Version 1.51.4

Released: 2017-06-08

TLSA dns records (SKINS)(TEMPLATES) new

Add support for TLSA dns records.

Will require both skin and template changes.

Disabled by default.

To enable, add this value to your directadmin.conf:

dns_tlsa=1

and restart DirectAdmin.

TEMPLATES

Update:

/usr/local/directadmin/data/templates/named.db

to include the |TLSA| token.

new empty default file:

/usr/local/directadmin/data/templates/dns_tlsa.conf

SKINS

Same idea from SPF, copied to TLSA.

admin/dns_admin_control.html

user/dns_control.html

uses:

|*if DNS_TLSA="yes"|

to confirm the feature is enabled.

TODO

Link LetsEncrypt to automatically add the TLSA records.

CAA dns records (SKINS)(TEMPLATES) new

Add support for CAA dns records.

Will require both skin and template changes.

Disabled by default.

To enable, add this value to your directadmin.conf:

dns_caa=1

and restart DirectAdmin.

IMPORTANT NOTE: DA does not check your version of bind.

Only bind versions BIND ≥ 9.9.6 and higher will support CAA records.

You can find your bind (named) version either in the Admin Level -> System Information page, or by running:

named -v
TEMPLATES

Update:

/usr/local/directadmin/data/templates/named.db

to include the |CAA| token.

new empty default file:

/usr/local/directadmin/data/templates/dns_caa.conf

SKINS

Same idea from TLSA, copied to CAA.

admin/dns_admin_control.html

user/dns_control.html

uses:

|*if DNS_CAA="yes"|

to confirm the feature is enabled.

rotate_httpd_error_log_meg new

To apache/nginx error logs from getting too large in a run-away case, new variable that lets the dataskq check the size of these logs, and rotate them if needed.

Internal default:

rotate_httpd_error_log_meg=0

to keep the domain.com.error.log files with a certain range, set that number in the rotate_httpd_error_log_meg setting.

So if you want a log rotate out at 1gig, you'd set it to 1024 Meg, eg:

rotate_httpd_error_log_meg=1024

Also add option to truncate, instead of rotate:

rotate_httpd_error_log_truncate=0|1

internal default will be 1.

If this is set, then the truncation will create a new log 1/2 the size of the original (half of rotate_httpd_error_log_meg)

We use 1/2 because if you were to truncate to size X, then as the log grows, the truncation would happen every minute which would be a very large burden on the disk I/O.

A truncation to a specific size requires:

  • fseek to location at 1/2 the size of the log

  • go forwards byte by byte until you hit the first newline character, then go 1 more.

  • read each line from the current position, and write to a new log.

  • re-open the current log from where the end used to be, and continue read/writing, because new data might have been added

  • delete the old log, rename the new one to the old name, and HUP apache/nginx.

If rotate_httpd_error_log_meg=0 is set, the rotate_httpd_error_log_truncate value has no effect.


If this event is triggered, a notice will be sent to the User and the Admins on the system with a Notice that a large log has been rotated/truncated.

The last 5 lines of the log will be included, either way.

No template for this message currently exists, and the line numbers cannot currently be changed.

If anyone needs the ability to adjust these, let us know.

EXAMPLE #1

rotate_httpd_error_log_meg=1024

rotate_httpd_error_log_truncate=0

Every minute the dataskq will check all logs at:

/var/log/httpd/domains/*.error.log (or nginx)

If any of those logs is greater than 1024 meg, the log is reset to 0 and HUP sent to httpd.

This is very fast, and doesn't cause any excessive disk I/O.

Drawback is Users cannot see previous errors, but chances are, it will fill up quickly again anyway.

EXAMPLE #2

rotate_httpd_error_log_meg=1024

rotate_httpd_error_log_truncate=1

Every minute the dataskq will check all logs at:

/var/log/httpd/domains/*.error.log (or nginx)

If any of those logs is greater than 1024 meg, the dataskq copies the last 512Meg to a new file.

It deletes the big log, renames the new log to the old name, and sends an HUP to httpd.

NOTICES

New directadmin.conf internal default:

rotate_httpd_error_log_notify=3

if you wish to disable the noticed, set this value to 0.

At the moment, 1 and 2 are reserved for future just user or just admin, but are not implemented.

Use 0 or 3 at this time.

vacation_set_pre.sh vacation_set_post.sh new

Custom scripts;

/usr/local/directadmin/scripts/custom/vacation_set_pre.sh

/usr/local/directadmin/scripts/custom/vacation_set_post.sh

used when the User sets a vacation message (creation or alteration)

The pre.sh must exit with code 0, in order to succeed.

Exit with non-zero code and the vacation message will not be set.

Echo any text you want displayed.

The post.sh exit code has no effect, on the setting of the vacation message,

but you can set a non-zero exit code on post.sh which will throw a text output error in the GUI, if you just need to mention something.

