add http2 support for froxlor-vhost and per-domain

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
froxlor · Aug 24, 2017 · bab982a · bab982a · nachtgeist · Aug 24, 2017
1 parent c2c5178
commit bab982a
Show file tree

Hide file tree

Showing 12 changed files with 95 additions and 23 deletions.
diff --git a/actions/admin/settings/122.froxlorvhost.php b/actions/admin/settings/122.froxlorvhost.php
@@ -80,6 +80,19 @@
 					'save_method' => 'storeSettingField',
 					'visible' => Settings::Get('system.use_ssl')
 				),
+				'system_http2_support' => array(
+					'label' => $lng['serversettings']['http2_support'],
+					'settinggroup' => 'system',
+					'varname' => 'http2_support',
+					'type' => 'bool',
+					'default' => false,
+					'save_method' => 'storeSettingField',
+					'websrv_avail' => array(
+						'apache2',
+						'nginx'
+					),
+					'visible' => Settings::Get('system.use_ssl')
+				),
 				/**
 				 * FCGID
 				 */

diff --git a/actions/admin/settings/130.webserver.php b/actions/admin/settings/130.webserver.php
@@ -179,17 +179,6 @@
 						'nginx'
 					)
 				),
-				'system_nginx_http2_support' => array(
-					'label' => $lng['serversettings']['nginx_http2_support'],
-					'settinggroup' => 'system',
-					'varname' => 'nginx_http2_support',
-					'type' => 'bool',
-					'default' => false,
-					'save_method' => 'storeSettingField',
-					'websrv_avail' => array(
-						'nginx'
-					)
-				),
 				'system_nginx_php_backend' => array(
 					'label' => $lng['serversettings']['nginx_php_backend'],
 					'settinggroup' => 'system',

diff --git a/admin_domains.php b/admin_domains.php
@@ -590,6 +590,8 @@
 							}
 						}
 
+						$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
+
 						// HSTS
 						$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
 						$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -601,6 +603,7 @@
 					} else {
 						$ssl_redirect = 0;
 						$letsencrypt = 0;
+						$http2 = 0;
 						// we need this for the serialize
 						// if ssl is disabled or no ssl-ip/port exists
 						$ssl_ipandports[] = - 1;
@@ -616,6 +619,7 @@
 				} else {
 					$ssl_redirect = 0;
 					$letsencrypt = 0;
+					$http2 = 0;
 					// we need this for the serialize
 					// if ssl is disabled or no ssl-ip/port exists
 					$ssl_ipandports[] = - 1;
@@ -796,10 +800,11 @@
 						'termination_date' => $termination_date,
 						'issubof' => $issubof,
 						'letsencrypt' => $letsencrypt,
+						'http2' => $http2,
 						'hsts_maxage' => $hsts_maxage,
 						'hsts_sub' => $hsts_sub,
 						'hsts_preload' => $hsts_preload,
-						'ocsp_stapling' => $ocsp_stapling,
+						'ocsp_stapling' => $ocsp_stapling
 					);
 
 					$security_questions = array(
@@ -849,10 +854,11 @@
 						'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
 						'ismainbutsubto' => $issubof,
 						'letsencrypt' => $letsencrypt,
+						'http2' => $http2,
 						'hsts' => $hsts_maxage,
 						'hsts_sub' => $hsts_sub,
 						'hsts_preload' => $hsts_preload,
-						'ocsp_stapling' => $ocsp_stapling,
+						'ocsp_stapling' => $ocsp_stapling
 					);
 
 					$ins_stmt = Database::prepare("
@@ -887,6 +893,7 @@
 						`mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
 						`ismainbutsubto` = :ismainbutsubto,
 						`letsencrypt` = :letsencrypt,
+						`http2` = :http2,
 						`hsts` = :hsts,
 						`hsts_sub` = :hsts_sub,
 						`hsts_preload` = :hsts_preload,
@@ -1428,6 +1435,8 @@
 						$letsencrypt = (int) $_POST['letsencrypt'];
 					}
 
