forked from hestiacp/hestiacp
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path1.8.0.sh
More file actions
298 lines (251 loc) · 25.2 KB
/
1.8.0.sh
File metadata and controls
298 lines (251 loc) · 25.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
#!/bin/bash
# Hestia Control Panel upgrade script for target version 1.8.0
#######################################################################################
####### Place additional commands below. #######
#######################################################################################
####### upgrade_config_set_value only accepts true or false. #######
####### #######
####### Pass through information to the end user in case of a issue or problem #######
####### #######
####### Use add_upgrade_message "My message here" to include a message #######
####### in the upgrade notification email. Example: #######
####### #######
####### add_upgrade_message "My message here" #######
####### #######
####### You can use \n within the string to create new lines. #######
#######################################################################################
upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'true'
upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'true'
upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'true'
upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
os_release="$(lsb_release -s -i | tr "[:upper:]" "[:lower:]")-$(lsb_release -s -r)"
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
if ! grep -qw "^extra_groups = mail$" /etc/dovecot/conf.d/10-master.conf 2> /dev/null; then
sed -i "s/^service auth {/service auth {\n extra_groups = mail\n/g" /etc/dovecot/conf.d/10-master.conf
fi
if [ -f /etc/dovecot/conf.d/90-sieve.conf ]; then
if ! grep -q "sieve_vacation_send_from_recipient" /etc/dovecot/conf.d/90-sieve.conf 2> /dev/null; then
sed -i "s/^plugin {/plugin {\n # This setting determines whether vacation messages are sent with the SMTP MAIL FROM envelope address set to the recipient address of the Sieve script owner.\n sieve_vacation_send_from_recipient = yes\n/g" /etc/dovecot/conf.d/90-sieve.conf
fi
fi
fi
if [ -f /etc/fail2ban/jail.local ]; then
# Add phpmyadmin rule
if ! grep -qw "phpmyadmin-auth" /etc/fail2ban/jail.local 2> /dev/null; then
sed -i '/\[recidive\]/i [phpmyadmin-auth]\nenabled = true\nfilter = phpmyadmin-syslog\naction = hestia[name=WEB]\nlogpath = /var/log/auth.log\nmaxretry = 5\n' /etc/fail2ban/jail.local
fi
fi
if [ "$MAIL_SYSTEM" = "exim4" ]; then
if [ "$os_release" != "debian-10" ]; then
# Exclude Debian 10...
echo "[ * ] Disable SMTPUTF8 for Exim for now"
if ! grep -qw "^smtputf8_advertise_hosts =" /etc/exim4/exim4.conf.template 2> /dev/null; then
sed -i "/^domainlist local_domains = dsearch;\/etc\/exim4\/domains/i smtputf8_advertise_hosts =" /etc/exim4/exim4.conf.template
fi
fi
fi
# Apply the update for existing users to enable the "Enhanced and Optimized TLS" feature
echo '[ * ] Enable the "Enhanced and Optimized TLS" feature...'
