WebSVN – ALCASAR – Diff – /scripts/alcasar-conf.sh


#!/bin/bash
# $Id: alcasar-conf.sh 2824 2020-05-30 17:39:20Z rexy $
 
# alcasar-conf.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Ce script permet la mise à jour d'un ALCASAR
#	- (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)
#	- (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions
#	- (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.
# This script allows ALCASAR update
#	- (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)
#	- (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions
#	- (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values.
 
DIR_UPDATE="/var/tmp/conf"				# répertoire de stockage des fichier de conf pour une mise à jour
DIR_WEB="/var/www/html"					# répertoire du centre de gestion
DIR_BIN="/usr/local/bin"				# scripts directory
DIR_ETC="/usr/local/etc"				# conf directory
DIR_E2G="/etc/e2guardian/lists"			# Toulouse BL directory
DIR_BLACKLIST="$DIR_E2G/blacklists"		# Toulouse BL directory
CONF_FILE="$DIR_ETC/alcasar.conf"			# main alcasar conf file
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`		# EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`		# INTernal InterFace
MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2`
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
INT_DNS_mode=`grep ^INT_DNS_ACTIVE= $CONF_FILE|cut -d"=" -f2`
LDAP_mode=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2`
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
SED="/bin/sed -i"
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` 			# server DNS1 (for WL domain names)
DOMAIN=${DOMAIN:=localdomain}
 
private_network_calc ()
{
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2`				# prefixe du réseau (ex. 24)
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2`			# @ réseau de consultation (ex.: 192.168.182.0)
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX									# @ + masque du réseau de consult (192.168.182.0/24)
	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`;							# classes de réseau (ex.: 2=classe B, 3=classe C)
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.					# @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`				# private network broadcast (ie.: 192.168.182.255)
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup`			# last octet of LAN broadcast
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`									# last octet of LAN address
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`	# second network address (ex.: 192.168.182.2)
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`	# MAC address of INTIF
}
 
usage="Usage: alcasar-conf.sh {--create or -create} | {--load or -load} | {--apply or -apply}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
	nb_args=1
	args="-h"
fi
case $args in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	--create|-create)
		[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
		mkdir $DIR_UPDATE
# backup the users database  (test to delete in future version)
		$DIR_BIN/alcasar-mysql.sh --dump
		cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE
# backup organism logo
		cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# backup BL/WL custom files
		mkdir $DIR_UPDATE/custom_bl
		for i in exceptioniplist urlregexplist exceptionsitelist bannedsitelist exceptionurllist bannedurllist
		do
			if [ -d /etc/dansguardian ]; then
				cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3
				cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
			else
				cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3
				cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
			fi
		done
# backup conf files (main conf file, filtering, digest, etc.)
		mkdir $DIR_UPDATE/etc/
		cp -rf $DIR_ETC/* $DIR_UPDATE/etc/
 
# backup of the security certificates (server & CA)
		cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE
		cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE
		[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3
		cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
		cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
		if [ -e /etc/pki/tls/certs/server-chain.pem ]; then
			cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist
		else
			cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem
		fi
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
# archive file creation
		cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
		tar -cf alcasar-conf.tar conf/
		gzip -f alcasar-conf.tar
		rm -rf $DIR_UPDATE
		;;
 
	--load|-load)
		cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
		tar -xf alcasar-conf*.tar.gz
 
# copy alcasar.conf parameters
		PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2`
		MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
		MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
		UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
 
 
 
 
 
 
		for line in `cat $DIR_UPDATE/etc/alcasar.conf | grep "=" | grep -v "^#" | grep -v " "| grep -v "VERSION"`
 
 
 
 
		do
 
 
 
 
			key=`echo $line | cut -d"=" -f1`
 
			key=$key=
 
 
 
			value=`echo $line|cut -d"=" -f2-`
 
			if [ "$value" != "" ]
				then
				echo "key = $key ; value = $value"
				sed -i "s?^$key.*?$key$value?g" /usr/local/etc/alcasar.conf
			fi
 
 
 
 
		done
 
 
 
 
 
 
 
## lighttpd need a .pem certificate (aggregation with private key & server crt)
 
		[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem
 
 
# Retrieve organism logo
		[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
		chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php
# Retrieve the security certificates (CA and server)
		cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/
		cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
		cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
		cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
		cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
		[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist
		chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
		chmod 640 /etc/pki/CA/*
		chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
		chmod 600 /etc/pki/CA/private/*
		chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
		chmod 640 /etc/pki/tls/private/*
# Import of the users database
		$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"
# Retrieve local parameters
		#TODO cp -rf $DIR_UPDATE/etc/* $DIR_ETC/
 
 
# Retrieve BL/WL custom files
		cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/
		cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/
		cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/
		cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/
		cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/
		cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/
		cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null
		chown -R e2guardian:apache $DIR_E2G
		chmod -R g+rw $DIR_E2G
# Adapt DNS/URL filtering
		PARENT_SCRIPT=`basename $0`
		export PARENT_SCRIPT
		$DIR_BIN/alcasar-bl.sh -cat_choice
		$DIR_BIN/alcasar-bl.sh -reload
# admin profile update (admin + manager + backup)
		$DIR_BIN/alcasar-profil.sh --list
# Start / Stop SSH Daemon
		ssh_active=`grep "^SSH=" $CONF_FILE|cut -d"=" -f2`
		if [ $ssh_active = "on" ]
		then
			/usr/bin/systemctl -q enable sshd.service
		else
			/usr/bin/systemctl -q disable sshd.service
		fi
# Remove the update folder
		rm -rf $DIR_UPDATE
		;;
 
