feat: Fix issue where added certificate domains become ineffective. (#8549)

2025-12-26 17:28:48 +08:00 · 2025-05-06 18:05:29 +08:00 · 2025-05-06 18:05:29 +08:00 · 16ec5fb997
commit 16ec5fb997
parent 47d9c996aa
12 changed files with 60 additions and 20 deletions
--- a/agent/app/service/website.go
+++ b/agent/app/service/website.go
@ -680,10 +680,6 @@ func (w WebsiteService) CreateWebsiteDomain(create request.WebsiteDomainCreate)
 		_ = OperateFirewallPort(nil, addPorts)
 	}()

-	if err = addListenAndServerName(website, domainModels); err != nil {
-		return nil, err
-	}
-
 	nginxInstall, err := getAppInstallByKey(constant.AppOpenresty)
 	if err != nil {
 		return nil, err
@ -729,6 +725,10 @@ func (w WebsiteService) CreateWebsiteDomain(create request.WebsiteDomainCreate)
 		}
 	}

+	if err = addListenAndServerName(website, domainModels); err != nil {
+		return nil, err
+	}
+
 	return domainModels, websiteDomainRepo.BatchCreate(context.TODO(), domainModels)
 }

@ -1037,6 +1037,9 @@ func (w WebsiteService) OpWebsiteHTTPS(ctx context.Context, req request.WebsiteH
 		if err != nil {
 			return nil, err
 		}
+		if websiteModel.Pem == "" {
+			return nil, buserr.New("ErrSSLValid")
+		}
 		website.WebsiteSSLID = websiteModel.ID
 		res.SSL = *websiteModel
 		websiteSSL = *websiteModel
--- a/agent/app/service/website_utils.go
+++ b/agent/app/service/website_utils.go
@ -531,10 +531,17 @@ func addListenAndServerName(website model.Website, domains []model.WebsiteDomain
 	server := config.FindServers()[0]
 	http3 := isHttp3(server)

+	var allDomains []string
+	existDomains, _ := websiteDomainRepo.GetBy(websiteDomainRepo.WithWebsiteId(website.ID))
+	for _, domain := range existDomains {
+		allDomains = append(allDomains, domain.Domain)
+	}
+
 	for _, domain := range domains {
 		setListen(server, strconv.Itoa(domain.Port), website.IPV6, http3, website.DefaultServer, website.Protocol == constant.ProtocolHTTPS && domain.SSL)
-		server.UpdateServerName([]string{domain.Domain})
+		allDomains = append(allDomains, domain.Domain)
 	}
+	server.UpdateServerName(allDomains)

 	if err = nginx.WriteConfig(config, nginx.IndentedStyle); err != nil {
 		return err
@ -665,10 +672,14 @@ func applySSL(website *model.Website, websiteSSL model.WebsiteSSL, req request.W
 		return nil
 	}
 	noDefaultPort := true
+	httpPorts := make(map[int]struct{})
 	for _, domain := range domains {
 		if domain.Port == 80 {
 			noDefaultPort = false
 		}
+		if domain.Port != 80 && !domain.SSL {
+			httpPorts[domain.Port] = struct{}{}
+		}
 	}
 	config := nginxFull.SiteConfig.Config
 	server := config.FindServers()[0]
@ -681,6 +692,9 @@ func applySSL(website *model.Website, websiteSSL model.WebsiteSSL, req request.W
 	httpPortIPV6 := "[::]:" + httpPort

 	for _, port := range httpsPort {
+		if _, ok := httpPorts[port]; !ok {
+			server.DeleteListen(strconv.Itoa(port))
+		}
 		setListen(server, strconv.Itoa(port), website.IPV6, req.Http3, website.DefaultServer, true)
 	}

@ -714,10 +728,10 @@ func applySSL(website *model.Website, websiteSSL model.WebsiteSSL, req request.W
 	}
 	if !req.Http3 {
 		for _, port := range httpsPort {
-			server.RemoveListen(strconv.Itoa(port), "quic", "reuseport")
+			server.RemoveListen(strconv.Itoa(port), "quic")
 			if website.IPV6 {
 				httpsPortIPV6 := "[::]:" + strconv.Itoa(port)
-				server.RemoveListen(httpsPortIPV6, "quic", "reuseport")
+				server.RemoveListen(httpsPortIPV6, "quic")
 			}
 		}
 		server.RemoveDirective("add_header", []string{"Alt-Svc"})
--- a/agent/i18n/lang/en.yaml
+++ b/agent/i18n/lang/en.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'default is a reserved code, please use another code'
 ErrParentWebsite: 'You need to delete the subsite {{ .name }} first'
 ErrBuildDirNotFound: 'The build directory does not exist'
 ErrImageNotExist: 'The operating environment {{ .name }} image does not exist, please re-edit the operating environment'
+ErrProxyIsUsed: "Load balancing has been used by reverse proxy, cannot be deleted"
+ErrSSLValid: 'Certificate file is abnormal, please check the certificate status!'

