Rev 2887 | Rev 2888 | ||
---|---|---|---|
1 | #!/bin/bash |
1 | #!/bin/bash |
2 | # $Id: alcasar.sh |
2 | # $Id: alcasar.sh 2888 2020-11-29 18:13:41Z rexy $ |
3 | 3 | ||
4 | # alcasar.sh |
4 | # alcasar.sh |
5 | # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
5 | # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
6 | # This script is distributed under the Gnu General Public License (GPL) |
6 | # This script is distributed under the Gnu General Public License (GPL) |
7 | # team@alcasar.net |
7 | # team@alcasar.net |
8 | 8 | ||
9 | # ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
9 | # ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
10 | # Ce programme est un logiciel libre ; This software is free and open source |
10 | # Ce programme est un logiciel libre ; This software is free and open source |
11 | # elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
11 | # elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
12 | # Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
12 | # Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
13 | # sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
13 | # sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
14 | # Voir la Licence Publique Générale GNU pour plus de détails. |
14 | # Voir la Licence Publique Générale GNU pour plus de détails. |
15 | 15 | ||
16 | # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
16 | # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
17 | # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
17 | # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
18 | # Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
18 | # Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
19 | # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
19 | # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
20 | 20 | ||
21 | # Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump |
21 | # Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump |
22 | 22 | ||
23 | # Options : |
23 | # Options : |
24 | # -i or --install |
24 | # -i or --install |
25 | # -u or --uninstall |
25 | # -u or --uninstall |
26 | # Functions : |
26 | # Functions : |
27 | # testing : connectivity tests, free space test and mageia version test |
27 | # testing : connectivity tests, free space test and mageia version test |
28 | # init : Installation of RPM and scripts |
28 | # init : Installation of RPM and scripts |
29 | # network : Network parameters |
29 | # network : Network parameters |
30 | # ACC : ALCASAR Control Center installation |
30 | # ACC : ALCASAR Control Center installation |
31 | # CA : Certification Authority initialization |
31 | # CA : Certification Authority initialization |
32 | # time_server : NTPd configuration |
32 | # time_server : NTPd configuration |
33 | # init_db : Initilization of radius database managed with MariaDB |
33 | # init_db : Initilization of radius database managed with MariaDB |
34 | # freeradius : FreeRadius initialisation |
34 | # freeradius : FreeRadius initialisation |
35 | # chilli : coovachilli initialisation (+authentication page) |
35 | # chilli : coovachilli initialisation (+authentication page) |
36 | # e2guardian : E2Guardian filtering HTTP proxy configuration |
36 | # e2guardian : E2Guardian filtering HTTP proxy configuration |
37 | # antivirus : clamav & freshclam configuration |
37 | # antivirus : clamav & freshclam configuration |
38 | # ulogd : log system in userland (match NFLOG target of iptables) |
38 | # ulogd : log system in userland (match NFLOG target of iptables) |
39 | # nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
39 | # nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
40 | # unbound : Name server configuration |
40 | # unbound : Name server configuration |
41 | # dnsmasq : Name server configuration (for whitelist ipset support) |
41 | # dnsmasq : Name server configuration (for whitelist ipset support) |
42 | # vnstat : little network stat daemon |
42 | # vnstat : little network stat daemon |
43 | # BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
43 | # BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
44 | # cron : Logs export + watchdog + connexion statistics |
44 | # cron : Logs export + watchdog + connexion statistics |
45 | # fail2ban : Fail2ban IDS installation and configuration |
45 | # fail2ban : Fail2ban IDS installation and configuration |
46 | # gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
46 | # gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
47 | # msec : Mandriva security package configuration |
47 | # msec : Mandriva security package configuration |
48 | # letsencrypt : Let's Encrypt client |
48 | # letsencrypt : Let's Encrypt client |
49 | # post_install : Security, log rotation, etc. |
49 | # post_install : Security, log rotation, etc. |
50 | 50 | ||
51 | DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
51 | DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
52 | DATE=`date '+%d %B %Y - %Hh%M'` |
52 | DATE=`date '+%d %B %Y - %Hh%M'` |
53 | DATE_SHORT=`date '+%d/%m/%Y'` |
53 | DATE_SHORT=`date '+%d/%m/%Y'` |
54 | Lang=`echo $LANG|cut -c 1-2` |
54 | Lang=`echo $LANG|cut -c 1-2` |
55 | mode="install" |
55 | mode="install" |
56 | # ******* Files parameters - paramètres fichiers ********* |
56 | # ******* Files parameters - paramètres fichiers ********* |
57 | DIR_INSTALL=`pwd` # current directory |
57 | DIR_INSTALL=`pwd` # current directory |
58 | DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
58 | DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
59 | DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
59 | DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
60 | DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
60 | DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
61 | DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
61 | DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
62 | DIR_WEB="/var/www/html" # directory of Lighttpd |
62 | DIR_WEB="/var/www/html" # directory of Lighttpd |
63 | DIR_DG="/etc/e2guardian" # directory of E2Guardian |
63 | DIR_DG="/etc/e2guardian" # directory of E2Guardian |
64 | DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
64 | DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
65 | DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
65 | DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
66 | DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
66 | DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
67 | DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance) |
67 | DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance) |
68 | CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
68 | CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
69 | PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
69 | PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
70 | # ******* DBMS parameters - paramètres SGBD ******** |
70 | # ******* DBMS parameters - paramètres SGBD ******** |
71 | DB_RADIUS="radius" # database name used by FreeRadius server |
71 | DB_RADIUS="radius" # database name used by FreeRadius server |
72 | DB_USER="radius" # user name allows to request the users database |
72 | DB_USER="radius" # user name allows to request the users database |
73 | DB_GAMMU="gammu" # database name used by Gammu-smsd |
73 | DB_GAMMU="gammu" # database name used by Gammu-smsd |
74 | # ******* Network parameters - paramètres réseau ******* |
74 | # ******* Network parameters - paramètres réseau ******* |
75 | HOSTNAME="alcasar" # default hostname |
75 | HOSTNAME="alcasar" # default hostname |
76 | DOMAIN="localdomain" # default local domain |
76 | DOMAIN="localdomain" # default local domain |
77 | EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI) |
77 | EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI) |
78 | INTIF='' # INTIF is connected to the consultation network |
78 | INTIF='' # INTIF is connected to the consultation network |
79 | MTU="1500" |
79 | MTU="1500" |
80 | DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address |
80 | DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address |
81 | # ****** Paths - chemin des commandes ******* |
81 | # ****** Paths - chemin des commandes ******* |
82 | SED="/bin/sed -i" |
82 | SED="/bin/sed -i" |
83 | # ****************** End of global parameters ********************* |
83 | # ****************** End of global parameters ********************* |
84 | 84 | ||
85 | license() |
85 | license() |
86 | { |
86 | { |
87 | if [ $Lang == "fr" ] |
87 | if [ $Lang == "fr" ] |
88 | then |
88 | then |
89 | cat $DIR_INSTALL/gpl-warning.fr.txt | more |
89 | cat $DIR_INSTALL/gpl-warning.fr.txt | more |
90 | else |
90 | else |
91 | cat $DIR_INSTALL/gpl-warning.txt | more |
91 | cat $DIR_INSTALL/gpl-warning.txt | more |
92 | fi |
92 | fi |
93 | response=0 |
93 | response=0 |
94 | PTN='^[oOyYnN]?$' |
94 | PTN='^[oOyYnN]?$' |
95 | until [[ "$response" =~ $PTN ]] |
95 | until [[ "$response" =~ $PTN ]] |
96 | do |
96 | do |
97 | if [ $Lang == "fr" ] |
97 | if [ $Lang == "fr" ] |
98 | then echo -n "Acceptez-vous les termes de cette licence (O/n)? : " |
98 | then echo -n "Acceptez-vous les termes de cette licence (O/n)? : " |
99 | else echo -n "Do you accept the terms of this license (Y/n)? : " |
99 | else echo -n "Do you accept the terms of this license (Y/n)? : " |
100 | fi |
100 | fi |
101 | read response |
101 | read response |
102 | done |
102 | done |
103 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
103 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
104 | then |
104 | then |
105 | exit 1 |
105 | exit 1 |
106 | fi |
106 | fi |
107 | } # End of license() |
107 | } # End of license() |
108 | 108 | ||
109 | header_install() |
109 | header_install() |
110 | { |
110 | { |
111 | clear |
111 | clear |
112 | echo "-----------------------------------------------------------------------------" |
112 | echo "-----------------------------------------------------------------------------" |
113 | echo " ALCASAR V$VERSION Installation" |
113 | echo " ALCASAR V$VERSION Installation" |
114 | echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau" |
114 | echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau" |
115 | echo "-----------------------------------------------------------------------------" |
115 | echo "-----------------------------------------------------------------------------" |
116 | } # End of header_install() |
116 | } # End of header_install() |
117 | 117 | ||
118 | ######################################################## |
118 | ######################################################## |
119 | ## Function "testing_system" ## |
119 | ## Function "testing_system" ## |
120 | ## - Test Mageia version ## |
120 | ## - Test Mageia version ## |
121 | ## - Test ALCASAR version (if already installed) ## |
121 | ## - Test ALCASAR version (if already installed) ## |
122 | ## - Test free space on /var (>10G) ## |
122 | ## - Test free space on /var (>10G) ## |
123 | ## - Test Internet access ## |
123 | ## - Test Internet access ## |
124 | ######################################################## |
124 | ######################################################## |
125 | testing_system() |
125 | testing_system() |
126 | { |
126 | { |
127 | # Test of Mageia version |
127 | # Test of Mageia version |
128 | # extract the current Mageia version and hardware architecture (i586 ou X64) |
128 | # extract the current Mageia version and hardware architecture (i586 ou X64) |
129 | fic=`cat /etc/product.id` |
129 | fic=`cat /etc/product.id` |
130 | unknown_os=0 |
130 | unknown_os=0 |
131 | old="$IFS" |
131 | old="$IFS" |
132 | IFS="," |
132 | IFS="," |
133 | set $fic |
133 | set $fic |
134 | for i in "$@" |
134 | for i in "$@" |
135 | do |
135 | do |
136 | if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
136 | if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
137 | then |
137 | then |
138 | DISTRIBUTION=`echo $i|cut -d"=" -f2` |
138 | DISTRIBUTION=`echo $i|cut -d"=" -f2` |
139 | unknown_os=`expr $unknown_os + 1` |
139 | unknown_os=`expr $unknown_os + 1` |
140 | fi |
140 | fi |
141 | if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
141 | if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
142 | then |
142 | then |
143 | CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
143 | CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
144 | unknown_os=`expr $unknown_os + 1` |
144 | unknown_os=`expr $unknown_os + 1` |
145 | fi |
145 | fi |
146 | if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
146 | if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
147 | then |
147 | then |
148 | ARCH=`echo $i|cut -d"=" -f2` |
148 | ARCH=`echo $i|cut -d"=" -f2` |
149 | unknown_os=`expr $unknown_os + 1` |
149 | unknown_os=`expr $unknown_os + 1` |
150 | fi |
150 | fi |
151 | done |
151 | done |
152 | if [ "$ARCH" != "x86_64" ] |
152 | if [ "$ARCH" != "x86_64" ] |
153 | then |
153 | then |
154 | if [ $Lang == "fr" ] |
154 | if [ $Lang == "fr" ] |
155 | then echo "Votre architecture matérielle doit être en 64bits" |
155 | then echo "Votre architecture matérielle doit être en 64bits" |
156 | else echo "You hardware architecture must be 64bits" |
156 | else echo "You hardware architecture must be 64bits" |
157 | fi |
157 | fi |
158 | exit 1 |
158 | exit 1 |
159 | fi |
159 | fi |
160 | IFS="$old" |
160 | IFS="$old" |
161 | if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]] |
161 | if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]] |
162 | then |
162 | then |
163 | if [ -e /var/tmp/alcasar-conf.tar.gz ] # update |
163 | if [ -e /var/tmp/alcasar-conf.tar.gz ] # update |
164 | then |
164 | then |
165 | echo |
165 | echo |
166 | if [ $Lang == "fr" ] |
166 | if [ $Lang == "fr" ] |
167 | then |
167 | then |
168 | echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée." |
168 | echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée." |
169 | echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC" |
169 | echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC" |
170 | echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)" |
170 | echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)" |
171 | echo "3 - Importez votre base des usagers" |
171 | echo "3 - Importez votre base des usagers" |
172 | else |
172 | else |
173 | echo "The automatic update of ALCASAR can't be performed." |
173 | echo "The automatic update of ALCASAR can't be performed." |
174 | echo "1 - Save your traceability files and the user database" |
174 | echo "1 - Save your traceability files and the user database" |
175 | echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)" |
175 | echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)" |
