This commit is contained in:
Alexey Berezhok
2024-03-19 22:05:27 +03:00
commit 346a50856b
1572 changed files with 182163 additions and 0 deletions


@@ -0,0 +1,3 @@
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.conf.options";


@@ -0,0 +1,24 @@
options {
directory "/var/named";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no;
allow-recursion { 127.0.0.1; ::1; };
allow-transfer {"none";};
hostname none;
server-id none;
version none;
};
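Review bot: `recursion` is left at its default and only narrowed by `allow-recursion { 127.0.0.1; ::1; };`, so the intent of this resolver is implicit; state it with `recursion yes;` beside that line, or `recursion no;` if this instance is meant to serve only the hosted zones. Because `allow-query` is unrestricted (as an authoritative hosting DNS needs), the hardening still missing from the options block is response rate limiting against reflection abuse, e.g. `rate-limit { responses-per-second 10; };`, with the value tuned to observed legitimate query rates before it goes live. `dnssec-validation auto;` only affects the recursive path and is fine as written.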


@@ -0,0 +1,60 @@
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
# AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose true
PidFile /run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OfficialDatabaseOnly false
CrossFilesystems true
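Review bot: `LocalSocketMode 666` makes the clamd control socket writable by every local account, which renders `LocalSocketGroup clamav` meaningless and lets any user on the host submit scan requests or tie up the `MaxThreads 12` workers. Restrict it to the owning group and add the MTA's user to that group, e.g. `LocalSocketMode 660`, making sure the group named here (`clamav`) agrees with the group used by the tmpfiles entry `d /run/clamav 777 clamav mail` in the next section, which currently says `mail`. The directory mode in that tmpfiles line is a separate problem noted there.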


@@ -0,0 +1 @@
d /run/clamav 777 clamav mail
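Review bot: mode `777` creates `/run/clamav` world-writable without the sticky bit, so any local user can remove or replace `clamd.ctl` and `clamd.pid` (the paths clamd is configured with in the previous section) and present a substitute socket to whatever connects there. Clients need search access on the directory and write access on the socket file, not write access on the directory; `d /run/clamav 0750 clamav mail` is enough when the MTA's user is in the listed group, or `0770` if it must create files there. Whichever group is chosen should match clamd's `LocalSocketGroup`.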


@@ -0,0 +1,210 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 0
#ReceiveTimeout 1800
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file
# (safebrowsing.cvd) which will be automatically loaded by clamd and
# clamscan during the next reload, provided that the heuristic phishing
# detection is turned on. This database includes information about websites
# that may be phishing sites or possible sources of malware. When using this
# option, it's mandatory to run freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use.
# See https://transparencyreport.google.com/safe-browsing/overview
# and https://www.clamav.net/documents/safebrowsing for more information.
# Default: no
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2
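Review bot: `NotifyClamd` stays disabled, so a freshly downloaded database is only picked up when clamd's own `SelfCheck 3600` (set in the clamd section above) fires, i.e. up to an hour of scanning against stale signatures after every update. If clamd runs on the same host, enable the line already present as a template, `NotifyClamd /path/to/clamd.conf`, with the real clamd.conf path (not visible in this commit), so freshclam sends RELOAD immediately after a successful update. `DatabaseDirectory` is likewise left at the hardcoded default here while clamd sets `DatabaseDirectory /var/lib/clamav` explicitly; the file's own comment warns the two must match, so stating it here too prevents drift.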


@@ -0,0 +1,5 @@
disable_plaintext_auth = no
auth_username_format = %Lu
auth_verbose = yes
auth_mechanisms = plain login
!include auth-passwdfile.conf.ext
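Review bot: `disable_plaintext_auth = no` allows PLAIN/LOGIN credentials over unencrypted sessions, and the rest of the commit keeps those sessions reachable: the ssl section uses `ssl = yes` rather than `ssl = required`, and `inet_listener imap {}`, `inet_listener pop3 {}` and the sieve listener on `port = 4190` are all enabled on `listen = *, ::`. Unless a plaintext path is deliberately required, restore the Dovecot default `disable_plaintext_auth = yes` and set `ssl = required`; as far as I recall Dovecot still treats loopback connections as secured, so a local webmail client keeps working, and remote clients without STARTTLS still have the imaps/pop3s listeners. With `auth_verbose = yes` already on, the auth log is the place to confirm no client depends on plaintext before the change.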


@@ -0,0 +1 @@
log_path = /var/log/dovecot.log


@@ -0,0 +1,8 @@
mail_privileged_group = mail
mail_access_groups = mail
mail_location = maildir:%h/mail/%d/%n
pop3_uidl_format = %08Xu%08Xv
mailbox_list_index = yes
mailbox_idle_check_interval = 30 secs
maildir_copy_with_hardlinks = yes


@@ -0,0 +1,31 @@
service imap-login {
inet_listener imap {
}
inet_listener imaps {
}
}
service pop3-login {
inet_listener pop3 {
}
inet_listener pop3s {
}
}
service imap {
}
service pop3 {
}
service auth {
extra_groups = mail
unix_listener auth-client {
group = mail
mode = 0660
user = dovecot
}
user = dovecot
}


@@ -0,0 +1,9 @@
ssl = yes
#ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
ssl_cipher_list = PROFILE=SYSTEM
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cert = </usr/local/hestia/ssl/certificate.crt
ssl_key = </usr/local/hestia/ssl/certificate.key
ssl_dh = </etc/pki/tls/dhparam.pem


@@ -0,0 +1,59 @@
##
## IMAP specific settings
##
protocol imap {
# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
mail_plugins = quota imap_quota
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#imap_logout_format = bytes=%i/%o
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability =
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
#imap_id_send =
# ID fields sent by client to log. * means everything.
#imap_id_log =
# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example OSX
# Mail (<v2.1). Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# tb-extra-mailbox-sep:
# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
# ignore the extra '/' instead of treating it as invalid mailbox name.
# tb-lsub-flags:
# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
# This makes Thunderbird realize they aren't selectable and show them
# greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds =
}


@@ -0,0 +1,92 @@
##
## POP3 specific settings
##
protocol pop3 {
# Don't try to set mails non-recent or seen with POP3 sessions. This is
# mostly intended to reduce disk I/O. With maildir it doesn't move files
# from new/ to cur/, with mbox it doesn't write Status-header.
#pop3_no_flag_updates = no
# Support LAST command which exists in old POP3 specs, but has been removed
# from new ones. Some clients still wish to use this though. Enabling this
# makes RSET command clear all \Seen flags from messages.
#pop3_enable_last = no
# If mail has X-UIDL header, use it as the mail's UIDL.
#pop3_reuse_xuidl = no
# Keep the mailbox locked for the entire POP3 session.
#pop3_lock_session = no
# POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
# Many POP3 servers violate this by returning the sizes with LF linefeeds,
# because it's faster to get. When this setting is enabled, Dovecot still
# tries to do the right thing first, but if that requires opening the
# message, it fallbacks to the easier (but incorrect) size.
#pop3_fast_size_lookups = no
# POP3 UIDL (unique mail identifier) format to use. You can use following
# variables, along with the variable modifiers described in
# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
#
# %v - Mailbox's IMAP UIDVALIDITY
# %u - Mail's IMAP UID
# %m - MD5 sum of the mailbox headers in hex (mbox only)
# %f - filename (maildir only)
# %g - Mail's GUID
#
# If you want UIDL compatibility with other POP3 servers, use:
# UW's ipop3d : %08Xv%08Xu
# Courier : %f or %v-%u (both might be used simultaneosly)
# Cyrus (<= 2.1.3) : %u
# Cyrus (>= 2.1.4) : %v.%u
# Dovecot v0.99.x : %v.%u
# tpop3d : %Mf
#
# Note that Outlook 2003 seems to have problems with %v.%u format which was
# Dovecot's default, so if you're building a new server it would be a good
# idea to change this. %08Xu%08Xv should be pretty fail-safe.
#
#pop3_uidl_format = %08Xu%08Xv
# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
# won't change those UIDLs. Currently this works only with Maildir.
#pop3_save_uidl = no
# What to do about duplicate UIDLs if they exist?
# allow: Show duplicates to clients.
# rename: Append a temporary -2, -3, etc. counter after the UIDL.
#pop3_uidl_duplicates = allow
# POP3 logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %t - number of TOP commands
# %p - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %b - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
# Maximum number of POP3 connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
mail_plugins = quota
# Workarounds for various client bugs:
# outlook-no-nuls:
# Outlook and Outlook Express hang if mails contain NUL characters.
# This setting replaces them with 0x80 character.
# oe-ns-eoh:
# Outlook Express and Netscape Mail breaks if end of headers-line is
# missing. This option simply sends it if it's missing.
# The list is space-separated.
#pop3_client_workarounds =
}


@@ -0,0 +1,84 @@
##
## Quota configuration.
##
# Note that you also have to enable quota plugin in mail_plugins setting.
# <doc/wiki/Quota.txt>
##
## Quota limits
##
# Quota limits are set using "quota_rule" parameters. To get per-user quota
# limits, you can set/override them by returning "quota_rule" extra field
# from userdb. It's also possible to give mailbox-specific limits, for example
# to give additional 100 MB when saving to Trash:
plugin {
#quota_rule = *:storage=1G
#quota_rule2 = Trash:storage=+100M
# LDA/LMTP allows saving the last mail to bring user from under quota to
# over quota, if the quota doesn't grow too high. Default is to allow as
# long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
#quota_grace = 10%%
# Quota plugin can also limit the maximum accepted mail size.
#quota_max_mail_size = 100M
}
##
## Quota warnings
##
# You can execute a given command when user exceeds a specified quota limit.
# Each quota root has separate limits. Only the command for the first
# exceeded limit is excecuted, so put the highest limit first.
# The commands are executed via script service by connecting to the named
# UNIX socket (quota-warning below).
# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
plugin {
#quota_warning = storage=95%% quota-warning 95 %u
#quota_warning2 = storage=80%% quota-warning 80 %u
}
# Example quota-warning service. The unix listener's permissions should be
# set in a way that mail processes can connect to it. Below example assumes
# that mail processes run as vmail user. If you use mode=0666, all system users
# can generate quota warnings to anyone.
#service quota-warning {
# executable = script /usr/local/bin/quota-warning.sh
# user = dovecot
# unix_listener quota-warning {
# user = vmail
# }
#}
##
## Quota backends
##
# Multiple backends are supported:
# dirsize: Find and sum all the files found from mail directory.
# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
# dict: Keep quota stored in dictionary (eg. SQL)
# maildir: Maildir++ quota
# fs: Read-only support for filesystem quota
plugin {
#quota = dirsize:User quota
quota = maildir:User quota
#quota = dict:User quota::proxy::quota
#quota = fs:User quota
}
# Multiple quota roots are also possible, for example this gives each user
# their own 100MB quota and one shared 1GB quota within the domain:
plugin {
#quota = dict:user::proxy::quota
#quota2 = dict:domain:%d:proxy::quota_domain
#quota_rule = *:storage=102400
#quota2_rule = *:storage=1048576
}
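Review bot: with every `quota_rule` commented out, `quota = maildir:User quota` enforces no limit at all unless the userdb returns a `quota_rule` extra field per user; the passwd-file userdb in this commit (`/etc/exim/domains/%d/passwd`) would therefore have to carry that field, which cannot be confirmed from here. If the panel writes it, a one-line comment next to `quota = maildir:User quota` naming that source would spare the next reader the hunt; if it does not, an explicit default such as `quota_rule = *:storage=1G` (value to be chosen) is needed before the plugin does anything. `quota_max_mail_size` is likewise unset, so message size is bounded only by the MTA.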


@@ -0,0 +1,9 @@
passdb {
driver = passwd-file
args = scheme=MD5-CRYPT username_format=%n /etc/exim/domains/%d/passwd
}
userdb {
driver = passwd-file
args = username_format=%n /etc/exim/domains/%d/passwd
}
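Review bot: `scheme=MD5-CRYPT` is the fallback hash scheme for passwd-file entries that carry no `{SCHEME}` prefix, and md5-crypt is cheap enough that a leaked file is recoverable offline at scale; unless the tool that writes `/etc/exim/domains/%d/passwd` prefixes its hashes (not visible in this commit), the default should be a slow scheme, e.g. `scheme=SHA512-CRYPT` or `scheme=BLF-CRYPT`, changed together with the writer so new entries match. Since `%d` is interpolated straight into the file path, this lookup also relies on Dovecot's default `auth_username_chars`, which does not admit `/`; that setting should stay at its default so a crafted domain part cannot point outside the domains directory.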


@@ -0,0 +1,66 @@
protocols = imap pop3
listen = *, ::
base_dir = /run/dovecot/
login_greeting = Mail Delivery Agent
!include conf.d/*.conf
!include_try conf.d/domains/*.conf
service stats {
unix_listener stats-writer {
group = mail
mode = 0660
user = dovecot
}
}
namespace {
type = private
separator = /
inbox = yes
list = yes
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Junk {
auto = no
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Mail" {
auto = no
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
}


@@ -0,0 +1,88 @@
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
#service managesieve {
# Max. number of ManageSieve processes (connections)
#process_limit = 1024
#}
# Service configuration
protocol sieve {
# Maximum ManageSieve command line length in bytes. ManageSieve usually does
# not involve overly long command lines, so this setting will not normally
# need adjustment
managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP
# address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
#mail_plugins =
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{put_bytes} - Number of bytes saved using PUTSCRIPT command
# %{put_count} - Number of scripts saved using PUTSCRIPT command
# %{get_bytes} - Number of bytes read using GETCRIPT command
# %{get_count} - Number of scripts read using GETSCRIPT command
# %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
# %{get_count} - Number of scripts checked using CHECKSCRIPT command
# %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
# %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
# according to what the Sieve interpreter supports by default (after login
# this may differ depending on the user).
#managesieve_sieve_capability =
#managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon
# script upload or script verification.
#managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of
# Sieve execution limits.
#log_path = /var/log/dovecot-sieve-errors.log
#info_log_path = /var/log/dovecot-sieve.log
}


@@ -0,0 +1,44 @@
# Sieve Extprograms plugin configuration
# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
# sieve_extensions or sieve_global_extensions settings. Restricting these
# extensions to a global context using sieve_global_extensions is recommended.
plugin {
# The directory where the program sockets are located for the
# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
# respectively. The name of each unix socket contained in that directory
# directly maps to a program-name referenced from the Sieve script.
#sieve_pipe_socket_dir = sieve-pipe
#sieve_filter_socket_dir = sieve-filter
#sieve_execute_socket_dir = sieve-execute
# The directory where the scripts are located for direct execution by the
# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
# respectively. The name of each script contained in that directory
# directly maps to a program-name referenced from the Sieve script.
#sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
#sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
#sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
}
# An example program service called 'do-something' to pipe messages to
#service do-something {
# Define the executed script as parameter to the sieve service
#executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
# Use some unprivileged user for executing the program
#user = dovenull
# The unix socket located in the sieve_pipe_socket_dir (as defined in the
# plugin {} section above)
#unix_listener sieve-pipe/do-something {
# LDA/LMTP must have access
# user = vmail
# mode = 0600
#}
#}


@@ -0,0 +1,211 @@
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
#sieve = file:~/sieve;active=~/.dovecot.sieve
sieve = file:~/mail/%d/%n/sieve;active=~/mail/%d/%n/dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# The location of a Sieve script that is run for any message that is about to
# be discarded; i.e., it is not delivered anywhere by the normal Sieve
# execution. This only happens when the "implicit keep" is canceled, by e.g.
# the "discard" action, and no actions that deliver the message are executed.
# This "discard script" can prevent discarding the message, by executing
# alternative actions. If the discard script does nothing, the message is
# still discarded as it would be when no discard script is configured.
#sieve_discard =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
#sieve_before = /var/lib/dovecot/sieve.d/
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_pipe_bin_dir = /etc/dovecot/sieve
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
# The primary e-mail address for the user. This is used as a default when no
# other appropriate address is available for sending messages. If this setting
# is not configured, either the postmaster or null "<>" address is used as a
# sender, depending on the action involved. This setting is important when
# there is no message envelope to extract addresses from, such as when the
# script is executed in IMAP.
#sieve_user_email =
# The path to the file where the user log is written. If not configured, a
# default location is used. If the main user's personal Sieve (as configured
# with sieve=) is a file, the logfile is set to <filename>.log by default. If
# it is not a file, the default user log file is ~/.dovecot.sieve.log.
#sieve_user_log =
# Specifies what envelope sender address is used for redirected messages.
# The following values are supported for this setting:
#
# "sender" - The sender address is used (default).
# "recipient" - The final recipient address is used.
# "orig_recipient" - The original recipient is used.
# "user_email" - The user's primary address is used. This is
# configured with the "sieve_user_email" setting. If
# that setting is unconfigured, "user_mail" is equal to
# "recipient".
# "postmaster" - The postmaster_address configured for the LDA.
# "<user@domain>" - Redirected messages are always sent from user@domain.
# The angle brackets are mandatory. The null "<>" address
# is also supported.
#
# This setting is ignored when the envelope sender is "<>". In that case the
# sender of the redirected message is also always "<>".
#sieve_redirect_envelope_from = sender
## TRACE DEBUGGING
# Trace debugging provides detailed insight in the operations performed by
# the Sieve script. These settings apply to both the LDA Sieve plugin and the
# IMAPSIEVE plugin.
#
# WARNING: On a busy server, this functionality can quickly fill up the trace
# directory with a lot of trace files. Enable this only temporarily and as
# selective as possible.
# The directory where trace files are written. Trace debugging is disabled if
# this setting is not configured or if the directory does not exist. If the
# path is relative or it starts with "~/" it is interpreted relative to the
# current user's home directory.
#sieve_trace_dir =
# The verbosity level of the trace messages. Trace debugging is disabled if
# this setting is not configured. Possible values are:
#
# "actions" - Only print executed action commands, like keep,
# fileinto, reject and redirect.
# "commands" - Print any executed command, excluding test commands.
# "tests" - Print all executed commands and performed tests.
# "matching" - Print all executed commands, performed tests and the
# values matched in those tests.
#sieve_trace_level =
# Enables highly verbose debugging messages that are usually only useful for
# developers.
#sieve_trace_debug = no
# Enables showing byte code addresses in the trace output, rather than only
# the source line numbers.
#sieve_trace_addresses = no
# This setting determines whether vacation messages are sent with the SMTP MAIL FROM envelope address set to the recipient address of the Sieve script owner.
sieve_vacation_send_from_recipient = yes
}


@@ -0,0 +1,2 @@
bl.spamcop.net
zen.spamhaus.org
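Review bot: `zen.spamhaus.org` is listed without an `=` address filter, and the Exim `dnslists` condition that presumably reads this file (`${readfile {/etc/exim/dnsbl.conf}{:}}` in the exim.conf files added in this commit) treats any returned A record as a listing; Spamhaus answers blocked or over-quota queries — typically those made through public resolvers — with 127.255.255.x codes rather than NXDOMAIN, and in that situation every non-whitelisted sender would be rejected. Restricting the match to the published listing codes stops an error reply from turning into a blanket reject, e.g. `zen.spamhaus.org=127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.6,127.0.0.7,127.0.0.9,127.0.0.10,127.0.0.11` (confirm the set against Spamhaus's current return-code table). Whether this host resolves through a local recursive resolver is not visible from this file, so treat the filter as defence in depth rather than optional.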

429
install/rpm/exim/exim.conf Normal file

@@ -0,0 +1,429 @@
######################################################################
# #
# Exim configuration file for Hestia Control Panel #
# #
######################################################################
#SPAMASSASSIN = yes
#SPAM_SCORE = 50
#CLAMD = yes
smtp_banner = $smtp_active_hostname
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6 = true
smtputf8_advertise_hosts =
domainlist local_domains = dsearch;/etc/exim/domains/
domainlist relay_to_domains = dsearch;/etc/exim/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim/spam-blocks.conf
no_local_from_check
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
# Then, we extract the domain with a function that would fail if the email address is invalid.
# If the certificate exists, we will use it, otherwise the default certificate in /etc/pki will be used.
tls_certificate = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
{/usr/local/hestia/ssl/certificate.crt}\
}
tls_privatekey = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
{/usr/local/hestia/ssl/certificate.key}\
}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim/domains/${lookup{${lc:${domain:$h_from:}}}dsearch{/etc/exim/domains/}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
OUTGOING_IP = /etc/exim/domains/$sender_address_domain/ip
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
acl_not_smtp = acl_not_smtp
begin acl
# Limit per user for PHP scripts
acl_not_smtp:
deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
accept
acl_check_spammers:
accept hosts = +whitelist
drop message = Your host in blacklist on this server.
log_message = Host in blacklist
hosts = +spammers
accept
acl_check_mail:
deny condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
drop message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
delay = 45s
drop condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = $interface_address is _my_ address
accept
acl_check_rcpt:
accept hosts = :
# Limit per email account for SMTP auhenticated users
deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify = sender
accept hosts = +relay_from_hosts
control = submission
accept authenticated = *
control = submission/domain=
deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+whitelist
dnslists = ${readfile {/etc/exim/dnsbl.conf}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *
require verify = recipient
.ifdef CLAMD
warn set acl_m0 = no
warn condition = ${if exists {/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/antivirus}{yes}{no}}
set acl_m0 = yes
.endif
.ifdef SPAMASSASSIN
warn set acl_m1 = no
warn condition = ${if exists {/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/antispam}{yes}{no}}
set acl_m1 = yes
.endif
accept
acl_check_data:
.ifdef CLAMD
deny message = Message contains a virus ($malware_name) and has been rejected
malware = */defer_ok
condition = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN
warn !authenticated = *
hosts = !+relay_from_hosts
condition = ${if < {$message_size}{1024K}}
condition = ${if eq{$acl_m1}{yes}{yes}{no}}
spam = debian-spamd:true/defer_ok
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
set acl_m2 = $spam_score_int
warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
add_header = X-Spam-Status: Yes
message = SpamAssassin detected spam (from $sender_address to $recipients).
.endif
accept
acl_check_mime:
deny message = Blacklisted file extension detected
condition = ${if match {${lc:$mime_filename}}{\N(\.ade|\.adp|\.bat|\.chm|\.cmd|\.com|\.cpl|\.exe|\.hta|\.ins|\.isp|\.jse|\.lib|\.lnk|\.mde|\.msc|\.msp|\.mst|\.pif|\.scr|\.sct|\.shb|\.sys|\.vb|\.vbe|\.vbs|\.vxd|\.wsc|\.wsf|\.wsh)$\N}{1}{0}}
accept
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
#smarthost:
# driver = manualroute
# domains = ! +local_domains
# transport = remote_smtp
# route_list = * smartrelay.hestiacp.com
# no_more
# no_verify
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
no_more
userforward:
driver = redirect
check_local_user
file = $home/.forward
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify
autoreplay:
driver = accept
require_files = /etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/autoreply.${local_part}.msg
condition = ${if exists{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/autoreply.${local_part}.msg}{yes}{no}}
retry_use_local_part
transport = userautoreply
unseen
aliases:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{1}{:}{${lookup{$local_part@${lookup{$domain}dsearch{/etc/exim/domains/}}}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/aliases}}}}
require_files = /etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/aliases
redirect_router = dnslookup
pipe_transport = address_pipe
unseen
localuser_fwd_only:
driver = accept
transport = devnull
condition = ${if exists{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/fwd_only}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/fwd_only}{true}{false}}}}
localuser_spam:
driver = accept
transport = local_spam_delivery
condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}{yes}{no_such_user}}}}
localuser:
driver = accept
transport = local_delivery
condition = ${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}{true}{false}}
catchall:
driver = redirect
headers_add = X-redirected: yes
require_files = /etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/aliases
data = ${extract{1}{:}{${lookup{*@${lookup{$domain}dsearch{/etc/exim/domains/}}}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/aliases}}}}
file_transport = local_delivery
redirect_router = dnslookup
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}
terminate_alias:
driver = accept
transport = devnull
condition = ${lookup{$local_part@${lookup{$domain}dsearch{/etc/exim/domains/}}}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/aliases}{true}{false}}
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
remote_smtp:
driver = smtp
helo_data = ${primary_hostname}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output
local_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}}}"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}}}}M
quota_warn_threshold = 75%
local_spam_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}}}/.Spam"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/passwd}}}}M
quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}/passwd}}}}/mail/${lookup{${lookup{$domain}dsearch{/etc/exim/domains/}}}dsearch{/etc/exim/domains/}}}}"
quota_warn_threshold = 75%
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
userautoreply:
driver = autoreply
file = /etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/autoreply.${local_part}.msg
from = "${local_part}@${domain}"
headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
to = "${sender_address}"
devnull:
driver = appendfile
file = /dev/null
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################
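Review bot: In acl_check_mail the client-supplied HELO name is used as the regular-expression pattern of a `match` condition (`${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}`), so whatever the remote side sends in HELO is compiled and executed by PCRE against the PTR names; a HELO crafted as a pathological pattern can keep the receiving process busy in regex backtracking, and an unbalanced one most likely produces an expansion failure (a temporary error) instead of the drop this rule intends. Quoting the value keeps the existing substring semantics while neutralising metacharacters: replace `{$sender_helo_name}` with `{${rxquote:$sender_helo_name}}`. Unlike the sibling exim.conf in this commit, the three HELO `drop` verbs here carry no `!authenticated = *`, so an authenticated mail client whose HELO contains an IP-like token gets the 45 s delay and is dropped; adding that condition to each of them would align the two files.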


@@ -0,0 +1,480 @@
######################################################################
# #
# Exim configuration file for Hestia Control Panel #
# #
######################################################################
#SPAMASSASSIN = yes
#SPAM_SCORE = 50
#SPAM_REJECT_SCORE = 100
#CLAMD = yes
smtp_banner = $smtp_active_hostname
smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${listextract{1}{$value}}}{$primary_hostname}}
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6 = true
smtputf8_advertise_hosts =
domainlist local_domains = dsearch;/etc/exim/domains/
domainlist relay_to_domains = dsearch;/etc/exim/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim/spam-blocks.conf
no_local_from_check
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
# Then, we extract the domain with a function that would fail if the email address is invalid.
# If the certificate exists, we will use it, otherwise the default certificate in /etc/ssl will be used.
tls_certificate = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
{/usr/local/hestia/ssl/certificate.crt}\
}
tls_privatekey = \
${if and {\
{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
}\
{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
{/usr/local/hestia/ssl/certificate.key}\
}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim/domains/${lc:${domain:$h_from:}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
OUTGOING_IP = /etc/exim/domains/$sender_address_domain/ip
SMTP_RELAY_FILE = ${if exists{/etc/exim/domains/${sender_address_domain}/smtp_relay.conf}{/etc/exim/domains/$sender_address_domain/smtp_relay.conf}{/etc/exim/smtp_relay.conf}}
SMTP_RELAY_HOST = ${lookup{host}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PORT = ${lookup{port}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_USER = ${lookup{user}lsearch{SMTP_RELAY_FILE}}
SMTP_RELAY_PASS = ${lookup{pass}lsearch{SMTP_RELAY_FILE}}
# Custom Filter
system_filter = /etc/exim/system.filter
system_filter_user = exim
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
acl_not_smtp = acl_not_smtp
begin acl
# Limit per user for PHP scripts
acl_not_smtp:
deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
ratelimit = 200 / 1h / $authenticated_id
warn ratelimit = 100 / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
accept
acl_check_spammers:
accept hosts = +whitelist
drop message = Your host in blacklist on this server.
log_message = Host in blacklist
hosts = +spammers
accept
acl_check_mail:
deny condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
drop !authenticated = *
message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
delay = 45s
drop !authenticated = *
condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop !authenticated = *
condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = $interface_address is _my_ address
accept
acl_check_rcpt:
accept hosts = :
# Limit per email account for SMTP auhenticated users
deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
set acl_c_msg_limit = ${if exists{/etc/exim/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim/domains/}}/limits}{${lookup {$authenticated_id} lsearch{/etc/exim/domains/${lookup{${domain:$authenticated_id}}dsearch{/etc/exim/domains/}}/limits}{$value}{${readfile{/etc/exim/limit.conf}}}}}{${readfile{/etc/exim/limit.conf}}} }
ratelimit = $acl_c_msg_limit / 1h / strict/ $authenticated_id
warn ratelimit = ${eval:$acl_c_msg_limit / 2} / 1h / strict / $authenticated_id
log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
require verify = sender
accept hosts = +relay_from_hosts
control = submission
accept authenticated = *
control = submission/domain=
deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+whitelist
dnslists = ${readfile {/etc/exim/dnsbl.conf}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *
require verify = recipient
.ifdef CLAMD
warn set acl_m0 = no
warn condition = ${if exists {/etc/exim/domains/$domain/antivirus}{yes}{no}}
set acl_m0 = yes
.endif
.ifdef SPAMASSASSIN
warn set acl_m1 = no
set acl_m3 = no
warn condition = ${if exists {/etc/exim/domains/$domain/antispam}{yes}{no}}
set acl_m1 = yes
warn condition = ${if exists {/etc/exim/domains/$domain/reject_spam}{yes}{no}}
set acl_m3 = yes
.endif
accept
acl_check_data:
.ifdef CLAMD
deny message = Message contains a virus ($malware_name) and has been rejected
malware = */defer_ok
condition = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN
warn !authenticated = *
hosts = !+relay_from_hosts
condition = ${if < {$message_size}{1024K}}
condition = ${if eq{$acl_m1}{yes}{yes}{no}}
spam = debian-spamd:true/defer_ok
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: $spam_report
set acl_m2 = $spam_score_int
warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
add_header = X-Spam-Status: Yes
message = SpamAssassin detected spam (from $sender_address to $recipients).
# Deny spam at high score if spam score > SPAM_REJECT_SCORE and delete_spam is enabled
deny message = This message scored $spam_score spam points
spam = debian-spamd:true
condition = ${if eq{$acl_m3}{yes}{yes}{no}}
condition = ${if >{$spam_score_int}{SPAM_REJECT_SCORE}{1}{0}}
.endif
accept
acl_check_mime:
deny message = Blacklisted file extension detected
condition = ${if match {${lc:$mime_filename}}{\N(\.ace|\.ade|\.adp|\.app|\.arj|\.asp|\.aspx|\.asx|\.bas|\.bat|\.cab|\.cer|\.chm|\.cmd|\.cnt|\.com|\.cpl|\.crt|\.csh|\.der|\.diagcab|\.dll|\.efi|\.exe|\.fla|\.fon|\.fxp|\.gadget|\.grp|\.hlp|\.hpj|\.hta|\.htc|\.img|\.inf|\.ins|\.iso|\.isp|\.its|\.jar|\.jnlp|\.js|\.jse|\.ksh|\.lib|\.lnk|\.mad|\.maf|\.mag|\.mam|\.maq|\.mar|\.mas|\.mat|\.mau|\.mav|\.maw|\.mcf|\.mda|\.mdb|\.mde|\.mdt|\.mdw|\.mdz|\.msc|\.msh|\.msh1|\.msh1xml|\.msh2|\.msh2xml|\.mshxml|\.msi|\.msp|\.mst|\.msu|\.ops|\.osd|\.pcd|\.pif|\.pl|\.plg|\.prf|\.prg|\.printerexport|\.ps1|\.ps1xml|\.ps2|\.ps2xml|\.psc1|\.psc2|\.psd1|\.psdm1|\.pst|\.py|\.pyc|\.pyo|\.pyw|\.pyz|\.pyzw|\.reg|\.scf|\.scr|\.sct|\.sfx|\.shb|\.shs|\.swf|\.sys|\.theme|\.tmp|\.ttf|\.url|\.vb|\.vba|\.vbe|\.vbp|\.vbs|\.vhd|\.vhdx|\.vsmacros|\.vsw|\.vxd|\.webpnp|\.website|\.wim|\.ws|\.wsc|\.wsf|\.wsh|\.xbap|\.xll|\.xnk)$\N}{1}{0}}
accept
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
smtp_relay_login:
driver = plaintext
public_name = LOGIN
hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
send_via_unauthenticated_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
condition = ${if eq{SMTP_RELAY_USER}{}}
transport = remote_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
send_via_smtp_relay:
driver = manualroute
address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
domains = !+local_domains
require_files = SMTP_RELAY_FILE
transport = smtp_relay_smtp
route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
no_more
no_verify
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
no_more
userforward:
driver = redirect
check_local_user
file = $home/.forward
require_files = ${local_part}:+${home}/.forward
domains = +local_domains
allow_filter
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
transport = procmail
no_verify
autoreplay:
driver = accept
require_files = /etc/exim/domains/$domain/autoreply.${local_part}.msg
condition = ${if exists{/etc/exim/domains/$domain/autoreply.${local_part}.msg}{yes}{no}}
retry_use_local_part
transport = userautoreply
unseen
aliases:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/domains/$domain/aliases}}}}
require_files = /etc/exim/domains/$domain/aliases
redirect_router = dnslookup
pipe_transport = address_pipe
unseen
localuser_fwd_only:
driver = accept
transport = devnull
condition = ${if exists{/etc/exim/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/fwd_only}{true}{false}}}}
localuser_spam:
driver = accept
transport = local_spam_delivery
condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}{yes}{no_such_user}}}}
localuser:
driver = accept
transport = local_delivery
condition = ${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}{true}{false}}
catchall:
driver = redirect
headers_add = X-redirected: yes
require_files = /etc/exim/domains/$domain/aliases
data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim/domains/$domain/aliases}}}}
file_transport = local_delivery
redirect_router = dnslookup
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/domains/${lookup{$domain}dsearch{/etc/exim/domains/}}/aliases}{false}{true}}
terminate_alias:
driver = accept
transport = devnull
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/domains/$domain/aliases}{true}{false}}
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
smtp_relay_smtp:
driver = smtp
hosts_require_auth = $host_address
hosts_require_tls = $host_address
remote_smtp:
driver = smtp
helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = relaxed
dkim_strict = 0
hosts_try_fastopen = !*.l.google.com
interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
procmail:
driver = pipe
command = "/usr/bin/procmail -d $local_part"
return_path_add
delivery_date_add
envelope_to_add
user = $local_part
initgroups
return_output
local_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}M
quota_warn_threshold = 75%
local_spam_delivery:
driver = appendfile
maildir_format
maildir_use_size_file
user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}
group = mail
create_directory
directory_mode = 770
mode = 660
use_lockfile = no
delivery_date_add
envelope_to_add
return_path_add
directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part/.Spam"
quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}M
quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part"
quota_warn_threshold = 75%
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
userautoreply:
driver = autoreply
file = /etc/exim/domains/$domain/autoreply.${local_part}.msg
from = "${local_part}@${domain}"
headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
to = "${sender_address}"
devnull:
driver = appendfile
file = /dev/null
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################

@@ -0,0 +1 @@
200

@@ -0,0 +1,16 @@
if $h_X-Spam-Status: contains "Yes"
then
headers add "Old-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_old-subject"
headers remove "Old-Subject"
endif
# X-Anti-Virus: infected
if $h_X-Anti-Virus: contains "infected"
then
headers add "Old-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** VIRUS *** $h_old-subject"
headers remove "Old-Subject"
endif
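Review bot: The filter relabels a message purely on the content of `$h_X-Spam-Status:` and `$h_X-Anti-Virus:` as they appear in the message, so its output is only as trustworthy as the ACL that sets those headers; unless the inbound ACL (not in this hunk) removes any sender-supplied X-Spam-Status / X-Anti-Virus headers before the scanner adds its own, a remote sender can include them and have legitimate mail delivered with `*** SPAM ***` or `*** VIRUS ***` in the subject. A comment at the top of the filter stating that dependency would help whoever maintains the ACLs, e.g. `# Relies on the DATA ACL stripping sender-supplied X-Spam-Status / X-Anti-Virus headers before scanning`. The header references also mix `$h_subject` and `$h_X-Spam-Status:`; using the colon-terminated form consistently is the documented Exim spelling.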

@@ -0,0 +1,9 @@
# Fail2Ban configuration file for hestia
[Definition]
actionstart = /usr/local/hestia/bin/v-add-firewall-chain <name>
actionstop = /usr/local/hestia/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/hestia/bin/v-add-firewall-ban <ip> <name>
actionunban = /usr/local/hestia/bin/v-delete-firewall-ban <ip> <name>

@@ -0,0 +1,10 @@
# Fail2Ban filter for unsuccessful hestia authentication attempts
#
[INCLUDES]
before = common.conf
[Definition]
failregex = .* <HOST> failed to login
ignoreregex =
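Review bot: `failregex = .* <HOST> failed to login` is not anchored anywhere, so any text preceding the address in a /var/log/hestia/secure line is accepted as filler; if a user-supplied field such as the attempted login name is written ahead of the address, crafted input could influence which address fail2ban bans, a known weakness of loosely anchored fail2ban patterns. Anchoring the pattern to the fixed layout of that log line (date/time fields, then the address) would close it; the exact layout is not in this hunk, so I cannot propose the final regex. `[INCLUDES] before = common.conf` is declared but nothing from it (such as `%(__prefix_line)s`) is used, so either use it in the anchored pattern or drop the include.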

@@ -0,0 +1,66 @@
[ssh-iptables]
enabled = true
filter = sshd
action = hestia[name=SSH]
logpath = /var/log/secure
maxretry = 5
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = hestia[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 5
[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim/main.log
[dovecot-iptables]
enabled = true
filter = dovecot
action = hestia[name=MAIL]
logpath = /var/log/dovecot.log
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = hestia[name=DB]
logpath = /var/log/mysql/error.log
maxretry = 5
[hestia-iptables]
enabled = true
filter = hestia
action = hestia[name=HESTIA]
logpath = /var/log/hestia/secure
maxretry = 5
[roundcube-auth]
enabled = false
filter = roundcube-auth
action = hestia[name=WEB]
logpath = /var/log/roundcube/errors
maxretry = 5
[phpmyadmin-auth]
enabled = true
filter = phpmyadmin-syslog
action = hestia[name=WEB]
logpath = /var/log/secure
maxretry = 5
[recidive]
enabled = true
filter = recidive
action = hestia[name=HESTIA]
logpath = /var/log/fail2ban.log
maxretry = 5
findtime = 86400
bantime = 864000
#Uncomment and add your IPs and or domains to the Whitelist
#[DEFAULT]
#ignoreip = 111.111.111.111 222.222.222.222 subdomain.example.tld example.tld 333.333.333.333
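Review bot: `[ssh-iptables]` and `[phpmyadmin-auth]` read /var/log/secure, which on recent RHEL-family systems only exists when rsyslog is installed; fail2ban fails a jail whose logpath is missing, so on journald-only hosts the SSH protection may silently be absent while the service appears to run. Setting `backend = systemd` on the sshd jail, or documenting the rsyslog requirement in a comment at the top of the file, avoids that. The commented `#ignoreip` example also lists `333.333.333.333`, which is not a valid IPv4 address; an example such as `#ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24 example.tld` (constructed, documentation range) would be clearer about what the option accepts.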

@@ -0,0 +1,7 @@
[hestiacp]
name=HestiaCP Repository for RHEL $releasever - $basearch
#baseurl=https://rpm.hestiacp.com/rhel/$releasever/$basearch/
baseurl=https://pkgs.dyn.su/hestiacp/el$releasever/$basearch/
#gpgkey=https://rpm.hestiacp.com/RPM-GPG-KEY-HESTIACP
gpgcheck=0
enabled=1
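Review bot: `gpgcheck=0` together with the commented-out `gpgkey` line means every package from this repository, including Hestia itself which runs as root, is installed with no signature verification, and from a third-party mirror (`pkgs.dyn.su`) rather than the upstream `rpm.hestiacp.com` that is commented out above it. That is a direct supply-chain exposure: a compromised or spoofed mirror can ship arbitrary code to every host built from this file. If the mirror publishes signed packages, set `gpgcheck=1` and point `gpgkey=` at its public key; if it does not, that limitation deserves a comment in the file so operators know exactly what they are trusting.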

@@ -0,0 +1,5 @@
<IfModule mpm_event_module>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</IfModule>

@@ -0,0 +1,58 @@
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride All
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride All
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
DirectoryIndex index.php index.html
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%b" bytes
CustomLog "logs/access_log" combined
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
#AddHandler cgi-script .cgi
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
<IfModule remoteip_module>
RemoteIPHeader X-Real-IP
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common
</IfModule>
IncludeOptional conf.d/*.conf
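Review bot: `<Directory />` at L1804–L1806 sets `AllowOverride All` and carries no `Require all denied`; the stock RHEL httpd.conf locks the filesystem root down with `AllowOverride none` / `Require all denied` and opens only the document roots, so this version removes the default-deny safety net and makes `.htaccess` files honoured anywhere an `Alias` or vhost happens to point. `Options Indexes FollowSymLinks` on /var/www/html additionally enables directory listings for anything dropped there. Suggest restoring `AllowOverride none` and `Require all denied` inside `<Directory />`, and dropping `Indexes` unless listings are intended.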

@@ -0,0 +1,80 @@
#=========================================================================#
# Hestia Apache configuration file #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST! #
#=========================================================================#
ServerRoot "/etc/httpd"
Timeout 30
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
User apache
Group apache
AccessFileName .htaccess
<Files ~ "^\.ht">
Require all denied
</Files>
TypesConfig /etc/mime.types
DefaultType None
HostnameLookups Off
ErrorLog /var/log/httpd/error.log
LogLevel warn
# Include module configuration:
Include conf.modules.d/*.conf
# Include list of ports to listen on and which to use for name based vhosts
Include conf/ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%b" bytes
Include conf.d/*.conf
IncludeOptional conf.d/domains/webmail.*.conf
IncludeOptional conf.d/domains/*.conf
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 500 /error/50x.html
ErrorDocument 501 /error/50x.html
ErrorDocument 502 /error/50x.html
ErrorDocument 503 /error/50x.html
ErrorDocument 506 /error/50x.html
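Review bot: The `<IfModule mpm_prefork_module>` / `mpm_worker_module` / `mpm_event_module` tuning blocks at L1857–L1882 come before `Include conf.modules.d/*.conf` at L1895; if I read Apache's parse order correctly, `<IfModule>` is evaluated when it is encountered, so when the MPM is loaded by that include (as the stock RHEL 00-mpm.conf does) the blocks are skipped and the worker limits silently fall back to Apache's defaults. Moving the include above the tuning blocks, or adding a comment that the MPM must be loaded before this point, would make the limits take effect. `MaxClients` and `MaxRequestsPerChild` are the 2.2 spellings, still accepted as aliases, but `MaxRequestWorkers` / `MaxConnectionsPerChild` are the 2.4 names, and `DefaultType None` is a no-op in 2.4.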

@@ -0,0 +1,6 @@
Listen 127.0.0.1:8081
<Location /server-status>
SetHandler server-status
Require ip 127.0.0.1
# Require all granted
</Location>

@@ -0,0 +1,18 @@
<VirtualHost directIP:directPORT>
ServerName directIP
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
</VirtualHost>
<VirtualHost directIP:directSSLPORT>
ServerName directIP
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/hestia/ssl/certificate.crt
SSLCertificateKeyFile /usr/local/hestia/ssl/certificate.key
</VirtualHost>

@@ -0,0 +1,12 @@
/var/log/dovecot*.log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
doveadm log reopen
endscript
}

@@ -0,0 +1,7 @@
/usr/local/hestia/log/*.log {
rotate 12
monthly
missingok
notifempty
create 0600 root root
}

@@ -0,0 +1,15 @@
/var/log/httpd/*log /var/log/httpd/domains/*log {
missingok
notifempty
compress
sharedscripts
postrotate
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
[ ! -f /run/nginx.pid ] || kill -USR1 `cat /run/nginx.pid`
endscript
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi; \
endscript
}

@@ -0,0 +1,4 @@
#!/bin/sh
# Changes made by HestiaCP due to https://github.com/hestiacp/hestiacp/issues/3289
/usr/local/hestia/bin/v-update-sys-queue webstats

@@ -0,0 +1,13 @@
/var/log/nginx/*log /var/log/nginx/domains/*log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
create 640
sharedscripts
postrotate
[ -f /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
endscript
}

@@ -0,0 +1,7 @@
/var/log/roundcube/*.log {
rotate 12
monthly
missingok
notifempty
create 644 apache apache
}
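Review bot: `create 644 apache apache` makes the rotated Roundcube logs world-readable; these logs carry user names, IMAP errors and sometimes session details, so `create 640 apache apache` is the safer default and matches the `create 640` used for the nginx logs elsewhere in this commit. If other local accounts legitimately need to read them, a group grant is preferable to world access.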

@@ -0,0 +1,6 @@
[mariadb]
name = MariaDB 10.11 for RHEL $releasever - $basearch
baseurl = https://ftp.osuosl.org/pub/mariadb/yum/10.11/rhel$releasever-$basearch
gpgkey=https://ftp.osuosl.org/pub/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
enabled=1

@@ -0,0 +1,6 @@
[mariadb]
name = MariaDB 10.11 for RHEL $releasever - $basearch
baseurl = https://ftp.osuosl.org/pub/mariadb/yum/10.11/rhel$releasever-amd64
gpgkey=https://ftp.osuosl.org/pub/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
enabled=1

@@ -0,0 +1,42 @@
[client]
port=3306
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
socket=/var/lib/mysql/mysql.sock
[mysqld]
user=mysql
#pid-file=/run/mysqld/mysqld.pid
socket=/var/lib/mysql/mysql.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 256M
max_allowed_packet = 32M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=200
max_user_connections=50
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/my.cnf.d/
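Review bot: `query_cache_size= 16M` at L2073 is not a recognised option on MySQL 8.0, where the query cache was removed, and this commit also adds a MySQL 8.0 repository; if this template is ever written out for an 8.0 server, mysqld exits at start-up on the unknown variable. On MariaDB 10.11 the line is accepted but the cache is off by default, so it can simply be dropped. None of the three templates (this one and the medium/small variants at L2086 and L2124) sets `bind-address`, so the server listens on every interface and relies entirely on the host firewall; unless remote database hosts are a supported use, `bind-address=127.0.0.1` under `[mysqld]` would make local-only the shipped default.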

@@ -0,0 +1,41 @@
[client]
port=3306
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
socket=/var/lib/mysql/mysql.sock
[mysqld]
user=mysql
#pid-file=/run/mysqld/mysqld.pid
socket=/var/lib/mysql/mysql.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 16M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=70
max_user_connections=30
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/my.cnf.d/

@@ -0,0 +1,41 @@
[client]
port=3306
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
socket=/var/lib/mysql/mysql.sock
[mysqld]
user=mysql
#pid-file=/run/mysqld/mysqld.pid
socket=/var/lib/mysql/mysql.sock
port=3306
basedir=/usr
datadir=/var/lib/mysql
tmpdir=/tmp
lc-messages-dir=/usr/share/mysql
log_error=/var/log/mysql/error.log
symbolic-links=0
local-infile=0
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 1M
table_open_cache = 10
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=30
max_user_connections=20
wait_timeout=10
interactive_timeout=50
long_query_time=5
!includedir /etc/my.cnf.d/

@@ -0,0 +1,7 @@
[mysql80-community]
name = MySQL 8.0 Server for RHEL $releasever - $basearch
baseurl = http://repo.mysql.com/yum/mysql-8.0-community/el/$releasever/$basearch/
module_hotfixes=1
gpgkey=https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
gpgcheck=1
enabled=1
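Review bot: `baseurl` uses plain `http://` while `gpgkey` is fetched over https from the same host; with `gpgcheck=1` the package signatures protect package contents, but the repository metadata is not verified unless `repo_gpgcheck=1` is set, so an on-path attacker can serve stale metadata and keep clients on older, vulnerable package versions. Since the host evidently serves https, `baseurl = https://repo.mysql.com/yum/mysql-8.0-community/el/$releasever/$basearch/` closes that gap at no cost; `repo_gpgcheck=1` is worth considering as well if upstream signs its repomd.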

@@ -0,0 +1,39 @@
# Implement TLS 1.3 0-RTT anti-replay for NGINX
# Requires: NGINX directive "ssl_early_data" on
# Usage:
# Make sure these "map" blocks are included in "http" block
# Put the following two lines in SSL "server" block, before any "location" blocks
# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
# if ($anti_replay = 425) { return 425; }
# Pass "Early-Data" header to backend/upstream
# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
# proxy_set_header Early-Data $rfc_early_data;
# Copyright © myrevery
# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)
map "$request_method:$is_args" $ar_idempotent {
default 0;
"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
}
map $http_user_agent $ar_support_425 {
default 0;
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
}
map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
1:0:0 307;
1:0:1 425;
}
map "$ssl_early_data:$ar_support_425" $rfc_early_data {
1:1 1;
}

@@ -0,0 +1,16 @@
map $http_user_agent $mobile_request {
default desktopversion;
"~*ipad" mobileversion;
"~*android.*mobile" mobileversion;
"~*iphone" mobileversion;
"~*ipod.*mobile" mobileversion;
"~*BlackBerry*Mobile Safari" mobileversion;
"~*BB*Mobile Safari" mobileversion;
"~*Opera.*Mini/7" mobileversion;
"~*IEMobile/10.*Touch" mobileversion;
"~*IEMobile/11.*Touch" mobileversion;
"~*IEMobile/7.0" mobileversion;
"~*IEMobile/9.0" mobileversion;
"~*Firefox.*Mobile" mobileversion;
"~*webOS" mobileversion;
}
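Review bot: `"~*BlackBerry*Mobile Safari"` and `"~*BB*Mobile Safari"` at L2211–L2212 use `*` as if it were a glob, but in a PCRE map key it quantifies only the preceding character, so the first pattern matches `BlackBerr` followed by any number of `y` immediately followed by `Mobile Safari`, which real BlackBerry user agents (with a model string between the two) do not satisfy. `~*BlackBerry.*Mobile Safari` and `~*BB.*Mobile Safari` are the intended forms and match the `.*` used by the other entries in this map.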

@@ -0,0 +1,130 @@
# Server globals
user apache;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /etc/nginx/conf.d/main/*.conf;
include /etc/nginx/modules-enabled/*.conf;
# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 180s;
client_body_timeout 180s;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 1024m;
large_client_header_buffers 4 8k;
send_timeout 60s;
keepalive_timeout 30s;
keepalive_requests 10000;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
charset utf-8;
# FastCGI settings
fastcgi_buffers 512 4k;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_connect_timeout 30s;
fastcgi_read_timeout 300s;
fastcgi_send_timeout 180s;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 5s;
fastcgi_cache_background_update on;
fastcgi_cache_revalidate on;
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Early-Data $rfc_early_data;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_buffers 256 4k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 32k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_read_timeout 300s;
proxy_send_timeout 180s;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
log_not_found off;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_vary on;
gzip_static on;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_buffers 128 4k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
gzip_proxied any;
# Cloudflare IPs
include /etc/nginx/conf.d/cloudflare.inc;
# SSL PCI compliance
ssl_buffer_size 1369;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
ssl_dhparam /etc/pki/tls/dhparam.pem;
ssl_early_data on;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets on;
ssl_session_timeout 7d;
resolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
# Error pages
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 410 /error/410.html;
error_page 500 501 502 503 504 505 /error/50x.html;
# Proxy cache
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Cache-Control Expires;
proxy_cache_use_stale error timeout invalid_header updating http_502;
proxy_cache_valid any 1d;
# FastCGI cache
fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
add_header X-FastCGI-Cache $upstream_cache_status;
# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# File cache (static assets)
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/domains/*.conf;
}
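Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie` at L2333, together with `proxy_ignore_headers Cache-Control Expires` and `proxy_cache_valid any 1d`, means responses are cached regardless of what the application says, including ones that set a session cookie; that is only safe if every location that enables `fastcgi_cache` / `proxy_cache` also applies `fastcgi_no_cache $no_cache; fastcgi_cache_bypass $no_cache;` (and the proxy equivalents) using the `$no_cache` map defined at L2337, otherwise one user's authenticated page can be served to another. Those locations live in the domain templates, which are not in this hunk, so please verify them; a comment above the map stating that requirement would protect future template edits. Because `ssl_early_data on` at L2309 is global, the two `if ($anti_replay ...)` lines documented in the 0-RTT map file must likewise be present in every TLS server block. `add_header X-FastCGI-Cache $upstream_cache_status` is sent to clients on every response and reveals cache state; useful for debugging, but worth dropping in production.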

@@ -0,0 +1,6 @@
[nginx]
name=Nginx Repository for RHEL $releasever - $basearch
baseurl=https://nginx.org/packages/rhel/$releasever/$basearch/
gpgkey=https://nginx.org/keys/nginx_signing.key
gpgcheck=1
enabled=1

@@ -0,0 +1,26 @@
location /%pma_alias% {
alias /usr/share/phpmyadmin/;
location ~ /(libraries|setup|templates|locale) {
deny all;
return 404;
}
location ~ /(.+\.(json|lock|md)) {
deny all;
return 404;
}
location ~ ^/%pma_alias%/(.*\.php)$ {
alias /usr/share/phpmyadmin/$1;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
location /%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$ {
root /usr/share/phpmyadmin/;
}
}
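Review bot: The static-asset block at L2383, `location /%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$ { root ... }`, is a prefix location because it lacks the `~` modifier, so its pattern is taken literally and never matches; assets are currently served by the enclosing `alias`, which happens to work. If a dedicated block is wanted it needs `location ~ ^/%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$` and, since `root` would map the URI to `/usr/share/phpmyadmin//%pma_alias%/...`, `alias /usr/share/phpmyadmin/$1;` in place of `root`; otherwise the block can be removed. The `deny all;` lines before `return 404;` are dead code, since `return` runs in the rewrite phase before access checks; keeping only `return 404;` says the same thing.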

@@ -0,0 +1,12 @@
location /%pga_alias% {
alias /usr/share/phppgadmin/;
location ~ ^/%pga_alias%/(.*\.php)$ {
alias /usr/share/phppgadmin/$1;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}

@@ -0,0 +1,11 @@
server {
listen 127.0.0.1:8084 default_server;
server_name _;
server_name_in_redirect off;
location / {
stub_status on;
access_log off;
error_log /dev/null;
}
}

@@ -0,0 +1,52 @@
server {
listen directIP:80 default_server;
server_name _;
access_log off;
error_log /dev/null;
location / {
root /var/www/html;
location /phpmyadmin/ {
alias /var/www/document_errors/;
return 404;
}
location /phppgadmin/ {
alias /var/www/document_errors/;
return 404;
}
location /webmail {
alias /var/www/document_errors/;
return 404;
}
location /webmail/ {
alias /var/www/document_errors/;
return 404;
}
location /error/ {
alias /var/www/document_errors/;
}
}
}
server {
listen directIP:443 default_server ssl;
server_name _;
access_log off;
error_log /dev/null;
ssl_certificate /usr/local/hestia/ssl/certificate.crt;
ssl_certificate_key /usr/local/hestia/ssl/certificate.key;
return 301 http://$host$request_uri;
location / {
root /var/www/document_errors/;
}
location /error/ {
alias /var/www/document_errors/;
}
}
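Review bot: The HTTPS catch-all at L2448–L2462 answers `return 301 http://$host$request_uri;`, which both downgrades the client to plain HTTP and redirects to whatever the client put in the Host header, since `server_name _` accepts any name; for a default server that exists only to absorb requests for unknown or bare-IP hosts, `return 444;` (or a redirect to a fixed hostname) avoids behaving as an open redirect. `error_log /dev/null;` in both servers also discards the only record of scans and probes aimed at the raw IP; keeping it at, e.g., `error_log /var/log/nginx/error.log warn;` preserves that evidence at negligible cost. If the downgrade redirect is intentional Hestia behaviour, a comment explaining why would help the next reader.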

@@ -0,0 +1,166 @@
<?php
/**
* Central phpPgAdmin configuration. As a user you may modify the
* settings here for your particular configuration.
*
* $Id: config.inc.php-dist,v 1.55 2008/02/18 21:10:31 xzilla Exp $
*/
// An example server. Create as many of these as you wish,
// indexed from zero upwards.
// Display name for the server on the login screen
$conf["servers"][0]["desc"] = "PostgreSQL";
// Hostname or IP address for server. Use '' for UNIX domain socket.
// use 'localhost' for TCP/IP connection on this computer
$conf["servers"][0]["host"] = "localhost";
// Database port on server (5432 is the PostgreSQL default)
$conf["servers"][0]["port"] = 5432;
// Database SSL mode
// Possible options: disable, allow, prefer, require
// To require SSL on older servers use option: legacy
// To ignore the SSL mode, use option: unspecified
$conf["servers"][0]["sslmode"] = "allow";
// Change the default database only if you cannot connect to template1.
// For a PostgreSQL 8.1+ server, you can set this to 'postgres'.
$conf["servers"][0]["defaultdb"] = "template1";
// Specify the path to the database dump utilities for this server.
// You can set these to '' if no dumper is available.
$conf["servers"][0]["pg_dump_path"] = "/usr/bin/pg_dump";
$conf["servers"][0]["pg_dumpall_path"] = "/usr/bin/pg_dumpall";
// Slony (www.slony.info) support?
$conf["servers"][0]["slony_support"] = false;
// Specify the path to the Slony SQL scripts (where slony1_base.sql is located, etc.)
// No trailing slash.
$conf["servers"][0]["slony_sql"] = "/usr/share/pgsql";
// Example for a second server (PostgreSQL for Windows)
//$conf['servers'][1]['desc'] = 'Test Server';
//$conf['servers'][1]['host'] = '127.0.0.1';
//$conf['servers'][1]['port'] = 5432;
//$conf['servers'][1]['sslmode'] = 'allow';
//$conf['servers'][1]['defaultdb'] = 'template1';
//$conf['servers'][1]['pg_dump_path'] = 'C:\\Program Files\\PostgreSQL\\8.0\\bin\\pg_dump.exe';
//$conf['servers'][1]['pg_dumpall_path'] = 'C:\\Program Files\\PostgreSQL\\8.0\\bin\\pg_dumpall.exe';
//$conf['servers'][1]['slony_support'] = false;
//$conf['servers'][1]['slony_sql'] = 'C:\\Program Files\\PostgreSQL\\8.0\\share';
// Example of groups definition.
// Groups allow administrators to logically group servers together under group nodes in the left browser tree
//
// The group '0' description
//$conf['srv_groups'][0]['desc'] = 'group one';
//
// Add here server indexes belonging to the group '0' separated by comma
//$conf['srv_groups'][0]['servers'] = '0,1,2';
//
// A server can belong to multi groups
//$conf['srv_groups'][1]['desc'] = 'group two';
//$conf['srv_groups'][1]['servers'] = '3,1';
// Default language. E.g.: 'english', 'polish', etc. See lang/ directory
// for all possibilities. If you specify 'auto' (the default) it will use
// your browser preference.
$conf["default_lang"] = "auto";
// AutoComplete uses AJAX interaction to list foreign key values
// on insert fields. It currently only works on single column
// foreign keys. You can choose one of the following values:
// 'default on' enables AutoComplete and turns it on by default.
// 'default off' enables AutoComplete but turns it off by default.
// 'disable' disables AutoComplete.
$conf["autocomplete"] = "default on";
// If extra login security is true, then logins via phpPgAdmin with no
// password or certain usernames (pgsql, postgres, root, administrator)
// will be denied. Only set this false once you have read the FAQ and
// understand how to change PostgreSQL's pg_hba.conf to enable
// passworded local connections.
$conf["extra_login_security"] = true;
// Only show owned databases?
// Note: This will simply hide other databases in the list - this does
// not in any way prevent your users from seeing other database by
// other means. (e.g. Run 'SELECT * FROM pg_database' in the SQL area.)
$conf["owned_only"] = false;
// Display comments on objects? Comments are a good way of documenting
// a database, but they do take up space in the interface.
$conf["show_comments"] = true;
// Display "advanced" objects? Setting this to true will show
// aggregates, types, operators, operator classes, conversions,
// languages and casts in phpPgAdmin. These objects are rarely
// administered and can clutter the interface.
$conf["show_advanced"] = false;
// Display "system" objects?
$conf["show_system"] = false;
// Display reports feature? For this feature to work, you must
// install the reports database as explained in the INSTALL file.
$conf["show_reports"] = true;
// Database and table for reports
$conf["reports_db"] = "phppgadmin";
$conf["reports_schema"] = "public";
$conf["reports_table"] = "ppa_reports";
// Only show owned reports?
// Note: This does not prevent people from accessing other reports by
// other means.
$conf["owned_reports_only"] = false;
// Minimum length users can set their password to.
$conf["min_password_length"] = 1;
// Width of the left frame in pixels (object browser)
$conf["left_width"] = 200;
// Which look & feel theme to use
$conf["theme"] = "default";
// Show OIDs when browsing tables?
$conf["show_oids"] = false;
// Max rows to show on a page when browsing record sets
$conf["max_rows"] = 30;
// Max chars of each field to display by default in browse mode
$conf["max_chars"] = 50;
// Send XHTML strict headers?
$conf["use_xhtml_strict"] = false;
// Base URL for PostgreSQL documentation.
// '%s', if present, will be replaced with the PostgreSQL version
// (e.g. 8.4 )
$conf["help_base"] = "http://www.postgresql.org/docs/%s/interactive/";
// Configuration for ajax scripts
// Time in seconds. If set to 0, refreshing data using ajax will be disabled (locks and activity pages)
$conf["ajax_refresh"] = 3;
// If extra session security is true, then PHP's session cookies will have
// SameSite cookie flags set to prevent CSRF attacks. If you're using
// auto-start sessions, autostarted sessions will be destroyed and
// restarted with SameSite on. If this this solution is not acceptable for
// your situation, you will need to either turn off auot-start sessions, or
// turn off secure sessions. Versions of PHP below 7.3 do not have access
// to this feature and will be vulnerable to CSRF attacks.
$conf["extra_session_security"] = true;
/*****************************************
* Don't modify anything below this line *
*****************************************/
$conf["version"] = 19;
?>
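Review bot: `$conf["min_password_length"] = 1;` at L2566 lets users set one-character PostgreSQL passwords through the phpPgAdmin UI; a shipped default such as `$conf["min_password_length"] = 8;` is more defensible. `$conf["servers"][0]["sslmode"] = "allow"` prefers a cleartext connection, which is acceptable for the `localhost` entry but worth a short comment so it is not copied verbatim into a remote-host entry. The closing `?>` at L2598 can be dropped, since any trailing whitespace after it is emitted before headers are sent.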

@@ -0,0 +1,31 @@
Alias /phppgadmin /usr/share/phppgadmin
<Directory /usr/share/phppgadmin>
DirectoryIndex index.php
AllowOverride None
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0 ::1/128
allow from all
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_value include_path .
</IfModule>
<IfModule !mod_php5.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
</IfModule>
</IfModule>
</Directory>
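Review bot: The access block at L2607–L2610 contradicts itself: `order deny,allow` / `deny from all` / `allow from 127.0.0.0/255.0.0.0 ::1/128` restrict phpPgAdmin to loopback, and the following `allow from all` then opens it to everyone, so the loopback lines are dead. These are also Apache 2.2 directives that only work on 2.4 with mod_access_compat loaded; state the intended policy in the 2.4 form, `Require all granted` if it is meant to be public (and remove the four lines), or `Require local` if it is meant to be loopback-only. The `<IfModule mod_php5.c>` block with `magic_quotes_gpc` targets a PHP version that no longer ships and can be removed.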

@@ -0,0 +1,13 @@
; origin-src: rhel/php-fpm/dummy.conf
[www]
listen = 127.0.0.1:9999
listen.allowed_clients = 127.0.0.1
user = apache
group = apache
pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 10s

@@ -0,0 +1,26 @@
; origin-src: rhel/php-fpm/multiphp.tpl
[%domain%]
listen = /run/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = apache
listen.mode = 0660
user = %user%
group = %user%
pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status
php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /home/%user%/.composer:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcube:/var/lib/roundcube:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
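Review bot: `php_admin_value[open_basedir]` at L2662 grants every per-domain pool, running as `%user%`, access to `/etc/phpmyadmin`, `/etc/roundcube`, `/var/lib/roundcube`, `/usr/share` and `/opt`; open_basedir only narrows what PHP may open, so whether one tenant can read another service's shared configuration (the phpMyAdmin control-user or Roundcube database credentials typically live in those directories) depends entirely on filesystem permissions, which this commit does not show. A comment making that dependency explicit would help, e.g. `; open_basedir admits shared config dirs: their files must not be readable by %user%`, together with a check that those files are not world-readable on the target distribution. `pm.status_path = /status` also exposes pool status on every domain if the web server forwards `/status` to PHP; please confirm that the vhost templates do not.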

@@ -0,0 +1,13 @@
; origin-src: rhel/php-fpm/www.conf
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = apache
group = apache
pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 10s

@@ -0,0 +1,389 @@
-- --------------------------------------------------------
-- SQL Commands to set up the pmadb as described in the documentation.
--
-- This file is meant for use with MySQL 5 and above!
--
-- This script expects the user pma to already be existing. If we would put a
-- line here to create him too many users might just use this script and end
-- up with having the same password for the controluser.
--
-- This user "pma" must be defined in config.inc.php (controluser/controlpass)
--
-- Please don't forget to set up the tablenames in config.inc.php
--
-- --------------------------------------------------------
--
-- Database : `phpmyadmin`
--
CREATE DATABASE IF NOT EXISTS `phpmyadmin` DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
USE phpmyadmin;
-- --------------------------------------------------------
--
-- Privileges
--
-- (activate this statement if necessary)
-- GRANT SELECT, INSERT, DELETE, UPDATE, ALTER ON `phpmyadmin`.* TO
-- 'pma'@localhost;
-- --------------------------------------------------------
--
-- Table structure for table `pma__usergroups`
--
CREATE TABLE
IF NOT EXISTS `pma__usergroups` (
`usergroup` varchar(64) NOT NULL,
`tab` varchar(64) NOT NULL,
`allowed` enum ('Y', 'N') NOT NULL DEFAULT 'N',
PRIMARY KEY (`usergroup`, `tab`, `allowed`)
) COMMENT = 'User groups with configured menu items' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__designer_coords`
--
CREATE TABLE
IF NOT EXISTS `pma__designer_coords` (
`db_name` varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '',
`table_name` varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '',
`x` int (11) DEFAULT NULL,
`y` int (11) DEFAULT NULL,
`v` tinyint (4) DEFAULT NULL,
`h` tinyint (4) DEFAULT NULL,
PRIMARY KEY (`db_name`, `table_name`)
) ENGINE = MyISAM DEFAULT CHARSET = utf8 COLLATE = utf8_bin COMMENT = 'Table coordinates for Designer';
-- --------------------------------------------------------
--
-- Table structure for table `pma__bookmark`
--
CREATE TABLE
IF NOT EXISTS `pma__bookmark` (
`id` int (11) NOT NULL auto_increment,
`dbase` varchar(255) NOT NULL default '',
`user` varchar(255) NOT NULL default '',
`label` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`query` text NOT NULL,
PRIMARY KEY (`id`)
) COMMENT = 'Bookmarks' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__column_info`
--
CREATE TABLE
IF NOT EXISTS `pma__column_info` (
`id` int (5) unsigned NOT NULL auto_increment,
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`column_name` varchar(64) NOT NULL default '',
`comment` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`mimetype` varchar(255) COLLATE utf8_general_ci NOT NULL default '',
`transformation` varchar(255) NOT NULL default '',
`transformation_options` varchar(255) NOT NULL default '',
`input_transformation` varchar(255) NOT NULL default '',
`input_transformation_options` varchar(255) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `db_name` (`db_name`, `table_name`, `column_name`)
) COMMENT = 'Column information for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__history`
--
CREATE TABLE
IF NOT EXISTS `pma__history` (
`id` bigint (20) unsigned NOT NULL auto_increment,
`username` varchar(64) NOT NULL default '',
`db` varchar(64) NOT NULL default '',
`table` varchar(64) NOT NULL default '',
`timevalue` timestamp NOT NULL default CURRENT_TIMESTAMP,
`sqlquery` text NOT NULL,
PRIMARY KEY (`id`),
KEY `username` (`username`, `db`, `table`, `timevalue`)
) COMMENT = 'SQL history for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__pdf_pages`
--
CREATE TABLE
IF NOT EXISTS `pma__pdf_pages` (
`db_name` varchar(64) NOT NULL default '',
`page_nr` int (10) unsigned NOT NULL auto_increment,
`page_descr` varchar(50) COLLATE utf8_general_ci NOT NULL default '',
PRIMARY KEY (`page_nr`),
KEY `db_name` (`db_name`)
) COMMENT = 'PDF relation pages for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__recent`
--
CREATE TABLE
IF NOT EXISTS `pma__recent` (
`username` varchar(64) NOT NULL,
`tables` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Recently accessed tables' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__favorite`
--
CREATE TABLE
IF NOT EXISTS `pma__favorite` (
`username` varchar(64) NOT NULL,
`tables` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Favorite tables' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_uiprefs`
--
CREATE TABLE
IF NOT EXISTS `pma__table_uiprefs` (
`username` varchar(64) NOT NULL,
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
`prefs` text NOT NULL,
`last_update` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`username`, `db_name`, `table_name`)
) COMMENT = 'Tables'' UI preferences' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__relation`
--
CREATE TABLE
IF NOT EXISTS `pma__relation` (
`master_db` varchar(64) NOT NULL default '',
`master_table` varchar(64) NOT NULL default '',
`master_field` varchar(64) NOT NULL default '',
`foreign_db` varchar(64) NOT NULL default '',
`foreign_table` varchar(64) NOT NULL default '',
`foreign_field` varchar(64) NOT NULL default '',
PRIMARY KEY (`master_db`, `master_table`, `master_field`),
KEY `foreign_field` (`foreign_db`, `foreign_table`)
) COMMENT = 'Relation table' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_coords`
--
CREATE TABLE
IF NOT EXISTS `pma__table_coords` (
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`pdf_page_number` int (11) NOT NULL default '0',
`x` float unsigned NOT NULL default '0',
`y` float unsigned NOT NULL default '0',
PRIMARY KEY (`db_name`, `table_name`, `pdf_page_number`)
) COMMENT = 'Table coordinates for phpMyAdmin PDF output' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__table_info`
--
CREATE TABLE
IF NOT EXISTS `pma__table_info` (
`db_name` varchar(64) NOT NULL default '',
`table_name` varchar(64) NOT NULL default '',
`display_field` varchar(64) NOT NULL default '',
PRIMARY KEY (`db_name`, `table_name`)
) COMMENT = 'Table information for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__tracking`
--
CREATE TABLE
IF NOT EXISTS `pma__tracking` (
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
`version` int (10) unsigned NOT NULL,
`date_created` datetime NOT NULL,
`date_updated` datetime NOT NULL,
`schema_snapshot` text NOT NULL,
`schema_sql` text,
`data_sql` longtext,
`tracking`
set
(
'UPDATE',
'REPLACE',
'INSERT',
'DELETE',
'TRUNCATE',
'CREATE DATABASE',
'ALTER DATABASE',
'DROP DATABASE',
'CREATE TABLE',
'ALTER TABLE',
'RENAME TABLE',
'DROP TABLE',
'CREATE INDEX',
'DROP INDEX',
'CREATE VIEW',
'ALTER VIEW',
'DROP VIEW'
) default NULL,
`tracking_active` int (1) unsigned NOT NULL default '1',
PRIMARY KEY (`db_name`, `table_name`, `version`)
) COMMENT = 'Database changes tracking for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__userconfig`
--
CREATE TABLE
IF NOT EXISTS `pma__userconfig` (
`username` varchar(64) NOT NULL,
`timevalue` timestamp NOT NULL default CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`config_data` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'User preferences storage for phpMyAdmin' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__users`
--
CREATE TABLE
IF NOT EXISTS `pma__users` (
`username` varchar(64) NOT NULL,
`usergroup` varchar(64) NOT NULL,
PRIMARY KEY (`username`, `usergroup`)
) COMMENT = 'Users and their assignments to user groups' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__usergroups`
--
CREATE TABLE
IF NOT EXISTS `pma__usergroups` (
`usergroup` varchar(64) NOT NULL,
`tab` varchar(64) NOT NULL,
`allowed` enum ('Y', 'N') NOT NULL DEFAULT 'N',
PRIMARY KEY (`usergroup`, `tab`, `allowed`)
) COMMENT = 'User groups with configured menu items' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__navigationhiding`
--
CREATE TABLE
IF NOT EXISTS `pma__navigationhiding` (
`username` varchar(64) NOT NULL,
`item_name` varchar(64) NOT NULL,
`item_type` varchar(64) NOT NULL,
`db_name` varchar(64) NOT NULL,
`table_name` varchar(64) NOT NULL,
PRIMARY KEY (
`username`,
`item_name`,
`item_type`,
`db_name`,
`table_name`
)
) COMMENT = 'Hidden items of navigation tree' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__savedsearches`
--
CREATE TABLE
IF NOT EXISTS `pma__savedsearches` (
`id` int (5) unsigned NOT NULL auto_increment,
`username` varchar(64) NOT NULL default '',
`db_name` varchar(64) NOT NULL default '',
`search_name` varchar(64) NOT NULL default '',
`search_data` text NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `u_savedsearches_username_dbname` (`username`, `db_name`, `search_name`)
) COMMENT = 'Saved searches' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__central_columns`
--
CREATE TABLE
IF NOT EXISTS `pma__central_columns` (
`db_name` varchar(64) NOT NULL,
`col_name` varchar(64) NOT NULL,
`col_type` varchar(64) NOT NULL,
`col_length` text,
`col_collation` varchar(64) NOT NULL,
`col_isNull` boolean NOT NULL,
`col_extra` varchar(255) default '',
`col_default` text,
PRIMARY KEY (`db_name`, `col_name`)
) COMMENT = 'Central list of columns' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__designer_settings`
--
CREATE TABLE
IF NOT EXISTS `pma__designer_settings` (
`username` varchar(64) NOT NULL,
`settings_data` text NOT NULL,
PRIMARY KEY (`username`)
) COMMENT = 'Settings related to Designer' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
-- --------------------------------------------------------
--
-- Table structure for table `pma__export_templates`
--
CREATE TABLE
IF NOT EXISTS `pma__export_templates` (
`id` int (5) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(64) NOT NULL,
`export_type` varchar(10) NOT NULL,
`template_name` varchar(64) NOT NULL,
`template_data` text NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `u_user_type_template` (`username`, `export_type`, `template_name`)
) COMMENT = 'Saved export templates' DEFAULT CHARACTER
SET
utf8 COLLATE utf8_bin;
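Review bot: `pma__usergroups` is created twice in this script (the first CREATE TABLE block right after the privilege comment, and again after `pma__users`); IF NOT EXISTS makes the second a no-op, but two copies will drift, so drop the first one. `pma__designer_coords` is the only table pinned to `ENGINE = MyISAM`, which is non-transactional and not crash-safe; unless there is a reason for it, let it take the server default like every other table here. The commented GRANT at the top lists SELECT, INSERT, DELETE, UPDATE, ALTER, which is the least-privilege set the control user needs; whatever provisioning script actually grants should stay in step with it rather than handing out ALL PRIVILEGES.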


@@ -0,0 +1,146 @@
#!/bin/bash
#
# phpmyadmin-fixer
#
# Fixes for phpmyadmin (configuration storage and some extended features)
#
# Original Version by Pavel Galkin (https://skurudo.ru)
# https://github.com/skurudo/phpmyadmin-fixer
#
# Changed some lines to fit to Hestia Configuration.
#
PASS=$(gen_pass)
#ubuntu phpmyadmin path
pmapath1="/etc/phpmyadmin/config.inc.php"
pmapath2="/usr/share/phpmyadmin/config.sample.inc.php"
#delete old and paste new value
sed -i '/pmadb/d' $pmapath1
sed -i '/controluser/d' $pmapath1
sed -i '/bookmarktable/d' $pmapath1
sed -i '/relation/d' $pmapath1
sed -i '/userconfig/d' $pmapath1
sed -i '/table_info/d' $pmapath1
sed -i '/column_info/d' $pmapath1
sed -i '/history/d' $pmapath1
sed -i '/recent/d' $pmapath1
sed -i '/table_uiprefs/d' $pmapath1
sed -i '/tracking/d' $pmapath1
sed -i '/table_coords/d' $pmapath1
sed -i '/pdf_pages/d' $pmapath1
sed -i '/designer_coords/d' $pmapath1
sed -i '/controlpass/d' $pmapath1
sed -i '/\$i = 1; /d' $pmapath1
echo "\$i = 1;" >> $pmapath1
sed -i '/savedsearches/d' $pmapath1
sed -i '/navigationhiding/d' $pmapath1
sed -i '/users/d' $pmapath1
sed -i '/controlpass/d' $pmapath1
sed -i '/favorite/d' $pmapath1
sed -i '/usergroups/d' $pmapath1
sed -i '/central_columns/d' $pmapath1
sed -i '/designer_settings/d' $pmapath1
sed -i '/export_templates/d' $pmapath1
echo "\$cfg['Servers'][\$i]['favorite'] = 'pma__favorite';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['central_columns'] = 'pma__central_columns';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['designer_settings'] = 'pma__designer_settings';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['export_templates'] = 'pma__export_templates';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['savedsearches'] = 'pma__savedsearches';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['navigationhiding'] = 'pma__navigationhiding';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['users'] = 'pma__users';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['controluser'] = 'pma';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['bookmarktable'] = 'pma__bookmark';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['relation'] = 'pma__relation';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['userconfig'] = 'pma__userconfig';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['table_info'] = 'pma__table_info';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['column_info'] = 'pma__column_info';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['history'] = 'pma__history';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['recent'] = 'pma__recent';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['table_uiprefs'] = 'pma__table_uiprefs';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['tracking'] = 'pma__tracking';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['table_coords'] = 'pma__table_coords';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['pdf_pages'] = 'pma__pdf_pages';" >> $pmapath1
echo "\$cfg['Servers'][\$i]['designer_coords'] = 'pma__designer_coords';" >> $pmapath1
sed -i '/pmadb/d' $pmapath2
sed -i '/controluser/d' $pmapath2
sed -i '/bookmarktable/d' $pmapath2
sed -i '/relation/d' $pmapath2
sed -i '/userconfig/d' $pmapath2
sed -i '/table_info/d' $pmapath2
sed -i '/column_info/d' $pmapath2
sed -i '/history/d' $pmapath2
sed -i '/recent/d' $pmapath2
sed -i '/table_uiprefs/d' $pmapath2
sed -i '/tracking/d' $pmapath2
sed -i '/table_coords/d' $pmapath2
sed -i '/pdf_pages/d' $pmapath2
sed -i '/designer_coords/d' $pmapath2
sed -i '/controlpass/d' $pmapath2
sed -i '/savedsearches/d' $pmapath2
sed -i '/navigationhiding/d' $pmapath2
sed -i '/users/d' $pmapath2
sed -i '/controlpass/d' $pmapath2
sed -i '/favorite/d' $pmapath2
sed -i '/usergroups/d' $pmapath2
sed -i '/central_columns/d' $pmapath2
sed -i '/designer_settings/d' $pmapath2
sed -i '/export_templates/d' $pmapath2
echo "\$cfg['Servers'][\$i]['favorite'] = 'pma__favorite';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['central_columns'] = 'pma__central_columns';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['designer_settings'] = 'pma__designer_settings';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['export_templates'] = 'pma__export_templates';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['savedsearches'] = 'pma__savedsearches';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['navigationhiding'] = 'pma__navigationhiding';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['users'] = 'pma__users';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['usergroups'] = 'pma__usergroups';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['controluser'] = 'pma';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['bookmarktable'] = 'pma__bookmark';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['relation'] = 'pma__relation';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['userconfig'] = 'pma__userconfig';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['table_info'] = 'pma__table_info';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['column_info'] = 'pma__column_info';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['history'] = 'pma__history';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['recent'] = 'pma__recent';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['table_uiprefs'] = 'pma__table_uiprefs';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['tracking'] = 'pma__tracking';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['table_coords'] = 'pma__table_coords';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['pdf_pages'] = 'pma__pdf_pages';" >> $pmapath2
echo "\$cfg['Servers'][\$i]['designer_coords'] = 'pma__designer_coords';" >> $pmapath2
#SOME WORK with DATABASE (table / user)
PMADB=phpmyadmin
PMAUSER=pma
#DROP USER and TABLE
mysql -uroot << MYSQL_PMA1
DROP USER '$PMAUSER'@'localhost';
DROP DATABASE $PMADB;
FLUSH PRIVILEGES;
MYSQL_PMA1
#CREATE PMA USER
mysql -uroot << MYSQL_PMA2
CREATE USER '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';
CREATE DATABASE $PMADB;
MYSQL_PMA2
#GRANT PMA USE SOME RIGHTS
mysql -uroot << MYSQL_PMA3
USE $PMADB;
GRANT USAGE ON $PMADB.* TO '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';
GRANT ALL PRIVILEGES ON $PMADB.* TO '$PMAUSER'@'localhost';
FLUSH PRIVILEGES;
MYSQL_PMA3
#MYSQL DB and TABLES ADDITION
mysql -uroot < $HESTIA_COMMON_DIR/phpmyadmin/create_tables.sql
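Review bot: The `echo "\$cfg['Servers'][\$i]['controlpass'] = '$PASS';" >> $pmapath2` line writes the freshly generated control-user password into /usr/share/phpmyadmin/config.sample.inc.php, a sample file inside the web-served package directory that is normally world-readable, so the credential ends up in a second, less protected copy (and /usr/share is inside the tenant pools' open_basedir in this same change); only table names belong in the sample, so drop the controlpass append to $pmapath2 or restrict that file's mode to match $pmapath1. `GRANT USAGE ON $PMADB.* TO '$PMAUSER'@'localhost' IDENTIFIED BY '$PASS';` is redundant with the CREATE USER two statements earlier, and the GRANT ... IDENTIFIED BY form was removed in MySQL 8.0, so that heredoc fails on current servers; the following `GRANT ALL PRIVILEGES` line is enough on its own. The DROP USER / DROP DATABASE statements should be `DROP USER IF EXISTS` / `DROP DATABASE IF EXISTS`, otherwise the first run aborts that heredoc on the missing user. gen_pass is not visible here; if it can emit a quote or backslash, both the PHP single-quoted string and the SQL literal break, so its alphabet is worth confirming.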


@@ -0,0 +1,54 @@
# phpMyAdmin default Apache configuration
Alias /%pma_alias% /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
<IfModule mod_php5.c>
Define PHP_ENABLED
</IfModule>
<IfModule mod_php7.c>
Define PHP_ENABLED
</IfModule>
<IfDefine PHP_ENABLED>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext:/usr/share/javascript/
</IfDefine>
<IfDefine !PHP_ENABLED>
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/hestia-php.sock|fcgi://localhost"
</FilesMatch>
</IfDefine>
</Directory>
# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
Order Deny,Allow
Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
Order Deny,Allow
Deny from All
</Directory>
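Review bot: The FPM branch (`SetHandler "proxy:unix:/run/hestia-php.sock|fcgi://localhost"`) carries none of the restrictions the mod_php branch sets, so open_basedir, upload_tmp_dir and allow_url_fopen=Off apply only when PHP runs in-process; when phpMyAdmin is served through the hestia-php pool those limits must come from that pool's php_admin_value settings, which deserves a comment here such as `# open_basedir/upload_tmp_dir for the FPM path are enforced in the hestia-php pool, not in this file`. The `Order Deny,Allow` / `Deny from All` blocks for libraries and setup/lib are Apache 2.2 syntax that only works on 2.4 with mod_access_compat loaded; `Require all denied` is the native form. The setup/ directory stays reachable behind htpasswd; if the setup script is not used on this platform, denying it entirely is simpler and safer than maintaining /etc/phpmyadmin/htpasswd.setup.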


@@ -0,0 +1,145 @@
<?php
/**
* Debian local configuration file
*
* This file overrides the settings made by phpMyAdmin interactive setup
* utility.
*
* For example configuration see
* /usr/share/doc/phpmyadmin/examples/config.sample.inc.php
* or
* /usr/share/doc/phpmyadmin/examples/config.manyhosts.inc.php
*
* NOTE: do not add security sensitive data to this file (like passwords)
* unless you really know what you're doing. If you do, any user that can
* run PHP or CGI on your webserver will be able to read them. If you still
* want to do this, make sure to properly secure the access to this file
* (also on the filesystem level).
*/
function check_file_access($path) {
if (is_readable($path)) {
return true;
} else {
error_log(
"phpmyadmin: Failed to load " .
$path .
" Check group apache has read access and open_basedir restrictions.",
);
return false;
}
}
// Load secret generated on postinst
if (check_file_access("/var/lib/phpmyadmin/blowfish_secret.inc.php")) {
require "/var/lib/phpmyadmin/blowfish_secret.inc.php";
}
// Load autoconf local config
if (check_file_access("/var/lib/phpmyadmin/config.inc.php")) {
require "/var/lib/phpmyadmin/config.inc.php";
}
/**
* Server(s) configuration
*/
$i = 0;
// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use $cfg['Servers'][0].
// You can disable a server config entry by setting host to ''.
$i++;
/**
* Read configuration from dbconfig-common
* You can regenerate it using: dpkg-reconfigure -plow phpmyadmin
*/
if (check_file_access("/etc/phpmyadmin/config-db.php")) {
require "/etc/phpmyadmin/config-db.php";
}
/* Configure according to dbconfig-common if enabled */
if (!empty($dbname)) {
/* Authentication type */
$cfg["Servers"][$i]["auth_type"] = "cookie";
/* Server parameters */
if (empty($dbserver)) {
$dbserver = "localhost";
}
$cfg["Servers"][$i]["host"] = $dbserver;
if (!empty($dbport) || $dbserver != "localhost") {
$cfg["Servers"][$i]["connect_type"] = "tcp";
$cfg["Servers"][$i]["port"] = $dbport;
}
//$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
$cfg["Servers"][$i]["extension"] = "mysqli";
/* Optional: User for advanced features */
$cfg["Servers"][$i]["controluser"] = $dbuser;
$cfg["Servers"][$i]["controlpass"] = $dbpass;
/* Optional: Advanced phpMyAdmin features */
$cfg["Servers"][$i]["pmadb"] = $dbname;
$cfg["Servers"][$i]["bookmarktable"] = "pma_bookmark";
$cfg["Servers"][$i]["relation"] = "pma_relation";
$cfg["Servers"][$i]["table_info"] = "pma_table_info";
$cfg["Servers"][$i]["table_coords"] = "pma_table_coords";
$cfg["Servers"][$i]["pdf_pages"] = "pma_pdf_pages";
$cfg["Servers"][$i]["column_info"] = "pma_column_info";
$cfg["Servers"][$i]["history"] = "pma_history";
$cfg["Servers"][$i]["table_uiprefs"] = "pma_table_uiprefs";
$cfg["Servers"][$i]["designer_coords"] = "pma_designer_coords";
$cfg["Servers"][$i]["tracking"] = "pma_tracking";
$cfg["Servers"][$i]["userconfig"] = "pma_userconfig";
$cfg["Servers"][$i]["recent"] = "pma_recent";
/* Uncomment the following to enable logging in to passwordless accounts,
* after taking note of the associated security risks. */
// $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
/* Advance to next server for rest of config */
$i++;
}
/* Authentication type */
//$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
//$cfg['Servers'][$i]['host'] = 'localhost';
//$cfg['Servers'][$i]['connect_type'] = 'tcp';
//$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
//$cfg['Servers'][$i]['extension'] = 'mysql';
/* Optional: User for advanced features */
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
/* Storage database and tables */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
// $cfg['Servers'][$i]['relation'] = 'pma_relation';
// $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
// $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
// $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['table_uiprefs'] = 'pma_table_uiprefs';
// $cfg['Servers'][$i]['tracking'] = 'pma_tracking';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
// $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig';
// $cfg['Servers'][$i]['recent'] = 'pma_recent';
/* Uncomment the following to enable logging in to passwordless accounts,
* after taking note of the associated security risks. */
// $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
/*
* End of servers configuration
*/
/*
* Directories for saving/loading files from server
*/
$cfg["UploadDir"] = "";
$cfg["SaveDir"] = "";
/* Support additional configurations */
foreach (glob("/etc/phpmyadmin/conf.d/*.php") as $filename) {
include $filename;
}
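Review bot: The dbconfig-common branch points the configuration storage at single-underscore tables (`pma_bookmark`, `pma_relation`, …) while the create_tables.sql shipped in this same change creates `pma__bookmark`, `pma__relation`, … with a double underscore, so if /etc/phpmyadmin/config-db.php ever exists on this RHEL layout the storage features would silently fail to find their tables; that file is probably absent here and the branch skipped, but the names should match whichever schema is actually installed. The `error_log(...)` call in check_file_access ends its argument list with a trailing comma, which is a parse error before PHP 7.3 — fine if the installer only targets newer PHP, but worth confirming. When the blowfish secret include is unreadable the script only logs and continues, so cookie auth proceeds without a configured `$cfg['blowfish_secret']`; how phpMyAdmin copes with that depends on its version, and failing loudly would be safer than a log line.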


@@ -0,0 +1,11 @@
# "local" is for Unix domain socket connections only
local all all ident
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Others
host all all 0.0.0.0/0 md5
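Review bot: `host all all 0.0.0.0/0 md5` accepts password logins for every database and role from any IPv4 source, which turns every weak database password into a remote attack surface as soon as listen_addresses is anything other than localhost; unless remote access is a deliberate feature, drop the line or restrict it to the specific networks that need it. md5 is also the legacy method: PostgreSQL 10+ supports `scram-sha-256` and 14+ defaults to it, so the host lines should use `scram-sha-256` (with password_encryption set accordingly and passwords re-set) on any server version that supports it. There is no IPv6 counterpart to the 0.0.0.0/0 rule, so the wide-open rule is also inconsistent with the `::1/128` line above it.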


@@ -0,0 +1,36 @@
ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
DefaultRoot ~ !adm
Include /etc/proftpd/tls.conf
<IfModule mod_vroot.c>
VRootEngine on
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
</IfModule>
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User proftpd
Group nobody
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ListOptions -a
RequireValidShell off
PassivePorts 12000 12100
<Global>
Umask 002
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
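Review bot: `DefaultRoot ~ !adm` exempts every member of group adm from the chroot, so those accounts can browse the whole filesystem over FTP within their Unix permissions; which accounts land in adm on this RHEL image could not be confirmed from here, so the exemption should either be justified in a comment or narrowed to a dedicated group. `<Limit ALL SITE_CHMOD> AllowAll </Limit>` inside `<Global>` grants every command including SITE CHMOD to all logins, which is the usual panel setup but worth a one-line comment saying it relies on DefaultRoot and Unix permissions for containment. `RequireValidShell off` is needed for nologin-shell panel users; a comment to that effect would stop someone "fixing" it later.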


@@ -0,0 +1,65 @@
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_dso.c>
# If mod_tls was built as a shared/DSO module, load it
LoadModule mod_tls.c
</IfModule>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
TLSProtocol TLSv1.2 TLSv1.3
TLSServerCipherPreference on
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/pki/tls/private/proftpd.key -out /etc/pki/tls/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/pki/tls/private/proftpd.key
# chmod 0640 /etc/pki/tls/private/proftpd.key
#
TLSRSACertificateFile /usr/local/hestia/ssl/certificate.crt
TLSRSACertificateKeyFile /usr/local/hestia/ssl/certificate.key
#
# CA the server trusts...
#TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# ...or avoid CA cert and be verbose
#TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
TLSRenegotiate required off
</IfModule>
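Review bot: `TLSRequired off` leaves plaintext FTP logins allowed even though a certificate is configured, so credentials and file contents can still cross the wire unencrypted; set `TLSRequired on` (or `TLSRequired ctrl` if only the control channel must be protected) unless legacy plain-FTP clients are a deliberate requirement, in which case say so in a comment. `TLSOptions NoSessionReuseRequired AllowClientRenegotiations` re-enables client-initiated renegotiation, contradicting the comment a few lines above that describes rejecting it as the CVE-2009-3555 mitigation; with TLSv1.2/1.3 only and a current OpenSSL the remaining risk is mostly renegotiation DoS, but either drop the option or update the comment. The comment recommending "TLSv1.1 and TLSv1.2" is stale now that TLSProtocol is 1.2/1.3, and the two consecutive `chmod 0600` / `chmod 0640` lines for the key contradict each other.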


@@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA7N3ZOcXgACR0Rat9G/7h8krD7ysVvmEmvAdg8o5l7eKVdtp/QSNK
anF0JyInJMBEgq05GY7YwvFovglJL73T/eEjTK3qPU6eHzxNGKfR0pM6rnAb+EXL
dSNJm3Xz9wH4IKn6OJ3nD9aLmBVI5FlIMV1R4QKX3sIWUxRqRSQIzjNQTnY1e/Pk
BT/ZrUUF7fPPVbg0nPD8Y48ISr7pB6M14Kr66cggGIqUVdBdkPYyt4RpFWR1n3Tv
rz1j0U+UoVnan2FgGsSiSFT9I/CiIxgC/SrdwxZLUgbAiKsnw9H7nGW92C4cRqY0
2eKMVNEBk32GSPQXaA+Q5TILyzxuwDbXMxHMxnUVKQGFEcXjWXXyiv7tLAeu68Do
j5iNFOHbDp17SftnxYHi2vTsYk+9K6Pzc+NmUgibM52Rs92PPYd++HcgMeGrYcqi
temHP2jPtAymixch0wdqBMgeGTb29w51LR0BAU6D6BeR25pkZvPUag3bb6SU1Oli
E15DDWh3UnmfTw2M9W1uxlzQAlXOLL6/ZWuvwyqhCY6X7tIONtSgdYGjtiTFaPJp
ZBdOOrblodLxSu0ObR59SFjv8Pz3sTw4xiRFTG3lFtuIVHdBUbtJHR+2p4fHy/JG
Ccs+Z1KrmJfEzSMzKwfvZYJ526demNulglFBbcQV06ehqjc6MCG3HnMCAQI=
-----END DH PARAMETERS-----

10
install/rpm/sudo/admin Normal file

@@ -0,0 +1,10 @@
# Created by hestia installer
Defaults env_keep="VESTA"
Defaults env_keep+="HESTIA"
Defaults:admin !syslog
Defaults:admin !requiretty
Defaults:root !requiretty
# sudo is limited to hestia scripts
admin ALL=NOPASSWD:/usr/local/vesta/bin/*
admin ALL=NOPASSWD:/usr/local/hestia/bin/*
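Review bot: `Defaults:admin !syslog` turns off sudo's syslog record for the one account that can run every hestia script as root without a password, so the usual `sudo: admin : COMMAND=...` audit trail disappears; if the aim is to cut log noise, `Defaults:admin logfile=/var/log/hestia/sudo.log` keeps a record while staying out of syslog (hestia's own logging may cover part of this, but that could not be confirmed from here). `admin ALL=NOPASSWD:/usr/local/vesta/bin/*` references the legacy Vesta path that this installer does not populate; a passwordless-root rule for a directory that does not exist is dead weight today and becomes an escalation path if that directory is ever created by anything other than root, so remove it on a Hestia-only install. The `/usr/local/hestia/bin/*` rule allows arbitrary arguments, so it relies entirely on each script validating its inputs — worth stating in the comment above it.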


@@ -0,0 +1,51 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias%
Alias / /var/lib/roundcube/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>
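Review bot: `ServerAlias %alias%` uses the raw alias placeholder while the non-SSL template and every other vhost template in this change use `%alias_idn%`; for an IDN alias the SSL vhost would get the Unicode form and fail to match the punycode Host header, so this should read `ServerAlias %alias_idn%`. The /var/lib/roundcube/config block only sets `Options -FollowSymLinks` and `AllowOverride None`, unlike temp and logs which also get `Deny from all`; that directory holds config.inc.php with the database credentials and des_key, and AllowOverride None discards any .htaccess protection inside it, so add `Order allow,deny` / `Deny from all` there as well (or `Require all denied` on Apache 2.4). Whether a request can actually retrieve the file also depends on the PHP handler mapping, but denying the directory removes the question.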


@@ -0,0 +1,48 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/roundcube/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>
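Review bot: The /var/lib/roundcube/config block is the only one of the three protected directories without a `Deny from all`; it contains config.inc.php (database credentials, des_key) and `AllowOverride None` disables any .htaccess Roundcube might ship there, so the directory relies entirely on the PHP handler never serving it as text. Add `Order allow,deny` and `Deny from all` to match the temp and logs blocks, or `Require all denied` on Apache 2.4. The `Order allow,deny` / `allow from all` directives used throughout are 2.2 syntax that needs mod_access_compat on 2.4, so a comment noting that dependency would help the next maintainer.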


@@ -0,0 +1,12 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
</VirtualHost>


@@ -0,0 +1,7 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
DocumentRoot /var/www/html/
Alias /error/ /var/www/document_errors/
#SuexecUserGroup %user% %group%
</VirtualHost>


@@ -0,0 +1,31 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/rainloop/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory /var/lib/rainloop/>
Options +FollowSymLinks
# This is needed to parse /var/lib/rainloop/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/rainloop/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>
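Review bot: `<Directory /var/lib/rainloop/data>` is labelled as protected but carries no deny directive, and its `AllowOverride None` also switches off any `.htaccess` the application may ship inside data/ (the comment on the parent block says these apps rely on `.htaccess` being parsed), so the data directory ends up less restricted than the parent. The snappymail nginx templates in this commit deny `/data` outright with `location ^~ /data { deny all; return 404; }`, so the apache side presumably should too: add `Order allow,deny` and `Deny from all` to this block, matching the syntax used elsewhere in these templates. The same block appears in the plain rainloop template and in both snappymail apache templates further down.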


@@ -0,0 +1,25 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/rainloop/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory /var/lib/rainloop/>
Options +FollowSymLinks
# This is needed to parse /var/lib/rainloop/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/rainloop/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>


@@ -0,0 +1,31 @@
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/snappymail/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
SSLCertificateKeyFile %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
<Directory /var/lib/snappymail/>
Options +FollowSymLinks
# This is needed to parse /var/lib/snappymail/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/snappymail/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
</VirtualHost>


@@ -0,0 +1,25 @@
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
ServerAlias %alias_idn%
Alias / /var/lib/snappymail/
Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
#SuexecUserGroup %user% %group%
IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
<Directory /var/lib/snappymail/>
Options +FollowSymLinks
# This is needed to parse /var/lib/snappymail/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/snappymail/data>
Options -FollowSymLinks
AllowOverride None
</Directory>
IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
</VirtualHost>


@@ -0,0 +1,52 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/roundcube/;
try_files $uri $uri/ =404;
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
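Review bot: `location @fallback` is never referenced — the `try_files` in `location /` ends in `=404`, not `@fallback` — so it is dead configuration and a reader has to work out that it does nothing. In the nested static-asset location, `fastcgi_hide_header "Set-Cookie"` also appears to be a no-op: that location has no `fastcgi_pass`, and `proxy_pass` is not inherited into nested locations, so the directive has no FastCGI response to act on; if the intent is to strip cookies from cached assets, `proxy_hide_header Set-Cookie;` in the location that actually proxies would be the matching directive. Either drop the `@fallback` block or point `try_files` at it. The same two issues are in the plain roundcube proxy template and both snappymail proxy templates below.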


@@ -0,0 +1,43 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/roundcube/;
try_files $uri $uri/ =404;
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}


@@ -0,0 +1,29 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
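Review bot: This TLS listener proxies to `http://%ip%:%web_port%`, whereas the other SSL proxy templates in this commit pass to `https://%ip%:%web_ssl_port%`; nothing in this hunk sets `proxy_set_header X-Forwarded-Proto https`, so unless an included global snippet does, the backend cannot tell the client connection was TLS and may emit plain-http URLs or non-secure cookies. Either keep the backends consistent with `proxy_pass https://%ip%:%web_ssl_port%;` or add the forwarded-proto header in `location /`.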


@@ -0,0 +1,20 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
proxy_pass http://%ip%:%web_port%;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}


@@ -0,0 +1,52 @@
server {
listen %ip%:%proxy_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/snappymail/;
try_files $uri $uri/ =404;
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
}
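Review bot: This snappymail SSL proxy template is the only nginx template in the commit without the dotfile block `location ~ /\.(?!well-known\/) { deny all; return 404; }`; the plain snappymail proxy template right below it has it, so the omission looks accidental rather than intended. Without it, requests for hidden paths under `/var/lib/snappymail` are forwarded to the backend and only blocked if the backend does so. Adding the block ahead of `location ^~ /data` restores the same baseline as the other templates.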


@@ -0,0 +1,48 @@
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
alias /var/lib/snappymail/;
try_files $uri $uri/ =404;
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
}


@@ -0,0 +1,34 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/www/html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}


@@ -0,0 +1,25 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/www/html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,59 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}
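Review bot: The PHP handler hard-codes `fastcgi_pass 127.0.0.1:9000;` while the apache php-fpm templates in this same commit use the `%backend_lsnr%` placeholder for the pool address; if the generator substitutes that placeholder for nginx templates as well, `fastcgi_pass %backend_lsnr%;` would keep per-domain pools working instead of sending every domain to one fixed TCP pool. `fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;` also depends on a `$rfc_early_data` map being defined in the global config, which this hunk cannot show — worth a one-line comment naming where it comes from. The hard-coded pool address recurs in the three other direct nginx templates below (plain snappymail and both roundcube ones).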


@@ -0,0 +1,49 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/snappymail;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ^~ /data {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,53 @@
server {
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
}


@@ -0,0 +1,44 @@
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root /var/lib/roundcube;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
}


@@ -0,0 +1,49 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups apache
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,46 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups apache
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>
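Review bot: The force-SSL include is spelled `forcessl.apache2.conf*` here, but the mail templates earlier in this commit and the php-fpm web template below use `apache2.forcessl.conf*`; since `IncludeOptional` silently ignores a glob that matches nothing, whichever spelling the generator does not actually write leaves the HTTP-to-HTTPS redirect unapplied with no error in the log. Settle on one filename — presumably `IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*`, matching the mail templates — and apply it to the other three plain-HTTP web templates that use the `forcessl.apache2` form (the phpcgi, fcgid and mod_php variants below).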


@@ -0,0 +1,55 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value upload_max_filesize 10M
php_admin_value max_execution_time 20
php_admin_value post_max_size 8M
php_admin_value memory_limit 32M
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups apache
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc*
</VirtualHost>
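Review bot: In this SSL vhost `php_admin_value open_basedir` is built from `%docroot%` while `DocumentRoot` is `%sdocroot%`; the other SSL template above uses `%sdocroot%` in open_basedir, and if the two placeholders ever differ the PHP code under this vhost runs outside its own open_basedir. The list also hands every domain's PHP read access to `/etc/roundcube`, `/etc/roundcubemail`, `/var/lib/roundcube`, the phpMyAdmin config directories, `/usr/share` and `/tmp` — whether that is reachable in practice depends on file ownership and on which user PHP runs as, but it is a much wider boundary than the sibling templates set and deserves a comment explaining why. `php_admin_flag safe_mode off` and `mysql.allow_persistent` refer to features removed from PHP years ago and can be dropped, and `IncludeOptional /etc/httpd/conf.d/*.inc*` should be `*.inc` to match every other template here. The `%docroot%`-in-SSL-vhost issue recurs in the phpcgi and fcgid SSL templates below.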


@@ -0,0 +1,52 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value upload_max_filesize 10M
php_admin_value max_execution_time 20
php_admin_value post_max_size 8M
php_admin_value memory_limit 32M
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups apache
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,41 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<FilesMatch \.php$>
SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,38 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,16 @@
#!/bin/bash
# Adding php wrapper
user="$1"
domain="$2"
ip="$3"
home_dir="$4"
docroot="$5"
wrapper_script='#!/usr/bin/php-cgi -cphp5-cgi.ini'
wrapper_file="$home_dir/$user/web/$domain/cgi-bin/php"
echo "$wrapper_script" > $wrapper_file
chown $user:$user $wrapper_file
chmod -f 751 $wrapper_file
exit 0
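Review bot: The script ends with an unconditional `exit 0`, so if the redirect into `$wrapper_file` or the `chown` fails (missing cgi-bin directory, wrong permissions) the caller is told everything succeeded, and `chmod -f` additionally silences its own errors. `$wrapper_file` and `$user:$user` are also expanded unquoted, which breaks on any path component containing whitespace. Quote the expansions and propagate failure, e.g. `echo "$wrapper_script" > "$wrapper_file" || exit 1` followed by `chown "$user:$user" "$wrapper_file" || exit 1`, and drop the unused `ip` variable or note why it is accepted. The fcgi-starter script further down has the same shape and the same issues.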


@@ -0,0 +1,44 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php
<Files *.php>
SetHandler phpcgi-script
</Files>
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,40 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
Action phpcgi-script /cgi-bin/php
<Files *.php>
SetHandler phpcgi-script
</Files>
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,22 @@
#!/bin/bash
# Adding php wrapper
user="$1"
domain="$2"
ip="$3"
home_dir="$4"
docroot="$5"
wrapper_script="#!/bin/sh
PHPRC=/usr/local/lib
export PHPRC
export PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN=20
exec /usr/bin/php-cgi
"
wrapper_file="$home_dir/$user/web/$domain/cgi-bin/fcgi-starter"
echo "$wrapper_script" > $wrapper_file
chown $user:$user $wrapper_file
chmod -f 751 $wrapper_file
exit 0


@@ -0,0 +1,45 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
SSLRequireSSL
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
<Files *.php>
SetHandler fcgid-script
</Files>
FCGIWrapper %home%/%user%/web/%domain%/cgi-bin/fcgi-starter .php
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
php_admin_value open_basedir none
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>
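Review bot: `php_admin_value` is a mod_php directive, but this template dispatches PHP through mod_fcgid (`SetHandler fcgid-script` plus `FCGIWrapper`), where php-cgi reads its own php.ini and does not see Apache-level php_admin_value settings; the four open_basedir/tmp lines inside `<Directory %sdocroot%>` therefore presumably do not constrain the scripts they sit next to, and a reader will assume they do. The vhost-level `php_admin_value open_basedir none` placed outside any `<Directory>` is more concerning: if mod_php is loaded alongside, Apache's merge order gives that unrestricted value to everything not under `%sdocroot%` (cgi-bin, stats), and "none" is not a documented open_basedir keyword. Either move the restriction into the fcgi-starter's php.ini and delete these lines, or add a comment stating which PHP SAPI they are meant for. The plain-HTTP fcgid template below carries the same in-Directory php_admin_value lines.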


@@ -0,0 +1,40 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
<VirtualHost %ip%:%web_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %docroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
IncludeOptional %home%/%user%/conf/web/%domain%/forcessl.apache2.conf*
<Directory %docroot%>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
<Files *.php>
SetHandler fcgid-script
</Files>
FCGIWrapper %home%/%user%/web/%domain%/cgi-bin/fcgi-starter .php
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>


@@ -0,0 +1,41 @@
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
# PHPMyAdmin and phppgadmin require access as apache instead of user for security reasons
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
php_admin_value sys_temp_dir %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/httpd/conf.d/*.inc
</VirtualHost>