# Configuring global OpenSSL options
tls13_ciphers="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
if ! grep -qw "^[hestia_openssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
if [ "$os_release" = "debian-10" ] || [ "$os_release" = "debian-11" ]; then
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
elif [ "$os_release" = "debian-12" ]; then
if ! grep -qw "^ssl_conf = ssl_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '/providers = provider_sect$/a ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
fi
if ! grep -qw "^[ssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '$a \\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
fi
elif [ "$os_release" = "ubuntu-20.04" ]; then
if ! grep -qw "^openssl_conf = default_conf$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '/^oid_section = new_oids$/a \\n# System default\nopenssl_conf = default_conf' /etc/ssl/openssl.cnf
fi
if ! grep -qw "^[default_conf]$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '$a [default_conf]\nssl_conf = ssl_sect\n\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
fi
elif [ "$os_release" = "ubuntu-22.04" ]; then
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
fi
fi
# Update server configuration files
tls12_ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
if grep -qw "^ssl_min_protocol = TLSv1.2$" /etc/dovecot/conf.d/10-ssl.conf 2> /dev/null; then
sed -i '/^# See #2012 for TLSv1.1 to 1.2 upgrade$/d;/^ssl_cipher_list = .\+$/d;s/^ssl_min_protocol = TLSv1.2/ssl_cipher_list = '"$tls12_ciphers"'\nssl_min_protocol = TLSv1.2/' /etc/dovecot/conf.d/10-ssl.conf
elif grep -qw "^ssl_protocols = \!SSLv3 \!TLSv1 \!TLSv1.1$" /etc/dovecot/conf.d/10-ssl.conf 2> /dev/null; then
sed -i '/^# See #2012 for TLSv1.1 to 1.2 upgrade$/d;/^ssl_cipher_list = .\+$/d;s/^ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1/ssl_cipher_list = '"$tls12_ciphers"'\nssl_protocols = !SSLv3 !TLSv1 !TLSv1.1/' /etc/dovecot/conf.d/10-ssl.conf
fi
fi
if [ "$MAIL_SYSTEM" = "exim4" ]; then
if grep -qw "^tls_on_connect_ports = 465$" /etc/exim4/exim4.conf.template 2> /dev/null; then
sed -i '/^tls_require_ciphers = .\+$/d;s/^tls_on_connect_ports = 465/tls_on_connect_ports = 465\ntls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE/' /etc/exim4/exim4.conf.template
fi
fi
if [ "$FTP_SYSTEM" = "proftpd" ]; then
if grep -qw "^TLSProtocol TLSv1.2$" /etc/proftpd/tls.conf 2> /dev/null; then
sed -i '/^TLSCipherSuite .\+$/d;/^TLSServerCipherPreference .\+$/d;s/^TLSProtocol TLSv1.2/TLSCipherSuite '"$tls12_ciphers"'\nTLSProtocol TLSv1.2 TLSv1.3\nTLSServerCipherPreference on/;s/^#TLSOptions AllowClientRenegotiations/#TLSOptions AllowClientRenegotiations/;s/^TLSOptions NoSessionReuseRequired AllowClientRenegotiations/TLSOptions NoSessionReuseRequired AllowClientRenegotiations/' /etc/proftpd/tls.conf
fi
fi
if [ "$FTP_SYSTEM" = "vsftpd" ]; then
if grep -q "^ssl_ciphers=.\+$" /etc/vsftpd/vsftpd.conf 2> /dev/null; then
sed -i 's/^ssl_ciphers=.\+$/ssl_ciphers='"$tls12_ciphers"'/' /etc/vsftpd/vsftpd.conf
fi
fi
if [ "$WEB_SYSTEM" = "nginx" ] || [ "$PROXY_SYSTEM" = "nginx" ]; then
# Little trick to bypass on my private fork :)
if ! grep -q "quic_bpf" /etc/nginx/nginx.conf && ! grep -q "spdy_headers_comp" /etc/nginx/nginx.conf; then
# Syncing "/etc/nginx/nginx.conf" with mainline, to fix the **** caused by formatter or forgetting to apply updates
echo "[ * ] Syncing NGINX configuration with mainline..."
