ISPConfig3 devel
blame | history | patch | commit | commitdiff | ignore whitespace
Marius Cramer
2015-12-08 018c55dd71b17a2db9dc2d5cd21cb44a4963dda5 
 server/plugins-available/apache2_plugin.inc.php


@@ -148,6 +148,7 @@




        [ req ]


        default_bits           = 2048


      default_md             = sha256


        default_keyfile        = keyfile.pem


        distinguished_name     = req_distinguished_name


        attributes             = req_attributes


@@ -171,30 +172,34 @@




         $rand_file = escapeshellcmd($rand_file);


         $key_file = escapeshellcmd($key_file);


         $openssl_cmd_key_file = $key_file;


         if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') !== false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate


         $key_file2 = escapeshellcmd($key_file2);


         $openssl_cmd_key_file2 = $key_file2;


         if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') !== false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate


         $ssl_days = 3650;


         $csr_file = escapeshellcmd($csr_file);


         $openssl_cmd_csr_file = $csr_file;


         if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') !== false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate


         $config_file = escapeshellcmd($ssl_cnf_file);


         $crt_file = escapeshellcmd($crt_file);


         $openssl_cmd_crt_file = $crt_file;


         if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') !== false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate




         if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {




            exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");


            exec("openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file");


            exec("openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2");


            exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $openssl_cmd_key_file 2048");


            exec("openssl req -new -sha256 -passin pass:$ssl_password -passout pass:$ssl_password -key $openssl_cmd_key_file -out $openssl_cmd_csr_file -days $ssl_days -config $config_file");


            exec("openssl rsa -passin pass:$ssl_password -in $openssl_cmd_key_file -out $openssl_cmd_key_file2");




            if(file_exists($web_config['CA_path'].'/openssl.cnf'))


            {


               exec("openssl ca -batch -out $crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $csr_file");


               exec("openssl ca -batch -out $openssl_cmd_crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $openssl_cmd_csr_file");


               $app->log("Creating CA-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);


               if (filesize($crt_file)==0 || !file_exists($crt_file)) $app->log("CA-Certificate signing failed.  openssl ca -out $crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $csr_file", LOGLEVEL_ERROR);


               if (filesize($crt_file)==0 || !file_exists($crt_file)) $app->log("CA-Certificate signing failed.  openssl ca -out $openssl_cmd_crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $openssl_cmd_csr_file", LOGLEVEL_ERROR);


            };


            if (@filesize($crt_file)==0 || !file_exists($crt_file)){


               exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file ");


               exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $openssl_cmd_key_file -in $openssl_cmd_csr_file -out $openssl_cmd_crt_file -days $ssl_days -config $config_file ");


               $app->log("Creating self-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);


            };




@@ -273,7 +278,7 @@


         $bundle_file = $ssl_dir.'/'.$domain.'.bundle';


         if(file_exists($web_config['CA_path'].'/openssl.cnf') && !is_link($web_config['CA_path'].'/openssl.cnf'))


         {


            exec("openssl ca -batch -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -revoke $crt_file");


            exec("openssl ca -batch -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -revoke ".escapeshellcmd($crt_file));


            $app->log("Revoking CA-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);


         };


         $app->system->unlink($csr_file);


@@ -490,15 +495,27 @@


         if($apache_chrooted) $this->_exec('chroot '.escapeshellcmd($web_config['website_basedir']).' '.$command);




         //* Change the log mount


         /*


         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind';


         $app->system->removeLine('/etc/fstab', $fstab_line);


         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind,nobootwait';


         $app->system->removeLine('/etc/fstab', $fstab_line);


         $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait,_netdev    0 0';


         $app->system->replaceLine('/etc/fstab', $fstab_line, $fstab_line, 1, 1);


         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind,nobootwait';


         $app->system->removeLine('/etc/fstab', $fstab_line);


         */


			


         $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind';


			


         if($web_config['network_filesystem'] == 'y') {


            $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait,_netdev    0 0';


            $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);


         } else {


            $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait    0 0';


            $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);


         }


         


         exec('mount --bind '.escapeshellarg('/var/log/ispconfig/httpd/'.$data['new']['domain']).' '.escapeshellarg($data['new']['document_root'].'/'.$log_folder));




			


      }




      //print_r($data);


@@ -933,6 +950,92 @@


      }


      */




      //* Generate Let's Encrypt SSL certificat


      if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {


         $data['new']['ssl_domain'] = $domain;


         $vhost_data['ssl_domain'] = $domain;