+					$http2 = isset($_POST['http2']) && (int)$_POST['http2'] == 1 ? 1 : 0;
+
 					// HSTS
 					$hsts_maxage = isset($_POST['hsts_maxage']) ? (int)$_POST['hsts_maxage'] : 0;
 					$hsts_sub = isset($_POST['hsts_sub']) && (int)$_POST['hsts_sub'] == 1 ? 1 : 0;
@@ -1465,6 +1474,7 @@
 					} else {
 						$ssl_redirect = 0;
 						$letsencrypt = 0;
+						$http2 = 0;
 						// we need this for the serialize
 						// if ssl is disabled or no ssl-ip/port exists
 						$ssl_ipandports[] = - 1;
@@ -1480,6 +1490,7 @@
 				} else {
 					$ssl_redirect = 0;
 					$letsencrypt = 0;
+					$http2 = 0;
 					// we need this for the serialize
 					// if ssl is disabled or no ssl-ip/port exists
 					$ssl_ipandports[] = - 1;
@@ -1634,10 +1645,11 @@
 					'ipandport' => serialize($ipandports),
 					'ssl_ipandport' => serialize($ssl_ipandports),
 					'letsencrypt' => $letsencrypt,
+					'http2' => $http2,
 					'hsts_maxage' => $hsts_maxage,
 					'hsts_sub' => $hsts_sub,
 					'hsts_preload' => $hsts_preload,
-					'ocsp_stapling' => $ocsp_stapling,
+					'ocsp_stapling' => $ocsp_stapling
 				);
 
 				$security_questions = array(
@@ -1672,6 +1684,7 @@
 					$email_only != $result['email_only'] ||
 					($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1') ||
 					$letsencrypt != $result['letsencrypt'] ||
+					$http2 != $result['http2'] ||
 					$hsts_maxage != $result['hsts'] ||
 					$hsts_sub != $result['hsts_sub'] ||
 					$hsts_preload != $result['hsts_preload'] ||
@@ -1828,6 +1841,7 @@
 				$update_data['termination_date'] = $termination_date;
 				$update_data['ismainbutsubto'] = $issubof;
 				$update_data['letsencrypt'] = $letsencrypt;
+				$update_data['http2'] = $http2;
 				$update_data['hsts'] = $hsts_maxage;
 				$update_data['hsts_sub'] = $hsts_sub;
 				$update_data['hsts_preload'] = $hsts_preload;
@@ -1861,6 +1875,7 @@
 					`termination_date` = :termination_date,
 					`ismainbutsubto` = :ismainbutsubto,
 					`letsencrypt` = :letsencrypt,
+					`http2` = :http2,
 					`hsts` = :hsts,
 					`hsts_sub` = :hsts_sub,
 					`hsts_preload` = :hsts_preload,

diff --git a/install/froxlor.sql b/install/froxlor.sql
@@ -258,6 +258,7 @@ CREATE TABLE `panel_domains` (
   `hsts_sub` tinyint(1) NOT NULL default '0',
   `hsts_preload` tinyint(1) NOT NULL default '0',
   `ocsp_stapling` tinyint(1) DEFAULT '0',
+  `http2` tinyint(1) DEFAULT '0',
   PRIMARY KEY  (`id`),
   KEY `customerid` (`customerid`),
   KEY `parentdomain` (`parentdomainid`),
@@ -500,7 +501,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('system', 'ssl_cert_chainfile', ''),
 	('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
 	('system', 'nginx_php_backend', '127.0.0.1:8888'),
-	('system', 'nginx_http2_support', '0'),
+	('system', 'http2_support', '0'),
 	('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
 	('system', 'phpreload_command', ''),
 	('system', 'apache24', '0'),
@@ -585,7 +586,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
 	('panel', 'customer_hide_options', ''),
 	('panel', 'version', '0.9.38.7'),
-	('panel', 'db_version', '201705050');
+	('panel', 'db_version', '201708240');
 