176 | echo "3 - Import your users database" |
176 | echo "3 - Import your users database" |
177 | fi |
177 | fi |
178 | else |
178 | else |
179 | if [ $Lang == "fr" ] |
179 | if [ $Lang == "fr" ] |
180 | then echo "L'installation d'ALCASAR ne peut pas être réalisée." |
180 | then echo "L'installation d'ALCASAR ne peut pas être réalisée." |
181 | else echo "The installation of ALCASAR can't be performed." |
181 | else echo "The installation of ALCASAR can't be performed." |
182 | fi |
182 | fi |
183 | fi |
183 | fi |
184 | echo |
184 | echo |
185 | if [ $Lang == "fr" ] |
185 | if [ $Lang == "fr" ] |
186 | then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)" |
186 | then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)" |
187 | else echo "The OS must be replaced (Mageia7.1-64bits)" |
187 | else echo "The OS must be replaced (Mageia7.1-64bits)" |
188 | fi |
188 | fi |
189 | exit 1 |
189 | exit 1 |
190 | fi |
190 | fi |
191 | 191 | ||
192 | # Test if ALCASAR is already installed |
192 | # Test if ALCASAR is already installed |
193 | if [ -e $CONF_FILE ] |
193 | if [ -e $CONF_FILE ] |
194 | then |
194 | then |
195 | current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2` |
195 | current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2` |
196 | if [ $Lang == "fr" ] |
196 | if [ $Lang == "fr" ] |
197 | then echo "La version $current_version d'ALCASAR est déjà installée" |
197 | then echo "La version $current_version d'ALCASAR est déjà installée" |
198 | else echo "ALCASAR version $current_version is already installed" |
198 | else echo "ALCASAR version $current_version is already installed" |
199 | fi |
199 | fi |
200 | response=0 |
200 | response=0 |
201 | PTN='^[12]$' |
201 | PTN='^[12]$' |
202 | until [[ "$response" =~ $PTN ]] |
202 | until [[ "$response" =~ $PTN ]] |
203 | do |
203 | do |
204 | if [ $Lang == "fr" ] |
204 | if [ $Lang == "fr" ] |
205 | then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : " |
205 | then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : " |
206 | else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : " |
206 | else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : " |
207 | fi |
207 | fi |
208 | read response |
208 | read response |
209 | done |
209 | done |
210 | if [ "$response" = "2" ] |
210 | if [ "$response" = "2" ] |
211 | then |
211 | then |
212 | rm -f /var/tmp/alcasar-conf* |
212 | rm -f /var/tmp/alcasar-conf* |
213 | else |
213 | else |
214 | # Create the archive of conf files |
214 | # Create the archive of conf files |
215 | $DIR_SCRIPTS/alcasar-conf.sh --create |
215 | $DIR_SCRIPTS/alcasar-conf.sh --create |
216 | mode="update" |
216 | mode="update" |
217 | fi |
217 | fi |
218 | fi |
218 | fi |
219 | # Free /var (when updating) and test free space |
219 | # Free /var (when updating) and test free space |
220 | [ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database |
220 | [ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database |
221 | [ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database |
221 | [ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database |
222 | journalctl -q --vacuum-files 1 # remove previous journal logs |
222 | journalctl -q --vacuum-files 1 # remove previous journal logs |
223 | free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
223 | free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
224 | if [ $free_space -lt 10 ] |
224 | if [ $free_space -lt 10 ] |
225 | then |
225 | then |
226 | if [ $Lang == "fr" ] |
226 | if [ $Lang == "fr" ] |
227 | then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)" |
227 | then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)" |
228 | else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)" |
228 | else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)" |
229 | fi |
229 | fi |
230 | exit 0 |
230 | exit 0 |
231 | fi |
231 | fi |
232 | } # End of testing_system |
232 | } # End of testing_system |
233 | 233 | ||
234 | ######################################################## |
234 | ######################################################## |
235 | ## Function "testing_network" ## |
235 | ## Function "testing_network" ## |
236 | ## - Test Internet access ## |
236 | ## - Test Internet access ## |
237 | ######################################################## |
237 | ######################################################## |
238 | testing_network() |
238 | testing_network() |
239 | { |
239 | { |
240 | # Detect external/internal interfaces |
240 | # Detect external/internal interfaces |
241 | if [ -z "$EXTIF" ]; then |
241 | if [ -z "$EXTIF" ]; then |
242 | EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}') |
242 | EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}') |
243 | if [ -z "$EXTIF" ]; then |
243 | if [ -z "$EXTIF" ]; then |
244 | if [ "$Lang" == 'fr' ] |
244 | if [ "$Lang" == 'fr' ] |
245 | then echo "Aucune passerelle par défaut configurée" |
245 | then echo "Aucune passerelle par défaut configurée" |
246 | else echo "No default gateway configured" |
246 | else echo "No default gateway configured" |
247 | fi |
247 | fi |
248 | exit 1 |
248 | exit 1 |
249 | fi |
249 | fi |
250 | fi |
250 | fi |
251 | if [ "$Lang" == 'fr' ] |
251 | if [ "$Lang" == 'fr' ] |
252 | then echo "Interface externe (Internet) utilisée : $EXTIF" |
252 | then echo "Interface externe (Internet) utilisée : $EXTIF" |
253 | else echo "External interface (Internet) used: $EXTIF" |
253 | else echo "External interface (Internet) used: $EXTIF" |
254 | fi |
254 | fi |
255 | 255 | ||
256 | if [ -z "$INTIF" ]; then |
256 | if [ -z "$INTIF" ]; then |
257 | interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$") |
257 | interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$") |
258 | interfacesCount=$(echo "$interfacesList" | wc -w) |
258 | interfacesCount=$(echo "$interfacesList" | wc -w) |
259 | if [ $interfacesCount -eq 0 ]; then |
259 | if [ $interfacesCount -eq 0 ]; then |
260 | if [ "$Lang" == 'fr' ] |
260 | if [ "$Lang" == 'fr' ] |
261 | then echo "Aucune interface de disponible pour le réseau interne" |
261 | then echo "Aucune interface de disponible pour le réseau interne" |
262 | else echo "No interface available for the internal network" |
262 | else echo "No interface available for the internal network" |
263 | fi |
263 | fi |
264 | exit 1 |
264 | exit 1 |
265 | elif [ $interfacesCount -eq 1 ]; then |
265 | elif [ $interfacesCount -eq 1 ]; then |
266 | INTIF="$interfacesList" |
266 | INTIF="$interfacesList" |
267 | else |
267 | else |
268 | interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1) |
268 | interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1) |
269 | interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1) |
269 | interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1) |
270 | if [ "$Lang" == 'fr' ] |
270 | if [ "$Lang" == 'fr' ] |
271 | then echo 'Liste des interfaces disponible :' |
271 | then echo 'Liste des interfaces disponible :' |
272 | else echo 'List of available interfaces:' |
272 | else echo 'List of available interfaces:' |
273 | fi |
273 | fi |
274 | echo "$interfacesSorted" |
274 | echo "$interfacesSorted" |
275 | response='' |
275 | response='' |
276 | while true; do |
276 | while true; do |
277 | if [ "$Lang" == 'fr' ] |
277 | if [ "$Lang" == 'fr' ] |
278 | then echo -n "Choix de l'interface interne ? [$interfacePreferred] " |
278 | then echo -n "Choix de l'interface interne ? [$interfacePreferred] " |
279 | else echo -n "Choice of internal interface ? [$interfacePreferred] " |
279 | else echo -n "Choice of internal interface ? [$interfacePreferred] " |
280 | fi |
280 | fi |
281 | read response |
281 | read response |
282 | 282 | ||
283 | [ -z "$response" ] && response="$interfacePreferred" |
283 | [ -z "$response" ] && response="$interfacePreferred" |
284 | 284 | ||
285 | # Check if interface exist |
285 | # Check if interface exist |
286 | if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then |
286 | if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then |
287 | INTIF="$response" |
287 | INTIF="$response" |
288 | break |
288 | break |
289 | else |
289 | else |
290 | if [ "$Lang" == 'fr' ] |
290 | if [ "$Lang" == 'fr' ] |
291 | then echo "Interface \"$response\" introuvable" |
291 | then echo "Interface \"$response\" introuvable" |
292 | else echo "Interface \"$response\" not found" |
292 | else echo "Interface \"$response\" not found" |
293 | fi |
293 | fi |
294 | fi |
294 | fi |
295 | done |
295 | done |
296 | fi |
296 | fi |
297 | fi |
297 | fi |
298 | if [ "$Lang" == 'fr' ] |
298 | if [ "$Lang" == 'fr' ] |
299 | then echo "Interface interne utilisée : $INTIF" |
299 | then echo "Interface interne utilisée : $INTIF" |
300 | else echo "Internal interface used: $INTIF" |
300 | else echo "Internal interface used: $INTIF" |
301 | fi |
301 | fi |
302 | 302 | ||
303 | if [ $Lang == "fr" ] |
303 | if [ $Lang == "fr" ] |
304 | then echo -n "Tests des paramètres réseau : " |
304 | then echo -n "Tests des paramètres réseau : " |
305 | else echo -n "Network parameters tests: " |
305 | else echo -n "Network parameters tests: " |
306 | fi |
306 | fi |
307 | # Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles) |
307 | # Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles) |
308 | cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; } |
308 | cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; } |
309 | IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
309 | IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
310 | for i in $IF_INTERFACES |
310 | for i in $IF_INTERFACES |
311 | do |
311 | do |
312 | if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then |
312 | if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then |
313 | rm -f ifcfg-$i |
313 | rm -f ifcfg-$i |
314 | 314 | ||
315 | if [ $Lang == "fr" ] |
315 | if [ $Lang == "fr" ] |
316 | then echo "Suppression : ifcfg-$i" |
316 | then echo "Suppression : ifcfg-$i" |
317 | else echo "Deleting: ifcfg-$i" |
317 | else echo "Deleting: ifcfg-$i" |
318 | fi |
318 | fi |
319 | fi |
319 | fi |
320 | done |
320 | done |
321 | cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
321 | cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
322 | echo -n "." |
322 | echo -n "." |
323 | # Test Ethernet NIC links state |
323 | # Test Ethernet NIC links state |
324 | interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1) |
324 | interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1) |
325 | if [ ! -z "$interfacesDown" ]; then |
325 | if [ ! -z "$interfacesDown" ]; then |
326 | for i in $interfacesDown; do |
326 | for i in $interfacesDown; do |
327 | if [ $Lang == "fr" ] |
327 | if [ $Lang == "fr" ] |
328 | then |
328 | then |
329 | echo -e "\nÉchec" |
329 | echo -e "\nÉchec" |
330 | echo "Le lien réseau de la carte $i n'est pas actif." |
330 | echo "Le lien réseau de la carte $i n'est pas actif." |
331 | echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)" |
331 | echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)" |
332 | else |
332 | else |
333 | echo -e "\nFailed" |
333 | echo -e "\nFailed" |
334 | echo "The link state of $i interface is down." |
334 | echo "The link state of $i interface is down." |
335 | echo "Make sure that this network card is connected to a switch or an A.P." |
335 | echo "Make sure that this network card is connected to a switch or an A.P." |
336 | fi |
336 | fi |
337 | done |
337 | done |
338 | exit 1 |
338 | exit 1 |
339 | fi |
339 | fi |
340 | echo -n "." |
340 | echo -n "." |
341 | # Test EXTIF config files |
341 | # Test EXTIF config files |
342 | PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'` |
342 | PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'` |
343 | PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1` |
343 | PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1` |
344 | PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'` |
344 | PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'` |
345 | if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ] |
345 | if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ] |
346 | then |
346 | then |
347 | if [ $Lang == "fr" ] |
347 | if [ $Lang == "fr" ] |
348 | then |
348 | then |
349 | echo -e "\nÉchec" |
349 | echo -e "\nÉchec" |
350 | echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
350 | echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
351 | echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
351 | echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
352 | echo "Appliquez les changements : 'systemctl restart network'" |
352 | echo "Appliquez les changements : 'systemctl restart network'" |
353 | else |
353 | else |
354 | echo -e "\nFailed" |
354 | echo -e "\nFailed" |
355 | echo "The Internet connected network card ($EXTIF) isn't well configured." |
355 | echo "The Internet connected network card ($EXTIF) isn't well configured." |
356 | echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
356 | echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
357 | echo "Apply the new configuration: 'systemctl restart network'" |
357 | echo "Apply the new configuration: 'systemctl restart network'" |
358 | fi |
358 | fi |
359 | echo "DEVICE=$EXTIF" |
359 | echo "DEVICE=$EXTIF" |
360 | echo "IPADDR=" |
360 | echo "IPADDR=" |
361 | echo "NETMASK=" |
361 | echo "NETMASK=" |
362 | echo "GATEWAY=" |
362 | echo "GATEWAY=" |
363 | echo "DNS1=" |
363 | echo "DNS1=" |
364 | echo "DNS2=" |
364 | echo "DNS2=" |
365 | echo "ONBOOT=yes" |
365 | echo "ONBOOT=yes" |
366 | exit 1 |
366 | exit 1 |
367 | fi |
367 | fi |
368 | echo -n "." |
368 | echo -n "." |
369 | # Test if default GW is set on EXTIF (router or ISP provider equipment) |
369 | # Test if default GW is set on EXTIF (router or ISP provider equipment) |
370 | if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then |
370 | if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then |
371 | if [ $Lang == "fr" ] |
371 | if [ $Lang == "fr" ] |
372 | then |
372 | then |
373 | echo -e "\nÉchec" |
373 | echo -e "\nÉchec" |
374 | echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte." |
374 | echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte." |
375 | echo "Réglez ce problème puis relancez ce script." |
375 | echo "Réglez ce problème puis relancez ce script." |
376 | else |
376 | else |
377 | echo -e "\nFailed" |
377 | echo -e "\nFailed" |
378 | echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card" |
378 | echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card" |
379 | echo "Resolv this problem, then restart this script." |
379 | echo "Resolv this problem, then restart this script." |
380 | fi |
380 | fi |
381 | exit 1 |
