Version 1.58.0

Released: 2019-08-12

plugin hook: icon_svg new

Request to:

CMD_PLUGINS_ADMIN?json=yes
CMD_PLUGINS_RESELLER?json=yes
CMD_PLUGINS_USER?json=yes

will now return the following "icon_svg" path, if it exists, example:

{
    "hello_world":
    {
        "author": "JBMC-Software",
        "hooks":
        {
            "icon_svg": "/CMD_PLUGINS_ADMIN/hello_world/images/admin_icon.svg",
            ....

where the file on disk, in the above example would be:

/usr/local/directadmin/plugins/images/admin_icon.svg

Or for the other levels:

/usr/local/directadmin/plugins/images/reseller_icon.svg

/usr/local/directadmin/plugins/images/user_icon.svg

CMD_MODIFY_USER: action=single for User bandwidth, quota, inode new

With this feature, you no longer need to pass all other values to change one setting.

To set just the User bandwidth:

CMD_MODIFY_USER:
method: POST
action=single
user=fred

bandwidth=1234

OR

ubandwidth=unlimited

where you'd pass one or other other for bandwidth and ubandwidth.

bandwidth does support unit, so you could set:

bandwidth=1G

if you wanted.

Same idea applies to:

quota + uquota

inode + uinode

for saving just quotas or just inode limits. (Both also support unit, even though 1G of inodes isn't a common term)

Setting any new limit with this command will set:

package=custom

just as it would for making other changes when editing a User.

The user_modify_pre.sh and user_modify_post.sh still apply, as before.

However, the values passed will only be those of this form.

T17006

CMD_MODIFY_RESELLER: action=single for Reseller bandwidth, quota, inode new

With this feature, you no longer need to pass all other values to change one setting.

To set just the User bandwidth:

CMD_MODIFY_RESELLER or CMD_API_MODIFY_RESELLER:

method: POST
action=single
user=fred
bandwidth=1234

OR

ubandwidth=unlimited

where you'd pass one or other other for bandwidth and ubandwidth.

bandwidth does support unit, so you could set:

bandwidth=1G

if you wanted.

Same idea applies to:

quota + uquota

inode + uinode

for saving just quotas or just inode limits. (Both also support unit, even though 1G of inodes isn't a common term)

Setting any new limit with this command will set:

package=custom

just as it would for making other changes when editing a Reseller.

The reseller_modify_pre.sh and reseller_modify_post.sh still apply, as before.

However, the values passed will only be those of this form.

T17006

Email length max to 128 chars new

The max length of the User part of an email was 64 characters.

There isn't an explicit limit on the username or local part of the email address in {RFC} 822 {Standard for ARPA Internet Text Messages}

https://www.w3.org/Protocols/rfc822/

and we've received reports where longer values were desired.

To keep things within reasonable limits, we've changed the limit from 64 to 128 characters.

Highlight restore account tar.gz files where User already exists new

DirectAdmin supports account merging. This is by design to easily restore items that might have been deleted, without needing to first delete the existing account first.

If you're merging many servers into one, you may run into duplicate Usernames, where restoring both would put all domains into the one account, when you intended to keep them separated.

This change is simply to highlight the user.admin.fred.tar.gz file, should 'fred' already exist on the server. The is simply to avoid confusion, and the functionality will not change.

In response to question:

https://forum.directadmin.com/showthread.php?t=58059&page=9&p=299191#post299191

Currently only in Enhanced skin.

CMD_DB: Upload db.gz now supports raw db.sql new

You can now feed a raw .sql file to the CMD_DB page to upload into DA.

Internal admin/reseller/users.lists checker new

With the cpmove files not showing it's creator when the restore process starts, DA has to do the creator checks after the file is already converted.

This is fine, except there could be race condition for cases where the cpmove's creator does not exist, possibly ending up without a User being added to the users.list file.

