
Ignore whitespace Rev 1832 → Rev 1833

/alcasar.sh
29,11 → 29,11
# testing : connectivity tests, free space test and mageia version test
# init : Installation of RPM and scripts
# network : Network parameters
# time : NTPd configuration
# ACC : ALCASAR Control Center installation
# CA : Certification Authority initialization
# init_db : Initilization of radius database managed with MariaDB
# radius : FreeRadius initialisation
# radius_web : copy ans modifiy original "freeradius web" in ACC
# chilli : coovachilli initialisation (+authentication page)
# dansguardian : DansGuardian filtering HTTP proxy configuration
# antivirus : HAVP + libclamav configuration
407,7 → 407,6
## - Nommage DNS du système ##
## - Configuration de l'interface INTIF (réseau de consultation)##
## - Modification du fichier /etc/hosts ##
## - Configuration du serveur de temps (NTP) ##
## - Renseignement des fichiers hosts.allow et hosts.deny ##
##################################################################
network ()
586,29 → 585,6
ACCOUNTING=no
USERCTL=no
EOF
# Mise à l'heure du serveur
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
cat <<EOF > /etc/ntp/step-tickers
0.fr.pool.ntp.org # adapt to your country
1.fr.pool.ntp.org
2.fr.pool.ntp.org
EOF
# Configuration du serveur de temps (sur lui même)
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
cat <<EOF > /etc/ntp.conf
server 0.fr.pool.ntp.org # adapt to your country
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 127.127.1.0 # local clock si NTP internet indisponible ...
fudge 127.127.1.0 stratum 10
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
disable monitor
EOF
 
chown -R ntp:ntp /var/lib/ntp
# Renseignement des fichiers hosts.allow et hosts.deny
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
cat <<EOF > /etc/hosts.allow
632,12 → 608,42
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
 
##################################################################
## Function "time" ##
## - Configuring NTP server ##
##################################################################
time ()
{
# Set the Internet time server
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
cat <<EOF > /etc/ntp/step-tickers
0.fr.pool.ntp.org # adapt to your country
1.fr.pool.ntp.org
2.fr.pool.ntp.org
EOF
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
cat <<EOF > /etc/ntp.conf
server 0.fr.pool.ntp.org # adapt to your country
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 127.127.1.0 # local clock si NTP internet indisponible ...
fudge 127.127.1.0 stratum 10
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
disable monitor
EOF
chown -R ntp:ntp /var/lib/ntp
# Synchronize now
ntpd -q -g &
} # End of time ()
##################################################################
## Function "ACC" ##
## - installation du centre de gestion (ALCASAR Control Center) ##
## - configuration du serveur web (Apache) ##
648,7 → 654,7
{
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
mkdir $DIR_WEB
# Copie et configuration des fichiers du centre de gestion
# Copy & adapt ACC files
cp -rf $DIR_INSTALL/web/* $DIR_WEB/
echo "$VERSION" > $DIR_WEB/VERSION
$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
657,16 → 663,30
$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
chown -R apache:apache $DIR_WEB/*
# create the backup structure :
# copy & adapt "freeradius-web" files
cp -rf $DIR_CONF/freeradius-web/ /etc/
[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
cat <<EOF > /etc/freeradius-web/naslist.conf
nas1_name: alcasar-$ORGANISME
nas1_model: Network Access Controler
nas1_ip: $PRIVATE_IP
nas1_port_num: 0
nas1_community: public
EOF
chown -R apache:apache /etc/freeradius-web/
# create the log & backup structure :
# - base = users database
# - archive = tarball of "base + http firewall + netflow"
# - security = watchdog disconnection)
# - security = watchdog log
for i in base archive security;
do
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
done
chown -R root:apache $DIR_SAVE
# Configuration et sécurisation php
# Configuring & securing php
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
674,7 → 694,7
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
# Configuration et sécurisation Apache
# Configuring & sécuring Apache
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
736,10 → 756,8
</html>
EOF
# Définition du premier compte lié au profil 'admin'
 
# !! remove when > V2.9.2 (we need to create new accounts)
# if [ "$mode" = "install" ]
# then
if [ "$mode" = "install" ]
then
header_install
admin_portal=!
PTN='^[a-zA-Z0-9-]*$'
773,12 → 791,8
/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
done
$DIR_DEST_BIN/alcasar-profil.sh --list
# !! remove if > V2.9.2
# fi
 
# synchronisation horaire
ntpd -q -g &
# Sécurisation du centre
fi
# ACC partitioning
rm -f /etc/httpd/conf/webapps.d/alcasar*
cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_ACC>
856,8 → 870,17
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_WEB/pass>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
ErrorDocument 404 https://$HOSTNAME.$DOMAIN
</Directory>
EOF
# Launch after coova
# Launch after coova (in order to wait tun0 to be up)
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
} # End of ACC ()
 
890,7 → 913,6
ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
</VirtualHost>
EOF
 
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
} # End of CA ()
998,60 → 1020,6
/usr/bin/systemctl daemon-reload
} # End radius ()
 
##########################################################################
## Function "radius_web" ##
## - Import, modification et paramètrage de l'interface "freeradius-WEB ##
## - Création du lien vers la page de changement de mot de passe ##
##########################################################################
radius_web ()
{
# copy "freeradius-web" files and conf files in the manager arae of ACC
cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
cp -rf $DIR_CONF/freeradius-web/ /etc/
chown -R apache:apache $DIR_ACC/manager/
# adapt the main conf file to Alcasar behaviour
[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
cat <<EOF > /etc/freeradius-web/naslist.conf
nas1_name: alcasar-$ORGANISME
nas1_model: Portail captif
nas1_ip: $PRIVATE_IP
nas1_port_num: 0
nas1_community: public
EOF
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
# Ajout du mappage des attributs chillispot
[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
chown -R apache:apache /etc/freeradius-web
# Ajout de l'alias vers la page de "changement de mot de passe usager"
cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_WEB/pass>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
ErrorDocument 404 https://$HOSTNAME.$DOMAIN
</Directory>
EOF
} # End of radius_web ()
 
##################################################################################
## Fonction "chilli" ##
## - Création du fichier d'initialisation et de configuration de coova-chilli ##
2103,7 → 2071,7
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
mode="update"
fi
for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
for func in init network time ACC CA init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
do
$func
# echo "*** 'debug' : end of function $func ***"; read a
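Review bot: The new function at L73 is named `time`, which bash treats as a reserved word at command position, so as far as I can tell `time ()` is rejected by the parser (syntax error near `)`) and the script stops loading before it reaches the dispatch loop at L276; the shebang is outside this diff, so this only applies if the script runs under bash rather than a shell where `time` is an ordinary command. Renaming avoids the collision: `time_server ()` at the definition and `for func in init network time_server ACC CA init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install` in the loop, with the header entry (`# time : NTPd configuration`) and the function banner at L70 updated to match. Separately, `ntpd -q -g &` at L97 is backgrounded and never waited on, so the functions that follow (CA among them) may run before the clock is actually stepped; dropping the `&`, or adding a `wait` before the closing brace, would make the ordering deterministic.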