IPV6: Preparation for IPV6 compatibility of backend hestia-nginx (hestiacp#3882)

Co-authored-by: asmcc <root@test.hestiacp.com>

Author: asmcc

bin/v-add-firewall-chain

@@ -31,7 +31,7 @@ source $HESTIA/func/firewall.sh
 source_conf "$HESTIA/conf/hestia.conf"
 
 # Get hestia port by reading nginx.conf
-hestiaport=$(grep -m 1 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
+hestiaport=$(sed -ne "/listen/{s/.*listen[^0-9]*\([0-9][0-9]*\)[ \t]*ssl\;/\1/p;q}" "$HESTIA/nginx/conf/nginx.conf")
 if [ -z "$hestiaport" ]; then
 	hestiaport=8083
 fi

bin/v-add-sys-ip

@@ -42,6 +42,8 @@ source $HESTIA/func/main.sh
 source $HESTIA/func/ip.sh
 # shellcheck source=/usr/local/hestia/func/domain.sh
 source $HESTIA/func/domain.sh
+# shellcheck source=/usr/local/hestia/func/syshealth.sh
+source "$HESTIA/func/syshealth.sh"
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -193,6 +195,9 @@ if [ -n "$PROXY_SYSTEM" ]; then
 	fi
 fi
 
+# Adapt Port Listing in HESTIA NGINX Backend
+syshealth_adapt_hestia_nginx_listen_ports
+
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
@@ -227,6 +232,12 @@ if [ -n "$FIREWALL_SYSTEM" ]; then
 	$BIN/v-update-firewall
 fi
 
+# Restarting hestia service if nginx backend config was changed
+if [ "$NGINX_BCONF_CHANGED" = "yes" -a -f "/etc/init.d/hestia" ]; then
+	systemctl restart hestia > /dev/null 2>&1
+	check_result $? "Hestia backend restart failed" > /dev/null
+fi
+
 # Logging
 $BIN/v-log-action "system" "Info" "Network" "Added new IP address to the system (IP: $ip)."
 log_event "$OK" "$ARGUMENTS"

bin/v-change-sys-port

@@ -18,7 +18,7 @@ NGINX_CONFIG="$HESTIA/nginx/conf/nginx.conf"
 # shellcheck source=/etc/hestiacp/hestia.conf
 source /etc/hestiacp/hestia.conf
 # shellcheck source=/usr/local/hestia/func/main.sh
-source $HESTIA/func/main.sh
+source "$HESTIA/func/main.sh"
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -55,18 +55,18 @@ check_hestia_demo_mode
 #----------------------------------------------------------#
 
 # Get original port
-LISTEN_ROWS=$(cat ${NGINX_CONFIG} | grep -c "listen")
-ORIGINAL_PORT=$(cat ${NGINX_CONFIG} | grep -m1 "listen" | sed 's/[^0-9]*//g')
+LISTEN_ROWS=$(cat "$NGINX_CONFIG" | grep -c "listen")
+ORIGINAL_PORT=$(sed -ne "/listen/{s/.*listen[^0-9]*\([0-9][0-9]*\)[ \t]*ssl\;/\1/p;q}" "$NGINX_CONFIG")
 
 # Check if port is different to nginx.conf
 if [ "$ORIGINAL_PORT" = "$PORT" ]; then
 	# Nothing to do, exit
 	exit
 else
 	# Set new port in config via v-change-sys-config-value
-	$BIN/v-change-sys-config-value "BACKEND_PORT" "$PORT"
+	"$BIN/v-change-sys-config-value" "BACKEND_PORT" "$PORT"
 	# Replace port in config files.
-	sed -i "s/\(listen[ \t]*.*[: \t]\)[0-9][0-9]*\([^0-9]*ssl\;$\)/\1$PORT\2/" ${NGINX_CONFIG}
+	sed -i "s/\(listen[ \t]*.*[: \t]\)[0-9][0-9]*\([^0-9]*ssl\;$\)/\1$PORT\2/" "$NGINX_CONFIG"
 	if [ -d /etc/roundcube/ ]; then
 		sed -i "/password_hestia_port/c\$rcmail_config['password_hestia_port'] = '$PORT';" /etc/roundcube/plugins/password/config.inc.php
 	fi
@@ -75,21 +75,21 @@ else
 	fi
 
 	if [ -f "$HESTIA/data/firewall/rules.conf" ]; then
-		sed -i "/COMMENT='HESTIA'/c\RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='$PORT' IP='0.0.0.0/0' COMMENT='HESTIA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'" $HESTIA/data/firewall/rules.conf
+		sed -i "/COMMENT='HESTIA'/c\RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='$PORT' IP='0.0.0.0/0' COMMENT='HESTIA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'" "$HESTIA/data/firewall/rules.conf"
 	fi
 
-	if [ -f $HESTIA/data/firewall/chains.conf ]; then
-		sed -i "/CHAIN='HESTIA'/c\CHAIN='HESTIA' PORT='$PORT' PROTOCOL='TCP'" $HESTIA/data/firewall/chains.conf
+	if [ -f "$HESTIA/data/firewall/chains.conf" ]; then
+		sed -i "/CHAIN='HESTIA'/c\CHAIN='HESTIA' PORT='$PORT' PROTOCOL='TCP'" "$HESTIA/data/firewall/chains.conf"
 	fi
 
