder" + destination_path="$destination_base_folder/$NAME" + elif [ -f "$file" ]; then + source_path="$file" + destination_path="$destination_base_folder/$NAME.php" + fi + mkdir -p $destination_base_folder + chown $USER:$USER $destination_base_folder + mv $source_path $destination_path + if [ -d "$destination_path" ]; then + echo "= Folder $source_path moved to $destination_path" + quarantined=1; + fi + if [ -f "$destination_path" ]; then + echo "= File $source_path moved to $destination_path" + quarantined=1; + fi + else + echo "=== ERROR: Folder $folder or file $file not found - it does not exist?" + fi + fi + done <<< "$PLUGINS_LIST_CSV" + fi +fi + +echo "" +echo "Inactive WordPress themes for $DOMAIN:" +echo "-------------------------------------" + +RUN="$WP_RUN theme list --format=csv --skip-plugins --skip-themes" +THEMES_LIST_CSV=$(eval "$RUN") +return_code=$? + +if [ $return_code -ne 0 ]; then + echo "WP-CLI error:" + echo "return code: $return_code" + cat /home/$USER/web/$DOMAIN/wp-cli-error.log + exit $return_code +fi + +THEMES_LIST_CSV=$(echo "$THEMES_LIST_CSV" | tail -n +2) + +DEACTIVATED_THEMES_LIST_CSV="" + +if [ ! -z "$THEMES_LIST_CSV" ]; then + printf "%-30s %-20s %-20s %-20s %-20s %-20s\n" "name" "status" "update" "version" "update_version" "auto_update" + while IFS=',' read -r NAME STATUS UPDATE VERSION UPDATE_VERSION AUTO_UPDATE; do + if [ "$STATUS" = "inactive" ]; then + printf "%-30s %-20s %-20s %-20s %-20s %-20s\n" "$NAME" "$STATUS" "$UPDATE" "$VERSION" "$UPDATE_VERSION" "$AUTO_UPDATE" + DEACTIVATED_THEMES_LIST_CSV="$DEACTIVATED_THEMES_LIST_CSV\n$NAME" + fi + done <<< "$THEMES_LIST_CSV" +else + echo "No themes found." +fi + +if [ ! -z "$DEACTIVATED_THEMES_LIST_CSV" ]; then + echo "" + read -r -p "Do you want to move inactive themes to quarantine? (y/n, default: y): " RESPONSE < /dev/tty + if [ "$RESPONSE" == "y" ] || [ "$RESPONSE" == "Y" ] || [ -z "$RESPONSE" ]; then + while IFS=',' read -r NAME STATUS UPDATE VERSION UPDATE_VERSION AUTO_UPDATE; do + if [ "$STATUS" = "inactive" ]; then + folder="/home/$USER/web/$DOMAIN/public_html/wp-content/themes/$NAME" + if [ -d "$folder" ]; then + destination_base_folder="/srv/wp-deactivated-themes/$DOMAIN" + source_path="$folder" + destination_path="$destination_base_folder/$NAME" + mkdir -p $destination_base_folder + chown $USER:$USER $destination_base_folder + mv $source_path $destination_path + if [ -d "$destination_path" ]; then + echo "= Folder $source_path moved to $destination_path" + quarantined=1; + fi + else + echo "=== ERROR: Folder $folder not found - it does not exist?" + fi + fi + done <<< "$THEMES_LIST_CSV" + fi +fi + +echo "" +if [ $quarantined -eq 1 ]; then + echo "= All deactivated plugins and themes moved to quarantine." + echo "= You can find them in /srv/wp-deactivated-plugins/$DOMAIN and /srv/wp-deactivated-themes/$DOMAIN" +else + echo "= No deactivated plugins or themes found." +fi +exit 0; diff --git a/bin/v-delete-mail-domain b/bin/v-delete-mail-domain index ee727aa9..9be565bb 100755 --- a/bin/v-delete-mail-domain +++ b/bin/v-delete-mail-domain @@ -51,6 +51,9 @@ if [[ "$MAIL_SYSTEM" =~ exim ]]; then rm -f /etc/$MAIL_SYSTEM/domains/$domain_idn rm -rf $HOMEDIR/$user/conf/mail/$domain rm -rf $HOMEDIR/$user/mail/$domain_idn + if [ -d "/hdd/home/$user/mail/$domain_idn" ]; then + rm -rf /hdd/home/$user/mail/$domain_idn + fi fi # Deleting dkim dns record diff --git a/bin/v-delete-mail-domain-dkim b/bin/v-delete-mail-domain-dkim index f11e48d4..7cfbab58 100755 --- a/bin/v-delete-mail-domain-dkim +++ b/bin/v-delete-mail-domain-dkim @@ -48,7 +48,7 @@ fi # Deleting dns record if [ ! -z "$DNS_SYSTEM" ] && [ -e "$USER_DATA/dns/$domain.conf" ]; then records=$($BIN/v-list-dns-records $user $domain plain) - dkim_records=$(echo "$records" |grep -w '_domainkey' | cut -f 1 -d ' ') + dkim_records=$(echo "$records" |grep -w '_domainkey' | awk '{print $1}') for id in $dkim_records; do $BIN/v-delete-dns-record $user $domain $id done diff --git a/bin/v-delete-mails b/bin/v-delete-mails new file mode 100644 index 00000000..24ac68e5 --- /dev/null +++ b/bin/v-delete-mails @@ -0,0 +1,127 @@ +#!/bin/bash +# info: delete old emails (by mtime) for user/domain/account, with optional scope +# usage: v-delete-mails USER DOMAIN ACCOUNT MTIME_DAYS|all SCOPE +# SCOPE: all – clean every Maildir folder (cur, new, tmp, custom subfolders) +# trash – clean only Trash/Junk/Spam folders + +# load Vesta functions & config +source "$VESTA/func/main.sh" +source "$VESTA/conf/vesta.conf" + +# read arguments +user="$1" +domain="$2" +account="$3" +mtime="$4" +scope="$5" + +# verify argument count +check_args '5' "$#" 'USER DOMAIN ACCOUNT MTIME_DAYS|all SCOPE' + +# validate scope +if [[ "$scope" != "all" && "$scope" != "trash" ]]; then + echo "ERROR: SCOPE must be 'all' or 'trash'." + exit 1 +fi + +# validate logical combinations +if [[ "$user" == "all" ]]; then + if [[ "$domain" != "all" || "$account" != "all" ]]; then + echo "ERROR: When USER is 'all', both DOMAIN and ACCOUNT must be 'all'." + exit 1 + fi +elif [[ "$domain" == "all" && "$account" != "all" ]]; then + echo "ERROR: When DOMAIN is 'all', ACCOUNT must also be 'all'." + exit 1 +fi + +# build a detailed summary for the warning +declare -a summary_parts +if [[ "$user" == "all" ]]; then + summary_parts+=("all users") +else + summary_parts+=("user '$user'") +fi + +if [[ "$domain" == "all" ]]; then + summary_parts+=("all domains") +else + summary_parts+=("domain '$domain'") +fi + +if [[ "$account" == "all" ]]; then + summary_parts+=("all accounts") +else + summary_parts+=("account '$account'") +fi + +# join with commas +summary=$(printf ", %s" "${summary_parts[@]}") +summary=${summary:2} + +# only warn if any of them is 'all' or if mtime is 'all' +if [[ "$mtime" == "all" || "$user" == "all" || "$domain" == "all" || "$account" == "all" ]]; then + echo "WARNING: This will delete emails older than '$mtime' days for ${summary}." + read -p "Are you sure? (yes/no): " confirm + [[ "$confirm" != "yes" ]] && { echo "Aborted."; exit 1; } +fi + +# function to delete emails +delete_emails() { + local u="$1" d="$2" a="$3" + local maildir="/home/$u/mail/$d/$a" + + [[ ! -d "$maildir" ]] && return + + echo "→ Cleaning '$a@$d' (user: $u), scope: $scope, mtime: $mtime" + + # build find predicates + if [[ "$scope" == "all" ]]; then + folder_expr=( -path "*/cur/*" -o -path "*/new/*" -o -path "*/tmp/*" ) + else + folder_expr=( -ipath "*/trash/*" -o -ipath "*/junk/*" -o -ipath "*/spam/*" ) + fi + + # assemble and run find + if [[ "$mtime" == "all" ]]; then + find "$maildir" -type f \( "${folder_expr[@]}" \) -print -delete 2>/dev/null + else + find "$maildir" -type f \( "${folder_expr[@]}" \) -mtime +"$mtime" -print -delete 2>/dev/null + fi +} + +# collect users +if [[ "$user" == "all" ]]; then + users=$(v-list-users plain | awk '{print $1}') +else + users="$user" +fi + +# iterate through users, domains, accounts +for u in $users; do + if [[ "$domain" == "all" ]]; then + domains=$(v-list-mail-domains "$u" plain | awk '{print $1}') + else + domains="$domain" + fi + + for d in $domains; do + if [[ "$account" == "all" ]]; then + accounts=$(v-list-mail-accounts "$u" "$d" plain | awk '{print $1}') + else + accounts="$account" + fi + + for a in $accounts; do + delete_emails "$u" "$d" "$a" + done + done +done + +# restart dovecot to refresh mailbox state +systemctl restart dovecot + +# log the action (status first, then message) +log_event "$OK" "Deleted emails (>$mtime days, scope=$scope) for $user $domain $account" + +exit 0 diff --git a/bin/v-delete-user b/bin/v-delete-user index c452f0a0..cdf809eb 100755 --- a/bin/v-delete-user +++ b/bin/v-delete-user @@ -94,6 +94,9 @@ fi # Deleting user directories chattr -i $HOMEDIR/$user/conf rm -rf $HOMEDIR/$user +if [ -d "/hdd/home/$user" ]; then + rm -rf /hdd/home/$user +fi rm -f /var/spool/mail/$user rm -f /var/spool/cron/$user rm -f /var/spool/cron/crontabs/$user diff --git a/bin/v-delete-web-domain b/bin/v-delete-web-domain index 43362e34..e64dd9a7 100755 --- a/bin/v-delete-web-domain +++ b/bin/v-delete-web-domain @@ -130,6 +130,9 @@ rm -f /var/log/$WEB_SYSTEM/domains/$domain.error* # Deleting directory rm -rf $HOMEDIR/$user/web/$domain +if [ -d "/hdd/home/$user/web/$domain" ]; then + rm -rf /hdd/home/$user/web/$domain +fi #----------------------------------------------------------# diff --git a/bin/v-delete-wordpress-uploads-php-files b/bin/v-delete-wordpress-uploads-php-files new file mode 100644 index 00000000..ce72c0c4 --- /dev/null +++ b/bin/v-delete-wordpress-uploads-php-files @@ -0,0 +1,64 @@ +#!/bin/bash +# info: delete PHP files from WordPress uploads folder +# options: DOMAIN + +#----------------------------------------------------------# +# Variable & Function # +#----------------------------------------------------------# + +[ "$(whoami)" != "root" ] && { echo "You must be root to run this command."; exit 1; } +source /etc/profile + +DOMAIN="$1" +[ -z "$DOMAIN" ] && { echo "Usage: v-delete-wordpress-uploads-php-files DOMAIN"; exit 1; } + +USER="$(/usr/local/vesta/bin/v-search-domain-owner "$DOMAIN")" +[ -z "$USER" ] && { echo "Domain $DOMAIN does not exist."; exit 1; } + +WP_PATH="/home/$USER/web/$DOMAIN/public_html" +[ ! -f "$WP_PATH/wp-config.php" ] && { echo "WordPress is not installed on this domain."; exit 1; } + +quarantined=0; + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +cd "$WP_PATH" || exit 1 + +files=$(find wp-content/uploads/ -type f -name "*.php") + +if [ -z "$files" ]; then + echo "= No PHP files found in WordPress uploads folder." + exit 0; +fi + +echo "= Found PHP files in WordPress uploads folder for domain $DOMAIN :" +echo "-------------------------------------" +echo "$files" +echo "-------------------------------------" + +read -r -p "Do you want to move these files to quarantine? (y/n, default: y): " RESPONSE < /dev/tty +if [ "$RESPONSE" == "y" ] || [ "$RESPONSE" == "Y" ] || [ -z "$RESPONSE" ]; then + for file in $files; do + source_file="/home/$USER/web/$DOMAIN/public_html/$file" + destination_file="/srv/wp-uploads-php-files-quarantine/$DOMAIN/$file" + destination_folder=$(dirname "$destination_file") + mkdir -p "$destination_folder" + chown $USER:$USER "$destination_folder" + mv "$source_file" "$destination_file" + echo "= File $source_file moved to $destination_file" + quarantined=1; + done + chown -R $USER:$USER "/srv/wp-uploads-php-files-quarantine/$DOMAIN" +fi + +echo "" +if [ $quarantined -eq 1 ]; then + echo "= All PHP files moved to quarantine." + echo "= You can find them in /srv/wp-uploads-php-files-quarantine/$DOMAIN" +else + echo "= No PHP files found in WordPress uploads folder." +fi + +exit 0; \ No newline at end of file diff --git a/bin/v-desinfect-wordpress b/bin/v-desinfect-wordpress new file mode 100644 index 00000000..51ee217e --- /dev/null +++ b/bin/v-desinfect-wordpress @@ -0,0 +1,86 @@ +#!/bin/bash +# info: disinfect a WordPress site with several maintenance commands +# options: DOMAIN + +# -------------------------------------------------------- # +# variables and checks # +# -------------------------------------------------------- # + +if [ "$(whoami)" != "root" ]; then + echo "You must be root to run this command." + exit 1 +fi + +# make sure all Vesta helper scripts are reachable +export PATH="/usr/local/vesta/bin:$PATH" +source /etc/profile + +domain="$1" +if [ -z "$domain" ]; then + echo "Usage: v-desinfect-wp DOMAIN" + exit 1 +fi + +user=$(/usr/local/vesta/bin/v-search-domain-owner "$domain") +if [ -z "$user" ]; then + echo "Domain $domain does not exist." + exit 1 +fi + +if [ ! -f "/usr/local/vesta/bin/v-wf-malware-hyperscan-with-remediate" ]; then + echo "= WordFence CLI is not installed. Installing..." + /usr/local/vesta/bin/v-install-wordfence-cli +fi + +# absolute paths to maintenance scripts, in desired order +declare -a tasks=( + "/usr/local/vesta/bin/v-change-database-password-for-wordpress" + "/usr/local/vesta/bin/v-change-wordpress-admin-passwords" + "/usr/local/vesta/bin/v-fix-wordpress-core" + "/usr/local/vesta/bin/v-delete-inactive-wordpress-plugins-and-themes" + "/usr/local/vesta/bin/v-delete-wordpress-uploads-php-files" + "/usr/local/vesta/bin/v-wf-malware-hyperscan-with-remediate" + "INTERACTIVE=1 /usr/local/vesta/bin/v-wf-malware-hyperscan-with-remediate" +) + +# -------------------------------------------------------- # +# execution strategy # +# -------------------------------------------------------- # + +echo +read -r -p "Run all maintenance steps automatically? (y/n) " run_all < /dev/tty + +if [[ "$run_all" =~ ^[Yy]$ ]]; then + echo "Running all maintenance steps for $domain" + automatic=true +else + echo + echo "Selective mode. You will be asked for each step." + automatic=false +fi + +for cmd in "${tasks[@]}"; do + if [ ! -x "$cmd" ]; then + echo "Command $cmd not found or not executable, skipping." + continue + fi + + if [ "$automatic" = false ]; then + while true; do + read -r -p "Run $(basename "$cmd") for $domain? (y/n) " yn < /dev/tty + case "$yn" in + [Yy]* ) break ;; + [Nn]* ) echo "Skipping $(basename "$cmd")."; continue 2 ;; + * ) echo "Please answer y or n." ;; + esac + done + fi + + echo + echo "=== $(basename "$cmd") $domain ===" + "$cmd" "$domain" +done + +echo +echo "Done." +exit 0 diff --git a/bin/v-df-snapshot-diff b/bin/v-df-snapshot-diff new file mode 100644 index 00000000..ee427bd2 --- /dev/null +++ b/bin/v-df-snapshot-diff @@ -0,0 +1,102 @@ +#!/bin/bash +# info: Make a diff between two snapshots of the disk usage +# options: FILE1 FILE2 + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Let's declare three associative arrays +declare -A FILE1 +declare -A FILE2 +declare -A FILED + +file1=$1 +file2=$2 + +if [[ ! "$file1" =~ ^/usr/local/vesta/data/df/snapshot-.*\.txt$ ]]; then + file1="/usr/local/vesta/data/df/$file1" +fi + +if [[ ! "$file2" =~ ^/usr/local/vesta/data/df/snapshot-.*\.txt$ ]]; then + file2="/usr/local/vesta/data/df/$file2" +fi + +if [ ! -f "$file1" ]; then + echo "File $file1 not found" + exit 1 +fi + +if [ ! -f "$file2" ]; then + echo "File $file2 not found" + exit 1 +fi + +timestamp=$(date +%Y-%m-%d-%H-%M-%S) +mkdir -p /usr/local/vesta/data/df-diff +file0="/usr/local/vesta/data/df-diff/diff-$timestamp.txt" +file0s="/usr/local/vesta/data/df-diff/diff-size-sorted-$timestamp.txt" +file0f="/usr/local/vesta/data/df-diff/diff-folder-sorted-$timestamp.txt" +touch $file0 + +# Let's load the first file and fill the array FILE1 +while IFS=$'\t' read SIZE DIRECTORY; do + # Skip blank lines or lines that are not in the correct format + [[ -z "$DIRECTORY" ]] && continue + [[ "$DIRECTORY" = "total" ]] && continue + # Insert values into the array + FILE1["$DIRECTORY"]="$SIZE" +done < "$file1" + +# Let's load the second file and fill the array FILE2 +while IFS=$'\t' read SIZE DIRECTORY; do + # Skip blank lines or lines that are not in the correct format + [[ -z "$DIRECTORY" ]] && continue + [[ "$DIRECTORY" = "total" ]] && continue + # Insert values into the array + FILE2["$DIRECTORY"]="$SIZE" +done < "$file2" + +# We iterate through FILE1 and look for the matching key in FILE2 +for k in "${!FILE1[@]}"; do + if [[ -v FILE2["$k"] ]]; then + # If there is the same folder (KEY) in FILE2 + DIFF=$(( ${FILE2[$k]} - ${FILE1[$k]} )) + FILED["$k"]=$DIFF + echo -e "${DIFF}\t${k}" >> $file0 + else + # If the folder (KEY) is not found in FILE2 + FILED["$k"]=${FILE1["$k"]} + echo -e "${FILE1["$k"]}\t${k}" >> $file0 + fi +done + +# sorted by size +sort -nr -k1,1 $file0 > $file0s + +# sorted by folders +while IFS=$'\t' read SIZE DIRECTORY; do + [[ -z "$DIRECTORY" ]] && continue + [[ "$DIRECTORY" = "total" ]] && continue + echo -e "$DIRECTORY\t${FILED["$DIRECTORY"]}" >> $file0f +done < "$file2" + +chmod 600 $file0 $file0s $file0f +chown root:root $file0 $file0s $file0f + +echo "Done." +echo "You can do:" +echo "mcview $file0" +echo "mcview $file0s" +echo "mcview $file0f" +echo "--------------------------------" +echo "Here is the first 30 lines of the diff, sorted by size (descending, in MB):" +head -n 30 $file0s +echo "--------------------------------" +echo "Here is the first 30 lines of the diff, sorted by folders (in MB):" +head -n 30 $file0f +echo "--------------------------------" + +exit 0 diff --git a/bin/v-df-snapshot-logs-cleaner b/bin/v-df-snapshot-logs-cleaner new file mode 100644 index 00000000..63275034 --- /dev/null +++ b/bin/v-df-snapshot-logs-cleaner @@ -0,0 +1,11 @@ +#!/bin/bash +# info: Clean up old snapshots of the disk usage +# options: NONE + +folder="/usr/local/vesta/data/df" +mkdir -p $folder +find $folder -type f -mtime +30 -delete + +folder="/usr/local/vesta/data/df-diff" +mkdir -p $folder +find $folder -type f -mtime +30 -delete diff --git a/bin/v-df-snapshot-make b/bin/v-df-snapshot-make new file mode 100644 index 00000000..985aab15 --- /dev/null +++ b/bin/v-df-snapshot-make @@ -0,0 +1,52 @@ +#!/bin/bash +# info: Make a snapshot of the disk usage +# options: NONE + +folder="/usr/local/vesta/data/df" + +mkdir -p $folder +timestamp=$(date +%Y-%m-%d-%H-%M-%S) + +du --max-depth=1 -m -x / > $folder/snapshot-$timestamp.txt + +du --max-depth=6 -m -x /home > $folder/snapshot-temp.txt +for i in {2..7}; do + while IFS= read -r line; do + count=0 + for (( j=0; j<${#line}; j++ )); do + if [[ ${line:j:1} == "/" ]]; then + ((count++)) + fi + done + if [ $count -eq $i ]; then + printf '%s\n' "$line" >> $folder/snapshot-$timestamp.txt + fi + done < $folder/snapshot-temp.txt +done +rm $folder/snapshot-temp.txt + +if [ -d "/hdd" ]; then + du --max-depth=7 -m -x /hdd > $folder/snapshot-temp.txt + for i in {1..8}; do + while IFS= read -r line; do + count=0 + for (( j=0; j<${#line}; j++ )); do + if [[ ${line:j:1} == "/" ]]; then + ((count++)) + fi + done + if [ $count -eq $i ]; then + printf '%s\n' "$line" >> $folder/snapshot-$timestamp.txt + fi + done < $folder/snapshot-temp.txt + done + rm $folder/snapshot-temp.txt +fi + +du --max-depth=1 -m -x /var/lib/mysql >> $folder/snapshot-$timestamp.txt +du --max-depth=1 -m -x /var/log >> $folder/snapshot-$timestamp.txt + +chmod 600 $folder/snapshot-$timestamp.txt +chown root:root $folder/snapshot-$timestamp.txt + +exit 0 diff --git a/bin/v-edit-domain-php-ini b/bin/v-edit-domain-php-ini new file mode 100644 index 00000000..9eadfcee --- /dev/null +++ b/bin/v-edit-domain-php-ini @@ -0,0 +1,90 @@ +#!/bin/bash +# info: Edit php.ini for certain domain +# options: DOMAIN + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +SILENT_MODE=1 + +# Argument definition +domain=$1 + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/func/domain.sh + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" + +if [ ! -d "/home/$user" ]; then + # echo "User doesn't exist"; + exit 1; +fi + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + # echo "Domain doesn't exist"; + exit 1; +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +fpm_ver=$(/usr/local/vesta/bin/v-get-php-version-of-domain $domain) + +if [ -z "$fpm_ver" ]; then + echo "PHP version for domain $domain could not be determined." + exit 1 +fi + +config_file="/etc/php/${fpm_ver}/fpm/pool.d/${domain}.conf" + +if command -v mcedit >/dev/null; then + mcedit "$config_file" +else + nano "$config_file" +fi + +echo "Restarting PHP-FPM service for PHP version ${fpm_ver}" +systemctl restart php${fpm_ver}-fpm +if [ $? -ne 0 ]; then + systemctl status php${fpm_ver}-fpm + echo "=========================" + echo "" + echo "ERROR: php${fpm_ver}-fpm restart failed - please re-run the command and fix the problem !!!" + echo "" + exit $E_RESTART; +else + echo "The PHP-FPM service for PHP version ${fpm_ver} has been restarted successfully." +fi +echo "" + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit 0; diff --git a/bin/v-edit-php-ini b/bin/v-edit-php-ini new file mode 100644 index 00000000..0155e6bb --- /dev/null +++ b/bin/v-edit-php-ini @@ -0,0 +1,70 @@ +#!/bin/bash +# info: Edit php.ini for a specific PHP version + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Includes +source $VESTA/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# List available PHP versions and store them into an array +mapfile -t php_versions < <(/usr/local/vesta/bin/v-list-php) + +echo "Available PHP versions:" +PS3="Please select the PHP version you want to edit php.ini for: " + +select php_version in "${php_versions[@]}"; do + if [[ -n $php_version ]]; then + break + else + echo "Invalid choice. Please try again." + fi +done + +# Define path to the php.ini file +php_ini_path="/etc/php/${php_version}/fpm/php.ini" + +# Check if php.ini exists for the selected version +if [[ ! -f "$php_ini_path" ]]; then + echo "The php.ini file for the selected PHP version ($php_version) does not exist." + exit 1 +fi + +# Determine the text editor to use +if command -v mcedit >/dev/null 2>&1; then + editor_cmd="mcedit" +elif command -v nano >/dev/null 2>&1; then + editor_cmd="nano" +else + echo "No supported text editor found. Please install 'mcedit' or 'nano'." + exit 1 +fi + +# Open php.ini for the chosen PHP version in the selected editor +echo "Opening $php_ini_path in editor $editor_cmd..." +$editor_cmd "$php_ini_path" + +# Restart the PHP-FPM service for the selected version +echo "Restarting the PHP-FPM service for PHP version $php_version..." +systemctl restart php${php_version}-fpm +if [ $? -ne 0 ]; then + systemctl status php${php_version}-fpm + echo "=========================" + echo "" + echo "ERROR: php${php_version}-fpm restart failed - please re-run the command and fix the problem !!!" + echo "" + exit $E_RESTART; +else + echo "The PHP-FPM service for PHP version ${php_version} has been restarted successfully." +fi + +#----------------------------------------------------------# +# Exit # +#----------------------------------------------------------# + +exit 0; diff --git a/bin/v-fix-php-ini-disable-functions b/bin/v-fix-php-ini-disable-functions new file mode 100644 index 00000000..3bce868f --- /dev/null +++ b/bin/v-fix-php-ini-disable-functions @@ -0,0 +1,35 @@ +#!/bin/bash + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1; +fi + +if [ -f "/tmp/patched" ]; then rm /tmp/patched; fi; + +echo "=== Fixing php.ini files to have the correct disable_functions line" + +export NOTFOUNDVAL="exec,system,passthru,shell_exec" +export LINEBEGINSWITH="disable_functions =" +export NEWVAL="disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,system,passthru,shell_exec,proc_open,popen" + +find /etc/php/*/fpm/ -type f -name "php.ini" -exec grep -L "$NOTFOUNDVAL" {} \; | xargs sh -c 'found=0; for arg do if [ ! -f "$arg.disable_patching" ]; then if [ $found -eq 0 ]; then echo "== Fixing existing lines"; found=1; touch /tmp/patched; fi; echo "= Patching $arg"; sed -i "s|^$LINEBEGINSWITH.*|$NEWVAL|g" $arg; fi; done' _ + +export NOTFOUNDVAL2="^$LINEBEGINSWITH" +export REMOVELINETHATCONTAINS=$LINEBEGINSWITH + +find /etc/php/*/fpm/ -type f -name "php.ini" -exec grep -L "$NOTFOUNDVAL2" {} \; | xargs sh -c 'found=0; for arg do if [ ! -f "$arg.disable_patching" ]; then if [ $found -eq 0 ]; then echo "== Adding missing lines"; found=1; touch /tmp/patched; fi; echo "= Patching $arg"; sed -i "s|.*$REMOVELINETHATCONTAINS.*||g" $arg; echo "$NEWVAL" >> $arg; fi; done' _ + +if [ -f "/tmp/patched" ]; then + rm /tmp/patched + + echo "== Restarting all PHP-FPM services" + systemctl --full --type service --all | grep "php...-fpm" | sed 's#●##g' | awk '{print $1}' | xargs systemctl restart + + echo "=== Everything done." +else + echo "=== Everything is already correct." +fi + +exit 0; diff --git a/bin/v-fix-user-permissions b/bin/v-fix-user-permissions index ae798992..47690477 100644 --- a/bin/v-fix-user-permissions +++ b/bin/v-fix-user-permissions @@ -44,14 +44,15 @@ find /home/$user/mail/*/ -type d -exec chmod u+rwx {} \; find /home/$user/mail/*/ -type d -exec chmod g+rwx {} \; find /home/$user/mail/*/ -type f -exec chmod u+rw {} \; find /home/$user/mail/*/ -type f -exec chmod g+rw {} \; - +find /home/$user/mail/*/ -maxdepth 1 -type d -exec chmod g-rwx {} \; find /home/$user/conf/dns/ -type f -exec chown root:bind {} \; find /home/$user/conf/ -type d -exec chown root:root {} \; -find /home/$user/web/*/public_html/ -type d -exec chmod 755 {} + -find /home/$user/web/*/public_html/ -type f -exec chmod 644 {} + -find /home/$user/web/*/public_html/ -exec chown $user:$user {} \; +for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do + /usr/local/vesta/bin/v-fix-website-permissions $domain $user + echo "--------------------------------" +done echo "Done, permissions fixed for user: $user" diff --git a/bin/v-fix-website-permissions b/bin/v-fix-website-permissions index a63954eb..50b143c8 100644 --- a/bin/v-fix-website-permissions +++ b/bin/v-fix-website-permissions @@ -1,6 +1,6 @@ #!/bin/bash -# info: Fixing chown and chmod permissions in the public_html directory -# options: DOMAIN +# info: Fixing chown and chmod permissions for a website +# options: DOMAIN [USER] #----------------------------------------------------------# # Variable&Function # @@ -18,17 +18,22 @@ source /etc/profile # Argument definition domain=$1 -user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +# Check if number of arguments is 2 +if [ $# -eq 2 ]; then + user=$2 +else + user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +fi +USER=$user # Includes source /usr/local/vesta/func/main.sh +source /usr/local/vesta/conf/vesta.conf if [ -z "$user" ]; then check_result $E_NOTEXIST "domain $domain doesn't exist" fi -USER=$user - #----------------------------------------------------------# # Verifications # #----------------------------------------------------------# @@ -38,12 +43,12 @@ is_format_valid 'domain' is_object_valid 'user' 'USER' "$user" if [ ! -d "/home/$user" ]; then - echo "User doesn't exist"; + echo "Error: Folder /home/$user doesn't exist"; exit 1; fi if [ ! -d "/home/$user/web/$domain/public_html" ]; then - echo "Domain doesn't exist"; + echo "Error: Folder /home/$user/web/$domain/public_html doesn't exist"; exit 1; fi @@ -54,14 +59,103 @@ fi # Going to domain directory cd /home/$USER/web/$domain -echo "Updating permissions for /home/$USER/web/$domain/public_html/" -find public_html/ -type d -exec chmod 755 {} + -find public_html/ -type f -exec chmod 644 {} + -chown -R $USER:$USER public_html/ +# Ownership check +if [ -z "$SKIP_OWNERSHIP_CHECK" ] && [ -f "public_html/index.php" ]; then + owner=$(stat -c '%U' "public_html/index.php") + if [ "$owner" = "root" ] || [ "$owner" = "www-data" ]; then + echo "Skipping permission fix for $domain, because v-lock-wordpress is used (index.php is owned by $owner)" + exit 1 + fi +fi + +echo "Updating permissions and ownership for /home/$USER/web/$domain/" + +php_chmod_allowed=1 +if [ -f "/home/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/web/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/web/$domain/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi + +# === General files and directories permissions === +if [ "$php_chmod_allowed" -eq 1 ]; then + # New way of fixing permissions + # Fixing permissions + find public_html/ -type d ! -perm 755 -exec chmod 755 {} + + find public_html/ -type f ! \( -name "*.php" -o -name "*.env" \) ! -perm 644 -exec chmod 644 {} + + + # Fixing ownership + find public_html/ -type d ! -user $USER -exec chown $USER:$USER {} + + find public_html/ -type f ! \( -name "*.php" -o -name "*.env" \) ! -user $USER -exec chown $USER:$USER {} + +else + # Old way of fixing permissions + # Fixing permissions + find public_html/ -type d ! -perm 755 -exec chmod 755 {} + + find public_html/ -type f ! -perm 644 -exec chmod 644 {} + + + # Fixing ownership + find public_html/ -type d ! -user $USER -exec chown $USER:$USER {} + + find public_html/ -type f ! -user $USER -exec chown $USER:$USER {} + +fi + +# === PHP and .env permissions === +if [ "$php_chmod_allowed" -eq 1 ]; then + php_chmod="600" + + if [ "$WEB_SYSTEM" = 'nginx' ]; then + php_chmod="644" + fi + + if [ -f "/home/php_chmod" ]; then + php_chmod=$(cat /home/php_chmod) + fi + if [ -f "/home/$USER/php_chmod" ]; then + php_chmod=$(cat /home/$USER/php_chmod) + fi + if [ -f "/home/$USER/web/php_chmod" ]; then + php_chmod=$(cat /home/$USER/web/php_chmod) + fi + if [ -f "/home/$USER/web/$domain/php_chmod" ]; then + php_chmod=$(cat /home/$USER/web/$domain/php_chmod) + fi + + # Setting chmod 600 for all .php and .env files + echo "= Setting chmod $php_chmod for all .php and .env files" + # Fixing permissions + find -type f \( -name "*.php" -o -name "*.env" \) ! -perm $php_chmod -exec chmod $php_chmod {} + + # Fixing ownership + find -type f \( -name "*.php" -o -name "*.env" \) ! -user $USER -exec chown $USER:$USER {} + +fi + +# === Symlinks ownership === +symlink_chown_allowed=1 +if [ -f "/home/symlink_chown_disabled" ]; then + symlink_chown_allowed=0 +fi +if [ -f "/home/$USER/symlink_chown_disabled" ]; then + symlink_chown_allowed=0 +fi +if [ -f "/home/$USER/web/symlink_chown_disabled" ]; then + symlink_chown_allowed=0 +fi +if [ -f "/home/$USER/web/$domain/symlink_chown_disabled" ]; then + symlink_chown_allowed=0 +fi + +if [ "$symlink_chown_allowed" -eq 1 ]; then + find -type l ! -user $USER -exec chown -h $USER:$USER {} + +fi #----------------------------------------------------------# # Vesta # #----------------------------------------------------------# echo "Permissions for $domain have been successfully updated." -exit +exit 0 diff --git a/bin/v-fix-website-permissions-for-all-websites b/bin/v-fix-website-permissions-for-all-websites new file mode 100644 index 00000000..9b1501bd --- /dev/null +++ b/bin/v-fix-website-permissions-for-all-websites @@ -0,0 +1,41 @@ +#!/bin/bash +# info: fix website permissions for all websites +# options: +# +# The command is used for fixing website permissions for all websites on the server. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Importing system variables +source /etc/profile + +# Includes +source $VESTA/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +for user in $(grep '@' /etc/passwd |cut -f1 -d:); do + if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then + continue; + fi + + for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do + /usr/local/vesta/bin/v-fix-website-permissions $domain $user + echo "--------------------------------" + done + +done + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$ARGUMENTS" + +exit diff --git a/bin/v-fix-website-permissions-for-all-websites-only-php b/bin/v-fix-website-permissions-for-all-websites-only-php new file mode 100644 index 00000000..a89d2416 --- /dev/null +++ b/bin/v-fix-website-permissions-for-all-websites-only-php @@ -0,0 +1,44 @@ +#!/bin/bash +# info: fix website permissions for all websites +# options: +# +# The command is used for fixing website permissions for all websites on the server. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Importing system variables +source /etc/profile + +# Includes +source $VESTA/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +touch /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log +truncate -s 0 /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log + +for user in $(grep '@' /etc/passwd |cut -f1 -d:); do + if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then + continue; + fi + + for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do + /usr/local/vesta/bin/v-fix-website-permissions-only-php $domain $user >> /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log 2>&1 + echo "--------------------------------" >> /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log + done + +done + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$ARGUMENTS" + +exit diff --git a/bin/v-fix-website-permissions-only-php b/bin/v-fix-website-permissions-only-php new file mode 100644 index 00000000..cf548e6b --- /dev/null +++ b/bin/v-fix-website-permissions-only-php @@ -0,0 +1,121 @@ +#!/bin/bash +# info: Fixing PHP and .env permissions and ownership for a website +# options: DOMAIN [USER] + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Argument definition +domain=$1 + +# Check if number of arguments is 2 +if [ $# -eq 2 ]; then + user=$2 +else + user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +fi +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/conf/vesta.conf + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" + +if [ ! -d "/home/$user" ]; then + echo "Error: Folder /home/$user doesn't exist"; + exit 1; +fi + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + echo "Error: Folder /home/$user/web/$domain/public_html doesn't exist"; + exit 1; +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Going to domain directory +cd /home/$USER/web/$domain + +# Ownership check +if [ -z "$SKIP_OWNERSHIP_CHECK" ] && [ -f "public_html/index.php" ]; then + owner=$(stat -c '%U' "public_html/index.php") + if [ "$owner" = "root" ] || [ "$owner" = "www-data" ]; then + echo "Skipping permission fix for $domain, because v-lock-wordpress is used (index.php is owned by $owner)" + exit 1 + fi +fi + +echo "Updating PHP and .env permissions and ownership for /home/$USER/web/$domain/" + +php_chmod_allowed=1 +if [ -f "/home/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/web/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi +if [ -f "/home/$USER/web/$domain/php_chmod_disabled" ]; then + php_chmod_allowed=0 +fi + +# === PHP and .env permissions === +if [ "$php_chmod_allowed" -eq 1 ]; then + php_chmod="600" + + if [ "$WEB_SYSTEM" = 'nginx' ]; then + php_chmod="644" + fi + + if [ -f "/home/php_chmod" ]; then + php_chmod=$(cat /home/php_chmod) + fi + if [ -f "/home/$USER/php_chmod" ]; then + php_chmod=$(cat /home/$USER/php_chmod) + fi + if [ -f "/home/$USER/web/php_chmod" ]; then + php_chmod=$(cat /home/$USER/web/php_chmod) + fi + if [ -f "/home/$USER/web/$domain/php_chmod" ]; then + php_chmod=$(cat /home/$USER/web/$domain/php_chmod) + fi + + # Setting chmod 600 for all .php and .env files + echo "= Setting chmod $php_chmod for all .php and .env files" + # Fixing permissions + find -type f \( -name "*.php" -o -name "*.env" \) ! -perm $php_chmod -exec chmod $php_chmod {} + + # Fixing ownership + find -type f \( -name "*.php" -o -name "*.env" \) ! -user $USER -exec chown $USER:$USER {} + +fi + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# +echo "PHP and .env permissions and ownership for $domain have been successfully updated." + +exit 0 diff --git a/bin/v-fix-wordpress-core b/bin/v-fix-wordpress-core new file mode 100644 index 00000000..2bcd6c34 --- /dev/null +++ b/bin/v-fix-wordpress-core @@ -0,0 +1,115 @@ +#!/bin/bash +# info: fix compromised wp-admin and wp-includes +# options: DOMAIN [CACHE_DIR] +# +# Replaces wp-admin and wp-includes with clean copies that match +# the WordPress core version detected on the site. +# +# Example: +# v-fix-wp-core example.com +# v-fix-wp-core example.com /srv/wp-cache + +#----------------------------------------------------------# +# Variable & Function # +#----------------------------------------------------------# + +# Arguments +DOMAIN="$1" +CACHE_DIR="${2-/srv/wp-cache}" # default cache location + +QUARANTINE_DIR="/srv/wp-quarantine" + +# Includes +source $VESTA/func/main.sh +source $VESTA/conf/vesta.conf + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# +check_args '1' "$#" 'DOMAIN [CACHE_DIR]' +is_format_valid 'domain' + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +TMP_DIR="$(mktemp -d /tmp/wpfix.XXXXXX)" # temp workspace +trap 'rm -rf "$TMP_DIR"' EXIT + +# 1etermine WP version +if [ -z "$PHP" ]; then + WP_VERSION="$(/usr/local/vesta/bin/v-run-wp-cli "$DOMAIN" core version | tr -d '[:space:]')" +else + WP_VERSION="$(PHP=$PHP /usr/local/vesta/bin/v-run-wp-cli "$DOMAIN" core version | tr -d '[:space:]')" +fi + +check_result $? "cannot detect WP version" > /dev/null +if [ -z "$WP_VERSION" ]; then + check_result 1 "empty WP version string" +fi +echo "Detected WordPress version $WP_VERSION" + +# 2ind site owner and path +USER="$(/usr/local/vesta/bin/v-search-domain-owner "$DOMAIN")" +check_result $? "cannot find domain owner" > /dev/null +SITE_PATH="/home/$USER/web/$DOMAIN/public_html" +if [ ! -d "$SITE_PATH" ]; then + check_result 1 "site path $SITE_PATH does not exist" +fi + +# ensure cached core is present +CACHE_PATH="$CACHE_DIR/$WP_VERSION" +if [ ! -d "$CACHE_PATH/wp-admin" ] || [ ! -d "$CACHE_PATH/wp-includes" ]; then + echo "Cache for $WP_VERSION missing, downloading ZIP..." + + mkdir -p "$CACHE_PATH" + ZIP_URL="https://wordpress.org/wordpress-${WP_VERSION}.zip" + ZIP_FILE="$TMP_DIR/wp.zip" + + curl -fSL "$ZIP_URL" -o "$ZIP_FILE" + check_result $? "download failed" > /dev/null + + unzip -q "$ZIP_FILE" -d "$TMP_DIR" + check_result $? "unzip failed" > /dev/null + + mv "$TMP_DIR/wordpress/wp-admin" "$CACHE_PATH/" + mv "$TMP_DIR/wordpress/wp-includes" "$CACHE_PATH/" + cp "$TMP_DIR/wordpress"/*.php "$CACHE_PATH/" +fi + +# backup current core folders +TIMESTAMP="$(date +%Y%m%d%H%M%S)" +BACKUP_DIR="$QUARANTINE_DIR/$DOMAIN/backup-core-$TIMESTAMP" +mkdir -p "$BACKUP_DIR" +mv "$SITE_PATH/wp-admin" "$BACKUP_DIR/" +mv "$SITE_PATH/wp-includes" "$BACKUP_DIR/" + +for f in "$SITE_PATH"/*.php; do + [[ $(basename "$f") == "wp-config.php" ]] && continue + mv "$f" "$BACKUP_DIR/" +done +if [ -f "$SITE_PATH/.user.ini" ]; then + mv "$SITE_PATH/.user.ini" "$BACKUP_DIR/" +fi + +# chown -R www-data:www-data "$BACKUP_DIR" +check_result $? "backup failed" > /dev/null +echo "Old core folders moved to $BACKUP_DIR" + +# deploy clean core +rsync -a --delete "$CACHE_PATH/wp-admin/" "$SITE_PATH/wp-admin/" +rsync -a --delete "$CACHE_PATH/wp-includes/" "$SITE_PATH/wp-includes/" +check_result $? "rsync failed" > /dev/null + +for corephp in "$CACHE_PATH"/*.php; do + base=$(basename "$corephp") + [ "$base" = "wp-config.php" ] && continue + rsync -a "$corephp" "$SITE_PATH/$base" +done + +# fix permissions +SKIP_OWNERSHIP_CHECK=1 /usr/local/vesta/bin/v-fix-website-permissions $DOMAIN +# chown -R www-data:www-data "$BACKUP_DIR" + +echo "Done, core WP files, wp-admin and wp-includes replaced for $DOMAIN" +exit diff --git a/bin/v-get-dns-config b/bin/v-get-dns-config new file mode 100644 index 00000000..d759c489 --- /dev/null +++ b/bin/v-get-dns-config @@ -0,0 +1,70 @@ +#!/bin/bash +# info: Get domain DNS config.db file content +# options: DOMAIN + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +SILENT_MODE=1 + +# Argument definition +domain=$1 + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/func/domain.sh + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'DOMAIN' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" + +if [ ! -d "/home/$user" ]; then + # echo "User doesn't exist"; + exit 1; +fi + +if [ ! -d "/home/$user/web/$domain/public_html" ]; then + # echo "Domain doesn't exist"; + exit 1; +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +DNS_FILE="/home/$user/conf/dns/$domain.db" + +if [ -f "$DNS_FILE" ]; then + cat "$DNS_FILE" +else + echo "DNS configuration file for $domain does not exist." + exit 1 +fi + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit 0; diff --git a/bin/v-import-cpanel-backup b/bin/v-import-cpanel-backup index f92ae5af..43e8c3bf 100644 --- a/bin/v-import-cpanel-backup +++ b/bin/v-import-cpanel-backup @@ -157,9 +157,15 @@ for sk_dbr in $sk_db_list echo " Create and restore ${sk_dbr} " sed -i "s/utf8mb4_unicode_520_ci/utf8mb4_unicode_ci/g" mysql/${sk_dbr}.create sed -i "s/utf8mb4_0900_ai_ci/utf8mb4_unicode_ci/g" mysql/${sk_dbr}.create + if grep -q ' enable the sandbox mode ' mysql/${sk_dbr}.create; then + v-sed '/*!999999\- enable the sandbox mode */' '' mysql/${sk_dbr}.create + fi mysql < mysql/${sk_dbr}.create sed -i "s/utf8mb4_unicode_520_ci/utf8mb4_unicode_ci/g" mysql/${sk_dbr}.sql sed -i "s/utf8mb4_0900_ai_ci/utf8mb4_unicode_ci/g" mysql/${sk_dbr}.sql + if grep -q ' enable the sandbox mode ' mysql/${sk_dbr}.sql; then + v-sed '/*!999999\- enable the sandbox mode */' '' mysql/${sk_dbr}.sql + fi mysql ${sk_dbr} < mysql/${sk_dbr}.sql else echo "Error: Cant restore database $sk_dbr alredy exists in mysql server" diff --git a/bin/v-install-unsigned-ssl b/bin/v-install-unsigned-ssl index 8df023c9..9ac2f188 100644 --- a/bin/v-install-unsigned-ssl +++ b/bin/v-install-unsigned-ssl @@ -52,7 +52,9 @@ fi # Action # #----------------------------------------------------------# -/usr/local/vesta/bin/v-delete-web-domain-ssl "$user" "$domain" +if [ -f "/home/$user/conf/web/ssl.$domain.crt" ]; then + /usr/local/vesta/bin/v-delete-web-domain-ssl "$user" "$domain" +fi release=$(cat /etc/debian_version | tr "." "\n" | head -n1) diff --git a/bin/v-install-wordfence-cli b/bin/v-install-wordfence-cli new file mode 100644 index 00000000..fc6ca0b5 --- /dev/null +++ b/bin/v-install-wordfence-cli @@ -0,0 +1,37 @@ +#!/bin/bash +# info: Script for installing WordFence CLI +# options: NONE + +if ! command -v git &> /dev/null; then + echo "= Git is not installed. Installing..." + apt-get update > /dev/null 2>&1 + apt-get install -y git +fi + +cd /root + +if [ ! -d "myvesta-wordfence-cli" ]; then + git clone https://github.com/isscbta/myvesta-wordfence-cli.git + cd ~/myvesta-wordfence-cli/ +else + cd ~/myvesta-wordfence-cli/ + git pull +fi + +echo "" +echo "----------------------------------------------------------------" +echo "" +echo "Which Docker container do you want to install for WordFence CLI?" +echo "1. WordFence CLI official Docker container" +echo "2. WordFence CLI Docker container maintained by myVesta" +read -r -p "Enter your choice: " choice < /dev/tty + +if [ "$choice" == "1" ]; then + bash wf-cli-install.sh +fi + +if [ "$choice" == "2" ]; then + bash wf-cli-install-our-image.sh +fi + +exit 0; diff --git a/bin/v-install-wordpress b/bin/v-install-wordpress index 5758e358..25e38f3e 100644 --- a/bin/v-install-wordpress +++ b/bin/v-install-wordpress @@ -57,17 +57,26 @@ if [ -z "$database" ]; then fi fi +# Convert domain to IDN if available +if command -v idn2 >/dev/null 2>&1; then + database=$(idn2 "$database") + idn_domain=$(idn2 "$domain") +elif command -v idn >/dev/null 2>&1; then + database=$(idn "$database") + idn_domain=$(idn "$domain") +fi + if [ -z "$email" ]; then - email="info@$domain"; + email="info@$idn_domain"; fi if [ ! -d "/home/$user" ]; then - echo "User doesn't exist"; + echo "= Error: Folder /home/$user doesn't exist"; exit 1; fi if [ ! -d "/home/$user/web/$domain/public_html" ]; then - echo "Domain doesn't exist"; + echo "= Error: Folder /home/$user/web/$domain/public_html doesn't exist"; exit 1; fi @@ -95,63 +104,72 @@ PASSWDDB=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1) # Action # #----------------------------------------------------------# -PROTOCOL='http' -if [ -z "$SKIP_LE" ]; then - if [ ! -f "/home/$user/conf/web/ssl.$domain.ca" ]; then - /usr/local/vesta/bin/v-add-letsencrypt-domain "$user" "$domain" "www.$domain" "yes" - fi -else - PROTOCOL='https' +PROTOCOL='https' + +if [ ! -f "/home/$user/conf/web/ssl.$domain.ca" ]; then + echo "== Trying to install LetsEncrypt for domain $domain" + /usr/local/vesta/bin/v-add-letsencrypt-domain "$user" "$domain" "www.$domain" "yes" +fi + +if [ ! -z "$FORCE_HTTP" ]; then + # Switch to http:// only if --FORCE_HTTP parameter is set + echo "== Force http://" + PROTOCOL='http' fi TPL_CHANGED=0; -if [ -f "/home/$user/conf/web/ssl.$domain.ca" ] || [ ! -z "$SKIP_LE" ]; then - PROTOCOL='https' - if [ -f "/usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then - TPL_CHANGED=1; - /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "force-https-firewall-wordpress" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" +if [ "$WEB_SYSTEM" != 'nginx' ]; then + if [ "$PROTOCOL" = "https" ]; then + if [ -f "/usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then + TPL_CHANGED=1; + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "force-https-firewall-wordpress" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" + fi + if [ -f "/usr/local/vesta/data/templates/web/nginx/force-https.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then + TPL_CHANGED=1; + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "force-https" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" + fi fi - if [ -f "/usr/local/vesta/data/templates/web/nginx/force-https.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then - TPL_CHANGED=1; - /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "force-https" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" - fi -else - if [ -f "/usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then - TPL_CHANGED=1; - /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "hosting-firewall-wordpress" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" + if [ "$PROTOCOL" = "http" ]; then + if [ -f "/usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl" ] && [ $TPL_CHANGED -eq 0 ]; then + TPL_CHANGED=1; + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "hosting-firewall-wordpress" "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,ttf,otf,webp,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf,woff,woff2" "yes" + fi fi fi /usr/local/vesta/bin/v-add-database "$user" "$DBUSERSUF" "$DBUSERSUF" "$PASSWDDB" "mysql" -if [ ! -f "/usr/local/bin/wp" ]; then - echo "=== Downloading latest wp-cli" - wget -nv https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/local/bin/wp - chmod +x /usr/local/bin/wp -fi - WORKINGDIR="/home/$user/web/$domain/public_html" rm -rf $WORKINGDIR/* cd $WORKINGDIR -sudo -H -u$user wp core download -sudo -H -u$user wp core config --dbname=$DBUSER --dbuser=$DBUSER --dbpass=$PASSWDDB +/usr/local/vesta/bin/v-run-wp-cli $domain core download +if [ ! -f "$WORKINGDIR/index.php" ]; then + echo "= WordPress installation failed: WordPress core download failed." + exit 1; +fi + +/usr/local/vesta/bin/v-run-wp-cli $domain core config --dbname=$DBUSER --dbuser=$DBUSER --dbpass=$PASSWDDB +if [ ! -f "$WORKINGDIR/wp-config.php" ]; then + echo "= WordPress installation failed: WordPress core config failed, wp-config.php not found." + exit 1; +fi password=$(LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\)-+= < /dev/urandom | head -c 12) wpadmin=$(echo "$domain" | sed 's#\.#_#g')_4dm1n -sudo -H -u$user wp core install --url="$domain" --title="$domain" --admin_user="$wpadmin" --admin_password="$password" --admin_email="$email" --path=$WORKINGDIR +/usr/local/vesta/bin/v-run-wp-cli $domain core install --url="$domain" --title="$domain" --admin_user="$wpadmin" --admin_password="$password" --admin_email="$email" --path=$WORKINGDIR mysql -u$DBUSER -p$PASSWDDB -e "USE $DBUSER; update wp_options set option_value = '$PROTOCOL://$domain' where option_name = 'siteurl'; update wp_options set option_value = '$PROTOCOL://$domain' where option_name = 'home';" echo "=================================================================" -echo "Installation is complete. Your username/password is listed below." +echo "Your WordPress installation is complete." echo "" -echo "Site: $PROTOCOL://$domain/" +echo "Website URL: $PROTOCOL://$domain/" echo "" -echo "Login: $PROTOCOL://$domain/wp-admin/" +echo "WordPress admin login: $PROTOCOL://$domain/wp-admin/" echo "Username: $wpadmin" echo "Password: $password" echo "" diff --git a/bin/v-install-wp-cli b/bin/v-install-wp-cli new file mode 100644 index 00000000..17df71e8 --- /dev/null +++ b/bin/v-install-wp-cli @@ -0,0 +1,27 @@ +#!/bin/bash +# info: Download WP CLI +# options: NONE + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +echo "= Installing WP CLI by downloading phar file..." +wget -nv https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/local/bin/wp +chmod +x /usr/local/bin/wp + +if [ -f "/usr/local/bin/wp" ]; then + echo "= WP CLI installed successfully." + echo "= Usage: v-run-wp-cli DOMAIN WP_CLI_COMMAND" + exit 0; +else + echo "= WP CLI installation failed." + echo "= Please install it manually." + exit 1; +fi diff --git a/bin/v-install-wp-cli-myvesta b/bin/v-install-wp-cli-myvesta new file mode 100644 index 00000000..b65479f6 --- /dev/null +++ b/bin/v-install-wp-cli-myvesta @@ -0,0 +1,79 @@ +#!/bin/bash +# info: Download myVesta WP CLI +# options: NONE + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +if [ ! -f "/usr/local/bin/composer" ]; then + echo "= Composer is not installed. Installing..." + php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + php composer-setup.php --install-dir=/usr/local/bin --filename=composer + php -r "unlink('composer-setup.php');" + echo "= Composer installed successfully." +fi + +if [ -d "/usr/local/bin/wp-cli" ]; then + echo "= Removing old myVesta WP CLI..." + rm -rf /usr/local/bin/wp-cli +fi + +echo "= Installing myVesta WP CLI..." + +cd /usr/local/bin +git clone https://github.com/wp-cli/wp-cli.git + +chown -R www-data:www-data wp-cli + +ver_ge() { + # usage: ver_ge 7.2 5.6 --> returns true if $1 is greater than or equal to $2 + [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ] +} + +current_php_version=$(readlink -f /usr/bin/php | grep -oP 'php\K[0-9]+\.[0-9]+') + +php_versions=$(/usr/local/vesta/bin/v-list-php) +for php_version in $php_versions; do + if ver_ge "$php_version" "7.2"; then + oldest_allowed_php_version=$php_version + break + fi +done + +echo "= Setting PHP version to $oldest_allowed_php_version" +update-alternatives --set php /usr/bin/php$oldest_allowed_php_version + +cd wp-cli/ +sudo -H -u www-data composer install + +echo "= Installing search-replace-command package..." +sudo -H -u www-data WP_CLI_PACKAGES_DIR=/usr/local/bin/wp-cli/packages php /usr/local/bin/wp-cli/php/boot-fs.php package install wp-cli/search-replace-command + +echo "= Setting PHP version to $current_php_version" +update-alternatives --set php /usr/bin/php$current_php_version + +# Fix terminal columns issue for WP CLI +echo "= Fixing terminal columns issue for WP CLI..." +/usr/local/vesta/bin/v-sed '$columns = 80;' "if (file_exists('/usr/local/bin/wp-cli/COLUMNS')) \$columns=intval(file_get_contents('/usr/local/bin/wp-cli/COLUMNS')); else \$columns = 80;" '/usr/local/bin/wp-cli/vendor/wp-cli/php-cli-tools/lib/cli/Shell.php' + +echo "" + +if [ -f "/usr/local/bin/wp-cli/php/boot-fs.php" ]; then + echo "= myVesta WP CLI installed successfully." + echo "= Usage: v-run-wp-cli-myvesta DOMAIN WP_CLI_COMMAND" + exit 0; +else + echo "= myVesta WP CLI installation failed." + echo "= Please install it manually." + exit 1; +fi diff --git a/bin/v-list-php b/bin/v-list-php new file mode 100644 index 00000000..846e40de --- /dev/null +++ b/bin/v-list-php @@ -0,0 +1,76 @@ +#!/bin/bash +# info: list of installed php versions +# options: [FORMAT] +# +# The function for obtaining the list of installed PHP versions. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Argument definition +format=${1-shell} + +# Includes +source $VESTA/func/main.sh + +# JSON list function +json_list() { + counter=$(echo "$phpversions" | wc -l) + i=1 + echo '[' + for phpversion in $phpversions; do + if [ "$i" -lt "$counter" ]; then + echo -e "\t\"$phpversion\"," + else + echo -e "\t\"$phpversion\"" + fi + (( ++i)) + done + echo "]" +} + +# shell list function +shell_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + +# PLAIN list function +plain_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + +# CSV list function +csv_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Obtaining the list of installed PHP-FPM versions +phpversions=$(find /etc/php/ -type d -name 'fpm' | sed "s|/etc/php/||" | sed "s|/fpm||" | sort) + +# Listing data +case $format in + json) json_list ;; + plain) plain_list ;; + csv) csv_list ;; + shell) shell_list ;; +esac + + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit diff --git a/bin/v-list-php-apache b/bin/v-list-php-apache new file mode 100644 index 00000000..e2e431b1 --- /dev/null +++ b/bin/v-list-php-apache @@ -0,0 +1,91 @@ +#!/bin/bash +# info: list of installed php versions that have Apache template. +# options: [FORMAT] +# +# The function obtains the list of installed PHP versions that have Apache template. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Argument definition +format=${1-shell} + +# Includes +source $VESTA/func/main.sh + +# JSON list function +json_list() { + counter=$(echo "$phpversions" | wc -l) + i=1 + echo '[' + for phpversion in $phpversions; do + if [ "$i" -lt "$counter" ]; then + echo -e "\t\"$phpversion\"," + else + echo -e "\t\"$phpversion\"" + fi + (( ++i)) + done + echo "]" +} + +# shell list function +shell_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + +# PLAIN list function +plain_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + +# CSV list function +csv_list() { + for phpversion in $phpversions; do + echo "$phpversion" + done +} + +echo_phpversions_list() { + for element in "${phpversions_list[@]}"; do + echo "$element" + done +} + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Obtaining the list of installed PHP-FPM versions +fpmphpversions=$(/usr/local/vesta/bin/v-list-php) + +for phpversion in $fpmphpversions; do + phpversiontpl=${phpversion//./} + tpl="/usr/local/vesta/data/templates/web/apache2/PHP-FPM-$phpversiontpl.tpl" + if [ -f "$tpl" ]; then + phpversions_list+=("$phpversion") + fi +done + +phpversions=$(echo_phpversions_list) + +# Listing data +case $format in + json) json_list ;; + plain) plain_list ;; + csv) csv_list ;; + shell) shell_list ;; +esac + + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit diff --git a/bin/v-list-sys-config b/bin/v-list-sys-config index 127f2176..a0fdbbbc 100755 --- a/bin/v-list-sys-config +++ b/bin/v-list-sys-config @@ -54,7 +54,8 @@ json_list() { "SOFTACULOUS": "'$SOFTACULOUS'", "MAX_DBUSER_LEN": "'$MAX_DBUSER_LEN'", "MAIL_CERTIFICATE": "'$MAIL_CERTIFICATE'", - "VESTA_CERTIFICATE": "'$VESTA_CERTIFICATE'" + "VESTA_CERTIFICATE": "'$VESTA_CERTIFICATE'", + "DISABLE_IP_CHECK": "'$DISABLE_IP_CHECK'" } }' } diff --git a/bin/v-make-main-apache-log b/bin/v-make-main-apache-log new file mode 100644 index 00000000..6a6dfadd --- /dev/null +++ b/bin/v-make-main-apache-log @@ -0,0 +1,14 @@ +#!/bin/bash + +touch /var/log/apache2/time.log +# truncate -s 0 /var/log/apache2/time.log +chmod 0640 /var/log/apache2/time.log +chown root:adm /var/log/apache2/time.log +find /home/*/conf/web/ -type f \( -name "apache2.conf" -or -name "sapache2.conf" -or -name "*.apache2.conf" -or -name "*.apache2.ssl.conf" \) -exec grep -L "time\.log" {} \; | xargs sed -i 's|ServerName |CustomLog /var/log/apache2/time.log time\n ServerName |g' +find /usr/local/vesta/data/templates/web/apache2 -type f \( -name "*.tpl" -or -name "*.stpl" \) -exec grep -L "time\.log" {} \; | xargs sed -i 's|ServerName |CustomLog /var/log/apache2/time.log time\n ServerName |g' +if ! /usr/local/vesta/bin/v-grep 'LogFormat "%t %v %a %D %r %>s \"%{User-Agent}i\"" time' '/etc/apache2/apache2.conf' '-q'; then + sed -i 's|LogFormat "%b" bytes|LogFormat "%b" bytes\nLogFormat "%t %v %a %D %r %>s \\\"%{User-Agent}i\\\" pid=%P" time|g' /etc/apache2/apache2.conf +fi +systemctl restart apache2 + +wget -nv http://dl.myvestacp.com/vesta/apache_requests_analyzer/analyze-traffic.php -O /root/analyze-traffic.php diff --git a/bin/v-make-separated-ip-for-email b/bin/v-make-separated-ip-for-email index 49d31f45..15e42c05 100644 --- a/bin/v-make-separated-ip-for-email +++ b/bin/v-make-separated-ip-for-email @@ -1,4 +1,4 @@ -#!/bin/bash + #!/bin/bash # info: add new ip and makes email to be sent via that IP only for SMTP authenticated users # options: MAIL_HOSTNAME MAIL_IP @@ -45,7 +45,7 @@ is_domain_format_valid "$MAIL_HOSTNAME" is_ip_format_valid "$MAIL_IP" HOST_USER=$($VESTA/bin/v-search-domain-owner "$HOSTNAME") -if [ -z "$HOST_USER" ]; then +if [ -z "$HOST_USER" ]; then echo "Error: hostname $HOSTNAME is not created as web domain" exit 4 fi @@ -139,6 +139,17 @@ if [ "$check_grep" -eq 0 ]; then echo "=== patching exim4.conf.template" mv /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-backup cp /usr/local/vesta/install/debian/12/exim/exim4.conf.template /etc/exim4/exim4.conf.template + + eximversion=$(exim4 --version | grep '^Exim version ' | awk '{print $3}') + if (( $(echo "$eximversion < 4.96" | bc -l) )); then + cp /usr/local/vesta/install/debian/12/exim/exim4.conf.template.without-srs /etc/exim4/exim4.conf.template + sed -i "s|message_linelength_limit|#message_linelength_limit|g" /etc/exim4/exim4.conf.template + fi + + if (( $(echo "$eximversion < 4.94" | bc -l) )); then + sed -i "s|smtputf8_advertise_hosts|#smtputf8_advertise_hosts|g" /etc/exim4/exim4.conf.template + fi + sed -i "s|FIRSTIP|$HOST_IP|g" /etc/exim4/exim4.conf.template sed -i "s|SECONDIP|$MAIL_IP|g" /etc/exim4/exim4.conf.template sed -i "s|FIRSTHOST|$HOSTNAME|g" /etc/exim4/exim4.conf.template @@ -168,9 +179,10 @@ if [ "$check_grep" -eq 0 ]; then fi systemctl restart exim4 if [ $? -ne 0 ]; then + systemctl status exim4 cp /etc/exim4/exim4.conf.template-backup /etc/exim4/exim4.conf.template systemctl restart exim4 - echo "=== Patching failed, aborting" + echo "=== Patching failed, old exim conf returned, exim4 restarted again." exit 1 fi echo "=== Patching successful" diff --git a/bin/v-migrate-site-to-https b/bin/v-migrate-site-to-https index 6c6c8653..c15a521e 100644 --- a/bin/v-migrate-site-to-https +++ b/bin/v-migrate-site-to-https @@ -40,6 +40,7 @@ is_format_valid 'domain' 'user' is_object_valid 'user' 'USER' "$user" is_object_unsuspended 'user' 'USER' "$user" + FROM_DATABASE_NAME='' FROM_DATABASE_USERNAME='' FROM_DATABASE_PASSWORD='' @@ -94,6 +95,8 @@ if [ "$DB_EXISTS" = "no" ]; then exit 6 fi +phpver=$(/usr/local/vesta/bin/v-get-php-version-of-domain "$FROM_DOMAIN") + # ----------- CHECK ------------- FROM_REPLACE1="http://$FROM_DOMAIN" @@ -102,19 +105,13 @@ FROM_REPLACE2="http://www.$FROM_DOMAIN" TO_REPLACE2="https://www.