Merge branch 'master' into dev-0714

Author: Lupul

CHANGELOG.md

@@ -3,10 +3,20 @@ All notable changes to this project will be documented in this file.
 
 ## [CURRENT] - Development
 ### Features
-- Add read only/demo mode function if DEMO_MODE is set to yes in hestia.conf
+- Add read only/demo mode function if DEMO_MODE is set to yes in hestia.conf.
+- Add php-imagick module to installer and upgrade scripts.
+- Add recidive filter function to fail2ban.
 
 ### Bugfixes
-- 
+- Add a detection of web root for add .well-known acme challenge.
+- Rework Let's Encrypt acme staging to use hestia conform standard.
+- Fix if condition, use nginx for Let's Encrypt acme request if present.
+- Rework v-add-sys-ip, remove centos/redhat support and rework conditions.
+- Enable hsts and force ssl on v-add-letsencrypt-host.
+- Prevent login action for webmail in list user view.
+- Remove hardcoded mail in helo data (cosmetic fix).
+- Fix sftp server validation check, thanks to @dbannik!
+- Implement warning message for creating web domains under admin user.
 
 ## [1.0.4] - 2019-07-09 - Hotfix
 ### Bugfixes

bin/v-add-backup-host

@@ -38,8 +38,7 @@ EOF
 sftpc() {
     expect -f "-" <<EOF "$@"
         set count 0
-        spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
-            Port=$port '$user@$host'"
+        spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o Port=$port $user@$host
         expect {
             "password:" {
                 send "$password\r"

bin/v-add-letsencrypt-domain

@@ -23,7 +23,7 @@ source $HESTIA/conf/hestia.conf
 # LE API
 LE_API='https://acme-v02.api.letsencrypt.org'
 
-if [[ "$LE_STAGING" =~ ^(YES|TRUE)$ ]]; then
+if [[ "$LE_STAGING" = 'yes' ]]; then
     LE_API='https://acme-staging-v02.api.letsencrypt.org'
 fi
 
@@ -228,30 +228,33 @@ for auth in $authz; do
         check_result $? "DNS _acme-challenge record wasn't created"
     else
         if [ -z "$mail" ]; then
-            if [ "$WEB_SYSTEM" = 'nginx' ] && [ ! -z "$PROXY_SYSTEM" ]; then
-                if [ ! -z "$mail" ]; then
-                    conf="$HOMEDIR/$user/conf/mail/$root_domain/$PROXY_SYSTEM.conf_letsencrypt"
-                    sconf="$HOMEDIR/$user/conf/mail/$root_domain/$PROXY_SYSTEM.ssl.conf_letsencrypt"
-                else
-                    conf="$HOMEDIR/$user/conf/web/$domain/$PROXY_SYSTEM.conf_letsencrypt"
-                    sconf="$HOMEDIR/$user/conf/web/$domain/$PROXY_SYSTEM.ssl.conf_letsencrypt"
-                fi
-
-                if [ ! -e "$conf" ]; then
-                    echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
-                        > $conf
-                    echo '    default_type text/plain;' >> $conf
-                    echo '    return 200 "$1.'$THUMB'";' >> $conf
-                    echo '}' >> $conf
-                fi
+            if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
+                conf="$HOMEDIR/$user/conf/web/$domain/nginx.conf_letsencrypt"
+                sconf="$HOMEDIR/$user/conf/web/$domain/nginx.ssl.conf_letsencrypt"
+                echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
+                    > $conf
+                echo '    default_type text/plain;' >> $conf
+                echo '    return 200 "$1.'$THUMB'";' >> $conf
+                echo '}' >> $conf
                 if [ ! -e "$sconf" ]; then
                     ln -s "$conf" "$sconf"
                 fi
-                $BIN/v-restart-proxy
-                check_result $? "Proxy restart failed" > /dev/null
-
+                if [ ! -z "$PROXY_SYSTEM" ]; then
+                    $BIN/v-restart-proxy
+                    check_result $? "Proxy restart failed" > /dev/null
+                fi
             else
-                well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
+                # Get root directory from configuration
+                domain_config="$HOMEDIR/$user/conf/web/$domain"
+                if [ -f "$domain_config/apache2.conf" ]; then
+                    well_known="$(cat $domain_config/apache2.conf | egrep \
+                                '^\s+DocumentRoot'| awk '{split($0, a, " "); \
+                                print a[2]}')/.well-known"
+                else
+                    well_known="$(cat $domain_config/nginx.conf | egrep '^\s+root'| \
+                                awk '{split($0, a, " "); print a[2]}' | \
+                                sed 's/;$//')/.well-known"
+                fi
                 acme_challenge="$well_known/acme-challenge"
                 mkdir -p $acme_challenge
                 echo "$token.$THUMB" > $acme_challenge/$token
@@ -264,8 +267,10 @@ for auth in $authz; do
             echo "$token.$THUMB" > $acme_challenge/$token
             chown -R $user:$user $well_known
         fi
-        $BIN/v-restart-web
-        check_result $? "Web restart failed" > /dev/null
+        if [ "$WEB_SYSTEM" = 'nginx' ]; then
+            $BIN/v-restart-web
+            check_result $? "Web restart failed" > /dev/null
+        fi
     fi
 
