Minor changes

PDowney · web-flow · commit 205daa662546 · 2026-01-21T17:50:39.000-05:00
Added TLS 1.1 back to the config just to support legacy systems. TLS 1.1 will be disabled if the user enabled the high security SSL mode in EngineScript settings.
diff --git a/config/etc/nginx/globals/map-cache.conf b/config/etc/nginx/globals/map-cache.conf
@@ -110,7 +110,7 @@ map $request_uri $es_request_uri {
   "~*/edd-"                               1;  # Easy Digital Downloads
 
   # Block: Unsafe Files
-  #"~*\.(?:asc|aspx?|bak|bash|bat|blade(\.php)?|cfg|cgi|cmd|conf|csh|dll|dump|engine|env|exe|git(ignore)?|hg|inc|info|ini|install|jsp|log|lua|make|mdb|module|old|orig(inal)?|out|pem|pl|po|profile|py|rdf|save|sh|svn|swo|swp|test|theme|tpl|twig|woa|xtmpl)$" 2;
+  #"~*\.(?:asc|aspx?|bak|bash|bat|blade(\.php)?|cfg|cgi|cmd|conf|csh|dll|dump|engine|env|exe|git(ignore)?|hg|inc|info|ini|install|jsp|log|lua|make|md|mdb|module|old|orig(inal)?|out|pem|pl|po|profile|py|rdf|save|sh|svn|swo|swp|test|theme|tpl|twig|woa|xtmpl)$" 2;
   #"~*(Gemfile|Gruntfile|auth|composer|composer/installed|package|package-lock|yarn)\.(?:json|lock)$" 2;
   #"~*(changelog|example|installation|legalnotice|license|readme|wp-config)\.(?:html?|md|php|rst|txt)$" 2;
   #"~*gems\.(?:rb|locked)?$"               2;
diff --git a/config/etc/nginx/ssl/sslshared.conf b/config/etc/nginx/ssl/sslshared.conf
@@ -4,7 +4,7 @@ ssl_conf_command Options KTLS;
 ssl_dhparam /etc/nginx/ssl/dhe/ffdhe2048.pem;
 ssl_ecdh_curve X25519:P-256:P-384;
 ssl_prefer_server_ciphers off;
-ssl_protocols TLSv1.2 TLSv1.3;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_reject_handshake off;
 ssl_session_cache shared:SSL:5m;
 ssl_session_tickets on;
diff --git a/config/home/enginescript-install-options.txt b/config/home/enginescript-install-options.txt
@@ -40,6 +40,7 @@ INSTALL_ADMINER=0
 # Controls the SSL certificate keylength for all new domains.
 # 0 = Normal security (EC-256, 256-bit ECDSA certificate, fast and secure for most sites)
 # 1 = High security (EC-384, 384-bit ECDSA certificate, stronger encryption, slightly slower, recommended for high-security environments)
+#     Also disables TLS 1.1 in nginx (only TLS 1.2 and TLS 1.3 allowed)
 #
 # If unsure, leave as 0. Set to 1 only if you require maximum SSL strength.
 HIGH_SECURITY_SSL=0
diff --git a/scripts/functions/auto-upgrade/normal-auto-upgrade.sh b/scripts/functions/auto-upgrade/normal-auto-upgrade.sh
@@ -21,140 +21,3 @@ verify_installation_completion
 # Start Main Script
 
