From 7cf3e98090a3e9f0a9cc960d07c5f259adab6a19 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 14 Nov 2013 08:39:08 -0500
Subject: [PATCH] Merge remote-tracking branch 'origin/stable-3.0.5'

---
 server/plugins-available/nginx_plugin.inc.php |  172 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 146 insertions(+), 26 deletions(-)

diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 2c347f4..3cd3663 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -99,7 +99,7 @@
 		$app->uses('getconf');
 		$web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
 		if ($web_config['CA_path']!='' && !file_exists($web_config['CA_path'].'/openssl.cnf'))
-			$app->log("CA path error, file does not exist:".$web_config['CA_path'].'/openssl.conf',LOGLEVEL_ERROR);	
+			$app->log("CA path error, file does not exist:".$web_config['CA_path'].'/openssl.cnf',LOGLEVEL_ERROR);	
 		
 		//* Only vhosts can have a ssl cert
 		if($data["new"]["type"] != "vhost" && $data["new"]["type"] != "vhostsubdomain") return;
@@ -170,15 +170,15 @@
 
 			$rand_file = escapeshellcmd($rand_file);
 			$key_file = escapeshellcmd($key_file);
-			if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') != false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
+			if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') !== false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
 			$key_file2 = escapeshellcmd($key_file2);
-			if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') != false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
+			if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') !== false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
 			$ssl_days = 3650;
 			$csr_file = escapeshellcmd($csr_file);
-			if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') != false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
+			if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') !== false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
 			$config_file = escapeshellcmd($ssl_cnf_file);
 			$crt_file = escapeshellcmd($crt_file);
-			if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') != false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate
+			if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') !== false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate
 
 			if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {
 				
@@ -243,6 +243,7 @@
 			if(trim($data["new"]["ssl_cert"]) != '') $app->system->file_put_contents($crt_file,$data["new"]["ssl_cert"]);
 			//if(trim($data["new"]["ssl_bundle"]) != '') $app->system->file_put_contents($bundle_file,$data["new"]["ssl_bundle"]);
 			if(trim($data["new"]["ssl_key"]) != '') $app->system->file_put_contents($key_file2,$data["new"]["ssl_key"]);
+			$app->system->chmod($key_file2,0400);
 			
 			// for nginx, bundle files have to be appended to the certificate file
 			if(trim($data["new"]["ssl_bundle"]) != ''){				
@@ -678,6 +679,9 @@
 			}
 		}
 
+		//* add the nginx user to the client group if this is a vhost and security level is set to high, no matter if this is an insert or update and regardless of set_folder_permissions_on_update
+		if($data['new']['type'] == 'vhost' && $web_config['security_level'] == 20) $app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
+		
 		//* If the security level is set to high
 		if(($this->action == 'insert' && $data['new']['type'] == 'vhost') or ($web_config['set_folder_permissions_on_update'] == 'y' && $data['new']['type'] == 'vhost')) {
 		
@@ -716,13 +720,10 @@
 					//* add the nginx user to the client group in the chroot environment
 					$tmp_groupfile = $app->system->server_conf['group_datei'];
 					$app->system->server_conf['group_datei'] = $web_config['website_basedir'].'/etc/group';
-					$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
+					$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
 					$app->system->server_conf['group_datei'] = $tmp_groupfile;
 					unset($tmp_groupfile);
 				}
-
-				//* add the nginx user to the client group
-				$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
 				
 				//* Chown all default directories
 				$app->system->chown($data['new']['document_root'],'root');
@@ -937,6 +938,100 @@
 		
