Version 1.43.0
Released: 2013-03-16
new
Backup and restore the MySQL character set (collation)mysql >4.1.1:
SHOW VARIABLES LIKE 'character_set%';
gives list. The db.opt file only exists in 4.1.1, so likely won't have this option for mysql 4.
mysql 5:
SHOW CHARACTER SET
SHOW COLLATION
Reference: http://www.databasejournal.com/features/mysql/article.php/3638426
MySQL 4 may not support this function.
Related:
http://stackoverflow.com/questions/4948356/query-to-show-all-tables-and-their-collation
Also store the collation info in the backup and set it at restore time: DONE.
Saved into the dbname.conf all db_collation=, with the entire row, eg:
SELECT * FROM information_schema.SCHEMATA WHERE schema_name=dbname
Data saved into the backup/username_dbname.conf in the tar.gz backups.
Sample:
db_collation=CATALOG_NAME=&DEFAULT_CHARACTER_SET_NAME=latin1&DEFAULT_COLLATION_NAME=latin1_swedish_ci&SCHEMA_NAME=mysqluser_sixchr&SQL_PATH=
DA will remove the db_collation before the restore, else it would try to add username_collation as a new User.. which is often too long for MySQL (16 character cap).
new
CMD_API_ADDITIONAL_DOMAINS to include typeCMD_API_ADDITIONAL_DOMAINS to include the type of pointer (alias or redirect).
The pointers= list will remain the same which will include both alias and redirect values, but a 2nd list::
alias_pointers= will contain just the domain alias poitners (ServerAlias).
If needed, you can then subtract the 2 lists to get the redirect pointers.
new
Ability to link an IPv6 or LAN IP to another IP (SKINS)Feature to give you the ability to automatically add an IP to certain areas (apache/dns), based on the selection of another IP.
Admin Level -> IP Manager -> Click the IP
brings you do:
CMD_IP_MANAGER_DETAILS?ip=1.2.3.4
The main purpose for this feature is to seamlessly link LAN IPs to external IPs, and/or to link IPv6 IPs to IPv4 IPs.
*** Link a LAN to external IP:
View the details of the external IP.
Link the internal IP to the external IP.
Only select Apache, do not select DNS
Don't link the external IP to the internal IP, else the dns would end up having the internal IP added, which is not desired.
*** Link IPv6 to IPv4:
View the details of the IPv4 IP.
Link the IPv6 to the IPv4.
Check both DNS and Apache.
You could link IPv4 to an IPv6 if you wanted.
Adding a linked IP to the current IP will add the linked IP to the areas where the current IP exists.
Linking an IP with dns will duplicate the A/AAAA records for the current IP with the linked IP.
Linking an IP with apache will add the linked IP into the VirtualHost with the current IP.
This feature is independent of the Multi-IP system, but they can be used together.
For example a User can have 2 IPs with the Multi-IP system, and each of those IPs can have linked IPs.
Links are not recursive, so you don't need to worry about infinite loops.
API:
CMD_API_IP_MANAGER_DETAILS has also been added.
See the DA debug output for information on values to be passed.
SKINS:
admin/ip_manager_details.html
files_admin.conf
CMD_IP_MANAGER_DETAILS=admin/ip_manager_details.html
LF_IP_MANAGER=admin/ip_manager.html
LANGUAGE:
lang/en/internal/ip.txt - up to #36
lang/en/internal/comand.txt - up to #523
new
Ability to tell DA not to wrap dns valuesRelating to this feature:
DKIM keys to be 2048-bit and multi-line TXT records
For anyone who is using a local dns service other than bind, you may not want the values to be wrapped.
A new directadmin.conf variable was added to let you disable the wrapping of dns values.
The internal default is:
wrap_long_dns_values=1
To change it, add this to your directadmin.conf:
wrap_long_dns_values=0
and restart DA.
