new changes

YakPanel-server/backend/app/api/backup.py

@@ -27,6 +27,9 @@ class CreateBackupPlanRequest(BaseModel):
     target_id: int
     schedule: str  # cron, e.g. "0 2 * * *"
     enabled: bool = True
+    s3_bucket: str = ""
+    s3_endpoint: str = ""
+    s3_key_prefix: str = ""
 
 
 @router.get("/plans")
@@ -45,6 +48,9 @@ async def backup_plans_list(
             "target_id": r.target_id,
             "schedule": r.schedule,
             "enabled": r.enabled,
+            "s3_bucket": getattr(r, "s3_bucket", None) or "",
+            "s3_endpoint": getattr(r, "s3_endpoint", None) or "",
+            "s3_key_prefix": getattr(r, "s3_key_prefix", None) or "",
         }
         for r in rows
     ]
@@ -79,6 +85,9 @@ async def backup_plan_create(
         target_id=body.target_id,
         schedule=body.schedule,
         enabled=body.enabled,
+        s3_bucket=(body.s3_bucket or "")[:256],
+        s3_endpoint=(body.s3_endpoint or "")[:512],
+        s3_key_prefix=(body.s3_key_prefix or "")[:256],
     )
     db.add(plan)
     await db.commit()
@@ -107,6 +116,9 @@ async def backup_plan_update(
     plan.target_id = body.target_id
     plan.schedule = body.schedule
     plan.enabled = body.enabled
+    plan.s3_bucket = (body.s3_bucket or "")[:256]
+    plan.s3_endpoint = (body.s3_endpoint or "")[:512]
+    plan.s3_key_prefix = (body.s3_key_prefix or "")[:256]
     await db.commit()
     return {"status": True, "msg": "Updated"}
 
@@ -143,6 +155,27 @@ def _run_site_backup(site: Site) -> tuple[bool, str, str | None]:
         return False, str(e), None
 
 
+def _maybe_upload_s3(local_file: str, plan: BackupPlan) -> tuple[bool, str]:
+    """Copy backup file to S3-compatible bucket if plan.s3_bucket set. Uses AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY."""
+    bucket = (getattr(plan, "s3_bucket", None) or "").strip()
+    if not bucket or not os.path.isfile(local_file):
+        return True, ""
+    try:
+        import boto3
+    except ImportError:
+        return False, "boto3 not installed (pip install boto3)"
+    ep = (getattr(plan, "s3_endpoint", None) or "").strip() or None
+    prefix = (getattr(plan, "s3_key_prefix", None) or "").strip().strip("/")
+    key_base = os.path.basename(local_file)
+    key = f"{prefix}/{key_base}" if prefix else key_base
+    try:
+        client = boto3.client("s3", endpoint_url=ep)
+        client.upload_file(local_file, bucket, key)
+        return True, f"s3://{bucket}/{key}"
+    except Exception as e:
+        return False, str(e)
+
+
 def _run_database_backup(dbo: Database) -> tuple[bool, str, str | None]:
     """Run database backup (sync). Returns (ok, msg, filename)."""
     cfg = get_runtime_config()
@@ -164,15 +197,17 @@ async def backup_run_scheduled(
     """Run all due backup plans. Call this from cron (e.g. every hour) or manually."""
     from datetime import datetime as dt
     now = dt.utcnow()
+    cfg = get_runtime_config()
     result = await db.execute(select(BackupPlan).where(BackupPlan.enabled == True))
     plans = result.scalars().all()
     results = []
     for plan in plans:
+        ok = False
+        msg = ""
         try:
             prev_run = croniter(plan.schedule, now).get_prev(dt)
-            # Run if we're within 15 minutes after the scheduled time
             secs_since = (now - prev_run).total_seconds()
-            if secs_since > 900 or secs_since < 0:  # Not within 15 min window
+            if secs_since > 900 or secs_since < 0:
                 continue
         except Exception:
             continue
@@ -183,6 +218,11 @@ async def backup_run_scheduled(
                 results.append({"plan": plan.name, "status": "skipped", "msg": "Site not found or path invalid"})
                 continue
             ok, msg, filename = _run_site_backup(site)
+            if ok and filename:
+                full = os.path.join(cfg["backup_path"], filename)
+                u_ok, u_msg = _maybe_upload_s3(full, plan)
+                if u_msg:
+                    msg = f"{msg}; {u_msg}" if u_ok else f"{msg}; S3 failed: {u_msg}"
             if ok:
                 send_email(
                     subject=f"YakPanel - Scheduled backup: {plan.name}",
@@ -195,6 +235,11 @@ async def backup_run_scheduled(
                 results.append({"plan": plan.name, "status": "skipped", "msg": "Database not found"})
                 continue
             ok, msg, filename = _run_database_backup(dbo)
+            if ok and filename:
+                full = os.path.join(cfg["backup_path"], "database", filename)
+                u_ok, u_msg = _maybe_upload_s3(full, plan)
+                if u_msg:
+                    msg = f"{msg}; {u_msg}" if u_ok else f"{msg}; S3 failed: {u_msg}"
             if ok:
                 send_email(
                     subject=f"YakPanel - Scheduled backup: {plan.name}",