	--apply|-apply)
		PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
		if ! echo $PRIVATE_IP_MASK | egrep -q $PTN
		then
			echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"
			exit 0
		fi
		PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`
		PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
		if [[ "$PUBLIC_IP_MASK" == "dhcp" ]]
		then
			PUBLIC_GATEWAY="dhcp"
		else
			if ! echo $PUBLIC_IP_MASK | egrep -q $PTN
			then
				echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"
				exit 0
			fi
			PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
			PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
			PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
			if ! echo $PUBLIC_GATEWAY | egrep -q $PTN
			then
				echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"
				exit 0
			fi
		fi
		DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
		if ! echo $DNS1 | egrep -q $PTN
		then
			echo "Syntax error for the IP address of the first DNS server ($DNS1)"
			exit 0
		fi
		DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
		if ! echo $DNS2 | egrep -q $PTN
		then
			echo "Syntax error for the IP address of the second DNS server ($DNS2)"
			exit 0
		fi
		PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
		PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`
		private_network_calc
		INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2`
		ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-`
		BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
		WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
		BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2`
		DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
		if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
		then
			if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]
			then
				$DIR_BIN/alcasar-dhcp.sh --off
			else
				$DIR_BIN/alcasar-dhcp.sh --on
			fi
# Set the local DNS (or not)
			if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ]
			then
				$DIR_BIN/alcasar-dns-local.sh --on
			else
				$DIR_BIN/alcasar-dns-local.sh --off
			fi
# Set the pure ip option (or not)
			if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ]
			then
				bl_filter_param+="--pureip_off"
			else
				bl_filter_param+="--pureip_on"
			fi
# Set the safesearch options (or not)
			bl_filter_param=""
			if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ]
			then
				bl_filter_param+="--safesearch_on "
			else
				bl_filter_param+="--safesearch_off "
			fi
			$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param
			if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ]
			then
				$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on
			else
				$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off
			fi
# Reload the local dns configuration
			$DIR_BIN/alcasar-dns-local.sh --reload
# Logout everybody
			$DIR_BIN/alcasar-logout.sh all
# Services stop
			echo -n "Stop services : "
			for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
			do
				/usr/bin/systemctl stop $i && echo -n "$i, "
			done
			echo
		fi
# EXTIF config
		if [ $PUBLIC_IP_MASK == "dhcp" ]
		then
			cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=dhcp
DNS1=127.0.0.1
PEERDNS=no
RESOLV_MODS=yes
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
NOZEROCONF=yes
EOF
		else
			cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
IPADDR=$PUBLIC_IP
NETMASK=$PUBLIC_NETMASK
GATEWAY=$PUBLIC_GATEWAY
DNS1=127.0.0.1
RESOLV_MODS=yes
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
NOZEROCONF=yes
EOF
		fi
# INTIF config (for bypass mode only)
		$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
		$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
# NTP server
		$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf
# host.allow
		cat <<EOF > /etc/hosts.allow
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
sshd: ALL
ntpd: $PRIVATE_NETWORK_SHORT
EOF
# Set hostname
		hostnamectl set-hostname $HOSTNAME.$DOMAIN
# /etc/hosts
		domainNames="$HOSTNAME $HOSTNAME.$DOMAIN"
		[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames"
		$SED "/^$PRIVATE_IP\t/d"  /etc/hosts
		$SED "/\s$HOSTNAME\s\$/d" /etc/hosts
		[ "$HOSTNAME" != 'alcasar' ] && $SED "/\salcasar\s\$/d" /etc/hosts
		echo "$PRIVATE_IP	$domainNames" >> /etc/hosts
# MOTD
		$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release
# Lighttpd
		$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
		$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
		$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
# FreeRADIUS
		$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf
		$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf
# CoovaChilli
		$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
		$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
		$SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf
		[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
		$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
		$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
		$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf
		$SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf
		$SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf
		$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf
		# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries
		$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info
# dnsmasq-whitelist
		$SED "/^server=/d" /etc/dnsmasq-whitelist.conf
		echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf
		echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf
# unbound
		# removing unbound configuration files
		rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*
		rm -f /etc/unbound/conf.d/common/forward-zone.conf
		find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete
		# Configuration file for the dns servers forward-zone
		cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
	name: "."
	forward-addr: $DNS1
	forward-addr: $DNS2
EOF
		# Configuration file of ALCASAR main domains for $INTIF
		cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
	local-zone: "$HOSTNAME.$DOMAIN" static
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
	local-zone: "$HOSTNAME" static
	local-data: "$HOSTNAME A $PRIVATE_IP"
EOF
		if [ "$HOSTNAME" != 'alcasar' ]
		then
			echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
			echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
			echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf
			echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf
		fi
		# Configuration file for lo of forward
		cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
	interface: 127.0.0.1@53
	access-control-view: 127.0.0.1/8 lo
view:
	name: "lo"
	view-first: yes
	local-zone: "$HOSTNAME.$DOMAIN" static
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
	local-zone: "$HOSTNAME" static
	local-data: "$HOSTNAME A 127.0.0.1"
	local-zone: "$DOMAIN." static
	local-data: "$DOMAIN. A"
EOF
		# Configuration file for $INTIF of forward
		cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
	interface: ${PRIVATE_IP}@53
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
	name: "$INTIF"
	view-first: yes
EOF
		# Configuration file for $INTIF of blacklist
		cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
	interface: ${PRIVATE_IP}@54
	access-control: $PRIVATE_IP_MASK allow
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
		# Configuration file for $INTIF of whitelist
		cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
	interface: ${PRIVATE_IP}@55
	access-control: $PRIVATE_IP_MASK allow
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
		# Configuration file for $INTIF of blackhole
		cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
	interface: ${PRIVATE_IP}@56
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
view:
	name: "$INTIF"
	local-zone: "." redirect
	local-data: ". A $PRIVATE_IP"
EOF
# dhcpd
		cat <<EOF > /etc/dhcpd.conf
ddns-update-style none;
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
	option routers $PRIVATE_IP;
	option subnet-mask $PRIVATE_NETMASK;
	option domain-name-servers $PRIVATE_IP;
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
	default-lease-time 21600;
	max-lease-time 43200;
}
EOF
# tinyproxy
		$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf
# DG + BL
		$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf
# Watchdog
		$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_BIN/alcasar-watchdog.sh
# Prompts
		$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
# sudoers
		$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
		if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
		then
# Services start
			/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
			$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli
			for i in unbound unbound-blackhole tinyproxy ntpd
			do
				sleep 1
				/usr/bin/systemctl start $i && echo -n ", $i"
			done
			$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables"
			/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd"
		fi
# Start / Stop SSH Daemon
		ssh_active=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`
		if [ $ssh_active = "on" ]
		then
			/usr/bin/systemctl enable sshd.service
			if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
			then
				/usr/bin/systemctl start sshd.service
			fi
		else
			/usr/bin/systemctl disable sshd.service
			if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
			then
				/usr/bin/systemctl stop sshd.service
			fi
		fi
# Start / Stop LDAP authentification
		if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ]
		then
			$DIR_BIN/alcasar-ldap.sh --on
		else
			$DIR_BIN/alcasar-ldap.sh --off
		fi
		echo
		;;
	*)
		echo "Argument inconnu : $1";
		echo "$usage"
		exit 1
		;;
esac
 

