diff --git a/class/core/config_api.py b/class/core/config_api.py
index d49b4dcd2..68e8418e0 100755
--- a/class/core/config_api.py
+++ b/class/core/config_api.py
@@ -168,7 +168,8 @@ class config_api:
import system_api
import firewall_api
- if os.path.exists("/lib/systemd/system/firewalld.service"):
+ sysCfgDir = mw.systemdCfgDir()
+ if os.path.exists(sysCfgDir + "/firewalld.service"):
if not firewall_api.firewall_api().getFwStatus():
return mw.returnJson(False, 'firewalld必须先启动!')
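Review bot: The three added lines (the `mw.systemdCfgDir()` lookup, the `os.path.exists` check and the `getFwStatus()` guard) now appear verbatim in this hunk and again in the hunk at line 275; a single private helper such as `def _firewalld_must_run(self):` returning the error JSON or `None` would keep the two call sites from drifting apart. The path is also built by string concatenation; `os.path.join(sysCfgDir, 'firewalld.service')` is the conventional form and tolerates a trailing slash from `systemdCfgDir()`. The enclosing methods start and end outside both hunks.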
@@ -275,7 +276,8 @@ class config_api:
import system_api
import firewall_api
- if os.path.exists("/lib/systemd/system/firewalld.service"):
+ sysCfgDir = mw.systemdCfgDir()
+ if os.path.exists(sysCfgDir + "/firewalld.service"):
if not firewall_api.firewall_api().getFwStatus():
return mw.returnJson(False, 'firewalld必须先启动!')
@@ -394,6 +396,11 @@ class config_api:
certPem = request.form.get('certPem', '').strip()
privateKey = request.form.get('privateKey', '').strip()
+ if(privateKey.find('KEY') == -1):
+ return mw.returnJson(False, '秘钥错误,请检查!')
+ if(certPem.find('CERTIFICATE') == -1):
+ return mw.returnJson(False, '证书错误,请检查!')
+
mw.writeFile(checkCert, certPem)
if privateKey:
mw.writeFile(keyPath, privateKey)
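Review bot: The new `find('KEY')`/`find('CERTIFICATE')` checks only prove a substring is present, so a truncated or otherwise malformed PEM still reaches `mw.writeFile(checkCert, certPem)` and `mw.writeFile(keyPath, privateKey)` before any real validation happens; testing for the PEM armor is a cheap improvement, e.g. `if '-----BEGIN' not in privateKey or 'PRIVATE KEY' not in privateKey:` and `if '-----BEGIN CERTIFICATE-----' not in certPem:`. With the key check in place `if privateKey:` on the following line is always true, so it can be dropped or turned into a comment explaining the order of writes. The enclosing method begins and ends outside the hunk, so I cannot see whether the written key is validated against the certificate afterwards.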
@@ -407,14 +414,94 @@ class config_api:
# 设置面板SSL
def setPanelSslApi(self):
sslConf = mw.getRunDir() + '/data/ssl.pl'
+
+ panel_tpl = mw.getRunDir() + "/data/tpl/nginx_panel.conf"
+ dst_panel_path = mw.getServerDir() + "/web_conf/nginx/vhost/panel.conf"
if os.path.exists(sslConf):
os.system('rm -f ' + sslConf)
+
+ conf = mw.readFile(dst_panel_path)
+ if conf:
+ rep = "\s+ssl_certificate\s+.+;\s+ssl_certificate_key\s+.+;"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_protocols\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_ciphers\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_prefer_server_ciphers\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_session_cache\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_session_timeout\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_ecdh_curve\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_session_tickets\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_stapling\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl_stapling_verify\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+add_header\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+add_header\s+.+;\n"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+ssl\s+on;"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+error_page\s497.+;"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+if.+server_port.+\n.+\n\s+\s*}"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+listen\s+443.*;"
+ conf = re.sub(rep, '', conf)
+ rep = "\s+listen\s+\[\:\:\]\:443.*;"
+ conf = re.sub(rep, '', conf)
+ mw.writeFile(dst_panel_path, conf)
+
+ mw.writeLog('面板配置', '面板SSL关闭成功!')
+ mw.restartWeb()
return mw.returnJson(True, 'SSL已关闭,请使用http协议访问面板!')
else:
try:
if not os.path.exists('ssl/input.ssl'):
mw.createSSL()
mw.writeFile(sslConf, 'True')
+
+ keyPath = mw.getRunDir() + '/ssl/private.pem'
+ certPath = mw.getRunDir() + '/ssl/cert.pem'
+
+ conf = mw.readFile(dst_panel_path)
+ if conf:
+ if conf.find('ssl_certificate') == -1:
+ sslStr = """#error_page 404/404.html;
+ ssl_certificate %s;
+ ssl_certificate_key %s;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ error_page 497 https://$host$request_uri;""" % (certPath, keyPath)
+ if(conf.find('ssl_certificate') != -1):
+ return mw.returnData(True, 'SSL开启成功!')
+
+ conf = conf.replace('#error_page 404/404.html;', sslStr)
+
+ rep = "listen\s+([0-9]+)\s*[default_server]*;"
+ tmp = re.findall(rep, conf)
+ if not mw.inArray(tmp, '443'):
+ listen = re.search(rep, conf).group()
+ http_ssl = "\n\tlisten 443 ssl http2;"
+ http_ssl = http_ssl + "\n\tlisten [::]:443 ssl http2;"
+ conf = conf.replace(listen, listen + http_ssl)
+
+ mw.backFile(dst_panel_path)
+ mw.writeFile(dst_panel_path, conf)
+ isError = mw.checkWebConfig()
+ if(isError != True):
+ mw.restoreFile(dst_panel_path)
+ return mw.returnData(False, '证书错误:
' + isError.replace("\n", '
') + '')
+
except Exception as ex:
return mw.returnJson(False, '开启失败:' + str(ex))
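Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line injected into `sslStr` re-enables TLS 1.0 and 1.1 for the panel's admin endpoint — the removed template lines carried the same set but were commented out — and both protocols are deprecated; `ssl_protocols TLSv1.2 TLSv1.3;` is the safer default and the cipher list should then drop `HIGH` in favour of an explicit AEAD suite list. Separately, when `mw.checkWebConfig()` reports an error the nginx file is rolled back with `mw.restoreFile(dst_panel_path)`, but `mw.writeFile(sslConf, 'True')` from a few lines earlier is not undone, so the panel is left flagged as SSL-enabled while still serving plain HTTP; add `os.remove(sslConf)` (or `mw.execShell('rm -f ' + sslConf)`, matching the disable path) before that `return`. The `re.sub`/`re.findall` patterns throughout this hunk are ordinary strings containing `\s`, `\[` and `\:`, which Python 3.12+ reports as invalid escape sequences — prefix each with `r`. The relative indentation of `if(conf.find('ssl_certificate') != -1):` versus the earlier `== -1` check is not recoverable from the diff; if it sits inside that branch it is unreachable, which is worth confirming in the file.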
diff --git a/data/tpl/nginx_panel.conf b/data/tpl/nginx_panel.conf
index 92d607830..37bf663c9 100755
--- a/data/tpl/nginx_panel.conf
+++ b/data/tpl/nginx_panel.conf
@@ -1,20 +1,13 @@
server
{
listen {$PORT};
- #listen 443 ssl http2;
- #listen [::]:443 ssl http2;
+ listen [::]:{$PORT};
server_name {$SERVER_NAME};
index index.php index.html index.htm default.php default.htm default.html;
#SSL-START
- #ssl_certificate {$PANAL_ADDR}/ssl/cert.pem;
- #ssl_certificate_key {$PANAL_ADDR}/ssl/privkey.pem;
- #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
- #ssl_prefer_server_ciphers on;
- #ssl_session_cache shared:SSL:10m;
- #ssl_session_timeout 10m;
+ #error_page 404/404.html;
#SSL-END