Added: Second set of listener files

40_apache2_tools_proxy.pl 50_apache2_hsts.pl 10_nginx_hsts.pl 10_phpfpm_maxchildren.pl 60_postfix_pfs.pl 70_postfix_submission_tls.pl 10_proftpd_tuning.pl 10_roundcube_tls.pl
i-MSCP · Feb 8, 2016 · b672184 · b672184
1 parent 4c98498
commit b672184
Show file tree

Hide file tree

Showing 9 changed files with 472 additions and 0 deletions.
diff --git a/contrib/Listeners/Apache2/40_apache2_tools_proxy.pl b/contrib/Listeners/Apache2/40_apache2_tools_proxy.pl
@@ -0,0 +1,70 @@
+# i-MSCP Listener::Apache2::Tools::Proxy listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file for redirect/proxy in customers vhost files for the i-MSCP tools
+#
+
+package Listener::Apache2::Tools::Proxy;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+	my ($cfgTpl, $tplName, $data) = @_;
+
+	if($tplName =~ /^domain\.tpl$/) {
+		my $redirect = "    RedirectMatch permanent ^/((?:ftp|pma|webmail)[\/]?)\$ ";
+
+		if($data->{'SSL_SUPPORT'}) {
+			$redirect .= "https://$data->{'DOMAIN_NAME'}/\$1";
+		} else {
+			$redirect .= "https://$main::imscpConfig{'BASE_SERVER_VHOST'}:$main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'}/\$1";
+		}
+
+		$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n    # BEGIN Listener::Apache2::Tools::Proxy\n$redirect\n    # END Listener::Apache2::Tools::Proxy\n$1/sm;
+	}
+
+	my $cfgProxy = <<EOF;
+    # BEGIN Listener::Apache2::Tools::Proxy
+    SSLProxyEngine On
+    ProxyPass /ftp https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/ftp
+    ProxyPassReverse /ftp https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/ftp
+    ProxyPass /pma https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/pma
+    ProxyPassReverse /pma https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/pma
+    ProxyPass /webmail https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/webmail
+    ProxyPassReverse /webmail https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/webmail
+    # END Listener::Apache2::Tools::Proxy
+EOF
+
+	$cfgProxy = iMSCP::TemplateParser::process(
+		{ 
+			BASE_SERVER_VHOST_HTTPS_PORT => $main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'},
+		},
+		$cfgProxy
+	);
+
+	if($tplName =~ /^domain_ssl\.tpl$/) {
+		$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n$cfgProxy$1/sm;
+	}
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/Apache2/50_apache2_hsts.pl b/contrib/Listeners/Apache2/50_apache2_hsts.pl
@@ -0,0 +1,45 @@
+# i-MSCP Listener::Apache2::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Apache2
+#
+
+package Listener::Apache2::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+	my ($cfgTpl, $tplName, $data) = @_;
+
+	my $cfgSnippet = <<EOF;
+    # BEGIN Listener::Apache2::HSTS
+    Header always set Strict-Transport-Security "max-age=31536000"
+    # END Listener::Apache2::HSTS
+EOF
+
+	if($tplName =~ /^domain_ssl\.tpl$/) {
+		$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n$cfgSnippet$1/sm;
+	}
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/Nginx/10_nginx_hsts.pl b/contrib/Listeners/Nginx/10_nginx_hsts.pl
@@ -0,0 +1,54 @@
+# i-MSCP Listener::Nginx::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Nginx
+#
+
+package Listener::Nginx::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterFrontEndBuildHttpdVhosts', sub {
+	my $cfgSnippet = <<EOF;
+    # BEGIN Listener::Nginx::HSTS
+    add_header Strict-Transport-Security max-age=31536000;
+    # END Listener::Nginx::HSTS
+EOF
+
+	my $file = iMSCP::File->new('filename' => "/etc/nginx/sites-available/00_master_ssl.conf");
+	my $fileContent = $file->get();
+	unless (defined $fileContent) {
+		error("Unable to read $file");
+	return 1;
+	}
+
+	$fileContent =~ s/(ssl_prefer_server_ciphers.*\n)/$1\n$cfgSnippet/g;
+
+	my $rs = $file->set($fileContent);
+	return $rs if $rs;
+