Rev 2813	Rev 2824
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-conf.sh 2813 2020-04-26 21:26:32Z rexy $`	2	`# $Id: alcasar-conf.sh 2824 2020-05-30 17:39:20Z rexy $`
3		3
4	`# alcasar-conf.sh`	4	`# alcasar-conf.sh`
5	`# by REXY`	5	`# by REXY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
8	`# Ce script permet la mise à jour d'un ALCASAR`	8	`# Ce script permet la mise à jour d'un ALCASAR`
9	`# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)`	9	`# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)`
10	`# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions`	10	`# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions`
11	`# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.`	11	`# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.`
12	`# This script allows ALCASAR update`	12	`# This script allows ALCASAR update`
13	`# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)`	13	`# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)`
14	`# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions`	14	`# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions`
15	`# - (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values.`	15	`# - (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values.`
16		16
17	`DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour`	17	`DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour`
18	`DIR_WEB="/var/www/html" # répertoire du centre de gestion`	18	`DIR_WEB="/var/www/html" # répertoire du centre de gestion`
19	`DIR_BIN="/usr/local/bin" # scripts directory`	19	`DIR_BIN="/usr/local/bin" # scripts directory`
20	`DIR_ETC="/usr/local/etc" # conf directory`	20	`DIR_ETC="/usr/local/etc" # conf directory`
21	`DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory`	21	`DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory`
22	`DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory`	22	`DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory`
23	`CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file`	23	`CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file`
24	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace	24	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
25	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace	25	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
26	MTU=`grep ^PUBLIC_MTU= $CONF_FILE\|cut -d"=" -f2`	26	MTU=`grep ^PUBLIC_MTU= $CONF_FILE\|cut -d"=" -f2`
27	DHCP_mode=`grep ^DHCP= $CONF_FILE\|cut -d"=" -f2`	27	DHCP_mode=`grep ^DHCP= $CONF_FILE\|cut -d"=" -f2`
28	INT_DNS_mode=`grep ^INT_DNS_ACTIVE= $CONF_FILE\|cut -d"=" -f2`	28	INT_DNS_mode=`grep ^INT_DNS_ACTIVE= $CONF_FILE\|cut -d"=" -f2`
29	LDAP_mode=`grep ^LDAP= $CONF_FILE\|cut -d"=" -f2`	29	LDAP_mode=`grep ^LDAP= $CONF_FILE\|cut -d"=" -f2`
30	HOSTNAME=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`	30	HOSTNAME=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`
31	DOMAIN=`grep ^DOMAIN= $CONF_FILE\|cut -d"=" -f2`	31	DOMAIN=`grep ^DOMAIN= $CONF_FILE\|cut -d"=" -f2`
32	`SED="/bin/sed -i"`	32	`SED="/bin/sed -i"`
33	DNS1=`grep ^DNS1= $CONF_FILE \| cut -d'=' -f2` # server DNS1 (for WL domain names)	33	DNS1=`grep ^DNS1= $CONF_FILE \| cut -d'=' -f2` # server DNS1 (for WL domain names)
34	`DOMAIN=${DOMAIN:=localdomain}`	34	`DOMAIN=${DOMAIN:=localdomain}`
35		35
36	`private_network_calc ()`	36	`private_network_calc ()`
37	`{`	37	`{`
38	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK \|cut -d"=" -f2` # prefixe du réseau (ex. 24)	38	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK \|cut -d"=" -f2` # prefixe du réseau (ex. 24)
39	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK\| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)	39	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK\| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
40	`PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)`	40	`PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)`
41	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C)	41	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C)
42	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)	42	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
43	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)	43	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
44	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast	44	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
45	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address	45	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
46	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)	46	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
47	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)	47	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
48	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF	48	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
49	`}`	49	`}`
50		50
51	`usage="Usage: alcasar-conf.sh {--create or -create} \| {--load or -load} \| {--apply or -apply}"`	51	`usage="Usage: alcasar-conf.sh {--create or -create} \| {--load or -load} \| {--apply or -apply}"`
52	`nb_args=$#`	52	`nb_args=$#`
53	`args=$1`	53	`args=$1`
54	`if [ $nb_args -eq 0 ]`	54	`if [ $nb_args -eq 0 ]`
55	`then`	55	`then`
56	`nb_args=1`	56	`nb_args=1`
57	`args="-h"`	57	`args="-h"`
58	`fi`	58	`fi`
59	`case $args in`	59	`case $args in`
60	`-\? \| -h* \| --h*)`	60	`-\? \| -h* \| --h*)`
61	`echo "$usage"`	61	`echo "$usage"`
62	`exit 0`	62	`exit 0`
63	`;;`	63	`;;`
64	`--create\|-create)`	64	`--create\|-create)`
65	`[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE`	65	`[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE`
66	`mkdir $DIR_UPDATE`	66	`mkdir $DIR_UPDATE`
67	`# backup the users database (test to delete in future version)`	67	`# backup the users database (test to delete in future version)`
68	`$DIR_BIN/alcasar-mysql.sh --dump`	68	`$DIR_BIN/alcasar-mysql.sh --dump`
69	`cp /var/Save/base/"$(ls -1t /var/Save/base\|head -1)" $DIR_UPDATE`	69	`cp /var/Save/base/"$(ls -1t /var/Save/base\|head -1)" $DIR_UPDATE`
70	`# backup the logo`	70	`# backup organism logo`
71	`cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE`	71	`cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE`
72	`# backup BL/WL custom files`	72	`# backup BL/WL custom files`
73	`mkdir $DIR_UPDATE/custom_bl`	73	`mkdir $DIR_UPDATE/custom_bl`
74	`for i in exceptioniplist urlregexplist exceptionsitelist bannedsitelist exceptionurllist bannedurllist`	74	`for i in exceptioniplist urlregexplist exceptionsitelist bannedsitelist exceptionurllist bannedurllist`