This code simply goes through all accounts to rebuild all 3 file types:

  • /usr/local/directadmin/data/admin/admin.list
  • /usr/local/directadmin/data/admin/reseller.list
  • /usr/local/directadmin/data/users/*/users.list

This will be triggered after all Admin Level -> Admin Backup/Transfer restores if tally_after_restore=1 is enabled (it is by default)

==============

TASK.QUEUE

Related task.queue command if you want to run it manually:

cd /usr/local/directadmin
echo 'action=rewrite&value=all_lists&admin=admin' >> data/task.queue; ./dataskq d2000

where admin=admin would be replaced with "admin=fred" if you do not have an "admin" Admin account, and "fred" is your Admin login (for example).

OpenLiteSpeed: global and per-domain CUSTOM templates (TEMPLATES) new

Ability to set global override tokens in core OpenLiteSpeed templates.


openlitespeed_listener.conf:

/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.1.pre
/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.1.post
...
/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.7.pre
/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.7.post

TEMPLATE

/usr/local/directadmin/data/templates/openlitespeed_listener.conf

added CUSTOM1 through CUSTOM7, throughout the file.


openlitespeed_redirect_vhost.conf

/usr/local/directadmin/data/templates/custom/openlitespeed_redirect_vhost.conf.CUSTOM.1.pre | 1.post | 7.pre | 7.post
/usr/local/directadmin/data/users/USERNAME/domains/DOMAIN.COM.openlitespeed_redirect_vhost.conf.CUSTOM.1.pre | 1.post | 7.pre | 7.post

TEMPLATE

/usr/local/directadmin/data/templates/openlitespeed_redirect_vhost.conf

added CUSTOM1 through CUSTOM7, throughout the file.

The code that changed the openlitesped_redirect_vhost.conf is the same function as the code that writes:

  • nginx_server_redirect.conf
  • redirect_virtual_host.conf

so the same token methods will also be available to these as well.


openlitespeed_ips.conf

/usr/local/directadmin/data/templates/custom/openlitespeed_ips.conf.CUSTOM.1.pre | 1.post | 7.pre | 7.post

TEMPLATE

/usr/local/directadmin/data/templates/openlitespeed_redirect_vhost.conf

added CUSTOM1 through CUSTOM7, throughout the file.

EXAMPLE

To change the:

sslProtocol 30

to be the following everywhere:

sslProtocol 28

Create:

/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.2.pre
/usr/local/directadmin/data/templates/custom/openlitespeed_redirect_vhost.conf.CUSTOM.2.pre
/usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf.CUSTOM.2.pre
/usr/local/directadmin/data/templates/custom/openlitespeed_ips.conf.CUSTOM.2.pre

where the CUSTOM.2 choice is this particular case, is merely any token set after the original |?SSLPROTOCOL=30| value is set, to load it internally.

The |? tokens don't output anything, thus can be set anywhere you need to set over write a variable.

each with code:

|?SSLPROTOCOL=28|

Any template file not controlled by DA wouldn't be affected by this.

For example, the /usr/local/lsws/conf/httpd-vhosts.conf would not be controlled by tokens, so you'd just copy your cusomized version to:

/usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-vhosts.conf

with the sslProtocol 28 change set in there.

Evolution: demo to use admin Admin with custom config.json new

When logging in as the demo_user or any demo_* account, the requst for a custom config.json file will search the admin.list for the first Admin account which has a copy, eg:

/usr/local/directadmin/data/users/admin/skin_customizations/evolution/config.json

for each Admin in the admin.list file, until one is found.

User Level Exim log info per-account, per-ID (SKINS)(EXIM_PL) new

  1. The CMD_EMAIL_POP?domain=domain.com page will now have another column called "SMTP Log".

There will be 2 URLs in that column for each account: In รขโ€กโ€ž Out

The "In" URL will show the raw exigrep info for all incoming messages for this account.

This includes any attempted messages that never made it to the account, which should greatly help Users debug lost messages.

The "Out" URL will show any messages sent by this account, which should help in the debugging of who might be sending messages, to compliment the CMD_EMAIL_USAGE?domain=domain.com page.

URLs:

CMD_EMAIL_USAGE?action=smtp_log&method=outgoing&domain=domain.com&user=fred
CMD_EMAIL_USAGE?action=smtp_log&method=incoming&domain=domain.com&user=fred

"fred" can be any valid email account or forwarder name under this User.


