Skip to content
Permalink
Browse files
add http2 support for froxlor-vhost and per-domain
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
  • Loading branch information
d00p committed Aug 24, 2017
1 parent c2c5178 commit bab982a0e6d13f3a6671fb578a489f28f0615119
Show file tree
Hide file tree
Showing 12 changed files with 95 additions and 23 deletions.
@@ -80,6 +80,19 @@
'save_method' => 'storeSettingField',
'visible' => Settings::Get('system.use_ssl')
),
'system_http2_support' => array(
'label' => $lng['serversettings']['http2_support'],
'settinggroup' => 'system',
'varname' => 'http2_support',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField',
'websrv_avail' => array(
'apache2',
'nginx'
),
'visible' => Settings::Get('system.use_ssl')
),
/**
* FCGID
*/
@@ -179,17 +179,6 @@
'nginx'
)
),
'system_nginx_http2_support' => array(
'label' => $lng['serversettings']['nginx_http2_support'],
'settinggroup' => 'system',
'varname' => 'nginx_http2_support',
'type' => 'bool',
'default' => false,
'save_method' => 'storeSettingField',
'websrv_avail' => array(
'nginx'
)
),
'system_nginx_php_backend' => array(
'label' => $lng['serversettings']['nginx_php_backend'],
'settinggroup' => 'system',
@@ -590,6 +590,8 @@
}
}

$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;

// HSTS
$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -601,6 +603,7 @@
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -616,6 +619,7 @@
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -796,10 +800,11 @@
'termination_date' => $termination_date,
'issubof' => $issubof,
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);

$security_questions = array(
@@ -849,10 +854,11 @@
'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
'ismainbutsubto' => $issubof,
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);

$ins_stmt = Database::prepare("
@@ -887,6 +893,7 @@
`mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
`ismainbutsubto` = :ismainbutsubto,
`letsencrypt` = :letsencrypt,
`http2` = :http2,
`hsts` = :hsts,
`hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload,
@@ -1428,6 +1435,8 @@
$letsencrypt = (int) $_POST['letsencrypt'];
}

$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;

// HSTS
$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -1465,6 +1474,7 @@
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -1480,6 +1490,7 @@
} else {
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
// we need this for the serialize
// if ssl is disabled or no ssl-ip/port exists
$ssl_ipandports[] = - 1;
@@ -1634,10 +1645,11 @@
'ipandport' => serialize($ipandports),
'ssl_ipandport' => serialize($ssl_ipandports),
'letsencrypt' => $letsencrypt,
'http2' => $http2,
'hsts_maxage' => $hsts_maxage,
'hsts_sub' => $hsts_sub,
'hsts_preload' => $hsts_preload,
'ocsp_stapling' => $ocsp_stapling,
'ocsp_stapling' => $ocsp_stapling
);

$security_questions = array(
@@ -1672,6 +1684,7 @@
$email_only != $result['email_only'] ||
($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
$letsencrypt != $result['letsencrypt'] ||
$http2 != $result['http2'] ||
$hsts_maxage != $result['hsts'] ||
$hsts_sub != $result['hsts_sub'] ||
$hsts_preload != $result['hsts_preload'] ||
@@ -1828,6 +1841,7 @@
$update_data['termination_date'] = $termination_date;
$update_data['ismainbutsubto'] = $issubof;
$update_data['letsencrypt'] = $letsencrypt;
$update_data['http2'] = $http2;
$update_data['hsts'] = $hsts_maxage;
$update_data['hsts_sub'] = $hsts_sub;
$update_data['hsts_preload'] = $hsts_preload;
@@ -1861,6 +1875,7 @@
`termination_date` = :termination_date,
`ismainbutsubto` = :ismainbutsubto,
`letsencrypt` = :letsencrypt,
`http2` = :http2,
`hsts` = :hsts,
`hsts_sub` = :hsts_sub,
`hsts_preload` = :hsts_preload,
@@ -258,6 +258,7 @@ CREATE TABLE `panel_domains` (
`hsts_sub` tinyint(1) NOT NULL default '0',
`hsts_preload` tinyint(1) NOT NULL default '0',
`ocsp_stapling` tinyint(1) DEFAULT '0',
`http2` tinyint(1) DEFAULT '0',
PRIMARY KEY (`id`),
KEY `customerid` (`customerid`),
KEY `parentdomain` (`parentdomainid`),
@@ -500,7 +501,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('system', 'ssl_cert_chainfile', ''),
('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
('system', 'nginx_php_backend', '127.0.0.1:8888'),
('system', 'nginx_http2_support', '0'),
('system', 'http2_support', '0'),
('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
('system', 'phpreload_command', ''),
('system', 'apache24', '0'),
@@ -585,7 +586,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''),
('panel', 'version', '0.9.38.7'),
('panel', 'db_version', '201705050');
('panel', 'db_version', '201708240');