If you're using bind (named), then leave this as 1, else named will crash if the values are too long.
new
named.db to support template scriptingThe named.db template (used to create domain.com.db files) now supports username scripting.
Environment info for skin scripts (SKINS scripts)
The scripts will be run as root, so you have full access to everything, but be very careful with this high access level, to ensure you don't do any damage to your system.
Sample addition to the bottom of the named.db code for DNSSEC:
|$/usr/local/bin/php
<?php
if (file_exists("/var/named/|DOMAIN|.zsk.key"))
{
echo "\\\$include /var/named/|DOMAIN|.zsk.key\";
}
if (file_exists("/var/named/|DOMAIN|.zsk.key"))
{
echo "\\\$include /var/named/|DOMAIN|.ksk.key\";
}
?>
DONE|
Note that DA may not support thing you add, so if you add any values that the DA dns parser cannot read (eg: $include lines) ensure you're adding them to the bottom of the file.
You should really also be only adding things here that DA cannot see... else you'll end up with duplicates each time you re-save the zone.
For example, do not add A records with this feature, else you'll get another A record each time you save the zone.
For A records, use the dns_a.conf. It also supports shell scripting.
new
Ability to clear forwarder values when deleting emailsWhen you delete an email account, this new feature will give you the option to have DA search through your forwarder values (not the forwarder names) and remove these deleted emails, so that any emails sent to the existing forwarders don't cause bounces.
For example, say you have two forwarders:
one -> abc@domain.com
two -> abc@domain.com, efc@domain.com
and you also have the email account:
abc@domain.com
When you delete the abc@domain.com email address, when the 'Clean Forwarders Values' checkbox is selected, DA will go through all of your forwarders, and turn them into:
one -> :fail:
two -> efc@domain.com
so that any emails to one@ or two@ don't cause bounces.
Of course, you'll note that the forwader that only had the 1 email becomes a :fail: forwarder.
This is just to remind you of what DA just did. Sending an email to one@ will reject the email (but won't generate a bounce if it's being sent to from an external email).
This is the best we can do, considering you've just deleted it's destination.
DA will also log to the system.log about the action that was done.
The checkbox value passed with pop deletions (CMD_EMAIL_POP or CMD_API_POP) is:
clean_forwarders=yes
without this checkbox value being passed, the "clean" won't happen.
new
Ability to add more headers to welcome emailsRelating to this feature:
ability to add your own email headers in welcome messages
Extra headers can now be used.
Their token names will be:
HEADER2
HEADER3
HEADER4
in addition to the already exsting token value:
HEADER
eg:
|?HEADER=MIME-Version: 1.0|
|?HEADER2=Content-Type: text/plain; charset=utf8|
This does not apply to the HEADER value used in tickets, only welcome emails.
Related keywords/files:
u_welcome.txt
r_welcome.txt
a_welcome.txt
new
custom script all_restores_post.sh, called after Admin/Reseller Level restoresRelated to this feature:
Custom script:
/usr/local/directadmin/scripts/custom/all_restores_post.sh
Variables passed will be whatever is sent from the task.queue.
new
Session to store selected domainWhen a User accesses his User Level, once he views the page:
CMD_SHOW_DOMAIN?domain=domain.com
DA will log the domain value (assuming it's valid) into the session file as:
selected_domain=domain.com
With that, all plugins should then have access to read this env variable as:
SESSION_SELECTED_DOMAIN=domain.com
which saves the need for the plugin to pass the domain via GET all over.
The global skin tokens will also have the variable:
SESSION_SELECTED_DOMAIN
Note that there is no guarantee that this variable will be set.
However, if you can't find |DOMAIN| or |domain|, then this variable would be a good one to try.
new
New skin type JS_ for javascript files.The old javascript files were added in with the HTM_JAVASCRIPT option, which used text/html as the content-type.
Added a new file type JS_ which will set Content-Type: application/javascript.
It will also skip the "no cache" header options, so the pages will load faster, when this is used.
