Introduce mysqld socket stream forwarding with nginx for chroot jails

2019-01-01 13:47:30 +01:00
parent 0f38bd2449
commit 55bc8cd757
9 changed files with 48 additions and 22 deletions
--- a/var/www/common.php
+++ b/var/www/common.php
@ -1,6 +1,6 @@
 <?php
 require_once(__DIR__ . '/vendor/autoload.php');
-const DBHOST='127.0.0.1'; // Database host
+const DBHOST='localhost'; // Database host
 const DBUSER='hosting'; // Database user
 const DBPASS='MY_PASSWORD'; // Database password
 const DBNAME='hosting'; // Database
@ -15,7 +15,8 @@ const SERVERS=[ //servers and ports we are running on
 const EMAIL_TO=''; //Send email notifications about new registrations to this address
 const INDEX_MD5S=[ //MD5 sums of index.hosting.html files that should be considdered as unchanged for deletion
 'd41d8cd98f00b204e9800998ecf8427e', //empty file
-'7ae7e9bac6be76f00e0d95347111f037' //default file
+'7ae7e9bac6be76f00e0d95347111f037', //default file
+'703fac6634bf637f942db8906092d0ab', //new default file
 ];
 const REQUIRE_APPROVAL=false; //require admin approval of new sites? true/false
 const ADMIN_PASSWORD='MY_PASSWORD'; //password for admin interface
@ -63,14 +64,14 @@ server {
 		try_files $uri $uri/ =404;
 		location ~ \.php$ {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param SCRIPT_FILENAME html/$fastcgi_script_name;
+			fastcgi_param SCRIPT_FILENAME /html$fastcgi_script_name;
 			fastcgi_pass unix:/var/run/php/7.3-hosting;
 		}
 	}
 	location /squirrelmail {
 		location ~ \.php$ {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 			fastcgi_pass unix:/var/run/php/7.3-squirrelmail;
 		}
 	}
@ -78,7 +79,7 @@ server {
 		root /usr/share;
 		location ~ \.php$ {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 			fastcgi_pass unix:/run/php/7.3-phpmyadmin;
 		}
 	}
@ -86,7 +87,7 @@ server {
 		root /usr/share/adminer;
 		location ~ \.php$ {
 			include snippets/fastcgi-php.conf;
-			fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 			fastcgi_pass unix:/run/php/7.3-adminer;
 		}
 	}
@ -415,9 +416,19 @@ function rewrite_nginx_config(PDO $db){
 }
 ";

-		file_put_contents("/etc/nginx/sites-enabled/hosted_sites", $nginx);
-		exec("service nginx reload");
 	}
+	file_put_contents("/etc/nginx/sites-enabled/hosted_sites", $nginx);
+	$nginx='';
+	$stmt=$db->query("SELECT users.system_account, users.php, users.autoindex, onions.onion FROM users INNER JOIN onions ON (onions.user_id=users.id) WHERE onions.enabled IN (1, -2) AND users.id NOT IN (SELECT user_id FROM new_account) AND users.todelete!=1;");
+	while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
+		$nginx.="server {
+	listen unix:/home/$tmp[system_account]/var/run/mysqld/mysqld.sock;
+	proxy_pass unix:/var/run/mysqld/mysqld.sock;
+}
+";
+	}
+	file_put_contents("/etc/nginx/streams-enabled/hosted_sites", $nginx);
+	exec("service nginx reload");
 }

