Skip to content

Commit 23f5456

Browse files
author
Till Brehm
committed
Merge branch 'panel_reverse_proxy' into 'stable-3.1'
Panel reverse proxy See merge request ispconfig/ispconfig3!871
2 parents 0fd2a1c + bb4bf28 commit 23f5456

File tree

2 files changed

+62
-25
lines changed

2 files changed

+62
-25
lines changed

interface/lib/app.inc.php

Lines changed: 59 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -68,20 +68,31 @@ public function __construct() {
6868
$this->db = false;
6969
}
7070
}
71+
$this->uses('functions'); // we need this before all others!
72+
$this->uses('auth,plugin,ini_parser,getconf');
73+
74+
}
7175

76+
public function __get($prop) {
77+
if(property_exists($this, $prop)) return $this->{$prop};
78+
79+
$this->uses($prop);
80+
if(property_exists($this, $prop)) return $this->{$prop};
81+
else return null;
82+
}
83+
84+
public function __destruct() {
85+
session_write_close();
86+
}
87+
88+
public function initialize_session() {
7289
//* Start the session
7390
if($this->_conf['start_session'] == true) {
74-
7591
$this->uses('session');
7692
$sess_timeout = $this->conf('interface', 'session_timeout');
77-
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
78-
79-
// Workaround for Nginx servers
80-
if($cookie_domain == '_') {
81-
$tmp = explode(':',$_SERVER["HTTP_HOST"]);
82-
$cookie_domain = $tmp[0];
83-
unset($tmp);
84-
}
93+
$cookie_domain = $this->get_cookie_domain();
94+
$this->log("cookie_domain is ".$cookie_domain,0);
95+
$cookie_domain = '';
8596
$cookie_secure = ($_SERVER["HTTPS"] == 'on')?true:false;
8697
if($sess_timeout) {
8798
/* check if user wants to stay logged in */
@@ -122,23 +133,8 @@ public function __construct() {
122133
if(empty($_SESSION['s']['language'])) $_SESSION['s']['language'] = $conf['language'];
123134
}
124135

125-
$this->uses('functions'); // we need this before all others!
126-
$this->uses('auth,plugin,ini_parser,getconf');
127-
128-
}
129-
130-
public function __get($prop) {
131-
if(property_exists($this, $prop)) return $this->{$prop};
132-
133-
$this->uses($prop);
134-
if(property_exists($this, $prop)) return $this->{$prop};
135-
else return null;
136136
}
137137

138-
public function __destruct() {
139-
session_write_close();
140-
}
141-
142138
public function uses($classes) {
143139
$cl = explode(',', $classes);
144140
if(is_array($cl)) {
@@ -336,12 +332,51 @@ public function tpl_defaults() {
336332
$this->tpl->setVar('globalsearch_noresults_limit_txt', $this->lng('globalsearch_noresults_limit_txt'));
337333
$this->tpl->setVar('globalsearch_searchfield_watermark_txt', $this->lng('globalsearch_searchfield_watermark_txt'));
338334
}
335+
336+
private function get_cookie_domain() {
337+
$proxy_panel_allowed = $this->getconf->get_security_config('permissions')['reverse_proxy_panel_allowed'];
338+
if ($proxy_panel_allowed == 'all') {
339+
return '';
340+
}
341+
/*
342+
* See ticket #5238: It should be ensured, that _SERVER_NAME is always set.
343+
* Otherwise the security improvement doesn't work with nginx. If this is done,
344+
* the check for HTTP_HOST and workaround for nginx is obsolete.
345+
*/
346+
$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
347+
// Workaround for Nginx servers
348+
if($cookie_domain == '_') {
349+
$tmp = explode(':',$_SERVER["HTTP_HOST"]);
350+
$cookie_domain = $tmp[0];
351+
unset($tmp);
352+
}
353+
if($proxy_panel_allowed == 'sites') {
354+
$forwarded_host = (isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : null );
355+
if($forwarded_host !== null && $forwarded_host !== $cookie_domain) {
356+
// Just check for complete domain name and not auto subdomains
357+
$sql = "SELECT domain_id from web_domain where domain = '$forwarded_host'";
358+
$recs = $this->db->queryOneRecord($sql);
359+
if($recs !== null) {
360+
$cookie_domain = $forwarded_host;
361+
}
362+
unset($forwarded_host);
363+
}
364+
}
365+
366+
return $cookie_domain;
367+
}
339368

340369
} // end class
341370

342371
//** Initialize application (app) object
343372
//* possible future = new app($conf);
344373
$app = new app();
374+
/*
375+
split session creation out of constructor is IMHO better.
376+
otherwise we have some circular references to global $app like in
377+
getconfig property of App - RA
378+
*/
379+
$app->initialize_session();
345380

346381
// load and enable PHP Intrusion Detection System (PHPIDS)
347382
$ids_security_config = $app->getconf->get_security_config('ids');

security/security_settings.ini

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ admin_allow_software_repo=superadmin
1717
remote_api_allowed=yes
1818
password_reset_allowed=yes
1919
session_regenerate_id=yes
20+
reverse_proxy_panel_allowed=none
2021

2122
[ids]
2223
ids_anon_enabled=yes
@@ -42,4 +43,5 @@ security_admin_email_subject=Security alert from server
4243
warn_new_admin=yes
4344
warn_passwd_change=no
4445
warn_shadow_change=no
45-
warn_group_change=no
46+
warn_group_change=no
47+

0 commit comments

Comments
 (0)