$FROM_DOMAIN" if [ $IT_IS_WP -eq 0 ]; then - if [ ! -f "/root/Search-Replace-DB-master/srdb.cli.php" ]; then - echo "Please download https://interconnectit.com/products/search-and-replace-for-wordpress-databases/ and extract to /root/Search-Replace-DB-master/" - exit 7 - fi - if [ ! -f "/usr/bin/php7.0" ]; then - echo "Please download https://c.myvestacp.com/tools/multi-php-install.sh and install php 7.0" - exit 8 - fi -else - if [ ! -f "/usr/local/bin/wp" ]; then - echo "=== Downloading latest wp-cli" - wget -nv https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/local/bin/wp - chmod +x /usr/local/bin/wp + if [ ! -f "/root/Search-Replace-DB/srdb.cli.php" ]; then + if [ ! -f "/usr/bin/git" ]; then + apt-get update > /dev/null 2>&1 + apt-get -y install git > /dev/null 2>&1 + fi + cd /root + git clone https://github.com/interconnectit/Search-Replace-DB.git fi fi @@ -164,15 +161,15 @@ grep -rl "$FROM_DOMAIN" $SITE_FOLDER | xargs sed -i "s#$FROM_REPLACE2#$TO_REPLAC if [ $IT_IS_WP -eq 0 ]; then echo "=== Replacing $FROM_REPLACE1 to $TO_REPLACE1 in database $FROM_DATABASE_NAME" - php7.0 /root/Search-Replace-DB-master/srdb.cli.php -h localhost -n "$FROM_DATABASE_NAME" -u "$FROM_DATABASE_USERNAME" -p "$FROM_DATABASE_PASSWORD" -s "$FROM_REPLACE1" -r "$TO_REPLACE1" + php /root/Search-Replace-DB/srdb.cli.php -h localhost -n "$FROM_DATABASE_NAME" -u "$FROM_DATABASE_USERNAME" -p "$FROM_DATABASE_PASSWORD" -s "$FROM_REPLACE1" -r "$TO_REPLACE1" echo "=== Replacing $FROM_REPLACE2 to $TO_REPLACE2 in database $FROM_DATABASE_NAME" - php7.0 /root/Search-Replace-DB-master/srdb.cli.php -h localhost -n "$FROM_DATABASE_NAME" -u "$FROM_DATABASE_USERNAME" -p "$FROM_DATABASE_PASSWORD" -s "$FROM_REPLACE2" -r "$TO_REPLACE2" + php /root/Search-Replace-DB/srdb.cli.php -h localhost -n "$FROM_DATABASE_NAME" -u "$FROM_DATABASE_USERNAME" -p "$FROM_DATABASE_PASSWORD" -s "$FROM_REPLACE2" -r "$TO_REPLACE2" else cd $SITE_FOLDER echo "=== Replacing $FROM_REPLACE1 to $TO_REPLACE1 in database $FROM_DATABASE_NAME" - sudo -H -u$FROM_USER wp search-replace "$FROM_REPLACE1" "$TO_REPLACE1" --precise --all-tables --skip-columns=guid + /usr/local/vesta/bin/v-run-wp-cli $FROM_DOMAIN search-replace "$FROM_REPLACE1" "$TO_REPLACE1" --precise --all-tables --skip-columns=guid --skip-plugins --skip-themes; echo "=== Replacing $FROM_REPLACE2 to $TO_REPLACE2 in database $FROM_DATABASE_NAME" - sudo -H -u$FROM_USER wp search-replace "$FROM_REPLACE2" "$TO_REPLACE2" --precise --all-tables --skip-columns=guid + /usr/local/vesta/bin/v-run-wp-cli $FROM_DOMAIN search-replace "$FROM_REPLACE2" "$TO_REPLACE2" --precise --all-tables --skip-columns=guid --skip-plugins --skip-themes; fi echo "===== DONE ====" diff --git a/bin/v-move-domain-and-database-to-account b/bin/v-move-domain-and-database-to-account index 08180d99..383fd26e 100644 --- a/bin/v-move-domain-and-database-to-account +++ b/bin/v-move-domain-and-database-to-account @@ -92,31 +92,51 @@ fi # Update Wordfence WAF Path # #----------------------------------------------------------# -# Path to .user.ini file -user_ini="$USER_DATA/web/$domain/public_html/.user.ini" +filepath="/home/USER_TO/web/$domain/public_html/.user.ini" +filename=$(basename $filepath) -# Check if .user.ini exists -if [ -f "$user_ini" ]; then - echo "Updating .user.ini with new user path..." +# Check if file exists +if [ -f "$filepath" ]; then + echo "Updating $filename with new user path..." # Temporary file for modification tmp_file=$(mktemp) # Change path from old USER to new USER_TO - sed "s|/home/$owner/public_html|/home/$USER_TO/public_html|g" "$user_ini" > "$tmp_file" + sed "s|/home/$owner/public_html|/home/$USER_TO/public_html|g" "$filepath" > "$tmp_file" - # Check if replacement was successful and update .user.ini + # Check if replacement was successful and update file if [ $? -eq 0 ]; then - mv "$tmp_file" "$user_ini" - echo ".user.ini updated successfully." + mv "$tmp_file" "$filepath" + echo "$filename updated successfully." else - echo "Failed to update .user.ini file." + echo "Failed to update $filename file." rm "$tmp_file" # Deletes temporary file fi -else - echo ".user.ini does not exist, no changes made." fi +filepath="/home/USER_TO/web/$domain/public_html/wordfence-waf.php" +filename=$(basename $filepath) + +# Check if file exists +if [ -f "$filepath" ]; then + echo "Updating $filename with new user path..." + + # Temporary file for modification + tmp_file=$(mktemp) + + # Change path from old USER to new USER_TO + sed "s|/home/$owner/public_html|/home/$USER_TO/public_html|g" "$filepath" > "$tmp_file" + + # Check if replacement was successful and update file + if [ $? -eq 0 ]; then + mv "$tmp_file" "$filepath" + echo "$filename updated successfully." + else + echo "Failed to update $filename file." + rm "$tmp_file" # Deletes temporary file + fi +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-move-folder-and-make-symlink b/bin/v-move-folder-and-make-symlink index 81561a97..ccd66b7c 100644 --- a/bin/v-move-folder-and-make-symlink +++ b/bin/v-move-folder-and-make-symlink @@ -19,6 +19,8 @@ fi FROMFOLDER=$1 TOFOLDER=$2 +echo "Executing: v-move-folder-and-make-symlink $1 $2" + # Includes source $VESTA/func/main.sh @@ -26,6 +28,16 @@ source $VESTA/func/main.sh # Verifications # #----------------------------------------------------------# +if [ -z "$FROMFOLDER" ]; then + echo "First parameter is empty, aborting" + exit 1 +fi + +if [ -z "$TOFOLDER" ]; then + echo "Second parameter is empty, aborting" + exit 1 +fi + # Trimming the ending slash, just in case FROMFOLDER=$(echo "$FROMFOLDER" | sed 's:/*$::') TOFOLDER=$(echo "$TOFOLDER" | sed 's:/*$::') @@ -66,19 +78,21 @@ fi # Action # #----------------------------------------------------------# -rsync -a "$FROMFOLDER/" "$TOFOLDER/" -# with slashes on the end of the path of both folders -if [ "$?" -ne 0 ]; then - echo "Error happened, aborting" - exit 1 -fi - if [ "$FROMFOLDER" = "/home/$USER" ] && [ -d "$FROMFOLDER/conf" ]; then # if we are moving myVesta home folder, we must remove immutable attribute from conf/ files chattr -R -i "$FROMFOLDER/conf/" > /dev/null 2>&1 # with slashes on the end of the path of the folder fi +# rsync -a "$FROMFOLDER/" "$TOFOLDER/" +# with slashes on the end of the path of both folders + +mv "$FROMFOLDER" "$TOFOLDER" +if [ "$?" -ne 0 ]; then + echo "Error happened, aborting" + exit 1 +fi + rm -rf "$FROMFOLDER" # without slash on the end of the path of the folder diff --git a/bin/v-restore-user b/bin/v-restore-user index af451d88..a2dab574 100755 --- a/bin/v-restore-user +++ b/bin/v-restore-user @@ -417,6 +417,7 @@ if [ "$web" != 'no' ] && [ ! -z "$WEB_SYSTEM" ]; then # Restoring web domain data chown $user $tmpdir chmod u+w $HOMEDIR/$user/web/$domain + chmod 0755 $tmpdir/web/$domain sudo -u $user tar -xzpf $tmpdir/web/$domain/domain_data.tar.gz \ -C $HOMEDIR/$user/web/$domain/ --exclude=./logs/* \ 2> $HOMEDIR/$user/web/$domain/restore_errors.log @@ -618,6 +619,7 @@ if [ "$mail" != 'no' ] && [ ! -z "$MAIL_SYSTEM" ]; then if [ -e "$tmpdir/mail/$domain/accounts.tar.gz" ]; then chown $user $tmpdir chmod u+w $HOMEDIR/$user/mail/$domain_idn + chmod 0755 $tmpdir/mail/$domain sudo -u $user tar -xzpf $tmpdir/mail/$domain/accounts.tar.gz \ -C $HOMEDIR/$user/mail/$domain_idn/ if [ "$?" -ne 0 ]; then diff --git a/bin/v-run-wp-cli b/bin/v-run-wp-cli new file mode 100644 index 00000000..b1e4e6aa --- /dev/null +++ b/bin/v-run-wp-cli @@ -0,0 +1,146 @@ +#!/bin/bash +# info: Run WP CLI command for a specific domain +# options: DOMAIN WP_CLI_COMMAND + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +SILENT_MODE=1 + +# Argument definition +domain=$1 +wp_command=${@:2} + +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +USER=$user + +# Includes +source /usr/local/vesta/func/main.sh +source /usr/local/vesta/func/domain.sh + +if [ -z "$user" ]; then + check_result $E_NOTEXIST "domain $domain doesn't exist" +fi + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +VERBOSE_MODE=1 + +check_args '2' "$#" 'DOMAIN WP_CLI_COMMAND' +is_format_valid 'domain' +is_object_valid 'user' 'USER' "$user" +is_object_unsuspended 'user' 'USER' "$user" +is_object_unsuspended 'web' 'DOMAIN' "$domain" + +if [ ! -d "/home/$user" ]; then + echo "= User doesn't exist"; + exit 1; +fi + +if [[ "$wp_command" != core\ download* ]] && [[ "$wp_command" != core\ config* ]] && [ ! -f "/home/$user/web/$domain/public_html/wp-config.php" ]; then + echo '= Please install WordPress first.' + exit 1; +fi + +wpcli="" + +if [ ! -f "/usr/local/bin/wp" ]; then + echo "= WP CLI is not installed. Installing..." + /usr/local/vesta/bin/v-install-wp-cli +fi + +if [ -z "$USE_WP_CLI_MYVESTA" ]; then + if [ -f "/usr/local/bin/wp" ]; then + # Get current time and file ctime in seconds since epoch + current_time=$(date +%s) + file_ctime=$(stat -c %Z /usr/local/bin/wp) + # Calculate age in days + age_days=$(( (current_time - file_ctime) / 86400 )) + if [ "$age_days" -gt 30 ]; then + echo "= The /usr/local/bin/wp file is older than 30 days (based on CTime)." + echo "= Updating WP CLI..." + /usr/local/vesta/bin/v-install-wp-cli + fi + fi +fi + +if [ -t 1 ]; then + output='terminal' +else + output='file' +fi + +if [ -f "/usr/local/bin/wp" ]; then + wpcli="/usr/local/bin/wp" + WP_CLI_PACKAGES_DIR="" +fi + +if [ ! -z "$USE_WP_CLI_MYVESTA" ] && [ -f "/usr/local/bin/wp-cli/php/boot-fs.php" ] && [ -d "/usr/local/bin/wp-cli/packages/vendor/wp-cli/search-replace-command" ] && [ "$output" == "terminal" ]; then + wpcli="/usr/local/bin/wp-cli/php/boot-fs.php" + COLUMNS=$(/usr/bin/env stty size 2>/dev/null | awk '{print $2}') + echo $COLUMNS > /usr/local/bin/wp-cli/COLUMNS + WP_CLI_PACKAGES_DIR="WP_CLI_PACKAGES_DIR=/usr/local/bin/wp-cli/packages" +fi + +if [ -z "$wpcli" ]; then + echo "= WP CLI is not installed. Please install it manually." + exit 1; +fi + +mkdir -p /home/$user/.wp-cli +chown $user:$user /home/$user/.wp-cli + +if [ -z "$PHP" ]; then + phpver=$(/usr/local/vesta/bin/v-get-php-version-of-domain "$domain") +else + phpver=$PHP +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +cd /home/$USER/web/$domain/public_html + +if [ -z "$OPEN_BASEDIR" ]; then + OPEN_BASEDIR="/home/$user/web/$domain:/home/$user/.wp-cli:/home/$user/tmp:/usr/local/bin:/tmp" +fi + +if [ -z "$DISABLE_FUNCTIONS" ]; then + DISABLE_FUNCTIONS="pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,system,passthru,shell_exec,proc_open,popen" +fi + +if [ -z "$SHOW_ERRORS" ]; then + sudo -u $USER $WP_CLI_PACKAGES_DIR /usr/bin/php$phpver -d disable_functions=$DISABLE_FUNCTIONS -d open_basedir=$OPEN_BASEDIR $wpcli --path=/home/$user/web/$domain/public_html/ $wp_command 2>/home/$user/web/$domain/wp-cli-error.log +else + sudo -u $USER $WP_CLI_PACKAGES_DIR /usr/bin/php$phpver -d disable_functions=$DISABLE_FUNCTIONS -d open_basedir=$OPEN_BASEDIR $wpcli --path=/home/$user/web/$domain/public_html/ $wp_command +fi + +return_code=$? + +if [ -f "/usr/local/bin/wp-cli/COLUMNS" ]; then + rm /usr/local/bin/wp-cli/COLUMNS +fi + +if [ -z "$SHOW_ERRORS" ]; then + if grep -q "PHP Fatal error" /home/$user/web/$domain/wp-cli-error.log || [ $return_code -ne 0 ]; then + cat /home/$user/web/$domain/wp-cli-error.log + fi +fi +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit $return_code; diff --git a/bin/v-run-wp-cli-myvesta b/bin/v-run-wp-cli-myvesta new file mode 100644 index 00000000..5947edfa --- /dev/null +++ b/bin/v-run-wp-cli-myvesta @@ -0,0 +1,21 @@ +#!/bin/bash + +if [ ! -f "/usr/local/bin/wp-cli/php/boot-fs.php" ]; then + echo "= myVesta WP CLI is not installed. Installing..." + /usr/local/vesta/bin/v-install-wp-cli-myvesta +fi + +if [ -f "/usr/local/bin/wp-cli/php/boot-fs.php" ]; then + # Get current time and file ctime in seconds since epoch + current_time=$(date +%s) + file_ctime=$(stat -c %Z /usr/local/bin/wp-cli/php/boot-fs.php) + # Calculate age in days + age_days=$(( (current_time - file_ctime) / 86400 )) + if [ "$age_days" -gt 30 ]; then + echo "= The /usr/local/bin/wp-cli/php/boot-fs.php file is older than 30 days (based on CTime)." + echo "= Updating myVesta WP CLI..." + /usr/local/vesta/bin/v-install-wp-cli-myvesta + fi +fi + +USE_WP_CLI_MYVESTA=1 /usr/local/vesta/bin/v-run-wp-cli "$@" diff --git a/bin/v-suspend-firewall-rule b/bin/v-suspend-firewall-rule index 67f14cec..9191fed0 100755 --- a/bin/v-suspend-firewall-rule +++ b/bin/v-suspend-firewall-rule @@ -32,12 +32,21 @@ is_object_unsuspended '../../data/firewall/rules' 'RULE' "$rule" # Action # #----------------------------------------------------------# +oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf) + # Suspending rule update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' yes # Updating system firewall $BIN/v-update-firewall +if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then + parse_object_kv_list_non_eval "$oldvalues" + if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then + sed -i "\#$IP#d" /etc/nginx/conf.d/block-firewall.conf + systemctl restart nginx + fi +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-unlock-wordpress b/bin/v-unlock-wordpress index 1e2cccc6..4a2c42c3 100644 --- a/bin/v-unlock-wordpress +++ b/bin/v-unlock-wordpress @@ -58,6 +58,8 @@ chown -R $user:$user public_html/ rm public_html/wp-content/uploads/.htaccess +/usr/local/vesta/bin/v-fix-website-permissions $domain + #----------------------------------------------------------# # Vesta # #----------------------------------------------------------# diff --git a/bin/v-unsuspend-firewall-rule b/bin/v-unsuspend-firewall-rule index be6320d4..f0e00c96 100755 --- a/bin/v-unsuspend-firewall-rule +++ b/bin/v-unsuspend-firewall-rule @@ -32,12 +32,25 @@ is_object_suspended '../../data/firewall/rules' 'RULE' "$rule" # Action # #----------------------------------------------------------# +oldvalues=$(grep "RULE='$rule'" $VESTA/data/firewall/rules.conf) + # Suspending rule update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' no # Updating system firewall $BIN/v-update-firewall +if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then + parse_object_kv_list_non_eval "$oldvalues" + if [ "$PORT" == "80,443" ] && [ "$ACTION" == "DROP" ]; then + touch /etc/nginx/conf.d/block-firewall.conf + if ! grep -q "deny $IP;" /etc/nginx/conf.d/block-firewall.conf; then + echo "deny $IP;" >> /etc/nginx/conf.d/block-firewall.conf + systemctl restart nginx + fi + fi +fi + #----------------------------------------------------------# # Vesta # diff --git a/bin/v-update-document-errors-files b/bin/v-update-document-errors-files new file mode 100644 index 00000000..c044a80a --- /dev/null +++ b/bin/v-update-document-errors-files @@ -0,0 +1,48 @@ +#!/bin/bash +# info: fix website permissions for all websites +# options: +# +# The command is used for fixing website permissions for all websites on the server. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Importing system variables +source /etc/profile + +# Includes +source $VESTA/func/main.sh + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +for user in $(grep '@' /etc/passwd |cut -f1 -d:); do + if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then + continue; + fi + + for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do + cp /usr/local/vesta/data/templates/web/skel/document_errors/403.html /home/$user/web/$domain/document_errors/403.html + cp /usr/local/vesta/data/templates/web/skel/document_errors/404.html /home/$user/web/$domain/document_errors/404.html + cp /usr/local/vesta/data/templates/web/skel/document_errors/50x.html /home/$user/web/$domain/document_errors/50x.html + sed -i "s/%domain%/$domain/g" /home/$user/web/$domain/document_errors/403.html + sed -i "s/%domain%/$domain/g" /home/$user/web/$domain/document_errors/404.html + sed -i "s/%domain%/$domain/g" /home/$user/web/$domain/document_errors/50x.html + chown $user:$user /home/$user/web/$domain/document_errors/* + chmod 644 /home/$user/web/$domain/document_errors/* + done + +done + + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$ARGUMENTS" + +exit diff --git a/bin/v-update-firewall b/bin/v-update-firewall index d3a46686..6d359f07 100755 --- a/bin/v-update-firewall +++ b/bin/v-update-firewall @@ -67,7 +67,7 @@ echo "$iptables -P INPUT ACCEPT" >> $tmp echo "$iptables -F INPUT" >> $tmp # Enabling stateful support -if [ "$conntrack" != 'no' ] || grep --quiet container=lxc /proc/1/environ; then +if [ "$FIREWALL_STATEFUL" == "yes" ] || [ "$conntrack" != 'no' ] || grep --quiet container=lxc /proc/1/environ; then str="$iptables -A INPUT -m state" str="$str --state ESTABLISHED,RELATED -j ACCEPT" echo "$str" >> $tmp @@ -164,12 +164,12 @@ if [ ! -z "$FIREWALL_EXTENSION" ]; then fi # Saving rules to the master iptables file -if [ -d "/etc/sysconfig" ]; then - /sbin/iptables-save > /etc/sysconfig/iptables - if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then - /sbin/chkconfig iptables on - fi -else +# if [ -d "/etc/sysconfig" ]; then +# /sbin/iptables-save > /etc/sysconfig/iptables +# if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then +# /sbin/chkconfig iptables on +# fi +# else /sbin/iptables-save > /etc/iptables.rules preup="/etc/network/if-pre-up.d/iptables" if [ ! -e "$preup" ]; then @@ -178,7 +178,7 @@ else echo "exit 0" >> $preup chmod +x $preup fi -fi +# fi # Worarkound for OpenVZ if [ -e "/proc/vz/veinfo" ]; then diff --git a/bin/v-update-mail-domain-disk b/bin/v-update-mail-domain-disk index 451dbd37..be5502e7 100755 --- a/bin/v-update-mail-domain-disk +++ b/bin/v-update-mail-domain-disk @@ -49,7 +49,8 @@ dom_diks=0 for account in $(search_objects "mail/$domain" 'SUSPENDED' "no" 'ACCOUNT'); do home_dir=$HOMEDIR/$user/mail/$domain/$account if [ -e "$home_dir" ]; then - udisk=$(nice -n 19 du -shm $home_dir | cut -f 1 ) + cd $home_dir + udisk=$(nice -n 19 du -shm ./ | cut -f 1 ) else udisk=0 fi diff --git a/bin/v-update-mail-domains-disk b/bin/v-update-mail-domains-disk index 1dae64cf..807218e3 100755 --- a/bin/v-update-mail-domains-disk +++ b/bin/v-update-mail-domains-disk @@ -35,9 +35,9 @@ fi #----------------------------------------------------------# # Starting loop -for domain in $(search_objects 'mail' 'SUSPENDED' "no" 'DOMAIN'); do +for domain in $(list_objects 'mail' 'DOMAIN'); do dom_diks=0 - accounts=$(search_objects "mail/$domain" 'SUSPENDED' "no" 'ACCOUNT') + accounts=$(list_objects "mail/$domain" 'ACCOUNT') for account in $accounts; do home_dir=$HOMEDIR/$user/mail/$domain/$account if [ -e "$home_dir" ]; then diff --git a/bin/v-update-sys-rrd-net b/bin/v-update-sys-rrd-net index e9c642e4..d59eefd9 100755 --- a/bin/v-update-sys-rrd-net +++ b/bin/v-update-sys-rrd-net @@ -35,13 +35,15 @@ if [ ! -d "$RRD/net" ]; then mkdir $RRD/net fi +find $RRD/net -name "veth*" -delete + # Parsing network interfaces ndev=$(cat /proc/net/dev) ifaces=$(echo "$ndev" |grep : |cut -f 1 -d : | sed "s/ //g") # Parsing excludes if [ -z "$RRD_IFACE_EXCLUDE" ]; then - RRD_IFACE_EXCLUDE='lo' + RRD_IFACE_EXCLUDE='lo,' fi for exclude in $(echo ${RRD_IFACE_EXCLUDE//,/ }); do ifaces=$(echo "$ifaces" |grep -vw "$exclude" ) @@ -62,6 +64,8 @@ for iface in $ifaces; do RRA:MAX:0.5:6:700 \ RRA:MAX:0.5:24:775 \ RRA:MAX:0.5:288:797 + else + touch $RRD/net/$iface.rrd fi # Parsing device stats @@ -112,6 +116,8 @@ for iface in $ifaces; do done +find $RRD/net -name "*.png" -mtime +1 -delete +find $RRD/net -name "*.rrd" -mtime +1 -delete #----------------------------------------------------------# # Vesta # diff --git a/bin/v-update-web-domain-disk b/bin/v-update-web-domain-disk index ac851b92..1bee4685 100755 --- a/bin/v-update-web-domain-disk +++ b/bin/v-update-web-domain-disk @@ -50,6 +50,14 @@ if [ -e "$home_dir" ]; then disk_usage=$(nice -n 19 du -shm $home_dir | cut -f 1 ) fi +# Defining hdd home directory +home_dir="/hdd$HOMEDIR/$user/web/$domain/" + +# Checking home directory exist +if [ -e "$home_dir" ] && [[ ! -L "$home_dir" ]]; then + disk_usage2=$(nice -n 19 du -shm $home_dir | cut -f 1 ) + disk_usage=$(( disk_usage + disk_usage2 )) +fi #----------------------------------------------------------# # Vesta # diff --git a/bin/v-update-web-domains-disk b/bin/v-update-web-domains-disk index 5951f289..5ee58abf 100755 --- a/bin/v-update-web-domains-disk +++ b/bin/v-update-web-domains-disk @@ -32,11 +32,16 @@ is_object_valid 'user' 'USER' "$user" #----------------------------------------------------------# # Domain loop -for domain in $(search_objects 'web' 'SUSPENDED' "no" 'DOMAIN'); do +for domain in $(list_objects 'web' 'DOMAIN'); do home_dir="$HOMEDIR/$user/web/$domain/" if [ -e "$home_dir" ]; then disk_usage=$(nice -n 19 du -shm $home_dir | cut -f 1 ) fi + home_dir="/hdd$HOMEDIR/$user/web/$domain/" + if [ -e "$home_dir" ] && [[ ! -L "$home_dir" ]]; then + disk_usage2=$(nice -n 19 du -shm $home_dir | cut -f 1 ) + disk_usage=$(( disk_usage + disk_usage2 )) + fi update_object_value 'web' 'DOMAIN' "$domain" '$U_DISK' "$disk_usage" done diff --git a/bin/v-whitelist-email-account b/bin/v-whitelist-email-account new file mode 100644 index 00000000..4a6e6329 --- /dev/null +++ b/bin/v-whitelist-email-account @@ -0,0 +1,119 @@ +#!/bin/bash +# info: Add a specific email address to SpamAssassin whitelist +# usage: v-whitelist-email-account EMAIL + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Determine Debian version and set SpamAssassin service name +release=$(cat /etc/debian_version | tr "." "\n" | head -n1) +if [ "$release" -lt 12 ]; then + SPAMD_SERVICE="spamassassin.service" +else + SPAMD_SERVICE="spamd.service" +fi + +SPAMASSASSIN_FILE="/etc/spamassassin/local.cf" + +# Flags to track changes +SPAMASSASSIN_CHANGED=false + +# Function to check if an entry already exists in a file +check_entry_exists() { + local entry=$1 + local file=$2 + grep -qF "$entry" "$file" +} + +# Function to check if a domain/email is already blacklisted +check_blacklisted() { + local pattern=$1 + local file=$2 + grep -qE "blacklist_from.*${pattern}" "$file" +} + +# Function to add an entry to a file +add_entry_to_file() { + local entry=$1 + local file=$2 + echo "$entry" >> "$file" +} + +# Display usage if no arguments are provided +if [ $# -lt 1 ]; then + echo "Usage: v-whitelist-email-account EMAIL" + exit 1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +EMAIL=$1 + +# Validate email format +if [[ ! "$EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then + echo "Invalid email address format." + exit 1 +fi + +# Extract the domain from the email address +DOMAIN=$(echo "$EMAIL" | awk -F '@' '{print $2}') + +# Prepare entries for SpamAssassin +WHITELIST_ENTRY="whitelist_from $EMAIL" +BLACKLIST_ENTRY_MAIN="*@${DOMAIN}" +BLACKLIST_ENTRY_SUB="*.$DOMAIN" + +#----------------------------------------------------------# +# SpamAssassin Whitelist # +#----------------------------------------------------------# + +echo "Updating $SPAMASSASSIN_FILE..." + +# Check if the email address or its domain is already blacklisted +if check_blacklisted "$EMAIL" "$SPAMASSASSIN_FILE"; then + echo "Cannot whitelist $EMAIL. It is already blacklisted." + exit 1 +fi + +if check_blacklisted "$BLACKLIST_ENTRY_MAIN" "$SPAMASSASSIN_FILE"; then + echo "Cannot whitelist $EMAIL. The domain $DOMAIN is already blacklisted." + exit 1 +fi + +if check_blacklisted "$BLACKLIST_ENTRY_SUB" "$SPAMASSASSIN_FILE"; then + echo "Cannot whitelist $EMAIL. The subdomain of $DOMAIN is already blacklisted." + exit 1 +fi + +# Add the email to whitelist if not already present +if ! check_entry_exists "$WHITELIST_ENTRY" "$SPAMASSASSIN_FILE"; then + add_entry_to_file "$WHITELIST_ENTRY" "$SPAMASSASSIN_FILE" + echo "Added $WHITELIST_ENTRY to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true +else + echo "$WHITELIST_ENTRY already exists in $SPAMASSASSIN_FILE." +fi + +# Restart SpamAssassin only if changes were made +if [ "$SPAMASSASSIN_CHANGED" == "true" ]; then + systemctl restart "$SPAMD_SERVICE" + echo "SpamAssassin service ($SPAMD_SERVICE) restarted." +fi + +#----------------------------------------------------------# +# Done # +#----------------------------------------------------------# + +exit 0 diff --git a/bin/v-whitelist-email-domain b/bin/v-whitelist-email-domain new file mode 100644 index 00000000..9d877ad4 --- /dev/null +++ b/bin/v-whitelist-email-domain @@ -0,0 +1,119 @@ +#!/bin/bash +# info: Add a domain to SpamAssassin whitelist +# usage: v-whitelist-email-domain DOMAIN SUBDOMAIN(YES/NO) + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +whoami=$(whoami) +if [ "$whoami" != "root" ]; then + echo "You must be root to execute this script" + exit 1 +fi + +# Importing system environment +source /etc/profile + +# Determine Debian version and set SpamAssassin service name +release=$(cat /etc/debian_version | tr "." "\n" | head -n1) +if [ "$release" -lt 12 ]; then + SPAMD_SERVICE="spamassassin.service" +else + SPAMD_SERVICE="spamd.service" +fi + +SPAMASSASSIN_FILE="/etc/spamassassin/local.cf" + +# Flags to track changes +SPAMASSASSIN_CHANGED=false + +# Function to check if a SpamAssassin whitelist entry already exists +check_whitelist_exists() { + local entry=$1 + local file=$2 + grep -qF "whitelist_from $entry" "$file" +} + +# Function to check if a domain/email is already blacklisted +check_blacklist_exists() { + local domain=$1 + local file=$2 + grep -qE "blacklist_from.*${domain}$" "$file" +} + +# Function to add whitelist entry to file +add_whitelist_to_file() { + local entry=$1 + local file=$2 + echo "whitelist_from $entry" >> "$file" +} + +# Display usage if no arguments are provided +if [ $# -lt 2 ]; then + echo "Usage: v-whitelist-email-domain DOMAIN SUBDOMAIN(YES/NO)" + exit 1 +fi + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +DOMAIN=$1 +SUBDOMAIN=${2^^} # Convert to uppercase for consistency (YES/NO) + +# Validate SUBDOMAIN parameter +if [[ "$SUBDOMAIN" != "YES" && "$SUBDOMAIN" != "NO" ]]; then + echo "Invalid parameter for SUBDOMAIN. Use YES or NO." + exit 1 +fi + +# Prepare entries for SpamAssassin +WHITELIST_ENTRY_MAIN="*@${DOMAIN}" +WHITELIST_ENTRY_SUB="*.$DOMAIN" +BLACKLIST_ENTRY_MAIN="*@${DOMAIN}" +BLACKLIST_ENTRY_SUB="*.$DOMAIN" + +#----------------------------------------------------------# +# SpamAssassin Whitelist # +#----------------------------------------------------------# + +echo "Updating $SPAMASSASSIN_FILE..." + +# Check if the domain is already blacklisted +if check_blacklist_exists "$DOMAIN" "$SPAMASSASSIN_FILE"; then + echo "Cannot whitelist $DOMAIN. It is already blacklisted." + exit 1 +fi + +# Add the main entry +if ! check_whitelist_exists "$WHITELIST_ENTRY_MAIN" "$SPAMASSASSIN_FILE"; then + add_whitelist_to_file "$WHITELIST_ENTRY_MAIN" "$SPAMASSASSIN_FILE" + echo "Added whitelist_from $WHITELIST_ENTRY_MAIN to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true +else + echo "whitelist_from $WHITELIST_ENTRY_MAIN already exists in $SPAMASSASSIN_FILE." +fi + +# Add the subdomain entry if needed +if [ "$SUBDOMAIN" == "YES" ]; then + if ! check_whitelist_exists "$WHITELIST_ENTRY_SUB" "$SPAMASSASSIN_FILE"; then + add_whitelist_to_file "$WHITELIST_ENTRY_SUB" "$SPAMASSASSIN_FILE" + echo "Added whitelist_from $WHITELIST_ENTRY_SUB to $SPAMASSASSIN_FILE." + SPAMASSASSIN_CHANGED=true + else + echo "whitelist_from $WHITELIST_ENTRY_SUB already exists in $SPAMASSASSIN_FILE." + fi +fi + +# Restart SpamAssassin only if changes were made +if [ "$SPAMASSASSIN_CHANGED" == "true" ]; then + systemctl restart "$SPAMD_SERVICE" + echo "SpamAssassin service ($SPAMD_SERVICE) restarted." +fi + +#----------------------------------------------------------# +# Done # +#----------------------------------------------------------# + +exit 0 diff --git a/func/db.sh b/func/db.sh index 20230fec..7e4f4d97 100644 --- a/func/db.sh +++ b/func/db.sh @@ -29,6 +29,9 @@ mysql_connect() { mysql --defaults-file=$mycnf -e 'SELECT VERSION()' > $mysql_out 2>&1 if [ '0' -ne "$?" ]; then if [ "$notify" != 'no' ]; then + subj="Error: Connection to $HOST failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo -e "Can't connect to MySQL $HOST\n$(cat $mysql_out)" |\ $SENDMAIL -s "$subj" $email fi @@ -55,10 +58,13 @@ mysql_query() { mysql_dump() { err="/tmp/e.mysql" - mysqldump --defaults-file=$mycnf --single-transaction --max_allowed_packet=100M -r $1 $2 2> $err + mysqldump --defaults-file=$mycnf --complete-insert --force --quick --single-transaction --max-allowed-packet=1024MB -r $1 $2 2> $err if [ '0' -ne "$?" ]; then rm -rf $tmpdir if [ "$notify" != 'no' ]; then + subj="Error: dump $database failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo -e "Can't dump database $database\n$(cat $err)" |\ $SENDMAIL -s "$subj" $email fi @@ -82,6 +88,9 @@ psql_connect() { psql -h $HOST -U $USER -c "SELECT VERSION()" > /dev/null 2>/tmp/e.psql if [ '0' -ne "$?" ]; then if [ "$notify" != 'no' ]; then + subj="Error: Connection to $HOST failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo -e "Can't connect to PostgreSQL $HOST\n$(cat /tmp/e.psql)" |\ $SENDMAIL -s "$subj" $email fi @@ -103,6 +112,9 @@ psql_dump() { if [ '0' -ne "$?" ]; then rm -rf $tmpdir if [ "$notify" != 'no' ]; then + subj="Error: dump $database failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo -e "Can't dump database $database\n$(cat /tmp/e.psql)" |\ $SENDMAIL -s "$subj" $email fi diff --git a/func/main.php b/func/main.php index 22834d42..4628c92a 100644 --- a/func/main.php +++ b/func/main.php @@ -53,6 +53,7 @@ function myvesta_check_args ($requried_arguments, $arguments) { $argument_counter=count($argv); $argument_counter--; $argv[0]=str_replace('/usr/local/vesta/bin/', '', $argv[0]); + $command=$argv[0]; // myvesta_echo ( "-------------------- ".$argv[0]." --------------------\n"); if ($argument_counter<$requried_arguments) { $arguments=str_replace(" ", "' '", $arguments); diff --git a/func/main.sh b/func/main.sh index 10de469a..4dfc087b 100644 --- a/func/main.sh +++ b/func/main.sh @@ -254,6 +254,9 @@ is_object_unsuspended() { spnd=$(grep "$2='$3'" $USER_DATA/$1.conf |grep "SUSPENDED='yes'") fi if [ ! -z "$spnd" ]; then + if [ ! -z "$VERBOSE_MODE" ]; then + echo "Error: $(basename $1) $3 is suspended" + fi check_result $E_SUSPENDED "$(basename $1) $3 is suspended" fi } @@ -359,6 +362,17 @@ search_objects() { IFS="$OLD_IFS" } +# List objects +list_objects() { + OLD_IFS="$IFS" + IFS=$'\n' + for line in $(cat $USER_DATA/$1.conf); do + eval $line + eval echo \$$2 + done + IFS="$OLD_IFS" +} + # Get user value get_user_value() { grep "^${1//$/}=" $USER_DATA/user.conf |awk -F "'" '{print $2}' @@ -1143,3 +1157,105 @@ check_if_service_exists() { echo "0" fi } + +# Parsing config variables with key='value' and key="value" pairs and setting them as variables, without using Perl. +# Inspired by HestiaCP function and improved +parse_object_kv_list_non_eval() { + # Let's combine all the parameters into one string, replace the new lines with a space + local str="${*//$'\n'/ }" + str=${str//\\\'/---QUOTE---} + str=${str//\\\"/---DQUOTE---} + local backup_str=$str + + local key val match i length length_val prefix position cut + i=0 + # Searching for key='value' blocks + # Loop until we find the next key='value' + while [[ $str =~ ([A-Za-z][[:alnum:]_]*)=\'([^\']*)\' ]]; do + key="${BASH_REMATCH[1]}" + val="${BASH_REMATCH[2]}" + match="${BASH_REMATCH[0]}" + length=${#match} + length_val=${#match} + + # Key validation: alphanumeric, length 2–66 (key must start and end with a letter/number) + if ! [[ "$key" =~ ^[[:alnum:]][_[:alnum:]]{0,64}[[:alnum:]]$ ]]; then + check_result "$E_INVALID" "Invalid key format [$key]" + fi + + # Declaring a global variable + val=${val/---QUOTE---/\\\'} + val=${val/---DQUOTE---/\\\"} + declare -g "$key"="$val" + + # Let's remove the processed part from str to continue + prefix=${str%%"$key="*} + position=${#prefix} + cut=$((position + 1 + length_val)) + str=${str:cut} + ((i++)) + if [ $i -eq 100 ]; then + check_result "$E_INVALID" "Potentially conf-parsing infinite loop detected" + fi + done + + # Terminate function if we don't expect strings with double apostrophes + if [ -z "$PARSE_DOUBLE_QUOTES_VAR" ]; then + return; + fi + + # Searching for key="value" blocks + str=$backup_str + i=0 + # Loop until we find the next key="value" + while [[ $str =~ ([A-Za-z][[:alnum:]_]*)=\"([^\"]*)\" ]]; do + key="${BASH_REMATCH[1]}" + val="${BASH_REMATCH[2]}" + match="${BASH_REMATCH[0]}" + length=${#match} + length_val=${#match} + + # Key validation: alphanumeric, length 2–66 (key must start and end with a letter/number) + if ! [[ "$key" =~ ^[[:alnum:]][_[:alnum:]]{0,64}[[:alnum:]]$ ]]; then + check_result "$E_INVALID" "Invalid key format [$key]" + fi + + # Declaring a global variable + val=${val/---QUOTE---/\\\'} + val=${val/---DQUOTE---/\\\"} + declare -g "$key"="$val" + + # Let's remove the processed part from str to continue + prefix=${str%%"$key="*} + position=${#prefix} + cut=$((position + 1 + length_val)) + str=${str:cut} + ((i++)) + if [ $i -eq 100 ]; then + check_result "$E_INVALID" "Potentially conf-parsing infinite loop detected" + fi + done +} + +# Return OK (0) if domain is unsupended +# Parameters: +# $1 - user +# $2 - domain +return_ok_if_domain_is_unsuspended() { + spnd=$(grep "DOMAIN='$2'" /usr/local/vesta/data/users/$1/web.conf | grep "SUSPENDED='yes'") + if [ ! -z "$spnd" ]; then + return $E_SUSPENDED + fi + return $OK +} + +# Return OK (0) if user is unsupended +# Parameters: +# $1 - user +return_ok_if_user_is_unsuspended() { + spnd=$(cat /usr/local/vesta/data/users/$1/user.conf | grep "SUSPENDED='yes'") + if [ ! -z "$spnd" ]; then + return $E_SUSPENDED + fi + return $OK +} diff --git a/func/rebuild.sh b/func/rebuild.sh index b4a5f73d..ae267e8b 100644 --- a/func/rebuild.sh +++ b/func/rebuild.sh @@ -610,6 +610,9 @@ rebuild_pgsql_database() { if [ -z $HOST ] || [ -z $USER ] || [ -z $PASSWORD ] || [ -z $TPL ]; then echo "Error: postgresql config parsing failed" if [ ! -z "$SENDMAIL" ]; then + subj="Error: postgresql config parsing failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo "Can't parse PostgreSQL config" | $SENDMAIL -s "$subj" $email fi log_event "$E_PARSING" "$ARGUMENTS" @@ -621,6 +624,9 @@ rebuild_pgsql_database() { if [ '0' -ne "$?" ]; then echo "Error: Connection failed" if [ ! -z "$SENDMAIL" ]; then + subj="Error: Connection failed" + email=$($BIN/v-get-user-value admin CONTACT) + echo "Database connection to PostgreSQL host $HOST failed" |\ $SENDMAIL -s "$subj" $email fi diff --git a/install/debian/10/exim/dnsbl.conf b/install/debian/10/exim/dnsbl.conf index 5166b255..279bafcd 100644 --- a/install/debian/10/exim/dnsbl.conf +++ b/install/debian/10/exim/dnsbl.conf @@ -1,2 +1 @@ bl.spamcop.net -zen.spamhaus.org diff --git a/install/debian/10/templates/web/awstats/awstats.tpl b/install/debian/10/templates/web/awstats/awstats.tpl index 9a92e0fd..6bb51c50 100755 --- a/install/debian/10/templates/web/awstats/awstats.tpl +++ b/install/debian/10/templates/web/awstats/awstats.tpl @@ -24,7 +24,7 @@ PurgeLogFile=0 ArchiveLogRecords=0 KeepBackupOfHistoricFiles=1 DefaultFile="index.php index.html" -SkipHosts="127.0.0.1 +SkipHosts="127.0.0.1" SkipUserAgents="" SkipFiles="" SkipReferrersBlackList="" diff --git a/install/debian/10/templates/web/nginx/private-hosting.sh b/install/debian/10/templates/web/nginx/private-hosting.sh index abc9155d..eeed37ef 100755 --- a/install/debian/10/templates/web/nginx/private-hosting.sh +++ b/install/debian/10/templates/web/nginx/private-hosting.sh @@ -1,11 +1,11 @@ -#!/bin/bash -# Changing public_html permission -user="$1" -domain="$2" -ip="$3" -home_dir="$4" -docroot="$5" - -chmod 755 $docroot - -exit 0 +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/11/exim/dnsbl.conf b/install/debian/11/exim/dnsbl.conf index 5166b255..279bafcd 100644 --- a/install/debian/11/exim/dnsbl.conf +++ b/install/debian/11/exim/dnsbl.conf @@ -1,2 +1 @@ bl.spamcop.net -zen.spamhaus.org diff --git a/install/debian/11/templates/web/awstats/awstats.tpl b/install/debian/11/templates/web/awstats/awstats.tpl index 9a92e0fd..6bb51c50 100755 --- a/install/debian/11/templates/web/awstats/awstats.tpl +++ b/install/debian/11/templates/web/awstats/awstats.tpl @@ -24,7 +24,7 @@ PurgeLogFile=0 ArchiveLogRecords=0 KeepBackupOfHistoricFiles=1 DefaultFile="index.php index.html" -SkipHosts="127.0.0.1 +SkipHosts="127.0.0.1" SkipUserAgents="" SkipFiles="" SkipReferrersBlackList="" diff --git a/install/debian/11/templates/web/nginx/private-hosting.sh b/install/debian/11/templates/web/nginx/private-hosting.sh index abc9155d..eeed37ef 100755 --- a/install/debian/11/templates/web/nginx/private-hosting.sh +++ b/install/debian/11/templates/web/nginx/private-hosting.sh @@ -1,11 +1,11 @@ -#!/bin/bash -# Changing public_html permission -user="$1" -domain="$2" -ip="$3" -home_dir="$4" -docroot="$5" - -chmod 755 $docroot - -exit 0 +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/12/exim/dnsbl.conf b/install/debian/12/exim/dnsbl.conf index 5166b255..279bafcd 100644 --- a/install/debian/12/exim/dnsbl.conf +++ b/install/debian/12/exim/dnsbl.conf @@ -1,2 +1 @@ bl.spamcop.net -zen.spamhaus.org diff --git a/install/debian/12/exim/exim4.conf.template b/install/debian/12/exim/exim4.conf.template index 81746a7a..15264797 100644 --- a/install/debian/12/exim/exim4.conf.template +++ b/install/debian/12/exim/exim4.conf.template @@ -13,6 +13,8 @@ add_environment=<; PATH=/bin:/usr/bin keep_environment= smtputf8_advertise_hosts = +SRS_SECRET = ${readfile{/etc/exim4/srs.conf}} + #local_interfaces = 0.0.0.0 #smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/exim4/virtual/helo_data}{$value}} #smtp_banner = "$smtp_active_hostname ESMTP $tod_full" @@ -145,6 +147,7 @@ acl_check_rcpt: warn !authenticated = * hosts = !+relay_from_hosts + condition = ${if eq{${lookup{$domain}dsearch{/etc/exim4/domains/}}}{}{false}{true}} condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} set acl_m3 = yes @@ -267,8 +270,11 @@ begin routers dnslookup: driver = dnslookup - domains = !+local_domains - transport = remote_smtp + # if outbound, and forwarding has been done, use an alternate transport + domains = ! +local_domains + transport = ${if eq {$local_part@$domain} \ + {$original_local_part@$original_domain} \ + {remote_smtp} {remote_forwarded_smtp}} no_more localuser_spam: @@ -305,6 +311,23 @@ autoreplay: transport = userautoreply unseen +inbound_srs: + driver = redirect + senders = : + domains = +local_domains + # detect inbound bounces which are converted to SRS, and decode them + condition = ${if inbound_srs {$local_part} {SRS_SECRET}} + data = $srs_recipient + +inbound_srs_failure: + driver = redirect + senders = : + domains = +local_domains + # detect inbound bounces which look converted to SRS but are invalid + condition = ${if inbound_srs {$local_part} {}} + allow_fail + data = :fail: Invalid SRS recipient address + aliases: driver = redirect headers_add = X-redirected: yes @@ -355,6 +378,21 @@ remote_smtp: dkim_strict = 0 hosts_try_fastopen = hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + +remote_forwarded_smtp: + driver = smtp + dkim_domain = DKIM_DOMAIN + dkim_selector = mail + dkim_private_key = DKIM_PRIVATE_KEY + dkim_canon = relaxed + dkim_strict = 0 + hosts_try_fastopen = + hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + # modify the envelope from, for mails that we forward + max_rcpt = 1 + return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}} procmail: driver = pipe diff --git a/install/debian/12/exim/exim4.conf.template.without-srs b/install/debian/12/exim/exim4.conf.template.without-srs new file mode 100644 index 00000000..78eda468 --- /dev/null +++ b/install/debian/12/exim/exim4.conf.template.without-srs @@ -0,0 +1,451 @@ +###################################################################### +# # +# Exim configuration file for Vesta Control Panel # +# # +###################################################################### + +#SPAMASSASSIN = yes +#SPAM_SCORE = 50 +#CLAMD = yes + +disable_ipv6=true +add_environment=<; PATH=/bin:/usr/bin +keep_environment= +smtputf8_advertise_hosts = + +#local_interfaces = 0.0.0.0 +#smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/exim4/virtual/helo_data}{$value}} +#smtp_banner = "$smtp_active_hostname ESMTP $tod_full" + +domainlist local_domains = dsearch;/etc/exim4/domains/ +domainlist relay_to_domains = dsearch;/etc/exim4/domains/ +hostlist relay_from_hosts = 127.0.0.1 +hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf +hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf +no_local_from_check +untrusted_set_sender = * +acl_smtp_connect = acl_check_spammers +acl_smtp_mail = acl_check_mail +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data +acl_smtp_mime = acl_check_mime + +LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS = 15 +LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS = 5 +LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 +LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 + +recipients_max = 150 +recipients_max_reject = true + +# log_selector = +smtp_connection +smtp_accept_max = 50 +smtp_accept_max_per_host = 4 + +.ifdef SPAMASSASSIN +spamd_address = 127.0.0.1 783 +.endif + +.ifdef CLAMD +av_scanner = clamd: /var/run/clamav/clamd.ctl +.endif + +tls_advertise_hosts = * +tls_certificate = /usr/local/vesta/ssl/certificate.crt +tls_privatekey = /usr/local/vesta/ssl/certificate.key + +daemon_smtp_ports = 25 : 465 : 587 : 2525 +tls_on_connect_ports = 465 +never_users = root +host_lookup = * +rfc1413_hosts = * +rfc1413_query_timeout = 0s +ignore_bounce_errors_after = 2d +timeout_frozen_after = 7d + +DKIM_DOMAIN = ${lc:${domain:$h_from:}} +DKIM_FILE = /etc/exim4/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim4/domains/}}/dkim.pem +DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} + + + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### + +acl_not_smtp = acl_not_smtp + +begin acl + +acl_not_smtp: + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_recipients}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Hosting account is sending too much emails [limitlog]: deny / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = yes + + accept + +acl_check_spammers: + accept hosts = +whitelist + + drop message = Your host in blacklist on this server. + log_message = Host in blacklist + hosts = +spammers + + accept + + +acl_check_mail: + deny condition = ${if eq{$sender_helo_name}{}} + message = HELO required before MAIL + + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} + condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} + delay = 45s + + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} + message = Access denied - Invalid HELO name (See RFC2821 4.1.3) + + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} + message = $interface_address is _my_ address + + accept + + +acl_check_rcpt: + accept hosts = : + + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_recipients}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Email account is sending too much emails [limitlog]: deny / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = no + + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if eq{${lookup{$domain}dsearch{/etc/exim4/domains/}}}{}{false}{true}} + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + set acl_m3 = yes + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + require verify = sender + + accept hosts = +relay_from_hosts + control = submission + + accept authenticated = * + control = submission/domain= + + deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + hosts = !+whitelist + dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + deny message = smtp auth requried + sender_domains = +local_domains + !authenticated = * + + require verify = recipient + +.ifdef CLAMD + warn set acl_m0 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}} + set acl_m0 = yes +.endif + +.ifdef SPAMASSASSIN + warn set acl_m1 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}} + set acl_m1 = yes +.endif + + accept + + +acl_check_data: + + deny senders = /etc/exim4/deny_senders + +.ifdef CLAMD + deny message = Message contains a virus ($malware_name) and has been rejected + malware = */defer_ok + condition = ${if eq{$acl_m0}{yes}{yes}{no}} +.endif + +.ifdef SPAMASSASSIN + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if < {$message_size}{600K}} + condition = ${if eq{$acl_m1}{yes}{yes}{no}} + spam = nobody:true/defer_ok + add_header = X-Spam-Score: $spam_score_int + add_header = X-Spam-Bar: $spam_bar + add_header = X-Spam-Report: $spam_report + set acl_m2 = $spam_score_int + + warn condition = ${if !eq{$acl_m2}{} {yes}{no}} + condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}} + add_header = X-Spam-Status: Yes + message = SpamAssassin detected spam (from $sender_address to $recipients). +.endif + + accept + + +acl_check_mime: + deny message = Blacklisted file extension detected + condition = ${if match {${lc:$mime_filename}}{\N(\.ade|\.adp|\.bat|\.chm|\.cmd|\.com|\.cpl|\.exe|\.hta|\.ins|\.isp|\.jse|\.lib|\.lnk|\.mde|\.msc|\.msp|\.mst|\.pif|\.scr|\.sct|\.shb|\.sys|\.vb|\.vbe|\.vbs|\.vxd|\.wsc|\.wsf|\.wsh|\.jar)$\N}{1}{0}} + + accept + + + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### +begin authenticators + +dovecot_plain: + driver = dovecot + public_name = PLAIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + +dovecot_login: + driver = dovecot + public_name = LOGIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + + + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +begin routers + +#smarthost: +# driver = manualroute +# domains = ! +local_domains +# transport = remote_smtp +# route_list = * smartrelay.vestacp.com +# no_more +# no_verify + +dnslookup: + driver = dnslookup + domains = !+local_domains + transport = remote_smtp + no_more + +localuser_spam: + driver = accept + transport = local_spam_delivery + condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}} + +userforward: + driver = redirect + check_local_user + file = $home/.forward + require_files = ${local_part}:+${home}/.forward + domains = +local_domains + allow_filter + no_verify + no_expn + check_ancestor + file_transport = address_file + pipe_transport = address_pipe + reply_transport = address_reply + +procmail: + driver = accept + check_local_user + require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail + transport = procmail + no_verify + +autoreplay: + driver = accept + require_files = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg + condition = ${if exists{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg}{yes}{no}} + retry_use_local_part + transport = userautoreply + unseen + +aliases: + driver = redirect + headers_add = X-redirected: yes + data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + require_files = /etc/exim4/domains/$domain/aliases + redirect_router = dnslookup + pipe_transport = address_pipe + unseen + +localuser_fwd_only: + driver = accept + transport = devnull + condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/fwd_only}{true}{false}}}} + +localuser: + driver = accept + transport = local_delivery + condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{true}{false}} + +catchall: + driver = redirect + headers_add = X-redirected: yes + require_files = /etc/exim4/domains/$domain/aliases + data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + file_transport = local_delivery + redirect_router = dnslookup + +terminate_alias: + driver = accept + transport = devnull + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + + + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +begin transports + +remote_smtp: + driver = smtp + #interface = ${if eq{$acl_m3}{yes}{FIRSTIP}{${lookup{$sender_address_domain}lsearch{/etc/exim4/virtual/interfaces} {$value}{SECONDIP}}}} + #helo_data = "${if eq{$acl_m3}{yes}{FIRSTHOST}{${lookup{$sending_ip_address}lsearch{/etc/exim4/virtual/helo_data}{$value}{SECONDHOST}}}}" + dkim_domain = DKIM_DOMAIN + dkim_selector = mail + dkim_private_key = DKIM_PRIVATE_KEY + dkim_canon = relaxed + dkim_strict = 0 + hosts_try_fastopen = + hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + +procmail: + driver = pipe + command = "/usr/bin/procmail -d $local_part" + return_path_add + delivery_date_add + envelope_to_add + user = $local_part + initgroups + return_output + +local_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_warn_threshold = 75% + +local_spam_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota_warn_threshold = 75% + +address_pipe: + driver = pipe + return_output + +address_file: + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + +address_reply: + driver = autoreply + +userautoreply: + driver = autoreply + file = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}.msg + from = "${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}@${lookup{$domain}dsearch{/etc/exim4/domains/}}" + headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit + subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}" + to = "${sender_address}" + +devnull: + driver = appendfile + file = /dev/null + + + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### +begin retry + +# Address or Domain Error Retries +# ----------------- ----- ------- +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### +begin rewrite + + + +###################################################################### diff --git a/install/debian/12/templates/web/awstats/awstats.tpl b/install/debian/12/templates/web/awstats/awstats.tpl index 9a92e0fd..6bb51c50 100755 --- a/install/debian/12/templates/web/awstats/awstats.tpl +++ b/install/debian/12/templates/web/awstats/awstats.tpl @@ -24,7 +24,7 @@ PurgeLogFile=0 ArchiveLogRecords=0 KeepBackupOfHistoricFiles=1 DefaultFile="index.php index.html" -SkipHosts="127.0.0.1 +SkipHosts="127.0.0.1" SkipUserAgents="" SkipFiles="" SkipReferrersBlackList="" diff --git a/install/debian/12/templates/web/nginx/private-hosting.sh b/install/debian/12/templates/web/nginx/private-hosting.sh index abc9155d..eeed37ef 100755 --- a/install/debian/12/templates/web/nginx/private-hosting.sh +++ b/install/debian/12/templates/web/nginx/private-hosting.sh @@ -1,11 +1,11 @@ -#!/bin/bash -# Changing public_html permission -user="$1" -domain="$2" -ip="$3" -home_dir="$4" -docroot="$5" - -chmod 755 $docroot - -exit 0 +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/13/apache2/apache2.conf b/install/debian/13/apache2/apache2.conf new file mode 100644 index 00000000..2be3e50d --- /dev/null +++ b/install/debian/13/apache2/apache2.conf @@ -0,0 +1,95 @@ +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf.d +# | `-- * + +# Global configuration +PidFile ${APACHE_PID_FILE} +Timeout 900 +ProxyTimeout 900 +KeepAlive Off +MaxKeepAliveRequests 100 +KeepAliveTimeout 10 + + + StartServers 8 + MinSpareServers 5 + MaxSpareServers 20 + ServerLimit 256 + MaxClients 200 + MaxRequestsPerChild 4000 + + + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 200 + MaxRequestsPerChild 4000 + + + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 200 + MaxRequestsPerChild 4000 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} +#User www-data +#Group www-data + +AccessFileName .htaccess + + + Order allow,deny + Deny from all + Satisfy all + + +DefaultType None +HostnameLookups Off + +ErrorLog ${APACHE_LOG_DIR}/error.log +LogLevel warn + +# Include module configuration: +Include mods-enabled/*.load +Include mods-enabled/*.conf + +# Include list of ports to listen on and which to use for name based vhosts +Include ports.conf + +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent +LogFormat "%b" bytes + +Include conf.d/ + +# Include the virtual host configurations: +#Include sites-enabled/ + +ErrorDocument 403 /error/403.html +ErrorDocument 404 /error/404.html +ErrorDocument 500 /error/50x.html +ErrorDocument 501 /error/50x.html +ErrorDocument 502 /error/50x.html +ErrorDocument 503 /error/50x.html +ErrorDocument 506 /error/50x.html diff --git a/install/debian/13/apache2/status.conf b/install/debian/13/apache2/status.conf new file mode 100644 index 00000000..0d82a356 --- /dev/null +++ b/install/debian/13/apache2/status.conf @@ -0,0 +1,8 @@ +Listen 127.0.0.1:8081 + + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + # Allow from all + diff --git a/install/debian/13/bind/named.conf b/install/debian/13/bind/named.conf new file mode 100644 index 00000000..ed6ece88 --- /dev/null +++ b/install/debian/13/bind/named.conf @@ -0,0 +1,12 @@ +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local"; +include "/etc/bind/named.conf.default-zones"; + diff --git a/install/debian/13/clamav/clamd.conf b/install/debian/13/clamav/clamd.conf new file mode 100644 index 00000000..c636b6d3 --- /dev/null +++ b/install/debian/13/clamav/clamd.conf @@ -0,0 +1,61 @@ +#Automatically Generated by clamav-base postinst +#To reconfigure clamd run #dpkg-reconfigure clamav-base +#Please read /usr/share/doc/clamav-base/README.Debian.gz for details +LocalSocket /var/run/clamav/clamd.ctl +FixStaleSocket true +LocalSocketGroup clamav +LocalSocketMode 666 +# TemporaryDirectory is not set to its default /tmp here to make overriding +# the default with environment variables TMPDIR/TMP/TEMP possible +User clamav +# AllowSupplementaryGroups true +ScanMail true +ScanArchive true +ArchiveBlockEncrypted false +MaxDirectoryRecursion 15 +FollowDirectorySymlinks false +FollowFileSymlinks false +ReadTimeout 180 +MaxThreads 12 +MaxConnectionQueueLength 15 +LogSyslog false +LogFacility LOG_LOCAL6 +LogClean true +LogVerbose true +PidFile /var/run/clamav/clamd.pid +DatabaseDirectory /var/lib/clamav +SelfCheck 3600 +Foreground false +Debug false +ScanPE true +ScanOLE2 true +ScanHTML true +ExitOnOOM false +LeaveTemporaryFiles false +AlgorithmicDetection true +ScanELF true +IdleTimeout 30 +PhishingSignatures true +PhishingScanURLs true +PhishingAlwaysBlockSSLMismatch false +PhishingAlwaysBlockCloak false +DetectPUA false +ScanPartialMessages false +HeuristicScanPrecedence false +StructuredDataDetection false +CommandReadTimeout 5 +SendBufTimeout 200 +MaxQueue 100 +ExtendedDetectionInfo true +OLE2BlockMacros false +StreamMaxLength 2M +MaxFileSize 2M +LogFile /var/log/clamav/clamav.log +LogTime true +LogFileUnlock false +LogFileMaxSize 0 +Bytecode true +BytecodeSecurity TrustSigned +BytecodeTimeout 60000 +OfficialDatabaseOnly false +CrossFilesystems true diff --git a/install/debian/13/deb_signing.key b/install/debian/13/deb_signing.key new file mode 100644 index 00000000..d279abbd --- /dev/null +++ b/install/debian/13/deb_signing.key @@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGDsPogBDADT7jiPewIuavqJZJMZ18c+kEC8N+/EK15k9zdBvcluxZ7gb5D6 +sKT3fVmLWD49mux+OoFs8DJH1LkpFe2Ax58NVMgDwCNUtcqeR8eB6nEWpZLjzJhZ +RD5+ZpUaX/emXrr7mxJ1SvT8PgWWerl2ZuPSlpPm4Ls6JO53AvPAsUVgMTHkfHNj +4/GqKtORkanzBwimC0bcB3BBRLH/kiW/TNi3hQnR5GYIaKWrc8oGpHHqX5BNw72O +JTSqTj8OZXKG7US6cXgBQuLN68sKd9TIy2HZdTKlqR1yQyc2BiPwVYDrJemM72VT +kuW0qbsOwji7rG2B6Pg1yggWXpB8Znczzi8AfzoFgXeOTi/hzcaf3YnAxfeL1Ofq +aOW+ReqsF1wxpgVwNj0DVquPTqzd4uCIGNNGGHhlIR434FyA4YNfxK63YxZS5SAR +leQGTUtBRdh1SOKPDZMcSlJ3wEfHKbp72qmnLdqUkGl//FZsCDdPFxx3wDCPPS2e +++g3ImqeaQ553nUAEQEAAbQhbXlWZXN0YSB0ZWFtIDxpbmZvQG15dmVzdGFjcC5j +b20+iQHOBBMBCgA4FiEEDcdTLoRXCPbKaPuqiIB9SyIhM4wFAmDsPogCGwMFCwkI +BwIGFQoJCAsCBBYCAwECHgECF4AACgkQiIB9SyIhM4yADAv+M62/6N+uFx9Izbj5 +HxZCzLEgvlQzdQcLJPDwFWYByVRiQRkRJWt5kqwNpndWoDo5zEtyKn3Yulbj6zyy +UqYhN0ctXyaFjKFIHIqrrz9P9AF2uGr17rTWbnRpjlMSkDSmUGXNEKO7gMtKiTo3 +olWldDELuM0MQddwMGgnqZPb3/Z+om68U1/6NS8A5hAHL+HuwcKGFZpFRJYXSOLY +lIpHyicifvkRAMkPp025Y3Who3EZMWq3Bpo78djtxfA4CoUn+OH64Hn0llkJ3vU6 +bM+KuC2ZrkHrzcqZbPbYnmEmVD1rkxVoOgzqE76fAY2I6YFY09uhdg0FbZeeMjA+ +DReBwINRFYsk6/maY7Zc82clfc7+vr3xmR+f+KEiUCU4mI72PnlU9LT9RuoCkKbo +znUZo+Xj6ezM6lCKGnOmqhvQmWR+hdsn1zX1ufxPA5uQyeFfR5VpAjvDOFykPA93 +3Et0ZdrKB2U6jjlGzWhsCkYphF7M0DVIRPOm1xLUJvLx+zB+uQGNBGDsPogBDADG +rJuQBsLJ6MWAGLydwaIBttwG3GOysSsQ1P09mbeOqiyCaWfEladePorTpKsbOHA/ +USAfjN8Eik81Un1Kik6rYU8ieGERKpCMiBkcNLQH/DnYyCNT5oaGqXtIQ+5GNn71 +mt7sLmf0yL3C320RJa8KSP+rAaey4ttLyl7rM1q8RPmlsRSxVjeiMw01i6cXmA1G +EJDuRbXdzDuo5utHDBMHgN0T0g8kgoTX9G2uwUTnJm9qzW2Lg3d4xoe2+H5/86Qm +0lVl5vLSMEPl01NcoTVgQpGO/yR3nJ4ubMkkbzCM0e0MByHqOKJ2LfW77BcvcoXg +coa7tF+6DZBB4UGyb1VuSZJoVOYN2tnSj2/taPk0yHJf/tLvNm/hVHEvXNXk09hy +fne0FZmHKwwp0TGSC8tzsHPRSbIOazifIC8pdN4fPTQyfI9tKxi26opCIAHHkcTr +7VOUvUNyAGVB9TU/nmzpvkv8BLCKSQM1FxUQ0owgFtrtIoMVxkYG5hb6EjAHyUcA +EQEAAYkBtgQYAQoAIBYhBA3HUy6EVwj2ymj7qoiAfUsiITOMBQJg7D6IAhsMAAoJ +EIiAfUsiITOMR40MALn5sqKFZ9FMe7982XMamanjPqO3Odi5/9rUXYKbJGjsaSof +lSC3OtqnRTVGE6KEuYErCKCpAk2ZvEf5eQHi264fC255zuxWihdcEQpiPK1DdlN3 +m9JNp/4Pns38Nn/zG3cFQuDEvDsC75xmxN7pi+ZkokodwA0PgaiMVh5mSos+Mc/G +fLcEes21xVk2DQ3Vw6p1P/39uujBPZ3J2unWBqv0rCFEpwgXm/d80Y0x31tq0ToZ +hf1r/GcoB6rC3sSAtUykrTZUaRv57BouvnAP9zfFlFSrYpJZ5L9/IawBH+O9yUu2 +N1jGq9eJ/RwHG1lKUBJd6wCWz1ZKzxnaoH9CfRC/aG9vRQWLSjiHCl2cnNDxElKx +JOT7RUjxlri4zvxdum49Vr8iEpjUFXzhRYq79SsmqkLuXZYQnccNFAdde8ZcPpKA +zhfavTutAPNJRyg9hbwxQYUH6N1i5J7ZZsqHB/GIBaSReXroacHjFYcU6uiBt/da +qiC8NLvRaE3PVkma9Q== +=RAbI +-----END PGP PUBLIC KEY BLOCK----- diff --git a/install/debian/13/dovecot/conf.d/10-auth.conf b/install/debian/13/dovecot/conf.d/10-auth.conf new file mode 100644 index 00000000..dfcc8311 --- /dev/null +++ b/install/debian/13/dovecot/conf.d/10-auth.conf @@ -0,0 +1,4 @@ +disable_plaintext_auth = no +auth_verbose = yes +auth_mechanisms = plain login +!include auth-passwdfile.conf.ext diff --git a/install/debian/13/dovecot/conf.d/10-logging.conf b/install/debian/13/dovecot/conf.d/10-logging.conf new file mode 100644 index 00000000..a5f207d5 --- /dev/null +++ b/install/debian/13/dovecot/conf.d/10-logging.conf @@ -0,0 +1 @@ +log_path = /var/log/dovecot.log diff --git a/install/debian/13/dovecot/conf.d/10-mail.conf b/install/debian/13/dovecot/conf.d/10-mail.conf new file mode 100644 index 00000000..55313419 --- /dev/null +++ b/install/debian/13/dovecot/conf.d/10-mail.conf @@ -0,0 +1,4 @@ +mail_privileged_group = mail +mail_access_groups = mail +mail_location = maildir:%h/mail/%d/%n +pop3_uidl_format = %08Xu%08Xv diff --git a/install/debian/13/dovecot/conf.d/10-master.conf b/install/debian/13/dovecot/conf.d/10-master.conf new file mode 100644 index 00000000..a75a9aaa --- /dev/null +++ b/install/debian/13/dovecot/conf.d/10-master.conf @@ -0,0 +1,29 @@ +service imap-login { + inet_listener imap { + } + inet_listener imaps { + } +} + +service pop3-login { + inet_listener pop3 { + } + inet_listener pop3s { + } +} + + +service imap { +} + +service pop3 { +} + +service auth { + unix_listener auth-client { + group = mail + mode = 0660 + user = dovecot + } + user = dovecot +} diff --git a/install/debian/13/dovecot/conf.d/10-ssl.conf b/install/debian/13/dovecot/conf.d/10-ssl.conf new file mode 100644 index 00000000..3aaff6ee --- /dev/null +++ b/install/debian/13/dovecot/conf.d/10-ssl.conf @@ -0,0 +1,3 @@ +ssl = yes +ssl_cert = = 2.1.4) : %v.