Environmental variables vary depending on the exim.conf version (4.4.1+ gives more options).

Run DA in debug mode to see everything that's passed.

https://help.directadmin.com/item.php?id=293

the "username" is also added to the variables.

The "post.sh" gets a return_code=1 (good) or return_code=0 (bad) included, depending on if the actual setting process succeeded.

If the pre-checks or pre.sh scripts failed, then the post.sh won't be called.

CHANGED: json for CMD_DNS_ADMIN new

Relating to:

json for CMD_DNS_ADMIN

Format for:

CMD_DNS_ADMIN?json=yes&domain=domain.com

will now be changed to something like:

{
  "records": [
    {
      "type": "A",
      "index": "domain.com.",
      "value": "1.2.3.4"
    },
    {
      "type": "A",
      "index": "ftp",
      "value": "1.2.3.4"
    },
    {
      "type": "NS",
      "index": "ns1.domain.com.",
      "value": "domain.com."
    },
    {
      "type": "NS",
      "index": "ns2.domain.com.",
      "value": "domain.com."
    }
  ]
}

json for CMD_DNS_CONTROL CMD_DNS_MX new

Users can get their records via json, using:

CMD_DNS_CONTROL?domain=domain.com&json=yes

Output is the same as this:

CHANGED: json for CMD_DNS_ADMIN

Note, you can also add:

&ttl=yes

to include the current ttl value in the json output.


The call to:

CMD_DNS_MX?domain=domain.com&json=yes

will again output the records[] array, but will also include:

"internal": "yes"

or "no" depending on if the "Local Mail Server" option is checked.

email_filter_write_pre.sh & email_filter_write_post.sh new

Two new custom scripts:

/usr/local/directadmin/scripts/custom/email_filter_write_pre.sh

/usr/local/directadmin/scripts/custom/email_filter_write_post.sh

to be called before and after the filter file at:

/etc/virtual/domain.com/fitler

The environmental variables are:

  • The contents of:

/etc/virtual/domain.com/filter.conf

  • The tokens for "filter" setup earlier in the process (before the large texts spans are added)

  • username=fred

  • domain=domain.com

The tokens that might be useful are:

DOVECOT=0|1
HOME=/home/fred
INBOX_SPAM=INBOX.spam or Junk, depending on the setting:

Ability to merge old inbox imap folders to new folders

Ability to set Spam folder from INBOX.spam to Junk (TEMPLATES)

the rest are mainly just taken from the filter.conf anyway, which you'll already have loaded (lower case from the filter.conf)

CMD_DNS_ADMIN CMD_DNS_CONTROL CMD_DNS_MX action=edit new

For the skin, a new option called:

action=edit

can be used to simultaneously delete a value, and add a value, in 1 call.

This is not going to be in the enhanced skin, but would be handy for json in the new skin.

Values are a combination of both the action=add and action=select.

So use:

method: POST
action=edit
selecttype=encoded
type=A|NS|MX|CNAME|PTR|AAAA|SRV|DS

where selectype=encoded is the same as deleting values, so see this guide for what to use in place of both "selectype" and "encoded":

API for User and Admin Level DNS Administration

The intent is such that you specify the value you're editing with selectype=encoded, and then provide the new data in type, name, and value.

Although, with the way it's coded, you can delete multiple values if you want, or even values that don't even match the name you're adding.

It's pretty much just a merge of 2 calls into 2, where the deletion happens first.

The "type" variable will be the record type. For most edits, you'll probably specify the same type as in the selectype, eg:

type=A
arecs0=encodeddata

You can optionally include:

json=yes

if you want the output to be json.

CMD_JSON_LANG new

New command to get all tokens for a given command page, eg:

CMD_JSON_LANG?request=CMD_SHOW_DOMAIN
CMD_JSON_LANG?request=global
CMD_JSON_LANG?request=LF_STANDARD&and_global=yes

which will include json output for:

  1. All lang tokens for the given CMD_* based on the PATH lookup in files_*.conf, and over to that lang/en/PATH.

  2. All global tokens if request=global is used.

  3. Any normal CMD or LF request can include &and_global=yes in the GET to include the globals, to save a request.

For the above example, it's in:

files_user.conf:

CMD_SHOW_DOMAIN=user/show_domain.html

so the lookup dumps the tokens from:

/usr/local/directadmin/data/skins/enhanced/lang/en/user/show_domain.html

The global tokens use "no-cache" in the result header, while any other CMD/LF type lookup will use a cache during of 65536 seconds.

This means (for now) if you change the language of your DA, you'll likely need a F5 or ctrl-F5 to grab the new lang pack.

Note the request can be any value from the files_*.conf files, including the LF_STANDARD style entries.

They don't need to be CMD_ entries.

If a value doesn't exist, it will throw a standard json error.

This command does not load hardcoded tokens, as it would when you actually load the /CMD_SOMETHING page.