 		// backwards compatibility; since ISPConfig 3.0.5, the PHP mode for nginx is called 'php-fpm' instead of 'fast-cgi'. The following line makes sure that old web sites that have 'fast-cgi' in the database still get PHP-FPM support.
 		if($vhost_data['php'] == 'fast-cgi') $vhost_data['php'] = 'php-fpm';
+		
+		// Custom rewrite rules
+		/*
+		$final_rewrite_rules = array();
+		$custom_rewrite_rules = $data['new']['rewrite_rules'];
+		// Make sure we only have Unix linebreaks
+		$custom_rewrite_rules = str_replace("\r\n", "\n", $custom_rewrite_rules);
+		$custom_rewrite_rules = str_replace("\r", "\n", $custom_rewrite_rules);
+		$custom_rewrite_rule_lines = explode("\n", $custom_rewrite_rules);
+		if(is_array($custom_rewrite_rule_lines) && !empty($custom_rewrite_rule_lines)){
+			foreach($custom_rewrite_rule_lines as $custom_rewrite_rule_line){
+				$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+			}
+		}
+		$tpl->setLoop('rewrite_rules', $final_rewrite_rules);
+		*/
+		
+		// Custom rewrite rules
+		$final_rewrite_rules = array();
+		
+		if(isset($data['new']['rewrite_rules']) && trim($data['new']['rewrite_rules']) != '') {
+			$custom_rewrite_rules = trim($data['new']['rewrite_rules']);
+			$custom_rewrites_are_valid = true;
+			// use this counter to make sure all curly brackets are properly closed
+			$if_level = 0;
+			// Make sure we only have Unix linebreaks
+			$custom_rewrite_rules = str_replace("\r\n", "\n", $custom_rewrite_rules);
+			$custom_rewrite_rules = str_replace("\r", "\n", $custom_rewrite_rules);
+			$custom_rewrite_rule_lines = explode("\n", $custom_rewrite_rules);
+			if(is_array($custom_rewrite_rule_lines) && !empty($custom_rewrite_rule_lines)){
+				foreach($custom_rewrite_rule_lines as $custom_rewrite_rule_line){
+					// ignore comments
+					if(substr(ltrim($custom_rewrite_rule_line),0,1) == '#'){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// empty lines
+					if(trim($custom_rewrite_rule_line) == ''){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// rewrite
+					if(preg_match('@^\s*rewrite\s+(^/)?\S+(\$)?\s+\S+(\s+(last|break|redirect|permanent|))?\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// if
+					if(preg_match('@^\s*if\s+\(\s*\$\S+(\s+(\!?(=|~|~\*))\s+(\S+|\".+\"))?\s*\)\s*\{\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level += 1;
+						continue;
+					}
+					// if - check for files, directories, etc.
+					if(preg_match('@^\s*if\s+\(\s*\!?-(f|d|e|x)\s+\S+\s*\)\s*\{\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level += 1;
+						continue;
+					}
+					// break
+					if(preg_match('@^\s*break\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// return code [ text ]
+					if(preg_match('@^\s*return\s+\d\d\d.*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// return code URL
+					// return URL
+					if(preg_match('@^\s*return(\s+\d\d\d)?\s+(http|https|ftp)\://([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*\@)*((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|localhost|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.(com|edu|gov|int|mil|net|org|biz|arpa|info|name|pro|aero|coop|museum|[a-zA-Z]{2}))(\:[0-9]+)*(/($|[a-zA-Z0-9\.\,\?\'\\\+&%\$#\=~_\-]+))*\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// set
+					if(preg_match('@^\s*set\s+\$\S+\s+\S+\s*;\s*$@', $custom_rewrite_rule_line)){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						continue;
+					}
+					// closing curly bracket
+					if(trim($custom_rewrite_rule_line) == '}'){
+						$final_rewrite_rules[] = array('rewrite_rule' => $custom_rewrite_rule_line);
+						$if_level -= 1;
+						continue;
+					}
+					$custom_rewrites_are_valid = false;
+					break;
+				}
+			}
+			if(!$custom_rewrites_are_valid || $if_level != 0){
+				$final_rewrite_rules = array();
+			}
+		}
+		$tpl->setLoop('rewrite_rules', $final_rewrite_rules);
 		
