You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
299 lines
25 KiB
299 lines
25 KiB
#!/bin/bash
|
|
|
|
# Hestia Control Panel upgrade script for target version 1.8.0
|
|
|
|
#######################################################################################
|
|
####### Place additional commands below. #######
|
|
#######################################################################################
|
|
####### upgrade_config_set_value only accepts true or false. #######
|
|
####### #######
|
|
####### Pass through information to the end user in case of a issue or problem #######
|
|
####### #######
|
|
####### Use add_upgrade_message "My message here" to include a message #######
|
|
####### in the upgrade notification email. Example: #######
|
|
####### #######
|
|
####### add_upgrade_message "My message here" #######
|
|
####### #######
|
|
####### You can use \n within the string to create new lines. #######
|
|
#######################################################################################
|
|
|
|
upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'true'
|
|
upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
|
|
upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'true'
|
|
upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'true'
|
|
upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
|
|
|
|
os_release="$(lsb_release -s -i | tr "[:upper:]" "[:lower:]")-$(lsb_release -s -r)"
|
|
|
|
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
|
|
if ! grep -qw "^extra_groups = mail$" /etc/dovecot/conf.d/10-master.conf 2> /dev/null; then
|
|
sed -i "s/^service auth {/service auth {\n extra_groups = mail\n/g" /etc/dovecot/conf.d/10-master.conf
|
|
fi
|
|
|
|
if [ -f /etc/dovecot/conf.d/90-sieve.conf ]; then
|
|
if ! grep -q "sieve_vacation_send_from_recipient" /etc/dovecot/conf.d/90-sieve.conf 2> /dev/null; then
|
|
sed -i "s/^plugin {/plugin {\n # This setting determines whether vacation messages are sent with the SMTP MAIL FROM envelope address set to the recipient address of the Sieve script owner.\n sieve_vacation_send_from_recipient = yes\n/g" /etc/dovecot/conf.d/90-sieve.conf
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if [ -f /etc/fail2ban/jail.local ]; then
|
|
# Add phpmyadmin rule
|
|
if ! grep -qw "phpmyadmin-auth" /etc/fail2ban/jail.local 2> /dev/null; then
|
|
sed -i '/\[recidive\]/i [phpmyadmin-auth]\nenabled = true\nfilter = phpmyadmin-syslog\naction = hestia[name=WEB]\nlogpath = /var/log/auth.log\nmaxretry = 5\n' /etc/fail2ban/jail.local
|
|
fi
|
|
fi
|
|
|
|
if [ "$MAIL_SYSTEM" = "exim4" ]; then
|
|
if [ "$os_release" != "debian-10" ]; then
|
|
# Exclude Debian 10...
|
|
echo "[ * ] Disable SMTPUTF8 for Exim for now"
|
|
if ! grep -qw "^smtputf8_advertise_hosts =" /etc/exim4/exim4.conf.template 2> /dev/null; then
|
|
sed -i "/^domainlist local_domains = dsearch;\/etc\/exim4\/domains/i smtputf8_advertise_hosts =" /etc/exim4/exim4.conf.template
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Apply the update for existing users to enable the "Enhanced and Optimized TLS" feature
|
|
echo '[ * ] Enable the "Enhanced and Optimized TLS" feature...'