  1. The CMD_EMAIL_USAGE?domain=domain.com page will now have 2 more radio boxes below the "Today/This Month/This Month, excluding today" radio boxes:

Outgoing Incoming

where the default is "Outgoing", as the page original had.

If "Incoming" is selected, the parser flips from looking for method=outgoing to instead hunt for method=incoming in the /etc/virtual/usage/username.bytes, or /usr/local/directadmin/data/users/username/bandwidth.tally, depending on the day selector.

Selecting "Incoming" will hide the "Highest Sender" table (I didn't feel "highest recipient" was worthy of a table).

Regardless of incoming or outgoing, the Message "ID" column is now a URL pointing to:

CMD_EMAIL_USAGE?domain=domain&action=id_info&id=1huNE5-0000s3-DH

where it dumps the full output from exigrep for this message ID.

Only message IDs that belong to the User (based on username.bytes or their bandwidth.tally) can be requested.


For either request, you can pass:

html_encoded=yes

and the output will be text/html and html encoded, instead of the raw text/plain, non-encoded default.

================

REQUIRED /etc/exim.pl version 27

For the "incoming" option to correctly show the sender column, the /etc/exim.pl needs to be updated to version 27.

If you're using eximconf_release=4.5, then a simple:

./build update
./build eximconf

should do the trick.

Only messages logged after the update will have the sender stored.

But viewing the entry for that local user@domain will still work (and show the sender in the log)

===============

SKINS

Adding the extra radio buttons has a few changes to:

/usr/local/directadmin/data/skins/enhanced/user/email/usage.html

to add the radio boxes for:

direction=outgoing
direction=incoming

when directadmin=incoming is used, the |EMAIL_STATS| table will be empty "" and the |LANG_COUNT_NOTE| token will also be hidden via the skin's if-then option.

CMD_API_SHOW_RESELLER_CONFIG new

Same idea as CMD_API_SHOW_USER_CONFIG, except for Resellers.

If called by a Reseller, they'll get their own reseller.conf, regardless of the user= setting.

If called by an Admin, without a &user=fred, they'll get their own reseller.conf, else adding user=fred, will show fred's reseller.conf file.

If you add both=yes, you'll get the reseller.conf, plus a "user=" variable, with a the reseller.usage encoded into that variable (would need another level of decoding)

Added after RC2, so ensure compile time shows within a few minutes of:

Compile time: Aug 7 2019 at 13:18:45

usertype=admin|reseller will be appended to all requests, so the response will show the account type.

LetsEncrypt: foreground requests if non-wildcard and less than 10 entries new

Since the introduction of SSL locking:

Basic locking for LetsEncrypt requests

We had DA doing all LetsEncrypt requests in the background, to simply locking:

LetsEncrypt: All requests to background

eg: background=auto was was always "yes".

This change adds a new directadmin.conf variable, with internal default:

letsencrypt_foreground_http_max=10

where, if you do NOT use a wildcard LetsEncrypt cert (meaning it uses method http-01 and it doesn't use method dns-01),

AND if the number of entries you've selected is less than or equal to 10,

then it will run the LetsEncrypt request in the foreground.

Everything else goes to the background, as before.

Locking has been changed around slightly where:

  1. A call from the GUI that goes to the background will be locked by "directadmin", sent to the task.queue, and unlocked in the dataskq.

The dataskq internally adds task_queue=yes to the task.queue URL so the #2 doesn't happen.

  1. A call from the GUI that uses the foreground (where task_queue=yes is not present), will both lock and unlock in the SSL class within this one request.

If anything goes wrong, say directadmin or the dataskq are killed mid-lock, it's set to live 5 minutes, so you'd need only wait that long before doing another attempt.

For some time, lock files have the caller's info stored.

This will be the first time a failed lock request will actually pull this data and show the caller "who" actually made the lock, in case it was a foreground or background request, automated renewal, etc.

