Merge pull request hestiacp#1473 from hestiacp/staging/release/v1.3.2

Release Hestia v1.3.2

Author: ScIT-Raphael

CHANGELOG.md

@@ -1,6 +1,17 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.3.2] - Service Release
+### Features
+- Added PHP v8.0 support for multiphp environment.
+
+### Bugfixes
+- Improved session token handling in login as function, thanks to Vulnerability Laboratory - [Evolution Security GmbH]™.
+- Fixed an where fpm pool config was not deleted when changing backend template.
+- Improved bats testing with multiphp (5.6-8.0) tests.
+- Fixed an issue where full webmail path was loaded as default value.
+
+
 ## [1.3.1] - Service Release
 ### Features
 - No new features have been introduced in this release.

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.3.0 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
+**Latest stable release:** Version 1.3.1 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
@@ -19,17 +19,18 @@ Hestia Control Panel is designed to provide administrators an easy to use web an
 Features and Services
 ----------------------------
 * Apache2 and NGINX with PHP-FPM
-* Multiple PHP versions (5.6 - 7.4, 7.3 as default for optimal compatibility)
+* Multiple PHP versions (5.6 - 7.4, 7.4 as default)
 * DNS Server (Bind) with clustering capabilities
 * POP/IMAP/SMTP mail services with Anti-Virus, Anti-Spam, and Webmail (ClamAV, SpamAssassin, and Roundcube)
 * MariaDB or PostgreSQL databases
 * Let's Encrypt SSL support with wildcard certificates
 * Firewall with brute-force attack detection and IP lists (iptables, fail2ban, and ipset).
 
-Supported operating systems
+Supported platforms and operating systems
 ----------------------------
-* Debian 10, 9
-* Ubuntu 20.04 LTS, 18.04 LTS, or 16.04 LTS
+* **CPU Architecture:** AMD64 (x86_64 Intel/AMD)
+* **Debian:** 10, 9
+* **Ubuntu:** 20.04 LTS, 18.04 LTS, or 16.04 LTS
 * **NOTE:** Hestia Control Panel must be installed on top of a fresh operating system installation to ensure proper functionality.
 
