Merge branch 'develop' of git.ispconfig.org:ispconfig/ispconfig3 into 3443-firewall

Author: thom

install/install.php

@@ -574,6 +574,8 @@
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
     if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
         $inst->make_ispconfig_ssl_cert();
+} else {
+	swriteln('Certificate exists. Not creating a new one.');
 }
 
 if($conf['services']['web'] == true) {

install/lib/installer_base.lib.php

@@ -33,7 +33,6 @@ class installer_base {
 	var $wb = array();
 	var $language = 'en';
 	var $db;
-	public $conf;
 	public $install_ispconfig_interface = true;
 	public $is_update = false; // true if it is an update, falsi if it is a new install
 	public $min_php = '5.3.3'; // minimal php-version for update / install
@@ -42,7 +41,6 @@ class installer_base {
 
 	public function __construct() {
 		global $conf; //TODO: maybe $conf  should be passed to constructor
-		//$this->conf = $conf;
 	}
 
 	//: TODO  Implement the translation function and language files for the installer.
@@ -2720,7 +2718,7 @@ private function curl_request($url, $use_ipv6 = false) {
 		return $response;
 	}
 
-	private function make_acme_vhost($server_name, $server = 'apache') {
+	private function make_acme_vhost($server_name, $server = 'apache', $restart = true) {
 		global $conf;
 
 		$use_template = 'apache_acme.conf.master';
@@ -2758,12 +2756,13 @@ private function make_acme_vhost($server_name, $server = 'apache') {
 		if(!@is_link($vhost_conf_enabled_dir.'' . $use_symlink)) {
 			symlink($vhost_conf_dir.'/' . $use_name, $vhost_conf_enabled_dir.'/' . $use_symlink);
 		}
-
-		if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
-			if($this->is_update) {
-				system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
-			} else {
-				system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+		if($restart === true) {
+			if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
+				if($this->is_update) {
+					system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+				} else {
+					system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+				}
 			}
 		}
 	}
@@ -2822,6 +2821,8 @@ public function make_ispconfig_ssl_cert() {
 
 		// Request for certs if no LE SSL folder for server fqdn exist
 
+		swriteln('Checking / creating certificate for ' . $hostname);
+
 		$acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
 		$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
 		if(!@is_dir($acme_cert_dir)) {
@@ -2832,6 +2833,13 @@ public function make_ispconfig_ssl_cert() {
 				$check_acme_file = $acme_cert_dir . '/cert.pem';
 			}
 		}
+
+		swriteln('Using certificate path ' . $acme_cert_dir);
+		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
+			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+		}
+
+
 		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
@@ -2881,8 +2889,10 @@ public function make_ispconfig_ssl_cert() {
 
 			// first of all create the acme vhosts if not existing
 			if($conf['nginx']['installed'] == true) {
+				swriteln('Using nginx for certificate validation');
 				$this->make_acme_vhost($hostname, 'nginx');
 			} elseif($conf['apache']['installed'] == true) {
+				swriteln('Using apache for certificate validation');
 				if($this->is_update == false && @is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) {
 					$restore_conf_symlink = true;
 					unlink($vhost_conf_enabled_dir.'/000-ispconfig.conf');
@@ -2899,7 +2909,7 @@ public function make_ispconfig_ssl_cert() {
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
-					exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d $hostname $renew_hook", $out, $ret);
+					exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
 				}
 				// Else, it is not webserver, so we use standalone
 				else {
@@ -2909,6 +2919,7 @@ public function make_ispconfig_ssl_cert() {
 				if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {
 					// acme.sh returns with 2 on issue for already existing certificate
 
+
 					// Backup existing ispserver ssl files
 					if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
 						rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
@@ -2924,8 +2935,10 @@ public function make_ispconfig_ssl_cert() {
 					//$acme_cert = "--cert-file $acme_cert_dir/cert.pem";
 					$acme_key = "--key-file " . escapeshellarg($ssl_key_file);
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
-					exec("$acme --install-cert -d $hostname $acme_key $acme_chain");
+					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 					$issued_successfully = true;
+				} else {
+					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 				}
 			// Else, we attempt to use the official LE certbot client certbot
 			} else {
@@ -2947,11 +2960,11 @@ public function make_ispconfig_ssl_cert() {
 