75	`do`	75	`do`
76	`if [ -d /etc/dansguardian ]; then`	76	`if [ -d /etc/dansguardian ]; then`
77	`cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3`	77	`cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3`
78	`cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null`	78	`cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null`
79	`else`	79	`else`
80	`cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3`	80	`cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3`
81	`cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null`	81	`cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null`
82	`fi`	82	`fi`
83	`done`	83	`done`
84	`# backup of different conf files (main conf file, filtering, digest, /etc/hosts, etc.)`	84	`# backup conf files (main conf file, filtering, digest, etc.)`
85	`mkdir $DIR_UPDATE/etc/`	85	`mkdir $DIR_UPDATE/etc/`
86	`cp -rf $DIR_ETC/* $DIR_UPDATE/etc/`	86	`cp -rf $DIR_ETC/* $DIR_UPDATE/etc/`
87	`cp /etc/hosts $DIR_UPDATE/etc/`	-
88	`# backup of the security certificates (server & CA)`	87	`# backup of the security certificates (server & CA)`
89	`cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE`	88	`cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE`
90	`cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE`	89	`cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE`
91	`[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3`	90	`[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3`
92	`cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE`	91	`cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE`
93	`cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE`	92	`cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE`
94	`if [ -e /etc/pki/tls/certs/server-chain.pem ]; then`	93	`if [ -e /etc/pki/tls/certs/server-chain.pem ]; then`
95	`cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist`	94	`cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist`
96	`else`	95	`else`
97	`cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem`	96	`cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem`
98	`fi`	97	`fi`
99	`# pureip & safesearch status`	-
100	`[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian \|\| dg_path=/etc/e2guardian`	-
101		-
102	`if ! grep -Eq '^WL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then`	-
103	`if [ -f /etc/dnsmasq-whitelist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-whitelist.conf; then`	-
104	`echo 'WL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf`	-
105	`else`	-
106	`echo 'WL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf`	-
107	`fi`	-
108	`fi`	-
109		-
110	`if ! grep -Eq '^BL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then`	-
111	`if [ -f /etc/dnsmasq-blacklist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-blacklist.conf; then`	-
112	`echo 'BL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf`	-
113	`else`	-
114	`echo 'BL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf`	-
115	`fi`	-
116	`fi`	-
117		-
118	`if ! grep -Eq '^BL_PUREIP=' $DIR_UPDATE/etc/alcasar.conf; then`	-
119	`if grep -Eq "^\*ip" $dg_path/lists/bannedsitelist; then`	-
120	`echo 'BL_PUREIP=on' >> $DIR_UPDATE/etc/alcasar.conf`	-
121	`else`	-
122	`echo 'BL_PUREIP=off' >> $DIR_UPDATE/etc/alcasar.conf`	-
123	`fi`	-
124	`fi`	-
125		-
126	`# archive file creation`	98	`# archive file creation`
127	`cd /var/tmp \|\| { echo "Unable to find /var/tmp directory"; }`	99	`cd /var/tmp \|\| { echo "Unable to find /var/tmp directory"; }`
128	`tar -cf alcasar-conf.tar conf/`	100	`tar -cf alcasar-conf.tar conf/`
129	`gzip -f alcasar-conf.tar`	101	`gzip -f alcasar-conf.tar`
130	`rm -rf $DIR_UPDATE`	102	`rm -rf $DIR_UPDATE`
131	`;;`	103	`;;`
132		104
133	`--load\|-load)`	105	`--load\|-load)`
134	`cd /var/tmp \|\| { echo "Unable to find /var/tmp directory"; }`	106	`cd /var/tmp \|\| { echo "Unable to find /var/tmp directory"; }`
135	`tar -xf alcasar-conf*.tar.gz`	107	`tar -xf alcasar-conf*.tar.gz`
136	`######################### modifications between versions #######################`	-
137	`# Retrieve the previous version`	108	`# copy alcasar.conf parameters`
138	PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf\|cut -d"=" -f2`	109	PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf\|cut -d"=" -f2`
139	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`	110	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
140	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2`	111	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2`
141	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3\|cut -c1`	112	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3\|cut -c1`
142	`## From 3.2.0 & 3.2.1 ##`	-
143	`## rewrite /etc/hosts file managing hostname resolution`	-
144	PRIVATE_IP=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f1`	-
145	HOSTNAME=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2-`	-
146	`domainNames="$HOSTNAME $HOSTNAME.$DOMAIN"`	-
147	`[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames"`	-
148	`if [ "$(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts )" -eq 0 ]; then`	113	for line in `cat $DIR_UPDATE/etc/alcasar.conf \| grep "=" \| grep -v "^#" \| grep -v " "\| grep -v "VERSION"`
149	`cat << EOF > $DIR_UPDATE/etc/hosts`	-
150	`127.0.0.1 localhost`	-
151	`$PRIVATE_IP $domainNames`	-
152	`EOF`	-
153	`fi`	114	`do`
154	`## apache & dansguardian are replaced with lighttpd & E²guardian`	-
155	`if [ "$(rpm -qa \| grep '^\(apache\\|apache-mod_php\\|apache-mod_ssl\\|dansguardian\)-' \| wc -l)" -ne 0 ]; then`	-
156	`rm_rpm="apache apache-mod_php apache-mod_ssl dansguardian"`	-
157	`/usr/sbin/urpme --auto -a $rm_rpm 2>/dev/null`	-
158	`/usr/sbin/urpme --auto --auto-orphans`	115	key=`echo $line \| cut -d"=" -f1`
159	`rm -rf /etc/httpd/ /var/log/httpd/ /var/dansguardian/ /etc/dansguardian/`	-
160	`fi`	116	`key=$key=`
161	`## lighttpd need a .pem certificate (aggregation with private key & server crt)`	-
162	`[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem`	-
163	`## From 3.3.0 ##`	-
164	`# add "SMS=off" in conf file`	117	value=`echo $line\|cut -d"=" -f2-`
165	`if [ "$(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then`	-
166	`echo "SMS=off" >> $DIR_UPDATE/etc/alcasar.conf`	118	`if [ "$value" != "" ]`
167	`fi`	119	`then`
168	`if [ "$(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then`	120	`echo "key = $key ; value = $value"`