 Installing Hestia Control Panel
@@ -65,6 +66,14 @@ bash hst-install.sh -h
 ```
 Alternatively, @gabizz has made available a command-line script generator at https://gabizz.github.io/hestiacp-scriptline-generator/ which allows you to easily generate the installation command via GUI.
 
+How to upgrade an existing installation
+============================
+Automatic Updates are enabled by default on new installations of Hestia Control Panel and can be managed from **Server Settings > Updates**. To manually check for and install available updates, use the apt package manager:
+```bash
+apt-get update
+apt-get upgrade
+```
+
 Issues
 =============================
 If you've run into a problem, [file a new issue report via GitHub](https://github.com/hestiacp/hestiacp/issues) so that we may investigate further.

bin/v-add-letsencrypt-domain

@@ -55,7 +55,8 @@ query_le_v2() {
     # Save http response to file passed as "$4" arg or print to stdout if not provided
     # http response headers are always sent to stdout
     local save_to_file=${4:-"/dev/stdout"}
-    curl --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
+    curl --location --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
+    debug_log "API call" "exit status: $?"
 }
 
 
@@ -100,17 +101,36 @@ fi
 
 
 
+# Dump debug info
+debug_log() {
+    echo -e "\n==[${1}]==\n${2}\n" >> "$log_file"
+}
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
+
+
+
 # Generate correct variables for mail domain SSL certificates
 if [ ! -z "$mail" ]; then
     root_domain=$domain
     domain="mail.$root_domain"
     aliases="$WEBMAIL_ALIAS.$root_domain"
 fi
 
+log_file="/var/log/hestia/LE-${user}-${domain}-$(date +%Y%m%d-%H%M%S).log"
+touch "$log_file"
+chmod 600 "$log_file"
+
+echo -e "\n\n=============================
+WEB_SYSTEM: ${WEB_SYSTEM}
+PROXY_SYSTEM: ${PROXY_SYSTEM}
+user: ${user}
+domain: ${domain}
+" >> "$log_file"
+
 # Registering LetsEncrypt user account
 $BIN/v-add-letsencrypt-user $user
 if [ "$?" -ne 0  ]; then
@@ -134,6 +154,12 @@ else
     proto="http-01"
 fi
 
+echo -e "
+- aliases: ${aliases}
+- proto: ${proto}
+- wildcard: ${wildcard}
+" >> "$log_file"
+
 # Check if dns records exist for requested domain/aliases
 if [ "$proto" = "http-01" ]; then
     for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
@@ -164,6 +190,9 @@ fi
 answer=$(curl -s -I "$LE_API/directory")
 nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
+
+debug_log "Step 1" "- status: ${status}\n- nonce: ${nonce}\n- answer: ${answer}"
+
 if [[ "$status" -ne 200 ]]; then
     # Delete DNS CAA record
     if [ ! -z "$DNS_SYSTEM" ]; then
@@ -192,6 +221,9 @@ nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
 authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
 finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
 status=$(echo "$answer" |grep HTTP/ |tail -n1 |cut -f2 -d ' ')
+
+debug_log "Step 2" "- status: ${status}\n- nonce: ${nonce}\n- authz: ${authz}\n- finalize: ${finalize}\n- payload: ${payload}\n- answer: ${answer}"
+
 if [[ "$status" -ne 201 ]]; then
     # Delete DNS CAA record
     if [ ! -z "$DNS_SYSTEM" ]; then
@@ -212,6 +244,9 @@ for auth in $authz; do
     token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
     nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
     status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
+
+    debug_log "Step 3" "- status: ${status}\n- nonce: ${nonce}\n- url: ${url}\n- token: ${token}\n- answer: ${answer}"
+
     if [[ "$status" -ne 200 ]]; then
         # Delete DNS CAA record
         if [ ! -z "$DNS_SYSTEM" ]; then
@@ -303,6 +338,9 @@ for auth in $authz; do
         nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
         status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
         details=$(echo "$answer"| grep detail | cut -f 1 -d ',' | cut -f 2-4 -d ':' | cut -f 2 -d '"')
+
+        debug_log "Step 5" "- status: ${status}\n- nonce: ${nonce}\n- validation: ${validation}\n- details: ${details}\n- answer: ${answer}"
+
         if [[ "$status" -ne 200 ]]; then
             # Delete DNS CAA record
             if [ ! -z "$DNS_SYSTEM" ]; then
@@ -315,6 +353,7 @@ for auth in $authz; do
                     fi
                 fi
             fi
+            debug_log "Abort Step 5" "=> Wrong status"
             check_result $E_CONNECT "Let's Encrypt validation status $status. Details: $details"
         fi
 
@@ -331,6 +370,7 @@ for auth in $authz; do
                     fi
                 fi
             fi
+            debug_log "Abort Step 5" "=> Too many validation retries"
             check_result $E_CONNECT "Let's Encrypt domain validation timeout"
         fi
         sleep $((i*2))
@@ -362,14 +402,44 @@ answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
 nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
 certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
+
+debug_log "Step 6" "- status: ${status}\n- nonce: ${nonce}\n- payload: ${payload}\n- certificate: ${certificate}\n- answer: ${answer}"
+
 if [[ "$status" -ne 200 ]]; then
     [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
     check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
 fi
 
 # Downloading signed certificate / STEP 7
-answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
-status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
+status=0
+retry=0
+
+while [[ $status != 200 && $retry -lt 3 ]]; do
+
+    answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
+    status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
+
+    debug_log "Step 7" "- status: ${status}\n- retry: ${retry}\n- answer: ${answer}"
+
+    if [[ $status != 200 ]]; then
+        retry=$((retry + 1))
