Merge branch 'stable-3.1' of https://git.ispconfig.org/ispconfig/ispconfig3 into stable-3.1

ms217 · ms217 · commit 07cef89e51a0 · 2020-09-02T10:56:52.000+02:00
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -745,7 +745,7 @@ public function process_postfix_config($configfile) {
 			copy($full_file_name, $config_dir.$configfile.'~');
 			chmod($config_dir.$configfile.'~',0600);
 		}
-		
+
 		//* Replace variables in config file template
 		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
 		$content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
@@ -754,13 +754,13 @@ public function process_postfix_config($configfile) {
 		$content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content);
 		$content = str_replace('{server_id}', $conf['server_id'], $content);
 		wf($full_file_name, $content);
-		
+
 		//* Changing mode and group of the new created config file
 		caselog('chmod u=rw,g=r,o= '.escapeshellarg($full_file_name).' &> /dev/null',
 			__FILE__, __LINE__, 'chmod on '.$full_file_name, 'chmod on '.$full_file_name.' failed');
 		caselog('chgrp '.escapeshellarg($postfix_group).' '.escapeshellarg($full_file_name).' &> /dev/null',
 			__FILE__, __LINE__, 'chgrp on '.$full_file_name, 'chgrp on '.$full_file_name.' failed');
-		
+
 	}
 
 	public function configure_jailkit() {
@@ -1097,7 +1097,7 @@ public function configure_postfix($options = '') {
 		}
 
 		unset($server_ini_array);
-		
+
 		$myhostname = str_replace('.','\.',$conf['hostname']);
 
 		$postconf_placeholders = array('{config_dir}' => $config_dir,
@@ -1680,7 +1680,7 @@ public function configure_amavis() {
 
 	public function configure_rspamd() {
 		global $conf;
-		
+
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
@@ -2503,6 +2503,16 @@ public function configure_apps_vhost() {
 			$tpl->setVar('apps_vhost_dir',$conf['web']['website_basedir'].'/apps');
 			$tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
 			$tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
+			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
+				$tpl->setVar('ssl_comment','');
+			} else {
+				$tpl->setVar('ssl_comment','#');
+			}
+			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key') && is_file($install_dir.'/interface/ssl/ispserver.bundle')) {
+				$tpl->setVar('ssl_bundle_comment','');
+			} else {
+				$tpl->setVar('ssl_bundle_comment','#');
+			}
 			$tpl->setVar('apache_version',getapacheversion());
 			if($this->is_update == true) {
 				$tpl->setVar('logging',get_logging_state());
diff --git a/install/tpl/apache_apps.vhost.master b/install/tpl/apache_apps.vhost.master
@@ -1,4 +1,3 @@
-
 ######################################################
 # This virtual host contains the configuration
 # for the ISPConfig apps vhost
@@ -15,6 +14,56 @@
     SetHandler None
   </FilesMatch>
 
+  # SSL Configuration
+  <tmpl_var name="ssl_comment">SSLEngine On
+  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
+  <tmpl_else>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
+  </tmpl_if>
+  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
+  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
+
+  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
+  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLCompression Off
+  </tmpl_if>
+  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
+  <tmpl_var name="ssl_comment">SSLSessionTickets Off
+  </tmpl_if>
+
+  <IfModule mod_headers.c>
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
+    <IfVersion >= 2.4.7>
+        Header setifempty Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    <IfVersion < 2.4.7>
+        Header set Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    RequestHeader unset Proxy early
+  </IfModule>
+
+  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLUseStapling On
+  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
+  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
+  </tmpl_if>
+
+<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+<IfModule mod_ssl.c>
+  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</tmpl_if>
+
   <IfModule mod_headers.c>
 	RequestHeader unset Proxy early
   </IfModule>
diff --git a/interface/lib/classes/sites_database_plugin.inc.php b/interface/lib/classes/sites_database_plugin.inc.php
@@ -49,8 +49,8 @@ public function processDatabaseUpdate($form_page) {
 			$backup_format_db = $web['backup_format_db'];
 			$backup_copies = $app->functions->intval($web['backup_copies']);
 
-			$sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ?, backup_format_web = ?, backup_format_db = ? WHERE database_id = ?";
-			$app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $backup_format_web, $backup_format_db, $form_page->id);
+			$sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ? WHERE database_id = ?";
+			$app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $form_page->id);
 		}
 	}
 