169	`echo "SMS_NUM=" >> $DIR_UPDATE/etc/alcasar.conf`	121	`sed -i "s?^$key.*?$key$value?g" /usr/local/etc/alcasar.conf`
170	`fi`	122	`fi`
171	`## From 3.4.0 ##`	-
172	`# Fix subdomain dot position (.domain.org to domain.org.) for Unbound`	-
173	`for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl/domains $DIR_BLACKLIST/ossi-wl/domains; do`	-
174	`[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file`	-
175	`done`	123	`done`
176	`# Add LDAPS parameters to config file`	-
177	`if [ "$(grep -c '^LDAP_SSL=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then`	-
178	`echo "LDAP_SSL=on" >> $DIR_UPDATE/etc/alcasar.conf`	-
179	`fi`	-
180	`if [ "$(grep -c '^LDAP_CERT_REQUIRED=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then`	-
181	`echo "LDAP_CERT_REQUIRED=" >> $DIR_UPDATE/etc/alcasar.conf`	-
182	`fi`	-
183	`# remove DNSMASQ primary service (keep only one instance for whitelist on port 55)`	124	`## lighttpd need a .pem certificate (aggregation with private key & server crt)`
184	`[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf`	-
185	`[ -e /lib/systemd/system/dnsmasq.service.default ] && rm /lib/systemd/system/dnsmasq.service.default`	125	`[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem`
186	`[ -e /lib/systemd/system/dnsmasq.service ] && rm /lib/systemd/system/dnsmasq.service`	-
187	`###################### End of modifications between versions #######################`	-
188	`# Retrieve the logo`	126	`# Retrieve organism logo`
189	`[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/`	127	`[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/`
190	`chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php`	128	`chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php`
191	`# Retrieve the security certificates (CA and server)`	129	`# Retrieve the security certificates (CA and server)`
192	`cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/`	130	`cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/`
193	`cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/`	131	`cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/`
194	`cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/`	132	`cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/`
195	`cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/`	133	`cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/`
196	`cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/`	134	`cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/`
197	`[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist`	135	`[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist`
198	`chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA`	136	`chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA`
199	`chmod 640 /etc/pki/CA/*`	137	`chmod 640 /etc/pki/CA/*`
200	`chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private`	138	`chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private`
201	`chmod 600 /etc/pki/CA/private/*`	139	`chmod 600 /etc/pki/CA/private/*`
202	`chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private`	140	`chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private`
203	`chmod 640 /etc/pki/tls/private/*`	141	`chmod 640 /etc/pki/tls/private/*`
204	`# Import of the users database`	142	`# Import of the users database`
205	`$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"`	143	`$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"`
206	`# Retrieve local parameters`	144	`# Retrieve local parameters`
207	`cp -rf $DIR_UPDATE/etc/* $DIR_ETC/`	145	`#TODO cp -rf $DIR_UPDATE/etc/* $DIR_ETC/`
208	`mv -f $DIR_UPDATE/etc/hosts /etc/hosts`	-
209	`chmod 755 /etc/hosts`	-
210	`# Retrieve BL/WL custom files`	146	`# Retrieve BL/WL custom files`
211	`cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/`	147	`cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/`
212	`cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/`	148	`cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/`
213	`cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/`	149	`cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/`
214	`cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/`	150	`cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/`
215	`cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/`	151	`cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/`
216	`cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/`	152	`cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/`
217	`cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null`	153	`cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null`
218	`chown -R e2guardian:apache $DIR_E2G`	154	`chown -R e2guardian:apache $DIR_E2G`
219	`chmod -R g+rw $DIR_E2G`	155	`chmod -R g+rw $DIR_E2G`
220	`# Adapt DNS/URL filtering`	156	`# Adapt DNS/URL filtering`
221	PARENT_SCRIPT=`basename $0`	157	PARENT_SCRIPT=`basename $0`
222	`export PARENT_SCRIPT`	158	`export PARENT_SCRIPT`
223	`$DIR_BIN/alcasar-bl.sh -cat_choice`	159	`$DIR_BIN/alcasar-bl.sh -cat_choice`
224	`$DIR_BIN/alcasar-bl.sh -reload`	160	`$DIR_BIN/alcasar-bl.sh -reload`
225	`# admin profile update (admin + manager + backup)`	161	`# admin profile update (admin + manager + backup)`
226	`$DIR_BIN/alcasar-profil.sh --list`	162	`$DIR_BIN/alcasar-profil.sh --list`
227	`# Start / Stop SSH Daemon`	163	`# Start / Stop SSH Daemon`
228	ssh_active=`grep "^SSH=" $CONF_FILE\|cut -d"=" -f2`	164	ssh_active=`grep "^SSH=" $CONF_FILE\|cut -d"=" -f2`
229	`if [ $ssh_active = "on" ]`	165	`if [ $ssh_active = "on" ]`
230	`then`	166	`then`
231	`/usr/bin/systemctl -q enable sshd.service`	167	`/usr/bin/systemctl -q enable sshd.service`
232	`else`	168	`else`
233	`/usr/bin/systemctl -q disable sshd.service`	169	`/usr/bin/systemctl -q disable sshd.service`
234	`fi`	170	`fi`
235	`# Remove the update folder`	171	`# Remove the update folder`
236	`rm -rf $DIR_UPDATE`	172	`rm -rf $DIR_UPDATE`
237	`;;`	173	`;;`
238		174
239	`--apply\|-apply)`	175	`--apply\|-apply)`
240	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`	176	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`
241	PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`	177	PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
242	`if ! echo $PRIVATE_IP_MASK \| egrep -q $PTN`	178	`if ! echo $PRIVATE_IP_MASK \| egrep -q $PTN`
243	`then`	179	`then`
244	`echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"`	180	`echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"`