Check for "./directadmin o" time:

Compile time: Aug 7 2019 at 14:26:08

Rotate uncompressed apache logs new

Logs are rotated in a tar.gz format into the User's log folder:

/home/user/domains/domain.com/logs/Aug-2019.tar.gz

New internal directadmin.conf option, default:

compress_rotated_logs=1

will continue to do that, unless you disable it by adding this to your directadmin.conf:

compress_rotated_logs=0

Once set to 0, the logs will be rotated to:

/home/user/domains/domain.com/logs/Aug-2019.log

/home/user/domains/domain.com/logs/Aug-2019.error.log

Similarly for subdomains:

/home/user/domains/domain.com/logs/Aug-2019.sub.log

/home/user/domains/domain.com/logs/Aug-2019.sub.error.log

Rotation "up" for old logs will no longer use the timestamp (as it was getting a bit messy to manage), so the:

logs_to_keep=5

setting will now be enforce simply by checking the file extension, eg:

/home/user/domains/domain.com/logs/Aug-2019.log.5

/home/user/domains/domain.com/logs/Aug-2019.error.log.5

where anything 5 and up will be removed (as the first file doesn't have a number, giving us .4 as the 5th log)


~ Compile time: Aug 9 2019 at 15:53:19 +

Allow login-as to use a login key, to create a User login-key fixed

A code re-write which let us specify if a login-key should be considered a valid option, cause the creation of a User Login key to only work when using the creator's (eg: admin) true password.

This fix simply sets a flag to resume the previous functionality, to allow the creator's login key to be used to validate the creation of the User's login key.

Database new methods: suspend/unsuspend for MariaDB 10.4 needs ACCOUNT LOCK/UNLOCK fixed

The feature that makes use of:

mysql_use_new_user_methods=1

will now use the ALTER USER ... ACCOUNT LOCK|UNLOCK options to suspend/unsuspend mysql accounts.

However, MariaDB 10.3 and older will still use the old method, even if it's enabled.

TODO:

check backup/restore state

T16892

User Level backup: add 'dns' to backup_options.list fixed

Although the dns zone is always included in the backup, the value 'dns' was not being added to the backup/backup_options.list file.

The only affect this would have would be if someone is restoring a User Level created backup, and they had custom DNS records added, those customizations wouldn't be restored.

Backups created at any other level would not be affected.

cpanel_to_da: Confirm creator match if User and creators already exist fixed

As the cpmove-*.gz file don't have the creators listed, most of the account checks that are typically done before the restore of all files even start, are skipped.

As similar check was added to ensure if you have user.res1.fred.tar.gz and user.res2.fred.tar.gz, should "fred" already be restored to res1, if you try to restore the res2 file, it will be blocked.

Related Message System error:

Restore of account '%s' to creator '%s' has been denied, as this account already exists under the control of creator '%s'

Related errortaskq.log/system.log:

Backup::restoreFromFile(%s): User %s already existed under creator '%s'. Request to restore under '%s' has been denied as it's not a match.

where %s characters will be swapped out, accordingly.

T17056

CMD_SHOW_USER json=yes to show custom package item details fixed

The command:

CMD_MODIFY_USER?json=yes&user=fred

already had the "custom_items" array, with details about the custom_package_items array.

The CMD_SHOW_USER variant did not have all of this info, so the same "custom_items" array is now added to:

CMD_SHOW_USER?jso=yes&user=fred

in a similar "custom_items" array.

Same addition made to CMD_USER_STATS

MySQL 8.0: set very temporary password during restore on new system Db account fixed

When creating all new databases from a User restore with MySQL 8.0 installed, DA needs to create a system account to put on this DB.

DA does not know the plaintext password, but does know the crypted password from before.

Previously, DA would create the system acount with:

CREATE USER 'systemacocunt'@'localhost'

and the raw password and grants are set on it immediately after.

With MySQL 8.0, it requires a password to be set, else you may hit this error message:

"Your password does not satisfy the current policy requirements"

The solution we've used is to create a random password, and append IDENTIFIED BY 'randomescapedpassword', to satisfy this need.

The old crypted value and grants are immediately followed, so the temp value is very short lived and does not need to be recorded.

T16772

Show warning if subdomain exists as full domain fixed

When creating a full domain called "sub.domain.com", DA will now parse through all local zones looking for any instances where "sub" or "sub.domain.com." exists as an A, AAAA or CNAME record.

