Merge branch '6579-http2-directive-deprecated' into 'develop'

Till Brehm · Till Brehm · commit fa4d805ca43e · 2024-05-26T14:21:56.000Z
Use new http2 directive for Nginx versions &gt; 1.25.0

See merge request ispconfig/ispconfig3!1891
diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
@@ -17,10 +17,10 @@ server {
         listen [::]:<tmpl_var name='http_port'>;
 </tmpl_if>
 <tmpl_if name='ssl_enabled'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='use_proxy_protocol' op='==' value='y'>
 <tmpl_if name='proxy_protocol_https' op='>' value='0'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl http2 proxy_protocol;
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl<tmpl_var name='http2_directive_compat_quirk'> proxy_protocol;
 </tmpl_if>
 </tmpl_if>
 
@@ -32,18 +32,22 @@ server {
 		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 		# ssl_prefer_server_ciphers on;
 <tmpl_if name='ipv6_enabled'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='use_proxy_protocol_ipv6' op='==' value='y'>
 <tmpl_if name='proxy_protocol_https' op='>' value='0'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='proxy_protocol_https'> ssl http2 proxy_protocol;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='proxy_protocol_https'> ssl<tmpl_var name='http2_directive_compat_quirk'> proxy_protocol;
 </tmpl_if>
 </tmpl_if>
 </tmpl_if>
 <tmpl_if name='ipv6_wildcard'>
-        listen [::]:<tmpl_var name='https_port'> ssl http2;
+        listen [::]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
         ssl_certificate <tmpl_var name='ssl_crt_file'>;
         ssl_certificate_key <tmpl_var name='ssl_key_file'>;
+<tmpl_if name='nginx_full_version' op='>' value='1.25.0' format='version'>
+
+	http2 on;
+</tmpl_if>
 </tmpl_if>
 
         server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
@@ -383,17 +387,22 @@ server {
 
 
 <tmpl_if name='ssl_enabled'>
-        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
+        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 <tmpl_if name='ipv6_enabled'>
-        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
+        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
 <tmpl_if name='ipv6_wildcard'>
-        listen [::]:<tmpl_var name='https_port'> ssl http2;
+        listen [::]:<tmpl_var name='https_port'> ssl<tmpl_var name='http2_directive_compat_quirk'>;
 </tmpl_if>
         ssl_certificate <tmpl_var name='ssl_crt_file'>;
         ssl_certificate_key <tmpl_var name='ssl_key_file'>;
 </tmpl_if>
 
+<tmpl_if name='nginx_full_version' op='>' value='1.25.0' format='version'>
+
+	http2 on;
+</tmpl_if>
+
         server_name <tmpl_var name='rewrite_domain'>;
 
 <tmpl_if name='alias_seo_redirects2'>
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
@@ -1338,7 +1338,7 @@ function update($event_name, $data) {
 			$trans = array(
 				'{DOCROOT}' => $vhost_data['web_document_root_www'],
 				'{DOCROOT_CLIENT}' => $vhost_data['web_document_root'],
-        '{DOMAIN}' => $vhost_data['domain'],
+				'{DOMAIN}' => $vhost_data['domain'],
 				'{FASTCGIPASS}' => 'fastcgi_pass '.($data['new']['php_fpm_use_socket'] == 'y'? 'unix:'.$fpm_socket : '127.0.0.1:'.$vhost_data['fpm_port']).';'
 			);
 			foreach($nginx_directive_lines as $nginx_directive_line){
@@ -1614,17 +1614,28 @@ function update($event_name, $data) {
 		$vhost_data['logging'] = $web_config['logging'];
 
 		// Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time and when it was linked against OpenSSL(>=1.1.1) at runtime.
-		$nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'built with OpenSSL\' | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
-		$nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with OpenSSL\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
-		if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
-			&& version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
-			&& (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
-			$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
-			$vhost_data['tls13_supported'] = "y";
+		if($data['new']['ssl'] == 'y') {
+			$nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'built with OpenSSL\' | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+			$nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with OpenSSL\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+			if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
+				&& version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
+				&& (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
+					$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
+					$vhost_data['tls13_supported'] = "y";
+			}
+		}
+
+		// Nginx >= 1.25.1 uses a dedicated directive to enable HTTP/2 support
+		// This is a quirk for Nginx legacy versions (or simply Nginx < 1.25.1) and restores the required http2 parameter in the listen directive
+		if(version_compare($app->system->getnginxversion(true), '1.25.1', '<')) {
+			$vhost_data['http2_directive_compat_quirk'] = " http2";
 		}
 
 		$tpl->setVar($vhost_data);
 
+		$tpl->setVar('nginx_version', $app->system->getnginxversion());
+		$tpl->setVar('nginx_full_version', $app->system->getnginxversion(true));
+
 		$server_alias = array();
 