245	`exit 0`	181	`exit 0`
246	`fi`	182	`fi`
247	PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2`	183	PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2`
248	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\b"`	184	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\b"`
249	`if [[ "$PUBLIC_IP_MASK" == "dhcp" ]]`	185	`if [[ "$PUBLIC_IP_MASK" == "dhcp" ]]`
250	`then`	186	`then`
251	`PUBLIC_GATEWAY="dhcp"`	187	`PUBLIC_GATEWAY="dhcp"`
252	`else`	188	`else`
253	`if ! echo $PUBLIC_IP_MASK \| egrep -q $PTN`	189	`if ! echo $PUBLIC_IP_MASK \| egrep -q $PTN`
254	`then`	190	`then`
255	`echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"`	191	`echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"`
256	`exit 0`	192	`exit 0`
257	`fi`	193	`fi`
258	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`	194	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
259	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`	195	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
260	PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE\|cut -d"=" -f2`	196	PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE\|cut -d"=" -f2`
261	`if ! echo $PUBLIC_GATEWAY \| egrep -q $PTN`	197	`if ! echo $PUBLIC_GATEWAY \| egrep -q $PTN`
262	`then`	198	`then`
263	`echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"`	199	`echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"`
264	`exit 0`	200	`exit 0`
265	`fi`	201	`fi`
266	`fi`	202	`fi`
267	DNS1=`grep ^DNS1= $CONF_FILE\|cut -d"=" -f2`	203	DNS1=`grep ^DNS1= $CONF_FILE\|cut -d"=" -f2`
268	`if ! echo $DNS1 \| egrep -q $PTN`	204	`if ! echo $DNS1 \| egrep -q $PTN`
269	`then`	205	`then`
270	`echo "Syntax error for the IP address of the first DNS server ($DNS1)"`	206	`echo "Syntax error for the IP address of the first DNS server ($DNS1)"`
271	`exit 0`	207	`exit 0`
272	`fi`	208	`fi`
273	DNS2=`grep ^DNS2= $CONF_FILE\|cut -d"=" -f2`	209	DNS2=`grep ^DNS2= $CONF_FILE\|cut -d"=" -f2`
274	`if ! echo $DNS2 \| egrep -q $PTN`	210	`if ! echo $DNS2 \| egrep -q $PTN`
275	`then`	211	`then`
276	`echo "Syntax error for the IP address of the second DNS server ($DNS2)"`	212	`echo "Syntax error for the IP address of the second DNS server ($DNS2)"`
277	`exit 0`	213	`exit 0`
278	`fi`	214	`fi`
279	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1`	215	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1`
280	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2`	216	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2`
281	`private_network_calc`	217	`private_network_calc`
282	INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE\|cut -d"=" -f2`	218	INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE\|cut -d"=" -f2`
283	ORGANISME=`grep ^ORGANISM= $CONF_FILE\|cut -d"=" -f2-`	219	ORGANISME=`grep ^ORGANISM= $CONF_FILE\|cut -d"=" -f2-`
284	BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE\|cut -d"=" -f2`	220	BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE\|cut -d"=" -f2`
285	WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE\|cut -d"=" -f2`	221	WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE\|cut -d"=" -f2`
286	BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE\|cut -d"=" -f2`	222	BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE\|cut -d"=" -f2`
287	DHCP_mode=`grep ^DHCP= $CONF_FILE\|cut -d"=" -f2`	223	DHCP_mode=`grep ^DHCP= $CONF_FILE\|cut -d"=" -f2`
288	`if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage`	224	`if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage`
289	`then`	225	`then`
290	`if [ "$DHCP_mode" = "off" ] \|\| [ "$DHCP_mode" = "Off" ] \|\| [ "$DHCP_mode" = "OFF" ]`	226	`if [ "$DHCP_mode" = "off" ] \|\| [ "$DHCP_mode" = "Off" ] \|\| [ "$DHCP_mode" = "OFF" ]`
291	`then`	227	`then`
292	`$DIR_BIN/alcasar-dhcp.sh --off`	228	`$DIR_BIN/alcasar-dhcp.sh --off`
293	`else`	229	`else`
294	`$DIR_BIN/alcasar-dhcp.sh --on`	230	`$DIR_BIN/alcasar-dhcp.sh --on`
295	`fi`	231	`fi`
296	`# Set the local DNS (or not)`	232	`# Set the local DNS (or not)`
297	`if [ "$INT_DNS_mode" = "on" ] \|\| [ "$INT_DNS_mode" = "On" ] \|\| [ "$INT_DNS_mode" = "ON" ]`	233	`if [ "$INT_DNS_mode" = "on" ] \|\| [ "$INT_DNS_mode" = "On" ] \|\| [ "$INT_DNS_mode" = "ON" ]`
298	`then`	234	`then`
299	`$DIR_BIN/alcasar-dns-local.sh --on`	235	`$DIR_BIN/alcasar-dns-local.sh --on`
300	`else`	236	`else`
301	`$DIR_BIN/alcasar-dns-local.sh --off`	237	`$DIR_BIN/alcasar-dns-local.sh --off`
302	`fi`	238	`fi`
303	`# Set the pure ip option (or not)`	239	`# Set the pure ip option (or not)`
304	`if [ "$BL_PUREIP" = "off" ] \|\| [ "$BL_PUREIP" = "Off" ] \|\| [ "$BL_PUREIP" = "OFF" ]`	240	`if [ "$BL_PUREIP" = "off" ] \|\| [ "$BL_PUREIP" = "Off" ] \|\| [ "$BL_PUREIP" = "OFF" ]`
305	`then`	241	`then`
306	`bl_filter_param+="--pureip_off"`	242	`bl_filter_param+="--pureip_off"`
307	`else`	243	`else`
308	`bl_filter_param+="--pureip_on"`	244	`bl_filter_param+="--pureip_on"`
309	`fi`	245	`fi`
310	`# Set the safesearch options (or not)`	246	`# Set the safesearch options (or not)`
311	`bl_filter_param=""`	247	`bl_filter_param=""`
312	`if [ "$BL_SAFESEARCH" = "on" ] \|\| [ "$BL_SAFESEARCH" = "On" ] \|\| [ "$BL_SAFESEARCH" = "ON" ]`	248	`if [ "$BL_SAFESEARCH" = "on" ] \|\| [ "$BL_SAFESEARCH" = "On" ] \|\| [ "$BL_SAFESEARCH" = "ON" ]`
313	`then`	249	`then`
314	`bl_filter_param+="--safesearch_on "`	250	`bl_filter_param+="--safesearch_on "`
315	`else`	251	`else`
316	`bl_filter_param+="--safesearch_off "`	252	`bl_filter_param+="--safesearch_off "`
317	`fi`	253	`fi`
318	`$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param`	254	`$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param`
319	`if [ "$WL_SAFESEARCH" = "on" ] \|\| [ "$WL_SAFESEARCH" = "On" ] \|\| [ "$WL_SAFESEARCH" = "ON" ]`	255	`if [ "$WL_SAFESEARCH" = "on" ] \|\| [ "$WL_SAFESEARCH" = "On" ] \|\| [ "$WL_SAFESEARCH" = "ON" ]`
320	`then`	256	`then`
321	`$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on`	257	`$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on`
322	`else`	258	`else`
323	`$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off`	259	`$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off`
324	`fi`	260	`fi`
325	`# Reload the local dns configuration`	261	`# Reload the local dns configuration`
326	`$DIR_BIN/alcasar-dns-local.sh --reload`	262	`$DIR_BIN/alcasar-dns-local.sh --reload`
327	`# Logout everybody`	263	`# Logout everybody`
328	`$DIR_BIN/alcasar-logout.sh all`	264	`$DIR_BIN/alcasar-logout.sh all`