|
|
|
|
# Configuring global OpenSSL options
|
|
tls13_ciphers="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
|
|
|
|
if ! grep -qw "^[hestia_openssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
if [ "$os_release" = "debian-10" ] || [ "$os_release" = "debian-11" ]; then
|
|
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
elif [ "$os_release" = "debian-12" ]; then
|
|
if ! grep -qw "^ssl_conf = ssl_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '/providers = provider_sect$/a ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
|
|
fi
|
|
|
|
if ! grep -qw "^[ssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '$a \\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
fi
|
|
elif [ "$os_release" = "ubuntu-20.04" ]; then
|
|
if ! grep -qw "^openssl_conf = default_conf$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '/^oid_section = new_oids$/a \\n# System default\nopenssl_conf = default_conf' /etc/ssl/openssl.cnf
|
|
fi
|
|
|
|
if ! grep -qw "^[default_conf]$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '$a [default_conf]\nssl_conf = ssl_sect\n\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
|
|
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
fi
|
|
elif [ "$os_release" = "ubuntu-22.04" ]; then
|
|
sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
|
|
fi
|
|
fi
|
|
|
|
# Update server configuration files
|
|
tls12_ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
|
|
|
|
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
|
|
if grep -qw "^ssl_min_protocol = TLSv1.2$" /etc/dovecot/conf.d/10-ssl.conf 2> /dev/null; then
|
|
sed -i '/^# See #2012 for TLSv1.1 to 1.2 upgrade$/d;/^ssl_cipher_list = .\+$/d;s/^ssl_min_protocol = TLSv1.2/ssl_cipher_list = '"$tls12_ciphers"'\nssl_min_protocol = TLSv1.2/' /etc/dovecot/conf.d/10-ssl.conf
|
|
elif grep -qw "^ssl_protocols = \!SSLv3 \!TLSv1 \!TLSv1.1$" /etc/dovecot/conf.d/10-ssl.conf 2> /dev/null; then
|
|
sed -i '/^# See #2012 for TLSv1.1 to 1.2 upgrade$/d;/^ssl_cipher_list = .\+$/d;s/^ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1/ssl_cipher_list = '"$tls12_ciphers"'\nssl_protocols = !SSLv3 !TLSv1 !TLSv1.1/' /etc/dovecot/conf.d/10-ssl.conf
|
|
fi
|
|
fi
|
|
|
|
if [ "$MAIL_SYSTEM" = "exim4" ]; then
|
|
if grep -qw "^tls_on_connect_ports = 465$" /etc/exim4/exim4.conf.template 2> /dev/null; then
|
|
sed -i '/^tls_require_ciphers = .\+$/d;s/^tls_on_connect_ports = 465/tls_on_connect_ports = 465\ntls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE/' /etc/exim4/exim4.conf.template
|
|
fi
|
|
fi
|
|
|
|
if [ "$FTP_SYSTEM" = "proftpd" ]; then
|
|
if grep -qw "^TLSProtocol TLSv1.2$" /etc/proftpd/tls.conf 2> /dev/null; then
|
|
sed -i '/^TLSCipherSuite .\+$/d;/^TLSServerCipherPreference .\+$/d;s/^TLSProtocol TLSv1.2/TLSCipherSuite '"$tls12_ciphers"'\nTLSProtocol TLSv1.2 TLSv1.3\nTLSServerCipherPreference on/;s/^#TLSOptions AllowClientRenegotiations/#TLSOptions AllowClientRenegotiations/;s/^TLSOptions NoSessionReuseRequired AllowClientRenegotiations/TLSOptions NoSessionReuseRequired AllowClientRenegotiations/' /etc/proftpd/tls.conf
|
|
fi
|
|
fi
|
|
|
|
if [ "$FTP_SYSTEM" = "vsftpd" ]; then
|
|
if grep -q "^ssl_ciphers=.\+$" /etc/vsftpd/vsftpd.conf 2> /dev/null; then
|
|
sed -i 's/^ssl_ciphers=.\+$/ssl_ciphers='"$tls12_ciphers"'/' /etc/vsftpd/vsftpd.conf
|
|
fi
|
|
fi
|
|
|
|
if [ "$WEB_SYSTEM" = "nginx" ] || [ "$PROXY_SYSTEM" = "nginx" ]; then
|
|
# Little trick to bypass on my private fork :)
|
|
if ! grep -q "quic_bpf" /etc/nginx/nginx.conf && ! grep -q "spdy_headers_comp" /etc/nginx/nginx.conf; then
|
|
# Syncing "/etc/nginx/nginx.conf" with mainline, to fix the **** caused by formatter or forgetting to apply updates
|
|
echo "[ * ] Syncing NGINX configuration with mainline..."
