new changes

2026-04-07 10:23:05 +05:30
parent 8a3e3ce04b
commit 09d0e2e033
5 changed files with 177 additions and 17 deletions
--- a/YakPanel-server/backend/app/services/site_service.py
+++ b/YakPanel-server/backend/app/services/site_service.py
@@ -83,6 +83,73 @@ def _best_ssl_for_hostnames(hostnames: list[str]) -> dict:
        return none


+def _letsencrypt_paths(hostname: str) -> tuple[str, str] | None:
+    """Return (fullchain, privkey) if Let's Encrypt files exist for this hostname."""
+    h = (hostname or "").strip().lower().split(":")[0]
+    if not h or ".." in h:
+        return None
+    base = os.path.join(LETSENCRYPT_LIVE, h)
+    fc = os.path.join(base, "fullchain.pem")
+    pk = os.path.join(base, "privkey.pem")
+    if os.path.isfile(fc) and os.path.isfile(pk):
+        return fc, pk
+    return None
+
+
+def _build_ssl_server_block(
+    server_names: str,
+    root_path: str,
+    logs_path: str,
+    site_name: str,
+    php_version: str,
+    fullchain: str,
+    privkey: str,
+    redirects: list[tuple[str, str, int]] | None,
+) -> str:
+    """Second server {} for HTTPS when LE certs exist."""
+    pv = php_version or "74"
+    redirect_lines: list[str] = []
+    for src, tgt, code in (redirects or []):
+        if src and tgt:
+            redirect_lines.append(f"    location = {src} {{ return {code} {tgt}; }}")
+    redirect_block = ("\n" + "\n".join(redirect_lines)) if redirect_lines else ""
+    q_fc = fullchain.replace("\\", "\\\\").replace('"', '\\"')
+    q_pk = privkey.replace("\\", "\\\\").replace('"', '\\"')
+    return (
+        f"server {{\n"
+        f"    listen 443 ssl;\n"
+        f"    server_name {server_names};\n"
+        f'    ssl_certificate "{q_fc}";\n'
+        f'    ssl_certificate_key "{q_pk}";\n'
+        f"    index index.php index.html index.htm default.php default.htm default.html;\n"
+        f"    root {root_path};\n"
+        f"    error_page 404 /404.html;\n"
+        f"    error_page 502 /502.html;\n"
+        f"    location ^~ /.well-known/acme-challenge/ {{\n"
+        f'        default_type "text/plain";\n'
+        f"        allow all;\n"
+        f"        try_files $uri =404;\n"
+        f"    }}\n"
+        f"{redirect_block}\n"
+        r"    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {" + "\n"
+        f"        expires 30d;\n"
+        f"        access_log off;\n"
+        f"    }}\n"
+        r"    location ~ .*\.(js|css)?$ {" + "\n"
+        f"        expires 12h;\n"
+        f"        access_log off;\n"
+        f"    }}\n"
+        r"    location ~ \.php$ {" + "\n"
+        f"        fastcgi_pass unix:/tmp/php-cgi-{pv}.sock;\n"
+        f"        fastcgi_index index.php;\n"
+        f"        include fastcgi.conf;\n"
+        f"    }}\n"
+        f"    access_log {logs_path}/{site_name}.log;\n"
+        f"    error_log {logs_path}/{site_name}.error.log;\n"
+        f"}}\n"
+    )
+
+
 def _render_vhost(
    template: str,
    server_names: str,
@@ -92,14 +159,32 @@ def _render_vhost(
    php_version: str,
    force_https: int,
    redirects: list[tuple[str, str, int]] | None = None,
+    le_hostnames: list[str] | None = None,
 ) -> str:
    """Render nginx vhost template. redirects: [(source, target, code), ...]"""
-    force_block = "return 301 https://$host$request_uri;" if force_https else ""
+    if force_https:
+        force_block = (
+            '    if ($request_uri !~ "^/.well-known/acme-challenge/") {\n'
+            "        return 301 https://$host$request_uri;\n"
+            "    }"
+        )
+    else:
+        force_block = ""
    redirect_lines = []
    for src, tgt, code in (redirects or []):
        if src and tgt:
            redirect_lines.append(f"    location = {src} {{ return {code} {tgt}; }}")
    redirect_block = "\n".join(redirect_lines) if redirect_lines else ""
+    hosts = le_hostnames if le_hostnames is not None else [p for p in server_names.split() if p]
+    ssl_block = ""
+    for h in hosts:
+        le = _letsencrypt_paths(h)
+        if le:
+            fc, pk = le
+            ssl_block = _build_ssl_server_block(
+                server_names, root_path, logs_path, site_name, php_version, fc, pk, redirects
+            )
+            break
    content = template.replace("{SERVER_NAMES}", server_names)
    content = content.replace("{ROOT_PATH}", root_path)
    content = content.replace("{LOGS_PATH}", logs_path)
@@ -107,6 +192,7 @@ def _render_vhost(
    content = content.replace("{PHP_VERSION}", php_version or "74")
    content = content.replace("{FORCE_HTTPS_BLOCK}", force_block)
    content = content.replace("{REDIRECTS_BLOCK}", redirect_block)
+    content = content.replace("{SSL_SERVER_BLOCK}", ssl_block)
    return content


@@ -183,7 +269,10 @@ async def create_site(
    if os.path.exists(template_path):
        template = read_file(template_path) or ""
        server_names = " ".join(d.split(":")[0] for d in domains)
-        content = _render_vhost(template, server_names, site_path, www_logs, name, php_version or "74", force_https or 0, [])
+        le_hosts = [d.split(":")[0] for d in domains]
+        content = _render_vhost(
+            template, server_names, site_path, www_logs, name, php_version or "74", force_https or 0, [], le_hosts
+        )
        write_file(conf_path, content)

    # Reload Nginx if available
@@ -337,7 +426,10 @@ async def update_site(
            fhttps = getattr(site, "force_https", 0) or 0
            redir_result = await db.execute(select(SiteRedirect).where(SiteRedirect.site_id == site.id))
            redirects = [(r.source, r.target, r.code or 301) for r in redir_result.scalars().all()]
-            content = _render_vhost(template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects)
+            le_hosts = [d.name for d in domain_rows]
+            content = _render_vhost(
+                template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects, le_hosts
+            )
            write_file(conf_path, content)
        nginx_bin = os.path.join(cfg["setup_path"], "nginx", "sbin", "nginx")
        if os.path.exists(nginx_bin):
@@ -411,7 +503,10 @@ async def regenerate_site_vhost(db: AsyncSession, site_id: int) -> dict:
    fhttps = getattr(site, "force_https", 0) or 0
    redir_result = await db.execute(select(SiteRedirect).where(SiteRedirect.site_id == site.id))
    redirects = [(r.source, r.target, r.code or 301) for r in redir_result.scalars().all()]
-    content = _render_vhost(template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects)
+    le_hosts = [d.name for d in domain_rows]
+    content = _render_vhost(
+        template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects, le_hosts
+    )
    write_file(conf_path, content)
    nginx_bin = os.path.join(cfg["setup_path"], "nginx", "sbin", "nginx")
    if os.path.exists(nginx_bin):