 					// If this is a webserver
 					if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
-						exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('postmaster@$hostname') . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
+						exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
 					}
 					// Else, it is not webserver, so we use standalone
 					else {
-						exec("$le_client $certonly $acme_version --standalone --email " . escapeshellarg('postmaster@$hostname') . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
+						exec("$le_client $certonly $acme_version --standalone --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
 					}
 
 					if($ret == 0) {
@@ -2969,7 +2982,11 @@ public function make_ispconfig_ssl_cert() {
 						}
 
 						$issued_successfully = true;
+					} else {
+						swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
 					}
+				} else {
+					swriteln('Did not find any valid acme client (acme.sh or certbot)');
 				}
 			}
 
@@ -2978,13 +2995,24 @@ public function make_ispconfig_ssl_cert() {
 					symlink($vhost_conf_dir.'/ispconfig.conf', $vhost_conf_enabled_dir.'/000-ispconfig.conf');
 				}
 			}
-		} elseif(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {
-			// the directory already exists so we have to assume that it was created previously
-			$issued_successfully = true;
+		} else {
+			if($conf['apache']['installed'] == true) {
+				$this->make_acme_vhost($hostname, 'apache', false); // we need this config file but we don't want apache to be restarted at this point
+			}
+			if(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {
+				// the directory already exists so we have to assume that it was created previously
+				$issued_successfully = true;
+			}
 		}
 
 		// If the LE SSL certs for this hostname exists
 		if(!is_dir($acme_cert_dir) || !file_exists($check_acme_file) || !$issued_successfully) {
+			if(!$issued_successfully) {
+				swriteln('Could not issue letsencrypt certificate, falling back to self-signed.');
+			} else {
+				swriteln('Issuing certificate seems to have succeeded but ' . $check_acme_file . ' seems to be missing. Falling back to self-signed.');
+			}
+
 			// We can still use the old self-signed method
 			$ssl_pw = substr(md5(mt_rand()), 0, 6);
 			exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");

install/sql/incremental/upd_0090.sql

@@ -0,0 +1,5 @@
+ALTER TABLE `web_domain` ADD  `jailkit_chroot_app_sections` mediumtext NULL DEFAULT NULL;
+ALTER TABLE `web_domain` ADD  `jailkit_chroot_app_programs` mediumtext NULL DEFAULT NULL;
+ALTER TABLE `web_domain` ADD  `delete_unused_jailkit` enum('n','y') NOT NULL DEFAULT 'n';
+ALTER TABLE `web_domain` ADD  `last_jailkit_update` date NULL DEFAULT NULL;
+ALTER TABLE `web_domain` ADD  `last_jailkit_hash` varchar(255) DEFAULT NULL;

install/sql/incremental/upd_dev_collection.sql

@@ -0,0 +1 @@
+

install/sql/ispconfig3.sql

@@ -2084,6 +2084,11 @@ CREATE TABLE `web_domain` (
   `log_retention` int(11) NOT NULL DEFAULT '10',
   `proxy_protocol` enum('n','y') NOT NULL default 'n',
   `server_php_id` INT(11) UNSIGNED NOT NULL DEFAULT 0,
+  `jailkit_chroot_app_sections` mediumtext NULL DEFAULT NULL,
+  `jailkit_chroot_app_programs` mediumtext NULL DEFAULT NULL,
+  `delete_unused_jailkit` enum('n','y') NOT NULL default 'n',
+  `last_jailkit_update` date NULL DEFAULT NULL,
+  `last_jailkit_hash` varchar(255) DEFAULT NULL,
   PRIMARY KEY  (`domain_id`),
   UNIQUE KEY `serverdomain` (  `server_id` , `ip_address`,  `domain` )
 ) DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

install/tpl/apache_acme.conf.master

@@ -1,11 +1,13 @@
-	Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
-
-	<Directory /usr/local/ispconfig/interface/acme>
-		AllowOverride None
+Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
+<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
 		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
 		Require all granted
 		<tmpl_else>
-		Order allow,deny
-		Allow from all
+        Order allow,deny
+        Allow from all
 		</tmpl_if>
-	</Directory>
+        <IfModule mpm_itk_module>
+           AssignUserId ispconfig ispconfig
+        </IfModule>
+</Directory>
+

install/tpl/apache_ispconfig.conf.master

@@ -12,10 +12,10 @@ SetEnvIf Request_URI "^/datalogstatus.php$" dontlog
 
 LogFormat "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
 <tmpl_if name='logging' op='==' value='anon'>
-CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -p -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig env=!dontlog
+CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -p -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig
 </tmpl_if>
 <tmpl_if name='logging' op='==' value='yes'>
-CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig env=!dontlog
+CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig
 </tmpl_if>
 
