Merge pull request #59 from niiknow/master

Bug fixes to mysql

Dockerfile

@@ -4,7 +4,7 @@ LABEL maintainer="noogen <[email protected]>"
 
 ENV DEBIAN_FRONTEND=noninteractive \
     VESTA=/usr/local/vesta \
-    GOLANG_VERSION=1.10.3 \
+    GOLANG_VERSION=1.10.4 \
     NGINX_BUILD_DIR=/usr/src/nginx \
     NGINX_DEVEL_KIT_VERSION=0.3.0 NGINX_SET_MISC_MODULE_VERSION=0.31 \
     NGINX_VERSION=1.14.0 \
@@ -91,7 +91,7 @@ RUN \
     cd /tmp \
 
 # begin setup for vesta
-    && curl -SL https://vestacp.com/pub/vst-install-ubuntu.sh -o /tmp/vst-install-ubuntu.sh \
+    && curl -SL https://raw.githubusercontent.com/serghey-rodin/vesta/master/install/vst-install-ubuntu.sh -o /tmp/vst-install-ubuntu.sh \
 
 # put nginx on hold so it doesn't get updates with apt-get upgrade, also remove from vesta apt-get
     && apt-mark hold nginx postgresql-10 postgresql-client-10 postgresql-doc-10 postgresql-contrib \
@@ -142,7 +142,7 @@ RUN \
 
 # install nodejs, memcached, redis-server, openvpn, mongodb, dotnet-sdk, and couchdb
     && apt-get install -yf --no-install-recommends nodejs memcached php-memcached redis-server \
-        openvpn mongodb-org php-mongodb couchdb dotnet-sdk-2.1.200 \
+        openvpn mongodb-org php-mongodb couchdb dotnet-sdk-2.1 \
 
 # setting upawscli, golang
 # awscli

README.md

@@ -2,20 +2,20 @@
 The ultimate control panel with docker (thanks lagun4ik for a great start)
 
 What's included?
-* ubuntu 16.04 lts + Vesta 0.9.8-22
+* ubuntu 16.04 lts + Vesta 0.9.8-23
 * nginx (proxy) -> apache2 -> php-fcgi - high performance and flexible implementation
 * added ability to also run php-fpm
 * ssh/sftp, letsencrypt, memcached, redis, MariaDB 10.2, postgresql 9.6, nodejs 8.x, golang 1.10, openvpn, mongodb, couchdb, .net core 2.0 runtime
 * folder redirection for data persistence and automatic daily backup provided by VestaCP
 * DNS, named, dovecot/roundcube, spamassassin, clamav, etc... -- disabled by default
-* vesta panel SSL (LE-issued) for mail and control panel - provide $VESTA_DOMAIN environment variable
+* vesta panel SSL (LE-issued) for mail and control panel - provide $HOSTNAME environment variable
 
 Run this image:
 ```
 mkdir -p /opt/vestacp/{vesta,home,backup}
 
 docker run -d --restart=always \
--p 2222:22 -p 80:80 -p 443:443 -p 3306:3306 -p 5432:5432 -p 8083:8083 \
+-p 2222:22 -p 80:80 -p 443:443 -p 9088:8083 \
 -v /opt/vestacp/vesta:/vesta -v /opt/vestacp/home:/home -v /opt/vestacp/backup:/backup \
 niiknow/vestacp
 ```
@@ -58,9 +58,6 @@ FTP was not installed on purpose because it's not secure.  Use SFTP instead on t
 - [ ] java, dotnet
 - [ ] openvpn
 
-### known issues
-- [ ] MariaDB password is not saved across backup and restore.  After you restore, go to VESTA DB admin UI and update the password.
-
 ### your todo
 - [ ] I recommend the following:
 
@@ -74,6 +71,12 @@ If you use this Docker for hosting and allow your user to login, I also recommen
 Enjoy!!!
 
 ## Release Notes
+*^1.4.0 - in this update, we remove support for php5.6 and 7.0 as it no longer officially support/end of life (EOL) by the end of this year: http://php.net/supported-versions.php There is no excuse, you know this day was coming.  ** this is just a preview of upcoming version message/notice**
+
+1.3.10 - finalizing stuff to get ready for 1.4.0
+
+1.3.9 - update to 0.9.8-23, see security bulleton/notice in forum here: https://forum.vestacp.com/viewtopic.php?f=10&t=17795  The panel should have auto-updated, we're just updating the build for new user convenience.
+
 1.3.6 - update nginx to 1.14 stable release, update dotnet
 
 1.3.5 - update to 0.9.8-22 - REMINDER: if your server has not autoupdate to 0.9.8-22, please do so or update to this release.  There is a serious security issue in 0.9.8-20.