This also means that you'll need a full cache dump (ctrl-F5) if you're doing javascript programming through DA.. else you'll keep getting the cached version.
The DA skins have not been changed to use JS_, as HTM_ works fine for our purposes.
new
Ability to set the crypt type for passwordsThe default crypt in DA is MD5 which uses the $1$ type for the crypt command.
A new directadmin.conf option will allow the 1 to be changed to a 6 for sha-512, if desired (giving $6$)
This should allow you to be GDPR compliant.
Default internal value:
crypt_method=1
If you'd like passwords to use sha-512, add this to your directadmin.conf, and restart DA:
crypt_method=6
This will affect all calls that DA makes to the "crypt" function.
This includes:
Email accounts
FTP accounts
DA accounts, but only in some cases (varies per OS)
The DA accounts have their password crypt created from different places, depending on what's going on.
Below will outline which cases are used, and will either show what is used to generate the crypt, or it will show "crypt", which will be affected by this change.
Any values that do not show "crypt" will not use DA's crypt() function, thus will not use this feature (crypt method controlled via other configs)
- Changing a password:
FreeBSD: crypt
Debian: chpasswd
Linux: passwd
- Creating a User:
FreeBSD: pw
Debian: crypt
Linux: crypt
- Restores just copy the old encrypted data, so this feature does not apply to the backup/restores.
For the non-"crypt" methods, see this guide:
http://help.directadmin.com/item.php?id=248
This only affects the above crypt methods when triggered.
Existing encryptions are not touched until one of the above crypt methods is triggered (Eg: if you reset the password and it uses crypt)
Password protected directories (as of 1.43.0) use openssl to generate an $apr1$ crypt.
Protected directories to use $apr1$ password format
However, if the crypt generation fails with the openssl binary, then crypt() is used to to generate the passwod crypt... however, it defaults to a very old DES method without $1$.. so this feature will not apply to password protected directories from 1.43.0 and newer.
Versions of DA older than this do use the local crypt (eg: $1$), but this feature doesn't exist.. so still wouldn't apply.
new
Access-Control-Allow-OriginIf you'd like to add a header:
Access-Control-Allow-Origin
you can do so by specifying the following in your directadmin.conf:
access_control_allow_origin=http://www.domain.com
Tags:
CORS OPTIONS
new
Ability to automatically encode subjects to UTF-8 for emails generated by DANew option in DA which automatically swaps a subject with a utf8 encoded subject for all emails generated by DA (welcome emails, notices, etc..)
Default internal setting:
utf8_encode_subject=0
to enable the setting, add the following to your directadmin.conf, and restart DA:
utf8_encode_subject=1
and all emails will have the subject header value swapped out with the valid base64 utf8 encoding.
New script which uses php to do the encoding (our internal base64 encode doesn't support more than 7 bit chars)
/usr/local/directadmin/scripts/base64_encode.php
The encoding of the subject will fix the following SpamAssassin header tags:
SUBJECT_NEEDS_ENCODING
SUBJ_ILLEGAL_CHARS
which should lower the spam score by about 1.6, if special characters exist in the subject line.
IMPORTANT
Make sure you've set your skin to use UTF-8, else the special characters will not show up correctly.
http://help.directadmin.com/item.php?id=364
new
CMD_API_USER_BACKUPRelated to the Admin Level Backup/Restore:
CMD_API_USER_BACKUP
View local files and settings, crons, and users:
pass nothing.
View remote files and settings, crons, and users:
GET or POST:
action=update_files
ftp_ip=127.0.0.1
ftp_password=password
ftp_path=/user_backups (remote ftp path)
ftp_port=21
ftp_username=admin
local_path=
where=ftp
To create backups, crons, save settings, etc.. please run DA in debug mode, and make a desired call through your browser.