381 | exit 1 |
382 | fi |
382 | fi |
383 | echo -n "." |
383 | echo -n "." |
384 | # Test if default GW is alive |
384 | # Test if default GW is alive |
385 | arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
385 | arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
386 | if [ "$(expr $arp_reply)" -eq 0 ] |
386 | if [ "$(expr $arp_reply)" -eq 0 ] |
387 | then |
387 | then |
388 | if [ $Lang == "fr" ] |
388 | if [ $Lang == "fr" ] |
389 | then |
389 | then |
390 | echo -e "\nÉchec" |
390 | echo -e "\nÉchec" |
391 | echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas." |
391 | echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas." |
392 | echo "Réglez ce problème puis relancez ce script." |
392 | echo "Réglez ce problème puis relancez ce script." |
393 | else |
393 | else |
394 | echo -e "\nFailed" |
394 | echo -e "\nFailed" |
395 | echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered." |
395 | echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered." |
396 | echo "Resolv this problem, then restart this script." |
396 | echo "Resolv this problem, then restart this script." |
397 | fi |
397 | fi |
398 | exit 1 |
398 | exit 1 |
399 | fi |
399 | fi |
400 | echo -n "." |
400 | echo -n "." |
401 | # Test Internet connectivity |
401 | # Test Internet connectivity |
402 | domainTested='www.google.com' |
402 | domainTested='www.google.com' |
403 | /usr/bin/curl -s --head "$domainTested" &>/dev/null |
403 | /usr/bin/curl -s --head "$domainTested" &>/dev/null |
404 | if [ $? -ne 0 ]; then |
404 | if [ $? -ne 0 ]; then |
405 | if [ $Lang == "fr" ] |
405 | if [ $Lang == "fr" ] |
406 | then |
406 | then |
407 | echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)." |
407 | echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)." |
408 | echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI." |
408 | echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI." |
409 | echo "Vérifiez la validité des adresses IP des DNS." |
409 | echo "Vérifiez la validité des adresses IP des DNS." |
410 | else |
410 | else |
411 | echo -e "\nThe Internet connection try failed ($domainTested)." |
411 | echo -e "\nThe Internet connection try failed ($domainTested)." |
412 | echo "Please, verify that the $EXTIF card is connected with the Internet gateway." |
412 | echo "Please, verify that the $EXTIF card is connected with the Internet gateway." |
413 | echo "Verify the DNS IP addresses" |
413 | echo "Verify the DNS IP addresses" |
414 | fi |
414 | fi |
415 | exit 1 |
415 | exit 1 |
416 | fi |
416 | fi |
417 | echo ". : ok" |
417 | echo ". : ok" |
418 | } # End of testing_network() |
418 | } # End of testing_network() |
419 | 419 | ||
420 | ####################################################################### |
420 | ####################################################################### |
421 | ## Function "init" ## |
421 | ## Function "init" ## |
422 | ## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
422 | ## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
423 | ## - Creation of random password for GRUB, mariadb (admin and user) ## |
423 | ## - Creation of random password for GRUB, mariadb (admin and user) ## |
424 | ####################################################################### |
424 | ####################################################################### |
425 | init() |
425 | init() |
426 | { |
426 | { |
427 | if [ "$mode" != "update" ] |
427 | if [ "$mode" != "update" ] |
428 | then |
428 | then |
429 | # On affecte le nom d'organisme |
429 | # On affecte le nom d'organisme |
430 | header_install |
430 | header_install |
431 | ORGANISME=! |
431 | ORGANISME=! |
432 | PTN='^[a-zA-Z0-9-]*$' |
432 | PTN='^[a-zA-Z0-9-]*$' |
433 | until [[ "$ORGANISME" =~ $PTN ]] |
433 | until [[ "$ORGANISME" =~ $PTN ]] |
434 | do |
434 | do |
435 | if [ $Lang == "fr" ] |
435 | if [ $Lang == "fr" ] |
436 | then echo -n "Entrez le nom de votre organisme : " |
436 | then echo -n "Entrez le nom de votre organisme : " |
437 | else echo -n "Enter the name of your organism : " |
437 | else echo -n "Enter the name of your organism : " |
438 | fi |
438 | fi |
439 | read ORGANISME |
439 | read ORGANISME |
440 | if [ "$ORGANISME" == "" ] |
440 | if [ "$ORGANISME" == "" ] |
441 | then |
441 | then |
442 | ORGANISME=! |
442 | ORGANISME=! |
443 | fi |
443 | fi |
444 | done |
444 | done |
445 | fi |
445 | fi |
446 | # On crée aléatoirement les mots de passe et les secrets partagés |
446 | # On crée aléatoirement les mots de passe et les secrets partagés |
447 | # We create random passwords and shared secrets |
447 | # We create random passwords and shared secrets |
448 | rm -f $PASSWD_FILE |
448 | rm -f $PASSWD_FILE |
449 | echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
449 | echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
450 | grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8` |
450 | grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8` |
451 | pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
451 | pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
452 | LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
452 | LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
453 | grep -v '[eE]nter password:' | \ |
453 | grep -v '[eE]nter password:' | \ |
454 | sed -e "s/PBKDF2 hash of your password is //"` |
454 | sed -e "s/PBKDF2 hash of your password is //"` |
455 | echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
455 | echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
456 | [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
456 | [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
457 | cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
457 | cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
458 | chmod 0600 /boot/grub2/user.cfg |
458 | chmod 0600 /boot/grub2/user.cfg |
459 | echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
459 | echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
460 | echo "GRUB2_user=root" >> $PASSWD_FILE |
460 | echo "GRUB2_user=root" >> $PASSWD_FILE |
461 | echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
461 | echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
462 | mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
462 | mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
463 | echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
463 | echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
464 | echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
464 | echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
465 | radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
465 | radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
466 | echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
466 | echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
467 | echo "db_user=$DB_USER" >> $PASSWD_FILE |
467 | echo "db_user=$DB_USER" >> $PASSWD_FILE |
468 | echo "db_password=$radiuspwd" >> $PASSWD_FILE |
468 | echo "db_password=$radiuspwd" >> $PASSWD_FILE |
469 | secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
469 | secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
470 | echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
470 | echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
471 | echo "secret_uam=$secretuam" >> $PASSWD_FILE |
471 | echo "secret_uam=$secretuam" >> $PASSWD_FILE |
472 | secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
472 | secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
473 | echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE |
473 | echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE |
474 | echo "secret_radius=$secretradius" >> $PASSWD_FILE |
474 | echo "secret_radius=$secretradius" >> $PASSWD_FILE |
475 | chmod 640 $PASSWD_FILE |
475 | chmod 640 $PASSWD_FILE |
476 | # copy scripts in in /usr/local/bin |
476 | # copy scripts in in /usr/local/bin |
477 | cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar* |
477 | cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar* |
478 | # copy conf files in /usr/local/etc |
478 | # copy conf files in /usr/local/etc |
479 | cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar* |
479 | cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar* |
480 | $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh |
480 | $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh |
481 | # generate central conf file |
481 | # generate central conf file |
482 | cat <<EOF > $CONF_FILE |
482 | cat <<EOF > $CONF_FILE |
483 | ########################################## |
483 | ########################################## |
484 | ## ## |
484 | ## ## |
485 | ## ALCASAR Parameters ## |
485 | ## ALCASAR Parameters ## |
486 | ## ## |
486 | ## ## |
487 | ########################################## |
487 | ########################################## |
488 | 488 | ||
489 | INSTALL_DATE=$DATE |
489 | INSTALL_DATE=$DATE |
490 | VERSION=$VERSION |
490 | VERSION=$VERSION |
491 | ORGANISM=$ORGANISME |
491 | ORGANISM=$ORGANISME |
492 | EOF |
492 | EOF |
493 | chmod o-rwx $CONF_FILE |
493 | chmod o-rwx $CONF_FILE |
494 | } # End of init() |
494 | } # End of init() |
495 | 495 | ||
496 | ######################################################### |
496 | ######################################################### |
497 | ## Function "network" ## |
497 | ## Function "network" ## |
498 | ## - Define the several network address ## |
498 | ## - Define the several network address ## |
499 | ## - Define the DNS naming ## |
499 | ## - Define the DNS naming ## |
500 | ## - INTIF parameters (consultation network) ## |
500 | ## - INTIF parameters (consultation network) ## |
501 | ## - Write "/etc/hosts" file ## |
501 | ## - Write "/etc/hosts" file ## |
502 | ## - write "hosts.allow" & "hosts.deny" files ## |
502 | ## - write "hosts.allow" & "hosts.deny" files ## |
503 | ######################################################### |
503 | ######################################################### |
504 | network() |
504 | network() |
505 | { |
505 | { |
506 | header_install |
506 | header_install |
507 | if [ "$mode" != "update" ] |
507 | if [ "$mode" != "update" ] |
508 | then |
508 | then |
509 | if [ $Lang == "fr" ] |
509 | if [ $Lang == "fr" ] |
510 | then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK" |
510 | then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK" |
511 | else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK" |
511 | else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK" |
512 | fi |
512 | fi |
513 | response=0 |
513 | response=0 |
514 | PTN='^[oOyYnN]?$' |
514 | PTN='^[oOyYnN]?$' |
515 | until [[ "$response" =~ $PTN ]] |
515 | until [[ "$response" =~ $PTN ]] |
516 | do |
516 | do |
517 | if [ $Lang == "fr" ] |
517 | if [ $Lang == "fr" ] |
518 | then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : " |
518 | then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : " |
519 | else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : " |
519 | else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : " |
520 | fi |
520 | fi |
521 | read response |
521 | read response |
522 | done |
522 | done |
523 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
523 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
524 | then |
524 | then |
525 | PRIVATE_IP_MASK="0" |
525 | PRIVATE_IP_MASK="0" |
526 | PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$' |
526 | PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$' |
527 | until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]] |
527 | until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]] |
528 | do |
528 | do |
529 | if [ $Lang == "fr" ] |
529 | if [ $Lang == "fr" ] |
530 | then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : " |
530 | then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : " |
531 | else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : " |
531 | else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : " |
532 | fi |
532 | fi |
533 | read PRIVATE_IP_MASK |
533 | read PRIVATE_IP_MASK |
534 | done |
534 | done |
535 | else |
535 | else |
536 | PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
536 | PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
537 | fi |
537 | fi |
538 | else |
538 | else |
539 | PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2` |
539 | PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2` |
540 | rm -rf /var/tmp/conf |
540 | rm -rf /var/tmp/conf |
541 | fi |
541 | fi |
542 | # Define LAN side global parameters |
542 | # Define LAN side global parameters |
543 | hostnamectl set-hostname $HOSTNAME.$DOMAIN |
543 | hostnamectl set-hostname $HOSTNAME.$DOMAIN |
544 | PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0) |
544 | PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0) |
545 | private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4` # last octet of LAN address |
545 | private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4` # last octet of LAN address |
546 | PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0) |
546 | PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0) |
547 | PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24) |
547 | PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24) |
548 | PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
548 | PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
549 | if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
549 | if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
550 | then |
550 | then |
551 | PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
551 | PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
552 | PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
552 | PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
553 | fi |
553 | fi |
554 | private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
554 | private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
555 | PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
555 | PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
556 | PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
556 | PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
557 | classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C |
557 | classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C |
558 | PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.) |
558 | PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.) |
559 | PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
559 | PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
560 | # Define Internet parameters |
560 | # Define Internet parameters |
561 | DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2` # 1st DNS server |