If a match is found, the warning will be added to the output, eg:

Domain Created

Details

Domain Created Successfully

A subdomain with the same name already exists on the system under another domain. This may give unexpected results.

This does also handle sub.sub.domain.com cases where the zone name might be sub.domain.com.


Similarly, when creating a subdomain, if a zone with that same name exists, this warning is added to the output:

A full domain/zone with this name already exists. This may give unexpected results.

Reseller: Modify Backup cron: The requested command requires POST but GET was used fixed

Related to new feature:

state-change require POST (SKINS)(SECURITY)

The GET request to fill tokens/html should not require POST:

CMD_USER_BACKUP_MODIFY?id=2

Related error message:

"The requested command requires POST but GET was used"

An Admin could not restore their data from User Level fixed

One of those bugs that has not yet been reported, likely existed for a very long time.

When logged in as "admin", DA wouldn't restore their User data from the Site Backup/Restore page.

Simply caused by "root" being the creator (which is correct), but when the "Reseller root" was attempted to be read, things silently failed.

Simple workaround to allow this case.

Your IP is blacklisted: Improve functionality of localhost whitelist of 2222 (API) fixed

By default, too many failed connections from 127.0.0.1 on 2222 (as for any other IP) will be blocked. This will not change.

The issue is that API scripts are the main trigger for 127.0.0.1 blocks, and the block text was plain html.

Two changes to help clarify things:

  1. Since 127.0.0.1 being blocked it 99% caused by an API script, instead of:

Your IP is blacklisted...

it will be changed to:

error=1&text=Your IP is blacklisted...

so those scripts will able to catch the error properly and display something that makes more sense.

Humans should still be able to make sense of the error.

Because no parsing is done on blacklisted IP, DA doesn't know if it's a CMD_* or CMD_API_* request, this is why we've opted for a standardized request.

Blocked IPs (possibly caused by DOS) need to respond as efficiently as possible, and not parsing the request is the quickest way to do this.

  1. DirectAdmin has an option in the Admin Settings:

Prevent 127.0.0.1 from being Blacklisted [x]

which controls if 127.0.0.1 can be blacklisted or not.

This change here in with regards to when the 127.0.0.1 was already blacklisted, and then the feature is turned on.

With this change, the 127.0.0.1 can be in the ip_blacklist file, and if the feature is enabled (exempt_local_block=1), the IP is checked for 127.0.0.1 and allowed before the ip_blacklist file is checked.

Discussion was made about simply using exempt_local_block=1 by default, but as this is considered a security hole for any local account to possibly gain the admin password through any compromised php script,

we've instead opted to improve all other areas where possible to help admin's solve the issue more easily.

================

SECURITY

IF YOUR 127.0.0.1 IS BLOCKED

Before simply unblocking it or allowing 127.0.0.1, you should check

  1. your /var/log/directadmin/security.log

  2. Admin: Message System for any subject "*** 127.0.0.1 has been added to the ip_blacklist file ***"

to find out which username was attempted most frequently.

If you're seeing many random usernames or "admin", then there might be some local script attempting to brute force their way into an account..

most likely on "admin" at that point, since they'd already have User access through some website (or similar).

User action lock checking on Domain creation/deletion/change/suspend/unsuspend fixed

The backup on an account requires data to be fairly static in order to get a valid image.

Any change to a User account mid-backup can confuse things, possibly causing errors.

Relating to the user action locking feature:

User action locking to prevent race conditions

This has been extended to only check for a lock when doing actions on a domain, only when executed by a User:

  • creation

  • deletion

  • suspension/un-suspension

  • rename

These actions do not create a lock themselves (we don't want a User action to block a backup from starting), but do check for the lock, most likely created by the backup process, as this could take a longer period of time to run.

CMD_API_ADDITIONAL_DOMAINS: php selector fixed

Related command:

CMD_API_ADDITIONAL_DOMAINS?action=view&domain=domain.com

Previously, DA only reported the 1st php1_ver (Eg: 5.6).

