When contact-config.php exists but is unreadable by PHP-FPM (e.g. owned by
www-data while pool runs as nginx), file_exists() returns true but
require_once throws a fatal error → 500.
Production was hitting this: contact-config.php was 'www-data:www-data 640'
but the sag24 PHP-FPM pool runs as 'nginx'. Form returned HTTP 500 on every
POST including legitimate ones — contact form effectively dead.
Server side: chown nginx:nginx /opt/www/sag24.ru/contact-config.php (already
applied). This commit makes the script defensive against the same scenario
in the future.
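
The failure mode described in the commit message above, as an added example that is not the project's own code: `file_exists()` succeeds on a file the pool user cannot open, so the guard before `require` has to be `is_readable()`. The function name `load_contact_config()`, the 503 response and the assumption that the config file ends in `return [...];` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Load a secrets file kept outside the webroot (added example).
 * Returns the config array, or null when the file cannot be used.
 */
function load_contact_config(string $path): ?array
{
    // Drop any cached stat result so a chown/chmod made moments ago is seen.
    clearstatcache(true, $path);

    // file_exists() only stats the path, which needs search permission on the
    // parent directory. It is true for a 640 file owned by another user.
    // is_readable() checks access for the user the PHP-FPM pool runs as.
    if (!is_file($path) || !is_readable($path)) {
        $perms = @fileperms($path); // false when the path cannot be stat'ed
        error_log(sprintf(
            'contact config unusable: path=%s exists=%s mode=%s',
            $path,
            file_exists($path) ? 'yes' : 'no',
            $perms === false ? 'n/a' : substr(sprintf('%o', $perms), -4)
        ));
        return null;
    }

    // Assumption: the config file ends with "return [...];".
    $config = require $path;
    return is_array($config) ? $config : null;
}

// Path taken from the commit message; everything below is illustrative.
$config = load_contact_config('/opt/www/sag24.ru/contact-config.php');
if ($config === null) {
    // Fail closed with a controlled response instead of a fatal error,
    // and leave the permission detail in the server log only.
    http_response_code(503);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => 'temporarily unavailable']);
    exit;
}
```

The logged mode and the `exists=yes` flag are enough to tell an ownership mismatch from a missing file when the form starts failing.
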
PHP relay was created 2026-03-15, exposed POST /api/tg-relay.php with
X-Relay-Secret auth, forwarding to api.telegram.org directly. Access logs
showed 4 hits total, all from 79.111.12.36 (developer test) on 2026-03-15
within ~40s, then never again.
All actual contact forms (vgrf.ru, moovg.ru, sag24.ru, hhivp.com) already
use the CF Worker tg-relay.it-resheniya-2018.workers.dev which is the
correct path through TSPU RKN blocks. PHP relay was redundant + leaked an
RU-IP egress to api.telegram.org.
- Replace hardcoded BOT_TOKEN, CHAT_ID, TURNSTILE_SECRET, smtp_pass
with require_once from /opt/www/sag24.ru/contact-config.php (outside webroot)
- Convert email from plain text to HTML (text/html Content-Type)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Cloudflare Turnstile widget support (site key configurable in config.js,
secret key in contact.php — both empty until widget created at dash.cloudflare.com)
- Add email input field to contact form (parity with hhivp)
- Add company length validation (200 chars) to contact.php
- Add IP, country (CF-IPCountry header), and referer metadata to Telegram notifications
- Add company and email fields to SMTP email body
- Turnstile script loaded in index.html, widget rendered conditionally when TURNSTILE_SITE_KEY is set
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rate limit: 5 req/min per IP (file-based)
- Email format validation via filter_var
- Field length limits: name 100, email 254, phone 30, message 5000
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Send email via SMTP AUTH to mx.hhivp.com using noreply@sag24.ru
- Telegram is non-fatal (TSPU blocks 45.10.53.x datacenter)
- Form always returns success as long as email is sent
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Always send email to info@sag24.ru (via server mail())
- Return success even if Telegram is unreachable (TSPU blocks 45.10.53.x)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>