* Support HTTP/2 directive for Nginx > 1.25.0

* Fix intentions
* Only set TLS 1.3 template var and print the debug message if SSL is activated

Author: ms217

server/conf/nginx_vhost.conf.master

@@ -17,15 +17,10 @@ server {
         listen [::]:<tmpl_var name='http_port'>;
 </tmpl_if>
 <tmpl_if name='ssl_enabled'>
-<tmpl_if name='http2_directive_compat_quirk' op='==' value='y'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl;
-	http2 on;
-<tmpl_else>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
-</tmpl_if>
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='use_proxy_protocol' op='==' value='y'>
 <tmpl_if name='proxy_protocol_https' op='>' value='0'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl http2 proxy_protocol;
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl<tmpl_var name='http2_directive_compat_quirk'> proxy_protocol;
 </tmpl_if>
 </tmpl_if>
 
@@ -37,18 +32,22 @@ server {
 		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 		# ssl_prefer_server_ciphers on;
 <tmpl_if name='ipv6_enabled'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='use_proxy_protocol_ipv6' op='==' value='y'>
 <tmpl_if name='proxy_protocol_https' op='>' value='0'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='proxy_protocol_https'> ssl http2 proxy_protocol;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='proxy_protocol_https'> ssl<tmpl_var name='http2_directive_compat_quirk'> proxy_protocol;
 </tmpl_if>
 </tmpl_if>
 </tmpl_if>
 <tmpl_if name='ipv6_wildcard'>
-        listen [::]:<tmpl_var name='https_port'> ssl http2;
+        listen [::]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
         ssl_certificate <tmpl_var name='ssl_crt_file'>;
         ssl_certificate_key <tmpl_var name='ssl_key_file'>;
+<tmpl_if name='nginx_full_version' op='>' value='1.25.0' format='version'>
+
+	http2 on;
+</tmpl_if>
 </tmpl_if>
 
         server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
@@ -386,12 +385,12 @@ server {
 
 
 <tmpl_if name='ssl_enabled'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='ipv6_enabled'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
 <tmpl_if name='ipv6_wildcard'>
-        listen [::]:<tmpl_var name='https_port'> ssl http2;
+        listen [::]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
         ssl_certificate <tmpl_var name='ssl_crt_file'>;
         ssl_certificate_key <tmpl_var name='ssl_key_file'>;

server/plugins-available/nginx_plugin.inc.php

@@ -1617,19 +1617,24 @@ function update($event_name, $data) {
 		$nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with OpenSSL\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
 		if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
 			&& version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
-			&& (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
+			&& (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))
+			&& $data['new']['ssl'] == 'y') {
 			$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
 			$vhost_data['tls13_supported'] = "y";
 		}
 
-		// Nginx >= 1.25.0 uses a dedicated directive to enable HTTP/2 support
-		if(version_compare($app->system->getnginxversion(true), '1.25.0', '>=')) {
-			$vhost_data['http2_directive_compat_quirk'] = "y";
 
+
+		// Nginx >= 1.25.1 uses a dedicated directive to enable HTTP/2 support
+		if(version_compare($app->system->getnginxversion(true), '1.25.1', '<')) {
+			$vhost_data['http2_directive_compat_quirk'] = " http2";
 		}
 
 		$tpl->setVar($vhost_data);
 
+		$tpl->setVar('nginx_version', $app->system->getnginxversion());
+		$tpl->setVar('nginx_full_version', $app->system->getnginxversion(true));
+
 		$server_alias = array();
 
 		// get autoalias
@@ -2630,96 +2635,92 @@ function _create_web_folder_auth_configuration($website){
 
 	//* Update the GoAccess configuration file
 	private function goaccess_update ($data, $web_config) {
-                global $app;
-
-                $web_folder = $data['new']['web_folder'];
-                if($data['new']['type'] == 'vhost') $web_folder = 'web';
-
-                $goaccess_conf_locs = array('/etc/goaccess.conf', '/etc/goaccess/goaccess.conf');
-                $count = 0;
-
-                foreach($goaccess_conf_locs as $goa_loc) {
-                        if(is_file($goa_loc) && (filesize($goa_loc) > 0)) {
-                                $goaccess_conf_main = $goa_loc;
-                                break;
-                        } else {
-                                $count++;
-                                if($count == 2) {
-                                        $app->log("No GoAccess base config found. Make sure that GoAccess is installed and that the goaccess.conf does exist in /etc or /etc/goaccess", LOGLEVEL_WARN);
-                                }
-                        }
-                }
-
-                if(!is_dir($data['new']['document_root'] . "/log/goaccess_db")) $app->system->mkdirpath($data['new']['document_root'] . "/log/goaccess_db");
-		$goaccess_conf = $data['new']['document_root'].'/log/goaccess.conf';
+		global $app;
 
-                /*
-                In case that you use a different log format, you should use a custom goaccess.conf which you'll have to put into /usr/local/ispconfig/server/conf-custom/.
-                By default the originaly with GoAccess shipped goaccess.conf from /etc/ will be used along with the log-format value COMBINED.
-                */
+		$web_folder = $data['new']['web_folder'];
+		if($data['new']['type'] == 'vhost') $web_folder = 'web';
 
-                if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess.conf.master")) {
-                        $app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $goaccess_conf);
+		$goaccess_conf_locs = array('/etc/goaccess.conf', '/etc/goaccess/goaccess.conf');
+		$count = 0;
 
-                } elseif(!file_exists($goaccess_conf)) {
+		foreach($goaccess_conf_locs as $goa_loc) {
+			if(is_file($goa_loc) && (filesize($goa_loc) > 0)) {
+				$goaccess_conf_main = $goa_loc;
+				break;
+			} else {
+				$count++;
+				if($count == 2) {
+					$app->log("No GoAccess base config found. Make sure that GoAccess is installed and that the goaccess.conf does exist in /etc or /etc/goaccess", LOGLEVEL_WARN);
+				}
+			}
+		}
 
