Merge main in to staging

jaapmarcus · jaapmarcus · commit 3cfe05b4a4b9 · 2021-05-25T09:04:09.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -91,6 +91,7 @@ All notable changes to this project will be documented in this file.
 - Standardize headers for upgrade scripts
 - Improved how we handle custom themes
 - Refactored HMTL / PHP code WebUI
+- Updated ClamAV configuration
 - Fixed issue where file manger key got the wrong permissions
 - Update version Laveral @mariojgt
 
diff --git a/bin/v-backup-user b/bin/v-backup-user
@@ -390,7 +390,7 @@ if [ ! -z "$MAIL_SYSTEM" ] && [ "$MAIL" != '*' ]; then
         accounts=()
         for account in $(ls); do
             exclusion=$(echo "$MAIL" |tr ',' '\n' |grep "$domain:")
-            exclusion=$(echo "$exclusion" |tr ':' '\n' |grep "^$account$")
+            exclusion=$(echo "$exclusion" |tr ':' '\n' |grep -E "^$account|\*")
 
             # Checking exlusions
             if [ -z "$exclusion" ] && [[ "$MAIL_SYSTEM" =~ exim ]]; then
diff --git a/bin/v-delete-web-domain b/bin/v-delete-web-domain
@@ -67,7 +67,7 @@ fi
 
 # Deleting web backend
 if [ ! -z "$WEB_BACKEND" ]; then
-    $BIN/v-delete-web-domain-backend $user $domain $restart
+    $BIN/v-delete-web-domain-backend $user $domain 'no'
 fi
 
 # Deleting vhost configuration
@@ -142,10 +142,14 @@ fi
 $BIN/v-restart-web $restart
 check_result $? "Web restart failed" >/dev/null
 
-# Restartinh proxy server
+# Restarting proxy server
 $BIN/v-restart-proxy $restart
 check_result $? "Proxy restart failed" >/dev/null
 
+# Restarting backend server
+$BIN/v-restart-web-backend $restart
+check_result $? "Backend restart failed" >/dev/null
+
 # Logging
 $BIN/v-log-action "$user" "Info" "Web" "Deleted web domain (Name: $domain)."
 log_event "$OK" "$ARGUMENTS"
diff --git a/bin/v-list-sys-ips b/bin/v-list-sys-ips
@@ -53,13 +53,16 @@ json_list() {
 
 # SHELL list function
 shell_list() {
-    echo "IP   MASK   NAT    HELO    STATUS   WEB  DATE"
-    echo "--   ----   ---    ----    ------   ---  ----"
+    echo "IP   MASK   NAT    HELO                    STATUS   WEB  DATE"
+    echo "--   ----   ---    --------------------    ------   ---  ----"
     while read IP; do
         source $HESTIA/data/ips/$IP
         if [ -z "$NAT" ]; then
             NAT='no'
         fi
+        if [ -z "$HELO" ]; then
+            HELO='unset'
+        fi
         echo "$IP $NETMASK $NAT $HELO $STATUS $U_WEB_DOMAINS $DATE"
     done < <(ls $HESTIA/data/ips/)
 }
diff --git a/bin/v-purge-nginx-cache b/bin/v-purge-nginx-cache
@@ -1,9 +1,9 @@
 #!/bin/bash
 # info: Purge nginx cache
-# options: USER DOMAIN MODE
+# options: USER DOMAINå
 # labels: hestia web
 #
-# example: v-purge-nginx-cache user domain.tld proxy
+# example: v-purge-nginx-cache user domain.tld
 #
 # The function purges nginx cache.
 