The same values send to CMD_USER_BACKUP will be sent to CMD_API_USER_BACKUP
http://help.directadmin.com/item.php?id=293
new
Ability to disable the User Level domain redirectIf a User only has 1 domain, when they view their User Level, they'll immediately be redirected to the "Show Domain" page, which contains all of their URLs to the features.
If they have multiple domains, clicking their User Level, they'll not receive the redirect and be shown a table to chose which domain to use.
This feature prevents the redirect in the event the the User only has 1 domain.
The only real use for this would be for customizations to the User Level index that shows the domain list.
The internal default is:
skin_domain_redirect=1
To disable the redirect, add the following to the directadmin.conf and restart directadmin:
skin_domain_redirect=0
new
Admin Backup Options to specify E-Mail Data (SKINS)The Admin Backup/Transfer can now specify "E-Mail Data" in the Backup options.
This will let you backup the email account names/passwords, without actually including the message data, which can sometimes be quite large.
This is a per-cron option which would more-or-less replace the need for the global option "skip_imap_in_backups":
skip_imap_in_backups to not include email data
The changed used to implement this feature are identical to this feature, except of course database_data is changed to email_data:
Ability to exclude DB data from backup, but include DB Settings (SKINS)
The update will convert everything to become database_data_aware, so it's important that the update.sh script is run (which should be done automatically, so you shouldn't need to worry about it)
SKINS:
form_version needs to be changed from 2 to 3.
admin/admin_backup.html
admin/admin_backup_modify.html
user/site_backup.html
user/site_restore.html
lang/en/reseller/backup_modify.html
lang/en/user/site_backup.html
new
ability for CMD_API_SHOW_USER_CONFIG to show user.conf and user.usageAdditional ability for the CMD_API_SHOW_USER_CONFIG command:
User version CMD_API_SHOW_USER_CONFIG
to also include the user.usage file.
To get DA to add the user.usage, simply add:
both=yes
eg:
CMD_API_SHOW_USER_CONFIG?both=yes
or:
CMD_API_SHOW_USER_CONFIG?user=username&both=yes
and DA will add a new variable to the config:
usage=<value>
where <value>
is a double URL encoded list of the user.usage file.
new
Ability to set ionice for backupsNew directadmin.conf option:
ionice_string=
where the internal default is 0 (null).
If you add a string, it would look something like this:
ionice_string=/usr/bin/ionice -c2 -n7
and requires that you actually have ionice on your system (it doesn't exist on all OS's hence we don't use it by default)
If the value is blank, ensure that ionice_string is not present anywhere in the directadmin.conf, else it won't be "null" and make cause strange effects.
This would make the resulting tar backup call look like:
/usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /bin/tar cvf <etc>..
The applies to all areas of tar and zip/unzip.
new
CMD_API_DIRECTADMIN_CONFAn API-only command CMD_API_DIRECTADMIN_CONF where the output will be all values from the directadmin.conf as loaded in the active process (including the internal defaults that may not exist in the directadmin.conf file), so all values will always be present, as used by DA.
For Admins only.
new
block_ip.sh: new iptables to block all outbound connections to 25 which are not from "mail" (exim) or "root" (manual update required)Requires optional scripts and iptables: http://help.directadmin.com/item.php?id=380
VERSION=2
Added extra code to the iptables script to block all outbound emails on port 25, unless the uid is mail or root.
"root" isn't really needed, so you can remove that line if you want to be extra secure (in case the box gets rooted)
Basically, it requires all email leaving the server to be routed through exim (unless you're "root").
With this change, no User will be able to connect to port 25 on a remote box.. meaning, if an attacker going to spam from your server (using an insecure php script, usually) they'll need to spam through exim.. which has logs and limits.
If you didn't manually install the iptables script yourself, then you're not likely using it, so if you want this change, use the id=380 guide normally (below).
Related:
http://help.directadmin.com/item.php?id=380
actual iptables code used:
#SMTP output, only allow mail to send remotely.