trap 'rm -fr "$dir_for_compare" /etc/nginx/nginx.conf-staging' EXIT
dir_for_compare="$(mktemp -d)"
nginx_conf_local="$dir_for_compare"/nginx.conf-local
nginx_conf_commit="$dir_for_compare"/nginx.conf-commit
sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' /etc/nginx/nginx.conf | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_local"
# For installations before v1.6.8 (from commit 9b544be to commit b2ad154)
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/b2ad1549a21655837056e4b7883970d51a4b324f/install/deb/nginx/nginx.conf \
| sed 's/fastcgi_buffers 4 256k;/fastcgi_buffers 8 256k;/g;s|/var/run/|/run/|g;/set_real_ip_from/d;/real_ip_header/d;s|# Cloudflare https://www.cloudflare.com/ips|# Cloudflare https://www.cloudflare.com/ips\n include /etc/nginx/conf.d/cloudflare.inc;|g' \
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-b2ad154
# For installations after v1.6.8 but before v1.7.0 (from commit b2ad154 to commit 015b20a)
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/015b20ae1ffb82faaf58b41a5dc9ad1b078b785f/install/deb/nginx/nginx.conf \
| sed 's|/var/run/|/run/|g;/set_real_ip_from/d;/real_ip_header/d;s|# Cloudflare https://www.cloudflare.com/ips|# Cloudflare https://www.cloudflare.com/ips\n include /etc/nginx/conf.d/cloudflare.inc;|g' \
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-015b20a
# For installations after v1.7.0 (commit 555f892)
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/555f89243e54e02458586ae4f7999458cc9d33e9/install/deb/nginx/nginx.conf \
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-555f892
for commit in b2ad154 015b20a 555f892; do
if cmp -s "$nginx_conf_local" "$nginx_conf_commit"-"$commit" 2> /dev/null; then
nginx_conf_compare="same"
cp -f "$HESTIA_INSTALL_DIR"/nginx/nginx.conf /etc/nginx
break
fi
done
if [ "$nginx_conf_compare" != "same" ]; then
echo -e "[ ! ] Manual action required, please view:\n[ - ] $HESTIA_BACKUP/message.log"
add_upgrade_message "Manual Action Required [IMPORTANT]\n\nTo enable the \"Enhanced and Optimized TLS\" feature, we must update the NGINX configuration file (/etc/nginx/nginx.conf).\n\nBut for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.\n\nPlease follow the default configuration file to sync it:\n$HESTIA_INSTALL_DIR/nginx/nginx.conf\n\nBacked up configuration file:\n$HESTIA_BACKUP/conf/nginx/nginx.conf\n\nLearn more:\nhttps://github.com/hestiacp/hestiacp/pull/3555\n\n"
"$BIN"/v-add-user-notification admin "IMPORTANT: Manual Action Required" '<p>To enable the "Enhanced and Optimized TLS" feature, we must update the NGINX configuration file at <code>/etc/nginx/nginx.conf</code>.</p><p>But for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.</p><p>Please follow the default configuration file to sync it:<br><code>'"$HESTIA_INSTALL_DIR"'/nginx/nginx.conf</code></p><p>Backed up configuration file:<br><code>'"$HESTIA_BACKUP"'/conf/nginx/nginx.conf</code></p><p>Visit PR <a href="https://github.com/hestiacp/hestiacp/pull/3555" target="_blank">#3555</a> on GitHub to learn more.</p>'
sed -i "s/""$(grep -m 1 "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='1'/" "$HESTIA"/data/users/admin/notifications.conf
cp -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf-staging
# Apply previously missed updates
sed -i 's/fastcgi_buffers 4 256k;/fastcgi_buffers 8 256k;/;s|https://www.cloudflare.com/||;s/# Cache settings/# Proxy cache/' /etc/nginx/nginx.conf-staging
# Formatting
echo "" >> /etc/nginx/nginx.conf-staging