561 | DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2` # 1st DNS server |
562 | DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2` # 2nd DNS server |
562 | DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2` # 2nd DNS server |
563 | DNS1=${DNS1:=208.67.220.220} |
563 | DNS1=${DNS1:=208.67.220.220} |
564 | DNS2=${DNS2:=208.67.222.222} |
564 | DNS2=${DNS2:=208.67.222.222} |
565 | PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
565 | PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
566 | PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2` |
566 | PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2` |
567 | PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2` |
567 | PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2` |
568 | # Write network parameters in the conf file |
568 | # Write network parameters in the conf file |
569 | echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE |
569 | echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE |
570 | echo "DOMAIN=$DOMAIN" >> $CONF_FILE |
570 | echo "DOMAIN=$DOMAIN" >> $CONF_FILE |
571 | echo "EXTIF=$EXTIF" >> $CONF_FILE |
571 | echo "EXTIF=$EXTIF" >> $CONF_FILE |
572 | echo "INTIF=$INTIF" >> $CONF_FILE |
572 | echo "INTIF=$INTIF" >> $CONF_FILE |
573 | # Retrieve NIC name of other consultation LAN |
573 | # Retrieve NIC name of other consultation LAN |
574 | INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"` |
574 | INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"` |
575 | for i in $INTERFACES |
575 | for i in $INTERFACES |
576 | do |
576 | do |
577 | SUB=`echo ${i:0:2}` |
577 | SUB=`echo ${i:0:2}` |
578 | if [ $SUB = "wl" ] |
578 | if [ $SUB = "wl" ] |
579 | then WIFIF=$i |
579 | then WIFIF=$i |
580 | elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
580 | elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
581 | then LANIF=$i |
581 | then LANIF=$i |
582 | fi |
582 | fi |
583 | done |
583 | done |
584 | if [ -n "$WIFIF" ] |
584 | if [ -n "$WIFIF" ] |
585 | then echo "WIFIF=$WIFIF" >> $CONF_FILE |
585 | then echo "WIFIF=$WIFIF" >> $CONF_FILE |
586 | elif [ -n "$LANIF" ] |
586 | elif [ -n "$LANIF" ] |
587 | then echo "LANIF=$LANIF" >> $CONF_FILE |
587 | then echo "LANIF=$LANIF" >> $CONF_FILE |
588 | fi |
588 | fi |
589 | IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
589 | IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
590 | if [ $IP_SETTING == "dhcp" ] |
590 | if [ $IP_SETTING == "dhcp" ] |
591 | then |
591 | then |
592 | echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
592 | echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
593 | echo "GW=dhcp" >> $CONF_FILE |
593 | echo "GW=dhcp" >> $CONF_FILE |
594 | else |
594 | else |
595 | echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE |
595 | echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE |
596 | echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE |
596 | echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE |
597 | fi |
597 | fi |
598 | echo "DNS1=$DNS1" >> $CONF_FILE |
598 | echo "DNS1=$DNS1" >> $CONF_FILE |
599 | echo "DNS2=$DNS2" >> $CONF_FILE |
599 | echo "DNS2=$DNS2" >> $CONF_FILE |
600 | echo "PUBLIC_MTU=$MTU" >> $CONF_FILE |
600 | echo "PUBLIC_MTU=$MTU" >> $CONF_FILE |
601 | echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE |
601 | echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE |
602 | echo "DHCP=on" >> $CONF_FILE |
602 | echo "DHCP=on" >> $CONF_FILE |
603 | echo "EXT_DHCP_IP=" >> $CONF_FILE |
603 | echo "EXT_DHCP_IP=" >> $CONF_FILE |
604 | echo "RELAY_DHCP_IP=" >> $CONF_FILE |
604 | echo "RELAY_DHCP_IP=" >> $CONF_FILE |
605 | echo "RELAY_DHCP_PORT=" >> $CONF_FILE |
605 | echo "RELAY_DHCP_PORT=" >> $CONF_FILE |
606 | echo "INT_DNS_DOMAIN=" >> $CONF_FILE |
606 | echo "INT_DNS_DOMAIN=" >> $CONF_FILE |
607 | echo "INT_DNS_IP=" >> $CONF_FILE |
607 | echo "INT_DNS_IP=" >> $CONF_FILE |
608 | echo "INT_DNS_ACTIVE=off" >> $CONF_FILE |
608 | echo "INT_DNS_ACTIVE=off" >> $CONF_FILE |
609 | # network default |
609 | # network default |
610 | [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default |
610 | [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default |
611 | cat <<EOF > /etc/sysconfig/network |
611 | cat <<EOF > /etc/sysconfig/network |
612 | NETWORKING=yes |
612 | NETWORKING=yes |
613 | FORWARD_IPV4=true |
613 | FORWARD_IPV4=true |
614 | EOF |
614 | EOF |
615 | # write "/etc/hosts" |
615 | # write "/etc/hosts" |
616 | [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default |
616 | [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default |
617 | cat <<EOF > /etc/hosts |
617 | cat <<EOF > /etc/hosts |
618 | 127.0.0.1 localhost |
618 | 127.0.0.1 localhost |
619 | $PRIVATE_IP $HOSTNAME |
619 | $PRIVATE_IP $HOSTNAME |
620 | EOF |
620 | EOF |
621 | # write EXTIF (Internet) config |
621 | # write EXTIF (Internet) config |
622 | [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
622 | [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
623 | if [ $IP_SETTING == "dhcp" ] |
623 | if [ $IP_SETTING == "dhcp" ] |
624 | then |
624 | then |
625 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
625 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
626 | DEVICE=$EXTIF |
626 | DEVICE=$EXTIF |
627 | BOOTPROTO=dhcp |
627 | BOOTPROTO=dhcp |
628 | DNS1=127.0.0.1 |
628 | DNS1=127.0.0.1 |
629 | PEERDNS=no |
629 | PEERDNS=no |
630 | RESOLV_MODS=yes |
630 | RESOLV_MODS=yes |
631 | ONBOOT=yes |
631 | ONBOOT=yes |
632 | NOZEROCONF=yes |
632 | NOZEROCONF=yes |
633 | METRIC=10 |
633 | METRIC=10 |
634 | MII_NOT_SUPPORTED=yes |
634 | MII_NOT_SUPPORTED=yes |
635 | IPV6INIT=no |
635 | IPV6INIT=no |
636 | IPV6TO4INIT=no |
636 | IPV6TO4INIT=no |
637 | ACCOUNTING=no |
637 | ACCOUNTING=no |
638 | USERCTL=no |
638 | USERCTL=no |
639 | MTU=$MTU |
639 | MTU=$MTU |
640 | EOF |
640 | EOF |
641 | else |
641 | else |
642 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
642 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
643 | DEVICE=$EXTIF |
643 | DEVICE=$EXTIF |
644 | BOOTPROTO=static |
644 | BOOTPROTO=static |
645 | IPADDR=$PUBLIC_IP |
645 | IPADDR=$PUBLIC_IP |
646 | NETMASK=$PUBLIC_NETMASK |
646 | NETMASK=$PUBLIC_NETMASK |
647 | GATEWAY=$PUBLIC_GATEWAY |
647 | GATEWAY=$PUBLIC_GATEWAY |
648 | DNS1=$DNS1 |
648 | DNS1=$DNS1 |
649 | DNS2=$DNS2 |
649 | DNS2=$DNS2 |
650 | RESOLV_MODS=yes |
650 | RESOLV_MODS=yes |
651 | ONBOOT=yes |
651 | ONBOOT=yes |
652 | METRIC=10 |
652 | METRIC=10 |
653 | NOZEROCONF=yes |
653 | NOZEROCONF=yes |
654 | MII_NOT_SUPPORTED=yes |
654 | MII_NOT_SUPPORTED=yes |
655 | IPV6INIT=no |
655 | IPV6INIT=no |
656 | IPV6TO4INIT=no |
656 | IPV6TO4INIT=no |
657 | ACCOUNTING=no |
657 | ACCOUNTING=no |
658 | USERCTL=no |
658 | USERCTL=no |
659 | MTU=$MTU |
659 | MTU=$MTU |
660 | EOF |
660 | EOF |
661 | fi |
661 | fi |
662 | # write INTIF (consultation LAN) in normal mode |
662 | # write INTIF (consultation LAN) in normal mode |
663 | cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
663 | cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
664 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
664 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
665 | DEVICE=$INTIF |
665 | DEVICE=$INTIF |
666 | BOOTPROTO=static |
666 | BOOTPROTO=static |
667 | ONBOOT=yes |
667 | ONBOOT=yes |
668 | NOZEROCONF=yes |
668 | NOZEROCONF=yes |
669 | MII_NOT_SUPPORTED=yes |
669 | MII_NOT_SUPPORTED=yes |
670 | IPV6INIT=no |
670 | IPV6INIT=no |
671 | IPV6TO4INIT=no |
671 | IPV6TO4INIT=no |
672 | ACCOUNTING=no |
672 | ACCOUNTING=no |
673 | USERCTL=no |
673 | USERCTL=no |
674 | EOF |
674 | EOF |
675 | # write INTIF in bypass mode (see "alcasar-bypass.sh") |
675 | # write INTIF in bypass mode (see "alcasar-bypass.sh") |
676 | cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
676 | cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
677 | DEVICE=$INTIF |
677 | DEVICE=$INTIF |
678 | BOOTPROTO=static |
678 | BOOTPROTO=static |
679 | IPADDR=$PRIVATE_IP |
679 | IPADDR=$PRIVATE_IP |
680 | NETMASK=$PRIVATE_NETMASK |
680 | NETMASK=$PRIVATE_NETMASK |
681 | ONBOOT=yes |
681 | ONBOOT=yes |
682 | METRIC=10 |
682 | METRIC=10 |
683 | NOZEROCONF=yes |
683 | NOZEROCONF=yes |
684 | MII_NOT_SUPPORTED=yes |
684 | MII_NOT_SUPPORTED=yes |
685 | IPV6INIT=no |
685 | IPV6INIT=no |
686 | IPV6TO4INIT=no |
686 | IPV6TO4INIT=no |
687 | ACCOUNTING=no |
687 | ACCOUNTING=no |
688 | USERCTL=no |
688 | USERCTL=no |
689 | EOF |
689 | EOF |
690 | ######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode ################# |
690 | ######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode ################# |
691 | if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ] |
691 | if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ] |
692 | then |
692 | then |
693 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF |
693 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF |
694 | DEVICE=$WIFIF |
694 | DEVICE=$WIFIF |
695 | BOOTPROTO=static |
695 | BOOTPROTO=static |
696 | ONBOOT=yes |
696 | ONBOOT=yes |
697 | NOZEROCONF=yes |
697 | NOZEROCONF=yes |
698 | MII_NOT_SUPPORTED=yes |
698 | MII_NOT_SUPPORTED=yes |
699 | IPV6INIT=no |
699 | IPV6INIT=no |
700 | IPV6TO4INIT=no |
700 | IPV6TO4INIT=no |
701 | ACCOUNTING=no |
701 | ACCOUNTING=no |
702 | USERCTL=no |
702 | USERCTL=no |
703 | EOF |
703 | EOF |
704 | elif [ -n "$LANIF" ] |
704 | elif [ -n "$LANIF" ] |
705 | then |
705 | then |
706 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF |
706 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF |
707 | DEVICE=$LANIF |
707 | DEVICE=$LANIF |
708 | BOOTPROTO=static |
708 | BOOTPROTO=static |
709 | ONBOOT=yes |
709 | ONBOOT=yes |
710 | NOZEROCONF=yes |
710 | NOZEROCONF=yes |
711 | MII_NOT_SUPPORTED=yes |
711 | MII_NOT_SUPPORTED=yes |
712 | IPV6INIT=no |
712 | IPV6INIT=no |
713 | IPV6TO4INIT=no |
713 | IPV6TO4INIT=no |
714 | ACCOUNTING=no |
714 | ACCOUNTING=no |
715 | USERCTL=no |
715 | USERCTL=no |
716 | EOF |
716 | EOF |
717 | fi |
717 | fi |
718 | # write hosts.allow & hosts.deny |
718 | # write hosts.allow & hosts.deny |
719 | [ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
719 | [ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
720 | cat <<EOF > /etc/hosts.allow |
720 | cat <<EOF > /etc/hosts.allow |
721 | ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
721 | ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
722 | sshd: ALL |
722 | sshd: ALL |
723 | ntpd: $PRIVATE_NETWORK_SHORT |
723 | ntpd: $PRIVATE_NETWORK_SHORT |
724 | EOF |
724 | EOF |
725 | [ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default |
725 | [ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default |
726 | cat <<EOF > /etc/hosts.deny |
726 | cat <<EOF > /etc/hosts.deny |
727 | ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
727 | ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
728 | EOF |
728 | EOF |
729 | chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
729 | chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
730 | # create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW) |
730 | # create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW) |
731 | echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked |
731 | echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked |
732 | # load conntrack ftp module |
732 | # load conntrack ftp module |
733 | [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
733 | [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
734 | echo "nf_conntrack_ftp" >> /etc/modprobe.preload |
734 | echo "nf_conntrack_ftp" >> /etc/modprobe.preload |
735 | # load ipt_NETFLOW module |
735 | # load ipt_NETFLOW module |
736 | echo "ipt_NETFLOW" >> /etc/modprobe.preload |
736 | echo "ipt_NETFLOW" >> /etc/modprobe.preload |
737 | # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
737 | # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
738 | [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
738 | [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
739 | $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
739 | $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
740 | [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
740 | [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
741 | $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
741 | $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
742 | # |
742 | # |
743 | # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
743 | # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
744 | } # End of network() |
744 | } # End of network() |
745 | 745 | ||
746 | ################################################################## |
746 | ################################################################## |
747 | ## Fonction "CA" ## |
747 | ## Fonction "CA" ## |
748 | ## - Creating the CA and the server certificate (lighttpd) ## |
748 | ## - Creating the CA and the server certificate (lighttpd) ## |
749 | ################################################################## |
749 | ################################################################## |
750 | CA() |
750 | CA() |
751 | { |
751 | { |
752 | $DIR_DEST_BIN/alcasar-CA.sh |
752 | $DIR_DEST_BIN/alcasar-CA.sh |
753 | chmod 755 /etc/pki/ |
753 | chmod 755 /etc/pki/ |
754 | chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA |
754 | chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA |
755 | chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt |
755 | chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt |
756 | chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private |
756 | chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private |
757 | chmod 600 /etc/pki/CA/private/* |
757 | chmod 600 /etc/pki/CA/private/* |
758 | chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private |
758 | chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private |
759 | chmod 640 /etc/pki/tls/private/* |
759 | chmod 640 /etc/pki/tls/private/* |
760 | chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
760 | chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
761 | } # End of CA() |
761 | } # End of CA() |
762 | 762 | ||
763 | ################################################### |
763 | ################################################### |
764 | ## Function "ACC" ## |
764 | ## Function "ACC" ## |
765 | ## - copy ALCASAR Control Center (ACC) files ## |
765 | ## - copy ALCASAR Control Center (ACC) files ## |
766 | ## - configuration of the web server (Lighttpd) ## |
766 | ## - configuration of the web server (Lighttpd) ## |
767 | ## - creation of the first ACC admin account ## |
767 | ## - creation of the first ACC admin account ## |
768 | ## - secure the ACC access ## |
768 | ## - secure the ACC access ## |
769 | ################################################### |