     # Requesting ACME validation / STEP 5

bin/v-add-letsencrypt-host

@@ -73,6 +73,10 @@ fi
 # Add certificate to backend
 $BIN/v-update-host-certificate $user $domain
 
+# Enable automatic ssl forward and hsts
+$BIN/v-add-web-domain-ssl-force $user $domain
+$BIN/v-add-web-domain-ssl-hsts $user $domain
+
 
 #----------------------------------------------------------#
 #                        Hestia                            #

bin/v-add-letsencrypt-user

@@ -19,7 +19,7 @@ source $HESTIA/conf/hestia.conf
 # LE API
 LE_API='https://acme-v02.api.letsencrypt.org'
 
-if [[ "$LE_STAGING" =~ ^(YES|TRUE)$ ]]; then
+if [[ "$LE_STAGING" = 'yes' ]]; then
     LE_API='https://acme-staging-v02.api.letsencrypt.org'
 fi
 

bin/v-add-sys-ip

@@ -66,43 +66,29 @@ if [ -z "$sys_ip_check" ]; then
     /sbin/ip addr add $ip/$cidr dev $iface \
         broadcast $broadcast label $iface
 
-    # Adding RHEL/CentOS/Fedora/Amazon startup script
-    if [ -d "/etc/sysconfig" ]; then
-        sys_ip="# Added by hestia"
-        sys_ip="$sys_ip\nDEVICE=$iface"
-        sys_ip="$sys_ip\nBOOTPROTO=static"
-        sys_ip="$sys_ip\nONBOOT=yes"
-        sys_ip="$sys_ip\nIPADDR=$ip"
-        sys_ip="$sys_ip\nNETMASK=$netmask"
-        echo -e $sys_ip > /etc/sysconfig/network-scripts/ifcfg-$iface
-    fi
-
-    # Adding Debian/Ubuntu startup script
-    if [ -e "/etc/debian_version" ]; then
-        if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed"; then
-            if [ -f "/etc/netplan/60-hestia.yaml" ]; then
-                sys_ip="        - $ip/$cidr"
-            else
-                sys_ip="# Added by hestia, please do not edit the file manually!"
-                sys_ip="$sys_ip\nnetwork:"
-                sys_ip="$sys_ip\n  version: 2"
-                sys_ip="$sys_ip\n  renderer: networkd"
-                sys_ip="$sys_ip\n  ethernets:"
-                sys_ip="$sys_ip\n    eth0:"
-                sys_ip="$sys_ip\n      addresses:"
-                sys_ip="$sys_ip\n        - $ip/$cidr"
-            fi
-            IFS='%'
-            echo -e $sys_ip >> /etc/netplan/60-hestia.yaml
-            unset IFS
+    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed"; then
+        if [ -f "/etc/netplan/60-hestia.yaml" ]; then
+            sys_ip="        - $ip/$cidr"
         else
-            sys_ip="\n# Added by hestia"
-            sys_ip="$sys_ip\nauto $iface"
-            sys_ip="$sys_ip\niface $iface inet static"
-            sys_ip="$sys_ip\naddress $ip"
-            sys_ip="$sys_ip\nnetmask $netmask"
-            echo -e $sys_ip >> /etc/network/interfaces
+            sys_ip="# Added by hestia, please do not edit the file manually!"
+            sys_ip="$sys_ip\nnetwork:"
+            sys_ip="$sys_ip\n  version: 2"
+            sys_ip="$sys_ip\n  renderer: networkd"
+            sys_ip="$sys_ip\n  ethernets:"
+            sys_ip="$sys_ip\n    eth0:"
+            sys_ip="$sys_ip\n      addresses:"
+            sys_ip="$sys_ip\n        - $ip/$cidr"
         fi
+        IFS='%'
+        echo -e $sys_ip >> /etc/netplan/60-hestia.yaml
+        unset IFS
+    else
+        sys_ip="\n# Added by hestia"
+        sys_ip="$sys_ip\nauto $iface"
+        sys_ip="$sys_ip\niface $iface inet static"
+        sys_ip="$sys_ip\naddress $ip"
+        sys_ip="$sys_ip\nnetmask $netmask"
+        echo -e $sys_ip >> /etc/network/interfaces
     fi
 fi
 

