
Merge pull request #2 from serghey-rodin/master

update 6 20 2019
darkworks hace 6 años
padre
commit
b67c0f88e4
Se han modificado 100 ficheros con 2130 adiciones y 1311 borrados
  1. 5 3
      bin/v-add-backup-host
  2. 2 2
      bin/v-add-dns-on-web-alias
  3. 5 3
      bin/v-add-dns-record
  4. 14 2
      bin/v-add-firewall-chain
  5. 193 65
      bin/v-add-letsencrypt-domain
  6. 82 53
      bin/v-add-letsencrypt-user
  7. 1 0
      bin/v-add-mail-domain
  8. 106 0
      bin/v-add-sys-mail-ssl
  9. 97 0
      bin/v-add-sys-vesta-ssl
  10. 11 11
      bin/v-add-user-package
  11. 7 3
      bin/v-add-web-domain
  12. 20 0
      bin/v-add-web-domain-ssl
  13. 38 19
      bin/v-backup-user
  14. 3 0
      bin/v-backup-users
  15. 50 26
      bin/v-change-sys-ip-nat
  16. 10 2
      bin/v-change-sys-service-config
  17. 1 1
      bin/v-change-web-domain-ip
  18. 0 162
      bin/v-check-letsencrypt-domain
  19. 3 3
      bin/v-check-user-hash
  20. 75 0
      bin/v-delete-sys-mail-ssl
  21. 37 0
      bin/v-delete-sys-vesta-ssl
  22. 6 4
      bin/v-list-letsencrypt-user
  23. 1 1
      bin/v-list-mail-domain-dkim-dns
  24. 15 4
      bin/v-list-sys-config
  25. 135 0
      bin/v-list-sys-mail-ssl
  26. 13 10
      bin/v-list-user-log
  27. 18 7
      bin/v-list-users
  28. 1 0
      bin/v-list-web-domain-ssl
  29. 5 0
      bin/v-open-fs-config
  30. 2 2
      bin/v-rebuild-web-domains
  31. 5 1
      bin/v-restore-user
  32. 93 0
      bin/v-search-ssl-certificates
  33. 0 110
      bin/v-sign-letsencrypt-csr
  34. 10 0
      bin/v-suspend-dns-domain
  35. 15 1
      bin/v-unsuspend-dns-domain
  36. 3 0
      bin/v-unsuspend-mail-account
  37. 0 5
      bin/v-update-firewall
  38. 3 0
      bin/v-update-host-certificate
  39. 20 29
      bin/v-update-letsencrypt-ssl
  40. 67 73
      bin/v-update-sys-ip
  41. 5 17
      bin/v-update-sys-rrd-mysql
  42. 1 1
      bin/v-update-sys-rrd-pgsql
  43. 1 0
      bin/v-update-user-counters
  44. 1 1
      bin/v-update-user-quota
  45. 3 0
      bin/v-update-user-stats
  46. 10 4
      func/db.sh
  47. 12 6
      func/domain.sh
  48. 2 2
      func/ip.sh
  49. 23 5
      func/main.sh
  50. 8 2
      func/rebuild.sh
  51. 1 0
      install/debian/7/nginx/nginx.conf
  52. 1 1
      install/debian/7/sudo/admin
  53. 1 1
      install/debian/7/templates/web/apache2/basedir.stpl
  54. 1 1
      install/debian/7/templates/web/apache2/hosting.stpl
  55. 1 1
      install/debian/7/templates/web/apache2/phpcgi.stpl
  56. 1 1
      install/debian/7/templates/web/apache2/phpfcgid.stpl
  57. 1 2
      install/debian/7/templates/web/nginx/caching.stpl
  58. 1 2
      install/debian/7/templates/web/nginx/default.stpl
  59. 2 3
      install/debian/7/templates/web/nginx/hosting.stpl
  60. 4 5
      install/debian/7/templates/web/nginx/http2.stpl
  61. 3 3
      install/debian/7/templates/web/nginx/http2.tpl
  62. 35 51
      install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl
  63. 34 51
      install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl
  64. 38 50
      install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl
  65. 38 51
      install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl
  66. 44 52
      install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl
  67. 46 55
      install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl
  68. 1 1
      install/debian/7/templates/web/nginx/php5-fpm/sendy.stpl
  69. 1 1
      install/debian/7/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
  70. 89 0
      install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl
  71. 85 0
      install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl
  72. 1 0
      install/debian/8/nginx/nginx.conf
  73. 1 1
      install/debian/8/sudo/admin
  74. 1 1
      install/debian/8/templates/web/apache2/basedir.stpl
  75. 1 1
      install/debian/8/templates/web/apache2/hosting.stpl
  76. 1 1
      install/debian/8/templates/web/apache2/phpcgi.stpl
  77. 1 1
      install/debian/8/templates/web/apache2/phpfcgid.stpl
  78. 1 2
      install/debian/8/templates/web/nginx/caching.stpl
  79. 1 2
      install/debian/8/templates/web/nginx/default.stpl
  80. 2 3
      install/debian/8/templates/web/nginx/hosting.stpl
  81. 4 5
      install/debian/8/templates/web/nginx/http2.stpl
  82. 3 3
      install/debian/8/templates/web/nginx/http2.tpl
  83. 35 51
      install/debian/8/templates/web/nginx/php5-fpm/drupal6.stpl
  84. 34 51
      install/debian/8/templates/web/nginx/php5-fpm/drupal6.tpl
  85. 38 50
      install/debian/8/templates/web/nginx/php5-fpm/drupal7.stpl
  86. 38 51
      install/debian/8/templates/web/nginx/php5-fpm/drupal7.tpl
  87. 44 52
      install/debian/8/templates/web/nginx/php5-fpm/drupal8.stpl
  88. 46 55
      install/debian/8/templates/web/nginx/php5-fpm/drupal8.tpl
  89. 1 1
      install/debian/8/templates/web/nginx/php5-fpm/sendy.stpl
  90. 1 1
      install/debian/8/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
  91. 89 0
      install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl
  92. 85 0
      install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl
  93. 29 0
      install/debian/9/dovecot/conf.d/15-mailboxes.conf
  94. 1 0
      install/debian/9/nginx/nginx.conf
  95. 1 1
      install/debian/9/sudo/admin
  96. 1 1
      install/debian/9/templates/web/apache2/basedir.stpl
  97. 1 1
      install/debian/9/templates/web/apache2/hosting.stpl
  98. 1 1
      install/debian/9/templates/web/apache2/phpcgi.stpl
  99. 1 1
      install/debian/9/templates/web/apache2/phpfcgid.stpl
  100. 1 2
      install/debian/9/templates/web/nginx/caching.stpl

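--- a/bin/v-add-backup-host
+++ b/bin/v-add-backup-host
@@ -38,8 +38,8 @@ EOF
 sftpc() {
     expect -f "-" <<EOF "$@"
         set count 0
-        spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o \
-            Port=$port $user@$host
+        spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
+            Port=$port '$user@$host'"
         expect {
             "password:" {
                 send "$password\r"
@@ -94,12 +94,14 @@ EOF
 
 if [ "$type" != 'local' ];then
     check_args '4' "$#" "TYPE HOST USERNAME PASSWORD [PATH] [PORT]"
-    is_format_valid 'host'
+    is_format_valid 'user' 'host' 'path' 'port'
     is_password_valid
     if [ "$type" = 'sftp' ]; then
         which expect >/dev/null 2>&1
         check_result $? "expect command not found"  $E_NOTEXIST
     fi
+    host "$host" >/dev/null 2>&1
+    check_result $? "host connection failed" "$E_CONNECT"
 fi
 
 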
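Review bot: The quoted `spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \` / `Port=$port '$user@$host'"` in the first hunk turns the whole command into one Tcl word, so unless spawn is reached through `eval` elsewhere in sftpc (the function runs past this hunk) expect will try to execute a program literally named `/usr/bin/sftp -o ... '$user@$host'` and fail; the previous unquoted form was the correct shape, and the inner single quotes would reach sftp verbatim in any case. `StrictHostKeyChecking=no` still disables host-key verification, so the password pushed by `send "$password\r"` goes to whatever answers on `$host:$port`; on OpenSSH 7.6 or newer `-o StrictHostKeyChecking=accept-new` keeps the first-run convenience while pinning the key afterwards. The new `host "$host"` check in the second hunk relies on the bind-utils `host` binary, which is not probed the way `expect` is two lines earlier, and for an IP-literal `$host` it does a PTR lookup that fails on hosts without reverse DNS; `getent hosts "$host" >/dev/null 2>&1` resolves both names and literals with no extra dependency.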

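--- a/bin/v-add-dns-on-web-alias
+++ b/bin/v-add-dns-on-web-alias
@@ -50,12 +50,12 @@ domain_lvl=$(echo "$alias" |grep -o "\." |wc -l)
 # Adding second level domain
 if [ "$domain_lvl" -eq 1 ] || [ "${#top_domain}" -le '6' ]; then
     $BIN/v-add-dns-domain \
-        $user $alias $ip '' '' '' '' '' $restart >> /dev/null
+        $user $alias $ip '' '' '' '' '' '' '' '' $restart >> /dev/null
     exit
 fi
 
 # Adding top-level domain and then its sub
-$BIN/v-add-dns-domain $user $top_domain $ip '' '' '' '' $restart >> /dev/null
+$BIN/v-add-dns-domain $user $top_domain $ip '' '' '' '' '' $restart >> /dev/null
 
 # Checking top-level domain
 if [ ! -e "$USER_DATA/dns/$top_domain.conf" ]; then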
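Review bot: The two `v-add-dns-domain` calls in this hunk now pad differently — the second-level call passes eight empty placeholders before `$restart` while the top-level call near the bottom passes five — so at most one of them can be placing `$restart` in the position v-add-dns-domain reads it from, and the other drops it into a name-server slot (I cannot see v-add-dns-domain's option list from here, so confirm which count is right). Whichever it is, both calls should use the same padding, e.g. `$BIN/v-add-dns-domain $user $top_domain $ip '' '' '' '' '' '' '' '' $restart >> /dev/null`.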

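--- a/bin/v-add-dns-record
+++ b/bin/v-add-dns-record
@@ -45,10 +45,12 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
     fi
 fi
 
-dvalue=${dvalue//\"/}
+if [ $rtype != "CAA" ]; then
+    dvalue=${dvalue//\"/}
 
-if [[ "$dvalue" =~ [\;[:space:]] ]]; then
-    dvalue='"'"$dvalue"'"'
+    if [[ "$dvalue" =~ [\;[:space:]] ]]; then
+        dvalue='"'"$dvalue"'"'
+    fi
 fi
 
 # Additional argument formatting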
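Review bot: The new `CAA` branch passes `$dvalue` through untouched, keeping its embedded quotes and skipping the quoting other types get when they contain `;` or whitespace — right for the `flags tag "value"` form, but nothing in this hunk checks the value actually has that shape before it reaches the zone file, so a stray `"` or a second quoted field could break or extend the record (checks earlier in the script, outside this hunk, may cover part of this). Consider a shape check in the CAA branch, e.g. `[[ "$dvalue" =~ ^[0-9]+\ (issue|issuewild|iodef)\ \"[^\"]*\"$ ]] || check_result $E_INVALID "invalid CAA record value"`. Also `[ $rtype != "CAA" ]` should quote `$rtype`; an empty record type makes `[` fail with a syntax error instead of a clean validation message.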

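--- a/bin/v-add-firewall-chain
+++ b/bin/v-add-firewall-chain
@@ -21,6 +21,12 @@ protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 # Defining absolute path to iptables
 iptables="/sbin/iptables"
 
+# Get vesta port by reading nginx.conf
+vestaport=$(grep 'listen' /usr/local/vesta/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
+if [ -z "$vestaport" ]; then
+    vestaport=8083
+fi
+
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/conf/vesta.conf
@@ -41,13 +47,19 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 
 # Checking known chains
 case $chain in
-    SSH)        port=22; protocol=TCP ;;
+    SSH)        # Get ssh port by reading ssh config file.
+                sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
+                if [ -z "$sshport" ]; then
+                    sshport=22
+                fi
+                port=$sshport; 
+                protocol=TCP ;;
     FTP)        port=21; protocol=TCP  ;;
     MAIL)       port='25,465,587,2525,110,995,143,993'; protocol=TCP  ;;
     DNS)        port=53; protocol=UDP  ;;
     WEB)        port='80,443'; protocol=TCP  ;;
     DB)         port='3306,5432'; protocol=TCP  ;;
-    VESTA)      port=8083; protocol=TCP  ;;
+    VESTA)      port=$vestaport; protocol=TCP  ;;
     *)          check_args '2' "$#" 'CHAIN PORT' ;;
 esac
 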
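Review bot: Both new port lookups feed an unvalidated string into `port`, which presumably becomes an iptables `--dport` argument further down, outside this hunk: `grep 'listen' .../nginx.conf` also matches a commented-out `# listen 8083;` (yielding the word `listen`) and a `listen 0.0.0.0:8083;` form (yielding `0.0.0.0:8083`), while `grep '^Port '` misses an indented or lower-case `port` directive and keeps only the first of several `Port` lines even though sshd listens on all of them. A bad value here silently produces a chain with no accept rule, which for the SSH chain is a lock-out risk the next time the firewall is rebuilt. The nginx path is also hard-coded to `/usr/local/vesta` although `$VESTA` is already relied on by the `source` lines below it. I would anchor both greps, strip any address prefix, join multiple SSH ports the way the MAIL chain already lists ports, and fall back to the default unless the result is purely numeric:
```shell
# Get vesta port from the first active listen directive in nginx.conf
vestaport=$(grep -E '^[[:space:]]*listen[[:space:]]' "$VESTA/nginx/conf/nginx.conf" |\
    head -n1 | awk '{print $2}' | sed 's/;//; s/.*://')
if [[ ! "$vestaport" =~ ^[0-9]+$ ]]; then
    vestaport=8083
fi
# … unchanged: includes, verifications, case header …
    SSH)        # Collect every active Port directive from sshd_config
                sshport=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config |\
                    awk '{print $2}' | paste -sd, -)
                if [[ ! "$sshport" =~ ^[0-9]+(,[0-9]+)*$ ]]; then
                    sshport=22
                fi
                port=$sshport
                protocol=TCP ;;
```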

+ 193 - 65
bin/v-add-letsencrypt-domain

@@ -1,13 +1,8 @@
 #!/bin/bash
 #!/bin/bash
-# info: adding letsencrypt ssl cetificate for domain
-# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
+# info: check letsencrypt domain
+# options: USER DOMAIN [ALIASES]
 #
 #
-# The function turns on SSL support for a domain. Parameter ssl_dir is a path
-# to directory where 2 or 3 ssl files can be found. Certificate file
-# domain.tld.crt and its key domain.tld.key  are mandatory. Certificate
-# authority domain.tld.ca file is optional. If home directory  parameter
-# (ssl_home) is not set, https domain uses public_shtml as separate
-# documentroot directory.
+# The function check and validates domain with Let's Encript
 
 
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
@@ -18,8 +13,9 @@
 user=$1
 user=$1
 domain=$2
 domain=$2
 aliases=$3
 aliases=$3
-restart=$4
-notify=$5
+
+# LE API
+API='https://acme-v02.api.letsencrypt.org'
 
 
 # Includes
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/func/main.sh
@@ -27,30 +23,67 @@ source $VESTA/func/domain.sh
 source $VESTA/conf/vesta.conf
 source $VESTA/conf/vesta.conf
 
 
 # Additional argument formatting
 # Additional argument formatting
-format_domain_idn
+format_identifier_idn() {
+    identifier_idn=$identifier
+    if [[ "$identifier_idn" = *[![:ascii:]]* ]]; then
+        identifier_idn=$(idn -t --quiet -a $identifier_idn)
+    fi
+}
+
+# encode base64
+encode_base64() {
+    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
+}
+
+# Let's Encrypt v2 curl function
+query_le_v2() {
+
+    protected='{"nonce": "'$3'",'
+    protected=''$protected' "url": "'$1'",'
+    protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
+    content="Content-Type: application/jose+json"
+
+    payload_=$(echo -n "$2" |encode_base64)
+    protected_=$(echo -n "$protected" |encode_base64)
+    signature_=$(printf "%s" "$protected_.$payload_" |\
+        openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
+        encode_base64)
+
+    post_data='{"protected":"'"$protected_"'",'
+    post_data=$post_data'"payload":"'"$payload_"'",'
+    post_data=$post_data'"signature":"'"$signature_"'"}'
+
+    curl -s -i -d "$post_data" "$1" -H "$content"
+}
+
 
 
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                    Verifications                         #
 #                    Verifications                         #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
-is_format_valid 'user' 'domain'
+check_args '2' "$#" 'USER DOMAIN [ALIASES]'
+is_format_valid 'user' 'domain' 'aliases'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
-is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
 is_object_valid 'user' 'USER' "$user"
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
-
+get_domain_values 'web'
+# check if alias is the letsencrypt wildcard domain, if not, make the normal checks
+if [[ "$aliases" != "*.$domain" ]]; then
+    for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
+        check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
+        if [ -z "$check_alias" ]; then
+            check_result $E_NOTEXIST "domain alias $alias doesn't exist"
+        fi
+    done
+fi;
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Parsing domain data
-get_domain_values 'web'
-
 # Registering LetsEncrypt user account
 # Registering LetsEncrypt user account
 $BIN/v-add-letsencrypt-user $user
 $BIN/v-add-letsencrypt-user $user
 if [ "$?" -ne 0  ]; then
 if [ "$?" -ne 0  ]; then
@@ -62,54 +95,154 @@ fi
 
 
 # Parsing LetsEncrypt account data
 # Parsing LetsEncrypt account data
 source $USER_DATA/ssl/le.conf
 source $USER_DATA/ssl/le.conf
-email=$EMAIL
-
-# Validating domain and aliases
-i=1
-for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
-    $BIN/v-check-letsencrypt-domain $user $alias
-    if [ "$?" -ne 0 ]; then
-        touch $VESTA/data/queue/letsencrypt.pipe
-        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-        send_notice "LETSENCRYPT" "$alias validation failed"
-        check_result $E_INVALID "LE domain validation" >/dev/null
+
+# Checking wildcard alias
+if [ "$aliases" = "*.$domain" ]; then
+    wildcard='yes'
+    proto="dns-01"
+    if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
+        check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
     fi
     fi
+else
+    proto="http-01"
+fi
+
+# Requesting nonce / STEP 1
+answer=$(curl -s -I "$API/directory")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+if [[ "$status" -ne 200 ]]; then
+    check_result $E_CONNECT "Let's Encrypt nonce request status $status"
+fi
 
 
-    # Checking LE limits per account
-    if [ "$i" -gt 100 ]; then
-        touch $VESTA/data/queue/letsencrypt.pipe
-        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-        send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
-        check_result $E_LIMIT "LE can't sign more than 100 domains"
+# Placing new order / STEP 2
+url="$API/acme/new-order"
+payload='{"identifiers":['
+for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
+    format_identifier_idn
+    payload=$payload'{"type":"dns","value":"'$identifier_idn'"},'
+done
+payload=$(echo "$payload"|sed "s/,$//")
+payload=$payload']}'
+answer=$(query_le_v2 "$url" "$payload" "$nonce")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
+finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
+status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+if [[ "$status" -ne 201 ]]; then
+    check_result $E_CONNECT "Let's Encrypt new auth status $status"
+fi
+
+# Requesting authorization token / STEP 3
+for auth in $authz; do
+    payload=''
+    answer=$(query_le_v2 "$auth" "$payload" "$nonce")
+    url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
+    token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
+    nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+    status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+    if [[ "$status" -ne 200 ]]; then
+        check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
+    fi
+
+    # Accepting challenge / STEP 4
+    if [ "$wildcard" = 'yes'  ]; then
+        record=$(printf "%s" "$token.$THUMB" |\
+            openssl dgst -sha256 -binary |encode_base64)
+        old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
+        old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
+        for old_record in $old_records; do
+            $BIN/v-delete-dns-record $user $domain $old_record
+        done
+        $BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
+        check_result $? "DNS _acme-challenge record wasn't created"
+    else
+        if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
+            conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
+            sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
+            if [ ! -e "$conf" ]; then
+                echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
+                    > $conf
+                echo '    default_type text/plain;' >> $conf
+                echo '    return 200 "$1.'$THUMB'";' >> $conf
+                echo '}' >> $conf
+            fi
+            if [ ! -e "$sconf" ]; then
+                ln -s "$conf" "$sconf"
+            fi
+            $BIN/v-restart-proxy
+            check_result $? "Proxy restart failed" >/dev/null
+
+        else
+            well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
+            acme_challenge="$well_known/acme-challenge"
+            mkdir -p $acme_challenge
+            echo "$token.$THUMB" > $acme_challenge/$token
+            chown -R $user:$user $well_known
+        fi
+        $BIN/v-restart-web
+        check_result $? "Web restart failed" >/dev/null
+    fi
+
+    # Requesting ACME validation / STEP 5
+    validation_check=$(echo "$answer" |grep '"valid"')
+    if [[ ! -z "$validation_check" ]]; then
+        validation='valid'
+    else
+        validation='pending'
+    fi
+
+    # Doing pol check on status
+    i=1
+    while [ "$validation" = 'pending' ]; do
+        payload='{}'
+        answer=$(query_le_v2 "$url" "$payload" "$nonce")
+        validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
+        nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+        status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+        if [[ "$status" -ne 200 ]]; then
+            check_result $E_CONNECT "Let's Encrypt validation status $status"
+        fi
+
+        i=$((i + 1))
+        if [ "$i" -gt 10 ]; then
+            check_result $E_CONNECT "Let's Encrypt domain validation timeout"
+        fi
+        sleep 1
+    done
+    if [ "$validation" = 'invalid' ]; then
+        check_result $E_CONNECT "Let's Encrypt domain verification failed"
     fi
     fi
-    i=$((i++))
 done
 done
 
 
-# Generating CSR
-ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
+
+# Generating new ssl certificate
+ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
     "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
     "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
 
 
-# Signing CSR
-crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
-if [ "$?" -ne 0 ]; then
-    touch $VESTA/data/queue/letsencrypt.pipe
-    sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-    send_notice "LETSENCRYPT" "$alias validation failed"
-    check_result "$E_INVALID" "LE $domain validation"
-fi
-echo "$crt" > $ssl_dir/$domain.crt
-
-# Dowloading CA certificate
-le_certs='https://letsencrypt.org/certs'
-x1='lets-encrypt-x1-cross-signed.pem.txt'
-x3='lets-encrypt-x3-cross-signed.pem.txt'
-issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
-if [ -z "$(echo $issuer|grep X3)" ]; then
-    curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
-else
-    curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
+# Sending CSR to finalize order / STEP 6
+csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
+payload='{"csr":"'$csr'"}'
+answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
+if [[ "$status" -ne 200 ]]; then
+    check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
 fi
 fi
 
 
+# Downloading signed certificate / STEP 7
+curl -s "$certificate" -o $ssl_dir/$domain.pem
+
+# Splitting up downloaded pem
+crt_end=$(grep -n END $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
+head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
+
+pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
+ca_end=$(grep -n  "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
+ca_end=$(( pem_lines - crt_end + 1 ))
+tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
+
 # Adding SSL
 # Adding SSL
 ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
 ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
 $BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
 $BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
@@ -140,18 +273,13 @@ update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
 #                       Vesta                              #
 #                       Vesta                              #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Restarting web
-$BIN/v-restart-web $restart
-if [ "$?" -ne 0  ]; then
-    send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
-fi
+# Deleteing task from queue
+touch $VESTA/data/queue/letsencrypt.pipe
+sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
 
 
 # Notifying user
 # Notifying user
 send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
 send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
 
 
-# Deleteing task from queue
-touch $VESTA/data/queue/letsencrypt.pipe
-sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
 
 
 # Logging
 # Logging
 log_event "$OK" "$ARGUMENTS"
 log_event "$OK" "$ARGUMENTS"
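Review bot: In the http-01 fallback of STEP 4 (the non-nginx branch) the script runs `mkdir -p $acme_challenge`, `echo "$token.$THUMB" > $acme_challenge/$token` and `chown -R $user:$user $well_known` under `$HOMEDIR/$user/web/$domain/public_html`, a tree the hosting user can write to, without first checking that `.well-known` or `acme-challenge` is not a symlink; the script restarts the web server, so it presumably runs as root, and a user who pre-creates `public_html/.well-known` as a link to a system directory gets a root-written file there that is then chowned to them. The same commit adds an `is_dir_symlink` guard to v-add-mail-domain, so the helper is available here (assuming it only rejects existing links, so a missing directory still passes). Two smaller points on the new side: STEP 7's `curl -s "$certificate" -o $ssl_dir/$domain.pem` has no status or parse check, so a failed download is split and installed as the domain's certificate, and the `ca_end=$(grep -n "BEGIN" ...)` line is dead, overwritten by the arithmetic on the next line. The large hunk starts mid-script, so the verification section that precedes it is not visible here.
```shell
        else
            well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
            acme_challenge="$well_known/acme-challenge"
            # Refuse user-planted links before writing into public_html as root
            is_dir_symlink "$well_known"
            is_dir_symlink "$acme_challenge"
            mkdir -p $acme_challenge
            echo "$token.$THUMB" > $acme_challenge/$token
            chown -R $user:$user $well_known
        fi
# … unchanged: STEP 5 polling, CSR generation, STEP 6 finalize …

# Downloading signed certificate / STEP 7
curl -s -f "$certificate" -o $ssl_dir/$domain.pem
check_result $? "Let's Encrypt certificate download failed" "$E_CONNECT"
openssl x509 -in $ssl_dir/$domain.pem -noout >/dev/null 2>&1
check_result $? "downloaded certificate is not parsable" "$E_INVALID"
```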

+ 82 - 53
bin/v-add-letsencrypt-user

@@ -1,8 +1,8 @@
 #!/bin/bash
 #!/bin/bash
 # info: register letsencrypt user account
 # info: register letsencrypt user account
-# options: USER [EMAIL]
+# options: USER
 #
 #
-# The function creates and register LetsEncript account key
+# The function creates and register LetsEncript account 
 
 
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
@@ -11,8 +11,9 @@
 
 
 # Argument definition
 # Argument definition
 user=$1
 user=$1
-email=$2
-key_size=4096
+
+# LE API
+API='https://acme-v02.api.letsencrypt.org'
 
 
 # Includes
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/func/main.sh
@@ -23,15 +24,38 @@ encode_base64() {
     cat |base64 |tr '+/' '-_' |tr -d '\r\n='
     cat |base64 |tr '+/' '-_' |tr -d '\r\n='
 }
 }
 
 
+# Let's Encrypt v2 curl function
+query_le_v2() {
+    protected='{"nonce": "'$3'",'
+    protected=''$protected' "url": "'$1'",'
+    protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
+    content="Content-Type: application/jose+json"
+
+    payload_=$(echo -n "$2" |encode_base64)
+    protected_=$(echo -n "$protected" |encode_base64)
+    signature_=$(printf "%s" "$protected_.$payload_" |\
+        openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
+        encode_base64)
+
+    post_data='{"protected":"'"$protected_"'",'
+    post_data=$post_data'"payload":"'"$payload_"'",'
+    post_data=$post_data'"signature":"'"$signature_"'"}'
+
+    curl -s -i -d "$post_data" "$1" -H "$content"
+}
+
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                    Verifications                         #
 #                    Verifications                         #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-check_args '1' "$#" 'USER [EMAIL]'
+check_args '1' "$#" 'USER'
 is_format_valid 'user'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_valid 'user' 'USER' "$user"
 if [ -e "$USER_DATA/ssl/le.conf" ]; then
 if [ -e "$USER_DATA/ssl/le.conf" ]; then
+    source "$USER_DATA/ssl/le.conf"
+fi
+if [ ! -z "$KID" ]; then
     exit
     exit
 fi
 fi
 
 
@@ -40,57 +64,57 @@ fi
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-api='https://acme-v01.api.letsencrypt.org'
-if [ -z "$email" ]; then
-    email=$(get_user_value '$CONTACT')
+
+# Defining user email
+if [[ -z "$EMAIL" ]]; then
+    EMAIL=$(get_user_value '$CONTACT')
 fi
 fi
 
 
-agreement=$(curl -s -I "$api/terms" |grep Location |cut -f 2 -d \ |tr -d '\r\n')
+# Defining user agreement
+agreement=''
 
 
-# Generating key
-key="$USER_DATA/ssl/user.key"
-if [ ! -e "$key" ]; then
-    openssl genrsa -out $key $key_size >/dev/null 2>&1
-    chmod 600 $key
+# Generating user key
+KEY="$USER_DATA/ssl/user.key"
+if [ ! -e "$KEY" ]; then
+    openssl genrsa -out $KEY 4096 >/dev/null 2>&1
+    chmod 600 $KEY
 fi
 fi
 
 
 # Defining key exponent
 # Defining key exponent
-exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
-    grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
-    xxd -r -p |encode_base64)
+if [ -z "$EXPONENT" ]; then
+    EXPONENT=$(openssl pkey -inform pem -in "$KEY" -noout -text_pub |\
+        grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
+        xxd -r -p |encode_base64)
+fi
 
 
 # Defining key modulus
 # Defining key modulus
-modulus=$(openssl rsa -in "$key" -modulus -noout |\
-    sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
-
-# Defining key thumb
-thumb='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
-thumb="$(echo -n "$thumb" |openssl dgst -sha256 -binary |encode_base64)"
-
-# Defining JWK header
-header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
-header='{"alg":"RS256","jwk":'"$header"'}'
-
-# Requesting nonce
-nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
-protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
-
-# Defining registration query
-query='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
-query=$query'"agreement":"'$agreement'"}'
-payload=$(echo -n "$query" |encode_base64)
-signature=$(printf "%s" "$protected.$payload" |\
-    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
-data='{"header":'"$header"',"protected":"'"$protected"'",'
-data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
-
-# Sending request to LetsEncrypt API
-answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
-status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+if [ -z "$MODULUS" ]; then
+    MODULUS=$(openssl rsa -in "$KEY" -modulus -noout |\
+        sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
+fi
+
+# Defining JWK
+jwk='{"e":"'$EXPONENT'","kty":"RSA","n":"'"$MODULUS"'"}'
+
+# Defining key thumbnail
+if [ -z "$THUMB" ]; then
+    THUMB="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
+fi
+
 
 
-# Checking http answer status
-if [[ "$status" -ne "201" ]] && [[ "$status" -ne "409" ]]; then
-    check_result $E_CONNECT "LetsEncrypt account registration $status"
+# Requesting ACME nonce
+nonce=$(curl -s -I "$API/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
+
+# Creating ACME account
+url="$API/acme/new-acct"
+payload='{"termsOfServiceAgreed": true}'
+answer=$(query_le_v2 "$url" "$payload" "$nonce")
+kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
+
+# Checking answer status
+status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+if [[ "${status:0:2}" -ne "20" ]]; then
+    check_result $E_CONNECT "Let's Encrypt acc registration failed $status"
 fi
 fi
 
 
 
 
@@ -99,12 +123,17 @@ fi
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
 # Adding le.conf
 # Adding le.conf
-echo "EMAIL='$email'" > $USER_DATA/ssl/le.conf
-echo "EXPONENT='$exponent'" >> $USER_DATA/ssl/le.conf
-echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
-echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
-chmod 660  $USER_DATA/ssl/le.conf
-
+if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
+    echo "EXPONENT='$EXPONENT'" > $USER_DATA/ssl/le.conf
+    echo "MODULUS='$MODULUS'" >> $USER_DATA/ssl/le.conf
+    echo "THUMB='$THUMB'" >> $USER_DATA/ssl/le.conf
+    echo "EMAIL='$EMAIL'" >> $USER_DATA/ssl/le.conf
+    echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
+    chmod 660  $USER_DATA/ssl/le.conf
+else
+    sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
+    echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
+fi
 
 
 # Logging
 # Logging
 log_event "$OK" "$ARGUMENTS"
 log_event "$OK" "$ARGUMENTS"
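Review bot: The new ACME v2 registration sends only `{"termsOfServiceAgreed": true}`, so the `EMAIL` resolved a few lines earlier from `$CONTACT` is written to le.conf but never reaches Let's Encrypt as an account contact, which means expiry and problem notices for certificates issued under this `KID` go nowhere (the removed v1 code did send `"contact":["mailto:..."]`). Adding it is one line, `payload='{"termsOfServiceAgreed": true, "contact": ["mailto:'"$EMAIL"'"]}'`, but because the JSON is assembled by string concatenation `$EMAIL` should first be rejected if it contains `"` or `\`; `$CONTACT` comes through Vesta's own validation, so this is likely just a defensive regex. Two smaller points: `openssl genrsa -out $KEY 4096` has no failure check before the key is read back for the exponent and modulus, and the `nonce=$(curl -s -I "$API/directory" ...)` request is not status-checked, so a transient outage surfaces as a confusing `acc registration failed` rather than a connect error.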

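--- a/bin/v-add-mail-domain
+++ b/bin/v-add-mail-domain
@@ -45,6 +45,7 @@ is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_domain_new 'mail' "$domain"
 is_package_full 'MAIL_DOMAINS'
+is_dir_symlink $HOMEDIR/$user/mail
 
 
 #----------------------------------------------------------#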
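Review bot: `is_dir_symlink $HOMEDIR/$user/mail` guards the top-level mail directory only; if the action section below this hunk creates a per-domain directory beneath it (I cannot see that code from here), a pre-existing user-planted link at `$HOMEDIR/$user/mail/$domain` would still be followed, so the check is worth repeating at that level. The argument should also be quoted, `is_dir_symlink "$HOMEDIR/$user/mail"`, to match the quoted arguments on the surrounding verification lines.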

+ 106 - 0
bin/v-add-sys-mail-ssl

@@ -0,0 +1,106 @@
+#!/bin/bash
+# info: copy mail ssl certificate
+# options: USER DOMAIN [RESTART]
+#
+# The function copies user domain SSL to mail SSL directory
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+domain=$2
+restart=$3
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/func/domain.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER DOMAIN [RESTART]'
+is_format_valid 'user' 'domain'
+is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
+is_object_valid 'user' 'USER' "$user"
+is_object_valid 'web' 'DOMAIN' "$domain"
+is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining certificate location
+dom_crt="/home/$user/conf/web/ssl.$domain.pem"
+dom_key="/home/$user/conf/web/ssl.$domain.key"
+vst_crt="$VESTA/ssl/mail.crt"
+vst_key="$VESTA/ssl/mail.key"
+
+# Checking certificate
+if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
+    check_result $E_NOTEXIST "$domain certificate doesn't exist"
+fi
+
+# Checking difference
+diff $dom_crt $vst_crt >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    rm -f $vst_crt.old $vst_key.old
+    mv $vst_crt $vst_crt.old >/dev/null 2>&1
+    mv $vst_key $vst_key.old >/dev/null 2>&1
+    cp $dom_crt $vst_crt 2>/dev/null
+    cp $dom_key $vst_key 2>/dev/null
+    chown root:mail $vst_crt $vst_key
+else
+    restart=no
+fi
+
+# Updating mail certificate
+case $MAIL_SYSTEM in
+    exim)           conf='/etc/exim/exim.conf';;
+    exim4)          conf='/etc/exim4/exim4.conf.template';;
+esac
+if [ -e "$conf" ]; then
+    sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
+        -e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
+fi
+
+# Updating imap certificate
+conf="/etc/dovecot/conf.d/10-ssl.conf"
+if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
+    sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
+        -e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Restarting services
+if [ "$restart" != 'no' ]; then
+    if [ ! -z "$MAIL_SYSTEM" ]; then
+        $BIN/v-restart-service $MAIL_SYSTEM
+    fi
+    if [ ! -z "$IMAP_SYSTEM" ]; then
+        $BIN/v-restart-service $IMAP_SYSTEM
+    fi
+fi
+
+# Updating vesta.conf
+if [ -z "$(grep MAIL_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
+    echo "MAIL_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
+else
+    sed -i "s/MAIL_CERTIFICATE.*/MAIL_CERTIFICATE='$user:$domain'/g" \
+        $VESTA/conf/vesta.conf
+fi
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
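Review bot: The copied private key is never given an explicit mode: `cp $dom_key $vst_key` in the "Checking difference" block creates `$VESTA/ssl/mail.key` with whatever `cp` derives from the source file and the umask, and the following `chown root:mail` only changes ownership. Add `chmod 640 $vst_key` (and `chmod 644 $vst_crt` if the certificate is meant to stay readable) right after the chown so the key cannot end up world-readable; the same gap exists in `bin/v-add-sys-vesta-ssl`. The certificate paths are built from a hard-coded `/home/$user` rather than `$HOMEDIR/$user`, which the other scripts in this commit use, so a non-default home layout fails the existence check. The dovecot substitutions `s|ssl_cert.*|…|` / `s|ssl_key.*|…|` are unanchored, unlike the exim ones, and also rewrite lines such as `#ssl_cert_username_field` and `#ssl_key_password`; anchoring them as `^ssl_cert ` and `^ssl_key ` limits the edit to the real directives.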

+ 97 - 0
bin/v-add-sys-vesta-ssl

@@ -0,0 +1,97 @@
+#!/bin/bash
+# info: add vesta ssl certificate
+# options: USER DOMAIN [RESTART]
+#
+# The function copies user domain SSL to vesta SSL directory
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+domain=$2
+restart=$3
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/func/domain.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER DOMAIN [RESTART]'
+is_format_valid 'user' 'domain'
+is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
+is_object_valid 'user' 'USER' "$user"
+is_object_valid 'web' 'DOMAIN' "$domain"
+is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining certificate location
+dom_crt="/home/$user/conf/web/ssl.$domain.pem"
+dom_key="/home/$user/conf/web/ssl.$domain.key"
+vst_crt="$VESTA/ssl/certificate.crt"
+vst_key="$VESTA/ssl/certificate.key"
+
+# Checking certificate
+if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
+    check_result $E_NOTEXIST "$domain certificate doesn't exist"
+fi
+
+# Checking difference
+diff $dom_crt $vst_crt >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    rm -f $vst_crt.old $vst_key.old
+    mv $vst_crt $vst_crt.old
+    mv $vst_key $vst_key.old
+    cp $dom_crt $vst_crt 2>/dev/null
+    cp $dom_key $vst_key 2>/dev/null
+    chown root:mail $vst_crt $vst_key
+else
+    restart=no
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Restarting services
+if [ "$restart" != 'no' ]; then
+    if [ ! -z "$MAIL_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
+        $BIN/v-restart-service $MAIL_SYSTEM
+    fi
+    if [ ! -z "$IMAP_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
+        $BIN/v-restart-service $IMAP_SYSTEM
+    fi
+    if [ ! -z "$FTP_SYSTEM" ]; then
+        $BIN/v-restart-service "$FTP_SYSTEM"
+    fi
+    if [ -e "/var/run/vesta-nginx.pid" ]; then
+        kill -HUP $(cat /var/run/vesta-nginx.pid)
+    else
+        service vesta restart
+    fi
+fi
+
+# Updating vesta.conf
+if [ -z "$(grep VESTA_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
+    echo "VESTA_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
+else
+    sed -i "s/VESTA_CERTIFICATE.*/VESTA_CERTIFICATE='$user:$domain'/g" \
+        $VESTA/conf/vesta.conf
+fi
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
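Review bot: `kill -HUP $(cat /var/run/vesta-nginx.pid)` in the restart block trusts the pid file blindly: an empty or stale file makes `kill` fail with a usage error or signal an unrelated process, and the script still exits 0. Guard it, e.g. `pid=$(cat /var/run/vesta-nginx.pid 2>/dev/null); if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then kill -HUP "$pid"; else service vesta restart; fi`. As in v-add-sys-mail-ssl, the copied key gets no explicit mode after `cp`/`chown root:mail`; a `chmod 640 $vst_key` after the chown closes that. Whether the panel and FTP services actually run with group `mail`, which the `chown root:mail` presumes, is not visible here and is worth confirming.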

+ 11 - 11
bin/v-add-user-package

@@ -30,37 +30,37 @@ is_package_new() {
 is_package_consistent() {
 is_package_consistent() {
     source $pkg_dir/$package.pkg
     source $pkg_dir/$package.pkg
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
     if [ "$WEB_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $WEB_DOMAINS 'WEB_DOMAINS'
+        is_int_format_valid $WEB_DOMAINS 'WEB_DOMAINS'
     fi
     fi
     if [ "$WEB_ALIASES" != 'unlimited' ]; then
     if [ "$WEB_ALIASES" != 'unlimited' ]; then
-        is_format_valid_int $WEB_ALIASES 'WEB_ALIASES'
+        is_int_format_valid $WEB_ALIASES 'WEB_ALIASES'
     fi
     fi
     if [ "$DNS_DOMAINS" != 'unlimited' ]; then
     if [ "$DNS_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $DNS_DOMAINS 'DNS_DOMAINS'
+        is_int_format_valid $DNS_DOMAINS 'DNS_DOMAINS'
     fi
     fi
     if [ "$DNS_RECORDS" != 'unlimited' ]; then
     if [ "$DNS_RECORDS" != 'unlimited' ]; then
-        is_format_valid_int $DNS_RECORDS 'DNS_RECORDS'
+        is_int_format_valid $DNS_RECORDS 'DNS_RECORDS'
     fi
     fi
     if [ "$MAIL_DOMAINS" != 'unlimited' ]; then
     if [ "$MAIL_DOMAINS" != 'unlimited' ]; then
-        is_format_valid_int $MAIL_DOMAINS 'MAIL_DOMAINS'
+        is_int_format_valid $MAIL_DOMAINS 'MAIL_DOMAINS'
     fi
     fi
     if [ "$MAIL_ACCOUNTS" != 'unlimited' ]; then
     if [ "$MAIL_ACCOUNTS" != 'unlimited' ]; then
-        is_format_valid_int $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
+        is_int_format_valid $MAIL_ACCOUNTS 'MAIL_ACCOUNTS'
     fi
     fi
     if [ "$DATABASES" != 'unlimited' ]; then
     if [ "$DATABASES" != 'unlimited' ]; then
-        is_format_valid_int $DATABASES 'DATABASES'
+        is_int_format_valid $DATABASES 'DATABASES'
     fi
     fi
     if [ "$CRON_JOBS" != 'unlimited' ]; then
     if [ "$CRON_JOBS" != 'unlimited' ]; then
-        is_format_valid_int $CRON_JOBS 'CRON_JOBS'
+        is_int_format_valid $CRON_JOBS 'CRON_JOBS'
     fi
     fi
     if [ "$DISK_QUOTA" != 'unlimited' ]; then
     if [ "$DISK_QUOTA" != 'unlimited' ]; then
-        is_format_valid_int $DISK_QUOTA 'DISK_QUOTA'
+        is_int_format_valid $DISK_QUOTA 'DISK_QUOTA'
     fi
     fi
     if [ "$BANDWIDTH" != 'unlimited' ]; then
     if [ "$BANDWIDTH" != 'unlimited' ]; then
-        is_format_valid_int $BANDWIDTH 'BANDWIDTH'
+        is_int_format_valid $BANDWIDTH 'BANDWIDTH'
     fi
     fi
     if [ "$BACKUPS" != 'unlimited' ]; then
     if [ "$BACKUPS" != 'unlimited' ]; then
-        is_format_valid_int $BACKUPS 'BACKUPS'
+        is_int_format_valid $BACKUPS 'BACKUPS'
     fi
     fi
     is_format_valid_shell $SHELL
     is_format_valid_shell $SHELL
 }
 }

+ 7 - 3
bin/v-add-web-domain

@@ -47,6 +47,7 @@ is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_package_full 'WEB_DOMAINS' 'WEB_ALIASES'
 is_package_full 'WEB_DOMAINS' 'WEB_ALIASES'
 is_domain_new 'web' "$domain,$aliases"
 is_domain_new 'web' "$domain,$aliases"
+is_dir_symlink $HOMEDIR/$user/web
 if [ ! -z "$ip" ]; then
 if [ ! -z "$ip" ]; then
     is_ip_valid "$ip" "$user"
     is_ip_valid "$ip" "$user"
 else
 else
@@ -90,7 +91,7 @@ chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* $conf
 chmod 640 /var/log/$WEB_SYSTEM/domains/$domain.*
 chmod 640 /var/log/$WEB_SYSTEM/domains/$domain.*
 chmod 751 $HOMEDIR/$user/web/$domain $HOMEDIR/$user/web/$domain/*
 chmod 751 $HOMEDIR/$user/web/$domain $HOMEDIR/$user/web/$domain/*
 chmod 551 $HOMEDIR/$user/web/$domain/stats $HOMEDIR/$user/web/$domain/logs
 chmod 551 $HOMEDIR/$user/web/$domain/stats $HOMEDIR/$user/web/$domain/logs
-chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*
+chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*.*
 
 
 # Addding PHP-FPM backend
 # Addding PHP-FPM backend
 if [ ! -z "$WEB_BACKEND" ]; then
 if [ ! -z "$WEB_BACKEND" ]; then
@@ -112,9 +113,12 @@ if [ "$aliases" = 'none' ]; then
     ALIAS=''
     ALIAS=''
 else
 else
     ALIAS="www.$domain"
     ALIAS="www.$domain"
-    if [ ! -z "$aliases" ]; then
-        ALIAS="$ALIAS,$aliases"
+    if [ -z "$aliases" ]; then
+        ALIAS="www.$domain"
+    else
+        ALIAS="$aliases"
     fi
     fi
+    
     ip_alias=$(get_ip_alias $domain)
     ip_alias=$(get_ip_alias $domain)
     if [ ! -z "$ip_alias" ]; then
     if [ ! -z "$ip_alias" ]; then
         ALIAS="$ALIAS,$ip_alias"
         ALIAS="$ALIAS,$ip_alias"
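Review bot: In the ALIAS hunk the context assignment `ALIAS="www.$domain"` just above the new `if` is now dead, because both branches overwrite ALIAS; drop it or fold the branches into `ALIAS="${aliases:-www.$domain}"`. The new code also changes behaviour silently: when aliases are supplied, `www.$domain` is no longer added alongside them, whereas the removed lines appended `$aliases` to it — if that is intended, the script's header/usage should say so. The line of trailing spaces added after the inner `fi` is whitespace noise. The `chmod 644 .../public_*html/*.*` change in the earlier hunk now skips files without a dot in their name (e.g. `README`), which may be intended but deserves a comment.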

+ 20 - 0
bin/v-add-web-domain-ssl

@@ -120,6 +120,22 @@ check_result $? "Web restart failed" >/dev/null
 $BIN/v-restart-proxy $restart
 $BIN/v-restart-proxy $restart
 check_result $? "Proxy restart failed" >/dev/null
 check_result $? "Proxy restart failed" >/dev/null
 
 
+# Updating system ssl dependencies
+if [ ! -z "$VESTA_CERTIFICATE" ]; then
+    crt_user=$(echo "$VESTA_CERTIFICATE" |cut -f 1 -d :)
+    crt_domain=$(echo "$VESTA_CERTIFICATE" |cut -f 2 -d :)
+    if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
+        $BIN/v-add-sys-vesta-ssl $user $domain >/dev/null 2>&1
+    fi
+fi
+if [ ! -z "$MAIL_CERTIFICATE" ]; then
+    crt_user=$(echo "$MAIL_CERTIFICATE" |cut -f 1 -d :)
+    crt_domain=$(echo "$MAIL_CERTIFICATE" |cut -f 2 -d :)
+    if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
+        $BIN/v-add-sys-mail-ssl $user $domain >/dev/null 2>&1
+    fi
+fi
+
 if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
 if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
     hostname=$(hostname)
     hostname=$(hostname)
     if [ "$hostname" = "$domain" ]; then
     if [ "$hostname" = "$domain" ]; then
@@ -127,6 +143,10 @@ if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
     fi
     fi
 fi
 fi
 
 
+if [ ! -z "$UPDATE_SSL_SCRIPT" ]; then
+    eval "$UPDATE_SSL_SCRIPT $user $domain"
+fi
+
 # Logging
 # Logging
 log_history "enabled ssl support for $domain"
 log_history "enabled ssl support for $domain"
 log_event "$OK" "$ARGUMENTS"
 log_event "$OK" "$ARGUMENTS"
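Review bot: `eval "$UPDATE_SSL_SCRIPT $user $domain"` re-parses the concatenated string, so `$user` and `$domain` undergo word splitting and shell expansion a second time at eval time; unless `UPDATE_SSL_SCRIPT` must carry its own shell syntax, invoke it directly as `"$UPDATE_SSL_SCRIPT" "$user" "$domain"`. The hook itself comes from vesta.conf and is admin-controlled, but the user and domain arguments come from the caller and their validation is outside this hunk. The two `v-add-sys-*-ssl` calls above discard stdout and stderr and ignore their exit status, so a failed certificate sync is invisible; a `check_result $? "system ssl sync failed" >/dev/null` after each would match the restart calls above them.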

+ 38 - 19
bin/v-backup-user

@@ -68,8 +68,12 @@ while [ "$la" -ge "$BACKUP_LA_LIMIT" ]; do
     (( ++i))
     (( ++i))
 done
 done
 
 
+if [ -z "$BACKUP_TEMP" ]; then
+    BACKUP_TEMP=$BACKUP
+fi
+
 # Creating temporary directory
 # Creating temporary directory
-tmpdir=$(mktemp -p /tmp -d)
+tmpdir=$(mktemp -p $BACKUP_TEMP -d)
 
 
 if [ "$?" -ne 0 ]; then
 if [ "$?" -ne 0 ]; then
     echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
     echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
@@ -212,24 +216,32 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
             cp $USER_DATA/ssl/$domain.* vesta/
             cp $USER_DATA/ssl/$domain.* vesta/
         fi
         fi
 
 
+        # Changin dir to documentroot
+        cd $HOMEDIR/$user/web/$domain
+
         # Define exclude arguments
         # Define exclude arguments
         exlusion=$(echo -e "$WEB" |tr ',' '\n' |grep "^$domain:")
         exlusion=$(echo -e "$WEB" |tr ',' '\n' |grep "^$domain:")
         set -f
         set -f
         fargs=()
         fargs=()
-        fargs+=(--exclude='logs/*')
+        fargs+=(--exclude='./logs/*')
         if [ ! -z "$exlusion" ]; then
         if [ ! -z "$exlusion" ]; then
             xdirs="$(echo -e "$exlusion" |tr ':' '\n' |grep -v $domain)"
             xdirs="$(echo -e "$exlusion" |tr ':' '\n' |grep -v $domain)"
             for xpath in $xdirs; do
             for xpath in $xdirs; do
-                fargs+=(--exclude=$xpath/*)
-                echo "$(date "+%F %T") excluding directory $xpath"
-                msg="$msg\n$(date "+%F %T") excluding directory $xpath"
+                if [ -d "$xpath" ]; then
+                    fargs+=(--exclude=$xpath/*)
+                    echo "$(date "+%F %T") excluding directory $xpath"
+                    msg="$msg\n$(date "+%F %T") excluding directory $xpath"
+                else
+                    echo "$(date "+%F %T") excluding file $xpath"
+                    msg="$msg\n$(date "+%F %T") excluding file $xpath"
+                    fargs+=(--exclude=$xpath)
+                fi
             done
             done
         fi
         fi
         set +f
         set +f
 
 
         # Backup files
         # Backup files
-        cd $HOMEDIR/$user/web/$domain
-        tar -cpf- * ${fargs[@]} |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
+        tar --anchored -cpf- ${fargs[@]} * |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
     done
     done
 
 
     # Print total
     # Print total
@@ -388,14 +400,17 @@ if [ ! -z "$DB_SYSTEM" ] && [ "$DB" != '*' ]; then
         grep "DB='$database'" $conf > vesta/db.conf
         grep "DB='$database'" $conf > vesta/db.conf
 
 
         dump="$tmpdir/db/$database/$database.$TYPE.sql"
         dump="$tmpdir/db/$database/$database.$TYPE.sql"
+        dumpgz="$tmpdir/db/$database/$database.$TYPE.sql.gz"
         grants="$tmpdir/db/$database/conf/$database.$TYPE.$DBUSER"
         grants="$tmpdir/db/$database/conf/$database.$TYPE.$DBUSER"
-        case $TYPE in
-            mysql) dump_mysql_database ;;
-            pgsql) dump_pgsql_database ;;
-        esac
-
-        # Compress dump
-        gzip -$BACKUP_GZIP $dump
+        if [ ! -f "$dumpgz" ]; then
+            case $TYPE in
+                mysql) dump_mysql_database ;;
+                pgsql) dump_pgsql_database ;;
+            esac
+
+            # Compress dump
+            gzip -$BACKUP_GZIP $dump
+        fi
     done
     done
 
 
     # Print total
     # Print total
@@ -445,11 +460,15 @@ if [ "$USER" != '*' ]; then
     fi
     fi
     fargs=()
     fargs=()
     for xpath in $(echo "$USER" |tr ',' '\n'); do
     for xpath in $(echo "$USER" |tr ',' '\n'); do
-        fargs+=(-not)
-        fargs+=(-path)
-        fargs+=("./$xpath*")
-        echo "$(date "+%F %T") excluding directory $xpath" |\
+        if [ -d "$xpath" ]; then
+            fargs+=(--exclude=$xpath/*)
+            echo "$(date "+%F %T") excluding directory $xpath" |\
             tee -a $BACKUP/$user.log
             tee -a $BACKUP/$user.log
+        else
+            echo "$(date "+%F %T") excluding file $xpath" |\
+            tee -a $BACKUP/$user.log
+            fargs+=(--exclude=$xpath)
+        fi
     done
     done
 
 
     IFS=$'\n'
     IFS=$'\n'
@@ -464,7 +483,7 @@ if [ "$USER" != '*' ]; then
             echo -e "$(date "+%F %T") adding $udir" |tee -a $BACKUP/$user.log
             echo -e "$(date "+%F %T") adding $udir" |tee -a $BACKUP/$user.log
 
 
             # Backup files and dirs
             # Backup files and dirs
-            tar -cpf- $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
+            tar --anchored -cpf- ${fargs[@]} $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
         fi
         fi
     done
     done
     set +f
     set +f
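Review bot: `cd $HOMEDIR/$user/web/$domain` was moved ahead of the exclusion loop so the `-d "$xpath"` tests are relative to the docroot, but its result is still not checked: if the directory is missing or unreadable, the `[ -d ]` tests and `tar --anchored -cpf- ${fargs[@]} *` run in whatever directory the previous iteration left, and the wrong tree is archived under `$domain`. Use `cd "$HOMEDIR/$user/web/$domain" || { echo "$(date "+%F %T") can't cd to $domain docroot" |tee -a $BACKUP/$user.log; continue; }` (or abort the whole backup, as the tmpdir failure above does). The relative `-d "$xpath"` test in the user_dir hunk likewise depends on the current directory at that point, which is set outside the hunk; worth confirming it is `$HOMEDIR/$user`. The enclosing loops start and end outside these hunks.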

+ 3 - 0
bin/v-backup-users

@@ -28,6 +28,9 @@ if [ -z "$BACKUP_SYSTEM" ]; then
     exit
     exit
 fi
 fi
 for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
 for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
+    if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
+        continue;
+    fi
     check_suspend=$(grep "SUSPENDED='no'" $VESTA/data/users/$user/user.conf)
     check_suspend=$(grep "SUSPENDED='no'" $VESTA/data/users/$user/user.conf)
     log=$VESTA/log/backup.log
     log=$VESTA/log/backup.log
     if [ ! -z "$check_suspend" ]; then
     if [ ! -z "$check_suspend" ]; then

+ 50 - 26
bin/v-change-sys-ip-nat

@@ -34,48 +34,72 @@ is_ip_valid "$ip"
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Changing nat ip
+# Updating IP
 if [ -z "$(grep NAT= $VESTA/data/ips/$ip)" ]; then
 if [ -z "$(grep NAT= $VESTA/data/ips/$ip)" ]; then
     sed -i "s/^TIME/NAT='$nat_ip'\nTIME/g" $VESTA/data/ips/$ip
     sed -i "s/^TIME/NAT='$nat_ip'\nTIME/g" $VESTA/data/ips/$ip
+    old=''
+    new=$nat_ip
 else
 else
-    update_ip_value '$NAT' "$nat_ip"
+    old=$(get_ip_value '$NAT')
+    new=$nat_ip
+    sed -i "s/NAT=.*/NAT='$new'/" $VESTA/data/ips/$ip
+    if [ -z "$nat_ip" ]; then
+        new=$ip
+    fi
 fi
 fi
 
 
-# Check ftp system
-if [ "$FTP_SYSTEM" = 'vsftpd' ]; then
-
-    # Find configuration
-    if [ -e '/etc/vsftpd/vsftpd.conf' ]; then
-        conf='/etc/vsftpd/vsftpd.conf'
-    fi
+# Updating WEB configs
+if [ ! -z "$old" ] && [ ! -z "$WEB_SYSTEM" ]; then
+    sed -i "s/$old/$new/" $VESTA/data/users/*/web.conf
+    for user in $(ls $VESTA/data/users/); do
+        $BIN/v-rebuild-web-domains $user no
+    done
+    $BIN/v-restart-dns $restart
+fi
 
 
-    if [ -e '/etc/vsftpd.conf' ]; then
-        conf='/etc/vsftpd.conf'
-    fi
+# Updating DNS configs
+if [ ! -z "$old" ] && [ ! -z "$DNS_SYSTEM" ]; then
+    sed -i "s/$old/$new/" $VESTA/data/users/*/dns.conf
+    sed -i "s/$old/$new/" $VESTA/data/users/*/dns/*.conf
+    for user in $(ls $VESTA/data/users/); do
+        $BIN/v-rebuild-dns-domains $user no
+    done
+    $BIN/v-restart-dns $restart
+fi
 
 
-    # Update config
-    if [ -z "$(grep pasv_address $conf)" ]; then
-        if [ ! -z "$nat_ip" ]; then
-            echo "pasv_address=$nat_ip" >> $conf
-        fi
-    else
-        if [ ! -z "$nat_ip" ]; then
-            sed -i "s/pasv_address=.*/pasv_address='$nat_ip'/g" $conf
-        else
-            sed -i "/pasv_address/d" $conf
+# Updating FTP
+if [ ! -z "$old" ] && [ ! -z "$FTP_SYSTEM" ]; then
+    conf=$(find /etc -name $FTP_SYSTEM.conf)
+    if [ -e "$conf" ]; then
+        sed -i "s/$old/$new/g" $conf
+        if [ "$FTP_SYSTEM" = 'vsftpd' ]; then
+            check_pasv=$(grep pasv_address $conf)
+            if [ -z "$check_pasv" ] && [ ! -z "$nat_ip" ]; then
+                echo "pasv_address=$nat_ip" >> $conf
+            fi
+            if [ ! -z "$check_pasv" ] && [ -z "$nat_ip" ]; then
+                sed -i "/pasv_address/d" $conf
+            fi
+            if [ ! -z "$check_pasv" ] && [ ! -z "$nat_ip" ]; then
+                sed -i "s/pasv_address=.*/pasv_address='$nat_ip'/g" $conf
+            fi
         fi
         fi
     fi
     fi
+    $BIN/v-restart-ftp $restart
+fi
+
+# Updating firewall
+if [ ! -z "$old" ] && [ ! -z "$FIREWALL_SYSTEM" ]; then
+    sed -i "s/$old/$new/g" $VESTA/data/firewall/*.conf
+    $BIN/v-update-firewall
 fi
 fi
 
 
 
 
+
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                       Vesta                              #
 #                       Vesta                              #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Restart ftp server
-$BIN/v-restart-ftp $restart
-check_result $? "FTP restart failed" >/dev/null
-
 # Logging
 # Logging
 log_history "changed associated nat address on $ip to $nat_ip" '' 'admin'
 log_history "changed associated nat address on $ip to $nat_ip" '' 'admin'
 log_event "$OK" "$ARGUMENTS"
 log_event "$OK" "$ARGUMENTS"
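Review bot: The "Updating WEB configs" block ends with `$BIN/v-restart-dns $restart`, which looks copied from the DNS block below; after rebuilding the web domains it should be `$BIN/v-restart-web $restart` (plus `$BIN/v-restart-proxy $restart` when `$PROXY_SYSTEM` is set, as v-add-web-domain-ssl does). The substitutions `sed -i "s/$old/$new/" …` use the raw IP as a regex: the dots match any character and there is no boundary, so `10.0.0.1` also rewrites `10.0.0.10`, and the web/dns edits lack the `g` flag the firewall edit has; `sed -i "s/\b${old//./\\.}\b/$new/g"` is safer. The vsftpd line `pasv_address='$nat_ip'` is carried over from the removed code and writes the quotes into the value, which vsftpd takes literally; dropping them is a cheap fix while the block is being rewritten. The `v-restart-ftp` exit status is no longer checked, whereas the removed code followed it with `check_result $? "FTP restart failed"`.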

+ 10 - 2
bin/v-change-sys-service-config

@@ -95,13 +95,21 @@ if [ "$update" = 'yes' ] && [ "$restart" != 'no' ]; then
 
 
     if [ "$service" = 'php' ]; then
     if [ "$service" = 'php' ]; then
         if [ "$WEB_SYSTEM" = "nginx" ]; then
         if [ "$WEB_SYSTEM" = "nginx" ]; then
-            service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d / |sed -n 1p)
+            if [ $(ps --no-headers -o comm 1) == systemd ]; then
+                service=$(systemctl | grep -o -E "php.*fpm.*\.service")
+                service=${service//.service/}
+            else
+                service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d /)
+            fi
         else
         else
             service=$WEB_SYSTEM
             service=$WEB_SYSTEM
         fi
         fi
     fi
     fi
 
 
-    service $service restart >/dev/null 2>&1
+    for single_service in $service; do
+        service $single_service restart >/dev/null 2>&1
+    done <<< "$service"
+
     if [ $? -ne 0 ]; then
     if [ $? -ne 0 ]; then
         for config in $dst; do
         for config in $dst; do
             cat $config.vst.back > $config
             cat $config.vst.back > $config
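Review bot: The rollback check `if [ $? -ne 0 ]` after the new loop only sees the exit status of the last `service … restart`; with several php-fpm units, an earlier failure is silently ignored and the `.vst.back` configs are not restored. Track failure across the loop: `rc=0; for single_service in $service; do service $single_service restart >/dev/null 2>&1 || rc=1; done; if [ $rc -ne 0 ]; then`. The `<<< "$service"` here-string on the `for` loop does nothing (a `for … in` does not read stdin) and should be dropped. `systemctl` without `list-units --type=service --all` may page or omit inactive units, and the unquoted `[ $(ps --no-headers -o comm 1) == systemd ]` breaks if `ps` prints nothing; `[ "$(ps --no-headers -o comm 1)" = systemd ]` is the robust form.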

+ 1 - 1
bin/v-change-web-domain-ip

@@ -49,7 +49,7 @@ is_ip_valid "$ip" "$user"
 # Preparing variables for vhost replace
 # Preparing variables for vhost replace
 get_domain_values 'web'
 get_domain_values 'web'
 old=$(get_real_ip $IP)
 old=$(get_real_ip $IP)
-new=$ip
+new=$(get_real_ip $ip)
 
 
 # Replacing vhost
 # Replacing vhost
 replace_web_config "$WEB_SYSTEM" "$TPL.tpl"
 replace_web_config "$WEB_SYSTEM" "$TPL.tpl"

+ 0 - 162
bin/v-check-letsencrypt-domain

@@ -1,162 +0,0 @@
-#!/bin/bash
-# info: check letsencrypt domain
-# options: USER DOMAIN
-#
-# The function check and validates domain with LetsEncript
-
-
-#----------------------------------------------------------#
-#                    Variable&Function                     #
-#----------------------------------------------------------#
-
-# Argument definition
-user=$1
-domain=$2
-
-# Includes
-source $VESTA/func/main.sh
-source $VESTA/conf/vesta.conf
-
-# encode base64
-encode_base64() {
-    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
-}
-
-# Additional argument formatting
-format_domain_idn
-
-
-#----------------------------------------------------------#
-#                    Verifications                         #
-#----------------------------------------------------------#
-
-check_args '2' "$#" 'USER DOMAIN'
-is_format_valid 'user' 'domain'
-is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
-is_object_valid 'user' 'USER' "$user"
-is_object_unsuspended 'user' 'USER' "$user"
-if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
-    check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
-fi
-rdomain=$(egrep "'$domain'|'$domain,|,$domain,|,$domain'" $USER_DATA/web.conf)
-if [ -z "$rdomain" ]; then
-    check_result $E_NOTEXIST "domain $domain doesn't exist"
-fi
-
-
-#----------------------------------------------------------#
-#                       Action                             #
-#----------------------------------------------------------#
-
-source $USER_DATA/ssl/le.conf
-api='https://acme-v01.api.letsencrypt.org'
-r_domain=$(echo "$rdomain" |cut -f 2 -d \')
-key="$USER_DATA/ssl/user.key"
-exponent="$EXPONENT"
-modulus="$MODULUS"
-thumb="$THUMB"
-
-# Defining JWK header
-header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
-header='{"alg":"RS256","jwk":'"$header"'}'
-
-# Requesting nonce
-nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
-protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
-
-# Defining ACME query (request challenge)
-query='{"resource":"new-authz","identifier"'
-query=$query':{"type":"dns","value":"'"$domain_idn"'"}}'
-payload=$(echo -n "$query" |encode_base64)
-signature=$(printf "%s" "$protected.$payload" |\
-    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
-data='{"header":'"$header"',"protected":"'"$protected"'",'
-data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
-
-# Sending request to LetsEncrypt API
-answer=$(curl -s -i -d "$data" "$api/acme/new-authz")
-
-# Checking http answer status
-status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
-if [[ "$status" -ne "201" ]]; then
-    check_result $E_CONNECT "LetsEncrypt challenge request $status"
-fi
-
-# Parsing domain nonce,token and uri
-nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
-protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
-token=$(echo "$answer" |grep -A 3 http-01 |grep token |cut -f 4 -d \")
-uri=$(echo "$answer" |grep -A 3 http-01 |grep uri |cut -f 4 -d \")
-
-# Adding location wrapper for request challenge
-if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
-    conf="$HOMEDIR/$user/conf/web/nginx.$r_domain.conf_letsencrypt"
-    sconf="$HOMEDIR/$user/conf/web/snginx.$r_domain.conf_letsencrypt"
-    if [ ! -e "$conf" ]; then
-        echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' > $conf
-        echo '    default_type text/plain;' >> $conf
-        echo '    return 200 "$1.'$thumb'";' >> $conf
-        echo '}' >> $conf
-    fi
-    if [ ! -e "$sconf" ]; then
-        ln -s "$conf" "$sconf"
-    fi
-else
-    acme="$HOMEDIR/$user/web/$r_domain/public_html/.well-known/acme-challenge"
-    if [ ! -d "$acme" ]; then
-        mkdir -p $acme
-    fi
-    echo "$token.$thumb" > $acme/$token
-    chown -R $user:$user $HOMEDIR/$user/web/$r_domain/public_html/.well-known
-fi
-
-# Restarting web server
-if [ -z "$PROXY_SYSTEM" ]; then
-    $BIN/v-restart-web
-    check_result $? "Proxy restart failed" >/dev/null
-else
-    $BIN/v-restart-proxy
-    $BIN/v-restart-web
-    check_result $? "Web restart failed" >/dev/null
-fi
-
-# Defining ACME query (request validation)
-query='{"resource":"challenge","type":"http-01","keyAuthorization"'
-query=$query':"'$token.$thumb'","token":"'$token'"}'
-payload=$(echo -n "$query" |encode_base64)
-signature=$(printf "%s" "$protected.$payload" |\
-    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
-data='{"header":'"$header"',"protected":"'"$protected"'",'
-data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
-
-# Sending request to LetsEncrypt API
-answer=$(curl -s -i -d "$data" "$uri")
-
-# Checking domain validation status
-i=1
-status=$(echo $answer |tr ',' '\n' |grep status |cut -f 4 -d \")
-location=$(echo "$answer" |grep Location: |awk '{print $2}' |tr -d '\r\n')
-while [ "$status" = 'pending' ]; do
-    answer=$(curl -s -i "$location")
-    detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
-    status=$(echo "$answer" |tr ',' '\n' |grep status |cut -f 4 -d \")
-    sleep 1
-    i=$((i + 1))
-    if [ "$i" -gt 60 ]; then
-        check_result $E_CONNECT "$detail"
-    fi
-done
-if [ "$status" = 'invalid' ]; then
-    detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
-    check_result $E_CONNECT "$detail"
-fi
-
-
-#----------------------------------------------------------#
-#                       Vesta                              #
-#----------------------------------------------------------#
-
-# Logging
-log_event "$OK" "$ARGUMENTS"
-
-exit

+ 3 - 3
bin/v-check-user-hash

@@ -75,15 +75,15 @@ else
     method='des'
     method='des'
 fi
 fi
 
 
+# Checking salt
 if [ -z "$salt" ]; then
 if [ -z "$salt" ]; then
     echo "Error: password missmatch"
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     exit 9
     exit 9
 fi
 fi
 
 
-# Checking hash
-result=$(grep "^$user:$hash:" /etc/shadow 2>/dev/null)
-if [[ -z "$result" ]]; then
+# Comparing hashes
+if [[ "$shadow" != "$hash" ]]; then
     echo "Error: password missmatch"
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
     exit 9
     exit 9
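Review bot: The new test `[[ "$shadow" != "$hash" ]]` compares two variables that are both set outside this hunk; if `$shadow` can be empty (user absent from the shadow file, or the read failed) while `$hash` is also empty, the comparison passes and the login is accepted. Add an explicit guard next to the salt check, `if [ -z "$shadow" ] || [ -z "$hash" ]; then` with the same failure branch, so an empty value can never match. The removed grep anchored on `^$user:$hash:`, so it is worth confirming that `$shadow` is read for exactly that user. The enclosing script continues outside the hunk.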

+ 75 - 0
bin/v-delete-sys-mail-ssl

@@ -0,0 +1,75 @@
+#!/bin/bash
+# info: delete sys vesta user ssl certificate
+# options: NONE
+#
+# The script disables user domain ssl synchronization
+
+
+#----------------------------------------------------------#
+#                  Variable & Function                     #
+#----------------------------------------------------------#
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+vst_crt="$VESTA/ssl/certificate.crt"
+vst_key="$VESTA/ssl/certificate.key"
+
+# Updating mail certificate
+case $MAIL_SYSTEM in
+    exim)           conf='/etc/exim/exim.conf';;
+    exim4)          conf='/etc/exim4/exim4.conf.template';;
+esac
+if [ -e "$conf" ]; then
+    sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
+        -e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
+fi
+
+# Updating imap certificate
+conf="/etc/dovecot/conf.d/10-ssl.conf"
+if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
+    sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
+        -e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
+fi
+
+# Moving old certificates
+if [ -e "$VESTA/ssl/mail.crt" ]; then
+    mv -f $VESTA/ssl/mail.crt $VESTA/ssl/mail.crt.old
+fi
+if [ -e "VESTA/ssl/mail.key" ]; then
+    mv $VESTA/ssl/mail.key VESTA/ssl/mail.key.old
+fi
+
+# Updating vesta.conf value
+sed -i "/MAIL_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Restarting services
+if [ "$restart" != 'no' ]; then
+    if [ ! -z "$MAIL_SYSTEM" ]; then
+        $BIN/v-restart-service $MAIL_SYSTEM
+    fi
+    if [ ! -z "$IMAP_SYSTEM" ]; then
+        $BIN/v-restart-service $IMAP_SYSTEM
+    fi
+fi
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
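Review bot: The key rollover in "Moving old certificates" is broken by two missing `$`: `if [ -e "VESTA/ssl/mail.key" ]` tests a relative path and is never true, and `mv $VESTA/ssl/mail.key VESTA/ssl/mail.key.old` would move the private key to a relative `VESTA/ssl/` path under the current directory. Both lines should read `if [ -e "$VESTA/ssl/mail.key" ]; then` and `mv -f $VESTA/ssl/mail.key $VESTA/ssl/mail.key.old`, matching the `.crt` branch above; as written, the old mail key stays in place after exim/dovecot are pointed back at `certificate.key`. `$restart` is never assigned in this script (`options: NONE`), so the `"$restart" != 'no'` test always restarts; either take `restart=$1` and document it in the header, or drop the condition. The `# info:` header line is copied from v-delete-sys-vesta-ssl and should name the mail certificate.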

+ 37 - 0
bin/v-delete-sys-vesta-ssl

@@ -0,0 +1,37 @@
+#!/bin/bash
+# info: delete sys vesta user ssl certificate
+# options: NONE
+#
+# The script disables user domain ssl synchronization
+
+
+#----------------------------------------------------------#
+#                  Variable & Function                     #
+#----------------------------------------------------------#
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Updating vesta.conf value
+sed -i "/VESTA_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
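Review bot: The address in `sed -i "/VESTA_CERTIFICATE=/ d" $VESTA/conf/vesta.conf` is unanchored, so any line that merely contains `VESTA_CERTIFICATE=` somewhere would be deleted as well; anchor it to the key at line start, `sed -i "/^VESTA_CERTIFICATE=/ d" $VESTA/conf/vesta.conf`. The header comment says the script deletes the vesta certificate, but the body only removes the config flag and touches nothing under $VESTA/ssl and restarts no service; if that is the intent, say so in the header, e.g. `# Only the VESTA_CERTIFICATE flag is removed; files under $VESTA/ssl are left in place`. The empty Verifications section is consistent with `options: NONE`.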

+ 6 - 4
bin/v-list-letsencrypt-user

@@ -23,7 +23,8 @@ json_list() {
         "EMAIL": "'$EMAIL'",
         "EMAIL": "'$EMAIL'",
         "EXPONENT": "'$EXPONENT'",
         "EXPONENT": "'$EXPONENT'",
         "MODULUS": "'$MODULUS'",
         "MODULUS": "'$MODULUS'",
-        "THUMB: "'$THUMB'"
+        "THUMB": "'$THUMB'",
+        "KID": "'$KID'"
     }'
     }'
     echo '}'
     echo '}'
 }
 }
@@ -35,17 +36,18 @@ shell_list() {
     echo "THUMB:          $THUMB"
     echo "THUMB:          $THUMB"
     echo "EXPONENT:       $EXPONENT"
     echo "EXPONENT:       $EXPONENT"
     echo "MODULUS:        $MODULUS"
     echo "MODULUS:        $MODULUS"
+    echo "KID:            $KID"
 }
 }
 
 
 # PLAIN list function
 # PLAIN list function
 plain_list() {
 plain_list() {
-    echo -e "$user\t$EMAIL\t$EXPONENT\t$MODULUS\t$THUMB"
+    echo -e "$user\t$EMAIL\t$EXPONENT\t$MODULUS\t$THUMB\t$KID"
 }
 }
 
 
 # CSV list function
 # CSV list function
 csv_list() {
 csv_list() {
-    echo "USER,EMAIL,EXPONENT,MODULUS,THUMB"
-    echo "$user,$EMAIL,$EXPONENT,$MODULUS,$THUMB"
+    echo "USER,EMAIL,EXPONENT,MODULUS,THUMB,KID"
+    echo "$user,$EMAIL,$EXPONENT,$MODULUS,$THUMB,$KID"
 }
 }
 
 
 
 

+ 1 - 1
bin/v-list-mail-domain-dkim-dns

@@ -67,7 +67,7 @@ is_object_valid 'mail' 'DOMAIN' "$domain"
 
 
 # Parsing domain keys
 # Parsing domain keys
 if [ -e "$USER_DATA/mail/$domain.pub" ]; then
 if [ -e "$USER_DATA/mail/$domain.pub" ]; then
-    pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----")
+    pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----" |tr -d "\n\r")
     pub=$(echo "$pub" |sed ':a;N;$!ba;s/\n/\\n/g')
     pub=$(echo "$pub" |sed ':a;N;$!ba;s/\n/\\n/g')
 else
 else
     pub="DKIM-SUPPORT-IS-NOT-ACTIVATED"
     pub="DKIM-SUPPORT-IS-NOT-ACTIVATED"
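Review bot: After the added `|tr -d "\n\r"` on the `pub=` line the value contains no newlines, so the following `pub=$(echo "$pub" |sed ':a;N;$!ba;s/\n/\\n/g')` has nothing left to convert and is now dead code. Either drop that line, or drop the `tr` and keep the newline-to-literal-`\n` conversion if consumers of this output expect the `\n` separators. Which representation the callers expect is not visible here.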

+ 15 - 4
bin/v-list-sys-config

@@ -51,7 +51,9 @@ json_list() {
         "MAIL_URL": "'$MAIL_URL'",
         "MAIL_URL": "'$MAIL_URL'",
         "DB_PMA_URL": "'$DB_PMA_URL'",
         "DB_PMA_URL": "'$DB_PMA_URL'",
         "DB_PGA_URL": "'$DB_PGA_URL'",
         "DB_PGA_URL": "'$DB_PGA_URL'",
-        "SOFTACULOUS": "'$SOFTACULOUS'"
+        "SOFTACULOUS": "'$SOFTACULOUS'",
+        "MAIL_CERTIFICATE": "'$MAIL_CERTIFICATE'",
+        "VESTA_CERTIFICATE": "'$VESTA_CERTIFICATE'"
     }
     }
 }'
 }'
 }
 }
@@ -138,6 +140,12 @@ shell_list() {
     if [ ! -z "$LANGUAGE" ] && [ "$LANGUAGE" != 'en' ]; then
     if [ ! -z "$LANGUAGE" ] && [ "$LANGUAGE" != 'en' ]; then
         echo "Language:       $LANGUAGE"
         echo "Language:       $LANGUAGE"
     fi
     fi
+    if [ ! -z "$MAIL_CERTIFICATE" ]; then
+        echo "Mail SSL:       $MAIL_CERTIFICATE"
+    fi
+    if [ ! -z "$VESTA_CERTIFICATE" ]; then
+        echo "Vesta SSL:      $VESTA_CERTIFICATE"
+    fi
     echo "Version:        $VERSION"
     echo "Version:        $VERSION"
 }
 }
 
 
@@ -151,7 +159,8 @@ plain_list() {
     echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t"
     echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t"
     echo -ne "$FIREWALL_EXTENSION\t$FILEMANAGER_KEY\t$SFTPJAIL_KEY\t"
     echo -ne "$FIREWALL_EXTENSION\t$FILEMANAGER_KEY\t$SFTPJAIL_KEY\t"
     echo -ne "$REPOSITORY\t$VERSION\t$LANGUAGE\t$BACKUP_GZIP\t$BACKUP\t"
     echo -ne "$REPOSITORY\t$VERSION\t$LANGUAGE\t$BACKUP_GZIP\t$BACKUP\t"
-    echo -e "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL"
+    echo -ne "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL\t$MAIL_CERTIFICATE\t"
+    echo -e  "$VESTA_CERTIFICATE"
 }
 }
 
 
 
 
@@ -165,7 +174,8 @@ csv_list() {
     echo -n "'CRON_SYSTEM','DISK_QUOTA','FIREWALL_SYSTEM',"
     echo -n "'CRON_SYSTEM','DISK_QUOTA','FIREWALL_SYSTEM',"
     echo -n "'FIREWALL_EXTENSION','FILEMANAGER_KEY','SFTPJAIL_KEY',"
     echo -n "'FIREWALL_EXTENSION','FILEMANAGER_KEY','SFTPJAIL_KEY',"
     echo -n "'REPOSITORY','VERSION','LANGUAGE','BACKUP_GZIP','BACKUP',"
     echo -n "'REPOSITORY','VERSION','LANGUAGE','BACKUP_GZIP','BACKUP',"
-    echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL'"
+    echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL', 'SOFTACULOUS',"
+    echo -n "'MAIL_CERTIFICATE','VESTA_CERTIFICATE'"
     echo
     echo
     echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
     echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
     echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
     echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
@@ -176,6 +186,7 @@ csv_list() {
     echo -n "'$FIREWALL_EXTENSION','$FILEMANAGER_KEY','$SFTPJAIL_KEY',"
     echo -n "'$FIREWALL_EXTENSION','$FILEMANAGER_KEY','$SFTPJAIL_KEY',"
     echo -n "'$REPOSITORY','$VERSION','$LANGUAGE','$BACKUP_GZIP','$BACKUP',"
     echo -n "'$REPOSITORY','$VERSION','$LANGUAGE','$BACKUP_GZIP','$BACKUP',"
     echo -n "'$MAIL_URL','$DB_PMA_URL','$DB_PGA_URL', '$SOFTACULOUS'"
     echo -n "'$MAIL_URL','$DB_PMA_URL','$DB_PGA_URL', '$SOFTACULOUS'"
+    echo -n "'$MAIL_CERTIFICATE','$VESTA_CERTIFICATE'"
     echo
     echo
 }
 }
 
 
@@ -187,7 +198,7 @@ csv_list() {
 # Listing data
 # Listing data
 case $format in
 case $format in
     json)   json_list ;;
     json)   json_list ;;
-    plain)  shell_list ;;
+    plain)  plain_list ;;
     csv)    csv_list ;;
     csv)    csv_list ;;
     shell)  shell_list ;;
     shell)  shell_list ;;
 esac
 esac
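Review bot: In csv_list the new data line `echo -n "'$MAIL_CERTIFICATE','$VESTA_CERTIFICATE'"` is printed directly after the existing line ending in `'$SOFTACULOUS'"` with no separating comma, so the SOFTACULOUS and MAIL_CERTIFICATE values run together into one field and the data row has one column fewer than the header. Change it to `echo -n ",'$MAIL_CERTIFICATE','$VESTA_CERTIFICATE'"`. The header row also carries a stray space in `'DB_PGA_URL', 'SOFTACULOUS',`, mirroring the existing data line; strict CSV readers keep that space as part of the field, so both would be better without it. The `plain) plain_list` case fix is correct.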

+ 135 - 0
bin/v-list-sys-mail-ssl

@@ -0,0 +1,135 @@
+#!/bin/bash
+# info: list mail ssl certificate
+# options: [FORMAT]
+#
+# The function of obtaining mail ssl files.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+# JSON list function
+json_list() {
+    echo '{'
+    echo -e "\t\"MAIL\": {"
+    echo "        \"CRT\": \"$crt\","
+    echo "        \"KEY\": \"$key\","
+    echo "        \"CA\": \"$ca\","
+    echo "        \"SUBJECT\": \"$subj\","
+    echo "        \"ALIASES\": \"$alt_dns\","
+    echo "        \"NOT_BEFORE\": \"$before\","
+    echo "        \"NOT_AFTER\": \"$after\","
+    echo "        \"SIGNATURE\": \"$signature\","
+    echo "        \"PUB_KEY\": \"$pub_key\","
+    echo "        \"ISSUER\": \"$issuer\""
+    echo -e "\t}\n}"
+}
+
+# SHELL list function
+shell_list() {
+    if [ ! -z "$crt" ]; then
+        echo -e "$crt"
+    fi
+    if [ ! -z "$key" ]; then
+        echo -e "\n$key"
+    fi
+    if [ ! -z "$crt" ]; then
+        echo
+        echo
+        echo "SUBJECT:        $subj"
+        if [ ! -z "$alt_dns" ]; then
+            echo "ALIASES:        ${alt_dns//,/ }"
+        fi
+        echo "VALID FROM:     $before"
+        echo "VALID TIL:      $after"
+        echo "SIGNATURE:      $signature"
+        echo "PUB_KEY:        $pub_key"
+        echo "ISSUER:         $issuer"
+    fi
+}
+
+# PLAIN list function
+plain_list() {
+    if [ ! -z "$crt" ]; then
+        echo -e "$crt"
+    fi
+    if [ ! -z "$key" ]; then
+        echo -e "\n$key"
+    fi
+    if [ ! -z "$ca" ]; then
+        echo -e "\n$ca"
+    fi
+    if [ ! -z "$crt" ]; then
+        echo "$subj"
+        echo "${alt_dns//,/ }"
+        echo "$before"
+        echo "$after"
+        echo "$signature"
+        echo "$pub_key"
+        echo "$issuer"
+    fi
+
+}
+
+# CSV list function
+csv_list() {
+    echo -n "CRT,KEY,CA,SUBJECT,ALIASES,NOT_BEFORE,NOT_AFTER,SIGNATURE,"
+    echo "PUB_KEY,ISSUER"
+    echo -n "\"$crt\",\"$key\",\"$ca\",\"$subj\",\"${alt_dns//,/ }\","
+    echo "\"$before\",\"$after\",\"$signature\",\"$pub_key\",\"$issuer\""
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Parsing SSL certificate
+if [ ! -e "$VESTA/ssl/mail.crt" ] || [ ! -e "$VESTA/ssl/mail.key" ]; then
+    exit
+fi
+
+crt=$(cat $VESTA/ssl/mail.crt |sed ':a;N;$!ba;s/\n/\\n/g')
+key=$(cat $VESTA/ssl/mail.key |sed ':a;N;$!ba;s/\n/\\n/g')
+
+
+# Parsing SSL certificate details without CA
+info=$(openssl x509 -text -in $VESTA/ssl/mail.crt)
+subj=$(echo "$info" |grep Subject: |cut -f 2 -d =)
+before=$(echo "$info" |grep Before: |sed -e "s/.*Before: //")
+after=$(echo "$info" |grep "After :" |sed -e "s/.*After : //")
+signature=$(echo "$info" |grep "Algorithm:" |head -n1 )
+signature=$(echo "$signature"| sed -e "s/.*Algorithm: //")
+pub_key=$(echo "$info" |grep Public-Key: |cut -f2 -d \( | tr -d \))
+issuer=$(echo "$info" |grep Issuer: |sed -e "s/.*Issuer: //")
+alt_dns=$(echo "$info" |grep DNS |sed -e 's/DNS:/\n/g' |tr -d ',')
+alt_dns=$(echo "$alt_dns" |tr -d ' ' |sed -e "/^$/d")
+alt_dns=$(echo "$alt_dns" |sed -e ':a;N;$!ba;s/\n/,/g')
+
+# Listing data
+case $format in
+    json)   json_list ;;
+    plain)  plain_list ;;
+    csv)    csv_list ;;
+    shell)  shell_list ;;
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
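Review bot: The values taken from `openssl x509 -text` (subj, issuer, alt_dns) are interpolated into the JSON output unescaped, whereas v-list-web-domain-ssl in this same commit escapes `"` in issuer before json_list runs; a subject or issuer containing a double quote yields invalid JSON here. Apply the same treatment before the case statement, e.g. `subj=$(echo "$subj" |sed -e 's/"/\\"/g')` and likewise for issuer. Separately, `$ca` is printed by json_list, plain_list and csv_list but is never assigned in this script (no CA file under $VESTA/ssl is read), so the CA field is always empty unless main.sh sets it; either read the CA file or drop the field, and adjust the comment "Parsing SSL certificate details without CA" accordingly.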

+ 13 - 10
bin/v-list-user-log

@@ -23,7 +23,10 @@ json_list() {
     objects=$(echo "$logs" |wc -l)
     objects=$(echo "$logs" |wc -l)
     echo "{"
     echo "{"
     for str in $logs; do
     for str in $logs; do
-        eval $str
+        ID=$(echo "$str" |cut -f 2 -d \')
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         CMD=${CMD//\"/\\\"}
         CMD=${CMD//\"/\\\"}
         echo -n '    "'$ID'": {
         echo -n '    "'$ID'": {
         "CMD": "'$CMD'",
         "CMD": "'$CMD'",
@@ -46,13 +49,9 @@ shell_list() {
     echo "DATE~TIME~CMD"
     echo "DATE~TIME~CMD"
     echo "----~----~---"
     echo "----~----~---"
     for str in $logs; do
     for str in $logs; do
-        eval $str
-        if [ -z "$DATE" ]; then
-            DATE='no'
-        fi
-        if [ -z "$TIME" ]; then
-            TIME='no'
-        fi
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo "$DATE~$TIME~$CMD"
         echo "$DATE~$TIME~$CMD"
     done
     done
 }
 }
@@ -61,7 +60,9 @@ shell_list() {
 plain_list() {
 plain_list() {
     IFS=$'\n'
     IFS=$'\n'
     for str in $logs; do
     for str in $logs; do
-        eval $str
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"
         echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"
     done
     done
 }
 }
@@ -71,7 +72,9 @@ csv_list() {
     IFS=$'\n'
     IFS=$'\n'
     echo "ID,CMD,UNDO,TIME,DATE"
     echo "ID,CMD,UNDO,TIME,DATE"
     for str in $logs; do
     for str in $logs; do
-        eval $str
+        DATE=$(echo "$str" |cut -f 4 -d \')
+        TIME=$(echo "$str" |cut -f 6 -d \')
+        CMD=$(echo "$str" |cut -f 8 -d \')
         echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE"
         echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE"
     done
     done
 }
 }
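Review bot: plain_list and csv_list still print `$ID` and `$UNDO` on their echo lines, but after `eval $str` was replaced only DATE, TIME and CMD are parsed there, so those two columns are now always empty (json_list parses ID but not UNDO). Add `ID=$(echo "$str" |cut -f 2 -d \')` to both functions, plus a matching cut for UNDO using whichever quoted field position it occupies in the log line (not visible here). Dropping eval on log content is the right move; note that the cut-based parsing assumes a fixed field order and values free of single quotes, which is worth a one-line comment above the first cut. shell_list also lost the `DATE='no'`/`TIME='no'` fallbacks, so empty fields now print as empty.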

+ 18 - 7
bin/v-list-users

@@ -15,9 +15,14 @@ format=${1-shell}
 # JSON list function
 # JSON list function
 json_list() {
 json_list() {
     echo '{'
     echo '{'
-    object_count=$(grep '@' /etc/passwd |wc -l)
     i=1
     i=1
     while read USER; do
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
+        if [ $i -gt 1 ]; then
+            echo ","
+        fi
         source $VESTA/data/users/$USER/user.conf
         source $VESTA/data/users/$USER/user.conf
         echo -n '    "'$USER'": {
         echo -n '    "'$USER'": {
         "FNAME": "'$FNAME'",
         "FNAME": "'$FNAME'",
@@ -74,14 +79,8 @@ json_list() {
         "TIME": "'$TIME'",
         "TIME": "'$TIME'",
         "DATE": "'$DATE'"
         "DATE": "'$DATE'"
         }'
         }'
-        if [ "$i" -lt "$object_count" ]; then
-            echo ','
-        else
-            echo
-        fi
         ((i++))
         ((i++))
     done < <(grep '@' /etc/passwd |cut -f1 -d:)
     done < <(grep '@' /etc/passwd |cut -f1 -d:)
-
     echo '}'
     echo '}'
 }
 }
 
 
@@ -90,6 +89,9 @@ shell_list() {
     echo "USER   PKG   WEB   DNS   MAIL   DB   DISK   BW   SPND   DATE"
     echo "USER   PKG   WEB   DNS   MAIL   DB   DISK   BW   SPND   DATE"
     echo "----   ---   ---   ---   ---    --   ----   --   ----   ----"
     echo "----   ---   ---   ---   ---    --   ----   --   ----   ----"
     while read USER; do
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         source $VESTA/data/users/$USER/user.conf
         echo -n "$USER $PACKAGE $U_WEB_DOMAINS $U_DNS_DOMAINS $U_MAIL_DOMAINS"
         echo -n "$USER $PACKAGE $U_WEB_DOMAINS $U_DNS_DOMAINS $U_MAIL_DOMAINS"
         echo " $U_DATABASES $U_DISK $U_BANDWIDTH $SUSPENDED $DATE"
         echo " $U_DATABASES $U_DISK $U_BANDWIDTH $SUSPENDED $DATE"
@@ -99,6 +101,9 @@ shell_list() {
 # PLAIN list function
 # PLAIN list function
 plain_list() {
 plain_list() {
     while read USER; do
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         source $VESTA/data/users/$USER/user.conf
         echo -ne "$USER\t$FNAME\t$LNAME\t$PACKAGE\t$WEB_TEMPLATE\t"
         echo -ne "$USER\t$FNAME\t$LNAME\t$PACKAGE\t$WEB_TEMPLATE\t"
         echo -ne "$BACKEND_TEMPLATE\t$PROXY_TEMPLATE\t$DNS_TEMPLATE\t"
         echo -ne "$BACKEND_TEMPLATE\t$PROXY_TEMPLATE\t$DNS_TEMPLATE\t"
@@ -131,6 +136,9 @@ csv_list() {
     echo -n "U_MAIL_DOMAINS,U_MAIL_DKIM,U_MAIL_ACCOUNTS,U_DATABASES"
     echo -n "U_MAIL_DOMAINS,U_MAIL_DKIM,U_MAIL_ACCOUNTS,U_DATABASES"
     echo "U_CRON_JOBS,U_BACKUPS,LANGUAGE,TIME,DATE"
     echo "U_CRON_JOBS,U_BACKUPS,LANGUAGE,TIME,DATE"
     while read USER; do
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         source $VESTA/data/users/$USER/user.conf
         source $VESTA/data/users/$USER/user.conf
         echo -n "$USER,\"$FNAME\",\"$LNAME\",$PACKAGE,$WEB_TEMPLATE,"
         echo -n "$USER,\"$FNAME\",\"$LNAME\",$PACKAGE,$WEB_TEMPLATE,"
         echo -n "$BACKEND_TEMPLATE,$PROXY_TEMPLATE,$DNS_TEMPLATE,"
         echo -n "$BACKEND_TEMPLATE,$PROXY_TEMPLATE,$DNS_TEMPLATE,"
@@ -151,6 +159,9 @@ csv_list() {
 # Raw list function
 # Raw list function
 raw_list() {
 raw_list() {
     while read USER; do
     while read USER; do
+        if [ ! -f "$VESTA/data/users/$USER/user.conf" ]; then
+            continue;
+        fi
         echo $VESTA/data/users/$USER/user.conf
         echo $VESTA/data/users/$USER/user.conf
         cat $VESTA/data/users/$USER/user.conf
         cat $VESTA/data/users/$USER/user.conf
     done < <(grep '@' /etc/passwd |cut -f1 -d:)
     done < <(grep '@' /etc/passwd |cut -f1 -d:)
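Review bot: The `continue;` statements in the new skip checks carry a trailing semicolon that is a no-op in bash; write them as `continue` to match the rest of the file. In json_list, with the removed `else echo` branch the last object's `}'` is printed by `echo -n` and `echo '}'` follows on the same line, so the output ends in `}}` — still valid JSON, but an `echo` before `echo '}'` would restore the previous layout. The user.conf guard is repeated in five functions; a small helper such as `has_conf() { [ -f "$VESTA/data/users/$1/user.conf" ]; }` would keep them in step.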

+ 1 - 0
bin/v-list-web-domain-ssl

@@ -19,6 +19,7 @@ source $VESTA/func/main.sh
 
 
 # JSON list function
 # JSON list function
 json_list() {
 json_list() {
+    issuer=$(echo "$issuer" |sed -e 's/"/\\"/g' -e "s/%quote%/'/g")
     echo '{'
     echo '{'
     echo -e "\t\"$domain\": {"
     echo -e "\t\"$domain\": {"
     echo "        \"CRT\": \"$crt\","
     echo "        \"CRT\": \"$crt\","
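Review bot: The new escaping line rewrites only `$issuer`, while the other free-text certificate fields that json_list presumably prints the same way (the subject in particular) stay unescaped; if they are emitted unescaped, apply the same `sed -e 's/"/\\"/g'` to them. Doing the rewrite inside json_list also mutates the global for anything that runs afterwards; assigning an escaped copy to a separate variable used only in the JSON lines keeps the function side-effect free. The rest of json_list is outside the hunk.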

+ 5 - 0
bin/v-open-fs-config

@@ -35,6 +35,11 @@ if [ ! -z "$src_file" ]; then
         echo "Error: invalid source path $src_file"
         echo "Error: invalid source path $src_file"
         exit 2
         exit 2
     fi
     fi
+    spath=$(echo "$rpath" |egrep "/etc|/var/lib")
+    if [ -z "$spath" ]; then
+        echo "Error: invalid source path $src_file"
+        exit 2
+    fi
 fi
 fi
 
 
 # Reading conf
 # Reading conf
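Review bot: The new allow-list check `egrep "/etc|/var/lib"` is an unanchored substring match on `$rpath`, so a path that merely has `/etc` or `/var/lib` as a later component passes, and so do names such as `/etcX`. Anchor both alternatives to the start of the path and a directory boundary: `spath=$(echo "$rpath" |egrep "^/etc/|^/var/lib/")`. This assumes `$rpath` is already the resolved absolute path; the earlier check that sets it is outside the hunk.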

+ 2 - 2
bin/v-rebuild-web-domains

@@ -37,7 +37,7 @@ is_object_unsuspended 'user' 'USER' "$user"
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
 # Deleting old web configs
 # Deleting old web configs
-sed -i "/.*\/$user\//d" /etc/$WEB_SYSTEM/conf.d/vesta.conf
+sed -i "/.*\/$user\/conf\/web\//d" /etc/$WEB_SYSTEM/conf.d/vesta.conf
 if [ -e "$HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf"  ]; then
 if [ -e "$HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf"  ]; then
     rm $HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf
     rm $HOMEDIR/$user/conf/web/$WEB_SYSTEM.conf
 fi
 fi
@@ -47,7 +47,7 @@ fi
 
 
 # Deleting old proxy configs
 # Deleting old proxy configs
 if [ ! -z "$PROXY_SYSTEM" ]; then
 if [ ! -z "$PROXY_SYSTEM" ]; then
-    sed -i "/.*\/$user\//d" /etc/$PROXY_SYSTEM/conf.d/vesta.conf
+    sed -i "/.*\/$user\/conf\/web\//d" /etc/$PROXY_SYSTEM/conf.d/vesta.conf
 
 
     if [ -e "$HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf" ]; then
     if [ -e "$HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf" ]; then
         rm $HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf
         rm $HOMEDIR/$user/conf/web/$PROXY_SYSTEM.conf
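Review bot: In both new sed addresses the leading `.*\/` is redundant, since a sed address is already an unanchored search, and `$user` is inserted into the regex without escaping; `/\/$user\/conf\/web\//d` reads the same and behaves the same, and if user names are allowed to contain regex metacharacters (validation is not visible here), escape them first. The narrowing to `/conf/web/` is an improvement, as the old pattern also removed any line mentioning `/$user/` elsewhere in the include file.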

+ 5 - 1
bin/v-restore-user

@@ -229,8 +229,12 @@ while [ "$la" -ge "$BACKUP_LA_LIMIT" ]; do
     (( ++i))
     (( ++i))
 done
 done
 
 
+if [ -z "$BACKUP_TEMP" ]; then
+    BACKUP_TEMP=$BACKUP
+fi
+
 # Creating temporary directory
 # Creating temporary directory
-tmpdir=$(mktemp -p /tmp -d)
+tmpdir=$(mktemp -p $BACKUP_TEMP -d)
 if [ "$?" -ne 0 ]; then
 if [ "$?" -ne 0 ]; then
     echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
     echo "Can't create tmp dir $tmpdir" |$SENDMAIL -s "$subj" $email $notify
     sed -i "/ $user /d" $VESTA/data/queue/backup.pipe
     sed -i "/ $user /d" $VESTA/data/queue/backup.pipe
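Review bot: With `mktemp -p $BACKUP_TEMP -d`, an empty `$BACKUP_TEMP` (when `$BACKUP` is also unset) expands to nothing and mktemp then takes `-d` as the argument of `-p`, so a configuration that previously worked with /tmp now fails. Quote the expansion and keep /tmp as the final fallback: `BACKUP_TEMP=${BACKUP:-/tmp}` in the new if-block and `tmpdir=$(mktemp -p "$BACKUP_TEMP" -d)`. The failure message on the following lines reports `$tmpdir`, which is empty in that case — pre-existing, but worth fixing while here.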

+ 93 - 0
bin/v-search-ssl-certificates

@@ -0,0 +1,93 @@
+#!/bin/bash
+# info: search ssl certificates
+# options: [FORMAT]
+#
+# The function to obtain the list of available ssl certificates.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+# JSON list function
+json_list() {
+    IFS=$'\n'
+    objects=$(echo "$search_cmd" |wc -l)
+    i=1
+    echo '['
+    for str in $search_cmd; do
+        eval $str
+        if [ "$i" -lt "$objects" ]; then
+            echo -e  "\t\"$USER:$DOMAIN\","
+        else
+            echo -e  "\t\"$USER:$DOMAIN\""
+        fi
+        (( ++i))
+    done
+    echo "]"
+}
+
+# SHELL list function
+shell_list() {
+    IFS=$'\n'
+    echo "USER   DOMAIN"
+    echo "----   ------"
+    for str in $search_cmd; do
+        eval $str
+        echo "$USER $DOMAIN"
+    done
+}
+
+# PLAIN list function
+plain_list() {
+    IFS=$'\n'
+    for str in $search_cmd; do
+        eval $str
+        echo -e "$USER\t$DOMAIN"
+    done
+}
+
+# CSV list function
+csv_list() {
+    IFS=$'\n'
+    echo "USER,DOMAIN"
+    for str in $search_cmd; do
+        eval $str
+        echo  "$USER,$DOMAIN"
+    done
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+search_cmd=$(grep -H "SSL='yes'" $VESTA/data/users/*/web.conf |\
+    cut -f 1 -d ' ' |\
+    sed -e "s|$VESTA/data/users/|USER='|" -e "s|/web.conf:|' |")
+
+# Listing data
+case $format in
+    json)   json_list ;;
+    plain)  plain_list ;;
+    csv)    csv_list ;;
+    shell)  shell_list |column -t ;;
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
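Review bot: Each list function runs `eval $str` on a string assembled from grep output of the users' web.conf files, while this same commit removes `eval` from v-list-user-log for exactly that reason; since the format is fixed to `USER='…' DOMAIN='…'`, the two values can be taken with `USER=$(echo "$str" |cut -f 2 -d \')` and `DOMAIN=$(echo "$str" |cut -f 4 -d \')` instead. The `cut -f 1 -d ' '` step also assumes `DOMAIN=` is the first key on every web.conf line, which deserves a comment above `search_cmd`. When nothing matches, `wc -l` still reports 1 for the empty string, which is harmless here because the for loop then has nothing to iterate.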

+ 0 - 110
bin/v-sign-letsencrypt-csr

@@ -1,110 +0,0 @@
-#!/bin/bash
-# info: sing letsencrypt csr
-# options: USER DOMAIN CSR_DIR [FORMAT]
-#
-# The function signs certificate request using LetsEncript API
-
-
-#----------------------------------------------------------#
-#                    Variable&Function                     #
-#----------------------------------------------------------#
-
-# Argument definition
-user=$1
-domain=$2
-csr="$3/$domain.csr"
-format=$4
-
-# Includes
-source $VESTA/func/main.sh
-source $VESTA/conf/vesta.conf
-
-# encode base64
-encode_base64() {
-    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
-}
-
-
-#----------------------------------------------------------#
-#                    Verifications                         #
-#----------------------------------------------------------#
-
-check_args '3' "$#" 'USER DOMAIN CSR'
-is_format_valid 'user' 'domain'
-is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
-is_object_valid 'user' 'USER' "$user"
-is_object_unsuspended 'user' 'USER' "$user"
-if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
-    check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
-fi
-check_domain=$(grep -w "$domain'" $USER_DATA/web.conf)
-if [ -z "$check_domain" ]; then
-    check_result $E_NOTEXIST "domain $domain doesn't exist"
-fi
-if [ ! -e "$csr" ]; then
-    check_result $E_NOTEXIST "$csr doesn't exist"
-fi
-
-
-#----------------------------------------------------------#
-#                       Action                             #
-#----------------------------------------------------------#
-
-source $USER_DATA/ssl/le.conf
-api='https://acme-v01.api.letsencrypt.org'
-key="$USER_DATA/ssl/user.key"
-exponent="$EXPONENT"
-modulus="$MODULUS"
-thumb="$THUMB"
-
-# Defining JWK header
-header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
-header='{"alg":"RS256","jwk":'"$header"'}'
-
-# Requesting nonce
-nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
-protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
-
-# Defining ACME query (request challenge)
-csr=$(openssl req -in $csr -outform DER |encode_base64)
-query='{"resource":"new-cert","csr":"'$csr'"}'
-payload=$(echo -n "$query" |encode_base64)
-signature=$(printf "%s" "$protected.$payload" |\
-    openssl dgst -sha256 -binary -sign "$key" |encode_base64)
-data='{"header":'"$header"',"protected":"'"$protected"'",'
-data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
-
-# Sending request to LetsEncrypt API
-answer=$(mktemp)
-curl -s -d "$data" "$api/acme/new-cert" -o $answer
-if [ ! -z "$(grep Error $answer)" ]; then
-    detail="$(cat $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
-    detail=$(echo "$detail" |awk -F "::" '{print $2}')
-    rm $answer
-    check_result $E_LIMIT "$detail"
-fi
-
-# Printing certificate
-crt=$(cat "$answer" |openssl base64 -e)
-rm $answer
-if [ "$format" != 'json' ]; then
-    echo "-----BEGIN CERTIFICATE-----"
-    echo "$crt"
-    echo "-----END CERTIFICATE-----"
-else
-    echo -e "{\n\t\"$domain\": {\n\t\t\"CRT\":\""
-    echo -n '-----BEGIN CERTIFICATE-----\n'
-    echo -n "$crt" |sed ':a;N;$!ba;s/\n/\\n/g'
-    echo -n '-----END CERTIFICATE-----'
-    echo -e  "\"\n\t\t}\n\t}"
-fi
-
-
-#----------------------------------------------------------#
-#                       Vesta                              #
-#----------------------------------------------------------#
-
-# Logging
-log_event "$OK" "$ARGUMENTS"
-
-exit

+ 10 - 0
bin/v-suspend-dns-domain

@@ -41,6 +41,16 @@ is_object_unsuspended 'dns' 'DOMAIN' "$domain"
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
+# Deleting system configs
+if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
+    if [ -e '/etc/named.conf' ]; then
+        dns_conf='/etc/named.conf'
+    else
+        dns_conf='/etc/bind/named.conf'
+    fi
+
+    sed -i "/\/$user\/conf\/dns\/$domain.db\"/d" $dns_conf
+fi
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                       Vesta                              #
 #                       Vesta                              #
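Review bot: The added `sed -i "/\/$user\/conf\/dns\/$domain.db\"/d" $dns_conf` inserts `$domain` into the regex unescaped, so each `.` matches any character; use `${domain//./\\.}` in the pattern so only the exact zone file path is removed. The zone is deleted from named.conf but nothing in the hunk reloads the DNS service; if the Vesta section that follows does not restart `$DNS_SYSTEM`, the running server keeps serving the zone until the next restart. The same unescaped-dot pattern appears in the v-update-letsencrypt-ssl hunk.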

+ 15 - 1
bin/v-unsuspend-dns-domain

@@ -40,7 +40,21 @@ is_object_suspended 'dns' 'DOMAIN' "$domain"
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-
+# Creating system configs
+if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
+    if [ -e '/etc/named.conf' ]; then
+        dns_conf='/etc/named.conf'
+        dns_group='named'
+    else
+        dns_conf='/etc/bind/named.conf'
+        dns_group='bind'
+    fi
+
+    # Adding zone in named.conf
+    named="zone \"$domain_idn\" {type master; file"
+    named="$named \"$HOMEDIR/$user/conf/dns/$domain.db\";};"
+    echo "$named" >> $dns_conf
+fi
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                       Vesta                              #
 #                       Vesta                              #
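Review bot: The zone line is appended to `$dns_conf` unconditionally, so running the script while the entry is still present (for instance if the suspend side failed to remove it) leaves a duplicate `zone` statement, which named rejects on reload. Guard the append: `if [ -z "$(grep "/$user/conf/dns/$domain.db\"" $dns_conf)" ]; then echo "$named" >> $dns_conf; fi`. `dns_group` is assigned in both branches but not used within the hunk; if nothing after it uses it, drop it.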

+ 3 - 0
bin/v-unsuspend-mail-account

@@ -48,6 +48,9 @@ is_object_suspended "mail/$domain" 'ACCOUNT' "$account"
 if [[ "$MAIL_SYSTEM" =~ exim ]]; then
 if [[ "$MAIL_SYSTEM" =~ exim ]]; then
     md5=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$MD5')
     md5=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$MD5')
     quota=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$QUOTA')
     quota=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$QUOTA')
+    if [ "$quota" = 'unlimited' ]; then
+        quota=0
+    fi
     sed -i "/^$account:/d" $HOMEDIR/$user/conf/mail/$domain/passwd
     sed -i "/^$account:/d" $HOMEDIR/$user/conf/mail/$domain/passwd
     str="$account:$md5:$user:mail::$HOMEDIR/$user:$quota"
     str="$account:$md5:$user:mail::$HOMEDIR/$user:$quota"
     echo $str >> $HOMEDIR/$user/conf/mail/$domain/passwd
     echo $str >> $HOMEDIR/$user/conf/mail/$domain/passwd

+ 0 - 5
bin/v-update-firewall

@@ -51,11 +51,6 @@ if [ $? -ne 0 ]; then
     conntrack_ftp='no'
     conntrack_ftp='no'
 fi
 fi
 
 
-# Checking custom OpenSSH  port
-sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
-if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22"  ]; then
-    sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
-fi
 
 
 # Creating temporary file
 # Creating temporary file
 tmp=$(mktemp)
 tmp=$(mktemp)

+ 3 - 0
bin/v-update-host-certificate

@@ -76,6 +76,9 @@ $BIN/v-restart-mail
 if [ ! -z "$IMAP_SYSTEM" ]; then
 if [ ! -z "$IMAP_SYSTEM" ]; then
     $BIN/v-restart-service "$IMAP_SYSTEM"
     $BIN/v-restart-service "$IMAP_SYSTEM"
 fi
 fi
+if [ ! -z "$FTP_SYSTEM" ]; then
+    $BIN/v-restart-service "$FTP_SYSTEM"
+fi
 if [ -f "/var/run/vesta-nginx.pid" ]; then
 if [ -f "/var/run/vesta-nginx.pid" ]; then
     kill -HUP $(cat /var/run/vesta-nginx.pid)
     kill -HUP $(cat /var/run/vesta-nginx.pid)
 fi
 fi

+ 20 - 29
bin/v-update-letsencrypt-ssl

@@ -22,42 +22,33 @@ source $VESTA/conf/vesta.conf
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Defining user list
-users=$($BIN/v-list-users | tail -n+3 | awk '{ print $1 }')
+lecounter=0
 
 
-# Checking users
-for user in $users; do
+# Checking user certificates
+for user in $($BIN/v-list-users plain |cut -f 1); do
     USER_DATA=$VESTA/data/users/$user
     USER_DATA=$VESTA/data/users/$user
-    # Checking user certificates
-    for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
 
 
-        crt="$VESTA/data/users/$user/ssl/$domain.crt"
-        crt_data=$(openssl x509 -text -in "$crt")
-        expire=$(echo "$crt_data" |grep "Not After")
-        expire=$(echo "$expire" |cut -f 2,3,4 -d :)
-        expire=$(date -d "$expire" +%s)
+    for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
+        crt_data=$(openssl x509 -text -in $USER_DATA/ssl/$domain.crt)
+        not_after=$(echo "$crt_data" |grep "Not After" |cut -f 2,3,4 -d :)
+        expiration=$(date -d "$not_after" +%s)
         now=$(date +%s)
         now=$(date +%s)
-        expire=$((expire - now))
-        expire=$((expire / 86400))
-        domain=$(basename $crt |sed -e "s/.crt$//")
-        if [[ "$expire" -lt 31 ]]; then
+        seconds_valid=$((expiration - now))
+        days_valid=$((seconds_valid / 86400))
+        if [[ "$days_valid" -lt 31 ]]; then
+            if [ $lecounter -gt 0 ]; then
+                sleep 10
+            fi
+            ((lecounter++))
             aliases=$(echo "$crt_data" |grep DNS:)
             aliases=$(echo "$crt_data" |grep DNS:)
-            aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//")
+            aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//g")
             aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
             aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
-            aliases=$(echo "$aliases" |grep -v "^$domain$")
-            if [ ! -z "$aliases" ]; then
-                aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
-                msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
-                if [ $? -ne 0 ]; then
-                    echo "$domain $msg"
-                fi
-            else
-                msg==$($BIN/v-add-letsencrypt-domain $user $domain)
-                if [ $? -ne 0 ]; then
-                    echo "$domain $msg"
-                fi
+            aliases=$(echo "$aliases" |grep -v "^$domain,$")
+            aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
+            msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
+            if [ $? -ne 0 ]; then
+                echo "$domain $msg"
             fi
             fi
-            sleep 10
         fi
         fi
     done
     done
 done
 done
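Review bot: `grep -v "^$domain,$"` can never match, because the preceding `sed -e "s/,//g"` has already removed every comma, so the primary domain is no longer filtered out of the alias list and is passed to v-add-letsencrypt-domain as one of its own aliases; the old pattern was correct and should be restored as `aliases=$(echo "$aliases" |grep -v "^$domain$")`. `$domain` is also unescaped in that regex, so dots match any character. Whether v-add-letsencrypt-domain tolerates the domain appearing in its alias argument is not visible here, so this may fail renewals rather than merely produce a redundant SAN.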

+ 67 - 73
bin/v-update-sys-ip

@@ -1,6 +1,6 @@
 #!/bin/bash
 #!/bin/bash
 # info: update system ip
 # info: update system ip
-# options: [USER] [IP_STATUS]
+# options: [NONE]
 #
 #
 # The function scans configured ip in the system and register them with vesta
 # The function scans configured ip in the system and register them with vesta
 # internal database. This call is intended for use on vps servers, where ip is
 # internal database. This call is intended for use on vps servers, where ip is
@@ -11,12 +11,10 @@
 #                    Variable&Function                     #
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Argument definition
-user=${1-admin}
-ip_status=${2-shared}
+# Importing system variables
+source /etc/profile
 
 
 # Includes
 # Includes
-source /etc/profile.d/vesta.sh
 source $VESTA/func/main.sh
 source $VESTA/func/main.sh
 source $VESTA/func/ip.sh
 source $VESTA/func/ip.sh
 source $VESTA/conf/vesta.conf
 source $VESTA/conf/vesta.conf
@@ -26,87 +24,84 @@ source $VESTA/conf/vesta.conf
 #                    Verifications                         #
 #                    Verifications                         #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-check_args '0' "$#" '[USER] [IP_STATUS]'
-is_format_valid 'user' 'ip_status'
-is_object_valid 'user' 'USER' "$user" "$user"
-
 
 
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 #                       Action                             #
 #                       Action                             #
 #----------------------------------------------------------#
 #----------------------------------------------------------#
 
 
-# Get list of ip addresses
-ip_list=$(/sbin/ip addr|grep 'inet '|grep global|awk '{print $2}')
-ip_list=$(echo "$ip_list"|cut -f 1 -d /)
-ip_num=$(echo "$ip_list" | wc -l)
-
-# WorkAround for DHCP IP address
-vst_ip_list=$(ls $VESTA/data/ips/)
-vst_ip_num=$(echo "$vst_ip_list" | wc -l)
-
-if [ ! -z "$vst_ip_list" ] && [ "$vst_ip_num" -eq '1' ]; then
-    if [ $ip_num -eq 1 ] && [ "$ip_list" != "$vst_ip_list" ]; then
-        new=$ip_list
-        old=$vst_ip_list
-        mv $VESTA/data/ips/$old $VESTA/data/ips/$new
-        if [ ! -z "$PROXY_SYSTEM" ]; then
-            mv /etc/$PROXY_SYSTEM/conf.d/$old.conf \
-                /etc/$PROXY_SYSTEM/conf.d/$new.conf
-            sed -i "s/$old/$new/g" /etc/$PROXY_SYSTEM/conf.d/$new.conf
-        fi
-        if [ ! -z "$WEB_SYSTEM" ]; then
-            mv /etc/$WEB_SYSTEM/conf.d/$old.conf \
-                /etc/$WEB_SYSTEM/conf.d/$new.conf
-            sed -i "s/$old/$new/g" /etc/$WEB_SYSTEM/conf.d/$new.conf
-            sed -i "s/$old/$new/g" $VESTA/data/users/*/web.conf
-
-            # Rebuild web domains
-            for user in $(ls $VESTA/data/users/); do
-                $BIN/v-rebuild-web-domains $user no
-            done
-        fi
-        if [ ! -z "$FTP_SYSTEM" ];then
-            ftpd_conf_file=$(find /etc/ -maxdepth 2 -name $FTP_SYSTEM.conf)
-            sed -i "s/$old/$new/g" $ftpd_conf_file
-        fi
-
-        # Restarting web server
-        $BIN/v-restart-web
+# Listing system ip addresses
+ips=$(/sbin/ip addr |grep 'inet ' |grep global |awk '{print $2}' |cut -f1 -d/)
+v_ips=$(ls $VESTA/data/ips/)
+ip_num=$(echo "$ips" |wc -l)
+v_ip_num=$(echo "$v_ips" |wc -l)
+
+# Checking primary IP change
+if [[ "$ip_num" -eq '1' ]] && [[ "$v_ip_num" -eq 1 ]]; then
+    if [ "$ips" != "$v_ips" ]; then
+        new=$ips
+        old=$v_ips
+    fi
+fi
 
 
-        # Restarting ftp server
-        $BIN/v-restart-ftp
+# Updating configs
+if [ ! -z "$old" ]; then
+    mv $VESTA/data/ips/$old $VESTA/data/ips/$new
 
 
-        # Restarting proxy server
-        if [ ! -z "$PROXY_SYSTEM" ]; then
-            $BIN/v-restart-proxy
+    # Updating PROXY
+    if [ ! -z "$PROXY_SYSTEM" ]; then
+        cd /etc/$PROXY_SYSTEM/conf.d
+        if [ -e "$old.conf" ]; then
+            mv $old.conf $new.conf
+            sed -i "s/$old/$new/g" $new.conf
         fi
         fi
+    fi
 
 
-        # Restarting firewall
-        if [ ! -z "$FIREWALL_SYSTEM" ]; then
-            $BIN/v-update-firewall
+    # Updating WEB
+    if [ ! -z "$WEB_SYSTEM" ]; then
+        cd /etc/$WEB_SYSTEM/conf.d
+        if [ -e "$old.conf" ]; then
+            mv $old.conf $new.conf
+            sed -i "s/$old/$new/g" $new.conf
         fi
         fi
+        sed -i "s/$old/$new/g" $VESTA/data/users/*/web.conf
+        for user in $(ls $VESTA/data/users/); do
+            $BIN/v-rebuild-web-domains $user no
+        done
+        $BIN/v-restart-proxy
+        $BIN/v-restart-web
+    fi
 
 
-        if [ ! -z "$DNS_SYSTEM" ]; then
-            # Rebuild dns domains
-            for user in $(ls $VESTA/data/users/); do
-                sed -i "s/$old/$new/g" $VESTA/data/users/$user/dns.conf
-                sed -i "s/$old/$new/g" $VESTA/data/users/$user/dns/*.conf
-                $BIN/v-rebuild-dns-domains $user no
-            done
-            $BIN/v-restart-dns
-            check_result $? "dns restart failed" >/dev/null
+    # Updating DNS
+    if [ ! -z "$DNS_SYSTEM" ]; then
+        sed -i "s/$old/$new/g" $VESTA/data/users/*/dns.conf
+        sed -i "s/$old/$new/g" $VESTA/data/users/*/dns/*.conf
+        for user in $(ls $VESTA/data/users/); do
+            $BIN/v-rebuild-dns-domains $user no
+        done
+        $BIN/v-restart-dns
+    fi
+
+    # Updating FTP
+    if [ ! -z "$FTP_SYSTEM" ] && [ "$FTP_SYSTEM" = 'vsftpd' ]; then
+        conf=$(find /etc/ -maxdepth 2 -name $FTP_SYSTEM.conf)
+        if [ ! -z "$conf" ]; then
+            sed -i "s/$old/$new/g" $conf
+            $BIN/v-restart-ftp
         fi
         fi
+    fi
 
 
-        # No further comparation is needed
-        exit
+    # Updating firewall
+    if [ ! -z "$FIREWALL_SYSTEM" ]; then
+        sed -i "s/$old/$new/g" $VESTA/data/firewall/*.conf
+        $BIN/v-update-firewall
     fi
     fi
 fi
 fi
 
 
-# Compare ips
-for ip in $ip_list; do
+# Adding system IP
+for ip in $ips; do
     check_ifconfig=$(/sbin/ifconfig |grep "$ip")
     check_ifconfig=$(/sbin/ifconfig |grep "$ip")
     if [ ! -e "$VESTA/data/ips/$ip" ] && [ ! -z "$check_ifconfig" ]; then
     if [ ! -e "$VESTA/data/ips/$ip" ] && [ ! -z "$check_ifconfig" ]; then
-        interface=$(/sbin/ip addr |grep $ip |awk '{print $NF}'|uniq)
+        interface=$(/sbin/ip addr |grep $ip |awk '{print $NF}' |uniq)
         interface=$(echo "$interface" |cut -f 1 -d : |head -n 1)
         interface=$(echo "$interface" |cut -f 1 -d : |head -n 1)
         netmask=$(/sbin/ip addr |grep $ip |cut -f 2 -d / |cut -f 1 -d \ )
         netmask=$(/sbin/ip addr |grep $ip |cut -f 2 -d / |cut -f 1 -d \ )
         netmask=$(convert_cidr $netmask)
         netmask=$(convert_cidr $netmask)
@@ -114,12 +109,11 @@ for ip in $ip_list; do
     fi
     fi
 done
 done
 
 
-# Checking NAT
+# Updating NAT
 pub_ip=$(curl -s vestacp.com/what-is-my-ip/)
 pub_ip=$(curl -s vestacp.com/what-is-my-ip/)
-if [ ! -z "$pub_ip" ] && [ ! -e "$VESTA/data/ips/$pub_ip" ]; then
-    check_nat=$(grep -R "$pub_ip" $VESTA/data/ips/)
-    if [ -z "$check_nat" ]; then
-        ip=$(ls -t $VESTA/data/ips/|head -n1)
+if [ ! -e "$VESTA/data/ips/$pub_ip" ]; then
+    if [ -z "$(grep -R "$pub_ip" $VESTA/data/ips/)" ]; then
+        ip=$(ls -t $VESTA/data/ips/ |head -n1)
         $BIN/v-change-sys-ip-nat $ip $pub_ip
         $BIN/v-change-sys-ip-nat $ip $pub_ip
     fi
     fi
 fi
 fi
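Review bot: `pub_ip` in the "Updating NAT" hunk is the raw body of an unauthenticated HTTP fetch and is handed to `v-change-sys-ip-nat` without ever being checked to be an address; the old `[ ! -z "$pub_ip" ]` guard was dropped too, so an empty reply is only caught by accident (the `-e` test then happens to hit the ips directory itself) and a non-IP reply such as an error page passes `-e`, gets no `grep -R` hit and is written into the NAT config. Validate the value before the existence test, e.g. `if [[ ! "$pub_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then pub_ip=''; fi` followed by `if [ ! -z "$pub_ip" ] && [ ! -e "$VESTA/data/ips/$pub_ip" ]; then`. Separately, the PROXY and WEB blocks earlier in this section `cd` into `/etc/$PROXY_SYSTEM/conf.d` and `/etc/$WEB_SYSTEM/conf.d` without checking the result, so a missing directory leaves the relative `mv $old.conf $new.conf` and `sed -i` running in whatever the previous working directory was; `cd /etc/$WEB_SYSTEM/conf.d || exit` (or absolute paths as the old code used) makes that failure explicit.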

+ 5 - 17
bin/v-update-sys-rrd-mysql

@@ -14,6 +14,7 @@ period=${1-daily}
 
 
 # Includes
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/func/main.sh
+source $VESTA/func/db.sh
 source $VESTA/conf/vesta.conf
 source $VESTA/conf/vesta.conf
 
 
 
 
@@ -66,23 +67,10 @@ for host in $hosts; do
     fi
     fi
 
 
     if [ "$period" = 'daily' ]; then
     if [ "$period" = 'daily' ]; then
-        # Defining host credentials
-        host_str=$(grep "HOST='$host'" $conf)
-        for key in $host_str; do
-            eval ${key%%=*}=${key#*=}
-        done
-        sql="mysql -h $HOST -u $USER -p$PASSWORD -e"
-
-        # Checking empty vars
-        if [ -z $HOST ] || [ -z $USER ] || [ -z $PASSWORD ]; then
-            echo "Error: config is broken"
-            log_event "$E_PARSING" "$ARGUMENTS"
-            exit $E_PARSING
-        fi
-
-        # Parsing data
-        status=$($sql "SHOW GLOBAL STATUS" 2>/dev/null); code="$?"
-        if [ '0' -ne "$code" ]; then
+        mysql_connect $host
+        query='SHOW GLOBAL STATUS'
+        status=$(mysql_query "$query" 2>/dev/null)
+        if [ $? -ne 0 ]; then
             active=0
             active=0
             slow=0
             slow=0
         else
         else

+ 1 - 1
bin/v-update-sys-rrd-pgsql

@@ -85,7 +85,7 @@ for host in $hosts; do
         # Parsing data
         # Parsing data
         q='SELECT SUM(xact_commit + xact_rollback), SUM(numbackends)
         q='SELECT SUM(xact_commit + xact_rollback), SUM(numbackends)
                 FROM pg_stat_database;'
                 FROM pg_stat_database;'
-        status=$($sql plsql -d postgres -c "$q" 2>/dev/null); code="$?"
+        status=$($sql psql -d postgres -c "$q" 2>/dev/null); code="$?"
         if [ '0' -ne "$code" ]; then
         if [ '0' -ne "$code" ]; then
             active=0
             active=0
             slow=0
             slow=0

+ 1 - 0
bin/v-update-user-counters

@@ -53,6 +53,7 @@ for user in $user_list; do
     IP_OWNED=0
     IP_OWNED=0
     U_USERS=0
     U_USERS=0
     U_DISK=0
     U_DISK=0
+    DISK=0 
     U_DISK_DIRS=$(get_user_value '$U_DISK_DIRS')
     U_DISK_DIRS=$(get_user_value '$U_DISK_DIRS')
     if [ -z "$U_DISK_DIRS" ]; then
     if [ -z "$U_DISK_DIRS" ]; then
         U_DISK_DIRS=0
         U_DISK_DIRS=0

+ 1 - 1
bin/v-update-user-quota

@@ -33,7 +33,7 @@ is_object_valid 'user' 'USER' "$user"
 # Updating disk quota
 # Updating disk quota
 # Had quota equals package value. Soft quota equals 90% of package value for warnings.
 # Had quota equals package value. Soft quota equals 90% of package value for warnings.
 quota=$(get_user_value '$DISK_QUOTA')
 quota=$(get_user_value '$DISK_QUOTA')
-soft=$(echo "$quota * 1024 * 0.90"|bc |cut -f 1 -d .)
+soft=$(echo "$quota * 1024"|bc |cut -f 1 -d .)
 hard=$(echo "$quota * 1024"|bc |cut -f 1 -d .)
 hard=$(echo "$quota * 1024"|bc |cut -f 1 -d .)
 
 
 # Searching home mount point
 # Searching home mount point
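Review bot: The comment two lines above the change still states "Soft quota equals 90% of package value for warnings", but `soft` is now computed exactly like `hard`, so the comment is stale and the two assignments are duplicates. Either replace the comment with `# Hard and soft quota both equal the package value (no separate warning threshold).`, which also fixes the "Had" typo, or write `soft=$hard` so the intent is visible without reading both expressions.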

+ 3 - 0
bin/v-update-user-stats

@@ -67,6 +67,9 @@ TOTAL_USERS=0
 
 
 # Updating user stats
 # Updating user stats
 for user in $user_list; do
 for user in $user_list; do
+    if [ ! -f "$VESTA/data/users/$user/user.conf" ]; then
+        continue;
+    fi
     USER_DATA=$VESTA/data/users/$user
     USER_DATA=$VESTA/data/users/$user
     source $USER_DATA/user.conf
     source $USER_DATA/user.conf
     next_month=$(date +'%m/01/%y' -d '+ 1 month')
     next_month=$(date +'%m/01/%y' -d '+ 1 month')
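Review bot: `continue;` carries a trailing semicolon that has no effect in bash and does not appear anywhere else on this page; `continue` alone matches the file's style. The guard itself is sound: without it `source $USER_DATA/user.conf` on the following line would be attempted for any entry in the users directory that is not a user.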

+ 10 - 4
func/db.sh

@@ -47,19 +47,22 @@ mysql_connect() {
 }
 }
 
 
 mysql_query() {
 mysql_query() {
-    mysql --defaults-file=$mycnf -e "$1" 2>/dev/null
+    sql_tmp=$(mktemp)
+    echo "$1" > $sql_tmp
+    mysql --defaults-file=$mycnf < "$sql_tmp"  2>/dev/null
+    rm -f "$sql_tmp"
 }
 }
 
 
 mysql_dump() {
 mysql_dump() {
     err="/tmp/e.mysql"
     err="/tmp/e.mysql"
-    mysqldump --defaults-file=$mycnf --single-transaction -r $1 $2 2> $err
+    mysqldump --defaults-file=$mycnf --single-transaction --max_allowed_packet=100M -r $1 $2 2> $err
     if [ '0' -ne "$?" ]; then
     if [ '0' -ne "$?" ]; then
         rm -rf $tmpdir
         rm -rf $tmpdir
         if [ "$notify" != 'no' ]; then
         if [ "$notify" != 'no' ]; then
             echo -e "Can't dump database $database\n$(cat $err)" |\
             echo -e "Can't dump database $database\n$(cat $err)" |\
                 $SENDMAIL -s "$subj" $email
                 $SENDMAIL -s "$subj" $email
         fi
         fi
-        echo "Error: dump $database failed"
+        echo "Error: dump $database failed\n$(cat $err)"
         log_event  "$E_DB" "$ARGUMENTS"
         log_event  "$E_DB" "$ARGUMENTS"
         exit $E_DB
         exit $E_DB
     fi
     fi
@@ -89,7 +92,10 @@ psql_connect() {
 }
 }
 
 
 psql_query() {
 psql_query() {
-    psql -h $HOST -U $USER -c "$1" 2>/dev/null
+    sql_tmp=$(mktemp)
+    echo "$1" > $sql_tmp
+    psql -h $HOST -U $USER -f "$sql_tmp" 2>/dev/null
+    rm -f $sql_tmp
 }
 }
 
 
 psql_dump() {
 psql_dump() {
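Review bot: `mysql_query` now returns the exit status of `rm -f` rather than of `mysql`, because the cleanup is the last command in the function, and `psql_query` in the second hunk has the same shape. Callers that test `$?` right after the call — `bin/v-update-sys-rrd-mysql` in this commit does, with `if [ $? -ne 0 ]` after `status=$(mysql_query "$query" 2>/dev/null)` — therefore never observe a failed query and always take the success branch. Capture the status before removing the temp file and return it, as below. Unrelated to the status, `echo "Error: dump $database failed\n$(cat $err)"` in `mysql_dump` prints a literal `\n` because bash's builtin echo does not interpret escapes without `-e`; `printf 'Error: dump %s failed\n%s\n' "$database" "$(cat $err)"` prints the intended two lines.
```shell
mysql_query() {
    sql_tmp=$(mktemp)
    echo "$1" > $sql_tmp
    mysql --defaults-file=$mycnf < "$sql_tmp"  2>/dev/null
    rc=$?
    rm -f "$sql_tmp"
    return $rc
}
# … unchanged: mysql_dump, psql_connect …
psql_query() {
    sql_tmp=$(mktemp)
    echo "$1" > $sql_tmp
    psql -h $HOST -U $USER -f "$sql_tmp" 2>/dev/null
    rc=$?
    rm -f $sql_tmp
    return $rc
}
```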

+ 12 - 6
func/domain.sh

@@ -215,7 +215,11 @@ add_web_config() {
         fi
         fi
     fi
     fi
 
 
-    trigger="${2/.*pl/.sh}"
+    trigger="${2/%.tpl/.sh}"
+    if [[ "$2" =~ stpl$ ]]; then
+        trigger="${2/%.stpl/.sh}"
+    fi
+
     if [ -x "$WEBTPL/$1/$WEB_BACKEND/$trigger" ]; then
     if [ -x "$WEBTPL/$1/$WEB_BACKEND/$trigger" ]; then
         $WEBTPL/$1/$WEB_BACKEND/$trigger \
         $WEBTPL/$1/$WEB_BACKEND/$trigger \
             $user $domain $local_ip $HOMEDIR \
             $user $domain $local_ip $HOMEDIR \
@@ -269,7 +273,7 @@ replace_web_config() {
     fi
     fi
 }
 }
 
 
-# Delete web configuartion
+# Delete web configuration
 del_web_config() {
 del_web_config() {
     conf="$HOMEDIR/$user/conf/web/$domain.$1.conf"
     conf="$HOMEDIR/$user/conf/web/$domain.$1.conf"
     if [[ "$2" =~ stpl$ ]]; then
     if [[ "$2" =~ stpl$ ]]; then
@@ -285,13 +289,15 @@ del_web_config() {
         if [[ "$2" =~ stpl$ ]]; then
         if [[ "$2" =~ stpl$ ]]; then
             conf="$HOMEDIR/$user/conf/web/s$1.conf"
             conf="$HOMEDIR/$user/conf/web/s$1.conf"
         fi
         fi
-        get_web_config_lines $WEBTPL/$1/$WEB_BACKEND/$2 $conf
-        sed -i "$top_line,$bottom_line d" $conf
+        if [ -e "$conf" ]; then
+            get_web_config_lines $WEBTPL/$1/$WEB_BACKEND/$2 $conf
+            sed -i "$top_line,$bottom_line d" $conf
+        fi
     fi
     fi
     # clean-up for both config styles if there is no more domains
     # clean-up for both config styles if there is no more domains
     web_domain=$(grep DOMAIN $USER_DATA/web.conf |wc -l)
     web_domain=$(grep DOMAIN $USER_DATA/web.conf |wc -l)
     if [ "$web_domain" -eq '0' ]; then
     if [ "$web_domain" -eq '0' ]; then
-        sed -i "/.*\/$user\/.*/d" /etc/$1/conf.d/vesta.conf
+        sed -i "/.*\/$user\/conf\/web\//d" /etc/$1/conf.d/vesta.conf
         if [ -f "$conf" ]; then
         if [ -f "$conf" ]; then
             rm -f $conf
             rm -f $conf
         fi
         fi
@@ -337,7 +343,7 @@ is_web_domain_cert_valid() {
         check_result $E_FORBIDEN "SSL Key is protected (remove pass_phrase)"
         check_result $E_FORBIDEN "SSL Key is protected (remove pass_phrase)"
     fi
     fi
 
 
-    openssl s_server -quiet -cert $ssl_dir/$domain.crt \
+    openssl s_server -port 654321 -quiet -cert $ssl_dir/$domain.crt \
         -key $ssl_dir/$domain.key >> /dev/null 2>&1 &
         -key $ssl_dir/$domain.key >> /dev/null 2>&1 &
     pid=$!
     pid=$!
     sleep 0.5
     sleep 0.5
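Review bot: `-port 654321` in `is_web_domain_cert_valid` is not a valid TCP port (the maximum is 65535), so `openssl s_server` either refuses to bind or, depending on the OpenSSL version, binds a truncated value that nothing else in the function knows about; whatever the rest of the function does with `$pid` — it continues outside the hunk — is then testing a server that never started on the expected port. Use an in-range unprivileged port, e.g. `openssl s_server -port 54321 -quiet -cert $ssl_dir/$domain.crt \` (constructed example), and have the client side of the check use the same value; moving off the default 4433 is presumably what the change intended.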

+ 2 - 2
func/ip.sh

@@ -26,7 +26,7 @@ get_ip_iface() {
 }
 }
 
 
 
 
-# Check ip address speciefic value
+# Check ip address specific value
 is_ip_key_empty() {
 is_ip_key_empty() {
     key="$1"
     key="$1"
     string=$(cat $VESTA/data/ips/$ip)
     string=$(cat $VESTA/data/ips/$ip)
@@ -141,7 +141,7 @@ get_real_ip() {
     else
     else
         nat=$(grep -H "^NAT='$1'" $VESTA/data/ips/*)
         nat=$(grep -H "^NAT='$1'" $VESTA/data/ips/*)
         if [ ! -z "$nat" ]; then
         if [ ! -z "$nat" ]; then
-            echo "$nat" |cut -f 1 -d : |cut -f 7 -d /
+            echo "$nat" |cut -f 1 -d : |cut -f 7 -d / |head -n 1
         fi
         fi
     fi
     fi
 }
 }

+ 23 - 5
func/main.sh

@@ -287,6 +287,13 @@ is_hash_valid() {
     fi
     fi
 }
 }
 
 
+# Check if directory is a symlink
+is_dir_symlink() {
+    if [[ -L "$1" ]]; then
+        check_result $E_FORBIDEN "$1 directory is a symlink"
+    fi
+}
+
 # Get object value
 # Get object value
 get_object_value() {
 get_object_value() {
     object=$(grep "$2='$3'" $USER_DATA/$1.conf)
     object=$(grep "$2='$3'" $USER_DATA/$1.conf)
@@ -525,7 +532,7 @@ is_user_format_valid() {
 is_domain_format_valid() {
 is_domain_format_valid() {
     object_name=${2-domain}
     object_name=${2-domain}
     exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|_|/|\|\"|'|;|%|\`| ]"
     exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|_|/|\|\"|'|;|%|\`| ]"
-    if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ "\.\." ]]; then
+    if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ "\.\." ]] || [[ $1 =~ "$(printf '\t')" ]]; then
         check_result $E_INVALID "invalid $object_name format :: $1"
         check_result $E_INVALID "invalid $object_name format :: $1"
     fi
     fi
 }
 }
@@ -652,7 +659,7 @@ is_dbuser_format_valid() {
 
 
 # DNS record type validator
 # DNS record type validator
 is_dns_type_format_valid() {
 is_dns_type_format_valid() {
-    known_dnstype='A,AAAA,NS,CNAME,MX,TXT,SRV,DNSKEY,KEY,IPSECKEY,PTR,SPF,TLSA'
+    known_dnstype='A,AAAA,NS,CNAME,MX,TXT,SRV,DNSKEY,KEY,IPSECKEY,PTR,SPF,TLSA,CAA'
     if [ -z "$(echo $known_dnstype |grep -w $1)" ]; then
     if [ -z "$(echo $known_dnstype |grep -w $1)" ]; then
         check_result $E_INVALID "invalid dns record type format :: $1"
         check_result $E_INVALID "invalid dns record type format :: $1"
     fi
     fi
@@ -798,7 +805,16 @@ is_password_format_valid() {
         check_result $E_INVALID "invalid password format :: $1"
         check_result $E_INVALID "invalid password format :: $1"
     fi
     fi
 }
 }
-
+# Missing function - 
+# Before: validate_format_shell 
+# After: is_format_valid_shell
+is_format_valid_shell() {	
+    if [ -z "$(grep -w $1 /etc/shells)" ]; then	
+        echo "Error: shell $1 is not valid"	
+        log_event "$E_INVALID" "$EVENT"	
+        exit $E_INVALID	
+    fi	
+}
 # Format validation controller
 # Format validation controller
 is_format_valid() {
 is_format_valid() {
     for arg_name in $*; do
     for arg_name in $*; do
@@ -865,7 +881,9 @@ is_format_valid() {
                 restart)        is_boolean_format_valid "$arg" 'restart' ;;
                 restart)        is_boolean_format_valid "$arg" 'restart' ;;
                 rtype)          is_dns_type_format_valid "$arg" ;;
                 rtype)          is_dns_type_format_valid "$arg" ;;
                 rule)           is_int_format_valid "$arg" "rule id" ;;
                 rule)           is_int_format_valid "$arg" "rule id" ;;
-                soa)            is_domain_format_valid "$arg" 'SOA' ;;
+                soa)            is_domain_format_valid "$arg" 'SOA' ;;	
+                #missing command: is_format_valid_shell
+                shell)          is_format_valid_shell "$arg" ;;
                 stats_pass)     is_password_format_valid "$arg" ;;
                 stats_pass)     is_password_format_valid "$arg" ;;
                 stats_user)     is_user_format_valid "$arg" "$arg_name" ;;
                 stats_user)     is_user_format_valid "$arg" "$arg_name" ;;
                 template)       is_object_format_valid "$arg" "$arg_name" ;;
                 template)       is_object_format_valid "$arg" "$arg_name" ;;
@@ -915,7 +933,7 @@ format_aliases() {
         aliases=$(echo "$aliases" |tr -s '.')
         aliases=$(echo "$aliases" |tr -s '.')
         aliases=$(echo "$aliases" |sed -e "s/[.]*$//g")
         aliases=$(echo "$aliases" |sed -e "s/[.]*$//g")
         aliases=$(echo "$aliases" |sed -e "s/^[.]*//")
         aliases=$(echo "$aliases" |sed -e "s/^[.]*//")
-        aliases=$(echo "$aliases" |grep -v www.$domain |sed -e "/^$/d")
+        aliases=$(echo "$aliases" |sed -e "/^$/d")
         aliases=$(echo "$aliases" |tr '\n' ',' |sed -e "s/,$//")
         aliases=$(echo "$aliases" |tr '\n' ',' |sed -e "s/,$//")
     fi
     fi
 }
 }
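Review bot: `is_format_valid_shell` tests `$1` against /etc/shells with `grep -w $1`, which treats the unquoted argument as a regular expression and accepts any value that occurs as a word inside a listed path — `bash` or `sh` match `/bin/bash` and `/bin/sh` without being an entry themselves; `if [ -z "$(grep -xF -- "$1" /etc/shells)" ]; then` restricts it to whole-line literal matches and also tolerates an argument starting with `-`. The function logs `"$EVENT"` where the other `log_event` calls on this page pass `"$ARGUMENTS"` (e.g. `mysql_dump` in func/db.sh), so the two are probably meant to agree, and the new lines, the `soa)` case line and the `#missing command` comment inside `is_format_valid` carry trailing tabs that should be stripped. The "Missing function" header comment would read better as a single line, `# Shell validator (renamed from validate_format_shell)`, placed with a blank line before it like the other validators.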

+ 8 - 2
func/rebuild.sh

@@ -71,6 +71,9 @@ rebuild_user_conf() {
         echo "$BIN/v-update-web-domains-disk $user" \
         echo "$BIN/v-update-web-domains-disk $user" \
             >> $VESTA/data/queue/disk.pipe
             >> $VESTA/data/queue/disk.pipe
 
 
+        if [[ -L "$HOMEDIR/$user/web" ]]; then
+            rm $HOMEDIR/$user/web
+        fi
         mkdir -p $HOMEDIR/$user/conf/web
         mkdir -p $HOMEDIR/$user/conf/web
         mkdir -p $HOMEDIR/$user/web
         mkdir -p $HOMEDIR/$user/web
         mkdir -p $HOMEDIR/$user/tmp
         mkdir -p $HOMEDIR/$user/tmp
@@ -105,6 +108,9 @@ rebuild_user_conf() {
         echo "$BIN/v-update-mail-domains-disk $user" \
         echo "$BIN/v-update-mail-domains-disk $user" \
             >> $VESTA/data/queue/disk.pipe
             >> $VESTA/data/queue/disk.pipe
 
 
+        if [[ -L "$HOMEDIR/$user/mail" ]]; then
+            rm $HOMEDIR/$user/mail
+        fi
         mkdir -p $HOMEDIR/$user/conf/mail
         mkdir -p $HOMEDIR/$user/conf/mail
         mkdir -p $HOMEDIR/$user/mail
         mkdir -p $HOMEDIR/$user/mail
         chmod 751 $HOMEDIR/$user/mail
         chmod 751 $HOMEDIR/$user/mail
@@ -594,7 +600,7 @@ rebuild_pgsql_database() {
         exit $E_CONNECT
         exit $E_CONNECT
     fi
     fi
 
 
-    query="CREATE ROLE $DBUSER"
+    query="CREATE ROLE $DBUSER WITH LOGIN"
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
 
 
     query="UPDATE pg_authid SET rolpassword='$MD5' WHERE rolname='$DBUSER'"
     query="UPDATE pg_authid SET rolpassword='$MD5' WHERE rolname='$DBUSER'"
@@ -611,7 +617,7 @@ rebuild_pgsql_database() {
     query="GRANT ALL PRIVILEGES ON DATABASE $DB TO $DBUSER"
     query="GRANT ALL PRIVILEGES ON DATABASE $DB TO $DBUSER"
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
 
 
-    query="GRANT CONNECT ON DATABASE template1 to $dbuser"
+    query="GRANT CONNECT ON DATABASE template1 to $DBUSER"
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
     psql -h $HOST -U $USER -c "$query" > /dev/null 2>&1
 }
 }
 
 

+ 1 - 0
install/debian/7/nginx/nginx.conf

@@ -50,6 +50,7 @@ http {
 
 
     # Compression
     # Compression
     gzip                on;
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_min_length     512;
     gzip_buffers        8 64k;
     gzip_buffers        8 64k;

+ 1 - 1
install/debian/7/sudo/admin

@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:admin !requiretty
 Defaults:root !requiretty
 Defaults:root !requiretty
 
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

+ 1 - 1
install/debian/7/templates/web/apache2/basedir.stpl

@@ -15,7 +15,7 @@
         AllowOverride All
         AllowOverride All
         SSLRequireSSL
         SSLRequireSSL
         Options +Includes -Indexes +ExecCGI
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"

+ 1 - 1
install/debian/7/templates/web/apache2/hosting.stpl

@@ -22,7 +22,7 @@
         php_admin_flag mysql.allow_persistent  off
         php_admin_flag mysql.allow_persistent  off
         php_admin_flag safe_mode off
         php_admin_flag safe_mode off
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
     </Directory>
     </Directory>

+ 1 - 1
install/debian/7/templates/web/apache2/phpcgi.stpl

@@ -15,7 +15,7 @@
         SSLRequireSSL
         SSLRequireSSL
         AllowOverride All
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         Action phpcgi-script /cgi-bin/php
         Action phpcgi-script /cgi-bin/php

+ 1 - 1
install/debian/7/templates/web/apache2/phpfcgid.stpl

@@ -15,7 +15,7 @@
         SSLRequireSSL
         SSLRequireSSL
         AllowOverride All
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         <Files *.php>
         <Files *.php>

+ 1 - 2
install/debian/7/templates/web/nginx/caching.stpl

@@ -1,7 +1,6 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;

+ 1 - 2
install/debian/7/templates/web/nginx/default.stpl

@@ -1,7 +1,6 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;

+ 2 - 3
install/debian/7/templates/web/nginx/hosting.stpl

@@ -1,7 +1,6 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
@@ -31,7 +30,7 @@ server {
     location ~ /\.hg/   {return 404;}
     location ~ /\.hg/   {return 404;}
     location ~ /\.bzr/  {return 404;}
     location ~ /\.bzr/  {return 404;}
 
 
-    disable_symlinks if_not_owner from=%docroot%;
+    disable_symlinks if_not_owner from=%sdocroot%;
 
 
     include %home%/%user%/conf/web/snginx.%domain%.conf*;
     include %home%/%user%/conf/web/snginx.%domain%.conf*;
 }
 }

+ 4 - 5
install/debian/7/templates/web/nginx/http2.stpl

@@ -1,17 +1,16 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port% http2;
+    listen      %ip%:%proxy_ssl_port% ssl http2;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
-    error_log  /var/log/httpd/domains/%domain%.error.log error;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
 
 
     location / {
     location / {
         proxy_pass      https://%ip%:%web_ssl_port%;
         proxy_pass      https://%ip%:%web_ssl_port%;
         location ~* ^.+\.(%proxy_extentions%)$ {
         location ~* ^.+\.(%proxy_extentions%)$ {
             root           %sdocroot%;
             root           %sdocroot%;
-            access_log     /var/log/httpd/domains/%domain%.log combined;
-            access_log     /var/log/httpd/domains/%domain%.bytes bytes;
+            access_log     /var/log/%web_system%/domains/%domain%.log combined;
+            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
             expires        max;
             expires        max;
             try_files      $uri @fallback;
             try_files      $uri @fallback;
         }
         }

+ 3 - 3
install/debian/7/templates/web/nginx/http2.tpl

@@ -1,14 +1,14 @@
 server {
 server {
     listen      %ip%:%proxy_port%;
     listen      %ip%:%proxy_port%;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    error_log  /var/log/httpd/domains/%domain%.error.log error;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
 
 
     location / {
     location / {
         proxy_pass      http://%ip%:%web_port%;
         proxy_pass      http://%ip%:%web_port%;
         location ~* ^.+\.(%proxy_extentions%)$ {
         location ~* ^.+\.(%proxy_extentions%)$ {
             root           %docroot%;
             root           %docroot%;
-            access_log     /var/log/httpd/domains/%domain%.log combined;
-            access_log     /var/log/httpd/domains/%domain%.bytes bytes;
+            access_log     /var/log/%web_system%/domains/%domain%.log combined;
+            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
             expires        max;
             expires        max;
             try_files      $uri @fallback;
             try_files      $uri @fallback;
         }
         }

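--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl
@@ -10,69 +10,53 @@ server {
     ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
+   
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
+    }   
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
-
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ ^/sites/.*/private/ {
             return 403;
         }
 
-    location / {
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
         try_files $uri @rewrite;
 
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
+        location ~ ^/sites/.*/files/imagecache/ {
+            try_files $uri @rewrite;
+        }    
 
-    location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
-        rewrite ^/(.*)$ /index.php?q=$1;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;             
+            include /etc/nginx/fastcgi_params;
+        }        
     }
 
     error_page  403 /error/404.html;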
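Review bot: The rebuilt `location /` drops the catch-all `location ~ (^|/)\. { return 403; }` that the old side had, so dotfiles and VCS control directories under the docroot (`.git/`, `.svn/`, and similar) become ordinary static content unless a rule further down the template, outside this hunk, still covers them. Re-adding `location ~ (^|/)\. { return 403; }` inside `location /`, ahead of the static-file and PHP locations, restores that protection; nginx takes the first matching regex location at a level, so the order matters. The `allow 192.168.0.0/16; deny all;` rule for `*.txt` and `*.log` is also gone, which makes any `*.log` written under the docroot world-readable, and the PHP location no longer answers missing scripts itself (the removed `if (!-f ...)` check) but forwards them to PHP-FPM; if both are intentional they deserve a line in the commit message. The same removals appear in the drupal6.tpl, drupal7.stpl, drupal7.tpl, drupal8.stpl and drupal8.tpl sections below. The enclosing `server {` block starts and ends outside the hunk.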

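--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl
@@ -7,69 +7,52 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+    
+        try_files $uri @rewrite; 
 
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^/sites/.*/files/imagecache/ {
+            try_files $uri @rewrite;
         }
-    }
-
-    location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
-        rewrite ^/(.*)$ /index.php?q=$1;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+            
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;             
+            include /etc/nginx/fastcgi_params;
+        }        
     }
 
     error_page  403 /error/404.html;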
     error_page  403 /error/404.html;

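--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl
@@ -11,68 +11,56 @@ server {
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
-
-    location ~ \..*/.*\.php$ {
-        return 403;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ \..*/.*\.php$ {
             return 403;
         }
 
-    location / {
-        try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^/sites/.*/private/ {
+            return 403;
         }
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+    
+        try_files $uri /index.php?$query_string;  
 
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
         }
-    }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
+        }
 
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
+        
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
     }
 
     error_page  403 /error/404.html;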
     error_page  403 /error/404.html;

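--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl
@@ -7,69 +7,56 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }  
 
-    location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
         }
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
         }
-    }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
 
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }                
     }
 
     error_page  403 /error/404.html;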
     error_page  403 /error/404.html;

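--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl
@@ -11,70 +11,62 @@ server {
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ ^/sites/.*/private/ {
             return 403;
         }
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
+        location ~ /vendor/.*\.php$ {
+            deny all;
+            return 404;
+        }          
+        
+        try_files $uri /index.php?$query_string;
+        
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
+        }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
         }
 
-        location ~ [^/]\.php(/|$)|^/update.php {
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
+        
+        location ~ '\.php$|^/update.php' {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
-
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
-    }
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
+    }    
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;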
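Review bot: The new `location @rewrite` sends fallbacks to `/index.php?q=$1`, replacing the old `rewrite ^ /index.php;`; as far as I recall Drupal 8 no longer honours the legacy `q` argument, so the `styles/` and static-asset fallbacks that end in `@rewrite` would reach the front page rather than the requested path — please verify against the Drupal 8 routing code before relying on it. If that is confirmed, `rewrite ^ /index.php;` (or a direct `/index.php?$query_string` fallback, as the other `try_files` lines in this hunk already use) is the form to keep in both Drupal 8 templates. The same block appears in the drupal8.tpl section below. The enclosing `server {` block starts and ends outside the hunk.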
     error_page  404 /error/404.html;

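--- a/install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl
@@ -7,71 +7,62 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
+    }  
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
+        location ~ /vendor/.*\.php$ {
+            deny all;
+            return 404;
+        }          
+        
+        try_files $uri /index.php?$query_string;
+        
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
+        }
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
+        }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
 
-        location ~ [^/]\.php(/|$)|^/update.php {
+        location ~ '\.php$|^/update.php' {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
-
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
-    }
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
+    }        
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;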
     error_page  404 /error/404.html;

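--- a/install/debian/7/templates/web/nginx/php5-fpm/sendy.stpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/sendy.stpl
@@ -3,7 +3,7 @@ server {
     server_name %domain_idn% %alias_idn%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
-    root        %docroot%;
+    root        %sdocroot%;
     index       index.php index.html index.htm;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;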
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;

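--- a/install/debian/7/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
+++ b/install/debian/7/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl
@@ -1,7 +1,7 @@
 server {
     listen      %ip%:%web_ssl_port%;
     server_name %domain_idn% %alias_idn%;
-    root        %docroot%;
+    root        %sdocroot%;
     index       index.php index.html index.htm;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;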
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;

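--- /dev/null
+++ b/install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl
@@ -0,0 +1,89 @@
+server {
+    listen      %ip%:%web_ssl_port%;
+    server_name %domain_idn% %alias_idn%;
+    root        %sdocroot%;
+    index       index.php index.html index.htm;
+    access_log  /var/log/nginx/domains/%domain%.log combined;
+    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
+    error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+    ssl         on;
+    ssl_certificate      %ssl_pem%;
+    ssl_certificate_key  %ssl_key%;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    set $cache_uri $request_uri;
+
+    if ($request_method = POST) {
+        set $cache_uri 'null cache';
+    }
+
+    if ($query_string != "") {
+        set $cache_uri 'null cache';
+    }   
+
+    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
+                          |wp-.*.php|/feed/|index.php|wp-comments-popup.php
+                          |wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
+                          |[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+        set $cache_uri 'null cache';
+    }  
+
+    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
+                         |wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
+        set $cache_uri 'null cache';
+    }
+    
+    location / {
+        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index-https.html $uri $uri/ /index.php?$args;
+
+        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+            expires     max;
+        }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            if (!-f $document_root$fastcgi_script_name) {
+                return  404;
+            }
+
+            fastcgi_pass    %backend_lsnr%;
+            fastcgi_index   index.php;
+            include         /etc/nginx/fastcgi_params;
+        }
+    }
+
+    error_page  403 /error/404.html;
+    error_page  404 /error/404.html;
+    error_page  500 502 503 504 /error/50x.html;
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location ~* "/\.(htaccess|htpasswd)$" {
+        deny    all;
+        return  404;
+    }
+
+    location /vstats/ {
+        alias   %home%/%user%/web/%domain%/stats/;
+        include %home%/%user%/conf/web/%domain%.auth*;
+    }
+
+    include     /etc/nginx/conf.d/phpmyadmin.inc*;
+    include     /etc/nginx/conf.d/phppgadmin.inc*;
+    include     /etc/nginx/conf.d/webmail.inc*;
+
+    include     %home%/%user%/conf/web/snginx.%domain%.conf*;
+}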
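Review bot: The `try_files` in `location /` builds the cache path from `$http_host`, the raw Host header as sent by the client, whereas `$host` is the value nginx has already normalized (lowercased, port stripped) and matched against `server_name`; `try_files /wp-content/cache/supercache/$host/$cache_uri/index-https.html $uri $uri/ /index.php?$args;` keeps the lookup inside the per-site cache directory the plugin actually writes and avoids misses on case or port variants. The `if ($request_uri ~* "...")` and `if ($http_cookie ~* "...")` patterns are quoted strings that span several physical lines, so the line breaks and the indentation become literal characters in the regex and the alternatives that end at a line break (`/wp-(app|cron|login|register|mail).php`, `wp-comments-popup.php`, `sitemap(_index)?.xml`, `wordpress_[a-f0-9]+`) can never match; most are covered by a neighbouring alternative, but `/sitemap.xml` and `/sitemap_index.xml` are not excluded from the cache by any other one. Joining each pattern onto a single physical line, or building it with a `map`, restores the intended exclusions. Both points apply equally to the wordpress2_wp_super_cache.tpl section below.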

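--- /dev/null
+++ b/install/debian/7/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl
@@ -0,0 +1,85 @@
+server {
+    listen      %ip%:%web_port%;
+    server_name %domain_idn% %alias_idn%;
+    root        %docroot%;
+    index       index.php index.html index.htm;
+    access_log  /var/log/nginx/domains/%domain%.log combined;
+    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
+    error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+    
+    set $cache_uri $request_uri;
+
+    if ($request_method = POST) {
+        set $cache_uri 'null cache';
+    }
+
+    if ($query_string != "") {
+        set $cache_uri 'null cache';
+    }   
+
+    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
+                          |wp-.*.php|/feed/|index.php|wp-comments-popup.php
+                          |wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
+                          |[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+        set $cache_uri 'null cache';
+    }  
+
+    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
+                         |wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
+        set $cache_uri 'null cache';
+    }
+
+    location / {
+        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
+
+        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+            expires     max;
+        }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            if (!-f $document_root$fastcgi_script_name) {
+                return  404;
+            }
+
+            fastcgi_pass    %backend_lsnr%;
+            fastcgi_index   index.php;
+            include         /etc/nginx/fastcgi_params;
+        }
+    }
+
+    error_page  403 /error/404.html;
+    error_page  404 /error/404.html;
+    error_page  500 502 503 504 /error/50x.html;
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location ~* "/\.(htaccess|htpasswd)$" {
+        deny    all;
+        return  404;
+    }
+
+    location /vstats/ {
+        alias   %home%/%user%/web/%domain%/stats/;
+        include %home%/%user%/conf/web/%domain%.auth*;
+    }
+
+    include     /etc/nginx/conf.d/phpmyadmin.inc*;
+    include     /etc/nginx/conf.d/phppgadmin.inc*;
+    include     /etc/nginx/conf.d/webmail.inc*;
+
+    include     %home%/%user%/conf/web/nginx.%domain%.conf*;
+}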

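--- a/install/debian/8/nginx/nginx.conf
+++ b/install/debian/8/nginx/nginx.conf
@@ -51,6 +51,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;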
     gzip_buffers        8 64k;

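--- a/install/debian/8/sudo/admin
+++ b/install/debian/8/sudo/admin
@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*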
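Review bot: The rule that remains, `admin ALL=NOPASSWD:/usr/local/vesta/bin/*`, still runs every executable in that directory as root with any arguments and no password, so the new comment should record the property the rule now depends on, e.g. `# sudo is limited to vesta scripts; /usr/local/vesta/bin must stay root-owned and not writable by admin`. Dropping the unrestricted `admin ALL=(ALL) ALL` line is a clear tightening and worth a sentence in the commit message, since any admin workflow that relied on it will now fail. The `Defaults:admin !syslog` shown in the hunk header means these invocations leave no syslog trail; presumably intentional, but worth confirming now that this file is the only sudo path left for admin.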
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*

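--- a/install/debian/8/templates/web/apache2/basedir.stpl
+++ b/install/debian/8/templates/web/apache2/basedir.stpl
@@ -15,7 +15,7 @@
         AllowOverride All
         SSLRequireSSL
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"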
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"

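--- a/install/debian/8/templates/web/apache2/hosting.stpl
+++ b/install/debian/8/templates/web/apache2/hosting.stpl
@@ -22,7 +22,7 @@
         php_admin_flag mysql.allow_persistent  off
         php_admin_flag safe_mode off
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
     </Directory>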
     </Directory>

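--- a/install/debian/8/templates/web/apache2/phpcgi.stpl
+++ b/install/debian/8/templates/web/apache2/phpcgi.stpl
@@ -15,7 +15,7 @@
         SSLRequireSSL
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         Action phpcgi-script /cgi-bin/php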
         Action phpcgi-script /cgi-bin/php

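--- a/install/debian/8/templates/web/apache2/phpfcgid.stpl
+++ b/install/debian/8/templates/web/apache2/phpfcgid.stpl
@@ -15,7 +15,7 @@
         SSLRequireSSL
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         <Files *.php>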
         <Files *.php>

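--- a/install/debian/8/templates/web/nginx/caching.stpl
+++ b/install/debian/8/templates/web/nginx/caching.stpl
@@ -1,7 +1,6 @@
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;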
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;

+ 1 - 2
install/debian/8/templates/web/nginx/default.stpl

@@ -1,7 +1,6 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;

+ 2 - 3
install/debian/8/templates/web/nginx/hosting.stpl

@@ -1,7 +1,6 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;
@@ -31,7 +30,7 @@ server {
     location ~ /\.hg/   {return 404;}
     location ~ /\.hg/   {return 404;}
     location ~ /\.bzr/  {return 404;}
     location ~ /\.bzr/  {return 404;}
 
 
-    disable_symlinks if_not_owner from=%docroot%;
+    disable_symlinks if_not_owner from=%sdocroot%;
 
 
     include %home%/%user%/conf/web/snginx.%domain%.conf*;
     include %home%/%user%/conf/web/snginx.%domain%.conf*;
 }
 }

+ 4 - 5
install/debian/8/templates/web/nginx/http2.stpl

@@ -1,17 +1,16 @@
 server {
 server {
-    listen      %ip%:%proxy_ssl_port% http2;
+    listen      %ip%:%proxy_ssl_port% ssl http2;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
-    error_log  /var/log/httpd/domains/%domain%.error.log error;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
 
 
     location / {
     location / {
         proxy_pass      https://%ip%:%web_ssl_port%;
         proxy_pass      https://%ip%:%web_ssl_port%;
         location ~* ^.+\.(%proxy_extentions%)$ {
         location ~* ^.+\.(%proxy_extentions%)$ {
             root           %sdocroot%;
             root           %sdocroot%;
-            access_log     /var/log/httpd/domains/%domain%.log combined;
-            access_log     /var/log/httpd/domains/%domain%.bytes bytes;
+            access_log     /var/log/%web_system%/domains/%domain%.log combined;
+            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
             expires        max;
             expires        max;
             try_files      $uri @fallback;
             try_files      $uri @fallback;
         }
         }

+ 3 - 3
install/debian/8/templates/web/nginx/http2.tpl

@@ -1,14 +1,14 @@
 server {
 server {
     listen      %ip%:%proxy_port%;
     listen      %ip%:%proxy_port%;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    error_log  /var/log/httpd/domains/%domain%.error.log error;
+    error_log  /var/log/%web_system%/domains/%domain%.error.log error;
 
 
     location / {
     location / {
         proxy_pass      http://%ip%:%web_port%;
         proxy_pass      http://%ip%:%web_port%;
         location ~* ^.+\.(%proxy_extentions%)$ {
         location ~* ^.+\.(%proxy_extentions%)$ {
             root           %docroot%;
             root           %docroot%;
-            access_log     /var/log/httpd/domains/%domain%.log combined;
-            access_log     /var/log/httpd/domains/%domain%.bytes bytes;
+            access_log     /var/log/%web_system%/domains/%domain%.log combined;
+            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
             expires        max;
             expires        max;
             try_files      $uri @fallback;
             try_files      $uri @fallback;
         }
         }

+ 35 - 51
install/debian/8/templates/web/nginx/php5-fpm/drupal6.stpl

@@ -10,69 +10,53 @@ server {
     ssl         on;
     ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
+   
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
+    }   
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
-
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ ^/sites/.*/private/ {
             return 403;
             return 403;
         }
         }
 
 
-    location / {
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
         try_files $uri @rewrite;
         try_files $uri @rewrite;
 
 
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
         }
 
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
+        location ~ ^/sites/.*/files/imagecache/ {
+            try_files $uri @rewrite;
+        }    
 
 
-    location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
-        rewrite ^/(.*)$ /index.php?q=$1;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;             
+            include /etc/nginx/fastcgi_params;
+        }        
     }
     }
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
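Review bot: The rebuilt `location /` drops the old `location ~ (^|/)\. { return 403; }` with nothing in its place, so dot-files and dot-directories under the docroot (`.git/`, `.svn/`, `.env`, editor backups) become fetchable over HTTPS; the surviving `location ~ \..*/.*\.php$` only refuses PHP inside such directories, not the files themselves. Unless the part of the file outside this hunk re-adds it, put the rule back as the first nested location, and if it was removed to let ACME reach `/.well-known/`, exclude that prefix rather than the whole rule: `location ~ /\.(?!well-known/) { return 403; }`. The `location ~* \.(txt|log)$` deny was removed as well, which exposes `CHANGELOG.txt` and similar version-revealing files — lower risk, but it should be a deliberate choice. The server block starts and ends outside the hunk.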

+ 34 - 51
install/debian/8/templates/web/nginx/php5-fpm/drupal6.tpl

@@ -7,69 +7,52 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
     }
 
 
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
         }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
 
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+    
+        try_files $uri @rewrite; 
 
 
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
         location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
         }
 
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^/sites/.*/files/imagecache/ {
+            try_files $uri @rewrite;
         }
         }
-    }
-
-    location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
-        rewrite ^/(.*)$ /index.php?q=$1;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+            
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;             
+            include /etc/nginx/fastcgi_params;
+        }        
     }
     }
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
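Review bot: Hidden files are no longer blocked on the plain-HTTP vhost: the `location ~ (^|/)\. { return 403; }` guard is removed and the new nested locations only cover `\..*/.*\.php$`, `/sites/*/private/` and `/sites/*/files/*.php`, so `.git/config`, `.svn/`, `.env` and editor backups under the docroot are served as static files. If the intent was to let the Let's Encrypt http-01 challenge through on port 80, keep the guard and carve out the challenge path instead: `location ~ /\.(?!well-known/) { return 403; }`, placed first inside `location /` so it wins over the static and PHP regexes. The `(txt|log)` deny-by-default is gone too, so `CHANGELOG.txt` now reveals the Drupal version to anyone. The enclosing `server {}` continues outside the hunk, so this assumes the rest of the file does not re-add the rule.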

+ 38 - 50
install/debian/8/templates/web/nginx/php5-fpm/drupal7.stpl

@@ -11,68 +11,56 @@ server {
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
-
-    location ~ \..*/.*\.php$ {
-        return 403;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
     }
+    
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ \..*/.*\.php$ {
             return 403;
             return 403;
         }
         }
 
 
-    location / {
-        try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^/sites/.*/private/ {
+            return 403;
         }
         }
 
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+    
+        try_files $uri /index.php?$query_string;  
 
 
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
         }
         }
-    }
 
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
+        }
 
 
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
+        
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
     }
     }
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
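Review bot: The dot-file deny (`location ~ (^|/)\. { return 403; }`) is removed from this template without a replacement, so version-control metadata and other hidden files under the docroot become readable over HTTPS; `location ~ \..*/.*\.php$` on its own only stops PHP under a hidden directory. Restore it as the first regex location inside `location /`, with a `.well-known` exception if that is why it was dropped: `location ~ /\.(?!well-known/) { return 403; }`. Also note that `location ~* \.(txt|log)$` with `deny all` was removed, so `CHANGELOG.txt` and any `.log` left in the tree are now public. The server block begins and ends outside this hunk, so the rest of the file should be checked for an equivalent rule before merging.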

+ 38 - 51
install/debian/8/templates/web/nginx/php5-fpm/drupal7.tpl

@@ -7,69 +7,56 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
     }
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
         }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }  
 
 
-    location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
 
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
         }
         }
 
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
         }
         }
-    }
 
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
 
 
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
+        location ~ '\.php$|^/update.php' {
+            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }                
     }
     }
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
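Review bot: On the HTTP vhost the removal of `location ~ (^|/)\. { return 403; }` leaves `.git/`, `.svn/`, `.env` and similar hidden paths reachable, and none of the new nested locations (`\..*/.*\.php$`, `^/sites/.*/private/`, `^/sites/[^/]+/files/.*\.php$`) covers them. If the motivation was the ACME http-01 path, exclude it rather than dropping the guard: `location ~ /\.(?!well-known/) { return 403; }` as the first location inside `location /`. The `\.(txt|log)$` deny is gone as well, exposing `CHANGELOG.txt`; that is a version-disclosure rather than a compromise, but it was previously intentional. The `server {}` block runs past both ends of the hunk, so this assumes no equivalent rule elsewhere in the file.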

+ 44 - 52
install/debian/8/templates/web/nginx/php5-fpm/drupal8.stpl

@@ -11,70 +11,62 @@ server {
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
     }
     }
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
+        location ~ ^/sites/.*/private/ {
             return 403;
             return 403;
         }
         }
 
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
+        location ~ /vendor/.*\.php$ {
+            deny all;
+            return 404;
+        }          
+        
+        try_files $uri /index.php?$query_string;
+        
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
+        }
 
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
         }
         }
 
 
-        location ~ [^/]\.php(/|$)|^/update.php {
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
+        }
+        
+        location ~ '\.php$|^/update.php' {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
-
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
-    }
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
+    }    
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;
     error_page  404 /error/404.html;
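Review bot: The new block no longer denies hidden files: `location ~ (^|/)\. { return 403; }` is removed and the added `/vendor/.*\.php$` and `^/sites/[^/]+/files/.*\.php$` rules do not cover `.git/`, `.svn/`, `.env` or editor backup files under the docroot, which are now served over HTTPS. Put the guard back as the first nested location, with a `.well-known` exception if ACME validation is the reason it was dropped: `location ~ /\.(?!well-known/) { return 403; }`. The `\.(txt|log)$` deny was removed too, so `CHANGELOG.txt` and `core/CHANGELOG.txt` now disclose the Drupal version to anyone. The enclosing server block starts and ends outside the hunk.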

+ 46 - 55
install/debian/8/templates/web/nginx/php5-fpm/drupal8.tpl

@@ -7,71 +7,62 @@ server {
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
     error_log   /var/log/nginx/domains/%domain%.error.log error;
 
 
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Very rarely should these ever be accessed outside of your lan
-    location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
-        deny all;
-    }
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?q=$1;
+    }  
+   
+    location / {
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
 
 
-    location ~ \..*/.*\.php$ {
-        return 403;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
         }
 
 
-    # No no for private
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
-    }
+        location ~ ^/sites/.*/private/ {
+            return 403;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+        }
+        
+        location ~ /vendor/.*\.php$ {
+            deny all;
+            return 404;
+        }          
+        
+        try_files $uri /index.php?$query_string;
+        
+        location ~ ^/sites/.*/files/styles/ {
+            try_files $uri @rewrite;
+        }
 
 
-    location / {
-        try_files $uri @rewrite;
+        location ~ ^(/[a-z\-]+)?/system/files/ {
+            try_files $uri /index.php?$query_string;
+        }
 
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            try_files $uri @rewrite;
+            expires max;
+            log_not_found off;
         }
         }
 
 
-        location ~ [^/]\.php(/|$)|^/update.php {
+        location ~ '\.php$|^/update.php' {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
-    }
-
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
-    }
-
-    location ~ ^/sites/.*/files/styles/ {
-        try_files $uri @rewrite;
-    }
+            fastcgi_pass %backend_lsnr%;
+            include /etc/nginx/fastcgi_params;
+        }        
+    }        
 
 
     error_page  403 /error/404.html;
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;
     error_page  404 /error/404.html;
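Review bot: Dropping `location ~ (^|/)\. { return 403; }` reopens hidden paths on port 80 — `.git/config`, `.svn/`, `.env`, `*.php~` and the like under the docroot are served as plain files, because the remaining regexes only refuse PHP under a dotted directory, PHP under `sites/*/files`, and `vendor/*.php`. If the rule was removed for the Let's Encrypt http-01 challenge, keep it and exempt the challenge prefix: `location ~ /\.(?!well-known/) { return 403; }`, as the first location inside `location /`. The `\.(txt|log)$` deny went away as well, so `CHANGELOG.txt` and `core/CHANGELOG.txt` now reveal the version. The server block continues outside the hunk; the rest of the file should be checked for an equivalent guard.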

+ 1 - 1
install/debian/8/templates/web/nginx/php5-fpm/sendy.stpl

@@ -3,7 +3,7 @@ server {
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     ssl_certificate_key  %ssl_key%;
-    root        %docroot%;
+    root        %sdocroot%;
     index       index.php index.html index.htm;
     index       index.php index.html index.htm;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;

+ 1 - 1
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_rewrite.stpl

@@ -1,7 +1,7 @@
 server {
 server {
     listen      %ip%:%web_ssl_port%;
     listen      %ip%:%web_ssl_port%;
     server_name %domain_idn% %alias_idn%;
     server_name %domain_idn% %alias_idn%;
-    root        %docroot%;
+    root        %sdocroot%;
     index       index.php index.html index.htm;
     index       index.php index.html index.htm;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.log combined;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;
     access_log  /var/log/nginx/domains/%domain%.bytes bytes;

+ 89 - 0
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.stpl

@@ -0,0 +1,89 @@
+server {
+    listen      %ip%:%web_ssl_port%;
+    server_name %domain_idn% %alias_idn%;
+    root        %sdocroot%;
+    index       index.php index.html index.htm;
+    access_log  /var/log/nginx/domains/%domain%.log combined;
+    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
+    error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+    ssl         on;
+    ssl_certificate      %ssl_pem%;
+    ssl_certificate_key  %ssl_key%;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    set $cache_uri $request_uri;
+
+    if ($request_method = POST) {
+        set $cache_uri 'null cache';
+    }
+
+    if ($query_string != "") {
+        set $cache_uri 'null cache';
+    }   
+
+    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
+                          |wp-.*.php|/feed/|index.php|wp-comments-popup.php
+                          |wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
+                          |[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+        set $cache_uri 'null cache';
+    }  
+
+    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
+                         |wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
+        set $cache_uri 'null cache';
+    }
+    
+    location / {
+        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index-https.html $uri $uri/ /index.php?$args;
+
+        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+            expires     max;
+        }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            if (!-f $document_root$fastcgi_script_name) {
+                return  404;
+            }
+
+            fastcgi_pass    %backend_lsnr%;
+            fastcgi_index   index.php;
+            include         /etc/nginx/fastcgi_params;
+        }
+    }
+
+    error_page  403 /error/404.html;
+    error_page  404 /error/404.html;
+    error_page  500 502 503 504 /error/50x.html;
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location ~* "/\.(htaccess|htpasswd)$" {
+        deny    all;
+        return  404;
+    }
+
+    location /vstats/ {
+        alias   %home%/%user%/web/%domain%/stats/;
+        include %home%/%user%/conf/web/%domain%.auth*;
+    }
+
+    include     /etc/nginx/conf.d/phpmyadmin.inc*;
+    include     /etc/nginx/conf.d/phppgadmin.inc*;
+    include     /etc/nginx/conf.d/webmail.inc*;
+
+    include     %home%/%user%/conf/web/snginx.%domain%.conf*;
+}
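Review bot: The two multi-line `if` regexes silently lose most of their alternatives: nginx keeps the line breaks inside a quoted string, and in PCRE a literal newline only matches a newline, so alternatives such as `/wp-(app|cron|login|register|mail).php`, `wp-comments-popup.php`, `sitemap(_index)?.xml` and, in the cookie test, `wordpress_[a-f0-9]+` all carry a trailing newline-plus-indent and can never match a single-line `$request_uri` or `$http_cookie` (`wp-locations.php ` additionally has a trailing space). The damage is partly masked because `wp-.*.php` and `wordpress_logged_in` are on intact lines, but `sitemap.xml`/`sitemap_index.xml` and a bare `wordpress_<hash>` auth cookie are not excluded from the cache as intended. Put each pattern on one line: `if ($request_uri ~* "(/wp-admin/|/xmlrpc\.php|/wp-(app|cron|login|register|mail)\.php|wp-.*\.php|/feed/|index\.php|wp-comments-popup\.php|wp-links-opml\.php|wp-locations\.php|sitemap(_index)?\.xml|[a-z0-9_-]+-sitemap([0-9]+)?\.xml)") {` and `if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {`. Separately, this new template still uses `ssl on;` while the same commit moves the other SSL templates to `listen %ip%:%web_ssl_port% ssl;`; it should follow suit.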

+ 85 - 0
install/debian/8/templates/web/nginx/php5-fpm/wordpress2_wp_super_cache.tpl

@@ -0,0 +1,85 @@
+server {
+    listen      %ip%:%web_port%;
+    server_name %domain_idn% %alias_idn%;
+    root        %docroot%;
+    index       index.php index.html index.htm;
+    access_log  /var/log/nginx/domains/%domain%.log combined;
+    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
+    error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+    
+    set $cache_uri $request_uri;
+
+    if ($request_method = POST) {
+        set $cache_uri 'null cache';
+    }
+
+    if ($query_string != "") {
+        set $cache_uri 'null cache';
+    }   
+
+    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
+                          |wp-.*.php|/feed/|index.php|wp-comments-popup.php
+                          |wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
+                          |[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+        set $cache_uri 'null cache';
+    }  
+
+    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
+                         |wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {
+        set $cache_uri 'null cache';
+    }
+
+    location / {
+        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
+
+        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+            expires     max;
+        }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            if (!-f $document_root$fastcgi_script_name) {
+                return  404;
+            }
+
+            fastcgi_pass    %backend_lsnr%;
+            fastcgi_index   index.php;
+            include         /etc/nginx/fastcgi_params;
+        }
+    }
+
+    error_page  403 /error/404.html;
+    error_page  404 /error/404.html;
+    error_page  500 502 503 504 /error/50x.html;
+
+    location /error/ {
+        alias   %home%/%user%/web/%domain%/document_errors/;
+    }
+
+    location ~* "/\.(htaccess|htpasswd)$" {
+        deny    all;
+        return  404;
+    }
+
+    location /vstats/ {
+        alias   %home%/%user%/web/%domain%/stats/;
+        include %home%/%user%/conf/web/%domain%.auth*;
+    }
+
+    include     /etc/nginx/conf.d/phpmyadmin.inc*;
+    include     /etc/nginx/conf.d/phppgadmin.inc*;
+    include     /etc/nginx/conf.d/webmail.inc*;
+
+    include     %home%/%user%/conf/web/nginx.%domain%.conf*;
+}
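Review bot: The multi-line regexes in the two `if` blocks do not do what they look like: a quoted nginx string keeps its embedded newlines, and a literal newline in a PCRE pattern only matches a newline, so every alternative that ends a line (`/wp-(app|cron|login|register|mail).php`, `wp-comments-popup.php`, `sitemap(_index)?.xml`, and `wordpress_[a-f0-9]+` in the cookie test) can never match and `wp-locations.php ` is dead because of its trailing space. Logged-in users are still caught by `wordpress_logged_in`, but `sitemap.xml` and a bare `wordpress_<hash>` auth cookie are not excluded from the cache as intended. Collapse each pattern onto one line: `if ($request_uri ~* "(/wp-admin/|/xmlrpc\.php|/wp-(app|cron|login|register|mail)\.php|wp-.*\.php|/feed/|index\.php|wp-comments-popup\.php|wp-links-opml\.php|wp-locations\.php|sitemap(_index)?\.xml|[a-z0-9_-]+-sitemap([0-9]+)?\.xml)") {` and `if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_") {`. One further caveat: `$cache_uri` is copied from `$request_uri`, which is the raw request line rather than the normalized `$uri`, so as far as I can tell `..` segments reach the `try_files` filesystem lookup; the fixed `/index.html` suffix limits what can be read, but a normalized value would be safer and is worth confirming.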

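--- a/install/debian/9/dovecot/conf.d/15-mailboxes.conf
+++ b/install/debian/9/dovecot/conf.d/15-mailboxes.conf
@@ -0,0 +1,29 @@
+## Mailbox definitions
+##
+
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  mailbox Drafts {
+    special_use = \Drafts
+    auto = subscribe
+  }
+
+  mailbox Junk {
+    special_use = \Junk
+    auto = subscribe
+  }
+
+  mailbox Trash {
+    special_use = \Trash
+    auto = subscribe
+  }
+
+  mailbox Sent {
+    special_use = \Sent
+    auto = subscribe
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+}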

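--- a/install/debian/9/nginx/nginx.conf
+++ b/install/debian/9/nginx/nginx.conf
@@ -51,6 +51,7 @@ http {
 
     # Compression
     gzip                on;
+    gzip_vary           on;
     gzip_comp_level     9;
     gzip_min_length     512;
     gzip_buffers        8 64k;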
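Review bot: `gzip_vary on` is the right companion to the existing `gzip on`, but because both sit at `http` level they apply to every vhost this installer generates, and unless `gzip_types` (not visible in the hunk) restricts compression to static assets, dynamic HTML from authenticated pages is compressed as well, which is the precondition for BREACH-style recovery of secrets such as CSRF tokens embedded in the response. This is presumably accepted for a shared-hosting default, but the trade-off is undocumented here. I would record it next to the new line: `# NOTE: compressing dynamic responses that embed secrets enables BREACH; keep gzip_types to static content where possible`. The `http` block starts and ends outside the hunk.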

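--- a/install/debian/9/sudo/admin
+++ b/install/debian/9/sudo/admin
@@ -4,5 +4,5 @@ Defaults:admin !syslog
 Defaults:admin !requiretty
 Defaults:root !requiretty
 
-admin   ALL=(ALL)       ALL
+# sudo is limited to vesta scripts
 admin   ALL=NOPASSWD:/usr/local/vesta/bin/*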
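Review bot: The new comment overstates what the remaining rule guarantees: `admin ALL=NOPASSWD:/usr/local/vesta/bin/*` is still root-equivalent unless `/usr/local/vesta/bin` and every script in it stay root-owned and not writable by admin, because any script admin can create or edit under that wildcard becomes a passwordless root command, and the `Defaults:admin !syslog` line in the hunk header means those invocations are not logged. Since these scripts are presumably invoked by the panel's web process running as admin, argument validation inside each script is now the real privilege boundary rather than sudoers. I would make the precondition explicit in the comment: `# sudo is limited to vesta scripts; /usr/local/vesta/bin must remain root-owned and non-writable by admin`, and consider dropping `!syslog` so the remaining root path keeps an audit trail.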

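--- a/install/debian/9/templates/web/apache2/basedir.stpl
+++ b/install/debian/9/templates/web/apache2/basedir.stpl
@@ -15,7 +15,7 @@
         AllowOverride All
         SSLRequireSSL
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"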

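--- a/install/debian/9/templates/web/apache2/hosting.stpl
+++ b/install/debian/9/templates/web/apache2/hosting.stpl
@@ -22,7 +22,7 @@
         php_admin_flag mysql.allow_persistent  off
         php_admin_flag safe_mode off
         php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
     </Directory>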
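Review bot: The rewritten `open_basedir` line still lists `/tmp`, which is shared by every hosting user on the box, so PHP in this SSL vhost can read any other tenant's world-readable temporary files even though `upload_tmp_dir` and `session.save_path` on the following lines already confine this user's own uploads and sessions to `%home%/%user%/tmp`. The same goes for `/usr/share` and `/var/www/html`, which presumably exist for phpMyAdmin and Roundcube, but that reason is not recorded and I cannot confirm it from the hunk. I would either drop `/tmp` from the list if the bundled web apps do not require it, or document why it stays: `# /tmp, /usr/share and /var/www/html are in open_basedir for phpMyAdmin/Roundcube; user uploads and sessions are confined to ~/tmp`. The `<Directory>` block starts outside the hunk.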

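--- a/install/debian/9/templates/web/apache2/phpcgi.stpl
+++ b/install/debian/9/templates/web/apache2/phpcgi.stpl
@@ -15,7 +15,7 @@
         SSLRequireSSL
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         Action phpcgi-script /cgi-bin/php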

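--- a/install/debian/9/templates/web/apache2/phpfcgid.stpl
+++ b/install/debian/9/templates/web/apache2/phpfcgid.stpl
@@ -15,7 +15,7 @@
         SSLRequireSSL
         AllowOverride All
         Options +Includes -Indexes +ExecCGI
-        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+        php_admin_value open_basedir %sdocroot%:%home%/%user%/tmp
         php_admin_value upload_tmp_dir %home%/%user%/tmp
         php_admin_value session.save_path %home%/%user%/tmp
         <Files *.php>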

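--- a/install/debian/9/templates/web/nginx/caching.stpl
+++ b/install/debian/9/templates/web/nginx/caching.stpl
@@ -1,7 +1,6 @@
 server {
-    listen      %ip%:%proxy_ssl_port%;
+    listen      %ip%:%proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     error_log  /var/log/%web_system%/domains/%domain%.error.log error;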