769 | ################################################### |
770 | ACC() |
770 | ACC() |
771 | { |
771 | { |
772 | [ -d $DIR_WEB ] && rm -rf $DIR_WEB |
772 | [ -d $DIR_WEB ] && rm -rf $DIR_WEB |
773 | mkdir $DIR_WEB |
773 | mkdir $DIR_WEB |
774 | # Copy & adapt ACC files |
774 | # Copy & adapt ACC files |
775 | cp -rf $DIR_INSTALL/web/* $DIR_WEB/ |
775 | cp -rf $DIR_INSTALL/web/* $DIR_WEB/ |
776 | $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php |
776 | $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php |
777 | $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php |
777 | $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php |
778 | $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php |
778 | $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php |
779 | $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php |
779 | $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php |
780 | chown -R apache:apache $DIR_WEB/* |
780 | chown -R apache:apache $DIR_WEB/* |
781 | # copy & adapt "freeradius-web" files |
781 | # copy & adapt "freeradius-web" files |
782 | cp -rf $DIR_CONF/freeradius-web/ /etc/ |
782 | cp -rf $DIR_CONF/freeradius-web/ /etc/ |
783 | [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default |
783 | [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default |
784 | $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf |
784 | $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf |
785 | $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf |
785 | $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf |
786 | $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf |
786 | $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf |
787 | cat <<EOF > /etc/freeradius-web/naslist.conf |
787 | cat <<EOF > /etc/freeradius-web/naslist.conf |
788 | nas1_name: alcasar-$ORGANISME |
788 | nas1_name: alcasar-$ORGANISME |
789 | nas1_model: Network Access Controler |
789 | nas1_model: Network Access Controler |
790 | nas1_ip: $PRIVATE_IP |
790 | nas1_ip: $PRIVATE_IP |
791 | nas1_port_num: 0 |
791 | nas1_port_num: 0 |
792 | nas1_community: public |
792 | nas1_community: public |
793 | EOF |
793 | EOF |
794 | chown -R apache:apache /etc/freeradius-web/ |
794 | chown -R apache:apache /etc/freeradius-web/ |
795 | # create the log & backup structure : |
795 | # create the log & backup structure : |
796 | # - base = users database |
796 | # - base = users database |
797 | # - archive = tarball of "base + http firewall + netflow" |
797 | # - archive = tarball of "base + http firewall + netflow" |
798 | # - security = watchdog log |
798 | # - security = watchdog log |
799 | # - conf_file = archive conf file (usefull in updating process) |
799 | # - conf_file = archive conf file (usefull in updating process) |
800 | for i in base archive security activity_report iot_captures; |
800 | for i in base archive security activity_report iot_captures; |
801 | do |
801 | do |
802 | [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i |
802 | [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i |
803 | done |
803 | done |
804 | chown -R root:apache $DIR_SAVE |
804 | chown -R root:apache $DIR_SAVE |
805 | # Configuring & securing php |
805 | # Configuring & securing php |
806 | [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default |
806 | [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default |
807 | timezone=`timedatectl show --property=Timezone|cut -d"=" -f2` |
807 | timezone=`timedatectl show --property=Timezone|cut -d"=" -f2` |
808 | $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini |
808 | $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini |
809 | [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default |
809 | [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default |
810 | $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini |
810 | $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini |
811 | $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini |
811 | $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini |
812 | $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini |
812 | $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini |
813 | $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini |
813 | $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini |
814 | $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
814 | $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
815 | $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
815 | $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
816 | $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini |
816 | $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini |
817 | # Configuring & securing Lighttpd |
817 | # Configuring & securing Lighttpd |
818 | rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
818 | rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
819 | [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
819 | [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
820 | $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
820 | $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
821 | $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
821 | $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
822 | $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
822 | $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
823 | $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
823 | $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
824 | echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
824 | echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
825 | 825 | ||
826 | [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
826 | [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
827 | $SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf |
827 | $SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf |
828 | $SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf |
828 | $SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf |
829 | $SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf |
829 | $SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf |
830 | $SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf |
830 | $SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf |
831 | $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf |
831 | $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf |
832 | 832 | ||
833 | [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
833 | [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
834 | cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
834 | cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
835 | 835 | ||
836 | [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
836 | [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
837 | $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
837 | $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
838 | $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
838 | $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
839 | $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
839 | $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
840 | 840 | ||
841 | [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
841 | [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
842 | cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
842 | cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
843 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
843 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
844 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
844 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
845 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
845 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
846 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
846 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
847 | ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
847 | ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
848 | 848 | ||
849 | [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
849 | [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
850 | [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
850 | [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
851 | [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
851 | [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
852 | 852 | ||
853 | chown -R apache:apache /var/log/lighttpd |
853 | chown -R apache:apache /var/log/lighttpd |
854 | 854 | ||
855 | # Creation of the first account (in 'admin' profile) |
855 | # Creation of the first account (in 'admin' profile) |
856 | if [ "$mode" = "install" ] |
856 | if [ "$mode" = "install" ] |
857 | then |
857 | then |
858 | header_install |
858 | header_install |
859 | # Creation of keys file for the admin account ("admin") |
859 | # Creation of keys file for the admin account ("admin") |
860 | [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
860 | [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
861 | mkdir -p $DIR_DEST_ETC/digest |
861 | mkdir -p $DIR_DEST_ETC/digest |
862 | chmod 755 $DIR_DEST_ETC/digest |
862 | chmod 755 $DIR_DEST_ETC/digest |
863 | if [ $Lang == "fr" ] |
863 | if [ $Lang == "fr" ] |
864 | then echo "Création du premier compte administrateur : " |
864 | then echo "Création du premier compte administrateur : " |
865 | else echo "Creation of the first admin account : " |
865 | else echo "Creation of the first admin account : " |
866 | fi |
866 | fi |
867 | until [ -s $DIR_DEST_ETC/digest/key_admin ] |
867 | until [ -s $DIR_DEST_ETC/digest/key_admin ] |
868 | do |
868 | do |
869 | $DIR_DEST_BIN/alcasar-profil.sh --add admin |
869 | $DIR_DEST_BIN/alcasar-profil.sh --add admin |
870 | done |
870 | done |
871 | fi |
871 | fi |
872 | # Creation of ACC certs links |
872 | # Creation of ACC certs links |
873 | [ -d /var/www/html/certs ] || mkdir /var/www/html/certs |
873 | [ -d /var/www/html/certs ] || mkdir /var/www/html/certs |
874 | ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt |
874 | ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt |
875 | # Run lighttpd after coova (in order waiting tun0 to be up) |
875 | # Run lighttpd after coova (in order waiting tun0 to be up) |
876 | $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service |
876 | $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service |
877 | # Log file for ACC access imputability |
877 | # Log file for ACC access imputability |
878 | [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log |
878 | [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log |
879 | chown root:apache $DIR_SAVE/security/acc_access.log |
879 | chown root:apache $DIR_SAVE/security/acc_access.log |
880 | chmod 664 $DIR_SAVE/security/acc_access.log |
880 | chmod 664 $DIR_SAVE/security/acc_access.log |
- | 881 | # Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca) |
|
- | 882 | cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/ |
|
881 | } # End of ACC() |
883 | } # End of ACC() |
882 | 884 | ||
883 | ############################################################# |
885 | ############################################################# |
884 | ## Function "time_server" ## |
886 | ## Function "time_server" ## |
885 | ## - Configuring NTP server ## |
887 | ## - Configuring NTP server ## |
886 | ############################################################# |
888 | ############################################################# |
887 | time_server() |
889 | time_server() |
888 | { |
890 | { |
889 | # Set the Internet time server |
891 | # Set the Internet time server |
890 | [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default |
892 | [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default |
891 | cat <<EOF > /etc/ntp/step-tickers |
893 | cat <<EOF > /etc/ntp/step-tickers |
892 | 0.fr.pool.ntp.org # adapt to your country |
894 | 0.fr.pool.ntp.org # adapt to your country |
893 | 1.fr.pool.ntp.org |
895 | 1.fr.pool.ntp.org |
894 | 2.fr.pool.ntp.org |
896 | 2.fr.pool.ntp.org |
895 | EOF |
897 | EOF |
896 | [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
898 | [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
897 | cat <<EOF > /etc/ntp.conf |
899 | cat <<EOF > /etc/ntp.conf |
898 | server 0.fr.pool.ntp.org # adapt to your country |
900 | server 0.fr.pool.ntp.org # adapt to your country |
899 | server 1.fr.pool.ntp.org |
901 | server 1.fr.pool.ntp.org |
900 | server 2.fr.pool.ntp.org |
902 | server 2.fr.pool.ntp.org |
901 | server 127.127.1.0 # local clock si NTP internet indisponible ... |
903 | server 127.127.1.0 # local clock si NTP internet indisponible ... |
902 | fudge 127.127.1.0 stratum 10 |
904 | fudge 127.127.1.0 stratum 10 |
903 | restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
905 | restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
904 | restrict 127.0.0.1 |
906 | restrict 127.0.0.1 |
905 | driftfile /var/lib/ntp/drift |
907 | driftfile /var/lib/ntp/drift |
906 | logfile /var/log/ntp.log |
908 | logfile /var/log/ntp.log |
907 | disable monitor |
909 | disable monitor |
908 | EOF |
910 | EOF |
909 | chown -R ntp:ntp /var/lib/ntp |
911 | chown -R ntp:ntp /var/lib/ntp |
910 | # Synchronize now |
912 | # Synchronize now |
911 | ntpd -4 -q -g & |
913 | ntpd -4 -q -g & |
912 | } # End of time_server() |
914 | } # End of time_server() |
913 | 915 | ||
914 | ##################################################################### |
916 | ##################################################################### |
915 | ## Function "init_db" ## |
917 | ## Function "init_db" ## |
916 | ## - Mysql initialization ## |
918 | ## - Mysql initialization ## |
917 | ## - Set admin (root) password ## |
919 | ## - Set admin (root) password ## |
918 | ## - Remove unused users & databases ## |
920 | ## - Remove unused users & databases ## |
919 | ## - Radius database creation ## |
921 | ## - Radius database creation ## |
920 | ## - Copy of accounting tables (mtotacct, totacct) & userinfo ## |
922 | ## - Copy of accounting tables (mtotacct, totacct) & userinfo ## |
921 | ##################################################################### |
923 | ##################################################################### |
922 | init_db() |
924 | init_db() |
923 | { |
925 | { |
924 | if [ "`systemctl is-active mysqld`" == "active" ] |
926 | if [ "`systemctl is-active mysqld`" == "active" ] |
925 | then |
927 | then |
926 | systemctl stop mysqld |
928 | systemctl stop mysqld |
927 | fi |
929 | fi |
928 | rm -rf /var/lib/mysql # to be sure that there is no former installation |
930 | rm -rf /var/lib/mysql # to be sure that there is no former installation |