docker-compose.yml

@@ -4,6 +4,7 @@ services:
   vesta:
     image: niiknow/vestacp
     container_name: vesta
+    hostname: yourcpanelhostname.com
     volumes:
       - "/opt/vestacp/backup:/backup"
       - "/opt/vestacp/vesta:/vesta"
@@ -12,7 +13,7 @@ services:
       - "2222:22"
       - "80:80"
       - "443:443"
-      - "8083:8083"
+      - "9088:8083"
     privileged: true
     ulimits:
       nproc: 65535
@@ -23,4 +24,12 @@ services:
       net.core.somaxconn: '511'
     labels:
       - "Vesta Control Panel"
-    restart: unless-stopped
+    restart: always
+
+# Note, set hostname for auto ssl on the panel, it also
+# help with valid IP for SMTP email validation among
+# other things.
+# 
+# also note, I set the port to 9088 above on purpose
+# You can of course change it back to 8083
+# it help with security to change to a different port

rootfs/etc/nginx/location_optmz_php.conf

@@ -1,6 +1,8 @@
-# block access to sensitive files or a file scan
-    location ~* \.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op]|cgi)$ {
+# block access to sensitive file extensions
+    location ~* \.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op]|cgi|env|yml|example)$ {
         deny all;
+        log_not_found off;
+        access_log off;
     }
 
 # allow but don't log fav icon or robots txt
@@ -10,19 +12,18 @@
         access_log off;
     }
 
-# deny access to svn or git files
-    location ~ /\.(svn|git|ht|hg|bzr)/* {
+# Disable .htaccess and other hidden files
+    location ~ /\.(?!well-known).* {
         deny all;
+        access_log off;
+        log_not_found off;
     }
 
 # deny access to specific folder
     location ~ /(private|cgi-bin)/* {
         deny all;
-    }
-
-# deny public access to specfic file
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
+        log_not_found off;
+        access_log off;
     }
 
     location /nginx_status {

rootfs/sysprepz/admin/bin/vesta-auto-ssl.sh

@@ -1,14 +1,16 @@
 #!/bin/bash
 
+domain="$HOSTNAME"
+
 # get environment variables
 source /etc/container_environment.sh
 
 VESTA_PATH='/usr/local/vesta'
-domain="$VESTA_DOMAIN"
 user='admin'
 
-# only run if domain has a value
-if [ -n "$domain" ]; then
+# only run if hostname is valid, regex check if it has a period
+# default docker installation is some random string
+if [[ $domain == *[\.]* ]]; then
 
     # too often, user did not setup DNS host to IP correctly, so we should validate first
     # issue is easier fix by the user than getting blocked by Letsencrypt server
@@ -92,5 +94,5 @@ if [ -n "$domain" ]; then
         echo "[i] Cert file successfullly swapped out.  Please restart docker or vesta, apache2, nginx, and exim4."
     fi
 else
-    echo "[i] vesta-auto-ssl exit due to empty VESTA_DOMAIN variable"
+    echo "[i] vesta-auto-ssl exit due to invalid/default docker hostname: $domain"
 fi

rootfs/sysprepz/admin/bin/vesta-update.sh

@@ -1,20 +1,20 @@
 #!/bin/bash
 # this file is use to update between different
 # of vesta within this docker panel
-rsync --update -raz --progress --exclude 'data' --exclude 'log' --exclude 'conf' --exclude 'nginx' /vesta-start/local/vesta /usr/local/vesta
+rsync --update -ahp --progress --exclude 'data' --exclude 'log' --exclude 'conf' --exclude 'nginx' /vesta-start/local/vesta/ /usr/local/vesta/
 
-rsync --update -raz --progress /vesta-start/local/vesta/data/templates /usr/local/vesta/data/templates
+rsync --update -ahp --progress /vesta-start/local/vesta/data/templates/ /usr/local/vesta/data/templates/
 
-rsync --update -raz --progress --exclude 'conf.d' /vesta-start/etc/nginx /etc/nginx
+rsync --update -ahp --progress --exclude 'conf.d' /vesta-start/etc/nginx/ /etc/nginx/
 
 # update php conf
 rm -rf /vesta/etc/php/*
-rsync --update -raz --progress /vesta-start/etc/php/ /vesta/etc/php/
+rsync --update -avhp --progress /vesta-start/etc/php/ /vesta/etc/php/
 
 if [ ! -d "/var/lib/postgresql/9.6/" ]; then
     echo "[i] add postgresql 9.6"
-    rsync --update -raz /vesta-start/var/lib/postgresql/9.6/* /vesta/var/lib/postgresql/9.6
-    rsync --update -raz /vesta-start/etc/postgresql/9.6/* /vesta/etc/postgresql/9.6
+    rsync --update -avhp /vesta-start/var/lib/postgresql/9.6/ /vesta/var/lib/postgresql/9.6/
+    rsync --update -avhp /vesta-start/etc/postgresql/9.6/ /vesta/etc/postgresql/9.6/
 fi
 