 		// get autoalias
@@ -1982,25 +1993,25 @@ function update($event_name, $data) {
 			$this->awstats_update($data, $web_config);
 		}
 
-                //* Create GoAccess configuration
-                if($data['new']['stats_type'] == 'goaccess' && ($data['new']['type'] == 'vhost' || $data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias')) {
-                        $this->goaccess_update($data, $web_config);
-                }
+		//* Create GoAccess configuration
+		if($data['new']['stats_type'] == 'goaccess' && ($data['new']['type'] == 'vhost' || $data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias')) {
+			$this->goaccess_update($data, $web_config);
+		}
 
-                //* Remove the AWstats configuration file
+		//* Remove the AWstats configuration file
 		if($data['old']['stats_type'] == 'awstats' && $data['new']['stats_type'] != 'awstats') {
 			$this->awstats_delete($data, $web_config);
-                }
+		}
 
 		//* Remove the GoAccess configuration file
 		if($data['old']['stats_type'] == 'goaccess' && $data['new']['stats_type'] != 'goaccess') {
 			$this->goaccess_delete($data, $web_config);
 		}
 
-                //* Remove the Webalizer configuration file
+		//* Remove the Webalizer configuration file
 		if($data['old']['stats_type'] == 'webalizer' && $data['new']['stats_type'] != 'webalizer') {
 			$this->webalizer_delete($data, $web_config);
-                }
+		}
 
 		//* Remove Stats-Folder when Statistics set to none
 		if($data['new']['stats_type'] == '' && ($data['new']['type'] == 'vhost' || $data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias')) {
@@ -2625,96 +2636,92 @@ function _create_web_folder_auth_configuration($website){
 
 	//* Update the GoAccess configuration file
 	private function goaccess_update ($data, $web_config) {
-                global $app;
-
-                $web_folder = $data['new']['web_folder'];
-                if($data['new']['type'] == 'vhost') $web_folder = 'web';
-
-                $goaccess_conf_locs = array('/etc/goaccess.conf', '/etc/goaccess/goaccess.conf');
-                $count = 0;
-
-                foreach($goaccess_conf_locs as $goa_loc) {
-                        if(is_file($goa_loc) && (filesize($goa_loc) > 0)) {
-                                $goaccess_conf_main = $goa_loc;
-                                break;
-                        } else {
-                                $count++;
-                                if($count == 2) {
-                                        $app->log("No GoAccess base config found. Make sure that GoAccess is installed and that the goaccess.conf does exist in /etc or /etc/goaccess", LOGLEVEL_WARN);
-                                }
-                        }
-                }
-
-                if(!is_dir($data['new']['document_root'] . "/log/goaccess_db")) $app->system->mkdirpath($data['new']['document_root'] . "/log/goaccess_db");
-		$goaccess_conf = $data['new']['document_root'].'/log/goaccess.conf';
+		global $app;
 
-                /*
-                In case that you use a different log format, you should use a custom goaccess.conf which you'll have to put into /usr/local/ispconfig/server/conf-custom/.
-                By default the originaly with GoAccess shipped goaccess.conf from /etc/ will be used along with the log-format value COMBINED.
-                */
+		$web_folder = $data['new']['web_folder'];
+		if($data['new']['type'] == 'vhost') $web_folder = 'web';
 
-                if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess.conf.master")) {
-                        $app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $goaccess_conf);
+		$goaccess_conf_locs = array('/etc/goaccess.conf', '/etc/goaccess/goaccess.conf');
+		$count = 0;
 
-                } elseif(!file_exists($goaccess_conf)) {
+		foreach($goaccess_conf_locs as $goa_loc) {
+			if(is_file($goa_loc) && (filesize($goa_loc) > 0)) {
+				$goaccess_conf_main = $goa_loc;
+				break;
+			} else {
+				$count++;
+				if($count == 2) {
+					$app->log("No GoAccess base config found. Make sure that GoAccess is installed and that the goaccess.conf does exist in /etc or /etc/goaccess", LOGLEVEL_WARN);
+				}
+			}
+		}
 
-                        /*
-                         By default the goaccess.conf should get copied by the webserver plugin but in case it wasn't, or it got deleted by accident we gonna copy it again to the destination dir.
-                         Also there was no /usr/local/ispconfig/server/conf-custom/goaccess.conf.master, so we gonna use /etc/goaccess.conf as the base conf.
-                         */
+		if(!is_dir($data['new']['document_root'] . "/log/goaccess_db")) $app->system->mkdirpath($data['new']['document_root'] . "/log/goaccess_db");
+		$goaccess_conf = $data['new']['document_root'].'/log/goaccess.conf';
 