diff --git a/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php b/interface/lib/plugins/sites_web_vhost_domain_plugin.inc.php
@@ -52,13 +52,13 @@ function sites_web_vhost_domain_edit($event_name, $page_form) {
 		if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($page_form->dataRecord["client_group_id"])) {
 			$client_group_id = $app->functions->intval($page_form->dataRecord["client_group_id"]);
 			$app->uses('getconf');
-	  	$global_config = $app->getconf->get_global_config('sites');
-	  	if($global_config['client_protection'] == 'y') {
-		    $app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $this->id);
+			$global_config = $app->getconf->get_global_config('sites');
+			if($global_config['client_protection'] == 'y') {
+				$app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $page_form->id);
 			} else {
 				$sysuser = $app->db->queryOneRecord('SELECT userid FROM sys_user WHERE default_group = ?',$client_group_id);
 				$sysuser_id = (is_array($sysuser) && isset($sysuser['userid']) && $sysuser['userid'] > 0)?$sysuser['userid']:1;
-				$app->db->query("UPDATE web_domain SET sys_userid = ?, sys_groupid = ?, sys_perm_group = 'riud' WHERE domain_id = ?", $sysuser_id, $client_group_id, $this->id);
+				$app->db->query("UPDATE web_domain SET sys_userid = ?, sys_groupid = ?, sys_perm_group = 'riud' WHERE domain_id = ?", $sysuser_id, $client_group_id, $page_form->id);
 			}
 		}
 		if($app->auth->has_clients($_SESSION['s']['user']['userid']) && isset($page_form->dataRecord["client_group_id"])) {
@@ -265,7 +265,7 @@ function sites_web_vhost_domain_edit($event_name, $page_form) {
 					$backup_format_db = $page_form->dataRecord['backup_format_db'];
 					$records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE parent_domain_id = ".$page_form->id);
 					foreach($records as $rec) {
-						$app->db->datalogUpdate('web_database', array("backup_interval" => $backup_interval, "backup_copies" => $backup_copies, "backup_format_web" => $backup_format_web, "backup_format_db" => $backup_format_db), 'database_id', $rec['database_id']);
+						$app->db->datalogUpdate('web_database', array("backup_interval" => $backup_interval, "backup_copies" => $backup_copies), 'database_id', $rec['database_id']);
 					}
 					unset($records);
 					unset($rec);
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
@@ -1382,11 +1382,11 @@ function onAfterInsert() {
 		// make sure that the record belongs to the client group and not the admin group when admin inserts it
 		// also make sure that the user can not delete domain created by a admin if client protection is enabled
 		if($_SESSION["s"]["user"]["typ"] == 'admin' && isset($this->dataRecord["client_group_id"])) {
-  	  $client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]);
-	  	$app->uses('getconf');
-	  	$global_config = $app->getconf->get_global_config('sites');
-	  	if($global_config['client_protection'] == 'y') {
-		    $app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $this->id);
+			$client_group_id = $app->functions->intval($this->dataRecord["client_group_id"]);
+			$app->uses('getconf');
+			$global_config = $app->getconf->get_global_config('sites');
+			if($global_config['client_protection'] == 'y') {
+				$app->db->query("UPDATE web_domain SET sys_groupid = ?, sys_perm_group = 'ru' WHERE domain_id = ?", $client_group_id, $this->id);
 			} else {
 				$sysuser = $app->db->queryOneRecord('SELECT userid FROM sys_user WHERE default_group = ?',$client_group_id);
 				$sysuser_id = (is_array($sysuser) && isset($sysuser['userid']) && $sysuser['userid'] > 0)?$sysuser['userid']:1;
diff --git a/server/conf/apache_apps.vhost.master b/server/conf/apache_apps.vhost.master
@@ -1,4 +1,3 @@
-
 ######################################################
 # This virtual host contains the configuration
 # for the ISPConfig apps vhost
@@ -15,6 +14,56 @@
     SetHandler None
   </FilesMatch>
 
+  # SSL Configuration
+  <tmpl_var name="ssl_comment">SSLEngine On
+  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
+  <tmpl_else>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
+  </tmpl_if>
+  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
+  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
+
+  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
+  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLCompression Off
+  </tmpl_if>
+  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
+  <tmpl_var name="ssl_comment">SSLSessionTickets Off
+  </tmpl_if>
+
+  <IfModule mod_headers.c>
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
+    <IfVersion >= 2.4.7>
+        Header setifempty Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    <IfVersion < 2.4.7>
+        Header set Strict-Transport-Security "max-age=15768000"
+    </IfVersion>
+    RequestHeader unset Proxy early
+  </IfModule>
+
+  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLUseStapling On
+  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
+  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
+  </tmpl_if>
+
+<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+<IfModule mod_ssl.c>
+  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</tmpl_if>
+
   <IfModule mod_headers.c>
 	RequestHeader unset Proxy early
   </IfModule>
@@ -55,9 +104,9 @@
     <Directory {tmpl_var name='apps_vhost_dir'}>
 		Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
 		AllowOverride AuthConfig Indexes Limit Options FileInfo
-		<FilesMatch "\.php$">
-			SetHandler fcgid-script
-		</FilesMatch>
+	    <FilesMatch "\.php$">
+		  SetHandler fcgid-script
+	    </FilesMatch>
 		FCGIWrapper {tmpl_var name='apps_vhost_basedir'}/php-fcgi-scripts/apps/.php-fcgi-starter .php
 		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
 		Require all granted
@@ -78,4 +127,6 @@
   RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
 {/tmpl_if}
 
+
+
 </VirtualHost>
diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
@@ -34,6 +34,7 @@ server {
         server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
 
         root   <tmpl_var name='web_document_root_www'>;
+		disable_symlinks if_not_owner;
 
 <tmpl_if name='ssl_enabled'>
 <tmpl_if name='rewrite_to_https' op='==' value='y'>

Original file line number	Diff line number	Diff line change
`@@ -49,8 +49,8 @@ public function processDatabaseUpdate($form_page) {`
`49`	`49`	`$backup_format_db = $web['backup_format_db'];`
`50`	`50`	`$backup_copies = $app->functions->intval($web['backup_copies']);`
`51`	`51`
`52`		`- $sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ?, backup_format_web = ?, backup_format_db = ? WHERE database_id = ?";`
`53`		`- $app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $backup_format_web, $backup_format_db, $form_page->id);`
	`52`	`+ $sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ? WHERE database_id = ?";`
	`53`	`+ $app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $form_page->id);`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`