This only loads the LANG files, or the global tokens that show up on all pages.

The hardcoded tokens are only computed during the actual call of that given CMD_ command.

If you do want one of those specific hardcoded tokens, you can get it using the load_token variable, available on most pages:

load_token=NAME to output only the value of that token for the given page

Ability to preserve html sequences in messages/tickets new

If you're using multiple different charsets, you might need to use html sequences like:

В

in the message system and ticket system templates.

The new directadmin.conf option:

preserve_html_sequences=0

(which is the internal default)

can be changed to be:

preserve_html_sequences=1

such that message/ticket system will respect any html characters set in the file as long as they use the format:

&#xxxx;

where xxxx is a string of 1 or more numbers 0-9.

Because the client might actually want to write the literal string:

В

if the option is enabled, DA will swap any typed occurrences of & with & so it gets displayed exactly as typed.

CMD_JSON_VALIDATE to verify types before submission new

Command for ajax calls, to make validation checks before submission.

This will save an invalid form post, causing the User to have to re-enter all their info again.

type=user&value=fred
type=domain&value=domain.com
type=password&value=secretpass
type=password&action=get   #returns a new random password that passed the difficult password check
type=dbname&value=dbname   (exclude the username_ prefix)
type=dbusername&value=dbuser (exclude the username_ prefix)
type=email&value=user@domain.com  (full address)
type=ftp&value=user&domain=domain.com  (only user part) - added 1.53.1
type=forwarder&value=user@domain.com  (full address)
type=username&value=fred  (can only be called by Resellers and Admins, or error "Users cannot verify usernames")
type=dns&record=A&domain=domain.com&name=www&value=1.2.3.4(&mx_value=mail.domain.com.(&select=name|value)) - added 1.53.2.

Returns json with either:

{
  "error": "some reason"
}

or:

{
  "success": ""
}

or for random password generation (action=yes)

{
  "success": "newrandompassword"
}

Note that the User and domain checks do use the Multi-Server Setup system, if it's enabled where it will check for external domains or username, if those options are checked.

Similar to the functions:

CMD_AJAX_CHECK_USERNAME

CMD_AJAX_CHECK_DOMAIN

CMD_AJAX_CHECK_PASSWORD

=============

type=dns - added 1.53.2

This method allows validation of dns form values.

There are quite a lot of internal checks and variations depending on record type, so please read carefully.

record=A|NS|MX|CNAME|PTR|TXT|AAAA|SRV|SPF|TLSA|CAA|DS
name=left side of add
value=right side of add

if record=MX, then things change depending on settings.
if full_mx_records=1 in directadmin.conf, then:
value=10   - the priority of the MX
mx_value=mail  or mail.domain.com.

if full_mx_records=0, which will be rare and not default, then:
name=mail or mail.domain.com (right side)
value=10 - priority

if record=NS:
value=left side
name=right side

just to be backwards compatible with the older DA where the container could only have a unique index, thus all NS records for the zone would match, hence we flipped to use the value as the index.

But duplicates can now be used, but the value/name are still flipped left to right.


optional for type=dns:

check=name|value

where adding check to "name" or "value" will tell DA only to check the respective name or value.

Lets provides more specific control over the checks.

If it's a domain pointer, use:

domain=maindomain.com
pointer=pointer.com

and the pointer.com zone will be checked/loaded instead.

Ability to shut off dovecot_sni per-domain in the domains/domain.com.conf new

UPDATE: March 30, 2021:

This feature has been tabled to be deprecated due to increasing complexity to support it for upcoming per-host certificates, rather than the previous per-domain certs.


back-end to allow dovecot_sni to be disabled per-domain by adding:

dovecot_sni=OFF

to the domain's config file:

/usr/local/directadmin/data/users/username/domains/domain.com.conf

Possibly an interface change to follow, but for now, just manually add it.


T6630

allow_dns_underscore=1 new internal default new

Changed the allow_dns_underscore setting from 0 to 1 as the new internal default.

enable_ssl_sni=1 new internal default new

For all newer OSs, the enable_ssl_sni=1 setting will be the new default (old was 0).

CentOS 5 and Debian 6 will still have it set to 0 by default (they're end-of-life anyway)

You can still override the setting in the directadmin.conf by adding the enable_ssl_sni varilable to the desired value.

Note that enable_ssl_sni only disables the owned IP check in DA, for accessing the SSL page.

Admin Settings: maxfilesize can be KB, MB, GB, TB, etc (SKINS) new

The maxfilesize variable in the Admin Settings used to require entry in bytes.

As very few people every actually work with those units in terms of file uploads, the variable can now be specified with the size units.

Valid values are now:

536870912
512 KB
512K
512 K
0.5 MB
0.5MB
100MB
1G
0.1 GB
etc..

Valid units are:

blank (for bytes)

K
KB
M
MB
G
GB
T
TB

... although, you'll not likely want to allow anything large than a few Gig, at most for this particular variable.