Sample CustomBuild options.conf:

php1_release=5.6
php1_mode=php-fpm
php2_release=7.0
php2_mode=php-fpm
php3_release=no
php4_release=no
php3_mode=php-fpm
php4_mode=php-fpm

The change will now allow the CMD_API call to return all 4 of them, as expected:

php1_select = 2
php1_ver = 5.6
php2_ver = 7.0
php3_ver = 0.0
php4_ver = 0.0

where php1_select would imply that domain's main php selection would be php 7.0 (php2_ver).

If you had 2 php choices available (not recommended, off by default), then you'd also see a php2_select=# to line up with one of the other php#_ver values.

================

JSON OPTION

Note, there is a json=yes option for this, and almost all other calls (not always, but usually), eg:

CMD_API_ADDITIONAL_DOMAINS?action=view&domain=domain.com=yes

which the Evolution skin uses, and would give you a more detailed/organized.

httpd logrotate to use USR1 fixed

Previous logrotate used HUP, which was too aggressive and not needed for a modern webserver. Swapped to USR1 to be more graceful.

Not specifically part of the DirectAdmin update, but default for new installs was changed on July 22, 2019.

If you wish to get the updated version, type:

wget -O /etc/logrotate.d/apache http://files1.directadmin.com/services/custombuild/apache.logrotate

But isn't required.

Domain: force_ssl AND force www redirect should redirect twice for HSTS fixed

When both the "Force SSL" option and "Force Redirect" to "www.domain.com" options are enabled for a given domain, DA previously redirected:

http://domain.com -> https://www.domain.com

in once step, to save a redirect.

Although this is quicker, HSTS does not like this, and checkers would report:

"Error: HTTP redirects to www first"

"`http://domain.com` (HTTP) should immediately redirect to `https://domain.com` (HTTPS) before adding the www subdomain. Right now, the first redirect is to `https://www.domain.com/`.

The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain."

The basic logic change is to check if the domain has:

  • force ssl

  • redirect to www or non-www (any www redirect type)

  • calling for 80 non-ssl

if all are true, simply shut off the www or non-www redirect (As if this force redirect feature was off), but leave the force ssl feature on.

No system "username: username" alias in email aliases with system_user_to_virtual_passwd fixed

The system_user_to_virtual_passwd=1 feature lets you have your DA login name in the file:

/etc/virtual/domain.com/passwd

such that you can use it normally like username@domain.com for logging into check email, etc..

Without the feature you'd login as "username", but the username@domain.com email address can be used for delivery for either case (relying on the username@host.name.com forwarder)

This change only applies to systems if you've enabled system_user_to_virtual_passwd=1 (most people currently do not have this).

When set, the hostname redirect in:

/etc/virtual/domain.com/aliases

which was previously:

username: username

will be removed when this file is re-saved.

There are several cases where this is not entirely true, like when a system pipe has been setup in the forwarders, or the User has setup other redirects there too.

For those cases, DA will still hunt for the "usenrame" ":blackhole:" or ":fail:" in the output, and remove them if it can find them.

If there are 0 items left over, the entire row will be removed.

REWRITE

Adding/removing a forwarder, or changing the catch-all settings will trigger a rewrite of the file, clearing things as needed.


task.queue

2 new related task.queue entries can be used for global or per-User changes:

echo 'action=rewrite&value=email_aliases' >> /usr/local/directadmin/data/task.queue

echo 'action=rewrite&value=email_aliases&user=fred' >> /usr/local/directadmin/data/task.queue

Allow UTF-8 / special characters in Password Protected Directory fixed

Character's checked for the "Member's Area" type text for password prompt on protected directories will now allow the 128-255 range of characters.

UTF-8 character all fall into this category (even the 4-byte characters, each byte will be >=128)

T17479

Increase /etc/proftpd.passwd lock time fixed

The global default for time to wait to get a lock on a file is 2s.

Report that the lock might not be obtained if the system is enduring high disk I/O or has a very large /etc/proftpd.passwd file, while restoring multiple accounts at the same time in parallel.

For all accesses of the /etc/proftpd.passwd file, the timeout has been increased to 6s.

CRON: Allow multiple emails in MAILTO fixed

Allow a comma separated list of emails, or the system 'username' in the cron MAILTO field.

Quotes will now always be used for the right-side value, unlike before where an email would be unquoted.