329	`# Services stop`	265	`# Services stop`
330	`echo -n "Stop services : "`	266	`echo -n "Stop services : "`
331	`for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd`	267	`for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd`
332	`do`	268	`do`
333	`/usr/bin/systemctl stop $i && echo -n "$i, "`	269	`/usr/bin/systemctl stop $i && echo -n "$i, "`
334	`done`	270	`done`
335	`echo`	271	`echo`
336	`fi`	272	`fi`
337	`# EXTIF config`	273	`# EXTIF config`
338	`if [ $PUBLIC_IP_MASK == "dhcp" ]`	274	`if [ $PUBLIC_IP_MASK == "dhcp" ]`
339	`then`	275	`then`
340	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF`	276	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF`
341	`DEVICE=$EXTIF`	277	`DEVICE=$EXTIF`
342	`BOOTPROTO=dhcp`	278	`BOOTPROTO=dhcp`
343	`DNS1=127.0.0.1`	279	`DNS1=127.0.0.1`
344	`PEERDNS=no`	280	`PEERDNS=no`
345	`RESOLV_MODS=yes`	281	`RESOLV_MODS=yes`
346	`ONBOOT=yes`	282	`ONBOOT=yes`
347	`METRIC=10`	283	`METRIC=10`
348	`MII_NOT_SUPPORTED=yes`	284	`MII_NOT_SUPPORTED=yes`
349	`IPV6INIT=no`	285	`IPV6INIT=no`
350	`IPV6TO4INIT=no`	286	`IPV6TO4INIT=no`
351	`ACCOUNTING=no`	287	`ACCOUNTING=no`
352	`USERCTL=no`	288	`USERCTL=no`
353	`MTU=$MTU`	289	`MTU=$MTU`
354	`NOZEROCONF=yes`	290	`NOZEROCONF=yes`
355	`EOF`	291	`EOF`
356	`else`	292	`else`
357	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF`	293	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF`
358	`DEVICE=$EXTIF`	294	`DEVICE=$EXTIF`
359	`BOOTPROTO=static`	295	`BOOTPROTO=static`
360	`IPADDR=$PUBLIC_IP`	296	`IPADDR=$PUBLIC_IP`
361	`NETMASK=$PUBLIC_NETMASK`	297	`NETMASK=$PUBLIC_NETMASK`
362	`GATEWAY=$PUBLIC_GATEWAY`	298	`GATEWAY=$PUBLIC_GATEWAY`
363	`DNS1=127.0.0.1`	299	`DNS1=127.0.0.1`
364	`RESOLV_MODS=yes`	300	`RESOLV_MODS=yes`
365	`ONBOOT=yes`	301	`ONBOOT=yes`
366	`METRIC=10`	302	`METRIC=10`
367	`MII_NOT_SUPPORTED=yes`	303	`MII_NOT_SUPPORTED=yes`
368	`IPV6INIT=no`	304	`IPV6INIT=no`
369	`IPV6TO4INIT=no`	305	`IPV6TO4INIT=no`
370	`ACCOUNTING=no`	306	`ACCOUNTING=no`
371	`USERCTL=no`	307	`USERCTL=no`
372	`MTU=$MTU`	308	`MTU=$MTU`
373	`NOZEROCONF=yes`	309	`NOZEROCONF=yes`
374	`EOF`	310	`EOF`
375	`fi`	311	`fi`
376	`# INTIF config (for bypass mode only)`	312	`# INTIF config (for bypass mode only)`
377	`$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`	313	`$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`
378	`$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`	314	`$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`
379	`# NTP server`	315	`# NTP server`
380	`$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf`	316	`$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf`
381	`# host.allow`	317	`# host.allow`
382	`cat <<EOF > /etc/hosts.allow`	318	`cat <<EOF > /etc/hosts.allow`
383	`ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP`	319	`ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP`
384	`sshd: ALL`	320	`sshd: ALL`
385	`ntpd: $PRIVATE_NETWORK_SHORT`	321	`ntpd: $PRIVATE_NETWORK_SHORT`
386	`EOF`	322	`EOF`
387	`# Set hostname`	323	`# Set hostname`
388	`hostnamectl set-hostname $HOSTNAME.$DOMAIN`	324	`hostnamectl set-hostname $HOSTNAME.$DOMAIN`
389	`# /etc/hosts`	325	`# /etc/hosts`
390	`domainNames="$HOSTNAME $HOSTNAME.$DOMAIN"`	326	`domainNames="$HOSTNAME $HOSTNAME.$DOMAIN"`
391	`[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames"`	327	`[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames"`
392	`$SED "/^$PRIVATE_IP\t/d" /etc/hosts`	328	`$SED "/^$PRIVATE_IP\t/d" /etc/hosts`
393	`$SED "/\s$HOSTNAME\s\$/d" /etc/hosts`	329	`$SED "/\s$HOSTNAME\s\$/d" /etc/hosts`
394	`[ "$HOSTNAME" != 'alcasar' ] && $SED "/\salcasar\s\$/d" /etc/hosts`	330	`[ "$HOSTNAME" != 'alcasar' ] && $SED "/\salcasar\s\$/d" /etc/hosts`
395	`echo "$PRIVATE_IP $domainNames" >> /etc/hosts`	331	`echo "$PRIVATE_IP $domainNames" >> /etc/hosts`
396	`# MOTD`	332	`# MOTD`
397	`$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release`	333	`$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release`
398	`# Lighttpd`	334	`# Lighttpd`
399	`$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf`	335	`$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf`
400	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf`	336	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf`
401	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf`	337	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf`
402	`# FreeRADIUS`	338	`# FreeRADIUS`
403	`$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf`	339	`$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf`
404	`$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf`	340	`$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf`
405	`# CoovaChilli`	341	`# CoovaChilli`
406	`$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`	342	`$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`
407	`$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`	343	`$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`
408	`$SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf`	344	`$SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf`
409	[ "`grep ^HTTPS_LOGIN= $CONF_FILE \| cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" \|\| chilli_login_protocol="http"	345	[ "`grep ^HTTPS_LOGIN= $CONF_FILE \| cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" \|\| chilli_login_protocol="http"
410	`$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf`	346	`$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf`
411	`$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`	347	`$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf`
412	`$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf`	348	`$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf`
413	`$SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf`	349	`$SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf`
414	`$SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf`	350	`$SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf`
415	`$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf`	351	`$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf`
416	`# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries`	352	`# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries`
417	`$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info`	353	`$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info`
418	`# dnsmasq-whitelist`	354	`# dnsmasq-whitelist`
419	`$SED "/^server=/d" /etc/dnsmasq-whitelist.conf`	355	`$SED "/^server=/d" /etc/dnsmasq-whitelist.conf`