+        sleep $((retry * 2))    # Sleep for 2s, 4s, 6s, 8s
+    fi
+
+done
+
+# Fallback on depreciated download method for certs (unauthenticated GET)
+if [[ $status != 200 ]]; then
+    answer=$(curl  --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout "$certificate" --output "$ssl_dir/$domain.pem")
+    status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
+
+    debug_log "Step 7 - Fallback" "- status: ${status}\n- answer: ${answer}"
+fi
+
+debug_log "CERT DIR" "$(ls -las "$ssl_dir/")"
+debug_log "CERT PEM" "$(cat "$ssl_dir/$domain.pem")"
+
+
 if [[ "$status" -ne 200 ]]; then
     [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
     check_result $E_NOTEXIST "Let's Encrypt downloading signed cert failed status:$status"
@@ -384,10 +454,13 @@ ca_end=$(grep -n  "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
 ca_end=$(( pem_lines - crt_end + 1 ))
 tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
 
+debug_log "CERT CRT" "$(cat "$ssl_dir/$domain.crt")"
+debug_log "CERT CA-1" "$(cat "$ssl_dir/$domain.ca")"
 # Temporary fix for double "END CERTIFICATE"
 if [[ $(head -n 1 $ssl_dir/$domain.ca) = "-----END CERTIFICATE-----" ]]; then
     sed -i '1,2d' $ssl_dir/$domain.ca
 fi
+debug_log "CERT CA-2" "$(cat "$ssl_dir/$domain.ca")"
 
 # Rename certs for mail
 if [ ! -z "$mail" ]; then
@@ -467,4 +540,7 @@ send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
 # Logging
 log_event "$OK" "$ARGUMENTS"
 
+# Cleanup debug since the SSL was issues succesfully
+rm -f "$log_file"
+
 exit

bin/v-add-web-php

@@ -3,7 +3,7 @@
 # options: VERSION
 # labels: hestia
 #
-# example: v-add-web-php 7.4
+# example: v-add-web-php 8.0
 #
 # The function checks and delete a fpm php version if not used by any domain.
 
@@ -32,7 +32,7 @@ php_fpm="/etc/init.d/php$version-fpm"
 # Verify php version format
 if [[ ! $version =~ ^[0-9]\.[0-9]+ ]]; then
     echo "The specified PHP version format is invalid, it should look like [0-9].[0-9]."
-    echo "Example:  7.0, 7.4"
+    echo "Example:  7.0, 7.4, 8.0"
     exit
 fi
 
@@ -67,6 +67,11 @@ if [[ `echo "$version 7.2" | awk '{print ($1 < $2)}'` == 1 ]]; then
     mph="$mph php$version-mcrypt"
 fi
 
+# Check if version is 8.0 or higher and drop php json.
+if [[ ${version:0:1} == "8" ]]; then
+    mph=$(echo "$mph" | sed -e "s/php$version-json//")
+fi
+
 if ! echo "$DB_SYSTEM" | grep -w 'mysql' >/dev/null; then
     mph=$(echo "$mph" | sed -e "s/php$version-mysql//")
 fi

bin/v-change-web-domain-backend-tpl

@@ -52,12 +52,12 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Deleting current backend
-delete_web_backend
-
 # Prepare new backend configuration
 prepare_web_backend
 
+# Deleting current backend
+delete_web_backend
+
 # Allocating backend port
 backend_port=9000
 ports=$(grep -v '^;' $pool/* 2>/dev/null |grep listen |grep -o :[0-9].*)

install/deb/multiphp/apache2/PHP-56.sh

@@ -45,6 +45,7 @@ pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf"
 pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf"
 pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf"
 pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf"
+pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf"
 
 if [ ! -f "$pool_file_56" ]; then
     echo "$pool_conf" > $pool_file_56
@@ -76,4 +77,9 @@ if [ -f "$pool_file_74" ]; then
     service php7.4-fpm restart
 fi
 
+if [ -f "$pool_file_80" ]; then
+    rm $pool_file_80
+    service php8.0-fpm restart
+fi
+
 exit 0

install/deb/multiphp/apache2/PHP-70.sh

@@ -45,6 +45,7 @@ pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf"
 pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf"
 pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf"
 pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf"
+pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf"
 
 if [ -f "$pool_file_56" ]; then
     rm $pool_file_56
@@ -76,4 +77,9 @@ if [ -f "$pool_file_74" ]; then
     service php7.4-fpm restart
 fi
 
+if [ -f "$pool_file_80" ]; then
+    rm $pool_file_80
+    service php8.0-fpm restart
+fi
+
 exit 0

install/deb/multiphp/apache2/PHP-71.sh

@@ -45,6 +45,7 @@ pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf"
 pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf"
 pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf"
 pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf"
+pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf"
 
 if [ -f "$pool_file_56" ]; then
     rm $pool_file_56
@@ -76,4 +77,9 @@ if [ -f "$pool_file_74" ]; then
     service php7.4-fpm restart
 fi
 
+if [ -f "$pool_file_80" ]; then
+    rm $pool_file_80
+    service php8.0-fpm restart
+fi
+
 exit 0

install/deb/multiphp/apache2/PHP-72.sh

@@ -45,6 +45,7 @@ pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf"
 pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf"
 pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf"
 pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf"
+pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf"
 
 if [ -f "$pool_file_56" ]; then
     rm $pool_file_56
@@ -76,4 +77,9 @@ if [ -f "$pool_file_74" ]; then
     service php7.4-fpm restart
 fi
 
+if [ -f "$pool_file_80" ]; then
+    rm $pool_file_80
+    service php8.0-fpm restart
+fi
+
 exit 0

install/deb/multiphp/apache2/PHP-73.sh

@@ -45,6 +45,7 @@ pool_file_71="/etc/php/7.1/fpm/pool.d/$2.conf"
 pool_file_72="/etc/php/7.2/fpm/pool.d/$2.conf"
 pool_file_73="/etc/php/7.3/fpm/pool.d/$2.conf"
 pool_file_74="/etc/php/7.4/fpm/pool.d/$2.conf"
+pool_file_80="/etc/php/8.0/fpm/pool.d/$2.conf"
 
 if [ -f "$pool_file_56" ]; then
     rm $pool_file_56
@@ -76,4 +77,9 @@ if [ -f "$pool_file_74" ]; then
     service php7.4-fpm restart
 fi
 
+if [ -f "$pool_file_80" ]; then
+    rm $pool_file_80
+    service php8.0-fpm restart
+fi
+
 exit 0