%u + # Dovecot v0.99.x : %v.%u + # tpop3d : %Mf + # + # Note that Outlook 2003 seems to have problems with %v.%u format which was + # Dovecot's default, so if you're building a new server it would be a good + # idea to change this. %08Xu%08Xv should be pretty fail-safe. + # + #pop3_uidl_format = %08Xu%08Xv + + # Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes + # won't change those UIDLs. Currently this works only with Maildir. + #pop3_save_uidl = no + + # What to do about duplicate UIDLs if they exist? + # allow: Show duplicates to clients. + # rename: Append a temporary -2, -3, etc. counter after the UIDL. + #pop3_uidl_duplicates = allow + + # POP3 logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + # %t - number of TOP commands + # %p - number of bytes sent to client as a result of TOP command + # %r - number of RETR commands + # %b - number of bytes sent to client as a result of RETR command + # %d - number of deleted messages + # %m - number of messages (before deletion) + # %s - mailbox size in bytes (before deletion) + # %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly + #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s + + # Maximum number of POP3 connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + mail_max_userip_connections = 50 + + # Space separated list of plugins to load (default is global mail_plugins). + #mail_plugins = $mail_plugins + + # Workarounds for various client bugs: + # outlook-no-nuls: + # Outlook and Outlook Express hang if mails contain NUL characters. + # This setting replaces them with 0x80 character. + # oe-ns-eoh: + # Outlook Express and Netscape Mail breaks if end of headers-line is + # missing. This option simply sends it if it's missing. + # The list is space-separated. + #pop3_client_workarounds = +} diff --git a/install/debian/13/dovecot/conf.d/auth-passwdfile.conf.ext b/install/debian/13/dovecot/conf.d/auth-passwdfile.conf.ext new file mode 100644 index 00000000..75e6e115 --- /dev/null +++ b/install/debian/13/dovecot/conf.d/auth-passwdfile.conf.ext @@ -0,0 +1,9 @@ +passdb { + driver = passwd-file + args = scheme=MD5-CRYPT username_format=%n /etc/exim4/domains/%d/passwd +} + +userdb { + driver = passwd-file + args = username_format=%n /etc/exim4/domains/%d/passwd +} diff --git a/install/debian/13/dovecot/dovecot.conf b/install/debian/13/dovecot/dovecot.conf new file mode 100644 index 00000000..0a855351 --- /dev/null +++ b/install/debian/13/dovecot/dovecot.conf @@ -0,0 +1,4 @@ +protocols = imap pop3 +listen = *, :: +base_dir = /var/run/dovecot/ +!include conf.d/*.conf diff --git a/install/debian/13/exim/deny_senders b/install/debian/13/exim/deny_senders new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/install/debian/13/exim/deny_senders @@ -0,0 +1 @@ + diff --git a/install/debian/13/exim/dnsbl.conf b/install/debian/13/exim/dnsbl.conf new file mode 100644 index 00000000..279bafcd --- /dev/null +++ b/install/debian/13/exim/dnsbl.conf @@ -0,0 +1 @@ +bl.spamcop.net diff --git a/install/debian/13/exim/exim4.conf.template b/install/debian/13/exim/exim4.conf.template new file mode 100644 index 00000000..15264797 --- /dev/null +++ b/install/debian/13/exim/exim4.conf.template @@ -0,0 +1,487 @@ +###################################################################### +# # +# Exim configuration file for Vesta Control Panel # +# # +###################################################################### + +#SPAMASSASSIN = yes +#SPAM_SCORE = 50 +#CLAMD = yes + +disable_ipv6=true +add_environment=<; PATH=/bin:/usr/bin +keep_environment= +smtputf8_advertise_hosts = + +SRS_SECRET = ${readfile{/etc/exim4/srs.conf}} + +#local_interfaces = 0.0.0.0 +#smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/exim4/virtual/helo_data}{$value}} +#smtp_banner = "$smtp_active_hostname ESMTP $tod_full" + +domainlist local_domains = dsearch;/etc/exim4/domains/ +domainlist relay_to_domains = dsearch;/etc/exim4/domains/ +hostlist relay_from_hosts = 127.0.0.1 +hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf +hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf +no_local_from_check +untrusted_set_sender = * +acl_smtp_connect = acl_check_spammers +acl_smtp_mail = acl_check_mail +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data +acl_smtp_mime = acl_check_mime + +LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS = 15 +LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS = 5 +LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 +LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 + +recipients_max = 150 +recipients_max_reject = true + +# log_selector = +smtp_connection +smtp_accept_max = 50 +smtp_accept_max_per_host = 4 + +.ifdef SPAMASSASSIN +spamd_address = 127.0.0.1 783 +.endif + +.ifdef CLAMD +av_scanner = clamd: /var/run/clamav/clamd.ctl +.endif + +tls_advertise_hosts = * +tls_certificate = /usr/local/vesta/ssl/certificate.crt +tls_privatekey = /usr/local/vesta/ssl/certificate.key + +daemon_smtp_ports = 25 : 465 : 587 : 2525 +tls_on_connect_ports = 465 +never_users = root +host_lookup = * +rfc1413_hosts = * +rfc1413_query_timeout = 0s +ignore_bounce_errors_after = 2d +timeout_frozen_after = 7d + +DKIM_DOMAIN = ${lc:${domain:$h_from:}} +DKIM_FILE = /etc/exim4/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim4/domains/}}/dkim.pem +DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} + + + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### + +acl_not_smtp = acl_not_smtp + +begin acl + +acl_not_smtp: + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_recipients}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Hosting account is sending too much emails [limitlog]: deny / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = yes + + accept + +acl_check_spammers: + accept hosts = +whitelist + + drop message = Your host in blacklist on this server. + log_message = Host in blacklist + hosts = +spammers + + accept + + +acl_check_mail: + deny condition = ${if eq{$sender_helo_name}{}} + message = HELO required before MAIL + + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} + condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} + delay = 45s + + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} + message = Access denied - Invalid HELO name (See RFC2821 4.1.3) + + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} + message = $interface_address is _my_ address + + accept + + +acl_check_rcpt: + accept hosts = : + + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_recipients}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Email account is sending too much emails [limitlog]: deny / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = no + + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if eq{${lookup{$domain}dsearch{/etc/exim4/domains/}}}{}{false}{true}} + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + set acl_m3 = yes + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + require verify = sender + + accept hosts = +relay_from_hosts + control = submission + + accept authenticated = * + control = submission/domain= + + deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + hosts = !+whitelist + dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + deny message = smtp auth requried + sender_domains = +local_domains + !authenticated = * + + require verify = recipient + +.ifdef CLAMD + warn set acl_m0 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}} + set acl_m0 = yes +.endif + +.ifdef SPAMASSASSIN + warn set acl_m1 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}} + set acl_m1 = yes +.endif + + accept + + +acl_check_data: + + deny senders = /etc/exim4/deny_senders + +.ifdef CLAMD + deny message = Message contains a virus ($malware_name) and has been rejected + malware = */defer_ok + condition = ${if eq{$acl_m0}{yes}{yes}{no}} +.endif + +.ifdef SPAMASSASSIN + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if < {$message_size}{600K}} + condition = ${if eq{$acl_m1}{yes}{yes}{no}} + spam = nobody:true/defer_ok + add_header = X-Spam-Score: $spam_score_int + add_header = X-Spam-Bar: $spam_bar + add_header = X-Spam-Report: $spam_report + set acl_m2 = $spam_score_int + + warn condition = ${if !eq{$acl_m2}{} {yes}{no}} + condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}} + add_header = X-Spam-Status: Yes + message = SpamAssassin detected spam (from $sender_address to $recipients). +.endif + + accept + + +acl_check_mime: + deny message = Blacklisted file extension detected + condition = ${if match {${lc:$mime_filename}}{\N(\.ade|\.adp|\.bat|\.chm|\.cmd|\.com|\.cpl|\.exe|\.hta|\.ins|\.isp|\.jse|\.lib|\.lnk|\.mde|\.msc|\.msp|\.mst|\.pif|\.scr|\.sct|\.shb|\.sys|\.vb|\.vbe|\.vbs|\.vxd|\.wsc|\.wsf|\.wsh|\.jar)$\N}{1}{0}} + + accept + + + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### +begin authenticators + +dovecot_plain: + driver = dovecot + public_name = PLAIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + +dovecot_login: + driver = dovecot + public_name = LOGIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + + + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +begin routers + +#smarthost: +# driver = manualroute +# domains = ! +local_domains +# transport = remote_smtp +# route_list = * smartrelay.vestacp.com +# no_more +# no_verify + +dnslookup: + driver = dnslookup + # if outbound, and forwarding has been done, use an alternate transport + domains = ! +local_domains + transport = ${if eq {$local_part@$domain} \ + {$original_local_part@$original_domain} \ + {remote_smtp} {remote_forwarded_smtp}} + no_more + +localuser_spam: + driver = accept + transport = local_spam_delivery + condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}} + +userforward: + driver = redirect + check_local_user + file = $home/.forward + require_files = ${local_part}:+${home}/.forward + domains = +local_domains + allow_filter + no_verify + no_expn + check_ancestor + file_transport = address_file + pipe_transport = address_pipe + reply_transport = address_reply + +procmail: + driver = accept + check_local_user + require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail + transport = procmail + no_verify + +autoreplay: + driver = accept + require_files = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg + condition = ${if exists{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg}{yes}{no}} + retry_use_local_part + transport = userautoreply + unseen + +inbound_srs: + driver = redirect + senders = : + domains = +local_domains + # detect inbound bounces which are converted to SRS, and decode them + condition = ${if inbound_srs {$local_part} {SRS_SECRET}} + data = $srs_recipient + +inbound_srs_failure: + driver = redirect + senders = : + domains = +local_domains + # detect inbound bounces which look converted to SRS but are invalid + condition = ${if inbound_srs {$local_part} {}} + allow_fail + data = :fail: Invalid SRS recipient address + +aliases: + driver = redirect + headers_add = X-redirected: yes + data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + require_files = /etc/exim4/domains/$domain/aliases + redirect_router = dnslookup + pipe_transport = address_pipe + unseen + +localuser_fwd_only: + driver = accept + transport = devnull + condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/fwd_only}{true}{false}}}} + +localuser: + driver = accept + transport = local_delivery + condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{true}{false}} + +catchall: + driver = redirect + headers_add = X-redirected: yes + require_files = /etc/exim4/domains/$domain/aliases + data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + file_transport = local_delivery + redirect_router = dnslookup + +terminate_alias: + driver = accept + transport = devnull + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + + + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +begin transports + +remote_smtp: + driver = smtp + #interface = ${if eq{$acl_m3}{yes}{FIRSTIP}{${lookup{$sender_address_domain}lsearch{/etc/exim4/virtual/interfaces} {$value}{SECONDIP}}}} + #helo_data = "${if eq{$acl_m3}{yes}{FIRSTHOST}{${lookup{$sending_ip_address}lsearch{/etc/exim4/virtual/helo_data}{$value}{SECONDHOST}}}}" + dkim_domain = DKIM_DOMAIN + dkim_selector = mail + dkim_private_key = DKIM_PRIVATE_KEY + dkim_canon = relaxed + dkim_strict = 0 + hosts_try_fastopen = + hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + +remote_forwarded_smtp: + driver = smtp + dkim_domain = DKIM_DOMAIN + dkim_selector = mail + dkim_private_key = DKIM_PRIVATE_KEY + dkim_canon = relaxed + dkim_strict = 0 + hosts_try_fastopen = + hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + # modify the envelope from, for mails that we forward + max_rcpt = 1 + return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}} + +procmail: + driver = pipe + command = "/usr/bin/procmail -d $local_part" + return_path_add + delivery_date_add + envelope_to_add + user = $local_part + initgroups + return_output + +local_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_warn_threshold = 75% + +local_spam_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota_warn_threshold = 75% + +address_pipe: + driver = pipe + return_output + +address_file: + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + +address_reply: + driver = autoreply + +userautoreply: + driver = autoreply + file = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}.msg + from = "${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}@${lookup{$domain}dsearch{/etc/exim4/domains/}}" + headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit + subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}" + to = "${sender_address}" + +devnull: + driver = appendfile + file = /dev/null + + + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### +begin retry + +# Address or Domain Error Retries +# ----------------- ----- ------- +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### +begin rewrite + + + +###################################################################### diff --git a/install/debian/13/exim/exim4.conf.template.without-srs b/install/debian/13/exim/exim4.conf.template.without-srs new file mode 100644 index 00000000..78eda468 --- /dev/null +++ b/install/debian/13/exim/exim4.conf.template.without-srs @@ -0,0 +1,451 @@ +###################################################################### +# # +# Exim configuration file for Vesta Control Panel # +# # +###################################################################### + +#SPAMASSASSIN = yes +#SPAM_SCORE = 50 +#CLAMD = yes + +disable_ipv6=true +add_environment=<; PATH=/bin:/usr/bin +keep_environment= +smtputf8_advertise_hosts = + +#local_interfaces = 0.0.0.0 +#smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/exim4/virtual/helo_data}{$value}} +#smtp_banner = "$smtp_active_hostname ESMTP $tod_full" + +domainlist local_domains = dsearch;/etc/exim4/domains/ +domainlist relay_to_domains = dsearch;/etc/exim4/domains/ +hostlist relay_from_hosts = 127.0.0.1 +hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf +hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf +no_local_from_check +untrusted_set_sender = * +acl_smtp_connect = acl_check_spammers +acl_smtp_mail = acl_check_mail +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data +acl_smtp_mime = acl_check_mime + +LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS = 15 +LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS = 5 +LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 +LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR = 40 + +recipients_max = 150 +recipients_max_reject = true + +# log_selector = +smtp_connection +smtp_accept_max = 50 +smtp_accept_max_per_host = 4 + +.ifdef SPAMASSASSIN +spamd_address = 127.0.0.1 783 +.endif + +.ifdef CLAMD +av_scanner = clamd: /var/run/clamav/clamd.ctl +.endif + +tls_advertise_hosts = * +tls_certificate = /usr/local/vesta/ssl/certificate.crt +tls_privatekey = /usr/local/vesta/ssl/certificate.key + +daemon_smtp_ports = 25 : 465 : 587 : 2525 +tls_on_connect_ports = 465 +never_users = root +host_lookup = * +rfc1413_hosts = * +rfc1413_query_timeout = 0s +ignore_bounce_errors_after = 2d +timeout_frozen_after = 7d + +DKIM_DOMAIN = ${lc:${domain:$h_from:}} +DKIM_FILE = /etc/exim4/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim4/domains/}}/dkim.pem +DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} + + + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### + +acl_not_smtp = acl_not_smtp + +begin acl + +acl_not_smtp: + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_recipients}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Hosting account is sending too much emails [limitlog]: deny / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_hosting_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_HOSTING_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = yes + + accept + +acl_check_spammers: + accept hosts = +whitelist + + drop message = Your host in blacklist on this server. + log_message = Host in blacklist + hosts = +spammers + + accept + + +acl_check_mail: + deny condition = ${if eq{$sender_helo_name}{}} + message = HELO required before MAIL + + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} + condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} + delay = 45s + + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} + message = Access denied - Invalid HELO name (See RFC2821 4.1.3) + + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} + message = $interface_address is _my_ address + + accept + + +acl_check_rcpt: + accept hosts = : + + deny message = Too many recipients, limit is $acl_c_max_recipients recipients + set acl_c_max_recipients=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_recipients}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_RECIPIENTS}} + condition = ${if >{$rcpt_count}{$acl_c_max_recipients}} + + deny message = Email account is sending too much emails [limitlog]: deny / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + ratelimit = $acl_c_limit_per_hour / 1h / $authenticated_id + + warn ratelimit = 0 / 1h / strict / $authenticated_id + set acl_c_limit_per_hour=${lookup{$authenticated_id}lsearch{/etc/exim4/limit_per_email_account_max_sent_emails_per_hour}{$value}{LIMIT_PER_EMAIL_ACCOUNT_MAX_SENT_EMAILS_PER_HOUR}} + log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period [limit=$acl_c_limit_per_hour] + + warn set acl_m3 = no + + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if eq{${lookup{$domain}dsearch{/etc/exim4/domains/}}}{}{false}{true}} + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + set acl_m3 = yes + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + require verify = sender + + accept hosts = +relay_from_hosts + control = submission + + accept authenticated = * + control = submission/domain= + + deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + hosts = !+whitelist + dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + deny message = smtp auth requried + sender_domains = +local_domains + !authenticated = * + + require verify = recipient + +.ifdef CLAMD + warn set acl_m0 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}} + set acl_m0 = yes +.endif + +.ifdef SPAMASSASSIN + warn set acl_m1 = no + + warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}} + set acl_m1 = yes +.endif + + accept + + +acl_check_data: + + deny senders = /etc/exim4/deny_senders + +.ifdef CLAMD + deny message = Message contains a virus ($malware_name) and has been rejected + malware = */defer_ok + condition = ${if eq{$acl_m0}{yes}{yes}{no}} +.endif + +.ifdef SPAMASSASSIN + warn !authenticated = * + hosts = !+relay_from_hosts + condition = ${if < {$message_size}{600K}} + condition = ${if eq{$acl_m1}{yes}{yes}{no}} + spam = nobody:true/defer_ok + add_header = X-Spam-Score: $spam_score_int + add_header = X-Spam-Bar: $spam_bar + add_header = X-Spam-Report: $spam_report + set acl_m2 = $spam_score_int + + warn condition = ${if !eq{$acl_m2}{} {yes}{no}} + condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}} + add_header = X-Spam-Status: Yes + message = SpamAssassin detected spam (from $sender_address to $recipients). +.endif + + accept + + +acl_check_mime: + deny message = Blacklisted file extension detected + condition = ${if match {${lc:$mime_filename}}{\N(\.ade|\.adp|\.bat|\.chm|\.cmd|\.com|\.cpl|\.exe|\.hta|\.ins|\.isp|\.jse|\.lib|\.lnk|\.mde|\.msc|\.msp|\.mst|\.pif|\.scr|\.sct|\.shb|\.sys|\.vb|\.vbe|\.vbs|\.vxd|\.wsc|\.wsf|\.wsh|\.jar)$\N}{1}{0}} + + accept + + + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### +begin authenticators + +dovecot_plain: + driver = dovecot + public_name = PLAIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + +dovecot_login: + driver = dovecot + public_name = LOGIN + server_socket = /var/run/dovecot/auth-client + server_set_id = $auth1 + + + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +begin routers + +#smarthost: +# driver = manualroute +# domains = ! +local_domains +# transport = remote_smtp +# route_list = * smartrelay.vestacp.com +# no_more +# no_verify + +dnslookup: + driver = dnslookup + domains = !+local_domains + transport = remote_smtp + no_more + +localuser_spam: + driver = accept + transport = local_spam_delivery + condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}} + +userforward: + driver = redirect + check_local_user + file = $home/.forward + require_files = ${local_part}:+${home}/.forward + domains = +local_domains + allow_filter + no_verify + no_expn + check_ancestor + file_transport = address_file + pipe_transport = address_pipe + reply_transport = address_reply + +procmail: + driver = accept + check_local_user + require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail + transport = procmail + no_verify + +autoreplay: + driver = accept + require_files = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg + condition = ${if exists{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg}{yes}{no}} + retry_use_local_part + transport = userautoreply + unseen + +aliases: + driver = redirect + headers_add = X-redirected: yes + data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + require_files = /etc/exim4/domains/$domain/aliases + redirect_router = dnslookup + pipe_transport = address_pipe + unseen + +localuser_fwd_only: + driver = accept + transport = devnull + condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/fwd_only}{true}{false}}}} + +localuser: + driver = accept + transport = local_delivery + condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{true}{false}} + +catchall: + driver = redirect + headers_add = X-redirected: yes + require_files = /etc/exim4/domains/$domain/aliases + data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}} + file_transport = local_delivery + redirect_router = dnslookup + +terminate_alias: + driver = accept + transport = devnull + condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}} + + + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +begin transports + +remote_smtp: + driver = smtp + #interface = ${if eq{$acl_m3}{yes}{FIRSTIP}{${lookup{$sender_address_domain}lsearch{/etc/exim4/virtual/interfaces} {$value}{SECONDIP}}}} + #helo_data = "${if eq{$acl_m3}{yes}{FIRSTHOST}{${lookup{$sending_ip_address}lsearch{/etc/exim4/virtual/helo_data}{$value}{SECONDHOST}}}}" + dkim_domain = DKIM_DOMAIN + dkim_selector = mail + dkim_private_key = DKIM_PRIVATE_KEY + dkim_canon = relaxed + dkim_strict = 0 + hosts_try_fastopen = + hosts_try_chunking = !93.188.3.0/24 + message_linelength_limit = 1G + +procmail: + driver = pipe + command = "/usr/bin/procmail -d $local_part" + return_path_add + delivery_date_add + envelope_to_add + user = $local_part + initgroups + return_output + +local_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_warn_threshold = 75% + +local_spam_delivery: + driver = appendfile + maildir_format + maildir_use_size_file + user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} + group = mail + create_directory + directory_mode = 770 + mode = 660 + use_lockfile = no + delivery_date_add + envelope_to_add + return_path_add + directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam" + quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M + quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}" + quota_warn_threshold = 75% + +address_pipe: + driver = pipe + return_output + +address_file: + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + +address_reply: + driver = autoreply + +userautoreply: + driver = autoreply + file = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}.msg + from = "${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}@${lookup{$domain}dsearch{/etc/exim4/domains/}}" + headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit + subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}" + to = "${sender_address}" + +devnull: + driver = appendfile + file = /dev/null + + + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### +begin retry + +# Address or Domain Error Retries +# ----------------- ----- ------- +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### +begin rewrite + + + +###################################################################### diff --git a/install/debian/13/exim/spam-blocks.conf b/install/debian/13/exim/spam-blocks.conf new file mode 100644 index 00000000..e69de29b diff --git a/install/debian/13/fail2ban/action.d/vesta.conf b/install/debian/13/fail2ban/action.d/vesta.conf new file mode 100644 index 00000000..0edfc349 --- /dev/null +++ b/install/debian/13/fail2ban/action.d/vesta.conf @@ -0,0 +1,9 @@ +# Fail2Ban configuration file for vesta + +[Definition] + +actionstart = /usr/local/vesta/bin/v-add-firewall-chain +actionstop = /usr/local/vesta/bin/v-delete-firewall-chain +actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-[ \t]' +actionban = /usr/local/vesta/bin/v-add-firewall-ban +actionunban = /usr/local/vesta/bin/v-delete-firewall-ban diff --git a/install/debian/13/fail2ban/filter.d/vesta.conf b/install/debian/13/fail2ban/filter.d/vesta.conf new file mode 100644 index 00000000..36ec1001 --- /dev/null +++ b/install/debian/13/fail2ban/filter.d/vesta.conf @@ -0,0 +1,10 @@ +# Fail2Ban filter for unsuccessful Vesta authentication attempts +# + +[INCLUDES] +before = common.conf + +[Definition] +failregex = .* failed to login +ignoreregex = + diff --git a/install/debian/13/fail2ban/jail.local b/install/debian/13/fail2ban/jail.local new file mode 100644 index 00000000..eccea068 --- /dev/null +++ b/install/debian/13/fail2ban/jail.local @@ -0,0 +1,39 @@ +[ssh-iptables] +enabled = true +filter = sshd +action = vesta[name=SSH] +logpath = /var/log/auth.log +maxretry = 5 + +[vsftpd-iptables] +enabled = false +filter = vsftpd +action = vesta[name=FTP] +logpath = /var/log/vsftpd.log +maxretry = 5 + +[exim-iptables] +enabled = true +filter = exim +action = vesta[name=MAIL] +logpath = /var/log/exim4/mainlog + +[dovecot-iptables] +enabled = true +filter = dovecot +action = vesta[name=MAIL] +logpath = /var/log/dovecot.log + +[mysqld-iptables] +enabled = false +filter = mysqld-auth +action = vesta[name=DB] +logpath = /var/log/mysql.log +maxretry = 5 + +[vesta-iptables] +enabled = true +filter = vesta +action = vesta[name=VESTA] +logpath = /var/log/vesta/auth.log +maxretry = 5 diff --git a/install/debian/13/firewall/ports.conf b/install/debian/13/firewall/ports.conf new file mode 100644 index 00000000..b730d012 --- /dev/null +++ b/install/debian/13/firewall/ports.conf @@ -0,0 +1,17 @@ +PROTOCOL='TCP' PORT='20' +PROTOCOL='TCP' PORT='21' +PROTOCOL='TCP' PORT='22' +PROTOCOL='TCP' PORT='25' +PROTOCOL='TCP' PORT='53' +PROTOCOL='UDP' PORT='53' +PROTOCOL='TCP' PORT='80' +PROTOCOL='TCP' PORT='443' +PROTOCOL='TCP' PORT='110' +PROTOCOL='UDP' PORT='123' +PROTOCOL='TCP' PORT='143' +PROTOCOL='TCP' PORT='3306' +PROTOCOL='TCP' PORT='5432' +PROTOCOL='TCP' PORT='8080' +PROTOCOL='TCP' PORT='8433' +PROTOCOL='TCP' PORT='8083' +PROTOCOL='TCP' PORT='12000:12100' diff --git a/install/debian/13/firewall/rules.conf b/install/debian/13/firewall/rules.conf new file mode 100644 index 00000000..6da5a1c4 --- /dev/null +++ b/install/debian/13/firewall/rules.conf @@ -0,0 +1,11 @@ +RULE='1' ACTION='ACCEPT' PROTOCOL='ICMP' PORT='0' IP='0.0.0.0/0' COMMENT='PING' SUSPENDED='no' TIME='17:13:48' DATE='2014-09-16' +RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='3306,5432' IP='0.0.0.0/0' COMMENT='DB' SUSPENDED='yes' TIME='07:40:16' DATE='2014-05-25' +RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='143,993' IP='0.0.0.0/0' COMMENT='IMAP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='5' ACTION='ACCEPT' PROTOCOL='TCP' PORT='110,995' IP='0.0.0.0/0' COMMENT='POP3' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='6' ACTION='ACCEPT' PROTOCOL='TCP' PORT='25,465,587,2525' IP='0.0.0.0/0' COMMENT='SMTP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='7' ACTION='ACCEPT' PROTOCOL='TCP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='8' ACTION='ACCEPT' PROTOCOL='UDP' PORT='53' IP='0.0.0.0/0' COMMENT='DNS' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='9' ACTION='ACCEPT' PROTOCOL='TCP' PORT='21,12000-12100' IP='0.0.0.0/0' COMMENT='FTP' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25' +RULE='10' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='no' TIME='17:04:27' DATE='2014-09-24' +RULE='11' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no' TIME='17:14:41' DATE='2014-09-16' diff --git a/install/debian/13/logrotate/apache2 b/install/debian/13/logrotate/apache2 new file mode 100644 index 00000000..27629d0d --- /dev/null +++ b/install/debian/13/logrotate/apache2 @@ -0,0 +1,19 @@ +/var/log/apache2/*.log /var/log/apache2/domains/*log { + weekly + missingok + rotate 52 + compress + delaycompress + notifempty + create 640 root adm + sharedscripts + postrotate + /etc/init.d/apache2 reload > /dev/null || true + [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid` + endscript + prerotate + if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ + run-parts /etc/logrotate.d/httpd-prerotate; \ + fi; \ + endscript +} diff --git a/install/debian/13/logrotate/dovecot b/install/debian/13/logrotate/dovecot new file mode 100644 index 00000000..ac4fd6e9 --- /dev/null +++ b/install/debian/13/logrotate/dovecot @@ -0,0 +1,12 @@ +/var/log/dovecot*.log { + weekly + rotate 4 + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + doveadm log reopen + endscript +} diff --git a/install/debian/13/logrotate/nginx b/install/debian/13/logrotate/nginx new file mode 100644 index 00000000..d667f213 --- /dev/null +++ b/install/debian/13/logrotate/nginx @@ -0,0 +1,13 @@ +/var/log/nginx/*log /var/log/nginx/domains/*log { + daily + missingok + rotate 52 + compress + delaycompress + notifempty + create 640 nginx adm + sharedscripts + postrotate + [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid` + endscript +} diff --git a/install/debian/13/logrotate/vesta b/install/debian/13/logrotate/vesta new file mode 100644 index 00000000..027a3439 --- /dev/null +++ b/install/debian/13/logrotate/vesta @@ -0,0 +1,7 @@ +/usr/local/vesta/log/*.log { + missingok + notifempty + size 30k + yearly + create 0600 root root +} diff --git a/install/debian/13/mysql/my-large.cnf b/install/debian/13/mysql/my-large.cnf new file mode 100644 index 00000000..b056c316 --- /dev/null +++ b/install/debian/13/mysql/my-large.cnf @@ -0,0 +1,51 @@ +[client] +default-character-set=utf8mb4 +port=3306 +socket=/var/run/mysqld/mysqld.sock + +[mysqld_safe] +socket=/var/run/mysqld/mysqld.sock + +[mysql] +default-character-set=utf8mb4 + +[mysqld] +collation-server = utf8mb4_unicode_520_ci +init-connect='SET NAMES utf8mb4' +character-set-server = utf8mb4 +user=mysql +pid-file=/var/run/mysqld/mysqld.pid +socket=/var/run/mysqld/mysqld.sock +port=3306 +basedir=/usr +datadir=/var/lib/mysql +tmpdir=/tmp +lc-messages-dir=/usr/share/mysql +log_error=/var/log/mysql/error.log + +symbolic-links=0 + +skip-external-locking +key_buffer_size = 256M +max_allowed_packet = 32M +table_open_cache = 256 +sort_buffer_size = 1M +read_buffer_size = 1M +read_rnd_buffer_size = 4M +myisam_sort_buffer_size = 64M +thread_cache_size = 8 +query_cache_size= 16M +thread_concurrency = 8 + +#innodb_use_native_aio = 0 +innodb_file_per_table + +max_connections=200 +max_user_connections=50 +wait_timeout=10 +interactive_timeout=50 +long_query_time=5 + +sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + +!includedir /etc/mysql/conf.d/ diff --git a/install/debian/13/mysql/my-medium.cnf b/install/debian/13/mysql/my-medium.cnf new file mode 100644 index 00000000..33aa04c2 --- /dev/null +++ b/install/debian/13/mysql/my-medium.cnf @@ -0,0 +1,49 @@ +[client] +default-character-set=utf8mb4 +port=3306 +socket=/var/run/mysqld/mysqld.sock + +[mysqld_safe] +socket=/var/run/mysqld/mysqld.sock + +[mysql] +default-character-set=utf8mb4 + +[mysqld] +collation-server = utf8mb4_unicode_520_ci +init-connect='SET NAMES utf8mb4' +character-set-server = utf8mb4 +user=mysql +pid-file=/var/run/mysqld/mysqld.pid +socket=/var/run/mysqld/mysqld.sock +port=3306 +basedir=/usr +datadir=/var/lib/mysql +tmpdir=/tmp +lc-messages-dir=/usr/share/mysql +log_error=/var/log/mysql/error.log + +symbolic-links=0 + +skip-external-locking +key_buffer_size = 16M +max_allowed_packet = 16M +table_open_cache = 64 +sort_buffer_size = 512K +net_buffer_length = 8K +read_buffer_size = 256K +read_rnd_buffer_size = 512K +myisam_sort_buffer_size = 8M + +#innodb_use_native_aio = 0 +innodb_file_per_table + +max_connections=70 +max_user_connections=30 +wait_timeout=10 +interactive_timeout=50 +long_query_time=5 + +sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + +!includedir /etc/mysql/conf.d/ diff --git a/install/debian/13/mysql/my-small.cnf b/install/debian/13/mysql/my-small.cnf new file mode 100644 index 00000000..857f48ce --- /dev/null +++ b/install/debian/13/mysql/my-small.cnf @@ -0,0 +1,49 @@ +[client] +default-character-set=utf8mb4 +port=3306 +socket=/var/run/mysqld/mysqld.sock + +[mysqld_safe] +socket=/var/run/mysqld/mysqld.sock + +[mysql] +default-character-set=utf8mb4 + +[mysqld] +collation-server = utf8mb4_unicode_520_ci +init-connect='SET NAMES utf8mb4' +character-set-server = utf8mb4 +user=mysql +pid-file=/var/run/mysqld/mysqld.pid +socket=/var/run/mysqld/mysqld.sock +port=3306 +basedir=/usr +datadir=/var/lib/mysql +tmpdir=/tmp +lc-messages-dir=/usr/share/mysql +log_error=/var/log/mysql/error.log + +symbolic-links=0 + +skip-external-locking +key_buffer_size = 16K +max_allowed_packet = 1M +table_open_cache = 4 +sort_buffer_size = 64K +read_buffer_size = 256K +read_rnd_buffer_size = 256K +net_buffer_length = 2K +thread_stack = 240K + +#innodb_use_native_aio = 0 +innodb_file_per_table + +max_connections=30 +max_user_connections=20 +wait_timeout=10 +interactive_timeout=50 +long_query_time=5 + +sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + +!includedir /etc/mysql/conf.d/ diff --git a/install/debian/13/nginx/nginx.conf b/install/debian/13/nginx/nginx.conf new file mode 100644 index 00000000..6efe2337 --- /dev/null +++ b/install/debian/13/nginx/nginx.conf @@ -0,0 +1,140 @@ +# Server globals +user www-data; +worker_processes auto; +worker_rlimit_nofile 65535; +timer_resolution 50ms; #In order to free some CPU cycles +error_log /var/log/nginx/error.log crit; +pid /var/run/nginx.pid; + + +# Worker config +events { + worker_connections 1024; + use epoll; + multi_accept on; +} + + +http { + # Main settings + sendfile on; + tcp_nopush on; + tcp_nodelay on; + client_header_timeout 1m; + client_body_timeout 1m; + client_header_buffer_size 2k; + client_body_buffer_size 256k; + client_max_body_size 256m; + large_client_header_buffers 4 8k; + send_timeout 30; + keepalive_timeout 60 60; + reset_timedout_connection on; + server_tokens off; + server_name_in_redirect off; + server_names_hash_max_size 512; + server_names_hash_bucket_size 512; + + + # Log format + log_format main '$remote_addr - $remote_user [$time_local] $request ' + '"$status" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format bytes '$body_bytes_sent'; + #access_log /var/log/nginx/access.log main; + access_log off; + + + # Mime settings + include /etc/nginx/mime.types; + default_type application/octet-stream; + + + # Compression + gzip on; + gzip_comp_level 9; + gzip_min_length 512; + gzip_buffers 8 64k; + gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype; + gzip_proxied any; + gzip_disable "MSIE [1-6]\."; + + # Proxy settings + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass_header Set-Cookie; + proxy_connect_timeout 900; + proxy_send_timeout 900; + proxy_read_timeout 900; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + + + # Cloudflare https://www.cloudflare.com/ips + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 104.16.0.0/13; + set_real_ip_from 104.24.0.0/14; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 172.64.0.0/13; + set_real_ip_from 131.0.72.0/22; + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + set_real_ip_from 2a06:98c0::/29; + set_real_ip_from 2c0f:f248::/32; + real_ip_header CF-Connecting-IP; + + + # SSL PCI Compliance + ssl_session_cache shared:SSL:10m; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + + # Error pages + error_page 403 /error/403.html; + error_page 404 /error/404.html; + error_page 502 503 504 /error/50x.html; + + + # Cache settings + proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m; + proxy_cache_key "$host$request_uri $cookie_user"; + proxy_temp_path /var/cache/nginx/temp; + proxy_ignore_headers Expires Cache-Control; + proxy_cache_use_stale error timeout invalid_header http_502; + proxy_cache_valid any 1d; + + + # Cache bypass + map $http_cookie $no_cache { + default 0; + ~SESS 1; + ~wordpress_logged_in 1; + } + + + # File cache settings + open_file_cache max=10000 inactive=30s; + open_file_cache_valid 60s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + + + # Wildcard include + include /etc/nginx/conf.d/*.conf; +} diff --git a/install/debian/13/nginx/phpmyadmin.inc b/install/debian/13/nginx/phpmyadmin.inc new file mode 100644 index 00000000..cdfc93c4 --- /dev/null +++ b/install/debian/13/nginx/phpmyadmin.inc @@ -0,0 +1,18 @@ +location /phpmyadmin { + alias /usr/share/phpmyadmin; + + location ~ /(libraries|setup) { + return 404; + } + + location ~ ^/phpmyadmin/(.*\.php)$ { + alias /usr/share/phpmyadmin/$1; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { + root /usr/share/; + } +} diff --git a/install/debian/13/nginx/phppgadmin.inc b/install/debian/13/nginx/phppgadmin.inc new file mode 100644 index 00000000..47cfcf4e --- /dev/null +++ b/install/debian/13/nginx/phppgadmin.inc @@ -0,0 +1,11 @@ +location /phppgadmin { + alias /usr/share/phppgadmin; + + location ~ ^/phppgadmin/(.*\.php)$ { + alias /usr/share/phppgadmin/$1; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + } +} diff --git a/install/debian/13/nginx/status.conf b/install/debian/13/nginx/status.conf new file mode 100644 index 00000000..c0bcd069 --- /dev/null +++ b/install/debian/13/nginx/status.conf @@ -0,0 +1,9 @@ +server { + listen 127.0.0.1:8084 default; + server_name _; + server_name_in_redirect off; + location / { + stub_status on; + access_log off; + } +} diff --git a/install/debian/13/nginx/webmail.inc b/install/debian/13/nginx/webmail.inc new file mode 100644 index 00000000..768c9049 --- /dev/null +++ b/install/debian/13/nginx/webmail.inc @@ -0,0 +1,15 @@ +location /webmail { + alias /var/lib/roundcube; + + location ~ /(config|temp|logs) { + return 404; + } + + location ~ ^/webmail/(.*\.php)$ { + alias /var/lib/roundcube/$1; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + } +} diff --git a/install/debian/13/packages/default.pkg b/install/debian/13/packages/default.pkg new file mode 100644 index 00000000..cd1cbba1 --- /dev/null +++ b/install/debian/13/packages/default.pkg @@ -0,0 +1,18 @@ +WEB_TEMPLATE='PHP-FPM-82' +PROXY_TEMPLATE='hosting' +DNS_TEMPLATE='default' +WEB_DOMAINS='unlimited' +WEB_ALIASES='unlimited' +DNS_DOMAINS='unlimited' +DNS_RECORDS='unlimited' +MAIL_DOMAINS='unlimited' +MAIL_ACCOUNTS='unlimited' +DATABASES='unlimited' +CRON_JOBS='unlimited' +DISK_QUOTA='unlimited' +BANDWIDTH='unlimited' +NS='YOURHOSTNAME1,YOURHOSTNAME2' +SHELL='nologin' +BACKUPS='2' +TIME='18:00:00' +DATE='2017-12-28' diff --git a/install/debian/13/pga/config.inc.php b/install/debian/13/pga/config.inc.php new file mode 100644 index 00000000..1eec9776 --- /dev/null +++ b/install/debian/13/pga/config.inc.php @@ -0,0 +1,159 @@ + diff --git a/install/debian/13/pga/phppgadmin.conf b/install/debian/13/pga/phppgadmin.conf new file mode 100644 index 00000000..f39247d6 --- /dev/null +++ b/install/debian/13/pga/phppgadmin.conf @@ -0,0 +1,31 @@ +Alias /phppgadmin /usr/share/phppgadmin + + + +DirectoryIndex index.php +AllowOverride None + +order deny,allow +deny from all +allow from 127.0.0.0/255.0.0.0 ::1/128 +allow from all + + + php_flag magic_quotes_gpc Off + php_flag track_vars On + php_value include_path . + + + + + AddType application/x-httpd-php .php + Action application/x-httpd-php /cgi-bin/php + + + AddType application/x-httpd-php .php + Action application/x-httpd-php /cgi-bin/php + + + + + diff --git a/install/debian/13/php-fpm/www.conf b/install/debian/13/php-fpm/www.conf new file mode 100644 index 00000000..3c87f33c --- /dev/null +++ b/install/debian/13/php-fpm/www.conf @@ -0,0 +1,11 @@ +[www] +listen = 127.0.0.1:9000 +listen.allowed_clients = 127.0.0.1 + +user = www-data +group = www-data + +pm = ondemand +pm.max_children = 2 +pm.max_requests = 4000 +pm.process_idle_timeout = 10s diff --git a/install/debian/13/php/php7.3-dedi.patch b/install/debian/13/php/php7.3-dedi.patch new file mode 100644 index 00000000..c044e002 --- /dev/null +++ b/install/debian/13/php/php7.3-dedi.patch @@ -0,0 +1,78 @@ +--- /etc/php/7.3/fpm/php.ini.orig 2019-07-18 16:11:18.856589963 +0200 ++++ /etc/php/7.3/fpm/php.ini 2019-07-18 17:45:51.000000000 +0200 +@@ -312,7 +312,8 @@ + ; This directive allows you to disable certain functions for security reasons. + ; It receives a comma-delimited list of function names. + ; http://php.net/disable-functions +-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, ++; disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, ++disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen + + ; This directive allows you to disable certain classes for security reasons. + ; It receives a comma-delimited list of class names. +@@ -399,11 +400,11 @@ + ;max_input_nesting_level = 64 + + ; How many GET/POST/COOKIE input variables may be accepted +-;max_input_vars = 1000 ++max_input_vars = 6000 + + ; Maximum amount of memory a script may consume (128MB) + ; http://php.net/memory-limit +-memory_limit = 128M ++memory_limit = 256M + + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ; Error handling and logging ; +@@ -690,7 +691,7 @@ + ; Its value may be 0 to disable the limit. It is ignored if POST data reading + ; is disabled through enable_post_data_reading. + ; http://php.net/post-max-size +-post_max_size = 8M ++post_max_size = 60M + + ; Automatically add files before PHP document. + ; http://php.net/auto-prepend-file +@@ -842,7 +843,7 @@ + + ; Maximum allowed size for uploaded files. + ; http://php.net/upload-max-filesize +-upload_max_filesize = 2M ++upload_max_filesize = 50M + + ; Maximum number of files that can be uploaded via a single request + max_file_uploads = 20 +@@ -1087,7 +1088,7 @@ + + ; The path to a log file that will log all mail() calls. Log entries include + ; the full path of the script, line number, To address and headers. +-;mail.log = ++mail.log = /var/log/php-mail.log + ; Log mail to syslog (Event Log on Windows). + ;mail.log = syslog + +@@ -1791,20 +1792,20 @@ + + [opcache] + ; Determines if Zend OPCache is enabled +-;opcache.enable=1 ++opcache.enable=1 + + ; Determines if Zend OPCache is enabled for the CLI version of PHP +-;opcache.enable_cli=0 ++opcache.enable_cli=0 + + ; The OPcache shared memory storage size. +-;opcache.memory_consumption=128 ++opcache.memory_consumption=2048 + + ; The amount of memory for interned strings in Mbytes. + ;opcache.interned_strings_buffer=8 + + ; The maximum number of keys (scripts) in the OPcache hash table. + ; Only numbers between 200 and 1000000 are allowed. +-;opcache.max_accelerated_files=10000 ++opcache.max_accelerated_files=100000 + + ; The maximum percentage of "wasted" memory until a restart is scheduled. + ;opcache.max_wasted_percentage=5 diff --git a/install/debian/13/php/php7.3-vps.patch b/install/debian/13/php/php7.3-vps.patch new file mode 100644 index 00000000..803b93e8 --- /dev/null +++ b/install/debian/13/php/php7.3-vps.patch @@ -0,0 +1,78 @@ +--- /etc/php/7.3/fpm/php.ini.orig 2019-07-18 16:11:18.856589963 +0200 ++++ /etc/php/7.3/fpm/php.ini 2019-07-18 17:45:51.000000000 +0200 +@@ -312,7 +312,8 @@ + ; This directive allows you to disable certain functions for security reasons. + ; It receives a comma-delimited list of function names. + ; http://php.net/disable-functions +-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, ++; disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, ++disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen + + ; This directive allows you to disable certain classes for security reasons. + ; It receives a comma-delimited list of class names. +@@ -399,11 +400,11 @@ + ;max_input_nesting_level = 64 + + ; How many GET/POST/COOKIE input variables may be accepted +-;max_input_vars = 1000 ++max_input_vars = 6000 + + ; Maximum amount of memory a script may consume (128MB) + ; http://php.net/memory-limit +-memory_limit = 128M ++memory_limit = 256M + + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ; Error handling and logging ; +@@ -690,7 +691,7 @@ + ; Its value may be 0 to disable the limit. It is ignored if POST data reading + ; is disabled through enable_post_data_reading. + ; http://php.net/post-max-size +-post_max_size = 8M ++post_max_size = 60M + + ; Automatically add files before PHP document. + ; http://php.net/auto-prepend-file +@@ -842,7 +843,7 @@ + + ; Maximum allowed size for uploaded files. + ; http://php.net/upload-max-filesize +-upload_max_filesize = 2M ++upload_max_filesize = 50M + + ; Maximum number of files that can be uploaded via a single request + max_file_uploads = 20 +@@ -1087,7 +1088,7 @@ + + ; The path to a log file that will log all mail() calls. Log entries include + ; the full path of the script, line number, To address and headers. +-;mail.log = ++mail.log = /var/log/php-mail.log + ; Log mail to syslog (Event Log on Windows). + ;mail.log = syslog + +@@ -1791,20 +1792,20 @@ + + [opcache] + ; Determines if Zend OPCache is enabled +-;opcache.enable=1 ++opcache.enable=1 + + ; Determines if Zend OPCache is enabled for the CLI version of PHP +-;opcache.enable_cli=0 ++opcache.enable_cli=0 + + ; The OPcache shared memory storage size. +-;opcache.memory_consumption=128 ++opcache.memory_consumption=512 + + ; The amount of memory for interned strings in Mbytes. + ;opcache.interned_strings_buffer=8 + + ; The maximum number of keys (scripts) in the OPcache hash table. + ; Only numbers between 200 and 1000000 are allowed. +-;opcache.max_accelerated_files=10000 ++opcache.max_accelerated_files=100000 + + ; The maximum percentage of "wasted" memory until a restart is scheduled. + ;opcache.max_wasted_percentage=5 diff --git a/install/debian/13/php/php7.4-dedi.patch b/install/debian/13/php/php7.4-dedi.patch new file mode 100644 index 00000000..3e5bd2fb --- /dev/null +++ b/install/debian/13/php/php7.4-dedi.patch @@ -0,0 +1,78 @@ +--- /etc/php/7.4/fpm/php.ini.orig 2021-07-16 16:12:30.027464762 +0200 ++++ /etc/php/7.4/fpm/php.ini 2021-07-16 16:25:15.000000000 +0200 +@@ -309,7 +309,8 @@ + ; This directive allows you to disable certain functions. + ; It receives a comma-delimited list of function names. + ; http://php.net/disable-functions +-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, ++; disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, ++disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen + + ; This directive allows you to disable certain classes. + ; It receives a comma-delimited list of class names. +@@ -402,11 +403,11 @@ + ;max_input_nesting_level = 64 + + ; How many GET/POST/COOKIE input variables may be accepted +-;max_input_vars = 1000 ++max_input_vars = 6000 + + ; Maximum amount of memory a script may consume + ; http://php.net/memory-limit +-memory_limit = 128M ++memory_limit = 256M + + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ; Error handling and logging ; +@@ -691,7 +692,7 @@ + ; Its value may be 0 to disable the limit. It is ignored if POST data reading + ; is disabled through enable_post_data_reading. + ; http://php.net/post-max-size +-post_max_size = 8M ++post_max_size = 60M + + ; Automatically add files before PHP document. + ; http://php.net/auto-prepend-file +@@ -843,7 +844,7 @@ + + ; Maximum allowed size for uploaded files. + ; http://php.net/upload-max-filesize +-upload_max_filesize = 2M ++upload_max_filesize = 50M + + ; Maximum number of files that can be uploaded via a single request + max_file_uploads = 20 +@@ -1089,7 +1090,7 @@ + + ; The path to a log file that will log all mail() calls. Log entries include + ; the full path of the script, line number, To address and headers. +-;mail.log = ++mail.log = /var/log/php-mail.log + ; Log mail to syslog (Event Log on Windows). + ;mail.log = syslog + +@@ -1766,20 +1767,20 @@ + + [opcache] + ; Determines if Zend OPCache is enabled +-;opcache.enable=1 ++opcache.enable=1 + + ; Determines if Zend OPCache is enabled for the CLI version of PHP +-;opcache.enable_cli=0 ++opcache.enable_cli=0 + + ; The OPcache shared memory storage size. +-;opcache.memory_consumption=128 ++opcache.memory_consumption=2048 + + ; The amount of memory for interned strings in Mbytes. + ;opcache.interned_strings_buffer=8 + + ; The maximum number of keys (scripts) in the OPcache hash table. + ; Only numbers between 200 and 1000000 are allowed. +-;opcache.max_accelerated_files=10000 ++opcache.max_accelerated_files=100000 + + ; The maximum percentage of "wasted" memory until a restart is scheduled. + ;opcache.max_wasted_percentage=5 diff --git a/install/debian/13/php/php7.4-vps.patch b/install/debian/13/php/php7.4-vps.patch new file mode 100644 index 00000000..7c52d402 --- /dev/null +++ b/install/debian/13/php/php7.4-vps.patch @@ -0,0 +1,78 @@ +--- /etc/php/7.4/fpm/php.ini.orig 2021-07-16 16:12:30.027464762 +0200 ++++ /etc/php/7.4/fpm/php.ini 2021-07-16 16:24:26.000000000 +0200 +@@ -309,7 +309,8 @@ + ; This directive allows you to disable certain functions. + ; It receives a comma-delimited list of function names. + ; http://php.net/disable-functions +-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, ++; disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, ++disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen + + ; This directive allows you to disable certain classes. + ; It receives a comma-delimited list of class names. +@@ -402,11 +403,11 @@ + ;max_input_nesting_level = 64 + + ; How many GET/POST/COOKIE input variables may be accepted +-;max_input_vars = 1000 ++max_input_vars = 6000 + + ; Maximum amount of memory a script may consume + ; http://php.net/memory-limit +-memory_limit = 128M ++memory_limit = 256M + + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ; Error handling and logging ; +@@ -691,7 +692,7 @@ + ; Its value may be 0 to disable the limit. It is ignored if POST data reading + ; is disabled through enable_post_data_reading. + ; http://php.net/post-max-size +-post_max_size = 8M ++post_max_size = 60M + + ; Automatically add files before PHP document. + ; http://php.net/auto-prepend-file +@@ -843,7 +844,7 @@ + + ; Maximum allowed size for uploaded files. + ; http://php.net/upload-max-filesize +-upload_max_filesize = 2M ++upload_max_filesize = 50M + + ; Maximum number of files that can be uploaded via a single request + max_file_uploads = 20 +@@ -1089,7 +1090,7 @@ + + ; The path to a log file that will log all mail() calls. Log entries include + ; the full path of the script, line number, To address and headers. +-;mail.log = ++mail.log = /var/log/php-mail.log + ; Log mail to syslog (Event Log on Windows). + ;mail.log = syslog + +@@ -1766,20 +1767,20 @@ + + [opcache] + ; Determines if Zend OPCache is enabled +-;opcache.enable=1 ++opcache.enable=1 + + ; Determines if Zend OPCache is enabled for the CLI version of PHP +-;opcache.enable_cli=0 ++opcache.enable_cli=0 + + ; The OPcache shared memory storage size. +-;opcache.memory_consumption=128 ++opcache.memory_consumption=512 + + ; The amount of memory for interned strings in Mbytes. + ;opcache.interned_strings_buffer=8 + + ; The maximum number of keys (scripts) in the OPcache hash table. + ; Only numbers between 200 and 1000000 are allowed. +-;opcache.max_accelerated_files=10000 ++opcache.max_accelerated_files=100000 + + ; The maximum percentage of "wasted" memory until a restart is scheduled. + ;opcache.max_wasted_percentage=5 diff --git a/install/debian/13/pma/apache.conf b/install/debian/13/pma/apache.conf new file mode 100644 index 00000000..2a8f69e2 --- /dev/null +++ b/install/debian/13/pma/apache.conf @@ -0,0 +1,42 @@ +# phpMyAdmin default Apache configuration + +Alias /phpmyadmin /usr/share/phpmyadmin + + + Options FollowSymLinks + DirectoryIndex index.php + + + AddType application/x-httpd-php .php + + php_flag magic_quotes_gpc Off + php_flag track_vars On + php_flag register_globals Off + php_admin_flag allow_url_fopen Off + php_value include_path . + php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp + php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext + + + + +# Authorize for setup + + + AuthType Basic + AuthName "phpMyAdmin Setup" + AuthUserFile /etc/phpmyadmin/htpasswd.setup + + Require valid-user + + +# Disallow web access to directories that don't need it + + Order Deny,Allow + Deny from All + + + Order Deny,Allow + Deny from All + + diff --git a/install/debian/13/pma/config.inc.php b/install/debian/13/pma/config.inc.php new file mode 100644 index 00000000..eafc6d67 --- /dev/null +++ b/install/debian/13/pma/config.inc.php @@ -0,0 +1,146 @@ +> $pmapath1 +sed -i '/savedsearches/d' $pmapath1 +sed -i '/navigationhiding/d' $pmapath1 +sed -i '/users/d' $pmapath1 +sed -i '/controlpass/d' $pmapath1 +sed -i '/favorite/d' $pmapath1 +sed -i '/usergroups/d' $pmapath1 +sed -i '/central_columns/d' $pmapath1 +sed -i '/designer_settings/d' $pmapath1 +sed -i '/export_templates/d' $pmapath1 +echo "\$cfg['Servers'][\$i]['favorite'] = 'pma__favorite';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['central_columns'] = 'pma__central_columns';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['designer_settings'] = 'pma__designer_settings';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['export_templates'] = 'pma__export_templates';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['savedsearches'] = 'pma__savedsearches';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['navigationhiding'] = 'pma__navigationhiding';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['users'] = 'pma__users';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['controluser'] = 'pma';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['bookmarktable'] = 'pma__bookmark';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['relation'] = 'pma__relation';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['userconfig'] = 'pma__userconfig';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['table_info'] = 'pma__table_info';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['column_info'] = 'pma__column_info';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['history'] = 'pma__history';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['recent'] = 'pma__recent';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['table_uiprefs'] = 'pma__table_uiprefs';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['tracking'] = 'pma__tracking';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['table_coords'] = 'pma__table_coords';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['pdf_pages'] = 'pma__pdf_pages';" >> $pmapath1 +echo "\$cfg['Servers'][\$i]['designer_coords'] = 'pma__designer_coords';" >> $pmapath1 + +sed -i '/pmadb/d' $pmapath2 +sed -i '/controluser/d' $pmapath2 +sed -i '/bookmarktable/d' $pmapath2 +sed -i '/relation/d' $pmapath2 +sed -i '/userconfig/d' $pmapath2 +sed -i '/table_info/d' $pmapath2 +sed -i '/column_info/d' $pmapath2 +sed -i '/history/d' $pmapath2 +sed -i '/recent/d' $pmapath2 +sed -i '/table_uiprefs/d' $pmapath2 +sed -i '/tracking/d' $pmapath2 +sed -i '/table_coords/d' $pmapath2 +sed -i '/pdf_pages/d' $pmapath2 +sed -i '/designer_coords/d' $pmapath2 +sed -i '/controlpass/d' $pmapath2 +sed -i '/savedsearches/d' $pmapath2 +sed -i '/navigationhiding/d' $pmapath2 +sed -i '/users/d' $pmapath2 +sed -i '/controlpass/d' $pmapath2 +sed -i '/favorite/d' $pmapath2 +sed -i '/usergroups/d' $pmapath2 +sed -i '/central_columns/d' $pmapath2 +sed -i '/designer_settings/d' $pmapath2 +sed -i '/export_templates/d' $pmapath2 +echo "\$cfg['Servers'][\$i]['favorite'] = 'pma__favorite';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['central_columns'] = 'pma__central_columns';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['designer_settings'] = 'pma__designer_settings';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['export_templates'] = 'pma__export_templates';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['savedsearches'] = 'pma__savedsearches';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['navigationhiding'] = 