879,8 → 879,8 |
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
|
chown -R apache:apache /var/log/lighttpd |
/usr/bin/systemctl start lighttpd |
/usr/bin/systemctl start php-fpm |
# /usr/bin/systemctl start lighttpd |
# /usr/bin/systemctl start php-fpm |
|
# Creation of the first account (in 'admin' profile) |
if [ "$mode" = "install" ] |
1036,16 → 1036,18 |
nas_type = other |
} |
EOF |
# Set Virtual server (remvove all except "alcasar virtual site") |
rm -f /etc/raddb/sites-enabled/* |
# Set Virtual server |
# Remvoveing all except "alcasar virtual site") |
# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled) Change the firewall rules to allow "radius" extern connections. |
cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar |
cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap |
chown radius:apache /etc/raddb/sites-available/alcasar* |
chmod 660 /etc/raddb/sites-available/alcasar* |
rm -f /etc/raddb/sites-enabled/* |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
# Set modules |
# Add custom LDAP "available module" |
# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections. |
cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/ |
chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar |
# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC) |
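Review bot: The new comments in the "Set Virtual server" block carry typos that will mislead the next reader: `# Remvoveing all except "alcasar virtual site")` has a misspelling and an unbalanced parenthesis, and the INFO line names the `"innser-tunnel"` virtual server, which is not a FreeRADIUS site name. Suggested wording: `# Remove all sites except the "alcasar" virtual site` and `# INFO : To enable 802.1X, add the "inner-tunnel" virtual server (link in sites-enabled) and change the firewall rules to allow external "radius" connections.` The page shows no +/- markers, so if both `rm -f /etc/raddb/sites-enabled/*` lines survive on the new side, the second one is redundant with the first and one of them should go.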
1054,8 → 1056,7 |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
# INFO : To connect from outside (EAP), add the EAP module (and right accesses to the keys (/etc/pki/tls/private/radius.pem) |
# Configure SQL mod |
# Configure SQL module |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql |
1064,6 → 1065,13 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
# no TLS encryption on 127.0.0.1 |
$SED "s?^[\t] ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t] ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t] ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t] ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t] ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t] ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
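Review bot: The six added `$SED` lines under `# no TLS encryption on 127.0.0.1` use the pattern `^[\t] ]*`, whereas the lines above use `^[\t ]*`; the bracket expression closes at the first `]`, so the regex demands a tab, then a literal space, then optional `]` characters before `ca_file`, which does not match an ordinarily indented `ca_file = ...` line, and the TLS options are left untouched. Rewriting each line in the form of its neighbours, e.g. `$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql`, makes the `#&` replacement comment the option out as intended; the same one-character fix applies to the `ca_path`, `certificate_file`, `private_key_file`, `cipher` and `tls_required` lines. Because a non-matching substitution is silent, nothing in the install output reveals that the SQL module still carries its TLS settings, so a post-run `grep -n tls_required /etc/raddb/mods-available/sql` is worth adding to the verification steps.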
1286,57 → 1294,83 |
{ |
mkdir -p /var/e2guardian /var/log/e2guardian |
chown -R e2guardian /var/e2guardian /var/log/e2guardian |
# Adapt systemd unit |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
# By default the filter is off |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf |
|
# Adapt the main conf file |
# French deny HTML page |
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf |
# Listen only on LAN side |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP |
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# replace the default deny HTML page |
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/ |
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
# The port that E2guardian listens to |
$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP (127.0.0.1:8090) |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
# # Change the default report page |
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf |
# Disable HTML content control |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas) |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas) |
# Configure E2guardian for large site |
# Minimum number of processus to handle connections |
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf |
# Maximum number of processus to handle connections |
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf |
# Run at least 8 daemons |
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf |
# minimum number of processes to spawn |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf |
# maximum age of a child process before it croaks it |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf |
# Disable download files control |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
|
# Adapt the first group file (only one for instance) |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
|
# Replace the default deny HTML page (only fr & uk) |
[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default |
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html |
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
# Dont filtering files by extension or mime-type (empty list) |
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
touch $DIR_DG/lists/bannedextensionlist |
touch $DIR_DG/lists/bannedmimetypelist |
# 'Safesearch' regex actualisation |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
# empty LAN IP list that won't be WEB filtered |
# Empty LAN IP list that won't be WEB filtered |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
touch $DIR_DG/lists/exceptioniplist |
# Keep a copy of URL & domain filter configuration files |
# Creation of ALCASAR banned site list |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default |
cat <<EOF > $DIR_DG/lists/bannedsitelist |
# E2guardian domain filter config for ALCASAR |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
#** |
# block all SSL and CONNECT tunnels |
**s |
# block all SSL and CONNECT tunnels specified only as an IP |
*ips |
# block all sites specified only by an IP |
*ip |
EOF |
# Creation of ALCASAR banned URL list (empty) |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
cat <<EOF > $DIR_DG/lists/bannedurllist |
# E2guardian filter config for ALCASAR |
EOF |
# Creation of file for the rehabilited domains and urls |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
touch $DIR_DG/lists/exceptionsitelist |
touch $DIR_DG/lists/exceptionurllist |
# Add Bing to the safesearch url regext list (parental control) |
[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
cat <<EOF >> $DIR_DG/lists/urlregexplist |
# Bing - add 'adlt=strict' |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
EOF |
# 'Safesearch' regex actualisation |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
} # End of e2guardian() |
|
################################################################## |
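Review bot: In the template backup block the second `mv` targets the wrong language directory: `mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default` overwrites the French backup created on the line above and never creates `ukenglish/template.html.default`, so its guard is false on every run and the file just installed into `ukenglish/` is moved over the French backup again. The destination should be `/usr/share/e2guardian/languages/ukenglish/template.html.default`. The listen-port line `$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf` misspells the option key, and its pattern `=*` consumes only the `=` characters, so the original value stays on the line after the inserted text; `$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf` follows the form of the other option edits. The page shows no +/- markers, so the `.default` backup lines and the port line appear to be the new form but should be confirmed against the raw diff; the `e2guardian()` function this hunk closes starts before the hunk.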
1825,33 → 1859,6 |
rm -rf $DIR_DG/lists/blacklists |
mkdir -p /tmp/blacklists |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/ |
# creation of file for the rehabilited domains and urls |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
touch $DIR_DG/lists/exceptionsitelist |
touch $DIR_DG/lists/exceptionurllist |
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian |
cat <<EOF > $DIR_DG/lists/bannedurllist |
# E2guardian filter config for ALCASAR |
EOF |
cat <<EOF > $DIR_DG/lists/bannedsitelist |
# E2guardian domain filter config for ALCASAR |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
#** |
# block all SSL and CONNECT tunnels |
**s |
# block all SSL and CONNECT tunnels specified only as an IP |
*ips |
# block all sites specified only by an IP |
*ip |
EOF |
# Add Bing to the safesearch url regext list (parental control) |
cat <<EOF >> $DIR_DG/lists/urlregexplist |
# Bing - add 'adlt=strict' |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
EOF |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only) |
mkdir -p $DIR_DG/lists/blacklists/ossi-bl |
touch $DIR_DG/lists/blacklists/ossi-bl/domains |
2471,7 → 2478,7 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1` |
mode="update" |
fi |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
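Review bot: The swap of `CA` and `ACC` in the `for func in` list records no reason for the ordering, and this list is the only place the sequencing of installer steps is expressed. A short comment above the loop, e.g. `# order matters: CA must run before ACC if ACC installs the certificates CA produces — confirm`, would keep a later maintainer from swapping them back; the page shows no +/- markers, so the wording should match whichever order is the new one. The loop body continues after this hunk.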