security fix / thanks to Christopher Tarquini

Author: Serghey Rodin

bin/v-add-web-domain-stats-user

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add password protection to web domain statistics
-# options: USER DOMAIN STATS_USER STATS_PASSWORD
+# options: USER DOMAIN STATS_USER STATS_PASSWORD [RESTART]
 #
 # The call is used for securing the web statistics page.
 
@@ -14,6 +14,7 @@ user=$1
 domain=$2
 stats_user=$3
 password=$4; HIDE=4
+restart=$5
 
 # Includes
 source $VESTA/func/main.sh
@@ -25,7 +26,7 @@ source $VESTA/conf/vesta.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '4' "$#" 'USER DOMAIN STATS_USER STATS_PASS'
+check_args '4' "$#" 'USER DOMAIN STATS_USER STATS_PASS [RESTART]'
 is_format_valid 'user' 'domain' 'stats_user'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
@@ -41,11 +42,12 @@ is_password_valid
 
 # Defining statistic dir
 stats_dir="$HOMEDIR/$user/web/$domain/stats"
+conf_dir="$HOMEDIR/$user/conf/web"
 
 # Adding htaccess file
 if [ "$WEB_SYSTEM" = 'nginx' ]; then
-    echo "auth_basic \"Web Statistics\";" > $stats_dir/auth.conf
-    echo "auth_basic_user_file $stats_dir/.htpasswd;" >> $stats_dir/auth.conf
+    echo "auth_basic \"Web Statistics\";" > $conf_dir/$domain.auth
+    echo "auth_basic_user_file $stats_dir/.htpasswd;" >> $conf_dir/$domain.auth
 else
     echo "AuthUserFile $stats_dir/.htpasswd" > $stats_dir/.htaccess
     echo "AuthName \"Web Statistics\"" >> $stats_dir/.htaccess
@@ -67,6 +69,12 @@ echo "$stats_user:$stats_pass" > $stats_dir/.htpasswd
 update_object_value 'web' 'DOMAIN' "$domain" '$STATS_USER' "$stats_user"
 update_object_value 'web' 'DOMAIN' "$domain" '$STATS_CRYPT' "$stats_pass"
 
+# Restarting web server
+if [ "$WEB_SYSTEM" = 'nginx' ]; then
+    $BIN/v-restart-web $restart
+    check_result $? "Web restart failed" >/dev/null
+fi
+
 # Logging
 log_history "added password protection for web stats on $domain"
 log_event "$OK" "$ARGUMENTS"

bin/v-delete-web-domain-stats-user

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: disable webdomain stats  authentication support
-# options: USER DOMAIN
+# options: USER DOMAIN [RESTART]
 #
 # The function removes authentication of statistics system. If the script is
 # called without naming a certain user, all users will be removed. After
@@ -15,6 +15,7 @@
 # Argument definition
 user=$1
 domain=$(idn -t --quiet -u "$2" )
+restart=$3
 
 # Includes
 source $VESTA/func/main.sh
@@ -26,7 +27,7 @@ source $VESTA/conf/vesta.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER DOMAIN'
+check_args '2' "$#" 'USER DOMAIN [RESTART]'
 is_format_valid 'user' 'domain'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
@@ -44,6 +45,14 @@ is_object_value_exist 'web' 'DOMAIN' "$domain" '$STATS_USER'
 rm -f $HOMEDIR/$user/web/$domain/stats/.htpasswd
 rm -f $HOMEDIR/$user/web/$domain/stats/.htaccess
 
+# Deleting nginx auth config
+if [ "$WEB_SYSTEM" = 'nginx' ]; then
+    conf_dir="$HOMEDIR/$user/conf/web"
+    rm -f $conf_dir/$domain.auth 2>/dev/null
+    $BIN/v-restart-web $restart
+    check_result $? "Web restart failed" >/dev/null
+fi
+
 
 #----------------------------------------------------------#
 #                       Vesta                              #

bin/v-rebuild-web-domains

@@ -61,7 +61,7 @@ fi
 for domain in $($BIN/v-list-web-domains $user plain |cut -f 1); do
     if [ ! -z "$WEB_BACKEND" ]; then
         template=$(get_object_value 'web' 'DOMAIN' "$domain" '$BACKEND')
-        $BIN/v-add-web-domain-backend $user $domain $template
+        $BIN/v-add-web-domain-backend $user $domain $template $restart
     fi
     rebuild_web_domain_conf
 done

install/debian/7/templates/web/nginx/php5-fpm/cms_made_simple.stpl

@@ -45,7 +45,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/cms_made_simple.tpl

@@ -41,7 +41,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/codeigniter2.stpl

@@ -50,7 +50,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/codeigniter2.tpl

@@ -46,7 +46,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/codeigniter3.stpl

@@ -45,7 +45,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/codeigniter3.tpl

@@ -41,7 +41,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;

install/debian/7/templates/web/nginx/php5-fpm/datalife_engine.stpl

@@ -116,7 +116,7 @@ server {
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
-        include %home%/%user%/web/%domain%/stats/auth.conf*;
+        include %home%/%user%/conf/web/%domain%.auth
     }
 
     include     /etc/nginx/conf.d/phpmyadmin.inc*;