'pma__navigationhiding';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['users'] = 'pma__users';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['controluser'] = 'pma';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['bookmarktable'] = 'pma__bookmark';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['relation'] = 'pma__relation';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['userconfig'] = 'pma__userconfig';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['table_info'] = 'pma__table_info';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['column_info'] = 'pma__column_info';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['history'] = 'pma__history';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['recent'] = 'pma__recent';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['table_uiprefs'] = 'pma__table_uiprefs';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['tracking'] = 'pma__tracking';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['table_coords'] = 'pma__table_coords';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['pdf_pages'] = 'pma__pdf_pages';" >> $pmapath2 +echo "\$cfg['Servers'][\$i]['designer_coords'] = 'pma__designer_coords';" >> $pmapath2 + +#SOME WORK with DATABASE (table / user) +PMADB=phpmyadmin +PMAUSER=pma + +#DROP USER and TABLE +mysql -uroot < + VRootEngine on + VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf + + +AuthPAMConfig proftpd +AuthOrder mod_auth_pam.c* mod_auth_unix.c +UseReverseDNS off +User proftpd +Group nogroup +MaxInstances 100 +UseSendfile off +LogFormat default "%h %l %u %t \"%r\" %s %b" +LogFormat auth "%v [%P] %h %t \"%r\" %s" +ListOptions -a +RequireValidShell off +PassivePorts 12000 12100 +TransferLog /var/log/proftpd/xferlog +SystemLog /var/log/proftpd/proftpd.log + + + Umask 002 + + IdentLookups off + + AllowOverwrite yes + + AllowAll + + diff --git a/install/debian/13/proftpd/tls.conf b/install/debian/13/proftpd/tls.conf new file mode 100644 index 00000000..9da0017b --- /dev/null +++ b/install/debian/13/proftpd/tls.conf @@ -0,0 +1,63 @@ +# +# Proftpd sample configuration for FTPS connections. +# +# Note that FTPS impose some limitations in NAT traversing. +# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html +# for more information. +# + + # If mod_tls was built as a shared/DSO module, load it + LoadModule mod_tls.c + + +TLSEngine on +TLSLog /var/log/proftpd/tls.log +# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2 +TLSProtocol TLSv1.1 TLSv1.2 +# +# Server SSL certificate. You can generate a self-signed certificate using +# a command like: +# +# openssl req -x509 -newkey rsa:1024 \ +# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \ +# -nodes -days 365 +# +# The proftpd.key file must be readable by root only. The other file can be +# readable by anyone. +# +# chmod 0600 /etc/ssl/private/proftpd.key +# chmod 0640 /etc/ssl/private/proftpd.key +# +TLSRSACertificateFile /usr/local/vesta/ssl/certificate.crt +TLSRSACertificateKeyFile /usr/local/vesta/ssl/certificate.key +# +# CA the server trusts... +#TLSCACertificateFile /etc/ssl/certs/CA.pem +# ...or avoid CA cert and be verbose +#TLSOptions NoCertRequest EnableDiags +# ... or the same with relaxed session use for some clients (e.g. FireFtp) +#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired +# +# +# Per default drop connection if client tries to start a renegotiate +# This is a fix for CVE-2009-3555 but could break some clients. +# +#TLSOptions AllowClientRenegotiations +# +TLSOptions NoSessionReuseRequired AllowClientRenegotiations +# Authenticate clients that want to use FTP over TLS? +# +#TLSVerifyClient off +# +# Are clients required to use FTP over TLS when talking to this server? +# +TLSRequired off +# +# Allow SSL/TLS renegotiations when the client requests them, but +# do not force the renegotations. Some clients do not support +# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these +# clients will close the data connection, or there will be a timeout +# on an idle data connection. +# +TLSRenegotiate required off + diff --git a/install/debian/13/roundcube/apache.conf b/install/debian/13/roundcube/apache.conf new file mode 100644 index 00000000..a0c87bcc --- /dev/null +++ b/install/debian/13/roundcube/apache.conf @@ -0,0 +1,40 @@ +Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/ +Alias /roundcube /var/lib/roundcube +Alias /webmail /var/lib/roundcube + +# Access to tinymce files + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order allow,deny + allow from all + + + + Options +FollowSymLinks + # This is needed to parse /var/lib/roundcube/.htaccess. See its + # content before setting AllowOverride to None. + AllowOverride All + order allow,deny + allow from all + + +# Protecting basic directories: + + Options -FollowSymLinks + AllowOverride None + + + + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + + + + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + diff --git a/install/debian/13/roundcube/config.inc.php b/install/debian/13/roundcube/config.inc.php new file mode 100644 index 00000000..0c82b1bc --- /dev/null +++ b/install/debian/13/roundcube/config.inc.php @@ -0,0 +1,33 @@ + diff --git a/install/debian/13/roundcube/main.inc.php b/install/debian/13/roundcube/main.inc.php new file mode 100644 index 00000000..91f32000 --- /dev/null +++ b/install/debian/13/roundcube/main.inc.php @@ -0,0 +1,850 @@ +/sendmail or to syslog +$rcmail_config['smtp_log'] = true; + +// Log successful logins to /userlogins or to syslog +$rcmail_config['log_logins'] = false; + +// Log session authentication errors to /session or to syslog +$rcmail_config['log_session'] = false; + +// Log SQL queries to /sql or to syslog +$rcmail_config['sql_debug'] = false; + +// Log IMAP conversation to /imap or to syslog +$rcmail_config['imap_debug'] = false; + +// Log LDAP conversation to /ldap or to syslog +$rcmail_config['ldap_debug'] = false; + +// Log SMTP conversation to /smtp or to syslog +$rcmail_config['smtp_debug'] = false; + +// ---------------------------------- +// IMAP +// ---------------------------------- + +// the mail host chosen to perform the log-in +// leave blank to show a textbox at login, give a list of hosts +// to display a pulldown menu or set one host as string. +// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls:// +// Supported replacement variables: +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// %s - domain name after the '@' from e-mail address provided at login screen +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['default_host'] = 'localhost'; + +// TCP port used for IMAP connections +$rcmail_config['default_port'] = 143; + +// IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use +// best server supported one) +$rcmail_config['imap_auth_type'] = null; + +// If you know your imap's folder delimiter, you can specify it here. +// Otherwise it will be determined automatically +$rcmail_config['imap_delimiter'] = null; + +// If IMAP server doesn't support NAMESPACE extension, but you're +// using shared folders or personal root folder is non-empty, you'll need to +// set these options. All can be strings or arrays of strings. +// Folders need to be ended with directory separator, e.g. "INBOX." +// (special directory "~" is an exception to this rule) +// These can be used also to overwrite server's namespaces +$rcmail_config['imap_ns_personal'] = null; +$rcmail_config['imap_ns_other'] = null; +$rcmail_config['imap_ns_shared'] = null; + +// By default IMAP capabilities are readed after connection to IMAP server +// In some cases, e.g. when using IMAP proxy, there's a need to refresh the list +// after login. Set to True if you've got this case. +$rcmail_config['imap_force_caps'] = false; + +// By default list of subscribed folders is determined using LIST-EXTENDED +// extension if available. Some servers (dovecot 1.x) returns wrong results +// for shared namespaces in this case. http://trac.roundcube.net/ticket/1486225 +// Enable this option to force LSUB command usage instead. +$rcmail_config['imap_force_lsub'] = false; + +// Some server configurations (e.g. Courier) doesn't list folders in all namespaces +// Enable this option to force listing of folders in all namespaces +$rcmail_config['imap_force_ns'] = false; + +// IMAP connection timeout, in seconds. Default: 0 (no limit) +$rcmail_config['imap_timeout'] = 0; + +// Optional IMAP authentication identifier to be used as authorization proxy +$rcmail_config['imap_auth_cid'] = null; + +// Optional IMAP authentication password to be used for imap_auth_cid +$rcmail_config['imap_auth_pw'] = null; + +// Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache'. +$rcmail_config['imap_cache'] = null; + +// Enables messages cache. Only 'db' cache is supported. +$rcmail_config['messages_cache'] = false; + + +// ---------------------------------- +// SMTP +// ---------------------------------- + +// SMTP server host (for sending mails). +// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls:// +// If left blank, the PHP mail() function is used +// Supported replacement variables: +// %h - user's IMAP hostname +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// %z - IMAP domain (IMAP hostname without the first part) +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['smtp_server'] = ''; + +// SMTP port (default is 25; use 587 for STARTTLS or 465 for the +// deprecated SSL over SMTP (aka SMTPS)) +$rcmail_config['smtp_port'] = 25; + +// SMTP username (if required) if you use %u as the username Roundcube +// will use the current username for login +$rcmail_config['smtp_user'] = ''; + +// SMTP password (if required) if you use %p as the password Roundcube +// will use the current user's password for login +$rcmail_config['smtp_pass'] = ''; + +// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use +// best server supported one) +$rcmail_config['smtp_auth_type'] = ''; + +// Optional SMTP authentication identifier to be used as authorization proxy +$rcmail_config['smtp_auth_cid'] = null; + +// Optional SMTP authentication password to be used for smtp_auth_cid +$rcmail_config['smtp_auth_pw'] = null; + +// SMTP HELO host +// Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages +// Leave this blank and you will get the server variable 'server_name' or +// localhost if that isn't defined. +$rcmail_config['smtp_helo_host'] = ''; + +// SMTP connection timeout, in seconds. Default: 0 (no limit) +$rcmail_config['smtp_timeout'] = 0; + +// ---------------------------------- +// SYSTEM +// ---------------------------------- +include_once("/etc/roundcube/debian-db-roundcube.php"); + + +// THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA. +// ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING! +$rcmail_config['enable_installer'] = false; + +// provide an URL where a user can get support for this Roundcube installation +// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE! +$rcmail_config['support_url'] = ''; + +// replace Roundcube logo with this image +// specify an URL relative to the document root of this Roundcube installation +$rcmail_config['skin_logo'] = null; + +// automatically create a new Roundcube user when log-in the first time. +// a new user will be created once the IMAP login succeeds. +// set to false if only registered users can use this service +$rcmail_config['auto_create_user'] = true; + +// use this folder to store log files (must be writeable for apache user) +// This is used by the 'file' log driver. +$rcmail_config['log_dir'] = '/var/log/roundcubemail/'; + +// use this folder to store temp files (must be writeable for apache user) +$rcmail_config['temp_dir'] = '/tmp'; + +// lifetime of message cache +// possible units: s, m, h, d, w +$rcmail_config['message_cache_lifetime'] = '10d'; + +// enforce connections over https +// with this option enabled, all non-secure connections will be redirected. +// set the port for the ssl connection as value of this option if it differs from the default 443 +$rcmail_config['force_https'] = true; + +// tell PHP that it should work as under secure connection +// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set) +// e.g. when you're running Roundcube behind a https proxy +// this option is mutually exclusive to 'force_https' and only either one of them should be set to true. +$rcmail_config['use_https'] = false; + +// Allow browser-autocompletion on login form. +// 0 - disabled, 1 - username and host only, 2 - username, host, password +$rcmail_config['login_autocomplete'] = 0; + +// Forces conversion of logins to lower case. +// 0 - disabled, 1 - only domain part, 2 - domain and local part. +// If users authentication is not case-sensitive this must be enabled. +// After enabling it all user records need to be updated, e.g. with query: +// UPDATE users SET username = LOWER(username); +$rcmail_config['login_lc'] = 0; + +// Includes should be interpreted as PHP files +$rcmail_config['skin_include_php'] = false; + +// display software version on login screen +$rcmail_config['display_version'] = false; + +// Session lifetime in minutes +// must be greater than 'keep_alive'/60 +$rcmail_config['session_lifetime'] = 10; + +// session domain: .example.org +$rcmail_config['session_domain'] = ''; + +// session name. Default: 'roundcube_sessid' +$rcmail_config['session_name'] = null; + +// Backend to use for session storage. Can either be 'db' (default) or 'memcache' +// If set to memcache, a list of servers need to be specified in 'memcache_hosts' +// Make sure the Memcache extension (http://pecl.php.net/package/memcache) version >= 2.0.0 is installed +$rcmail_config['session_storage'] = 'db'; + +// Use these hosts for accessing memcached +// Define any number of hosts in the form of hostname:port or unix:///path/to/sock.file +$rcmail_config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock' ); + +// check client IP in session athorization +$rcmail_config['ip_check'] = false; + +// check referer of incoming requests +$rcmail_config['referer_check'] = false; + +// X-Frame-Options HTTP header value sent to prevent from Clickjacking. +// Possible values: sameorigin|deny. Set to false in order to disable sending them +$rcmail_config['x_frame_options'] = 'sameorigin'; + +// this key is used to encrypt the users imap password which is stored +// in the session record (and the client cookie if remember password is enabled). +// please provide a string of exactly 24 chars. +$rcmail_config['des_key'] = 'vtIOjLZo9kffJoqzpSbm5r1r'; + +// Automatically add this domain to user names for login +// Only for IMAP servers that require full e-mail addresses for login +// Specify an array with 'host' => 'domain' values to support multiple hosts +// Supported replacement variables: +// %h - user's IMAP hostname +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// %z - IMAP domain (IMAP hostname without the first part) +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['username_domain'] = ''; + +// This domain will be used to form e-mail addresses of new users +// Specify an array with 'host' => 'domain' values to support multiple hosts +// Supported replacement variables: +// %h - user's IMAP hostname +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// %z - IMAP domain (IMAP hostname without the first part) +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['mail_domain'] = ''; + +// Password charset. +// Use it if your authentication backend doesn't support UTF-8. +// Defaults to ISO-8859-1 for backward compatibility +$rcmail_config['password_charset'] = 'ISO-8859-1'; + +// How many seconds must pass between emails sent by a user +$rcmail_config['sendmail_delay'] = 0; + +// Maximum number of recipients per message. Default: 0 (no limit) +$rcmail_config['max_recipients'] = 0; + +// Maximum allowednumber of members of an address group. Default: 0 (no limit) +// If 'max_recipients' is set this value should be less or equal +$rcmail_config['max_group_members'] = 0; + +// add this user-agent to message headers when sending +$rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION; + +// use this name to compose page titles +$rcmail_config['product_name'] = 'Roundcube Webmail'; + +// try to load host-specific configuration +// see http://trac.roundcube.net/wiki/Howto_Config for more details +$rcmail_config['include_host_config'] = false; + +// path to a text file which will be added to each sent message +// paths are relative to the Roundcube root folder +$rcmail_config['generic_message_footer'] = ''; + +// path to a text file which will be added to each sent HTML message +// paths are relative to the Roundcube root folder +$rcmail_config['generic_message_footer_html'] = ''; + +// add a received header to outgoing mails containing the creators IP and hostname +$rcmail_config['http_received_header'] = false; + +// Whether or not to encrypt the IP address and the host name +// these could, in some circles, be considered as sensitive information; +// however, for the administrator, these could be invaluable help +// when tracking down issues. +$rcmail_config['http_received_header_encrypt'] = false; + +// This string is used as a delimiter for message headers when sending +// a message via mail() function. Leave empty for auto-detection +$rcmail_config['mail_header_delimiter'] = NULL; + +// number of chars allowed for line when wrapping text. +// text wrapping is done when composing/sending messages +$rcmail_config['line_length'] = 72; + +// send plaintext messages as format=flowed +$rcmail_config['send_format_flowed'] = true; + +// don't allow these settings to be overriden by the user +$rcmail_config['dont_override'] = array(); + +// Set identities access level: +// 0 - many identities with possibility to edit all params +// 1 - many identities with possibility to edit all params but not email address +// 2 - one identity with possibility to edit all params +// 3 - one identity with possibility to edit all params but not email address +$rcmail_config['identities_level'] = 0; + +// Mimetypes supported by the browser. +// attachments of these types will open in a preview window +// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf' +$rcmail_config['client_mimetypes'] = null; # null == default + +// mime magic database +$rcmail_config['mime_magic'] = null; + +// path to imagemagick identify binary +$rcmail_config['im_identify_path'] = null; + +// path to imagemagick convert binary +$rcmail_config['im_convert_path'] = null; + +// maximum size of uploaded contact photos in pixel +$rcmail_config['contact_photo_size'] = 160; + +// Enable DNS checking for e-mail address validation +$rcmail_config['email_dns_check'] = false; + +// ---------------------------------- +// PLUGINS +// ---------------------------------- + +// List of active plugins (in plugins/ directory) +$rcmail_config['plugins'] = array('password'); + +// ---------------------------------- +// USER INTERFACE +// ---------------------------------- + +// default messages sort column. Use empty value for default server's sorting, +// or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc' +$rcmail_config['message_sort_col'] = ''; + +// default messages sort order +$rcmail_config['message_sort_order'] = 'DESC'; + +// These cols are shown in the message list. Available cols are: +// subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, 'priority' +$rcmail_config['list_cols'] = array('subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment'); + +// the default locale setting (leave empty for auto-detection) +// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR +$rcmail_config['language'] = null; + +// use this format for date display (date or strftime format) +$rcmail_config['date_format'] = 'Y-m-d'; + +// give this choice of date formats to the user to select from +$rcmail_config['date_formats'] = array('Y-m-d', 'd-m-Y', 'Y/m/d', 'm/d/Y', 'd/m/Y', 'd.m.Y', 'j.n.Y'); + +// use this format for time display (date or strftime format) +$rcmail_config['time_format'] = 'H:i'; + +// give this choice of time formats to the user to select from +$rcmail_config['time_formats'] = array('G:i', 'H:i', 'g:i a', 'h:i A'); + +// use this format for short date display (derived from date_format and time_format) +$rcmail_config['date_short'] = 'D H:i'; + +// use this format for detailed date/time formatting (derived from date_format and time_format) +$rcmail_config['date_long'] = 'Y-m-d H:i'; + +// store draft message is this mailbox +// leave blank if draft messages should not be stored +// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP) +$rcmail_config['drafts_mbox'] = 'Drafts'; + +// store spam messages in this mailbox +// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP) +$rcmail_config['junk_mbox'] = 'Spam'; + +// store sent message is this mailbox +// leave blank if sent messages should not be stored +// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP) +$rcmail_config['sent_mbox'] = 'Sent'; + +// move messages to this folder when deleting them +// leave blank if they should be deleted directly +// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP) +$rcmail_config['trash_mbox'] = 'Trash'; + +// display these folders separately in the mailbox list. +// these folders will also be displayed with localized names +// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP) +$rcmail_config['default_folders'] = array('INBOX', 'Drafts', 'Sent', 'Spam', 'Trash'); +$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Spam', 'Trash'); + +// automatically create the above listed default folders on first login +$rcmail_config['create_default_folders'] = true; + +// protect the default folders from renames, deletes, and subscription changes +$rcmail_config['protect_default_folders'] = true; + +// if in your system 0 quota means no limit set this option to true +$rcmail_config['quota_zero_as_unlimited'] = false; + +// Make use of the built-in spell checker. It is based on GoogieSpell. +// Since Google only accepts connections over https your PHP installatation +// requires to be compiled with Open SSL support +$rcmail_config['enable_spellcheck'] = true; + +// Enables spellchecker exceptions dictionary. +// Setting it to 'shared' will make the dictionary shared by all users. +$rcmail_config['spellcheck_dictionary'] = false; + +// Set the spell checking engine. 'googie' is the default. 'pspell' is also available, +// but requires the Pspell extensions. When using Nox Spell Server, also set 'googie' here. +$rcmail_config['spellcheck_engine'] = 'googie'; + +// For a locally installed Nox Spell Server, please specify the URI to call it. +// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 +// Leave empty to use the Google spell checking service, what means +// that the message content will be sent to Google in order to check spelling +$rcmail_config['spellcheck_uri'] = ''; + +// These languages can be selected for spell checking. +// Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch'); +// Leave empty for default set of available language. +$rcmail_config['spellcheck_languages'] = NULL; + +// Makes that words with all letters capitalized will be ignored (e.g. GOOGLE) +$rcmail_config['spellcheck_ignore_caps'] = false; + +// Makes that words with numbers will be ignored (e.g. g00gle) +$rcmail_config['spellcheck_ignore_nums'] = false; + +// Makes that words with symbols will be ignored (e.g. g@@gle) +$rcmail_config['spellcheck_ignore_syms'] = false; + +// Use this char/string to separate recipients when composing a new message +$rcmail_config['recipients_separator'] = ','; + +// don't let users set pagesize to more than this value if set +$rcmail_config['max_pagesize'] = 200; + +// Minimal value of user's 'keep_alive' setting (in seconds) +// Must be less than 'session_lifetime' +$rcmail_config['min_keep_alive'] = 60; + +// Enables files upload indicator. Requires APC installed and enabled apc.rfc1867 option. +// By default refresh time is set to 1 second. You can set this value to true +// or any integer value indicating number of seconds. +$rcmail_config['upload_progress'] = false; + +// Specifies for how many seconds the Undo button will be available +// after object delete action. Currently used with supporting address book sources. +// Setting it to 0, disables the feature. +$rcmail_config['undo_timeout'] = 0; + +// ---------------------------------- +// ADDRESSBOOK SETTINGS +// ---------------------------------- + +// This indicates which type of address book to use. Possible choises: +// 'sql' (default) and 'ldap'. +// If set to 'ldap' then it will look at using the first writable LDAP +// address book as the primary address book and it will not display the +// SQL address book in the 'Address Book' view. +$rcmail_config['address_book_type'] = 'sql'; + +// In order to enable public ldap search, configure an array like the Verisign +// example further below. if you would like to test, simply uncomment the example. +// Array key must contain only safe characters, ie. a-zA-Z0-9_ +$rcmail_config['ldap_public'] = array(); + +// If you are going to use LDAP for individual address books, you will need to +// set 'user_specific' to true and use the variables to generate the appropriate DNs to access it. +// +// The recommended directory structure for LDAP is to store all the address book entries +// under the users main entry, e.g.: +// +// o=root +// ou=people +// uid=user@domain +// mail=contact@contactdomain +// +// So the base_dn would be uid=%fu,ou=people,o=root +// The bind_dn would be the same as based_dn or some super user login. +/* + * example config for Verisign directory + * +$rcmail_config['ldap_public']['Verisign'] = array( + 'name' => 'Verisign.com', + // Replacement variables supported in host names: + // %h - user's IMAP hostname + // %n - http hostname ($_SERVER['SERVER_NAME']) + // %d - domain (http hostname without the first part) + // %z - IMAP domain (IMAP hostname without the first part) + // For example %n = mail.domain.tld, %d = domain.tld + 'hosts' => array('directory.verisign.com'), + 'port' => 389, + 'use_tls' => false, + 'ldap_version' => 3, // using LDAPv3 + 'user_specific' => false, // If true the base_dn, bind_dn and bind_pass default to the user's IMAP login. + // %fu - The full username provided, assumes the username is an email + // address, uses the username_domain value if not an email address. + // %u - The username prior to the '@'. + // %d - The domain name after the '@'. + // %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" + // %dn - DN found by ldap search when search_filter/search_base_dn are used + 'base_dn' => '', + 'bind_dn' => '', + 'bind_pass' => '', + // It's possible to bind for an individual address book + // The login name is used to search for the DN to bind with + 'search_base_dn' => '', + 'search_filter' => '', // e.g. '(&(objectClass=posixAccount)(uid=%u))' + // DN and password to bind as before searching for bind DN, if anonymous search is not allowed + 'search_bind_dn' => '', + 'search_bind_pw' => '', + // Default for %dn variable if search doesn't return DN value + 'search_dn_default' => '', + // Optional authentication identifier to be used as SASL authorization proxy + // bind_dn need to be empty + 'auth_cid' => '', + // SASL authentication method (for proxy auth), e.g. DIGEST-MD5 + 'auth_method' => '', + // Indicates if the addressbook shall be hidden from the list. + // With this option enabled you can still search/view contacts. + 'hidden' => false, + // Indicates if the addressbook shall not list contacts but only allows searching. + 'searchonly' => false, + // Indicates if we can write to the LDAP directory or not. + // If writable is true then these fields need to be populated: + // LDAP_Object_Classes, required_fields, LDAP_rdn + 'writable' => false, + // To create a new contact these are the object classes to specify + // (or any other classes you wish to use). + 'LDAP_Object_Classes' => array('top', 'inetOrgPerson'), + // The RDN field that is used for new entries, this field needs + // to be one of the search_fields, the base of base_dn is appended + // to the RDN to insert into the LDAP directory. + 'LDAP_rdn' => 'cn', + // The required fields needed to build a new contact as required by + // the object classes (can include additional fields not required by the object classes). + 'required_fields' => array('cn', 'sn', 'mail'), + 'search_fields' => array('mail', 'cn'), // fields to search in + // mapping of contact fields to directory attributes + // for every attribute one can specify the number of values (limit) allowed. + // default is 1, a wildcard * means unlimited + 'fieldmap' => array( + // Roundcube => LDAP:limit + 'name' => 'cn', + 'surname' => 'sn', + 'firstname' => 'givenName', + 'title' => 'title', + 'email' => 'mail:*', + 'phone:home' => 'homePhone', + 'phone:work' => 'telephoneNumber', + 'phone:mobile' => 'mobile', + 'phone:pager' => 'pager', + 'street' => 'street', + 'zipcode' => 'postalCode', + 'region' => 'st', + 'locality' => 'l', +// if you uncomment country, you need to modify 'sub_fields' above +// 'country' => 'c', + 'department' => 'departmentNumber', + 'notes' => 'description', +// these currently don't work: +// 'phone:workfax' => 'facsimileTelephoneNumber', +// 'photo' => 'jpegPhoto', +// 'organization' => 'o', +// 'manager' => 'manager', +// 'assistant' => 'secretary', + ), + // Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country' + 'sub_fields' => array(), + 'sort' => 'cn', // The field to sort the listing by. + 'scope' => 'sub', // search mode: sub|base|list + 'filter' => '(objectClass=inetOrgPerson)', // used for basic listing (if not empty) and will be &'d with search queries. example: status=act + 'fuzzy_search' => true, // server allows wildcard search + 'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it) + 'numsub_filter' => '(objectClass=organizationalUnit)', // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting + 'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit. + 'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit. + 'referrals' => true|false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups + + // definition for contact groups (uncomment if no groups are supported) + // for the groups base_dn, the user replacements %fu, %u, $d and %dc work as for base_dn (see above) + // if the groups base_dn is empty, the contact base_dn is used for the groups as well + // -> in this case, assure that groups and contacts are separated due to the concernig filters! + 'groups' => array( + 'base_dn' => '', + 'scope' => 'sub', // search mode: sub|base|list + 'filter' => '(objectClass=groupOfNames)', + 'object_classes' => array("top", "groupOfNames"), + 'member_attr' => 'member', // name of the member attribute, e.g. uniqueMember + 'name_attr' => 'cn', // attribute to be used as group name + ), +); +*/ + +// An ordered array of the ids of the addressbooks that should be searched +// when populating address autocomplete fields server-side. ex: array('sql','Verisign'); +$rcmail_config['autocomplete_addressbooks'] = array('sql'); + +// The minimum number of characters required to be typed in an autocomplete field +// before address books will be searched. Most useful for LDAP directories that +// may need to do lengthy results building given overly-broad searches +$rcmail_config['autocomplete_min_length'] = 1; + +// Number of parallel autocomplete requests. +// If there's more than one address book, n parallel (async) requests will be created, +// where each request will search in one address book. By default (0), all address +// books are searched in one request. +$rcmail_config['autocomplete_threads'] = 0; + +// Max. numer of entries in autocomplete popup. Default: 15. +$rcmail_config['autocomplete_max'] = 15; + +// show address fields in this order +// available placeholders: {street}, {locality}, {zipcode}, {country}, {region} +$rcmail_config['address_template'] = '{street}
{locality} {zipcode}
{country} {region}'; + +// Matching mode for addressbook search (including autocompletion) +// 0 - partial (*abc*), default +// 1 - strict (abc) +// 2 - prefix (abc*) +// Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode +$rcmail_config['addressbook_search_mode'] = 0; + +// ---------------------------------- +// USER PREFERENCES +// ---------------------------------- + +// Use this charset as fallback for message decoding +//$rcmail_config['default_charset'] = 'ISO-8859-1'; +$rcmail_config['default_charset'] = 'UTF-8'; + +// skin name: folder from skins/ +$rcmail_config['skin'] = 'elastic'; + +// show up to X items in messages list view +$rcmail_config['mail_pagesize'] = 50; + +// show up to X items in contacts list view +$rcmail_config['addressbook_pagesize'] = 50; + +// sort contacts by this col (preferably either one of name, firstname, surname) +$rcmail_config['addressbook_sort_col'] = 'surname'; + +// the way how contact names are displayed in the list +// 0: display name +// 1: (prefix) firstname middlename surname (suffix) +// 2: (prefix) surname firstname middlename (suffix) +// 3: (prefix) surname, firstname middlename (suffix) +$rcmail_config['addressbook_name_listing'] = 0; + +// use this timezone to display date/time +// valid timezone identifers are listed here: php.net/manual/en/timezones.php +// 'auto' will use the browser's timezone settings +$rcmail_config['timezone'] = 'auto'; + +// prefer displaying HTML messages +$rcmail_config['prefer_html'] = true; + +// display remote inline images +// 0 - Never, always ask +// 1 - Ask if sender is not in address book +// 2 - Always show inline images +$rcmail_config['show_images'] = 0; + +// compose html formatted messages by default +// 0 - never, 1 - always, 2 - on reply to HTML message only +$rcmail_config['htmleditor'] = 0; + +// show pretty dates as standard +$rcmail_config['prettydate'] = true; + +// save compose message every 300 seconds (5min) +$rcmail_config['draft_autosave'] = 300; + +// default setting if preview pane is enabled +$rcmail_config['preview_pane'] = false; + +// Mark as read when viewed in preview pane (delay in seconds) +// Set to -1 if messages in preview pane should not be marked as read +$rcmail_config['preview_pane_mark_read'] = 0; + +// Clear Trash on logout +$rcmail_config['logout_purge'] = false; + +// Compact INBOX on logout +$rcmail_config['logout_expunge'] = false; + +// Display attached images below the message body +$rcmail_config['inline_images'] = true; + +// Encoding of long/non-ascii attachment names: +// 0 - Full RFC 2231 compatible +// 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default) +// 2 - Full 2047 compatible +$rcmail_config['mime_param_folding'] = 1; + +// Set true if deleted messages should not be displayed +// This will make the application run slower +$rcmail_config['skip_deleted'] = false; + +// Set true to Mark deleted messages as read as well as deleted +// False means that a message's read status is not affected by marking it as deleted +$rcmail_config['read_when_deleted'] = true; + +// Set to true to never delete messages immediately +// Use 'Purge' to remove messages marked as deleted +$rcmail_config['flag_for_deletion'] = false; + +// Default interval for keep-alive/check-recent requests (in seconds) +// Must be greater than or equal to 'min_keep_alive' and less than 'session_lifetime' +$rcmail_config['keep_alive'] = 60; + +// If true all folders will be checked for recent messages +$rcmail_config['check_all_folders'] = false; + +// If true, after message delete/move, the next message will be displayed +$rcmail_config['display_next'] = false; + +// 0 - Do not expand threads +// 1 - Expand all threads automatically +// 2 - Expand only threads with unread messages +$rcmail_config['autoexpand_threads'] = 0; + +// When replying place cursor above original message (top posting) +$rcmail_config['top_posting'] = false; + +// When replying strip original signature from message +$rcmail_config['strip_existing_sig'] = true; + +// Show signature: +// 0 - Never +// 1 - Always +// 2 - New messages only +// 3 - Forwards and Replies only +$rcmail_config['show_sig'] = 1; + +// When replying or forwarding place sender's signature above existing message +$rcmail_config['sig_above'] = false; + +// Use MIME encoding (quoted-printable) for 8bit characters in message body +$rcmail_config['force_7bit'] = false; + +// Defaults of the search field configuration. +// The array can contain a per-folder list of header fields which should be considered when searching +// The entry with key '*' stands for all folders which do not have a specific list set. +// Please note that folder names should to be in sync with $rcmail_config['default_folders'] +$rcmail_config['search_mods'] = null; // Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1)); + +// Defaults of the addressbook search field configuration. +$rcmail_config['addressbook_search_mods'] = null; // Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1); + +// 'Delete always' +// This setting reflects if mail should be always deleted +// when moving to Trash fails. This is necessary in some setups +// when user is over quota and Trash is included in the quota. +$rcmail_config['delete_always'] = false; + +// Directly delete messages in Junk instead of moving to Trash +$rcmail_config['delete_junk'] = true; + +// Behavior if a received message requests a message delivery notification (read receipt) +// 0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask) +// 3 = send automatically if sender is in addressbook, otherwise ask the user +// 4 = send automatically if sender is in addressbook, otherwise ignore +$rcmail_config['mdn_requests'] = 0; + +// Return receipt checkbox default state +$rcmail_config['mdn_default'] = 0; + +// Delivery Status Notification checkbox default state +$rcmail_config['dsn_default'] = 0; + +// Place replies in the folder of the message being replied to +$rcmail_config['reply_same_folder'] = false; + +// Sets default mode of Forward feature to "forward as attachment" +$rcmail_config['forward_attachment'] = false; + +// Defines address book (internal index) to which new contacts will be added +// By default it is the first writeable addressbook. +// Note: Use '0' for built-in address book. +$rcmail_config['default_addressbook'] = null; + +// Enables spell checking before sending a message. +$rcmail_config['spellcheck_before_send'] = false; + +// Skip alternative email addresses in autocompletion (show one address per contact) +$rcmail_config['autocomplete_single'] = false; + +// Default font for composed HTML message. +// Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New, +// Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana +$rcmail_config['default_font'] = ''; + +// end of config file diff --git a/install/debian/13/roundcube/vesta.php b/install/debian/13/roundcube/vesta.php new file mode 100644 index 00000000..b3dd167f --- /dev/null +++ b/install/debian/13/roundcube/vesta.php @@ -0,0 +1,73 @@ + + */ +class rcube_vesta_password { + function save($curpass, $passwd) + { + $rcmail = rcmail::get_instance(); + $vesta_host = $rcmail->config->get('password_vesta_host'); + + if (empty($vesta_host)) + { + $vesta_host = 'localhost'; + } + + $vesta_port = $rcmail->config->get('password_vesta_port'); + if (empty($vesta_port)) + { + $vesta_port = '8083'; + } + + $postvars = array( + 'email' => $_SESSION['username'], + 'password' => $curpass, + 'new' => $passwd + ); + + $postdata = http_build_query($postvars); + + $send = 'POST /reset/mail/ HTTP/1.1' . PHP_EOL; + $send .= 'Host: ' . $vesta_host . PHP_EOL; + $send .= 'User-Agent: PHP Script' . PHP_EOL; + $send .= 'Content-length: ' . strlen($postdata) . PHP_EOL; + $send .= 'Content-type: application/x-www-form-urlencoded' . PHP_EOL; + $send .= 'Connection: close' . PHP_EOL; + $send .= PHP_EOL; + $send .= $postdata . PHP_EOL . PHP_EOL; + + //$fp = fsockopen('ssl://' . $vesta_host, $vesta_port); + $errno = ""; + $errstr = ""; + $context = stream_context_create(); + + $result = stream_context_set_option($context, 'ssl', 'verify_peer', false); + $result = stream_context_set_option($context, 'ssl', 'verify_peer_name', false); + $result = stream_context_set_option($context, 'ssl', 'verify_host', false); + $result = stream_context_set_option($context, 'ssl', 'allow_self_signed', true); + + $fp = stream_socket_client('ssl://' . $vesta_host . ':'.$vesta_port, $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $context); + fputs($fp, $send); + $result = fread($fp, 2048); + fclose($fp); + + $fp = fopen("/tmp/roundcube.log", 'w'); + fwrite($fp, "test ok"); + fwrite($fp, "\n"); + fclose($fp); + + + if(strpos($result, 'ok') && !strpos($result, 'error')) + { + return PASSWORD_SUCCESS; + } + else { + return PASSWORD_ERROR; + } + + } +} diff --git a/install/debian/13/sudo/admin b/install/debian/13/sudo/admin new file mode 100644 index 00000000..331fa1f2 --- /dev/null +++ b/install/debian/13/sudo/admin @@ -0,0 +1,8 @@ +# Created by vesta installer +Defaults env_keep="VESTA" +Defaults:admin !syslog +Defaults:admin !requiretty +Defaults:root !requiretty + +# sudo is limited to vesta scripts +admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/debian/13/templates/dns/child-ns.tpl b/install/debian/13/templates/dns/child-ns.tpl new file mode 100644 index 00000000..42c046e4 --- /dev/null +++ b/install/debian/13/templates/dns/child-ns.tpl @@ -0,0 +1,14 @@ +ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='ns1.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='ns2.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='3' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='4' RECORD='ns1' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='5' RECORD='ns2' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='6' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='7' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='8' RECORD='mail' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='9' RECORD='smtp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='10' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='11' RECORD='imap' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='13' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ~all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='14' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' diff --git a/install/debian/13/templates/dns/default.tpl b/install/debian/13/templates/dns/default.tpl new file mode 100644 index 00000000..e0a37e62 --- /dev/null +++ b/install/debian/13/templates/dns/default.tpl @@ -0,0 +1,18 @@ +ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='3' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns3%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='4' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns4%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='5' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns5%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='6' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns6%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='7' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns7%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='8' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns8%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='9' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='10' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='11' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='mail' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='13' RECORD='smtp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='14' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='15' RECORD='imap' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='16' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='17' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ~all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='18' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' diff --git a/install/debian/13/templates/dns/gmail.tpl b/install/debian/13/templates/dns/gmail.tpl new file mode 100644 index 00000000..219c9d24 --- /dev/null +++ b/install/debian/13/templates/dns/gmail.tpl @@ -0,0 +1,12 @@ +ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='3' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='4' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='5' RECORD='localhost' TYPE='A' PRIORITY='' VALUE='127.0.0.1' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='6' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='7' RECORD='@' TYPE='MX' PRIORITY='1' VALUE='ASPMX.L.GOOGLE.COM.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='8' RECORD='@' TYPE='MX' PRIORITY='5' VALUE='ALT1.ASPMX.L.GOOGLE.COM.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='9' RECORD='@' TYPE='MX' PRIORITY='5' VALUE='ALT2.ASPMX.L.GOOGLE.COM.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='10' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='ALT3.ASPMX.L.GOOGLE.COM.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='11' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='ALT4.ASPMX.L.GOOGLE.COM.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% include:_spf.google.com ~all"' SUSPENDED='no' TIME='%time%' DATE='%date%' diff --git a/install/debian/13/templates/dns/office365.tpl b/install/debian/13/templates/dns/office365.tpl new file mode 100644 index 00000000..dcf556e1 --- /dev/null +++ b/install/debian/13/templates/dns/office365.tpl @@ -0,0 +1,22 @@ +ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='3' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns3%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='4' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns4%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='5' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns5%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='6' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns6%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='7' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns7%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='8' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns8%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='9' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='10' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='11' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% include:spf.protection.outlook.com -all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='13' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='14' RECORD='@' TYPE='MX' PRIORITY='0' VALUE='XXXXXXX.mail.protection.outlook.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='15' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"MS=msXXXX"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='16' RECORD='autodiscover' TYPE='CNAME' PRIORITY='' VALUE='autodiscover.outlook.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='17' RECORD='sip' TYPE='CNAME' PRIORITY='' VALUE='sipdir.online.lync.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='18' RECORD='lyncdiscover' TYPE='CNAME' PRIORITY='' VALUE='webdir.online.lync.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='19' RECORD='enterpriseregistration' TYPE='CNAME' PRIORITY='' VALUE='enterpriseregistration.windows.net.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='20' RECORD='enterpriseenrollment' TYPE='CNAME' PRIORITY='' VALUE='enterpriseenrollment.manage.microsoft.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='21' RECORD='_sip._tls' TYPE='SRV' PRIORITY='100 1 443' VALUE='sipdir.online.lync.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='22' RECORD='_sipfederationtls._tcp' TYPE='SRV' PRIORITY='100 1 5061' VALUE='sipfed.online.lync.com.' SUSPENDED='no' TIME='%time%' DATE='%date%' diff --git a/install/debian/13/templates/dns/yandex.tpl b/install/debian/13/templates/dns/yandex.tpl new file mode 100644 index 00000000..4ce768fe --- /dev/null +++ b/install/debian/13/templates/dns/yandex.tpl @@ -0,0 +1,16 @@ +ID='1' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns1%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='2' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns2%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='3' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns3%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='4' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns4%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='5' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns5%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='6' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns6%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='7' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns7%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='8' RECORD='@' TYPE='NS' PRIORITY='' VALUE='%ns8%.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='9' RECORD='@' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='10' RECORD='www' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='11' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='mail' TYPE='CNAME' PRIORITY='' VALUE='domain.mail.yandex.net.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='13' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mx.yandex.net.' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='14' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% include:_spf.yandex.net ~all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='15' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='16' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"yandex-verification: XXXXXXXXXXXXXXX"' SUSPENDED='no' TIME='%time%' DATE='%date%' diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84-public.sh b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.sh new file mode 100644 index 00000000..cbea2de9 --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.sh @@ -0,0 +1,133 @@ +#!/bin/bash +# Adding php pool conf +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +pool_conf="[$2] + +listen = /run/php/php8.4-fpm-$2.sock +listen.owner = $1 +listen.group = $1 +listen.mode = 0666 + +user = $1 +group = $1 + +pm = ondemand +pm.max_children = 8 +request_terminate_timeout = 360s +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/$1/tmp +php_admin_value[session.save_path] = /home/$1/tmp +php_admin_value[open_basedir] = $5:/home/$1/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcube:/var/log/roundcube:/var/lib/roundcube +php_admin_value[upload_max_filesize] = 800M +php_admin_value[max_execution_time] = 300 +php_admin_value[post_max_size] = 800M +php_admin_value[memory_limit] = 512M +php_admin_value[sendmail_path] = \"/usr/sbin/sendmail -t -i -f info@$2\" +php_admin_flag[mysql.allow_persistent] = off +php_admin_flag[safe_mode] = off + +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/$1/tmp +env[TMPDIR] = /home/$1/tmp +env[TEMP] = /home/$1/tmp +" + +pool_file_56="/etc/php/5.6/fpm/pool.d/$2.conf" +pool_file_70="/etc/php/7.0/fpm/pool.d/$2.conf" +pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf" +pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf" +pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf" +pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf" +pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf" +pool_file_81="/etc/php/8.1/fpm/pool.d/$2.conf" +pool_file_82="/etc/php/8.2/fpm/pool.d/$2.conf" +pool_file_83="/etc/php/8.3/fpm/pool.d/$2.conf" +pool_file_84="/etc/php/8.4/fpm/pool.d/$2.conf" + +if [ -f "$pool_file_56" ]; then + rm $pool_file_56 + systemctl reset-failed php5.6-fpm + systemctl restart php5.6-fpm +fi + +if [ -f "$pool_file_70" ]; then + rm $pool_file_70 + systemctl reset-failed php7.0-fpm + systemctl restart php7.0-fpm +fi + +if [ -f "$pool_file_71" ]; then + rm $pool_file_71 + systemctl reset-failed php7.1-fpm + systemctl restart php7.1-fpm +fi + +if [ -f "$pool_file_72" ]; then + rm $pool_file_72 + systemctl reset-failed php7.2-fpm + systemctl restart php7.2-fpm +fi + +if [ -f "$pool_file_73" ]; then + rm $pool_file_73 + systemctl reset-failed php7.3-fpm + systemctl restart php7.3-fpm +fi + +if [ -f "$pool_file_74" ]; then + rm $pool_file_74 + systemctl reset-failed php7.4-fpm + systemctl restart php7.4-fpm +fi + +if [ -f "$pool_file_80" ]; then + rm $pool_file_80 + systemctl reset-failed php8.0-fpm + systemctl restart php8.0-fpm +fi + +if [ -f "$pool_file_81" ]; then + rm $pool_file_81 + systemctl reset-failed php8.1-fpm + systemctl restart php8.1-fpm +fi + +if [ -f "$pool_file_82" ]; then + rm $pool_file_82 + systemctl reset-failed php8.2-fpm + systemctl restart php8.2-fpm +fi + +if [ -f "$pool_file_83" ]; then + rm $pool_file_83 + systemctl reset-failed php8.3-fpm + systemctl restart php8.3-fpm +fi + +write_file=0 +if [ ! -f "$pool_file_84" ]; then + write_file=1 +else + user_count=$(grep -c "/home/$1/" $pool_file_84) + if [ $user_count -eq 0 ]; then + write_file=1 + fi +fi +if [ $write_file -eq 1 ]; then + echo "$pool_conf" > $pool_file_84 + systemctl reset-failed php8.4-fpm + systemctl restart php8.4-fpm +fi +if [ -f "/etc/php/8.4/fpm/pool.d/www.conf" ]; then + rm /etc/php/8.4/fpm/pool.d/www.conf +fi + +exit 0 diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84-public.stpl b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.stpl new file mode 100644 index 00000000..91e05b17 --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.stpl @@ -0,0 +1,36 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %sdocroot%/public + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + SSLRequireSSL + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile %ssl_crt% + SSLCertificateKeyFile %ssl_key% + %ssl_ca_str%SSLCertificateChainFile %ssl_ca% + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/s%web_system%.%domain%.conf* + + + diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84-public.tpl b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.tpl new file mode 100644 index 00000000..94acbf15 --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84-public.tpl @@ -0,0 +1,30 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %docroot%/public + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf* + + + diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84.sh b/install/debian/13/templates/web/apache2/PHP-FPM-84.sh new file mode 100644 index 00000000..cbea2de9 --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84.sh @@ -0,0 +1,133 @@ +#!/bin/bash +# Adding php pool conf +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +pool_conf="[$2] + +listen = /run/php/php8.4-fpm-$2.sock +listen.owner = $1 +listen.group = $1 +listen.mode = 0666 + +user = $1 +group = $1 + +pm = ondemand +pm.max_children = 8 +request_terminate_timeout = 360s +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/$1/tmp +php_admin_value[session.save_path] = /home/$1/tmp +php_admin_value[open_basedir] = $5:/home/$1/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcube:/var/log/roundcube:/var/lib/roundcube +php_admin_value[upload_max_filesize] = 800M +php_admin_value[max_execution_time] = 300 +php_admin_value[post_max_size] = 800M +php_admin_value[memory_limit] = 512M +php_admin_value[sendmail_path] = \"/usr/sbin/sendmail -t -i -f info@$2\" +php_admin_flag[mysql.allow_persistent] = off +php_admin_flag[safe_mode] = off + +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/$1/tmp +env[TMPDIR] = /home/$1/tmp +env[TEMP] = /home/$1/tmp +" + +pool_file_56="/etc/php/5.6/fpm/pool.d/$2.conf" +pool_file_70="/etc/php/7.0/fpm/pool.d/$2.conf" +pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf" +pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf" +pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf" +pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf" +pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf" +pool_file_81="/etc/php/8.1/fpm/pool.d/$2.conf" +pool_file_82="/etc/php/8.2/fpm/pool.d/$2.conf" +pool_file_83="/etc/php/8.3/fpm/pool.d/$2.conf" +pool_file_84="/etc/php/8.4/fpm/pool.d/$2.conf" + +if [ -f "$pool_file_56" ]; then + rm $pool_file_56 + systemctl reset-failed php5.6-fpm + systemctl restart php5.6-fpm +fi + +if [ -f "$pool_file_70" ]; then + rm $pool_file_70 + systemctl reset-failed php7.0-fpm + systemctl restart php7.0-fpm +fi + +if [ -f "$pool_file_71" ]; then + rm $pool_file_71 + systemctl reset-failed php7.1-fpm + systemctl restart php7.1-fpm +fi + +if [ -f "$pool_file_72" ]; then + rm $pool_file_72 + systemctl reset-failed php7.2-fpm + systemctl restart php7.2-fpm +fi + +if [ -f "$pool_file_73" ]; then + rm $pool_file_73 + systemctl reset-failed php7.3-fpm + systemctl restart php7.3-fpm +fi + +if [ -f "$pool_file_74" ]; then + rm $pool_file_74 + systemctl reset-failed php7.4-fpm + systemctl restart php7.4-fpm +fi + +if [ -f "$pool_file_80" ]; then + rm $pool_file_80 + systemctl reset-failed php8.0-fpm + systemctl restart php8.0-fpm +fi + +if [ -f "$pool_file_81" ]; then + rm $pool_file_81 + systemctl reset-failed php8.1-fpm + systemctl restart php8.1-fpm +fi + +if [ -f "$pool_file_82" ]; then + rm $pool_file_82 + systemctl reset-failed php8.2-fpm + systemctl restart php8.2-fpm +fi + +if [ -f "$pool_file_83" ]; then + rm $pool_file_83 + systemctl reset-failed php8.3-fpm + systemctl restart php8.3-fpm +fi + +write_file=0 +if [ ! -f "$pool_file_84" ]; then + write_file=1 +else + user_count=$(grep -c "/home/$1/" $pool_file_84) + if [ $user_count -eq 0 ]; then + write_file=1 + fi +fi +if [ $write_file -eq 1 ]; then + echo "$pool_conf" > $pool_file_84 + systemctl reset-failed php8.4-fpm + systemctl restart php8.4-fpm +fi +if [ -f "/etc/php/8.4/fpm/pool.d/www.conf" ]; then + rm /etc/php/8.4/fpm/pool.d/www.conf +fi + +exit 0 diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84.stpl b/install/debian/13/templates/web/apache2/PHP-FPM-84.stpl new file mode 100644 index 00000000..848abf7c --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84.stpl @@ -0,0 +1,36 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %sdocroot% + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + SSLRequireSSL + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile %ssl_crt% + SSLCertificateKeyFile %ssl_key% + %ssl_ca_str%SSLCertificateChainFile %ssl_ca% + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/s%web_system%.%domain%.conf* + + + diff --git a/install/debian/13/templates/web/apache2/PHP-FPM-84.tpl b/install/debian/13/templates/web/apache2/PHP-FPM-84.tpl new file mode 100644 index 00000000..065c1f89 --- /dev/null +++ b/install/debian/13/templates/web/apache2/PHP-FPM-84.tpl @@ -0,0 +1,30 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %docroot% + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf* + + + diff --git a/install/debian/13/templates/web/awstats/awstats.tpl b/install/debian/13/templates/web/awstats/awstats.tpl new file mode 100644 index 00000000..6bb51c50 --- /dev/null +++ b/install/debian/13/templates/web/awstats/awstats.tpl @@ -0,0 +1,133 @@ +LogFile="/var/log/%web_system%/domains/%domain%.log" +LogType=W +LogFormat=1 +LogSeparator=" " +SiteDomain="%domain_idn%" +HostAliases="%alias_idn%" +DirData="%home%/%user%/web/%domain%/stats" +DirCgi="/vstats" +DirIcons="/vstats/icon" +AllowToUpdateStatsFromBrowser=0 +AllowFullYearView=2 +EnableLockForUpdate=1 +DNSStaticCacheFile="dnscache.txt" +DNSLastUpdateCacheFile="dnscachelastupdate.txt" +SkipDNSLookupFor="" +AllowAccessFromWebToAuthenticatedUsersOnly=0 +AllowAccessFromWebToFollowingAuthenticatedUsers="" +AllowAccessFromWebToFollowingIPAddresses="" +CreateDirDataIfNotExists=0 +BuildHistoryFormat=text +BuildReportFormat=html +SaveDatabaseFilesWithPermissionsForEveryone=0 +PurgeLogFile=0 +ArchiveLogRecords=0 +KeepBackupOfHistoricFiles=1 +DefaultFile="index.php index.html" +SkipHosts="127.0.0.1" +SkipUserAgents="" +SkipFiles="" +SkipReferrersBlackList="" +OnlyHosts="" +OnlyUserAgents="" +OnlyUsers="" +OnlyFiles="" +NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf" +ValidHTTPCodes="200 304" +ValidSMTPCodes="1 250" +AuthenticatedUsersNotCaseSensitive=0 +URLNotCaseSensitive=0 +URLWithAnchor=0 +URLQuerySeparators="?;" +URLWithQuery=0 +URLWithQueryWithOnlyFollowingParameters="" +URLWithQueryWithoutFollowingParameters="" +URLReferrerWithQuery=0 +WarningMessages=1 +ErrorMessages="" +DebugMessages=0 +NbOfLinesForCorruptedLog=50 +WrapperScript="" +DecodeUA=0 +MiscTrackerUrl="/js/awstats_misc_tracker.js" +UseFramesWhenCGI=1 +DetailedReportsOnNewWindows=1 +Expires=3600 +MaxRowsInHTMLOutput=1000 +Lang="auto" +DirLang="./lang" +ShowMenu=1 +ShowSummary=UVPHB +ShowMonthStats=UVPHB +ShowDaysOfMonthStats=VPHB +ShowDaysOfWeekStats=PHB +ShowHoursStats=PHB +ShowDomainsStats=PHB +ShowHostsStats=PHBL +ShowAuthenticatedUsers=0 +ShowRobotsStats=HBL +ShowWormsStats=0 +ShowEMailSenders=0 +ShowEMailReceivers=0 +ShowSessionsStats=1 +ShowPagesStats=PBEX +ShowFileTypesStats=HB +ShowFileSizesStats=0 +ShowDownloadsStats=HB +ShowOSStats=1 +ShowBrowsersStats=1 +ShowScreenSizeStats=0 +ShowOriginStats=PH +ShowKeyphrasesStats=1 +ShowKeywordsStats=1 +ShowMiscStats=a +ShowHTTPErrorsStats=1 +ShowSMTPErrorsStats=0 +ShowClusterStats=0 +AddDataArrayMonthStats=1 +AddDataArrayShowDaysOfMonthStats=1 +AddDataArrayShowDaysOfWeekStats=1 +AddDataArrayShowHoursStats=1 +IncludeInternalLinksInOriginSection=0 +MaxNbOfDomain = 10 +MinHitDomain = 1 +MaxNbOfHostsShown = 10 +MinHitHost = 1 +MaxNbOfLoginShown = 10 +MinHitLogin = 1 +MaxNbOfRobotShown = 10 +MinHitRobot = 1 +MaxNbOfDownloadsShown = 10 +MinHitDownloads = 1 +MaxNbOfPageShown = 10 +MinHitFile = 1 +MaxNbOfOsShown = 10 +MinHitOs = 1 +MaxNbOfBrowsersShown = 10 +MinHitBrowser = 1 +MaxNbOfScreenSizesShown = 5 +MinHitScreenSize = 1 +MaxNbOfWindowSizesShown = 5 +MinHitWindowSize = 1 +MaxNbOfRefererShown = 10 +MinHitRefer = 1 +MaxNbOfKeyphrasesShown = 10 +MinHitKeyphrase = 1 +MaxNbOfKeywordsShown = 10 +MinHitKeyword = 1 +MaxNbOfEMailsShown = 20 +MinHitEMail = 1 +FirstDayOfWeek=0 +ShowFlagLinks="" +ShowLinksOnUrl=1 +UseHTTPSLinkForUrl="" +MaxLengthOfShownURL=64 +HTMLHeadSection="" +HTMLEndSection="" +MetaRobot=0 +Logo="awstats_logo6.png" +LogoLink="http://awstats.sourceforge.net" +BarWidth = 260 +BarHeight = 90 +StyleSheet="" +ExtraTrackedRowsLimit=500 diff --git a/install/debian/13/templates/web/awstats/index.tpl b/install/debian/13/templates/web/awstats/index.tpl new file mode 100644 index 00000000..9df9bb5c --- /dev/null +++ b/install/debian/13/templates/web/awstats/index.tpl @@ -0,0 +1,10 @@ + + + + Awstats log analyzer + + + + + + diff --git a/install/debian/13/templates/web/awstats/nav.tpl b/install/debian/13/templates/web/awstats/nav.tpl new file mode 100644 index 00000000..f29bed68 --- /dev/null +++ b/install/debian/13/templates/web/awstats/nav.tpl @@ -0,0 +1,23 @@ + + + Awstats navigation + + + + + + + + +