|
|
|
|
trap 'rm -fr "$dir_for_compare" /etc/nginx/nginx.conf-staging' EXIT
|
|
dir_for_compare="$(mktemp -d)"
|
|
nginx_conf_local="$dir_for_compare"/nginx.conf-local
|
|
nginx_conf_commit="$dir_for_compare"/nginx.conf-commit
|
|
|
|
sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' /etc/nginx/nginx.conf | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_local"
|
|
|
|
# For installations before v1.6.8 (from commit 9b544be to commit b2ad154)
|
|
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/b2ad1549a21655837056e4b7883970d51a4b324f/install/deb/nginx/nginx.conf \
|
|
| sed 's/fastcgi_buffers 4 256k;/fastcgi_buffers 8 256k;/g;s|/var/run/|/run/|g;/set_real_ip_from/d;/real_ip_header/d;s|# Cloudflare https://www.cloudflare.com/ips|# Cloudflare https://www.cloudflare.com/ips\n include /etc/nginx/conf.d/cloudflare.inc;|g' \
|
|
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-b2ad154
|
|
|
|
# For installations after v1.6.8 but before v1.7.0 (from commit b2ad154 to commit 015b20a)
|
|
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/015b20ae1ffb82faaf58b41a5dc9ad1b078b785f/install/deb/nginx/nginx.conf \
|
|
| sed 's|/var/run/|/run/|g;/set_real_ip_from/d;/real_ip_header/d;s|# Cloudflare https://www.cloudflare.com/ips|# Cloudflare https://www.cloudflare.com/ips\n include /etc/nginx/conf.d/cloudflare.inc;|g' \
|
|
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-015b20a
|
|
|
|
# For installations after v1.7.0 (commit 555f892)
|
|
curl -fsLm5 --retry 2 https://raw.githubusercontent.com/hestiacp/hestiacp/555f89243e54e02458586ae4f7999458cc9d33e9/install/deb/nginx/nginx.conf \
|
|
| sed 's|https://www.cloudflare.com/||;/^[ \t]\+resolver .\+;$/d;/^[ \t]\+# Cache settings$/d;/^[ \t]\+# Proxy cache$/d' | sed ':l;N;$!bl;s/[ \n\t]*//g' > "$nginx_conf_commit"-555f892
|
|
|
|
for commit in b2ad154 015b20a 555f892; do
|
|
if cmp -s "$nginx_conf_local" "$nginx_conf_commit"-"$commit" 2> /dev/null; then
|
|
nginx_conf_compare="same"
|
|
cp -f "$HESTIA_INSTALL_DIR"/nginx/nginx.conf /etc/nginx
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ "$nginx_conf_compare" != "same" ]; then
|
|
echo -e "[ ! ] Manual action required, please view:\n[ - ] $HESTIA_BACKUP/message.log"
|
|
add_upgrade_message "Manual Action Required [IMPORTANT]\n\nTo enable the \"Enhanced and Optimized TLS\" feature, we must update the NGINX configuration file (/etc/nginx/nginx.conf).\n\nBut for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.\n\nPlease follow the default configuration file to sync it:\n$HESTIA_INSTALL_DIR/nginx/nginx.conf\n\nBacked up configuration file:\n$HESTIA_BACKUP/conf/nginx/nginx.conf\n\nLearn more:\nhttps://github.com/hestiacp/hestiacp/pull/3555\n\n"
|
|