bin/v-list-sys-config

@@ -44,6 +44,7 @@ json_list() {
         "REPOSITORY": "'$REPOSITORY'",
         "VERSION": "'$VERSION'",
         "RELEASE_BRANCH": "'$RELEASE_BRANCH'",
+        "DEMO_MODE": "'$DEMO_MODE'",
         "THEME": "'$THEME'",
         "LANGUAGE": "'$LANGUAGE'",
         "BACKUP_GZIP": "'$BACKUP_GZIP'",
@@ -130,6 +131,9 @@ shell_list() {
         echo "Language:         $LANGUAGE"
     fi
     echo "Version:          $VERSION"
+    if [ ! -z "$DEMO_MODE" ]; then
+        echo "Demo Mode:        $DEMO_MODE"
+    fi
     echo "Release Branch:   $RELEASE_BRANCH"
     echo "Theme:            $THEME"
 }
@@ -141,8 +145,8 @@ plain_list() {
     echo -ne "$PROXY_SSL_PORT\t$FTP_SYSTEM\t$MAIL_SYSTEM\t$IMAP_SYSTEM\t"
     echo -ne "$ANTIVIRUS_SYSTEM\t$ANTISPAM_SYSTEM\t$DB_SYSTEM\t"
     echo -ne "$DNS_SYSTEM\t$DNS_CLUSTER\t$STATS_SYSTEM\t$BACKUP_SYSTEM\t"
-    echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t"
-    echo -ne "$FIREWALL_EXTENSION\t$REPOSITORY\t$VERSION\t$RELEASE_BRANCH\t$THEME\t$LANGUAGE\t"
+    echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t$FIREWALL_EXTENSION\t"
+    echo -ne "$REPOSITORY\t$VERSION\t$DEMO_MODE\t$RELEASE_BRANCH\t$THEME\t$LANGUAGE\t"
     echo -e "$BACKUP_GZIP\t$BACKUP\t$WEBMAIL_ALIAS\t$DB_PMA_URL\t$DB_PGA_URL"
 }
 
@@ -162,11 +166,11 @@ csv_list() {
     echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
     echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
     echo -n "'$PROXY_SSL_PORT','$FTP_SYSTEM','$MAIL_SYSTEM','$IMAP_SYSTEM',"
-    echo -n "'$ANTIVIRUS_SYSTEM','$ANTISPAM_SYSTEM','$DB_SYSTEM',"
-    echo -n "'$DNS_SYSTEM','$DNS_CLUSTER','$STATS_SYSTEM','$BACKUP_SYSTEM',"
-    echo -n "'$CRON_SYSTEM','$DISK_QUOTA','$FIREWALL_SYSTEM','$REPOSITORY',"
-    echo -n "'$FIREWALL_EXTENSION','$VERSION','$RELEASE_BRANCH','$THEME','$LANGUAGE','$BACKUP_GZIP',"
-    echo -n "'$BACKUP','$WEBMAIL_ALIAS','$DB_PMA_URL','$DB_PGA_URL'"
+    echo -n "'$ANTIVIRUS_SYSTEM','$ANTISPAM_SYSTEM','$DB_SYSTEM','$DNS_SYSTEM',"
+    echo -n "'$DNS_CLUSTER','$STATS_SYSTEM','$BACKUP_SYSTEM','$CRON_SYSTEM',"
+    echo -n "'$DISK_QUOTA','$FIREWALL_SYSTEM','$REPOSITORY','$FIREWALL_EXTENSION',"
+    echo -n "'$VERSION','$DEMO_MODE','$RELEASE_BRANCH','$THEME','$LANGUAGE',"
+    echo -n "'$BACKUP_GZIP','$BACKUP','$WEBMAIL_ALIAS','$DB_PMA_URL','$DB_PGA_URL'"
     echo
 }
 

install/deb/exim/exim4.conf.template

@@ -324,7 +324,7 @@ begin transports
 
 remote_smtp:
   driver = smtp
-  helo_data = mail.${sender_address_domain}
+  helo_data = ${sender_address_domain}
   dkim_domain = DKIM_DOMAIN
   dkim_selector = mail
   dkim_private_key = DKIM_PRIVATE_KEY

install/hst-install-debian.sh

@@ -31,7 +31,7 @@ if [ "$release" -eq 8 ]; then
         apache2-suexec-custom libapache2-mod-ruid2
         libapache2-mod-fcgid libapache2-mod-php5 php5 php5-common php5-cgi
         php5-mysql php5-curl php5-pgsql awstats vsftpd net-tools
-        proftpd-basic bind9 exim4 exim4-daemon-heavy clamav-daemon
+        php5-imagick proftpd-basic bind9 exim4 exim4-daemon-heavy clamav-daemon
         spamassassin dovecot-imapd dovecot-pop3d roundcube-core
         roundcube-mysql roundcube-plugins mariadb-client mariadb-common
         mariadb-server postgresql postgresql-contrib phppgadmin phpMyAdmin mc
@@ -43,7 +43,7 @@ elif [ "$release" -eq 9 ]; then
     software="nginx apache2 apache2-utils apache2-suexec-custom
         libapache2-mod-ruid2 libapache2-mod-fcgid libapache2-mod-php php
         php-common php-cgi php-mysql php-curl php-pgsql php-imap php-ldap php-apcu
-        awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy 
+        php-imagick awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy 
         clamav-daemon spamassassin dovecot-imapd dovecot-pop3d roundcube-core net-tools
         roundcube-mysql roundcube-plugins mariadb-client mariadb-common
         mariadb-server postgresql postgresql-contrib phppgadmin phpmyadmin mc
@@ -55,7 +55,7 @@ else
     software="nginx apache2 apache2-utils apache2-suexec-custom
         apache2-suexec-pristine libapache2-mod-fcgid libapache2-mod-php php
         php-common php-cgi php-mysql php-curl php-pgsql php-imap php-ldap php-apcu
-        awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy 
+        php-imagick awstats vsftpd proftpd-basic bind9 exim4 exim4-daemon-heavy 
         clamav-daemon spamassassin dovecot-imapd dovecot-pop3d roundcube-core net-tools
         roundcube-mysql roundcube-plugins mariadb-client mariadb-common
         mariadb-server postgresql postgresql-contrib phpmyadmin phppgadmin mc
@@ -722,7 +722,8 @@ if [ "$phpfpm" = 'yes' ]; then
     fpm="php$fpm_v php$fpm_v-common php$fpm_v-bcmath php$fpm_v-cli
          php$fpm_v-curl php$fpm_v-fpm php$fpm_v-gd php$fpm_v-intl
          php$fpm_v-mysql php$fpm_v-soap php$fpm_v-xml php$fpm_v-zip
-         php$fpm_v-mbstring php$fpm_v-json php$fpm_v-bz2 php$fpm_v-pspell"
+         php$fpm_v-mbstring php$fpm_v-json php$fpm_v-bz2 php$fpm_v-pspell
+         php$fpm_v-imagick"
     software="$software $fpm"
 fi
 

install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ software="apache2 apache2.2-common apache2-suexec-custom apache2-utils
     apparmor-utils awstats bc bind9 bsdmainutils bsdutils clamav-daemon
     cron curl dnsutils dovecot-imapd dovecot-pop3d e2fslibs e2fsprogs exim4
     exim4-daemon-heavy expect fail2ban flex ftp git idn imagemagick
-    libapache2-mod-fcgid libapache2-mod-php libapache2-mod-rpaf
+    libapache2-mod-fcgid libapache2-mod-php libapache2-mod-rpaf php-imagick
     libapache2-mod-ruid2 lsof mc mariadb-client mariadb-common mariadb-server nginx
     ntpdate php php-cgi php-common php-curl phpmyadmin php-mysql php-imap php-ldap
     php-apcu phppgadmin php-pgsql postgresql postgresql-contrib proftpd-basic quota
@@ -676,7 +676,8 @@ if [ "$phpfpm" = 'yes' ]; then
     fpm="php$fpm_v php$fpm_v-common php$fpm_v-bcmath php$fpm_v-cli
          php$fpm_v-curl php$fpm_v-fpm php$fpm_v-gd php$fpm_v-intl
          php$fpm_v-mysql php$fpm_v-soap php$fpm_v-xml php$fpm_v-zip
-         php$fpm_v-mbstring php$fpm_v-json php$fpm_v-bz2 php$fpm_v-pspell"
+         php$fpm_v-mbstring php$fpm_v-json php$fpm_v-bz2 php$fpm_v-pspell
+         php$fpm_v-imagick"
     software="$software $fpm"
 fi