929 | [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default |
931 | [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default |
930 | $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf |
932 | $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf |
931 | $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only |
933 | $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only |
932 | $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf |
934 | $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf |
933 | $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed |
935 | $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed |
934 | [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !) |
936 | [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !) |
935 | [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos) |
937 | [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos) |
936 | /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1 |
938 | /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1 |
937 | /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking" |
939 | /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking" |
938 | /usr/bin/systemctl start mysqld |
940 | /usr/bin/systemctl start mysqld |
939 | nb_round=1 |
941 | nb_round=1 |
940 | while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on |
942 | while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on |
941 | do |
943 | do |
942 | nb_round=`expr $nb_round + 1` |
944 | nb_round=`expr $nb_round + 1` |
943 | sleep 2 |
945 | sleep 2 |
944 | done |
946 | done |
945 | if [ ! -S /var/lib/mysql/mysql.sock ] |
947 | if [ ! -S /var/lib/mysql/mysql.sock ] |
946 | then |
948 | then |
947 | echo "Problème : la base données 'MariaDB' ne s'est pas lancée !" |
949 | echo "Problème : la base données 'MariaDB' ne s'est pas lancée !" |
948 | exit |
950 | exit |
949 | fi |
951 | fi |
950 | # Secure the server |
952 | # Secure the server |
951 | /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
953 | /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
952 | MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
954 | MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
953 | $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
955 | $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
954 | $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
956 | $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
955 | # Create 'radius' database |
957 | # Create 'radius' database |
956 | $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
958 | $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
957 | # Add an empty radius database structure |
959 | # Add an empty radius database structure |
958 | /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
960 | /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
959 | # modify the start script in order to close accounting connexion when the system is comming down or up |
961 | # modify the start script in order to close accounting connexion when the system is comming down or up |
960 | [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
962 | [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
961 | $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
963 | $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
962 | $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service |
964 | $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service |
963 | /usr/bin/systemctl unset-environment MYSQLD_OPTS |
965 | /usr/bin/systemctl unset-environment MYSQLD_OPTS |
964 | /usr/bin/systemctl daemon-reload |
966 | /usr/bin/systemctl daemon-reload |
965 | } # End of init_db() |
967 | } # End of init_db() |
966 | 968 | ||
967 | ################################################################### |
969 | ################################################################### |
968 | ## Function "freeradius" ## |
970 | ## Function "freeradius" ## |
969 | ## - Set the configuration files ## |
971 | ## - Set the configuration files ## |
970 | ## - Set the shared secret between coova-chilli and freeradius ## |
972 | ## - Set the shared secret between coova-chilli and freeradius ## |
971 | ## - Adapt the Mysql conf file and counters ## |
973 | ## - Adapt the Mysql conf file and counters ## |
972 | ################################################################### |
974 | ################################################################### |
973 | freeradius() |
975 | freeradius() |
974 | { |
976 | { |
975 | cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/ |
977 | cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/ |
976 | chown -R radius:radius /etc/raddb |
978 | chown -R radius:radius /etc/raddb |
977 | [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default |
979 | [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default |
978 | # Set radius global parameters (radius.conf) |
980 | # Set radius global parameters (radius.conf) |
979 | $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf |
981 | $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf |
980 | $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf |
982 | $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf |
981 | $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf |
983 | $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf |
982 | $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function |
984 | $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function |
983 | $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function |
985 | $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function |
984 | # Add ALCASAR & Coovachilli dictionaries |
986 | # Add ALCASAR & Coovachilli dictionaries |
985 | [ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default |
987 | [ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default |
986 | cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/ |
988 | cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/ |
987 | echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary |
989 | echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary |
988 | cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/ |
990 | cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/ |
989 | echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary |
991 | echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary |
990 | # Set "client.conf" to describe radius clients (coova on 127.0.0.1) |
992 | # Set "client.conf" to describe radius clients (coova on 127.0.0.1) |
991 | [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default |
993 | [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default |
992 | cat << EOF > /etc/raddb/clients.conf |
994 | cat << EOF > /etc/raddb/clients.conf |
993 | client localhost { |
995 | client localhost { |
994 | ipaddr = 127.0.0.1 |
996 | ipaddr = 127.0.0.1 |
995 | secret = $secretradius |
997 | secret = $secretradius |
996 | shortname = chilli |
998 | shortname = chilli |
997 | nas_type = other |
999 | nas_type = other |
998 | } |
1000 | } |
999 | EOF |
1001 | EOF |
1000 | # Set Virtual server |
1002 | # Set Virtual server |
1001 | # Remvoveing all except "alcasar virtual site") |
1003 | # Remvoveing all except "alcasar virtual site") |
1002 | # INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled) Change the firewall rules to allow "radius" extern connections. |
1004 | # INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled) Change the firewall rules to allow "radius" extern connections. |
1003 | cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar |
1005 | cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar |
1004 | cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap |
1006 | cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap |
1005 | chown radius:apache /etc/raddb/sites-available/alcasar* |
1007 | chown radius:apache /etc/raddb/sites-available/alcasar* |
1006 | chmod 660 /etc/raddb/sites-available/alcasar* |
1008 | chmod 660 /etc/raddb/sites-available/alcasar* |
1007 | rm -f /etc/raddb/sites-enabled/* |
1009 | rm -f /etc/raddb/sites-enabled/* |
1008 | ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
1010 | ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
1009 | # Set modules |
1011 | # Set modules |
1010 | # Add custom LDAP "available module" |
1012 | # Add custom LDAP "available module" |
1011 | # INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections. |
1013 | # INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections. |
1012 | cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/ |
1014 | cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/ |
1013 | chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar |
1015 | chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar |
1014 | # Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC) |
1016 | # Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC) |
1015 | rm -rf /etc/raddb/mods-enabled/* |
1017 | rm -rf /etc/raddb/mods-enabled/* |
1016 | for mods in sql sqlcounter attr_filter expiration logintime pap expr always |
1018 | for mods in sql sqlcounter attr_filter expiration logintime pap expr always |
1017 | do |
1019 | do |
1018 | ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
1020 | ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
1019 | done |
1021 | done |
1020 | # Configure SQL module |
1022 | # Configure SQL module |
1021 | [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
1023 | [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
1022 | $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
1024 | $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
1023 | $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql |
1025 | $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql |
1024 | $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql |
1026 | $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql |
1025 | $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql |
1027 | $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql |
1026 | $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
1028 | $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
1027 | $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
1029 | $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
1028 | $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
1030 | $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
1029 | # no TLS encryption on 127.0.0.1 |
1031 | # no TLS encryption on 127.0.0.1 |
1030 | $SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql |
1032 | $SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql |
1031 | $SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql |
1033 | $SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql |
1032 | $SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql |
1034 | $SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql |
1033 | $SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql |
1035 | $SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql |
1034 | $SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql |
1036 | $SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql |
1035 | $SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql |
1037 | $SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql |
1036 | # queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
1038 | # queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
1037 | [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
1039 | [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
1038 | cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1040 | cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1039 | chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1041 | chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1040 | # sqlcounter modifications |
1042 | # sqlcounter modifications |
1041 | [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default |
1043 | [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default |
1042 | cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter |
1044 | cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter |
1043 | chown -R radius:radius /etc/raddb/mods-available/sqlcounter |
1045 | chown -R radius:radius /etc/raddb/mods-available/sqlcounter |
1044 | # make certain that mysql is up before freeradius start |
1046 | # make certain that mysql is up before freeradius start |
1045 | [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
1047 | [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
1046 | $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
1048 | $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
1047 | /usr/bin/systemctl daemon-reload |
1049 | /usr/bin/systemctl daemon-reload |
1048 | # Allow apache to change some conf files (ie : ldap on/off) |
1050 | # Allow apache to change some conf files (ie : ldap on/off) |
1049 | chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
1051 | chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
1050 | chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
1052 | chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
1051 | } # End of freeradius() |
1053 | } # End of freeradius() |
1052 | 1054 | ||
1053 | ############################################################################# |
1055 | ############################################################################# |
1054 | ## Function "chilli" ## |
1056 | ## Function "chilli" ## |
1055 | ## - Creation of the conf file and init file (systemd) for coova-chilli ## |
1057 | ## - Creation of the conf file and init file (systemd) for coova-chilli ## |
1056 | ## - Adapt the authentication web page (intercept.php) ## |
1058 | ## - Adapt the authentication web page (intercept.php) ## |
1057 | ############################################################################# |
1059 | ############################################################################# |
1058 | chilli() |
1060 | chilli() |
1059 | { |
1061 | { |
1060 | # chilli unit for systemd |
1062 | # chilli unit for systemd |
1061 | cat << EOF > /lib/systemd/system/chilli.service |
1063 | cat << EOF > /lib/systemd/system/chilli.service |
1062 | # This file is part of systemd. |
1064 | # This file is part of systemd. |
1063 | # |
1065 | # |
1064 | # systemd is free software; you can redistribute it and/or modify it |
1066 | # systemd is free software; you can redistribute it and/or modify it |
1065 | # under the terms of the GNU General Public License as published by |
1067 | # under the terms of the GNU General Public License as published by |
1066 | # the Free Software Foundation; either version 2 of the License, or |