"$BIN"/v-add-user-notification admin "IMPORTANT: Manual Action Required" '<p>To enable the "Enhanced and Optimized TLS" feature, we must update the NGINX configuration file at <code>/etc/nginx/nginx.conf</code>.</p><p>But for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.</p><p>Please follow the default configuration file to sync it:<br><code>'"$HESTIA_INSTALL_DIR"'/nginx/nginx.conf</code></p><p>Backed up configuration file:<br><code>'"$HESTIA_BACKUP"'/conf/nginx/nginx.conf</code></p><p>Visit PR <a href="https://github.com/hestiacp/hestiacp/pull/3555" target="_blank">#3555</a> on GitHub to learn more.</p>'
|
|
|
|
sed -i "s/""$(grep -m 1 "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='1'/" "$HESTIA"/data/users/admin/notifications.conf
|
|
|
|
cp -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf-staging
|
|
|
|
# Apply previously missed updates
|
|
sed -i 's/fastcgi_buffers 4 256k;/fastcgi_buffers 8 256k;/;s|https://www.cloudflare.com/||;s/# Cache settings/# Proxy cache/' /etc/nginx/nginx.conf-staging
|
|
|
|
# Formatting
|
|
echo "" >> /etc/nginx/nginx.conf-staging
|
|
sed -i '/^[ \t]*$/d;s/^ worker_connections 1024;/\tworker_connections 1024;/;s/^ use epoll;/\tuse epoll;/;s/^ multi_accept on;/\tmulti_accept on;/;s/^ /\t\t/g;s/^ /\t/g;s/^# Worker config/\n# Worker config/;s/^http {/\nhttp {/;s/^\t# Cache bypass/\n\t# Cache bypass/;s/^\t# File cache (static assets)/\n\t# File cache (static assets)/;s/^user www-data;/user www-data;/;s/^worker_processes auto;/worker_processes auto;/;s/^worker_rlimit_nofile 65535;/worker_rlimit_nofile 65535;/;s|^error_log /var/log/nginx/error.log;|error_log /var/log/nginx/error.log;|;s|^pid /run/nginx.pid;|pid /run/nginx.pid;|;s|^include /etc/nginx/modules-enabled/\*.conf;|include /etc/nginx/modules-enabled/\*.conf;|;s/log_not_found off;/log_not_found off;/;s/access_log off;/access_log off;/;s|include /etc/nginx/mime.types;|include /etc/nginx/mime.types;|;s|default_type application/octet-stream;|default_type application/octet-stream;|;s/default 0;/default 0;/;s/~SESS 1;/~SESS 1;/;s|include /etc/nginx/conf.d/|include /etc/nginx/conf.d/|g' /etc/nginx/nginx.conf-staging
|
|
|
|
# Prepare for update
|
|
sed -i '/proxy_bu/d;/proxy_temp/d;/log_format/d;/body_bytes_sent/d;/http_user_agent/d;/gzip/d;/application\/j/d;/application\/x/d;/ssl_/d;/resolver/d;/error_page/d;/\/var\/cache\/nginx/d;/max_size=/d;/_cache_key/d;/_ignore_headers/d;/_cache_use_stale/d;/_cache_valid/d;/_cache_methods/d;/add_header/d;/open_file_cache/d' /etc/nginx/nginx.conf-staging
|
|
|
|
# Apply the update
|
|
sed -i 's/client_max_body_size 256m;/client_max_body_size 1024m;/;s/keepalive_requests 100000;/keepalive_requests 10000;/;s/fastcgi_buffers 8 256k;/fastcgi_buffers 512 4k;/;s/proxy_pass_header Set-Cookie;/proxy_pass_header Set-Cookie;\n\tproxy_buffers 256 4k;\n\tproxy_buffer_size 32k;\n\tproxy_busy_buffers_size 32k;\n\tproxy_temp_file_write_size 256k;/;s/# Log format/# Log format\n\tlog_format main '"'"'$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'"'"';\n\tlog_format bytes '"'"'$body_bytes_sent'"'"';/;s|# Compression|# Compression\n\tgzip