Version 1.43.0

Released: 2013-03-16

Backup and restore the MySQL character set (collation) new

mysql >4.1.1:
SHOW VARIABLES LIKE 'character_set%';

gives the list. The db.opt file only exists in 4.1.1 and later, so MySQL 4 likely won't have this option.

mysql 5:

SHOW CHARACTER SET
SHOW COLLATION

Reference: http://www.databasejournal.com/features/mysql/article.php/3638426

MySQL 4 may not support this function.

Related:

http://stackoverflow.com/questions/4948356/query-to-show-all-tables-and-their-collation

Also store the collation info in the backup and set it at restore time: DONE.

Saved into the dbname.conf as a db_collation= value holding the entire row returned by:

SELECT * FROM information_schema.SCHEMATA WHERE schema_name='dbname';

Data saved into the backup/username_dbname.conf in the tar.gz backups.

Sample:

db_collation=CATALOG_NAME=&DEFAULT_CHARACTER_SET_NAME=latin1&DEFAULT_COLLATION_NAME=latin1_swedish_ci&SCHEMA_NAME=mysqluser_sixchr&SQL_PATH=

DA will remove the db_collation before the restore, else it would try to add username_collation as a new User.. which is often too long for MySQL (16 character cap).

CMD_API_ADDITIONAL_DOMAINS to include type new

CMD_API_ADDITIONAL_DOMAINS to include the type of pointer (alias or redirect).

The pointers= list will remain the same and will include both alias and redirect values, but a 2nd list:

alias_pointers= will contain just the domain alias pointers (ServerAlias).

If needed, you can then subtract the 2 lists to get the redirect pointers.

Feature to give you the ability to automatically add an IP to certain areas (apache/dns), based on the selection of another IP.

Admin Level -> IP Manager -> Click the IP

brings you to:

CMD_IP_MANAGER_DETAILS?ip=1.2.3.4

The main purpose for this feature is to seamlessly link LAN IPs to external IPs, and/or to link IPv6 IPs to IPv4 IPs.

*** Link a LAN to external IP:

  • View the details of the external IP.

  • Link the internal IP to the external IP.

  • Only select Apache, do not select DNS

Don't link the external IP to the internal IP, else the dns would end up having the internal IP added, which is not desired.

*** Link IPv6 to IPv4:

  • View the details of the IPv4 IP.

  • Link the IPv6 to the IPv4.

  • Check both DNS and Apache.

You could link IPv4 to an IPv6 if you wanted.

Adding a linked IP to the current IP will add the linked IP to the areas where the current IP exists.

Linking an IP with dns will duplicate the A/AAAA records for the current IP with the linked IP.

Linking an IP with apache will add the linked IP into the VirtualHost with the current IP.

This feature is independent of the Multi-IP system, but they can be used together.

For example a User can have 2 IPs with the Multi-IP system, and each of those IPs can have linked IPs.

Links are not recursive, so you don't need to worry about infinite loops.

API:

CMD_API_IP_MANAGER_DETAILS has also been added.

See the DA debug output for information on values to be passed.

SKINS:

admin/ip_manager_details.html

files_admin.conf

CMD_IP_MANAGER_DETAILS=admin/ip_manager_details.html

LF_IP_MANAGER=admin/ip_manager.html

LANGUAGE:

lang/en/internal/ip.txt - up to #36

lang/en/internal/command.txt - up to #523

Ability to tell DA not to wrap dns values new

Relating to this feature:

DKIM keys to be 2048-bit and multi-line TXT records

For anyone who is using a local dns service other than bind, you may not want the values to be wrapped.

A new directadmin.conf variable was added to let you disable the wrapping of dns values.

The internal default is:

wrap_long_dns_values=1

To change it, add this to your directadmin.conf:

wrap_long_dns_values=0

and restart DA.

If you're using bind (named), then leave this as 1, else named will crash if the values are too long.
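The wrapping this setting controls, as an added example that is not DirectAdmin's code: a long TXT value (such as a 2048-bit DKIM key) is split into quoted strings of at most 255 characters when wrap_long_dns_values=1, and emitted as one string when it is 0; the re-assembly function shows what a zone parser has to do to read the wrapped form back. Function names are mine and the DKIM value is constructed.

```python
# Added example, not DirectAdmin's code: the TXT-value wrapping that
# wrap_long_dns_values=1 performs, plus the re-assembly used to read it back.
# Function names are mine; values are treated as ASCII (DKIM keys are).

MAX_STRING = 255  # RFC 1035: a <character-string> holds at most 255 octets


def _escape_char(c):
    """Escape the two characters that are special inside a quoted zone-file string."""
    if c == '"':
        return '\\"'
    if c == "\\":
        return "\\\\"
    return c


def wrap_txt_value(value, wrap_long_values=True):
    """Render a raw TXT value as the quoted right-hand side of a zone-file record.

    With wrap_long_values=True (DA's default) the text is split into quoted
    strings of at most 255 characters each, which is what named requires for a
    2048-bit DKIM key. With False the whole value goes into one quoted string,
    for DNS services that handle long values themselves.
    """
    tokens = [_escape_char(c) for c in value]
    if not wrap_long_values:
        return '"' + "".join(tokens) + '"'
    parts, current = [], ""
    for tok in tokens:
        # never split an escape sequence across two strings
        if len(current) + len(tok) > MAX_STRING:
            parts.append(current)
            current = ""
        current += tok
    parts.append(current)
    return " ".join('"' + p + '"' for p in parts)


def unwrap_txt_value(rhs):
    """Re-assemble the quoted strings of a TXT right-hand side into one value.

    Adjacent strings are concatenated with nothing in between, as resolvers do.
    Raises ValueError on an unterminated string or stray text outside quotes.
    """
    out, in_string, i = [], False, 0
    while i < len(rhs):
        c = rhs[i]
        if not in_string:
            if c == '"':
                in_string = True
            elif c not in " \t":
                raise ValueError("unexpected %r outside a quoted string" % c)
        elif c == "\\" and i + 1 < len(rhs):
            i += 1
            out.append(rhs[i])
        elif c == '"':
            in_string = False
        else:
            out.append(c)
        i += 1
    if in_string:
        raise ValueError("unterminated quoted string")
    return "".join(out)


# Constructed DKIM-style value: the 'p=' payload of a 2048-bit key is about 390 base64 chars.
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 390


def txt_record(name, value, wrap_long_values=True):
    """Build the full zone-file line, e.g. for a DKIM selector record."""
    return "%s\tIN\tTXT\t%s" % (name, wrap_txt_value(value, wrap_long_values))
```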

named.db to support template scripting new

The named.db template (used to create domain.com.db files) now supports username scripting.

Environment info for skin scripts (SKINS scripts)

The scripts will be run as root, so you have full access to everything, but be very careful with this high access level, to ensure you don't do any damage to your system.

Sample addition to the bottom of the named.db code for DNSSEC:

|$/usr/local/bin/php
<?php
// Only emit the $include lines when the DNSSEC key files exist for this zone;
// PHP's "\$" prints a literal $ so that named sees "$include ...".
if (file_exists("/var/named/|DOMAIN|.zsk.key"))
{
        echo "\$include        /var/named/|DOMAIN|.zsk.key\n";
}
if (file_exists("/var/named/|DOMAIN|.ksk.key"))
{
        echo "\$include        /var/named/|DOMAIN|.ksk.key\n";
}
?>
DONE|

Note that DA may not support things you add, so if you add any values that the DA dns parser cannot read (eg: $include lines) ensure you're adding them to the bottom of the file.

You should really also be only adding things here that DA cannot see... else you'll end up with duplicates each time you re-save the zone.

For example, do not add A records with this feature, else you'll get another A record each time you save the zone.

For A records, use the dns_a.conf. It also supports shell scripting.

Ability to clear forwarder values when deleting emails new

When you delete an email account, this new feature will give you the option to have DA search through your forwarder values (not the forwarder names) and remove these deleted emails, so that any emails sent to the existing forwarders don't cause bounces.

For example, say you have two forwarders:

one -> abc@domain.com
two -> abc@domain.com, efc@domain.com

and you also have the email account:

abc@domain.com

When you delete the abc@domain.com email address with the 'Clean Forwarders Values' checkbox selected, DA will go through all of your forwarders and turn them into:

one -> :fail:
two -> efc@domain.com

so that any emails to one@ or two@ don't cause bounces.

Of course, you'll note that the forwarder that only had the 1 email becomes a :fail: forwarder.

This is just to remind you of what DA just did. Sending an email to one@ will reject the email (but won't generate a bounce when it's sent from an external address).

This is the best we can do, considering you've just deleted its destination.

DA will also log to the system.log about the action that was done.

The checkbox value passed with pop deletions (CMD_EMAIL_POP or CMD_API_POP) is:

clean_forwarders=yes

Without this checkbox value being passed, the "clean" won't happen.
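The clean-up described above, as an added example (not DirectAdmin's code): forwarder values are searched for the deleted address, forwarder names are left alone, and a forwarder left with no destination becomes :fail:. The 'name: dest1,dest2' layout of the sample list is an assumption borrowed from exim alias files, not DA's storage format.

```python
# Added example, not DirectAdmin's code: models the 'Clean Forwarders Values'
# step on a constructed forwarder list in 'name: dest1,dest2' form (the layout
# of an exim alias file; the real DA storage format is not assumed here).


def clean_forwarders(forwarder_lines, deleted_address):
    """Strip deleted_address from forwarder values, never from forwarder names.

    Returns (new_lines, log_entries). A forwarder left with no destination
    becomes ':fail:', so mail to it is rejected at SMTP time instead of being
    accepted and then bounced to a mailbox that no longer exists.
    """
    target = deleted_address.strip().lower()
    new_lines, log_entries = [], []
    for raw in forwarder_lines:
        line = raw.rstrip("\n")
        if ":" not in line or not line.strip() or line.lstrip().startswith("#"):
            new_lines.append(line)          # blank, comment or malformed: keep as is
            continue
        name, value = line.split(":", 1)
        destinations = [d.strip() for d in value.split(",") if d.strip()]
        kept = [d for d in destinations if d.lower() != target]
        if len(kept) == len(destinations):
            new_lines.append(line)          # this forwarder never pointed at the deleted box
            continue
        if not kept:
            kept = [":fail:"]
        new_value = ",".join(kept)
        new_lines.append("%s: %s" % (name, new_value))
        # what DA would write to system.log about the change
        log_entries.append("forwarder %s: removed %s, now -> %s" % (name, target, new_value))
    return new_lines, log_entries


# Constructed sample: the two forwarders from the text plus a forwarder whose
# *name* equals the deleted local part, to show names are never touched.
SAMPLE_FORWARDERS = [
    "one: abc@domain.com",
    "two: abc@domain.com,efc@domain.com",
    "abc: keep@other.example",
]


def demo():
    """Apply the clean-up exactly as the text describes for deleting abc@domain.com."""
    return clean_forwarders(SAMPLE_FORWARDERS, "abc@domain.com")
```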

Ability to add more headers to welcome emails new

Relating to this feature:

ability to add your own email headers in welcome messages

Extra headers can now be used.

Their token names will be:

HEADER2

HEADER3

HEADER4

in addition to the already existing token value:

HEADER

eg:

|?HEADER=MIME-Version: 1.0|

|?HEADER2=Content-Type: text/plain; charset=utf8|

This does not apply to the HEADER value used in tickets, only welcome emails.

Related keywords/files:

u_welcome.txt

r_welcome.txt

a_welcome.txt

custom script all_restores_post.sh, called after Admin/Reseller Level restores new

Related to this feature:

all_backups_post.sh

Custom script:

/usr/local/directadmin/scripts/custom/all_restores_post.sh

Variables passed will be whatever is sent from the task.queue.

Session to store selected domain new

When a User accesses his User Level, once he views the page:

CMD_SHOW_DOMAIN?domain=domain.com

DA will log the domain value (assuming it's valid) into the session file as:

selected_domain=domain.com

With that, all plugins should then have access to read this env variable as:

SESSION_SELECTED_DOMAIN=domain.com

which saves the need for the plugin to pass the domain via GET all over.

The global skin tokens will also have the variable:

SESSION_SELECTED_DOMAIN

Note that there is no guarantee that this variable will be set.

However, if you can't find |DOMAIN| or |domain|, then this variable would be a good one to try.

New skin type JS_ for javascript files. new

The old javascript files were added in with the HTM_JAVASCRIPT option, which used text/html as the content-type.

Added a new file type JS_ which will set Content-Type: application/javascript.

It will also skip the "no cache" header options, so the pages will load faster, when this is used.

This also means that you'll need a full cache dump (ctrl-F5) if you're doing javascript programming through DA.. else you'll keep getting the cached version.

The DA skins have not been changed to use JS_, as HTM_ works fine for our purposes.

Ability to set the crypt type for passwords new

The default crypt in DA is MD5 which uses the $1$ type for the crypt command.

A new directadmin.conf option will allow the 1 to be changed to a 6 for sha-512, if desired (giving $6$).

This should allow you to be GDPR compliant.

Default internal value:

crypt_method=1

If you'd like passwords to use sha-512, add this to your directadmin.conf, and restart DA:

crypt_method=6

This will affect all calls that DA makes to the "crypt" function.

This includes:

  • Email accounts

  • FTP accounts

  • DA accounts, but only in some cases (varies per OS)

The DA accounts have their password crypt created from different places, depending on what's going on.

The list below outlines each case, and shows either the tool used to generate the crypt or "crypt", which is affected by this change.

Any values that do not show "crypt" will not use DA's crypt() function, thus will not use this feature (crypt method controlled via other configs)

  1. Changing a password:

FreeBSD: crypt

Debian: chpasswd

Linux: passwd

  2. Creating a User:

FreeBSD: pw

Debian: crypt

Linux: crypt

  3. Restores just copy the old encrypted data, so this feature does not apply to the backup/restores.

For the non-"crypt" methods, see this guide:

http://help.directadmin.com/item.php?id=248

This only affects the above crypt methods when triggered.

Existing encryptions are not touched until one of the above crypt methods is triggered (Eg: if you reset the password and it uses crypt)

Password protected directories (as of 1.43.0) use openssl to generate an $apr1$ crypt.

Protected directories to use $apr1$ password format

However, if the crypt generation fails with the openssl binary, then crypt() is used to generate the password crypt... however, it defaults to a very old DES method without $1$.. so this feature will not apply to password protected directories from 1.43.0 and newer.

Versions of DA older than this do use the local crypt (eg: $1$), but this feature doesn't exist.. so still wouldn't apply.

Access-Control-Allow-Origin new

If you'd like to add a header:

Access-Control-Allow-Origin

you can do so by specifying the following in your directadmin.conf:

access_control_allow_origin=http://www.domain.com

Tags:

CORS OPTIONS

Ability to automatically encode subjects to UTF-8 for emails generated by DA new

New option in DA which automatically swaps a subject with a utf8 encoded subject for all emails generated by DA (welcome emails, notices, etc..)

Default internal setting:

utf8_encode_subject=0

To enable the setting, add the following to your directadmin.conf, and restart DA:

utf8_encode_subject=1

and all emails will have the subject header value swapped out with the valid base64 utf8 encoding.

New script which uses php to do the encoding (our internal base64 encode doesn't support more than 7 bit chars)

/usr/local/directadmin/scripts/base64_encode.php

The encoding of the subject will fix the following SpamAssassin header tags:

SUBJECT_NEEDS_ENCODING

SUBJ_ILLEGAL_CHARS

which should lower the spam score by about 1.6, if special characters exist in the subject line.

IMPORTANT

Make sure you've set your skin to use UTF-8, else the special characters will not show up correctly.

http://help.directadmin.com/item.php?id=364
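What the swapped-in subject looks like, as an added example that is not DirectAdmin's base64_encode.php: a subject containing 8-bit characters becomes one or more RFC 2047 "=?UTF-8?B?...?=" encoded-words of at most 75 characters, while a plain 7-bit subject is left untouched. The sample subjects are constructed and the round-trip check uses Python's stdlib decoder.

```python
# Added example, not DirectAdmin's base64_encode.php. Shows what the
# utf8_encode_subject option swaps into the Subject header: non-ASCII text
# becomes '=?UTF-8?B?...?=' encoded-words (RFC 2047), each at most 75 chars.
import base64
from email.header import decode_header

MAX_ENCODED_WORD = 75                              # RFC 2047 section 2 limit per word
OVERHEAD = len("=?UTF-8?B?") + len("?=")            # 12 chars of framing per word


def needs_encoding(subject):
    """True if the subject has anything outside 7-bit ASCII (what SUBJECT_NEEDS_ENCODING flags)."""
    return any(ord(c) > 127 for c in subject)


def encode_subject(subject):
    """Return the Subject value with non-ASCII text as UTF-8 base64 encoded-words."""
    if not needs_encoding(subject):
        return subject
    # base64 turns 3 bytes into 4 chars; keep each word within the 75-char cap
    # (45 raw bytes) and never split a multi-byte UTF-8 sequence across words.
    max_raw = (MAX_ENCODED_WORD - OVERHEAD) // 4 * 3
    words, chunk = [], b""
    for ch in subject:
        enc = ch.encode("utf-8")
        if len(chunk) + len(enc) > max_raw:
            words.append(chunk)
            chunk = b""
        chunk += enc
    words.append(chunk)
    return " ".join("=?UTF-8?B?" + base64.b64encode(w).decode("ascii") + "?="
                    for w in words)


def decode_subject(header_value):
    """Decode with the stdlib, to verify that the encoding round-trips."""
    parts = []
    for text, charset in decode_header(header_value):
        parts.append(text.decode(charset or "ascii") if isinstance(text, bytes) else text)
    return "".join(parts)
```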

CMD_API_USER_BACKUP new

Related to the Admin Level Backup/Restore:

CMD_API_ADMIN_BACKUP

CMD_API_USER_BACKUP


View local files and settings, crons, and users:

pass nothing.


View remote files and settings, crons, and users:

GET or POST:

action=update_files
ftp_ip=127.0.0.1
ftp_password=password
ftp_path=/user_backups   (remote ftp path)
ftp_port=21
ftp_username=admin
local_path=
where=ftp

To create backups, crons, save settings, etc.. please run DA in debug mode, and make a desired call through your browser.

The same values sent to CMD_USER_BACKUP will be sent to CMD_API_USER_BACKUP.

http://help.directadmin.com/item.php?id=293

Ability to disable the User Level domain redirect new

If a User only has 1 domain, when they view their User Level, they'll immediately be redirected to the "Show Domain" page, which contains all of their URLs to the features.

If they have multiple domains, clicking their User Level will not redirect them; they'll be shown a table to choose which domain to use.

This feature prevents the redirect in the event the User only has 1 domain.

The only real use for this would be for customizations to the User Level index that shows the domain list.

The internal default is:

skin_domain_redirect=1

To disable the redirect, add the following to the directadmin.conf and restart directadmin:

skin_domain_redirect=0

Admin Backup Options to specify E-Mail Data (SKINS) new

The Admin Backup/Transfer can now specify "E-Mail Data" in the Backup options.

This will let you backup the email account names/passwords, without actually including the message data, which can sometimes be quite large.

This is a per-cron option which would more-or-less replace the need for the global option "skip_imap_in_backups":

skip_imap_in_backups to not include email data

The changes used to implement this feature are identical to this feature, except of course database_data is changed to email_data:

Ability to exclude DB data from backup, but include DB Settings (SKINS)

The update will convert everything to become database_data_aware, so it's important that the update.sh script is run (which should be done automatically, so you shouldn't need to worry about it)

SKINS:

form_version needs to be changed from 2 to 3.

admin/admin_backup.html

admin/admin_backup_modify.html

user/site_backup.html

user/site_restore.html

lang/en/reseller/backup_modify.html

lang/en/user/site_backup.html

ability for CMD_API_SHOW_USER_CONFIG to show user.conf and user.usage new

Additional ability for the CMD_API_SHOW_USER_CONFIG command:

User version CMD_API_SHOW_USER_CONFIG

to also include the user.usage file.

To get DA to add the user.usage, simply add:

both=yes

eg:

CMD_API_SHOW_USER_CONFIG?both=yes

or:

CMD_API_SHOW_USER_CONFIG?user=username&both=yes

and DA will add a new variable to the config:

usage=<value>

where <value> is a double URL encoded list of the user.usage file.

Ability to set ionice for backups new

New directadmin.conf option:

ionice_string=

where the internal default is 0 (null).

If you add a string, it would look something like this:

ionice_string=/usr/bin/ionice -c2 -n7

and requires that you actually have ionice on your system (it doesn't exist on all OS's hence we don't use it by default)

If the value is blank, ensure that ionice_string is not present anywhere in the directadmin.conf, else it won't be "null" and may cause strange effects.

This would make the resulting tar backup call look like:

/usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /bin/tar cvf <etc>..

This applies to all areas of tar and zip/unzip.

CMD_API_DIRECTADMIN_CONF new

An API-only command CMD_API_DIRECTADMIN_CONF where the output will be all values from the directadmin.conf as loaded in the active process (including the internal defaults that may not exist in the directadmin.conf file), so all values will always be present, as used by DA.

For Admins only.

block_ip.sh: new iptables to block all outbound connections to 25 which are not from "mail" (exim) or "root" (manual update required) new

Requires optional scripts and iptables: http://help.directadmin.com/item.php?id=380

VERSION=2

Added extra code to the iptables script to block all outbound emails on port 25, unless the uid is mail or root.

"root" isn't really needed, so you can remove that line if you want to be extra secure (in case the box gets rooted)

Basically, it requires all email leaving the server to be routed through exim (unless you're "root").

With this change, no User will be able to connect to port 25 on a remote box.. meaning, if an attacker is going to spam from your server (using an insecure php script, usually) they'll need to spam through exim.. which has logs and limits.

If you didn't manually install the iptables script yourself, then you're not likely using it, so if you want this change, use the id=380 guide normally (below).

Related:

http://help.directadmin.com/item.php?id=380

actual iptables code used:

#SMTP output, only allow mail to send remotely.
$IPTABLES -A OUTPUT -m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT

Feel free to remove the whole line containing "--uid-owner root" if you don't need it.

I personally do a lot of debugging with telnet to port 25, hence I'm leaving it open.

This script does not apply to FreeBSD.


CSF

Similar settings for CSF:

https://forum.directadmin.com/showthread.php?t=51996&p=267427#post267427

https://forum.directadmin.com/showthread.php?t=51923&p=267072#post267072


TESTING

To ensure it's working, you should be able to run these commands and get a similar block for admin, while it still works for root (note: exim sends with "mail", which doesn't have an ssh shell, hence we add root too)

[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# su - admin
[admin@server ~]$ telnet directadmin.com 25
Trying 216.144.255.179...
telnet: connect to address 216.144.255.179: Connection refused
[admin@server ~]$ logout
[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# telnet directadmin.com 25
Trying 216.144.255.179...
Connected to directadmin.com.
Escape character is '^]'.
220 jbmc-software.com ESMTP Exim 4.86.2 Fri, 08 Apr 2016 16:06:28 -0600
QUIT
221 jbmc-software.com closing connection
Connection closed by foreign host.
[root@server ~]#

Template caching for virtual_host* files new

The template files:

/usr/local/directadmin/data/templates/virtual_host2*.conf

are read from disk many times.

An optimization in the file loader now keeps the loaded files in memory for cases like this.

The speedup on the rewrites should be significant if you have many domains, subdomains and/or Users.

This also includes custom templates, and nginx templates.

The cache also only applies on a per-process basis... meaning you don't need to worry about the master directadmin process caching an old file.

It's only cached within a child process. Handy when a User has many domains. Also very handy with the dataskq (1 process) when rewriting everything.

Tipping point to implement this was for the new Linked IP feature, which would do many lookups on the IP files, where the data wouldn't change over the span of those reads.

http://www.directadmin.com/versions/index.php?id=1377

add_apache_comments to disable adding comments to user httpd.conf files new

New directadmin.conf option add_apache_comments to prevent DA from adding #comments to the user httpd.conf files.

Internal default is:

add_apache_comments=1

To disable the comments, add this to your directadmin.conf and restart DA:

add_apache_comments=0

dataskq option to only parse task.queue.cb new

New task.queue file:

/usr/local/directadmin/data/task.queue.cb

This will always be parsed.

The task.queue.cb will (for the most part) only be filled by the custombuild script.

There is nothing stopping you from using this file as well, to make use of this feature.

The "feature" part is that the dataskq can now be called like this:

/usr/local/directadmin/dataskq d2000 --custombuild

Where the --custombuild option is new.

With the --custombuild option passed to the dataskq (with or without debug mode), this tells the dataskq to skip all other tasks, and only process the task.queue.cb file.

This means:

  1. The task.queue.cb file is executed.

  2. No other task.queue or task.queue.da file is executed

  3. Services are not checked if they're running

  4. Partition usage is not checked

  5. Brute force scanner is not run

  6. The DA login history counter is not checked (for port 2222)

Once custombuild 2.0 is updated to use this feature, you must be running binaries that support this option.

This is because

  • DA will throw an error if you use --custombuild and the dataskq doesn't support it.

  • the task.queue.cb is not going to be seen, so rewrites and other CB tasks won't be run.

exim.pl VERSION=11 to track IDs to prevent retries from being counted multiple times new

Each email retry will count against a send limit.

The design "flaw" in the way the limit works is that each attempt (including retries) will count as a send.

The exim.pl doesn't know that a send is a retry, thus counts it as another send, to be certain it gets counted.

It could figure out if it's a retry by checking the /etc/virtual/usage/user.bytes file for another entry with the same ID, however we felt the overhead of scanning the entire file for each email delivery would be too great on the system.

For this reason, the exim send counter will usually be higher than the counter used by DA during the tally, as DA has the extra time to figure out what is or is not a retry. (only done once per day, instead of once per send)

This has actually just given me an idea... of creating a folder, eg:

/etc/virtual/usage/username_ids

and anytime an email is added to the tracking logs:

/etc/virtual/username.bytes

/etc/virtual/username

the exim.pl would also create:

/etc/virtual/username_ids/<message-ID>

The overhead of checking if a file exists is quite low.. and would allow the counter:

/etc/virtual/username

to be skipped if the ID already exists in username_ids/*

The username_ids folder would be removed daily in the email rotation script.

diff of the exim.pl:

3c3
< #VERSION=11
---
> #VERSION=10
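Review bot: the `3c3` hunk shows the diff was taken in reversed order: the `<` side carries `#VERSION=11`, so throughout this diff `<` is the new script and `>` the old one, the opposite of the usual old-to-new reading; say so above the diff, or regenerate it as `diff exim.pl.old exim.pl.new` so the `>` lines are the ones to add when applying it by hand.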
290,319c290,293
<               my $is_retry = 0;
<               if ($mid ne "")
<               {
<                       if (! -d "/etc/virtual/usage/${name}_ids")
<                       {
<                               mkdir("/etc/virtual/usage/${name}_ids", 0770);
<                       }
<
<                       my $id_file = "/etc/virtual/usage/${name}_ids/$mid";
<
<                       if (-f $id_file)
<                       {
<                               $is_retry = 1;
<                       }
<                       else
<                       {
<                               open(IDF, ">>$id_file");
<                               print IDF "$timestamp";
<                               close(IDF);
<                               chmod (0660, $id_file);
<                       }
<               }
<
<               if ($is_retry != 1)
<               {
<                       open(USAGE, ">>/etc/virtual/usage/$name");
<                       print USAGE "1";
<                       close(USAGE);
<                       chmod (0660, "/etc/virtual/usage/$name");
<               }
---
>               open(USAGE, ">>/etc/virtual/usage/$name");
>               print USAGE "1";
>               close(USAGE);
>               chmod (0660, "/etc/virtual/usage/$name");
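Review bot: in the new `<` block the return values of `mkdir("/etc/virtual/usage/${name}_ids", 0770);` and `open(IDF, ">>$id_file");` are never checked, so if the directory cannot be created or the file cannot be written, no ID is recorded, `$is_retry` stays 0 and every retry of that message is counted again, silently falling back to the VERSION=10 behaviour; write `open(IDF, ">>$id_file") or ...` with a log line so the failure is visible. The `-f $id_file` test followed by a separate append is also not atomic: two deliveries of the same message running at once can both see no file and both count, which `sysopen` with O_CREAT|O_EXCL (treating EEXIST as the retry case) would close. Since `$mid` is interpolated straight into the path, a check that it has exim's message-id shape (letters, digits and `-`) before building `$id_file` is a cheap safeguard against a malformed value producing an unexpected filename.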

exim.pl VERSION=12: Block smtp-auth sends if limit reached (manual changes) new

When the send limit has been reached for a DA user, or email account, the smtp-auth will return an invalid password to prevent the emails from entering the mail queue/spool at all.

Changes to DA's brute_filter_list will replace the keyword scan of:

login authenticator failed for

and replace it with:

535 Incorrect authentication data

So that the failed send when the limit is reached won't be caught by the brute force monitor:

2013-03-14 23:28:41 login authenticator failed for (1.2.3.4) [127.0.0.1]: 435 Unable to authenticate at present (set_id=admin): The email send limit for admin has been reached

as code 435 represents the abort of the exim.pl script upon hitting the limit, and not an actual failed login.
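The distinction the new keyword relies on, as an added example (not DirectAdmin's brute_filter_list code): a '535 Incorrect authentication data' line is a genuine failed login worth counting, while a '435 Unable to authenticate at present' line is exim.pl refusing the send because the limit was hit. The log lines are constructed after the format quoted above, with documentation IP addresses.

```python
# Added example, not DirectAdmin's brute_filter_list code. It separates the two
# exim 'authenticator failed' outcomes discussed above: a 535 is a real failed
# login the brute-force monitor should count, a 435 is exim.pl refusing the
# send because the limit was reached. Log lines are constructed after the
# format quoted in the text; the IPs are documentation addresses.
import re
from collections import Counter

# Matches the quoted log format; the 3-digit response code decides the case.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<authenticator>\w+) authenticator failed for "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<reason>.*)$"
)

OLD_KEYWORD = "login authenticator failed for"       # what brute_filter_list scanned before
NEW_KEYWORD = "535 Incorrect authentication data"    # what it scans now

SAMPLE_LOG = """\
2013-03-14 23:28:41 login authenticator failed for (1.2.3.4) [127.0.0.1]: 435 Unable to authenticate at present (set_id=admin): The email send limit for admin has been reached
2013-03-14 23:29:02 login authenticator failed for (mx.example) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2013-03-14 23:29:05 login authenticator failed for (mx.example) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2013-03-14 23:29:09 plain authenticator failed for (mx.example) [203.0.113.7]: 535 Incorrect authentication data (set_id=user@domain.com)
2013-03-14 23:30:00 1UGnYf-0003Ju-Gs <= user@domain.com H=(1.2.3.4) [127.0.0.1] P=esmtpa A=login:user@domain.com S=1234
"""


def classify(line):
    """Return ('failed_login', ip), ('limit_reached', ip) or None for a log line."""
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    code = m.group("code")
    if code == "535":
        return "failed_login", m.group("ip")
    if code == "435":
        return "limit_reached", m.group("ip")
    return None


def keyword_hits(log_text, keyword):
    """What a plain substring scanner with the given keyword would count."""
    return sum(1 for line in log_text.splitlines() if keyword in line)


def tally(log_text):
    """Per-IP counts: failed logins to feed the brute-force monitor, limit hits kept apart."""
    failed, limited = Counter(), Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        kind, ip = result
        (failed if kind == "failed_login" else limited)[ip] += 1
    return failed, limited
```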

It will also block based on the per-email limit, if you've enabled that:

Per-Email send limit (SKINS)


Other changes are with regards to the ID tracking:

exim.pl VERSION=11 to track IDs to prevent retries from being counted multiple times

The change will create a directory for the first letter of the ID, to split up the folder.

Many email sends would cause a very large user_ids folder.. so splitting it up in the same manner that exim does will keep the system happier.

added support for underscore in A, AAAA and NS records fixed

The underscore character _ will now be allowed in A, AAAA and NS records with this setting.

allow_dns_underscore was already available for CNAME, TXT and SRV records.

This option is disabled by default with the internal default:

allow_dns_underscore=0

To enable it, add:

allow_dns_underscore=1

to your directadmin.conf and restart DA.

However, if you enable this, then you'll need to ensure that you've told bind/named that it is ok to have them.

Related:

https://lists.isc.org/pipermail/bind-users/2008-February/069295.html

Quote:

Because there are some resolvers that do check and named is the data entry point. If named isn't the data entry point then turn check-names off.

named.conf options:

check-names master ignore;

check-names slave ignore;

ftp_list.php: ncftpls requires %2F for / characters fixed

All ftp paths in the ftp uploads for Admin Backup/Transfers require a leading / character.

ncftpls assumes that any /path/value is relative to the login path.. which may not always be true.

Some ftp clients do not chroot, and /path/value may in fact mean that absolute path, when the login cwd is something totally different.

A common error that would be received would be "cannot chdir to /path"

As a result, we need to treat all paths as absolute with the ncftpls script.

It does that by using %2F as the leading / character.

The ftp_list.php now has this code added:

# A leading / means an absolute path: prefix it with %2F so ncftpls does not
# treat it as relative to the ftp login directory.
CHAR1=`echo ${ftp_path} | awk '{print substr($1,1,1)}'`
if [ "$CHAR1" = "/" ]; then
        new_path="/%2F`echo ${ftp_path} | awk '{print substr($1,1)}'`"
        ftp_path=${new_path}
fi

CB2: "x-httpd-php-source .phps" caused DA to think CLI was enabled fixed

New code was added to the apache configuration in CB 2.0 to allow for phps files. This is done with the line:

AddHandler application/x-httpd-php-source .phps

in the httpd-php-handlers.conf file.

DA previously was looking for the string:

AddHandler application/x-httpd-php

to determine if CLI was enabled.

With the addition of the phps line, it caused DA to think CLI was enabled.

Fix was to simply include a space at the end of the search string:

"AddHandler application/x-httpd-php "


Full error:

Starting httpd: AH00526: Syntax error on line 99 of /usr/local/directadmin/data/users/admin/httpd.conf:

Invalid command 'php_admin_flag', perhaps misspelled or defined by a module not included in the server configuration

FileManager download issues with files over 8Gig fixed

The file sending system was using an "unsigned int" cast on the file.st_size variable.

Sizes larger than 8 gig were too big for this cast, so the cast was changed to unsigned long long.

This really only affected the Content-Length header.. the whole file would have likely been transferred if the header was ignored, but it was a bug nonetheless.

Prevent +ExecCGI if cgi is disabled template changes fixed

If CGI is not enabled for a domain, .htaccess files should not be allowed to add ExecCGI

Change all virtual_host2*.conf templates to add this at the top:

|?ALLOW_OVERRIDE=AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None|

and this within the <Directory |DOCROOT| section:
|*if CGI=""|
                |ALLOW_OVERRIDE|
                Options -ExecCGI
|*endif|

What this does is specify which options are allowed when cgi is disabled, and also disable cgi.

The old values have also been removed from the templates, as they're redundant to the global defaults set under /etc/httpd/conf/*

Options +Includes -Indexes

ftp bandwidth counting for owned IPs fixed

ftp bandwidth on owned IPs was not correctly counted with the unified_ftp_password_file option.

only update domain.conf if user.conf value changed fixed

When making changes to a User, all values for that User are passed to DA.

For example, the checkbox for php is always passed, so the user.conf will always be set to the php value which is passed.

The issue is that if you're changing something else, like bandwidth, and php stays on (was never turned off), if php was off in one of the User domains, it would end up having php enabled again.

This fix will check the previous value for php to see if it was already on. If the value is still on, then php is not changed for the domains.

This applies to php, spam, catchall, cgi, and ssl.

da-popb4smtp not logging imap fixed

It appears as though the dovecot imap logging format was changed at some point, and we didn't notice.

Updated the da-popb4smtp code to catch the new dovecot imap logging format (to handle both types).

The new default format dovecot is using is:

imap(user@domain.com): Disconnected: Logged out in=1182 out=24960

or

imap(user@domain.com): Disconnected: Disconnected in IDLE in=381 out=25566

Dovecot had changed the format, and we had addressed it for 1.42.0:

Log pop+imap bandwidth for dovecot

but seems it was changed yet again, hence the need for the change.


As a workaround, it may be possible to change the logging format back to what da-popb4smtp is looking for, eg:

Disconnected: Logged out bytes=385/1626

eg, /etc/dovecot/dovecot.conf, add to very bottom:

protocol imap {
        imap_logout_format = bytes=%i/%o
}
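Parsing both log formats named above, as an added example that is not the da-popb4smtp code: the newer 'in=N out=N' default and the 'bytes=IN/OUT' form that the imap_logout_format workaround restores are both reduced to per-account byte totals, and POP3 or login lines are ignored. The log lines are constructed.

```python
# Added example, not the da-popb4smtp code. It extracts per-account IMAP
# bandwidth from dovecot's Disconnected lines in both formats named above: the
# newer 'in=N out=N' default and the 'bytes=IN/OUT' form that the
# imap_logout_format workaround restores. Log lines are constructed.
import re

# Newer dovecot default, e.g. "Disconnected: Logged out in=1182 out=24960"
NEW_FMT = re.compile(
    r"imap\((?P<user>[^)]+)\): Disconnected:.*?\bin=(?P<in>\d+) out=(?P<out>\d+)")
# Older format / imap_logout_format = bytes=%i/%o, e.g. "Logged out bytes=385/1626"
OLD_FMT = re.compile(
    r"imap\((?P<user>[^)]+)\): Disconnected:.*?\bbytes=(?P<in>\d+)/(?P<out>\d+)")

SAMPLE_LOG = """\
Mar 16 10:01:02 server dovecot: imap(user@domain.com): Disconnected: Logged out in=1182 out=24960
Mar 16 10:02:10 server dovecot: imap(user@domain.com): Disconnected: Disconnected in IDLE in=381 out=25566
Mar 16 10:03:00 server dovecot: imap(other@domain.com): Disconnected: Logged out bytes=385/1626
Mar 16 10:04:00 server dovecot: pop3(user@domain.com): Disconnected: Logged out top=0/0, retr=1/2345, del=0/1, size=2345
Mar 16 10:05:00 server dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=192.0.2.9
"""


def parse_imap_logout(line):
    """Return (account, bytes_in, bytes_out) for an IMAP disconnect line, else None."""
    for pattern in (NEW_FMT, OLD_FMT):
        m = pattern.search(line)
        if m:
            return m.group("user"), int(m.group("in")), int(m.group("out"))
    return None


def tally_imap_bandwidth(log_text):
    """Sum in+out bytes per account; POP3, login and other lines are ignored."""
    totals = {}
    for line in log_text.splitlines():
        parsed = parse_imap_logout(line)
        if parsed is None:
            continue
        account, bytes_in, bytes_out = parsed
        totals[account] = totals.get(account, 0) + bytes_in + bytes_out
    return totals
```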

Prevent double login with auto-logout from session expiry fixed

If you let your browser sit long enough, the page will be redirected to CMD_LOGOUT.

If the session on the server has expired before the browser does the redirect (possible if the clocks are off by a small amount), then the unauthorized page the browser is trying to access is CMD_LOGOUT. Since the client isn't logged in, the login page is shown.. and once a valid login works, DA happily redirects the browser to where it wanted to go: CMD_LOGOUT...

Authorized calls to CMD_LOGOUT get redirected to CMD_LOGIN... This is why there is a double login sometimes.

The fix was simply to prevent using CMD_LOGOUT in the "referer" field in the login form.

If that's the referer value, either / is used, or no value is used at all.. thus the login will send you to /, and not CMD_LOGOUT, preventing the double login.

Timeout when saving User SpamAssassin settings fixed

When saving your changes to the spam data, DA will check to ensure ownership is correct on all emails/folders.

For E-Mail accounts, this is added as a cronjob.

However, the main account was left within the "directadmin" process.

As a result, if the folder:

/home/user/Maildir

was oversized with thousands+ of emails, this would likely cause a timeout.

The solution was to skip the check on the files below this path, since if it exists, it's likely already set correctly.

Wrapped dns txt records had API_MANAGE_USER_PACKAGES at the end fixed

Relating to DKIM keys to be 2048-bit and multi-line TXT records

Bug where the re-assembly of a multi-line dns TXT record wasn't given a terminating null character.

In some cases it would give a very strange string in the output (likely leftovers from another memory allocation)

Bugfix was to simply add a null character to the end of the string, as is required.

Open_basedir not enabled on restores fixed

Typo on Admin Level restores set open_basedir for restored domains to off in some cases, when actually set to on in the backup.

If ExecCGI is disabled, awstats should use the index.html fixed

With this new ExecCGI restriction:

Prevent +ExecCGI if cgi is disabled template changes

If awstats is enabled, the awstats_process.sh will now create an .htaccess without ExecCGI and will get the browser to view the index.html, instead of awstats.pl.

Debian: remove IP from device when deleted fixed

For whatever reason, the command:

/sbin/ifconfig eth0:1 del 1.2.3.4

was not removing the 1.2.3.4 IP from the eth0:1 device.

Added extra code to the removeip script, where if:

  1. the OS is debian

  2. the IP is not IPv6

  3. and device found is not the main device (eg not eth0, but eth0:0 is valid)

Then the removeip script will use this instead:

/sbin/ifconfig eth0:1 down

Protected directories to use $apr1$ password format fixed

The bug was only reported recently, but it may have existed for some time.

The .htpasswd files apparently don't support $1$ formats, but DA has been saving this format since 1.24.3:

crypt

so it's possible that older versions of apache did support $1$.. not sure.

In any case, the proper solution is to use the proprietary apache md5 format which uses:

$apr1$

The htpasswd binary has many different versions.. the version we'd need for secure automation has the -i option to use a single stdin.

However, this is only a recent addition, so instead we're relying on using openssl with -stdin for the creation of the $apr1$ format.

Replaced AliasMatch with UserDir fixed

IP VirtualHosts replaced AliasMatch/ScriptAliasMatch with UserDir public_html options to allow for working FastCGI operations.

Affects VirtualHosts in:

/etc/httpd/conf/ips.conf

/etc/httpd/conf/extra/httpd-vhosts.conf

Admin Level Restore: Check that Reseller exists fixed

If you're doing restores for User accounts, and they're in the form:

user.reseller.username.tar.gz

if the Reseller account that previously created the User (on a different server) does not exist on this server, the restore previously did still create the User, but because that "reseller" didn't exist the User was not added to any users.list file.

This caused the need for this fix, even if the Reseller was restored after the User:

http://help.directadmin.com/item.php?id=251

This fix does a check and will refuse to restore a User account if the Reseller in the filename does not exist.

This check is only done on user...tar.gz restores, because a reseller and admin...* always share the same .list file, thus can never go missing in this scenario (all Admin's share the same admin.list and reseller.list, so Reseller/Admin accounts will always be added to them, even if their "creator" is wrong in the filename)

The table shown on the Admin Level Restore page containing the list of files will show the file in bold red if the creator does not exist, forecasting that an error will occur if you try to restore this User.
