40_apache2_tools_proxy.pl 50_apache2_hsts.pl 10_nginx_hsts.pl 10_phpfpm_maxchildren.pl 60_postfix_pfs.pl 70_postfix_submission_tls.pl 10_proftpd_tuning.pl 10_roundcube_tls.pl
1 parent
4c98498
commit b672184
Showing
9 changed files
with
472 additions
and
0 deletions.
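--- a/40_apache2_tools_proxy.pl
+++ b/40_apache2_tools_proxy.pl
@@ -0,0 +1,70 @@
+# i-MSCP Listener::Apache2::Tools::Proxy listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for redirect/proxy in customers vhost files for the i-MSCP tools
+#
+
+package Listener::Apache2::Tools::Proxy;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+my ($cfgTpl, $tplName, $data) = @_;
+
+if($tplName =~ /^domain\.tpl$/) {
+my $redirect = " RedirectMatch permanent ^/((?:ftp|pma|webmail)[\/]?)\$ ";
+
+if($data->{'SSL_SUPPORT'}) {
+$redirect .= "https://$data->{'DOMAIN_NAME'}/\$1";
+} else {
+$redirect .= "https://$main::imscpConfig{'BASE_SERVER_VHOST'}:$main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'}/\$1";
+}
+
+$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n # BEGIN Listener::Apache2::Tools::Proxy\n$redirect\n # END Listener::Apache2::Tools::Proxy\n$1/sm;
+}
+
+my $cfgProxy = <<EOF;
+# BEGIN Listener::Apache2::Tools::Proxy
+SSLProxyEngine On
+ProxyPass /ftp https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/ftp
+ProxyPassReverse /ftp https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/ftp
+ProxyPass /pma https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/pma
+ProxyPassReverse /pma https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/pma
+ProxyPass /webmail https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/webmail
+ProxyPassReverse /webmail https://{BASE_SERVER_VHOST}:{BASE_SERVER_VHOST_HTTPS_PORT}/webmail
+# END Listener::Apache2::Tools::Proxy
+EOF
+
+$cfgProxy = iMSCP::TemplateParser::process(
+{
+BASE_SERVER_VHOST_HTTPS_PORT => $main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'},
+},
+$cfgProxy
+);
+
+if($tplName =~ /^domain_ssl\.tpl$/) {
+$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n$cfgProxy$1/sm;
+}
+
+0;
+});
+
+1;
+__END__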
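Review bot: `iMSCP::TemplateParser::process` is called on the `$cfgProxy = iMSCP::TemplateParser::process(` line, but the file only loads `iMSCP::EventManager`, so the listener works only if the caller happened to load that module first; add `use iMSCP::TemplateParser;` next to the other `use` lines. That call also receives only `BASE_SERVER_VHOST_HTTPS_PORT`, leaving `{BASE_SERVER_VHOST}` in the heredoc unresolved; presumably the httpd builder substitutes it later from its own data, but passing `BASE_SERVER_VHOST => $main::imscpConfig{'BASE_SERVER_VHOST'}` alongside would make the snippet self-contained, as the non-SSL branch already does for the redirect. Finally, `SSLProxyEngine On` is emitted without any `SSLProxyVerify`/`SSLProxyCACertificateFile`, so with Apache's defaults the panel's certificate is not validated on the proxied hop; a comment stating that this is accepted for the self-hosted panel (or the directives to verify it) would record the decision.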
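--- a/50_apache2_hsts.pl
+++ b/50_apache2_hsts.pl
@@ -0,0 +1,45 @@
+# i-MSCP Listener::Apache2::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Apache2
+#
+
+package Listener::Apache2::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+my ($cfgTpl, $tplName, $data) = @_;
+
+my $cfgSnippet = <<EOF;
+# BEGIN Listener::Apache2::HSTS
+Header always set Strict-Transport-Security "max-age=31536000"
+# END Listener::Apache2::HSTS
+EOF
+
+if($tplName =~ /^domain_ssl\.tpl$/) {
+$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n$cfgSnippet$1/sm;
+}
+
+0;
+});
+
+1;
+__END__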
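Review bot: The `Header always set Strict-Transport-Security "max-age=31536000"` line assumes mod_headers is loaded; if it is not, every customer SSL vhost built from `domain_ssl.tpl` fails Apache's config check on the next reload, so either wrap the directive in `<IfModule mod_headers.c>` … `</IfModule>` or state the module dependency in the header comment. The one-year `max-age` is hard-coded inside the heredoc while the ProFTPD listener in this commit exposes its tunables above the handler; a `my $maxAge = 31536000;` interpolated into the heredoc would let an admin start with a short value, since browsers will refuse a customer's site outright for the whole pinned period if its certificate is later allowed to lapse. `$data` is unpacked but never used in this handler.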
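--- a/10_nginx_hsts.pl
+++ b/10_nginx_hsts.pl
@@ -0,0 +1,54 @@
+# i-MSCP Listener::Nginx::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Nginx
+#
+
+package Listener::Nginx::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterFrontEndBuildHttpdVhosts', sub {
+my $cfgSnippet = <<EOF;
+# BEGIN Listener::Nginx::HSTS
+add_header Strict-Transport-Security max-age=31536000;
+# END Listener::Nginx::HSTS
+EOF
+
+my $file = iMSCP::File->new('filename' => "/etc/nginx/sites-available/00_master_ssl.conf");
+my $fileContent = $file->get();
+unless (defined $fileContent) {
+error("Unable to read $file");
+return 1;
+}
+
+$fileContent =~ s/(ssl_prefer_server_ciphers.*\n)/$1\n$cfgSnippet/g;
+
+my $rs = $file->set($fileContent);
+return $rs if $rs;
+
+$rs = $file->save();
+return $rs if $rs;
+
+0;
+});
+
+1;
+__END__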
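Review bot: `iMSCP::File->new(...)` and `error(...)` are used without their modules being loaded — the file only has `use iMSCP::EventManager;` — so the handler fails with an undefined-subroutine or can't-locate-method error unless the caller already loaded them; add `use iMSCP::File;` and the module that exports `error` (iMSCP::Debug in other i-MSCP code, as far as I know). On the `error("Unable to read $file")` line `$file` is the object, so the message prints a hash reference instead of the path; `error("Unable to read $file->{'filename'}")` names the file. The `s/(ssl_prefer_server_ciphers.*\n)/$1\n$cfgSnippet/g` substitution has no BEGIN/END guard and re-appends the snippet every time the hook runs on an already-patched `00_master_ssl.conf`, unless that file is regenerated from a template beforehand (not visible here), and for parity with `Header always set` in the Apache listener the directive should be `add_header Strict-Transport-Security max-age=31536000 always;` so error responses also carry the header.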
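--- a/10_phpfpm_maxchildren.pl
+++ b/10_phpfpm_maxchildren.pl
@@ -0,0 +1,37 @@
+# i-MSCP Listener::phpFPM::MaxChildren listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to change the phpFPM max_children value
+#
+
+package Listener::phpFPM::MaxChildren;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+my ($cfgTpl, $tplName, $data) = @_;
+
+$$cfgTpl =~ s/^(pm\.max_children\s+=\s+).*/$1 100/m if($tplName eq 'pool.conf');
+
+0;
+});
+
+1;
+__END__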
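Review bot: The replacement value `100` is buried inside the regex on the `$$cfgTpl =~ s/^(pm\.max_children\s+=\s+).*/$1 100/m` line; the ProFTPD listener in this commit keeps its tunables in named variables above the handler, and this one should do the same, e.g. `my $maxChildren = 100;` and `$1$maxChildren`, which also drops the doubled space that `$1 100` produces because the capture already ends in whitespace. Since `pm.max_children` bounds how many workers, and thus how much memory, each pool built from `pool.conf` may consume, a one-line comment saying the value applies to every customer pool would help the admin size it. `$data` is unpacked but unused.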
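--- a/60_postfix_pfs.pl
+++ b/60_postfix_pfs.pl
@@ -0,0 +1,51 @@
+# i-MSCP Listener::Postfix::PFS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to add the self generated EDH parameter files for Perfect
+## Forward Secrecy (PFS). First create the files before activating this listener:
+##
+## cd /etc/postfix
+## umask 022
+## openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+## openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+## chmod 644 dh512.pem dh2048.pem
+#
+
+package Listener::Postfix::PFS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMainCfFile', sub {
+my $content = shift;
+
+my $cfgSnippet = <<EOF;
+# BEGIN Listener::Postfix::PFS
+smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
+smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
+# END Listener::Postfix::PFS
+EOF
+
+$$content =~ s/^(# TLS parameters\n)/$1$cfgSnippet/m;
+
+0;
+});
+
+1;
+__END__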
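Review bot: The header instructions have the admin generate a 512-bit DH group (`openssl dhparam -out dh512.tmp 512`) and the snippet installs it via `smtpd_tls_dh512_param_file`; Postfix uses that file only for export-grade EDH ciphers, and 512-bit DH offers no meaningful security, so a listener whose purpose is forward secrecy should drop the dh512 lines from both the instructions and the heredoc and instead document that export ciphers are excluded. The `$$content =~ s/^(# TLS parameters\n)/$1$cfgSnippet/m;` insertion depends on that exact comment line existing in the main.cf template; if it is absent the substitution does nothing and the handler still returns 0, so report the miss, e.g. `warn 'PFS: "# TLS parameters" anchor not found in main.cf' unless $$content =~ s/^(# TLS parameters\n)/$1$cfgSnippet/m;`.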
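--- a/70_postfix_submission_tls.pl
+++ b/70_postfix_submission_tls.pl
@@ -0,0 +1,37 @@
+# i-MSCP Listener::Postfix::Submission::TLS listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to force TLS connection on postfix submission.
+#
+
+package Listener::Postfix::Submission::TLS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMasterCfFile', sub {
+my $content = shift;
+
+$$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m;
+
+0;
+});
+
+1;
+__END__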
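Review bot: The substitution on the `$$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m;` line silently does nothing when the master.cf template does not contain that exact commented line, and the handler still returns 0, so an admin can believe submission now enforces TLS while it still accepts plaintext authentication; test the substitution count and report a miss, e.g. `warn 'submission TLS: no commented smtpd_tls_security_level=encrypt line found in master.cf' unless $$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m;`. The header comment should also state the precondition (the template's submission service carries that `-o` line commented out) so the dependency on the template is visible to whoever edits it.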
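--- a/10_proftpd_tuning.pl
+++ b/10_proftpd_tuning.pl
@@ -0,0 +1,80 @@
+# i-MSCP Listener::ProFTP::Tuning listener file
+# Copyright (C) 2015-2016 Rene Schuster <mail@reneschuster.de>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file that removes the ServerIdent information, allows to change the
+## passive ports and forces a TLS connection for non local networks.
+#
+
+package Listener::ProFTP::Tuning;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+# Specify the passive ports for proftpd
+my $passivePorts = "60000 65535";
+
+# Configure the list of local networks to allow non TLS connection
+# my @localNetworks = ( '127.0.0.1', '192.168.1.1', '172.16.12.0/24' );
+my @localNetworks = ('127.0.0.1');
+
+#
+## Please, don't edit anything below this line
+#
+
+iMSCP::EventManager->getInstance()->register('afterFtpdBuildConf', sub {
+my ($tplContent, $tplName) = @_;
+
+my $cfgSnippet = <<EOF;
+# Don't require FTPS from local clients
+<IfClass local>
+TLSRequired off
+</IfClass>
+# Require FTPS from remote/non-local clients
+<IfClass !local>
+TLSRequired on
+</IfClass>
+EOF
+
+my $cfgNetworks;
+for my $networks(@localNetworks) {
+$cfgNetworks .= "\n From $networks";
+}
+
+if ($tplName eq 'proftpd.conf') {
+# disable the message displayed on connect
+$$tplContent =~ s/^(ServerType.*)/$1\nServerIdent off/m;
+
+# insert passive ports
+$$tplContent =~ s/^#(PassivePorts).*$/$1 $passivePorts/m;
+
+# remove TLSRequired
+$$tplContent =~ s/^\s+TLSRequired.*\n//m;
+
+# insert $cfgSnippet
+$$tplContent =~ s/^(<IfModule mod_tls\.c>$)/$1\n$cfgSnippet/m;
+
+# insert class local
+$$tplContent .= "\n<Class local>$cfgNetworks\n</Class>";
+}
+
+0;
+});
+
+1;
+__END__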
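Review bot: On the `# remove TLSRequired` line, `s/^\s+TLSRequired.*\n//m` lets `\s+` run across newlines under `/m`, so any blank lines preceding the directive are deleted together with it; `s/^[ \t]*TLSRequired.*\n//m` confines the match to the directive's own line. The `# insert passive ports` substitution only fires on a commented `#PassivePorts` line, so a template that already has the directive uncommented is left untouched without any report — worth noting in the comment, as with the `PassivePorts` range itself, which must match what the firewall opens for data connections or every remote client will fail passive transfers once `TLSRequired on` is in effect. The `@localNetworks` example lists IPv4 entries only; clients connecting over IPv6 loopback would be classed as non-local and required to use TLS, which is probably the intent but deserves a comment next to the example.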