on;\n\tgzip_vary on;\n\tgzip_static on;\n\tgzip_comp_level 6;\n\tgzip_min_length 1024;\n\tgzip_buffers 128 4k;\n\tgzip_http_version 1.1;\n\tgzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;\n\tgzip_proxied any;|;s/# Cloudflare ips/# Cloudflare IPs/;s|# SSL PCI compliance|# SSL PCI compliance\n\tssl_buffer_size 1369;\n\tssl_ciphers "'"$tls12_ciphers"'";\n\tssl_dhparam /etc/ssl/dhparam.pem;\n\tssl_early_data on;\n\tssl_ecdh_curve auto;\n\tssl_prefer_server_ciphers on;\n\tssl_protocols TLSv1.2 TLSv1.3;\n\tssl_session_cache shared:SSL:20m;\n\tssl_session_tickets on;\n\tssl_session_timeout 7d;\n\tresolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;\n\tresolver_timeout 5s;|;s|# Error pages|# Error pages\n\terror_page 403 /error/404.html;\n\terror_page 404 /error/404.html;\n\terror_page 410 /error/410.html;\n\terror_page 500 501 502 503 504 505 /error/50x.html;|;s|# Proxy cache|# Proxy cache\n\tproxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;\n\tproxy_cache_key "$scheme$request_method$host$request_uri";\n\tproxy_temp_path /var/cache/nginx/temp;\n\tproxy_ignore_headers Cache-Control Expires;\n\tproxy_cache_use_stale error timeout invalid_header updating http_502;\n\tproxy_cache_valid any 1d;|;s|# FastCGI cache|# FastCGI cache\n\tfastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;\n\tfastcgi_cache_key "$scheme$request_method$host$request_uri";\n\tfastcgi_ignore_headers Cache-Control Expires Set-Cookie;\n\tfastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;\n\tadd_header X-FastCGI-Cache $upstream_cache_status;|;s/# File cache (static assets)/# File cache (static assets)\n\topen_file_cache max=10000 inactive=30s;\n\topen_file_cache_valid 60s;\n\topen_file_cache_min_uses 2;\n\topen_file_cache_errors off;/' /etc/nginx/nginx.conf-staging
|
|
|
|
# Apply the update for implement TLS 1.3 0-RTT anti-replay and upcoming HTTP/3 support
|
|
sed -i '/\/etc\/nginx\/conf\.d\/main\/\*\.conf;/d;/pid \/run\/nginx.pid;/a include /etc/nginx/conf.d/main/*.conf;' /etc/nginx/nginx.conf-staging
|
|
sed -i '/Early-Data/d;/proxy_set_header Host $host;/a \\tproxy_set_header Early-Data $rfc_early_data;' /etc/nginx/nginx.conf-staging
|
|
|
|
# Verify new configuration file
|
|
if nginx -c /etc/nginx/nginx.conf-staging -t > /dev/null 2>&1; then
|
|
mv -f /etc/nginx/nginx.conf-staging /etc/nginx/nginx.conf
|
|
fi
|
|
fi
|
|
|
|
# Implement TLS 1.3 0-RTT anti-replay
|
|
echo -e "[ * ] TLS 1.3 0-RTT anti-replay for NGINX, please view:\n[ - ] $HESTIA_BACKUP/message.log"
|
|
add_upgrade_message "About TLS 1.3 0-RTT anti-replay for NGINX\n\nIf you use custom templates, please update them (*.stpl) to apply this protection.\n\nFollow the usage or other default templates:\n/etc/nginx/conf.d/0rtt-anti-replay.conf\n\nLearn more:\nhttps://github.com/hestiacp/hestiacp/pull/3692"
|
|