The number can be an integer or a floating point number, with decimals.

DA will show the number with a space before the unit. The space is not required.

However, upper case characters for the units are required, to avoid confusion with "bits" (vs bytes) where bits are usually a lower case b while bytes are upper case B.

SKINS

admin/admin_settings.html

swapped the |MAXFILE| token with |MAXFILE_UNITS|

The |MAXFILE| token will remain untouched, to be backwards compatible.

The value stored in the directadmin.conf will still be set in bytes.

No DKIM if there is no zone new

Functionality change:

  1. When deleting a zone from the Admin Level -> DNS Admin, if there are any DKIM keys, they will be removed along with the zone.

If you need to have the DKIM keys, you can re-add them manually with the script:

cd /usr/local/directadmin/scripts
./dkim_create.sh domain.com nodns
  1. The call to:

echo "action=rewrite&value=dkim" >> /usr/local/directadmin/data/task.queue

will not create the dkim keys if there is no dns zone.

Related to:

Admin Level -> IP Manager -> click on an IP -> Link IP

this can now be done through the task.queue.

Sample:

echo "action=linked_ips&ip_action=add&ip=1.2.3.4&ip_to_link=1.2.3.5&apache=yes&dns=yes&apply=yes" >> /usr/local/directadmin/data/task.queue

The command is the same as the form in CMD_IP_MANAGER_DETAILS?ip=1.2.3.4, except we move the form action=add to ip_action=add, as the dataskq action needs to be broader.

FileManager head and tail commands new

When requesting a file, eg:

/CMD_FILE_MANAGER/file.txt

You can now add GET options, either

fm_head=10

or:

fm_tail=10

to view the starting or ending number of lines for that file, eg:

/CMD_FILE_MANAGER/file.txt?fm_tail=5

Only one of head or tail can be used at a time.

10 can be replaced with any positive integer.

The Content-Type header will always be set to text/plain.

FTP Backup option to upload md5sum file new

New directadmin.conf internal default option:

backup_ftp_md5=0

which you can add and change to:

backup_ftp_md5=1

in the directadmin.conf to enable md5 uploads, along with the backup file.

The ftp_upload.php will have a new environmental variable:

ftp_md5=1

if this option is enabled, which then uploads a 2nd file, eg:

user.admin.fred.tar.gz.md5

containing the current md5sum of the backup file.

This can be used to verify the integrity of the backup on the remote server, to ensure backup was transferred correctly.

The restore does not currently download or check this file, but if you get an error message during the restore, you'll then be able to manually check the remote file to confirm it's intact, and try again if it is.

The environmental variable ftp_md5=1 is passed to the ftp_restore.php, but the script itself is not currently altered in any way to use it.

Custom Domain Items values available in virtual_host2.conf templates new

The custom_domain_items feature lets you set custom per-domain variables.

This change allow those variables which are set in the domain's config file:

/usr/local/directadmin/data/users/username/domains/domain.com.conf

to be available as a token in the User's httpd.conf templates with the token syntax:

|CUSTOM_DOMAIN_ITEM_%s|

where %s is swapped with the custom item name, and that whole token, when used in the templates, will be swapped with the value from the domain.com.conf.

For example, if you have this file:

/usr/local/directadmin/data/admin/custom_domain_items.conf

loaded with:

banana=type=checkbox&string=Custom 1&desc=Yellow&checked1=yes

Then you can use the token:

|CUSTOM_DOMAIN_ITEM_banana|

in the virtual_host2.conf templates (and subdomains, and pointers).

Note that this token will only be available if:

banana=anything

is actually set in the domain.com.conf file.

If it's unset (name does not exist), then the token will not be set.

An example usage of the token might be:

|*if CUSTOM_DOMAIN_ITEM_banana="ON"|
Options +banana
|*endif|

and a sample, (and invalid) example.

CMD_API_SHOW_SERVICES?all_info=yes to show memory and pids new

You can now show all pids and memory info from the Show Services page, using the extra GET option:

all_info=yes

Changes to generate 3 encoded arrays:

status=<statusarray>&memory=<memoryarray>&pids=<pidarray>

where each of the <subarrays> would be similar to:

status=httpd=on&dovecot=on...
memory=httpd=8.32031&dovecot=39.8398...
pids=httpd=19242 19244 19245 19246 19247 19248 19249 19250 19251 19252 19253 &dovecot=29534

all double-url encoded, as needed.

