Commit Graph

11 Commits

Author SHA1 Message Date
ac0467290c fix(contact.php): use is_readable() instead of file_exists() for config
When contact-config.php exists but is unreadable by PHP-FPM (e.g. owned by
www-data while pool runs as nginx), file_exists() returns true but
require_once throws a fatal error → 500.

Production was hitting this: contact-config.php was 'www-data:www-data 640'
but the sag24 PHP-FPM pool runs as 'nginx'. Form returned HTTP 500 on every
POST including legitimate ones — contact form effectively dead.

Server side: chown nginx:nginx /opt/www/sag24.ru/contact-config.php (already
applied). This commit makes the script defensive against the same scenario
in the future.
2026-05-06 01:27:12 +03:00
5dea9c4a52 remove unused tg-relay.php — duplicate of CF Worker, no callers in 50 days
PHP relay was created 2026-03-15, exposed POST /api/tg-relay.php with
X-Relay-Secret auth, forwarding to api.telegram.org directly. Access logs
showed 4 hits total, all from 79.111.12.36 (developer test) on 2026-03-15
within ~40s, then never again.

All actual contact forms (vgrf.ru, moovg.ru, sag24.ru, hhivp.com) already
use the CF Worker tg-relay.it-resheniya-2018.workers.dev which is the
correct path through TSPU RKN blocks. PHP relay was redundant + leaked an
RU-IP egress to api.telegram.org.
2026-05-06 01:20:10 +03:00
4e33aebe55 fix: contact.php — move secrets to include file, HTML email
- Replace hardcoded BOT_TOKEN, CHAT_ID, TURNSTILE_SECRET, smtp_pass
  with require_once from /opt/www/sag24.ru/contact-config.php (outside webroot)
- Convert email from plain text to HTML (text/html Content-Type)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 21:09:30 +03:00
18fff2e3f6 feat: activate Cloudflare Turnstile for sag24.ru contact form
Set site key and secret key for sag24-website-contact-form widget

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 14:41:22 +03:00
c155ff366c feat: add Turnstile anti-bot, email field, and metadata to contact form
- Add Cloudflare Turnstile widget support (site key configurable in config.js,
  secret key in contact.php — both empty until widget created at dash.cloudflare.com)
- Add email input field to contact form (parity with hhivp)
- Add company length validation (200 chars) to contact.php
- Add IP, country (CF-IPCountry header), and referer metadata to Telegram notifications
- Add company and email fields to SMTP email body
- Turnstile script loaded in index.html, widget rendered conditionally when TURNSTILE_SITE_KEY is set

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 14:20:23 +03:00
a42007e0a5 feat: add rate limiting and input validation to contact form
- Rate limit: 5 req/min per IP (file-based)
- Email format validation via filter_var
- Field length limits: name 100, email 254, phone 30, message 5000

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 07:29:27 +03:00
7decd512c9 fix: use Cloudflare Worker relay for Telegram, fix phone format
- contact.php: route Telegram API via tg-relay.it-resheniya-2018.workers.dev
- translations: fix phone format (909) 945-44-56 -> +7 909 945-44-56

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 05:59:18 +03:00
fc1d2c20cd fix: contact.php — SMTP via noreply@sag24.ru, Telegram best-effort
- Send email via SMTP AUTH to mx.hhivp.com using noreply@sag24.ru
- Telegram is non-fatal (TSPU blocks 45.10.53.x datacenter)
- Form always returns success as long as email is sent

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 01:18:13 +03:00
cd265e4459 fix: contact form — email fallback + non-fatal Telegram
- Always send email to info@sag24.ru (via server mail())
- Return success even if Telegram is unreachable (TSPU blocks 45.10.53.x)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 01:15:23 +03:00
952634de3e feat: add Telegram relay endpoint for hhivp-website 2026-03-15 00:13:46 +03:00
9a3785a13c feat: add Telegram contact form API (PHP) and connect form endpoint 2026-03-14 19:41:25 +03:00