 # restart vesta after update

rootfs/sysprepz/apache2-templates/php56fpm.sh

@@ -17,10 +17,11 @@ listen.owner = $user
 listen.group = www-data
 listen.mode = 0660
 
-pm = ondemand
-pm.max_children = 5
-pm.process_idle_timeout = 10s
-pm.max_requests = 2000
+pm = dynamic
+pm.start_servers = 1
+pm.max_children = 6
+pm.min_spare_servers = 1
+pm.max_spare_servers = 6
 "
 fpm_conf_file="$home_dir/$user/web/$domain/cgi-bin/php$php_version-fpm.conf"
 

rootfs/sysprepz/apache2-templates/php70fpm.sh

@@ -17,10 +17,11 @@ listen.owner = $user
 listen.group = www-data
 listen.mode = 0660
 
-pm = ondemand
-pm.max_children = 5
-pm.process_idle_timeout = 10s
-pm.max_requests = 2000
+pm = dynamic
+pm.start_servers = 1
+pm.max_children = 6
+pm.min_spare_servers = 1
+pm.max_spare_servers = 6
 "
 fpm_conf_file="$home_dir/$user/web/$domain/cgi-bin/php-fpm.conf"
 

rootfs/sysprepz/apache2-templates/php71fpm.sh

@@ -17,10 +17,11 @@ listen.owner = $user
 listen.group = www-data
 listen.mode = 0660
 
-pm = ondemand
-pm.max_children = 5
-pm.process_idle_timeout = 10s
-pm.max_requests = 2000
+pm = dynamic
+pm.start_servers = 1
+pm.max_children = 6
+pm.min_spare_servers = 1
+pm.max_spare_servers = 6
 "
 fpm_conf_file="$home_dir/$user/web/$domain/cgi-bin/php-fpm.conf"
 

rootfs/sysprepz/apache2-templates/php72fpm.sh

@@ -17,10 +17,11 @@ listen.owner = $user
 listen.group = www-data
 listen.mode = 0660
 
-pm = ondemand
-pm.max_children = 5
-pm.process_idle_timeout = 10s
-pm.max_requests = 2000
+pm = dynamic
+pm.start_servers = 1
+pm.max_children = 6
+pm.min_spare_servers = 1
+pm.max_spare_servers = 6
 "
 fpm_conf_file="$home_dir/$user/web/$domain/cgi-bin/php-fpm.conf"
 

rootfs/sysprepz/nginx-templates/custom.stpl

@@ -1,7 +1,7 @@
 server {
-    listen      %proxy_ssl_port%;
+    listen      %proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
+
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
     error_log   /var/log/%web_system%/domains/%domain%.error.log error;

rootfs/sysprepz/nginx-templates/php-fpm.stpl

@@ -1,7 +1,7 @@
 server {
-    listen      %proxy_ssl_port%;
+    listen      %proxy_ssl_port% ssl;
     server_name %domain_idn% %alias_idn%;
-    ssl         on;
+
     ssl_certificate      %ssl_pem%;
     ssl_certificate_key  %ssl_key%;
 
@@ -20,40 +20,34 @@ server {
         # allow for forcing ssl if necessary
         include %docroot%/sngin*.conf;
 
-        try_files $uri $uri/ /index.php?$query_string;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
+    location ~ \.php$ {
+        try_files $uri /index.php =404;
 
-            if ($http_cookie ~ (comment_author_.*|wordpress_logged_in.*|wp-postpass_.*)) {
-                set $no_cache 1;
-            }
+        if ($http_cookie ~ (comment_author_.*|wordpress_logged_in.*|wp-postpass_.*)) {
+            set $no_cache 1;
+        }
 
-            include         /etc/nginx/fastcgi_params;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/vesta-php-fpm-%domain_idn%.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
 
-            fastcgi_index index.php;
-            fastcgi_pass  unix:/var/run/vesta-php-fpm-%domain_idn%.sock;
-            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-            fastcgi_intercept_errors on;
+        fastcgi_intercept_errors on;
 
-            fastcgi_cache_use_stale error timeout invalid_header http_500;
-            fastcgi_cache_key $host$request_uri;
-            fastcgi_cache fpm_%domain%;
+        fastcgi_cache_use_stale error timeout invalid_header http_500;
+        fastcgi_cache_key $host$request_uri;
+        fastcgi_cache fpm_%domain%;
 
-            # small amount of cache goes a long way
-            fastcgi_cache_valid 200 1m;
-            fastcgi_cache_bypass $no_cache;
-            fastcgi_no_cache $no_cache;
-        }
+        # small amount of cache goes a long way
+        fastcgi_cache_valid 200 1m;
+        fastcgi_cache_bypass $no_cache;
+        fastcgi_no_cache $no_cache;
     }
-
+    
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;
     error_page  500 502 503 504 /error/50x.html;