 		// Custom nginx directives
 		$final_nginx_directives = array();
@@ -1523,19 +1618,33 @@
 		if($web_config['check_apache_config'] == 'y') {
 			//* Test if nginx starts with the new configuration file
 			$nginx_online_status_before_restart = $this->_checkTcp('localhost',80);
-			$app->log('nginx status is: '.$nginx_online_status_before_restart,LOGLEVEL_DEBUG);
+			$app->log('nginx status is: '.($nginx_online_status_before_restart === true? 'running' : 'down'),LOGLEVEL_DEBUG);
 
-			$app->services->restartService('httpd','restart');
+			$retval = $app->services->restartService('httpd','restart'); // $retval['retval'] is 0 on success and > 0 on failure
+			$app->log('nginx restart return value is: '.$retval['retval'],LOGLEVEL_DEBUG);
 			
 			// wait a few seconds, before we test the apache status again
 			sleep(2);
 		
 			//* Check if nginx restarted successfully if it was online before
 			$nginx_online_status_after_restart = $this->_checkTcp('localhost',80);
-			$app->log('nginx online status after restart is: '.$nginx_online_status_after_restart,LOGLEVEL_DEBUG);
-			if($nginx_online_status_before_restart && !$nginx_online_status_after_restart) {
-				$app->log('nginx did not restart after the configuration change for website '.$data['new']['domain'].' Reverting the configuration. Saved non-working config as '.$vhost_file.'.err',LOGLEVEL_WARN);
+			$app->log('nginx online status after restart is: '.($nginx_online_status_after_restart === true? 'running' : 'down'),LOGLEVEL_DEBUG);
+			if($nginx_online_status_before_restart && !$nginx_online_status_after_restart || $retval['retval'] > 0) { 
+				$app->log('nginx did not restart after the configuration change for website '.$data['new']['domain'].'. Reverting the configuration. Saved non-working config as '.$vhost_file.'.err',LOGLEVEL_WARN);
+				if(is_array($retval['output']) && !empty($retval['output'])){
+					$app->log('Reason for nginx restart failure: '.implode("\n", $retval['output']),LOGLEVEL_WARN);
+					$app->dbmaster->datalogError(implode("\n", $retval['output']));
+				} else {
+					// if no output is given, check again
+					exec('nginx -t 2>&1', $tmp_output, $tmp_retval);
+					if($tmp_retval > 0 && is_array($tmp_output) && !empty($tmp_output)){
+						$app->log('Reason for nginx restart failure: '.implode("\n", $tmp_output),LOGLEVEL_WARN);
+						$app->dbmaster->datalogError(implode("\n", $tmp_output));
+					}
+					unset($tmp_output, $tmp_retval);
+				}
 				$app->system->copy($vhost_file,$vhost_file.'.err');
+				
 				if(is_file($vhost_file.'~')) {
 					//* Copy back the last backup file
 					$app->system->copy($vhost_file.'~',$vhost_file);
@@ -1581,12 +1690,7 @@
 			}
 		} else {
 			//* We do not check the nginx config after changes (is faster)
-			if($nginx_chrooted) {
-				$app->services->restartServiceDelayed('httpd','reload');
-			} else {
-				// request a httpd reload when all records have been processed
-				$app->services->restartServiceDelayed('httpd','reload');
-			}
+			$app->services->restartServiceDelayed('httpd','reload');
 		}
 		