 <Directory /var/www/clients>
@@ -132,19 +132,6 @@ CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m
 
 Alias /awstats-icon "/usr/share/awstats/icon"
 
-Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
-<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-        Order allow,deny
-        Allow from all
-		</tmpl_if>
-        <IfModule mpm_itk_module>
-           AssignUserId ispconfig ispconfig
-        </IfModule>
-</Directory>
-
 NameVirtualHost *:80
 NameVirtualHost *:443
 <tmpl_loop name="ip_adresses">

install/tpl/server.ini.master

@@ -146,6 +146,7 @@ jailkit_chroot_app_sections=basicshell editors extendedshell netutils ssh sftp s
 jailkit_chroot_app_programs=/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico /usr/bin/mysql /usr/bin/mysqldump /usr/bin/git /usr/bin/git-receive-pack /usr/bin/git-upload-pack /usr/bin/unzip /usr/bin/zip /bin/tar /bin/rm /usr/bin/patch /usr/bin/which /usr/lib/x86_64-linux-gnu/libmemcached.so.11 /usr/lib/x86_64-linux-gnu/libmemcachedutil.so.2 /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.2 /opt/php-5.6.8/bin/php /opt/php-5.6.8/include /opt/php-5.6.8/lib
 jailkit_chroot_cron_programs=/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php
 jailkit_chroot_authorized_keys_template=/root/.ssh/authorized_keys
+jailkit_hardlinks=allow
 
 [vlogger]
 config_dir=/etc

install/update.php

@@ -30,30 +30,30 @@
 
 /*
 	ISPConfig 3 updater.
-	
+
 	-------------------------------------------------------------------------------------
 	- Interactive update
 	-------------------------------------------------------------------------------------
 	run:
-	
+
 	php update.php
-	
+
 	-------------------------------------------------------------------------------------
 	- Noninteractive (autoupdate) mode
 	-------------------------------------------------------------------------------------
-	
+
 	The autoupdate mode can read the updater questions from a .ini style file or from
-	a php config file. Examples for both file types are in the docs folder. 
+	a php config file. Examples for both file types are in the docs folder.
 	See autoinstall.ini.sample and autoinstall.conf_sample.php.
-	
+
 	run:
-	
+
 	php update.php --autoinstall=autoinstall.ini
-	
+
 	or
-	
+
 	php update.php --autoinstall=autoinstall.conf.php
-	
+
 */
 
 error_reporting(E_ALL|E_STRICT);
@@ -263,7 +263,7 @@
 	do {
 		$tmp_mysql_server_host = $inst->free_query('MySQL master server hostname', $conf['mysql']['master_host'],'mysql_master_hostname');
 		$tmp_mysql_server_port = $inst->free_query('MySQL master server port', $conf['mysql']['master_port'],'mysql_master_port');
-		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');	 
+		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');
 		$tmp_mysql_server_admin_password = $inst->free_query('MySQL master server root password', $conf['mysql']['master_admin_password'],'mysql_master_root_password');
 		$tmp_mysql_server_database = $inst->free_query('MySQL master server database name', $conf['mysql']['master_database'],'mysql_master_database');
 
@@ -474,7 +474,7 @@
 				$inst->configure_apps_vhost();
 			} else swriteln('Skipping config of Apps vhost');
 		}
-	
+
 		//* Configure Jailkit
 		if($inst->reconfigure_app('Jailkit', $reconfigure_services_answer)) {
 			swriteln('Configuring Jailkit');
@@ -540,6 +540,8 @@
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
     if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
         $inst->make_ispconfig_ssl_cert();
+} else {
+	swriteln('Certificate exists. Not creating a new one.');
 }
 
 $inst->install_ispconfig();

interface/lib/classes/remoting.inc.php

@@ -59,11 +59,6 @@ public function __construct($methods = array())
 		$app->uses('remoting_lib');
 
 		$this->_methods = $methods;
-
-		/*
-        $this->app = $app;
-        $this->conf = $conf;
-		*/
 	}
 
 	//* remote login function