420	`echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf`	356	`echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf`
421	`echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf`	357	`echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf`
422	`# unbound`	358	`# unbound`
423	`# removing unbound configuration files`	359	`# removing unbound configuration files`
424	`rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*`	360	`rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*`
425	`rm -f /etc/unbound/conf.d/common/forward-zone.conf`	361	`rm -f /etc/unbound/conf.d/common/forward-zone.conf`
426	`find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete`	362	`find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete`
427	`# Configuration file for the dns servers forward-zone`	363	`# Configuration file for the dns servers forward-zone`
428	`cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf`	364	`cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf`
429	`forward-zone:`	365	`forward-zone:`
430	`name: "."`	366	`name: "."`
431	`forward-addr: $DNS1`	367	`forward-addr: $DNS1`
432	`forward-addr: $DNS2`	368	`forward-addr: $DNS2`
433	`EOF`	369	`EOF`
434	`# Configuration file of ALCASAR main domains for $INTIF`	370	`# Configuration file of ALCASAR main domains for $INTIF`
435	`cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`	371	`cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`
436	`server:`	372	`server:`
437	`local-zone: "$HOSTNAME.$DOMAIN" static`	373	`local-zone: "$HOSTNAME.$DOMAIN" static`
438	`local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"`	374	`local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"`
439	`local-zone: "$HOSTNAME" static`	375	`local-zone: "$HOSTNAME" static`
440	`local-data: "$HOSTNAME A $PRIVATE_IP"`	376	`local-data: "$HOSTNAME A $PRIVATE_IP"`
441	`EOF`	377	`EOF`
442	`if [ "$HOSTNAME" != 'alcasar' ]`	378	`if [ "$HOSTNAME" != 'alcasar' ]`
443	`then`	379	`then`
444	`echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`	380	`echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`
445	`echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`	381	`echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`
446	`echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf`	382	`echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf`
447	`echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf`	383	`echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf`
448	`fi`	384	`fi`
449	`# Configuration file for lo of forward`	385	`# Configuration file for lo of forward`
450	`cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf`	386	`cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf`
451	`server:`	387	`server:`
452	`interface: 127.0.0.1@53`	388	`interface: 127.0.0.1@53`
453	`access-control-view: 127.0.0.1/8 lo`	389	`access-control-view: 127.0.0.1/8 lo`
454	`view:`	390	`view:`
455	`name: "lo"`	391	`name: "lo"`
456	`view-first: yes`	392	`view-first: yes`
457	`local-zone: "$HOSTNAME.$DOMAIN" static`	393	`local-zone: "$HOSTNAME.$DOMAIN" static`
458	`local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"`	394	`local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"`
459	`local-zone: "$HOSTNAME" static`	395	`local-zone: "$HOSTNAME" static`
460	`local-data: "$HOSTNAME A 127.0.0.1"`	396	`local-data: "$HOSTNAME A 127.0.0.1"`
461	`local-zone: "$DOMAIN." static`	397	`local-zone: "$DOMAIN." static`
462	`local-data: "$DOMAIN. A"`	398	`local-data: "$DOMAIN. A"`
463	`EOF`	399	`EOF`
464	`# Configuration file for $INTIF of forward`	400	`# Configuration file for $INTIF of forward`
465	`cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf`	401	`cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf`
466	`server:`	402	`server:`
467	`interface: ${PRIVATE_IP}@53`	403	`interface: ${PRIVATE_IP}@53`
468	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`	404	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`
469		405
470	`view:`	406	`view:`
471	`name: "$INTIF"`	407	`name: "$INTIF"`
472	`view-first: yes`	408	`view-first: yes`
473	`EOF`	409	`EOF`
474	`# Configuration file for $INTIF of blacklist`	410	`# Configuration file for $INTIF of blacklist`
475	`cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf`	411	`cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf`
476	`server:`	412	`server:`
477	`interface: ${PRIVATE_IP}@54`	413	`interface: ${PRIVATE_IP}@54`
478	`access-control: $PRIVATE_IP_MASK allow`	414	`access-control: $PRIVATE_IP_MASK allow`
479	`access-control-tag: $PRIVATE_IP_MASK "blacklist"`	415	`access-control-tag: $PRIVATE_IP_MASK "blacklist"`
480	`access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect`	416	`access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect`
481	`access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"`	417	`access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"`
482	`EOF`	418	`EOF`
483	`# Configuration file for $INTIF of whitelist`	419	`# Configuration file for $INTIF of whitelist`
484	`cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf`	420	`cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf`
485	`server:`	421	`server:`
486	`interface: ${PRIVATE_IP}@55`	422	`interface: ${PRIVATE_IP}@55`
487	`access-control: $PRIVATE_IP_MASK allow`	423	`access-control: $PRIVATE_IP_MASK allow`
488	`access-control-tag: $PRIVATE_IP_MASK "whitelist"`	424	`access-control-tag: $PRIVATE_IP_MASK "whitelist"`
489	`access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect`	425	`access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect`
490	`access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"`	426	`access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"`
491	`EOF`	427	`EOF`
492	`# Configuration file for $INTIF of blackhole`	428	`# Configuration file for $INTIF of blackhole`
493	`cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf`	429	`cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf`
494	`server:`	430	`server:`
495	`interface: ${PRIVATE_IP}@56`	431	`interface: ${PRIVATE_IP}@56`
496	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`	432	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`
497	`view:`	433	`view:`
498	`name: "$INTIF"`	434	`name: "$INTIF"`
499	`local-zone: "." redirect`	435	`local-zone: "." redirect`
500	`local-data: ". A $PRIVATE_IP"`	436	`local-data: ". A $PRIVATE_IP"`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-conf.sh – Rev 2813 → 2824