vesta
+ +
+
+ + diff --git a/install/debian/13/templates/web/nginx/caching.sh b/install/debian/13/templates/web/nginx/caching.sh new file mode 100644 index 00000000..09d8efe7 --- /dev/null +++ b/install/debian/13/templates/web/nginx/caching.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +user=$1 +domain=$2 +ip=$3 +home=$4 +docroot=$5 + +str="proxy_cache_path /var/cache/nginx/$domain levels=2" +str="$str keys_zone=$domain:10m inactive=60m max_size=512m;" +conf='/etc/nginx/conf.d/01_caching_pool.conf' +if [ -e "$conf" ]; then + if [ -z "$(grep "=${domain}:" $conf)" ]; then + echo "$str" >> $conf + fi +else + echo "$str" >> $conf +fi + diff --git a/install/debian/13/templates/web/nginx/caching.stpl b/install/debian/13/templates/web/nginx/caching.stpl new file mode 100644 index 00000000..f5c9740f --- /dev/null +++ b/install/debian/13/templates/web/nginx/caching.stpl @@ -0,0 +1,44 @@ +server { + listen %ip%:%proxy_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + + proxy_cache cache; + proxy_cache_valid 15m; + proxy_cache_valid 404 1m; + proxy_no_cache $no_cache; + proxy_cache_bypass $no_cache; + proxy_cache_bypass $cookie_session $http_x_update; + + location ~* ^.+\.(%proxy_extentions%)$ { + proxy_cache off; + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/caching.tpl b/install/debian/13/templates/web/nginx/caching.tpl new file mode 100644 index 00000000..73de28d5 --- /dev/null +++ b/install/debian/13/templates/web/nginx/caching.tpl @@ -0,0 +1,42 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass http://%ip%:%web_port%; + + proxy_cache cache; + proxy_cache_valid 15m; + proxy_cache_valid 404 1m; + proxy_no_cache $no_cache; + proxy_cache_bypass $no_cache; + proxy_cache_bypass $cookie_session $http_x_update; + + location ~* ^.+\.(%proxy_extentions%)$ { + proxy_cache off; + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/force-https-legacy.stpl b/install/debian/13/templates/web/nginx/force-https-legacy.stpl new file mode 100644 index 00000000..8e636db3 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-legacy.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/force-https-legacy.tpl b/install/debian/13/templates/web/nginx/force-https-legacy.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-legacy.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/install/debian/13/templates/web/nginx/force-https-public.stpl b/install/debian/13/templates/web/nginx/force-https-public.stpl new file mode 100644 index 00000000..a7609b13 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-public.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%/public; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%/public; + + include %home%/%user%/conf/web/snginx.%domain_idn%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/force-https-public.tpl b/install/debian/13/templates/web/nginx/force-https-public.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-public.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.stpl b/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.stpl new file mode 100644 index 00000000..2db9a06e --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.stpl @@ -0,0 +1,64 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /webmail { + disable_symlinks off; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /var/lib/roundcube; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /phpmyadmin { + disable_symlinks off; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /usr/share; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.tpl b/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https-webmail-phpmyadmin.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/install/debian/13/templates/web/nginx/force-https.stpl b/install/debian/13/templates/web/nginx/force-https.stpl new file mode 100644 index 00000000..55f41002 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/force-https.tpl b/install/debian/13/templates/web/nginx/force-https.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/install/debian/13/templates/web/nginx/force-https.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/install/debian/13/templates/web/nginx/hosting-legacy.sh b/install/debian/13/templates/web/nginx/hosting-legacy.sh new file mode 100644 index 00000000..eeed37ef --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-legacy.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/13/templates/web/nginx/hosting-legacy.stpl b/install/debian/13/templates/web/nginx/hosting-legacy.stpl new file mode 100644 index 00000000..efdd3b87 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-legacy.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting-legacy.tpl b/install/debian/13/templates/web/nginx/hosting-legacy.tpl new file mode 100644 index 00000000..a41d4054 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-legacy.tpl @@ -0,0 +1,36 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting-public.stpl b/install/debian/13/templates/web/nginx/hosting-public.stpl new file mode 100644 index 00000000..a7609b13 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-public.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%/public; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%/public; + + include %home%/%user%/conf/web/snginx.%domain_idn%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting-public.tpl b/install/debian/13/templates/web/nginx/hosting-public.tpl new file mode 100644 index 00000000..f5d8b327 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-public.tpl @@ -0,0 +1,36 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%/public; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%/public; + + include %home%/%user%/conf/web/nginx.%domain_idn%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.stpl b/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.stpl new file mode 100644 index 00000000..2db9a06e --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.stpl @@ -0,0 +1,64 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /webmail { + disable_symlinks off; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /var/lib/roundcube; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /phpmyadmin { + disable_symlinks off; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /usr/share; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.tpl b/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.tpl new file mode 100644 index 00000000..f84f4781 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting-webmail-phpmyadmin.tpl @@ -0,0 +1,60 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /webmail { + disable_symlinks off; + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /var/lib/roundcube; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /phpmyadmin { + disable_symlinks off; + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root /usr/share; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting.sh b/install/debian/13/templates/web/nginx/hosting.sh new file mode 100644 index 00000000..eeed37ef --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/13/templates/web/nginx/hosting.stpl b/install/debian/13/templates/web/nginx/hosting.stpl new file mode 100644 index 00000000..5745311e --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/hosting.tpl b/install/debian/13/templates/web/nginx/hosting.tpl new file mode 100644 index 00000000..61469ad2 --- /dev/null +++ b/install/debian/13/templates/web/nginx/hosting.tpl @@ -0,0 +1,36 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.stpl b/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.stpl new file mode 100644 index 00000000..cf8fad56 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.stpl @@ -0,0 +1,55 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ /index.php?page=$request_uri; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.tpl b/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.tpl new file mode 100644 index 00000000..f9e90393 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/cms_made_simple.tpl @@ -0,0 +1,52 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + try_files $uri $uri/ /index.php?page=$request_uri; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.stpl b/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.stpl new file mode 100644 index 00000000..5931f617 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.stpl @@ -0,0 +1,60 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location = /index.php { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /var/www/html/ci$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location ~ \.php$ { + return 444; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.tpl b/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.tpl new file mode 100644 index 00000000..d2422be2 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/codeigniter2.tpl @@ -0,0 +1,57 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location = /index.php { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /var/www/html/ci$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location ~ \.php$ { + return 444; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.stpl b/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.stpl new file mode 100644 index 00000000..3c2793d1 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.stpl @@ -0,0 +1,55 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.tpl b/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.tpl new file mode 100644 index 00000000..54f81b99 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/codeigniter3.tpl @@ -0,0 +1,52 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.stpl b/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.stpl new file mode 100644 index 00000000..bb9a727b --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.stpl @@ -0,0 +1,126 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + rewrite "^/page/([0-9]+)(/?)$" /index.php?cstart=$1 last; + + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&cstart=$5&news_name=$6&seourl=$6 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/print:page,([0-9]+),(.*).html(/?)+$" /engine/print.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_name=$4&seourl=$4 last; + + rewrite "^/([^.]+)/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$4&news_page=$2&cstart=$3&seourl=$5&seocat=$1 last; + rewrite "^/([^.]+)/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$2&seourl=$4&seocat=$1 last; + rewrite "^/([^.]+)/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$2&newsid=$3&seourl=$4&seocat=$1 last; + rewrite "^/([^.]+)/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2&seourl=$3&seocat=$1 last; + + rewrite "^/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$1&cstart=$2&seourl=$4 last; + rewrite "^/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2&news_page=$1&seourl=$3 last; + rewrite "^/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$1&newsid=$2&seourl=$3 last; + rewrite "^/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$1&seourl=$2 last; + + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2&day=$3 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&day=$3&cstart=$4 last; + + rewrite "^/([0-9]{4})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2 last; + rewrite "^/([0-9]{4})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&cstart=$3 last; + + rewrite "^/([0-9]{4})(/?)+$" /index.php?year=$1 last; + rewrite "^/([0-9]{4})/page/([0-9]+)(/?)+$" /index.php?year=$1&cstart=$2 last; + + rewrite "^/tags/([^/]*)(/?)+$" /index.php?do=tags&tag=$1 last; + rewrite "^/tags/([^/]*)/page/([0-9]+)(/?)+$" /index.php?do=tags&tag=$1&cstart=$2 last; + + rewrite "^/xfsearch/([^/]*)(/?)+$" /index.php?do=xfsearch&xf=$1 last; + rewrite "^/xfsearch/([^/]*)/page/([0-9]+)(/?)+$" /index.php?do=xfsearch&xf=$1&cstart=$2 last; + + rewrite "^/user/([^/]*)/rss.xml$" /engine/rss.php?subaction=allnews&user=$1 last; + rewrite "^/user/([^/]*)(/?)+$" /index.php?subaction=userinfo&user=$1 last; + rewrite "^/user/([^/]*)/page/([0-9]+)(/?)+$" /index.php?subaction=userinfo&user=$1&cstart=$2 last; + rewrite "^/user/([^/]*)/news(/?)+$" /index.php?subaction=allnews&user=$1 last; + rewrite "^/user/([^/]*)/news/page/([0-9]+)(/?)+$" /index.php?subaction=allnews&user=$1&cstart=$2 last; + rewrite "^/user/([^/]*)/news/rss.xml(/?)+$" /engine/rss.php?subaction=allnews&user=$1 last; + + rewrite "^/lastnews(/?)+$" /index.php?do=lastnews last; + rewrite "^/lastnews/page/([0-9]+)(/?)+$" /index.php?do=lastnews&cstart=$1 last; + + rewrite "^/catalog/([^/]*)/rss.xml$" /engine/rss.php?catalog=$1 last; + rewrite "^/catalog/([^/]*)(/?)+$" /index.php?catalog=$1 last; + rewrite "^/catalog/([^/]*)/page/([0-9]+)(/?)+$" /index.php?catalog=$1&cstart=$2 last; + + rewrite "^/newposts(/?)+$" /index.php?subaction=newposts last; + rewrite "^/newposts/page/([0-9]+)(/?)+$" /index.php?subaction=newposts&cstart=$1 last; + + rewrite "^/favorites(/?)+$" /index.php?do=favorites last; + rewrite "^/favorites/page/([0-9]+)(/?)+$" /index.php?do=favorites&cstart=$1 last; + + rewrite "^/rules.html$" /index.php?do=rules last; + rewrite "^/statistics.html$" /index.php?do=stats last; + rewrite "^/addnews.html$" /index.php?do=addnews last; + rewrite "^/rss.xml$" /engine/rss.php last; + rewrite "^/sitemap.xml$" /uploads/sitemap.xml last; + + if (!-d $request_filename) { + rewrite "^/([^.]+)/page/([0-9]+)(/?)+$" /index.php?do=cat&category=$1&cstart=$2 last; + rewrite "^/([^.]+)/?$" /index.php?do=cat&category=$1 last; + } + + if (!-f $request_filename) { + rewrite "^/([^.]+)/rss.xml$" /engine/rss.php?do=cat&category=$1 last; + rewrite "^/page,([0-9]+),([^/]+).html$" /index.php?do=static&page=$2&news_page=$1 last; + rewrite "^/print:([^/]+).html$" /engine/print.php?do=static&page=$1 last; + } + + if (!-f $request_filename) { + rewrite "^/([^/]+).html$" /index.php?do=static&page=$1 last; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.tpl b/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.tpl new file mode 100644 index 00000000..3ea45347 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/datalife_engine.tpl @@ -0,0 +1,123 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + rewrite "^/page/([0-9]+)(/?)$" /index.php?cstart=$1 last; + + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&cstart=$5&news_name=$6&seourl=$6 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/print:page,([0-9]+),(.*).html(/?)+$" /engine/print.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*).html(/?)+$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_name=$4&seourl=$4 last; + + rewrite "^/([^.]+)/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$4&news_page=$2&cstart=$3&seourl=$5&seocat=$1 last; + rewrite "^/([^.]+)/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$2&seourl=$4&seocat=$1 last; + rewrite "^/([^.]+)/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$2&newsid=$3&seourl=$4&seocat=$1 last; + rewrite "^/([^.]+)/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2&seourl=$3&seocat=$1 last; + + rewrite "^/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$3&news_page=$1&cstart=$2&seourl=$4 last; + rewrite "^/page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$2&news_page=$1&seourl=$3 last; + rewrite "^/print:page,([0-9]+),([0-9]+)-(.*).html(/?)+$" /engine/print.php?news_page=$1&newsid=$2&seourl=$3 last; + rewrite "^/([0-9]+)-(.*).html(/?)+$" /index.php?newsid=$1&seourl=$2 last; + + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2&day=$3 last; + rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&day=$3&cstart=$4 last; + + rewrite "^/([0-9]{4})/([0-9]{2})(/?)+$" /index.php?year=$1&month=$2 last; + rewrite "^/([0-9]{4})/([0-9]{2})/page/([0-9]+)(/?)+$" /index.php?year=$1&month=$2&cstart=$3 last; + + rewrite "^/([0-9]{4})(/?)+$" /index.php?year=$1 last; + rewrite "^/([0-9]{4})/page/([0-9]+)(/?)+$" /index.php?year=$1&cstart=$2 last; + + rewrite "^/tags/([^/]*)(/?)+$" /index.php?do=tags&tag=$1 last; + rewrite "^/tags/([^/]*)/page/([0-9]+)(/?)+$" /index.php?do=tags&tag=$1&cstart=$2 last; + + rewrite "^/xfsearch/([^/]*)(/?)+$" /index.php?do=xfsearch&xf=$1 last; + rewrite "^/xfsearch/([^/]*)/page/([0-9]+)(/?)+$" /index.php?do=xfsearch&xf=$1&cstart=$2 last; + + rewrite "^/user/([^/]*)/rss.xml$" /engine/rss.php?subaction=allnews&user=$1 last; + rewrite "^/user/([^/]*)(/?)+$" /index.php?subaction=userinfo&user=$1 last; + rewrite "^/user/([^/]*)/page/([0-9]+)(/?)+$" /index.php?subaction=userinfo&user=$1&cstart=$2 last; + rewrite "^/user/([^/]*)/news(/?)+$" /index.php?subaction=allnews&user=$1 last; + rewrite "^/user/([^/]*)/news/page/([0-9]+)(/?)+$" /index.php?subaction=allnews&user=$1&cstart=$2 last; + rewrite "^/user/([^/]*)/news/rss.xml(/?)+$" /engine/rss.php?subaction=allnews&user=$1 last; + + rewrite "^/lastnews(/?)+$" /index.php?do=lastnews last; + rewrite "^/lastnews/page/([0-9]+)(/?)+$" /index.php?do=lastnews&cstart=$1 last; + + rewrite "^/catalog/([^/]*)/rss.xml$" /engine/rss.php?catalog=$1 last; + rewrite "^/catalog/([^/]*)(/?)+$" /index.php?catalog=$1 last; + rewrite "^/catalog/([^/]*)/page/([0-9]+)(/?)+$" /index.php?catalog=$1&cstart=$2 last; + + rewrite "^/newposts(/?)+$" /index.php?subaction=newposts last; + rewrite "^/newposts/page/([0-9]+)(/?)+$" /index.php?subaction=newposts&cstart=$1 last; + + rewrite "^/favorites(/?)+$" /index.php?do=favorites last; + rewrite "^/favorites/page/([0-9]+)(/?)+$" /index.php?do=favorites&cstart=$1 last; + + rewrite "^/rules.html$" /index.php?do=rules last; + rewrite "^/statistics.html$" /index.php?do=stats last; + rewrite "^/addnews.html$" /index.php?do=addnews last; + rewrite "^/rss.xml$" /engine/rss.php last; + rewrite "^/sitemap.xml$" /uploads/sitemap.xml last; + + if (!-d $request_filename) { + rewrite "^/([^.]+)/page/([0-9]+)(/?)+$" /index.php?do=cat&category=$1&cstart=$2 last; + rewrite "^/([^.]+)/?$" /index.php?do=cat&category=$1 last; + } + + if (!-f $request_filename) { + rewrite "^/([^.]+)/rss.xml$" /engine/rss.php?do=cat&category=$1 last; + rewrite "^/page,([0-9]+),([^/]+).html$" /index.php?do=static&page=$2&news_page=$1 last; + rewrite "^/print:([^/]+).html$" /engine/print.php?do=static&page=$1 last; + } + + if (!-f $request_filename) { + rewrite "^/([^/]+).html$" /index.php?do=static&page=$1 last; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/default.stpl b/install/debian/13/templates/web/nginx/php-fpm/default.stpl new file mode 100644 index 00000000..f9c01e40 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/default.stpl @@ -0,0 +1,54 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/default.tpl b/install/debian/13/templates/web/nginx/php-fpm/default.tpl new file mode 100644 index 00000000..a8909efb --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/default.tpl @@ -0,0 +1,51 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.stpl b/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.stpl new file mode 100644 index 00000000..a7564705 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.stpl @@ -0,0 +1,71 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + index doku.php; + try_files $uri $uri/ @dokuwiki; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location ~ ^/lib.*\.(gif|png|ico|jpg)$ { + expires 30d; + } + + location ^~ /conf/ { return 403; } + location ^~ /data/ { return 403; } + + location @dokuwiki { + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1 last; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.tpl b/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.tpl new file mode 100644 index 00000000..0a9a75ed --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/dokuwiki.tpl @@ -0,0 +1,67 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + index doku.php; + try_files $uri $uri/ @dokuwiki; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location ~ ^/lib.*\.(gif|png|ico|jpg)$ { + expires 30d; + } + + location ^~ /conf/ { return 403; } + location ^~ /data/ { return 403; } + location @dokuwiki { + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1 last; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal6.stpl b/install/debian/13/templates/web/nginx/php-fpm/drupal6.stpl new file mode 100644 index 00000000..6e67a4e0 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal6.stpl @@ -0,0 +1,94 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri @rewrite; + } + + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ ^/sites/.*/files/imagecache/ { + try_files $uri @rewrite; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal6.tpl b/install/debian/13/templates/web/nginx/php-fpm/drupal6.tpl new file mode 100644 index 00000000..d1096bff --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal6.tpl @@ -0,0 +1,91 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri @rewrite; + } + + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ ^/sites/.*/files/imagecache/ { + try_files $uri @rewrite; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal7.stpl b/install/debian/13/templates/web/nginx/php-fpm/drupal7.stpl new file mode 100644 index 00000000..32f01a6f --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal7.stpl @@ -0,0 +1,94 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~ ^(/[a-z\-]+)?/system/files/ { + try_files $uri /index.php?$query_string; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal7.tpl b/install/debian/13/templates/web/nginx/php-fpm/drupal7.tpl new file mode 100644 index 00000000..c9729795 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal7.tpl @@ -0,0 +1,91 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~ ^(/[a-z\-]+)?/system/files/ { + try_files $uri /index.php?$query_string; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal8.stpl b/install/debian/13/templates/web/nginx/php-fpm/drupal8.stpl new file mode 100644 index 00000000..32f01a6f --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal8.stpl @@ -0,0 +1,94 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~ ^(/[a-z\-]+)?/system/files/ { + try_files $uri /index.php?$query_string; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/drupal8.tpl b/install/debian/13/templates/web/nginx/php-fpm/drupal8.tpl new file mode 100644 index 00000000..c9729795 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/drupal8.tpl @@ -0,0 +1,91 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + location / { + try_files $uri /index.php?$query_string; + } + + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~ ^/sites/.*/files/styles/ { + try_files $uri @rewrite; + } + + location ~ ^(/[a-z\-]+)?/system/files/ { + try_files $uri /index.php?$query_string; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + location ~ '\.php$|^/update.php' { + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/joomla.stpl b/install/debian/13/templates/web/nginx/php-fpm/joomla.stpl new file mode 100644 index 00000000..d4f96ee3 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/joomla.stpl @@ -0,0 +1,62 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ /index.php?$args; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + # deny running scripts inside writable directories + location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { + return 403; + error_page 403 /403_error.html; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/joomla.tpl b/install/debian/13/templates/web/nginx/php-fpm/joomla.tpl new file mode 100644 index 00000000..91b7a8f1 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/joomla.tpl @@ -0,0 +1,59 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + try_files $uri $uri/ /index.php?$args; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + # deny running scripts inside writable directories + location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { + return 403; + error_page 403 /403_error.html; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/laravel.stpl b/install/debian/13/templates/web/nginx/php-fpm/laravel.stpl new file mode 100644 index 00000000..db0b4dde --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/laravel.stpl @@ -0,0 +1,54 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%/public; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ /index.php?$query_string; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/laravel.tpl b/install/debian/13/templates/web/nginx/php-fpm/laravel.tpl new file mode 100644 index 00000000..d14b0173 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/laravel.tpl @@ -0,0 +1,50 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%/public; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + location / { + try_files $uri $uri/ /index.php?$query_string; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/magento.stpl b/install/debian/13/templates/web/nginx/php-fpm/magento.stpl new file mode 100644 index 00000000..f8ac30c9 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/magento.stpl @@ -0,0 +1,197 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + + root %sdocroot%/pub; + index index.php; + autoindex off; + charset UTF-8; + error_page 404 403 = /errors/404.php; + add_header "X-UA-Compatible" "IE=Edge"; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + # PHP entry point for setup application + location ~* ^/setup($|/) { + root %sdocroot%; + + location ~ ^/setup/index.php { + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + + location ~ ^/setup/(?!pub/). { + deny all; + } + + location ~ ^/setup/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + # PHP entry point for update application + location ~* ^/update($|/) { + root %sdocroot%; + + location ~ ^/update/index.php { + fastcgi_split_path_info ^(/update/index.php)(/.+)$; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + include /etc/nginx/fastcgi_params; + } + + # Deny everything but index.php + location ~ ^/update/(?!pub/). { + deny all; + } + + location ~ ^/update/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location /pub/ { + location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) { + deny all; + } + + alias %sdocroot%/pub/; + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /static/ { + # Uncomment the following line in production mode + # expires max; + + # Remove signature of the static files that is used to overcome the browser cache + location ~ ^/static/version { + rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + } + + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + } + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/ { + try_files $uri $uri/ /get.php?$args; + + location ~ ^/media/theme_customization/.*\.xml { + deny all; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + try_files $uri $uri/ /get.php?$args; + } + + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + try_files $uri $uri/ /get.php?$args; + } + + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/customer/ { + deny all; + } + + location /media/downloadable/ { + deny all; + } + + location /media/import/ { + deny all; + } + + # PHP entry point for main application + location ~ (index|get|static|report|404|503)\.php$ { + try_files $uri =404; + + fastcgi_pass %backend_lsnr%; + fastcgi_buffers 1024 4k; + fastcgi_read_timeout 600s; + fastcgi_connect_timeout 600s; + + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + + gzip on; + gzip_disable "msie6"; + + gzip_comp_level 6; + gzip_min_length 1100; + gzip_buffers 16 8k; + gzip_proxied any; + gzip_types + text/plain + text/css + text/js + text/xml + text/javascript + application/javascript + application/x-javascript + application/json + application/xml + application/xml+rss + image/svg+xml; + gzip_vary on; + + # Banned locations (only reached if the earlier PHP entry point regexes don't match) + location ~* (\.php$|\.htaccess$|\.git) { + deny all; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/magento.tpl b/install/debian/13/templates/web/nginx/php-fpm/magento.tpl new file mode 100644 index 00000000..3f292fff --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/magento.tpl @@ -0,0 +1,194 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + + root %docroot%/pub; + index index.php; + autoindex off; + charset UTF-8; + error_page 404 403 = /errors/404.php; + add_header "X-UA-Compatible" "IE=Edge"; + + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + # PHP entry point for setup application + location ~* ^/setup($|/) { + root %docroot%; + + location ~ ^/setup/index.php { + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + + location ~ ^/setup/(?!pub/). { + deny all; + } + + location ~ ^/setup/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + # PHP entry point for update application + location ~* ^/update($|/) { + root %docroot%; + + location ~ ^/update/index.php { + fastcgi_split_path_info ^(/update/index.php)(/.+)$; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + include /etc/nginx/fastcgi_params; + } + + # Deny everything but index.php + location ~ ^/update/(?!pub/). { + deny all; + } + + location ~ ^/update/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location /pub/ { + location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) { + deny all; + } + + alias %docroot%/pub/; + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /static/ { + # Uncomment the following line in production mode + # expires max; + + # Remove signature of the static files that is used to overcome the browser cache + location ~ ^/static/version { + rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + } + + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + } + + if (!-f $request_filename) { + rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last; + } + + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/ { + try_files $uri $uri/ /get.php?$args; + + location ~ ^/media/theme_customization/.*\.xml { + deny all; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + try_files $uri $uri/ /get.php?$args; + } + + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + try_files $uri $uri/ /get.php?$args; + } + + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/customer/ { + deny all; + } + + location /media/downloadable/ { + deny all; + } + + location /media/import/ { + deny all; + } + + # PHP entry point for main application + location ~ (index|get|static|report|404|503)\.php$ { + try_files $uri =404; + + fastcgi_pass %backend_lsnr%; + fastcgi_buffers 1024 4k; + fastcgi_read_timeout 600s; + fastcgi_connect_timeout 600s; + + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + + gzip on; + gzip_disable "msie6"; + + gzip_comp_level 6; + gzip_min_length 1100; + gzip_buffers 16 8k; + gzip_proxied any; + gzip_types + text/plain + text/css + text/js + text/xml + text/javascript + application/javascript + application/x-javascript + application/json + application/xml + application/xml+rss + image/svg+xml; + gzip_vary on; + + # Banned locations (only reached if the earlier PHP entry point regexes don't match) + location ~* (\.php$|\.htaccess$|\.git) { + deny all; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/modx.stpl b/install/debian/13/templates/web/nginx/php-fpm/modx.stpl new file mode 100644 index 00000000..420aeb9e --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/modx.stpl @@ -0,0 +1,68 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; +# if you need to rewrite www to non-www uncomment bellow +# if ($host != '%domain%' ) { +# rewrite ^/(.*)$ https://%domain%/$1 permanent; +# } + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ @rewrite; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + } + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ \.php$ { + try_files $uri =404; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $request_filename; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/modx.tpl b/install/debian/13/templates/web/nginx/php-fpm/modx.tpl new file mode 100644 index 00000000..342d3ecf --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/modx.tpl @@ -0,0 +1,65 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; +# if you need to rewrite www to non-www uncomment bellow +# if ($host != '%domain%' ) { +# rewrite ^/(.*)$ http://%domain%/$1 permanent; +# } + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ @rewrite; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + } + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + location ~ \.php$ { + try_files $uri =404; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $request_filename; + include /etc/nginx/fastcgi_params; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/moodle.stpl b/install/debian/13/templates/web/nginx/php-fpm/moodle.stpl new file mode 100644 index 00000000..8594ec94 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/moodle.stpl @@ -0,0 +1,89 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + # No no for private + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. This includes directories used by version control systems such + # as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; + } + + location / { + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_intercept_errors on; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/moodle.tpl b/install/debian/13/templates/web/nginx/php-fpm/moodle.tpl new file mode 100644 index 00000000..c20ba648 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/moodle.tpl @@ -0,0 +1,87 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Very rarely should these ever be accessed outside of your lan + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + # No no for private + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. This includes directories used by version control systems such + # as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; + } + + location / { + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_intercept_errors on; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/no-php.stpl b/install/debian/13/templates/web/nginx/php-fpm/no-php.stpl new file mode 100644 index 00000000..4bb50383 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/no-php.stpl @@ -0,0 +1,46 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + types { + text/html html htm shtml php php5; + } + + location / { + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/no-php.tpl b/install/debian/13/templates/web/nginx/php-fpm/no-php.tpl new file mode 100644 index 00000000..7ff8aa1d --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/no-php.tpl @@ -0,0 +1,43 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + types { + text/html html htm shtml php php5; + } + + location / { + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/odoo.stpl b/install/debian/13/templates/web/nginx/php-fpm/odoo.stpl new file mode 100644 index 00000000..e28afcfc --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/odoo.stpl @@ -0,0 +1,69 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; + proxy_redirect off; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + + proxy_connect_timeout 720; + proxy_send_timeout 720; + proxy_read_timeout 720; + send_timeout 720; + + # Allow "Well-Known URIs" as per RFC 5785 + location ~* ^/.well-known/ { + allow all; + } + + location / { + proxy_pass http://127.0.0.1:8069; + } + + location /longpolling { + proxy_pass http://127.0.0.1:8072; + } + + location ~* /web/static/ { + proxy_cache_valid 200 60m; + proxy_buffering on; + expires 864000; + proxy_pass http://127.0.0.1:8069; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/odoo.tpl b/install/debian/13/templates/web/nginx/php-fpm/odoo.tpl new file mode 100644 index 00000000..b1240aae --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/odoo.tpl @@ -0,0 +1,66 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; + proxy_redirect off; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + + proxy_connect_timeout 720; + proxy_send_timeout 720; + proxy_read_timeout 720; + send_timeout 720; + + # Allow "Well-Known URIs" as per RFC 5785 + location ~* ^/.well-known/ { + allow all; + } + + location / { + proxy_pass http://127.0.0.1:8069; + } + + location /longpolling { + proxy_pass http://127.0.0.1:8072; + } + + location ~* /web/static/ { + proxy_cache_valid 200 60m; + proxy_buffering on; + expires 864000; + proxy_pass http://127.0.0.1:8069; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/opencart.stpl b/install/debian/13/templates/web/nginx/php-fpm/opencart.stpl new file mode 100644 index 00000000..52706d21 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/opencart.stpl @@ -0,0 +1,58 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + try_files $uri $uri/ @opencart; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + location @opencart { + rewrite ^/(.+)$ /index.php?_route_=$1 last; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/opencart.tpl b/install/debian/13/templates/web/nginx/php-fpm/opencart.tpl new file mode 100644 index 00000000..d0a9060b --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/opencart.tpl @@ -0,0 +1,54 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + location / { + try_files $uri $uri/ @opencart; + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + location @opencart { + rewrite ^/(.+)$ /index.php?_route_=$1 last; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/owncloud.stpl b/install/debian/13/templates/web/nginx/php-fpm/owncloud.stpl new file mode 100644 index 00000000..1b803f97 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/owncloud.stpl @@ -0,0 +1,84 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 = /core/templates/403.php; + error_page 404 = /core/templates/404.php; + + location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){ + deny all; + } + + location / { + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ /index.php; + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + #fastcgi_param HTTPS on; + fastcgi_pass %backend_lsnr%; + } + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + # Some basic cache-control for static files to be sent to the browser + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + } + + #error_page 403 /error/404.html; + #error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/owncloud.tpl b/install/debian/13/templates/web/nginx/php-fpm/owncloud.tpl new file mode 100644 index 00000000..e3ec31de --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/owncloud.tpl @@ -0,0 +1,81 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 = /core/templates/403.php; + error_page 404 = /core/templates/404.php; + + location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){ + deny all; + } + + location / { + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ /index.php; + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + #fastcgi_param HTTPS on; + fastcgi_pass %backend_lsnr%; + } + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + # Some basic cache-control for static files to be sent to the browser + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + } + + #error_page 403 /error/404.html; + #error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/piwik.stpl b/install/debian/13/templates/web/nginx/php-fpm/piwik.stpl new file mode 100644 index 00000000..1b299343 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/piwik.stpl @@ -0,0 +1,72 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + try_files /favicon.ico =204; + } + + location / { + try_files $uri /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + valid_referers none blocked %domain_idn% %alias_idn%; + if ($invalid_referer) { + return 444; + } + expires max; + } + + location ~* ^/(?:index|piwik)\.php$ { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + } + + # Any other attempt to access PHP files returns a 404. + location ~* ^.+\.php$ { + return 404; + } + + # Return a 404 for all text files. + location ~* ^/(?:README|LICENSE[^.]*|LEGALNOTICE)(?:\.txt)*$ { + return 404; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/piwik.tpl b/install/debian/13/templates/web/nginx/php-fpm/piwik.tpl new file mode 100644 index 00000000..f94fb7de --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/piwik.tpl @@ -0,0 +1,69 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + try_files /favicon.ico =204; + } + + location / { + try_files $uri /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + valid_referers none blocked %domain_idn% %alias_idn%; + if ($invalid_referer) { + return 444; + } + expires max; + } + + location ~* ^/(?:index|piwik)\.php$ { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + include /etc/nginx/fastcgi_params; + } + } + + # Any other attempt to access PHP files returns a 404. + location ~* ^.+\.php$ { + return 404; + } + + # Return a 404 for all text files. + location ~* ^/(?:README|LICENSE[^.]*|LEGALNOTICE)(?:\.txt)*$ { + return 404; + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/pyrocms.stpl b/install/debian/13/templates/web/nginx/php-fpm/pyrocms.stpl new file mode 100644 index 00000000..d26ed9f4 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/pyrocms.stpl @@ -0,0 +1,65 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%/public; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location /installer { + try_files $uri $uri/ /installer/index.php?$query_string; + } + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location = /robots.txt { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + location ~ /\.ht { access_log off; log_not_found off; deny all; } + location ~ ~$ { access_log off; log_not_found off; deny all; } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/pyrocms.tpl b/install/debian/13/templates/web/nginx/php-fpm/pyrocms.tpl new file mode 100644 index 00000000..b92861b0 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/pyrocms.tpl @@ -0,0 +1,62 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%/public; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location /installer { + try_files $uri $uri/ /installer/index.php?$query_string; + } + + location / { + try_files $uri $uri/ /index.php; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } + } + + location = /robots.txt { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + location ~ /\.ht { access_log off; log_not_found off; deny all; } + location ~ ~$ { access_log off; log_not_found off; deny all; } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/sendy.stpl b/install/debian/13/templates/web/nginx/php-fpm/sendy.stpl new file mode 100644 index 00000000..0b351000 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/sendy.stpl @@ -0,0 +1,88 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* "/\.(htaccess|htpasswd|git|svn|DS_Store)$" { + deny all; + } + + location ~ /(readme.html|license.txt) { + deny all; + } + + if (!-f $request_filename){ + rewrite ^/([a-zA-Z0-9-]+)$ /$1.php last; + } + + location / { + try_files $uri $uri/ /index.php?$args; + location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|ico|bmp|mid|midi|wav|rtf|css|js|jar|pdf)$ { + expires 1d; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + try_files $uri =404; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + location /l/ { + rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last; + } + + location /t/ { + rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last; + } + + location /w/ { + rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last; + } + + location /unsubscribe/ { + rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last; + } + + location /subscribe/ { + rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/web/%domain%/stats/auth.conf*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/sendy.tpl b/install/debian/13/templates/web/nginx/php-fpm/sendy.tpl new file mode 100644 index 00000000..b27b427d --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/sendy.tpl @@ -0,0 +1,86 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~* "/\.(htaccess|htpasswd|git|svn|DS_Store)$" { + deny all; + } + + location ~ /(readme.html|license.txt) { + deny all; + } + + if (!-f $request_filename){ + rewrite ^/([a-zA-Z0-9-]+)$ /$1.php last; + } + + location / { + try_files $uri $uri/ /index.php?$args; + location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|ico|bmp|mid|midi|wav|rtf|css|js|jar|pdf)$ { + expires 1d; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + try_files $uri =404; + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + location /l/ { + rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last; + } + + location /t/ { + rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last; + } + + location /w/ { + rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last; + } + + location /unsubscribe/ { + rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last; + } + + location /subscribe/ { + rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/web/%domain%/stats/auth.conf*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress.stpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress.stpl new file mode 100644 index 00000000..f9c01e40 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress.stpl @@ -0,0 +1,54 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location / { + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress.tpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress.tpl new file mode 100644 index 00000000..a8909efb --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress.tpl @@ -0,0 +1,51 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location / { + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress2.stpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress2.stpl new file mode 100644 index 00000000..01dfee5b --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress2.stpl @@ -0,0 +1,66 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %sdocroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ /index.php?$args; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/snginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress2.tpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress2.tpl new file mode 100644 index 00000000..bccb8b3d --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress2.tpl @@ -0,0 +1,63 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ /index.php?$args; + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/conf/web/%domain%.auth*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.stpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.stpl new file mode 100644 index 00000000..a5fc46fb --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.stpl @@ -0,0 +1,71 @@ +server { + listen %ip%:%web_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ /index.php?$args; + + if (!-e $request_filename) + { + rewrite ^(.+)$ /index.php?q=$1 last; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/web/%domain%/stats/auth.conf*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain_idn%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.tpl b/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.tpl new file mode 100644 index 00000000..39e366b7 --- /dev/null +++ b/install/debian/13/templates/web/nginx/php-fpm/wordpress2_rewrite.tpl @@ -0,0 +1,67 @@ +server { + listen %ip%:%web_port%; + server_name %domain_idn% %alias_idn%; + root %docroot%; + index index.php index.html index.htm; + access_log /var/log/nginx/domains/%domain%.log combined; + access_log /var/log/nginx/domains/%domain%.bytes bytes; + error_log /var/log/nginx/domains/%domain%.error.log error; + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ /index.php?$args; + + if (!-e $request_filename) + { + rewrite ^(.+)$ /index.php?q=$1 last; + } + + location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ { + expires max; + } + + location ~ [^/]\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_pass %backend_lsnr%; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + } + + error_page 403 /error/404.html; + error_page 404 /error/404.html; + error_page 500 502 503 504 /error/50x.html; + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~* "/\.(htaccess|htpasswd)$" { + deny all; + return 404; + } + + location /vstats/ { + alias %home%/%user%/web/%domain%/stats/; + include %home%/%user%/web/%domain%/stats/auth.conf*; + } + + include /etc/nginx/conf.d/phpmyadmin.inc*; + include /etc/nginx/conf.d/phppgadmin.inc*; + include /etc/nginx/conf.d/webmail.inc*; + + include %home%/%user%/conf/web/nginx.%domain_idn%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/private-force-https.stpl b/install/debian/13/templates/web/nginx/private-force-https.stpl new file mode 100644 index 00000000..bf805683 --- /dev/null +++ b/install/debian/13/templates/web/nginx/private-force-https.stpl @@ -0,0 +1,40 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + auth_basic "Restricted area"; + auth_basic_user_file /etc/nginx/.htpasswd; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/install/debian/13/templates/web/nginx/private-force-https.tpl b/install/debian/13/templates/web/nginx/private-force-https.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/install/debian/13/templates/web/nginx/private-force-https.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/install/debian/13/templates/web/nginx/private-hosting.sh b/install/debian/13/templates/web/nginx/private-hosting.sh new file mode 100644 index 00000000..eeed37ef --- /dev/null +++ b/install/debian/13/templates/web/nginx/private-hosting.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# Changing public_html permission +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +chmod 755 $docroot + +exit 0 diff --git a/install/debian/13/templates/web/nginx/private-hosting.stpl b/install/debian/13/templates/web/nginx/private-hosting.stpl new file mode 100644 index 00000000..8e5b3f7b --- /dev/null +++ b/install/debian/13/templates/web/nginx/private-hosting.stpl @@ -0,0 +1,42 @@ +server { + listen %ip%:%proxy_ssl_port% ssl; + http2 on; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + auth_basic "Restricted area"; + auth_basic_user_file /etc/nginx/.htpasswd; + proxy_pass https://%ip%:%web_ssl_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/snginx.%domain_idn%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/private-hosting.tpl b/install/debian/13/templates/web/nginx/private-hosting.tpl new file mode 100644 index 00000000..a8ee840e --- /dev/null +++ b/install/debian/13/templates/web/nginx/private-hosting.tpl @@ -0,0 +1,38 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + auth_basic "Restricted area"; + auth_basic_user_file /etc/nginx/.htpasswd; + proxy_pass http://%ip%:%web_port%; + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/nginx.%domain_idn%.conf*; +} + diff --git a/install/debian/13/templates/web/nginx/proxy_ip.tpl b/install/debian/13/templates/web/nginx/proxy_ip.tpl new file mode 100644 index 00000000..ae195617 --- /dev/null +++ b/install/debian/13/templates/web/nginx/proxy_ip.tpl @@ -0,0 +1,9 @@ +server { + listen %ip%:%proxy_port% default; + server_name _; + #access_log /var/log/nginx/%ip%.log main; + location / { + proxy_pass http://%ip%:%web_port%; + } +} + diff --git a/install/debian/13/templates/web/php-fpm/default.tpl b/install/debian/13/templates/web/php-fpm/default.tpl new file mode 100644 index 00000000..209e1e43 --- /dev/null +++ b/install/debian/13/templates/web/php-fpm/default.tpl @@ -0,0 +1,21 @@ +[%backend%] +listen = 127.0.0.1:%backend_port% +listen.allowed_clients = 127.0.0.1 + +user = %user% +group = %user% + +pm = ondemand +pm.max_children = 4 +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/%user%/tmp +php_admin_value[session.save_path] = /home/%user%/tmp + +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/%user%/tmp +env[TMPDIR] = /home/%user%/tmp +env[TEMP] = /home/%user%/tmp diff --git a/install/debian/13/templates/web/php-fpm/no-php.tpl b/install/debian/13/templates/web/php-fpm/no-php.tpl new file mode 100644 index 00000000..047c33ed --- /dev/null +++ b/install/debian/13/templates/web/php-fpm/no-php.tpl @@ -0,0 +1,20 @@ +;[%backend%] +;listen = /dev/null + +;user = %user% +;group = %user% + +;listen.owner = %user% +;listen.group = www-data + +;pm = ondemand +;pm.max_children = 4 +;pm.max_requests = 4000 +;pm.process_idle_timeout = 10s +;pm.status_path = /status + +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /home/%user%/tmp +;env[TMPDIR] = /home/%user%/tmp +;env[TEMP] = /home/%user%/tmp diff --git a/install/debian/13/templates/web/php-fpm/socket.tpl b/install/debian/13/templates/web/php-fpm/socket.tpl new file mode 100644 index 00000000..a0151084 --- /dev/null +++ b/install/debian/13/templates/web/php-fpm/socket.tpl @@ -0,0 +1,24 @@ +[%backend%] +listen = /var/run/php/%backend%.sock +listen.allowed_clients = 127.0.0.1 + +user = %user% +group = %user% + +listen.owner = %user% +listen.group = www-data + +pm = ondemand +pm.max_children = 4 +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/%user%/tmp +php_admin_value[session.save_path] = /home/%user%/tmp + +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/%user%/tmp +env[TMPDIR] = /home/%user%/tmp +env[TEMP] = /home/%user%/tmp diff --git a/install/debian/13/templates/web/skel/document_errors/403.html b/install/debian/13/templates/web/skel/document_errors/403.html new file mode 100644 index 00000000..9c3f6baa --- /dev/null +++ b/install/debian/13/templates/web/skel/document_errors/403.html @@ -0,0 +1,29 @@ + + + 403 — Forbidden + + + + + + +

