From b672184686e8c0d834f713428b2c577260bb5b05 Mon Sep 17 00:00:00 2001
From: Rene Schuster
Date: Mon, 8 Feb 2016 12:39:23 +0100
Subject: [PATCH] Added: Second set of listener files 40_apache2_tools_proxy.pl 50_apache2_hsts.pl 10_nginx_hsts.pl 10_phpfpm_maxchildren.pl 60_postfix_pfs.pl 70_postfix_submission_tls.pl 10_proftpd_tuning.pl 10_roundcube_tls.pl
---
.../Apache2/40_apache2_tools_proxy.pl | 70 ++++++++++++++++
contrib/Listeners/Apache2/50_apache2_hsts.pl | 45 +++++++++++
contrib/Listeners/Nginx/10_nginx_hsts.pl | 54 +++++++++++++
.../PHP-FPM/10_phpfpm_maxchildren.pl | 37 +++++++++
contrib/Listeners/Postfix/60_postfix_pfs.pl | 51 ++++++++++++
.../Postfix/70_postfix_submission_tls.pl | 37 +++++++++
.../Listeners/Proftpd/10_proftpd_tuning.pl | 80 +++++++++++++++++++
contrib/Listeners/README.md | 50 ++++++++++++
.../Listeners/Roundcube/10_roundcube_tls.pl | 48 +++++++++++
9 files changed, 472 insertions(+)
create mode 100644 contrib/Listeners/Apache2/40_apache2_tools_proxy.pl
create mode 100644 contrib/Listeners/Apache2/50_apache2_hsts.pl
create mode 100644 contrib/Listeners/Nginx/10_nginx_hsts.pl
create mode 100644 contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl
create mode 100644 contrib/Listeners/Postfix/60_postfix_pfs.pl
create mode 100644 contrib/Listeners/Postfix/70_postfix_submission_tls.pl
create mode 100644 contrib/Listeners/Proftpd/10_proftpd_tuning.pl
create mode 100644 contrib/Listeners/Roundcube/10_roundcube_tls.pl
diff --git a/contrib/Listeners/Apache2/40_apache2_tools_proxy.pl b/contrib/Listeners/Apache2/40_apache2_tools_proxy.pl
new file mode 100644
index 0000000000..a752fe1af3
--- /dev/null
+++ b/contrib/Listeners/Apache2/40_apache2_tools_proxy.pl
@@ -0,0 +1,70 @@
+# i-MSCP Listener::Apache2::Tools::Proxy listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for redirect/proxy in customers vhost files for the i-MSCP tools
+#
+
+package Listener::Apache2::Tools::Proxy;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+ my ($cfgTpl, $tplName, $data) = @_;
+
+ if($tplName =~ /^domain\.tpl$/) {
+ my $redirect = " RedirectMatch permanent ^/((?:ftp|pma|webmail)[\/]?)\$ ";
+
+ if($data->{'SSL_SUPPORT'}) {
+ $redirect .= "https://$data->{'DOMAIN_NAME'}/\$1";
+ } else {
+ $redirect .= "https://$main::imscpConfig{'BASE_SERVER_VHOST'}:$main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'}/\$1";
+ }
+
+ $$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n # BEGIN Listener::Apache2::Tools::Proxy\n$redirect\n # END Listener::Apache2::Tools::Proxy\n$1/sm;
+ }
+
+ my $cfgProxy = < $main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'},
+ },
+ $cfgProxy
+ );
+
+ if($tplName =~ /^domain_ssl\.tpl$/) {
+ $$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/\n$cfgProxy$1/sm;
+ }
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
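Review bot: Both `$$cfgTpl =~ s/(^\s+Include.*<\/VirtualHost>)/.../sm` substitutions ignore whether they matched, so a template whose `Include`/`</VirtualHost>` layout differs gets neither the RedirectMatch nor the proxy block while the listener still reports success with `0;`; the same unchecked-match pattern recurs in 50_apache2_hsts.pl, 10_nginx_hsts.pl, 10_phpfpm_maxchildren.pl, 70_postfix_submission_tls.pl, 10_proftpd_tuning.pl and 10_roundcube_tls.pl. Testing the result, e.g. `$$cfgTpl =~ s/.../.../sm or warning('Listener::Apache2::Tools::Proxy: no insertion point found in domain.tpl');`, surfaces the miss in the i-MSCP log (`warning` is exported by iMSCP::Debug, which this file would need to import). The `$cfgProxy` heredoc and the call it is passed to are lost in this rendering (the text jumps from `my $cfgProxy = <` to `$main::imscpConfig{'BASE_SERVER_VHOST_HTTPS_PORT'},`), so the proxy directives themselves could not be reviewed. Style: `$tplName =~ /^domain\.tpl$/` and `/^domain_ssl\.tpl$/` read better as `$tplName eq 'domain.tpl'` / `eq 'domain_ssl.tpl'`, as 10_phpfpm_maxchildren.pl already does with `'pool.conf'`.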
diff --git a/contrib/Listeners/Apache2/50_apache2_hsts.pl b/contrib/Listeners/Apache2/50_apache2_hsts.pl
new file mode 100644
index 0000000000..5aa511a112
--- /dev/null
+++ b/contrib/Listeners/Apache2/50_apache2_hsts.pl
@@ -0,0 +1,45 @@
+# i-MSCP Listener::Apache2::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Apache2
+#
+
+package Listener::Apache2::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+ my ($cfgTpl, $tplName, $data) = @_;
+
+ my $cfgSnippet = <)/\n$cfgSnippet$1/sm;
+ }
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
diff --git a/contrib/Listeners/Nginx/10_nginx_hsts.pl b/contrib/Listeners/Nginx/10_nginx_hsts.pl
new file mode 100644
index 0000000000..b5ed4d645b
--- /dev/null
+++ b/contrib/Listeners/Nginx/10_nginx_hsts.pl
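Review bot: The HSTS header value and the condition under which it is inserted are lost in this rendering (everything between `my $cfgSnippet = <` and `)/\n$cfgSnippet$1/sm;` is missing), so the policy itself could not be checked; two constraints are worth confirming in the file and documenting in its header. Per RFC 6797 a `Strict-Transport-Security` header received over plain HTTP is ignored, so the snippet belongs only in the `domain_ssl.tpl` vhost, and if it carries `includeSubDomains` every subdomain of the customer must already serve valid HTTPS or those subdomains become unreachable for `max-age` seconds. If the snippet uses Apache's `Header` directive it also depends on mod_headers being enabled, which nothing here checks. A header line such as `## Requires mod_headers; applied to the SSL vhost template only` would state both.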
@@ -0,0 +1,54 @@
+# i-MSCP Listener::Nginx::HSTS listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file for HTTP Strict Transport Security (HSTS) with Nginx
+#
+
+package Listener::Nginx::HSTS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterFrontEndBuildHttpdVhosts', sub {
+ my $cfgSnippet = <new('filename' => "/etc/nginx/sites-available/00_master_ssl.conf");
+ my $fileContent = $file->get();
+ unless (defined $fileContent) {
+ error("Unable to read $file");
+ return 1;
+ }
+
+ $fileContent =~ s/(ssl_prefer_server_ciphers.*\n)/$1\n$cfgSnippet/g;
+
+ my $rs = $file->set($fileContent);
+ return $rs if $rs;
+
+ $rs = $file->save();
+ return $rs if $rs;
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
diff --git a/contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl b/contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl
new file mode 100644
index 0000000000..177ac15d28
--- /dev/null
+++ b/contrib/Listeners/PHP-FPM/10_phpfpm_maxchildren.pl
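Review bot: `error("Unable to read $file")` interpolates the iMSCP::File object rather than its path, so the log entry will read like `Unable to read iMSCP::File=HASH(0x...)`; use the path, `error("Unable to read /etc/nginx/sites-available/00_master_ssl.conf");`. The file calls `error()` and `iMSCP::File->new` but imports only iMSCP::EventManager; under `use strict` the unqualified `error(...)` compiles but, unless something else defines it, dies at runtime with an undefined-subroutine error in package Listener::Nginx::HSTS, so add `use iMSCP::Debug;` and `use iMSCP::File;` beside the existing import. Both issues recur verbatim in 10_roundcube_tls.pl. The `/g` on `s/(ssl_prefer_server_ciphers.*\n)/$1\n$cfgSnippet/g` inserts the block after every `ssl_prefer_server_ciphers` line the vhost file contains, presumably one; the snippet body is lost in this rendering and could not be reviewed.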
@@ -0,0 +1,37 @@
+# i-MSCP Listener::phpFPM::MaxChildren listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to change the phpFPM max_children value
+#
+
+package Listener::phpFPM::MaxChildren;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('beforeHttpdBuildConf', sub {
+ my ($cfgTpl, $tplName, $data) = @_;
+
+ $$cfgTpl =~ s/^(pm\.max_children\s+=\s+).*/$1 100/m if($tplName eq 'pool.conf');
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
diff --git a/contrib/Listeners/Postfix/60_postfix_pfs.pl b/contrib/Listeners/Postfix/60_postfix_pfs.pl
new file mode 100644
index 0000000000..7c3b103ca2
--- /dev/null
+++ b/contrib/Listeners/Postfix/60_postfix_pfs.pl
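Review bot: The `100` in `s/^(pm\.max_children\s+=\s+).*/$1 100/m` is a hard-coded value applied to every customer pool, and the replacement inserts a second space after the whitespace `\s+` already captured into `$1`. Following 10_proftpd_tuning.pl's layout, hoist it into an editable variable above the register call, `my $maxChildren = 100;`, and write `s/^(pm\.max_children\s+=\s+).*/$1$maxChildren/m`. Since `pm.max_children` caps the PHP workers, and thus the memory, a single customer's pool can consume, a comment above that variable such as `# Upper bound on PHP-FPM children per customer pool; size it for the host's RAM` helps the admins this contrib listener is aimed at. `$data` is unpacked but unused.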
@@ -0,0 +1,51 @@
+# i-MSCP Listener::Postfix::PFS listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to add the self generated EDH parameter files for Perfect
+## Forward Secrecy (PFS). First create the files before activating this listener:
+##
+## cd /etc/postfix
+## umask 022
+## openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+## openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+## chmod 644 dh512.pem dh2048.pem
+#
+
+package Listener::Postfix::PFS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMainCfFile', sub {
+ my $content = shift;
+
+ my $cfgSnippet = <
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
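Review bot: The header tells admins to generate a 512-bit DH parameter file (`openssl dhparam -out dh512.tmp 512`): 512-bit Diffie-Hellman is export-grade strength, breakable with modest resources, and Postfix uses `smtpd_tls_dh512_param_file` only for export-grade EDH ciphers, which should not be offered at all. Drop the dh512 steps from the instructions (and the matching main.cf setting, if the snippet adds one) and keep only `## openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem` and `## chmod 644 dh2048.pem`. The `$cfgSnippet` heredoc and everything after it are lost in this rendering — the text runs straight into 70_postfix_submission_tls.pl's license header — so the main.cf directives actually added could not be reviewed, and the registered sub continues past what is visible here.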
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to force TLS connection on postfix submission.
+#
+
+package Listener::Postfix::Submission::TLS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterMtaBuildMasterCfFile', sub {
+ my $content = shift;
+
+ $$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m;
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
diff --git a/contrib/Listeners/Proftpd/10_proftpd_tuning.pl b/contrib/Listeners/Proftpd/10_proftpd_tuning.pl
new file mode 100644
index 0000000000..b8e94b8a73
--- /dev/null
+++ b/contrib/Listeners/Proftpd/10_proftpd_tuning.pl
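Review bot: `$$content =~ s/^#(\s+-o\s+smtpd_tls_security_level=encrypt)/$1/m` silently does nothing when the master.cf template lacks that exact commented override, so the submission service keeps whatever the template's default is and nothing tells the admin the listener did not apply. Log the miss, `... =~ s/.../$1/m or warning('smtpd_tls_security_level=encrypt override not found in master.cf');` (`warning` needs `use iMSCP::Debug;`). The header comment also does not say what is edited; `## Uncomments the "-o smtpd_tls_security_level=encrypt" override of the submission service in master.cf so that unencrypted sessions are refused.` documents it. The registered sub is complete within this hunk, although the file's first lines are fused into 60_postfix_pfs.pl's hunk in this rendering.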
@@ -0,0 +1,80 @@
+# i-MSCP Listener::ProFTP::Tuning listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file that removes the ServerIdent information, allows to change the
+## passive ports and forces a TLS connection for non local networks.
+#
+
+package Listener::ProFTP::Tuning;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+# Specify the passive ports for proftpd
+my $passivePorts = "60000 65535";
+
+# Configure the list of local networks to allow non TLS connection
+# my @localNetworks = ( '127.0.0.1', '192.168.1.1', '172.16.12.0/24' );
+my @localNetworks = ('127.0.0.1');
+
+#
+## Please, don't edit anything below this line
+#
+
+iMSCP::EventManager->getInstance()->register('afterFtpdBuildConf', sub {
+ my ($tplContent, $tplName) = @_;
+
+ my $cfgSnippet = <
+ TLSRequired off
+
+ # Require FTPS from remote/non-local clients
+
+ TLSRequired on
+
+EOF
+
+ my $cfgNetworks;
+ for my $networks(@localNetworks) {
+ $cfgNetworks .= "\n From $networks";
+ }
+
+ if ($tplName eq 'proftpd.conf') {
+ # disable the message displayed on connect
+ $$tplContent =~ s/^(ServerType.*)/$1\nServerIdent off/m;
+
+ # insert passive ports
+ $$tplContent =~ s/^#(PassivePorts).*$/$1 $passivePorts/m;
+
+ # remove TLSRequired
+ $$tplContent =~ s/^\s+TLSRequired.*\n//m;
+
+ # insert $cfgSnippet
+ $$tplContent =~ s/^($)/$1\n$cfgSnippet/m;
+
+ # insert class local
+ $$tplContent .= "\n$cfgNetworks\n";
+ }
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
diff --git a/contrib/Listeners/README.md b/contrib/Listeners/README.md
index 77c7555408..a354099bd3 100644
--- a/contrib/Listeners/README.md
+++ b/contrib/Listeners/README.md
@@ -23,6 +23,14 @@ Listener file that allows to override Apache2 ServerAlias directive value. Listener file that allows to change the domain redirect type in customer's vhost files from 302 to 301. +### 40_apache2_tools_proxy.pl + +Listener file for redirect/proxy in customers vhost files for the i-MSCP tools + +### 50_apache2_hsts.pl + +Listener file for HTTP Strict Transport Security (HSTS) with Apache2 + ## Dovecot listeners ### 10_dovecot_compress.pl
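Review bot: `$$tplContent =~ s/^($)/$1\n$cfgSnippet/m` drops the TLS snippet at the first empty line of proftpd.conf, wherever the template happens to have one, so its position depends on layout rather than on any directive; anchoring it to something the listener already matches — for example emitting it together with the `ServerIdent off` line in the `ServerType` substitution, or appending it at the end of the file next to the class definition — would make the result deterministic. The `<Class>`/`<IfClass>` markup appears stripped from this rendering (`my $cfgSnippet = <` and `"\n$cfgNetworks\n"`), so confirm in the file that the class is defined before the `<IfClass>` sections referencing it, if ProFTPD requires that order. `s/^\s+TLSRequired.*\n//m` removes only the first `TLSRequired` line, so a template with more than one keeps a conflicting directive. The `@localNetworks` values are interpolated into the config unvalidated; a comment such as `# Each entry must be an IP address or CIDR range accepted by ProFTPD's From directive` states the contract for admins editing the list.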
@@ -72,6 +80,18 @@ Listener file that provides zone output for zone transfer to secondary nameserve Listener file that modifies the zone files, removes default nameservers and adds custom out-of-zone nameservers. +## Nginx listeners + +### 10_nginx_hsts.pl + +Listener file for HTTP Strict Transport Security (HSTS) with Nginx + +## PHP-FPM listeners + +### 10_phpfpm_maxchildren.pl + +Listener file to change the phpFPM max_children value + ## Postfix listeners ### 10_postfix_smarthost.pl
@@ -98,6 +118,36 @@ Listener file that allows to setup sender canonical maps. Listener file that allows to setup sender generic map. +### 60_postfix_pfs.pl + +Listener file to add the self generated EDH parameter files for Perfect +Forward Secrecy (PFS). First create the files before activating this listener: + +``` +cd /etc/postfix +umask 022 +openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem +openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem +chmod 644 dh512.pem dh2048.pem +``` + +### 70_postfix_submission_tls.pl + +Listener file to force TLS connection on postfix submission. + +## Proftpd listeners + +### 10_proftpd_tuning.pl + +Listener file that removes the ServerIdent information, allows to change the +passive ports and forces a TLS connection for non local networks. + +## Roundcube listeners + +### 10_roundcube_tls.pl + +Listener file to change the Roundcube config to connect via TLS. + ## System listeners ## 10_system_hosts.pl
diff --git a/contrib/Listeners/Roundcube/10_roundcube_tls.pl b/contrib/Listeners/Roundcube/10_roundcube_tls.pl
new file mode 100644
index 0000000000..11ab6b76ba
--- /dev/null
+++ b/contrib/Listeners/Roundcube/10_roundcube_tls.pl
@@ -0,0 +1,48 @@
+# i-MSCP Listener::Roundcube::TLS listener file
+# Copyright (C) 2015-2016 Rene Schuster
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+#
+## Listener file to change the Roundcube config to connect via TLS.
+#
+
+package Listener::Roundcube::TLS;
+
+use strict;
+use warnings;
+use iMSCP::EventManager;
+
+iMSCP::EventManager->getInstance()->register('afterSetupTasks', sub {
+ my $file = iMSCP::File->new('filename' => "$main::imscpConfig{'GUI_PUBLIC_DIR'}/tools/webmail/config/config.inc.php");
+ my $fileContent = $file->get();
+ unless (defined $fileContent) {
+ error("Unable to read $file");
+ return 1;
+ }
+
+ $fileContent =~ s/(\$config\['(?:default_host|smtp_server)?'\]\s+=\s+').*(';)/$1tls:\/\/$main::imscpConfig{'BASE_SERVER_VHOST'}$2/g;
+
+ my $rs = $file->set($fileContent);
+ return $rs if $rs;
+
+ $rs = $file->save();
+ return $rs if $rs;
+
+ 0;
+});
+
+1;
+__END__
\ No newline at end of file
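Review bot: In `\$config\['(?:default_host|smtp_server)?'\]` the trailing `?` makes the key alternation optional, so a `$config['']` entry would be rewritten as well; drop it: `(\$config\['(?:default_host|smtp_server)'\]\s+=\s+')`. The replacement points both IMAP and SMTP at `tls://$main::imscpConfig{'BASE_SERVER_VHOST'}`, which only works, and is only safe, if the certificate the mail services present is valid for that exact hostname while Roundcube keeps peer verification on; a header line such as `## The IMAP/SMTP certificate must be valid for BASE_SERVER_VHOST, otherwise Roundcube's TLS verification fails` would spare admins a debugging round. `error("Unable to read $file")` interpolating the object and the missing `use iMSCP::Debug;`/`use iMSCP::File;` are the same defects noted on 10_nginx_hsts.pl.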