+	$rs = $file->save();
+	return $rs if $rs;
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl b/contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl
@@ -0,0 +1,37 @@
+# i-MSCP Listener::phpFPM::MaxChildren listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to change the phpFPM max_children value
+#
+
+package Listener::phpFPM::MaxChildren;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+	my ($cfgTpl, $tplName, $data) = @_;
+
+	$$cfgTpl =~ s/^(pm\.max_children\s+=\s+).*/$1 100/m if($tplName eq 'pool.conf');
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/Postfix/60_postfix_pfs.pl b/contrib/Listeners/Postfix/60_postfix_pfs.pl
@@ -0,0 +1,51 @@
+# i-MSCP Listener::Postfix::PFS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file to add the self generated EDH parameter files for Perfect 
+## Forward Secrecy (PFS). First create the files before activating this listener:
+##
+##   cd /etc/postfix
+##   umask 022
+##   openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+##   openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+##   chmod 644 dh512.pem dh2048.pem
+#
+
+package Listener::Postfix::PFS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMainCfFile', sub {
+	my $content = shift;
+
+	my $cfgSnippet = <<EOF;
+# BEGIN Listener::Postfix::PFS
+smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
+smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
+# END Listener::Postfix::PFS
+EOF
+
+	$$content =~ s/^(# TLS parameters\n)/$1$cfgSnippet/m;
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/Postfix/70_postfix_submission_tls.pl b/contrib/Listeners/Postfix/70_postfix_submission_tls.pl
@@ -0,0 +1,37 @@
+# i-MSCP Listener::Postfix::Submission::TLS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file to force TLS connection on postfix submission.
+#
+
+package Listener::Postfix::Submission::TLS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMasterCfFile', sub {
+	my $content = shift;
+
+	$$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m;
+
+	0;
+});
+
+1;
+__END__
diff --git a/contrib/Listeners/Proftpd/10_proftpd_tuning.pl b/contrib/Listeners/Proftpd/10_proftpd_tuning.pl
@@ -0,0 +1,80 @@
+# i-MSCP Listener::ProFTP::Tuning listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+## Listener file that removes the ServerIdent information, allows to change the 
+## passive ports and forces a TLS connection for non local networks.
+#
+
+package Listener::ProFTP::Tuning;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+# Specify the passive ports for proftpd
+my $passivePorts = "60000 65535";
+
+# Configure the list of local networks to allow non TLS connection 
+# my @localNetworks = ( '127.0.0.1', '192.168.1.1', '172.16.12.0/24' );
+my @localNetworks = ('127.0.0.1');
+
+#
+## Please, don't edit anything below this line
+#
+
+iMSCP::EventManager->getInstance()->register('afterFtpdBuildConf', sub {
+	my ($tplContent, $tplName) = @_;
+
+	my $cfgSnippet = <<EOF;
+  # Don't require FTPS from local clients
+  <IfClass local>
+    TLSRequired            off
+  </IfClass>
+  # Require FTPS from remote/non-local clients
+  <IfClass !local>
+    TLSRequired            on
+  </IfClass>
+EOF
+
+	my $cfgNetworks;
+	for my $networks(@localNetworks) {
+		$cfgNetworks .= "\n  From $networks";
+	}
+
+	if ($tplName eq 'proftpd.conf') {
+		# disable the message displayed on connect
+		$$tplContent =~ s/^(ServerType.*)/$1\nServerIdent                off/m;
+
+		# insert passive ports
+		$$tplContent =~ s/^#(PassivePorts).*$/$1               $passivePorts/m;
+
+		# remove TLSRequired
+		$$tplContent =~ s/^\s+TLSRequired.*\n//m;
+
+		# insert $cfgSnippet
+		$$tplContent =~ s/^(<IfModule mod_tls\.c>$)/$1\n$cfgSnippet/m;
+
+		# insert class local
+		$$tplContent .= "\n<Class local>$cfgNetworks\n</Class>";
+	}
+
+	0;
+});
+
+1;
+__END__