diff --git a/install/deb/clamav/clamd.conf b/install/deb/clamav/clamd.conf
@@ -1,14 +1,13 @@
-#Automatically Generated by clamav-base postinst
-#To reconfigure clamd run #dpkg-reconfigure clamav-base
-#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
 LocalSocket /var/run/clamav/clamd.ctl
 FixStaleSocket true
 LocalSocketGroup clamav
 LocalSocketMode 666
 # TemporaryDirectory is not set to its default /tmp here to make overriding
 # the default with environment variables TMPDIR/TMP/TEMP possible
 User clamav
-# AllowSupplementaryGroups true
 ScanMail true
 ScanArchive true
 ArchiveBlockEncrypted false
@@ -19,26 +18,38 @@ ReadTimeout 180
 MaxThreads 12
 MaxConnectionQueueLength 15
 LogSyslog false
+LogRotate true
 LogFacility LOG_LOCAL6
 LogClean false
 LogVerbose true
-PidFile /var/run/clamav/clamd.pid
+PreludeEnable no
+PreludeAnalyzerName ClamAV
 DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
 SelfCheck 3600
 Foreground false
 Debug false
 ScanPE true
+MaxEmbeddedPE 10M
 ScanOLE2 true
+ScanPDF true
 ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
 ExitOnOOM false
 LeaveTemporaryFiles false
 AlgorithmicDetection true
 ScanELF true
 IdleTimeout 30
+CrossFilesystems true
 PhishingSignatures true
 PhishingScanURLs true
 PhishingAlwaysBlockSSLMismatch false
 PhishingAlwaysBlockCloak false
+PartitionIntersection false
 DetectPUA false
 ScanPartialMessages false
 HeuristicScanPrecedence false
@@ -48,6 +59,23 @@ SendBufTimeout 200
 MaxQueue 100
 ExtendedDetectionInfo true
 OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
 StreamMaxLength 25M
 LogFile /var/log/clamav/clamav.log
 LogTime true
@@ -56,5 +84,5 @@ LogFileMaxSize 0
 Bytecode true
 BytecodeSecurity TrustSigned
 BytecodeTimeout 60000
-OfficialDatabaseOnly false
-CrossFilesystems true
+PidFile /var/run/clamav/clamd.pid
+OnAccessMaxFileSize 5M
diff --git a/install/deb/firewall/ipset/blacklist.sh b/install/deb/firewall/ipset/blacklist.sh
@@ -8,7 +8,6 @@ BLACKLISTS=(
     "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
     "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
     "https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
-    "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
     "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
     "https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
     "https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
diff --git a/install/deb/templates/mail/nginx/default_rainloop.stpl b/install/deb/templates/mail/nginx/default_rainloop.stpl
@@ -11,6 +11,11 @@ ssl_certificate_key %ssl_key%;
 ssl_stapling on;
 ssl_stapling_verify on;
 
+location ^~ /data {
+    deny all;
+    return 404;
+}
+
 location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
     deny all;
     return 404;
diff --git a/install/deb/templates/mail/nginx/default_rainloop.tpl b/install/deb/templates/mail/nginx/default_rainloop.tpl
@@ -13,7 +13,12 @@ location ~ /\.(?!well-known\/) {
     return 404;
 }
 
-location ~ /data/ {
+location ^~ /data {
+    deny all;
+    return 404;
+}
+
+location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
     deny all;
     return 404;
 }
diff --git a/install/deb/templates/mail/nginx/rainloop.stpl b/install/deb/templates/mail/nginx/rainloop.stpl
@@ -16,6 +16,11 @@ location ~ /\.(?!well-known\/) {
     return 404;
 }
 
+location ^~ /data {
+    deny all;
+    return 404;
+}
+
 location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
     deny all;
     return 404;
diff --git a/install/deb/templates/mail/nginx/rainloop.tpl b/install/deb/templates/mail/nginx/rainloop.tpl
@@ -13,6 +13,11 @@ location ~ /\.(?!well-known\/) {
     return 404;
 }
 
+location ^~ /data {
+    deny all;
+    return 404;
+}
+
 location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
     deny all;
     return 404;
diff --git a/install/upgrade/manual/migrate_roundcube.sh b/install/upgrade/manual/migrate_roundcube.sh
@@ -17,7 +17,7 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-if [ ! -d "/usr/share/phpmyadmin/" ]; then
+if [ ! -d "/usr/share/roundcube/" ]; then
     echo "Install Roundcube not done via APT"
     exit 2;
 fi
@@ -46,4 +46,4 @@ then
     # restore backup
     mysql roundcube < ~/roundcube.sql
     /var/lib/roundcube/bin/update.sh --version "$version"
-fi
+fi
diff --git a/install/upgrade/versions/1.4.0.sh b/install/upgrade/versions/1.4.0.sh
@@ -58,12 +58,15 @@ if [ "$MAIL_SYSTEM" == "exim4" ]; then
         echo '[ * ] Enabling SMTP relay support...'
         if grep -q "driver = plaintext" /etc/exim4/exim4.conf.template; then
             disable_smtp_relay=true
-            echo '[ ! ] ERROR: Manual intervention required to enable SMTP Relay:'
+            echo '[ ! ] ERROR: SMTP Relay upgrade failed:'
             echo ''
-            echo '      Exim only supports one plaintext authenticator.'
-            echo '      If you want to use the Hestia smtp relay feature,'
-            echo '      please review the /etc/exim4/exim4.conf.template'
-            echo '      file and resolve any conflicts.'
+            echo 'Because of the complexity of the SMTP Relay upgrade,'
+            echo 'we were unable to safely modify your existing exim config file.'
+            echo 'If you would like to use the new SMTP Relay features,'
+            echo 'you will have to replace or modify your config with the one found'
+            echo 'on GitHub at https://github.com/hestiacp/hestiacp/blob/release/install/deb/exim/exim4.conf.template.'
+            echo 'Your exim config file will be found here: /etc/exim4/exim4.conf.template'
+            $HESTIA/bin/v-add-user-notification admin 'SMTP Relay upgrade failed' 'Because of the complexity of the SMTP Relay upgrade, we were unable to safely modify your existing exim config file.<br><br>If you would like to use the new SMTP Relay features, you will have to replace or modify your config with the one found on <a href="https://github.com/hestiacp/hestiacp/blob/release/install/deb/exim/exim4.conf.template" target="_new"><i class="fab fa-github"></i> GitHub</a>.<br><br>Your exim config file will be found here:<br><br><code>/etc/exim4/exim4.conf.template</code>'
         else
             disable_smtp_relay=false
         fi
@@ -178,6 +181,15 @@ if [ -d "$HESTIA/web/images/webapps/" ]; then
     rm -rf $HESTIA/web/src/app/WebApp/Installers/Joomla
 fi
 
