
[Feature] Enhanced and Optimized TLS (#3555)

* Enhanced and Optimized TLS

* Prepare for installer and backup

* Prepare for upgrade (easy part)

* Prepare for upgrade (hell part)

* Minor changes and Prettier

* Changes for third-party compatibility

* Issue in check

---------

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
myrevery 2 лет назад
Родитель
Сommit
910c0ded42

+ 14 - 6
func/upgrade.sh

@@ -271,6 +271,9 @@ upgrade_init_backup() {
 	# Hestia Control Panel configuration files
 	mkdir -p $HESTIA_BACKUP/conf/hestia/
 
+	# OpenSSL configuration files
+	mkdir -p $HESTIA_BACKUP/conf/openssl/
+
 	# Hosting Packages
 	mkdir -p $HESTIA_BACKUP/packages/
 
@@ -352,12 +355,12 @@ upgrade_start_backup() {
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Packages"
 	fi
-	cp -rf $HESTIA/data/packages/* $HESTIA_BACKUP/packages/
+	cp -fr $HESTIA/data/packages/* $HESTIA_BACKUP/packages/
 
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Templates"
 	fi
-	cp -rf $HESTIA/data/templates/* $HESTIA_BACKUP/templates/
+	cp -fr $HESTIA/data/templates/* $HESTIA_BACKUP/templates/
 
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Configuration files:"
@@ -367,7 +370,13 @@ upgrade_start_backup() {
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      ---- hestia"
 	fi
-	cp -rf $HESTIA/conf/* $HESTIA_BACKUP/conf/hestia/
+	cp -fr $HESTIA/conf/* $HESTIA_BACKUP/conf/hestia/
+
+	# OpenSSL configuration files
+	if [ "$DEBUG_MODE" = "true" ]; then
+		echo "      ---- openssl"
+	fi
+	cp -f /etc/ssl/*.cnf $HESTIA_BACKUP/conf/openssl/
 
 	# System service configuration files (apache2, nginx, bind9, vsftpd, etc).
 	if [ -n "$WEB_SYSTEM" ]; then
@@ -424,7 +433,6 @@ upgrade_start_backup() {
 		if [ "$FTP_SYSTEM" = "vsftpd" ]; then
 			cp -f /etc/$FTP_SYSTEM.conf $HESTIA_BACKUP/conf/$FTP_SYSTEM/
 		fi
-
 		if [ "$FTP_SYSTEM" = "proftpd" ]; then
 			cp -f /etc/proftpd/proftpd.conf $HESTIA_BACKUP/conf/$FTP_SYSTEM/
 		fi
@@ -549,12 +557,12 @@ upgrade_b2_tool() {
 
 upgrade_cloudflare_ip() {
 	if [ "$WEB_SYSTEM" = "nginx" ] || [ "$PROXY_SYSTEM" = "nginx" ]; then
-		cf_ips="$(curl -fsLm2 --retry 1 https://api.cloudflare.com/client/v4/ips)"
+		cf_ips="$(curl -fsLm5 --retry 2 https://api.cloudflare.com/client/v4/ips)"
 
 		if [ -n "$cf_ips" ] && [ "$(echo "$cf_ips" | jq -r '.success//""')" = "true" ]; then
 			cf_inc="/etc/nginx/conf.d/cloudflare.inc"
 
-			echo "[ * ] Updating Cloudflare IP Ranges for Nginx..."
+			echo "[ * ] Updating Cloudflare IP Ranges for NGINX..."
 			echo "# Cloudflare IP Ranges" > $cf_inc
 			echo "" >> $cf_inc
 			echo "# IPv4" >> $cf_inc
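Review bot: The new backup step `cp -f /etc/ssl/*.cnf $HESTIA_BACKUP/conf/openssl/` in upgrade_start_backup hands the unexpanded glob to cp when /etc/ssl holds no `*.cnf` file, so cp reports an error for a literal path, and `$HESTIA_BACKUP` is unquoted like the surrounding copies. Since the installers only ever edit /etc/ssl/openssl.cnf, copying that one file explicitly avoids the glob and the error case: `cp -f /etc/ssl/openssl.cnf "$HESTIA_BACKUP/conf/openssl/"`. Whether a failed copy aborts the upgrade depends on shell options set outside this hunk; the body of upgrade_start_backup starts before the hunk and continues past it.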

+ 1 - 1
install/common/dovecot/conf.d/10-ssl.conf

@@ -1,7 +1,7 @@
 ssl = yes
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
 ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 ssl_cert = </usr/local/hestia/ssl/certificate.crt
 ssl_key = </usr/local/hestia/ssl/certificate.key
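Review bot: The new `ssl_cipher_list` keeps six CBC-mode suites at its tail (`ECDHE-ECDSA-AES128-SHA256` through `DHE-RSA-AES256-SHA256`), so clients without AEAD support still negotiate CBC with HMAC-SHA2 instead of being refused; the commit message frames this as third-party compatibility, but nothing in the file says so, and the identical list is pasted into install/deb/nginx/nginx.conf, install/rpm/nginx/nginx.conf, install/deb/proftpd/tls.conf, install/rpm/proftpd/tls.conf and install/deb/vsftpd/vsftpd.conf, so a later reader is likely to trim it in one place and not the others. This directive also governs only TLS 1.2 and below; the TLS 1.3 suite order appears to be meant to come from the `[hestia_openssl_sect]` block the installers write into /etc/ssl/openssl.cnf, which is worth stating. A one-line comment above the directive in each of these files would capture both: `# TLS <=1.2 suites: AEAD first, CBC tail kept deliberately for legacy clients; TLS 1.3 suites come from /etc/ssl/openssl.cnf`.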

+ 1 - 0
install/deb/exim/exim4.conf.4.94.template

@@ -63,6 +63,7 @@ tls_privatekey = \
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
+tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
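Review bot: The added `tls_require_ciphers` value is a GnuTLS priority string (`PERFORMANCE`, `-VERS-ALL` and `%SERVER_PRECEDENCE` are GnuTLS keywords), which Exim accepts only when built against GnuTLS as the Debian exim4 packages are; nothing on the line records that assumption, and the same line is added to install/deb/exim/exim4.conf.template. A comment above it would stop the string being copied to an OpenSSL-linked build, where it is not a valid cipher list: `# GnuTLS priority string (Debian exim4 links GnuTLS): no static-RSA key exchange, TLS 1.2/1.3 only, server order wins`.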

+ 1 - 0
install/deb/exim/exim4.conf.template

@@ -63,6 +63,7 @@ tls_privatekey = \
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
+tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

+ 29 - 35
install/deb/nginx/nginx.conf

@@ -22,11 +22,11 @@ http {
 	client_body_timeout             180s;
 	client_header_buffer_size       2k;
 	client_body_buffer_size         256k;
-	client_max_body_size            256m;
+	client_max_body_size            1024m;
 	large_client_header_buffers     4 8k;
 	send_timeout                    60s;
 	keepalive_timeout               30s;
-	keepalive_requests              100000;
+	keepalive_requests              10000;
 	reset_timedout_connection       on;
 	server_tokens                   off;
 	server_name_in_redirect         off;
@@ -34,7 +34,7 @@ http {
 	server_names_hash_bucket_size   512;
 	charset                         utf-8;
 	# FastCGI settings
-	fastcgi_buffers                 8 256k;
+	fastcgi_buffers                 512 4k;
 	fastcgi_buffer_size             256k;
 	fastcgi_busy_buffers_size       256k;
 	fastcgi_temp_file_write_size    256k;
@@ -51,14 +51,15 @@ http {
 	proxy_set_header                X-Real-IP $remote_addr;
 	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_pass_header               Set-Cookie;
-	proxy_buffers                   32 4k;
-	proxy_buffer_size               8k;
+	proxy_buffers                   256 4k;
+	proxy_buffer_size               32k;
+	proxy_busy_buffers_size         32k;
+	proxy_temp_file_write_size      256k;
 	proxy_connect_timeout           30s;
 	proxy_read_timeout              300s;
 	proxy_send_timeout              180s;
 	# Log format
-	log_format                      main '$remote_addr - $remote_user [$time_local] $request '
-	  '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
+	log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 	log_format                      bytes '$body_bytes_sent';
 	log_not_found                   off;
 	access_log                      off;
@@ -67,32 +68,28 @@ http {
 	default_type                    application/octet-stream;
 	# Compression
 	gzip                            on;
-	gzip_static                     on;
 	gzip_vary                       on;
+	gzip_static                     on;
 	gzip_comp_level                 6;
 	gzip_min_length                 1024;
-	gzip_buffers                    16 8k;
+	gzip_buffers                    128 4k;
 	gzip_http_version               1.1;
-	gzip_types                      text/plain text/css text/javascript text/js text/xml
-	  application/json application/javascript application/x-javascript application/xml
-	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
+	gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
 	gzip_proxied                    any;
-	gzip_disable                    "MSIE [1-6]\.";
-    
-	# Cloudflare ips
+	# Cloudflare IPs
 	include                         /etc/nginx/conf.d/cloudflare.inc;
-	
-    # SSL PCI compliance
-	ssl_session_cache               shared:SSL:20m;
-	ssl_session_timeout             60m;
-	ssl_buffer_size                 1400;
-	ssl_protocols                   TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers       on;
-	ssl_ciphers                     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+	# SSL PCI compliance
+	ssl_buffer_size                 1369;
+	ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
 	ssl_dhparam                     /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve                  secp384r1;
-	ssl_session_tickets             off;
-	resolver                        1.1.1.1 8.8.8.8 valid=300s ipv6=off;
+	ssl_early_data                  on;
+	ssl_ecdh_curve                  auto;
+	ssl_prefer_server_ciphers       on;
+	ssl_protocols                   TLSv1.2 TLSv1.3;
+	ssl_session_cache               shared:SSL:20m;
+	ssl_session_tickets             on;
+	ssl_session_timeout             7d;
+	resolver                        1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
 	resolver_timeout                5s;
 	# Error pages
 	error_page                      403 /error/404.html;
@@ -100,20 +97,17 @@ http {
 	error_page                      410 /error/410.html;
 	error_page                      500 501 502 503 504 505 /error/50x.html;
 	# Proxy cache
-	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m
-	  max_size=1024m;
+	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
 	proxy_cache_key                 "$scheme$request_method$host$request_uri";
 	proxy_temp_path                 /var/cache/nginx/temp;
-	proxy_ignore_headers            Expires Cache-Control;
-	proxy_cache_use_stale           error timeout invalid_header http_502;
+	proxy_ignore_headers            Cache-Control Expires;
+	proxy_cache_use_stale           error timeout invalid_header updating http_502;
 	proxy_cache_valid               any 1d;
 	# FastCGI cache
-	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m
-	  max_size=1024m inactive=30m;
+	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
 	fastcgi_cache_key               "$scheme$request_method$host$request_uri";
-	fastcgi_cache_methods           GET HEAD;
-	fastcgi_cache_use_stale         updating error timeout invalid_header http_500 http_503;
 	fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
+	fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
 	add_header                      X-FastCGI-Cache $upstream_cache_status;
 
 	# Cache bypass
@@ -131,4 +125,4 @@ http {
 	# Wildcard include
 	include                         /etc/nginx/conf.d/*.conf;
 	include                         /etc/nginx/conf.d/domains/*.conf;
-}
+}
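Review bot: `ssl_early_data on;` in the SSL block enables TLS 1.3 0-RTT, and a request carried in early data can be replayed by anyone on the path, so upstreams must be told which requests arrived that way; the hunk forwards no `$ssl_early_data` signal. nginx's own guidance is to pass it to the backend and let non-idempotent handlers answer 425 Too Early, e.g. `proxy_set_header Early-Data $ssl_early_data;` next to the other `proxy_set_header` lines, with the matching `fastcgi_param` for PHP-FPM. Likewise `ssl_session_tickets on;` combined with `ssl_session_timeout 7d;` means a ticket key that nginx generates itself and, as far as I recall, re-keys only on restart or reload can decrypt every session resumed under it for days, which undercuts the forward secrecy the ECDHE-only cipher list buys; if tickets are wanted, pair them with a rotated `ssl_session_ticket_key` file or a much shorter timeout. Both points apply identically to install/rpm/nginx/nginx.conf.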

+ 5 - 3
install/deb/proftpd/tls.conf

@@ -13,7 +13,9 @@
 TLSEngine                               on
 TLSLog                                  /var/log/proftpd/tls.log
 # this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
-TLSProtocol                             TLSv1.2
+TLSCipherSuite                          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
+TLSProtocol                             TLSv1.2 TLSv1.3
+TLSServerCipherPreference               on
 #
 # Server SSL certificate. You can generate a self-signed certificate using
 # a command like:
@@ -42,9 +44,9 @@ TLSRSACertificateKeyFile                /usr/local/hestia/ssl/certificate.key
 # Per default drop connection if client tries to start a renegotiate
 # This is a fix for CVE-2009-3555 but could break some clients.
 #
-#TLSOptions                                                     AllowClientRenegotiations
+#TLSOptions                      AllowClientRenegotiations
 #
-TLSOptions                       NoSessionReuseRequired AllowClientRenegotiations
+TLSOptions                      NoSessionReuseRequired AllowClientRenegotiations
 # Authenticate clients that want to use FTP over TLS?
 #
 #TLSVerifyClient                         off
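Review bot: The context comment `# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2` now sits directly above `TLSProtocol TLSv1.2 TLSv1.3` and contradicts it (it also carries two typos), and the same comment is copied into the new install/rpm/proftpd/tls.conf; replace it in both with `# Only TLS 1.2 and 1.3; TLSCipherSuite above governs the TLS 1.2 suites`. Whether `TLSv1.3` is accepted in TLSProtocol depends on the mod_tls version, and older ProFTPD releases reject unknown protocol names at startup, so this should be checked against the ProFTPD shipped on the oldest platform the installer still handles (the Debian installer in this commit still branches on release 10). `TLSOptions NoSessionReuseRequired AllowClientRenegotiations` is untouched by the commit, but since the comment above it says the option reintroduces the CVE-2009-3555 exposure, it is worth confirming which clients still need it now that the protocol set has changed.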

+ 1 - 1
install/deb/vsftpd/vsftpd.conf

@@ -31,7 +31,7 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
 ssl_sslv2=NO
 ssl_sslv3=NO
 ssl_tlsv1=NO

+ 27 - 8
install/hst-install-debian.sh

@@ -49,7 +49,7 @@ software="acl apache2 apache2-suexec-custom apache2-suexec-pristine apache2-util
   php$fpm_v-pgsql php$fpm_v-pspell php$fpm_v-readline php$fpm_v-xml php$fpm_v-zip postgresql postgresql-contrib
   proftpd-basic quota rrdtool rsyslog spamassassin sudo sysstat unrar-free unzip util-linux vim-common vsftpd whois zip zstd"
 
-installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg wget"
+installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg openssl wget"
 
 # Defining help function
 help() {
@@ -685,7 +685,7 @@ if [ -z "$(swapon -s)" ] && [ "$memory" -lt 1000000 ]; then
 	chmod 600 /swapfile
 	mkswap /swapfile
 	swapon /swapfile
-	echo "/swapfile   none    swap    sw    0   0" >> /etc/fstab
+	echo "/swapfile	none	swap	sw	0	0" >> /etc/fstab
 fi
 
 #----------------------------------------------------------#
@@ -786,7 +786,10 @@ check_result $? 'apt-get upgrade failed'
 mkdir -p $hst_backups
 cd $hst_backups
 mkdir nginx apache2 php vsftpd proftpd bind exim4 dovecot clamd
-mkdir spamassassin mysql postgresql hestia
+mkdir spamassassin mysql postgresql openssl hestia
+
+# Backup OpenSSL configuration
+cp /etc/ssl/openssl.cnf $hst_backups/openssl > /dev/null 2>&1
 
 # Backup nginx configuration
 systemctl stop nginx > /dev/null 2>&1
@@ -799,7 +802,7 @@ rm -f /etc/apache2/conf.d/* > /dev/null 2>&1
 
 # Backup PHP-FPM configuration
 systemctl stop php*-fpm > /dev/null 2>&1
-cp -r /etc/php/* $hst_backups/php/ > /dev/null 2>&1
+cp -r /etc/php/* $hst_backups/php > /dev/null 2>&1
 
 # Backup Bind configuration
 systemctl stop bind9 > /dev/null 2>&1
@@ -1261,6 +1264,22 @@ cp -rf $HESTIA_COMMON_DIR/api $HESTIA/data/
 # Configuring server hostname
 $HESTIA/bin/v-change-sys-hostname $servername > /dev/null 2>&1
 
+# Configuring global OpenSSL options
+echo "[ * ] Configuring OpenSSL to improve TLS performance..."
+tls13_ciphers="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
+if [ "$release" = "10" ] || [ "$release" = "11" ]; then
+	sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+elif [ "$release" = "12" ]; then
+	if ! grep -qw "^ssl_conf = ssl_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/providers = provider_sect$/a ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
+	fi
+	if ! grep -qw "^[ssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '$a \\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	fi
+fi
+
 # Generating SSL certificate
 echo "[ * ] Generating default self-signed SSL certificate..."
 $HESTIA/bin/v-generate-ssl-cert $(hostname) '' 'US' 'California' \
@@ -1335,12 +1354,12 @@ for ip in $dns_resolver; do
 	fi
 done
 if [ -n "$resolver" ]; then
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
 fi
 
 # https://github.com/ergin/nginx-cloudflare-real-ip/
-cf_ips="$(curl -fsLm2 --retry 1 https://api.cloudflare.com/client/v4/ips)"
+cf_ips="$(curl -fsLm5 --retry 2 https://api.cloudflare.com/client/v4/ips)"
 
 if [ -n "$cf_ips" ] && [ "$(echo "$cf_ips" | jq -r '.success//""')" = "true" ]; then
 	cf_inc="/etc/nginx/conf.d/cloudflare.inc"
@@ -1479,7 +1498,7 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
-	update-rc.d vsftpd defaults
+	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
 fi
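Review bot: `grep -qw "^[ssl_sect]$"` in the Debian 12 branch of the new OpenSSL block does not look for the literal line `[ssl_sect]`: inside a regex the brackets form a character class, so the pattern matches a line consisting of a single character from `s l _ e c t` and never the section header. The `! grep` test is therefore almost always true, the `elif` that handles an existing `system_default = system_default_sect` is effectively dead, and a re-run (or a stock openssl.cnf that already carries `[ssl_sect]`) appends a duplicate section to /etc/ssl/openssl.cnf. A fixed-string exact-line match is what is wanted: `if ! grep -qxF '[ssl_sect]' /etc/ssl/openssl.cnf 2> /dev/null; then` (`-w` adds nothing once the line is anchored). The same pattern appears as `^[default_conf]$` in install/hst-install-ubuntu.sh and needs the same change.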

+ 27 - 8
install/hst-install-ubuntu.sh

@@ -49,7 +49,7 @@ software="acl apache2 apache2.2-common apache2-suexec-custom apache2-utils appar
   php$fpm_v-pgsql php$fpm_v-pspell php$fpm_v-readline php$fpm_v-xml php$fpm_v-zip postgresql postgresql-contrib
   proftpd-basic quota rrdtool rsyslog setpriv spamassassin sudo sysstat unzip vim-common vsftpd whois zip zstd"
 
-installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg software-properties-common wget"
+installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg openssl software-properties-common wget"
 
 # Defining help function
 help() {
@@ -674,7 +674,7 @@ if [ -z "$(swapon -s)" ] && [ "$memory" -lt 1000000 ]; then
 	chmod 600 /swapfile
 	mkswap /swapfile
 	swapon /swapfile
-	echo "/swapfile   none    swap    sw    0   0" >> /etc/fstab
+	echo "/swapfile	none	swap	sw	0	0" >> /etc/fstab
 fi
 
 #----------------------------------------------------------#
@@ -758,7 +758,10 @@ check_result $? 'apt-get upgrade failed'
 mkdir -p $hst_backups
 cd $hst_backups
 mkdir nginx apache2 php vsftpd proftpd bind exim4 dovecot clamd
-mkdir spamassassin mysql postgresql hestia
+mkdir spamassassin mysql postgresql openssl hestia
+
+# Backup OpenSSL configuration
+cp /etc/ssl/openssl.cnf $hst_backups/openssl > /dev/null 2>&1
 
 # Backup nginx configuration
 systemctl stop nginx > /dev/null 2>&1
@@ -771,7 +774,7 @@ rm -f /etc/apache2/conf.d/* > /dev/null 2>&1
 
 # Backup PHP-FPM configuration
 systemctl stop php*-fpm > /dev/null 2>&1
-cp -r /etc/php/* $hst_backups/php/ > /dev/null 2>&1
+cp -r /etc/php/* $hst_backups/php > /dev/null 2>&1
 
 # Backup Bind configuration
 systemctl stop bind9 > /dev/null 2>&1
@@ -1292,6 +1295,22 @@ cp -rf $HESTIA_COMMON_DIR/api $HESTIA/data/
 # Configuring server hostname
 $HESTIA/bin/v-change-sys-hostname $servername > /dev/null 2>&1
 
+# Configuring global OpenSSL options
+echo "[ * ] Configuring OpenSSL to improve TLS performance..."
+tls13_ciphers="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
+if [ "$release" = "20.04" ]; then
+	if ! grep -qw "^openssl_conf = default_conf$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/^oid_section		= new_oids$/a \\n# System default\nopenssl_conf = default_conf' /etc/ssl/openssl.cnf
+	fi
+	if ! grep -qw "^[default_conf]$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '$a [default_conf]\nssl_conf = ssl_sect\n\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	fi
+elif [ "$release" = "22.04" ]; then
+	sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+fi
+
 # Generating SSL certificate
 echo "[ * ] Generating default self-signed SSL certificate..."
 $HESTIA/bin/v-generate-ssl-cert $(hostname) '' 'US' 'California' \
@@ -1374,12 +1393,12 @@ for ip in $dns_resolver; do
 	fi
 done
 if [ -n "$resolver" ]; then
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
 fi
 
 # https://github.com/ergin/nginx-cloudflare-real-ip/
-cf_ips="$(curl -fsLm2 --retry 1 https://api.cloudflare.com/client/v4/ips)"
+cf_ips="$(curl -fsLm5 --retry 2 https://api.cloudflare.com/client/v4/ips)"
 
 if [ -n "$cf_ips" ] && [ "$(echo "$cf_ips" | jq -r '.success//""')" = "true" ]; then
 	cf_inc="/etc/nginx/conf.d/cloudflare.inc"
@@ -1518,7 +1537,7 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
-	update-rc.d vsftpd defaults
+	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
 fi
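Review bot: The sed address in the 20.04 branch, `/^oid_section		= new_oids$/`, embeds two literal tab characters, so it matches only if the distribution's openssl.cnf uses exactly that whitespace; if it does not, `openssl_conf = default_conf` is never inserted, no error is raised, and the `[default_conf]` block appended further down is never referenced, leaving the TLS 1.3 settings silently inactive. A whitespace-tolerant address such as `/^oid_section[[:space:]]*=[[:space:]]*new_oids$/`, followed by re-running the grep and printing a warning when the line is still absent, would make that failure visible. The block is also not idempotent: on 22.04 the `sed ... /a` runs unconditionally, and on 20.04 the `elif` branch fires again on every run because the `system_default = system_default_sect` line it keys on is never removed, so each execution appends another `system_default = hestia_openssl_sect`.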

+ 1 - 0
install/rpm/exim/exim.conf

@@ -61,6 +61,7 @@ tls_privatekey = \
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
+tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
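Review bot: The `tls_require_ciphers` value added here is a GnuTLS priority string (`PERFORMANCE`, `-VERS-ALL`, `%SERVER_PRECEDENCE`), but the Exim packages on RPM-based distributions are, to my knowledge, built against OpenSSL, and an OpenSSL build passes this string to the OpenSSL cipher-list parser where it is not valid — the likely outcome is that every TLS handshake fails rather than a tightened configuration. Before merging, confirm which TLS library `exim -bV` reports on the target; for an OpenSSL build the directive takes an OpenSSL cipher list (the same string the commit uses for Dovecot and nginx would do) and the protocol floor is set separately via `openssl_options`. If the RPM build really is GnuTLS-linked, a comment next to the directive recording that would document the assumption.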

+ 95 - 108
install/rpm/nginx/nginx.conf

@@ -4,6 +4,7 @@ worker_processes     auto;
 worker_rlimit_nofile 65535;
 error_log            /var/log/nginx/error.log;
 pid                  /run/nginx.pid;
+include              /etc/nginx/modules-enabled/*.conf;
 
 # Worker config
 events {
@@ -14,114 +15,100 @@ events {
 
 http {
 	# Main settings
-	sendfile                      on;
-	tcp_nopush                    on;
-	tcp_nodelay                   on;
-	client_header_timeout         180s;
-	client_body_timeout           180s;
-	client_header_buffer_size     2k;
-	client_body_buffer_size       256k;
-	client_max_body_size          256m;
-	large_client_header_buffers   4 8k;
-	send_timeout                  60s;
-	keepalive_timeout             30s;
-	keepalive_requests            100000;
-	reset_timedout_connection     on;
-	server_tokens                 off;
-	server_name_in_redirect       off;
-	server_names_hash_max_size    512;
-	server_names_hash_bucket_size 512;
-	charset                       utf-8;
+	sendfile                        on;
+	tcp_nopush                      on;
+	tcp_nodelay                     on;
+	client_header_timeout           180s;
+	client_body_timeout             180s;
+	client_header_buffer_size       2k;
+	client_body_buffer_size         256k;
+	client_max_body_size            1024m;
+	large_client_header_buffers     4 8k;
+	send_timeout                    60s;
+	keepalive_timeout               30s;
+	keepalive_requests              10000;
+	reset_timedout_connection       on;
+	server_tokens                   off;
+	server_name_in_redirect         off;
+	server_names_hash_max_size      512;
+	server_names_hash_bucket_size   512;
+	charset                         utf-8;
 	# FastCGI settings
-	fastcgi_buffers               8 256k;
-	fastcgi_buffer_size           256k;
-	fastcgi_busy_buffers_size     256k;
-	fastcgi_temp_file_write_size  256k;
-	fastcgi_connect_timeout       30s;
-	fastcgi_read_timeout          300s;
-	fastcgi_send_timeout          180s;
-	fastcgi_cache_lock            on;
-	fastcgi_cache_lock_timeout    5s;
+	fastcgi_buffers                 512 4k;
+	fastcgi_buffer_size             256k;
+	fastcgi_busy_buffers_size       256k;
+	fastcgi_temp_file_write_size    256k;
+	fastcgi_connect_timeout         30s;
+	fastcgi_read_timeout            300s;
+	fastcgi_send_timeout            180s;
+	fastcgi_cache_lock              on;
+	fastcgi_cache_lock_timeout      5s;
+	fastcgi_cache_background_update on;
+	fastcgi_cache_revalidate        on;
 	# Proxy settings
-	proxy_redirect                off;
-	proxy_set_header              Host $host;
-	proxy_set_header              X-Real-IP $remote_addr;
-	proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_pass_header             Set-Cookie;
-	proxy_buffers                 32 4k;
-	proxy_buffer_size             8k;
-	proxy_connect_timeout         30s;
-	proxy_read_timeout            300s;
-	proxy_send_timeout            180s;
+	proxy_redirect                  off;
+	proxy_set_header                Host $host;
+	proxy_set_header                X-Real-IP $remote_addr;
+	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+	proxy_pass_header               Set-Cookie;
+	proxy_buffers                   256 4k;
+	proxy_buffer_size               32k;
+	proxy_busy_buffers_size         32k;
+	proxy_temp_file_write_size      256k;
+	proxy_connect_timeout           30s;
+	proxy_read_timeout              300s;
+	proxy_send_timeout              180s;
 	# Log format
-	log_format                    main '$remote_addr - $remote_user [$time_local] $request '
-	  '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
-	log_format                    bytes '$body_bytes_sent';
-	log_not_found                 off;
-	access_log                    off;
+	log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+	log_format                      bytes '$body_bytes_sent';
+	log_not_found                   off;
+	access_log                      off;
 	# Mime settings
-	include                       /etc/nginx/mime.types;
-	default_type                  application/octet-stream;
+	include                         /etc/nginx/mime.types;
+	default_type                    application/octet-stream;
 	# Compression
-	gzip                          on;
-	gzip_static                   on;
-	gzip_vary                     on;
-	gzip_comp_level               6;
-	gzip_min_length               1024;
-	gzip_buffers                  16 8k;
-	gzip_http_version             1.1;
-	gzip_types                    text/plain text/css text/javascript text/js text/xml
-	  application/json application/javascript application/x-javascript application/xml
-	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
-	gzip_proxied                  any;
-	gzip_disable                  "MSIE [1-6]\.";
-	# Cloudflare https://www.cloudflare.com/ips
-	set_real_ip_from              103.21.244.0/22;
-	set_real_ip_from              103.22.200.0/22;
-	set_real_ip_from              103.31.4.0/22;
-	set_real_ip_from              104.16.0.0/12;
-	set_real_ip_from              108.162.192.0/18;
-	set_real_ip_from              131.0.72.0/22;
-	set_real_ip_from              141.101.64.0/18;
-	set_real_ip_from              162.158.0.0/15;
-	set_real_ip_from              172.64.0.0/13;
-	set_real_ip_from              173.245.48.0/20;
-	set_real_ip_from              188.114.96.0/20;
-	set_real_ip_from              190.93.240.0/20;
-	set_real_ip_from              197.234.240.0/22;
-	set_real_ip_from              198.41.128.0/17;
-	#set_real_ip_from  2400:cb00::/32;
-	#set_real_ip_from  2405:b500::/32;
-	#set_real_ip_from  2606:4700::/32;
-	#set_real_ip_from  2803:f800::/32;
-	#set_real_ip_from  2c0f:f248::/32;
-	#set_real_ip_from  2a06:98c0::/29;
-	real_ip_header                CF-Connecting-IP;
+	gzip                            on;
+	gzip_vary                       on;
+	gzip_static                     on;
+	gzip_comp_level                 6;
+	gzip_min_length                 1024;
+	gzip_buffers                    128 4k;
+	gzip_http_version               1.1;
+	gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
+	gzip_proxied                    any;
+	# Cloudflare IPs
+	include                         /etc/nginx/conf.d/cloudflare.inc;
 	# SSL PCI compliance
-	ssl_session_cache             shared:SSL:20m;
-	ssl_session_timeout           60m;
-	ssl_buffer_size               1400;
-	ssl_protocols                 TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers     on;
-	ssl_ciphers                   "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
-	ssl_dhparam                   /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve                secp384r1;
-	ssl_session_tickets           off;
-	resolver                      1.1.1.1 8.8.8.8 valid=300s ipv6=off;
-	resolver_timeout              5s;
+	ssl_buffer_size                 1369;
+	ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
+	ssl_dhparam                     /etc/ssl/dhparam.pem;
+	ssl_early_data                  on;
+	ssl_ecdh_curve                  auto;
+	ssl_prefer_server_ciphers       on;
+	ssl_protocols                   TLSv1.2 TLSv1.3;
+	ssl_session_cache               shared:SSL:20m;
+	ssl_session_tickets             on;
+	ssl_session_timeout             7d;
+	resolver                        1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
+	resolver_timeout                5s;
 	# Error pages
-	error_page                    403 /error/404.html;
-	error_page                    404 /error/404.html;
-	error_page                    410 /error/410.html;
-	error_page                    500 501 502 503 504 505 /error/50x.html;
-	# Cache settings
-	proxy_cache_path              /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m
-	  max_size=1024m;
-	proxy_cache_key               "$host$request_uri $cookie_user";
-	proxy_temp_path               /var/cache/nginx/temp;
-	proxy_ignore_headers          Expires Cache-Control;
-	proxy_cache_use_stale         error timeout invalid_header http_502;
-	proxy_cache_valid             any 1d;
+	error_page                      403 /error/404.html;
+	error_page                      404 /error/404.html;
+	error_page                      410 /error/410.html;
+	error_page                      500 501 502 503 504 505 /error/50x.html;
+	# Proxy cache
+	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
+	proxy_cache_key                 "$scheme$request_method$host$request_uri";
+	proxy_temp_path                 /var/cache/nginx/temp;
+	proxy_ignore_headers            Cache-Control Expires;
+	proxy_cache_use_stale           error timeout invalid_header updating http_502;
+	proxy_cache_valid               any 1d;
+	# FastCGI cache
+	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
+	fastcgi_cache_key               "$scheme$request_method$host$request_uri";
+	fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
+	fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
+	add_header                      X-FastCGI-Cache $upstream_cache_status;
 
 	# Cache bypass
 	map $http_cookie $no_cache {
@@ -131,11 +118,11 @@ http {
 	}
 
 	# File cache (static assets)
-	open_file_cache               max=10000 inactive=30s;
-	open_file_cache_valid         60s;
-	open_file_cache_min_uses      2;
-	open_file_cache_errors        off;
+	open_file_cache                 max=10000 inactive=30s;
+	open_file_cache_valid           60s;
+	open_file_cache_min_uses        2;
+	open_file_cache_errors          off;
 	# Wildcard include
-	include                       /etc/nginx/conf.d/*.conf;
-	include                       /etc/nginx/conf.d/domains/*.conf;
-}
+	include                         /etc/nginx/conf.d/*.conf;
+	include                         /etc/nginx/conf.d/domains/*.conf;
+}

+ 2 - 0
install/rpm/proftpd/proftpd.conf

@@ -4,6 +4,8 @@ ServerAdmin                     root@localhost
 DefaultServer                   on
 DefaultRoot                  ~ !adm
 
+Include /etc/proftpd/tls.conf
+
 <IfModule mod_vroot.c>
     VRootEngine                 on
     VRootAlias                  /etc/security/pam_env.conf etc/security/pam_env.conf

+ 65 - 0
install/rpm/proftpd/tls.conf

@@ -0,0 +1,65 @@
+#
+# Proftpd sample configuration for FTPS connections.
+#
+# Note that FTPS impose some limitations in NAT traversing.
+# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
+# for more information.
+#
+<IfModule mod_dso.c>
+    # If mod_tls was built as a shared/DSO module, load it
+    LoadModule mod_tls.c
+</IfModule>
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
+TLSCipherSuite                          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
+TLSProtocol                             TLSv1.2 TLSv1.3
+TLSServerCipherPreference               on
+#
+# Server SSL certificate. You can generate a self-signed certificate using
+# a command like:
+#
+# openssl req -x509 -newkey rsa:1024 \
+#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
+#          -nodes -days 365
+#
+# The proftpd.key file must be readable by root only. The other file can be
+# readable by anyone.
+#
+# chmod 0600 /etc/ssl/private/proftpd.key
+# chmod 0640 /etc/ssl/private/proftpd.key
+#
+TLSRSACertificateFile                   /usr/local/hestia/ssl/certificate.crt
+TLSRSACertificateKeyFile                /usr/local/hestia/ssl/certificate.key
+#
+# CA the server trusts...
+#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
+# ...or avoid CA cert and be verbose
+#TLSOptions                      NoCertRequest EnableDiags
+# ... or the same with relaxed session use for some clients (e.g. FireFtp)
+#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
+#
+#
+# Per default drop connection if client tries to start a renegotiate
+# This is a fix for CVE-2009-3555 but could break some clients.
+#
+#TLSOptions                      AllowClientRenegotiations
+#
+TLSOptions                      NoSessionReuseRequired AllowClientRenegotiations
+# Authenticate clients that want to use FTP over TLS?
+#
+#TLSVerifyClient                         off
+#
+# Are clients required to use FTP over TLS when talking to this server?
+#
+TLSRequired                             off
+#
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+TLSRenegotiate                          required off
+</IfModule>

+ 2 - 2
install/rpm/vsftpd/vsftpd.conf

@@ -31,10 +31,10 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=HIGH
-ssl_tlsv1=NO
+ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
 ssl_sslv2=NO
 ssl_sslv3=NO
+ssl_tlsv1=NO
 force_local_data_ssl=NO
 force_local_logins_ssl=NO
 rsa_cert_file=/usr/local/hestia/ssl/certificate.crt

+ 119 - 2
install/upgrade/versions/1.8.0.sh


+ 3 - 3
src/deb/hestia/postinst

@@ -83,16 +83,16 @@ upgrade_rainloop | tee -a $LOG
 # Upgrade Roundcube if applicable
 upgrade_roundcube | tee -a $LOG
 
-# Upgrade PHP php dependencies
+# Upgrade PHP dependencies
 upgrade_dependencies | tee -a $LOG
 
-# Upgrade Cloudflare IPs if applicable
+# Update Cloudflare IPs if applicable
 upgrade_cloudflare_ip | tee -a $LOG
 
 # Upgrade phpMyAdmin if applicable
 upgrade_phpmyadmin | tee -a $LOG
 
-# Upgrade phpMyAdmin if applicable
+# Upgrade phpPgAdmin if applicable
 upgrade_phppgadmin | tee -a $LOG
 
 # Upgrade blackblaze-cli-took if applicable

+ 38 - 38
src/deb/nginx/nginx.conf

@@ -4,6 +4,7 @@ worker_processes     1;
 worker_rlimit_nofile 65535;
 error_log            /var/log/hestia/nginx-error.log;
 pid                  /run/hestia-nginx.pid;
+pcre_jit             on;
 
 # Worker config
 events {
@@ -21,11 +22,11 @@ http {
 	client_body_timeout           180s;
 	client_header_buffer_size     2k;
 	client_body_buffer_size       256k;
-	client_max_body_size          256m;
+	client_max_body_size          1024m;
 	large_client_header_buffers   4 8k;
 	send_timeout                  60s;
 	keepalive_timeout             30s;
-	keepalive_requests            100000;
+	keepalive_requests            10000;
 	reset_timedout_connection     on;
 	server_tokens                 off;
 	server_name_in_redirect       off;
@@ -33,7 +34,7 @@ http {
 	server_names_hash_bucket_size 512;
 	charset                       utf-8;
 	# FastCGI settings
-	fastcgi_buffers               8 256k;
+	fastcgi_buffers               512 4k;
 	fastcgi_buffer_size           256k;
 	fastcgi_busy_buffers_size     256k;
 	fastcgi_temp_file_write_size  256k;
@@ -46,48 +47,48 @@ http {
 	proxy_set_header              X-Real-IP $remote_addr;
 	proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_pass_header             Set-Cookie;
-	proxy_buffers                 32 4k;
-	proxy_buffer_size             8k;
+	proxy_buffers                 256 4k;
+	proxy_buffer_size             32k;
+	proxy_busy_buffers_size       32k;
+	proxy_temp_file_write_size    256k;
 	proxy_connect_timeout         30s;
 	proxy_read_timeout            300s;
 	proxy_send_timeout            180s;
 	# Log format
-	log_format                    main '$remote_addr - $remote_user [$time_local] $request '
-	  '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
-	log_format                    bytes '$body_bytes_sent';
+	log_format                    main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 	access_log                    /var/log/hestia/nginx-access.log main;
 	# Mime settings
-	include                       /usr/local/hestia/nginx/conf/mime.types;
+	include                       mime.types;
 	default_type                  application/octet-stream;
 	# Compression
 	gzip                          on;
 	gzip_vary                     on;
 	gzip_comp_level               6;
 	gzip_min_length               1024;
-	gzip_buffers                  16 8k;
+	gzip_buffers                  128 4k;
 	gzip_http_version             1.1;
-	gzip_types                    text/plain text/css text/javascript text/js text/xml
-	  application/json application/javascript application/x-javascript application/xml
-	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
+	gzip_types                    text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
 	gzip_proxied                  any;
-	gzip_disable                  "MSIE [1-6]\.";
 	# SSL PCI compliance
-	ssl_session_cache             shared:SSL:10m;
-	ssl_session_timeout           60m;
-	ssl_buffer_size               1400;
-	ssl_protocols                 TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers     on;
-	ssl_ciphers                   "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+	ssl_buffer_size               1369;
+	ssl_ciphers                   "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
+	ssl_conf_command              Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
+	ssl_conf_command              Options PrioritizeChaCha;
 	ssl_dhparam                   /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve                secp384r1;
-	# ssl_reject_handshake on;
-	ssl_session_tickets           off;
-	resolver                      1.1.1.1 8.8.8.8 valid=300s ipv6=off;
-	resolver_timeout              5s;
+	ssl_early_data                on;
+	ssl_ecdh_curve                auto;
+	ssl_prefer_server_ciphers     on;
+	ssl_protocols                 TLSv1.2 TLSv1.3;
+	ssl_session_cache             shared:SSL:10m;
+	ssl_session_tickets           on;
+	ssl_session_timeout           7d;
 	ssl_stapling                  on;
 	ssl_stapling_verify           on;
-	add_header                    X-Frame-Options SAMEORIGIN;
+	resolver                      1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
+	resolver_timeout              5s;
+	# Security headers
 	add_header                    X-Content-Type-Options nosniff;
+	add_header                    X-Frame-Options SAMEORIGIN;
 	add_header                    X-XSS-Protection "1; mode=block";
 
 	# Vhost
@@ -107,22 +108,22 @@ http {
 
 		location / {
 			expires off;
-			index   index.php;
+			index index.php;
 		}
 
 		location /error/ {
-			expires  off;
-			internal ;
+			expires off;
+			internal;
 		}
 
 		location /rrd/ {
-			expires  off;
-			internal ;
+			expires off;
+			internal;
 		}
 
 		location /backup/ {
-			root     /;
-			internal ;
+			root /;
+			internal;
 		}
 
 		location /fm/ {
@@ -131,20 +132,19 @@ http {
 
 			location ~ /([^/]+\.php)$ {
 				try_files     /$1 =404;
-				fastcgi_pass  unix:/run/hestia-php.sock;
-				fastcgi_index index.php;
 				include       fastcgi_params;
 				fastcgi_param SCRIPT_FILENAME /usr/local/hestia/web/fm/dist/index.php;
+				fastcgi_pass  unix:/run/hestia-php.sock;
+				fastcgi_index index.php;
 			}
 		}
 
 		location ~ \.php$ {
-			include                  /usr/local/hestia/nginx/conf/fastcgi_params;
+			include                  fastcgi_params;
 			fastcgi_param            SCRIPT_FILENAME /usr/local/hestia/web/$fastcgi_script_name;
-			fastcgi_param            QUERY_STRING $query_string;
 			fastcgi_pass             unix:/run/hestia-php.sock;
 			fastcgi_intercept_errors on;
-			break                    ;
+			break;
 		}
 	}
 }
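Review bot: `ssl_early_data on;` in the `@@ -46,48 +47,48 @@` hunk enables TLS 1.3 0-RTT for the control-panel vhost, but nothing tells the PHP backend when a request arrived as replayable early data: the `location ~ \.php$` block passes to `unix:/run/hestia-php.sock` without exposing `$ssl_early_data`, so a recorded 0-RTT request can be replayed against state-changing panel actions. Either leave early data off for this vhost (an admin panel gains little from the saved round trip) or add `fastcgi_param HTTP_EARLY_DATA $ssl_early_data;` to both fastcgi locations and have the application refuse non-idempotent requests when it is "1" (the RFC 8470 pattern); the same applies to src/rpm/nginx/nginx.conf in this commit. Separately, `ssl_session_tickets on;` together with `ssl_session_timeout 7d;` means resumed sessions rest on nginx's in-process ticket key, which to my knowledge is only regenerated on reload or restart, so a short comment recording that trade-off (or a shorter timeout) would help the next maintainer.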

+ 5 - 2
src/rpm/hestia/hestia.spec

@@ -108,11 +108,14 @@ if [ -e "/usr/local/hestia/data/users/admin" ]; then
     # Upgrade PHPMailer if applicable
     upgrade_phpmailer | tee -a $LOG
 
+    # Update Cloudflare IPs if applicable
+    upgrade_cloudflare_ip | tee -a $LOG
+
     # Upgrade phpMyAdmin if applicable
     upgrade_phpmyadmin | tee -a $LOG
 
-	# Upgrade phpMyAdmin if applicable
-	upgrade_phppgadmin | tee -a $LOG
+    # Upgrade phpPgAdmin if applicable
+    upgrade_phppgadmin | tee -a $LOG
 
     # Upgrade blackblaze-cli-took if applicable
     upgrade_b2_tool | tee -a $LOG

+ 47 - 38
src/rpm/nginx/nginx.conf

@@ -2,8 +2,9 @@
 user                 admin;
 worker_processes     1;
 worker_rlimit_nofile 65535;
-error_log            /usr/local/hestia/log/nginx-error.log;
+error_log            /var/log/hestia/nginx-error.log;
 pid                  /run/hestia-nginx.pid;
+pcre_jit             on;
 
 # Worker config
 events {
@@ -21,11 +22,11 @@ http {
 	client_body_timeout           180s;
 	client_header_buffer_size     2k;
 	client_body_buffer_size       256k;
-	client_max_body_size          256m;
+	client_max_body_size          1024m;
 	large_client_header_buffers   4 8k;
 	send_timeout                  60s;
 	keepalive_timeout             30s;
-	keepalive_requests            100000;
+	keepalive_requests            10000;
 	reset_timedout_connection     on;
 	server_tokens                 off;
 	server_name_in_redirect       off;
@@ -33,7 +34,7 @@ http {
 	server_names_hash_bucket_size 512;
 	charset                       utf-8;
 	# FastCGI settings
-	fastcgi_buffers               8 256k;
+	fastcgi_buffers               512 4k;
 	fastcgi_buffer_size           256k;
 	fastcgi_busy_buffers_size     256k;
 	fastcgi_temp_file_write_size  256k;
@@ -46,47 +47,48 @@ http {
 	proxy_set_header              X-Real-IP $remote_addr;
 	proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_pass_header             Set-Cookie;
-	proxy_buffers                 32 4k;
-	proxy_buffer_size             8k;
+	proxy_buffers                 256 4k;
+	proxy_buffer_size             32k;
+	proxy_busy_buffers_size       32k;
+	proxy_temp_file_write_size    256k;
 	proxy_connect_timeout         30s;
 	proxy_read_timeout            300s;
 	proxy_send_timeout            180s;
 	# Log format
-	log_format                    main '$remote_addr - $remote_user [$time_local] $request '
-	  '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
-	log_format                    bytes '$body_bytes_sent';
-	access_log                    /usr/local/hestia/log/nginx-access.log main;
+	log_format                    main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+	access_log                    /var/log/hestia/nginx-access.log main;
 	# Mime settings
-	include                       /usr/local/hestia/nginx/conf/mime.types;
+	include                       mime.types;
 	default_type                  application/octet-stream;
 	# Compression
 	gzip                          on;
 	gzip_vary                     on;
 	gzip_comp_level               6;
 	gzip_min_length               1024;
-	gzip_buffers                  16 8k;
+	gzip_buffers                  128 4k;
 	gzip_http_version             1.1;
-	gzip_types                    text/plain text/css text/javascript text/js text/xml
-	  application/json application/javascript application/x-javascript application/xml
-	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
+	gzip_types                    text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
 	gzip_proxied                  any;
-	gzip_disable                  "MSIE [1-6]\.";
 	# SSL PCI compliance
-	ssl_session_cache             shared:SSL:10m;
-	ssl_session_timeout           60m;
-	ssl_buffer_size               1400;
-	ssl_protocols                 TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers     on;
-	ssl_ciphers                   "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+	ssl_buffer_size               1369;
+	ssl_ciphers                   "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
+	ssl_conf_command              Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
+	ssl_conf_command              Options PrioritizeChaCha;
 	ssl_dhparam                   /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve                secp384r1;
-	ssl_session_tickets           off;
-	resolver                      1.1.1.1 8.8.8.8 valid=300s ipv6=off;
-	resolver_timeout              5s;
+	ssl_early_data                on;
+	ssl_ecdh_curve                auto;
+	ssl_prefer_server_ciphers     on;
+	ssl_protocols                 TLSv1.2 TLSv1.3;
+	ssl_session_cache             shared:SSL:10m;
+	ssl_session_tickets           on;
+	ssl_session_timeout           7d;
 	ssl_stapling                  on;
 	ssl_stapling_verify           on;
-	add_header                    X-Frame-Options SAMEORIGIN;
+	resolver                      1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
+	resolver_timeout              5s;
+	# Security headers
 	add_header                    X-Content-Type-Options nosniff;
+	add_header                    X-Frame-Options SAMEORIGIN;
 	add_header                    X-XSS-Protection "1; mode=block";
 
 	# Vhost
@@ -105,36 +107,43 @@ http {
 
 		location / {
 			expires off;
-			index   index.php;
+			index index.php;
 		}
 
 		location /error/ {
-			expires  off;
-			internal ;
+			expires off;
+			internal;
 		}
 
 		location /rrd/ {
-			expires  off;
-			internal ;
+			expires off;
+			internal;
 		}
 
 		location /backup/ {
-			root     /;
-			internal ;
+			root /;
+			internal;
 		}
 
 		location /fm/ {
 			alias /usr/local/hestia/web/fm/dist/;
 			index index.php;
+
+			location ~ /([^/]+\.php)$ {
+				try_files     /$1 =404;
+				include       fastcgi_params;
+				fastcgi_param SCRIPT_FILENAME /usr/local/hestia/web/fm/dist/index.php;
+				fastcgi_pass  unix:/run/hestia-php.sock;
+				fastcgi_index index.php;
+			}
 		}
 
 		location ~ \.php$ {
-			include                  /usr/local/hestia/nginx/conf/fastcgi_params;
+			include                  fastcgi_params;
 			fastcgi_param            SCRIPT_FILENAME /usr/local/hestia/web/$fastcgi_script_name;
-			fastcgi_param            QUERY_STRING $query_string;
 			fastcgi_pass             unix:/run/hestia-php.sock;
 			fastcgi_intercept_errors on;
-			break                    ;
+			break;
 		}
 	}
-}
+}
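Review bot: In the new nested `location ~ /([^/]+\.php)$` block under `location /fm/` (hunk `@@ -105,36 +107,43 @@`), `try_files /$1 =404;` uses a path beginning with `/`, which nginx appears to resolve against the inherited `root` rather than the `/usr/local/hestia/web/fm/dist/` alias, so the existence check may be testing `<root>/<name>.php` instead of a file in the file-manager directory — worth confirming, since `fastcgi_param SCRIPT_FILENAME` is then hard-coded to `index.php` whichever script name matched. If the intent is only to route every `/fm/*.php` request to the file-manager front controller, state that in a comment and drop the check; if a real file check is intended, verify the path it actually tests. The same block already exists in src/deb/nginx/nginx.conf (context lines there), so any correction applies to both templates.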
