Merge remote-tracking branch 'origin/develop' into patch-bind-zonefiles-prefix

Author: helmo

.gitignore

@@ -1,5 +1,6 @@
 .idea
 /nbproject/private/
+.vscode
 .phplint-cache
 *.swp
 

docs/autoinstall_samples/autoinstall.conf_sample.php

@@ -61,7 +61,7 @@
 $autoupdate['ispconfig_postfix_ssl_symlink'] = 'y';
 $autoupdate['ispconfig_pureftpd_ssl_symlink'] = 'y';
 
-/* These are for service-detection (defaulting to old behaviour where alle changes were automatically accepted) */
+/* These are for service-detection (defaulting to old behaviour where all changes were automatically accepted) */
 $autoupdate['svc_detect_change_mail_server'] = 'yes'; // yes (default), no
 $autoupdate['svc_detect_change_web_server'] = 'yes'; // yes (default), no
 $autoupdate['svc_detect_change_dns_server'] = 'yes'; // yes (default), no

docs/autoinstall_samples/autoinstall.ini.sample

@@ -60,7 +60,7 @@ ignore_hostname_dns=n
 ispconfig_postfix_ssl_symlink=y
 ispconfig_pureftpd_ssl_symlink=y
 
-; These are for service-detection (defaulting to old behaviour where alle changes were automatically accepted)
+; These are for service-detection (defaulting to old behaviour where all changes were automatically accepted)
 svc_detect_change_mail_server=yes
 svc_detect_change_web_server=yes
 svc_detect_change_dns_server=yes

install/dist/lib/gentoo.lib.php

@@ -4,41 +4,83 @@
 # for the ISPConfig controlpanel
 ######################################################
 
-{vhost_port_listen} Listen {vhost_port}
-<tmpl_if name='apache_version' op='<' value='2.4' format='version'>
-  # NameVirtualHost *:{vhost_port}
-</tmpl_if>
+<tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port">
+NameVirtualHost *:<tmpl_var name="vhost_port">
 
-<VirtualHost _default_:{vhost_port}>
+<VirtualHost _default_:<tmpl_var name="vhost_port">>
   ServerAdmin webmaster@localhost
 
   Alias /mail /var/www/ispconfig/mail
 
+  <Directory /var/www/ispconfig/>
+    <FilesMatch "\.ph(p3?|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
+  <Directory /usr/local/ispconfig/interface/web/>
+    <FilesMatch "\.ph(p3?|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
+  
   <IfModule mod_fcgid.c>
     DocumentRoot /var/www/ispconfig/
     SuexecUserGroup ispconfig ispconfig
     <Directory /var/www/ispconfig/>
-      Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
+      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
       AllowOverride AuthConfig Indexes Limit Options FileInfo
-      <FilesMatch "\.ph(p[3-5]?|tml)$">
+      <FilesMatch "\.php$">
            SetHandler fcgid-script
       </FilesMatch>
       FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
       Order allow,deny
       Allow from all
+      </tmpl_if>
     </Directory>
     DirectoryIndex index.php
+    IPCCommTimeout  7200
+    MaxRequestLen 15728640
+  </IfModule>
+  
+  <IfModule mod_proxy_fcgi.c>
+    DocumentRoot /usr/local/ispconfig/interface/web
+    SuexecUserGroup ispconfig ispconfig
+    DirectoryIndex index.php
+
+    <Directory /usr/local/ispconfig/interface/web>
+      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
+      AllowOverride AuthConfig Indexes Limit Options FileInfo
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
+      Order allow,deny
+      Allow from all
+      </tmpl_if>
+      <FilesMatch \.php$>
+         #SetHandler "proxy:unix:/var/lib/php5-fpm/ispconfig.sock|fcgi://localhost"
+         SetHandler "proxy:fcgi://127.0.0.1:9000"
+      </FilesMatch>
+    </Directory>
   </IfModule>
 
-  <IfModule mod_php5.c>
+  <IfModule mpm_itk_module>
     DocumentRoot /usr/local/ispconfig/interface/web/
+    AssignUserId ispconfig ispconfig
     AddType application/x-httpd-php .php
     <Directory /usr/local/ispconfig/interface/web>
+      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
       Options +FollowSymLinks
       AllowOverride None
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
       Order allow,deny
       Allow from all
-	  php_value magic_quotes_gpc        0
+      </tmpl_if>
+      php_value magic_quotes_gpc        0
     </Directory>
   </IfModule>
 