Here's a sample output:

memory=da%25%32Dpopb%25%33%34smtp%3D%25%33%30%25%32E%25%33%35%25%33%34%25%33%36%25%33%38%25%33%37%25%33%35%26directadmin%3D%25%33%38%25%32E%25%33%33%25%33%32%25%33%30%25%33%33%25%33%31%26dovecot%3D%25%33%33%25%33%39%25%32E%25%33%38%25%33%33%25%33%39%25%33%38%26exim%3D%25%33%31%25%32E%25%33%32%25%33%34%25%33%32%25%33%31%25%33%39%26httpd%3D%25%33%31%25%33%30%25%33%38%25%32E%25%33%38%25%33%36%25%33%37%26mysqld%3D%25%33%31%25%33%35%25%33%35%25%32E%25%33%36%25%33%31%25%33%33%26named%3D%25%33%31%25%33%31%25%32E%25%33%38%25%33%34%25%33%37%25%33%37%26pure%25%32Dftpd%3D%25%33%31%25%32E%25%33%35%25%33%34%25%33%32%25%33%39%25%33%37%26sshd%3D%25%33%34%25%32E%25%33%39%25%33%37%25%33%36%25%33%35%25%33%36&pids=da%25%32Dpopb%25%33%34smtp%3D%25%33%31%25%33%34%25%33%33%25%33%37%25%33%31%25%32%30%26directadmin%3D%25%33%31%25%33%39%25%33%32%25%33%34%25%33%32%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%34%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%35%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%36%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%37%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%38%25%32%30%25%33%31%25%33%39%25%33%32%25%33%34%25%33%39%25%32%30%25%33%31%25%33%39%25%33%32%25%33%35%25%33%30%25%32%30%25%33%31%25%33%39%25%33%32%25%33%35%25%33%31%25%32%30%25%33%31%25%33%39%25%33%32%25%33%35%25%33%32%25%32%30%25%33%31%25%33%39%25%33%32%25%33%35%25%33%33%25%32%30%26dovecot%3D%25%33%32%25%33%39%25%33%35%25%33%33%25%33%34%25%32%30%26exim%3D%25%33%32%25%33%37%25%33%34%25%33%32%25%33%31%25%32%30%26httpd%3D%25%33%37%25%33%37%25%33%39%25%33%34%25%32%30%25%33%31%25%33%32%25%33%34%25%33%32%25%33%31%25%32%30%25%33%31%25%33%32%25%33%34%25%33%32%25%33%32%25%32%30%25%33%31%25%33%32%25%33%34%25%33%34%25%33%31%25%32%30%25%33%31%25%33%32%25%33%34%25%33%34%25%33%34%25%32%30%25%33%31%25%33%32%25%33%34%25%33%34%25%33%37%25%32%30%26mysqld%3D%25%33%35%25%33%32%25%33%32%25%32%30%25%33%35%25%33%32%25%33%33%25%32%30%25%33%35%25%33%32%25%33%34%25%32%30%25%33%35%25%33%32%25%33%35%25%32%30%25%33%35%25%33%32%25%33%36%25%32%30%25%33%35%25%33%32%25%33%37%25%32%30%25%33%35%25%33%32%25%33%39%25%32%30%25%33%35%25%33%33%25%33%30%25%32%30%25%33%35%25%33%33%25%33%31%25%32%30%25%33%35%25%33%33%25%33%32%25%32%30%26named%3D%25%33%31%25%33%33%25%33%39%25%33%35%25%33%32%25%32%30%25%33%31%25%33%33%25%33%39%25%33%35%25%33%35%25%32%30%25%33%31%25%33%33%25%33%39%25%33%35%25%33%37%25%32%30%25%33%32%25%33%33%25%33%37%25%33%34%25%33%33%25%32%30%26pure%25%32Dftpd%3D%25%33%31%25%33%32%25%33%37%25%33%31%25%33%38%25%32%30%26sshd%3D%25%33%32%25%33%31%25%33%39%25%33%38%25%33%30%25%32%30%25%33%32%25%33%38%25%33%37%25%33%35%25%33%31%25%32%30&status=da%25%32Dpopb%25%33%34smtp%3Don%26directadmin%3Don%26dovecot%3Don%26exim%3Don%26httpd%3Don%26mysqld%3Don%26named%3Don%26pure%25%32Dftpd%3Don%26sshd%3Don

Pass $created_by variable to domain_create_pre.sh / post.sh new

New variable passed to custom scripts:

/usr/local/directadmin/scripts/custom/domain_create_pre.sh

/usr/local/directadmin/scripts/custom/domain_create_post.sh

created_by=0|1|2|3|4

which is the default, set to 0 when a domain is created by the User.

List of options:

0: domain is created with the User, by the Admin or Reseller creator (see creator variable to see who)

1: domain is created by the User via the additional domains section

2: domain is created by the User, via a User Level restore

3: domain is created by Reseller Level restore

4: domain is created by an Admin Level restore

Also added extra variables to the same scripts:

skip_template=0|1 - specifies if the index.html is to be omitted from the domain creation. Set to 1 if the domain already existed or the domains directory is to be restored.

user_creation=0|1 - specifies if the domain creation is happening at the same time this User is being created.