$IPTABLES -A OUTPUT -m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT
Feel free to remove the whole line containing "--uid-owner root" if you don't need it.
I personally do a lot of debugging with telnet to port 25, hence I'm leaving it open.
This script does not apply to FreeBSD.
CSF
Similar settings for CSF:
https://forum.directadmin.com/showthread.php?t=51996&p=267427#post267427
https://forum.directadmin.com/showthread.php?t=51923&p=267072#post267072
TESTING
To ensure it's working, you should be able to run these commands and get a similar block for admin, while it still works for root (note: exim sends with "mail", which doesn't have an ssh shell, hence we add root too)
[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# su - admin
[admin@server ~]$ telnet directadmin.com 25
Trying 216.144.255.179...
telnet: connect to address 216.144.255.179: Connection refused
[admin@server ~]$ logout
[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# telnet directadmin.com 25
Trying 216.144.255.179...
Connected to directadmin.com.
Escape character is '^]'.
220 jbmc-software.com ESMTP Exim 4.86.2 Fri, 08 Apr 2016 16:06:28 -0600
QUIT
221 jbmc-software.com closing connection
Connection closed by foreign host.
[root@server ~]#
new
Template caching for virtual_host* filesThe template files:
/usr/local/directadmin/data/templates/virtual_host2*.conf
are read from disk many times.
Optimization in the file loader which saves the loaded files into memory for certain cases like this.
The speedup on the rewrites should be significant if you have many domains, subdomains and/or Users.
This also includes custom templates, and nginx templates.
The cache also only applies on a per-process basis... meaning you don't need to worry about the master directadmin process caching an old file.
It's only cached within a child process. Handy when a User has many domains. Also very handy with the dataskq (1 process) when rewriting everything.
Tipping point to implement this was for the new Linked IP feature, which would do many lookups on the IP files, where the data wouldn't change over the span of those reads.
http://www.directadmin.com/versions/index.php?id=1377
new
add_apache_comments to disable adding comments to user httpd.conf filesNew directadmin.conf option add_apache_comments to prevent DA adding all #comments from the user httpd.conf files.
Internal default is:
add_apache_comments=1
To disable the comments, add this to your directadmin.conf and restart DA:
add_apache_comments=0
new
dataskq option to only parse task.queue.cbNew task.queue file:
/usr/local/directadmin/data/task.queue.cb
This will always be parsed.
The task.queue.cb will (for the most part) only be filled by the custombuild script.
There is nothing stopping you from using this file as well, to make use of this feature.
The "feature" part is that the dataskq can now be called like this:
/usr/local/directadmin/dataskq d2000 --custombuild
Where the --custombuild option is new.
With the --custombuild option passed to the dataskq (with or without debug mode), this tells the dataskq to skip all other tasks, and only process the task.queue.cb file.
This means:
The task.queue.cb file is executed.
No other task.queue or task.queue.da file is executed
Services are not checked if they're running
Partition usage is not checked
Brute force scanner is not run
The DA login history counter is not checked (for port 2222)
Once custombuild 2.0 is updated to use this feature, you must be running the binaries that supports this option.
This is because
DA will throw an error if you use --custombuild and the dataskq doesn't support it.
the task.queue.cb is not going to be seen, so rewrites and other CB tasks won't be run.
new
exim.pl VERSION=11 to track IDs to prevent retries from being counted multiple timesEach email retry will count against a send limit.
The design "flaw" in the way the limit works is that each attempt (including retries) will count as a send.
The exim.pl doesn't know that a send is a retry, thus counts it as another send, to be certain it gets counted.
It could figure out if it's a retry by checking the /etc/virtual/usage/user.bytes file for another entry with the same ID, however we felt the overhead of scanning the entire file for each email delivery would be too great on the system.