 	# Restart services
 	if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != no ]; then
-		$BIN/v-restart-service iptables
+		"$BIN/v-restart-service" iptables
 	fi
 
 	# Check if Hestia is running
 	if [[ $(ps -eaf | grep -i hestia | sed '/^$/d' | wc -l) -gt 1 ]]; then
-		$BIN/v-restart-service hestia
+		"$BIN/v-restart-service" hestia
 	fi
 fi
 
@@ -98,9 +98,9 @@ fi
 #----------------------------------------------------------#
 
 # Logging
-$BIN/v-log-action "system" "Warning" "System" "Hestia Control Panel backend port changed (New Value: $PORT, Old Value: $ORIGINAL_PORT)."
+"$BIN/v-log-action" "system" "Warning" "System" "Hestia Control Panel backend port changed (New Value: $PORT, Old Value: $ORIGINAL_PORT)."
 if [ $LISTEN_ROWS -gt 1 ]; then
-	$BIN/v-log-action "system" "Warning" "System" "Hestia Control Panel backend port: Use first of $LISTEN_ROWS listened ports in ${NGINX_CONFIG}"
+	"$BIN/v-log-action" "system" "Warning" "System" "Hestia Control Panel backend port: Use first of $LISTEN_ROWS listened ports in $NGINX_CONFIG"
 fi
 log_event "$OK" "$ARGUMENTS"
 

func/syshealth.sh

@@ -285,7 +285,7 @@ function syshealth_repair_system_config() {
 
 	# Backend port
 	if [[ -z $(check_key_exists 'BACKEND_PORT') ]]; then
-		ORIGINAL_PORT=$(cat $HESTIA/nginx/conf/nginx.conf | grep -m 1 "listen" | sed 's/[^0-9]*//g')
+		ORIGINAL_PORT=$(sed -ne "/listen/{s/.*listen[^0-9]*\([0-9][0-9]*\)[ \t]*ssl\;/\1/p;q}" "$HESTIA/nginx/conf/nginx.conf")
 		echo "[ ! ] Adding missing variable to hestia.conf: BACKEND_PORT ('$ORIGINAL_PORT')"
 		$BIN/v-change-sys-config-value 'BACKEND_PORT' $ORIGINAL_PORT
 	fi
@@ -451,9 +451,9 @@ function syshealth_repair_system_config() {
 		$BIN/v-change-sys-config-value "USE_SERVER_SMTP" "false"
 	fi
 
-	if [[ -z $(check_key_exists 'SERVER_SMTP_HOST') ]]; then
+	if [[ -z $(check_key_exists 'SERVER_SMTP_PORT') ]]; then
 		echo "[ ! ] Adding missing variable to hestia.conf: SERVER_SMTP_PORT ('')"
-		$BIN/v-change-sys-config-value "SERVER_SMTP_HOST" ""
+		$BIN/v-change-sys-config-value "SERVER_SMTP_PORT" ""
 	fi
 
 	if [[ -z $(check_key_exists 'SERVER_SMTP_HOST') ]]; then
@@ -575,3 +575,40 @@ function syshealth_repair_system_cronjobs() {
 	$BIN/v-add-cron-job 'admin' '*/5' '*' '*' '*' '*' "sudo $BIN/v-update-sys-rrd" '' 'no'
 	$BIN/v-restart-cron
 }
+
+# Adapt Port Listing in HESTIA NGINX Backend
+# Activates or deactivates port listing on IPV4 or/and IPV6 network interfaces
+function syshealth_adapt_hestia_nginx_listen_ports() {
+	# Detect "physical" NICs only (virtual NICs created by Docker, WireGuard etc. are excluded)
+	physical_nics="$(ip -d -j link show | jq -r '.[] | if .link_type == "loopback" // .linkinfo.info_kind then empty else .ifname end')"
+	if [ -z "$physical_nics" ]; then
+		physical_nics="$(ip -d -j link show | jq -r '.[] | if .link_type == "loopback" then empty else .ifname end')"
+	fi
+	for nic in $physical_nics; do
+		if [ -z "$ipv4_scope_global" ]; then
+			ipv4_scope_global="$(ip -4 -d -j addr show "$nic" | jq -r '.[] | select(length > 0) | .addr_info[] | if .scope == "global" then .local else empty end')"
+		fi
+		if [ -z "$ipv6_scope_global" ]; then
+			ipv6_scope_global="$(ip -6 -d -j addr show "$nic" | jq -r '.[] | select(length > 0) | .addr_info[] | if .scope == "global" then .local else empty end')"
+		fi
+	done
+
+	# Adapt port listing in nginx.conf depended on availability of IPV4 and IPV6 network interface
+	NGINX_BCONF_CHANGED=""
+	NGINX_BCONF="/usr/local/hestia/nginx/conf/nginx.conf"
+	NGINX_BCONF_TEMP="/tmp/nginx.conf"
+	cp "$NGINX_BCONF" "$NGINX_BCONF_TEMP"
+	if [ -z "$ipv4_scope_global" ]; then
+		sed -i 's/^\([ \t]*listen[ \t]*[0-9]\{1,5\}.*\)/#\1/' "$NGINX_BCONF"
+	else
+		sed -i 's/#\([ \t]*listen[ \t]*[0-9]\{1,5\}.*\)/\1/' "$NGINX_BCONF"
+	fi
+	if [ -z "$ipv6_scope_global" ]; then
+		sed -i 's/^\([ \t]*listen[ \t]*\[\:\:\]\:[0-9]\{1,5\}.*\)/#\1/' "$NGINX_BCONF"
+	else
+		sed -i 's/#\([ \t]*listen[ \t]*\[\:\:\]\:[0-9]\{1,5\}.*\)/\1/' "$NGINX_BCONF"
+	fi
+	cmp --silent "$NGINX_BCONF" "$NGINX_BCONF_TEMP"
+	[ $? -ne 0 ] && NGINX_BCONF_CHANGED="yes"
+	rm -f "$NGINX_BCONF_TEMP" > /dev/null 2>&1
+}