Eg:

MAILTO="one@email.com, two@email.com"

Does not support multiple MAILTO entries to split mail deliveries per cron.

Considered as a feature request for future

Set demodocsroot when using CMD_SKINS : Set Global fixed

Previously, the "Set Global" button to change the server's default skin only applied to the "docsroot" directadmin.conf varilable.

The setting will now also set the "demodoscroot" option.

OpenLiteSpeed: site redirection bugs fixed

The .htaccess was correctly rewritten, but the trigger to rewrite the User's openlitespeed.conf was not present.

Also parsed redirect "to" values for the ? character.

If there is a ? in the string, DA will ensure there is at least 1 / either after the http(s)๐Ÿ˜•/domain.com, or starts with /redirect, etc.. and if there is a ? anywhere after that,

then the redirect RewriteRule ending match will change from /$1 to be just $1, so that any "to" values like:

domain.com/something.php?name=value

doesn't end up being redirected to:

domain.com/something.php?name=value/

as the trailing slash wouldn't belong in that case.

T17707

Subdomains to be converted to punycode, if needed fixed

Domains are already converted to punycode, if needed, when:

convert_to_punycode=1

is enabled.

However, subdomains are not affected by this setting, but they should be.

Creating new subdomains will now check and convert as needed.

T17772

DNS: TXT: parse multi-"quoted strings", where some are not quoted fixed

During cpmove conversion, it was found some TXT records had long single lines, but were quoted in an odd fashion, although valid to bind.

DA was not parsing this correctly.

eg:

default._domainkey14400INTXT"v=DKIM1; k=rsa; p=MIIB...cryb" Hfdt...QAB\;

where the "v=DKIM" portion was quoted, but there was a trailing non-quoted string, with escaped semi-colon.

DA's db read function has been updated to chunk these pieces, and re-assemble them into one long string, eg:

"v=DKIM1; k=rsa; p=MIIB...crybHfdt...QAB"

where the entire string is quoted, and the trailing \; is removed, as it's not needed.

When saving (assuming wrap_long_dns_values=1 is set, which it should be), DA will then chunk the items in it's desired format, eg:

default._domainkey    14400   IN      TXT     ( "v=DKIM1; k=rsa; p=MIIB...GA7"
                                        "xiO...zEJ"
                                        "AIT...QAB" )

Note: for documentation purposes, some long strings have chunks replaced with "..." for easier reading.

DEPRECATED: SSL=0|1 replaced with ssl=0|1 fixed

Due to inconsistency with the directadmin.conf and the actual used value, we've decided to drop the use of SSL= in the directadmin.conf, replaced with ssl=

DirectAdmin will still read SSL= so no behavior will be changed, but all checking/cleaning functions on the directadmin.conf will automatically swap it with the lower case version.

No changes should be needed on your part.

Issued arose when using:

./directadmin set SSL 1

as this caused duplicate entries.

DA will allow both, but only save ssl=1.

From now on, please use the lower case instead:

./directadmin set ssl 1

================

DIRECT DIRECTADMIN.CONF

SET:

If anyone is affecting the directadmin.conf with a script, please change your script to use the above "set" method, which automatically catches these things.

CHECK:

We never recommend direct checking of the directadmin.conf, as values can be missing from there, which do exist internally (there are intenral defaults).

Always use something like this:

./directadmin c | grep ^ssl=

for example, to fetch all loaded values.

This also ensure the values have been set correctly, as any missing newline characters on the last line will prevent that line from being seen.

DA defines a "lines" as must ending in a newline character.

================

Message System: A system issue requires your attention


Config::clean: Swapped deprecated SSL=1 with ssl=1

https://www.directadmin.com/features.php?id=2447

DirectAdmin should be restarted within 1 minute.


The above message in the Message System is going to be perfectly normal, as DA must swap the SSL=1 with ssl=1 (or 0 if applicable).

As this is changing your config, we felt it important that the Admin be notified of the change, thus the message is generated.

No action is required on your part. The swap happened automatically.

Don't revert to Server Cert after failed LetsEncrypt request, if existing certs are valid fixed

Previously, any failed LetsEncrypt request would cause the domain to revert back to the shared server certificate.