For this reason, the exim send counter will usually be higher than the counter used by DA during the tally, as DA has the extra time to figure out what is or is not a retry. (only done once per day, instead of once per send)
This has actually just given me an idea... of creating a folder,eg:
/etc/virtual/usage/username_ids
and anytime an email is added to the tracking logs:
/etc/virtual/username.bytes
/etc/virtual/username
the exim.pl would also create:
/etc/virtual/username_ids/<message-ID>
The overhead of checking if a file exists is quite low.. and would allow the counter:
/etc/virtual/username
to be skipped if the ID already exists in username_ids/*
The username_ids folder would be removed daily in the email rotation script.
diff of the exim.pl:
3c3
< #VERSION=11
---
> #VERSION=10
290,319c290,293
< my $is_retry = 0;
< if ($mid ne "")
< {
< if (! -d "/etc/virtual/usage/${name}_ids")
< {
< mkdir("/etc/virtual/usage/${name}_ids", 0770);
< }
<
< my $id_file = "/etc/virtual/usage/${name}_ids/$mid";
<
< if (-f $id_file)
< {
< $is_retry = 1;
< }
< else
< {
< open(IDF, ">>$id_file");
< print IDF "$timestamp";
< close(IDF);
< chmod (0660, $id_file);
< }
< }
<
< if ($is_retry != 1)
< {
< open(USAGE, ">>/etc/virtual/usage/$name");
< print USAGE "1";
< close(USAGE);
< chmod (0660, "/etc/virtual/usage/$name");
< }
---
> open(USAGE, ">>/etc/virtual/usage/$name");
> print USAGE "1";
> close(USAGE);
> chmod (0660, "/etc/virtual/usage/$name");
new
exim.pl VERSION=12: Block smtp-auth sends if limit reached (manual changes)When the send limit has been reached for a DA user, or email account, the smtp-auth will return an invalid password to prevent the emails from entering the mail queue/spool at all.
Changes to DA's brute_filter_list will replace the keyword scan of:
login authenticator failed for
and replace it with:
535 Incorrect authentication data
So that the failed send when the limit is reached won't be caught by the brute force monitor:
2013-03-14 23:28:41 login authenticator failed for (1.2.3.4) [127.0.0.1]: 435 Unable to authenticate at present (set_id=admin): The email send limit for admin has been reached
as code 435 represents the abort of the exim.pl script upon hitting the limit, and not an actual failed login.
It will also block based on the per-email limit, if you've enabled that:
Other changes are with regards to the ID tracking:
exim.pl VERSION=11 to track IDs to prevent retries from being counted multiple times
The change will create a directory for the first letter of the ID, to split up the folder.
Many email sends would cause a very large user_ids folder.. so splitting it up in the same manner that exim does will keep the system happier.
fixed
added support for underscore in A, AAAA and NS recordsThe underscore character _ will now be allowed in A records and NS records with this setting.
allow_dns_underscore was already available for CNAME, TXT and SRV records.
This option is disabled by default with the internal default:
allow_dns_underscore=0
To enable it, add:
allow_dns_underscore=1
to your directadmin.conf and restart DA.
However, if you enable this, then you'll need to ensure that you've gold bind/named that it is ok to have them.
Related:
https://lists.isc.org/pipermail/bind-users/2008-February/069295.html
Quote:
Because there are some resolvers that do check and named
is the data entry point. If named isn't the data entry
point then turn check-names off.
named.conf options:
check-names master ignore;
check-names slave ignore;
fixed
ftp_list.php: ncftpls requires %2F for / charactersAll ftp paths in the ftp uploads for Admin Backup/Transfers require a leading / character.
ncftpls assumes that any /path/value is relative to the login path.. which may not always be true.
Some ftp clients do not chroot, and /path/value may in fact mean that absolute path, when the login cwd is something totally different.
A common error that would be received would be "cannot chdir to /path"
As a result, we need to treat all paths as abolutes with the ncftpls script.
The way it does that is uses %2F as the leading / character.
