Minor fixes (hestiacp#2199)

* Add rate limit to forget password

Max 1 email / 15 min / user same time length as key remains valid

* Optional download generated SSL certificates / keys 

Closes hestiacp#2181

* Block access to .xxxx files (Exception for .well-know 

Same rules as PHP-FPM templates!

* Fix hestiacp#2177 List available php version detection wrong

Closes hestiacp#2177

* Update permissions RC log

hestiacp#2173

* Update web/js/pages/list_ssl.js

Co-authored-by: Wojciech Smoliński <wojsmol@wp.pl>

* Add support for B2 download

Co-authored-by: Wojciech Smoliński <wojsmol@wp.pl>

Author: jaapmarcus

bin/v-add-sys-roundcube

@@ -132,7 +132,7 @@ if [ "$UPDATE" == "no" ]; then
     if [ ! -d  $RC_LOG ];then
         mkdir $RC_LOG
     fi
-    chown www-data:root $RC_LOG
+    chown www-data:www-data $RC_LOG
     chmod 751 $RC_LOG
 
     if [ ! -z "$(echo "$DB_SYSTEM" | grep -w 'mysql')" ]; then

bin/v-get-user-value

@@ -14,7 +14,7 @@
 
 # Argument definition
 user=$1
-key=$(echo "$2"| tr '[:lower:]' '[:upper:]' | sed "s/^/$/")
+key=$(echo "$2"| tr '[:lower:]' '[:upper:]')
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf

bin/v-restart-web-backend

@@ -50,9 +50,8 @@ if [ "$1" = 'scheduled' ] || [ -z "$1" ] && [ "$SCHEDULED_RESTART" = 'yes' ]; th
 fi
 
 tmpfile=$(mktemp)
-php_versions=$(ls /usr/sbin/php*fpm* | cut -d'/' -f4 | sed 's|php-fpm||')
 # Substitute php-fpm service name formats
-for version in $php_versions; do
+for version in $($BIN/v-list-sys-php plain); do
     v_php="php$version-fpm"
     if [ ! -f "/etc/php/${version}/fpm/pool.d/dummy.conf" ]; then
         cp -f "$HESTIA_INSTALL_DIR/php-fpm/dummy.conf" "/etc/php/${version}/fpm/pool.d/"

bin/v-restore-user

@@ -85,11 +85,19 @@ if [ ! -e "$BACKUP/$backup" ]; then
         ftp_download "$backup"
         downloaded='yes'
     fi
+    if [[ "$BACKUP_SYSTEM" =~ "b2" ]] && [ -z "$downloaded" ]; then
+        b2_download "$backup"
+        downloaded='yes'
+    fi
     if [ -z "$downloaded" ]; then
         check_result "$E_NOTEXIST" "backup file $backup doesn't exist in '${BACKUP}' folder"
     fi
 fi
 
+if [ ! -e "$BACKUP/$backup" ]; then 
+   check_result "$E_NOTEXIST" "backup file $backup doesn't exist in '${BACKUP}' folder"
+fi 
+
 # Checking user existence on the server
 check_user=$(is_object_valid 'user' 'USER' "$user")
 if [ -z "$check_user" ]; then

func/backup.sh

@@ -459,3 +459,17 @@ b2_backup() {
         done
     fi
 }
+
+b2_download() {
+    # Defining backblaze b2 settings
+    source_conf "$HESTIA/conf/b2.backup.conf"
+
+    # Recreate backblaze auth file ~/.b2_account_info (for situation when key was changed in b2.backup.conf)
+    b2 clear-account > /dev/null 2>&1
+    b2 authorize-account $B2_KEYID $B2_KEY > /dev/null 2>&1
+    cd $BACKUP
+    b2 download-file-by-name $BUCKET $user/$1 $1 > /dev/null 2>&1
+    if [ "$?" -ne 0 ]; then
+    check_result "$E_CONNECT" "b2 failed to download $user.$1"
+    fi
+}

install/deb/templates/web/nginx/caching.stpl

@@ -53,11 +53,10 @@ server {
         proxy_pass      https://%ip%:%web_ssl_port%;
     }
 
-    location ~ /\.ht    {return 404;}
-    location ~ /\.svn/  {return 404;}
-    location ~ /\.git/  {return 404;}
-    location ~ /\.hg/   {return 404;}
-    location ~ /\.bzr/  {return 404;}
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }
 
     proxy_hide_header Upgrade;
 

install/deb/templates/web/nginx/caching.tpl

@@ -48,11 +48,10 @@ server {
         proxy_pass      http://%ip%:%web_port%;
     }
 
-    location ~ /\.ht    {return 404;}
-    location ~ /\.svn/  {return 404;}
-    location ~ /\.git/  {return 404;}
-    location ~ /\.hg/   {return 404;}
-    location ~ /\.bzr/  {return 404;}
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }
 
     include %home%/%user%/conf/web/%domain%/nginx.conf_*;
 }

install/deb/templates/web/nginx/default.stpl

@@ -33,11 +33,10 @@ server {
         proxy_pass      https://%ip%:%web_ssl_port%;
     }
 
-    location ~ /\.ht    {return 404;}
-    location ~ /\.svn/  {return 404;}
-    location ~ /\.git/  {return 404;}
-    location ~ /\.hg/   {return 404;}
-    location ~ /\.bzr/  {return 404;}
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }
 
     proxy_hide_header Upgrade;
 

install/deb/templates/web/nginx/default.tpl

@@ -28,11 +28,10 @@ server {
         proxy_pass      http://%ip%:%web_port%;
     }
 
-    location ~ /\.ht    {return 404;}
-    location ~ /\.svn/  {return 404;}
-    location ~ /\.git/  {return 404;}
-    location ~ /\.hg/   {return 404;}
-    location ~ /\.bzr/  {return 404;}
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }
 
     include %home%/%user%/conf/web/%domain%/nginx.conf_*;
 }

install/deb/templates/web/nginx/hosting.stpl

@@ -33,11 +33,10 @@ server {
         proxy_pass      https://%ip%:%web_ssl_port%;
     }
 
-    location ~ /\.ht    {return 404;}
-    location ~ /\.svn/  {return 404;}
-    location ~ /\.git/  {return 404;}
-    location ~ /\.hg/   {return 404;}
-    location ~ /\.bzr/  {return 404;}
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }
 
     disable_symlinks if_not_owner from=%docroot%;