sed -i '/^[ \t]*$/d;s/^ worker_connections 1024;/\tworker_connections 1024;/;s/^ use epoll;/\tuse epoll;/;s/^ multi_accept on;/\tmulti_accept on;/;s/^ /\t\t/g;s/^ /\t/g;s/^# Worker config/\n# Worker config/;s/^http {/\nhttp {/;s/^\t# Cache bypass/\n\t# Cache bypass/;s/^\t# File cache (static assets)/\n\t# File cache (static assets)/;s/^user www-data;/user www-data;/;s/^worker_processes auto;/worker_processes auto;/;s/^worker_rlimit_nofile 65535;/worker_rlimit_nofile 65535;/;s|^error_log /var/log/nginx/error.log;|error_log /var/log/nginx/error.log;|;s|^pid /run/nginx.pid;|pid /run/nginx.pid;|;s|^include /etc/nginx/modules-enabled/\*.conf;|include /etc/nginx/modules-enabled/\*.conf;|;s/log_not_found off;/log_not_found off;/;s/access_log off;/access_log off;/;s|include /etc/nginx/mime.types;|include /etc/nginx/mime.types;|;s|default_type application/octet-stream;|default_type application/octet-stream;|;s/default 0;/default 0;/;s/~SESS 1;/~SESS 1;/;s|include /etc/nginx/conf.d/|include /etc/nginx/conf.d/|g' /etc/nginx/nginx.conf-staging
# Prepare for update
sed -i '/proxy_bu/d;/proxy_temp/d;/log_format/d;/body_bytes_sent/d;/http_user_agent/d;/gzip/d;/application\/j/d;/application\/x/d;/ssl_/d;/resolver/d;/error_page/d;/\/var\/cache\/nginx/d;/max_size=/d;/_cache_key/d;/_ignore_headers/d;/_cache_use_stale/d;/_cache_valid/d;/_cache_methods/d;/add_header/d;/open_file_cache/d' /etc/nginx/nginx.conf-staging
# Apply the update
sed -i 's/client_max_body_size 256m;/client_max_body_size 1024m;/;s/keepalive_requests 100000;/keepalive_requests 10000;/;s/fastcgi_buffers 8 256k;/fastcgi_buffers 512 4k;/;s/proxy_pass_header Set-Cookie;/proxy_pass_header Set-Cookie;\n\tproxy_buffers 256 4k;\n\tproxy_buffer_size 32k;\n\tproxy_busy_buffers_size 32k;\n\tproxy_temp_file_write_size 256k;/;s/# Log format/# Log format\n\tlog_format main '"'"'$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'"'"';\n\tlog_format bytes '"'"'$body_bytes_sent'"'"';/;s|# Compression|# Compression\n\tgzip on;\n\tgzip_vary on;\n\tgzip_static on;\n\tgzip_comp_level 6;\n\tgzip_min_length 1024;\n\tgzip_buffers 128 4k;\n\tgzip_http_version 1.1;\n\tgzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;\n\tgzip_proxied any;|;s/# Cloudflare ips/# Cloudflare IPs/;s|# SSL PCI compliance|# SSL PCI compliance\n\tssl_buffer_size 1369;\n\tssl_ciphers "'"$tls12_ciphers"'";\n\tssl_dhparam /etc/ssl/dhparam.pem;\n\tssl_early_data on;\n\tssl_ecdh_curve auto;\n\tssl_prefer_server_ciphers on;\n\tssl_protocols TLSv1.2 TLSv1.3;\n\tssl_session_cache shared:SSL:20m;\n\tssl_session_tickets on;\n\tssl_session_timeout 7d;\n\tresolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;\n\tresolver_timeout 5s;|;s|# Error pages|# Error pages\n\terror_page 403 /error/404.html;\n\terror_page 404 /error/404.html;\n\terror_page 410 /error/410.html;\n\terror_page 500 501 502 503 504 505 /error/50x.html;|;s|# Proxy cache|# Proxy cache\n\tproxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;\n\tproxy_cache_key "$scheme$request_method$host$request_uri";\n\tproxy_temp_path /var/cache/nginx/temp;\n\tproxy_ignore_headers Cache-Control Expires;\n\tproxy_cache_use_stale error timeout invalid_header updating http_502;\n\tproxy_cache_valid any 1d;|;s|# FastCGI cache|# FastCGI cache\n\tfastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;\n\tfastcgi_cache_key "$scheme$request_method$host$request_uri";\n\tfastcgi_ignore_headers Cache-Control Expires Set-Cookie;\n\tfastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;\n\tadd_header X-FastCGI-Cache $upstream_cache_status;|;s/# File cache (static assets)/# File cache (static assets)\n\topen_file_cache max=10000 inactive=30s;\n\topen_file_cache_valid 60s;\n\topen_file_cache_min_uses 2;\n\topen_file_cache_errors off;/' /etc/nginx/nginx.conf-staging