src/deb/nginx/hestia

@@ -31,33 +31,6 @@ set -e
 
 . /etc/profile.d/hestia.sh
 
-adapt_nginx_config() {
-	# Detect "physical" NICs only (virtual NICs created by Docker, WireGuard etc. are excluded)
-	physical_nics="$(ip -d -j link show | jq -r '.[] | if .link_type == "loopback" // .linkinfo.info_kind then empty else .ifname end')"
-	if [ -z "$physical_nics" ]; then
-		physical_nics="$(ip -d -j link show | jq -r '.[] | if .link_type == "loopback" then empty else .ifname end')"
-	fi
-	for nic in $physical_nics; do
-		if [ -z "$ipv4_scope_global" ]; then
-			ipv4_scope_global="$(ip -4 -d -j addr show "$nic" | jq -r '.[] | select(length > 0) | .addr_info[] | if .scope == "global" then .local else empty end')"
-		fi
-		if [ -z "$ipv6_scope_global" ]; then
-			ipv6_scope_global="$(ip -6 -d -j addr show "$nic" | jq -r '.[] | select(length > 0) | .addr_info[] | if .scope == "global" then .local else empty end')"
-		fi
-	done
-
-	if [ -n "$ipv4_scope_global" ]; then
-		sed -i 's/#IPV4\([ \t]*listen[ \t]*[0-9]\{1,5\}.*\)/\1/' "$NGINX_CONF"
-	else
-		sed -i 's/^\([ \t]*listen[ \t]*[0-9]\{1,5\}.*\)/#IPV4\1/' "$NGINX_CONF"
-	fi
-	if [ -n "$ipv6_scope_global" ]; then
-		sed -i 's/#IPV6\([ \t]*listen[ \t]*\[\:\:\]\:[0-9]\{1,5\}.*\)/\1/' "$NGINX_CONF"
-	else
-		sed -i 's/^\([ \t]*listen[ \t]*\[\:\:\]\:[0-9]\{1,5\}.*\)/#IPV6\1/' "$NGINX_CONF"
-	fi
-}
-
 update_nginx_resolver() {
 	if grep -qw "1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8" "$NGINX_CONF"; then
 		for nameserver in $(grep -is '^nameserver' /etc/resolv.conf | cut -d' ' -f2 | tr '\r\n' ' ' | xargs); do
@@ -77,7 +50,6 @@ update_nginx_resolver() {
 }
 
 start_nginx() {
-	#adapt_nginx_config
 	update_nginx_resolver
 	start-stop-daemon --start --quiet --pidfile $NGINX_PID \
 		--retry 5 --exec $NGINX_DAEMON --oknodo

src/deb/nginx/nginx.conf

@@ -116,6 +116,7 @@ http {
 	# Vhost
 	server {
 		listen              8083 ssl;
+		listen              [::]:8083 ssl;
 		server_name         _;
 		root                /usr/local/hestia/web;
 		# Fix error "The plain HTTP request was sent to HTTPS port"

src/deb/nginx/postinst

@@ -10,6 +10,10 @@ fi
 update-rc.d hestia defaults > /dev/null
 invoke-rc.d hestia start || true
 
+# Adapt Port Listing in HESTIA NGINX Backend
+source /usr/local/hestia/func/syshealth.sh # Load syshealth functions
+syshealth_adapt_hestia_nginx_listen_ports  # Adapt port listing
+
 # Run triggers only on updates
 if [ ! -e "/usr/local/hestia/data/users/admin" ]; then
 	exit
@@ -37,7 +41,7 @@ source /usr/local/hestia/conf/hestia.conf
 source /usr/local/hestia/install/upgrade/upgrade.conf
 
 # Reset backend port
-if [ ! -z "$BACKEND_PORT" ]; then
+if [ -n "$BACKEND_PORT" ]; then
 	/usr/local/hestia/bin/v-change-sys-port $BACKEND_PORT
 fi