The ftp_list.php now has this code added:
CHAR1=\`echo ${ftp_path} | awk '{print substr($1,1,1)}'\`
if \[ "$CHAR1" = "/" \]; then
new_path="/%2F\`echo ${ftp_path} | awk '{print substr($1,1)}'\`"
ftp_path=${new_path}
fi
fixed
CB2: "x-httpd-php-source .phps" caused DA to think CLI was enabledNew code was added to the apache to CB 2.0 to allow for phps files. This is done with the line:
AddHandler application/x-httpd-php-source .phps
in the httpd-php-handlers.conf file.
DA previously was looking for the string:
AddHandler application/x-httpd-php
to determine if CLI was enabled.
With the addition of the phps line, it caused DA to think CLI was enabled.
Fix was to simply inclue a space at the end of the search string:
"AddHandler application/x-httpd-php "
Full error:
Starting httpd: AH00526: Syntax error on line 99 of /usr/local/directadmin/data/users/admin/httpd.conf:
Invalid command 'php_admin_flag', perhaps misspelled or defined by a module not included in the server configuration
fixed
FileManager download issues with files over 8GigThe file sending system was using an "unsigned int" cast on the file.st_size variable.
Sizes larger than 8 gig were too big for this cast, so the cast was changed to unsigned long long.
This really only affected the Content-Length header.. the whole file would have likely been transferred if the header was ignored, but it was a bug none the less.
fixed
Prevent +ExecCGI if is cgi disabled template changesIf CGI is not enabled for a domain, .htaccess files should not be allowed to add ExecCGI
Change all virtual_host2*.conf templates to add this at the top:
|?ALLOW_OVERRIDE=AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None|
and this within the <Directory |DOCROOT| section:
|*if CGI=""|
|ALLOW_OVERRIDE|
Options -ExecCGI
|*endif|
What this does, is specifies what options are allowed if cgi is disabled, and also disables cgi.
The old values have also been removed from the templates, as they're redundant to the global defaults set under /etc/httpd/conf/*
Options +Includes -Indexes
fixed
ftp bandwidth counting for owned IPsftp bandwidth on owned IPs was not correctly counted with the unified_ftp_password_file option.
fixed
only update domain.conf if user.conf value changedWhen making changes to a User, all values for that User are passed to DA.
For example, the checkbox for php is always passed, so the user.conf will always be set to the php value which is passed.
The issue is that if you're changing something else, like bandwidth, and php stays on (was never turned off), if php was off in one of the User domains, it would end up having php enabled again.
This fix will check the previous value for php to see if it was already on. If the value is still on, then php is not is changed for the domains.
The applies to php, spam, catchall, cgi, and ssl.
fixed
da-popb4smtp not logging imapIt appears as though the dovecot imap logging format was changed at some point, and we didn't notice.
Update the da-popb4smtp code to catch the new dovecot imap logging format (to handle both types)
The new default format dovecot is using is:
imap(user@domain.com): Disconnected: Logged out in=1182 out=24960
or
imap(user@domain.com): Disconnected: Disconnected in IDLE in=381 out=25566
Dovecot had changed the format, and we had addressed it for 1.42.0:
Log pop+imap bandwidth for dovecot
but seems it was changed yet again, hence the need for the change.
As a workaround, it may be possible to change the logging format back to what da-popb4smtp is looking for, eg:
Disconnected: Logged out bytes=385/1626
eg, /etc/dovecot/dovecot.conf, add to very bottom:
protocol imap {
imap_logout_format = bytes=%i/%o
}
fixed
Prevent double login with auto-logout from session expiryIf you let your browser sit long enough, the page will be redirected to CMD_LOGOUT.
If the session on the server has expired before the browser does the redirect (possible if the clocks are off by a small amount), then the unauthorized page the browser is trying to access is CMD_LOGOUT. Since the client isn't logged in, the login page is shown.. and once a valid login works, DA happily redirects the browser to where it wanted to go: CMD_LOGOUT...
