Update Nginx keepalive_requests to default (hestiacp#4055)

Author: jaapmarcus

install/deb/nginx/nginx.conf

@@ -27,7 +27,7 @@ http {
 	large_client_header_buffers     4 8k;
 	send_timeout                    60s;
 	keepalive_timeout               30s;
-	keepalive_requests              10000;
+	keepalive_requests              1000;
 	reset_timedout_connection       on;
 	server_tokens                   off;
 	server_name_in_redirect         off;
@@ -127,4 +127,4 @@ http {
 	# Wildcard include
 	include                         /etc/nginx/conf.d/*.conf;
 	include                         /etc/nginx/conf.d/domains/*.conf;
-}
+}

install/rpm/nginx/nginx.conf

@@ -27,7 +27,7 @@ http {
 	large_client_header_buffers     4 8k;
 	send_timeout                    60s;
 	keepalive_timeout               30s;
-	keepalive_requests              10000;
+	keepalive_requests              1000;
 	reset_timedout_connection       on;
 	server_tokens                   off;
 	server_name_in_redirect         off;
@@ -127,4 +127,4 @@ http {
 	# Wildcard include
 	include                         /etc/nginx/conf.d/*.conf;
 	include                         /etc/nginx/conf.d/domains/*.conf;
-}
+}

install/upgrade/versions/1.8.9.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.8.8
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### upgrade_config_set_value only accepts true or false.                    #######
+#######                                                                         #######
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+
+# Modify existing POLICY_USER directives (POLICY_USER_CHANGE_THEME, POLICY_USER_EDIT_WEB_TEMPLATES
+# and POLICY_USER_VIEW_LOGS) that are using value 'true' instead of the correct value 'yes'
+
+hestia_conf="$HESTIA/conf/hestia.conf"
+hestia_defaults_conf="$HESTIA/conf/defaults/hestia.conf"
+
+if [ -f /etc/nginx/nginx.conf ]; then
+	echo "[ * ] Mitigate HTTP/2 Rapid Reset Attack via Nginx CVE CVE-2023-44487"
+	sed -i -E 's/(.*keepalive_requests\s{1,})10000;/\11000;/' /etc/nginx/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf
+fi

src/deb/nginx/nginx.conf

@@ -27,7 +27,7 @@ http {
 	large_client_header_buffers   4 8k;
 	send_timeout                  60s;
 	keepalive_timeout             30s;
-	keepalive_requests            10000;
+	keepalive_requests            1000;
 	reset_timedout_connection     on;
 	server_tokens                 off;
 	server_name_in_redirect       off;

src/rpm/nginx/nginx.conf

@@ -27,7 +27,7 @@ http {
 	large_client_header_buffers   4 8k;
 	send_timeout                  60s;
 	keepalive_timeout             30s;
-	keepalive_requests            10000;
+	keepalive_requests            1000;
 	reset_timedout_connection     on;
 	server_tokens                 off;
 	server_name_in_redirect       off;