# Apply the update for implement TLS 1.3 0-RTT anti-replay and upcoming HTTP/3 support
sed -i '/\/etc\/nginx\/conf\.d\/main\/\*\.conf;/d;/pid \/run\/nginx.pid;/a include /etc/nginx/conf.d/main/*.conf;' /etc/nginx/nginx.conf-staging
sed -i '/Early-Data/d;/proxy_set_header Host $host;/a \\tproxy_set_header Early-Data $rfc_early_data;' /etc/nginx/nginx.conf-staging
# Verify new configuration file
if nginx -c /etc/nginx/nginx.conf-staging -t > /dev/null 2>&1; then
mv -f /etc/nginx/nginx.conf-staging /etc/nginx/nginx.conf
fi
fi
# Implement TLS 1.3 0-RTT anti-replay
echo -e "[ * ] TLS 1.3 0-RTT anti-replay for NGINX, please view:\n[ - ] $HESTIA_BACKUP/message.log"
add_upgrade_message "About TLS 1.3 0-RTT anti-replay for NGINX\n\nIf you use custom templates, please update them (*.stpl) to apply this protection.\n\nFollow the usage or other default templates:\n/etc/nginx/conf.d/0rtt-anti-replay.conf\n\nLearn more:\nhttps://github.com/hestiacp/hestiacp/pull/3692"
"$BIN"/v-add-user-notification admin "About TLS 1.3 0-RTT anti-replay for NGINX" '<p>If you use custom templates, please update them (*.stpl) to apply this protection.</p><p>Follow the usage or other default templates:<br><code>/etc/nginx/conf.d/0rtt-anti-replay.conf</code></p><p>Visit PR <a href="https://github.com/hestiacp/hestiacp/pull/3692" target="_blank">#3692</a> on GitHub to learn more.</p>'
if grep -qw "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf 2> /dev/null; then
sed -i "s/""$(grep -m 1 "About TLS 1.3 0-RTT anti-replay for NGINX" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='2'/" "$HESTIA"/data/users/admin/notifications.conf
else
sed -i "s/""$(grep -m 1 "About TLS 1.3 0-RTT anti-replay for NGINX" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='1'/" "$HESTIA"/data/users/admin/notifications.conf
fi
cp -f "$HESTIA_INSTALL_DIR"/nginx/0rtt-anti-replay.conf /etc/nginx/conf.d
# Update resolver for NGINX
for nameserver in $(grep -is '^nameserver' /etc/resolv.conf | cut -d' ' -f2 | tr '\r\n' ' ' | xargs); do
if [[ "$nameserver" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
if [ -z "$resolver" ]; then
resolver="$nameserver"
else
resolver="$resolver $nameserver"
fi
fi
done
if [ -n "$resolver" ]; then
sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
fi
# Update some configuration files
cp -f "$HESTIA_INSTALL_DIR"/nginx/phpmyadmin.inc "$HESTIA_INSTALL_DIR"/nginx/phppgadmin.inc "$HESTIA_INSTALL_DIR"/nginx/status.conf /etc/nginx/conf.d
[ -n "$DB_PMA_ALIAS" ] && sed -i "s|%pma_alias%|$DB_PMA_ALIAS|g" /etc/nginx/conf.d/phpmyadmin.inc
[ -n "$DB_PGA_ALIAS" ] && sed -i "s|%pga_alias%|$DB_PGA_ALIAS|g" /etc/nginx/conf.d/phppgadmin.inc
# Prepare for upcoming HTTP/3 support, also convenient for users to add directive to "main" context
mkdir -p /etc/nginx/conf.d/main
fi
fi
unset commit nameserver nginx_conf_commit nginx_conf_compare nginx_conf_local os_release tls12_ciphers tls13_ciphers resolver
# Finish configuring the "Enhanced and Optimized TLS" feature
# Update IPs configuration file
# shellcheck source=/usr/local/hestia/func/domain.sh
source $HESTIA/func/domain.sh
if [ "$WEB_SYSTEM" = "nginx" ]; then
while IFS= read -r IP; do
ip_conf="/etc/nginx/conf.d/$IP.conf"
cp -f "$HESTIA_INSTALL_DIR"/nginx/unassigned.inc "$ip_conf"
sed -i "s/directIP/$IP/g" "$ip_conf"
process_http2_directive "$ip_conf"
done < <(ls "$HESTIA"/data/ips/ 2> /dev/null)
elif [ "$PROXY_SYSTEM" = "nginx" ]; then
while IFS= read -r IP; do
cat "$WEBTPL"/nginx/proxy_ip.tpl \
| sed -e "s/%ip%/$IP/g" \
-e "s/%web_port%/$WEB_PORT/g" \
-e "s/%proxy_port%/$PROXY_PORT/g" \
-e "s/%proxy_ssl_port%/$PROXY_SSL_PORT/g" \
> "/etc/nginx/conf.d/$IP.conf"
process_http2_directive "/etc/nginx/conf.d/$IP.conf"
done < <(ls "$HESTIA"/data/ips/ 2> /dev/null)
