From 11de78ce5144dde32895b88996e5c56ee74960df Mon Sep 17 00:00:00 2001
From: Ilia Ross <ilia@ross.gdn>
Date: Sun, 6 Jul 2025 20:24:06 +0300
Subject: [PATCH] Add ability to configure SSL enforcement options in UI

---
 usermin/change_ssl.cgi | 3 ++-
 usermin/edit_ssl.cgi   | 7 +++++--
 webmin/change_ssl.cgi  | 3 ++-
 webmin/edit_ssl.cgi    | 7 +++++--
 webmin/lang/en         | 3 ++-
 5 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/usermin/change_ssl.cgi b/usermin/change_ssl.cgi
index be38a16a1..747ce302c 100755
--- a/usermin/change_ssl.cgi
+++ b/usermin/change_ssl.cgi
@@ -10,7 +10,8 @@ require './usermin-lib.pl';
 &get_usermin_miniserv_config(\%miniserv);
 $sslcurr = $miniserv{'ssl'};
 $miniserv{'ssl'} = $in{'ssl'};
-$miniserv{'ssl_hsts'} = ($in{'ssl'} && $in{'ssl_hsts'}) ? 1 : 0;
+$miniserv{'ssl_enforce'} = int($in{'ssl_enforce'});
+$miniserv{'ssl_hsts'} = $miniserv{'ssl_enforce'} == 2 ? 1 : 0;
 &webmin::validate_key_cert($in{'key'}, $in{'cert_def'} ? undef : $in{'cert'});
 $miniserv{'keyfile'} = $in{'key'};
 $miniserv{'certfile'} = $in{'cert_def'} ? undef : $in{'cert'};
diff --git a/usermin/edit_ssl.cgi b/usermin/edit_ssl.cgi
index 61d78906d..4806011c7 100755
--- a/usermin/edit_ssl.cgi
+++ b/usermin/edit_ssl.cgi
@@ -23,8 +23,11 @@ print &ui_table_start($text{'ssl_header'}, undef, 2);
 print &ui_table_row($text{'ssl_on'},
 	&ui_yesno_radio("ssl", $miniserv{'ssl'}));
 
-print ui_table_row($text{'ssl_hsts'},
-	ui_yesno_radio("ssl_hsts", $miniserv{'ssl_hsts'}));
+print ui_table_row($text{'ssl_enforce'},
+	ui_radio("ssl_enforce", $miniserv{'ssl_enforce'} // 1,
+		[ [ 2, $text{'ssl_hsts'} ],
+		  [ 1, $text{'yes'} ],
+		  [ 0, $text{'no'} ] ]));
 
 print &ui_table_row($text{'ssl_key'},
 	&ui_textbox("key", $miniserv{'keyfile'}, 40)." ".
diff --git a/webmin/change_ssl.cgi b/webmin/change_ssl.cgi
index 1d8d7f4a3..b3509fb98 100755
--- a/webmin/change_ssl.cgi
+++ b/webmin/change_ssl.cgi
@@ -10,7 +10,8 @@ require './webmin-lib.pl';
 &get_miniserv_config(\%miniserv);
 $sslcurr = $miniserv{'ssl'};
 $miniserv{'ssl'} = $in{'ssl'};
-$miniserv{'ssl_hsts'} = ($in{'ssl'} && $in{'ssl_hsts'}) ? 1 : 0;
+$miniserv{'ssl_enforce'} = int($in{'ssl_enforce'});
+$miniserv{'ssl_hsts'} = $miniserv{'ssl_enforce'} == 2 ? 1 : 0;
 &validate_key_cert($in{'key'}, $in{'cert_def'} ? undef : $in{'cert'});
 $miniserv{'keyfile'} = $in{'key'};
 $miniserv{'certfile'} = $in{'cert_def'} ? undef : $in{'cert'};
diff --git a/webmin/edit_ssl.cgi b/webmin/edit_ssl.cgi
index 35aea0182..339527d50 100755
--- a/webmin/edit_ssl.cgi
+++ b/webmin/edit_ssl.cgi
@@ -56,8 +56,11 @@ print ui_table_start($text{'ssl_header'}, undef, 2);
 print ui_table_row($text{'ssl_on'},
 	ui_yesno_radio("ssl", $miniserv{'ssl'}));
 
-print ui_table_row($text{'ssl_hsts'},
-	ui_yesno_radio("ssl_hsts", $miniserv{'ssl_hsts'}));
+print ui_table_row($text{'ssl_enforce'},
+	ui_radio("ssl_enforce", $miniserv{'ssl_enforce'} // 1,
+		[ [ 2, $text{'ssl_hsts'} ],
+		  [ 1, $text{'yes'} ],
+		  [ 0, $text{'no'} ] ]));
 
 print ui_table_row($text{'ssl_key'},
 	ui_textbox("key", $miniserv{'keyfile'}, 40)." ".
diff --git a/webmin/lang/en b/webmin/lang/en
index 2b3ac36ea..7cff4f820 100644
--- a/webmin/lang/en
+++ b/webmin/lang/en
@@ -351,7 +351,8 @@ ssl_deny=SSL protocol versions to reject
 ssl_compression=Allow compressed SSL connections?
 ssl_honorcipherorder=Force use of server-defined cipher order?
 ssl_extracas=Additional certificate files<br>for chained certificates
-ssl_hsts=Enforce SSL with HSTS header
+ssl_enforce=Enforce SSL
+ssl_hsts=Yes, with HSTS header
 ssl_redirect=Redirecting after protocol change ..
 ssl_extracasdef=Same as global SSL settings
 ssl_extracasnone=None for this IP address