1068 | # the Free Software Foundation; either version 2 of the License, or |
1067 | # (at your option) any later version. |
1069 | # (at your option) any later version. |
1068 | 1070 | ||
1069 | # This unit launches coova-chilli a captive portal |
1071 | # This unit launches coova-chilli a captive portal |
1070 | [Unit] |
1072 | [Unit] |
1071 | Description=chilli is a captive portal daemon |
1073 | Description=chilli is a captive portal daemon |
1072 | After=network.target |
1074 | After=network.target |
1073 | 1075 | ||
1074 | [Service] |
1076 | [Service] |
1075 | Type=forking |
1077 | Type=forking |
1076 | ExecStart=/usr/libexec/chilli start |
1078 | ExecStart=/usr/libexec/chilli start |
1077 | ExecStop=/usr/libexec/chilli stop |
1079 | ExecStop=/usr/libexec/chilli stop |
1078 | ExecReload=/usr/libexec/chilli reload |
1080 | ExecReload=/usr/libexec/chilli reload |
1079 | PIDFile=/run/chilli.pid |
1081 | PIDFile=/run/chilli.pid |
1080 | 1082 | ||
1081 | [Install] |
1083 | [Install] |
1082 | WantedBy=multi-user.target |
1084 | WantedBy=multi-user.target |
1083 | EOF |
1085 | EOF |
1084 | # init file creation |
1086 | # init file creation |
1085 | [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default |
1087 | [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default |
1086 | cat <<EOF > /etc/init.d/chilli |
1088 | cat <<EOF > /etc/init.d/chilli |
1087 | #!/bin/sh |
1089 | #!/bin/sh |
1088 | # |
1090 | # |
1089 | # chilli CoovaChilli init |
1091 | # chilli CoovaChilli init |
1090 | # |
1092 | # |
1091 | # chkconfig: 2345 65 35 |
1093 | # chkconfig: 2345 65 35 |
1092 | # description: CoovaChilli |
1094 | # description: CoovaChilli |
1093 | ### BEGIN INIT INFO |
1095 | ### BEGIN INIT INFO |
1094 | # Provides: chilli |
1096 | # Provides: chilli |
1095 | # Required-Start: network |
1097 | # Required-Start: network |
1096 | # Should-Start: |
1098 | # Should-Start: |
1097 | # Required-Stop: network |
1099 | # Required-Stop: network |
1098 | # Should-Stop: |
1100 | # Should-Stop: |
1099 | # Default-Start: 2 3 5 |
1101 | # Default-Start: 2 3 5 |
1100 | # Default-Stop: |
1102 | # Default-Stop: |
1101 | # Description: CoovaChilli access controller |
1103 | # Description: CoovaChilli access controller |
1102 | ### END INIT INFO |
1104 | ### END INIT INFO |
1103 | 1105 | ||
1104 | [ -f /usr/sbin/chilli ] || exit 0 |
1106 | [ -f /usr/sbin/chilli ] || exit 0 |
1105 | . /etc/init.d/functions |
1107 | . /etc/init.d/functions |
1106 | CONFIG=/etc/chilli.conf |
1108 | CONFIG=/etc/chilli.conf |
1107 | pidfile=/run/chilli.pid |
1109 | pidfile=/run/chilli.pid |
1108 | [ -f \$CONFIG ] || { |
1110 | [ -f \$CONFIG ] || { |
1109 | echo "\$CONFIG Not found" |
1111 | echo "\$CONFIG Not found" |
1110 | exit 0 |
1112 | exit 0 |
1111 | } |
1113 | } |
1112 | current_users_file="/tmp/current_users.txt" # file containing active users |
1114 | current_users_file="/tmp/current_users.txt" # file containing active users |
1113 | RETVAL=0 |
1115 | RETVAL=0 |
1114 | prog="chilli" |
1116 | prog="chilli" |
1115 | case \$1 in |
1117 | case \$1 in |
1116 | start) |
1118 | start) |
1117 | if [ -f \$pidfile ] ; then |
1119 | if [ -f \$pidfile ] ; then |
1118 | gprintf "chilli is already running" |
1120 | gprintf "chilli is already running" |
1119 | else |
1121 | else |
1120 | gprintf "Starting \$prog: " |
1122 | gprintf "Starting \$prog: " |
1121 | echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file |
1123 | echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file |
1122 | rm -f /run/chilli* # cleaning |
1124 | rm -f /run/chilli* # cleaning |
1123 | /usr/sbin/modprobe tun >/dev/null 2>&1 |
1125 | /usr/sbin/modprobe tun >/dev/null 2>&1 |
1124 | echo 1 > /proc/sys/net/ipv4/ip_forward |
1126 | echo 1 > /proc/sys/net/ipv4/ip_forward |
1125 | [ -e /dev/net/tun ] || { |
1127 | [ -e /dev/net/tun ] || { |
1126 | (cd /dev; |
1128 | (cd /dev; |
1127 | mkdir net; |
1129 | mkdir net; |
1128 | cd net; |
1130 | cd net; |
1129 | mknod tun c 10 200) |
1131 | mknod tun c 10 200) |
1130 | } |
1132 | } |
1131 | ifconfig $INTIF 0.0.0.0 |
1133 | ifconfig $INTIF 0.0.0.0 |
1132 | /usr/sbin/ethtool -K $INTIF gro off |
1134 | /usr/sbin/ethtool -K $INTIF gro off |
1133 | daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile & |
1135 | daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile & |
1134 | RETVAL=\$? |
1136 | RETVAL=\$? |
1135 | fi |
1137 | fi |
1136 | ;; |
1138 | ;; |
1137 | 1139 | ||
1138 | reload) |
1140 | reload) |
1139 | killall -HUP chilli |
1141 | killall -HUP chilli |
1140 | ;; |
1142 | ;; |
1141 | 1143 | ||
1142 | restart) |
1144 | restart) |
1143 | \$0 stop |
1145 | \$0 stop |
1144 | sleep 2 |
1146 | sleep 2 |
1145 | \$0 start |
1147 | \$0 start |
1146 | ;; |
1148 | ;; |
1147 | 1149 | ||
1148 | status) |
1150 | status) |
1149 | status chilli |
1151 | status chilli |
1150 | RETVAL=0 |
1152 | RETVAL=0 |
1151 | ;; |
1153 | ;; |
1152 | 1154 | ||
1153 | stop) |
1155 | stop) |
1154 | if [ -f \$pidfile ] ; then |
1156 | if [ -f \$pidfile ] ; then |
1155 | gprintf "Shutting down \$prog: " |
1157 | gprintf "Shutting down \$prog: " |
1156 | killproc /usr/sbin/chilli |
1158 | killproc /usr/sbin/chilli |
1157 | RETVAL=\$? |
1159 | RETVAL=\$? |
1158 | [ \$RETVAL = 0 ] && rm -f \$pidfile |
1160 | [ \$RETVAL = 0 ] && rm -f \$pidfile |
1159 | [ -e \$current_users_file ] && rm -f \$current_users_file |
1161 | [ -e \$current_users_file ] && rm -f \$current_users_file |
1160 | else |
1162 | else |
1161 | gprintf "chilli is not running" |
1163 | gprintf "chilli is not running" |
1162 | fi |
1164 | fi |
1163 | ;; |
1165 | ;; |
1164 | 1166 | ||
1165 | *) |
1167 | *) |
1166 | echo "Usage: \$0 {start|stop|restart|reload|status}" |
1168 | echo "Usage: \$0 {start|stop|restart|reload|status}" |
1167 | exit 1 |
1169 | exit 1 |
1168 | esac |
1170 | esac |
1169 | echo |
1171 | echo |
1170 | EOF |
1172 | EOF |
1171 | chmod a+x /etc/init.d/chilli |
1173 | chmod a+x /etc/init.d/chilli |
1172 | ln -s /etc/init.d/chilli /usr/libexec/chilli |
1174 | ln -s /etc/init.d/chilli /usr/libexec/chilli |
1173 | # conf file creation |
1175 | # conf file creation |
1174 | [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default |
1176 | [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default |
1175 | #NTP Option configuration for DHCP |
1177 | #NTP Option configuration for DHCP |
1176 | #DHCP Options : rfc2132 |
1178 | #DHCP Options : rfc2132 |
1177 | #dhcp option value will be convert in hexa. |
1179 | #dhcp option value will be convert in hexa. |
1178 | #NTP option (or 'option 42') is like : |
1180 | #NTP option (or 'option 42') is like : |
1179 | # |
1181 | # |
1180 | # Code Len Address 1 Address 2 |
1182 | # Code Len Address 1 Address 2 |
1181 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
1183 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
1182 | # | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ... |
1184 | # | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ... |
1183 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
1185 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
1184 | # |
1186 | # |
1185 | #Code : 42 => 2a |
1187 | #Code : 42 => 2a |
1186 | #Len : 4 => 04 |
1188 | #Len : 4 => 04 |
1187 | PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
1189 | PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
1188 | cat <<EOF > /etc/chilli.conf |
1190 | cat <<EOF > /etc/chilli.conf |
1189 | # coova config for ALCASAR |
1191 | # coova config for ALCASAR |
1190 | cmdsocket /run/chilli.sock |
1192 | cmdsocket /run/chilli.sock |
1191 | unixipc chilli.$INTIF.ipc |
1193 | unixipc chilli.$INTIF.ipc |
1192 | pidfile /run/chilli.pid |
1194 | pidfile /run/chilli.pid |
1193 | net $PRIVATE_NETWORK_MASK |
1195 | net $PRIVATE_NETWORK_MASK |
1194 | dhcpif $INTIF |
1196 | dhcpif $INTIF |
1195 | ethers $DIR_DEST_ETC/alcasar-ethers |
1197 | ethers $DIR_DEST_ETC/alcasar-ethers |
1196 | #nodynip |
1198 | #nodynip |
1197 | #statip |
1199 | #statip |
1198 | dynip $PRIVATE_NETWORK_MASK |
1200 | dynip $PRIVATE_NETWORK_MASK |
1199 | domain $DOMAIN |
1201 | domain $DOMAIN |
1200 | dns1 $PRIVATE_IP |
1202 | dns1 $PRIVATE_IP |
1201 | dns2 $PRIVATE_IP |
1203 | dns2 $PRIVATE_IP |
1202 | uamlisten $PRIVATE_IP |
1204 | uamlisten $PRIVATE_IP |
1203 | uamport 3990 |
1205 | uamport 3990 |
1204 | uamuiport 3991 |
1206 | uamuiport 3991 |
1205 | macauth |
1207 | macauth |
1206 | macpasswd password |
1208 | macpasswd password |
1207 | strictmacauth |
1209 | strictmacauth |
1208 | locationname $HOSTNAME.$DOMAIN |
1210 | locationname $HOSTNAME.$DOMAIN |
1209 | radiusserver1 127.0.0.1 |
1211 | radiusserver1 127.0.0.1 |
1210 | radiusserver2 127.0.0.1 |
1212 | radiusserver2 127.0.0.1 |
1211 | radiussecret $secretradius |
1213 | radiussecret $secretradius |
1212 | radiusauthport 1812 |
1214 | radiusauthport 1812 |
1213 | radiusacctport 1813 |
1215 | radiusacctport 1813 |
1214 | uamserver http://$HOSTNAME.$DOMAIN/intercept.php |
1216 | uamserver http://$HOSTNAME.$DOMAIN/intercept.php |
1215 | redirurl |
1217 | redirurl |
1216 | radiusnasid $HOSTNAME.$DOMAIN |
1218 | radiusnasid $HOSTNAME.$DOMAIN |
1217 | uamsecret $secretuam |
1219 | uamsecret $secretuam |
1218 | uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN |
1220 | uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN |
1219 | coaport 3799 |
1221 | coaport 3799 |
1220 | conup $DIR_DEST_BIN/alcasar-conup.sh |
1222 | conup $DIR_DEST_BIN/alcasar-conup.sh |
1221 | condown $DIR_DEST_BIN/alcasar-condown.sh |
1223 | condown $DIR_DEST_BIN/alcasar-condown.sh |
1222 | macup $DIR_DEST_BIN/alcasar-macup.sh |
1224 | macup $DIR_DEST_BIN/alcasar-macup.sh |
1223 | include $DIR_DEST_ETC/alcasar-uamallowed |
1225 | include $DIR_DEST_ETC/alcasar-uamallowed |
1224 | include $DIR_DEST_ETC/alcasar-uamdomain |
1226 | include $DIR_DEST_ETC/alcasar-uamdomain |
1225 | dhcpopt 2a04$PRIVATE_IP_HEXA |
1227 | dhcpopt 2a04$PRIVATE_IP_HEXA |
1226 | #dhcpgateway none |
1228 | #dhcpgateway none |
1227 | #dhcprelayagent none |
1229 | #dhcprelayagent none |
1228 | #dhcpgatewayport none |
1230 | #dhcpgatewayport none |
1229 | sslkeyfile /etc/pki/tls/private/alcasar.key |
1231 | sslkeyfile /etc/pki/tls/private/alcasar.key |
1230 | sslcertfile /etc/pki/tls/certs/alcasar.crt |
1232 | sslcertfile /etc/pki/tls/certs/alcasar.crt |
1231 | #redirssl |
1233 | #redirssl |
1232 | #uamuissl |
1234 | #uamuissl |
1233 | EOF |
1235 | EOF |
1234 | # create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0) |
1236 | # create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0) |
1235 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers |
1237 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers |
1236 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info |
1238 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info |
1237 | # create files for trusted domains and urls |
1239 | # create files for trusted domains and urls |
1238 | touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain |
1240 | touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain |
1239 | chown root:apache $DIR_DEST_ETC/alcasar-* |
1241 | chown root:apache $DIR_DEST_ETC/alcasar-* |
1240 | chmod 660 $DIR_DEST_ETC/alcasar-* |
1242 | chmod 660 $DIR_DEST_ETC/alcasar-* |
1241 | # Configuration des fichier WEB d'interception (secret partagé avec coova-chilli) |
1243 | # Configuration des fichier WEB d'interception (secret partagé avec coova-chilli) |
1242 | $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php |
1244 | $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php |
1243 | # user 'chilli' creation (in order to run conup/off and up/down scripts |
1245 | # user 'chilli' creation (in order to run conup/off and up/down scripts |
1244 | chilli_exist=`grep -c ^chilli: /etc/passwd` |
1246 | chilli_exist=`grep -c ^chilli: /etc/passwd` |
1245 | if [ "$chilli_exist" == "1" ] |
1247 | if [ "$chilli_exist" == "1" ] |
1246 | then |
1248 | then |
1247 | userdel -r chilli 2>/dev/null |
1249 | userdel -r chilli 2>/dev/null |
1248 | fi |
1250 | fi |
1249 | groupadd -f chilli |
1251 | groupadd -f chilli |
1250 | useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli |
1252 | useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli |
1251 | } # End of chilli() |
1253 | } # End of chilli() |
1252 | 1254 | ||
1253 | ################################################################ |
1255 | ################################################################ |
1254 | ## Function "e2guardian" ## |
1256 | ## Function "e2guardian" ## |
1255 | ## - Set the parameters of this HTML proxy (as controler) ## |
1257 | ## - Set the parameters of this HTML proxy (as controler) ## |
1256 | ################################################################ |
1258 | ################################################################ |
1257 | e2guardian() |
1259 | e2guardian() |
1258 | { |
1260 | { |
1259 | # Adapt systemd unit |
1261 | # Adapt systemd unit |
1260 | [ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default |
1262 | [ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default |
1261 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
1263 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
1262 | $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
1264 | $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
1263 | [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
1265 | [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
1264 | # Adapt the main conf file |
1266 | # Adapt the main conf file |
1265 | # French deny HTML page |
1267 | # French deny HTML page |
1266 | $SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
1268 | $SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
1267 | # 2 filtergroups (8080 & 8090) |
1269 | # 2 filtergroups (8080 & 8090) |
1268 | $SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
1270 | $SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
1269 | # Listen on 8080 (HTTP for BL users) only on LAN side |
1271 | # Listen on 8080 (HTTP for BL users) only on LAN side |
1270 | $SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
1272 | $SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
1271 | $SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
1273 | $SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
1272 | # Listen on 8090 (HTTP for WL/AV users) only on LAN side |
1274 | # Listen on 8090 (HTTP for WL/AV users) only on LAN side |
1273 | $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
1275 | $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
1274 | $SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf |
1276 | $SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf |
1275 | # E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version) |
1277 | # E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version) |
