rkok/plesk_global_auto_prepend.sh

## plesk_global_auto_prepend.sh
#!/usr/bin/env bash
############################################################
# For every domain on a Plesk server:
#
#  - Sets a desired PHP auto_prepend_file
#  - Patches open_basedir (if necessary)
#  - Strips any Wordfence WAF open_basedir override (make sure your custom prepend file re-includes it!)
#
# Only tested on RedHat-like servers with Plesk Obsidian 18.0.52
# Use at your own risk
############################################################

set -e

# CHANGE THESE AS DESIRED
prepend_dir="/var/www/myprepend"
prepend_file="$prepend_dir/myprepend.php"

if [ ! -d "/opt/plesk/php" ]; then
  echo "Couldn't find PHP dir /opt/plesk/php" >&2
  exit 1
fi

php_ini_changed=0

echo "Configuring global auto_prepend_file ..."
for config in /opt/plesk/php/*/etc/php.ini; do
  echo -n "$config: "
  existing_prepend="$(cat $config | grep "^auto_prepend_file" | tr -d '\r' | cut -d= -f2)"
  if [ -n "$existing_prepend" ]; then
    if ! echo "$existing_prepend" | grep -q "$prepend_file"; then
      echo "Conflicting prepend: '$existing_prepend'" >&2
      exit 1
    else
      echo "Already configured"
    fi
  else
    new_prepend="auto_prepend_file=$prepend_file"
    echo "Adding $new_prepend ..."
    echo "$new_prepend" >> "$config"
    php_ini_changed=1
  fi
done

if [ "$php_ini_changed" == "1" ]; then
  ps -ef | grep -q lsphp && killall -9 lsphp || true
  systemctl | grep -q lshttpd && systemctl restart lshttpd
  systemctl | grep fpm | awk '{print $1}' | while read -r service; do
    systemctl restart "$service"
  done
fi

echo -e "\nConfiguring domains ..."
plesk db -N -e '
	select d.name domain, dp.val setting_id, p.value as open_basedir
	from psa.domains d
	join psa.dom_param dp on d.id = dp.dom_id and dp.param = "phpSettingsId"
	join psa.PhpSettingsParameters p on dp.val = p.id and p.name = "open_basedir";
' | while read -r domain setting_id open_basedir; do
  echo -e "\n********** $domain **********"

  webroot="/var/www/vhosts/$domain/httpdocs"
  if [ ! -d "$webroot" ]; then
    echo "Webroot not found: $webroot, skipping ..." >&2
    continue
  fi

  if [ "$open_basedir" == "none" ] || echo "$open_basedir" | grep -q "$prepend_dir"; then
    echo "Already configured"
  else
    new_open_basedir="$open_basedir{:}$prepend_dir"
    echo "Setting open_basedir=$new_open_basedir ..."
    plesk db -e "update PhpSettingsParameters set value='$new_open_basedir' where name = 'open_basedir' and id = $setting_id"
    echo "Triggering settings update ..."
    /usr/local/psa/bin/domain --update-php-settings "$domain"
  fi

  for file in $webroot/.{htaccess,user.ini}; do
    if [ -f "$file" ] && grep -q 'Wordfence WAF' "$file"; then
      echo "Stripping Wordfence WAF from $file ..."
      sed -i '/^[;#] Wordfence WAF/,/[;#] END Wordfence WAF/d' "$file"
    fi
  done
done
	#!/usr/bin/env bash
	############################################################
	# For every domain on a Plesk server:
	#
	# - Sets a desired PHP auto_prepend_file
	# - Patches open_basedir (if necessary)
	# - Strips any Wordfence WAF open_basedir override (make sure your custom prepend file re-includes it!)
	#
	# Only tested on RedHat-like servers with Plesk Obsidian 18.0.52
	# Use at your own risk
	############################################################

	set -e

	# CHANGE THESE AS DESIRED
	prepend_dir="/var/www/myprepend"
	prepend_file="$prepend_dir/myprepend.php"

	if [ ! -d "/opt/plesk/php" ]; then
	echo "Couldn't find PHP dir /opt/plesk/php" >&2
	exit 1
	fi

	php_ini_changed=0

	echo "Configuring global auto_prepend_file ..."
	for config in /opt/plesk/php/*/etc/php.ini; do
	echo -n "$config: "
	existing_prepend="$(cat $config \| grep "^auto_prepend_file" \| tr -d '\r' \| cut -d= -f2)"
	if [ -n "$existing_prepend" ]; then
	if ! echo "$existing_prepend" \| grep -q "$prepend_file"; then
	echo "Conflicting prepend: '$existing_prepend'" >&2
	exit 1
	else
	echo "Already configured"
	fi
	else
	new_prepend="auto_prepend_file=$prepend_file"
	echo "Adding $new_prepend ..."
	echo "$new_prepend" >> "$config"
	php_ini_changed=1
	fi
	done

	if [ "$php_ini_changed" == "1" ]; then
	ps -ef \| grep -q lsphp && killall -9 lsphp \|\| true
	systemctl \| grep -q lshttpd && systemctl restart lshttpd
	systemctl \| grep fpm \| awk '{print $1}' \| while read -r service; do
	systemctl restart "$service"
	done
	fi

	echo -e "\nConfiguring domains ..."
	plesk db -N -e '
	select d.name domain, dp.val setting_id, p.value as open_basedir
	from psa.domains d
	join psa.dom_param dp on d.id = dp.dom_id and dp.param = "phpSettingsId"
	join psa.PhpSettingsParameters p on dp.val = p.id and p.name = "open_basedir";
	' \| while read -r domain setting_id open_basedir; do
	echo -e "\n******** $domain ********"

	webroot="/var/www/vhosts/$domain/httpdocs"
	if [ ! -d "$webroot" ]; then
	echo "Webroot not found: $webroot, skipping ..." >&2
	continue
	fi

	if [ "$open_basedir" == "none" ] \|\| echo "$open_basedir" \| grep -q "$prepend_dir"; then
	echo "Already configured"
	else
	new_open_basedir="$open_basedir{:}$prepend_dir"
	echo "Setting open_basedir=$new_open_basedir ..."
	plesk db -e "update PhpSettingsParameters set value='$new_open_basedir' where name = 'open_basedir' and id = $setting_id"
	echo "Triggering settings update ..."
	/usr/local/psa/bin/domain --update-php-settings "$domain"
	fi

	for file in $webroot/.{htaccess,user.ini}; do
	if [ -f "$file" ] && grep -q 'Wordfence WAF' "$file"; then
	echo "Stripping Wordfence WAF from $file ..."
	sed -i '/^[;#] Wordfence WAF/,/[;#] END Wordfence WAF/d' "$file"
	fi
	done
	done