Version 1.62.9
Released: 2021-10-04
new
E-mail Summary Report (Pro Pack)
The Evolution skin now has a new E-mail Summary section in the Admin Tools group.
This is a report of email usage aggregated by email address and domain.
new
Support user specific skin settings to be changed after login-as in Evolution
An update to the Evolution skin now allows user-specific skin settings (for example grid mode) to be changed after performing the login-as function.
new
CMD_LOGIN_KEYS: read-only option for Users (SKINS)
If a login key is created with the login-as function, e.g.:
$user = "admin|fred"; //fred is a User
the Reseller/Admin would be shown an option to make the key read-only for the Users. Any login-as account doing work can still delete the key.
This will prevent Users from modifying/deleting keys that they shouldn't have access to.
Usage
For any call made with higher privileges, such as "Login-As" or CLI URL creation, pass client_read_only=yes, which sets this in the key.conf, preventing Users from deleting or modifying the key with their direct login. A Reseller/Admin with Login-As can still delete/modify it.
SKINS
Templates:
data/skins/enhanced/user/create_login_key.html
data/skins/enhanced/user/modify_login_key.html
Just above the "current password" line:
|*if USERNAME!=LOGIN_AS_MASTER_NAME|
<tr><td class=list2>|LANG_READ_ONLY|:</td>
<td class=list2 colspan=2><input type=checkbox name=client_read_only value="yes" |CLIENT_READ_ONLY_CHECKED|>
|LANG_READ_ONLY_INFO|
</td>
</tr>
|*endif|
JSON
The call to CMD_LOGIN_KEYS?json=yes will now include an 8th row, client_read_only, set to yes or no.
If it's set to "yes", the GUI should block deletion and modification when the session is a direct login (not login-as). The back-end still enforces this, but blocking ahead of time in the GUI might avoid confusion.
The Enhanced skin compares the global USERNAME to LOGIN_AS_MASTER_NAME. If they match, it is a direct login, so client_read_only is respected for blocking.
T34215 EVO2148
improved
Directadmin systemd service file
Systemd directadmin.service now has a dependency on network-online.service.
This should prevent DirectAdmin from starting before the Internet connection becomes available.
improved
Nginx: put include webapps.conf & CUSTOM3 before LOCATION_BLOCKS, EXTRA_LOCATIONS (TEMPLATES)
The nginx_server.conf templates include the webapps config near the end of the server{} block: include /etc/nginx/webapps.conf and include /etc/nginx/webapps.ssl.conf.
We'll just refer to webapps.conf here for documentation simplicity.
If the User has added a WordPress Nginx Template to the / location, this would match /webmail before getting to the webapps include, causing a 404 on /webmail.
Solution
Move the 2 lines:
|CUSTOM3|
include /etc/nginx/webapps.conf;
higher up in the output, before LOCATION_BLOCKS and after HOTLINK_PROTECTION, e.g.:
|*if HAVE_NGINX_PROXY="1"|
...
|*else|
|NGINX_REDIRECTS|
|HOTLINK_PROTECTION|
|*endif|
|CUSTOM3|
include /etc/nginx/webapps.conf;
|*if HAVE_NGINX_PROXY!="1"|
|LOCATION_BLOCKS|
|EXTRA_LOCATIONS|
|*endif|
|MOD_SECURITY_RULES|
Here is the previous layout before the above change:
|*if HAVE_NGINX_PROXY="1"|
...
|*else|
|NGINX_REDIRECTS|
|HOTLINK_PROTECTION|
|LOCATION_BLOCKS|
|EXTRA_LOCATIONS|
|*endif|
|MOD_SECURITY_RULES|
|CUSTOM3|
include /etc/nginx/webapps.conf;
Templates
The following 4 templates have the above change:
nginx_server.conf
nginx_server_secure.conf
nginx_server_sub.conf
nginx_server_secure_sub.conf
(where webapps.ssl.conf is used for nginx_server_secure*.conf instances)
T35292
improved
Nginx template update to expose defined headers for *.php files (TEMPLATES)
The template data/templates/nginx_php.conf now has the add_header X-FastCGI-Cache $upstream_cache_status; line removed.
Without this change, all the other headers defined in the global templates were ignored for .php files, and they had to be re-added to nginx_php.conf in addition to the other template files.
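The headers were ignored because nginx inherits add_header from the enclosing level only when the current level defines none of its own. The check below is an added example, not DirectAdmin code: it scans a config for blocks whose own add_header silently drops the inherited ones. The sample config, its two server-level headers and the function names are constructed for illustration, and the placement of the nginx_php.conf line inside a PHP location is an assumption.

```python
import re

# Constructed sample: server-level headers plus a PHP location that sets its
# own add_header, as nginx_php.conf did before this change (layout assumed).
SAMPLE = """
server {
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    location / { try_files $uri $uri/ =404; }
    location ~ \\.php$ {
        add_header X-FastCGI-Cache $upstream_cache_status;
        fastcgi_pass unix:/run/php.sock;
    }
}
"""

TOKEN = re.compile(r"[{};]|[^\s{};]+")  # naive: ignores comments and quoted braces

def parse_blocks(conf):
    """Build a flat list of blocks, each with its own add_header names and parent."""
    root = {"name": "main", "own": [], "parent": None}
    blocks, cur, words = [root], root, []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            cur = {"name": " ".join(words), "own": [], "parent": cur}
            blocks.append(cur)
            words = []
        elif tok == "}":
            cur, words = cur["parent"] or root, []
        elif tok == ";":
            if len(words) >= 3 and words[0] == "add_header":
                cur["own"].append(words[1])
            words = []
        else:
            words.append(tok)
    return blocks

def effective(block):
    """nginx rule: inherit add_header from the parent level only if none is set here."""
    while block is not None and not block["own"]:
        block = block["parent"]
    return block["own"] if block is not None else []

def dropped_headers(conf):
    """Map block name -> inherited headers lost because the block sets add_header."""
    report = {}
    for b in parse_blocks(conf):
        if b["own"] and b["parent"] is not None:
            lost = [h for h in effective(b["parent"]) if h not in b["own"]]
            if lost:
                report[b["name"]] = lost
    return report
```

Running dropped_headers over custom templates after an upgrade flags any location that still carries its own add_header and therefore needs the global headers repeated.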
improved
Refactored dataskq queue management and execution
In preparation for new features, we are refactoring how dataskq parses and executes task files. This change should not have any visible side effects, but as with any refactoring there is a risk of unintended changes.
improved
Run unprivileged user tasks under users Cgroup and jailshell
To run all unprivileged tasks, the Userd process starts up using /usr/bin/su --login -s USERSHELL|/bin/bash.
This affects the /CMD_API_EXEC endpoint.
fixed
Apache templates updated to have ModSecurity enabled for whole vhost (TEMPLATES)
ModSecurity rule exceptions were inside the <Directory> block in the Apache templates, which is why they did not work for global aliases like /roundcube.
|MOD_SECURITY_RULES| is now moved outside the <Directory> block, so that it works for the whole virtualhost.
fixed
AWS MySQL does not allow GRANT ALL
Use the full list of allowed commands for the GRANT instead of ALL.
New internal default db_grant_all=1.
To change DA to specify all grant options, instead of "ALL", set:
./directadmin set db_grant_all 0
service directadmin restart
T34646
fixed
Fix domain certificate save hook execution
Due to a misconfiguration of the ssl_safe hooks, scripts/custom/ssl_safe_(pre|post).sh were not getting called when a domain certificate is saved.
Hooks in scripts/custom/ssl_safe_(pre|post)/ and in plugins were called correctly.
fixed
Add Pointer: inherit master zone: still creating defaults for extra IPs
Relating to this change from 1.62.5, where creating a pointer will now inherit the master domain's zone, the bug was that the section that added additional IPs to the zone was still doing so with the default records.
When this feature is used, it will now skip the addition of additional IPs as they should have already been in the master zone.
T35155
fixed
MX Templates: clear conflicting CNAME/A/AAAA
In some cases, you might want to add a CNAME/A/AAAA record into one of the MX Template files which might have a conflicting value already in the zone. For example:
mail 3600 CNAME ghs.googlehosted.com.
which would conflict with the existing default mail "A" record.
This fix will take any conflict between CNAME vs A/AAAA and clear them out, allowing the new value in. Applies in either direction.
Note: A vs AAAA do not clear each other, only CNAME vs A/AAAA or A/AAAA vs CNAME, as A and AAAA are allowed to be duplicated.
T35117
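The clearing rule described above, as an added example that is not DirectAdmin's own code: template records are merged into a zone, CNAME and A/AAAA clear each other in either direction, and A and AAAA are left to coexist. The sample zone, the addresses and the function names are constructed for illustration; only the mail CNAME record comes from this page.

```python
# Types that clear each other, per the note above: CNAME vs A/AAAA in either
# direction. A and AAAA never clear one another.
CLEARS = {"CNAME": {"A", "AAAA"}, "A": {"CNAME"}, "AAAA": {"CNAME"}}

def parse(line):
    """Split a 'name ttl TYPE value' line, the layout of the example record above."""
    name, ttl, rtype, value = line.split(None, 3)
    return (name.lower(), int(ttl), rtype.upper(), value.strip())

def apply_mx_template(zone_lines, template_lines):
    """Return the zone after adding template records and clearing conflicts."""
    zone = [parse(l) for l in zone_lines]
    for new in map(parse, template_lines):
        clears = CLEARS.get(new[2], set())
        # Drop existing records on the same name whose type conflicts with the new one.
        zone = [r for r in zone if not (r[0] == new[0] and r[2] in clears)]
        if new not in zone:
            zone.append(new)
    return zone

def types_for(zone, name):
    """Sorted record types present for one name, for quick inspection."""
    return sorted(r[2] for r in zone if r[0] == name)

# Constructed sample zone (documentation addresses), not taken from the page.
ZONE = [
    "mail 3600 A 192.0.2.10",
    "mail 3600 AAAA 2001:db8::10",
    "www 3600 A 192.0.2.10",
    "ftp 3600 CNAME example.com.",
]
TEMPLATE = [
    "mail 3600 CNAME ghs.googlehosted.com.",  # record from the page
    "ftp 3600 A 192.0.2.20",                  # A replaces the existing CNAME
    "www 3600 AAAA 2001:db8::20",             # AAAA coexists with the A record
]

if __name__ == "__main__":
    for rec in apply_mx_template(ZONE, TEMPLATE):
        print(*rec)
```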
fixed
Nginx: Order used locations by length, longest first
The locations within the nginx.conf should match based on the longest first.
T35293
fixed
Manual DB restore to quote my.cnf password
To allow the # character in passwords, the my.cnf "password" needs to be quoted.