fi
if [ "$MAIL_SYSTEM" = "exim4" ]; then
exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
# if Exim version > 4.95 or greater!
if version_ge "$exim_version" "4.95"; then
if ! grep -q 'SRS_SECRET' /etc/exim4/exim4.conf.template; then
srs=$(generate_password)
echo $srs > /etc/exim4/srs.conf
chmod 640 /etc/exim4/srs.conf
chown root:Debian-exim /etc/exim4/srs.conf
cp /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.staging
patch /etc/exim4/exim4.conf.template.staging $HESTIA/install/upgrade/patch/3661-exim-srs-support.patch 2>&1
exim -C /etc/exim4/exim4.conf.template.staging 2>&1
if [ "$?" -ne 0 ]; then
add_upgrade_message "Unable to successfully aply the SRS update patch for Exim.\n If you use SMTP relay with the SRS feature use the exim config found in /usr/local/hestia/install/deb/exim/exim4.conf.4.95.template"
"$BIN"/v-add-user-notification admin "Unable to apply patch to Exim config" 'Unable to successfully apply the SRS update patch for Exim.<br /> If you use SMTP relay with the SRS feature use the exim config found in /usr/local/hestia/install/deb/exim/exim4.conf.4.95.template'
if grep -qw "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf 2> /dev/null; then
sed -i "s/""$(grep -m 1 "Unable to apply patch to Exim config" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='3'/" "$HESTIA"/data/users/admin/notifications.conf
else
sed -i "s/""$(grep -m 1 "Unable to apply patch to Exim config" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='2'/" "$HESTIA"/data/users/admin/notifications.conf
fi
echo "[ ! ] Unable to apply SRS update patch for SMTP relay"
else
echo "[ * ] Update exim4.conf.template ..."
cp /etc/exim4/exim4.conf.template.staging /etc/exim4/exim4.conf.template
fi
rm /etc/exim4/exim4.conf.template.staging*
else
sed -i "s/SRS_SECRET = readfile{\/etc\/exim4\/srs.conf}/SRS_SECRET = \${readfile{\/etc\/exim4\/srs.conf}}/g" /etc/exim4/exim4.conf.template
chown root:Debian-exim /etc/exim4/srs.conf
fi
fi
exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
# if Exim version > 4.95 or greater!
if version_ge "$exim_version" "4.95"; then
if ! grep -q 'condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}' /etc/exim4/exim4.conf.template; then
for line in $(sed -n '/redirect_router = dnslookup/=' /etc/exim4/exim4.conf.template); do
testline=$((line - 1))
newline=$((line + 1))
if [ "$(awk NR==$testline /etc/exim4/exim4.conf.template)" = " file_transport = local_delivery" ]; then
# Add new line
sed -i "$newline i \ \ condition = \${lookup{\$local_part@\$domain}lsearch{/etc/exim4/domains/\${lookup{\$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}" /etc/exim4/exim4.conf.template
fi
done
fi
fi
fi