-                        /*
-                         By default the goaccess.conf should get copied by the webserver plugin but in case it wasn't, or it got deleted by accident we gonna copy it again to the destination dir.
-                         Also there was no /usr/local/ispconfig/server/conf-custom/goaccess.conf.master, so we gonna use /etc/goaccess.conf as the base conf.
-                         */
+		if(!is_dir($data['new']['document_root'] . "/log/goaccess_db")) $app->system->mkdirpath($data['new']['document_root'] . "/log/goaccess_db");
+		$goaccess_conf = $data['new']['document_root'].'/log/goaccess.conf';
 
-                        $app->system->copy($goaccess_conf_main, $goaccess_conf);
-                        $content = $app->system->file_get_contents($goaccess_conf, true);
-                        $content = preg_replace('/^(#)?log-format COMBINED/m', "log-format COMBINED", $content);
-                        $app->system->file_put_contents($goaccess_conf, $content, true);
-                        unset($content);
+		/*
+		In case that you use a different log format, you should use a custom goaccess.conf which you'll have to put into /usr/local/ispconfig/server/conf-custom/.
+		By default the originaly with GoAccess shipped goaccess.conf from /etc/ will be used along with the log-format value COMBINED.
+		*/
 
-                }
+		if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess.conf.master")) {
+			$app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $goaccess_conf);
+		} elseif(!file_exists($goaccess_conf)) {
+			/*
+			By default the goaccess.conf should get copied by the webserver plugin but in case it wasn't, or it got deleted by accident we gonna copy it again to the destination dir.
+			Also there was no /usr/local/ispconfig/server/conf-custom/goaccess.conf.master, so we gonna use /etc/goaccess.conf as the base conf.
+			*/
 
-                if(file_exists($goaccess_conf)) {
-                        $domain = $data['new']['domain'];
-                        $content = $app->system->file_get_contents($goaccess_conf, true);
-                        $content = preg_replace('/^(#)?html-report-title(.*)/m', "html-report-title $domain", $content);
-                        $app->system->file_put_contents($goaccess_conf, $content, true);
-                        unset($content);
+			$app->system->copy($goaccess_conf_main, $goaccess_conf);
+			$content = $app->system->file_get_contents($goaccess_conf, true);
+			$content = preg_replace('/^(#)?log-format COMBINED/m', "log-format COMBINED", $content);
+			$app->system->file_put_contents($goaccess_conf, $content, true);
+			unset($content);
+		}
 
-                }
+		if(file_exists($goaccess_conf)) {
+			$domain = $data['new']['domain'];
+			$content = $app->system->file_get_contents($goaccess_conf, true);
+			$content = preg_replace('/^(#)?html-report-title(.*)/m', "html-report-title $domain", $content);
+			$app->system->file_put_contents($goaccess_conf, $content, true);
+			unset($content);
+		}
 
-                if(is_file($goaccess_conf) && (filesize($goaccess_conf) > 0)) {
-                        $app->log('Created GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
-                }
+		if(is_file($goaccess_conf) && (filesize($goaccess_conf) > 0)) {
+			$app->log('Created GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
+		}
 
-                if(is_file($data['new']['document_root']."/" . $web_folder . "/stats/index.html")) $app->system->unlink($data['new']['document_root']."/" . $web_folder . "/stats/index.html");
-                if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master")) {
-                        $app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
-                } else {
-                        $app->system->copy("/usr/local/ispconfig/server/conf/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
+		if(is_file($data['new']['document_root']."/" . $web_folder . "/stats/index.html")) $app->system->unlink($data['new']['document_root']."/" . $web_folder . "/stats/index.html");
+		if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master")) {
+			$app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
+		} else {
+			$app->system->copy("/usr/local/ispconfig/server/conf/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
 		}
 	}
 
-        //* Delete the GoAccess configuration file
-        private function goaccess_delete ($data, $web_config) {
-                global $app;
+	//* Delete the GoAccess configuration file
+	private function goaccess_delete ($data, $web_config) {
+		global $app;
 
-                $goaccess_conf = $data['old']['document_root'] . "/log/goaccess.conf";
+		$goaccess_conf = $data['old']['document_root'] . "/log/goaccess.conf";
 
-                if ( @is_file($goaccess_conf) ) {
-                        $app->system->unlink($goaccess_conf);
-                        $app->log('Removed GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
-                }
-        }
+		if ( @is_file($goaccess_conf) ) {
+			$app->system->unlink($goaccess_conf);
+			$app->log('Removed GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
+			}
+	}
 
-        //* Delete the Webalizer configuration file
-        private function webalizer_delete ($data, $web_config) {
-                global $app;
+	//* Delete the Webalizer configuration file
+	private function webalizer_delete ($data, $web_config) {
+		global $app;
 
-                $webalizer_conf = $data['old']['document_root'] . "/log/webalizer.conf";
+		$webalizer_conf = $data['old']['document_root'] . "/log/webalizer.conf";
 
-                if ( @is_file($webalizer_conf) ) {
-                        $app->system->unlink($webalizer_conf);
-                        $app->log('Removed Webalizer config file: '.$webalizer_conf, LOGLEVEL_DEBUG);
-                }
-        }
+		if ( @is_file($webalizer_conf) ) {
+			$app->system->unlink($webalizer_conf);
+			$app->log('Removed Webalizer config file: '.$webalizer_conf, LOGLEVEL_DEBUG);
+		}
+	}
 
 	//* Update the awstats configuration file
 	private function awstats_update ($data, $web_config) {