 function rewrite_php_config(PDO $db, string $key){
--- a/var/www/cron.php
+++ b/var/www/cron.php
@ -140,7 +140,7 @@ foreach($accounts as $account){
 	$drop_user->execute([$account[2]]);
 	$stmt->execute([$account[1]]);
 	while($tmp=$stmt->fetch(PDO::FETCH_NUM)){
-		$db->exec("DROP DATABASE IF EXISTS `$tmp[0]`;");
+		$db->exec('DROP DATABASE IF EXISTS `'.preg_replace('/[^a-z0-9]/i', '', $tmp[0]).'`;');
 	}
 	$db->exec('FLUSH PRIVILEGES;');
 	//delete user from user database
--- a/var/www/html/home.php
+++ b/var/www/html/home.php
@ -77,7 +77,7 @@ echo '<tr><th>Database</th><th>Host</th><th>User</th></tr>';
 $stmt=$db->prepare('SELECT mysql_database  FROM mysql_databases WHERE user_id=?;');
 $stmt->execute([$user['id']]);
 while($mysql=$stmt->fetch(PDO::FETCH_ASSOC)){
-	echo "<tr><td>$mysql[mysql_database]</td><td>127.0.0.1</td><td>$user[mysql_user]</td></tr>";
+	echo "<tr><td>$mysql[mysql_database]</td><td>localhost</td><td>$user[mysql_user]</td></tr>";
 }
 echo '</table>';
 echo '<p><a href="password.php?type=sql">Change MySQL password</a></p>';
--- a/var/www/setup.php
+++ b/var/www/setup.php
@ -35,7 +35,6 @@ if(!@$version=$db->query("SELECT value FROM settings WHERE setting='version';"))
 	$db->exec('CREATE TABLE settings (setting varchar(50) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL PRIMARY KEY, value text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
 	$stmt=$db->prepare("INSERT INTO settings (setting, value) VALUES ('version', ?);");
 	$stmt->execute([DBVERSION]);
-	exec('/var/www/setup_chroot.sh /var/www');
 	echo "Database and files have successfully been set up\n";
 }else{
 	$version=$version->fetch(PDO::FETCH_NUM)[0];
@ -122,8 +121,6 @@ if(!@$version=$db->query("SELECT value FROM settings WHERE setting='version';"))
 			// some software may break when absolute installation path changes, add symlinks to prevent that
 			symlink('.', '/home/'.$tmp['system_account'].'/home');
 			symlink('.', '/home/'.$tmp['system_account'].'/'.$tmp['system_account']);
-			exec('/var/www/setup_chroot.sh  ' . escapeshellarg('/home/'.$tmp['system_account']));
-			exec('grep ' . escapeshellarg($tmp['system_account']) . ' /etc/passwd >> ' . escapeshellarg("/home/$tmp[system_account]/etc/passwd"));
 			$firstchar=substr($tmp['system_account'], 0, 1);
 			//delete config files
 			foreach(array_replace(PHP_VERSIONS, DISABLED_PHP_VERSIONS) as $v){
@ -139,9 +136,7 @@ if(!@$version=$db->query("SELECT value FROM settings WHERE setting='version';"))
 			if(file_exists("/etc/nginx/sites-enabled/$tmp[system_account]")){
 				unlink("/etc/nginx/sites-enabled/$tmp[system_account]");
 			}
-			exec('/var/www/setup_chroot.sh /var/www');
 		}
-		$db->exec('UPDATE service_instances SET reload=1;');
 	}
 	$stmt=$db->prepare("UPDATE settings SET value=? WHERE setting='version';");
 	$stmt->execute([DBVERSION]);
@ -235,11 +230,22 @@ php_admin_value[open_basedir] = /usr/share/adminer:/tmp
 		file_put_contents("/etc/php/$version/fpm/pool.d/www.conf", $pool_config);
 		exec("service php$version-fpm@default reload");
 	}
-	file_put_contents('/etc/nginx/sites-enabled/default', NGINX_DEFAULT);
-	exec("service nginx reload");
-	if(DBVERSION!=$version){
-		echo "Database and files have successfully been updated to the latest version\n";
-	}else{
-		echo "Database and files already up-to-date\n";
+	echo "Updating chroots, this might take a while…\n";
+	exec('/var/www/setup_chroot.sh /var/www');
+	$stmt=$db->query('SELECT system_account FROM users;');
+	while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
+		exec('/var/www/setup_chroot.sh  ' . escapeshellarg('/home/'.$tmp['system_account']));
+		exec('grep ' . escapeshellarg($tmp['system_account']) . ' /etc/passwd >> ' . escapeshellarg("/home/$tmp[system_account]/etc/passwd"));
 	}
+	file_put_contents('/etc/nginx/sites-enabled/default', NGINX_DEFAULT);
+	if(!file_exists("/etc/nginx/streams-enabled/")){
+		mkdir("/etc/nginx/streams-enabled/", 0755, true);
+	}
+	file_put_contents('/etc/nginx/streams-enabled/default', "server {
+	listen unix:/var/www/var/run/mysqld/mysqld.sock;
+	proxy_pass unix:/var/run/mysqld/mysqld.sock;
+}");
+	exec("service nginx reload");
+	$db->exec('UPDATE service_instances SET reload=1;');
+	echo "Done - Database and files have been updated to the latest version :)\n";
 }
--- a/var/www/setup_chroot.sh
+++ b/var/www/setup_chroot.sh
@ -61,6 +61,7 @@ CHROOT_DIRECTORY_STRUCTURE=(
    '/usr/sbin'
    '/var'
    '/var/run'
+    '/var/run/mysqld'
 )
 BINARIES_GENERAL=(
    '/usr/lib/openssh/sftp-server'