 # Upgrade Scripts will be found below:
-
-#----------------------------------------------------------------------------------
-# Migration: Admin Tools Directory Structure (2025-12-31)
-# 
-# Migrates admin tools from old /var/www/admin/enginescript/ structure
-# to new separated structure:
-#   - Control Panel: /var/www/admin/control-panel/
-#   - Tools: /var/www/admin/tools/
-#
-# This ensures phpMyAdmin and other tools survive EngineScript updates.
-#----------------------------------------------------------------------------------
-
-migrate_admin_tools() {
-    local OLD_ADMIN_DIR="/var/www/admin/enginescript"
-    local NEW_TOOLS_DIR="/var/www/admin/tools"
-    local NEW_PANEL_DIR="/var/www/admin/control-panel"
-    local MIGRATION_NEEDED=0
-
-    # Check if old directory structure exists
-    if [[ -d "$OLD_ADMIN_DIR" ]]; then
-        echo "============================================================="
-        echo "Admin Tools Migration: Detected old directory structure"
-        echo "============================================================="
-        
-        # Create new directories
-        mkdir -p "$NEW_TOOLS_DIR"
-        mkdir -p "$NEW_PANEL_DIR"
-        
-        # Migrate phpMyAdmin (preserve config!)
-        if [[ -d "$OLD_ADMIN_DIR/phpmyadmin" ]]; then
-            echo "Migrating phpMyAdmin..."
-            if [[ ! -d "$NEW_TOOLS_DIR/phpmyadmin" ]]; then
-                mv "$OLD_ADMIN_DIR/phpmyadmin" "$NEW_TOOLS_DIR/phpmyadmin"
-                echo "  ✓ phpMyAdmin migrated to $NEW_TOOLS_DIR/phpmyadmin"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ phpMyAdmin already exists in new location, skipping"
-            fi
-        fi
-        
-        # Migrate Adminer
-        if [[ -d "$OLD_ADMIN_DIR/adminer" ]]; then
-            echo "Migrating Adminer..."
-            if [[ ! -d "$NEW_TOOLS_DIR/adminer" ]]; then
-                mv "$OLD_ADMIN_DIR/adminer" "$NEW_TOOLS_DIR/adminer"
-                echo "  ✓ Adminer migrated to $NEW_TOOLS_DIR/adminer"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ Adminer already exists in new location, skipping"
-            fi
-        fi
-        
-        # Migrate TinyFileManager (preserve config!)
-        if [[ -d "$OLD_ADMIN_DIR/tinyfilemanager" ]]; then
-            echo "Migrating TinyFileManager..."
-            if [[ ! -d "$NEW_TOOLS_DIR/tinyfilemanager" ]]; then
-                mv "$OLD_ADMIN_DIR/tinyfilemanager" "$NEW_TOOLS_DIR/tinyfilemanager"
-                echo "  ✓ TinyFileManager migrated to $NEW_TOOLS_DIR/tinyfilemanager"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ TinyFileManager already exists in new location, skipping"
-            fi
-        fi
-        
-        # Migrate phpSysInfo
-        if [[ -d "$OLD_ADMIN_DIR/phpsysinfo" ]]; then
-            echo "Migrating phpSysInfo..."
-            if [[ ! -d "$NEW_TOOLS_DIR/phpsysinfo" ]]; then
-                mv "$OLD_ADMIN_DIR/phpsysinfo" "$NEW_TOOLS_DIR/phpsysinfo"
-                echo "  ✓ phpSysInfo migrated to $NEW_TOOLS_DIR/phpsysinfo"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ phpSysInfo already exists in new location, skipping"
-            fi
-        fi
-        
-        # Migrate phpinfo
-        if [[ -d "$OLD_ADMIN_DIR/phpinfo" ]]; then
-            echo "Migrating phpinfo..."
-            if [[ ! -d "$NEW_TOOLS_DIR/phpinfo" ]]; then
-                mv "$OLD_ADMIN_DIR/phpinfo" "$NEW_TOOLS_DIR/phpinfo"
-                echo "  ✓ phpinfo migrated to $NEW_TOOLS_DIR/phpinfo"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ phpinfo already exists in new location, skipping"
-            fi
-        fi
-        
-        # Migrate OpCache-GUI
-        if [[ -d "$OLD_ADMIN_DIR/opcache-gui" ]]; then
-            echo "Migrating OpCache-GUI..."
-            if [[ ! -d "$NEW_TOOLS_DIR/opcache-gui" ]]; then
-                mv "$OLD_ADMIN_DIR/opcache-gui" "$NEW_TOOLS_DIR/opcache-gui"
-                echo "  ✓ OpCache-GUI migrated to $NEW_TOOLS_DIR/opcache-gui"
-                MIGRATION_NEEDED=1
-            else
-                echo "  ℹ OpCache-GUI already exists in new location, skipping"
-            fi
-        fi
-        
-        # Set permissions on migrated tools
-        if [[ "$MIGRATION_NEEDED" -eq 1 ]]; then
-            echo "Setting permissions on migrated tools..."
-            chown -R www-data:www-data "$NEW_TOOLS_DIR"
-            find "$NEW_TOOLS_DIR" -type d -exec chmod 755 {} \;
-            find "$NEW_TOOLS_DIR" -type f -exec chmod 644 {} \;
-            
-            echo ""
-            echo "============================================================="
-            echo "Admin Tools Migration Complete!"
-            echo "============================================================="
-            echo ""
-            echo "Tools are now stored in: $NEW_TOOLS_DIR"
-            echo "Control panel is now in: $NEW_PANEL_DIR"
-            echo ""
-            echo "This separation ensures your tool configurations"
-            echo "(especially phpMyAdmin) survive future EngineScript updates."
-            echo "============================================================="
-            echo ""
-        fi
-        
-        # Clean up old directory if empty
-        if [[ -d "$OLD_ADMIN_DIR" ]]; then
-            # Check if directory is empty (only contains . and ..)
-            if [[ -z "$(ls -A "$OLD_ADMIN_DIR" 2>/dev/null)" ]]; then
-                rmdir "$OLD_ADMIN_DIR" 2>/dev/null || true
-                echo "Removed empty old admin directory: $OLD_ADMIN_DIR"
-            else
-                echo "Note: Old admin directory still contains files: $OLD_ADMIN_DIR"
-                echo "      Please review and remove manually if no longer needed."
-            fi
-        fi
-    fi
-}
-
-# Run migration check
-migrate_admin_tools
diff --git a/scripts/install/nginx/nginx-misc.sh b/scripts/install/nginx/nginx-misc.sh
@@ -22,6 +22,11 @@ source /usr/local/bin/enginescript/scripts/functions/shared/enginescript-common.
 cp -a /usr/local/bin/enginescript/config/etc/nginx/. /etc/nginx/
 sed -i "s|SEDPHPVER|${PHP_VER}|g" /etc/nginx/globals/php-fpm.conf
 
