From 7bd2e79f069210659237a6d66962630aed362abd Mon Sep 17 00:00:00 2001
From: Daniel Winzen <d@winzen4.de>
Date: Thu, 8 Mar 2018 20:57:42 +0100
Subject: [PATCH] Separate nginx sockets for each site to make hoster
 identification harder

---
 README.md                                      |  3 ++-
 etc/systemd/system/nginx.service.d/custom.conf |  1 +
 var/www/common.php                             |  2 +-
 var/www/cron.php                               |  6 +++---
 var/www/setup.php                              | 14 ++++++++++++++
 5 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index bfbba26..25c5213 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ apt-get purge apache2* resolvconf
 
 If you are on Ubuntu, add the following PPA:
 ```
-add-apt-repository ppa:ondrej/php && apt-get update
+LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php && apt-get update
 ```
 On debian stable this may be worth a look: https://deb.sury.org/
 
@@ -123,6 +123,7 @@ Create a mysql user with all permissions for our hosting management:
 mysql
 CREATE USER 'hosting'@'localhost' IDENTIFIED BY 'MY_PASSWORD';
 GRANT ALL PRIVILEGES ON *.* TO 'hosting'@'localhost' WITH GRANT OPTION;
+FLUSH PRIVILEGES;
 quit
 ```
 
diff --git a/etc/systemd/system/nginx.service.d/custom.conf b/etc/systemd/system/nginx.service.d/custom.conf
index afa8669..1af5869 100644
--- a/etc/systemd/system/nginx.service.d/custom.conf
+++ b/etc/systemd/system/nginx.service.d/custom.conf
@@ -3,3 +3,4 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ExecStop=
 ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
+ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
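Review bot: The socket directory created on the new ExecStartPre line is world-readable (mode 02755), so any local account can list `/var/run/nginx/` and read off the full set of hosted onion names, which works against the commit's stated goal of making co-hosting harder to detect. Whether that is reachable depends on site owners having local code execution (the per-site PHP-FPM pools visible in the cron.php hunk suggest they do) and on any open_basedir restriction, neither of which the diff shows. Since tor only needs to traverse the directory to connect to a socket it already knows by path, `-m 02751` would keep the connect working while denying enumeration; this assumes the `_tor-*` users are not in the www-data group, which I cannot confirm from here.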
diff --git a/var/www/common.php b/var/www/common.php
index bbe2ec6..c47b24e 100644
--- a/var/www/common.php
+++ b/var/www/common.php
@@ -4,7 +4,7 @@ const DBUSER='hosting'; // Database user
 const DBPASS='MY_PASSWORD'; // Database password
 const DBNAME='hosting'; // Database
 const PERSISTENT=true; // Use persistent database conection true/false
-const DBVERSION=2; //database layout version
+const DBVERSION=3; //database layout version
 const CAPTCHA=0; // Captcha difficulty (0=off, 1=simple, 2=moderate, 3=extreme)
 const ADDRESS='dhosting4okcs22v.onion'; // our own address
 const SERVERS=[ //servers and ports we are running on
diff --git a/var/www/cron.php b/var/www/cron.php
index f5a87b6..c1c42ac 100644
--- a/var/www/cron.php
+++ b/var/www/cron.php
@@ -48,7 +48,7 @@ if($id[5]!=0){
 
 $nginx="server {
 	listen [::]:80;
-	listen unix:/var/run/nginx.sock;
+	listen unix:/var/run/nginx/$onion;
 	root /home/$onion.onion/www;
 	server_name $onion.onion *.$onion.onion;
 	access_log /var/log/nginx/access_$onion.onion.log custom;
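Review bot: The new listen line in the template, `listen unix:/var/run/nginx/$onion;`, omits the `backlog=2048` that the setup.php migration writes into the same line for existing sites (`listen unix:/var/run/nginx/$onion backlog=2048;`), so migrated and newly created sites end up with different accept queues. Unless the difference is intended, the two should agree: either add `backlog=2048` here or drop it from the migration. The `$nginx` template string continues past the end of this hunk.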
@@ -106,7 +106,7 @@ php_admin_value[session.save_path] = /home/$onion.onion/tmp
 	chgrp("/var/lib/tor-instances/$firstchar/hidden_service_$onion.onion/private_key", "_tor-$firstchar");
 	//add hidden service to torrc
 	$torrc=file_get_contents("/etc/tor/instances/$firstchar/torrc");
-	$torrc.="HiddenServiceDir /var/lib/tor-instances/$firstchar/hidden_service_$onion.onion/\nHiddenServicePort 80 unix:/var/run/nginx.sock\nHiddenServicePort 25 127.0.0.1:25\n";
+	$torrc.="HiddenServiceDir /var/lib/tor-instances/$firstchar/hidden_service_$onion.onion/\nHiddenServicePort 80 unix:/var/run/nginx/$onion\nHiddenServicePort 25 127.0.0.1:25\n";
 	file_put_contents("/etc/tor/instances/$firstchar/torrc", $torrc);
 	//remove from to-add queue
 	$del->execute([$onion]);
@@ -132,7 +132,7 @@ foreach($onions as $onion){
 	unlink("/etc/nginx/sites-enabled/$onion[0].onion");
 	//clean torrc from user
 	$torrc=file_get_contents("/etc/tor/instances/$firstchar/torrc");
-	$torrc=str_replace("HiddenServiceDir /var/lib/tor-instances/$firstchar/hidden_service_$onion[0].onion/\nHiddenServicePort 80 unix:/var/run/nginx.sock\nHiddenServicePort 25 127.0.0.1:25\n", '', $torrc);
+	$torrc=str_replace("HiddenServiceDir /var/lib/tor-instances/$firstchar/hidden_service_$onion[0].onion/\nHiddenServicePort 80 unix:/var/run/nginx/$onion[0]\nHiddenServicePort 25 127.0.0.1:25\n", '', $torrc);
 	file_put_contents("/etc/tor/instances/$firstchar/torrc", $torrc);
 	//delete hidden service from tor
 	if(file_exists("/var/lib/tor-instances/$firstchar/hidden_service_$onion[0].onion/")){
diff --git a/var/www/setup.php b/var/www/setup.php
index 1cf597e..e4eaafe 100644
--- a/var/www/setup.php
+++ b/var/www/setup.php
@@ -36,6 +36,20 @@ if(!@$version=$db->query("SELECT value FROM settings WHERE setting='version';"))
 		$db->exec('ALTER TABLE new_account ADD approved tinyint(1) UNSIGNED NOT NULL;');
 		$db->exec('DROP TABLE del_account;');
 	}
+	if($version<3){
+		$stmt=$db->query("SELECT onion FROM users;");
+		while($id=$stmt->fetch(PDO::FETCH_NUM)){
+			$onion=$id[0];
+			$firstchar=substr($onion, 0, 1);
+			$replace=str_replace("listen unix:/var/run/nginx.sock;", "listen unix:/var/run/nginx/$onion backlog=2048;", file_get_contents("/etc/nginx/sites-enabled/$onion.onion"));
+			file_put_contents("/etc/nginx/sites-enabled/$onion.onion", $replace);
+			$torrc=file_get_contents("/etc/tor/instances/$firstchar/torrc");
+			$torrc=str_replace("$onion.onion/\nHiddenServicePort 80 unix:/var/run/nginx.sock", "$onion.onion/\nHiddenServicePort 80 unix:/var/run/nginx/$onion", $torrc);
+			file_put_contents("/etc/tor/instances/$firstchar/torrc", $torrc);
+		}
+		exec('service nginx reload');
+		exec("service tor reload");
+	}
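Review bot: The `exec('service nginx reload')` at the end of the migration assumes `/var/run/nginx/` already exists, but the directory is only created by the drop-in's ExecStartPre, which runs on service start rather than reload; on a host upgrading in place the reload would fail to bind the new sockets while tor is reloaded to point at them, leaving every site unreachable until nginx is restarted. Creating the directory before the loop, e.g. `if(!is_dir('/var/run/nginx')) mkdir('/var/run/nginx', 02755);` followed by a chown to www-data, or documenting a restart instead of a reload, would close that gap (I cannot see from the diff whether the README covers it). Two smaller points in the loop: the `file_get_contents("/etc/nginx/sites-enabled/$onion.onion")` result is not checked for `false`, so a users row without a vhost file would get an empty file written back, and the torrc pattern on the `str_replace` line is not anchored on `hidden_service_` the way cron.php's patterns are, so it could match inside a longer onion name if names of different lengths coexist. The enclosing `if` block on `$version` begins before this hunk.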
 	$stmt=$db->prepare("UPDATE settings SET value=? WHERE setting='version';");
 	$stmt->execute([DBVERSION]);
 	if(DBVERSION!=$version){