%domain%

+ +

403

+

Forbidden

+
+ Unfortunately, you do not have permission to view this +
+ + + diff --git a/install/debian/13/templates/web/skel/document_errors/404.html b/install/debian/13/templates/web/skel/document_errors/404.html new file mode 100644 index 00000000..2cee7708 --- /dev/null +++ b/install/debian/13/templates/web/skel/document_errors/404.html @@ -0,0 +1,28 @@ + + + 404 — Not Found + + + + + + +

%domain%

+

404

+

Page Not Found

+
+ It seems that the page you were trying to reach does not exist anymore, or maybe it has just moved. + You can start again from the home or go back to previous page. +
+ + diff --git a/install/debian/13/templates/web/skel/document_errors/50x.html b/install/debian/13/templates/web/skel/document_errors/50x.html new file mode 100644 index 00000000..85ba648b --- /dev/null +++ b/install/debian/13/templates/web/skel/document_errors/50x.html @@ -0,0 +1,29 @@ + + + 500 — Internal Sever Error + + + + + + +

%domain%

+ +

500

+

Internal Server Error

+
+ Sorry, something went wrong :( +
+ + + diff --git a/install/debian/13/templates/web/skel/public_html/index.html b/install/debian/13/templates/web/skel/public_html/index.html new file mode 100644 index 00000000..c2895cf2 --- /dev/null +++ b/install/debian/13/templates/web/skel/public_html/index.html @@ -0,0 +1,26 @@ + + + %domain% — Coming Soon + + + + + + +

%domain%

+ + + + + diff --git a/install/debian/13/templates/web/skel/public_html/robots.txt b/install/debian/13/templates/web/skel/public_html/robots.txt new file mode 100644 index 00000000..00ee83dc --- /dev/null +++ b/install/debian/13/templates/web/skel/public_html/robots.txt @@ -0,0 +1,3 @@ +# vestacp autogenerated robots.txt +User-agent: * +Crawl-delay: 10 diff --git a/install/debian/13/templates/web/skel/public_shtml/index.html b/install/debian/13/templates/web/skel/public_shtml/index.html new file mode 100644 index 00000000..c2895cf2 --- /dev/null +++ b/install/debian/13/templates/web/skel/public_shtml/index.html @@ -0,0 +1,26 @@ + + + %domain% — Coming Soon + + + + + + +

%domain%

+ + + + + diff --git a/install/debian/13/templates/web/skel/public_shtml/robots.txt b/install/debian/13/templates/web/skel/public_shtml/robots.txt new file mode 100644 index 00000000..00ee83dc --- /dev/null +++ b/install/debian/13/templates/web/skel/public_shtml/robots.txt @@ -0,0 +1,3 @@ +# vestacp autogenerated robots.txt +User-agent: * +Crawl-delay: 10 diff --git a/install/debian/13/templates/web/suspend/.htaccess b/install/debian/13/templates/web/suspend/.htaccess new file mode 100644 index 00000000..5a6df83f --- /dev/null +++ b/install/debian/13/templates/web/suspend/.htaccess @@ -0,0 +1,2 @@ +ErrorDocument 403 /index.html +ErrorDocument 404 /index.html diff --git a/install/debian/13/templates/web/suspend/index.html b/install/debian/13/templates/web/suspend/index.html new file mode 100644 index 00000000..3815354d --- /dev/null +++ b/install/debian/13/templates/web/suspend/index.html @@ -0,0 +1,25 @@ + + + Website Suspended + + + + + +

Temporary under construction

+

This website is temporary under construction.