YakPanel-server/backend/app/api/crontab.py

@@ -1,6 +1,9 @@
 """YakPanel - Crontab API"""
+import json
 import tempfile
 import os
+from pathlib import Path
+
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
@@ -14,6 +17,20 @@ from app.models.crontab import Crontab
 
 router = APIRouter(prefix="/crontab", tags=["crontab"])
 
+_CRON_TEMPLATES = Path(__file__).resolve().parent.parent / "data" / "cron_templates.json"
+
+
+@router.get("/templates")
+async def crontab_templates(current_user: User = Depends(get_current_user)):
+    """YakPanel starter cron templates (edit before apply; no external branding)."""
+    if not _CRON_TEMPLATES.is_file():
+        return {"templates": []}
+    try:
+        data = json.loads(_CRON_TEMPLATES.read_text(encoding="utf-8"))
+        return {"templates": data if isinstance(data, list) else []}
+    except (json.JSONDecodeError, OSError):
+        return {"templates": []}
+
 
 class CreateCrontabRequest(BaseModel):
     name: str = ""

YakPanel-server/backend/app/api/files.py

@@ -22,7 +22,7 @@ def _resolve_path(path: str) -> str:
     Resolve API path to an OS path.
 
     On Linux/macOS: path is an absolute POSIX path from filesystem root (/) so admins
-    can browse the whole server (same expectation as BT/aaPanel-style panels).
+    can browse the whole server (typical expectation for a full-server admin file manager).
 
     On Windows (dev): paths stay sandboxed under www_root / setup_path.
     """

YakPanel-server/backend/app/api/ftp.py

@@ -1,5 +1,6 @@
 """YakPanel - FTP API"""
-from fastapi import APIRouter, Depends, HTTPException
+import os
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, func
 from pydantic import BaseModel
@@ -103,6 +104,25 @@ async def ftp_delete(
     return {"status": True, "msg": "FTP account deleted"}
 
 
+@router.get("/logs")
+async def ftp_logs(
+    lines: int = Query(default=200, ge=1, le=5000),
+    current_user: User = Depends(get_current_user),
+):
+    """Tail common Pure-FTPd log paths if readable (non-destructive)."""
+    candidates = [
+        "/var/log/pure-ftpd/pure-ftpd.log",
+        "/var/log/pureftpd.log",
+        "/var/log/messages",
+    ]
+    for path in candidates:
+        if os.path.isfile(path):
+            out, err = exec_shell_sync(f'tail -n {int(lines)} "{path}" 2>/dev/null', timeout=15)
+            text = (out or "") + (err or "")
+            return {"path": path, "content": text[-800000:] or "(empty)"}
+    return {"path": None, "content": "No known FTP log file found on this server."}
+
+
 @router.get("/count")
 async def ftp_count(
     current_user: User = Depends(get_current_user),