 #ssl
 ErrSSLCannotDelete: 'The {{ .name }} certificate is being used by a website and cannot be deleted'
--- a/agent/i18n/lang/ja.yaml
+++ b/agent/i18n/lang/ja.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'デフォルトは予約済みのコードです。別のコ
 ErrParentWebsite: 'まずサブサイト {{ .name }} を削除する必要があります'
 ErrBuildDirNotFound: 'ビルド ディレクトリが存在しません'
 ErrImageNotExist: 'オペレーティング環境 {{ .name }} イメージが存在しません。オペレーティング環境を再編集してください'
+ErrProxyIsUsed: "ロードバランシングはリバースプロキシによって使用されているため、削除できません"
+ErrSSLValid: '証明書ファイルが異常です、証明書の状態を確認してください！'

 #ssl
 ErrSSLCannotDelete: '{{ .name }} 証明書は Web サイトで使用されているため、削除できません'
--- a/agent/i18n/lang/ko.yaml
+++ b/agent/i18n/lang/ko.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: '기본값은 예약된 코드입니다. 다른 코드를 사
 ErrParentWebsite: '먼저 하위 사이트 {{ .name }}을 삭제해야 합니다.'
 ErrBuildDirNotFound: '빌드 디렉토리가 존재하지 않습니다'
 ErrImageNotExist: '운영 환경 {{ .name }} 이미지가 존재하지 않습니다. 운영 환경을 다시 편집하세요.'
+ErrProxyIsUsed: "로드 밸런싱이 역방향 프록시에 의해 사용되었으므로 삭제할 수 없습니다"
+ErrSSLValid: '인증서 파일에 문제가 있습니다. 인증서 상태를 확인하세요!'

 #SSL인증
 ErrSSLCannotDelete: '{{ .name }} 인증서는 웹사이트에서 사용 중이므로 삭제할 수 없습니다.'
--- a/agent/i18n/lang/ms.yaml
+++ b/agent/i18n/lang/ms.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'lalai ialah kod simpanan, sila gunakan kod lain'
 ErrParentWebsite: 'Anda perlu memadamkan subtapak {{ .name }} dahulu'
 ErrBuildDirNotFound: 'Direktori binaan tidak wujud'
 ErrImageNotExist: 'Imej persekitaran operasi {{ .name }} tidak wujud, sila edit semula persekitaran pengendalian'
+ErrProxyIsUsed: "Pengimbang beban telah digunakan oleh pengganti terbalik, tidak boleh dipadamkan"
+ErrSSLValid: 'Fail sijil bermasalah, sila periksa status sijil!'

 #ssl
 ErrSSLCannotDelete: 'Sijil {{ .name }} sedang digunakan oleh tapak web dan tidak boleh dipadamkan'
--- a/agent/i18n/lang/pt-BR.yaml
+++ b/agent/i18n/lang/pt-BR.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'padrão é um código reservado, use outro código'
 ErrParentWebsite: 'Você precisa excluir o subsite {{ .name }} primeiro'
 ErrBuildDirNotFound: 'O diretório de compilação não existe'
 ErrImageNotExist: 'A imagem do ambiente operacional {{ .name }} não existe, edite novamente o ambiente operacional'
+ErrProxyIsUsed: "Balanceamento de carga foi usado por proxy reverso, não pode ser excluído"
+ErrSSLValid: 'O arquivo do certificado está anormal, verifique o status do certificado!'

 #ssl
 ErrSSLCannotDelete: 'O certificado {{ .name }} está sendo usado por um site e não pode ser excluído'
--- a/agent/i18n/lang/ru.yaml
+++ b/agent/i18n/lang/ru.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'по умолчанию зарезервирован код,
 ErrParentWebsite: 'Сначала вам необходимо удалить дочерний сайт {{ .name }}'
 ErrBuildDirNotFound: 'Каталог сборки не существует'
 ErrImageNotExist: 'Образ операционной среды {{ .name }} не существует, пожалуйста, отредактируйте операционную среду заново'
+ErrProxyIsUsed: "Балансировка нагрузки используется обратным прокси, невозможно удалить"
+ErrSSLValid: 'Файл сертификата аномален, проверьте статус сертификата!'