This change is to simply check if the existing cert/key files are still a valid pair, and if they, continue using them.

Invalid pairs will result in the domain reverting to the shared server cert/key pair.

Databases: restore with mysql < sql instead of -e source sql fixed

When restoring the load of the backup/*.sql files will now be down with a stdin pipe method, eg:

mysql --defaults-extra-file=path_for_user_my.cnf --host=localhost (extra_mysql_restore_options) db_name < /path/to/db.sql

instead of the previous:

mysql --defaults-extra-file=path_for_user_my.cnf -e "source /path/to/db.sql" --host=localhost (extra_mysql_restore_options) db_name

as it was found some cases with -e "source .sql" caused mysql to return a zero exit code, hiding relevant errors that were there.

LetsEncrypt was automatically enabled for existing installs fixed

Relating to this change:

letsencrypt=1 enabled by default for new installs

the change should have only affected new installs via the data/templates/directadmin.conf file with letsencrypt=1

The bug is that the internal default set to letsencrypt=1, when it should have remained to 0 for existing installs.

So some existing boxes that did not want or have letsencrypt=1 would have had it enabled for the period between 1.57.2 to 1.58.0, where it would be shut off again.

If you physically have letsencrypt=1 in your directadmin.conf then it will remain on.

If it's not there, it will be turned off, back to the state it should have been.

OpenLiteSpeed: surround php_admin_value with <IfModule LiteSpeed> (TEMPLATES) fixed

The php_admin_value and php_admin_flag entries in the 4 virtual_host2*.conf templates need to be surrounted with:

<IfModule LiteSpeed>
...
</IfModule>

tags. To do this, we've added 2 new tokens:

IF_MODULE_LITESPEED_OPEN="<IfModule LiteSpeed>"
IF_MODULE_LITESPEED_CLOSE-="</IfModule>"

without the quotes, and place them before/after the mentioned php_admin_value tags in the 4 template file:

virtual_host2.conf
virtual_host2_sub.conf
virtual_host2_secure.conf
virtual_host2_secure_sub.conf
user_virtual_host.conf

Compile time: Aug 11 2019 at 17:16:53+

Named: read zone on cpmove file not parsing header fixed

DA's zone templates all use @ as the header (after the $TTL line).

This fix reads and ignores all comment lines, goes past the first TTL line (as this is set by DA each write anyway)

so that it's correctly sitting on either DA's format:

@       IN      SOA 

Or the cpmove format:

domain.com.  86400   IN      SOA

where the next search is for SOA, and it then continues parsing normally.

Bug when restoring cpmove files was that DA was expecting @ to be present, when it was not in some cpmove files, thus not restoring some custom zone info.


Compile time: Aug 11 2019 at 17:16:22 +

Restore: reseller was inheriting some user.conf limits fixed

Due to the wonders of class inheritance, the User-restore section of the backup code was acting on a Reseller class, so (for example), setting the bandwidth to the User (user.conf) was actually affecting the reseller.conf and user.conf.

Forcing the lower-class with usr->User::setData() solve this. (setData is a virtual function, exists at all class levels)

Home directory pre-check fixed

Before creating a User, ensure their /home/username path does not already exist.

If it does, throw an error, as there might be a UID mismatch or root ownership causing issues.

/home is used unless create_user_home_override=/somethingelse is set.

backup_roundcube.php to work with php 5.2 fixed

Yes, I know it's EOL.. but some are using it anyway.

The script/backup_roundcube.php makes a call to:

$mysql_conf = @parse_ini_file("/usr/local/directadmin/conf/mysql.conf", false, INI_SCANNER_RAW);

but the 3rd function parameter only existed since php 5.3.

We can now use both:

if (version_compare(PHP_VERSION, '5.3.0', '<'))
{
    $mysql_conf = @parse_ini_file("/usr/local/directadmin/conf/mysql.conf", false);
}
else
{
    $mysql_conf = @parse_ini_file("/usr/local/directadmin/conf/mysql.conf", false, INI_SCANNER_RAW);
}

Same change applied to restore_roundcube.php.

P.S. use newer versions.

Last Updated: