
Merge pull request #486 from hestiacp/bugfixes-1.0.2

Additional bug fixes for 1.0.2 hotfix release.
Kristan Kenney 6 years ago
parent
commit
d7edfdfddb

+ 5 - 3
bin/v-change-sys-webmail

@@ -26,7 +26,7 @@ NEW_ALIAS=$1
 
 # Delete old webmail configuration
 for user in `ls /usr/local/hestia/data/users/`; do
-    for domain in $($BIN/v-list-web-domains $user plain |cut -f 1); do
+    for domain in $($BIN/v-list-mail-domains $user plain |cut -f 1); do
         $BIN/v-delete-sys-webmail $user $domain
     done
 done
@@ -35,13 +35,15 @@ done
 $BIN/v-change-sys-config-value 'WEBMAIL_ALIAS' $NEW_ALIAS
 
 for user in `ls /usr/local/hestia/data/users/`; do
-    for domain in $($BIN/v-list-web-domains $user plain |cut -f 1); do
+    for domain in $($BIN/v-list-mail-domains $user plain |cut -f 1); do
         $BIN/v-add-sys-webmail $user $domain
     done
 done
 
 # Update global directory alias configuration
-sed -i "s|Alias \/$OLD_ALIAS|Alias \/$NEW_ALIAS|gI" /etc/apache2/conf.d/roundcube.conf
+if [ "$WEB_SYSTEM" = 'apache2' ]; then
+    sed -i "s|Alias \/$OLD_ALIAS|Alias \/$NEW_ALIAS|gI" /etc/apache2/conf.d/roundcube.conf
+fi
 sed -i "s|location \/$OLD_ALIAS|location \/$NEW_ALIAS|gI" /etc/nginx/conf.d/webmail.inc
 
 #----------------------------------------------------------#
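Review bot: The new `if [ "$WEB_SYSTEM" = 'apache2' ]` block still interpolates `$OLD_ALIAS` and `$NEW_ALIAS` into a `sed -i` expression delimited by `|`, and `NEW_ALIAS=$1` comes straight from the caller, so unless the alias is validated before this hunk a value containing `|` or `&` changes the substitution instead of being substituted. The guard also only covers the apache file: the nginx `sed -i` on `/etc/nginx/conf.d/webmail.inc` on the following line runs unconditionally and errors when that file is absent, e.g. `[ -f /etc/nginx/conf.d/webmail.inc ] && sed -i "s|location \/$OLD_ALIAS|location \/$NEW_ALIAS|gI" /etc/nginx/conf.d/webmail.inc`. The rewritten inner loops pass `$user` and `$domain` unquoted; quoting them (`"$user" "$domain"`) costs nothing here.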

+ 1 - 1
bin/v-list-sys-services

@@ -271,7 +271,7 @@ if [ ! -z "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != 'remote' ]; then
         state="running"
     fi
     data="$data\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
-    data="$data STATE='$state' CPU='0' MEM='0' RTIME='0'"
+    data="$data STATE='$state' CPU='0' MEM='0' RTIME='$rtime'"
 fi
 
 # Checking FIREWALL Fail2ban extention
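Review bot: `RTIME='$rtime'` on the new line reads a variable that is not assigned anywhere in this hunk; if `rtime` is computed per service earlier in the script, the firewall row now reports the runtime of whichever service was processed last rather than its own. Either compute it for the firewall next to where `state` is set (just above the hunk) or reset `rtime` before this block so the value cannot leak across entries. The enclosing `if` starts outside the hunk.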

+ 1 - 17
bin/v-update-dns-templates

@@ -16,29 +16,13 @@ restart=$1
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
-# Detect OS
-case $(head -n1 /etc/issue | cut -f 1 -d ' ') in
-    Debian)     type="debian" ;;
-    Ubuntu)     type="ubuntu" ;;
-    *)          type="NoSupport" ;;
-esac
-
-# Detect version
-if [ "$type" = "ubuntu" ] || [ "$type" = "debian" ]; then
-    type="deb"
-else
-    echo "Error: can't detect supported os"
-    log_event "$E_NOTEXIST"
-    exit $E_NOTEXIST
-fi
-
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
 # Update templates
-cp -rf $HESTIA/install/$type/templates/dns $HESTIA/data/templates/
+cp -rf $HESTIA/install/deb/templates/dns $HESTIA/data/templates/
 
 
 #----------------------------------------------------------#
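Review bot: Removing the OS detection also removes this script's only failure path: `cp -rf $HESTIA/install/deb/templates/dns $HESTIA/data/templates/` now runs unconditionally and its status is never checked, so on a host without the `install/deb` tree the script exits 0 having copied nothing. Add a result check after the copy, e.g. `check_result $? "unable to copy DNS templates"` as the installers do, or at least `|| exit 1`, and quote the two paths. The same change with the same gap is made in bin/v-update-mail-templates and bin/v-update-web-templates.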

+ 5 - 0
bin/v-update-host-certificate

@@ -69,6 +69,11 @@ if [[ "$MAIL_SYSTEM" =~ exim ]]; then
     chown $exim_user:mail $HESTIA/ssl/certificate.key
 fi
 
+# Add UPDATE_HOSTNAME_SSL if not exist
+if [ -z "$UPDATE_HOSTNAME_SSL" ]; then
+    echo "UPDATE_HOSTNAME_SSL='yes'" >> $HESTIA/conf/hestia.conf
+fi
+
 # Restart services
 $BIN/v-restart-web
 $BIN/v-restart-proxy
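Review bot: The new guard tests the shell variable `$UPDATE_HOSTNAME_SSL`, not the config file, so if hestia.conf already carries `UPDATE_HOSTNAME_SSL=''` (or the file was not sourced into this run) the `>>` appends a second copy of the key. Check the file instead, e.g. `if ! grep -q "^UPDATE_HOSTNAME_SSL=" $HESTIA/conf/hestia.conf; then`, or use the existing in-place helper seen in bin/v-change-sys-webmail: `$BIN/v-change-sys-config-value 'UPDATE_HOSTNAME_SSL' 'yes'`. The comment `# Add UPDATE_HOSTNAME_SSL if not exist` would then describe what the code actually checks.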

+ 1 - 17
bin/v-update-mail-templates

@@ -16,29 +16,13 @@ restart=$1
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
-# Detect OS
-case $(head -n1 /etc/issue | cut -f 1 -d ' ') in
-    Debian)     type="debian" ;;
-    Ubuntu)     type="ubuntu" ;;
-    *)          type="NoSupport" ;;
-esac
-
-# Detect version
-if [ "$type" = "ubuntu" ] || [ "$type" = "debian" ]; then
-    type="deb"
-else
-    echo "Error: can't detect supported os"
-    log_event "$E_NOTEXIST"
-    exit $E_NOTEXIST
-fi
-
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
 # Update templates
-cp -rf $HESTIA/install/$type/templates/mail $HESTIA/data/templates/
+cp -rf $HESTIA/install/deb/templates/mail $HESTIA/data/templates/
 
 # Rebuild mail domains if mail services are enabled
 if [ ! -z $MAIL_SYSTEM ]; then

+ 3 - 19
bin/v-update-web-templates

@@ -16,22 +16,6 @@ restart=$1
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
-# Detect OS
-case $(head -n1 /etc/issue | cut -f 1 -d ' ') in
-    Debian)     type="debian" ;;
-    Ubuntu)     type="ubuntu" ;;
-    *)          type="NoSupport" ;;
-esac
-
-# Detect version
-if [ "$type" = "ubuntu" ] || [ "$type" = "debian" ]; then
-    type="deb"
-else
-    echo "Error: can't detect supported os"
-    log_event "$E_NOTEXIST"
-    exit $E_NOTEXIST
-fi
-
 if [ -z "$WEB_SYSTEM" ]; then
     echo "Error: Missing Web System"
     log_event "$E_ARGS"
@@ -51,7 +35,7 @@ if [ -d "${HST_WEBTEMPLATES}" ]; then
     rm -rf "${HST_WEBTEMPLATES}/unassigned" 2>/dev/null
 fi
 
-for webtpl_folder in $(ls $HESTIA/install/$type/templates/web/* -d 2>/dev/null | egrep -v '/(nginx)$' ); do
+for webtpl_folder in $(ls $HESTIA/install/deb/templates/web/* -d 2>/dev/null | egrep -v '/(nginx)$' ); do
     cp -rf "${webtpl_folder}" "${HST_WEBTEMPLATES}/"
 done
 
@@ -65,7 +49,7 @@ if [ "$php_versions" -gt 1 ]; then
             continue
         fi
         v_tpl=$(echo "$v" | sed -e 's/[.]//')
-        cp -f "$HESTIA/install/$type/multiphp/${WEB_SYSTEM}/PHP-${v_tpl}".* "${HST_WEBTEMPLATES}/${WEB_SYSTEM}/"
+        cp -f "$HESTIA/install/deb/multiphp/${WEB_SYSTEM}/PHP-${v_tpl}".* "${HST_WEBTEMPLATES}/${WEB_SYSTEM}/"
     done
     chmod a+x "${HST_WEBTEMPLATES}/${WEB_SYSTEM}/"*.sh 2> /dev/null
 
@@ -78,7 +62,7 @@ if [ "$php_versions" -gt 1 ]; then
 fi
 
 if [ "$PROXY_SYSTEM" = 'nginx' ] || [ "$php_versions" -le 1 ]; then
-    cp -rf "${HESTIA}/install/${type}/templates/web/nginx" "${HST_WEBTEMPLATES}/"
+    cp -rf "${HESTIA}/install/deb/templates/web/nginx" "${HST_WEBTEMPLATES}/"
 fi
 
 # Rebuilding web domains
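Review bot: The rewritten `for webtpl_folder in $(ls $HESTIA/install/deb/templates/web/* -d … | egrep -v …)` still iterates over parsed `ls` output with unquoted word-splitting, which breaks on any path containing whitespace and spawns two processes for a filter the shell can do itself. A glob loop does the same work: `for webtpl_folder in "$HESTIA"/install/deb/templates/web/*; do`, `[ "${webtpl_folder##*/}" = nginx ] && continue`, `cp -rf "${webtpl_folder}" "${HST_WEBTEMPLATES}/"`. The `2>/dev/null` on the `ls` currently hides a missing template directory; with the glob that case should be handled explicitly rather than silently.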

+ 8 - 0
install/deb/dovecot/conf.d/10-ssl.conf

@@ -1,5 +1,13 @@
 ssl = yes
 ssl_protocols = !SSLv3 !TLSv1
+ssl_prefer_server_ciphers = yes
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 ssl_cert = </usr/local/hestia/ssl/certificate.crt
 ssl_key = </usr/local/hestia/ssl/certificate.key
+
+# From and up to version 2.2
+ssl_dh_parameters_length = 4096
+
+# From version 2.3
+#ssl_dh = </etc/ssl/dhparam.pem
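Review bot: The `ssl_cipher_list` added here still contains the four `*DES-CBC3-SHA` (3DES, 64-bit block) suites and the non-forward-secret `AES*-SHA*` RSA key-exchange suites, so the "Hardening Dovecot SSL configuration" step in 1.0.2.sh does not actually remove weak ciphers; dropping the `DES-CBC3` entries (or appending `:!3DES`) would match the intent. The `ssl_dh = </etc/ssl/dhparam.pem` line is left commented while the file's own comments say `ssl_dh_parameters_length` applies only up to 2.2, so on a Dovecot 2.3 host the 4096-bit parameters this PR installs at `/etc/ssl/dhparam.pem` are not used by Dovecot at all; if any supported release ships 2.3, the upgrade script should enable that line conditionally. `ssl_protocols = !SSLv3 !TLSv1` (context) still admits TLSv1.1, which is worth aligning with the vsftpd change in this PR.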

+ 2 - 1
install/deb/nginx/webmail.inc

@@ -1,7 +1,8 @@
 location /webmail {
     alias /var/lib/roundcube/;
 
-    location ~ /(config|temp|logs) {
+    location ~ /(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING) {
+        deny all;
         return 404;
     }
 
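Review bot: The extended `location ~ /(README.md|config|temp|logs|bin|…)` regex is unanchored and leaves the `.` in `README.md` unescaped, so it also matches any URI that merely contains those substrings after a slash (a path component beginning with `temp…` or `bin…`, for instance), not just the listed directories and files; `location ~ /(README\.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)(/|$)` limits the match to the intended names. The added `deny all;` is never evaluated, because `return 404;` runs in the rewrite phase before the access phase, so one of the two lines can go. The same pattern is written into existing installs by the final `sed -i` of install/upgrade/versions/1.0.2.sh, which should be kept in step with whatever is chosen here.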

+ 12 - 12
install/deb/ssl/dhparam.pem

@@ -1,13 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA+tQGpIebOZgTRfzeJO8V08AKJxjIEPl+ks2s0kVcYEYn7XhoqV9p
-vMxYxSz+3gavaKD42tbxbru01MZhi6PAhvWZn1pUgdUFTDPv6Suq/zQuNvxEx/p4
-/TvfQ+6IqWcPFjGZb6lmnR4v592joEmTaps6Uqv2PDqCgZoeLDqVSsqWRotFbFWa
-mHCFU/5RsSyUAPhuH9lk0UOnK+rkQulppZsAKNLMUBSoNGg+OjYbvcRq8WMQIx8H
-Or8i9lZa12UFfr3ui5I7Y29aARh4M8WTtWKAxoDp6N8ENT3hXqgEm4cIVmHOgFDZ
-SvWvsV/6ghDpYIOgiatKauQPd2wXkZ/95yeO2JxyYS9rGK4a10QICsB/Jj5j/1i8
-yimrllUs5UW8BjmkRTYQPFtvZzrYUoSohSazz7r5Q7/K/Nh40Tb+SgGvQqMxTolL
-nTR2kP8DDpTIar/E2B1fDM+yk07hMmKlTOP+nFmJtcq61rM79kQfpsG4mxIX2sxR
-el6qP5ng8NQG648aL9OnaUgisLpz1ll6cL7rXHExxEiFgb667F+uKVYJ31d0KyBE
-6zrb7iIr5l1q+/vIxIu3QvOfH43+lAV/XHaNP1YvrCkTmkihBAeHt74x5uZRalg3
-3qci/XOL0h6i5YW3s7Yem1tqy04P2XYVfmfr4KzzNjOFAQwADKm7G3sCAQI=
------END DH PARAMETERS-----
+MIICCAKCAgEA7N3ZOcXgACR0Rat9G/7h8krD7ysVvmEmvAdg8o5l7eKVdtp/QSNK
+anF0JyInJMBEgq05GY7YwvFovglJL73T/eEjTK3qPU6eHzxNGKfR0pM6rnAb+EXL
+dSNJm3Xz9wH4IKn6OJ3nD9aLmBVI5FlIMV1R4QKX3sIWUxRqRSQIzjNQTnY1e/Pk
+BT/ZrUUF7fPPVbg0nPD8Y48ISr7pB6M14Kr66cggGIqUVdBdkPYyt4RpFWR1n3Tv
+rz1j0U+UoVnan2FgGsSiSFT9I/CiIxgC/SrdwxZLUgbAiKsnw9H7nGW92C4cRqY0
+2eKMVNEBk32GSPQXaA+Q5TILyzxuwDbXMxHMxnUVKQGFEcXjWXXyiv7tLAeu68Do
+j5iNFOHbDp17SftnxYHi2vTsYk+9K6Pzc+NmUgibM52Rs92PPYd++HcgMeGrYcqi
+temHP2jPtAymixch0wdqBMgeGTb29w51LR0BAU6D6BeR25pkZvPUag3bb6SU1Oli
+E15DDWh3UnmfTw2M9W1uxlzQAlXOLL6/ZWuvwyqhCY6X7tIONtSgdYGjtiTFaPJp
+ZBdOOrblodLxSu0ObR59SFjv8Pz3sTw4xiRFTG3lFtuIVHdBUbtJHR+2p4fHy/JG
+Ccs+Z1KrmJfEzSMzKwfvZYJ526demNulglFBbcQV06ehqjc6MCG3HnMCAQI=
+-----END DH PARAMETERS-----

+ 5 - 2
install/deb/templates/mail/nginx/default.stpl

@@ -1,13 +1,16 @@
 server {
     listen      %ip%:%proxy_ssl_port% ssl http2;
     server_name %domain% %alias%;
-    ssl_certificate     %ssl_pem%;
-    ssl_certificate_key %ssl_key%;
     root        /var/lib/roundcube;
     index       index.php index.html index.htm;
     access_log /var/log/nginx/domains/%domain%.log combined;
     error_log  /var/log/nginx/domains/%domain%.error.log error;
 
+    ssl_certificate     %ssl_pem%;
+    ssl_certificate_key %ssl_key%;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;
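Review bot: `ssl_stapling_verify on;` is added without an `ssl_trusted_certificate` directive, so verification of the OCSP response depends on the issuer chain happening to be present in `%ssl_pem%`; where that PEM holds only the leaf certificate, nginx logs a warning and stapling is silently disabled for the vhost. If the template variables include a chain/CA file, add `ssl_trusted_certificate` with it next to the stapling lines; otherwise a comment above the block should state the full-chain assumption. Stapling also needs a `resolver` in scope, which this template presumably relies on the `http` block of /etc/nginx/nginx.conf to provide — confirm. install/deb/templates/mail/nginx/web_system.stpl has the identical addition and additionally introduces a whitespace-only line (trailing spaces) after `ssl_stapling_verify on;`.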

+ 5 - 2
install/deb/templates/mail/nginx/web_system.stpl

@@ -1,13 +1,16 @@
 server {
     listen      %ip%:%web_ssl_port% ssl http2;
     server_name %domain% %alias%;
-    ssl_certificate     %ssl_pem%;
-    ssl_certificate_key %ssl_key%;
     root        /var/lib/roundcube;
     index       index.php index.html index.htm;
     access_log /var/log/nginx/domains/%domain%.log combined;
     error_log  /var/log/nginx/domains/%domain%.error.log error;
 
+    ssl_certificate     %ssl_pem%;
+    ssl_certificate_key %ssl_key%;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;

+ 0 - 110
install/deb/templates/web/webalizer/webalizer.tpl

@@ -1,110 +0,0 @@
-HostName         %domain_idn%
-LogFile          /var/log/%web_system%/domains/%domain%.log
-OutputDir        %home%/%user%/web/%domain%/stats
-HistoryName      %home%/%user%/web/%domain%/stats/%domain%.hist
-Incremental      yes
-IncrementalName  %home%/%user%/web/%domain%/stats/%domain%.current
-PageType         htm*
-PageType         cgi
-PageType         php
-PageType         shtml
-DNSCache         /var/lib/webalizer/dns_cache.db
-DNSChildren      10
-Quiet            yes
-FoldSeqErr       yes
-IndexAlias       index.php
-HideURL          *.gif
-HideURL          *.GIF
-HideURL          *.jpg
-HideURL          *.JPG
-HideURL          *.png
-HideURL          *.PNG
-HideURL          *.ra
-SearchEngine     abcsearch.          terms=
-SearchEngine     alexa.              q=
-SearchEngine     alltheweb.          q=
-SearchEngine     alltheweb.          query=
-SearchEngine     alot.               q=
-SearchEngine     altavista.          q=
-SearchEngine     aolsearch.          query=
-SearchEngine     aport.ru            r=
-SearchEngine     ask.                q=
-SearchEngine     atlas.cz            q=
-SearchEngine     bbc.                q=
-SearchEngine     bing.               q=
-SearchEngine     blingo.             q=
-SearchEngine     blogs.yandex.ru     text=
-SearchEngine     btopenworld         query=
-SearchEngine     buscador.ya.com     q=
-SearchEngine     busca.              q=
-SearchEngine     business.           query=
-SearchEngine     centrum.cz          q=
-SearchEngine     chiff.              q=
-SearchEngine     clusty.             query=
-SearchEngine     comcast.            q=
-SearchEngine     crawler.            q=
-SearchEngine     cuil.               q=
-SearchEngine     dmoz.               search=
-SearchEngine     dogpile.com         q=
-SearchEngine     dpxml               qkw=
-SearchEngine     eureka.             searchword=
-SearchEngine     euroseek.           string=
-SearchEngine     exalead.            q=
-SearchEngine     excite              search=
-SearchEngine     ezilon.             q=
-SearchEngine     fastbrowsersearch.  q=
-SearchEngine     feedster.com        q=
-SearchEngine     fireball.de         q=
-SearchEngine     fireball.           keyword=
-SearchEngine     freeserve.          q=
-SearchEngine     gigablast.          q=
-SearchEngine     gogo.ru             q=
-SearchEngine     go.mail.ru          q=
-SearchEngine     google.             q=
-SearchEngine     hakia.              q=
-SearchEngine     hotbot.             query=
-SearchEngine     infoseek.           qt=
-SearchEngine     iwon                searchfor=
-SearchEngine     ixquick.com         query=
-SearchEngine     joeant.             keywords=
-SearchEngine     jyxo.cz             s=
-SearchEngine     looksmart.          key=
-SearchEngine     lycos.              query=
-SearchEngine     mamma.              q=
-SearchEngine     metacrawler         q=
-SearchEngine     msn.                MT=
-SearchEngine     msxml               qkw=
-SearchEngine     mysearch.           searchfor=
-SearchEngine     mywebsearch.        searchfor=
-SearchEngine     netscape.           q=
-SearchEngine     nigma.ru            q=
-SearchEngine     northernlight.      qr=
-SearchEngine     ntlworld.           q=
-SearchEngine     orange.             q=
-SearchEngine     overture.           Keywords=
-SearchEngine     punto.ru            text=
-SearchEngine     rambler.            keyword=
-SearchEngine     search.aol.         q=
-SearchEngine     search.babylon.     q=
-SearchEngine     search.centrum.     phrase=
-SearchEngine     search.conduit.     q=
-SearchEngine     search.earthlink    q=
-SearchEngine     search.icq.         q=
-SearchEngine     search.live.com     q=
-SearchEngine     search.rambler.ru   words=
-SearchEngine     search.winamp.      q=
-SearchEngine     searchy.            q=
-SearchEngine     seznam.cz           w=
-SearchEngine     snap.               query=
-SearchEngine     teoma.              q=
-SearchEngine     teradex.com         q=
-SearchEngine     ukplus              key=
-SearchEngine     verizon.            q=
-SearchEngine     virginmedia.        q=
-SearchEngine     voila.              rdata=
-SearchEngine     webcrawler          searchText=
-SearchEngine     web.search.naver.   query=
-SearchEngine     wisenut             q=
-SearchEngine     yahoo.              p=
-SearchEngine     yandex.             text=
-SearchEngine     yodao.              q=

+ 1 - 1
install/deb/vsftpd/vsftpd.conf

@@ -32,7 +32,7 @@ ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
 ssl_ciphers=HIGH
-ssl_tlsv1=YES
+ssl_tlsv1=NO
 ssl_sslv2=NO
 ssl_sslv3=NO
 force_local_data_ssl=NO
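Review bot: With `ssl_tlsv1=NO` and `ssl_sslv2`/`ssl_sslv3` already `NO`, the protocols left enabled depend on the vsftpd build: in versions where `ssl_tlsv1` is the only TLS toggle this disables FTPS entirely, while newer builds keep TLSv1.1/1.2 on through separate `ssl_tlsv1_1`/`ssl_tlsv1_2` settings that default to YES. Please confirm against the packaged version on each supported release and, where the build exposes them, set `ssl_tlsv1_1=NO` and `ssl_tlsv1_2=YES` explicitly so the intent is visible in the file. The same toggle is applied to existing installs by `sed` in install/upgrade/versions/1.0.2.sh, so that step shares the concern.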

+ 20 - 18
install/hst-install-debian.sh

@@ -563,24 +563,6 @@ fi
 #                   Install repository                     #
 #----------------------------------------------------------#
 
-# Updating system
-echo -ne "Updating currently installed packages, please wait... "
-apt-get -y upgrade >> $LOG &
-BACK_PID=$!
-
-# Check if package installation is done, print a spinner
-spin_i=1
-while kill -0 $BACK_PID > /dev/null 2>&1 ; do
-    printf "\b${spinner:spin_i++%${#spinner}:1}"
-    sleep 0.5
-done
-
-# Do a blank echo to get the \n back
-echo
-
-# Check Installation result
-check_result $? 'apt-get upgrade failed'
-
 # Define apt conf location
 apt=/etc/apt/sources.list.d
 
@@ -638,6 +620,25 @@ wget --quiet https://gpg.hestiacp.com/deb_signing.key -O /tmp/deb_signing.key
 APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/deb_signing.key > /dev/null 2>&1
 echo
 
+# Updating system
+echo -ne "Updating currently installed packages, please wait... "
+apt-get -y upgrade >> $LOG &
+BACK_PID=$!
+
+# Check if package installation is done, print a spinner
+spin_i=1
+while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+    printf "\b${spinner:spin_i++%${#spinner}:1}"
+    sleep 0.5
+done
+
+# Do a blank echo to get the \n back
+echo
+
+# Check Installation result
+check_result $? 'apt-get upgrade failed'
+
+
 #----------------------------------------------------------#
 #                         Backup                           #
 #----------------------------------------------------------#
@@ -1191,6 +1192,7 @@ if [ "$nginx" = 'yes' ]; then
     done
     if [ ! -z "$resolver" ]; then
         sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /etc/nginx/nginx.conf
+        sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
     fi
 
     update-rc.d nginx defaults > /dev/null 2>&1
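Review bot: In the relocated block, `check_result $? 'apt-get upgrade failed'` tests the exit status of the preceding `echo`, not of the backgrounded `apt-get -y upgrade`, so a failed upgrade is never reported; reap the job before checking: `wait "$BACK_PID"` then `check_result $? 'apt-get upgrade failed'`. The same relocated block in install/hst-install-ubuntu.sh has the identical issue. The `sed -i "s/1.0.0.1 1.1.1.1/$resolver/g"` added in the later hunk relies on `$resolver` having been validated outside the hunk; `.` is unescaped in that pattern, which is harmless here but worth noting. The enclosing script continues outside both hunks.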

+ 20 - 18
install/hst-install-ubuntu.sh

@@ -541,24 +541,6 @@ fi
 #                   Install repository                     #
 #----------------------------------------------------------#
 
-# Updating system
-echo -ne "Updating currently installed packages, please wait... "
-apt-get -y upgrade >> $LOG &
-BACK_PID=$!
-
-# Check if package installation is done, print a spinner
-spin_i=1
-while kill -0 $BACK_PID > /dev/null 2>&1 ; do
-    printf "\b${spinner:spin_i++%${#spinner}:1}"
-    sleep 0.5
-done
-
-# Do a blank echo to get the \n back
-echo
-
-# Check Installation result
-check_result $? 'apt-get upgrade failed'
-
 # Define apt conf location
 apt=/etc/apt/sources.list.d
 
@@ -598,6 +580,25 @@ wget --quiet https://gpg.hestiacp.com/deb_signing.key -O /tmp/deb_signing.key
 APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/deb_signing.key > /dev/null 2>&1
 echo
 
+# Updating system
+echo -ne "Updating currently installed packages, please wait... "
+apt-get -y upgrade >> $LOG &
+BACK_PID=$!
+
+# Check if package installation is done, print a spinner
+spin_i=1
+while kill -0 $BACK_PID > /dev/null 2>&1 ; do
+    printf "\b${spinner:spin_i++%${#spinner}:1}"
+    sleep 0.5
+done
+
+# Do a blank echo to get the \n back
+echo
+
+# Check Installation result
+check_result $? 'apt-get upgrade failed'
+
+
 #----------------------------------------------------------#
 #                         Backup                           #
 #----------------------------------------------------------#
@@ -1159,6 +1160,7 @@ if [ "$nginx" = 'yes' ]; then
     done
     if [ ! -z "$resolver" ]; then
         sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /etc/nginx/nginx.conf
+        sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
     fi
 
     update-rc.d nginx defaults > /dev/null 2>&1

+ 60 - 0
install/upgrade/versions/1.0.2.sh

@@ -6,4 +6,64 @@
 #######                      Place additional commands below.                   #######
 #######################################################################################
 
+# Replace dhparam 1024 with dhparam 4096
+echo "(*) Increasing Diffie-Hellman Parameter strength to 4096-bit..."
+mv /etc/ssl/dhparam.pem $HESTIA_BACKUP/conf/
+cp -f $HESTIA/install/deb/ssl/dhparam.pem /etc/ssl/
+chmod 600 /etc/ssl/dhparam.pem
 
+# Enhance Vsftpd security
+echo "(*) Hardening Vsftpd SSL configuration..."
+cp -f /etc/vsftpd.conf $HESTIA_BACKUP/conf/
+sed -i "s|ssl_tlsv1=YES|ssl_tlsv1=NO|g" /etc/vsftpd.conf
+
+# Enhance Dovecot security
+echo "(*) Hardening Dovecot SSL configuration..."
+mv /etc/dovecot/conf.d/10-ssl.conf $HESTIA_BACKUP/conf/
+cp -f $HESTIA/install/deb/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/
+
+# Update DNS resolvers in hestia-nginx's configuration
+echo "(*) Updating DNS resolvers for Hestia Internal Web Server..."
+dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+for ip in $dns_resolver; do
+    if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        resolver="$ip $resolver"
+    fi
+done
+if [ ! -z "$resolver" ]; then
+    sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
+fi
+
+# Remove Webalizer and set AWStats as default
+WEBALIZER_CHECK=$(cat $HESTIA/conf/hestia.conf | grep webalizer)
+if [ ! -z "$WEBALIZER_CHECK" ]; then
+    echo "(*) Removing Webalizer and setting AWStats as default web statistics backend..."
+    apt purge webalizer -y > /dev/null 2>&1
+    if [ -d "$HESTIA/data/templates/web/webalizer" ]; then
+        rm -rf $HESTIA/data/templates/web/webalizer
+    fi
+    if [ -d "/var/www/webalizer" ]; then
+        rm -rf /var/www/webalizer
+    fi
+    sed -i "s/STATS_SYSTEM='webalizer,awstats'/STATS_SYSTEM='awstats'/g" $HESTIA/conf/hestia.conf
+fi
+
+# Remove old hestia.conf files from Apache & NGINX if they exist
+if [ -f "/etc/apache2/conf.d/hestia.conf" ]; then
+    echo "(*) Removing old Apache configuration file from previous version of Hestia Control Panel..."
+    rm -f /etc/apache2/conf.d/hestia.conf
+fi
+if [ -f "/etc/nginx/conf.d/hestia.conf" ]; then
+    echo "(*) Removing old NGINX configuration file from previous version of Hestia Control Panel..."
+    rm -f /etc/nginx/conf.d/hestia.conf
+fi
+
+# Update webmail templates to enable OCSP/SSL stapling
+if [ ! -z "$IMAP_SYSTEM" ]; then
+    echo "(*) Enabling OCSP stapling support for webmail services..."
+    $BIN/v-update-mail-templates > /dev/null 2>&1
+fi 
+
+# Enhance webmail security
+cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
+sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
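Review bot: The final `sed -i` is not idempotent: its pattern `config|temp|logs` also matches the text it inserts, so running this upgrade step twice (or on an install whose webmail.inc already has the new list) produces duplicated alternatives in the `location ~` regex. Copy the shipped file as the Dovecot step does (`cp -f $HESTIA/install/deb/nginx/webmail.inc /etc/nginx/conf.d/`), or guard it: `grep -q 'UPGRADING' /etc/nginx/conf.d/webmail.inc || sed -i "s/config|temp|logs/…/g" /etc/nginx/conf.d/webmail.inc`. The `mv`/`cp -f` of `/etc/ssl/dhparam.pem`, `/etc/vsftpd.conf`, `/etc/dovecot/conf.d/10-ssl.conf` and `/etc/nginx/conf.d/webmail.inc` run unconditionally, unlike the `[ -f … ]` guards used for the hestia.conf removals above, so hosts without those services print mv/cp errors mid-upgrade. `fi ` after the IMAP_SYSTEM block carries trailing whitespace.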

+ 9 - 17
install/upgrade/versions/1.00.0-190618.sh

@@ -17,19 +17,19 @@ fi
 # Update Apache and Nginx configuration to support new file structure
 if [ -f /etc/apache2/apache.conf ]; then
     echo "(*) Updating Apache configuration..."
-    mv  /etc/apache2/apache.conf $HESTIA_BACKUP/conf/
+    mv /etc/apache2/apache.conf $HESTIA_BACKUP/conf/
     cp -f $HESTIA/install/deb/apache2/apache.conf /etc/apache2/apache.conf
 fi
 if [ -f /etc/nginx/nginx.conf ]; then
     echo "(*) Updating NGINX configuration..."
-    mv  /etc/nginx/nginx.conf $HESTIA_BACKUP/conf/
+    mv /etc/nginx/nginx.conf $HESTIA_BACKUP/conf/
     cp -f $HESTIA/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf
 fi
 
 # Generate dhparam
 if [ ! -e /etc/ssl/dhparam.pem ]; then
     echo "(*) Enabling HTTPS Strict Transport Security (HSTS) support..."
-    mv  /etc/nginx/nginx.conf $HESTIA_BACKUP/conf/
+    mv /etc/nginx/nginx.conf $HESTIA_BACKUP/conf/
     cp -f $hestiacp/nginx/nginx.conf /etc/nginx/
 
     # Copy dhparam
@@ -50,9 +50,9 @@ fi
 if [ -d $HESTIA/data/templates/ ]; then
     echo "(*) Replacing default Web, DNS, and Mail templates..."
     cp -rf $HESTIA/data/templates $HESTIA_BACKUP/templates/
-    $HESTIA/bin/v-update-web-templates >/dev/null 2>&1
-    $HESTIA/bin/v-update-dns-templates >/dev/null 2>&1
-	$HESTIA/bin/v-update-mail-templates >/dev/null 2>&1
+    $HESTIA/bin/v-update-web-templates > /dev/null 2>&1
+    $HESTIA/bin/v-update-dns-templates > /dev/null 2>&1
+    $HESTIA/bin/v-update-mail-templates > /dev/null 2>&1
 fi
 
 # Remove old Office 365 template as there is a newer version with an updated name
@@ -213,11 +213,11 @@ fi
 # Fix Dovecot configuration
 echo "(*) Updating Dovecot IMAP/POP server configuration..."
 if [ -f /etc/dovecot/conf.d/15-mailboxes.conf ]; then
-    mv  /etc/dovecot/conf.d/15-mailboxes.conf $HESTIA_BACKUP/conf/
+    mv /etc/dovecot/conf.d/15-mailboxes.conf $HESTIA_BACKUP/conf/
 fi
 if [ -f /etc/dovecot/dovecot.conf ]; then
     # Update Dovecot configuration and restart Dovecot service
-    mv  /etc/dovecot/dovecot.conf $HESTIA_BACKUP/conf/
+    mv /etc/dovecot/dovecot.conf $HESTIA_BACKUP/conf/
     cp -f $HESTIA/install/deb/dovecot/dovecot.conf /etc/dovecot/dovecot.conf
     systemctl restart dovecot
     sleep 0.5
@@ -226,7 +226,7 @@ fi
 # Fix Exim configuration
 if [ -f /etc/exim4/exim4.conf.template ]; then
     echo "(*) Updating Exim SMTP server configuration..."
-    mv  /etc/exim4/exim4.conf.template $HESTIA_BACKUP/conf/
+    mv /etc/exim4/exim4.conf.template $HESTIA_BACKUP/conf/
     cp -f $HESTIA/install/deb/exim/exim4.conf.template /etc/exim4/exim4.conf.template
     # Reconfigure spam filter and virus scanning
     if [ ! -z "$ANTISPAM_SYSTEM" ]; then
@@ -246,14 +246,6 @@ if [ -z "$IMAP_SYSTEM" ]; then
     fi
 fi
 
-# Remove Webalizer and set AWStats as default
-WEBALIAZER_CHECK=$(cat $HESTIA/conf/hestia.conf | grep webalizer)
-if [ ! -z "$WEBALIZER_CHECK" ]; then
-    echo "(*) Removing Webalizer and setting AWStats as default web statistics backend..."
-    apt purge webalizer -y > /dev/null 2>&1
-    sed -i "s/STATS_SYSTEM='webalizer,awstats'/STATS_SYSTEM='awstats'/g" $HESTIA/conf/hestia.conf
-fi
-
 # Run sftp jail once
 $HESTIA/bin/v-add-sys-sftp-jail
 

+ 8 - 0
src/deb/nginx/nginx.conf

@@ -82,8 +82,16 @@ http {
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    ssl_dhparam         /etc/ssl/dhparam.pem;
+    ssl_ecdh_curve      secp384r1;
+    ssl_session_tickets off;
+    resolver 1.0.0.1 1.1.1.1 valid=300s ipv6=off;
+    resolver_timeout    5s;
+    ssl_stapling on;
+    ssl_stapling_verify on;
     add_header          X-Frame-Options SAMEORIGIN;
     add_header          X-Content-Type-Options nosniff;
+    add_header          X-XSS-Protection "1; mode=block";
 
     # Vhost
     server {
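Review bot: `ssl_ecdh_curve secp384r1;` pins a single curve, which removes X25519 and P-256 from negotiation and makes every handshake slower without a security gain over the default; dropping the line or using `ssl_ecdh_curve X25519:prime256v1:secp384r1;` keeps compatibility. `ssl_stapling_verify on;` is set without an `ssl_trusted_certificate`, so verification only works if the issuer chain is inside the certificate file — the same caveat applies to the new mail templates in this PR. The `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` context line still permits TLSv1.1 while this PR disables TLSv1 for vsftpd and Dovecot; aligning it to `TLSv1.2 TLSv1.3` would be consistent with that hardening.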

+ 2 - 2
web/inc/i18n/en.php

@@ -193,7 +193,8 @@ $LANG['en'] = array(
     'template'  => 'Template',
     'SSL Support'  => 'Enable SSL for this domain',
     'SSL Home Directory'  => 'SSL Home Directory',
-    'Force SSL/HTTPS' => 'Enforce HTTP-to-HTTPS redirection',
+    'Force SSL/HTTPS' => 'Enable automatic HTTP-to-HTTPS redirection',
+    'Enable SSL HSTS' => 'Enable HTTP Strict Transport Security (HSTS) <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank"><i class="fas fa-question-circle"></i></a>',
     'Lets Encrypt Support'  => 'Use Lets Encrypt to obtain SSL certificate',
     'Lets Encrypt'  => 'Lets Encrypt',
     'Your certificate will be automatically issued in 5 minutes' => 'Your SSL certificate will be automatically issued within 5 minutes',
@@ -753,7 +754,6 @@ $LANG['en'] = array(
     'Use SSL / TLS' => 'Use SSL / TLS',
     'No encryption' => 'No encryption',
     'Do not use encryption' => 'Do not use encryption',
-
     'maximum characters length, including prefix' => 'maximum %s characters in length (including prefix)',
 
     'Email Credentials' => 'Email Credentials',