Unable to Logout; The referer used is not safe as it can be controlled by a User fixed

When logged in as a User using the "Login As" option, if you see this message:

Unable to Logout

The referer used is not safe as it can be controlled by a User

it refers to a recent referer check in 1.51.0:

session security improvements (SECURITY)

The bug was that the possibly url encoded referer wasn't being decoded before the check.

Runnin DA in debug mode 2100 will get you more info about the "is_dangerous_referer" function doing the check.

This is the related error that was incorrect:

is_dangerous_referer: /home/username/domains/one%32three.com is either not readable or not a directory. Will not trust it.

where "%32" shoudld have been decoded into "2" before checking the path.

HTML encoded characters missing trailing semi-colon fixed

For characters encoded, say:

2

would be encoded like:

&50;

the semi-colon was not previously added to the end.

Oddly, the didn't seem to be an issue for most browsers, why it wasn't caught sooner.

Regardless, it was not correct, and is now fixed.

domain data files not being removed with domain fixed

The following files were not being removed when a domain was deleted:

/usr/local/directadmin/data/users/username/domains/*

domain.com.cacert
domain.com.cert.combined
domain.com.cert.creation_time
domain.com.csr
domain.com.cust_httpd
domain.com.cust_httpd.1
domain.com.cust_httpd.2
domain.com.cust_httpd.3
domain.com.cust_httpd.4
domain.com.san_config

They were removed with the User, as the entire folder is cleared, but for adding/removing domains within a User, they should be removed with the domain.

awstats_process.sh + cagefs: LogFile not always swapped fixed

The config file for awstats:

/home/user/domains/domain.com/awstats/.data/awstats.domain.com.conf

has a line:

LogFile="/var/log/httpd/domains/domain.com.log"

With cagefs, this should be swapped to:

LogFile="/var/log/user_logs/username/domain.com.log"

at the run-time of the awstats_process.sh script.

Because the perl regex was run as the User, through "su", it required many characters to escape things correctly.

I've swapped it for simpler version.

Also, the awstats_process.sh now has

VERSION=2.5

set near the top, so we can better track which version of awstats_process.sh is present.


If you want to manually grab the v2.5 of this script, it's here:

wget -O /usr/local/directadmin/scripts/awstats_process.sh http://files1.directadmin.com/services/all/awstats/awstats_process.sh

which is worth a try if your stats are not updating.

Worth checking the LogFile value in the config though to see what it's set to.


UPDATE:

version 2.6 fixed the FreeBSD call from /bin/su to /usr/bin/su.

nginx/proxy: php selector using wrong php on secondary domain is default domain swapped, 2nd not fixed

Conditions:

1 - Using either nginx, or nginx/proxy.

2 - using 2 php versions in the CustomBuild options.conf

3 - default domain php selections are changed. This causes nginx_php.conf to be swapped (for ~username php, as default domain controls it)

4 - Secondary domain php versions are NOT swapped, matching the CustomBuild options.

Because of #4, DA didn't consider the secondary domains swapped, so it used the nginx_php.conf, which was incorrect.

Fix was to take note for when the php_nginx.conf was swapped.

If it was, always add secondary domain php code into the nginx.conf, so it's correct, no matter what's in the main file.

Reset Today to also delete per-Email sends fixed

If a User sends their limit of emails in a given day, the Admin or Reseller (if enabaled) can click the "Reset Today" button for that User, which clears the:

/etc/virtual/usage/username

file. However, it did not previously reset:

/etc/virtual/domain.com/usage/user

for the per-email sends.

With this change, the "Reset Today" button will also rest the per-Email sends.

CMD_EMAIL_REG to force download fixed

The download "Outlook Setting" option on the E-Mail Accounts page will now add a new header:

Content-Disposition: attachment; filename=outlook_USER.reg;

to force download of the .reg file.

The USER contain either the DA system account name, or the prefix USER of USER@domain.com

Automatically add quotes for TXT records, if they're needed fixed

When adding a TXT record if there is a space in the name value, but the value "is not quoted", then DA will automatically add "quotes" around the full value.

It also does the same if the value contains an = character.

It's possible that quotes are always required, but if named allows it, I'd prefer not to add rules where not required.

DA does already use the named-checkzone command to ensure zones are syntactically correct, as the final check before putting a change into effect.

Related:

https://tools.ietf.org/html/rfc1464

https://en.wikipedia.org/wiki/TXT_record

FreeBSD: dnssec.sh using wrong binary paths fixed

Related:

http://forum.directadmin.com/showthread.php?t=54489

Added:

if [ "${OS}" = "FreeBSD" ]; then
BIND_PATH=/etc/namedb
NAMED_BIN=/usr/local/sbin/named
DNSSEC_KEYGEN=/usr/local/sbin/dnssec-keygen
DNSSEC_SIGNZONE=/usr/local/sbin/dnssec-signzone
...