 
 DROP TABLE IF EXISTS `panel_tasks`;

diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -3617,3 +3617,19 @@
 
 	updateToDbVersion('201705050');
 }
+
+if (isDatabaseVersion('201705050')) {
+
+	showUpdateStep("Updating HTTP2 setting");
+	if (Settings::Get('system.nginx_http2_support') != null) {
+		Database::query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `varname` = 'http2_support' WHERE `varname` = 'nginx_http2_support';");
+	} else {
+		Settings::AddNew('system.http2_support', 0);
+	}
+	lastStepStatus(0);
+	showUpdateStep("Adding domain field for HTTP2 stapling");
+	Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `http2` TINYINT(1) NOT NULL DEFAULT '0';");
+	lastStepStatus(0);
+
+	updateToDbVersion('201708240');
+}
diff --git a/lib/formfields/admin/domains/formfield.domains_add.php b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -173,6 +173,19 @@
 						),
 						'value' => array()
 					),
+					'http2' => array(
+						'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
+						'label' => $lng['admin']['domain_http2']['title'],
+						'desc' => $lng['admin']['domain_http2']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array (
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array()
+					),
 					'no_ssl_available_info' => array(
 						'visible' => ($ssl_ipsandports == '' ? true : false),
 						'label' => 'SSL',

diff --git a/lib/formfields/admin/domains/formfield.domains_edit.php b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -207,6 +207,21 @@
 							$result['letsencrypt']
 						)
 					),
+					'http2' => array(
+						'visible' => ($ssl_ipsandports != '' ? true : false) && Settings::Get('system.webserver') != 'lighttpd',
+						'label' => $lng['admin']['domain_http2']['title'],
+						'desc' => $lng['admin']['domain_http2']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array (
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array(
+							$result['http2']
+						)
+					),
 					'no_ssl_available_info' => array(
 						'visible' => ($ssl_ipsandports == '' ? true : false),
 						'label' => 'SSL',

diff --git a/lib/version.inc.php b/lib/version.inc.php
@@ -19,7 +19,7 @@
 $version = '0.9.38.7';
 
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201705050';
+$dbversion = '201708240';
 
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
diff --git a/lng/english.lng.php b/lng/english.lng.php
@@ -2063,8 +2063,8 @@
 $lng['admin']['domain_hsts_preload']['title'] = 'Include domain in <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload list</a>';
 $lng['admin']['domain_hsts_preload']['description'] = 'If you would like this domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use activate this.<br>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains.<br>Please read the details at <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> before sending the header with "preload".';
 
-$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Support';
-$lng['serversettings']['nginx_http2_support']['description'] = 'enable http2 support for ssl. ENABLE ONLY IF YOUR Nginx SUPPORT THIS FEATURE. (version 1.9.5+)';
+$lng['serversettings']['http2_support']['title'] = 'HTTP2 Support';
+$lng['serversettings']['http2_support']['description'] = 'enable HTTP2 support for ssl.<br><em class="red">ENABLE ONLY IF YOUR WEBSERVER SUPPORTS THIS FEATURE (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';
 
 $lng['error']['noipportgiven'] = 'No IP/port given';
 
@@ -2076,3 +2076,5 @@
 $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Configures the cache used to store OCSP responses which get included in TLS handshakes.';
 $lng['serversettings']['nssextrausers']['title'] = 'Use libnss-extrausers instead of libnss-mysql';
 $lng['serversettings']['nssextrausers']['description'] = 'Do not read users from the database but from files. Please only activate if you have already gone through the required configuration steps (system -> libnss-extrausers).<br><strong class="red">For Debian/Ubuntu only (or if you have compiled libnss-extrausers yourself!)</strong>';
+$lng['admin']['domain_http2']['title'] = 'HTTP2 support';
+$lng['admin']['domain_http2']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">Wikipedia</a> for a detailed explanation of HTTP2';
diff --git a/lng/german.lng.php b/lng/german.lng.php
@@ -1714,8 +1714,8 @@
 $lng['admin']['domain_hsts_preload']['title'] = 'Füge Domain in die <a href="https://hstspreload.appspot.com/" target="_blank">HSTS preload Liste</a> hinzu';
 $lng['admin']['domain_hsts_preload']['description'] = 'Wenn die Domain in die HSTS preload Liste, verwaltet von Chrome (und genutzt von Firefox und Safari), hinzugefügt werden soll, dann aktiviere diese Einstellung.<br>Die preload-Direktive zu senden kann PERMANTENTE KONSEQUENZEN haben und dazu führen, dass Benutzer auf diese Domain und auch Subdomains nicht zugreifen können.<br>Beachte Details unter <a href="https://hstspreload.appspot.com/#removal" target="_blank">hstspreload.appspot.com/#removal</a> bevor ein Header mit "preload" gesendet wird.';
 