+
+ We will back again soon. +
+ + diff --git a/install/debian/13/templates/web/webalizer/webalizer.tpl b/install/debian/13/templates/web/webalizer/webalizer.tpl new file mode 100644 index 00000000..068adcfb --- /dev/null +++ b/install/debian/13/templates/web/webalizer/webalizer.tpl @@ -0,0 +1,110 @@ +HostName %domain_idn% +LogFile /var/log/%web_system%/domains/%domain%.log +OutputDir %home%/%user%/web/%domain%/stats +HistoryName %home%/%user%/web/%domain%/stats/%domain%.hist +Incremental yes +IncrementalName %home%/%user%/web/%domain%/stats/%domain%.current +PageType htm* +PageType cgi +PageType php +PageType shtml +DNSCache /var/lib/webalizer/dns_cache.db +DNSChildren 10 +Quiet yes +FoldSeqErr yes +IndexAlias index.php +HideURL *.gif +HideURL *.GIF +HideURL *.jpg +HideURL *.JPG +HideURL *.png +HideURL *.PNG +HideURL *.ra +SearchEngine abcsearch. terms= +SearchEngine alexa. q= +SearchEngine alltheweb. q= +SearchEngine alltheweb. query= +SearchEngine alot. q= +SearchEngine altavista. q= +SearchEngine aolsearch. query= +SearchEngine aport.ru r= +SearchEngine ask. q= +SearchEngine atlas.cz q= +SearchEngine bbc. q= +SearchEngine bing. q= +SearchEngine blingo. q= +SearchEngine blogs.yandex.ru text= +SearchEngine btopenworld query= +SearchEngine buscador.ya.com q= +SearchEngine busca. q= +SearchEngine business. query= +SearchEngine centrum.cz q= +SearchEngine chiff. q= +SearchEngine clusty. query= +SearchEngine comcast. q= +SearchEngine crawler. q= +SearchEngine cuil. q= +SearchEngine dmoz. search= +SearchEngine dogpile.com q= +SearchEngine dpxml qkw= +SearchEngine eureka. searchword= +SearchEngine euroseek. string= +SearchEngine exalead. q= +SearchEngine excite search= +SearchEngine ezilon. q= +SearchEngine fastbrowsersearch. q= +SearchEngine feedster.com q= +SearchEngine fireball.de q= +SearchEngine fireball. keyword= +SearchEngine freeserve. q= +SearchEngine gigablast. q= +SearchEngine gogo.ru q= +SearchEngine go.mail.ru q= +SearchEngine google. q= +SearchEngine hakia. q= +SearchEngine hotbot. query= +SearchEngine infoseek. qt= +SearchEngine iwon searchfor= +SearchEngine ixquick.com query= +SearchEngine joeant. keywords= +SearchEngine jyxo.cz s= +SearchEngine looksmart. key= +SearchEngine lycos. query= +SearchEngine mamma. q= +SearchEngine metacrawler q= +SearchEngine msn. MT= +SearchEngine msxml qkw= +SearchEngine mysearch. searchfor= +SearchEngine mywebsearch. searchfor= +SearchEngine netscape. q= +SearchEngine nigma.ru q= +SearchEngine northernlight. qr= +SearchEngine ntlworld. q= +SearchEngine orange. q= +SearchEngine overture. Keywords= +SearchEngine punto.ru text= +SearchEngine rambler. keyword= +SearchEngine search.aol. q= +SearchEngine search.babylon. q= +SearchEngine search.centrum. phrase= +SearchEngine search.conduit. q= +SearchEngine search.earthlink q= +SearchEngine search.icq. q= +SearchEngine search.live.com q= +SearchEngine search.rambler.ru words= +SearchEngine search.winamp. q= +SearchEngine searchy. q= +SearchEngine seznam.cz w= +SearchEngine snap. query= +SearchEngine teoma. q= +SearchEngine teradex.com q= +SearchEngine ukplus key= +SearchEngine verizon. q= +SearchEngine virginmedia. q= +SearchEngine voila. rdata= +SearchEngine webcrawler searchText= +SearchEngine web.search.naver. query= +SearchEngine wisenut q= +SearchEngine yahoo. p= +SearchEngine yandex. text= +SearchEngine yodao. q= diff --git a/install/debian/13/vsftpd/vsftpd.conf b/install/debian/13/vsftpd/vsftpd.conf new file mode 100644 index 00000000..1ca1a992 --- /dev/null +++ b/install/debian/13/vsftpd/vsftpd.conf @@ -0,0 +1,26 @@ +anonymous_enable=NO +local_enable=YES +write_enable=YES +local_umask=022 +anon_umask=022 +anon_upload_enable=NO +dirmessage_enable=YES +xferlog_enable=YES +connect_from_port_20=YES +xferlog_std_format=YES +dual_log_enable=YES +chroot_local_user=YES +listen=YES +pam_service_name=vsftpd +userlist_enable=NO +tcp_wrappers=YES +force_dot_files=YES +ascii_upload_enable=YES +ascii_download_enable=YES +#allow_writable_chroot=YES +allow_writeable_chroot=YES +seccomp_sandbox=NO +pasv_enable=YES +pasv_max_port=12100 +pasv_min_port=12000 +use_localtime=YES diff --git a/install/debian/8/exim/dnsbl.conf b/install/debian/8/exim/dnsbl.conf index 5166b255..279bafcd 100644 --- a/install/debian/8/exim/dnsbl.conf +++ b/install/debian/8/exim/dnsbl.conf @@ -1,2 +1 @@ bl.spamcop.net -zen.spamhaus.org diff --git a/install/debian/8/templates/web/awstats/awstats.tpl b/install/debian/8/templates/web/awstats/awstats.tpl index 9a92e0fd..6bb51c50 100755 --- a/install/debian/8/templates/web/awstats/awstats.tpl +++ b/install/debian/8/templates/web/awstats/awstats.tpl @@ -24,7 +24,7 @@ PurgeLogFile=0 ArchiveLogRecords=0 KeepBackupOfHistoricFiles=1 DefaultFile="index.php index.html" -SkipHosts="127.0.0.1 +SkipHosts="127.0.0.1" SkipUserAgents="" SkipFiles="" SkipReferrersBlackList="" diff --git a/install/debian/9/exim/dnsbl.conf b/install/debian/9/exim/dnsbl.conf index 5166b255..279bafcd 100644 --- a/install/debian/9/exim/dnsbl.conf +++ b/install/debian/9/exim/dnsbl.conf @@ -1,2 +1 @@ bl.spamcop.net -zen.spamhaus.org diff --git a/install/debian/9/templates/web/awstats/awstats.tpl b/install/debian/9/templates/web/awstats/awstats.tpl index 9a92e0fd..6bb51c50 100755 --- a/install/debian/9/templates/web/awstats/awstats.tpl +++ b/install/debian/9/templates/web/awstats/awstats.tpl @@ -24,7 +24,7 @@ PurgeLogFile=0 ArchiveLogRecords=0 KeepBackupOfHistoricFiles=1 DefaultFile="index.php index.html" -SkipHosts="127.0.0.1 +SkipHosts="127.0.0.1" SkipUserAgents="" SkipFiles="" SkipReferrersBlackList="" diff --git a/install/vst-install-debian.sh b/install/vst-install-debian.sh index 9ba1a2ec..98887225 100755 --- a/install/vst-install-debian.sh +++ b/install/vst-install-debian.sh @@ -20,14 +20,26 @@ codename="$(cat /etc/os-release |grep VERSION= |cut -f 2 -d \(|cut -f 1 -d \))" vestacp="$VESTA/install/$VERSION/$release" ARCH="amd64" -if [ "$release" -eq 12 ]; then +if [ "$release" -eq 13 ]; then software="nginx apache2 apache2-utils libapache2-mod-fcgid php-fpm php php-common php-cgi php-mysql php-curl php-fpm php-pgsql awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy clamav-daemon spamassassin dovecot-imapd dovecot-pop3d roundcube-core roundcube-mysql roundcube-plugins mariadb-server mariadb-common - mariadb-client postgresql postgresql-contrib phppgadmin phpmyadmin mc + mariadb-client postgresql postgresql-contrib phpmyadmin mc + flex whois git idn zip sudo bc ftp lsof ntpdate rrdtool quota + e2fslibs bsdutils e2fsprogs curl imagemagick fail2ban dnsutils + bsdmainutils cron vesta vesta-nginx vesta-php expect libmail-dkim-perl + unrar-free vim-common net-tools unzip iptables xxd spamd" +elif [ "$release" -eq 12 ]; then + software="nginx apache2 apache2-utils + libapache2-mod-fcgid php-fpm php + php-common php-cgi php-mysql php-curl php-fpm php-pgsql awstats + vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy + clamav-daemon spamassassin dovecot-imapd dovecot-pop3d roundcube-core + roundcube-mysql roundcube-plugins mariadb-server mariadb-common + mariadb-client postgresql postgresql-contrib phpmyadmin mc flex whois git idn zip sudo bc ftp lsof ntpdate rrdtool quota e2fslibs bsdutils e2fsprogs curl imagemagick fail2ban dnsutils bsdmainutils cron vesta vesta-nginx vesta-php expect libmail-dkim-perl @@ -131,7 +143,11 @@ help() { # Defining password-gen function gen_pass() { MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' - LENGTH=32 + if [ -z "$1" ]; then + LENGTH=32 + else + LENGTH=$1 + fi while [ ${n:=1} -le $LENGTH ]; do PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}" let n+=1 @@ -487,10 +503,16 @@ echo -e "\n\n" # Asking for confirmation to proceed if [ "$interactive" = 'yes' ]; then - read -p 'Would you like to continue [y/n]: ' answer - if [ "$answer" != 'y' ] && [ "$answer" != 'Y' ]; then - echo 'Goodbye' - exit 1 + prompt_to_continue=1; + if [ ! -z "$email" ] && [ ! -z "$secret_url" ] && [ ! -z "$port" ] && [ ! -z "$servername" ]; then + prompt_to_continue=0; + fi + if [ $prompt_to_continue -eq 1 ]; then + read -p 'Would you like to continue [y/n]: ' answer + if [ "$answer" != 'y' ] && [ "$answer" != 'Y' ]; then + echo 'Goodbye' + exit 1 + fi fi # Asking for contact email @@ -749,31 +771,37 @@ if [ "$mysql" = 'no' ]; then fi if [ "$mysql8" = 'yes' ]; then echo "=== Preparing MySQL 8 apt repo" - software=$(echo "$software" | sed -e 's/exim4-daemon-heavy//') - software=$(echo "$software" | sed -e 's/exim4//') - #software="$software php-mysql roundcube-mysql" - echo "### THIS FILE IS AUTOMATICALLY CONFIGURED ###" > /etc/apt/sources.list.d/mysql.list - echo "# You may comment out entries below, but any other modifications may be lost." >> /etc/apt/sources.list.d/mysql.list - echo "# Use command 'dpkg-reconfigure mysql-apt-config' as root for modifications." >> /etc/apt/sources.list.d/mysql.list - echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-apt-config" >> /etc/apt/sources.list.d/mysql.list - echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-8.0" >> /etc/apt/sources.list.d/mysql.list - echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-tools" >> /etc/apt/sources.list.d/mysql.list - echo "#deb http://repo.mysql.com/apt/debian/ $codename mysql-tools-preview" >> /etc/apt/sources.list.d/mysql.list - echo "deb-src http://repo.mysql.com/apt/debian/ $codename mysql-8.0" >> /etc/apt/sources.list.d/mysql.list - - # apt-key adv --keyserver pgp.mit.edu --recv-keys 3A79BD29 - key="467B942D3A79BD29" - readonly key - GNUPGHOME="$(mktemp -d)" - export GNUPGHOME - for keyserver in $(shuf -e ha.pool.sks-keyservers.net hkp://p80.pool.sks-keyservers.net:80 keyserver.ubuntu.com hkp://keyserver.ubuntu.com:80) - do - gpg --keyserver "${keyserver}" --recv-keys "${key}" 2>&1 && break - done - gpg --export "${key}" > /etc/apt/trusted.gpg.d/mysql.gpg - gpgconf --kill all - rm -rf "${GNUPGHOME}" - unset GNUPGHOME + if [ "$release" -lt 12 ]; then + software=$(echo "$software" | sed -e 's/exim4-daemon-heavy//') + software=$(echo "$software" | sed -e 's/exim4//') + #software="$software php-mysql roundcube-mysql" + echo "### THIS FILE IS AUTOMATICALLY CONFIGURED ###" > /etc/apt/sources.list.d/mysql.list + echo "# You may comment out entries below, but any other modifications may be lost." >> /etc/apt/sources.list.d/mysql.list + echo "# Use command 'dpkg-reconfigure mysql-apt-config' as root for modifications." >> /etc/apt/sources.list.d/mysql.list + echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-apt-config" >> /etc/apt/sources.list.d/mysql.list + echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-8.0" >> /etc/apt/sources.list.d/mysql.list + echo "deb http://repo.mysql.com/apt/debian/ $codename mysql-tools" >> /etc/apt/sources.list.d/mysql.list + echo "#deb http://repo.mysql.com/apt/debian/ $codename mysql-tools-preview" >> /etc/apt/sources.list.d/mysql.list + echo "deb-src http://repo.mysql.com/apt/debian/ $codename mysql-8.0" >> /etc/apt/sources.list.d/mysql.list + + # apt-key adv --keyserver pgp.mit.edu --recv-keys 3A79BD29 + key="467B942D3A79BD29" + readonly key + GNUPGHOME="$(mktemp -d)" + export GNUPGHOME + for keyserver in $(shuf -e ha.pool.sks-keyservers.net hkp://p80.pool.sks-keyservers.net:80 keyserver.ubuntu.com hkp://keyserver.ubuntu.com:80) + do + gpg --keyserver "${keyserver}" --recv-keys "${key}" 2>&1 && break + done + gpg --export "${key}" > /etc/apt/trusted.gpg.d/mysql.gpg + gpgconf --kill all + rm -rf "${GNUPGHOME}" + unset GNUPGHOME + else + # check latest on: https://dev.mysql.com/downloads/repo/apt/ + wget https://dev.mysql.com/get/mysql-apt-config_0.8.34-1_all.deb + dpkg -i mysql-apt-config_0.8.34-1_all.deb + fi mpass=$(gen_pass) debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $mpass" @@ -1067,6 +1095,22 @@ if [ "$release" -eq 12 ]; then ln -s /usr/local/vesta/data/templates/web/nginx/php-fpm/default.stpl /usr/local/vesta/data/templates/web/nginx/php-fpm/PHP-FPM-82.stpl ln -s /usr/local/vesta/data/templates/web/nginx/php-fpm/default.tpl /usr/local/vesta/data/templates/web/nginx/php-fpm/PHP-FPM-82.tpl fi +if [ "$release" -eq 13 ]; then + echo "== Symlink missing templates" + ln -s /usr/local/vesta/data/templates/web/nginx/hosting.sh /usr/local/vesta/data/templates/web/nginx/default.sh + ln -s /usr/local/vesta/data/templates/web/nginx/hosting.tpl /usr/local/vesta/data/templates/web/nginx/default.tpl + ln -s /usr/local/vesta/data/templates/web/nginx/hosting.stpl /usr/local/vesta/data/templates/web/nginx/default.stpl + + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.sh /usr/local/vesta/data/templates/web/apache2/hosting.sh + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.tpl /usr/local/vesta/data/templates/web/apache2/hosting.tpl + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.stpl /usr/local/vesta/data/templates/web/apache2/hosting.stpl + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.sh /usr/local/vesta/data/templates/web/apache2/default.sh + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.tpl /usr/local/vesta/data/templates/web/apache2/default.tpl + ln -s /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.stpl /usr/local/vesta/data/templates/web/apache2/default.stpl + + ln -s /usr/local/vesta/data/templates/web/nginx/php-fpm/default.stpl /usr/local/vesta/data/templates/web/nginx/php-fpm/PHP-FPM-84.stpl + ln -s /usr/local/vesta/data/templates/web/nginx/php-fpm/default.tpl /usr/local/vesta/data/templates/web/nginx/php-fpm/PHP-FPM-84.tpl +fi echo "== Set nameservers address" sed -i "s/YOURHOSTNAME1/ns1.$servername/" /usr/local/vesta/data/packages/default.pkg @@ -1118,7 +1162,9 @@ if [ "$nginx" = 'yes' ]; then cp -f $vestacp/nginx/nginx.conf /etc/nginx/ cp -f $vestacp/nginx/status.conf /etc/nginx/conf.d/ cp -f $vestacp/nginx/phpmyadmin.inc /etc/nginx/conf.d/ - cp -f $vestacp/nginx/phppgadmin.inc /etc/nginx/conf.d/ + if [ "$release" -lt 12 ]; then + cp -f $vestacp/nginx/phppgadmin.inc /etc/nginx/conf.d/ + fi cp -f $vestacp/nginx/webmail.inc /etc/nginx/conf.d/ cp -f $vestacp/logrotate/nginx /etc/logrotate.d/ @@ -1127,6 +1173,13 @@ if [ "$nginx" = 'yes' ]; then echo > /etc/nginx/conf.d/vesta.conf mkdir -p /var/log/nginx/domains + + if [ "$apache" = 'yes' ]; then + # SSL fix for Apache 2.4.65+ + echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf + touch /usr/local/vesta/data/upgrades/fixssl.conf + fi + #update-rc.d nginx defaults #service nginx start currentservice='nginx' @@ -1182,7 +1235,13 @@ fi if [ "$phpfpm" = 'yes' ]; then echo "=== Configure PHP-FPM" - if [ "$release" -eq 12 ]; then + if [ "$release" -eq 13 ]; then + cp -f $vestacp/php-fpm/www.conf /etc/php/8.4/fpm/pool.d/www.conf + #update-rc.d php8.4-fpm defaults + currentservice='php8.4-fpm' + ensure_startup $currentservice + ensure_start $currentservice + elif [ "$release" -eq 12 ]; then cp -f $vestacp/php-fpm/www.conf /etc/php/8.2/fpm/pool.d/www.conf #update-rc.d php8.2-fpm defaults currentservice='php8.2-fpm' @@ -1364,6 +1423,9 @@ if [ "$mysql" = 'yes' ] || [ "$mysql8" = 'yes' ]; then bash /root/phpmyadmin/pma.sh blowfish=$(gen_pass) echo "\$cfg['blowfish_secret'] = '$blowfish';" >> /etc/phpmyadmin/config.inc.php + + # disable root login + echo "\$cfg['Servers'][\$i]['AllowRoot'] = FALSE;" >> /etc/phpmyadmin/config.inc.php fi if [ "$release" -gt 10 ]; then echo "=== Configure phpMyAdmin (Debian11 custom part)" @@ -1381,6 +1443,9 @@ if [ "$mysql" = 'yes' ] || [ "$mysql8" = 'yes' ]; then bash /root/phpmyadmin/pma.sh blowfish=$(gen_pass) echo "\$cfg['blowfish_secret'] = '$blowfish';" >> /etc/phpmyadmin/config.inc.php + + # disable root login + echo "\$cfg['Servers'][\$i]['AllowRoot'] = FALSE;" >> /etc/phpmyadmin/config.inc.php fi fi @@ -1398,10 +1463,12 @@ if [ "$postgresql" = 'yes' ]; then sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" # Configuring phpPgAdmin - if [ "$apache" = 'yes' ]; then - cp -f $vestacp/pga/phppgadmin.conf /etc/apache2/conf.d/ + if [ "$release" -lt 12 ]; then + if [ "$apache" = 'yes' ]; then + cp -f $vestacp/pga/phppgadmin.conf /etc/apache2/conf.d/ + fi + cp -f $vestacp/pga/config.inc.php /etc/phppgadmin/ fi - cp -f $vestacp/pga/config.inc.php /etc/phppgadmin/ fi @@ -1422,7 +1489,7 @@ if [ "$named" = 'yes' ]; then sed -i "s#/etc/bind/\*\* r,#/etc/bind/\*\* rw,\n /home/\*\* rwm,#g" /etc/apparmor.d/usr.sbin.named # service apparmor status >/dev/null 2>&1 # if [ $? -ne 0 ]; then - service apparmor restart + systemctl restart apparmor # fi fi # update-rc.d bind9 defaults @@ -1455,6 +1522,12 @@ if [ "$exim" = 'yes' ]; then sed -i "s/#CLAMD/CLAMD/g" /etc/exim4/exim4.conf.template fi + # Generating SRS KEY - the code is taken from HestiaCP + srs=$(gen_pass 16) + echo $srs > /etc/exim4/srs.conf + chmod 640 /etc/exim4/srs.conf + chown root:Debian-exim /etc/exim4/srs.conf + chmod 640 /etc/exim4/exim4.conf.template rm -rf /etc/exim4/domains mkdir -p /etc/exim4/domains @@ -1469,7 +1542,8 @@ if [ "$exim" = 'yes' ]; then #update-rc.d exim4 defaults currentservice='exim4' ensure_startup $currentservice - ensure_start $currentservice + systemctl restart $currentservice + # ensure_start $currentservice fi @@ -1554,6 +1628,15 @@ if [ "$spamd" = 'yes' ]; then echo "=== Patching spamassassin dns_server" sed -i "s/report_safe 1/report_safe 1\n\ndns_server 127.0.0.1/g" /etc/spamassassin/local.cf + echo "== Adding myVesta rules to SpamAssassin" + cat < /etc/spamassassin/myvesta.cf +score RCVD_IN_RP_SAFE 0 +score RCVD_IN_RP_CERTIFIED 0 +score SPF_FAIL 3.0 +score SPF_SOFTFAIL 4.0 +score SPF_NONE 4.0 +EOF + wget -nv -O /etc/spamassassin/barracuda.cf http://c.myvestacp.com/tools/spamassassin/barracuda.cf ensure_startup $currentservice systemctl restart $currentservice @@ -1663,6 +1746,20 @@ if [ "$fail2ban" = 'yes' ]; then chmod 640 /var/log/auth.log chown root:adm /var/log/auth.log fi + if [ "$proftpd" = 'yes' ]; then + cat <> /etc/fail2ban/jail.local + +[proftpd] +enabled = true +filter = proftpd +action = vesta[name=FTP] +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s +backend = %(proftpd_backend)s +maxretry = 5 +EOF + fi + #update-rc.d fail2ban defaults currentservice='fail2ban' ensure_startup $currentservice @@ -1822,6 +1919,20 @@ if [ "$release" -eq 12 ]; then /usr/local/vesta/bin/v-change-web-domain-proxy-tpl 'admin' "$servername" 'hosting-webmail-phpmyadmin' 'jpg,jpeg,gif,png,ico,svg,css,zip,tgz,gz,rar,bz2,doc,xls,exe,pdf,ppt,txt,odt,ods,odp,odf,tar,wav,bmp,rtf,js,mp3,avi,mpeg,flv,woff,woff2' 'yes' fi fi +if [ "$release" -eq 13 ]; then + if [ -f "/etc/php/8.4/fpm/pool.d/$servername.conf" ]; then + echo "== FPM pool.d $servername tweaks" + sed -i "/^group =/c\group = www-data" /etc/php/8.4/fpm/pool.d/$servername.conf + sed -i "/max_execution_time/c\php_admin_value[max_execution_time] = 900" /etc/php/8.4/fpm/pool.d/$servername.conf + sed -i "/request_terminate_timeout/c\request_terminate_timeout = 900s" /etc/php/8.4/fpm/pool.d/$servername.conf + sed -i "s|80M|800M|g" /etc/php/8.4/fpm/pool.d/$servername.conf + sed -i "s|256M|512M|g" /etc/php/8.4/fpm/pool.d/$servername.conf + service php8.4-fpm restart + ln -s /var/lib/roundcube /var/lib/roundcube/webmail + /usr/local/vesta/bin/v-change-web-domain-proxy-tpl 'admin' "$servername" 'hosting-webmail-phpmyadmin' 'jpg,jpeg,gif,png,ico,svg,css,zip,tgz,gz,rar,bz2,doc,xls,exe,pdf,ppt,txt,odt,ods,odp,odf,tar,wav,bmp,rtf,js,mp3,avi,mpeg,flv,woff,woff2' 'yes' + fi +fi + echo "== Adding cron jobs" command="sudo $VESTA/bin/v-update-sys-queue disk" @@ -1838,7 +1949,13 @@ command="sudo $VESTA/bin/v-update-user-stats" $VESTA/bin/v-add-cron-job 'admin' '20' '00' '*' '*' '*' "$command" command="sudo $VESTA/bin/v-update-sys-rrd" $VESTA/bin/v-add-cron-job 'admin' '*/5' '*' '*' '*' '*' "$command" -service cron restart +command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites-only-php" +$VESTA/bin/v-add-cron-job 'admin' '05' '03' '*' '*' '*' "$command" +command="sudo $VESTA/bin/v-df-snapshot-make" +$VESTA/bin/v-add-cron-job 'admin' '05' '04' '*' '*' '*' "$command" +command="sudo $VESTA/bin/v-df-snapshot-logs-cleaner" +$VESTA/bin/v-add-cron-job 'admin' '10' '04' '*' '*' '*' "$command" +systemctl restart cron.service echo "== Building inititall rrd images" $VESTA/bin/v-update-sys-rrd @@ -1884,6 +2001,9 @@ fi if [ "$release" -eq 12 ]; then apt-get -y install php8.2-apcu php8.2-mbstring php8.2-bcmath php8.2-curl php8.2-gd php8.2-intl php8.2-mysql php8.2-mysqlnd php8.2-pdo php8.2-soap php8.2-xml php8.2-zip php8.2-memcache php8.2-memcached php8.2-zip php8.2-imagick php8.2-imap fi +if [ "$release" -eq 13 ]; then + apt-get -y install php8.4-apcu php8.4-mbstring php8.4-bcmath php8.4-curl php8.4-gd php8.4-intl php8.4-mysql php8.4-mysqlnd php8.4-pdo php8.4-soap php8.4-xml php8.4-zip php8.4-memcache php8.4-memcached php8.4-zip php8.4-imagick php8.4-imap +fi touch /var/log/php-mail.log chmod a=rw /var/log/php-mail.log @@ -1939,6 +2059,13 @@ if [ "$release" -eq 12 ]; then service php8.2-fpm restart fi +if [ "$release" -eq 13 ]; then + echo "=== Patching php8.4" + patch /etc/php/8.4/fpm/php.ini < /usr/local/vesta/src/deb/for-download/tools/patches/php8.2.patch + update-alternatives --set php /usr/bin/php8.4 + service php8.4-fpm restart +fi + # echo "=== Patching rcube_vcard.php" # wget -nv https://c.myvestacp.com/tools/patches/rcube_vcard.patch -O /root/rcube_vcard.patch # patch /usr/share/roundcube/program/lib/Roundcube/rcube_vcard.php < /root/rcube_vcard.patch @@ -2016,6 +2143,9 @@ touch /usr/local/vesta/data/upgrades/enable_cookie_httponly touch /usr/local/vesta/data/upgrades/fix_exim_494_autoreply touch /usr/local/vesta/data/upgrades/freshclam_start touch /usr/local/vesta/data/upgrades/barracuda_rbl +touch /usr/local/vesta/data/upgrades/spamhaus_dnsbl_removed +touch /usr/local/vesta/data/upgrades/v-df-snapshot-make +touch /usr/local/vesta/data/upgrades/fix-website-permissions-for-all-websites-only-php # Secret URL secretquery='' @@ -2030,7 +2160,6 @@ if [ "$port" != "8083" ]; then $VESTA/bin/v-change-vesta-port $port fi -echo "=== Set URL for phpmyadmin" echo "DB_PMA_URL='https://$servername/phpmyadmin/'" >> $VESTA/conf/vesta.conf if [ "$release" -gt 9 ]; then echo "=== Set max_length_of_MySQL_username=80" @@ -2038,10 +2167,17 @@ if [ "$release" -gt 9 ]; then fi echo "ALLOW_BACKUP_ANYTIME='yes'" >> $VESTA/conf/vesta.conf echo "NOTIFY_ADMIN_FULL_BACKUP='$email'" >> $VESTA/conf/vesta.conf -echo "================================================================" +echo "=== Adding FileManager license to vesta.conf" +echo "FILEMANAGER_KEY='FREEFM'" >> $VESTA/conf/vesta.conf # Removing old PHP sessions files -crontab -l | { cat; echo "10 2 * * 6 sudo find /home/*/tmp/ -type f -mtime +5 -exec rm {} \;"; } | crontab - +touch /var/spool/cron/crontabs/root +echo "10 2 * * 6 sudo find /home/*/tmp/ -type f -mtime +5 -exec rm {} \;" >> /var/spool/cron/crontabs/root + +if [ -f "/root/.bash_profile" ]; then + echo "=== Adding v-cd-www alias to root bash profile" + echo "alias v-cd-www='source /usr/local/vesta/bin/v-change-dir-www'" >> /root/.bash_profile +fi #----------------------------------------------------------# # myVesta Access Info # diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.sh b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.sh new file mode 100644 index 00000000..cbea2de9 --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.sh @@ -0,0 +1,133 @@ +#!/bin/bash +# Adding php pool conf +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +pool_conf="[$2] + +listen = /run/php/php8.4-fpm-$2.sock +listen.owner = $1 +listen.group = $1 +listen.mode = 0666 + +user = $1 +group = $1 + +pm = ondemand +pm.max_children = 8 +request_terminate_timeout = 360s +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/$1/tmp +php_admin_value[session.save_path] = /home/$1/tmp +php_admin_value[open_basedir] = $5:/home/$1/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcube:/var/log/roundcube:/var/lib/roundcube +php_admin_value[upload_max_filesize] = 800M +php_admin_value[max_execution_time] = 300 +php_admin_value[post_max_size] = 800M +php_admin_value[memory_limit] = 512M +php_admin_value[sendmail_path] = \"/usr/sbin/sendmail -t -i -f info@$2\" +php_admin_flag[mysql.allow_persistent] = off +php_admin_flag[safe_mode] = off + +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/$1/tmp +env[TMPDIR] = /home/$1/tmp +env[TEMP] = /home/$1/tmp +" + +pool_file_56="/etc/php/5.6/fpm/pool.d/$2.conf" +pool_file_70="/etc/php/7.0/fpm/pool.d/$2.conf" +pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf" +pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf" +pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf" +pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf" +pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf" +pool_file_81="/etc/php/8.1/fpm/pool.d/$2.conf" +pool_file_82="/etc/php/8.2/fpm/pool.d/$2.conf" +pool_file_83="/etc/php/8.3/fpm/pool.d/$2.conf" +pool_file_84="/etc/php/8.4/fpm/pool.d/$2.conf" + +if [ -f "$pool_file_56" ]; then + rm $pool_file_56 + systemctl reset-failed php5.6-fpm + systemctl restart php5.6-fpm +fi + +if [ -f "$pool_file_70" ]; then + rm $pool_file_70 + systemctl reset-failed php7.0-fpm + systemctl restart php7.0-fpm +fi + +if [ -f "$pool_file_71" ]; then + rm $pool_file_71 + systemctl reset-failed php7.1-fpm + systemctl restart php7.1-fpm +fi + +if [ -f "$pool_file_72" ]; then + rm $pool_file_72 + systemctl reset-failed php7.2-fpm + systemctl restart php7.2-fpm +fi + +if [ -f "$pool_file_73" ]; then + rm $pool_file_73 + systemctl reset-failed php7.3-fpm + systemctl restart php7.3-fpm +fi + +if [ -f "$pool_file_74" ]; then + rm $pool_file_74 + systemctl reset-failed php7.4-fpm + systemctl restart php7.4-fpm +fi + +if [ -f "$pool_file_80" ]; then + rm $pool_file_80 + systemctl reset-failed php8.0-fpm + systemctl restart php8.0-fpm +fi + +if [ -f "$pool_file_81" ]; then + rm $pool_file_81 + systemctl reset-failed php8.1-fpm + systemctl restart php8.1-fpm +fi + +if [ -f "$pool_file_82" ]; then + rm $pool_file_82 + systemctl reset-failed php8.2-fpm + systemctl restart php8.2-fpm +fi + +if [ -f "$pool_file_83" ]; then + rm $pool_file_83 + systemctl reset-failed php8.3-fpm + systemctl restart php8.3-fpm +fi + +write_file=0 +if [ ! -f "$pool_file_84" ]; then + write_file=1 +else + user_count=$(grep -c "/home/$1/" $pool_file_84) + if [ $user_count -eq 0 ]; then + write_file=1 + fi +fi +if [ $write_file -eq 1 ]; then + echo "$pool_conf" > $pool_file_84 + systemctl reset-failed php8.4-fpm + systemctl restart php8.4-fpm +fi +if [ -f "/etc/php/8.4/fpm/pool.d/www.conf" ]; then + rm /etc/php/8.4/fpm/pool.d/www.conf +fi + +exit 0 diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.stpl b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.stpl new file mode 100644 index 00000000..91e05b17 --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.stpl @@ -0,0 +1,36 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %sdocroot%/public + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + SSLRequireSSL + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile %ssl_crt% + SSLCertificateKeyFile %ssl_key% + %ssl_ca_str%SSLCertificateChainFile %ssl_ca% + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/s%web_system%.%domain%.conf* + + + diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.tpl b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.tpl new file mode 100644 index 00000000..94acbf15 --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84-public.tpl @@ -0,0 +1,30 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %docroot%/public + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf* + + + diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.sh b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.sh new file mode 100644 index 00000000..cbea2de9 --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.sh @@ -0,0 +1,133 @@ +#!/bin/bash +# Adding php pool conf +user="$1" +domain="$2" +ip="$3" +home_dir="$4" +docroot="$5" + +pool_conf="[$2] + +listen = /run/php/php8.4-fpm-$2.sock +listen.owner = $1 +listen.group = $1 +listen.mode = 0666 + +user = $1 +group = $1 + +pm = ondemand +pm.max_children = 8 +request_terminate_timeout = 360s +pm.max_requests = 4000 +pm.process_idle_timeout = 10s +pm.status_path = /status + +php_admin_value[upload_tmp_dir] = /home/$1/tmp +php_admin_value[session.save_path] = /home/$1/tmp +php_admin_value[open_basedir] = $5:/home/$1/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcube:/var/log/roundcube:/var/lib/roundcube +php_admin_value[upload_max_filesize] = 800M +php_admin_value[max_execution_time] = 300 +php_admin_value[post_max_size] = 800M +php_admin_value[memory_limit] = 512M +php_admin_value[sendmail_path] = \"/usr/sbin/sendmail -t -i -f info@$2\" +php_admin_flag[mysql.allow_persistent] = off +php_admin_flag[safe_mode] = off + +env[PATH] = /usr/local/bin:/usr/bin:/bin +env[TMP] = /home/$1/tmp +env[TMPDIR] = /home/$1/tmp +env[TEMP] = /home/$1/tmp +" + +pool_file_56="/etc/php/5.6/fpm/pool.d/$2.conf" +pool_file_70="/etc/php/7.0/fpm/pool.d/$2.conf" +pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf" +pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf" +pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf" +pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf" +pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf" +pool_file_81="/etc/php/8.1/fpm/pool.d/$2.conf" +pool_file_82="/etc/php/8.2/fpm/pool.d/$2.conf" +pool_file_83="/etc/php/8.3/fpm/pool.d/$2.conf" +pool_file_84="/etc/php/8.4/fpm/pool.d/$2.conf" + +if [ -f "$pool_file_56" ]; then + rm $pool_file_56 + systemctl reset-failed php5.6-fpm + systemctl restart php5.6-fpm +fi + +if [ -f "$pool_file_70" ]; then + rm $pool_file_70 + systemctl reset-failed php7.0-fpm + systemctl restart php7.0-fpm +fi + +if [ -f "$pool_file_71" ]; then + rm $pool_file_71 + systemctl reset-failed php7.1-fpm + systemctl restart php7.1-fpm +fi + +if [ -f "$pool_file_72" ]; then + rm $pool_file_72 + systemctl reset-failed php7.2-fpm + systemctl restart php7.2-fpm +fi + +if [ -f "$pool_file_73" ]; then + rm $pool_file_73 + systemctl reset-failed php7.3-fpm + systemctl restart php7.3-fpm +fi + +if [ -f "$pool_file_74" ]; then + rm $pool_file_74 + systemctl reset-failed php7.4-fpm + systemctl restart php7.4-fpm +fi + +if [ -f "$pool_file_80" ]; then + rm $pool_file_80 + systemctl reset-failed php8.0-fpm + systemctl restart php8.0-fpm +fi + +if [ -f "$pool_file_81" ]; then + rm $pool_file_81 + systemctl reset-failed php8.1-fpm + systemctl restart php8.1-fpm +fi + +if [ -f "$pool_file_82" ]; then + rm $pool_file_82 + systemctl reset-failed php8.2-fpm + systemctl restart php8.2-fpm +fi + +if [ -f "$pool_file_83" ]; then + rm $pool_file_83 + systemctl reset-failed php8.3-fpm + systemctl restart php8.3-fpm +fi + +write_file=0 +if [ ! -f "$pool_file_84" ]; then + write_file=1 +else + user_count=$(grep -c "/home/$1/" $pool_file_84) + if [ $user_count -eq 0 ]; then + write_file=1 + fi +fi +if [ $write_file -eq 1 ]; then + echo "$pool_conf" > $pool_file_84 + systemctl reset-failed php8.4-fpm + systemctl restart php8.4-fpm +fi +if [ -f "/etc/php/8.4/fpm/pool.d/www.conf" ]; then + rm /etc/php/8.4/fpm/pool.d/www.conf +fi + +exit 0 diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.stpl b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.stpl new file mode 100644 index 00000000..848abf7c --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.stpl @@ -0,0 +1,36 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %sdocroot% + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + SSLRequireSSL + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + SSLEngine on + SSLVerifyClient none + SSLCertificateFile %ssl_crt% + SSLCertificateKeyFile %ssl_key% + %ssl_ca_str%SSLCertificateChainFile %ssl_ca% + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/s%web_system%.%domain%.conf* + + + diff --git a/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.tpl b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.tpl new file mode 100644 index 00000000..065c1f89 --- /dev/null +++ b/src/deb/for-download/tools/apache-fpm-tpl/PHP-FPM-84.tpl @@ -0,0 +1,30 @@ + + + ServerName %domain_idn% + %alias_string% + ServerAdmin %email% + DocumentRoot %docroot% + ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/ + Alias /vstats/ %home%/%user%/web/%domain%/stats/ + Alias /error/ %home%/%user%/web/%domain%/document_errors/ + #SuexecUserGroup %user% %group% + CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes + CustomLog /var/log/%web_system%/domains/%domain%.log combined + ErrorLog /var/log/%web_system%/domains/%domain%.error.log + + AllowOverride All + + + AllowOverride All + Options +Includes -Indexes -FollowSymLinks +SymLinksIfOwnerMatch + + + + SetHandler "proxy:unix:/run/php/php8.4-fpm-%domain%.sock|fcgi://localhost/" + + SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 + + IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf* + + + diff --git a/src/deb/for-download/tools/imapsync/create-mail-sync.sh b/src/deb/for-download/tools/imapsync/create-mail-sync.sh index e325754e..94762505 100644 --- a/src/deb/for-download/tools/imapsync/create-mail-sync.sh +++ b/src/deb/for-download/tools/imapsync/create-mail-sync.sh @@ -35,18 +35,35 @@ fi TESTOPT="" if [[ $TEST -eq 1 ]]; then - TESTOPT="--justlogin" + TESTOPT="--justlogin" fi if [ ! -d "accounts" ]; then mkdir accounts fi if [ -f "accounts/$EMAIL" ]; then - echo "********* $EMAIL ALREADY EXISTS !!! ************" + echo "********* EMAIL $EMAIL ALREADY EXISTS !!! ************" exit 1; exit fi +euser=$(echo $EMAIL | cut -d '@' -f 1) +domain=$(echo $EMAIL | cut -d '@' -f 2) +user=$(/usr/local/vesta/bin/v-search-domain-owner $domain) +if [ "$user" != "" ]; then + echo "=== Email '$EMAIL' has username email part '$euser', domain is '$domain', and belongs to myVesta account: $user" + if [ ! -d "/home/$user/mail/$domain" ]; then + echo "======= Creating '$domail' in MAIL section" + /usr/local/vesta/bin/v-add-mail-domain "$user" "$domain" + fi + if [ ! -d "/home/$user/mail/$domain/$euser" ]; then + echo "======= Creating '$euser' mail account for domain '$domain'" + /usr/local/vesta/bin/v-add-mail-account "$user" "$domain" "$euser" "$PASS2" + echo "" + fi +fi + + echo "Writing to: accounts/$EMAIL" echo "#!/bin/bash @@ -67,21 +84,20 @@ exit; chmod a=rwx accounts/$EMAIL if [[ $TEST -eq 0 ]]; then - exit 0; + exit 0; fi accounts/$EMAIL RET=$? if [ $RET -eq 0 ]; then - # echo "./create-mail-sync.sh $EMAIL $PASS $PASS2 $TEST" - sed -i "s/--justlogin//g" accounts/$EMAIL - echo "--- OK! ---" - echo "./create-mail-sync.sh '$SRCHOST' '$EMAIL' '$PASS' '$PASS2' $TEST" >> accounts.log + # echo "./create-mail-sync.sh $EMAIL $PASS $PASS2 $TEST" + sed -i "s/--justlogin//g" accounts/$EMAIL + echo "--- OK! ---" + echo "./create-mail-sync.sh '$SRCHOST' '$EMAIL' '$PASS' '$PASS2' $TEST" >> accounts.log else - echo "********* $EMAIL ERROR !!! [ret: $RET ] ************" - echo "********* $EMAIL ERROR !!! [ret: $RET ] ************" - echo "********* $EMAIL ERROR !!! [ret: $RET ] ************" - rm accounts/$EMAIL + echo "********* $EMAIL ERROR !!! [ret: $RET ] ************" + rm accounts/$EMAIL + read -p "=== Press ENTER to continue ===" entered fi exit $RET; diff --git a/src/deb/for-download/tools/imapsync/import-from-file.sh b/src/deb/for-download/tools/imapsync/import-from-file.sh new file mode 100644 index 00000000..ac0c42f4 --- /dev/null +++ b/src/deb/for-download/tools/imapsync/import-from-file.sh @@ -0,0 +1,56 @@ +#!/bin/bash +# +# This script reads email and password=s in following format: +# email1 pass +# email2 pass +# email3 pass + +# The first parameter is the text file from which we read emails and passwords +# The second parameter is SMTP Hostname +# The third parameter is domain if lines contains only username part + + +host='' +if [ $# -gt 1 ]; then + host=$2 +else + echo "Usage: ./import-from-file.sh 'FILE' 'SMTPHOST' ['DOMAIN']" + exit 1; +fi + +domain='' +if [ $# -gt 2 ]; then + domain=$3 +fi + +end_of_file=0 +while [[ $end_of_file == 0 ]]; do + + read -r line + end_of_file=$? + + if [ "$line" == "" ]; then + if [[ $end_of_file == 1 ]]; then + echo "===EOF===" + break; + fi + continue + fi + + email=$(echo "$line" | awk '{print $1}') + pass=$(echo "$line" | awk '{print $2}') + + if [[ $email != *"@"* ]]; then + email="$email@$domain" + fi + + echo "Extracted: '$email' = '$pass'" + + ./create-mail-sync.sh "$host" "$email" "$pass" + + if [[ $end_of_file == 1 ]]; then + echo "===EOF===" + break; + fi + +done < $1 diff --git a/src/deb/for-download/tools/install-new-roundcube.sh b/src/deb/for-download/tools/install-new-roundcube.sh index 8838e0ab..0f6a343a 100644 --- a/src/deb/for-download/tools/install-new-roundcube.sh +++ b/src/deb/for-download/tools/install-new-roundcube.sh @@ -3,7 +3,7 @@ USER='webmail' DOMAIN='' # enter domain or subdomain -VERSION='1.6.1' +VERSION='1.6.6' DOWNLOAD="https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz" LOGINMESSAGE1='Click here for NEW Webmail' diff --git a/src/deb/for-download/tools/install-rocket-nginx.sh b/src/deb/for-download/tools/install-rocket-nginx.sh index 47768b11..ca1f8b2a 100644 --- a/src/deb/for-download/tools/install-rocket-nginx.sh +++ b/src/deb/for-download/tools/install-rocket-nginx.sh @@ -4,6 +4,8 @@ wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-force-https.tpl h wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-force-https.stpl https://c.myvestacp.com/tools/rocket-nginx-templates/wprocket-force-https.stpl wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-hosting.tpl https://c.myvestacp.com/tools/rocket-nginx-templates/wprocket-hosting.tpl wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-hosting.stpl https://c.myvestacp.com/tools/rocket-nginx-templates/wprocket-hosting.stpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-webp-express-force-https.tpl https://c.myvestacp.com/tools/rocket-nginx-templates/wprocket-webp-express-force-https.tpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/wprocket-webp-express-force-https.stpl https://c.myvestacp.com/tools/rocket-nginx-templates/wprocket-webp-express-force-https.stpl echo "Updating apt, please wait..." apt-get update > /dev/null 2>&1 diff --git a/src/deb/for-download/tools/multi-php-install.sh b/src/deb/for-download/tools/multi-php-install.sh index bea7774f..aa1b7353 100644 --- a/src/deb/for-download/tools/multi-php-install.sh +++ b/src/deb/for-download/tools/multi-php-install.sh @@ -14,6 +14,7 @@ inst_80=0 inst_81=0 inst_82=0 inst_83=0 +inst_84=0 ####################################################################### @@ -60,8 +61,11 @@ fi if [ $# -gt 10 ]; then inst_83=${11} fi +if [ $# -gt 11 ]; then + inst_84=${12} +fi -if [ $inst_56 -eq 1 ] || [ $inst_70 -eq 1 ] || [ $inst_71 -eq 1 ] || [ $inst_72 -eq 1 ] || [ $inst_73 -eq 1 ] || [ $inst_74 -eq 1 ] || [ $inst_80 -eq 1 ] || [ $inst_81 -eq 1 ] || [ $inst_82 -eq 1 ] || [ $inst_83 -eq 1 ]; then +if [ $inst_56 -eq 1 ] || [ $inst_70 -eq 1 ] || [ $inst_71 -eq 1 ] || [ $inst_72 -eq 1 ] || [ $inst_73 -eq 1 ] || [ $inst_74 -eq 1 ] || [ $inst_80 -eq 1 ] || [ $inst_81 -eq 1 ] || [ $inst_82 -eq 1 ] || [ $inst_83 -eq 1 ] || [ $inst_84 -eq 1 ]; then inst_repo=1 fi @@ -92,6 +96,7 @@ echo "inst_80=$inst_80" echo "inst_81=$inst_81" echo "inst_82=$inst_82" echo "inst_83=$inst_83" +echo "inst_84=$inst_84" echo "wait_to_press_enter=$wait_to_press_enter" press_enter "=== Press enter to continue ===============================================================================" @@ -100,12 +105,12 @@ apt update if [ "$inst_repo" -eq 1 ]; then press_enter "=== Press enter to install sury.org repo ===============================================================================" apt -y install apt-transport-https ca-certificates - if [ $debian_version -ge 10 ]; then + if [ $debian_version -ge 11 ]; then wget -nv -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg fi - if [ $debian_version -eq 10 ]; then - sh -c 'echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list' - fi + # if [ $debian_version -eq 10 ]; then + # sh -c 'echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list' + # fi if [ $debian_version -eq 11 ]; then sh -c 'echo "deb https://packages.sury.org/php/ bullseye main" > /etc/apt/sources.list.d/php.list' fi @@ -113,7 +118,7 @@ if [ "$inst_repo" -eq 1 ]; then sh -c 'echo "deb https://packages.sury.org/php/ bookworm main" > /etc/apt/sources.list.d/php.list' fi apt update - apt upgrade -y + # apt upgrade -y press_enter "=== Press enter to continue ===============================================================================" fi @@ -372,9 +377,36 @@ if [ "$inst_83" -eq 1 ]; then press_enter "=== PHP 8.3 installed, press enter to continue ===============================================================================" fi +if [ "$inst_84" -eq 1 ]; then + press_enter "=== Press enter to install PHP 8.4 ===============================================================================" + apt -y install php8.4-mbstring php8.4-bcmath php8.4-cli php8.4-curl php8.4-fpm php8.4-gd php8.4-intl php8.4-mysql php8.4-soap php8.4-xml php8.4-zip php8.4-memcache php8.4-memcached php8.4-imagick + update-rc.d php8.4-fpm defaults + a2enconf php8.4-fpm + a2dismod php8.4 + apt-get -y remove libapache2-mod-php8.4 + systemctl restart apache2 + cp -r /etc/php/8.4/ /root/vst_install_backups/php8.4/ + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84.stpl -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.stpl + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84.tpl -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.tpl + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84.sh -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.sh + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84-public.stpl -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84-public.stpl + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84-public.tpl -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84-public.tpl + wget -nv https://c.myvestacp.com/tools/apache-fpm-tpl/PHP-FPM-84-public.sh -O /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84-public.sh + chmod a+x /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84.sh + chmod a+x /usr/local/vesta/data/templates/web/apache2/PHP-FPM-84-public.sh + echo "=== Patching php.ini for php8.4" + wget -nv https://c.myvestacp.com/tools/patches/php8.2.patch -O /root/php8.4.patch + patch /etc/php/8.4/fpm/php.ini < /root/php8.4.patch + if [ $memory -gt 9999999 ]; then + sed -i "s|opcache.memory_consumption=512|opcache.memory_consumption=2048|g" /etc/php/8.4/fpm/php.ini + fi + service php8.4-fpm restart + press_enter "=== PHP 8.4 installed, press enter to continue ===============================================================================" +fi -apt update > /dev/null 2>&1 -apt upgrade -y > /dev/null 2>&1 + +# apt update > /dev/null 2>&1 +# apt upgrade -y > /dev/null 2>&1 if [ $debian_version -ge 10 ]; then a2dismod ruid2 > /dev/null 2>&1 @@ -389,6 +421,7 @@ if [ $debian_version -ge 10 ]; then a2dismod php8.1 > /dev/null 2>&1 a2dismod php8.2 > /dev/null 2>&1 a2dismod php8.3 > /dev/null 2>&1 + a2dismod php8.4 > /dev/null 2>&1 a2dismod mpm_prefork > /dev/null 2>&1 a2enmod mpm_event > /dev/null 2>&1 apt-get -y remove libapache2-mod-php* > /dev/null 2>&1 @@ -421,6 +454,10 @@ if [ -f "/usr/local/bin/tailf_apache_error.php" ]; then echo "=== upgrading tailf_apache_error.php done." sleep 3 echo "" - echo "Everything done." - echo "" fi + +# Fixing php.ini files to have the correct disable_functions line +/usr/local/vesta/bin/v-fix-php-ini-disable-functions + +echo "Everything done." +echo "" diff --git a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-no-https-force.stpl b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-no-https-force.stpl index d66f80be..f49e99dc 100644 --- a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-no-https-force.stpl +++ b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-no-https-force.stpl @@ -1,53 +1,54 @@ -server { - listen %ip%:%proxy_ssl_port%; - server_name %domain_idn% %alias_idn%; - ssl on; - ssl_certificate %ssl_pem%; - ssl_certificate_key %ssl_key%; - error_log /var/log/%web_system%/domains/%domain%.error.log error; - - # test %port_num% - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - root %sdocroot%/public; - index index.html; - - location / { - proxy_pass http://localhost:3000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host $host; - proxy_cache_bypass $http_upgrade; - - - # try_files $uri $uri/ @rewrites; - - location ~* ^.+\.(%proxy_extentions%)$ { - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - } - } - - location @rewrites { - rewrite ^(.+)$ /index.html last; - } - - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } - - +server { + listen %ip%:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + # ssl on; + # http2 on; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + # test %port_num% + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + + root %sdocroot%/public; + index index.html; + + location / { + proxy_pass http://localhost:3000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + + + # try_files $uri $uri/ @rewrites; + + location ~* ^.+\.(%proxy_extentions%)$ { + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + } + } + + location @rewrites { + rewrite ^(.+)$ /index.html last; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~ /\.ht {return 404;} - location ~ /\.env {return 404;} - location ~ /\.svn/ {return 404;} - location ~ /\.git/ {return 404;} - location ~ /\.hg/ {return 404;} - location ~ /\.bzr/ {return 404;} - - include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; - include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; } \ No newline at end of file diff --git a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-pass-to-https.stpl b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-pass-to-https.stpl index 27dd354b..1387a879 100644 --- a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-pass-to-https.stpl +++ b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000-pass-to-https.stpl @@ -1,7 +1,8 @@ server { - listen %ip%:%proxy_ssl_port%; + listen %ip%:%proxy_ssl_port% ssl; server_name %domain_idn% %alias_idn%; - ssl on; + # ssl on; + # http2 on; ssl_certificate %ssl_pem%; ssl_certificate_key %ssl_key%; error_log /var/log/%web_system%/domains/%domain%.error.log error; diff --git a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000.stpl b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000.stpl index d66f80be..f49e99dc 100644 --- a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000.stpl +++ b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-3000.stpl @@ -1,53 +1,54 @@ -server { - listen %ip%:%proxy_ssl_port%; - server_name %domain_idn% %alias_idn%; - ssl on; - ssl_certificate %ssl_pem%; - ssl_certificate_key %ssl_key%; - error_log /var/log/%web_system%/domains/%domain%.error.log error; - - # test %port_num% - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - root %sdocroot%/public; - index index.html; - - location / { - proxy_pass http://localhost:3000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_set_header Host $host; - proxy_cache_bypass $http_upgrade; - - - # try_files $uri $uri/ @rewrites; - - location ~* ^.+\.(%proxy_extentions%)$ { - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - } - } - - location @rewrites { - rewrite ^(.+)$ /index.html last; - } - - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } - - +server { + listen %ip%:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + # ssl on; + # http2 on; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + # test %port_num% + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + + root %sdocroot%/public; + index index.html; + + location / { + proxy_pass http://localhost:3000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + + + # try_files $uri $uri/ @rewrites; + + location ~* ^.+\.(%proxy_extentions%)$ { + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + } + } + + location @rewrites { + rewrite ^(.+)$ /index.html last; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location ~ /\.ht {return 404;} - location ~ /\.env {return 404;} - location ~ /\.svn/ {return 404;} - location ~ /\.git/ {return 404;} - location ~ /\.hg/ {return 404;} - location ~ /\.bzr/ {return 404;} - - include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; - include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; } \ No newline at end of file diff --git a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-4000-and-websocket-6001.stpl b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-4000-and-websocket-6001.stpl index d8a23009..70fa2866 100644 --- a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-4000-and-websocket-6001.stpl +++ b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-4000-and-websocket-6001.stpl @@ -1,7 +1,8 @@ server { - listen %ip%:%proxy_ssl_port%; + listen %ip%:%proxy_ssl_port% ssl; server_name %domain_idn% %alias_idn%; - ssl on; + # ssl on; + # http2 on; ssl_certificate %ssl_pem%; ssl_certificate_key %ssl_key%; error_log /var/log/%web_system%/domains/%domain%.error.log error; diff --git a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-also-handle-static-files-3000.stpl b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-also-handle-static-files-3000.stpl index a6a0b744..415b6f9c 100644 --- a/src/deb/for-download/tools/nodejs-nginx-templates/node-app-also-handle-static-files-3000.stpl +++ b/src/deb/for-download/tools/nodejs-nginx-templates/node-app-also-handle-static-files-3000.stpl @@ -1,7 +1,8 @@ server { - listen %ip%:%proxy_ssl_port%; + listen %ip%:%proxy_ssl_port% ssl; server_name %domain_idn% %alias_idn%; - ssl on; + # ssl on; + # http2 on; ssl_certificate %ssl_pem%; ssl_certificate_key %ssl_key%; error_log /var/log/%web_system%/domains/%domain%.error.log error; diff --git a/src/deb/for-download/tools/patches/php8.2.patch b/src/deb/for-download/tools/patches/php8.2.patch index 1083a720..ed127499 100644 --- a/src/deb/for-download/tools/patches/php8.2.patch +++ b/src/deb/for-download/tools/patches/php8.2.patch @@ -5,7 +5,7 @@ ; It receives a comma-delimited list of function names. ; https://php.net/disable-functions -disable_functions = -+ disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,system,passthru,shell_exec,proc_open,popen ++disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,system,passthru,shell_exec,proc_open,popen ; This directive allows you to disable certain classes. ; It receives a comma-delimited list of class names. diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl new file mode 100644 index 00000000..5c3f22ac --- /dev/null +++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl @@ -0,0 +1,95 @@ +server { + listen %ip%:%proxy_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + # ssl on; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + error_page 418 = @wordfence_lh; + error_page 419 = @wordfence_route; + error_page 420 = @wordfence_sync; + + if ($request_uri ~ "^/\?wordfence_lh") { return 418; } + if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; } + if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; } + + limit_conn addr 10; + limit_conn zone_site 30; + limit_req zone=one burst=28 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-admin/ { + limit_conn addr 48; + limit_conn zone_site 60; + limit_req zone=one burst=80 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-json/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=one burst=80 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_lh { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_route { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_sync { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-json/wordfence/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl index e8b5b228..b263d6b5 100644 --- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl +++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.stpl @@ -79,6 +79,8 @@ server { proxy_pass https://%ip%:%web_ssl_port%; } + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} location ~ /\.ht {return 404;} location ~ /\.env {return 404;} location ~ /\.svn/ {return 404;} diff --git a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl index c9cf1189..5a463370 100644 --- a/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl +++ b/src/deb/for-download/tools/rate-limit-tpl/force-https-firewall-wordpress.tpl @@ -1,8 +1,8 @@ -server { - listen %ip%:%proxy_port%; - server_name %domain_idn% %alias_idn%; - location / { - rewrite ^(.*) https://$host$1 permanent; - } -include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; -} +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl new file mode 100644 index 00000000..5c3f22ac --- /dev/null +++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl @@ -0,0 +1,95 @@ +server { + listen %ip%:%proxy_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + # ssl on; + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + error_page 418 = @wordfence_lh; + error_page 419 = @wordfence_route; + error_page 420 = @wordfence_sync; + + if ($request_uri ~ "^/\?wordfence_lh") { return 418; } + if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; } + if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; } + + limit_conn addr 10; + limit_conn zone_site 30; + limit_req zone=one burst=28 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-admin/ { + limit_conn addr 48; + limit_conn zone_site 60; + limit_req zone=one burst=80 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-json/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=one burst=80 delay=14; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_lh { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_route { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location @wordfence_sync { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /wp-json/wordfence/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~* ^.+\.(%proxy_extentions%)$ { + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl new file mode 100644 index 00000000..44f6162c --- /dev/null +++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl @@ -0,0 +1,92 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + location / { + error_page 418 = @wordfence_lh; + error_page 419 = @wordfence_route; + error_page 420 = @wordfence_sync; + + if ($request_uri ~ "^/\?wordfence_lh") { return 418; } + if ($request_uri ~ "^/\?rest_route=%2Fwordfence") { return 419; } + if ($request_uri ~ "^/\?wordfence_syncAttackData") { return 420; } + + limit_conn addr 10; + limit_conn zone_site 30; + limit_req zone=one burst=28 delay=14; + proxy_pass http://%ip%:%web_port%; + } + + location /wp-admin/ { + limit_conn addr 48; + limit_conn zone_site 60; + limit_req zone=one burst=80 delay=14; + proxy_pass http://%ip%:%web_port%; + } + + location /wp-json/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=one burst=80 delay=14; + proxy_pass http://%ip%:%web_port%; + } + + location @wordfence_lh { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass http://%ip%:%web_port%; + } + + location @wordfence_route { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass http://%ip%:%web_port%; + } + + location @wordfence_sync { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass http://%ip%:%web_port%; + } + + location /wp-json/wordfence/ { + limit_conn addr 16; + limit_conn zone_site 30; + limit_req zone=wfone burst=240; + proxy_pass http://%ip%:%web_port%; + } + + location ~* ^.+\.(%proxy_extentions%)$ { + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + expires max; + # try_files $uri @fallback; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/nginx.%domain%.conf*; +} + diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl index e8b5b228..b263d6b5 100644 --- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl +++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl @@ -79,6 +79,8 @@ server { proxy_pass https://%ip%:%web_ssl_port%; } + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} location ~ /\.ht {return 404;} location ~ /\.env {return 404;} location ~ /\.svn/ {return 404;} diff --git a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl index 49da9387..7203b88c 100644 --- a/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl +++ b/src/deb/for-download/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl @@ -76,6 +76,8 @@ server { proxy_pass http://%ip%:%web_port%; } + location ~ /wp-config.php {return 404;} + location ~ /xmlrpc.php {return 404;} location ~ /\.ht {return 404;} location ~ /\.env {return 404;} location ~ /\.svn/ {return 404;} diff --git a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh index 4a910d0f..8f4d4e88 100644 --- a/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh +++ b/src/deb/for-download/tools/rate-limit-tpl/install_rate_limit_tpl.sh @@ -71,4 +71,9 @@ wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordp wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.tpl wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress.stpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress-2.tpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress-2.tpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/force-https-firewall-wordpress-2.stpl http://c.myvestacp.com/tools/rate-limit-tpl/force-https-firewall-wordpress-2.stpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress-2.tpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress-2.tpl +wget -nv -O /usr/local/vesta/data/templates/web/nginx/hosting-firewall-wordpress-2.stpl http://c.myvestacp.com/tools/rate-limit-tpl/hosting-firewall-wordpress-2.stpl + systemctl restart nginx diff --git a/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.stpl b/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.stpl new file mode 100644 index 00000000..2a6a7671 --- /dev/null +++ b/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.stpl @@ -0,0 +1,73 @@ +server { + listen %ip%:%proxy_ssl_port% ssl http2; + server_name %domain_idn% %alias_idn%; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + root %sdocroot%; + + # Serve WebP if browser supports it + location ~* ^/wp-content/.*\.(png|jpe?g)$ { + add_header Vary Accept; + expires 365d; + + if ($http_accept !~* "webp") { + break; + } + + try_files + /wp-content/webp-express/webp-images/doc-root/$uri.webp + $uri.webp + @webp_on_demand; + } + + # Route .webp requests to converter if not found + location @webp_on_demand { + proxy_pass https://%ip%:%web_ssl_port%; + } + + # Allow .webp passthrough (trigger php fallback if not found) + location ~* ^/wp-content/.*\.(png|jpe?g)\.webp$ { + try_files + $uri + @webp_realizer; + } + + location @webp_realizer { + proxy_pass https://%ip%:%web_ssl_port%; + } + + # Allow PHP access to WebP Express WOD handler + location ~ ^/wp-content/plugins/webp-express/wod/.*\.php$ { + proxy_pass https://%ip%:%web_ssl_port%; + } + + # Rocket-Nginx configuration + include rocket-nginx/conf.d/default.conf; + + location / { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } + + location ~ /\.ht {return 404;} + location ~ /\.env {return 404;} + location ~ /\.svn/ {return 404;} + location ~ /\.git/ {return 404;} + location ~ /\.hg/ {return 404;} + location ~ /\.bzr/ {return 404;} + + disable_symlinks if_not_owner from=%docroot%; + + include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*; +} diff --git a/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.tpl b/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.tpl new file mode 100644 index 00000000..5a463370 --- /dev/null +++ b/src/deb/for-download/tools/rocket-nginx-templates/wprocket-webp-express-force-https.tpl @@ -0,0 +1,8 @@ +server { + listen %ip%:%proxy_port%; + server_name %domain_idn% %alias_idn%; + location / { + rewrite ^(.*) https://$host$1 permanent; + } +include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; +} diff --git a/src/deb/ioncube/copyright b/src/deb/ioncube/copyright index bd92bd81..c62257d2 100644 --- a/src/deb/ioncube/copyright +++ b/src/deb/ioncube/copyright @@ -1,243 +1,243 @@ -LICENCE AGREEMENT FOR THE IONCUBE PHP LOADER, PROVIDED TO ENABLE THE USE -OF IONCUBE ENCODED FILES AND AS PART OF THE IONCUBE24 SERVICE (ioncube24.com) - -YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE -LOADER SOFTWARE. THE INSTALLATION AND/OR USE OR COPYING OF THE IONCUBE PHP -LOADER SOFTWARE INDICATES YOUR ACCEPTANCE OF THIS LICENCE AGREEMENT. IF YOU -DO NOT ACCEPT THE TERMS OF THIS LICENCE AGREEMENT, DO NOT INSTALL, COPY -AND/OR USE THE LOADER SOFTWARE. - -DEFINITIONS - -The following definitions shall apply in this document: - -LOADER shall mean the ionCube PHP Loader software package or collection -of Loaders, including any modifications or upgrades to the software, used for -executing PHP scripts previously encoded with the ionCube PHP Encoder -software to render them non-humanly readable, and any associated -documentation or electronic or online materials relating to the software. - -ENCODER shall mean any ionCube PHP Encoder software or service used for the -purpose of producing non-humanly readable encoded files from PHP scripts. - -ENCODED FILE shall mean a non-humanly readable file produced by the -Encoder and being derived from humanly readable PHP script source. - -PROVIDER shall mean ionCube Ltd. - -USER/YOU shall mean any entity who has downloaded or obtained through any -other means a version of the Loader software. - - -1 LICENSE ENTITLEMENT - -1.1 The Loader is provided without charge. Title to the Loader does not pass -to the user in any circumstances. The Loader is supplied as object code. - -1.2 The provider grants a personal, non-transferable, non-exclusive licence to -use the Loader in accordance with the terms and conditions of this Licence -Agreement. - -1.3 The installation or downloading and use of the Loader entitles the user -to install and use the Loader for its own internal lawful purposes. - - -2 DISTRIBUTION - -2.1 The Loader may be freely distributed to third parties alone or as -part of a distribution containing other items provided that this license -is also included. - -2.2 The Loader may under no circumstances be branded as another product, -whether distributed or not. - -2.3 Distribution as part of a commercial product is permitted provided such -distribution is in accordance with clauses 2.1 and 2.2 with respect to the -Loader. - - -3 ANALYSIS / REVERSE ENGINEERING / MODIFICATION - -Except insofar as the user is permitted to do so in accordance with applicable -law: - -3.1 Any analysis of the Loader and embedded data by any means and by -any entity whether human or otherwise and including but without limitation to -discover details of internal operation, to reverse engineer, to de-compile -object code, or to modify for the purposes of modifying behaviour is -forbidden. - -3.2 Any analysis of encoded files by any means and by any entity whether human -or otherwise and including but without limitation to discover details of file -format or for the purposes of modifying behaviour or scope of their usage is -forbidden. - - -4 WARRANTY - -THE LOADER SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED -WARRANTIES INCLUDING BUT WITHOUT LIMITATION THE IMPLIED WARRANTIES -OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE ARE -DISCLAIMED. THE PROVIDER DOES NOT WARRANT THAT THE LOADER IS UNINTERRUPTED -OR ERROR FREE, NOR THAT THE OPERATION OF THE LOADER WILL FUNCTION IN -CONJUNCTION WITH ANY OTHER PRODUCT. - - -5 LIMITATION OF LIABILITY - -5.1 IN NO EVENT WILL THE PROVIDER OF THE LOADER BE LIABLE TO THE USER OR ANY -PARTY FOR ANY DIRECT, INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR OTHER -CONSEQUENTIAL DAMAGES ARISING DIRECTLY OR INDIRECTLY FROM THIS LICENCE -AGREEMENT OR ANY USE OF THE LOADER OR ENCODED FILES, EVEN IF THE PROVIDER IS -EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - -5.2 THE LOADER IS PROVIDED ON AN "AS IS" BASIS. THE PROVIDER EXCLUDES ALL -WARRANTIES, CONDITIONS, TERMS, UNDERTAKINGS AND REPRESENTATIONS (EXCLUDING -FRAUDULENT MISREPRESENTATION) OF ANY KIND, EXPRESS OR IMPLIED, STATUTORY OR -OTHERWISE IN CONNECTION WITH THE LOADER TO THE FULLEST EXTENT PERMITTED BY -LAW. - -5.3 DOWNLOADING THE LOADER IS AT YOUR OWN RISK AND THE PROVIDER DOES NOT -ACCEPT LIABILITY FOR ANY DIRECT OR INDIRECT LOSS OR DAMAGE HOWSOEVER CAUSED AS -A RESULT OF ANY COMPUTER VIRUSES, BUGS, TROJAN HORSES, WORMS, SOFTWARE BOMBS -OR OTHER SIMILAR PROGRAMS ARISING FROM YOUR USE OF THE LOADER. WHILST THE -PROVIDER WILL DO ITS BEST TO ENSURE THAT THE LOADER IS FREE FROM SUCH -DESTRUCTIVE PROGRAMS, IT IS YOUR RESPONSIBILITY TO TAKE REASONABLE PRECAUTIONS -TO SCAN FOR SUCH DESTRUCTIVE PROGRAMS DOWNLOADED FROM THE INTERNET. - -5.4 THE PROVIDER'S MAXIMUM LIABILITY FOR ANY LOSS OR DAMAGE ARISING FROM THIS -LICENCE AGREEMENT SHALL IN ANY EVENT BE LIMITED IN THE SOLE DISCRETION OF THE -PROVIDER TO THE REPLACEMENT OF THE LOADER PRODUCT. - -5.5 DUE TO THE NATURE OF THE INTERNET, THE PROVIDER CANNOT GUARANTEE THAT ANY -E-MAILS OR OTHER ELECTRONIC TRANSMISSIONS WILL BE SENT TO YOU OR RECEIVED BY -THE PROVIDER OR THAT THE CONTENT OF SUCH TRANSMISSIONS WILL BE SECURE DURING -TRANSMISSION. - - -6 BUG FIXING AND PRODUCT SUPPORT - -6.1 The provider will use reasonable endeavours to provide support to users. -The provider will at their discretion only provide support for the latest -release. - -6.2 Support comprises of fault reporting via tickets and fault diagnosis, -recommendations on workarounds, and where reasonably possible a timely -resolution. - -6.3 The user accepts that on occasion the ability of the provider to meet -anticipated or published support schedules may be impaired due to, but without -limitation, Internet service provider failures or software failures that -affect the ability to communicate for an indeterminate period. - -6.4 The provider reserves the right to refuse to provide support at any time. - -6.5 The provider wishes to maintain and offer a product of the highest -possible quality, and accordingly may from time to time and at its discretion -make product changes for the purpose of correcting behaviour in variance to -the published specification or the user's reasonable expectations. - -6.6 The provider reserves the right to charge for support where the user does -not have a valid support plan in place, or where the support offered exceeds -the scope of the active support plan. - - -7 PRODUCT UPGRADES - -7.1 The provider may from time to time release product upgrades. These will -be provided free of charge and attempts made to provide a timely notification -to customers of the existence of any new release. - - -8 ERRORS AND OMISSIONS - -Whilst reasonable endeavours are made to ensure the accuracy of documentation -concerning the details of the Loader, the user accepts the possibility of -inaccuracies in information presented in any format, including email -communications and online services. The provider shall under no circumstances -be liable for any events that arise as a result of unintentional inaccuracies -or omissions. - - -9 USER INDEMNITY - -You agree to fully indemnify, defend and hold the provider harmless -immediately upon demand from and against all actions, liability, claims, -losses, damages, costs and expenses (including legal/attorney fees) incurred -by the provider arising directly or indirectly as a result of your breach of -this Licence Agreement. - - -10 INTELLECTUAL PROPERTY RIGHTS - -10.1 The user acknowledges that the Loader and associated documentation and -materials contain proprietary information of the provider and are and shall -remain the exclusive property of the provider and/or its licensors and all -title, copyright, trade marks, trade names, patents and other intellectual -property rights therein of whatever nature shall remain the sole property of -the provider and/or its licensors. - -10.2 No title to or rights of ownership, copyright or other intellectual -property in the Loader is transferred to the user (other than the licence -rights expressly granted in this Licence Agreement). - - -11 TERMINATION - -11.1 The provider reserves the right to terminate this Licence Agreement -immediately by notice in writing against the user if the user is in breach of -any terms and conditions of this Licence Agreement. - -11.2 Termination of this Licence Agreement for any reason shall be without -prejudice to any other rights or remedies of the provider which may have -arisen on or before the date of termination under this Licence Agreement or in -law. - -11.3 The provisions of the following clauses shall survive any termination of -this agreement; clause 3, 5, 10 and 13. - - -12 GENERAL - -12.1 The provider reserves the right to transfer or assign all or any of its -rights and duties and responsibilities set out in this Licence Agreement to -another party. - -12.2 Headings have been included for convenience only and will not be used in -construing any provision of this Licence Agreement. - -12.3 No delay or failure by the provider to exercise any powers, rights or -remedies under this Licence Agreement will operate as a waiver of them nor -will any single or partial exercise of any such powers, rights or remedies -include any other or further exercise of them. - -12.4 If any part of this Licence Agreement is found by a court of competent -jurisdiction or other competent authority to be invalid, unlawful or -unenforceable then such part shall be severed from the remainder of this -Licence Agreement which will continue to be valid and enforceable to the -fullest extent permitted by applicable law. - -12.5 This Licence Agreement including the documents or other sources referred -to herein supersede all prior representations, understandings and agreements -between the user and the provider relating to the Loader and sets forth the -entire agreement and understanding between the user and the provider relating -to the Loader. - -12.6 Nothing in this Licence Agreement shall be deemed to constitute a -partnership between you and the provider nor constitute either party being an -agent of the other party. - -12.7 This Agreement does not create any rights or benefits enforceable by any -person not a party to it (within the meaning of the U.K.Contracts (Rights of -Third Parties) Act 1999) except that a person who under clause 12.1 is a -permitted successor or assignee of the rights or benefits of the provider may -enforce such rights or benefits. - - -13 GOVERNING LAW AND JURISDICTION - -This License Agreement and any issues relating thereto shall be construed and -interpreted in accordance with the laws of England and subject to the -exclusive jurisdiction of the English courts. - -Copyright (c) 2002-2017 ionCube Ltd. Last revised 23-April-2015 +LICENCE AGREEMENT FOR THE IONCUBE PHP LOADER, PROVIDED TO ENABLE THE USE +OF IONCUBE ENCODED FILES AND AS PART OF THE IONCUBE24 SERVICE (ioncube24.com) + +YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE +LOADER SOFTWARE. THE INSTALLATION AND/OR USE OR COPYING OF THE IONCUBE PHP +LOADER SOFTWARE INDICATES YOUR ACCEPTANCE OF THIS LICENCE AGREEMENT. IF YOU +DO NOT ACCEPT THE TERMS OF THIS LICENCE AGREEMENT, DO NOT INSTALL, COPY +AND/OR USE THE LOADER SOFTWARE. + +DEFINITIONS + +The following definitions shall apply in this document: + +LOADER shall mean the ionCube PHP Loader software package or collection +of Loaders, including any modifications or upgrades to the software, used for +executing PHP scripts previously encoded with the ionCube PHP Encoder +software to render them non-humanly readable, and any associated +documentation or electronic or online materials relating to the software. + +ENCODER shall mean any ionCube PHP Encoder software or service used for the +purpose of producing non-humanly readable encoded files from PHP scripts. + +ENCODED FILE shall mean a non-humanly readable file produced by the +Encoder and being derived from humanly readable PHP script source. + +PROVIDER shall mean ionCube Ltd. + +USER/YOU shall mean any entity who has downloaded or obtained through any +other means a version of the Loader software. + + +1 LICENSE ENTITLEMENT + +1.1 The Loader is provided without charge. Title to the Loader does not pass +to the user in any circumstances. The Loader is supplied as object code. + +1.2 The provider grants a personal, non-transferable, non-exclusive licence to +use the Loader in accordance with the terms and conditions of this Licence +Agreement. + +1.3 The installation or downloading and use of the Loader entitles the user +to install and use the Loader for its own internal lawful purposes. + + +2 DISTRIBUTION + +2.1 The Loader may be freely distributed to third parties alone or as +part of a distribution containing other items provided that this license +is also included. + +2.2 The Loader may under no circumstances be branded as another product, +whether distributed or not. + +2.3 Distribution as part of a commercial product is permitted provided such +distribution is in accordance with clauses 2.1 and 2.2 with respect to the +Loader. + + +3 ANALYSIS / REVERSE ENGINEERING / MODIFICATION + +Except insofar as the user is permitted to do so in accordance with applicable +law: + +3.1 Any analysis of the Loader and embedded data by any means and by +any entity whether human or otherwise and including but without limitation to +discover details of internal operation, to reverse engineer, to de-compile +object code, or to modify for the purposes of modifying behaviour is +forbidden. + +3.2 Any analysis of encoded files by any means and by any entity whether human +or otherwise and including but without limitation to discover details of file +format or for the purposes of modifying behaviour or scope of their usage is +forbidden. + + +4 WARRANTY + +THE LOADER SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +WARRANTIES INCLUDING BUT WITHOUT LIMITATION THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE ARE +DISCLAIMED. THE PROVIDER DOES NOT WARRANT THAT THE LOADER IS UNINTERRUPTED +OR ERROR FREE, NOR THAT THE OPERATION OF THE LOADER WILL FUNCTION IN +CONJUNCTION WITH ANY OTHER PRODUCT. + + +5 LIMITATION OF LIABILITY + +5.1 IN NO EVENT WILL THE PROVIDER OF THE LOADER BE LIABLE TO THE USER OR ANY +PARTY FOR ANY DIRECT, INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR OTHER +CONSEQUENTIAL DAMAGES ARISING DIRECTLY OR INDIRECTLY FROM THIS LICENCE +AGREEMENT OR ANY USE OF THE LOADER OR ENCODED FILES, EVEN IF THE PROVIDER IS +EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +5.2 THE LOADER IS PROVIDED ON AN "AS IS" BASIS. THE PROVIDER EXCLUDES ALL +WARRANTIES, CONDITIONS, TERMS, UNDERTAKINGS AND REPRESENTATIONS (EXCLUDING +FRAUDULENT MISREPRESENTATION) OF ANY KIND, EXPRESS OR IMPLIED, STATUTORY OR +OTHERWISE IN CONNECTION WITH THE LOADER TO THE FULLEST EXTENT PERMITTED BY +LAW. + +5.3 DOWNLOADING THE LOADER IS AT YOUR OWN RISK AND THE PROVIDER DOES NOT +ACCEPT LIABILITY FOR ANY DIRECT OR INDIRECT LOSS OR DAMAGE HOWSOEVER CAUSED AS +A RESULT OF ANY COMPUTER VIRUSES, BUGS, TROJAN HORSES, WORMS, SOFTWARE BOMBS +OR OTHER SIMILAR PROGRAMS ARISING FROM YOUR USE OF THE LOADER. WHILST THE +PROVIDER WILL DO ITS BEST TO ENSURE THAT THE LOADER IS FREE FROM SUCH +DESTRUCTIVE PROGRAMS, IT IS YOUR RESPONSIBILITY TO TAKE REASONABLE PRECAUTIONS +TO SCAN FOR SUCH DESTRUCTIVE PROGRAMS DOWNLOADED FROM THE INTERNET. + +5.4 THE PROVIDER'S MAXIMUM LIABILITY FOR ANY LOSS OR DAMAGE ARISING FROM THIS +LICENCE AGREEMENT SHALL IN ANY EVENT BE LIMITED IN THE SOLE DISCRETION OF THE +PROVIDER TO THE REPLACEMENT OF THE LOADER PRODUCT. + +5.5 DUE TO THE NATURE OF THE INTERNET, THE PROVIDER CANNOT GUARANTEE THAT ANY +E-MAILS OR OTHER ELECTRONIC TRANSMISSIONS WILL BE SENT TO YOU OR RECEIVED BY +THE PROVIDER OR THAT THE CONTENT OF SUCH TRANSMISSIONS WILL BE SECURE DURING +TRANSMISSION. + + +6 BUG FIXING AND PRODUCT SUPPORT + +6.1 The provider will use reasonable endeavours to provide support to users. +The provider will at their discretion only provide support for the latest +release. + +6.2 Support comprises of fault reporting via tickets and fault diagnosis, +recommendations on workarounds, and where reasonably possible a timely +resolution. + +6.3 The user accepts that on occasion the ability of the provider to meet +anticipated or published support schedules may be impaired due to, but without +limitation, Internet service provider failures or software failures that +affect the ability to communicate for an indeterminate period. + +6.4 The provider reserves the right to refuse to provide support at any time. + +6.5 The provider wishes to maintain and offer a product of the highest +possible quality, and accordingly may from time to time and at its discretion +make product changes for the purpose of correcting behaviour in variance to +the published specification or the user's reasonable expectations. + +6.6 The provider reserves the right to charge for support where the user does +not have a valid support plan in place, or where the support offered exceeds +the scope of the active support plan. + + +7 PRODUCT UPGRADES + +7.1 The provider may from time to time release product upgrades. These will +be provided free of charge and attempts made to provide a timely notification +to customers of the existence of any new release. + + +8 ERRORS AND OMISSIONS + +Whilst reasonable endeavours are made to ensure the accuracy of documentation +concerning the details of the Loader, the user accepts the possibility of +inaccuracies in information presented in any format, including email +communications and online services. The provider shall under no circumstances +be liable for any events that arise as a result of unintentional inaccuracies +or omissions. + + +9 USER INDEMNITY + +You agree to fully indemnify, defend and hold the provider harmless +immediately upon demand from and against all actions, liability, claims, +losses, damages, costs and expenses (including legal/attorney fees) incurred +by the provider arising directly or indirectly as a result of your breach of +this Licence Agreement. + + +10 INTELLECTUAL PROPERTY RIGHTS + +10.1 The user acknowledges that the Loader and associated documentation and +materials contain proprietary information of the provider and are and shall +remain the exclusive property of the provider and/or its licensors and all +title, copyright, trade marks, trade names, patents and other intellectual +property rights therein of whatever nature shall remain the sole property of +the provider and/or its licensors. + +10.2 No title to or rights of ownership, copyright or other intellectual +property in the Loader is transferred to the user (other than the licence +rights expressly granted in this Licence Agreement). + + +11 TERMINATION + +11.1 The provider reserves the right to terminate this Licence Agreement +immediately by notice in writing against the user if the user is in breach of +any terms and conditions of this Licence Agreement. + +11.2 Termination of this Licence Agreement for any reason shall be without +prejudice to any other rights or remedies of the provider which may have +arisen on or before the date of termination under this Licence Agreement or in +law. + +11.3 The provisions of the following clauses shall survive any termination of +this agreement; clause 3, 5, 10 and 13. + + +12 GENERAL + +12.1 The provider reserves the right to transfer or assign all or any of its +rights and duties and responsibilities set out in this Licence Agreement to +another party. + +12.2 Headings have been included for convenience only and will not be used in +construing any provision of this Licence Agreement. + +12.3 No delay or failure by the provider to exercise any powers, rights or +remedies under this Licence Agreement will operate as a waiver of them nor +will any single or partial exercise of any such powers, rights or remedies +include any other or further exercise of them. + +12.4 If any part of this Licence Agreement is found by a court of competent +jurisdiction or other competent authority to be invalid, unlawful or +unenforceable then such part shall be severed from the remainder of this +Licence Agreement which will continue to be valid and enforceable to the +fullest extent permitted by applicable law. + +12.5 This Licence Agreement including the documents or other sources referred +to herein supersede all prior representations, understandings and agreements +between the user and the provider relating to the Loader and sets forth the +entire agreement and understanding between the user and the provider relating +to the Loader. + +12.6 Nothing in this Licence Agreement shall be deemed to constitute a +partnership between you and the provider nor constitute either party being an +agent of the other party. + +12.7 This Agreement does not create any rights or benefits enforceable by any +person not a party to it (within the meaning of the U.K.Contracts (Rights of +Third Parties) Act 1999) except that a person who under clause 12.1 is a +permitted successor or assignee of the rights or benefits of the provider may +enforce such rights or benefits. + + +13 GOVERNING LAW AND JURISDICTION + +This License Agreement and any issues relating thereto shall be construed and +interpreted in accordance with the laws of England and subject to the +exclusive jurisdiction of the English courts. + +Copyright (c) 2002-2017 ionCube Ltd. Last revised 23-April-2015 diff --git a/src/deb/latest.txt b/src/deb/latest.txt index 0f8dc00c..dcb1761c 100644 --- a/src/deb/latest.txt +++ b/src/deb/latest.txt @@ -1 +1 @@ -vesta-0.9.9-0-6 +vesta-0.9.9-0-13 \ No newline at end of file diff --git a/src/deb/vesta/postinst b/src/deb/vesta/postinst index e53fee72..186f54d5 100755 --- a/src/deb/vesta/postinst +++ b/src/deb/vesta/postinst @@ -21,9 +21,141 @@ if [ ! -d "/usr/local/vesta/data/upgrades" ]; then mkdir -p /usr/local/vesta/data/upgrades fi +VESTA="/usr/local/vesta" + # show changelog after update -# echo "1" > /usr/local/vesta/data/upgrades/show_changelog -# chmod a=rw /usr/local/vesta/data/upgrades/show_changelog +echo "1" > /usr/local/vesta/data/upgrades/show_changelog +chmod a=rw /usr/local/vesta/data/upgrades/show_changelog + +# SSL fix for Apache 2.4.65+ +if [ ! -f "/usr/local/vesta/data/upgrades/fixssl.conf" ]; then + if [ "$release" -ge 11 ]; then + if [ -f "/etc/apache2/apache2.conf" ] && [ -f "/etc/nginx/nginx.conf" ] && [ ! -f "/etc/nginx/conf.d/fixssl.conf" ]; then + echo "== Fixing SSL for Apache 2.4.65+" + echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;\nproxy_ssl_session_reuse off;" > /etc/nginx/conf.d/fixssl.conf + touch /usr/local/vesta/data/upgrades/fixssl.conf + nginx_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'nginx' | grep -c 'running') + if [ $nginx_running -eq 1 ]; then + echo "== Restarting Nginx" + systemctl restart nginx + fi + fi + fi +fi + +# Adding cron job for disk usage snapshot +if [ ! -f "/usr/local/vesta/data/upgrades/v-df-snapshot-make" ]; then + if ! grep -q "v-df-snapshot-make" /usr/local/vesta/data/users/admin/cron.conf; then + echo "== Adding cron job for disk usage snapshot" + command="sudo $VESTA/bin/v-df-snapshot-make" + $VESTA/bin/v-add-cron-job 'admin' '05' '04' '*' '*' '*' "$command" + touch /usr/local/vesta/data/upgrades/v-df-snapshot-make + systemctl restart cron.service + fi + if ! grep -q "v-df-snapshot-logs-cleaner" /usr/local/vesta/data/users/admin/cron.conf; then + echo "== Adding cron job for disk usage snapshot logs cleaner" + command="sudo $VESTA/bin/v-df-snapshot-logs-cleaner" + $VESTA/bin/v-add-cron-job 'admin' '10' '04' '*' '*' '*' "$command" + touch /usr/local/vesta/data/upgrades/v-df-snapshot-make + systemctl restart cron.service + fi +fi + +# Fixing PHP and .env permissions and ownership for all websites +if [ ! -f "/usr/local/vesta/data/upgrades/fix-website-permissions-for-all-websites-only-php" ]; then + # Renaming fix-website-permissions-for-all-websites to fix-website-permissions-for-all-websites-only-php" + if grep -q "fix-website-permissions-for-all-websites" /usr/local/vesta/data/users/admin/cron.conf; then + if ! grep -q "fix-website-permissions-for-all-websites-only-php" /usr/local/vesta/data/users/admin/cron.conf; then + echo "== Renaming fix-website-permissions-for-all-websites to fix-website-permissions-for-all-websites-only-php" + sed -i 's|v-fix-website-permissions-for-all-websites > /dev/null 2>&1|v-fix-website-permissions-for-all-websites-only-php|' /usr/local/vesta/data/users/admin/cron.conf + sed -i 's|v-fix-website-permissions-for-all-websites > /dev/null 2>&1|v-fix-website-permissions-for-all-websites-only-php|' /var/spool/cron/crontabs/admin + sed -i 's|v-fix-website-permissions-for-all-websites |v-fix-website-permissions-for-all-websites-only-php |' /usr/local/vesta/data/users/admin/cron.conf + sed -i 's|v-fix-website-permissions-for-all-websites |v-fix-website-permissions-for-all-websites-only-php |' /var/spool/cron/crontabs/admin + systemctl restart cron.service + fi + fi + echo "== Fixing PHP and .env permissions and ownership for all websites" + command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites-only-php" + $VESTA/bin/v-add-cron-job 'admin' '05' '03' '*' '*' '*' "$command" + touch /usr/local/vesta/data/upgrades/fix-website-permissions-for-all-websites-only-php + systemctl restart cron.service +fi + +if ! grep -q "FILEMANAGER_KEY='FREEFM'" /usr/local/vesta/conf/vesta.conf; then + echo "== Adding FileManager license to vesta.conf" + echo "FILEMANAGER_KEY='FREEFM'" >> /usr/local/vesta/conf/vesta.conf +fi + +if [ -f "/root/.bash_profile" ]; then + if ! grep -q "v-cd-www" /root/.bash_profile; then + echo "== Adding v-cd-www alias to root bash profile" + echo "alias v-cd-www='source /usr/local/vesta/bin/v-change-dir-www'" >> /root/.bash_profile + fi +fi + +# Adding myVesta rules to SpamAssassin +if [ -d "/etc/spamassassin" ]; then + spamassassin_modified=0 + if [ ! -f "/etc/spamassassin/myvesta.cf" ]; then + touch /etc/spamassassin/myvesta.cf + fi + if ! grep -q 'RCVD_IN_RP_SAFE' /etc/spamassassin/myvesta.cf; then + echo "== Adding RCVD_IN_RP_ myVesta rules to SpamAssassin" + echo 'score RCVD_IN_RP_SAFE 0' >> /etc/spamassassin/myvesta.cf + echo 'score RCVD_IN_RP_CERTIFIED 0' >> /etc/spamassassin/myvesta.cf + spamassassin_modified=1 + fi + if ! grep -q 'SPF_FAIL' /etc/spamassassin/myvesta.cf; then + echo "== Adding SPF_FAIL myVesta rules to SpamAssassin" + cat <> /etc/spamassassin/myvesta.cf +score SPF_FAIL 3.0 +score SPF_SOFTFAIL 4.0 +score SPF_NONE 4.0 +EOF + spamassassin_modified=1 + fi + + if [ $spamassassin_modified -eq 1 ]; then + spamassassin_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'spamassassin\|spamd' | grep -c 'running') + if [ $spamassassin_running -eq 1 ]; then + echo "== Restarting SpamAssassin" + if [ "$release" -lt 12 ]; then + systemctl restart spamassassin.service + else + systemctl restart spamd.service + fi + fi + fi +fi + +# Adding ProFTPD to Fail2Ban +if [ -f "/etc/fail2ban/jail.local" ] && [ -f "/etc/proftpd/proftpd.conf" ]; then + if ! grep -q 'proftpd' /etc/fail2ban/jail.local; then + echo "== Adding ProFTPD to Fail2Ban" + cat <> /etc/fail2ban/jail.local + +[proftpd] +enabled = true +filter = proftpd +action = vesta[name=FTP] +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s +backend = %(proftpd_backend)s +maxretry = 5 +EOF + fail2ban_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'fail2ban' | grep -c 'running') + if [ $fail2ban_running -eq 1 ]; then + echo "== Restarting Fail2Ban" + systemctl restart fail2ban + fi + fi +fi + +# Removing SpamHaus DNSBL +if [ ! -f "/usr/local/vesta/data/upgrades/spamhaus_dnsbl_removed" ]; then + sed -i '/zen.spamhaus.org/d' /etc/exim4/dnsbl.conf + touch /usr/local/vesta/data/upgrades/spamhaus_dnsbl_removed +fi # Fixing 'dh key too small' in dovecot if [ -f "/var/log/dovecot.log.1" ] && [ -f "/etc/dovecot/conf.d/10-ssl.conf" ] && [ -f "/usr/share/dovecot/dh.pem" ]; then @@ -93,14 +225,18 @@ fi # Adding Barracuda RBL to SpamAssassin if [ ! -f "/usr/local/vesta/data/upgrades/barracuda_rbl" ]; then spamassassin_installed=$(/usr/local/vesta/bin/v-list-sys-services | grep -c 'spamassassin') - spamassassin_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'spamassassin' | grep -c 'running') + spamassassin_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'spamassassin\|spamd' | grep -c 'running') if [ $spamassassin_installed -eq 1 ]; then echo "== Adding Barracuda RBL to SpamAssassin" wget -nv -O /etc/spamassassin/barracuda.cf http://c.myvestacp.com/tools/spamassassin/barracuda.cf fi if [ $spamassassin_running -eq 1 ]; then echo "== Restarting SpamAssassin" - systemctl restart spamassassin + if [ "$release" -lt 12 ]; then + systemctl restart spamassassin.service + else + systemctl restart spamd.service + fi fi touch /usr/local/vesta/data/upgrades/barracuda_rbl fi @@ -157,7 +293,11 @@ if [ ! -f "/usr/local/vesta/data/upgrades/enable-tls-in-proftpd" ]; then echo "== Enabling TLS for ProFTPD FTPS" wget -nv https://c.myvestacp.com/debian/10/proftpd/tls.conf -O /etc/proftpd/tls.conf sed -i "s|AuthPAMConfig|Include /etc/proftpd/tls.conf\n\nAuthPAMConfig|g" /etc/proftpd/proftpd.conf - systemctl restart proftpd + proftpd_running=$(/usr/local/vesta/bin/v-list-sys-services | grep 'proftpd' | grep -c 'running') + if [ $proftpd_running -eq 1 ]; then + echo "== Restarting ProFTPD" + systemctl restart proftpd + fi fi fi fi diff --git a/src/deb/vesta_compile.sh b/src/deb/vesta_compile.sh index a80316d9..2d0e4874 100644 --- a/src/deb/vesta_compile.sh +++ b/src/deb/vesta_compile.sh @@ -7,8 +7,8 @@ build_deb_package=1 add_deb_to_apt_repo=0 -TARGET_DEB_NAME='bookworm' -TARGET_DEB_VER='12' +TARGET_DEB_NAME='trixie' +TARGET_DEB_VER='13' run_apt_update_and_install=1 wait_to_press_enter=1 @@ -31,8 +31,8 @@ fi MAINTAINER_EMAIL='info@myvestacp.com' -TARGET_DEB_NAME_MAIN='bookworm' -TARGET_DEB_VER_MAIN='12' +TARGET_DEB_NAME_MAIN='trixie' +TARGET_DEB_VER_MAIN='13' # Set compiling directory BUILD_DIR="/usr/src/$TARGET_DEB_NAME" @@ -58,11 +58,12 @@ BUILD_DATE=$(date +"%d-%b-%Y") # Set Version for compiling VESTA_V=$VESTA_VER"_amd64" -NGINX_V='1.25.1' -OPENSSL_V='1.1.1u' + +NGINX_V='1.29.1' +PHP_V='8.4.11' +OPENSSL_V='1.1.1w' PCRE_V='8.45' -ZLIB_V='1.2.13' -PHP_V='5.6.40' +ZLIB_V='1.3.1' # Generate Links for sourcecode NGINX='https://nginx.org/download/nginx-'$NGINX_V'.tar.gz' @@ -73,7 +74,7 @@ OPENSSL='https://www.openssl.org/source/openssl-'$OPENSSL_V'.tar.gz' PCRE='https://sourceforge.net/projects/pcre/files/pcre/'$PCRE_V'/pcre-'$PCRE_V'.tar.gz/download' # Zlib moved archives to Github ZLIB='https://github.com/madler/zlib/archive/refs/tags/v'$ZLIB_V'.tar.gz' -PHP='http://de2.php.net/distributions/php-'$PHP_V'.tar.gz' +PHP='https://www.php.net/distributions/php-'$PHP_V'.tar.gz' # Set package dependencies for compiling release=$(cat /etc/debian_version | tr "." "\n" | head -n1) @@ -81,7 +82,7 @@ release=$(cat /etc/debian_version | tr "." "\n" | head -n1) if [ "$release" -lt 12 ]; then SOFTWARE='build-essential libxml2-dev libz-dev libcurl4-gnutls-dev unzip openssl libssl-dev pkg-config reprepro dpkg-sig git rsync' else - SOFTWARE='build-essential libxml2-dev libz-dev libcurl4-gnutls-dev unzip openssl libssl-dev pkg-config reprepro git rsync' + SOFTWARE='build-essential libxml2-dev libz-dev libcurl4-gnutls-dev unzip openssl libssl-dev pkg-config reprepro git rsync libsqlite3-dev libonig-dev' fi function press_enter { @@ -130,6 +131,9 @@ if [ $run_apt_update_and_install -eq 1 ]; then if [ ! -e /usr/local/include/curl ] && [ "$release" -lt 12 ]; then ln -s /usr/include/x86_64-linux-gnu/curl /usr/local/include/curl fi + if [ ! -e /usr/local/include/curl ] && [ "$release" -eq 13 ]; then + ln -s /usr/include/x86_64-linux-gnu/curl /usr/local/include/curl + fi press_enter "=== Press enter to continue ===============================================================================" fi @@ -258,6 +262,7 @@ EOF press_enter "*** please copy above generated key to your clipboard and then paste it after pressing enter now ***" vi $PATH_OF_APT_REPO_ROOT/deb_signing.key cp $PATH_OF_APT_REPO_ROOT/deb_signing.key $PATH_OF_C_WEB_FOLDER_ROOT/deb_signing.key + cp $PATH_OF_APT_REPO_ROOT/deb_signing.key $PATH_OF_C_WEB_FOLDER_ROOT/debian/13/deb_signing.key cp $PATH_OF_APT_REPO_ROOT/deb_signing.key $PATH_OF_C_WEB_FOLDER_ROOT/debian/12/deb_signing.key cp $PATH_OF_APT_REPO_ROOT/deb_signing.key $PATH_OF_C_WEB_FOLDER_ROOT/debian/11/deb_signing.key cp $PATH_OF_APT_REPO_ROOT/deb_signing.key $PATH_OF_C_WEB_FOLDER_ROOT/debian/10/deb_signing.key @@ -448,6 +453,34 @@ if [ "$CWEB_B" = true ]; then tar -czf dovecot.tar.gz dovecot/ echo "=== All done for Debian12" ########## + cd $PATH_OF_C_WEB_FOLDER_ROOT/debian/13 + + if [ -f "packages.tar.gz" ]; then + rm packages.tar.gz + fi + tar -czf packages.tar.gz packages/ + + if [ -f "templates.tar.gz" ]; then + rm templates.tar.gz + fi + tar -czf templates.tar.gz templates/ + + if [ -f "firewall.tar.gz" ]; then + rm firewall.tar.gz + fi + tar -czf firewall.tar.gz firewall/ + + if [ -f "fail2ban.tar.gz" ]; then + rm fail2ban.tar.gz + fi + tar -czf fail2ban.tar.gz fail2ban/ + + if [ -f "dovecot.tar.gz" ]; then + rm dovecot.tar.gz + fi + tar -czf dovecot.tar.gz dovecot/ + echo "=== All done for Debian13" + ########## cp /root/vesta/install/vst-install-debian.sh $PATH_OF_C_WEB_FOLDER_ROOT/vst-install-debian.sh @@ -498,7 +531,7 @@ if [ "$NGINX_B" = true ]; then --with-openssl-opt=no-weak-ssl-ciphers \ --with-openssl-opt=no-ssl3 \ --with-pcre=../pcre-$PCRE_V \ - --with-pcre-jit \ + --with-pcre-jit \ --with-zlib=../zlib-$ZLIB_V # Check install directory and remove if exists @@ -593,11 +626,10 @@ if [ "$PHP_B" = true ]; then --with-zlib \ --with-fpm-user=admin \ --with-fpm-group=admin \ - --with-mysql \ --with-mysqli \ --with-curl \ --enable-mbstring \ - --with-mysql-sock=/var/run/mysqld/mysqld.sock + --with-mysql-sock=/var/run/mysqld/mysqld.sock # Check install directory and remove if exists if [ -d $INSTALL_DIR/php ]; then @@ -605,7 +637,7 @@ if [ "$PHP_B" = true ]; then fi press_enter "=== Press enter to compile PHP ===============================================================================" - + make && make install press_enter "=== Press enter to continue ===============================================================================" diff --git a/web/add/dns/index.php b/web/add/dns/index.php index 7c18faab..b9e47abe 100644 --- a/web/add/dns/index.php +++ b/web/add/dns/index.php @@ -80,7 +80,7 @@ if (!empty($_POST['ok'])) { // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain'])); unset($v_domain); } } @@ -128,7 +128,7 @@ if (!empty($_POST['ok_rec'])) { // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',htmlentities($_POST[v_rec]),htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] = __('DNS_RECORD_CREATED_OK',htmlentities($_POST['v_rec']),htmlentities($_POST['v_domain'])); unset($v_domain); unset($v_rec); unset($v_val); diff --git a/web/add/mail/index.php b/web/add/mail/index.php index c761139c..6a8b6e9f 100644 --- a/web/add/mail/index.php +++ b/web/add/mail/index.php @@ -186,7 +186,7 @@ if (!empty($_POST['ok_acc'])) { // Flush field values on success if (empty($_SESSION['error_msg'])) { - $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK',htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain]),htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] = __('MAIL_ACCOUNT_CREATED_OK',htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST['v_domain']),htmlentities(strtolower($_POST['v_account'])),htmlentities($_POST['v_domain'])); $_SESSION['ok_msg'] .= " / " . __('open webmail') . ""; unset($v_account); unset($v_password); diff --git a/web/add/web/index.php b/web/add/web/index.php index d77b8f40..e11cff23 100644 --- a/web/add/web/index.php +++ b/web/add/web/index.php @@ -323,7 +323,7 @@ if (!empty($_POST['ok'])) { } if (!empty($_SESSION['error_msg']) && $domain_added) { - $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain])); + $_SESSION['ok_msg'] = __('WEB_DOMAIN_CREATED_OK',htmlentities($_POST['v_domain']),htmlentities($_POST['v_domain'])); $_SESSION['flash_error_msg'] = $_SESSION['error_msg']; $url = '/edit/web/?domain='.strtolower(preg_replace("/^www\./i", "", $_POST['v_domain'])); header('Location: ' . $url); diff --git a/web/css/styles.min.css b/web/css/styles.min.css index 374b458c..d84a6a85 100644 --- a/web/css/styles.min.css +++ b/web/css/styles.min.css @@ -4236,3 +4236,29 @@ div.ui-dialog + div div{ padding: 5px 10px !important; border-radius: 13px; } + +.get-ip-info-btn { + cursor: pointer; + margin-left: 10px; +} +.get-ip-info-btn:hover { + color: #000000; +} +.get-ip-info-btn + .get-ip-info-result { + margin: 10px 0; +} +.get-ip-info-btn + .get-ip-info-result dl dt { + font-weight: bold; +} +.get-ip-info-btn + .get-ip-info-result dl dd { + margin: 0 0 10px 0; +} +.get-ip-info-btn + .get-ip-info-result dl .fa-exclamation-triangle { + color: red; +} +.get-ip-info-btn + .get-ip-info-result dl .fa-check-circle { + color: green; +} +.get-ip-info-btn + .get-ip-info-result dl .fa-exclamation-circle { + color: orange; +} diff --git a/web/edit/server/index.php b/web/edit/server/index.php index 49c577d8..eed4baab 100644 --- a/web/edit/server/index.php +++ b/web/edit/server/index.php @@ -339,7 +339,8 @@ if (!empty($_POST['save'])) { $v_backup_username = escapeshellarg($_POST['v_backup_username']); $v_backup_password = escapeshellarg($_POST['v_backup_password']); $v_backup_bpath = escapeshellarg($_POST['v_backup_bpath']); - exec (VESTA_CMD."v-add-backup-host ".$v_backup_type." ".$v_backup_host ." ".$v_backup_username." ".$v_backup_password." ".$v_backup_bpath, $output, $return_var); + $v_backup_port = escapeshellarg($_POST['v_backup_port']); + exec (VESTA_CMD."v-add-backup-host ".$v_backup_type." ".$v_backup_host ." ".$v_backup_username." ".$v_backup_password." ".$v_backup_bpath." ".$v_backup_port, $output, $return_var); check_return_code($return_var,$output); unset($output); if (empty($_SESSION['error_msg'])) $v_backup_host = $_POST['v_backup_host']; @@ -347,12 +348,12 @@ if (!empty($_POST['save'])) { if (empty($_SESSION['error_msg'])) $v_backup_username = $_POST['v_backup_username']; if (empty($_SESSION['error_msg'])) $v_backup_password = $_POST['v_backup_password']; if (empty($_SESSION['error_msg'])) $v_backup_bpath = $_POST['v_backup_bpath']; + if (empty($_SESSION['error_msg'])) $v_backup_port = $_POST['v_backup_port']; $v_backup_new = 'yes'; $v_backup_adv = 'yes'; $v_backup_remote_adv = 'yes'; } } - // Change remote backup host type if (empty($_SESSION['error_msg'])) { if ((!empty($_POST['v_backup_host'])) && ($_POST['v_backup_type'] != $v_backup_type)) { diff --git a/web/inc/i18n/en.php b/web/inc/i18n/en.php index 39c3bfff..09ae210f 100644 --- a/web/inc/i18n/en.php +++ b/web/inc/i18n/en.php @@ -377,6 +377,7 @@ $LANG['en'] = array( 'ErrorLog' => 'ErrorLog', 'Download AccessLog' => 'Download AccessLog', 'Download ErrorLog' => 'Download ErrorLog', + 'Continent' => 'Continent', 'Country' => 'Country', '2 letter code' => '2 letter code', 'State / Province' => 'State / Province', diff --git a/web/inc/main.php b/web/inc/main.php index 26df863e..f13e4142 100644 --- a/web/inc/main.php +++ b/web/inc/main.php @@ -38,8 +38,13 @@ if(!isset($_SESSION['user_combined_ip'])){ $_SESSION['user_combined_ip'] = $user_combined_ip; } +$SKIP_IP_CHECK = false; +if (isset($_SESSION['DISABLE_IP_CHECK']) && $_SESSION['DISABLE_IP_CHECK'] == 'yes') { + $SKIP_IP_CHECK = true; +} + // Checking user to use session from the same IP he has been logged in -if($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1'){ +if ($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1' && $SKIP_IP_CHECK==false) { session_destroy(); session_start(); $_SESSION['request_uri'] = $_SERVER['REQUEST_URI']; diff --git a/web/js/app.js b/web/js/app.js index 9ba909a5..978b7d09 100644 --- a/web/js/app.js +++ b/web/js/app.js @@ -1072,3 +1072,42 @@ function elementHideShow(elementToHideOrShow){ el.style.display = el.style.display === 'none' ? 'block' : 'none'; } +(function($) { + $(document).ready(function() { + $('.get-ip-info-btn').click(function() { + var token = $('#token').attr('token'); + var index = $(this).attr('data-index'); + var btn_el = $('.get-ip-info-btn[data-index="' + index + '"]'); + var result_el = $('.get-ip-info-btn[data-index="' + index + '"] + .get-ip-info-result'); + var ip = btn_el.attr('data-ip'); + + var url_params = new URLSearchParams(window.location.search); + var clear_cache = url_params.get('clear_cache'); + + if (!$.trim(result_el.html())) { + result_el.html(''); + + $.ajax({ + method: "POST", + url: "/list/firewall/banlist/ip_info.php", + data: { ip: ip, clear_cache: clear_cache, token: token }, + cache: false, + error: function(jqXHR, textStatus, errorThrown) { + result_el.html('GENERAL ERROR
' + errorThrown); + }, + success: function(result_data) { + if (btn_el.find('i').hasClass('fa-times')) { + result_el.html(result_data); + } + } + }); + + btn_el.find('i').removeClass('fa-search').addClass('fa-times'); + } + else { + result_el.html(''); + btn_el.find('i').removeClass('fa-times').addClass('fa-search'); + } + }); + }); +})(jQuery); diff --git a/web/list/firewall/banlist/ip_info.php b/web/list/firewall/banlist/ip_info.php new file mode 100644 index 00000000..e7888a75 --- /dev/null +++ b/web/list/firewall/banlist/ip_info.php @@ -0,0 +1,164 @@ + 'http://lists.blocklist.de/lists/all.txt', + 'BFB' => 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php', + 'CIARMY' => 'http://www.ciarmy.com/list/ci-badguys.txt', + 'GREENSNOW' => 'https://blocklist.greensnow.co/greensnow.txt', + 'SPAMDROP' => 'https://www.spamhaus.org/drop/drop.txt', + 'SPAMEDROP' => 'https://www.spamhaus.org/drop/edrop.txt', + 'TOR' => 'https://check.torproject.org/cgi-bin/TorBulkExitList.py', + ]; + $today = date('Y-m-d'); + + foreach ($lists as $code => $url) { + $cache_tag = 'ip-blacklist-' . $code . '-cache'; + + // init cache + if (!isset($_SESSION[$cache_tag])) $_SESSION[$cache_tag] = ['updated' => '', 'items' => [], 'http_code' => '']; + + // invalidate cache if clear_cache parameter is 1 + if (!empty($_REQUEST['clear_cache']) && $_REQUEST['clear_cache'] == 1) $_SESSION[$cache_tag]['updated'] = '2000-01-01'; + + // if cache is not updated, fetch new data and save to cache + if (strtotime($today) > strtotime($_SESSION[$cache_tag]['updated'])) { + $new_cache_data = fetchURL($url, $url_result); + if ($url_result['http_code'] == '200') $new_cache_items = parseCacheEntries($new_cache_data); + $_SESSION[$cache_tag] = ['updated' => $today, 'items' => $new_cache_items, 'http_code' => $url_result['http_code']]; + } + + // check ip + $matched_ips = array_filter($_SESSION[$cache_tag]['items'], function ($item) use ($ip) { + if (str_contains($item, '/')) return cidrMatch($ip, $item); + if ($ip == $item) return true; + return false; + }); + + $check_results[$code]['found'] = count($matched_ips) > 0 ? true : false; + $check_results[$code]['updated'] = $_SESSION[$cache_tag]['updated']; + $check_results[$code]['http_code'] = $_SESSION[$cache_tag]['http_code']; + } + + return $check_results; +} + +// Check token +if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) { + die("Wrong token"); +} + +$ip = $_REQUEST['ip']; + +// Validate IP format +if (filter_var($ip, FILTER_VALIDATE_IP) === false) { + die('GENERAL ERROR
BAD_IP_FORMAT'); +} + +// Query host +$host = gethostbyaddr($ip); + +// Query blocklists +$result_blocklists = ''; +$ip_check = checkIP($ip); +if ($ip_check) { + foreach ($ip_check as $list_code => $list_results) { + $result_blocklists .= '
'; + $result_blocklists .= $list_results['found'] ? '' : ''; + $result_blocklists .= ' '.$list_code.' '; + $result_blocklists .= $list_results['http_code'] == '200' ? '' : ''; + $result_blocklists .= '
'; + } +} + +// Query location +$url = 'https://api.db-ip.com/v2/free/'.$ip; +$result = fetchURL($url); +$result_array = json_decode($result, true); +if (!is_array($result_array)) { + die('GENERAL ERROR
BAD_JSON'); +} +if (!empty($result_array['errorCode'])) { + die('GENERAL ERROR
'.$result_array['errorCode']); +} + +// Output +echo " +
+
".__('Host')."
+
".$host."
+
".__('Banlist')."
+
".$result_blocklists."
+
".__('Continent')."
+
".$result_array['continentName']." [".$result_array['continentCode']."]
+
".__('Country')."
+
".$result_array['countryName']." [".$result_array['countryCode']."]
+
".__('State / Province')."
+
".$result_array['stateProv']." [".$result_array['stateProvCode']."]
+
".__('City / Locality')."
+
".$result_array['city']."
+
+"; diff --git a/web/list/user/index.php b/web/list/user/index.php index da708edc..4e5ac369 100644 --- a/web/list/user/index.php +++ b/web/list/user/index.php @@ -22,7 +22,7 @@ if ($user == 'admin') { if ($show_changelog_value_int==1) { $changelog=''; $changelog_arr=file("/usr/local/vesta/Changelog.md"); - for ($i=0; $i<30; $i++) { + for ($i=0; $i<100; $i++) { if (trim($changelog_arr[$i])=="") break; if ($i>1) $changelog.="\n"; $changelog.=$changelog_arr[$i]; diff --git a/web/login/index.php b/web/login/index.php index 18841344..5de05451 100644 --- a/web/login/index.php +++ b/web/login/index.php @@ -1,5 +1,7 @@
+ + + + + + + + "> +

+ + diff --git a/web/templates/admin/list_firewall_banlist.html b/web/templates/admin/list_firewall_banlist.html index 72153940..3bc8ccb2 100644 --- a/web/templates/admin/list_firewall_banlist.html +++ b/web/templates/admin/list_firewall_banlist.html @@ -80,7 +80,7 @@
 
-
+
diff --git a/web/templates/file_manager/main.php b/web/templates/file_manager/main.php index 2e82f811..dd9095f7 100644 --- a/web/templates/file_manager/main.php +++ b/web/templates/file_manager/main.php @@ -19,6 +19,7 @@ +
©
diff --git a/web/templates/header.html b/web/templates/header.html index 7f317f94..37905032 100644 --- a/web/templates/header.html +++ b/web/templates/header.html @@ -4,7 +4,7 @@ myVesta - <?=__($TAB)?> - + diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php index 48f40b23..ce8863bb 100755 --- a/web/upload/UploadHandler.php +++ b/web/upload/UploadHandler.php @@ -1096,7 +1096,7 @@ class UploadHandler } if (count($failed_versions)) { $file->error = $this->get_error_message('image_resize') - .' ('.implode($failed_versions,', ').')'; + .' ('.implode(', ', $failed_versions).')'; } // Free memory: $this->destroy_image_object($file_path);