Alexey Berezhok
2024-03-19 22:05:27 +03:00
commit 346a50856b
1572 changed files with 182163 additions and 0 deletions


@@ -0,0 +1,96 @@
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf.d
# | `-- *
# Global configuration
PidFile ${APACHE_PID_FILE}
Timeout 30
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#User www-data
#Group www-data
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
DefaultType None
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%b" bytes
IncludeOptional conf.d/*.conf
IncludeOptional conf.d/domains/webmail.*.conf
IncludeOptional conf.d/domains/*.conf
# Include the virtual host configurations:
#Include sites-enabled/
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 500 /error/50x.html
ErrorDocument 501 /error/50x.html
ErrorDocument 502 /error/50x.html
ErrorDocument 503 /error/50x.html
ErrorDocument 506 /error/50x.html
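Review bot: The `.ht*` guard written as `Order allow,deny` / `Deny from all` / `Satisfy all` is the Apache 2.2 mod_access_compat idiom; on 2.4 (which the `proxy:fcgi` SetHandler elsewhere in this commit suggests is the target) it only takes effect when mod_access_compat is loaded, and `DefaultType None` and `MaxClients` are likewise deprecated there. Replacing the three lines inside `<Files ~ "^\.ht">` with `Require all denied` keeps the protection independent of the compat module. This hunk also sets no `ServerTokens`, `ServerSignature` or `TraceEnable`; if those are not supplied by a file under `conf.d/` (not shown here), add `ServerTokens Prod`, `ServerSignature Off` and `TraceEnable Off` to the global section.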


@@ -0,0 +1,5 @@
<IfModule mpm_event_module>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</IfModule>
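Review bot: The `SetHandler "proxy:fcgi://127.0.0.1:9000"` mapping is wrapped in `<IfModule mpm_event_module>`, so on a server running the prefork or worker MPM no handler is set for `.php` and, unless mod_php or another handler is configured elsewhere (not visible in this commit), those requests fall through to the default handler and return the PHP source to the client. If the intent is "FPM only when the event MPM is active", say so in a comment such as `# PHP-FPM is only used with mpm_event; prefork installs use mod_php`; otherwise drop the `<IfModule>` wrapper so the handler applies regardless of MPM. The anchored `\.php$` pattern is the right choice, since it does not match names like `x.php.jpg`.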


@@ -0,0 +1,7 @@
Listen 127.0.0.1:8081
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
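Review bot: `<Location /server-status>` is not scoped to a virtual host, so `Listen 127.0.0.1:8081` does not confine the status page: the location is served on every listening socket and the only control is `Allow from 127.0.0.1` (2.2 mod_access_compat syntax). Any reverse proxy or local service that forwards client requests from 127.0.0.1 would satisfy that check and expose the page to external clients. Wrap the block in `<VirtualHost 127.0.0.1:8081>` … `</VirtualHost>` so the page exists only on the loopback listener, and replace the `Order`/`Deny`/`Allow` lines with the 2.4 form `Require ip 127.0.0.1 ::1`.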


@@ -0,0 +1,18 @@
<VirtualHost directIP:directPORT>
ServerName directIP
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
</VirtualHost>
<VirtualHost directIP:directSSLPORT>
ServerName directIP
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/hestia/ssl/certificate.crt
SSLCertificateKeyFile /usr/local/hestia/ssl/certificate.key
</VirtualHost>
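Review bot: `SSLVerifyClient none` on the TLS vhost is the default value and adds nothing, while the settings that decide the security of this listener — `SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder` — are not set in this hunk and are presumably inherited from a global `ssl.conf` under mods-enabled that this commit does not show. If that global file is not managed by the panel, pin them here, e.g. `SSLProtocol -all +TLSv1.2 +TLSv1.3`, so a distro default cannot re-enable TLS 1.0/1.1 for the direct-IP host. The plaintext vhost on `directIP:directPORT` serves the same DocumentRoot with no redirect to HTTPS; if that is intentional for the direct-IP fallback, a one-line comment saying so would help.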


@@ -0,0 +1,12 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@@ -0,0 +1,24 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no;
allow-recursion { 127.0.0.1; ::1; };
allow-transfer {"none";};
hostname none;
server-id none;
version none;
};
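Review bot: The resolver side is well locked down (`allow-recursion` restricted to loopback, `allow-transfer` none, `version`/`hostname`/`server-id` none), but the block sets no response rate limiting, and an authoritative server for hosted zones that answers large ANY responses to the whole Internet is a reflection/amplification vector. Consider adding `rate-limit { responses-per-second 10; window 5; };` and, on BIND 9.11 or later, `minimal-any yes;` inside `options`; both are tuning choices, so the numbers should be checked against the expected query load before shipping. A short comment above `allow-recursion` noting that loopback recursion is kept on purpose for the mail stack's DNSBL and DKIM lookups would stop a later hardening pass from switching to `recursion no;`.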


@@ -0,0 +1,88 @@
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose true
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
PidFile /run/clamav/clamd.pid
OnAccessMaxFileSize 5M
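Review bot: `LocalSocketMode 666` makes `/run/clamav/clamd.ctl` writable by every local account, which on a multi-tenant hosting box means any web or shell user can drive clamd: submit scan requests for any path the `clamav` user can read, or issue the `SHUTDOWN` command and stop scanning for everyone. `LocalSocketGroup clamav` is already set, so `LocalSocketMode 660` plus adding the Exim user to the `clamav` group (the Exim config in this commit connects to this socket via `av_scanner = clamd: /run/clamav/clamd.ctl` and runs as `Debian-exim`) keeps the function without the open socket. Separately, `ArchiveBlockEncrypted false` and `OLE2BlockMacros false` let password-protected archives and macro-bearing Office documents pass unflagged; if that is deliberate for a mail gateway, a comment such as `# encrypted archives and macro documents are passed through on purpose; the Exim MIME ACL filters by extension` would save the next maintainer a question.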


@@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)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=J2HJ
-----END PGP PUBLIC KEY BLOCK-----


@@ -0,0 +1,2 @@
bl.spamcop.net
zen.spamhaus.org
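Review bot: `zen.spamhaus.org` answers with 127.255.255.252–127.255.255.255 as error codes (typo in query, query via a public/open resolver, or over the free-usage limit) rather than as listings, and the Exim ACL in this commit consumes this file unmasked (`dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}}`), so any 127.x answer counts as a hit. Under those conditions every inbound SMTP connection would be rejected as blacklisted. Pin the match to the documented listing codes, e.g. `zen.spamhaus.org=127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.9,127.0.0.10,127.0.0.11`, which Exim's dnslist item syntax allows directly in this file. `bl.spamcop.net` returns only 127.0.0.2 and needs no qualifier.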


@@ -0,0 +1,476 @@
######################################################################
# #
# Exim configuration file for Hestia Control Panel #
# #
######################################################################
#SPAMASSASSIN = yes
#SPAM_SCORE = 50
#SPAM_REJECT_SCORE = 100
#CLAMD = yes
smtp_banner = $smtp_active_hostname
smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${listextract{1}{$value}}}{$primary_hostname}}
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6 = true
smtputf8_advertise_hosts =
domainlist local_domains = dsearch;/etc/exim4/domains/
domainlist relay_to_domains = dsearch;/etc/exim4/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf
no_local_from_check
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
# Then, we extract the domain with a function that would fail if the email address is invalid.
# If the certificate exists, we will use it, otherwise the default certificate in /etc/ssl will be used.
tls_certificate = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
{/usr/local/hestia/ssl/certificate.crt}\
}
tls_privatekey = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
{/usr/local/hestia/ssl/certificate.key}\
}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim4/domains/}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
OUTGOING_IP = /etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/ip
SMTP_RELAY_FILE = ${if exists{/etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/smtp_relay.conf}{/etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/smtp_relay.conf}{/etc/exim4/smtp_relay.conf}}
SMTP_RELAY_HOST = ${lookup{host}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PORT = ${lookup{port}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_USER = ${lookup{user}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PASS = ${lookup{pass}lsearch{SMTP_RELAY_FILE}}
# Custom Filter
system_filter = /etc/exim4/system.filter
system_filter_user = Debian-exim
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
acl_not_smtp = acl_not_smtp
begin acl
# Limit per user for PHP scripts
acl_not_smtp:
deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
accept
acl_check_spammers:
accept hosts = +whitelist
drop message = Your host in blacklist on this server.
log_message = Host in blacklist
hosts = +spammers
accept
acl_check_mail:
deny condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
drop !authenticated = *
message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
delay = 45s
drop !authenticated = *
condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop !authenticated = *
condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = $interface_address is _my_ address
accept
acl_check_rcpt:
accept hosts = :
# Limit per email account for SMTP auhenticated users
deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
set acl_c_msg_limit = ${if exists{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{${lookup {$authenticated_id} lsearch{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{$value}{${readfile{/etc/exim4/limit.conf}}}}}{${readfile{/etc/exim4/limit.conf}}} }
ratelimit = $acl_c_msg_limit / 1h / strict/ $authenticated_id
warn ratelimit = ${eval:$acl_c_msg_limit / 2} / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify = sender
accept hosts = +relay_from_hosts
control = submission
accept authenticated = *
control = submission/domain=
deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+whitelist
dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *
require verify = recipient
.ifdef CLAMD
warn set acl_m0 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
set acl_m0 = yes
.endif
.ifdef SPAMASSASSIN
warn set acl_m1 = no
set acl_m3 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}}
set acl_m1 = yes
warn condition = ${if exists {/etc/exim4/domains/$domain/reject_spam}{yes}{no}}
set acl_m3 = yes
.endif
accept
acl_check_data:
.ifdef CLAMD
deny message = Message contains a virus ($malware_name) and has been rejected
malware = */defer_ok
condition = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN
warn !authenticated = *
hosts = !+relay_from_hosts
condition = ${if < {$message_size}{1024K}}
condition = ${if eq{$acl_m1}{yes}{yes}{no}}
spam = debian-spamd:true/defer_ok
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
set acl_m2 = $spam_score_int
warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
add_header = X-Spam-Status: Yes
message = SpamAssassin detected spam (from $sender_address to $recipients).
# Deny spam at high score if spam score > SPAM_REJECT_SCORE and delete_spam is enabled
deny message = This message scored $spam_score spam points
spam = debian-spamd:true
condition = ${if eq{$acl_m3}{yes}{yes}{no}}
condition = ${if >{$spam_score_int}{SPAM_REJECT_SCORE}{1}{0}}
.endif
accept
acl_check_mime:
deny message = Blacklisted file extension detected
condition = ${if match {${lc:$mime_filename}}{\N(\.ace|\.ade|\.adp|\.app|\.arj|\.asp|\.aspx|\.asx|\.bas|\.bat|\.cab|\.cer|\.chm|\.cmd|\.cnt|\.com|\.cpl|\.crt|\.csh|\.der|\.diagcab|\.dll|\.efi|\.exe|\.fla|\.fon|\.fxp|\.gadget|\.grp|\.hlp|\.hpj|\.hta|\.htc|\.img|\.inf|\.ins|\.iso|\.isp|\.its|\.jar|\.jnlp|\.js|\.jse|\.ksh|\.lib|\.lnk|\.mad|\.maf|\.mag|\.mam|\.maq|\.mar|\.mas|\.mat|\.mau|\.mav|\.maw|\.mcf|\.mda|\.mdb|\.mde|\.mdt|\.mdw|\.mdz|\.msc|\.msh|\.msh1|\.msh1xml|\.msh2|\.msh2xml|\.mshxml|\.msi|\.msp|\.mst|\.msu|\.ops|\.osd|\.pcd|\.pif|\.pl|\.plg|\.prf|\.prg|\.printerexport|\.ps1|\.ps1xml|\.ps2|\.ps2xml|\.psc1|\.psc2|\.psd1|\.psdm1|\.pst|\.py|\.pyc|\.pyo|\.pyw|\.pyz|\.pyzw|\.reg|\.scf|\.scr|\.sct|\.sfx|\.shb|\.shs|\.swf|\.sys|\.theme|\.tmp|\.ttf|\.url|\.vb|\.vba|\.vbe|\.vbp|\.vbs|\.vhd|\.vhdx|\.vsmacros|\.vsw|\.vxd|\.webpnp|\.website|\.wim|\.ws|\.wsc|\.wsf|\.wsh|\.xbap|\.xll|\.xnk)$\N}{1}{0}}
accept
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
smtp_relay_login:
driver = plaintext
public_name = LOGIN
hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
send_via_unauthenticated_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
condition = ${if eq{SMTP_RELAY_USER}{}}
transport = remote_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
send_via_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
transport = smtp_relay_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
no_more
userforward:
driver = redirect
check_local_user
file = $home/.forward
require_files = ${local_part}:+${home}/.forward
domains = +local_domains
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify
autoreplay:
driver = accept
require_files = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg
condition = ${if exists{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg}{yes}{no}}
retry_use_local_part
transport = userautoreply
unseen
aliases:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}}
require_files = /etc/exim4/domains/$domain/aliases
redirect_router = dnslookup
pipe_transport = address_pipe
unseen
localuser_fwd_only:
driver = accept
transport = devnull
condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/fwd_only}{true}{false}}}}
localuser_spam:
driver = accept
transport = local_spam_delivery
condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}}
localuser:
driver = accept
transport = local_delivery
condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{true}{false}}
catchall:
driver = redirect
headers_add = X-redirected: yes
require_files = /etc/exim4/domains/$domain/aliases
data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}}
file_transport = local_delivery
redirect_router = dnslookup
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}
terminate_alias:
driver = accept
transport = devnull
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}}
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
smtp_relay_smtp:
driver = smtp
hosts_require_auth = $host_address
hosts_require_tls = $host_address
remote_smtp:
driver = smtp
helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
hosts_try_fastopen = !*.l.google.com
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output
local_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M
quota_warn_threshold = 75%
local_spam_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M
quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}"
quota_warn_threshold = 75%
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
userautoreply:
driver = autoreply
file = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}.msg
from = "${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}@${lookup{$domain}dsearch{/etc/exim4/domains/}}"
headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
to = "${sender_address}"
devnull:
driver = appendfile
file = /dev/null
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################
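Review bot: The `smtp_relay_smtp` transport requires TLS and AUTH to the relay (`hosts_require_tls = $host_address`, `hosts_require_auth = $host_address`) but nothing in this file sets `tls_verify_hosts`, so Exim's default opportunistic verification applies and a certificate failure is only logged; the LOGIN credentials read from `smtp_relay.conf` (`hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS`) are therefore sent to whichever host answers on `SMTP_RELAY_HOST:SMTP_RELAY_PORT`, including an on-path impostor presenting any certificate. Add `tls_verify_certificates = system` and `tls_verify_hosts = *` to that transport so a failed verification aborts the delivery instead of proceeding. As a secondary point, the `aliases` router (with `pipe_transport = address_pipe`) and `catchall` router (with `file_transport = local_delivery`) take their `data` from panel-written aliases files; adding `forbid_pipe` and `forbid_file` to both would limit the blast radius if an alias target were ever written as `|cmd` or as a path, whichever validation the panel applies upstream.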


@@ -0,0 +1,512 @@
######################################################################
# #
# Exim configuration file for Hestia Control Panel #
# #
######################################################################
#SPAMASSASSIN = yes
#SPAM_SCORE = 50
#SPAM_REJECT_SCORE = 100
#CLAMD = yes
smtp_banner = $smtp_active_hostname
smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${listextract{1}{$value}}}{$primary_hostname}}
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6 = true
SRS_SECRET = ${readfile{/etc/exim4/srs.conf}}
smtputf8_advertise_hosts =
domainlist local_domains = dsearch;/etc/exim4/domains/
domainlist relay_to_domains = dsearch;/etc/exim4/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf
no_local_from_check
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
# Then, we extract the domain with a function that would fail if the email address is invalid.
# If the certificate exists, we will use it, otherwise the default certificate in /etc/ssl will be used.
tls_certificate = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
{/usr/local/hestia/ssl/certificate.crt}\
}
tls_privatekey = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
{/usr/local/hestia/ssl/certificate.key}\
}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim4/domains/}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
OUTGOING_IP = /etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/ip
SMTP_RELAY_FILE = ${if exists{/etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/smtp_relay.conf}{/etc/exim4/domains/${lookup{$sender_address_domain}dsearch{/etc/exim4/domains}}/smtp_relay.conf}{/etc/exim4/smtp_relay.conf}}
SMTP_RELAY_HOST = ${lookup{host}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PORT = ${lookup{port}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_USER = ${lookup{user}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PASS = ${lookup{pass}lsearch{SMTP_RELAY_FILE}}
# Custom Filter
system_filter = /etc/exim4/system.filter
system_filter_user = Debian-exim
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
acl_not_smtp = acl_not_smtp
begin acl
# Limit per user for PHP scripts
acl_not_smtp:
deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
accept
acl_check_spammers:
accept hosts = +whitelist
drop message = Your host in blacklist on this server.
log_message = Host in blacklist
hosts = +spammers
accept
acl_check_mail:
deny condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
drop !authenticated = *
message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
delay = 45s
drop !authenticated = *
condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop !authenticated = *
condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = $interface_address is _my_ address
accept
acl_check_rcpt:
accept hosts = :
# Limit per email account for SMTP auhenticated users
deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
set acl_c_msg_limit = ${if exists{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{${lookup {$authenticated_id} lsearch{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{$value}{${readfile{/etc/exim4/limit.conf}}}}}{${readfile{/etc/exim4/limit.conf}}} }
ratelimit = $acl_c_msg_limit / 1h / strict/ $authenticated_id
warn ratelimit = ${eval:$acl_c_msg_limit / 2} / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify = sender
accept hosts = +relay_from_hosts
control = submission
accept authenticated = *
control = submission/domain=
deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+whitelist
dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *
require verify = recipient
.ifdef CLAMD
warn set acl_m0 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
set acl_m0 = yes
.endif
.ifdef SPAMASSASSIN
warn set acl_m1 = no
set acl_m3 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}}
set acl_m1 = yes
warn condition = ${if exists {/etc/exim4/domains/$domain/reject_spam}{yes}{no}}
set acl_m3 = yes
.endif
accept
acl_check_data:
.ifdef CLAMD
deny message = Message contains a virus ($malware_name) and has been rejected
malware = */defer_ok
condition = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN
warn !authenticated = *
hosts = !+relay_from_hosts
condition = ${if < {$message_size}{1024K}}
condition = ${if eq{$acl_m1}{yes}{yes}{no}}
spam = debian-spamd:true/defer_ok
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
set acl_m2 = $spam_score_int
warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
add_header = X-Spam-Status: Yes
message = SpamAssassin detected spam (from $sender_address to $recipients).
# Deny spam at high score if spam score > SPAM_REJECT_SCORE and delete_spam is enabled
deny message = This message scored $spam_score spam points
spam = debian-spamd:true
condition = ${if eq{$acl_m3}{yes}{yes}{no}}
condition = ${if >{$spam_score_int}{SPAM_REJECT_SCORE}{1}{0}}
.endif
accept
acl_check_mime:
deny message = Blacklisted file extension detected
condition = ${if match {${lc:$mime_filename}}{\N(\.ace|\.ade|\.adp|\.app|\.arj|\.asp|\.aspx|\.asx|\.bas|\.bat|\.cab|\.cer|\.chm|\.cmd|\.cnt|\.com|\.cpl|\.crt|\.csh|\.der|\.diagcab|\.dll|\.efi|\.exe|\.fla|\.fon|\.fxp|\.gadget|\.grp|\.hlp|\.hpj|\.hta|\.htc|\.img|\.inf|\.ins|\.iso|\.isp|\.its|\.jar|\.jnlp|\.js|\.jse|\.ksh|\.lib|\.lnk|\.mad|\.maf|\.mag|\.mam|\.maq|\.mar|\.mas|\.mat|\.mau|\.mav|\.maw|\.mcf|\.mda|\.mdb|\.mde|\.mdt|\.mdw|\.mdz|\.msc|\.msh|\.msh1|\.msh1xml|\.msh2|\.msh2xml|\.mshxml|\.msi|\.msp|\.mst|\.msu|\.ops|\.osd|\.pcd|\.pif|\.pl|\.plg|\.prf|\.prg|\.printerexport|\.ps1|\.ps1xml|\.ps2|\.ps2xml|\.psc1|\.psc2|\.psd1|\.psdm1|\.pst|\.py|\.pyc|\.pyo|\.pyw|\.pyz|\.pyzw|\.reg|\.scf|\.scr|\.sct|\.sfx|\.shb|\.shs|\.swf|\.sys|\.theme|\.tmp|\.ttf|\.url|\.vb|\.vba|\.vbe|\.vbp|\.vbs|\.vhd|\.vhdx|\.vsmacros|\.vsw|\.vxd|\.webpnp|\.website|\.wim|\.ws|\.wsc|\.wsf|\.wsh|\.xbap|\.xll|\.xnk)$\N}{1}{0}}
accept
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
smtp_relay_login:
driver = plaintext
public_name = LOGIN
hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
send_via_unauthenticated_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
condition = ${if eq{SMTP_RELAY_USER}{}}
transport = remote_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
send_via_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
transport = smtp_relay_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
dnslookup:
driver = dnslookup
# if outbound, and forwarding has been done, use an alternate transport
domains = ! +local_domains
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
no_more
userforward:
driver = redirect
check_local_user
file = $home/.forward
require_files = ${local_part}:+${home}/.forward
domains = +local_domains
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify
autoreplay:
driver = accept
require_files = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg
condition = ${if exists{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${local_part}.msg}{yes}{no}}
retry_use_local_part
transport = userautoreply
unseen
inbound_srs:
driver = redirect
senders = :
domains = +local_domains
# detect inbound bounces which are SRS'd, and decode them
condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
data = $srs_recipient
inbound_srs_failure:
driver = redirect
senders = :
domains = +local_domains
# detect inbound bounces which look SRS'd but are invalid
condition = ${if inbound_srs {$local_part} {}}
allow_fail
data = :fail: Invalid SRS recipient address
aliases:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}}
require_files = /etc/exim4/domains/$domain/aliases
redirect_router = dnslookup
pipe_transport = address_pipe
unseen
localuser_fwd_only:
driver = accept
transport = devnull
condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/fwd_only}{true}{false}}}}
localuser_spam:
driver = accept
transport = local_spam_delivery
condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}}
localuser:
driver = accept
transport = local_delivery
condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{true}{false}}
catchall:
driver = redirect
headers_add = X-redirected: yes
require_files = /etc/exim4/domains/$domain/aliases
data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}}}}
file_transport = local_delivery
redirect_router = dnslookup
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}
terminate_alias:
driver = accept
transport = devnull
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{true}{false}}
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
smtp_relay_smtp:
driver = smtp
hosts_require_auth = $host_address
hosts_require_tls = $host_address
remote_smtp:
driver = smtp
helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
hosts_try_fastopen = !*.l.google.com
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
remote_forwarded_smtp:
driver = smtp
helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
hosts_try_fastopen = !*.l.google.com
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
# modify the envelope from, for mails that we forward
max_rcpt = 1
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output
local_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M
quota_warn_threshold = 75%
local_spam_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M
quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}"
quota_warn_threshold = 75%
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
userautoreply:
driver = autoreply
file = /etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/autoreply.${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}.msg
from = "${extract{1}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/accounts}}}}@${lookup{$domain}dsearch{/etc/exim4/domains/}}"
headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
to = "${sender_address}"
devnull:
driver = appendfile
file = /dev/null
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################


@@ -0,0 +1,478 @@
######################################################################
# #
# Exim configuration file for Hestia Control Panel #
# #
######################################################################
#SPAMASSASSIN = yes
#SPAM_SCORE = 50
#SPAM_REJECT_SCORE = 100
#CLAMD = yes
smtp_banner = $smtp_active_hostname
smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${listextract{1}{$value}}}{$primary_hostname}}
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6 = true
smtputf8_advertise_hosts =
domainlist local_domains = dsearch;/etc/exim4/domains/
domainlist relay_to_domains = dsearch;/etc/exim4/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf
no_local_from_check
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
# Then, we extract the domain with a function that would fail if the email address is invalid.
# If the certificate exists, we will use it, otherwise the default certificate in /etc/ssl will be used.
tls_certificate = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
{/usr/local/hestia/ssl/certificate.crt}\
}
tls_privatekey = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
{/usr/local/hestia/ssl/certificate.key}\
}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/domains/${lc:${domain:$h_from:}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip
SMTP_RELAY_FILE = ${if exists{/etc/exim4/domains/${sender_address_domain}/smtp_relay.conf}{/etc/exim4/domains/$sender_address_domain/smtp_relay.conf}{/etc/exim4/smtp_relay.conf}}
SMTP_RELAY_HOST = ${lookup{host}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PORT = ${lookup{port}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_USER = ${lookup{user}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PASS = ${lookup{pass}lsearch{SMTP_RELAY_FILE}}
# Custom Filter
system_filter = /etc/exim4/system.filter
system_filter_user = Debian-exim
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
acl_not_smtp = acl_not_smtp
begin acl
# Limit per user for PHP scripts
acl_not_smtp:
deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
accept
acl_check_spammers:
accept hosts = +whitelist
drop message = Your host in blacklist on this server.
log_message = Host in blacklist
hosts = +spammers
accept
acl_check_mail:
deny condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
drop !authenticated = *
message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
delay = 45s
drop !authenticated = *
condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop !authenticated = *
condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = $interface_address is _my_ address
accept
acl_check_rcpt:
accept hosts = :
# Limit per email account for SMTP auhenticated users
deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
set acl_c_msg_limit = ${if exists{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{${lookup {$authenticated_id} lsearch{/etc/exim4/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim4/domains/}}/limits}{$value}{${readfile{/etc/exim4/limit.conf}}}}}{${readfile{/etc/exim4/limit.conf}}} }
ratelimit = $acl_c_msg_limit / 1h / strict/ $authenticated_id
warn ratelimit = ${eval:$acl_c_msg_limit / 2} / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify = sender
accept hosts = +relay_from_hosts
control = submission
accept authenticated = *
control = submission/domain=
deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+whitelist
dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *
require verify = recipient
.ifdef CLAMD
warn set acl_m0 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
set acl_m0 = yes
.endif
.ifdef SPAMASSASSIN
warn set acl_m1 = no
set acl_m3 = no
warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}}
set acl_m1 = yes
warn condition = ${if exists {/etc/exim4/domains/$domain/reject_spam}{yes}{no}}
set acl_m3 = yes
.endif
accept
acl_check_data:
.ifdef CLAMD
deny message = Message contains a virus ($malware_name) and has been rejected
malware = */defer_ok
condition = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN
warn !authenticated = *
hosts = !+relay_from_hosts
condition = ${if < {$message_size}{1024K}}
condition = ${if eq{$acl_m1}{yes}{yes}{no}}
spam = debian-spamd:true/defer_ok
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
set acl_m2 = $spam_score_int
warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
add_header = X-Spam-Status: Yes
message = SpamAssassin detected spam (from $sender_address to $recipients).
# Deny spam at high score if spam score > SPAM_REJECT_SCORE and delete_spam is enabled
deny message = This message scored $spam_score spam points
spam = debian-spamd:true
condition = ${if eq{$acl_m3}{yes}{yes}{no}}
condition = ${if >{$spam_score_int}{SPAM_REJECT_SCORE}{1}{0}}
.endif
accept
acl_check_mime:
deny message = Blacklisted file extension detected
condition = ${if match {${lc:$mime_filename}}{\N(\.ace|\.ade|\.adp|\.app|\.arj|\.asp|\.aspx|\.asx|\.bas|\.bat|\.cab|\.cer|\.chm|\.cmd|\.cnt|\.com|\.cpl|\.crt|\.csh|\.der|\.diagcab|\.dll|\.efi|\.exe|\.fla|\.fon|\.fxp|\.gadget|\.grp|\.hlp|\.hpj|\.hta|\.htc|\.img|\.inf|\.ins|\.iso|\.isp|\.its|\.jar|\.jnlp|\.js|\.jse|\.ksh|\.lib|\.lnk|\.mad|\.maf|\.mag|\.mam|\.maq|\.mar|\.mas|\.mat|\.mau|\.mav|\.maw|\.mcf|\.mda|\.mdb|\.mde|\.mdt|\.mdw|\.mdz|\.msc|\.msh|\.msh1|\.msh1xml|\.msh2|\.msh2xml|\.mshxml|\.msi|\.msp|\.mst|\.msu|\.ops|\.osd|\.pcd|\.pif|\.pl|\.plg|\.prf|\.prg|\.printerexport|\.ps1|\.ps1xml|\.ps2|\.ps2xml|\.psc1|\.psc2|\.psd1|\.psdm1|\.pst|\.py|\.pyc|\.pyo|\.pyw|\.pyz|\.pyzw|\.reg|\.scf|\.scr|\.sct|\.sfx|\.shb|\.shs|\.swf|\.sys|\.theme|\.tmp|\.ttf|\.url|\.vb|\.vba|\.vbe|\.vbp|\.vbs|\.vhd|\.vhdx|\.vsmacros|\.vsw|\.vxd|\.webpnp|\.website|\.wim|\.ws|\.wsc|\.wsf|\.wsh|\.xbap|\.xll|\.xnk)$\N}{1}{0}}
accept
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
smtp_relay_login:
driver = plaintext
public_name = LOGIN
hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
send_via_unauthenticated_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
condition = ${if eq{SMTP_RELAY_USER}{}}
transport = remote_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
send_via_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
transport = smtp_relay_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
no_more
userforward:
driver = redirect
check_local_user
file = $home/.forward
require_files = ${local_part}:+${home}/.forward
domains = +local_domains
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify
autoreplay:
driver = accept
require_files = /etc/exim4/domains/$domain/autoreply.${local_part}.msg
condition = ${if exists{/etc/exim4/domains/$domain/autoreply.${local_part}.msg}{yes}{no}}
retry_use_local_part
transport = userautoreply
unseen
aliases:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/$domain/aliases}}}}
require_files = /etc/exim4/domains/$domain/aliases
redirect_router = dnslookup
pipe_transport = address_pipe
unseen
localuser_fwd_only:
driver = accept
transport = devnull
condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/fwd_only}{true}{false}}}}
localuser_spam:
driver = accept
transport = local_spam_delivery
condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}
localuser:
driver = accept
transport = local_delivery
condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{true}{false}}
catchall:
driver = redirect
headers_add = X-redirected: yes
require_files = /etc/exim4/domains/$domain/aliases
data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/$domain/aliases}}}}
file_transport = local_delivery
redirect_router = dnslookup
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}
terminate_alias:
driver = accept
transport = devnull
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/$domain/aliases}{true}{false}}
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
smtp_relay_smtp:
driver = smtp
hosts_require_auth = $host_address
hosts_require_tls = $host_address
remote_smtp:
driver = smtp
helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
hosts_try_fastopen = !*.l.google.com
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output
local_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M
quota_warn_threshold = 75%
local_spam_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part/.Spam"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M
quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part"
quota_warn_threshold = 75%
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
userautoreply:
driver = autoreply
file = /etc/exim4/domains/$domain/autoreply.${local_part}.msg
from = "${local_part}@${domain}"
headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
to = "${sender_address}"
devnull:
driver = appendfile
file = /dev/null
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################
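Review bot: acl_check_data adds `X-Spam-Status`, `X-Spam-Score`, `X-Spam-Bar` and `X-Spam-Report` but never removes copies that arrived with the message, and downstream the `localuser_spam` router and the system filter (a later file in this commit) act on `$h_X-Spam-Status:`, so a sender-supplied `X-Spam-Status: Yes` is treated exactly like a local SpamAssassin verdict and the score headers users see in their clients need not be this server's. A `warn remove_header = X-Spam-Status : X-Spam-Score : X-Spam-Bar : X-Spam-Report` as the first verb of acl_check_data, placed outside the `.ifdef SPAMASSASSIN` so it also applies when scanning is off, keeps those headers authoritative. Separately, the `catchall` router's condition is the only place in this file that wraps `$domain` in `${lookup{$domain}dsearch{/etc/exim4/domains/}}`; every other router reads `/etc/exim4/domains/$domain/...` directly, which is safe here only because `dnslookup` with `no_more` has already discarded anything outside `+local_domains`, so a one-line comment above `userforward` stating that invariant would help, and the catchall condition can then use the plain `$domain` form to match `terminate_alias`.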


@@ -0,0 +1 @@
200



@@ -0,0 +1 @@
TOBEREPLACED


@@ -0,0 +1,16 @@
if $h_X-Spam-Status: contains "Yes"
then
headers add "Old-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_old-subject"
headers remove "Old-Subject"
endif
# X-Anti-Virus: infected
if $h_X-Anti-Virus: contains "infected"
then
headers add "Old-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** VIRUS *** $h_old-subject"
headers remove "Old-Subject"
endif
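Review bot: The second branch tests `$h_X-Anti-Virus:` for "infected", but nothing in the Exim ACLs visible in this commit adds that header — the CLAMD block in acl_check_data rejects infected messages at SMTP time rather than tagging them — so unless some other component sets it, this branch never fires. If it is kept for an optional scanner, replace the bare `# X-Anti-Virus: infected` line with a comment naming the component expected to add the header; otherwise drop the branch so the filter only reflects checks that actually run.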


@@ -0,0 +1,9 @@
# Fail2Ban configuration file for hestia
[Definition]
actionstart = /usr/local/hestia/bin/v-add-firewall-chain <name>
actionstop = /usr/local/hestia/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/hestia/bin/v-add-firewall-ban <ip> <name>
actionunban = /usr/local/hestia/bin/v-delete-firewall-ban <ip> <name>


@@ -0,0 +1,10 @@
# Fail2Ban filter for unsuccessful hestia authentication attempts
#
[INCLUDES]
before = common.conf
[Definition]
failregex = .* <HOST> failed to login
ignoreregex =
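Review bot: `failregex = .* <HOST> failed to login` has an unanchored leading `.*` and no trailing anchor, so it matches the phrase anywhere in a line; fail2ban's own filter guidance is to anchor to the log line's layout (`^` plus the prefix the Hestia auth log actually writes) so that a user-controlled field earlier in the line cannot shift what `<HOST>` captures. Since the exact format of /var/log/hestia/auth.log is not visible here I cannot propose the final pattern, but a comment quoting one sample log line above `failregex` would make the filter reviewable and testable with `fail2ban-regex`.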


@@ -0,0 +1,66 @@
[ssh-iptables]
enabled = true
filter = sshd
action = hestia[name=SSH]
logpath = /var/log/auth.log
maxretry = 5
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = hestia[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 5
[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
[dovecot-iptables]
enabled = true
filter = dovecot
action = hestia[name=MAIL]
logpath = /var/log/dovecot.log
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = hestia[name=DB]
logpath = /var/log/mysql/error.log
maxretry = 5
[hestia-iptables]
enabled = true
filter = hestia
action = hestia[name=HESTIA]
logpath = /var/log/hestia/auth.log
maxretry = 5
[roundcube-auth]
enabled = false
filter = roundcube-auth
action = hestia[name=WEB]
logpath = /var/log/roundcube/errors.log
maxretry = 5
[phpmyadmin-auth]
enabled = true
filter = phpmyadmin-syslog
action = hestia[name=WEB]
logpath = /var/log/auth.log
maxretry = 5
[recidive]
enabled = true
filter = recidive
action = hestia[name=RECIDIVE]
logpath = /var/log/fail2ban.log
maxretry = 5
findtime = 86400
bantime = 864000
#Uncomment and add your IPs and or domains to the Whitelist
#[DEFAULT]
#ignoreip = 111.111.111.111 222.222.222.222 subdomain.example.tld example.tld 333.333.333.333
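Review bot: `[exim-iptables]` and `[dovecot-iptables]` are the only enabled jails without an explicit `maxretry`, so they fall back to fail2ban's global default while every other jail here pins 5; if that difference is intentional, a comment saying so would stop the next editor from "fixing" it, otherwise add `maxretry = 5` for consistency. The commented `[DEFAULT]` example also lists `333.333.333.333`, which is not a valid IPv4 address; a documentation-range placeholder such as `203.0.113.5` avoids someone copying it verbatim.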


@@ -0,0 +1,48 @@
<?php
namespace Filegator\Services\Archiver\Adapters;
use Filegator\Container\Container;
use Filegator\Services\Archiver\ArchiverInterface;
use Filegator\Services\Service;
use Filegator\Services\Storage\Filesystem as Storage;
use Filegator\Services\Tmpfs\TmpfsInterface;
use function Hestiacp\quoteshellarg\quoteshellarg;
class HestiaZipArchiver extends ZipArchiver implements Service, ArchiverInterface {
protected $container;
public function __construct(TmpfsInterface $tmpfs, Container $container) {
$this->tmpfs = $tmpfs;
$this->container = $container;
}
public function uncompress(string $source, string $destination, Storage $storage) {
$auth = $this->container->get("Filegator\Services\Auth\AuthInterface");
$v_user = basename($auth->user()->getUsername());
if (!strlen($v_user)) {
return;
}
if (strpos($source, "/home") === false) {
$source = "/home/$v_user/" . $source;
}
if (strpos($destination, "/home") === false) {
$destination = "/home/$v_user/" . $destination;
}
exec(
"sudo /usr/local/hestia/bin/v-extract-fs-archive " .
quoteshellarg($v_user) .
" " .
quoteshellarg($source) .
" " .
quoteshellarg($destination),
$output,
$return_var,
);
}
}
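Review bot: The `strpos($source, "/home") === false` test on the source and destination is a substring check, not a prefix check: a relative path such as `projects/home-page/site.zip` contains `/home`, so it is handed to `v-extract-fs-archive` unprefixed, while an absolute path outside the user's tree that happens to contain `/home` is likewise passed straight to the sudo'd helper (which presumably does its own validation — confirm). `strpos(..., "/home/") !== 0` expresses the intended "already absolute under /home/" check on PHP 7.2, which this project pins. The exit status from `exec()` is also discarded, so a failed extraction looks identical to a successful one to the caller; check `$return_var` and signal failure the way the parent `ZipArchiver` does (throwing is one option, shown below).
```php
// Only paths already absolute under /home/ pass through; a relative path
// that merely contains "/home" must still be prefixed with the user's home.
if (strpos($source, "/home/") !== 0) {
    $source = "/home/$v_user/" . $source;
}
if (strpos($destination, "/home/") !== 0) {
    $destination = "/home/$v_user/" . $destination;
}
exec(
    // … unchanged: sudo v-extract-fs-archive command with quoteshellarg'd arguments …
    $output,
    $return_var,
);
if ($return_var !== 0) {
    throw new \RuntimeException("Archive extraction failed (exit code $return_var)");
}
```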


@@ -0,0 +1,122 @@
<?php
/*
* This file is part of the FileGator package.
*
* (c) Milos Stojanovic <alcalbg@gmail.com>
*
* For the full copyright and license information, please view the LICENSE file
*/
namespace Filegator\Services\Auth\Adapters;
use Filegator\Services\Auth\AuthInterface;
use Filegator\Services\Auth\User;
use Filegator\Services\Auth\UsersCollection;
use Filegator\Services\Service;
use function Hestiacp\quoteshellarg\quoteshellarg;
/**
* @codeCoverageIgnore
*/
class HestiaAuth implements Service, AuthInterface {
protected $permissions = [];
protected $private_repos = false;
protected $hestia_user = "";
public function init(array $config = []) {
if (isset($_SESSION["user"])) {
$v_user = $_SESSION["user"];
}
if (!empty($_SESSION["look"])) {
if (isset($_SESSION["look"]) && $_SESSION["userContext"] === "admin") {
$v_user = $_SESSION["look"];
}
if (
$_SESSION["look"] == "admin" &&
$_SESSION["POLICY_SYSTEM_PROTECTED_ADMIN"] == "yes"
) {
// Go away do not login
header("Location: /");
exit();
}
}
$this->hestia_user = $v_user;
$this->permissions = isset($config["permissions"]) ? (array) $config["permissions"] : [];
$this->private_repos = isset($config["private_repos"])
? (bool) $config["private_repos"]
: false;
}
public function user(): ?User {
$cmd = "/usr/bin/sudo /usr/local/hestia/bin/v-list-user";
exec($cmd . " " . quoteshellarg($this->hestia_user) . " json", $output, $return_var);
if ($return_var == 0) {
$data = json_decode(implode("", $output), true);
$hestia_user_info = $data[$this->hestia_user];
return $this->transformUser($hestia_user_info);
}
return $this->getGuest();
}
public function transformUser($hstuser): User {
$user = new User();
$user->setUsername($this->hestia_user);
$user->setName($this->hestia_user . " (" . $hstuser["NAME"] . ")");
$user->setRole("user");
$user->setPermissions($this->permissions);
$user->setHomedir("/");
return $user;
}
public function authenticate($username, $password): bool {
# Auth is handled by Hestia
return false;
}
public function forget() {
// Logout return to Hestia
return $this->getGuest();
}
public function store(User $user) {
return null; // not used
}
public function update($username, User $user, $password = ""): User {
// Password change is handled by Hestia
return $this->user();
}
public function add(User $user, $password): User {
return new User(); // not used
}
public function delete(User $user) {
return true; // not used
}
public function find($username): ?User {
return null; // not used
}
public function allUsers(): UsersCollection {
return new UsersCollection(); // not used
}
public function getGuest(): User {
$guest = new User();
$guest->setUsername("guest");
$guest->setName("Guest");
$guest->setRole("guest");
$guest->setHomedir("/");
$guest->setPermissions([]);
return $guest;
}
}
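Review bot: In `init()`, `$v_user` is only assigned inside the two session branches, so when `$_SESSION["user"]` is absent `$this->hestia_user = $v_user` reads an undefined variable (a notice on PHP 7.2) and stores null, and `user()` then runs `v-list-user` with an empty argument. Initialising `$v_user = ""` and returning the guest early from `user()` when it is empty avoids the sudo call entirely; `user()` should also verify that `json_decode()` produced an array containing the expected key before calling `transformUser()`, since `$data[$this->hestia_user]` is otherwise an undefined index passed as `$hstuser`. The `look` impersonation path is left as is; the added checks only cover the no-session and malformed-output cases.
```php
public function init(array $config = []) {
    $v_user = "";
    if (isset($_SESSION["user"])) {
        $v_user = $_SESSION["user"];
    }
    // … unchanged: "look" impersonation handling and protected-admin redirect …
    $this->hestia_user = $v_user;
    // … unchanged: permissions / private_repos …
}
public function user(): ?User {
    if ($this->hestia_user === "") {
        return $this->getGuest();
    }
    $cmd = "/usr/bin/sudo /usr/local/hestia/bin/v-list-user";
    exec($cmd . " " . quoteshellarg($this->hestia_user) . " json", $output, $return_var);
    if ($return_var == 0) {
        $data = json_decode(implode("", $output), true);
        if (is_array($data) && isset($data[$this->hestia_user])) {
            return $this->transformUser($data[$this->hestia_user]);
        }
    }
    return $this->getGuest();
}
```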


@@ -0,0 +1,64 @@
<?php
/*
* This file is part of the FileGator package.
*
* (c) Milos Stojanovic <alcalbg@gmail.com>
*
* For the full copyright and license information, please view the LICENSE file
*/
namespace Filegator\Services\Session\Adapters;
use Filegator\Kernel\Request;
use Filegator\Services\Service;
use Filegator\Services\Session\Session;
use Filegator\Services\Session\SessionStorageInterface;
class SessionStorage implements Service, SessionStorageInterface {
protected $request;
protected $config;
public function __construct(Request $request) {
$this->request = $request;
}
public function init(array $config = []) {
// we don't have a previous session attached
if (!$this->getSession()) {
$handler = $config["handler"];
$session = new Session($handler());
//$session->setName('filegator');
$this->setSession($session);
}
}
public function save() {
$this->getSession()->save();
}
public function set(string $key, $data) {
return $this->getSession()->set($key, $data);
}
public function get(string $key, $default = null) {
return $this->getSession() ? $this->getSession()->get($key, $default) : $default;
}
public function invalidate() {
if (!$this->getSession()->isStarted()) {
$this->getSession()->start();
}
$this->getSession()->invalidate();
}
private function setSession(Session $session) {
return $this->request->setSession($session);
}
private function getSession(): ?Session {
return $this->request->getSession();
}
}
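Review bot: `save()` and `invalidate()` dereference `$this->getSession()` without a null check, while `get()` explicitly treats a missing session as possible and falls back to `$default`; if `init()` has not run yet, those two methods throw on `null`. A guard such as `if (!$this->getSession()) { return; }` at the top of each keeps them consistent with `get()`. `init()` also reads `$config["handler"]` unconditionally and calls the result, so a missing key surfaces as an undefined-index notice followed by a fatal error rather than a clear configuration message; `if (!isset($config["handler"])) { throw new \InvalidArgumentException("session handler not configured"); }` before the call would make the failure explicit.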


@@ -0,0 +1,47 @@
{
"name": "filegator/filegator",
"description": "Filegator",
"license": "MIT",
"type": "project",
"config": {
"platform": {
"php": "7.2.5"
}
},
"require": {
"php": "^7.2",
"monolog/monolog": "^1.24",
"nikic/fast-route": "^1.3",
"symfony/security-csrf": "^4.4",
"symfony/http-foundation": "^4.4",
"dibi/dibi": "^4.1",
"php-di/php-di": "^6.0",
"rakit/validation": "^1.1",
"league/flysystem": "^1.1",
"league/flysystem-ziparchive": "^1.0",
"league/flysystem-sftp": "^1.0",
"hestiacp/phpquoteshellarg": "^1.0"
},
"authors": [
{
"name": "Milos Stojanovic",
"email": "alcalbg@gmail.com"
}
],
"autoload": {
"psr-4": {
"Filegator\\": "backend"
}
},
"autoload-dev": {
"psr-4": {
"Tests\\": "tests/backend/"
}
},
"require-dev": {
"phpunit/phpunit": "^8.0",
"symfony/var-dumper": "^4.4",
"league/flysystem-memory": "^1.0",
"phpstan/phpstan": "^0.11.8"
}
}
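Review bot: `config.platform.php` is pinned to `7.2.5`, so dependency resolution targets a PHP line that no longer receives security fixes, while the installer script added in this same commit runs Composer with `/usr/bin/php7.3`; pinning the platform to the interpreter actually used keeps resolution and runtime aligned. The large file suppressed directly after this section is presumably the lock file; if it is, `composer --no-dev install` in the installer is reproducible, otherwise every host resolves a fresh dependency set at install time.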



@@ -0,0 +1,175 @@
<?php
use function Hestiacp\quoteshellarg\quoteshellarg;
$dist_config = require __DIR__ . "/configuration_sample.php";
$dist_config["public_path"] = "/fm/";
$dist_config["frontend_config"]["app_name"] = "File Manager - Hestia Control Panel";
$dist_config["frontend_config"]["logo"] = "../images/logo.svg";
$dist_config["frontend_config"]["editable"] = [
".txt",
".css",
".js",
".ts",
".html",
".php",
".py",
".yml",
".xml",
".md",
".log",
".csv",
".conf",
".config",
".ini",
".scss",
".sh",
".env",
".example",
".htaccess",
".twig",
".tpl",
".yaml",
];
$dist_config["frontend_config"]["guest_redirection"] = "/login/";
$dist_config["frontend_config"]["upload_max_size"] = 1024 * 1024 * 1024;
$dist_config["services"]["Filegator\Services\Storage\Filesystem"]["config"][
"adapter"
] = function () {
if (!empty($_SESSION["INACTIVE_SESSION_TIMEOUT"])) {
if ($_SESSION["INACTIVE_SESSION_TIMEOUT"] * 60 + $_SESSION["LAST_ACTIVITY"] < time()) {
$v_user = quoteshellarg($_SESSION["user"]);
$v_session_id = quoteshellarg($_SESSION["token"]);
exec(
"/usr/local/hestia/bin/v-log-user-logout " . $v_user . " " . $v_session_id,
$output,
$return_var,
);
unset($_SESSION);
session_unset();
session_destroy();
session_start();
echo '<meta http-equiv="refresh" content="0; url=/">';
exit();
} else {
$_SESSION["LAST_ACTIVITY"] = time();
}
} else {
echo '<meta http-equiv="refresh" content="0; url=/">';
}
if (isset($_SESSION["user"])) {
$v_user = $_SESSION["user"];
}
if (!empty($_SESSION["look"])) {
if (isset($_SESSION["look"]) && $_SESSION["userContext"] === "admin") {
$v_user = $_SESSION["look"];
}
if (
isset($_SESSION["look"]) &&
$_SESSION["look"] == "admin" &&
$_SESSION["POLICY_SYSTEM_PROTECTED_ADMIN"] == "yes"
) {
header("Location: /");
}
}
# Create filemanager sftp key if missing and trash it after 30 min
if (!file_exists("/home/" . basename($v_user) . "/.ssh/hst-filemanager-key")) {
exec(
"sudo /usr/local/hestia/bin/v-add-user-sftp-key " .
quoteshellarg(basename($v_user)) .
" 30",
$output,
$return_var,
);
// filemanager also requires .ssh chmod o+x ... hopefully we can improve it to g+x or u+x someday
// current minimum for filemanager: chmod 0701 .ssh
shell_exec("sudo chmod o+x " . quoteshellarg("/home/" . basename($v_user) . "/.ssh"));
}
if (!isset($_SESSION["SFTP_PORT"])) {
exec("sudo /usr/local/hestia/bin/v-list-sys-sshd-port json", $output, $result);
$port = json_decode(implode("", $output));
if (is_numeric($port[0]) && $port[0] > 0) {
$_SESSION["SFTP_PORT"] = $port[0];
} elseif (
preg_match('/^\s*Port\s+(\d+)$/im', file_get_contents("/etc/ssh/sshd_config"), $matches)
) {
$_SESSION["SFTP_PORT"] = $matches[1] ?? 22;
} else {
$_SESSION["SFTP_PORT"] = 22;
}
}
preg_match(
'/(Hestia SFTP Chroot\nMatch User)(.*)/i',
file_get_contents("/etc/ssh/sshd_config"),
$matches,
);
$user_list = explode(",", $matches[2]);
if (in_array($v_user, $user_list)) {
$root = "/";
} else {
$root = "/home/" . $v_user;
}
return new \League\Flysystem\Sftp\SftpAdapter([
"host" => "127.0.0.1",
"port" => intval($_SESSION["SFTP_PORT"]),
"username" => basename($v_user),
"privateKey" => "/home/" . basename($v_user) . "/.ssh/hst-filemanager-key",
"root" => $root,
"timeout" => 10,
"directoryPerm" => 0755,
]);
};
$dist_config["services"]["Filegator\Services\Archiver\ArchiverInterface"] = [
"handler" => "\Filegator\Services\Archiver\Adapters\HestiaZipArchiver",
"config" => [],
];
$dist_config["services"]["Filegator\Services\Auth\AuthInterface"] = [
"handler" => "\Filegator\Services\Auth\Adapters\HestiaAuth",
"config" => [
"permissions" => ["read", "write", "upload", "download", "batchdownload", "zip"],
"private_repos" => false,
],
];
$dist_config["services"]["Filegator\Services\View\ViewInterface"]["config"] = [
"add_to_head" => '
<style>
.logo {
width: 46px;
}
</style>
',
"add_to_body" => '
<script>
var checkVueLoaded = setInterval(function() {
if (document.getElementsByClassName("container").length) {
clearInterval(checkVueLoaded);
var navProfile = document.getElementsByClassName("navbar-item profile")[0]; navProfile.replaceWith(navProfile.cloneNode(true))
document.getElementsByClassName("navbar-item logout")[0].text="Exit to Control Panel \u00BB";
div = document.getElementsByClassName("container")[0];
callback = function(){
if (document.getElementsByClassName("navbar-item logout")[0]){
if ( document.getElementsByClassName("navbar-item logout")[0].text != "Exit to Control Panel \u00BB" ){
var navProfile = document.getElementsByClassName("navbar-item profile")[0]; navProfile.replaceWith(navProfile.cloneNode(true))
document.getElementsByClassName("navbar-item logout")[0].text="Exit to Control Panel \u00BB";
}
}
}
config = {
childList:true,
subtree:true
}
observer = new MutationObserver(callback);
observer.observe(div,config);
}
}, 200);
</script>',
];
return $dist_config;
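Review bot: The protected-admin branch inside the adapter closure sets `header("Location: /");` but does not stop execution, so the closure still goes on to build and return an SFTP adapter rooted at the impersonated account's home; it should be `header("Location: /"); exit();`. The same fall-through exists in the `else` branch when `INACTIVE_SESSION_TIMEOUT` is empty: it echoes the `<meta http-equiv="refresh">` redirect and continues with `$v_user` possibly undefined, unlike the timed-out branch which calls `exit()`; unless that is intentional, the `echo` should be followed by `exit();` as well. Separately, `$matches[2]` from the `Hestia SFTP Chroot` `preg_match` is read without checking that the match succeeded, so a missing block yields an undefined-index notice and an empty `$user_list` instead of an explicit fallback.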


@@ -0,0 +1,71 @@
#!/bin/bash
# Checking root permissions
if [ "x$(id -u)" != 'x0' ]; then
echo "Error: Script can be run executed only by root"
exit 10
fi
if [ -z "$HESTIA" ]; then
HESTIA="/usr/local/hestia"
fi
user='admin'
fm_error='no'
source $HESTIA/func/main.sh
source $HESTIA/install/upgrade/upgrade.conf
if [ -z "$HOMEDIR" ] || [ -z "$HESTIA_INSTALL_DIR" ]; then
echo "Error: Hestia environment vars not present"
exit 2
fi
FM_INSTALL_DIR="$HESTIA/web/fm"
FM_FILE="filegator_latest"
FM_URL="https://github.com/filegator/static/raw/master/builds/filegator_latest.zip"
COMPOSER_BIN="$HOMEDIR/$user/.composer/composer"
if [ ! -f "$COMPOSER_BIN" ]; then
$BIN/v-add-user-composer "$user"
if [ $? -ne 0 ]; then
$BIN/v-add-user-notification admin 'Composer installation failed!' '<p class="u-text-bold">The File Manager will not work without Composer.</p><p>Please try running the installer from a shell session:<br><code>bash $HESTIA/install/deb/filemanager/install-fm.sh</code></p><p>If this issue continues, please <a href="https://github.com/hestiacp/hestiacp/issues" target="_blank">open an issue on GitHub</a>.</p>'
fm_error='yes'
fi
fi
if [ "$fm_error" != "yes" ]; then
rm --recursive --force "$FM_INSTALL_DIR"
mkdir -p "$FM_INSTALL_DIR"
cd "$FM_INSTALL_DIR"
[ ! -f "${FM_INSTALL_DIR}/${FM_FILE}" ] && wget "$FM_URL" --quiet -O "${FM_INSTALL_DIR}/${FM_FILE}.zip"
unzip -qq "${FM_INSTALL_DIR}/${FM_FILE}.zip"
mv --force ${FM_INSTALL_DIR}/filegator/* "${FM_INSTALL_DIR}"
rm --recursive --force ${FM_INSTALL_DIR}/${FM_FILE}
[[ -f "${FM_INSTALL_DIR}/${FM_FILE}" ]] && rm "${FM_INSTALL_DIR}/${FM_FILE}"
cp --recursive --force ${HESTIA_INSTALL_DIR}/filemanager/filegator/* "${FM_INSTALL_DIR}"
chown $user: -R "${FM_INSTALL_DIR}"
# Check if php7.3 is available and run the installer
if [ -f "/usr/bin/php7.3" ]; then
COMPOSER_HOME="$HOMEDIR/$user/.config/composer" user_exec /usr/bin/php7.3 $COMPOSER_BIN --quiet --no-dev install
if [ $? -ne 0 ]; then
$BIN/v-add-user-notification admin 'File Manager installation failed!' '<p>Please try running the installer from a shell session:<br><code>bash $HESTIA/install/deb/filemanager/install-fm.sh</code></p><p>If this issue continues, please <a href="https://github.com/hestiacp/hestiacp/issues" target="_blank">open an issue on GitHub</a>.</p>'
fm_error="yes"
fi
else
$BIN/v-add-user-notification admin 'File Manager installation failed!' '<p class="u-text-bold">Unable to proceed with installation of File Manager.</p><p>Package <span class="u-text-bold">php7.3-cli</span> is missing from your system. Please check your PHP installation and environment settings.</p>'
fm_error="yes"
fi
if [ "$fm_error" != "yes" ]; then
chown root: -R "${FM_INSTALL_DIR}"
chown $user: "${FM_INSTALL_DIR}/private"
chown $user: "${FM_INSTALL_DIR}/private/logs"
chown $user: "${FM_INSTALL_DIR}/repository"
fi
fi
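Review bot: The archive fetched with `wget "$FM_URL"` is a moving `filegator_latest.zip` that is unzipped and installed with no integrity check, so the deployed code is whatever that URL serves at install time; pinning a release and verifying a published checksum before `unzip` (for example `sha256sum -c` against a value shipped with Hestia, `<EXPECTED_SHA256_PLACEHOLDER>`) would make the install reproducible and detectable if the upstream artifact changes. The skip guard on that line tests `${FM_FILE}` while the download is written to `${FM_FILE}.zip`, so the existing-file check never matches and the later `rm` calls remove the wrong name, leaving the zip in the web directory; `[ ! -f "${FM_INSTALL_DIR}/${FM_FILE}.zip" ] && wget ...` and `rm --force "${FM_INSTALL_DIR}/${FM_FILE}.zip"` align them. `cd "$FM_INSTALL_DIR"` and `unzip` are not checked for failure, so a failed download still proceeds to `mv` and `chown`.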


@@ -0,0 +1,19 @@
/var/log/apache2/*.log /var/log/apache2/domains/*log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
create 640
sharedscripts
postrotate
/etc/init.d/apache2 reload > /dev/null || true
[ ! -f /run/nginx.pid ] || kill -USR1 `cat /run/nginx.pid`
endscript
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi; \
endscript
}


@@ -0,0 +1,12 @@
/var/log/dovecot*.log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
doveadm log reopen
endscript
}


@@ -0,0 +1,7 @@
/var/log/hestia/*.log {
rotate 12
monthly
missingok
notifempty
create 0600 root root
}


@@ -0,0 +1,4 @@
#!/bin/sh
# Changes made by HestiaCP due to https://github.com/hestiacp/hestiacp/issues/3289
/usr/local/hestia/bin/v-update-sys-queue webstats


@@ -0,0 +1,13 @@
/var/log/nginx/*log /var/log/nginx/domains/*log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
create 640
sharedscripts
postrotate
[ -f /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
endscript
}
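Review bot: The postrotate line `[ -f /run/nginx.pid ] && kill -USR1 ...` exits non-zero whenever nginx is not running, which logrotate reports as a failed postrotate script; the apache2 include in this commit uses the `[ ! -f … ] || kill …` form that succeeds in both cases. `[ ! -f /run/nginx.pid ] || kill -USR1 $(cat /run/nginx.pid)` keeps the two consistent.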


@@ -0,0 +1,7 @@
/var/log/roundcube/*.log {
rotate 12
monthly
missingok
notifempty
create 644 www-data www-data
}
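Review bot: `create 644 www-data www-data` makes rotated Roundcube logs world-readable, whereas the hestia logrotate include in this commit creates its logs `0600 root root`; webmail logs may record usernames and client addresses, so `create 640 www-data www-data` is the tighter default unless another local reader needs them.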


@@ -0,0 +1,50 @@
[client]
port=3306
socket=/run/mysqld/mysqld.sock
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld_safe]
socket=/run/mysqld/mysqld.sock
[mysqld]
user=mysql
pid-file=/run/mysqld/mysqld.pid
socket=/run/mysqld/mysqld.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
collation-server = utf8mb4_unicode_520_ci
init-connect='SET NAMES utf8mb4'
character-set-server = utf8mb4
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 256M
max_allowed_packet = 32M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=200
max_user_connections=50
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
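Review bot: The `[mysqld]` section sets `port=3306` but no `bind-address`, so the server listens on every interface unless one of the `!includedir` files overrides it; if only local access is intended, `bind-address=127.0.0.1` here makes that explicit instead of relying on the include. `local-infile=0` and `symbolic-links=0` are already set, which is good. The same applies to the two following my.cnf variants, which differ only in buffer and connection sizing.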


@@ -0,0 +1,49 @@
[client]
port=3306
socket=/run/mysqld/mysqld.sock
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld_safe]
socket=/run/mysqld/mysqld.sock
[mysqld]
user=mysql
pid-file=/run/mysqld/mysqld.pid
socket=/run/mysqld/mysqld.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
collation-server = utf8mb4_unicode_520_ci
init-connect='SET NAMES utf8mb4'
character-set-server = utf8mb4
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 16M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=70
max_user_connections=30
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/


@@ -0,0 +1,49 @@
[client]
port=3306
socket=/run/mysqld/mysqld.sock
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld_safe]
socket=/run/mysqld/mysqld.sock
[mysqld]
user=mysql
pid-file=/run/mysqld/mysqld.pid
socket=/run/mysqld/mysqld.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
collation-server = utf8mb4_unicode_520_ci
init-connect='SET NAMES utf8mb4'
character-set-server = utf8mb4
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 1M
table_open_cache = 10
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=30
max_user_connections=20
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/


@@ -0,0 +1,39 @@
# Implement TLS 1.3 0-RTT anti-replay for NGINX
# Requires: NGINX directive "ssl_early_data" on
# Usage:
# Make sure these "map" blocks are included in "http" block
# Put the following two lines in SSL "server" block, before any "location" blocks
# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
# if ($anti_replay = 425) { return 425; }
# Pass "Early-Data" header to backend/upstream
# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
# proxy_set_header Early-Data $rfc_early_data;
# Copyright © myrevery
# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)
map "$request_method:$is_args" $ar_idempotent {
default 0;
"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
}
map $http_user_agent $ar_support_425 {
default 0;
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
}
map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
1:0:0 307;
1:0:1 425;
}
map "$ssl_early_data:$ar_support_425" $rfc_early_data {
1:1 1;
}


@@ -0,0 +1,16 @@
map $http_user_agent $mobile_request {
default desktopversion;
"~*ipad" mobileversion;
"~*android.*mobile" mobileversion;
"~*iphone" mobileversion;
"~*ipod.*mobile" mobileversion;
"~*BlackBerry*Mobile Safari" mobileversion;
"~*BB*Mobile Safari" mobileversion;
"~*Opera.*Mini/7" mobileversion;
"~*IEMobile/10.*Touch" mobileversion;
"~*IEMobile/11.*Touch" mobileversion;
"~*IEMobile/7.0" mobileversion;
"~*IEMobile/9.0" mobileversion;
"~*Firefox.*Mobile" mobileversion;
"~*webOS" mobileversion;
}
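Review bot: The patterns `"~*BlackBerry*Mobile Safari"` and `"~*BB*Mobile Safari"` are regular expressions, so `y*` and `B*` mean "zero or more of the preceding character", not a wildcard; the first matches a constructed `BlackBerrMobile Safari` but not a real UA with text between the brand and `Mobile Safari`. `"~*BlackBerry.*Mobile Safari"` and `"~*BB.*Mobile Safari"` express the intended match.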


@@ -0,0 +1,130 @@
# Server globals
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /etc/nginx/conf.d/main/*.conf;
include /etc/nginx/modules-enabled/*.conf;
# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 180s;
client_body_timeout 180s;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 1024m;
large_client_header_buffers 4 8k;
send_timeout 60s;
keepalive_timeout 30s;
keepalive_requests 10000;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
charset utf-8;
# FastCGI settings
fastcgi_buffers 512 4k;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_connect_timeout 30s;
fastcgi_read_timeout 300s;
fastcgi_send_timeout 180s;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 5s;
fastcgi_cache_background_update on;
fastcgi_cache_revalidate on;
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Early-Data $rfc_early_data;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_buffers 256 4k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 32k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_read_timeout 300s;
proxy_send_timeout 180s;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
log_not_found off;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_vary on;
gzip_static on;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_buffers 128 4k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
gzip_proxied any;
# Cloudflare IPs
include /etc/nginx/conf.d/cloudflare.inc;
# SSL PCI compliance
ssl_buffer_size 1369;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_early_data on;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets on;
ssl_session_timeout 7d;
resolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
# Error pages
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 410 /error/410.html;
error_page 500 501 502 503 504 505 /error/50x.html;
# Proxy cache
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Cache-Control Expires;
proxy_cache_use_stale error timeout invalid_header updating http_502;
proxy_cache_valid any 1d;
# FastCGI cache
fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
add_header X-FastCGI-Cache $upstream_cache_status;
# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# File cache (static assets)
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/domains/*.conf;
}
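Review bot: `ssl_session_tickets on;` keeps TLS session tickets enabled with nginx's per-start ticket key, which appears not to be rotated anywhere in this file (`ssl_session_ticket_key` is not set), weakening forward secrecy for resumed sessions; since `ssl_session_cache shared:SSL:20m;` already provides resumption, `ssl_session_tickets off;` is the safer default unless key rotation is handled elsewhere. `add_header X-FastCGI-Cache $upstream_cache_status;` is emitted on every response and reveals cache state to all clients; it is useful for debugging but could be dropped or limited in production. `error_page 403 /error/404.html;` deliberately masks forbidden as not-found, which is fine, but deserves a one-line comment so it is not "fixed" later.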


@@ -0,0 +1,26 @@
location /%pma_alias% {
alias /usr/share/phpmyadmin/;
location ~ /(libraries|setup|templates|locale) {
deny all;
return 404;
}
location ~ /(.+\.(json|lock|md)) {
deny all;
return 404;
}
location ~ ^/%pma_alias%/(.*\.php)$ {
alias /usr/share/phpmyadmin/$1;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
location /%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$ {
root /usr/share/phpmyadmin/;
}
}
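Review bot: `location /%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$` has no `~` modifier, so nginx treats it as a literal prefix and the regex characters never match a real URI; static assets therefore fall through to the outer `alias`. If a regex was intended it needs `location ~ ^/%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$`, and `root /usr/share/phpmyadmin/` would then resolve to `/usr/share/phpmyadmin/%pma_alias%/…`, so `alias /usr/share/phpmyadmin/$1;` as in the PHP block is the matching form. `deny all;` before `return 404;` in the two deny blocks is redundant because `return` runs in the rewrite phase before access checks; harmless, but worth a comment if the belt-and-braces is intentional.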


@@ -0,0 +1,12 @@
location /%pga_alias% {
alias /usr/share/phppgadmin/;
location ~ ^/%pga_alias%/(.*\.php)$ {
alias /usr/share/phppgadmin/$1;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
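Review bot: Unlike the phpMyAdmin include in this commit, this location has no deny rules for non-public subdirectories, so every path under `/usr/share/phppgadmin/` is served by the outer `alias` and any `.php` file anywhere in that tree is executed by the regex block. If the package ships non-entry directories (its library or configuration directories, which I cannot confirm from here), a `location ~ /(conf|libraries) { return 404; }` block placed before the PHP location would mirror the phpMyAdmin hardening.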


@@ -0,0 +1,11 @@
server {
listen 127.0.0.1:8084 default_server;
server_name _;
server_name_in_redirect off;
location / {
stub_status on;
access_log off;
error_log /dev/null;
}
}


@@ -0,0 +1,52 @@
server {
listen directIP:80 default_server;
server_name _;
access_log off;
error_log /dev/null;
location / {
root /var/www/html;
location /phpmyadmin/ {
alias /var/www/document_errors/;
return 404;
}
location /phppgadmin/ {
alias /var/www/document_errors/;
return 404;
}
location /webmail {
alias /var/www/document_errors/;
return 404;
}
location /webmail/ {
alias /var/www/document_errors/;
return 404;
}
location /error/ {
alias /var/www/document_errors/;
}
}
}
server {
listen directIP:443 default_server ssl;
server_name _;
access_log off;
error_log /dev/null;
ssl_certificate /usr/local/hestia/ssl/certificate.crt;
ssl_certificate_key /usr/local/hestia/ssl/certificate.key;
return 301 http://$host$request_uri;
location / {
root /var/www/document_errors/;
}
location /error/ {
alias /var/www/document_errors/;
}
}
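Review bot: In the `directIP:443` server, `return 301 http://$host$request_uri;` sits at server context, so it runs for every request and the two `location` blocks below it are unreachable; it also sends TLS clients to plain HTTP, a downgrade for anything that reached the default SSL server by IP. If the goal is to park unknown hosts, `return 444;` or serving `/var/www/document_errors/` directly (as the port-80 server does) avoids the downgrade; if the redirect is intentional, the dead `location` blocks should be removed so the behaviour is obvious.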


@@ -0,0 +1,166 @@
<?php
/**
* Central phpPgAdmin configuration. As a user you may modify the
* settings here for your particular configuration.
*
* $Id: config.inc.php-dist,v 1.55 2008/02/18 21:10:31 xzilla Exp $
*/
// An example server. Create as many of these as you wish,
// indexed from zero upwards.
// Display name for the server on the login screen
$conf["servers"][0]["desc"] = "PostgreSQL";
// Hostname or IP address for server. Use '' for UNIX domain socket.
// use 'localhost' for TCP/IP connection on this computer
$conf["servers"][0]["host"] = "localhost";
// Database port on server (5432 is the PostgreSQL default)
$conf["servers"][0]["port"] = 5432;
// Database SSL mode
// Possible options: disable, allow, prefer, require
// To require SSL on older servers use option: legacy
// To ignore the SSL mode, use option: unspecified
$conf["servers"][0]["sslmode"] = "allow";
// Change the default database only if you cannot connect to template1.
// For a PostgreSQL 8.1+ server, you can set this to 'postgres'.
$conf["servers"][0]["defaultdb"] = "template1";
// Specify the path to the database dump utilities for this server.
// You can set these to '' if no dumper is available.
$conf["servers"][0]["pg_dump_path"] = "/usr/bin/pg_dump";
$conf["servers"][0]["pg_dumpall_path"] = "/usr/bin/pg_dumpall";
// Slony (www.slony.info) support?
$conf["servers"][0]["slony_support"] = false;
// Specify the path to the Slony SQL scripts (where slony1_base.sql is located, etc.)
// No trailing slash.
$conf["servers"][0]["slony_sql"] = "/usr/share/pgsql";
// Example for a second server (PostgreSQL for Windows)
//$conf['servers'][1]['desc'] = 'Test Server';
//$conf['servers'][1]['host'] = '127.0.0.1';
//$conf['servers'][1]['port'] = 5432;
//$conf['servers'][1]['sslmode'] = 'allow';
//$conf['servers'][1]['defaultdb'] = 'template1';
//$conf['servers'][1]['pg_dump_path'] = 'C:\\Program Files\\PostgreSQL\\8.0\\bin\\pg_dump.exe';
//$conf['servers'][1]['pg_dumpall_path'] = 'C:\\Program Files\\PostgreSQL\\8.0\\bin\\pg_dumpall.exe';
//$conf['servers'][1]['slony_support'] = false;
//$conf['servers'][1]['slony_sql'] = 'C:\\Program Files\\PostgreSQL\\8.0\\share';
// Example of groups definition.
// Groups allow administrators to logically group servers together under group nodes in the left browser tree
//
// The group '0' description
//$conf['srv_groups'][0]['desc'] = 'group one';
//
// Add here server indexes belonging to the group '0' separated by comma
//$conf['srv_groups'][0]['servers'] = '0,1,2';
//
// A server can belong to multi groups
//$conf['srv_groups'][1]['desc'] = 'group two';
//$conf['srv_groups'][1]['servers'] = '3,1';
// Default language. E.g.: 'english', 'polish', etc. See lang/ directory
// for all possibilities. If you specify 'auto' (the default) it will use
// your browser preference.
$conf["default_lang"] = "auto";
// AutoComplete uses AJAX interaction to list foreign key values
// on insert fields. It currently only works on single column
// foreign keys. You can choose one of the following values:
// 'default on' enables AutoComplete and turns it on by default.
// 'default off' enables AutoComplete but turns it off by default.
// 'disable' disables AutoComplete.
$conf["autocomplete"] = "default on";
// If extra session security is true, then PHP's session cookies will have
// SameSite cookie flags set to prevent CSRF attacks. If you're using
// auto-start sessions, autostarted sessions will be destroyed and
// restarted with SameSite on. If this this solution is not acceptable for
// your situation, you will need to either turn off auot-start sessions, or
// turn off secure sessions. Versions of PHP below 7.3 do not have access
// to this feature and will be vulnerable to CSRF attacks.
$conf["extra_session_security"] = true;
// If extra login security is true, then logins via phpPgAdmin with no
// password or certain usernames (pgsql, postgres, root, administrator)
// will be denied. Only set this false once you have read the FAQ and
// understand how to change PostgreSQL's pg_hba.conf to enable
// passworded local connections.
$conf["extra_login_security"] = true;
// Only show owned databases?
// Note: This will simply hide other databases in the list - this does
// not in any way prevent your users from seeing other database by
// other means. (e.g. Run 'SELECT * FROM pg_database' in the SQL area.)
$conf["owned_only"] = false;
// Display comments on objects? Comments are a good way of documenting
// a database, but they do take up space in the interface.
$conf["show_comments"] = true;
// Display "advanced" objects? Setting this to true will show
// aggregates, types, operators, operator classes, conversions,
// languages and casts in phpPgAdmin. These objects are rarely
// administered and can clutter the interface.
$conf["show_advanced"] = false;
// Display "system" objects?
$conf["show_system"] = false;
// Display reports feature? For this feature to work, you must
// install the reports database as explained in the INSTALL file.
$conf["show_reports"] = true;
// Database and table for reports
$conf["reports_db"] = "phppgadmin";
$conf["reports_schema"] = "public";
$conf["reports_table"] = "ppa_reports";
// Only show owned reports?
// Note: This does not prevent people from accessing other reports by
// other means.
$conf["owned_reports_only"] = false;
// Minimum length users can set their password to.
$conf["min_password_length"] = 1;
// Width of the left frame in pixels (object browser)
$conf["left_width"] = 200;
// Which look & feel theme to use
$conf["theme"] = "default";
// Show OIDs when browsing tables?
$conf["show_oids"] = false;
// Max rows to show on a page when browsing record sets
$conf["max_rows"] = 30;
// Max chars of each field to display by default in browse mode
$conf["max_chars"] = 50;
// Send XHTML strict headers?
$conf["use_xhtml_strict"] = false;
// Base URL for PostgreSQL documentation.
// '%s', if present, will be replaced with the PostgreSQL version
// (e.g. 8.4 )
$conf["help_base"] = "http://www.postgresql.org/docs/%s/interactive/";
// Configuration for ajax scripts
// Time in seconds. If set to 0, refreshing data using ajax will be disabled (locks and activity pages)
$conf["ajax_refresh"] = 3;
/*****************************************
* Don't modify anything below this line *
*****************************************/
$conf["version"] = 19;
?>
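Review bot: `$conf["min_password_length"] = 1;` permits one-character role passwords to be set through the phpPgAdmin UI, which is weaker than the rest of a hosting panel normally enforces; raising it (for example `$conf["min_password_length"] = 8;`) is a one-line change. `$conf["help_base"]` uses `http://`, so help links open over plain HTTP; switching the scheme to `https://` is straightforward. The closing `?>` tag is unnecessary in a PHP-only file and any whitespace after it becomes output; dropping it is conventional.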


@@ -0,0 +1,37 @@
Alias /%pga_alias% /usr/share/phppgadmin
<Directory /usr/share/phppgadmin>
DirectoryIndex index.php
AllowOverride None
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0 ::1/128
allow from all
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_value include_path .
</IfModule>
<IfModule mpm_event_module>
# Use www.conf instead
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</IfModule>
<IfModule !mod_php5.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
</IfModule>
</IfModule>
</Directory>
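Review bot: `allow from all` directly after `allow from 127.0.0.0/255.0.0.0 ::1/128` makes the localhost restriction a no-op: with `order deny,allow` any matching `allow` grants access, so phpPgAdmin is reachable from every address. If exposure is intended the two localhost lines should go; if not, the `allow from all` line should. These `order`/`allow`/`deny` directives are Apache 2.2 syntax that on 2.4 only work with `mod_access_compat` loaded; `Require all granted` or `Require ip 127.0.0.0/8 ::1` is the 2.4 form. The `<IfModule mod_php5.c>` blocks reference a module that no longer exists with current PHP and are dead configuration.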


@@ -0,0 +1,13 @@
; origin-src: deb/php-fpm/dummy.conf
[www]
listen = 127.0.0.1:9999
listen.allowed_clients = 127.0.0.1
user = www-data
group = www-data
pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 10s


@@ -0,0 +1,31 @@
; origin-src: deb/php-fpm/multiphp.tpl
;#=========================================================================#
;# Default Web Domain Template #
;# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
;# https://hestiacp.com/docs/server-administration/web-templates.html #
;#=========================================================================#
[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660
user = %user%
group = %user%
pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status
php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /home/%user%/.composer:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
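Review bot: `pm.status_path = /status` enables the FPM status endpoint for every generated pool; whether it is actually reachable depends on the web-server template routing `/status` to `php%backend_version%-fpm-%domain%.sock`, which cannot be confirmed from this file. If it is only meant for local monitoring, either omit it from the per-domain template or make sure the web template restricts `/status` to `127.0.0.1`. `php_admin_value[open_basedir]` includes `/usr/share` and `/opt` alongside the per-user paths, which is noticeably broader than the rest of the list; a comment in the template stating why those two are required would stop a later reviewer from tightening it blindly.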


@@ -0,0 +1,145 @@
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamically changed by using the
; '-p' argument from the command line.
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
; Warning: if you change the value here, you need to modify systemd
; service PIDFile= setting to match the value here.
pid = /run/php/phpfpm_v-fpm.pid
; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/phpfpm_v-fpm.log
; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon
; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php$fpm_v-fpm
; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
log_level = error
; Log limit on number of characters in the single line (log entry). If the
; line is over the limit, it is wrapped on multiple lines. The limit is for
; all logged characters including message prefix and suffix if present. However
; the new line character does not count into it as it is present only when
; logging to a file descriptor. It means the new line character is not present
; when logging to syslog.
; Default Value: 1024
;log_limit = 4096
; Log buffering specifies if the log line is buffered which means that the
; line is written in a single write operation. If the value is false, then the
; data is written directly into the file descriptor. It is an experimental
; option that can potentially improve logging performance and memory usage
; for some heavy logging scenarios. This option is ignored if logging to syslog
; as it has to be always buffered.
; Default value: yes
;log_buffering = no
; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
emergency_restart_threshold = 10
; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
emergency_restart_interval = 60s
; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
process_control_timeout = 10s
; The maximum number of processes FPM will fork. This has been designed to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
; process.max = 128
; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool process will inherit the master process priority
; unless specified otherwise
; Default Value: no set
; process.priority = -19
; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
;daemonize = yes
; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Specify the event mechanism FPM will use. The following is available:
; - select (any POSIX os)
; - poll (any POSIX os)
; - epoll (linux >= 2.5.44)
; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll (Solaris >= 7)
; - port (Solaris >= 10)
; Default Value: not set (auto detection)
events.mechanism = epoll
; When FPM is built with systemd integration, specify the interval,
; in seconds, between health report notification to systemd.
; Set to 0 to disable.
; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
; Multiple pools of child processes may be started with different listening
; ports and different management options. The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)
; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
; - the global prefix if it's been set (-p argument)
; - /usr otherwise
include=/etc/php/fpm_v/fpm/pool.d/*.conf
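Review bot: The commented `syslog.ident = php$fpm_v-fpm` spells the version token as `$fpm_v`, while `pid`, `error_log` and the `include` line use a bare `fpm_v`; if the installer substitutes `fpm_v` textually, the stray `$` survives and anyone later uncommenting the line gets an ident such as `php$8.2-fpm`. Changing it to `;syslog.ident = phpfpm_v-fpm` keeps the four placeholders consistent. This is inferred from the pattern of the other three lines; the substitution script itself is not visible here.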


@@ -0,0 +1,13 @@
; origin-src: deb/php-fpm/www.conf
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = www-data
group = www-data
pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 10s


@@ -0,0 +1,36 @@
<?php
/* PHPmyadmin config for Hestia 1.3.3 > */
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* All directives are explained in documentation in the doc/ folder
* or at <https://docs.phpmyadmin.net/>.
*
* @package PhpMyAdmin
*/
declare(strict_types=1);
/**
* This is needed for cookie based authentication to encrypt password in
* cookie. Needs to be 32 chars long.
*/
$cfg["blowfish_secret"] = "%blowfish_secret%"; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/**
* Directories for saving/loading files from server
*/
$cfg["UploadDir"] = "";
$cfg["SaveDir"] = "";
/**
* You can find more configuration options in the documentation
* in the doc/ folder or at <https://docs.phpmyadmin.net/>.
*/
//start with 1 other wise it doesn't work
$i = 1;
foreach (glob("/etc/phpmyadmin/conf.d/*.php") as $filename) {
include $filename;
/*Don't remove / alter code here below this will add SSO support for all servers*/
//Add Hestia SSO code here
$i++;
}
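Review bot: `$cfg["blowfish_secret"]` is assigned the template placeholder `%blowfish_secret%` with no check that substitution actually happened, so a failed or skipped template pass would leave every install encrypting the auth cookie with the same publicly known string. A guard right after the assignment, `if ($cfg["blowfish_secret"] === "%blowfish_secret%" || strlen($cfg["blowfish_secret"]) < 32) { die("blowfish_secret is not configured"); }`, turns that into a visible failure instead of a silently weak cookie. The comment `start with 1 other wise it doesn't work` would be clearer as `phpMyAdmin numbers $cfg['Servers'] from 1; the conf.d files below address $cfg['Servers'][$i]`, since that is what the included files rely on.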


@@ -0,0 +1,389 @@
-- --------------------------------------------------------
-- SQL Commands to set up the pmadb as described in the documentation.
--
-- This file is meant for use with MySQL 5 and above!
--
-- This script expects the user pma to already be existing. If we would put a
-- line here to create him too many users might just use this script and end
-- up with having the same password for the controluser.
--
-- This user "pma" must be defined in config.inc.php (controluser/controlpass)
--
-- Please don't forget to set up the tablenames in config.inc.php
--
-- --------------------------------------------------------
--
-- Database : `phpmyadmin`
--
CREATE DATABASE IF NOT EXISTS `phpmyadmin` DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
USE phpmyadmin;
-- --------------------------------------------------------
--
-- Privileges
--
-- (activate this statement if necessary)
-- GRANT SELECT, INSERT, DELETE, UPDATE, ALTER ON `phpmyadmin`.* TO
-- 'pma'@localhost;
-- --------------------------------------------------------
--
-- Table structure for table `pma__usergroups`
--
CREATE TABLE
IF NOT EXISTS `pma__usergroups` (
`usergroup` varchar(64) NOT NULL,
`tab` varchar(64) NOT NULL,
`allowed` enum ('Y', 'N') NOT NULL DEFAULT 'N',
PRIMARY KEY (`usergroup`, `tab`, `allowed`)
) COMMENT = 'User groups with configured menu items' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__designer_coords`
--
CREATE TABLE
IF NOT EXISTS `pma__designer_coords` (
`db_name` varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '',
`table_name` varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '',
`x` int (11) DEFAULT NULL,
`y` int (11) DEFAULT NULL,
`v` tinyint (4) DEFAULT NULL,
`h` tinyint (4) DEFAULT NULL,
PRIMARY KEY (`db_name`, `table_name`)
) ENGINE = MyISAM DEFAULT CHARSET = utf8 COLLATE = utf8_bin COMMENT = 'Table coordinates for Designer';
-- --------------------------------------------------------
--
-- Table structure for table `pma__bookmark`
--
CREATE TABLE
IF NOT EXISTS `pma__bookmark` (
`id` int (11) NOT NULL auto_increment,
`dbase` varchar(255) NOT NULL default '',
`user` varchar(255) NOT NULL default '',
`label` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`query` text NOT NULL,
PRIMARY KEY (`id`)
) COMMENT = 'Bookmarks' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__column_info`
--
CREATE TABLE
IF NOT EXISTS `pma__column_info` (
`id` int (5) unsigned NOT NULL auto_increment,
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`column_name` varchar(64) NOT NULL default '',
`comment` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`mimetype` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`transformation` varchar(255) NOT NULL default '',
`transformation_options` varchar(255) NOT NULL default '',
`input_transformation` varchar(255) NOT NULL default '',
`input_transformation_options` varchar(255) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `db_name` (`db_name`, `table_name`, `column_name`)
) COMMENT = 'Column information for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__history`
--
CREATE TABLE
IF NOT EXISTS `pma__history` (
`id` bigint (20) unsigned NOT NULL auto_increment,
`username` varchar(64) NOT NULL default '',
`db` varchar(64) NOT NULL default '',
`table` varchar(64) NOT NULL default '',
`timevalue` timestamp NOT NULL default CURRENT_TIMESTAMP,
`sqlquery` text NOT NULL,
PRIMARY KEY (`id`),
KEY `username` (`username`, `db`, `table`, `timevalue`)
) COMMENT = 'SQL history for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__pdf_pages`
--
CREATE TABLE
IF NOT EXISTS `pma__pdf_pages` (
`db_name` varchar(64) NOT NULL default '',
`page_nr` int (10) unsigned NOT NULL auto_increment,
`page_descr` varchar(50) COLLATE utf8_general_ci NOT NULL default '',
PRIMARY KEY (`page_nr`),
KEY `db_name` (`db_name`)
) COMMENT = 'PDF relation pages for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__recent`
--
CREATE TABLE
IF NOT EXISTS `pma__recent` (
`username` varchar(64) NOT NULL,
`tables` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Recently accessed tables' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__favorite`
--
CREATE TABLE
IF NOT EXISTS `pma__favorite` (
`username` varchar(64) NOT NULL,
`tables` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Favorite tables' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_uiprefs`
--
CREATE TABLE
IF NOT EXISTS `pma__table_uiprefs` (
`username` varchar(64) NOT NULL,
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
`prefs` text NOT NULL,
`last_update` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`username`, `db_name`, `table_name`)
) COMMENT = 'Tables'' UI preferences' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__relation`
--
CREATE TABLE
IF NOT EXISTS `pma__relation` (
`master_db` varchar(64) NOT NULL default '',
`master_table` varchar(64) NOT NULL default '',
`master_field` varchar(64) NOT NULL default '',
`foreign_db` varchar(64) NOT NULL default '',
`foreign_table` varchar(64) NOT NULL default '',
`foreign_field` varchar(64) NOT NULL default '',
PRIMARY KEY (`master_db`, `master_table`, `master_field`),
KEY `foreign_field` (`foreign_db`, `foreign_table`)
) COMMENT = 'Relation table' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_coords`
--
CREATE TABLE
IF NOT EXISTS `pma__table_coords` (
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`pdf_page_number` int (11) NOT NULL default '0',
`x` float unsigned NOT NULL default '0',
`y` float unsigned NOT NULL default '0',
PRIMARY KEY (`db_name`, `table_name`, `pdf_page_number`)
) COMMENT = 'Table coordinates for phpMyAdmin PDF output' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_info`
--
CREATE TABLE
IF NOT EXISTS `pma__table_info` (
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`display_field` varchar(64) NOT NULL default '',
PRIMARY KEY (`db_name`, `table_name`)
) COMMENT = 'Table information for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__tracking`
--
CREATE TABLE
IF NOT EXISTS `pma__tracking` (
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
`version` int (10) unsigned NOT NULL,
`date_created` datetime NOT NULL,
`date_updated` datetime NOT NULL,
`schema_snapshot` text NOT NULL,
`schema_sql` text,
`data_sql` longtext,
`tracking`
set
(
'UPDATE',
'REPLACE',
'INSERT',
'DELETE',
'TRUNCATE',
'CREATE DATABASE',
'ALTER DATABASE',
'DROP DATABASE',
'CREATE TABLE',
'ALTER TABLE',
'RENAME TABLE',
'DROP TABLE',
'CREATE INDEX',
'DROP INDEX',
'CREATE VIEW',
'ALTER VIEW',
'DROP VIEW'
) default NULL,
`tracking_active` int (1) unsigned NOT NULL default '1',
PRIMARY KEY (`db_name`, `table_name`, `version`)
) COMMENT = 'Database changes tracking for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__userconfig`
--
CREATE TABLE
IF NOT EXISTS `pma__userconfig` (
`username` varchar(64) NOT NULL,
`timevalue` timestamp NOT NULL default CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`config_data` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'User preferences storage for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__users`
--
CREATE TABLE
IF NOT EXISTS `pma__users` (
`username` varchar(64) NOT NULL,
`usergroup` varchar(64) NOT NULL,
PRIMARY KEY (`username`, `usergroup`)
) COMMENT = 'Users and their assignments to user groups' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__usergroups`
--
CREATE TABLE
IF NOT EXISTS `pma__usergroups` (
`usergroup` varchar(64) NOT NULL,
`tab` varchar(64) NOT NULL,
`allowed` enum ('Y', 'N') NOT NULL DEFAULT 'N',
PRIMARY KEY (`usergroup`, `tab`, `allowed`)
) COMMENT = 'User groups with configured menu items' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__navigationhiding`
--
CREATE TABLE
IF NOT EXISTS `pma__navigationhiding` (
`username` varchar(64) NOT NULL,
`item_name` varchar(64) NOT NULL,
`item_type` varchar(64) NOT NULL,
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
PRIMARY KEY (
`username`,
`item_name`,
`item_type`,
`db_name`,
`table_name`
)
) COMMENT = 'Hidden items of navigation tree' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__savedsearches`
--
CREATE TABLE
IF NOT EXISTS `pma__savedsearches` (
`id` int (5) unsigned NOT NULL auto_increment,
`username` varchar(64) NOT NULL default '',
`db_name` varchar(64) NOT NULL default '',
`search_name` varchar(64) NOT NULL default '',
`search_data` text NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `u_savedsearches_username_dbname` (`username`, `db_name`, `search_name`)
) COMMENT = 'Saved searches' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__central_columns`
--
CREATE TABLE
IF NOT EXISTS `pma__central_columns` (
`db_name` varchar(64) NOT NULL,
`col_name` varchar(64) NOT NULL,
`col_type` varchar(64) NOT NULL,
`col_length` text,
`col_collation` varchar(64) NOT NULL,
`col_isNull` boolean NOT NULL,
`col_extra` varchar(255) default '',
`col_default` text,
PRIMARY KEY (`db_name`, `col_name`)
) COMMENT = 'Central list of columns' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__designer_settings`
--
CREATE TABLE
IF NOT EXISTS `pma__designer_settings` (
`username` varchar(64) NOT NULL,
`settings_data` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Settings related to Designer' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__export_templates`
--
CREATE TABLE
IF NOT EXISTS `pma__export_templates` (
`id` int (5) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(64) NOT NULL,
`export_type` varchar(10) NOT NULL,
`template_name` varchar(64) NOT NULL,
`template_data` text NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `u_user_type_template` (`username`, `export_type`, `template_name`)
) COMMENT = 'Saved export templates' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
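Review bot: `pma__usergroups` is created twice in this file — once at the top, before `pma__designer_coords`, and again after `pma__users`; the second statement is a no-op thanks to `IF NOT EXISTS`, but two copies will drift if one is ever edited, so drop the first and keep the single definition next to `pma__users`. The header comment also leaves the `GRANT SELECT, INSERT, DELETE, UPDATE, ALTER ON phpmyadmin.* TO 'pma'@localhost` line commented out, while the installer script in this commit grants `ALL PRIVILEGES` on the database to the same control user; the two should be aligned on the narrower set. `pma__designer_coords` is the only table pinned to `ENGINE = MyISAM`, which looks like a leftover rather than a deliberate choice.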


@@ -0,0 +1,213 @@
<?php
/* Hestia way to enable support for SSO to PHPmyAdmin */
/* To install please run v-add-sys-pma-sso */
/* Following keys will get replaced when calling v-add-sys-pma-sso */
define("PHPMYADMIN_KEY", "%PHPMYADMIN_KEY%");
define("API_HOST_NAME", "%API_HOST_NAME%");
define("API_HESTIA_PORT", "%API_HESTIA_PORT%");
define("API_KEY", "%API_KEY%");
class Hestia_API {
/** @var string */
public $hostname;
/** @var string */
public $key;
/** @var string */
public $pma_key;
/** @var string */
private $api_url;
public function __construct() {
$this->hostname = "https://" . API_HOST_NAME . ":" . API_HESTIA_PORT . "/api/";
$this->key = API_KEY;
$this->pma_key = PHPMYADMIN_KEY;
}
/* Creates curl request */
public function request($postvars) {
$postdata = http_build_query($postvars);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $this->hostname);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postdata);
$answer = curl_exec($curl);
return $answer;
}
/* Creates an new temp user in mysql */
public function create_temp_user($database, $user, $host) {
$post_request = [
"hash" => $this->key,
"returncode" => "no",
"cmd" => "v-add-database-temp-user",
"arg1" => $user,
"arg2" => $database,
"arg3" => "mysql",
"arg4" => $host,
];
$request = $this->request($post_request);
$json = json_decode($request);
if (json_last_error() == JSON_ERROR_NONE) {
return $json;
} else {
trigger_error("Unable to connect over API please check api connection", E_USER_WARNING);
return false;
}
}
/* Delete an new temp user in mysql */
public function delete_temp_user($database, $user, $dbuser, $host) {
$post_request = [
"hash" => $this->key,
"returncode" => "yes",
"cmd" => "v-delete-database-temp-user",
"arg1" => $user,
"arg2" => $database,
"arg3" => $dbuser,
"arg4" => "mysql",
"arg5" => $host,
];
$request = $this->request($post_request);
if (is_numeric($request) && $request == 0) {
return true;
} else {
return false;
}
}
public function get_user_ip() {
// Saving user IPs to the session for preventing session hijacking
$user_combined_ip = [];
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["SERVER_ADDR"]) {
$user_combined_ip[] = $_SERVER["REMOTE_ADDR"];
}
if (isset($_SERVER["HTTP_CLIENT_IP"])) {
$user_combined_ip .= "|" . $_SERVER["HTTP_CLIENT_IP"];
}
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["HTTP_X_FORWARDED_FOR"]) {
$user_combined_ip[] = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
}
if (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["HTTP_FORWARDED_FOR"]) {
$user_combined_ip[] = $_SERVER["HTTP_FORWARDED_FOR"];
}
}
if (isset($_SERVER["HTTP_X_FORWARDED"])) {
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["HTTP_X_FORWARDED"]) {
$user_combined_ip[] = $_SERVER["HTTP_X_FORWARDED"];
}
}
if (isset($_SERVER["HTTP_FORWARDED"])) {
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["HTTP_FORWARDED"]) {
$user_combined_ip[] = "|" . $_SERVER["HTTP_FORWARDED"];
}
}
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$user_combined_ip[] = $_SERVER["HTTP_CF_CONNECTING_IP"];
}
}
return implode("|", $user_combined_ip);
}
}
function verify_token($database, $user, $ip, $time, $token) {
if (!password_verify($database . $user . $ip . $time . PHPMYADMIN_KEY, $token)) {
if (
!password_verify(
$database . $user . $_SERVER["SERVER_ADDR"] . "|" . $ip . $time . PHPMYADMIN_KEY,
$token,
)
) {
trigger_error(
"Access denied: There is a security token mismatch " . $time,
E_USER_WARNING,
);
session_invalid();
}
}
return;
}
/* Need to have cookie visible from parent directory */
session_set_cookie_params(0, "/", "", true, true);
/* Create signon session */
$session_name = "SignonSession";
session_name($session_name);
@session_start();
function session_invalid() {
global $session_name;
//delete all current sessions
session_destroy();
setcookie($session_name, null, -1, "/");
header("Location: " . dirname($_SERVER["PHP_SELF"]) . "/index.php");
die();
}
$api = new Hestia_API();
if (!empty($_GET)) {
if (isset($_GET["logout"])) {
$api->delete_temp_user(
$_SESSION["HESTIA_sso_database"],
$_SESSION["HESTIA_sso_user"],
$_SESSION["PMA_single_signon_user"],
$_SESSION["HESTIA_sso_host"],
);
//remove session
session_invalid();
} else {
if (isset($_GET["user"]) && isset($_GET["hestia_token"])) {
$database = $_GET["database"];
$user = $_GET["user"];
$host = "localhost";
$token = $_GET["hestia_token"];
if (is_numeric($_GET["exp"])) {
$time = $_GET["exp"];
} else {
$time = 0;
}
if ($time + 60 > time()) {
//note: Possible issues with cloudflare due to ip obfuscation
$ip = $api->get_user_ip();
verify_token($database, $user, $ip, $time, $token);
$id = session_id();
//create a new temp user
$data = $api->create_temp_user($database, $user, $host);
if ($data) {
$_SESSION["PMA_single_signon_user"] = $data->login->user;
$_SESSION["PMA_single_signon_password"] = $data->login->password;
$_SESSION["PMA_single_signon_host"] = $host;
//save database / username to be used for sending logout notification.
$_SESSION["HESTIA_sso_user"] = $user;
$_SESSION["HESTIA_sso_database"] = $database;
$_SESSION["HESTIA_sso_host"] = $host;
@session_write_close();
setcookie($session_name, $id, 0, "/");
header("Location: " . dirname($_SERVER["PHP_SELF"]) . "/index.php");
die();
} else {
session_invalid();
}
} else {
trigger_error(
"Link has been expired: System time: " .
time() .
" / Time provided in link: " .
$time,
E_USER_WARNING,
);
session_invalid();
}
}
}
} else {
session_invalid();
}
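Review bot: `setcookie($session_name, $id, 0, "/");` in the success branch re-issues the SignonSession cookie without the `secure` and `httponly` flags that `session_set_cookie_params(0, "/", "", true, true)` set earlier, so the session id that carries the temporary MySQL credentials becomes readable from JavaScript and is sent over plain HTTP; `setcookie($session_name, $id, 0, "/", "", true, true);` keeps the flags (the logout `setcookie` has the same gap). The same script turns off `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` before posting `API_KEY` to the Hestia API, so anyone on the path to `API_HOST_NAME` could capture the key; pointing `CURLOPT_CAINFO` at the panel certificate, or leaving verification on, is the usual fix. `get_user_ip()` also has a type bug reachable through client-supplied headers: `$user_combined_ip .= "|" . $_SERVER["HTTP_CLIENT_IP"]` concatenates onto an array, after which the later `[]` appends fail, and the `HTTP_FORWARDED` branch prepends a `|` that `implode("|", ...)` then doubles. Finally `$_GET["database"]` and the `$_SESSION` keys read in the logout branch are used without `isset`, which only produces warnings but makes the failure modes noisier than they need to be.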


@@ -0,0 +1,103 @@
#!/bin/bash
#
# phpmyadmin-fixer
#
# Fixes for phpmyadmin (configuration storage and some extended features)
#
# Original Version by Pavel Galkin (https://skurudo.ru)
# https://github.com/skurudo/phpmyadmin-fixer
#
# Changed some lines to fit to Hestia Configuration.
#
PASS=$(gen_pass)
#ubuntu phpmyadmin path
pmapath="/etc/phpmyadmin/conf.d/01-localhost.php"
echo "<?php " >> $pmapath
echo "\$cfg['Servers'][\$i]['host'] = 'localhost';" >> $pmapath
echo "\$cfg['Servers'][\$i]['port'] = '3306';" >> $pmapath
echo "\$cfg['Servers'][\$i]['favorite'] = 'pma__favorite';" >> $pmapath
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath
echo "\$cfg['Servers'][\$i]['central_columns'] = 'pma__central_columns';" >> $pmapath
echo "\$cfg['Servers'][\$i]['designer_settings'] = 'pma__designer_settings';" >> $pmapath
echo "\$cfg['Servers'][\$i]['export_templates'] = 'pma__export_templates';" >> $pmapath
echo "\$cfg['Servers'][\$i]['savedsearches'] = 'pma__savedsearches';" >> $pmapath
echo "\$cfg['Servers'][\$i]['navigationhiding'] = 'pma__navigationhiding';" >> $pmapath
echo "\$cfg['Servers'][\$i]['users'] = 'pma__users';" >> $pmapath
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath
echo "\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';" >> $pmapath
echo "\$cfg['Servers'][\$i]['controluser'] = 'pma';" >> $pmapath
echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath
echo "\$cfg['Servers'][\$i]['bookmarktable'] = 'pma__bookmark';" >> $pmapath
echo "\$cfg['Servers'][\$i]['relation'] = 'pma__relation';" >> $pmapath
echo "\$cfg['Servers'][\$i]['userconfig'] = 'pma__userconfig';" >> $pmapath
echo "\$cfg['Servers'][\$i]['table_info'] = 'pma__table_info';" >> $pmapath
echo "\$cfg['Servers'][\$i]['column_info'] = 'pma__column_info';" >> $pmapath
echo "\$cfg['Servers'][\$i]['history'] = 'pma__history';" >> $pmapath
echo "\$cfg['Servers'][\$i]['recent'] = 'pma__recent';" >> $pmapath
echo "\$cfg['Servers'][\$i]['table_uiprefs'] = 'pma__table_uiprefs';" >> $pmapath
echo "\$cfg['Servers'][\$i]['tracking'] = 'pma__tracking';" >> $pmapath
echo "\$cfg['Servers'][\$i]['table_coords'] = 'pma__table_coords';" >> $pmapath
echo "\$cfg['Servers'][\$i]['pdf_pages'] = 'pma__pdf_pages';" >> $pmapath
echo "\$cfg['Servers'][\$i]['designer_coords'] = 'pma__designer_coords';" >> $pmapath
echo "\$cfg['Servers'][\$i]['hide_db'] = 'information_schema';" >> $pmapath
#SOME WORK with DATABASE (table / user)
PMADB=phpmyadmin
PMAUSER=pma
#DROP USER and TABLE
#mysql -uroot <<MYSQL_PMA1
#DROP USER '$PMAUSER'@'localhost';
#DROP DATABASE $PMADB;
#FLUSH PRIVILEGES;
#MYSQL_PMA1
#CREATE PMA USER
if [ -f '/usr/bin/mariadb' ]; then
mysql_server="mariadb"
else
mysql_server="mysql"
fi
mysql_out=$(mktemp)
$mysql -e 'SELECT VERSION()' > $mysql_out
mysql_ver=$(cat $mysql_out | tail -n1 | cut -f 1 -d -)
mysql_ver_sub=$(echo $mysql_ver | cut -d '.' -f1)
mysql_ver_sub_sub=$(echo $mysql_ver | cut -d '.' -f2)
if [ "$mysql" = "mysql" ] && [ "$mysql_ver_sub" -ge 8 ]; then
query="CREATE USER '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';"
$mysql_server -uroot -e "$query" > /dev/null
query="CREATE DATABASE $PMADB;"
$mysql_server -uroot -e "$query" > /dev/null
query="GRANT USAGE ON $PMADB.* TO '$PMAUSER'@'localhost';"
$mysql_server -uroot -e "$query" > /dev/null
query="GRANT ALL PRIVILEGES ON $PMADB.* TO '$PMAUSER'@'localhost';"
$mysql_server -uroot -e "$query" > /dev/null
query="FLUSH PRIVILEGES;"
$mysql_server -uroot -e "$query" > /dev/null
else
query="CREATE USER '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';"
$mysql_server -uroot -e "$query" > /dev/null
query="CREATE DATABASE $PMADB;"
$mysql_server -uroot -e "$query" > /dev/null
query="GRANT USAGE ON $PMADB.* TO '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';"
$mysql_server -uroot -e "$query" > /dev/null
query="GRANT ALL PRIVILEGES ON $PMADB.* TO '$PMAUSER'@'localhost';"
$mysql_server -uroot -e "$query" > /dev/null
query="FLUSH PRIVILEGES;"
$mysql_server -uroot -e "$query" > /dev/null
fi
#MYSQL DB and TABLES ADDITION
$mysql_server -uroot < "$HESTIA_INSTALL_DIR/phpmyadmin/create_tables.sql"
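Review bot: `$mysql -e 'SELECT VERSION()'` and the `[ "$mysql" = "mysql" ]` test read a variable that is never set — the client name was stored in `mysql_server` — so the version probe fails and the MySQL 8 branch is never taken, leaving every MySQL install on the `GRANT USAGE ... IDENTIFIED BY` form that MySQL 8 rejects. Changing the two lines to `$mysql_server -e 'SELECT VERSION()' > "$mysql_out"` and `if [ "$mysql_server" = "mysql" ] && [ "$mysql_ver_sub" -ge 8 ]; then` restores the intended dispatch; `mysql_ver_sub_sub` is computed but unused and `$mysql_out` is never removed. Both branches grant `ALL PRIVILEGES ON phpmyadmin.*` to the control user, while the bundled `create_tables.sql` comment suggests `SELECT, INSERT, DELETE, UPDATE, ALTER`, which is the narrower set the configuration-storage tables need. The generated `controlpass` is appended to `01-localhost.php` with `>>` and the file mode is never set, so a `chmod 0640` (and the appropriate group) after the writes would keep the password from other local users; `gen_pass` and `HESTIA_INSTALL_DIR` come from the caller's environment and are not defined here.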


@@ -0,0 +1,40 @@
# phpMyAdmin default Apache configuration
Alias /%pma_alias% /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
<IfModule mpm_event_module>
# Use www.conf instead
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/sql>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/vendor>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/templates>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/locale>
Order Deny,Allow
Deny from All
</Directory>
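Review bot: The six `Deny from All` blocks use the Apache 2.2 `Order`/`Deny` syntax, which on 2.4 only works while `mod_access_compat` is loaded; the `apache2.conf` in this commit uses the same syntax, so it is presumably enabled, but the 2.4 form `Require all denied` would make these blocks independent of the compat module (without it they are a startup error). `<Directory /usr/share/phpmyadmin>` grants nothing explicitly, so reachability of the phpMyAdmin root depends on whatever the surrounding vhost supplies; a `Require` line here (for example `Require all granted`, or an address list if the panel wants to restrict it) would make the intent explicit.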


@@ -0,0 +1,11 @@
# "local" is for Unix domain socket connections only
local all all ident
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Others
host all all 0.0.0.0/0 md5
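Review bot: `host all all 0.0.0.0/0 md5` opens every database to every IPv4 address with only MD5 password authentication, which PostgreSQL has deprecated in favour of `scram-sha-256`; whether the rule is reachable at all depends on `listen_addresses` in postgresql.conf, which is not in this commit. If remote access is required, use `host all all 0.0.0.0/0 scram-sha-256` (with `password_encryption = scram-sha-256` so stored hashes match) and add the matching IPv6 rule `host all all ::/0 scram-sha-256`, or replace the catch-all with the address ranges the panel actually needs. The loopback rules could be switched to `scram-sha-256` at the same time so all password lines agree.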


@@ -0,0 +1,33 @@
ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
DefaultRoot ~ !adm
Include /etc/proftpd/tls.conf
<IfModule mod_vroot.c>
VRootEngine on
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
</IfModule>
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User proftpd
Group nogroup
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ListOptions -a
RequireValidShell off
PassivePorts 12000 12100
<Global>
Umask 002
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>


@@ -0,0 +1,65 @@
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_dso.c>
# If mod_tls was built as a shared/DSO module, load it
LoadModule mod_tls.c
</IfModule>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
TLSProtocol TLSv1.2 TLSv1.3
TLSServerCipherPreference on
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
TLSRSACertificateFile /usr/local/hestia/ssl/certificate.crt
TLSRSACertificateKeyFile /usr/local/hestia/ssl/certificate.key
#
# CA the server trusts...
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
TLSRenegotiate required off
</IfModule>


@@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

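--- a/install/deb/sudo/admin
+++ b/install/deb/sudo/admin
@@ -0,0 +1,10 @@
+# Created by hestia installer
+Defaults env_keep="VESTA"
+Defaults env_keep+="HESTIA"
+Defaults:admin !syslog
+Defaults:admin !requiretty
+Defaults:root !requiretty
+# sudo is limited to hestia scripts
+admin ALL=NOPASSWD:/usr/local/vesta/bin/*
+admin ALL=NOPASSWD:/usr/local/hestia/bin/*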
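Review bot: `Defaults:admin !syslog` disables sudo's syslog record for every command the admin user runs, so the two NOPASSWD wildcard rules below it execute as root with no audit trail; drop that line (or at least keep a `logfile` Defaults for admin) so that invocations of the hestia scripts remain visible to the host's logging and detection pipeline. The wildcard `/usr/local/hestia/bin/*` makes every file placed in that directory a password-less root command, so the rule is only as safe as the directory's ownership and mode — a comment stating that `/usr/local/hestia/bin` must stay root-owned and not writable by admin would document that assumption next to the rule. The `/usr/local/vesta/bin/*` rule appears to be a legacy path; if the installer no longer creates that directory, a stray directory created there later by anyone with write access to `/usr/local` would become a root command set, so it is worth removing rather than keeping for compatibility.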


@@ -0,0 +1,51 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias%
Alias / /var/lib/roundcube/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>
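Review bot: The `<Directory /var/lib/roundcube/config>` block under "Protecting basic directories" sets `AllowOverride None` but, unlike the temp and logs blocks next to it, adds no `Deny from all`, so Roundcube's own .htaccess in that directory is ignored and nothing in this vhost denies requests into it; the same gap is in the non-SSL roundcube template that follows. Add `Order allow,deny` and `Deny from all` to the config block exactly as the temp and logs blocks do. Separately, this template uses `ServerAlias %alias%` while every other mail template in this commit uses `%alias_idn%`; if the generator only substitutes the IDN form, this line would be left unexpanded, so the two should agree.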


@@ -0,0 +1,48 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/roundcube/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>


@@ -0,0 +1,12 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
</VirtualHost>


@@ -0,0 +1,7 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
#SuexecUserGroup %user% %group%
</VirtualHost>


@@ -0,0 +1,31 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/rainloop/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory /var/lib/rainloop/>
Options +FollowSymLinks
# This is needed to parse /var/lib/rainloop/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/rainloop/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>
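Review bot: The `<Directory /var/lib/rainloop/data>` block sets `AllowOverride None` and `-FollowSymLinks` but never denies access, whereas the nginx snappymail templates in this same commit block the equivalent path outright with `location ^~ /data { deny all; return 404; }`; with AllowOverride None the application's shipped .htaccess in that directory cannot apply either, so when Apache serves the site without nginx in front, the data directory is only as protected as the file types inside it. Add `Order allow,deny` and `Deny from all` to that block, mirroring the temp and logs handling in the roundcube templates. The same applies to the non-SSL rainloop template and to both snappymail Apache templates that follow.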


@@ -0,0 +1,25 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/rainloop/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory /var/lib/rainloop/>
Options +FollowSymLinks
# This is needed to parse /var/lib/rainloop/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/rainloop/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>


@@ -0,0 +1,31 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/snappymail/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory /var/lib/snappymail/>
Options +FollowSymLinks
# This is needed to parse /var/lib/snappymail/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/snappymail/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>


@@ -0,0 +1,25 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/snappymail/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory /var/lib/snappymail/>
Options +FollowSymLinks
# This is needed to parse /var/lib/snappymail/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/snappymail/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>


@@ -0,0 +1,52 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/roundcube/;
try_files $uri $uri/ =404;
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
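Review bot: The deny rule `location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$` is anchored with `$`, so it matches only the bare directory path; `/config/`, `/logs/<file>` and `/temp/<file>` fall through to `location /`, where `try_files` resolves them against the alias and hands existing files on. Split the rule into a file pattern and a directory-prefix pattern: `location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; return 404; }` and `location ~ ^/(config|temp|logs|bin|SQL)/ { deny all; return 404; }` (moving any entry that is a file rather than a directory into the first pattern). The same anchoring appears in the non-SSL roundcube proxy template, both snappymail proxy templates and the four roundcube/snappymail php-fpm templates later in this commit.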


@@ -0,0 +1,43 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/roundcube/;
try_files $uri $uri/ =404;
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}
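Review bot: `fastcgi_hide_header "Set-Cookie";` inside the static-asset location has no effect here, because this location is served by `proxy_pass`, and fastcgi_hide_header only filters FastCGI responses; the upstream's Set-Cookie header therefore still reaches the client together with `expires 7d`, which is presumably what the directive was meant to prevent on cacheable responses. Use `proxy_hide_header Set-Cookie;` in this location instead. The same directive appears in the SSL roundcube proxy template above and in both snappymail proxy templates below.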


@@ -0,0 +1,29 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
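Review bot: This server block listens with `ssl` on `%proxy_ssl_port%` but its `location /` proxies to `http://%ip%:%web_port%`, whereas every other SSL proxy template in this commit forwards to `https://%ip%:%web_ssl_port%`; if this is not a deliberate TLS-termination choice, the backend will see plain HTTP, and an `apache2.forcessl.conf` included by the plain-HTTP Apache vhost could redirect the already-secure request. Either change the line to `proxy_pass https://%ip%:%web_ssl_port%;` to match the other templates, or add a comment explaining why this template alone terminates TLS at the proxy.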


@@ -0,0 +1,20 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}


@@ -0,0 +1,52 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/snappymail/;
try_files $uri $uri/ =404;
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
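Review bot: This SSL snappymail proxy template is the only server block in the commit without the dotfile rule, so requests for `/.htaccess`, `/.git/...` and similar paths are not denied at the proxy and are passed to `location /` like any other file; its non-SSL twin directly below does carry the rule. Add `location ~ /\.(?!well-known\/) { deny all; return 404; }` before the `^~ /data` block, as in the other templates.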


@@ -0,0 +1,48 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/snappymail/;
try_files $uri $uri/ =404;
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}


@@ -0,0 +1,34 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/www/html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}


@@ -0,0 +1,25 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/www/html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,59 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}


@@ -0,0 +1,49 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,54 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}


@@ -0,0 +1,44 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,49 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups www-data
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,46 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups www-data
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,55 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value upload_max_filesize 10M
php_admin_value max_execution_time 20
php_admin_value post_max_size 8M
php_admin_value memory_limit 32M
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups www-data
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc*
</VirtualHost>
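Review bot: The `open_basedir` line in `<Directory %sdocroot%>` starts with `%docroot%` although this vhost's DocumentRoot is `%sdocroot%`; the default SSL template earlier in the commit uses `%sdocroot%` there, and if the two placeholders ever expand to different paths, PHP under this vhost is confined to a directory it is not serving from. Change it to `php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:...` keeping the rest of the list; the suexec/phpcgi SSL template later in the commit has the same `%docroot%` under an `%sdocroot%` DocumentRoot. The list also adds `/tmp`, `/usr/share`, `/etc/phpmyadmin`, `/etc/roundcube` and `/var/lib/roundcube` to every tenant's reachable paths; whether a tenant's PHP can actually read another service's configuration from there depends on those files' permissions and on the uid switch done by mod_ruid2/mpm_itk, so a comment stating that assumption would help whoever audits it. Finally, `IncludeOptional /etc/apache2/conf.d/*.inc*` here differs from the `*.inc` glob used by every other template.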


@@ -0,0 +1,52 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value upload_max_filesize 10M
php_admin_value max_execution_time 20
php_admin_value post_max_size 8M
php_admin_value memory_limit 32M
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups www-data
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,41 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<FilesMatch \.php$>
SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,38 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
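Review bot: This template includes `%home%/%user%/conf/web/%domain%/apache2.forcessl.conf*`, while the three other non-SSL web templates in this commit include `forcessl.apache2.conf*` from the same directory; only one of these names can match whatever file the control panel writes, so for some templates the force-SSL redirect would silently never be applied. I cannot tell from the diff which name the generator produces, but the four includes should use the same one (the mail templates use `apache2.forcessl.conf*`).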


@@ -0,0 +1,16 @@
#!/bin/bash
# Adding php wrapper
user="$1"
domain="$2"
ip="$3"
home_dir="$4"
docroot="$5"
wrapper_script='#!/usr/bin/php-cgi -cphp5-cgi.ini'
wrapper_file="$home_dir/$user/web/$domain/cgi-bin/php"
echo "$wrapper_script" > $wrapper_file
chown $user:$user $wrapper_file
chmod -f 751 $wrapper_file
exit 0
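Review bot: The redirect, `chown` and `chmod` expand `$wrapper_file` and `$user` unquoted, and a failed write (for instance when the cgi-bin directory does not exist yet) is masked by the unconditional `exit 0`, so the caller cannot tell that no wrapper was installed. Quote the expansions and propagate the failure: `echo "$wrapper_script" > "$wrapper_file" || exit 1`, `chown "$user:$user" "$wrapper_file"`, `chmod -f 751 "$wrapper_file"`. `ip` and `docroot` are assigned but never used; the fcgi-starter script later in the commit has the same pattern.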


@@ -0,0 +1,44 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php
<Files *.php>
SetHandler phpcgi-script
</Files>
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
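Review bot: In this suexec/CGI template PHP is run through `/cgi-bin/php` via `Action phpcgi-script`, yet the `<Directory %sdocroot%>` block still carries `php_admin_value open_basedir ...`, `upload_tmp_dir`, `session.save_path` and `sys_temp_dir`; these are mod_php directives and do not reach a php-cgi process, so the per-tenant open_basedir confinement this block appears to provide is not enforced here (and if mod_php is not loaded at all, Apache refuses to start on the unknown directive). Move those settings into the ini file the wrapper selects (`-cphp5-cgi.ini` in the wrapper script above) or wrap them in `<IfModule mod_php.c>` with a comment saying they are only for mod_php setups. The `open_basedir` value also starts with `%docroot%` under an `%sdocroot%` DocumentRoot. The same applies to the non-SSL phpcgi template that follows.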


@@ -0,0 +1,40 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php
<Files *.php>
SetHandler phpcgi-script
</Files>
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
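Review bot: `Options +Includes -Indexes +ExecCGI` in `<Directory %docroot%>` enables full server-side includes, including `<!--#exec cmd=...-->`, and `AllowOverride All` lets a tenant's `.htaccess` widen it further; if SSI is only wanted for `#include`, `Options +IncludesNOEXEC -Indexes +ExecCGI` is the safer default. Whether `#exec` honours `SuexecUserGroup %user% %group%` in this setup is not visible from the template, so I would avoid it unless it is needed, and in either case a one-line comment recording the decision would help the next reader.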


@@ -0,0 +1,22 @@
#!/bin/bash
# Adding php wrapper
user="$1"
domain="$2"
ip="$3"
home_dir="$4"
docroot="$5"
wrapper_script="#!/bin/sh
PHPRC=/usr/local/lib
export PHPRC
export PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN=20
exec /usr/bin/php-cgi
"
wrapper_file="$home_dir/$user/web/$domain/cgi-bin/fcgi-starter"
echo "$wrapper_script" > $wrapper_file
chown $user:$user $wrapper_file
chmod -f 751 $wrapper_file
exit 0
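Review bot: `echo "$wrapper_script" > $wrapper_file` followed by `chown $user:$user $wrapper_file` writes into the tenant-owned `cgi-bin` and follows symlinks on both steps, so a user who swaps `cgi-bin/fcgi-starter` for a link can make this (privileged, since it chowns) script overwrite and re-own an arbitrary file; unlink first, create under `noclobber` so the open fails rather than follows, and use `chown -h`, quoting the path so whitespace in `$home_dir` cannot split it. Separately, `PHPRC=/usr/local/lib` is where this php-cgi will look for php.ini; if no php.ini exists there the process runs on built-in defaults with no open_basedir at all, so a comment naming the intended ini file (and who installs it) would be worth adding. I assume `$user`/`$domain` are validated by the caller, as they form a path here without any check.
```shell
wrapper_file="$home_dir/$user/web/$domain/cgi-bin/fcgi-starter"
# cgi-bin is tenant-writable: never follow a symlink when creating or chowning.
rm -f -- "$wrapper_file"
set -o noclobber
echo "$wrapper_script" > "$wrapper_file" || exit 1
chown -h "$user:$user" "$wrapper_file"
chmod -f 751 "$wrapper_file"
exit 0
```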


@@ -0,0 +1,45 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
<Files *.php>
SetHandler fcgid-script
</Files>
FCGIWrapper %home%/%user%/web/%domain%/cgi-bin/fcgi-starter .php
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
php_admin_value open_basedir none
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
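Review bot: `php_admin_value open_basedir none` at vhost scope (right after the `stats` Directory block) re-opens open_basedir for every path not covered by `<Directory %sdocroot%>`, such as `/vstats/` and `/cgi-bin/`, and the non-SSL fcgid template in this commit has no such line, so the SSL and plain vhosts of the same domain disagree. If it is intentional, a comment on that line saying why (`# open_basedir lifted outside the docroot for <reason>`) is needed; otherwise drop it so the SSL vhost matches the plain one. Note that `php_admin_value` is a mod_php directive and PHP here is started through `FCGIWrapper .../fcgi-starter`, so as far as I can tell none of these ini overrides reach the FastCGI php-cgi process anyway — verify where the confinement is actually enforced.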


@@ -0,0 +1,40 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
<Files *.php>
SetHandler fcgid-script
</Files>
FCGIWrapper %home%/%user%/web/%domain%/cgi-bin/fcgi-starter .php
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
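Review bot: The four `php_admin_value` lines in `<Directory %docroot%>` are mod_php directives, but PHP in this template is launched by mod_fcgid through `FCGIWrapper %home%/%user%/web/%domain%/cgi-bin/fcgi-starter .php`, so as far as I can tell they have no effect on the php-cgi process (and Apache would reject them as unknown directives if no module providing them is loaded). The tenant confinement they intend should live where FastCGI PHP reads it: `-d open_basedir=...` arguments on the `exec /usr/bin/php-cgi` line of the wrapper, or a per-user php.ini selected through `PHPRC`. If they are kept for the case where mod_php is also loaded, a comment such as `# mod_php only; inert under fcgid — limits are set in fcgi-starter` would prevent someone relying on them.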


@@ -0,0 +1,41 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
# PHPMyAdmin and phppgadmin require access as www-data instead of user for security reasons
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
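Review bot: With `#SuexecUserGroup %user% %group%` commented out, `ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/` together with `Options +Includes -Indexes +ExecCGI` executes scripts from a tenant-owned directory as the Apache user; the header comment says www-data access is the point of this template, but it also means any user allowed to select it gets code execution as the shared account that the same comment says is trusted with phpMyAdmin/phpPgAdmin. If the template is admin-only, I would say so in the header and still drop the `ScriptAlias`/`+ExecCGI` lines (or deny `/cgi-bin/` with `Require all denied`) since nothing in the template uses them. Whether the panel restricts who may pick this template is not visible here.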


@@ -0,0 +1,38 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
# phpMyAdmin and phpPgAdmin require access as www-data instead of user for security reasons
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
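Review bot: `AllowOverride All` in `<Directory %docroot%>` combined with the commented-out `SuexecUserGroup` means a `.htaccess` in the tenant-owned document root is honoured for PHP running as www-data, so (if mod_php is in use) a `php_value auto_prepend_file` or handler change there runs tenant code under the shared account the header comment is trying to protect. If this template is only ever assigned by the administrator that is acceptable, but I would narrow it, e.g. `AllowOverride AuthConfig Limit`, or document the trust assumption in the header comment; the `stats` Directory block has the same `AllowOverride All`.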


@@ -0,0 +1,133 @@
LogFile="/var/log/%web_system%/domains/%domain%.log"
LogType=W
LogFormat=1
LogSeparator=" "
SiteDomain="%domain_idn%"
HostAliases="%alias_idn%"
DirData="%home%/%user%/web/%domain%/stats"
DirCgi="/vstats"
DirIcons="/vstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=1
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=1
DefaultFile="index.php index.html"
SkipHosts="127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLQuerySeparators="?;"
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=3600
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0
ShowDownloadsStats=HB
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain = 1
MaxNbOfHostsShown = 10
MinHitHost = 1
MaxNbOfLoginShown = 10
MinHitLogin = 1
MaxNbOfRobotShown = 10
MinHitRobot = 1
MaxNbOfDownloadsShown = 10
MinHitDownloads = 1
MaxNbOfPageShown = 10
MinHitFile = 1
MaxNbOfOsShown = 10
MinHitOs = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail = 1
FirstDayOfWeek=0
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
MetaRobot=0
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth = 260
BarHeight = 90
StyleSheet=""
ExtraTrackedRowsLimit=500
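Review bot: `AllowAccessFromWebToAuthenticatedUsersOnly=0` together with `AllowAccessFromWebToFollowingIPAddresses=""` leaves access control for the generated reports entirely to the web server, and the `<Directory %home%/%user%/web/%domain%/stats>` blocks in the Apache templates of this commit only set `AllowOverride All`; unless an auth `.htaccess` is generated into the stats directory, visitor IPs, referrers and requested URLs are readable by anyone at `/vstats/`. A comment here such as `# Report access control is expected from the web server (stats <Directory> / .htaccess), not from AWStats` would make the dependency explicit. `AllowToUpdateStatsFromBrowser=0` is the right setting to keep.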


@@ -0,0 +1,10 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Awstats log analyzer </title>
</head>
<frameset rows="80,*" cols="*">
<frame src="nav.html" name="nav" scrolling="no" noresize>
<frame src="%month%/index.html" name="stats">
</frameset>
</html>


@@ -0,0 +1,23 @@
<html>
<head>
<title>Awstats navigation</title>
<script language="javascript">
function change() {
top.stats.location= document.period.select.value + '/';
}
</script>
</head>
<body>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="logo.svg" title="Hestia Control Panel"></td>
<td><form name="period" action="" method="get">
<select name="select" ONCHANGE="change()">
%select_month%
</select>
</form>
</td>
</tr>
</table>
</body>
</html>


@@ -0,0 +1,16 @@
#!/bin/bash
user="$1"
domain="$2"
ip="$3"
home="$4"
docroot="$5"
str="proxy_cache_path /var/cache/nginx/$domain levels=1:2 use_temp_path=off keys_zone=$domain:10m inactive=60m max_size=256m;"
conf="/etc/nginx/conf.d/01_caching_pool.conf"
if grep -q "=${domain}:" "$conf" 2> /dev/null; then
sed -i "/=${domain}:/d" "$conf"
fi
echo "$str" >> $conf
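Review bot: `$domain` is interpolated unescaped into the `sed` address `/=${domain}:/d` and the `grep -q "=${domain}:"` pattern above it, so the dots in a domain act as regex wildcards and `example.com` also deletes the pool line of a domain like `exampleXcom`; a `/` or `&` in the value would break the expression outright. Escape the value once, `esc=$(printf '%s' "$domain" | sed 's/[][\/.*^$]/\\&/g')`, and use `"$esc"` in both the `grep -q` and the `sed -i` expression; `echo "$str" >> $conf` should also quote `"$conf"`. I assume the caller validates that `$domain` is a syntactically valid hostname before this runs, since it also becomes the cache directory name under `/var/cache/nginx/`.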


@@ -0,0 +1,76 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
location / {
proxy_pass https://%ip%:%web_ssl_port%;
proxy_cache %domain%;
proxy_cache_valid 200 5m;
proxy_cache_valid 301 302 10m;
proxy_cache_valid 404 10m;
proxy_cache_bypass $no_cache $cookie_session $http_x_update;
proxy_no_cache $no_cache;
set $no_cache 0;
if ($request_uri ~* "/wp-admin/|/wp-json/|wp-.*.php|xmlrpc.php|/store.*|/cart.*|/my-account.*|/checkout.*|/user/|/admin/|/administrator/|/manager/|index.php") {
set $no_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
set $no_cache 1;
}
if ($http_cookie ~ SESS) {
set $no_cache 1;
}
location ~* ^.+\.(%proxy_extensions%)$ {
try_files $uri @fallback;
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
proxy_cache off;
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
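Review bot: The cache is keyed on nginx's default `$scheme$proxy_host$request_uri`, and `proxy_cache_bypass $no_cache $cookie_session $http_x_update` / `proxy_no_cache $no_cache` only skip it for the WordPress/WooCommerce URL and cookie patterns in the `if` blocks, so a response generated for a logged-in user of any other application (HTTP Basic auth, a session cookie not named `session`/`PHPSESSID`/`SESS`) can be stored and served to the next anonymous visitor. At minimum add the Authorization header to both lists, `proxy_cache_bypass $no_cache $cookie_session $http_x_update $http_authorization;` and `proxy_no_cache $no_cache $http_authorization;`, and document in the header which applications the bypass regexes were written for. `$no_cache` and `$anti_replay` are referenced but defined outside this file, presumably in the global nginx config.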


@@ -0,0 +1,65 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
proxy_cache %domain%;
proxy_cache_valid 200 5m;
proxy_cache_valid 301 302 10m;
proxy_cache_valid 404 10m;
proxy_cache_bypass $no_cache $cookie_session $http_x_update;
proxy_no_cache $no_cache;
set $no_cache 0;
if ($request_uri ~* "/wp-admin/|/wp-json/|wp-.*.php|xmlrpc.php|/store.*|/cart.*|/my-account.*|/checkout.*|/user/|/admin/|/administrator/|/manager/|index.php") {
set $no_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
set $no_cache 1;
}
if ($http_cookie ~ SESS) {
set $no_cache 1;
}
location ~* ^.+\.(%proxy_extensions%)$ {
try_files $uri @fallback;
root %docroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
proxy_cache off;
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
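Review bot: In `location ~ /\.(?!well-known\/|file) { deny all; return 404; }` the `return 404` is executed in the rewrite phase before access checks, so `deny all` is never evaluated and can be dropped (or the `return` removed if a 403 is the intent); and the `file` alternative in the lookahead exempts every path beginning with `/.file`, which is not obviously intentional. A comment on that line naming what `.file` is for, e.g. `# allow /.well-known/ (ACME) and /.file… (<reason>); everything else dot-prefixed is hidden`, would keep the next reader from widening or narrowing it by mistake. The same rule appears in the other nginx templates of this commit.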


@@ -0,0 +1,53 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extensions%)$ {
try_files $uri @fallback;
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
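Review bot: The nested `location ~* ^.+\.(%proxy_extensions%)$ { try_files $uri @fallback; root %sdocroot%; ... }` serves matching files straight from disk, which bypasses any Apache-side `.htaccess` protection (the Apache templates in this commit grant `AllowOverride All`), so an image or archive inside a Basic-auth-protected or `Require`-denied directory is still served by nginx. That is a common trade-off in this kind of proxy setup, but it should be stated in the template header, e.g. `# Files matching %proxy_extensions% are served by nginx directly; Apache access rules do not apply to them`. `ssl_stapling on` / `ssl_stapling_verify on` also need a `resolver` and normally `ssl_trusted_certificate` to fetch OCSP responses; I assume these are set globally since they are not here.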


@@ -0,0 +1,42 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(%proxy_extensions%)$ {
try_files $uri @fallback;
root %docroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
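Review bot: `proxy_pass http://%ip%:%web_port%;` in `location /` and `@fallback` carries no `proxy_set_header Host`/`X-Real-IP`/`X-Forwarded-For`/`X-Forwarded-Proto`, so unless these are set in the enclosing `http {}` context Apache selects the vhost by `Host: %ip%:%web_port%` and logs the proxy address as `%h`. If they come from the global config, a one-line comment such as `# Host and X-Forwarded-* headers are set in the global nginx proxy settings` would make the dependency visible; if not, they need adding here. I can only see the server block, so this may already be handled elsewhere.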
