Sync with upstream development branch

Kristan Kenney · Kristan Kenney · commit a97f37d5a4c9 · 2019-04-25T22:05:51.000-04:00
diff --git a/install/deb/nginx/nginx.conf b/install/deb/nginx/nginx.conf
@@ -32,7 +32,7 @@ http {
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
     charset                         utf-8;
-    
+
     # FastCGI settings
     fastcgi_buffers                 4 256k;
     fastcgi_buffer_size             256k;
@@ -103,23 +103,22 @@ http {
     #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-    # SSL PCI Compliance
-    ssl_session_cache   shared:SSL:10m;
+    # SSL PCI compliance
+    ssl_session_cache   shared:SSL:20m;
+    ssl_buffer_size     1400;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
     ssl_dhparam         /etc/ssl/dhparam.pem;
-    ssl_ecdh_curve secp384r1;
-    ssl_session_cache shared:SSL:10m;
+    ssl_ecdh_curve      secp384r1;
     ssl_session_tickets off;
-    ssl_stapling on;
+    ssl_stapling        on;
     ssl_stapling_verify on;
-    ssl_buffer_size 1400;
     resolver 1.0.0.1 1.1.1.1 valid=300s;
-    resolver_timeout 5s;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-    add_header X-Frame-Options SAMEORIGIN;
-    add_header X-Content-Type-Options nosniff;
+    resolver_timeout    5s;
+    add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header          X-Frame-Options SAMEORIGIN;
+    add_header          X-Content-Type-Options nosniff;
 
     # Error pages
     error_page          403          /error/403.html;
@@ -141,7 +140,7 @@ http {
         ~wordpress_logged_in 1;
     }
 
-    # File cache settings
+    # File cache (static assets)
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
@@ -150,4 +149,4 @@ http {
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
     include             /etc/nginx/conf.d/domains/*.conf;
-}
+}
diff --git a/src/deb/nginx/control b/src/deb/nginx/control
@@ -1,7 +1,7 @@
 Source: hestia-nginx
 Package: hestia-nginx
 Priority: optional
-Version: 1.15.10
+Version: 1.16.0
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com
diff --git a/src/deb/nginx/nginx.conf b/src/deb/nginx/nginx.conf
@@ -75,12 +75,15 @@ http {
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
 
-    # SSL PCI Compliance
+    # SSL PCI compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_session_timeout 10m;
+    ssl_buffer_size     1400;
+    ssl_session_timeout 60m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    add_header          X-Frame-Options SAMEORIGIN;
+    add_header          X-Content-Type-Options nosniff;
 
     # Error pages
     error_page          403          /error/403.html;
diff --git a/src/deb/php/php.ini b/src/deb/php/php.ini
@@ -600,9 +600,10 @@ syslog.ident = hestia-php
 ; control characters. If your logger accepts everything, then no filtering
 ; is needed at all.
 ; Allowed values are:
-;   ascii (only base ASCII characters)
-;   no_ctrl (all characters except control characters)
+;   ascii (all printable ASCII characters and NL)
+;   no-ctrl (all characters except control characters)
 ;   all (all characters)
+; http://php.net/syslog.filter
 ;syslog.filter = ascii
 
 ;windows.show_crt_warning
@@ -1011,8 +1012,19 @@ date.timezone = UTC
 ;intl.use_exceptions = 0
 
 [sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
 ;sqlite3.extension_dir =
 
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+sqlite3.defensive = 1
+
 [Pcre]
 ; PCRE library backtracking limit.
 ; http://php.net/pcre.backtrack-limit
diff --git a/src/hst_autocompile.sh b/src/hst_autocompile.sh
@@ -7,9 +7,9 @@ INSTALL_DIR='/usr/local/hestia'
 
 # Set Version for compiling
 HESTIA_V='0.9.8-29_amd64'
-NGINX_V='1.15.11'
+NGINX_V='1.16.0'
 OPENSSL_V='1.1.1b'
-PCRE_V='8.42'
+PCRE_V='8.43'
 ZLIB_V='1.2.11'
 PHP_V='7.3.4'
 
@@ -345,4 +345,4 @@ if [ "$install" = 'yes' ] || [ "$install" = 'YES' ] || [ "$install" = 'y' ] || [
       dpkg -i $i
     done
     unset $answer
-fi
+fi