+# Update ClamAV configuration file
+if [ -f "/etc/clamav/clamd.conf" ]; then
+    cp -f $HESTIA_INSTALL_DIR/clamav/clamd.conf /etc/clamav/
+    $HESTIA/bin/v-add-user-notification admin 'ClamAV config has been overwritten' 'Warning: If you have manualy changed /etc/clamav/clamd.conf and any changes you made will be lost an backup has been created in the /root/hst_backups folder with the original config. If you have not changed the config file you can ignore this message'
+fi
+
+if [ -f "$HESTIA/data/firewall/ipset/blacklist.sh" ]; then
+    sed -i  '/BruteForceBlocker/d' $HESTIA/data/firewall/ipset/blacklist.sh
+fi
 
 ##### COMMANDS FOR V1.5.X
 
diff --git a/web/bulk/web/index.php b/web/bulk/web/index.php
@@ -45,6 +45,7 @@
     exec (HESTIA_CMD."v-restart-web", $output, $return_var);
     exec (HESTIA_CMD."v-restart-proxy", $output, $return_var);
     exec (HESTIA_CMD."v-restart-dns", $output, $return_var);
+    exec (HESTIA_CMD."v-restart-web-backend", $output, $return_var);
 }
 
 header("Location: /list/web/");
diff --git a/web/delete/web/index.php b/web/delete/web/index.php
@@ -19,7 +19,7 @@
 if (!empty($_GET['domain'])) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec (HESTIA_CMD."v-delete-web-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec (HESTIA_CMD."v-delete-web-domain ".$v_username." ".$v_domain." 'yes'", $output, $return_var);
     check_return_code($return_var,$output);
     unset($output);
 }
diff --git a/web/locale/fr/LC_MESSAGES/hestiacp.mo b/web/locale/fr/LC_MESSAGES/hestiacp.mo
diff --git a/web/locale/ru/LC_MESSAGES/hestiacp.mo b/web/locale/ru/LC_MESSAGES/hestiacp.mo
diff --git a/web/locale/uk/LC_MESSAGES/hestiacp.mo b/web/locale/uk/LC_MESSAGES/hestiacp.mo
diff --git a/web/templates/pages/edit_server.html b/web/templates/pages/edit_server.html
diff --git a/web/templates/pages/edit_web.html b/web/templates/pages/edit_web.html

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`#!/bin/bash`
`2`	`2`	`# info: Purge nginx cache`
`3`		`-# options: USER DOMAIN MODE`
	`3`	`+# options: USER DOMAINå`
`4`	`4`	`# labels: hestia web`
`5`	`5`	`#`
`6`		`-# example: v-purge-nginx-cache user domain.tld proxy`
	`6`	`+# example: v-purge-nginx-cache user domain.tld`
`7`	`7`	`#`
`8`	`8`	`# The function purges nginx cache.`
`9`	`9`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,12 @@ location ~ /\.(?!well-known\/) {`
`13`	`13`	`return 404;`
`14`	`14`	`}`
`15`	`15`
`16`		`-location ~ /data/ {`
	`16`	`+location ^~ /data {`
	`17`	`+ deny all;`
	`18`	`+ return 404;`
	`19`	`+}`
	`20`	`+`
	`21`	`+location ~ ^/(README.md\|config\|temp\|logs\|bin\|SQL\|INSTALL\|LICENSE\|CHANGELOG\|UPGRADING)$ {`
`17`	`22`	`deny all;`
`18`	`23`	`return 404;`
`19`	`24`	`}`