         //* be sure to have good domain


         $lddomain = (string) "$domain";


         if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {


            $lddomain .= (string) " --domains www." . $domain;


         }




            $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";


            $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";


            $bundle_tmp_file = "/etc/letsencrypt/live/".$domain."/chain.pem";


            $webroot = $data['new']['document_root']."/web";




            //* check if we have already a Let's Encrypt cert


            if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {


               $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);




               if(is_dir($webroot . "/.well-known/")) {


                  $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);


                  $this->_exec("rm -rf " . $webroot . "/.well-known/");


               }




               $app->log("Create challenge directory", LOGLEVEL_DEBUG);


               $app->system->mkdirpath($webroot . "/.well-known/");


               $app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);


               $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);


               $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");


               $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);


               $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);


               $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");




               $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");


            };




            //* check is been correctly created


            if(file_exists($crt_tmp_file) OR file_exists($key_tmp_file)) {


               $date = date("YmdHis");


               if(is_file($key_file)) {


                  $app->system->copy($key_file, $key_file.'.old'.$date);


                  $app->system->chmod($key_file.'.old.'.$date, 0400);


                  $app->system->unlink($key_file);


               }




               if ($web_config["website_symlinks_rel"] == 'y') {


                  $this->create_relative_link(escapeshellcmd($key_tmp_file), escapeshellcmd($key_file));


               } else {


                  exec("ln -s ".escapeshellcmd($key_tmp_file)." ".escapeshellcmd($key_file));


               }




               if(is_file($crt_file)) {


                  $app->system->copy($crt_file, $crt_file.'.old.'.$date);


                  $app->system->chmod($crt_file.'.old.'.$date, 0400);


                  $app->system->unlink($crt_file);


               }




               if($web_config["website_symlinks_rel"] == 'y') {


                  $this->create_relative_link(escapeshellcmd($crt_tmp_file), escapeshellcmd($crt_file));


               } else {


                  exec("ln -s ".escapeshellcmd($crt_tmp_file)." ".escapeshellcmd($crt_file));


               }




               if(is_file($bundle_file)) {


                  $app->system->copy($bundle_file, $bundle_file.'.old.'.$date);


                  $app->system->chmod($bundle_file.'.old.'.$date, 0400);


                  $app->system->unlink($bundle_file);


               }




               if($web_config["website_symlinks_rel"] == 'y') {


                  $this->create_relative_link(escapeshellcmd($bundle_tmp_file), escapeshellcmd($bundle_file));


               } else {


                  exec("ln -s ".escapeshellcmd($bundle_tmp_file)." ".escapeshellcmd($bundle_file));


               }




               /* we don't need to store it.


               /* Update the DB of the (local) Server */


               $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '$ssl_cert', ssl_key = '$ssl_key' WHERE domain = '".$data['new']['domain']."'");


               $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");


               /* Update also the master-DB of the Server-Farm */


               $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '$ssl_cert', ssl_key = '$ssl_key' WHERE domain = '".$data['new']['domain']."'");


               $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");


            }


         };




      if(@is_file($bundle_file)) $vhost_data['has_bundle_cert'] = 1;




      //$vhost_data['document_root'] = $data['new']['document_root'].'/' . $web_folder;


@@ -1257,8 +1360,11 @@


      $pool_name = 'web'.$data['new']['domain_id'];


      $socket_dir = escapeshellcmd($web_config['php_fpm_socket_dir']);


      if(substr($socket_dir, -1) != '/') $socket_dir .= '/';




      if($data['new']['php_fpm_use_socket'] == 'y'){


		


      $apache_modules = $app->system->getapachemodules();


		


      // Use sockets, but not with apache 2.4 on centos (mod_proxy_fcgi) as socket support is buggy in that version


      if($data['new']['php_fpm_use_socket'] == 'y' && in_array('fastcgi_module',$apache_modules)){


         $use_tcp = 0;


         $use_socket = 1;


      } else {


@@ -2644,7 +2750,10 @@


      $tpl->newTemplate('php_fpm_pool.conf.master');


      $tpl->setVar('apache_version', $app->system->getapacheversion());


      


      if($data['new']['php_fpm_use_socket'] == 'y'){


      $apache_modules = $app->system->getapachemodules();


		


      // Use sockets, but not with apache 2.4 on centos (mod_proxy_fcgi) as socket support is buggy in that version


      if($data['new']['php_fpm_use_socket'] == 'y' && in_array('fastcgi_module',$apache_modules)){


         $use_tcp = 0;


         $use_socket = 1;


         if(!is_dir($socket_dir)) $app->system->mkdirpath($socket_dir);