-$lng['serversettings']['nginx_http2_support']['title'] = 'Nginx HTTP2 Unterstützung';
-$lng['serversettings']['nginx_http2_support']['description'] = 'Aktiviere http2 Unterstützung für SSL. NUR AKTIVIEREN, WENN nginx DIESE FUNKTION UNTERSTÜTZT (version 1.9.5+)';
+$lng['serversettings']['http2_support']['title'] = 'HTTP2 Unterstützung';
+$lng['serversettings']['http2_support']['description'] = 'Aktiviere HTTP2 Unterstützung für SSL.<br><em class="red">NUR AKTIVIEREN, WENN DER WEBSERVER DIESE FUNKTION UNTERSTÜTZT (nginx version 1.9.5+, apache2 version 2.4.17+)</em>';
 
 $lng['error']['noipportgiven'] = 'Keine IP/Port angegeben';
 
@@ -1727,3 +1727,5 @@
 $lng['serversettings']['ssl']['apache24_ocsp_cache_path']['description'] = 'Konfiguriert den Cache-Pfad zum Zwischenspeichern der OCSP-Antworten,<br />die an TLS-Handshakes angehängt werden.';
 $lng['serversettings']['nssextrausers']['title'] = 'Verwende libnss-extrausers anstatt libnss-mysql';
 $lng['serversettings']['nssextrausers']['description'] = 'Lese Benutzer nicht direkt aus der Datenbank sondern über Dateien, bitte nur aktivieren, wenn die entsprechende Konfiguration vorgenommen wurde (System -> libnss-extrausers).<br><strong class="red">Nur für Debian/Ubuntu (oder wenn libnss-extrausers manuell kompiliert wurde!)</strong>';
+$lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
+$lng['admin']['domain_http2']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP.2F2">Wikipedia</a> für eine ausführliche Beschreibung von HTTP2';
diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -434,6 +434,9 @@ public function createIpPort()
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 							if (Settings::Get('system.apache24') == '1') {
+								if (Settings::Get('system.http2_support') == '1') {
+									$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
+								}
 								$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
 							}
 							// this makes it more secure, thx to Marcel (08/2013)
@@ -869,6 +872,9 @@ protected function getVhostContent($domain, $ssl_vhost = false)
 				$vhost_content .= '  SSLEngine On' . "\n";
 				$vhost_content .= '  SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n";
 				if (Settings::Get('system.apache24') == '1') {
+					if (isset($domain['http2']) && $domain['http2'] == '1') {
+						$vhost_content .= ' Protocols h2 http/1.1' . "\n";
+					}
 					$vhost_content .= '  SSLCompression Off' . "\n";
 				}
 				// this makes it more secure, thx to Marcel (08/2013)

diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -196,7 +196,7 @@ public function createIpPort()
 					}
 				}
 
-				$http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+				$http2 = $ssl_vhost == true && Settings::Get('system.http2_support') == '1';
 
 				/**
 				 * this HAS to be set for the default host in nginx or else no vhost will work
@@ -418,7 +418,7 @@ protected function getVhostContent($domain, $ssl_vhost = false)
 				$_vhost_content .= $this->processSpecialConfigTemplate($ipandport['default_vhostconf_domain'], $domain, $domain['ip'], $domain['port'], $ssl_vhost) . "\n";
 			}
 
-            $http2 = $ssl_vhost == true && Settings::Get('system.nginx_http2_support') == '1';
+			$http2 = $ssl_vhost == true && (isset($domain['http2']) && $domain['http2'] == '1');
 
             $vhost_content .= "\t" . 'listen ' . $ipport . ($ssl_vhost == true ? ' ssl' : '') . ($http2 == true ? ' http2' : '') . ';' . "\n";
 		}