DROP TABLE IF EXISTS `panel_tasks`;
@@ -3617,3 +3617,19 @@

updateToDbVersion('201705050');
}

if (isDatabaseVersion('201705050')) {

showUpdateStep("Updating HTTP2 setting");
if (Settings::Get('system.nginx_http2_support') != null) {
Database::query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `varname` = 'http2_support' WHERE `varname` = 'nginx_http2_support';");
} else {
Settings::AddNew('system.http2_support', 0);
}
lastStepStatus(0);
showUpdateStep("Adding domain field for HTTP2 stapling");
Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `http2` TINYINT(1) NOT NULL DEFAULT '0';");
lastStepStatus(0);

updateToDbVersion('201708240');
}
@@ -173,6 +173,19 @@
),
'value' => array()
),
'http2' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_http2']['title'],
'desc' => $lng['admin']['domain_http2']['description'],
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array()
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
@@ -207,6 +207,21 @@
$result['letsencrypt']
)
),
'http2' => array(
'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
'label' => $lng['admin']['domain_http2']['title'],
'desc' => $lng['admin']['domain_http2']['description'],
'type' => 'checkbox',
'values' => array(
array (
'label' => $lng['panel']['yes'],
'value' => '1'
)
),
'value' => array(
$result['http2']
)
),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
@@ -19,7 +19,7 @@
$version = '0.9.38.7';

// Database version (YYYYMMDDC where C is a daily counter)
$dbversion = '201705050';
$dbversion = '201708240';

// Distribution branding-tag (used for Debian etc.)
$branding = '';
@@ -2063,8 +2063,8 @@
$lng['admin']['domain_hsts_preload']['title'] = 'Include domain in <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a>';
$lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';

$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
$lng['serversettings']['http2_support']['title'] = 'HTTP2 Support';
$lng['serversettings']['http2_support']['description'] = 'enable HTTP2 support for ssl.<br><em class="red">ENABLE ONLY IF YOUR WEBSERVER SUPPORTS THIS FEATURE (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';

$lng['error']['noipportgiven'] = 'No IP/port given';

@@ -2076,3 +2076,5 @@
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';
$lng['serversettings']['nssextrausers']['title'] = 'Use libnss-extrausers instead of libnss-mysql';
$lng['serversettings']['nssextrausers']['description'] = 'Do not read users from the database but from files. Please only activate if you have already gone through the required configuration steps (system -> libnss-extrausers).<br><strong class="red">For Debian/Ubuntu only (or if you have compiled libnss-extrausers yourself!)</strong>';
$lng['admin']['domain_http2']['title'] = 'HTTP2 support';
$lng['admin']['domain_http2']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">Wikipedia</a> for a detailed explanation of HTTP2';
@@ -1714,8 +1714,8 @@
$lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload Liste</a> hinzu';
$lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';

$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstützung';
$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
$lng['serversettings']['http2_support']['title'] = 'HTTP2 Unterstützung';
$lng['serversettings']['http2_support']['description'] = 'Aktiviere HTTP2 Unterstützung für SSL.<br><em class="red">NUR AKTIVIEREN, WENN DER WEBSERVER DIESE FUNKTION UNTERSTÜTZT (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';

$lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';

@@ -1727,3 +1727,5 @@
$lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,<br />die an TLS-Handshakes angehängt werden.';
$lng['serversettings']['nssextrausers']['title'] = 'Verwende libnss-extrausers anstatt libnss-mysql';
$lng['serversettings']['nssextrausers']['description'] = 'Lese Benutzer nicht direkt aus der Datenbank sondern über Dateien, bitte nur aktivieren, wenn die entsprechende Konfiguration vorgenommen wurde (System -> libnss-extrausers).<br><strong class="red">Nur für Debian/Ubuntu (oder wenn libnss-extrausers manuell kompiliert wurde!)</strong>';
$lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
$lng['admin']['domain_http2']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP.2F2">Wikipedia</a> für eine ausführliche Beschreibung von HTTP2';
@@ -434,6 +434,9 @@ public function createIpPort()
$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
if (Settings::Get('system.apache24') == '1') {
if (Settings::Get('system.http2_support') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
}
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)
@@ -869,6 +872,9 @@ protected function getVhostContent($domain, $ssl_vhost = false)
$vhost_content .= ' SSLEngine On' . "\n";
$vhost_content .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
if (Settings::Get('system.apache24') == '1') {
if (isset($domain['http2']) && $domain['http2'] == '1') {
$vhost_content .= ' Protocols h2 http/1.1' . "\n";
}
$vhost_content .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)
@@ -196,7 +196,7 @@ public function createIpPort()
}
}

$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
$http2 = $ssl_vhost == true && Settings::Get('system.http2_support') == '1';

/**
* this HAS to be set for the default host in nginx or else no vhost will work
@@ -418,7 +418,7 @@ protected function getVhostContent($domain, $ssl_vhost = false)
$_vhost_content .= $this->processSpecialConfigTemplate($ipandport['default_vhostconf_domain'], $domain, $domain['ip'], $domain['port'], $ssl_vhost) . "\n";
}

$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
$http2 = $ssl_vhost == true && (isset($domain['http2']) && $domain['http2'] == '1');

$vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
}

5 comments on commit bab982a

@nachtgeist
Copy link
Contributor

@nachtgeist nachtgeist commented on bab982a Aug 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about a2enmod http2 for apache2? (don't know about nginx...)

@d00p
Copy link
Member Author

@d00p d00p commented on bab982a Aug 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would be config-templates, as this cannot be done by the cronjob as it is Debian only

@JB1985
Copy link
Contributor

@JB1985 JB1985 commented on bab982a Sep 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why the customers cant switch on the http2 support?

@d00p
Copy link
Member Author

@d00p d00p commented on bab982a Sep 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, because the customer cant know whether the Serversoftware Supports it

@JB1985
Copy link
Contributor

@JB1985 JB1985 commented on bab982a Sep 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possbile to set a check button (enable/disable) in the settings for http2 support? And If enable in the settings, to allow customers to switch http2 on/off.

Please sign in to comment.