/CHANGELOG |
---|
3,7 → 3,6 |
-----------------------2.9.2 ----------------------- |
NEWS |
- importation of official certificate |
- Configuration of Dansguardian and DNSMASQ for larger sites |
- The SSL level has been improved to avoid recent vulnerabilities (exclude SSLV2 & V3) |
- The autosigned certificate has been improved (key lenght : 2048b and sha256 for fingerprint algorithm) |
/scripts/alcasar-defaultcert.sh |
---|
0,0 → 1,65 |
#!/bin/bash |
# alcasar-defaultcert.sh |
# by Raphaël, Hugo, Clément, Bettyna |
# This script is distributed under Gnu General Public License (GPL) |
# Script permettant |
# - de revenir au certificat par default |
# Script allows |
# - go back to the default certificate |
SED="/bin/sed -ri" |
DIR_CERT="/etc/pki/tls" |
usage="Usage: alcasar-defaultcert.sh. Ce script permet de revenir au certificat par default" |
nb_args=$# |
args=$1 |
function defaultNdd() |
{ |
$SED 's/^DOMAIN=.*/DOMAIN=localdomain/g' /usr/local/etc/alcasar.conf |
$SED 's/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.localdomain/g' /etc/hosts |
$SED 's/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.localdomain/g' /etc/chilli.conf |
$SED 's/^domain.*/domain\t\tlocaldomain/g' /etc/chilli.conf |
$SED 's/^ServerName.*/ServerName alcasar.localdomain/g' /etc/httpd/conf/httpd.conf |
} |
function defaultCert() |
{ |
cd $DIR_CERT |
rm private/alcasar.key |
rm certs/alcasar.crt |
mv certs/alcasar.crt.old certs/alcasar.crt |
mv private/alcasar.key.old private/alcasar.key |
if [ -f certs/server-chain.crt.old ] |
then |
rm certs/server-chain.crt |
mv certs/server-chain.crt.old certs/server-chain.crt |
fi |
} |
if [ $nb_args != 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
esac |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ] |
then |
echo "Back to the original certificate" |
defaultCert |
defaultNdd |
systemctl restart chilli.service |
systemctl restart httpd.service |
fi |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
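Review bot: `cd $DIR_CERT` in defaultCert is unchecked, so if the directory is missing or unreadable the following `rm private/alcasar.key`, `rm certs/alcasar.crt` and the two `mv` calls run relative to whatever the caller's cwd is; since this script is run as root through sudo from the web interface it should fail closed, e.g. `cd "$DIR_CERT" || { echo "cannot cd to $DIR_CERT" >&2; exit 1; }`. The `mv` calls that put the `.old` files back are likewise unchecked and chilli/httpd are restarted regardless, so a failed restore only shows up as a broken service; appending `|| exit 1` to each move (or `set -e` at the top, with `cd` guarded) would surface it before the restarts. The header carries the same two comment lines in French and English; keeping only the English block matches the rest of the file.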
/scripts/alcasar-importcert.sh |
---|
7,54 → 7,24 |
# Script permettant |
# - d'importer des certificats sur Alcasar |
# - de revenir au certificat par default |
# This script allows |
# - to import a certificate in Alcasar |
# - to go back to the default certificate |
# - to import certificate in Alcasar |
SED="/bin/sed -ri" |
DIR_CERT="/etc/pki/tls" |
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key (-c /path/to/serverchain.crt) || alcasar-importcert.sh -d (Cette utilisation permet de revenir au certificat par default)" |
usage="Usage: alcasar-importcert.sh -i YourCertificate.crt -k YourAlcasar.key -c Chaîne.com" |
nb_args=$# |
arg1=$1 |
args=$1 |
args1=$3 |
args2=$5 |
cert=$2 |
key=$4 |
sc=$6 |
# nb_args=$# |
# args=$1 |
# args1=$3 |
# args2=$5 |
# cert=$2 |
# key=$4 |
# sc=$6 |
function defaultNdd() |
{ |
$SED 's/^DOMAIN=.*/DOMAIN=localdomain/g' /usr/local/etc/alcasar.conf |
$SED 's/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.localdomain/g' /etc/hosts |
$SED 's/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.localdomain/g' /etc/chilli.conf |
$SED 's/^domain.*/domain\t\tlocaldomain/g' /etc/chilli.conf |
$SED 's/^ServerName.*/ServerName alcasar.localdomain/g' /etc/httpd/conf/httpd.conf |
} |
function defaultCert() |
{ |
cd $DIR_CERT |
rm private/alcasar.key |
rm certs/alcasar.crt |
mv certs/alcasar.crt.old certs/alcasar.crt |
mv private/alcasar.key.old private/alcasar.key |
if [ -f certs/server-chain.crt.old ] |
then |
rm certs/server-chain.crt |
mv certs/server-chain.crt.old certs/server-chain.crt |
fi |
} |
function domainName() # change the domain name in the conf files |
{ |
61,7 → 31,7 |
ndd=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p') |
echo $ndd |
if [ "$ndd" != "" ] |
then |
then |
$SED "s/^DOMAIN=.*/DOMAIN=$ndd/g" /usr/local/etc/alcasar.conf |
$SED "s/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.$ndd/g" /etc/hosts |
$SED "s/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.$ndd/g" /etc/chilli.conf |
73,7 → 43,7 |
function certImport() |
{ |
cd $DIR_CERT |
if [ ! -f "/etc/pki/tls/certs/alcasar.crt.old" ] |
then |
echo "Backup of old cert (alcasar.crt)" |
84,7 → 54,7 |
echo "Backup of old private key (alcasar.key)" |
mv private/alcasar.key private/alcasar.key.old |
fi |
cp $cert certs/alcasar.crt |
cp $key private/alcasar.key |
108,74 → 78,55 |
fi |
} |
if [ $nb_args -eq 0 ] |
if [ $nb_args -eq 0 ] || [ "$cert" == "" ] || [ "$key" == "" ] |
then |
echo "$usage" |
exit 1 |
nb_args=1 |
args="-h" |
fi |
case $arg1 in |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-i) |
arg3=$3 |
arg5=$5 |
cert=$2 |
key=$4 |
sc=$6 |
echo "You want import the certificate: $2" |
;; |
*) |
echo "Unknown argument: $1" |
echo "$usage" |
exit 1 |
;; |
esac |
if [ "$cert" == "" ] || [ "$key" == "" ] |
then |
echo "$usage" |
exit 1 |
fi |
if [ ! -f "$cert" -o ! -f "$key" ] |
then |
echo "Certificate and/or private key not found" |
exit 1 |
fi |
if [ ${cert: -4} != ".crt" ] |
then |
echo "Invalid certificate file" |
exit 1 |
fi |
if [ ${key: -4} != ".key" ] |
then |
echo "Invalid private key" |
exit 1 |
fi |
if [ "$arg5" != "-c" ] || [ ! -f "$sc" ] |
then |
echo "No server-chain given" |
echo "Importing certificate $cert with private key $key" |
sc="" |
else |
echo "Importing certificate $cert with private key $key and server-chain $sc" |
fi |
domainName $cert |
certImport $cert $key $sc |
systemctl restart chilli.service |
systemctl restart httpd.service |
case $args1 in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-d) |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ] |
then |
echo "Restoring default certificate" |
defaultCert |
defaultNdd |
systemctl restart chilli.service |
systemctl restart httpd.service |
fi |
-k) |
echo "With the private key: $4" |
;; |
*) |
echo "$usage" |
;; |
echo "Unknown argument: $3" |
echo "$usage" |
exit 1 |
;; |
esac |
if [ "$args2" == "-c" ] |
then |
echo "And the cert-chain: $6" |
if [ "$sc" == "" ] |
then |
echo "! Can't find the file of the chain-cert" |
fi |
else |
echo "Without a cert-chain" |
sc="" |
fi |
domainName |
certImport $cert $key $sc |
systemctl restart chilli.service |
systemctl restart httpd.service |
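Review bot: In the `$args`/`$args1`/`$args2` variant of the argument handling, which reads as the new side here (the page does not mark old and new lines, so confirm against the committed file), nothing checks that `$cert` and `$key` exist or parse before certImport moves the live `alcasar.key` to `alcasar.key.old` and runs `cp $key private/alcasar.key`; the `-f` and extension tests present in the `$arg1`/`$arg5` variant are gone, so a wrong path or an empty upload leaves the portal with no private key and then restarts httpd. Because the script runs as root via sudo from the web form, validate before touching /etc/pki/tls and abort on failure, for example with the lines below placed ahead of the `domainName` call. Separately, `$ndd` is taken from the certificate CN and interpolated unescaped into the `sed` replacements applied to /usr/local/etc/alcasar.conf, /etc/hosts and /etc/chilli.conf, so a CN containing `/`, `&` or a newline corrupts those root-owned files; reject any CN that does not match a hostname pattern such as `^[A-Za-z0-9.-]+$` before using it. The `*)` arm of `case $args1` also prints usage without exiting, so an unexpected third argument still falls through to the import.
```shell
# … unchanged: option parsing …
if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
	echo "Certificate and/or private key not found" >&2
	exit 1
fi
# refuse input openssl cannot parse before the live key is moved aside
if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1 \
   || ! openssl pkey -noout -in "$key" >/dev/null 2>&1; then
	echo "Invalid certificate or private key" >&2
	exit 1
fi
domainName
# … unchanged: certImport call and service restarts …
```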
/scripts/alcasar-urpmi.sh |
---|
188,7 → 188,7 |
else |
echo "Nettoyage du système : " |
fi |
for rm_rpm in shorewall mandi radeontool avahi mageia-gfxboot-theme privoxy cpupower squid gamin |
for rm_rpm in shorewall mandi radeontool avahi mageia-gfxboot-theme privoxy cpupower squid |
do |
/usr/sbin/urpme --auto $rm_rpm --auto-orphans 2>/dev/null |
echo -n "." |
/web/acc/admin/network.php |
---|
2,7 → 2,7 |
/* written by steweb57 & Rexy */ |
/******************** |
* TEST CONF FILES * |
* CONF FILES EXIST * |
*********************/ |
define ("CONF_FILE", "/usr/local/etc/alcasar.conf"); |
define ("ETHERS_FILE", "/usr/local/etc/alcasar-ethers"); |
24,12 → 24,12 |
$l_extif_legend = " (Interface connectée à Internet)"; |
$l_intif_legend = " (Réseau de consultation)"; |
$l_internet_legend = "INTERNET"; |
$l_ip_adr = "Adresse IP"; |
$l_ip_mask = "Masque"; |
$l_ip_adr = "Adresse IP"; |
$l_ip_mask = "Masque"; |
$l_ip_router = "Passerelle"; |
$l_ip_public = "Adresse IP publique"; |
$l_ip_dns1 = "DNS1"; |
$l_ip_dns2 = "DNS2"; |
$l_ip_dns1 = "DNS1"; |
$l_ip_dns2 = "DNS2"; |
$l_dhcp_title = "Service DHCP"; |
$l_dhcp_state = "Mode actuel"; |
$l_DHCP_on = "actif"; |
38,14 → 38,9 |
$l_static_dhcp_title = "Réservation d'adresses IP statiques"; |
$l_mac_address = "Adresse MAC"; |
$l_ip_address = "Adresse IP"; |
$l_mac_del = "Supprimer de la liste"; |
$l_mac_del = "Supprimer de la liste"; |
$l_add_to_list = "Ajouter"; |
$l_apply = "Appliquer les changements"; |
$l_import_cert = "Import de certificat"; |
$l_private_key = "Clé privée (.key) :"; |
$l_certificate = "Certificat (.crt) :"; |
$l_server_chain = "Server-chain (Si nécéssaire : .crt) :"; |
$l_default_cert = "Retourner aux certificat par défaut"; |
$l_apply = "Appliquer les changements"; |
} else { |
$l_network_title = "Network configuration"; |
52,12 → 47,12 |
$l_extif_legend = " (Internet connected interface)"; |
$l_intif_legend = " (Private network)"; |
$l_internet_legend = "INTERNET"; |
$l_ip_adr = "IP Address"; |
$l_ip_mask = "Mask"; |
$l_ip_adr = "IP Address"; |
$l_ip_mask = "Mask"; |
$l_ip_router = "Gateway"; |
$l_ip_public = "Public IP address"; |
$l_ip_dns1 = "DNS1"; |
$l_ip_dns2 = "DNS2"; |
$l_ip_dns1 = "DNS1 :"; |
$l_ip_dns2 = "DNS2"; |
$l_dhcp_title = "DHCP service"; |
$l_dhcp_state = "Current mode"; |
$l_DHCP_on = "enabled"; |
66,14 → 61,9 |
$l_static_dhcp_title = "Static IP addresses reservation"; |
$l_mac_address = "MAC Address"; |
$l_ip_address = "IP Address"; |
$l_mac_del = "Delete from list"; |
$l_mac_del = "Delete from list"; |
$l_add_to_list = "Add"; |
$l_apply = "Apply changes"; |
$l_import_cert = "Certificate import"; |
$l_private_key = "Private key (.key) :"; |
$l_certificate = "Certificate (.crt) :"; |
$l_server_chain = "Server-chain (If necessary : .crt) :"; |
$l_default_cert = "Back to default certificate"; |
$l_apply = "Apply changes"; |
} |
if (isset($_POST['choix'])){$choix=$_POST['choix'];} else {$choix="";} |
switch ($choix) |
107,7 → 97,7 |
} |
} |
} |
if ($insert == "True") |
if ($insert == "True") |
{ |
$line = trim($_POST['add_mac']) . " " . trim($_POST['add_ip']) . "\n"; |
$pointeur=fopen(ETHERS_FILE,"a"); |
149,7 → 139,7 |
$port = "80"; |
//var $num; //not used |
//var $error; //not used |
if (! $sock = @fsockopen($host, $port, $num, $error, 5)) { |
return false; |
} else { |
264,22 → 254,22 |
?> |
<table width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th><?php echo $l_import_cert;?></th></tr> |
<tr><th>Import de certificat</th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</table> |
<table width="100%" border="1" cellspacing="0" cellpadding="0"> |
<tr><td> |
<form method="post" action="network.php" enctype="multipart/form-data"> |
<?php echo $l_private_key;?><input type="file" name="key"/><br/> |
<?php echo $l_certificate;?><input type="file" name="crt"/><br/> |
<?php echo $l_server_chain;?><input type="file" name="sc"/> |
<input type="hidden" name="MAX_FILE_SIZE" value=<?php echo $maxsize;?> /><br/> |
Clé privée (.key): <input type="file" name="key"/><br/> |
Certificat (.crt):<input type="file" name="crt"/><br/> |
Server-chain (Recommandé : .crt):<input type="file" name="sc"/> |
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxsize ?>" /><br/> |
<input type="submit" value="Valider"/> |
</form> |
</td><td> |
<form method="post" action="network.php"> |
<input type="hidden" name="default"/> |
<input type="submit" <?php echo "value=\"".$l_default_cert."\""?>/> |
<input type="submit" value="Retourner aux certificats par défaut"/> |
</form> |
</td> |
</tr> |
291,7 → 281,7 |
<?php |
if(isset($_POST['default'])){ |
echo "Retour au certificats par défaut"; |
exec("sudo alcasar-importcert.sh -d"); |
exec("sudo alcasar-defaultcert.sh"); |
} |
if(isset($_POST['MAX_FILE_SIZE'])){ |
echo "changement"; |
318,3 → 308,4 |
} |
} |
?> |
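Review bot: The rollback handler `if(isset($_POST['default'])){ ... exec("sudo alcasar-defaultcert.sh"); }` fires on any POST carrying a `default` field, runs a root-level certificate restore plus chilli/httpd restarts, and discards the command's exit status, so the page prints "Retour au certificats par défaut" even when the script did nothing (it exits silently when the `.old` files are absent). Capture and report the result, e.g. `exec("sudo alcasar-defaultcert.sh", $out, $rc); if ($rc !== 0) { echo "Echec du retour au certificat par défaut"; }`, and, unless the ACC wrapper already enforces it outside this view, tie both forms to a per-session token checked here so a cross-site POST cannot trigger the import or the restart. The form also hardcodes French labels (`Import de certificat`, `Clé privée (.key):`, `Retourner aux certificats par défaut`) although this file keeps an English branch for every other label, so the `$l_import_cert`, `$l_private_key`, `$l_certificate`, `$l_server_chain` and `$l_default_cert` variables should remain defined in both language blocks and be echoed here instead of literals. The enclosing PHP block continues beyond this section.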
/conf/sudoers |
---|
19,15 → 19,15 |
Cmnd_Alias SQL=/usr/local/sbin/alcasar-mysql.sh # to export users database |
Cmnd_Alias SYSTEM_BACKUP=/usr/local/bin/alcasar-conf.sh # to create conf backup file |
Cmnd_Alias EXPORT=/usr/local/bin/alcasar-archive.sh # to export/save the log files |
Cmnd_Alias BL=/usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh # to manage the filtering system |
Cmnd_Alias BL=/usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh # to manege the filtering system |
Cmnd_Alias NF=/usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # to manage the firewall |
Cmnd_Alias LOGOUT=/usr/local/sbin/alcasar-logout.sh # to disconnect the users |
Cmnd_Alias UAM=/usr/local/sbin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed) |
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services |
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem |
Cmnd_Alias SSL=/usr/bin/openssl # to manage the certificates |
Cmnd_Alias IMPCERT=/usr/local/sbin/alcasar-importcert.sh # to import an official certificate |
Cmnd_Alias SSL=/usr/bin/openssl,/usr/local/sbin/alcasar-importcert.sh,/usr/local/sbin/alcasar-defaultcert.sh # to manage the certificats |
# Defaults specification |
# Defaults syslog=auth |
46,6 → 46,6 |
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom |
# %users localhost=/sbin/shutdown -h now |
ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL,IMPCERT |
ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL |
ADMIN LAN_ORG=(root) NOPASSWD: NET,URPMI,BYPASS,SYSTEM_BACKUP,SQL,EXPORT,SERVICE |
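Review bot: The merged `SSL` alias gives ADMWEB passwordless root on `/usr/bin/openssl` and on both certificate scripts with arbitrary arguments, and `alcasar-importcert.sh` copies whatever `$2`/`$4` name into `/etc/pki/tls/certs/alcasar.crt` and `private/alcasar.key` without checking the source, so the web account can have root copy any file into a location it may then read or serve (the unrestricted `openssl` entry in effect already allows `-in`/`-out` on any path). If the web UI always stages uploads in a fixed directory, pin the arguments in the alias (sudoers matches listed argument strings exactly; avoid `*` wildcards, which also match spaces) or have the scripts refuse any path outside that directory. The comment on the new `BL` line reads `manege`; `manage`, as on the neighbouring `NF` alias.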