

Ignore whitespace Rev 2487 → Rev 2488

/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
# -i or --install
60,7 → 60,7
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
DIR_WEB="/var/www/html" # directory of APACHE
DIR_WEB="/var/www/html" # directory of Lighttpd
DIR_DG="/etc/dansguardian" # directory of DansGuardian
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
714,7 → 714,7
##################################################################
## Function "ACC" ##
## - installation of then ALCASAR Control Center (ACC) ) ##
## - configuration of the web server (Apache) ##
## - configuration of the web server (Lighttpd) ##
## - creation of the first ACC admin account ##
## - secure the access ##
##################################################################
764,196 → 764,53
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
# Configuring & sécuring Apache
# Configuring & securing Lighttpd
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf # exclude vulnerable protocols
echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
echo "SSLPassPhraseDialog builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
# Error page management
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
Alias /error/ "/var/www/html/"
<Directory "/usr/share/httpd/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Require all granted
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/error.php?error=400
ErrorDocument 401 /error/error.php?error=401
ErrorDocument 403 /error/error.php?error=403
ErrorDocument 404 /error/index.php
ErrorDocument 405 /error/error.php?error=405
ErrorDocument 408 /error/error.php?error=408
ErrorDocument 410 /error/error.php?error=410
ErrorDocument 411 /error/error.php?error=411
ErrorDocument 412 /error/error.php?error=412
ErrorDocument 413 /error/error.php?error=413
ErrorDocument 414 /error/error.php?error=414
ErrorDocument 415 /error/error.php?error=415
ErrorDocument 500 /error/error.php?error=500
ErrorDocument 501 /error/error.php?error=501
ErrorDocument 502 /error/error.php?error=502
ErrorDocument 503 /error/error.php?error=503
ErrorDocument 506 /error/error.php?error=506
EOF
[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
cat <<EOF > /usr/share/httpd/error/include/bottom.html
</body>
</html>
EOF
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
 
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
 
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
 
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
 
/usr/bin/systemctl start lighttpd
 
# Définition du premier compte lié au profil 'admin'
if [ "$mode" = "install" ]
then
header_install
admin_portal=!
PTN='^[a-zA-Z0-9-]*$'
until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
do
header_install
if [ $Lang == "fr" ]
then
echo ""
echo "Définissez un premier compte d'administration d'ALCASAR :"
echo
echo -n "Nom : "
else
echo ""
echo "Define the first account allow to administrate ALCASAR :"
echo
echo -n "Account : "
fi
read admin_portal
if [ "$admin_portal" == "" ]
then
admin_portal=!
fi
done
# Creation of keys file for the admin account ("admin")
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
mkdir -p $DIR_DEST_ETC/digest
chmod 755 $DIR_DEST_ETC/digest
until [ -s $DIR_DEST_ETC/digest/key_admin ]
do
/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
done
$DIR_DEST_BIN/alcasar-profil.sh --list
do
$DIR_DEST_BIN/alcasar-profil.sh --add admin
done
fi
# ACC partitioning
rm -f /etc/httpd/conf/webapps.d/alcasar*
cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_WEB>
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_WEB/certs>
AddType application/x-x509-ca-cert crt
</Directory>
<Directory $DIR_ACC>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_all
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/admin>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_admin
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/manager>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_manager
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/backup>
SSLRequireSSL
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
Alias /save/ "$DIR_SAVE/"
<Directory $DIR_SAVE>
SSLRequireSSL
Options Indexes
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
EOF
 
# Launch after coova (in order to wait tun0 to be up)
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
# Log file for ACC access imputability
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
chown root:apache /var/Save/security/acc_access.log
962,33 → 819,12
 
##########################################################################
## Fonction "CA" ##
## - Creating the CA and the server certificate (apache) ##
## - Creating the CA and the server certificate (lighttpd) ##
##########################################################################
CA ()
{
$DIR_DEST_BIN/alcasar-CA.sh
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
cat <<EOF > $FIC_VIRTUAL_SSL
# default SSL virtual host, used for all HTTPS requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
 
<VirtualHost _default_:443>
# general configuration
ServerAdmin root@localhost
ServerName $HOSTNAME.$DOMAIN
 
# SSL configuration
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
CustomLog logs/ssl_request_log \
"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
ErrorLog logs/ssl_error_log
ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
</VirtualHost>
EOF
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
} # End of CA ()
1935,7 → 1771,7
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
} # End fail2ban()
 
##################################################################
2146,7 → 1982,7
# Log compression
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
# actualisation des fichiers logs compressés
for dir in firewall dansguardian httpd
for dir in firewall dansguardian lighttpd
do
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
done
2176,7 → 2012,7
WantedBy=multi-user.target
EOF
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
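Review bot: The web listener is now pinned by name instead of address — `server.bind = "$HOSTNAME.$DOMAIN"` (set twice, via the `^#server\.bind` and `^server\.bind` seds) and `$SERVER["socket"] == "$HOSTNAME.$DOMAIN:443"` — whereas the removed Apache lines used `Listen $PRIVATE_IP:80` and `Listen $PRIVATE_IP:443 # Listen only on INTIF`, so the "internal interface only" property now depends on what that name resolves to when lighttpd starts; binding to `"$PRIVATE_IP"` in both seds keeps the original guarantee. Separately, the backup guard `[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default` tests the source rather than the copy (unlike the three lighttpd lines just above it) and so never creates the `.default` file; it should read `[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default`. The php-fpm socket (`listen.owner = apache`, `listen.mode = 0660`), `chown root:apache /var/Save/security/acc_access.log` and the `chown -R root:apache /etc/pki` / `chmod -R 750` left in CA() all assume lighttpd and php-fpm run as the `apache` user — worth confirming against the distribution's `server.username` default, since a mismatch would either break FastCGI and TLS-key access or tempt someone to loosen those modes. The Apache-side controls removed here (per-directory digest auth on `$DIR_ACC/admin`, `manager`, `backup`, `Allow from $PRIVATE_NETWORK_MASK`, `SSLRequireSSL`, `SSLProtocol all -SSLv2 -SSLv3` and the cipher list) are presumably re-expressed in `$DIR_CONF/lighttpd/vhosts.d/alcasar.conf`, which this diff does not show, so that file is where equivalence needs to be checked. Finally `systemctl start lighttpd` now runs before `rm -rf $DIR_DEST_ETC/digest` and the `htdigest -c ... key_admin` loop, so the ACC is served for a moment with no admin credential file present; moving the start after the digest block closes that window.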