 #ssl
 ErrSSLCannotDelete: 'Сертификат {{ .name }} используется веб-сайтом и не может быть удален'
--- a/agent/i18n/lang/zh-Hant.yaml
+++ b/agent/i18n/lang/zh-Hant.yaml
@ -118,6 +118,8 @@ ErrDefaultAlias: 'default 為保留代號，請使用其他代號'
 ErrParentWebsite: '需要先移除子網站{{ .name }}'
 ErrBuildDirNotFound: '建置目錄不存在'
 ErrImageNotExist: '執行環境{{ .name }} 映像不存在，請重新編輯執行環境'
+ErrProxyIsUsed: "負載均衡已被反向代理使用，無法刪除"
+ErrSSLValid: '證書文件異常，請檢查證書狀態！'

 #ssl
 ErrSSLCannotDelete: '{{ .name }} 憑證正在被網站使用，無法刪除'
--- a/agent/i18n/lang/zh.yaml
+++ b/agent/i18n/lang/zh.yaml
@ -118,6 +118,7 @@ ErrParentWebsite: "需要先删除子网站 {{ .name }}"
 ErrBuildDirNotFound: "构建目录不存在"
 ErrImageNotExist: "运行环境 {{ .name }} 镜像不存在，请重新编辑运行环境"
 ErrProxyIsUsed: "负载均衡已被反向代理使用，无法删除"
+ErrSSLValid: '证书文件异常，请检查证书状态！'

 #ssl
 ErrSSLCannotDelete: "{{ .name }} 证书正在被网站使用，无法删除"
--- a/frontend/src/views/website/runtime/php/index.vue
+++ b/frontend/src/views/website/runtime/php/index.vue
@ -100,7 +100,7 @@
        <Extensions ref="extensionsRef" @close="search" />
        <AppResources ref="checkRef" @close="search" />
        <ExtManagement ref="extManagementRef" />
-        <ComposeLogs ref="composeLogRef" :highlightDiff="400" />
+        <ComposeLogs ref="composeLogRef" :highlightDiff="200" />
        <Config ref="configRef" />
        <Supervisor ref="supervisorRef" />
    </div>
--- a/frontend/src/views/website/website/config/basic/https/index.vue
+++ b/frontend/src/views/website/website/config/basic/https/index.vue
@ -73,6 +73,7 @@
                                    :key="index"
                                    :label="ssl.primaryDomain"
                                    :value="ssl.id"
+                                    :disabled="ssl.pem === ''"
                                ></el-option>
                            </el-select>
                        </el-form-item>
@ -140,16 +141,13 @@
                    <el-divider content-position="left">{{ $t('website.SSLProConfig') }}</el-divider>
                    <el-form-item :label="$t('website.supportProtocol')" prop="SSLProtocol">
                        <el-checkbox-group v-model="form.SSLProtocol">
-                            <el-checkbox :label="'TLSv1.3'">{{ 'TLS 1.3' }}</el-checkbox>
-                            <el-checkbox :label="'TLSv1.2'">{{ 'TLS 1.2' }}</el-checkbox>
-                            <el-checkbox :label="'TLSv1.1'">{{ 'TLS 1.1' }}</el-checkbox>
-                            <el-checkbox :label="'TLSv1'">{{ 'TLS 1.0' }}</el-checkbox>
-                            <br />
-                            <el-checkbox :label="'SSLv3'">
-                                {{ 'SSL V3' + $t('website.notSecurity') }}
+                            <el-checkbox :value="'TLSv1.3'">{{ 'TLS 1.3' }}</el-checkbox>
+                            <el-checkbox :value="'TLSv1.2'">{{ 'TLS 1.2' }}</el-checkbox>
+                            <el-checkbox :value="'TLSv1.1'">
+                                {{ 'TLS 1.0' + $t('website.notSecurity') }}
                            </el-checkbox>
-                            <el-checkbox :label="'SSLv2'">
-                                {{ 'SSL V2' + $t('website.notSecurity') }}
+                            <el-checkbox :value="'TLSv1'">
+                                {{ 'TLS 1.1' + $t('website.notSecurity') }}
                            </el-checkbox>
                        </el-checkbox-group>
                    </el-form-item>
@ -209,7 +207,7 @@ const form = reactive({
    hsts: true,
    algorithm:
        'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED',
-    SSLProtocol: ['TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1'],
+    SSLProtocol: ['TLSv1.3', 'TLSv1.2'],
    httpsPort: '443',
    http3: false,
 });
@ -255,7 +253,12 @@ const listSSLs = () => {
                }
            }
            if (!exist) {
-                form.websiteSSLId = ssls.value[0].id;
+                for (const ssl of ssls.value) {
+                    if (ssl.pem != '') {
+                        form.websiteSSLId = ssl.id;
+                        break;
+                    }
+                }
            }
            changeSSl(form.websiteSSLId);
        } else {
@ -275,7 +278,12 @@ const changeSSl = (sslid: number) => {
    const res = ssls.value.filter((element: Website.SSL) => {
        return element.id == sslid;
    });
-    websiteSSL.value = res[0];
+    for (const r of res) {
+        if (r.pem != '') {
+            websiteSSL.value = r;
+            break;
+        }
+    }
 };

 const changeType = (type: string) => {