1276 | $SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
1278 | $SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
1277 | # Don't log |
1279 | # Don't log |
1278 | $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
1280 | $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
1279 | # Disable HTML content control (weighted & banned) |
1281 | # Disable HTML content control (weighted & banned) |
1280 | $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
1282 | $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
1281 | # Enable authport plugin |
1283 | # Enable authport plugin |
1282 | $SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
1284 | $SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
1283 | $SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
1285 | $SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
1284 | # Enable clamd scanner |
1286 | # Enable clamd scanner |
1285 | $SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
1287 | $SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
1286 | 1288 | ||
1287 | # Adapt the first group conf file |
1289 | # Adapt the first group conf file |
1288 | [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
1290 | [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
1289 | $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
1291 | $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
1290 | $SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf |
1292 | $SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf |
1291 | $SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf |
1293 | $SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf |
1292 | 1294 | ||
1293 | # copy & adapt HTML templates |
1295 | # copy & adapt HTML templates |
1294 | cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1296 | cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1295 | cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html |
1297 | cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html |
1296 | $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1298 | $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1297 | $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html |
1299 | $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html |
1298 | 1300 | ||
1299 | ###### ALCASAR special filtering #### |
1301 | ###### ALCASAR special filtering #### |
1300 | # RAZ bannedphraselist |
1302 | # RAZ bannedphraselist |
1301 | cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
1303 | cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
1302 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
1304 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
1303 | # Disable URL control with regex |
1305 | # Disable URL control with regex |
1304 | cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
1306 | cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
1305 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
1307 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
1306 | # Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
1308 | # Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
1307 | # [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
1309 | # [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
1308 | # cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
1310 | # cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
1309 | # [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default |
1311 | # [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default |
1310 | # cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html |
1312 | # cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html |
1311 | # Dont filtering files by extension or mime-type (empty list) |
1313 | # Dont filtering files by extension or mime-type (empty list) |
1312 | [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
1314 | [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
1313 | touch $DIR_DG/lists/bannedextensionlist |
1315 | touch $DIR_DG/lists/bannedextensionlist |
1314 | [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
1316 | [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
1315 | touch $DIR_DG/lists/bannedmimetypelist |
1317 | touch $DIR_DG/lists/bannedmimetypelist |
1316 | # Empty LAN IP list that won't be WEB filtered |
1318 | # Empty LAN IP list that won't be WEB filtered |
1317 | [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
1319 | [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
1318 | touch $DIR_DG/lists/exceptioniplist |
1320 | touch $DIR_DG/lists/exceptioniplist |
1319 | # Creation of ALCASAR banned site list |
1321 | # Creation of ALCASAR banned site list |
1320 | [ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default |
1322 | [ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default |
1321 | cat <<EOF > $DIR_DG/lists/greysitelist |
1323 | cat <<EOF > $DIR_DG/lists/greysitelist |
1322 | # E2guardian filter config for ALCASAR |
1324 | # E2guardian filter config for ALCASAR |
1323 | # In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
1325 | # In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
1324 | # block all SSL and CONNECT tunnels |
1326 | # block all SSL and CONNECT tunnels |
1325 | **s |
1327 | **s |
1326 | # block all SSL and CONNECT tunnels specified only as an IP |
1328 | # block all SSL and CONNECT tunnels specified only as an IP |
1327 | *ips |
1329 | *ips |
1328 | # block all sites specified only by an IP |
1330 | # block all sites specified only by an IP |
1329 | *ip |
1331 | *ip |
1330 | EOF |
1332 | EOF |
1331 | # Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function) |
1333 | # Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function) |
1332 | [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
1334 | [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
1333 | cat <<EOF > $DIR_DG/lists/bannedurllist |
1335 | cat <<EOF > $DIR_DG/lists/bannedurllist |
1334 | # E2guardian filter config for ALCASAR |
1336 | # E2guardian filter config for ALCASAR |
1335 | EOF |
1337 | EOF |
1336 | # Creation of files for rehabilited domains and urls |
1338 | # Creation of files for rehabilited domains and urls |
1337 | [ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
1339 | [ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
1338 | [ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
1340 | [ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
1339 | touch $DIR_DG/lists/exceptionsitelist |
1341 | touch $DIR_DG/lists/exceptionsitelist |
1340 | touch $DIR_DG/lists/exceptionurllist |
1342 | touch $DIR_DG/lists/exceptionurllist |
1341 | # Add Bing to the safesearch url regext list (parental control) |
1343 | # Add Bing to the safesearch url regext list (parental control) |
1342 | [ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
1344 | [ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
1343 | cat <<EOF >> $DIR_DG/lists/urlregexplist |
1345 | cat <<EOF >> $DIR_DG/lists/urlregexplist |
1344 | 1346 | ||
1345 | # Bing - add 'adlt=strict' |
1347 | # Bing - add 'adlt=strict' |
1346 | #"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
1348 | #"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
1347 | EOF |
1349 | EOF |
1348 | # 'Safesearch' regex actualisation |
1350 | # 'Safesearch' regex actualisation |
1349 | $SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
1351 | $SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
1350 | # change the google safesearch ("safe=strict" instead of "safe=vss") |
1352 | # change the google safesearch ("safe=strict" instead of "safe=vss") |
1351 | $SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
1353 | $SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
1352 | 1354 | ||
1353 | # Create & adapt the second group conf file (av + av_wl) |
1355 | # Create & adapt the second group conf file (av + av_wl) |
1354 | cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf |
1356 | cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf |
1355 | $SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf |
1357 | $SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf |
1356 | $SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf |
1358 | $SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf |
1357 | $SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls |
1359 | $SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls |
1358 | 1360 | ||
1359 | # create log folder |
1361 | # create log folder |
1360 | mkdir -p /var/log/e2guardian |
1362 | mkdir -p /var/log/e2guardian |
1361 | chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
1363 | chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
1362 | } # End of e2guardian() |
1364 | } # End of e2guardian() |
1363 | 1365 | ||
1364 | ################################################################## |
1366 | ################################################################## |
1365 | ## Function "antivirus" ## |
1367 | ## Function "antivirus" ## |
1366 | ## - Set the parameters of clamav and freshclam ## |
1368 | ## - Set the parameters of clamav and freshclam ## |
1367 | ################################################################## |
1369 | ################################################################## |
1368 | antivirus() |
1370 | antivirus() |
1369 | { |
1371 | { |
1370 | # Clamd adaptation to e2guardian |
1372 | # Clamd adaptation to e2guardian |
1371 | [ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default |
1373 | [ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default |
1372 | $SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
1374 | $SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
1373 | $SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
1375 | $SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
1374 | [ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default |
1376 | [ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default |
1375 | $SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
1377 | $SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
1376 | $SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
1378 | $SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
1377 | 1379 | ||
1378 | [ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
1380 | [ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
1379 | $SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
1381 | $SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
1380 | $SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
1382 | $SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
1381 | $SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf |
1383 | $SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf |
1382 | $SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf |
1384 | $SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf |
1383 | $SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
1385 | $SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
1384 | $SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf |
1386 | $SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf |
1385 | chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
1387 | chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
1386 | chmod 775 /var/log/clamav /var/lib/clamav |
1388 | chmod 775 /var/log/clamav /var/lib/clamav |
1387 | chmod 664 /var/log/clamav/* |
1389 | chmod 664 /var/log/clamav/* |
1388 | # update virus database every 4 hours (24h/6) |
1390 | # update virus database every 4 hours (24h/6) |
1389 | [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
1391 | [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
1390 | $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
1392 | $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
1391 | $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
1393 | $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
1392 | $SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf |
1394 | $SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf |
1393 | $SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
1395 | $SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
1394 | $SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
1396 | $SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
1395 | # update now |
1397 | # update now |
1396 | /usr/bin/freshclam --no-warnings --quiet |
1398 | /usr/bin/freshclam --no-warnings --quiet |
1397 | } # End of antivirus() |
1399 | } # End of antivirus() |
1398 | 1400 | ||
1399 | ############################################################## |
1401 | ############################################################## |
1400 | ## function "ulogd" ## |
1402 | ## function "ulogd" ## |
1401 | ## - Ulog config for multi-log files ## |
1403 | ## - Ulog config for multi-log files ## |
1402 | ############################################################## |
1404 | ############################################################## |
1403 | ulogd() |
1405 | ulogd() |
1404 | { |
1406 | { |
1405 | # Three instances of ulogd (three different logfiles) |
1407 | # Three instances of ulogd (three different logfiles) |
1406 | [ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
1408 | [ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
1407 | nl=1 |
1409 | nl=1 |
1408 | for log_type in traceability ssh ext-access |
1410 | for log_type in traceability ssh ext-access |
1409 | do |
1411 | do |
1410 | [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service |
1412 | [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service |
1411 | [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log |
1413 | [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log |
1412 | cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf |
1414 | cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf |
1413 | $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf |
1415 | $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf |
1414 | cat << EOF >> /etc/ulogd-$log_type.conf |
1416 | cat << EOF >> /etc/ulogd-$log_type.conf |
1415 | [emu1] |
1417 | [emu1] |
1416 | file="/var/log/firewall/$log_type.log" |
1418 | file="/var/log/firewall/$log_type.log" |
1417 | sync=1 |
1419 | sync=1 |
1418 | EOF |
1420 | EOF |
1419 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service |
1421 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service |
1420 | nl=`expr $nl + 1` |
1422 | nl=`expr $nl + 1` |
1421 | done |
1423 | done |
1422 | chown -R root:apache /var/log/firewall |
1424 | chown -R root:apache /var/log/firewall |
1423 | chmod 750 /var/log/firewall |
1425 | chmod 750 /var/log/firewall |
1424 | chmod 640 /var/log/firewall/* |
1426 | chmod 640 /var/log/firewall/* |
1425 |