YakPanel-server/backend/app/api/security.py

@@ -0,0 +1,78 @@
+"""YakPanel - read-only security checklist (local server probes)."""
+import os
+import re
+
+from fastapi import APIRouter, Depends
+
+from app.api.auth import get_current_user
+from app.models.user import User
+from app.core.utils import read_file, exec_shell_sync
+
+router = APIRouter(prefix="/security", tags=["security"])
+
+
+@router.get("/checklist")
+async def security_checklist(current_user: User = Depends(get_current_user)):
+    """Non-destructive hints: SSH config, firewall helper, fail2ban. Not a full audit."""
+    items: list[dict] = []
+    sshd = "/etc/ssh/sshd_config"
+    body = read_file(sshd) if os.path.isfile(sshd) else None
+    if isinstance(body, str) and body:
+        if re.search(r"^\s*PasswordAuthentication\s+no\s*$", body, re.MULTILINE | re.IGNORECASE):
+            items.append({
+                "id": "ssh_password_auth",
+                "ok": True,
+                "title": "SSH password auth",
+                "detail": "PasswordAuthentication appears set to no (prefer key-based login).",
+            })
+        elif re.search(r"^\s*PasswordAuthentication\s+yes", body, re.MULTILINE | re.IGNORECASE):
+            items.append({
+                "id": "ssh_password_auth",
+                "ok": False,
+                "title": "SSH password auth",
+                "detail": "PasswordAuthentication is yes — consider disabling and using SSH keys.",
+            })
+        else:
+            items.append({
+                "id": "ssh_password_auth",
+                "ok": None,
+                "title": "SSH password auth",
+                "detail": "Could not find an explicit PasswordAuthentication line (defaults depend on distro).",
+            })
+    else:
+        items.append({
+            "id": "ssh_password_auth",
+            "ok": None,
+            "title": "SSH password auth",
+            "detail": "/etc/ssh/sshd_config not readable from the panel process.",
+        })
+
+    ufw_out, _ = exec_shell_sync("ufw status 2>/dev/null", timeout=5)
+    ufw = ufw_out or ""
+    if "Status: active" in ufw:
+        items.append({"id": "ufw", "ok": True, "title": "UFW firewall", "detail": "UFW reports active."})
+    elif "Status: inactive" in ufw:
+        items.append({
+            "id": "ufw",
+            "ok": None,
+            "title": "UFW firewall",
+            "detail": "UFW installed but inactive — enable if this host is public.",
+        })
+    else:
+        items.append({
+            "id": "ufw",
+            "ok": None,
+            "title": "UFW firewall",
+            "detail": "UFW not detected (OK if you use firewalld/iptables only).",
+        })
+
+    f2_out, _ = exec_shell_sync("systemctl is-active fail2ban 2>/dev/null", timeout=5)
+    f2_active = (f2_out or "").strip() == "active"
+    items.append({
+        "id": "fail2ban",
+        "ok": f2_active,
+        "title": "fail2ban",
+        "detail": "fail2ban is active." if f2_active else "fail2ban not active (optional hardening).",
+    })
+
+    return {"items": items, "disclaimer": "YakPanel reads local settings only; this is not a compliance scan."}

YakPanel-server/backend/app/api/site.py

@@ -29,6 +29,11 @@ class CreateSiteRequest(BaseModel):
     ps: str = ""
     php_version: str = "74"
     force_https: bool = False
+    proxy_upstream: str = ""
+    proxy_websocket: bool = False
+    dir_auth_path: str = ""
+    dir_auth_user_file: str = ""
+    php_deny_execute: bool = False
 
 
 class UpdateSiteRequest(BaseModel):
@@ -37,6 +42,11 @@ class UpdateSiteRequest(BaseModel):
     ps: str | None = None
     php_version: str | None = None
     force_https: bool | None = None
+    proxy_upstream: str | None = None
+    proxy_websocket: bool | None = None
+    dir_auth_path: str | None = None
+    dir_auth_user_file: str | None = None
+    php_deny_execute: bool | None = None
 