 		//* The vhost is written and apache has been restarted, so we 
@@ -2386,6 +2490,7 @@
 	private function nginx_replace($matches){
 		$location = 'location'.($matches[1] != '' ? ' '.$matches[1] : '').' '.$matches[2].' '.$matches[3];
 		if($matches[4] == '##merge##' || $matches[7] == '##merge##') $location .= ' ##merge##';
+		if($matches[4] == '##delete##' || $matches[7] == '##delete##') $location .= ' ##delete##';
 		$location .= "\n";
 		$location .= $matches[5]."\n";
 		$location .= $matches[6];
@@ -2400,6 +2505,12 @@
 		if(is_array($lines) && !empty($lines)){
 			$linecount = sizeof($lines);
 			for($h=0;$h<$linecount;$h++){
+				// remove comments
+				if(substr(trim($lines[$h]),0,1) == '#'){
+					unset($lines[$h]);
+					continue;
+				}
+				
 				$lines[$h] = rtrim($lines[$h]);
 				/*
 				if(substr(ltrim($lines[$h]), 0, 8) == 'location' && strpos($lines[$h], '{') !== false && strpos($lines[$h], ';') !== false){
@@ -2418,7 +2529,7 @@
 					}
 				}
 				*/
-				$pattern = '/^[^\S\n]*location[^\S\n]+(?:(.+)[^\S\n]+)?(.+)[^\S\n]*(\{)[^\S\n]*(##merge##)?[^\S\n]*(.+)[^\S\n]*(\})[^\S\n]*(##merge##)?[^\S\n]*$/';
+				$pattern = '/^[^\S\n]*location[^\S\n]+(?:(.+)[^\S\n]+)?(.+)[^\S\n]*(\{)[^\S\n]*(##merge##|##delete##)?[^\S\n]*(.+)[^\S\n]*(\})[^\S\n]*(##merge##|##delete##)?[^\S\n]*$/';
 				$lines[$h] = preg_replace_callback($pattern, array($this, 'nginx_replace') ,$lines[$h]);
 			}
 		}
@@ -2430,6 +2541,7 @@
 			
 		if(is_array($lines) && !empty($lines)){	
 			$locations = array();
+			$locations_to_delete = array();
 			$islocation = false;
 			$linecount = sizeof($lines);
 			$server_count = 0;
@@ -2456,12 +2568,12 @@
 					unset($loc_parts);
 					
 					if(!isset($locations[$location]['action'])) $locations[$location]['action'] = 'replace';
-					if(substr($l, -9) == '##merge##'){
-						$locations[$location]['action'] = 'merge';
-					}
+					if(substr($l, -9) == '##merge##') $locations[$location]['action'] = 'merge';
+					if(substr($l, -10) == '##delete##') $locations[$location]['action'] = 'delete';
 					
 					if(!isset($locations[$location]['open_tag'])) $locations[$location]['open_tag'] = '        location '.$location.' {';
 					if(!isset($locations[$location]['location']) || $locations[$location]['action'] == 'replace') $locations[$location]['location'] = '';
+					if($locations[$location]['action'] == 'delete') $locations_to_delete[] = $location;
 					if(!isset($locations[$location]['end_tag'])) $locations[$location]['end_tag'] = '        }';
 					if(!isset($locations[$location]['start_line'])) $locations[$location]['start_line'] = $i;
 
@@ -2488,6 +2600,12 @@
 			}
 			
 			if(is_array($locations) && !empty($locations)){
+				if(is_array($locations_to_delete) && !empty($locations_to_delete)){
+					foreach($locations_to_delete as $location_to_delete){
+						if(isset($locations[$location_to_delete])) unset($locations[$location_to_delete]);
+					}
+				}
+			
 				foreach($locations as $key => $val){
 					$new_location = $val['open_tag']."\n".$val['location'].$val['end_tag'];
 					$lines[$val['start_line']] = $new_location;
@@ -2526,8 +2644,10 @@
 				$app->log('Removed client directory: '.$client_dir,LOGLEVEL_DEBUG);
 			}
 			
-			$this->_exec('groupdel client'.$client_id);
-			$app->log('Removed group client'.$client_id,LOGLEVEL_DEBUG);
+			if($app->system->is_group('client'.$client_id)){
+				$this->_exec('groupdel client'.$client_id);
+				$app->log('Removed group client'.$client_id,LOGLEVEL_DEBUG);
+			}
 		}
 		
 	}

--
Gitblit v1.9.1