
Ignore whitespace Rev 2591 → Rev 2592

/alcasar.sh
764,34 → 764,39
# Configuring & securing Lighttpd
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
 
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
 
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
 
[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
 
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
 
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar
 
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
chown -R apache:apache /var/log/lighttpd
/usr/bin/systemctl start lighttpd
/usr/bin/systemctl start php-fpm
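Review bot: The new `ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar` creates a link named `alcasar`, while lighttpd.conf is told to `include "vhosts.d/alcasar.conf"` and scripts/alcasar-https.sh in this same revision removes and recreates `/etc/lighttpd/vhosts.d/alcasar.conf`; with `conf/lighttpd/vhosts.d/alcasar.conf` deleted here and `cp $DIR_CONF/lighttpd/vhosts.d/*` shipping only the `-with-ssl`/`-without-ssl` files, nothing named alcasar.conf exists after a fresh install and the include dangles when lighttpd is started. Use `ln -sf /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf`; the `-f` also keeps a re-run of the installer from failing on an existing link. The `$SED` lines that edit `/etc/lighttpd/vhosts.d/alcasar.conf` read as the old side of this hunk; should any survive, note that an in-place sed on a symlink replaces the link with a plain file, silently detaching it from the with-ssl vhost. The `cp $DIR_CONF/...` lines should quote `"$DIR_CONF"` like the rest of the expansions. The installer section continues outside this hunk.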
 
/conf/lighttpd/vhosts.d/alcasar.conf
File deleted
/conf/lighttpd/vhosts.d/alcasar-with-ssl.conf
0,0 → 1,91
$HTTP["url"] =~ ".*" {
# Disabling directory listing as default setting
dir-listing.activate = "disable"
}
 
# If a wrong url is used, displaying homepage for unprivileged users
$HTTP["url"] !~ "^/(acc|save)/" {
server.error-handler-404 = "/"
}
 
# Error pages
server.errorfile-prefix = "/var/www/html/errors/error-"
 
$SERVER["socket"] == "alcasar.localdomain:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem"
ssl.ca-file = "/etc/pki/tls/certs/server-chain.crt"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
 
var.server_name = "alcasar.localdomain"
server.name = server_name
 
server.document-root = "/var/www/html"
}
 
$HTTP["scheme"] == "https" {
 
alias.url = (
"/save" => "/var/Save"
)
 
# Digest authentication configuration
auth.backend = "htdigest"
auth.debug = 1
auth.require = (
"/acc/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
),
"/save/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
)
 
)
 
$HTTP["url"] =~ "^/(acc|save)/" {
# Setting digest files according access permissions
$HTTP["url"] =~ "^/acc/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all"
 
$HTTP["url"] =~ "^/acc/admin" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin"
}
 
$HTTP["url"] =~ "^/acc/manager/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager"
}
 
$HTTP["url"] =~ "^/acc/backup/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
}
}
 
$HTTP["url"] =~ "^/save" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
# Enabling directory listing
dir-listing.activate = "enable"
}
}
}
 
$HTTP["scheme"] == "http" {
# Force HTTPS for specific pages
# $HTTP["url"] =~ "^/(acc|save|(intercept|password).php)" {
$HTTP["url"] =~ "^/(acc|save)" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
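Review bot: The `ssl.cipher-list` in the `$SERVER["socket"]` block still offers `ECDH+3DES`, `DH+3DES` and `RSA+3DES`; with SSLv2/SSLv3 already disabled these are the only 64-bit-block suites left on offer and can be dropped by removing the three groups or appending `:!3DES` to the list. The digest user-file selectors are anchored inconsistently: `^/acc/admin` has no trailing slash while `^/acc/manager/` and `^/acc/backup/` do, so the admin block also covers any path that merely begins with that string; `^/acc/admin/` would make the three blocks uniform (the mismatch only widens the set of paths that demand key_admin, so this is a readability point rather than a hole). Both remarks apply unchanged to alcasar-without-ssl.conf, which carries the same lines.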
/conf/lighttpd/vhosts.d/alcasar-without-ssl.conf
0,0 → 1,91
$HTTP["url"] =~ ".*" {
# Disabling directory listing as default setting
dir-listing.activate = "disable"
}
 
# If a wrong url is used, displaying homepage for unprivileged users
$HTTP["url"] !~ "^/(acc|save)/" {
server.error-handler-404 = "/"
}
 
# Error pages
server.errorfile-prefix = "/var/www/html/errors/error-"
 
$SERVER["socket"] == "alcasar.localdomain:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem"
ssl.ca-file = "/etc/pki/tls/certs/server-chain.crt"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
 
var.server_name = "alcasar.localdomain"
server.name = server_name
 
server.document-root = "/var/www/html"
}
 
$HTTP["scheme"] == "https" {
 
alias.url = (
"/save" => "/var/Save"
)
 
# Digest authentication configuration
auth.backend = "htdigest"
auth.debug = 1
auth.require = (
"/acc/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
),
"/save/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
)
 
)
 
$HTTP["url"] =~ "^/(acc|save)/" {
# Setting digest files according access permissions
$HTTP["url"] =~ "^/acc/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all"
 
$HTTP["url"] =~ "^/acc/admin" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin"
}
 
$HTTP["url"] =~ "^/acc/manager/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager"
}
 
$HTTP["url"] =~ "^/acc/backup/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
}
}
 
$HTTP["url"] =~ "^/save" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
# Enabling directory listing
dir-listing.activate = "enable"
}
}
}
 
$HTTP["scheme"] == "http" {
# Force HTTPS for specific pages
# $HTTP["url"] =~ "^/(acc|save)" {
$HTTP["url"] =~ "^/(acc|save)" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
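Review bot: This file differs from alcasar-with-ssl.conf only in the commented-out regex on the `# Force HTTPS` line; it still declares the `$SERVER["socket"] == "alcasar.localdomain:443"` block with `ssl.engine = "enable"` and still redirects http requests for `/acc` and `/save` to https. As far as lighttpd is concerned, `alcasar-https --off` therefore relinks alcasar.conf to a vhost with identical effect. If the intent is that the ACC stays on TLS while only the chilli portal pages move to http, a header comment saying so would save the next reader from hunting for the difference; if a genuinely TLS-less vhost was intended, the 443 block and the scheme redirect are the parts that would need to differ.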
/scripts/alcasar-https.sh
31,13 → 31,23
--off | -off) # disable HTTPS
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^redirssl.*?#&?" $CHILLI_CONF_FILE
$SED "s?^uamuissl.*?#&?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
rm -f /etc/lighttpd/vhosts.d/alcasar.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
/usr/bin/systemctl restart lighttpd
;;
--on | -on) # enable HTTPS
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^#redirssl.*?redirssl?" $CHILLI_CONF_FILE
$SED "s?^#uamuissl.*?uamuissl?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
rm -f /etc/lighttpd/vhosts.d/alcasar.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
/usr/bin/systemctl restart lighttpd
;;
*)
echo "Argument inconnu : $1"
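Review bot: In both the `--off` and `--on` arms the vhost is switched with `rm -f` followed by `ln -s`, so between the two commands `/etc/lighttpd/vhosts.d/alcasar.conf` does not exist and the include in lighttpd.conf dangles; a single `ln -sfn /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf` (and the `-with-ssl` counterpart in `--on`) replaces the link in one step. The results of `systemctl restart chilli` and `systemctl restart lighttpd` are not checked, so a failed chilli restart still leaves the script swapping the vhost and exiting 0; `|| exit 1` on each restart would surface it. Note that the installer in alcasar.sh links the with-ssl file to `/etc/lighttpd/vhosts.d/alcasar` (no `.conf`), which does not match the name these arms manage. The `case` these arms belong to starts outside the hunk.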
/web/index.php
152,7 → 152,7
$l_explain_net_pb = "Votre portail détecte que l'accès à Internet est indisponible.";
$l_contact_access_deny = "Contactez le responsable de la séurité (OSSI/RSSI) si vous pensez que ce filtrage est abusif.";
$l_contact_net_pb = "Contactez votre responsable informatique ou votre prestataire Internet pour plus d'information.";
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Enregistrement par SMS</a>";
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Enregistrement par SMS</a>";
$l_install_certif = "Installer le certificat racine";
$l_install_certif_more = "Installation du certificat de l'autorité; racine d'ALCASAR";
$l_certif_explain = "Permet l'échange de données sécurisées entre votre station de consultation et le portail captif ALCASAR.<BR>Si ce certificat n'est pas enregistré sur votre station de consultation, il est possible que des alertes de sécurité soient émises par votre navigateur.<br><br>";
199,7 → 199,7
$l_explain_net_pb = "O sistema detectou que o acesso é de risco, não será permitido o acesso";
$l_contact_access_deny = "Entre em contato com o administrador do sistema de segurança se acha que essa filtragem é abusiva.";
$l_contact_net_pb = "Entre em contato com a empresa fornecedora de Internet para mais informações";
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>";
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>";
$l_install_certif = "Instalar Certificado Alcasar AC";
$l_install_certif_more = "Instalar Certificado Alcasar AC";
$l_certif_explain = "O certificado Permiti a troca de dados seguro entre seu computador e o portal Alcasar.<BR>Se este certificado não estiver incorporado no seu computador, alguns alertas de segurança deverá aparecer no navegador.<br><br>";
246,7 → 246,7
$l_explain_net_pb = "您的门户检测因特网不可用。";
$l_contact_access_deny = "如果您认为该过滤不当,请联系安全负责人(OSSI/RSSI)。";
$l_contact_net_pb = "请联系IT负责人或网络服务商来了解更多信息。";
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">短信自动登录 </a>";
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">短信自动登录 </a>";
$l_install_certif = "安装根证书";
$l_install_certif_more = "安装根证书";
$l_certif_explain = "允许您的计算机与ALCASAR门户进行安全数据交换。<BR>如果该证书未包含在您的计算机中,您的浏览器将出现一些安全提醒。<br><br>";
294,7 → 294,7
$l_contact_access_deny = "المرجو الاتصال بضابط أمن (OSS / RSS) إذا اعتقدت ان هذه التصفية غير قانونية";
$l_contact_net_pb = "المرجو الاتصال بمدير المعلومات أو مورد الأنترنت للمزيد من المعلومات";
$auto_save_sms_text = "تسجيل ذاتي على";
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">SMS $auto_save_sms_text</a>";
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">SMS $auto_save_sms_text</a>";
$l_install_certif = "ركب جذر الشهادة";
$l_install_certif_more = "ALCASAR تركيب شهادة السلطة؛ جذر الكزار";
$exchange_data_text = "يمَكن من تبادل البيانات المؤمّنة بين محطة الاستفسار و بوابة الكزار الأسيرة";
361,7 → 361,7
$l_explain_net_pb = "Your portal has just detected that the Internet access is down";
$l_contact_access_deny = "Contact your security system manager if you think this filtering is abusive.";
$l_contact_net_pb = "Contact your network responsive or your Internet provider for more information";
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>";
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>";
$l_install_certif = "Install ALCASAR AC Certificate";
$l_install_certif_more = "Install ALCASAR AC Certificate";
$l_certif_explain = "Allow secure data exchange between your computer and ALCASAR portal.<BR>If this certificate isn't incorporated in your computer, some security alerts should appear in your browser.<br><br>";
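Review bot: Taking the second printed line of each pair as the new side, the `$l_sms_access` link in the hunk at line 152 now hard-codes `http://$hostname/autoregistrationinfo.php`, so the SMS self-registration page is reached over cleartext even when HTTPS has been switched on through alcasar-https.sh; the same edit is made in the hunks at lines 199, 246, 294 and 361. A relative link avoids choosing a scheme at all: `$l_sms_access = "<a href=\"/autoregistrationinfo.php\">Auto Enregistrement par SMS</a>";` (with the respective caption in the other language blocks) keeps whatever scheme the visitor already has and no longer interpolates `$hostname` into the anchor. If an absolute URL is required, derive the scheme from `$_SERVER['HTTPS']` once instead of fixing it in five places.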