Tweaks to order of operation

core/sbin/sympl-filesystem-security

@@ -62,25 +62,28 @@ function secure_domain_dir()
 
     find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
 
-    setfacl -R -d -m u::rwx -m g::rwx -m o::rx "${domain}/public/"
+    find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)
 
-  fi
 
 
-  # Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
-  # By default this is left unprotected, and includes IP addresses which are classified
-  #   under GDPR as personally identifiable
+    # Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
+    # By default this is left unprotected, and includes IP addresses which are classified
+    #   under GDPR as personally identifiable
 
-  if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ]; then
-    if [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" 2> /dev/null ) != 0 ]; then
-      echo "# Prevent unauthorized access to stats
+    if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ]; then
+      if [ -d "${domain}/public/htdocs/stats/" ] && [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
+        echo "# Prevent unauthorized access to stats and enforce HTTPS
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 AuthType Basic
 AuthName \"Access Restricted\"
 AuthUserFile ${domain}/config/stats-htaccess
 Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
-    fi 
-  fi
+      fi 
+    fi
 
+  fi
 
   # Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.