noble

- Ubuntu 24.04 support.
- Some small fixes.

README.md

@@ -46,11 +46,12 @@ sudo httpauth -add
 ```
 
 ### Requirements
-* Ubuntu ~~24.04~~ or 22.04
+* Ubuntu 24.04 or 22.04
 
 
 ### Documentation
-For complete documentation, please [visit our site](https://webinoly.com/documentation/).
+For complete documentation: [English](https://webinoly.com/documentation/) | [Español](https://webinoly.com/es/documentacion/) | [
+繁體中文](https://webinoly.com/zh/shuo-ming-wen-jian/)
 
 
 ## Contributing

lib/general

@@ -4,12 +4,12 @@
 # Prevent 'tput' errors when running from Cron
 [[ -z $TERM || $TERM == "unknown" || $TERM == "dumb" ]] && export TERM=dumb
 
-readonly app_version="1.18.1"
+readonly app_version="1.18.2"
 readonly svr_version="1.9"
 readonly os_ubuntu_supported=(focal jammy noble) # https://ubuntu.com/about/release-cycle
 readonly php_supported=(7.4 8.0 8.1 8.2 8.3) # https://www.php.net/supported-versions.php
 readonly php_default="8.3"
-readonly mariadb_supported=(10.6 10.11 11.4) # https://mariadb.com/kb/en/mariadb-server-release-dates/
+readonly mariadb_supported=(10.11 11.4) # https://mariadb.com/kb/en/mariadb-server-release-dates/
 readonly mariadb_default="11.4"
 readonly mysql_supported=(8.0)
 readonly mysql_default="8.0"
@@ -175,6 +175,7 @@ check_mysql_version() {
 	echo $check
 }
 
+
 check_osname() {
 	if ! [[ $(lsb_release -i | cut -d':' -f 2 | xargs) == "Ubuntu" && $(check_ubuntu_release) == "true" ]]; then
 		echo "${red}" >&2
@@ -1569,14 +1570,24 @@ check_var() {
 
 	# PHP opcache validate timestamps
 	elif [[ $1 == "php-opcache-timestamps" ]]; then
-			local out="false"
-			[[ $(conf_read php-opcache-timestamps) == "true" ]] && local out="1"
-			[[ $(conf_read php-opcache-timestamps) == "false" ]] && local out="0"
+		[[ $(conf_read php-opcache-timestamps) == "false" ]] && local out="0" || local out="1"
 
 	# PHP opcache revalidate frequency
 	elif [[ $1 == "php-opcache-reval" ]]; then
 		[[ -n $(conf_read php-opcache-reval) && $(conf_read php-opcache-reval) =~ ^[0-9]+$ && $(conf_read php-opcache-reval) -ge 0 ]] && local out=$(conf_read php-opcache-reval) || local out="false"
 
+	# PHP disable_functions
+	elif [[ $1 == "php-disable-functions" ]]; then
+		if [[ -z $(conf_read php-disable-functions) ]]; then
+			local out="pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_listen,socket_create_listen,socket_read,socket_create_pair,stream_socket_server,proc_open,proc_close,proc_nice,proc_terminate,dl,link,highlight_file,show_source,diskfreespace,disk_free_space,getmyuid,popen,escapeshellcmd,symlink,shell_exec,exec,system,passthru"
+		else
+			local out=$(conf_read php-disable-functions)
+		fi
+
+	# PHP Fopen Wrappers
+	elif [[ $1 == "php-allow-url-fopen" ]]; then
+		[[ $(conf_read php-allow-url-fopen) == "true" ]] && local out="On" || local out="Off"
+
 	# Redis Memory
 	elif [[ $1 == "redis-max-mem" ]]; then
 		[[ -n $(conf_read redis-max-mem) && $(conf_read redis-max-mem) =~ ^[0-9]+$ && $(conf_read redis-max-mem) -le 100 ]] && local out=$(conf_read redis-max-mem) || local out=10
@@ -1969,6 +1980,13 @@ smtp_backup_recovery() {
 }
 
 
+# Compare versions format numbers!
+# Example: [[ $(version $VAR) -ge $(version "6.2.0") ]]
+version () {
+	echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'
+}
+
+
 help_message() {
 	echo ""
 	echo "${blu}${bol}Thanks for using Webinoly!${end}"

lib/install

@@ -494,6 +494,11 @@ php_optim() {
 	sudo sed -i -r "/^[;]?memory_limit =/c\memory_limit = ${phpmem}M" /etc/php/$ver/fpm/php.ini
 	sudo sed -i -r "/^[;]?max_input_vars =/c\max_input_vars = $(check_var php-max-input-vars)" /etc/php/$ver/fpm/php.ini
 
+	# Remove this non-sense restriction in the next stack update (1.10)
+	# We can not make it default because not all conf files have this option because it was included in a minor release (1.18.2)
+	[[ -n $(conf_read php-disable-functions) && $(conf_read php-disable-functions) != "off" ]] && sudo sed -i -r "/^[;]?disable_functions =/c\disable_functions = $(check_var php-disable-functions)" /etc/php/$ver/fpm/php.ini
+	[[ -n $(conf_read php-allow-url-fopen) ]] && sudo sed -i -r "/^[;]?allow_url_fopen =/c\allow_url_fopen = $(check_var php-allow-url-fopen)" /etc/php/$ver/fpm/php.ini