+# Disable TLS 1.1 if high security SSL is enabled
+if [[ "${HIGH_SECURITY_SSL}" == "1" ]]; then
+    sed -i 's|ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;|ssl_protocols TLSv1.2 TLSv1.3;|g' /etc/nginx/ssl/sslshared.conf
+fi
+
 # Enable unsafe file blocking if configured
 if [[ "${NGINX_BLOCK_UNSAFE_FILES}" == "1" ]]; then
     sed -i 's|^  #\("~\*\\.\(?:asc\|  \1|' /etc/nginx/globals/map-cache.conf

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ INSTALL_ADMINER=0`
`40`	`40`	`# Controls the SSL certificate keylength for all new domains.`
`41`	`41`	`# 0 = Normal security (EC-256, 256-bit ECDSA certificate, fast and secure for most sites)`
`42`	`42`	`# 1 = High security (EC-384, 384-bit ECDSA certificate, stronger encryption, slightly slower, recommended for high-security environments)`
	`43`	`+# Also disables TLS 1.1 in nginx (only TLS 1.2 and TLS 1.3 allowed)`
`43`	`44`	`#`
`44`	`45`	`# If unsure, leave as 0. Set to 1 only if you require maximum SSL strength.`
`45`	`46`	`HIGH_SECURITY_SSL=0`