Authorized calls to CMD_LOGOUT get redirected to CMD_LOGIN... This is why there is a double login sometimes.
The fix was to simply to prevent using CMD_LOGOUT in the "referer" field in the login form.
If that's the referer value, either / is used, or no value is used at all.. thus the login will send you to /, and not CMD_LOGOUT, preventing the double login.
fixed
Timeout when saving User SpamAssassin settingsWhen saving your changes to the spam data, DA will check to ensure ownership is correct on all emails/folders.
For E-Mail accounts, this is added as a cronjob.
However, the main account was left within the "directadmin" process.
As a result, if the folder:
/home/user/Maildir
was oversized with thousands+ of emails, this would likely cause a timeout.
The solution was to skip the check on the files below this path, since if it exists, it's likely already set correctly.
fixed
Wrapped dns txt records had API_MANAGE_USER_PACKAGES at the endRelating to DKIM keys to be 2048-bit and multi-line TXT records
Bug where the re-assembly of a multi-line dns TXT record wasn't given a terminating null character.
In some cases it would give a very strange string in the output (likely leftovers from another memory allocation)
Bugfix was to simply add a null character to the end of the string, as is required.
fixed
Open_basedir not enabled on restoresTypo on Admin Level restores set open_basedir for restored domains to off in some cases, when actually set to on in the backup.
fixed
If ExecCGI is disabled, awstats should use the index.htmlWith this new ExecCGI restriction:
Prevent +ExecCGI if is cgi disabled template changes
If awstats is enabled, the awstats_process.sh will now create an .htaccess without ExecCGI and will get the browser to view the index.html, instead of awstats.pl.
fixed
Debian: remove IP from device when deletedFor whatever reason, the command:
/sbin/ifconfig eth0:1 del 1.2.3.4
was not removing the 1.2.3.4 IP from the eth0:1 device.
Added extra code to the removeip script, where if:
the OS is debian
the IP is not IPv6
and device found is not the main device (eg not eth0, but eth0:0 is valid)
Then the removeip script will use this instead:
/sbin/ifconfig eth0:1 down
fixed
Protected directories to use $apr1$ password formatThe bug was only reported recently, but it may have existed for some time.
The .htpasswd files apparently don't support $1$ formats, but DA has been saving this format since 1.24.3:
so it's possible that older versions of apache did support $1$.. not sure.
In any case, the proper solution is to use the proprietary apache md5 format which uses:
$apr1$
The htpasswd binary has many different versions.. the version we'd need for secure automation has the -i option to use a single stdin.
However, this is only a recent addition, so instead we're relying on using openssl with -stdin for the creation of the $apr1$ format.
fixed
Replaced AliasMatch with UserDirIP VirtualHosts replaced AliasMatch/ScriptAliasMatch with UserDir public_html options to allow for working FastCGI operations.
Affects VirtualHosts in:
/etc/httpd/conf/ips.conf
/etc/httpd/conf/extra/httpd-vhosts.conf
fixed
Admin Level Restore: Check that Reseller existsIf you're doing restores for User accounts, and they're in the form:
user.reseller.username.tar.gz
if the reseller account who previously created the User (on a different server) does not exist on this server, the restore previously did create the User, but the User was not added to any users.list files, if the "reseller" didn't exist.
This caused the need for this fix, even if the Reseller was restored after the User:
http://help.directadmin.com/item.php?id=251
This fix does a check and will refuse to restore a User account if the Reseller in the filename does not exist.
This check is only done on user...tar.gz restores, because a reseller and admin...* always share the same .list file, thus can never go missing in this scenario (all Admin's share the same admin.list and reseller.list, so Reseller/Admin accounts will always be added to them, even if their "creator" is wrong in the filename)
The table shown on the Admin Level Restore page containing the list of files will show the file as bold and red if the creator does not exist.. forcasting that an error will occur if you try and restore this User.