Check for /var/www/html/squirrelmail before backup/restore fixed

If the /var/www/html/squirrelmail path does not exist (directory or link, doesn't matter), then the backup/restore won't happy for the SquirrelMail data.

This extra check was added to prevent errors for backing up things if the server doesn't have SM installed.

The path check will use an internal cache method, so a new lstat is not run for each User. The dataskq would store it in the backup.

The directadmin processes should also be safe from cache issues because the parent doesn't call this check, and each chiled is forked.

(in case you delete the /var/www/html/squirrelmail path, but DA still thinks it's there).. but even if you have issues, just restart DA.

CMD_API_FILE_MANAGER type returned incorrect value fixed

DirectAdmin 1.51.3 introduced a bug where the call to;

CMD_API_FILE_MANAGER

return a 'type' value for files of:

<img border='0' alt="File" src="/IMG_FILE" />

and directories:

<img alt="Directory" src="/IMG_FOLDER" border='0' />

instead of "file" or "dir", respectively.

BlockCracking: variables.conf.custom values show extra = character in notices fixed

The DirectAdmin template:

block_cracking_notice_script.txt

will use some of the values from the BlockCracking variables.

If you're using a custom variables override file, the values are set with double == characters.

When DA was reading that file, it only used the first = character, and assumed the 2nd was the value, so using something like:

BC_LIM == 2

would cause the |COUNT| token to incorrect be filled with:

= 2

where it should have just been 2.

Missing headers for API response of "...does not exist in your authority level" fixed

Recent changes to the internal header code caused the scenario where you've run a wrong command which normally gives you this error:

error=1&text=You cannot execute that command&details=The request you've made cannot be executed because it does not exist in your authority level

to not generate HTTP response headers first, and also causing DA to continue to try and send a blank request, so you'd end up with 404 headers after the above code was sent.

This bug would cause confusion in cases where a command is entered incorrectly, or the commands.allow/commands.deny isn't allowing it, since parsers cannot find the end of the headers, since the first output isn't "HTTP/1.1", but instead gave "error=1" which isn't valid to start a response.

So browsers or API scripts would just give blank output, even though the above output was given, just without headers (plus a junk 404 at the end)

It's possible there were other cases where no headers were generated first, but this fix simply confirms that they were, rather than assuming they were.

No CGI for a domain should not have Options Includes (SECURITY)(TEMPLATES) fixed

If you disable CGI for a domain, "Includes" is now removed from the Options list the AllowOverride list.

If you have CGI enabled, then cgi based server-side includes are allowed.

Reasoning:

Adding IncludesNoExec does not negate the exec portion of already added Includes Option because it's a binary "OR"

so "+Includes +IncludesNoExec" does allow exec, which is not what we want.

Must be "-Includes +IncludesNoExec"

IMPORTANT:

If you have CGI disabled, but have an .htaccess with:

Options +Includes

you will get an internal server error, so change it to be:

Options +IncludesNoExec

TEMPLATES:

Changes to the 4 virtual_host2*.conf files for the CGI=off case:

Token now set to:

|?ALLOW_OVERRIDE=AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None|

where Includes has been removed from the AllowOverride

as well:

|*if CGI=""|
|ALLOW_OVERRIDE|
Options -ExecCGI -Includes +IncludesNOEXEC
|*endif|

so Includes is not allowed without CGI, which is correct (as server-side includes exec have the same permissions as cgi-bin files)

Moved php-fpm section into <Directory> section of VirtualHost (TEMPLATES) fixed

The HAVE_PHP1_FPM and HAVE_PHP2_FPM sections for php-fpm have been moved from outside the <Directory> section, to within the <Directory> section.

This was to allows for mixing lsphp and php-fpm.

This will move them past the CUSTOM, CUSTOM2, and CUSTOM3 tokens, which should affect people unless they're changing any of the tokens the php-fpm section uses:

PHP1_RELEASE, PHP2_RELEASE, and USER

TEMPLATES

virtual_host2.conf

virtual_host2_secure.conf

virtual_host2_sub.conf

virtual_host2_secure_sub.conf

CMD_FILE_MANAGER could not use path token to set other token fixed

Code changes made on Dec 10th to do more creative things with the Evolution skin caused the "path" token to be unset at the time of the FileManager pre-load.

(The pre-load is done to run any scripts like |$/usr/local/bin/php ... before the FM is chrooted to ~/)

This prevented things like:

|?CUSTOMPATH=`path`|

from working, while using |path| would have still worked fine as the token was added after the pre-load.

Change was to add the path token before the pre-load.

Update: Also added missing COMMAND token, used for the "Back" button in template.html standard messages.

Allow forward slash in PTR record names fixed

If you need to add a range of IPs, you can now add a zone like:

4.3.2.in-addr.arpa

where that's the domain name (don't use the rDNS checkbox)

and add a PTR name value (left size) like:

5.0/24

to specify which IPs it should cover.