-                        $app->system->copy($goaccess_conf_main, $goaccess_conf);
-                        $content = $app->system->file_get_contents($goaccess_conf, true);
-                        $content = preg_replace('/^(#)?log-format COMBINED/m', "log-format COMBINED", $content);
-                        $app->system->file_put_contents($goaccess_conf, $content, true);
-                        unset($content);
+		/*
+		In case that you use a different log format, you should use a custom goaccess.conf which you'll have to put into /usr/local/ispconfig/server/conf-custom/.
+		By default the originaly with GoAccess shipped goaccess.conf from /etc/ will be used along with the log-format value COMBINED.
+		*/
 
-                }
+		if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess.conf.master")) {
+			$app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $goaccess_conf);
+		} elseif(!file_exists($goaccess_conf)) {
+			/*
+			By default the goaccess.conf should get copied by the webserver plugin but in case it wasn't, or it got deleted by accident we gonna copy it again to the destination dir.
+			Also there was no /usr/local/ispconfig/server/conf-custom/goaccess.conf.master, so we gonna use /etc/goaccess.conf as the base conf.
+			*/
 
-                if(file_exists($goaccess_conf)) {
-                        $domain = $data['new']['domain'];
-                        $content = $app->system->file_get_contents($goaccess_conf, true);
-                        $content = preg_replace('/^(#)?html-report-title(.*)/m', "html-report-title $domain", $content);
-                        $app->system->file_put_contents($goaccess_conf, $content, true);
-                        unset($content);
+			$app->system->copy($goaccess_conf_main, $goaccess_conf);
+			$content = $app->system->file_get_contents($goaccess_conf, true);
+			$content = preg_replace('/^(#)?log-format COMBINED/m', "log-format COMBINED", $content);
+			$app->system->file_put_contents($goaccess_conf, $content, true);
+			unset($content);
+		}
 
-                }
+		if(file_exists($goaccess_conf)) {
+			$domain = $data['new']['domain'];
+			$content = $app->system->file_get_contents($goaccess_conf, true);
+			$content = preg_replace('/^(#)?html-report-title(.*)/m', "html-report-title $domain", $content);
+			$app->system->file_put_contents($goaccess_conf, $content, true);
+			unset($content);
+		}
 
-                if(is_file($goaccess_conf) && (filesize($goaccess_conf) > 0)) {
-                        $app->log('Created GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
-                }
+		if(is_file($goaccess_conf) && (filesize($goaccess_conf) > 0)) {
+			$app->log('Created GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
+		}
 
-                if(is_file($data['new']['document_root']."/" . $web_folder . "/stats/index.html")) $app->system->unlink($data['new']['document_root']."/" . $web_folder . "/stats/index.html");
-                if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master")) {
-                        $app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
-                } else {
-                        $app->system->copy("/usr/local/ispconfig/server/conf/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
+		if(is_file($data['new']['document_root']."/" . $web_folder . "/stats/index.html")) $app->system->unlink($data['new']['document_root']."/" . $web_folder . "/stats/index.html");
+		if(file_exists("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master")) {
+			$app->system->copy("/usr/local/ispconfig/server/conf-custom/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
+		} else {
+			$app->system->copy("/usr/local/ispconfig/server/conf/goaccess_index.php.master", $data['new']['document_root']."/" . $web_folder . "/stats/index.php");
 		}
 	}
 
-        //* Delete the GoAccess configuration file
-        private function goaccess_delete ($data, $web_config) {
-                global $app;
+	//* Delete the GoAccess configuration file
+	private function goaccess_delete ($data, $web_config) {
+		global $app;
 
-                $goaccess_conf = $data['old']['document_root'] . "/log/goaccess.conf";
+		$goaccess_conf = $data['old']['document_root'] . "/log/goaccess.conf";
 
-                if ( @is_file($goaccess_conf) ) {
-                        $app->system->unlink($goaccess_conf);
-                        $app->log('Removed GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
-                }
-        }
+		if ( @is_file($goaccess_conf) ) {
+			$app->system->unlink($goaccess_conf);
+			$app->log('Removed GoAccess config file: '.$goaccess_conf, LOGLEVEL_DEBUG);
+			}
+	}
 
-        //* Delete the Webalizer configuration file
-        private function webalizer_delete ($data, $web_config) {
-                global $app;
+	//* Delete the Webalizer configuration file
+	private function webalizer_delete ($data, $web_config) {
+		global $app;
 
-                $webalizer_conf = $data['old']['document_root'] . "/log/webalizer.conf";
+		$webalizer_conf = $data['old']['document_root'] . "/log/webalizer.conf";
 
-                if ( @is_file($webalizer_conf) ) {
-                        $app->system->unlink($webalizer_conf);
-                        $app->log('Removed Webalizer config file: '.$webalizer_conf, LOGLEVEL_DEBUG);
-                }
-        }
+		if ( @is_file($webalizer_conf) ) {
+			$app->system->unlink($webalizer_conf);
+			$app->log('Removed Webalizer config file: '.$webalizer_conf, LOGLEVEL_DEBUG);
+		}
+	}
 
 	//* Update the awstats configuration file
 	private function awstats_update ($data, $web_config) {