@@ -51,20 +93,53 @@
   </IfModule>
 
   # SSL Configuration
-  {ssl_comment}SSLEngine On
-  {ssl_comment}SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
-  {ssl_comment}SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_comment">SSLEngine On
+  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
+  <tmpl_else>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
+  </tmpl_if>
+  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
+  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
 
-</VirtualHost>
+  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
+  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLCompression Off
+  </tmpl_if>
+  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
+  <tmpl_var name="ssl_comment">SSLSessionTickets Off
+  </tmpl_if>
 
-<Directory /var/www/php-cgi-scripts>
-    AllowOverride None
-    Order Deny,Allow
-    Deny from all
-</Directory>
+  <IfModule mod_headers.c>
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
+    <IfModule mod_version.c>
+      <IfVersion >= 2.4.7>
+          Header setifempty Strict-Transport-Security "max-age=15768000"
+      </IfVersion>
+      <IfVersion < 2.4.7>
+          Header set Strict-Transport-Security "max-age=15768000"
+      </IfVersion>
+    </IfModule>
+    RequestHeader unset Proxy early
+  </IfModule>
+
+  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLUseStapling On
+  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
+  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
+  </tmpl_if>
+  
+  # Redirect http to https
+  ErrorDocument 400 "<script>document.location.href='https://'+location.hostname+':'+location.port';</script><h1>Error 400 - trying to redirect</h1>"
+
+</VirtualHost>
 
-<Directory /var/www/php-fcgi-scripts>
-    AllowOverride None
-    Order Deny,Allow
-    Deny from all
-</Directory>

install/dist/tpl/gentoo/apache_ispconfig.vhost.master

@@ -547,16 +547,15 @@ function remove_blank_lines($input, $file = 1){
 		$content = $input;
 	}
 	$lines = explode("\n", $content);
+	$new_lines = array();
 	if(!empty($lines)){
 		foreach($lines as $line){
 			if(trim($line) != '') $new_lines[] = $line;
 		}
 	}
-	if(is_array($new_lines)){
-		$content = implode("\n", $new_lines);
-	} else {
-		$content = '';
-	}
+
+	$content = implode("\n", $new_lines);
+
 	if($file){
 		wf($input, $content);
 	}else{

install/lib/install.lib.php

@@ -52,7 +52,7 @@ private function install_acme() {
 	}
 
 	public function update_acme() {
-		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
+		$acme = explode("\n", (string)shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
 		$acme = reset($acme);
 		$val = 0;
 
@@ -838,9 +838,9 @@ public function process_postfix_config($configfile) {
 			$addr_cleanup = "'%u'";
 			foreach (str_split($out[0]) as $delim) {
 				$recipient_delimiter = $this->db->escape( str_replace('%', '%%', $delim) );
-				$addr_cleanup = "SUBSTRING_INDEX(${addr_cleanup}, '${recipient_delimiter}', 1)";
+				$addr_cleanup = "SUBSTRING_INDEX({$addr_cleanup}, '{$recipient_delimiter}', 1)";
 			}
-			$no_addr_extension = "CONCAT(${addr_cleanup}, '@%d')";
+			$no_addr_extension = "CONCAT({$addr_cleanup}, '@%d')";
 		} else {
 			$no_addr_extension = "''";
 		}
@@ -1525,15 +1525,15 @@ public function configure_dovecot() {
 		foreach ($options as $value) {
 			$value = trim($value);
 			if ($value == '') continue;
-			if (preg_match("|check_recipient_access\s+proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+			if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
 				continue;
 			}
 			$new_options[] = $value;
 		}
 		if ($configure_lmtp && (!isset($conf['mail']['content_filter']) || $conf['mail']['content_filter'] === 'amavisd')) {
 			for ($i = 0; isset($new_options[$i]); $i++) {
 				if ($new_options[$i] == 'reject_unlisted_recipient') {
-					array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${config_dir}/mysql-verify_recipients.cf"));
+					array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:{$config_dir}/mysql-verify_recipients.cf"));
 					break;
 				}
 			}
@@ -1712,7 +1712,7 @@ public function configure_amavis() {
 			// Check for amavisd -> pure webserver with postfix for mailing without antispam
 			if ($conf['amavis']['installed']) {
 				$content_filter_service = ($configure_lmtp) ? 'lmtp' : 'amavis';
-				$postconf_commands[] = "content_filter = ${content_filter_service}:[127.0.0.1]:10024";
+				$postconf_commands[] = "content_filter = {$content_filter_service}:[127.0.0.1]:10024";
 				$postconf_commands[] = 'receive_override_options = no_address_mappings';
 				$postconf_commands[] = 'address_verify_virtual_transport = smtp:[127.0.0.1]:10025';
 				$postconf_commands[] = 'address_verify_transport_maps = static:smtp:[127.0.0.1]:10025';
@@ -1723,15 +1723,15 @@ public function configure_amavis() {
 			foreach ($options as $value) {
 				$value = trim($value);
 				if ($value == '') continue;
-				if (preg_match("|check_recipient_access\s+proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+				if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
 					continue;
 				}
 				$new_options[] = $value;
 			}
 			if ($configure_lmtp) {
 				for ($i = 0; isset($new_options[$i]); $i++) {
 					if ($new_options[$i] == 'reject_unlisted_recipient') {
-						array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${config_dir}/mysql-verify_recipients.cf"));
+						array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:{$config_dir}/mysql-verify_recipients.cf"));
 						break;
 					}
 				}
@@ -1868,7 +1868,7 @@ public function configure_rspamd() {
 				if (preg_match('/check_policy_service\s+inet:127.0.0.1:10023/', $value)) {
 					continue;
 				}
-				if (preg_match("|check_recipient_access\s+proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+				if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
 					continue;
 				}
 				$new_options[] = $value;
@@ -1935,10 +1935,10 @@ public function configure_rspamd() {
 		);
 		foreach ($local_d as $f) {
 			$tpl = new tpl();
-			if (file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
-				$tpl->newTemplate($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master");
+			if (file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				$tpl->newTemplate($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master");
 			} else {
-				$tpl->newTemplate("rspamd_${f}.master");
+				$tpl->newTemplate("rspamd_{$f}.master");
 			}
 
 			$tpl->setVar('dkim_path', $mail_config['dkim_path']);
@@ -1950,7 +1950,7 @@ public function configure_rspamd() {
 				$tpl->setLoop('local_addrs', $local_addrs);
 			}
 
-			wf("/etc/rspamd/local.d/${f}", $tpl->grab());
+			wf("/etc/rspamd/local.d/{$f}", $tpl->grab());
 		}
 
 
@@ -1967,10 +1967,10 @@ public function configure_rspamd() {
 			'arc.conf',
 		);
 		foreach ($local_d as $f) {
-			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
-				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/local.d/${f}");
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/local.d/{$f}");
 			} else {
-				exec("cp tpl/rspamd_${f}.master /etc/rspamd/local.d/${f}");
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/local.d/{$f}");
 			}
 		}
 
@@ -1980,10 +1980,10 @@ public function configure_rspamd() {
 			'surbl_group.conf',
 		);
 		foreach ($override_d as $f) {
-			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
-				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/override.d/${f}");
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/override.d/{$f}");
 			} else {
-				exec("cp tpl/rspamd_${f}.master /etc/rspamd/override.d/${f}");
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/override.d/{$f}");
 			}
 		}
 
@@ -1995,10 +1995,10 @@ public function configure_rspamd() {
 			'spf_whitelist.inc.ispc',
 		);
 		foreach ($maps_d as $f) {
-			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
-				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/local.d/maps.d/${f}");
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/local.d/maps.d/{$f}");
 			} else {
-				exec("cp tpl/rspamd_${f}.master /etc/rspamd/local.d/maps.d/${f}");
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/local.d/maps.d/{$f}");
 			}
 		}
 
@@ -3145,11 +3145,11 @@ public function make_ispconfig_ssl_cert() {
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
-					exec("$acme --issue --log $acme_log -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
+					exec("$acme --issue --keylength 4096 --log $acme_log -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
 				}
 				// Else, it is not webserver, so we use standalone
 				else {
-					exec("$acme --issue --log $acme_log --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
+					exec("$acme --issue --keylength 4096 --log $acme_log --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
 				}
 
 				if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {

install/lib/installer_base.lib.php

@@ -1,10 +1,15 @@
+alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
+alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
 virtual_alias_domains = proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf
 virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_maps.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
 virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf
 virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf
 virtual_mailbox_base = {vmail_mailbox_base}
 virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
 virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
+sender_bcc_maps = proxy:mysql:{config_dir}/mysql-virtual_outgoing_bcc.cf
+inet_protocols=all
+inet_interfaces = all
 smtpd_sasl_auth_enable = yes
 broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
@@ -35,7 +40,7 @@ header_checks = regexp:{config_dir}/header_checks
 mime_header_checks = regexp:{config_dir}/mime_header_checks
 nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
-inet_interfaces = all
+owner_request_special = no
 smtp_tls_security_level = may
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_protocols = !SSLv2,!SSLv3