You can then clear out all other records, just leave the PTR and NS record.

dovecot_sni rename domain didn't swap /etc/dovecot/conf/sni/domain.com.conf fixed

  1. Added fix to remove the dovecot sni file:

/etc/dovecot/conf/sni/domain.com.conf

  1. then swap the domain name as usual

  2. then re-rewrite a conf/sni/newdomain.com.conf file.

Also found and fixed a bug where the:

/usr/local/directadmin/data/users/username/domains/domain.com.mime.types

was not being renamed to newdomain.com.mime.types.

Removed old logs from deleted domains fixed

DirectAdmin does not delete the old logs from deleted domains so that User cannot bypass bandwidth counting by deleting and re-adding their domains.

The side-effect would be that over time, the apache/nginx domain log paths get irrelevant left-over logs.

This change is to clean up those old logs after 60 days.

It will remove logs ending in:

.log

.log.1

.bytes

.bytes.X (1-(logs_to_keep))

which are older than the 60 day max.

This feature only runs if:

rotation=1

is enabled, which is used to rotate to the logs into the Users log folders.

If you set rotation=0, then you're 100% responsible for adding rotation to this directory (eg: add something into logrotate, etc)

Linked IPs should only duplicate local IPs in DNS fixed

Previously, when linking IPs at:

Admin Level -> IP Manager -> click the IP -> link IP

the dns portion would just take a fresh copy of the dns_*.conf templates, and add all A and AAAA records from there using the new IP.

This was not logically correct for some cases where a custom A record was added, pointing to an external IP.

Functionality change in the DNS portion for linked IPs, where only matching A or AAAA records for the local IP, will be duplicated with the linked IP.

For example, domain is on 1.2.3.4 with A records:

www A 1.2.3.4
ftp A 1.2.3.4
pop A 2.3.4.5
smtp A 2.3.4.5
mail A 2.3.4.5

where 2.3.4.5 might be some external server managing the mail.

If you link 1.2.3.5 to the dns for 1.2.3.4, the new zone will now look like:

www A 1.2.3.4
www A 1.2.3.5
ftp A 1.2.3.4
ftp A 1.2.3.5
pop A 2.3.4.5
smtp A 2.3.4.5
mail A 2.3.4.5

Previously, the 2.3.4.5 A records would have been duplicated too, causing a round robin to both 1.2.3.5 and 2.3.4.5, which is is not likely the desired effect.

This change also applies for AAAA records, in either order (linking IPv4 to IPv6 or IPv6 to IPv4)

mod_security logs not rotated if awstats=1 fixed

If you're running mod_security, and need the log rotation of the logs in:

/var/log/modsec_audit

a bug where awstats=1 would prevent those logs from being rotated, because, DA only rotates the logs to the .1 files if only webalizer is used, as it states a live log shouldn't be used.

But we changed it to use live logs with awstats anyway, so the apache log rotation didn't happen, which is where the mod_security log rotation function was called.

Fix was to simply move the function call out of the apache log rotation function.

It still requires rotation=1 though.

Disable SSLv2/SSLv2 for outboud client calls fixed

DirectAdmin sometimes makes outbound calls to remote servers using SSL.

Some examples would be plugin updates, DA or License updates, or when using the Multi-Server Setup.

This change disables the client calls from being allowed to use SSLv2 or SSLv3, forcing them to use TLS.

The effect of this will only be that server side of the connection, that is being connected to, must support TLS, and any server that does not will no longer work.

Notify Admins on LetsEncrypt renewal error fixed

If there are any renewal errors, previously only the User was notified.

This change will also notify the Admins, should any renewal errors occur.

If there is a problem with the script itself, then only the Admin can fix it anyway, hence they might as well get a notice.

As before, no notice is sent to anyone if the renewal occurs without any errors.

Don't throw error is User is deleted mid-backup fixed

As some systems take quite a while to generate a single backup of all accounts, it's possible that the User might be deleted mid-run.

In this case, DA would have thrown the error:


User deleteduser has unknown usertype

<13:31:40>

Cannot find /tmp/admin.123456/user.admin.deleteduser.tar.gz for upload.


and in some cases, we would not want the backup error to generate an error if we know we deleted the User.

This change adds checks to see if the error is actual an error with a present User, or if the User was actually deleted,

but only exempts the error is the User Selection method is "All Users" or "All Users except".

Should a specific User list be used and this account is missing an error will be generated.

To confirm if a User is deleted, DA will check for the uid via the /etc/passwd file.

It will also look for the directory /usr/local/directadmin/data/users/username

If either exist, then the User was not deleted, and an error is thrown.

If both are missing, then DA assumes the User was deleted, and in addition to the above usertype error, a message is added to the output:

"Looks like the User was deleted mid-backup. Ignoring the error."

and the result is a non-error, just extra text in the message.

If you set the option to only send an email on backup errors, then no message/email would be generated.

Last Updated: