From 452dc81c90627d912dacd5ea7845a03deccfff57 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Tue, 30 Jul 2019 11:34:27 +0200
Subject: [PATCH] Proftpd TLS configuration
---
 CHANGELOG.md | 2 ++
 wo/cli/plugins/site_functions.py | 4 +--
 wo/cli/plugins/stack.py | 43 +++++++++++++++++++++++++++
 wo/cli/templates/proftpd-tls.mustache | 12 ++++++++
 4 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 wo/cli/templates/proftpd-tls.mustache
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b18282..140b9f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - MySQL configuration tuning
 - Cronjob to optimize MySQL databases weekly
 - WO-kernel systemd service to automatically apply kernel tweaks on server startup
+- Proftpd stack now secured with TLS
+- New Nginx package built with Brotli from operating system libraries
 - Brotli configuration with only well compressible MIME types
 #### Changed
diff --git a/wo/cli/plugins/site_functions.py b/wo/cli/plugins/site_functions.py
index 2a9996b..f5c3070 100644
--- a/wo/cli/plugins/site_functions.py
+++ b/wo/cli/plugins/site_functions.py
@@ -1325,10 +1325,10 @@ def site_url_https(self, wo_domain):
 if not (test_url[0] == 'https'):
 try:
 WOShellExec.cmd_exec(self, "php {0} option update siteurl "
- "\"https://{1}\" --allow-root".format(
+ "\'https://{1}\' --allow-root".format(
 WOVariables.wo_wpcli_path, wo_domain))
 WOShellExec.cmd_exec(self, "php {0} option update home "
- "\"https://{1}\" --allow-root".format(
+ "\'https://{1}\' --allow-root".format(
 WOVariables.wo_wpcli_path, wo_domain))
 except CommandExecutionError as e:
 Log.debug(self, "{0}".format(e))
diff --git a/wo/cli/plugins/stack.py b/wo/cli/plugins/stack.py
index 7ac863b..bb5efe3 100644
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
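Review bot: Swapping the double quotes for single quotes around `https://{1}` does not make the interpolated `wo_domain` safe if `WOShellExec.cmd_exec` hands the string to a shell, because a value containing `'` still breaks out of the quoting and whatever follows runs with `--allow-root`; quote the value rather than the template, e.g. `"php {0} option update siteurl {1} --allow-root".format(WOVariables.wo_wpcli_path, shlex.quote("https://" + wo_domain))` (with `import shlex` at file top), and the same for the `home` call. Whether cmd_exec goes through a shell is not visible here, and if WordOps already validates domains against a strict hostname pattern before this point the quoting is belt-and-braces, but it costs nothing. site_url_https starts before this hunk and continues after it.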
@@ -1042,6 +1042,49 @@ class WOStackController(CementBaseController):
 "PassivePorts " " " " 49000 50000")
+ # proftpd TLS configuration
+ if not os.path.isdir("/etc/proftpd/ssl"):
+ os.makedirs("/etc/proftpd/ssl")
+ try:
+ WOShellExec.cmd_exec(self, "openssl genrsa -out "
+ "/etc/proftpd/ssl/proftpd.key 2048")
+ WOShellExec.cmd_exec(self, "openssl req -new -batch "
+ "-subj /commonName=localhost/ "
+ "-key /etc/proftpd/ssl/proftpd.key "
+ "-out /etc/proftpd/ssl/proftpd.csr")
+ WOFileUtils.mvfile(self, "/etc/proftpd/ssl/proftpd.key",
+ "/etc/proftpd/ssl/proftpd.key.org")
+ WOShellExec.cmd_exec(self, "openssl rsa -in "
+ "/etc/proftpd/ssl/proftpd.key.org"
+ "-out /etc/proftpd/ssl/"
+ "proftpd/proftpd.key")
+ WOShellExec.cmd_exec(self, "openssl x509 -req -days "
+ "3652 -in /etc/proftpd/ssl/"
+ "proftpd.csr"
+ "-signkey /etc/proftpd/ssl/"
+ "proftpd.key"
+ " -out /etc/proftpd/ssl/proftpd.crt")
+ except CommandExecutionError as e:
+ Log.debug(self, "{0}".format(e))
+ Log.error(
+ self, "Failed to generate SSL "
+ "certificate for Proftpd")
+ WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.key", 0o600)
+ WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.crt", 0o600)
+ data = dict()
+ Log.debug(self, 'Writting the proftpd configuration to '
+ 'file /etc/proftpd/tls.conf')
+ wo_proftpdconf = open('/etc/proftpd/tls.conf',
+ encoding='utf-8', mode='w')
+ self.app.render((data), 'proftpd-tls.mustache',
+ out=wo_proftpdconf)
+ wo_proftpdconf.close()
+ WOFileUtils.searchreplace(self, "/etc/proftpd/"
+ "proftpd.conf",
+ "#Include /etc/proftpd/tls.conf",
+ "Include /etc/proftpd/tls.conf")
+ WOService.restart_service(self, 'proftpd')
+
 # add rule for proftpd with UFW
 if WOAptGet.is_installed(self, 'ufw'):
 try:
diff --git a/wo/cli/templates/proftpd-tls.mustache b/wo/cli/templates/proftpd-tls.mustache
new file mode 100644
index 0000000..6e3f9cf
--- /dev/null
+++ b/wo/cli/templates/proftpd-tls.mustache
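Review bot: The `openssl rsa` and `openssl x509` commands are assembled from adjacent string literals with no separating space, so the shell receives `.../proftpd.key.org-out /etc/proftpd/ssl/proftpd/proftpd.key` and `.../proftpd.csr-signkey ...` as single tokens, and the rsa step additionally targets a `proftpd/` subdirectory that is never created; both fail, the handler logs `Failed to generate SSL certificate for Proftpd`, and the chmod calls below then run against a key that was already moved to `proftpd.key.org`. The whole `mvfile` + `openssl rsa` detour is unnecessary because `genrsa` is invoked without a cipher option and so already writes an unencrypted key, while its `.key.org` copy is left behind with umask-default permissions and is never chmod'd or removed. Generating key and certificate in one `openssl req -x509 -nodes` call, creating `/etc/proftpd/ssl` with mode 0o700 and chmod'ing immediately afterwards removes the stray copy and shortens the window in which the private key is readable at default permissions; the CN=localhost self-signed certificate also deserves a comment saying FTPS clients will not validate it and it should be replaced with the site's real certificate. The `open()`/`close()` pair for `/etc/proftpd/tls.conf` should be a `with` block so the handle is closed if `render` raises. The enclosing method starts and ends outside the hunk.
```python
# proftpd TLS configuration: self-signed placeholder cert for CN=localhost;
# clients will not validate it, swap in the site's real cert/key afterwards
if not os.path.isdir("/etc/proftpd/ssl"):
    os.makedirs("/etc/proftpd/ssl", mode=0o700)
try:
    # one step: unencrypted key (-nodes) + self-signed cert, no intermediate
    # .key.org copy to leak and no split-string path assembly
    WOShellExec.cmd_exec(self, "openssl req -x509 -nodes -batch "
                         "-newkey rsa:2048 -days 3652 "
                         "-subj /commonName=localhost/ "
                         "-keyout /etc/proftpd/ssl/proftpd.key "
                         "-out /etc/proftpd/ssl/proftpd.crt")
except CommandExecutionError as e:
    Log.debug(self, "{0}".format(e))
    Log.error(self, "Failed to generate SSL certificate for Proftpd")
WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.key", 0o600)
WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.crt", 0o600)
# … unchanged: tls.conf rendering, Include enable, proftpd restart …
```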
@@ -0,0 +1,12 @@
+
+TLSEngine on
+TLSLog /var/log/proftpd/tls.log
+TLSProtocol TLSv1.2
+TLSCipherSuite AES256+EECDH:AES256+EDH
+TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
+TLSRSACertificateFile /etc/proftpd/ssl/proftpd.crt
+TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key
+TLSVerifyClient off
+TLSRequired on
+RequireValidShell no
+
\ No newline at end of file
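Review bot: `TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired` switches off two mod_tls protections: `NoSessionReuseRequired` drops the requirement that data connections reuse the control connection's TLS session, which is what binds a data transfer to the authenticated control channel, and `AllowClientRenegotiations` permits client-initiated renegotiation, which is mainly a DoS vector. If a specific client needs them, record which one in a comment above the line, e.g. `# NoSessionReuseRequired/AllowClientRenegotiations: required by <client>; drop once it supports session reuse`; otherwise keep only `NoCertRequest`. A header comment should also say this file is pulled in through the `Include /etc/proftpd/tls.conf` line that stack.py enables, and that `RequireValidShell no` is an account-policy directive rather than part of the TLS setup. Since the certificate referenced by `TLSRSACertificateFile` is self-signed for CN=localhost, a comment telling admins to replace it with a CA-issued one would save support questions.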