"$BIN"/v-add-user-notification admin "About TLS 1.3 0-RTT anti-replay for NGINX" '<p>If you use custom templates, please update them (*.stpl) to apply this protection.</p><p>Follow the usage or other default templates:<br><code>/etc/nginx/conf.d/0rtt-anti-replay.conf</code></p><p>Visit PR <a href="https://github.com/hestiacp/hestiacp/pull/3692" target="_blank">#3692</a> on GitHub to learn more.</p>'
|
|
|
|
if grep -qw "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf 2> /dev/null; then
|
|
sed -i "s/""$(grep -m 1 "About TLS 1.3 0-RTT anti-replay for NGINX" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='2'/" "$HESTIA"/data/users/admin/notifications.conf
|
|
else
|
|
sed -i "s/""$(grep -m 1 "About TLS 1.3 0-RTT anti-replay for NGINX" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='1'/" "$HESTIA"/data/users/admin/notifications.conf
|
|
fi
|
|
|
|
cp -f "$HESTIA_INSTALL_DIR"/nginx/0rtt-anti-replay.conf /etc/nginx/conf.d
|
|
|
|
# Update resolver for NGINX
|
|
for nameserver in $(grep -is '^nameserver' /etc/resolv.conf | cut -d' ' -f2 | tr '\r\n' ' ' | xargs); do
|
|
if [[ "$nameserver" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
|
|
if [ -z "$resolver" ]; then
|
|
resolver="$nameserver"
|
|
else
|
|
resolver="$resolver $nameserver"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if [ -n "$resolver" ]; then
|
|
sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
|
|
fi
|
|
|
|
# Update some configuration files
|
|
cp -f "$HESTIA_INSTALL_DIR"/nginx/phpmyadmin.inc "$HESTIA_INSTALL_DIR"/nginx/phppgadmin.inc "$HESTIA_INSTALL_DIR"/nginx/status.conf /etc/nginx/conf.d
|
|
[ -n "$DB_PMA_ALIAS" ] && sed -i "s|%pma_alias%|$DB_PMA_ALIAS|g" /etc/nginx/conf.d/phpmyadmin.inc
|
|
[ -n "$DB_PGA_ALIAS" ] && sed -i "s|%pga_alias%|$DB_PGA_ALIAS|g" /etc/nginx/conf.d/phppgadmin.inc
|
|
|
|
# Prepare for upcoming HTTP/3 support, also convenient for users to add directive to "main" context
|
|
mkdir -p /etc/nginx/conf.d/main
|
|
fi
|
|
fi
|
|
|
|
unset commit nameserver nginx_conf_commit nginx_conf_compare nginx_conf_local os_release tls12_ciphers tls13_ciphers resolver
|
|
# Finish configuring the "Enhanced and Optimized TLS" feature
|
|
|
|
# Update IPs configuration file
|
|
# shellcheck source=/usr/local/hestia/func/domain.sh
|
|
source $HESTIA/func/domain.sh
|
|
|
|
if [ "$WEB_SYSTEM" = "nginx" ]; then
|
|
while IFS= read -r IP; do
|
|
ip_conf="/etc/nginx/conf.d/$IP.conf"
|
|
cp -f "$HESTIA_INSTALL_DIR"/nginx/unassigned.inc "$ip_conf"
|
|
sed -i "s/directIP/$IP/g" "$ip_conf"
|
|
process_http2_directive "$ip_conf"
|
|
done < <(ls "$HESTIA"/data/ips/ 2> /dev/null)
|
|
elif [ "$PROXY_SYSTEM" = "nginx" ]; then
|
|
while IFS= read -r IP; do
|
|
cat "$WEBTPL"/nginx/proxy_ip.tpl \
|
|
| sed -e "s/%ip%/$IP/g" \
|
|
-e "s/%web_port%/$WEB_PORT/g" \
|
|
-e "s/%proxy_port%/$PROXY_PORT/g" \
|
|
-e "s/%proxy_ssl_port%/$PROXY_SSL_PORT/g" \
|
|
> "/etc/nginx/conf.d/$IP.conf"
|
|
process_http2_directive "/etc/nginx/conf.d/$IP.conf"
|
|
done < <(ls "$HESTIA"/data/ips/ 2> /dev/null)