+
 	sudo sed -i -r "/^[;]?opcache.memory_consumption=/c\opcache.memory_consumption=$(check_var php-max-mem)" /etc/php/$ver/fpm/php.ini
 	sudo sed -i -r '/^[;]?opcache.interned_strings_buffer=/c\opcache.interned_strings_buffer=16' /etc/php/$ver/fpm/php.ini
 	sudo sed -i -r '/^[;]?opcache.max_accelerated_files=/c\opcache.max_accelerated_files=100000' /etc/php/$ver/fpm/php.ini

lib/webin

@@ -281,11 +281,13 @@ mysql_public_access() {
 
 	if [[ $mysql_public_access == "on" ]]; then
 		if [[ -z $bind ]]; then
+			cnf_delete bind-address
 			cnf_write skip-networking 0
 			cnf_write skip-bind-address
 			bind="true"
 
 		elif [[ $bind =~ ^(::|\*)$ || $(is_ip $bind) == "true" ]]; then
+			cnf_delete skip-bind-address
 			cnf_write skip-networking 0
 			cnf_write bind-address "$bind"
 
@@ -315,6 +317,7 @@ mysql_public_access() {
 				fi
 			fi
 
+			cnf_delete skip-bind-address
 			cnf_write skip-networking 0
 			cnf_write bind-address "$bind"
 		else
@@ -331,6 +334,7 @@ mysql_public_access() {
 	elif [[ $mysql_public_access == "off" ]]; then
 		cnf_delete skip-networking
 		cnf_delete skip-bind-address
+		cnf_delete bind-address
 		conf_write mysql-public-access false
 		echo "${gre}MySQL/MariaDB remote access successfully disabled!${end}"
 	fi

templates/general/conf

@@ -426,6 +426,22 @@
 #php-info:true
 
 
+# PHP Disable Functions
+# Values: <function>,<function>... (a comma-delimited list of function names)
+# Note: https://www.php.net/manual/en/ini.core.php#ini.disable-functions
+# Note: Use 'off' value to disable this security feature (not-recommended).
+# Note: This feature is utilized to help secure your websites and reduce your attack surface by preventing the execution of potentially risky PHP functions that could be exploited by attackers. Our default settings restrict access to specific PHP functions that aren't critical for the vast majority of websites.
+###########################
+php-disable-functions:pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_listen,socket_create_listen,socket_read,socket_create_pair,stream_socket_server,proc_open,proc_close,proc_nice,proc_terminate,dl,link,highlight_file,show_source,diskfreespace,disk_free_space,getmyuid,popen,escapeshellcmd,symlink,shell_exec,exec,system,passthru
+
+
+# PHP Fopen Wrappers (allow_url_fopen)
+# Values: boolean (true/false)
+# Default: false
+# Note: Determines whether PHP can retrieve URL objects, such as files. This functionality is typically disabled for security purposes, although certain scripts may require it to work correctly.
+php-allow-url-fopen:false
+
+
 # Redis maximum amount of memory before eviction policies
 # Values: numeric int (% < 100)
 # Default: 10

templates/nginx/nginx.conf

@@ -79,7 +79,7 @@ http {
 	##
 
 	log_format we_log '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
-		'$http_host "$request" $status $body_bytes_sent $request_time '
+		'$host "$request" $status $body_bytes_sent $request_time '
 		'"$http_referer" "$http_user_agent"';
 
 	log_format we_log_ext '$remote_addr - $remote_user [$time_local] "$request" '

usr/stack

@@ -731,8 +731,7 @@ elif [[ -n $mysql_ver ]]; then
 			echo "${gre}MySQL (MariaDB) $mysql_ver is currently installed!${end}"
 		elif [[ $(conf_read mysql) == "true" ]]; then
 			# Downgrades are not allowed - https://mariadb.com/kb/en/downgrading-between-major-versions-of-mariadb/
-			current_mysql_ver="$(conf_read mysql-ver)"
-			if [[ -n $current_mysql_ver && ${current_mysql_ver//.} -gt ${mysql_ver//.} ]]; then
+			if [[ $(version $(conf_read mysql-ver)) -gt $(version $mysql_ver) ]]; then
 				echo "${red}[ERROR] Downgrading MySQL/MariaDB is not supported!${end}"
 				exit 1
 			fi

weby

@@ -16,7 +16,7 @@ if [[ $2 == "-ver="* ]]; then
 fi
 
 # Supported: 22.04 Jammy and 24.04 Noble
-if [[ $distr != "Ubuntu" ]] || ! [[ $osver =~ ^(focal|jammy)$ ]]; then
+if [[ $distr != "Ubuntu" ]] || ! [[ $osver =~ ^(focal|jammy|noble)$ ]]; then
 	echo "$(tput setaf 1)"
 	echo "[ERROR] This OS is not supported by Webinoly and could not work properly. $(tput dim)(${distr} '${osver}')"
 	echo "$(tput sgr0)"