 
 @router.get("/list")
@@ -66,6 +76,11 @@ async def site_create(
         ps=body.ps,
         php_version=body.php_version or "74",
         force_https=1 if body.force_https else 0,
+        proxy_upstream=(body.proxy_upstream or "").strip(),
+        proxy_websocket=1 if body.proxy_websocket else 0,
+        dir_auth_path=(body.dir_auth_path or "").strip(),
+        dir_auth_user_file=(body.dir_auth_user_file or "").strip(),
+        php_deny_execute=1 if body.php_deny_execute else 0,
     )
     if not result["status"]:
         raise HTTPException(status_code=400, detail=result["msg"])
@@ -126,12 +141,22 @@ async def site_update(
 ):
     """Update site domains, path, or note"""
     result = await update_site(
-        db, site_id,
+        db,
+        site_id,
         path=body.path,
         domains=body.domains,
         ps=body.ps,
         php_version=body.php_version,
         force_https=None if body.force_https is None else (1 if body.force_https else 0),
+        proxy_upstream=body.proxy_upstream,
+        proxy_websocket=None
+        if body.proxy_websocket is None
+        else (1 if body.proxy_websocket else 0),
+        dir_auth_path=body.dir_auth_path,
+        dir_auth_user_file=body.dir_auth_user_file,
+        php_deny_execute=None
+        if body.php_deny_execute is None
+        else (1 if body.php_deny_execute else 0),
     )
     if not result["status"]:
         raise HTTPException(status_code=400, detail=result["msg"])

YakPanel-server/backend/app/api/ssl.py

@@ -5,6 +5,7 @@ import shutil
 import socket
 import subprocess
 import sys
+import tempfile
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
@@ -403,9 +404,42 @@ async def ssl_diagnostics(current_user: User = Depends(get_current_user)):
             "127.0.0.1:443 accepts TCP, but nginx -T from panel binaries did not show listen 443 — another process may own 443; check ss -tlnp and which nginx serves port 80."
         )
 
+    debian_sites = os.path.isdir("/etc/nginx/sites-available")
+    rhel_conf = os.path.isdir("/etc/nginx/conf.d")
+    layout = "unknown"
+    if debian_sites:
+        layout = "debian_sites_available"
+    elif rhel_conf:
+        layout = "rhel_conf_d"
+    drop_deb = "/etc/nginx/sites-available/yakpanel-vhosts.conf"
+    drop_rhel = "/etc/nginx/conf.d/yakpanel-vhosts.conf"
+    nginx_wizard = {
+        "detected_layout": layout,
+        "include_snippet": include_snippet,
+        "dropin_file_suggested": drop_deb if debian_sites else drop_rhel,
+        "debian": {
+            "sites_available_file": drop_deb,
+            "sites_enabled_symlink": "/etc/nginx/sites-enabled/yakpanel-vhosts.conf",
+            "steps": [
+                f"printf '%s\\n' '{include_snippet}' | sudo tee {drop_deb}",
+                f"sudo ln -sf {drop_deb} /etc/nginx/sites-enabled/yakpanel-vhosts.conf",
+                "sudo nginx -t && sudo systemctl reload nginx",
+            ],
+        },
+        "rhel": {
+            "conf_d_file": drop_rhel,
+            "steps": [
+                f"printf '%s\\n' '{include_snippet}' | sudo tee {drop_rhel}",
+                "sudo nginx -t && sudo systemctl reload nginx",
+            ],
+        },
+        "note": "Run the steps for your distro as root. The include line must appear inside the main http { } context (conf.d files do automatically).",
+    }
+
     return {
         "vhost_dir": vhost_dir,
         "include_snippet": include_snippet,
+        "nginx_wizard": nginx_wizard,
         "vhosts": vhost_summaries,
         "any_vhost_listen_ssl": any_vhost_443,
         "nginx_effective_listen_443": effective_listen_443,
@@ -417,6 +451,132 @@ async def ssl_diagnostics(current_user: User = Depends(get_current_user)):
     }
 