|
|
fi
|
|
|
|
if [ "$MAIL_SYSTEM" = "exim4" ]; then
|
|
exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
|
|
# if Exim version > 4.95 or greater!
|
|
if version_ge "$exim_version" "4.95"; then
|
|
if ! grep -q 'SRS_SECRET' /etc/exim4/exim4.conf.template; then
|
|
srs=$(generate_password)
|
|
echo $srs > /etc/exim4/srs.conf
|
|
chmod 640 /etc/exim4/srs.conf
|
|
chown root:Debian-exim /etc/exim4/srs.conf
|
|
cp /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.staging
|
|
patch /etc/exim4/exim4.conf.template.staging $HESTIA/install/upgrade/patch/3661-exim-srs-support.patch 2>&1
|
|
exim -C /etc/exim4/exim4.conf.template.staging 2>&1
|
|
if [ "$?" -ne 0 ]; then
|
|
add_upgrade_message "Unable to successfully aply the SRS update patch for Exim.\n If you use SMTP relay with the SRS feature use the exim config found in /usr/local/hestia/install/deb/exim/exim4.conf.4.95.template"
|
|
"$BIN"/v-add-user-notification admin "Unable to apply patch to Exim config" 'Unable to successfully apply the SRS update patch for Exim.<br /> If you use SMTP relay with the SRS feature use the exim config found in /usr/local/hestia/install/deb/exim/exim4.conf.4.95.template'
|
|
if grep -qw "IMPORTANT: Manual Action Required" "$HESTIA"/data/users/admin/notifications.conf 2> /dev/null; then
|
|
sed -i "s/""$(grep -m 1 "Unable to apply patch to Exim config" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='3'/" "$HESTIA"/data/users/admin/notifications.conf
|
|
else
|
|
sed -i "s/""$(grep -m 1 "Unable to apply patch to Exim config" "$HESTIA"/data/users/admin/notifications.conf | awk '{print $1}')""/NID='2'/" "$HESTIA"/data/users/admin/notifications.conf
|
|
fi
|
|
echo "[ ! ] Unable to apply SRS update patch for SMTP relay"
|
|
else
|
|
echo "[ * ] Update exim4.conf.template ..."
|
|
cp /etc/exim4/exim4.conf.template.staging /etc/exim4/exim4.conf.template
|
|
fi
|
|
rm /etc/exim4/exim4.conf.template.staging*
|
|
else
|
|
sed -i "s/SRS_SECRET = readfile{\/etc\/exim4\/srs.conf}/SRS_SECRET = \${readfile{\/etc\/exim4\/srs.conf}}/g" /etc/exim4/exim4.conf.template
|
|
chown root:Debian-exim /etc/exim4/srs.conf
|
|
fi
|
|
fi
|
|
|
|
exim_version=$(exim4 --version | head -1 | awk '{print $3}' | cut -f -2 -d .)
|
|
# if Exim version > 4.95 or greater!
|
|
if version_ge "$exim_version" "4.95"; then
|
|
if ! grep -q 'condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}' /etc/exim4/exim4.conf.template; then
|
|
for line in $(sed -n '/redirect_router = dnslookup/=' /etc/exim4/exim4.conf.template); do
|
|
testline=$((line - 1))
|
|
newline=$((line + 1))
|
|
if [ "$(awk NR==$testline /etc/exim4/exim4.conf.template)" = " file_transport = local_delivery" ]; then
|
|
# Add new line
|
|
sed -i "$newline i \ \ condition = \${lookup{\$local_part@\$domain}lsearch{/etc/exim4/domains/\${lookup{\$domain}dsearch{/etc/exim4/domains/}}/aliases}{false}{true}}" /etc/exim4/exim4.conf.template
|
|
fi
|
|
done
|
|
fi
|
|
fi
|
|
|
|
fi
|