 
+class DnsCertCloudflareRequest(BaseModel):
+    domain: str
+    email: str
+    api_token: str
+
+
+class DnsManualInstructionsRequest(BaseModel):
+    domain: str
+
+
+@router.post("/dns-request/cloudflare")
+async def ssl_dns_cloudflare_cert(
+    body: DnsCertCloudflareRequest,
+    current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    """Request Let's Encrypt certificate using DNS-01 via Cloudflare (requires certbot-dns-cloudflare)."""
+    dom = (body.domain or "").split(":")[0].strip()
+    if not dom or ".." in dom or not body.email or not body.api_token:
+        raise HTTPException(status_code=400, detail="domain, email, and api_token required")
+    result_dom = await db.execute(select(Domain).where(Domain.name == dom).limit(1))
+    dom_row = result_dom.scalar_one_or_none()
+    if dom_row:
+        regen_pre = await regenerate_site_vhost(db, dom_row.pid)
+        if not regen_pre.get("status"):
+            raise HTTPException(
+                status_code=500,
+                detail="Cannot refresh nginx vhost: " + str(regen_pre.get("msg", "")),
+            )
+        ok_ngx, err_ngx = _reload_panel_and_common_nginx()
+        if not ok_ngx:
+            raise HTTPException(
+                status_code=500,
+                detail="Nginx reload failed: " + err_ngx,
+            )
+
+    prefix = _certbot_command()
+    if not prefix:
+        raise HTTPException(status_code=500, detail=_certbot_missing_message())
+
+    hostnames = await _le_hostnames_for_domain_row(db, dom_row, dom)
+    if not hostnames:
+        hostnames = [dom]
+    cred_lines = f'dns_cloudflare_api_token = {body.api_token.strip()}\n'
+    fd, cred_path = tempfile.mkstemp(suffix=".ini", prefix="yakpanel_cf_")
+    try:
+        os.write(fd, cred_lines.encode())
+        os.close(fd)
+        os.chmod(cred_path, 0o600)
+    except OSError as e:
+        try:
+            os.close(fd)
+        except OSError:
+            pass
+        raise HTTPException(status_code=500, detail=f"Cannot write credentials temp file: {e}") from e
+
+    base_flags = [
+        "--non-interactive",
+        "--agree-tos",
+        "--email",
+        body.email.strip(),
+        "--no-eff-email",
+        "--dns-cloudflare",
+        "--dns-cloudflare-credentials",
+        cred_path,
+    ]
+    cmd = prefix + ["certonly"] + base_flags
+    for h in hostnames:
+        cmd.extend(["-d", h])
+    env = environment_with_system_path()
+    try:
+        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=600, env=env)
+    except (FileNotFoundError, subprocess.TimeoutExpired) as e:
+        try:
+            os.unlink(cred_path)
+        except OSError:
+            pass
+        raise HTTPException(status_code=500, detail=str(e)) from e
+    finally:
+        try:
+            os.unlink(cred_path)
+        except OSError:
+            pass
+
+    if proc.returncode != 0:
+        err = (proc.stderr or proc.stdout or "").strip() or f"exit {proc.returncode}"
+        raise HTTPException(
+            status_code=500,
+            detail="certbot DNS failed. Install certbot-dns-cloudflare (pip or OS package) if missing. " + err[:6000],
+        )
+
+    if dom_row:
+        regen = await regenerate_site_vhost(db, dom_row.pid)
+        if not regen.get("status"):
+            return {
+                "status": True,
+                "msg": "Certificate issued but vhost regen failed: " + str(regen.get("msg", "")),
+                "output": (proc.stdout or "")[-2000:],
+            }
+
+    return {
+        "status": True,
+        "msg": "Certificate issued via Cloudflare DNS-01",
+        "output": (proc.stdout or "")[-2000:],
+    }
+
+
+@router.post("/dns-request/manual-instructions")
+async def ssl_dns_manual_instructions(
+    body: DnsManualInstructionsRequest,
+    current_user: User = Depends(get_current_user),
+):
+    """Return TXT record host for ACME DNS-01 (user creates record then runs certbot --manual)."""
+    d = (body.domain or "").split(":")[0].strip()
+    if not d or ".." in d:
+        raise HTTPException(status_code=400, detail="Invalid domain")
+    return {
+        "txt_record_name": f"_acme-challenge.{d}",
+        "certbot_example": (
+            f"sudo certbot certonly --manual --preferred-challenges dns --email you@example.com "
+            f"--agree-tos -d {d}"
+        ),
+        "note": "Certbot will display the exact TXT value to create. After DNS propagates, continue in the terminal.",
+    }
+
+
 @router.get("/certificates")
 async def ssl_list_certificates(current_user: User = Depends(get_current_user)):
     """List existing Let's Encrypt certificates"""