

Ignore whitespace Rev 3325 → Rev 3326

/alcasar.sh
2284,7 → 2284,6
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
echo "SSH_LAN=22" >> $CONF_FILE
echo "SSH_WAN=0" >> $CONF_FILE
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
/conf/letsencrypt-client/acme.sh-3.1.1.tar.gz
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/conf/letsencrypt-client/acme.sh-3.1.2.tar.gz
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/scripts/alcasar-conf.sh
33,7 → 33,6
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
DOMAIN=${DOMAIN:=lan}
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # To configure WL domain names
HTTPS_LOGIN=`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`
SED="/bin/sed -i"
 
private_network_calc ()
276,6 → 275,7
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2`
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
HTTPS_LOGIN=`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]
318,8 → 318,8
# Logout everybody
$DIR_BIN/alcasar-logout.sh all
# Services stop
echo -n "Stop services : "
for i in ntpd e2guardian unbound unbound-whitelist unbound-blacklist unbound-blackhole chilli network httpd
echo -n "Stop services : " # don't stop httpd as it can run this script (reloading)
for i in ntpd e2guardian unbound unbound-whitelist unbound-blacklist unbound-blackhole chilli network
do
/usr/bin/systemctl stop $i && echo -n "$i, "
done
378,7 → 378,7
$SED "s?^uamallowed.*?uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN?g" /etc/chilli.conf
$SED "s?^locationname.*?locationname\t$HOSTNAME.$DOMAIN?g" /etc/chilli.conf
$SED "s?^domain.*?domain\t\t$DOMAIN?g" /etc/chilli.conf
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
[ "$HTTPS_LOGIN" = "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s?^uamserver.*?uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php?" /etc/chilli.conf
$SED "s?^radiusnasid.*?radiusnasid\t$HOSTNAME.$DOMAIN?g" /etc/chilli.conf
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf
478,13 → 478,11
if [ "$HTTPS_LOGIN" = "on" ] || [ "$HTTPS_LOGIN" = "On" ] || [ "$HTTPS_LOGIN" = "ON" ]
then
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
$SED "s?^#redirssl.*?redirssl?" /etc/chilli.conf
$SED "s?^#uamuissl.*?uamuissl?" /etc/chilli.conf
else
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
$SED "s?^redirssl.*?#&?" /etc/chilli.conf
$SED "s?^uamuissl.*?#&?" /etc/chilli.conf
500,7 → 498,7
/usr/bin/systemctl start $i && echo -n ", $i"
done
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, e2guardian, iptables"
/usr/bin/systemctl restart httpd && echo -n ", httpd"
/usr/bin/systemctl reload httpd && echo -n ", httpd"
fi
# Email user registration
$SED "s?^smtpd_banner =.*?smtpd_banner = $HOSTNAME.$DOMAIN ESMTP?g" /etc/postfix/main.cf
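Review bot: The new comparison at L65 accepts only the lowercase value `on`, while the block at L70 in the same script also treats `On` and `ON` as enabled, so a conf file holding `HTTPS_LOGIN=ON` makes L65 write an `http://` uamserver into chilli.conf that is only corrected because L74 rewrites the same directive later in the run. Normalise the value once where it is now read at L45, e.g. `HTTPS_LOGIN=$(grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2 | tr '[:upper:]' '[:lower:]')`, so the single test at L65 and the three-way test at L70 cannot disagree. The reload at L88 is also unchecked: a graceful reload that fails on a bad config keeps the old configuration running and prints nothing, so consider `|| echo "httpd reload failed" >&2` there. The enclosing function of these hunks starts and ends outside the section.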
/scripts/alcasar-https.sh
32,7 → 32,6
;;
--off | -off) # Chilli : disable HTTPS (it will listen only on 3990 port) + Apache : remove "requireSSL" & redirection directive
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^redirssl.*?#&?" $CHILLI_CONF_FILE
$SED "s?^uamuissl.*?#&?" $CHILLI_CONF_FILE
39,11 → 38,10
/usr/bin/systemctl restart chilli
$SED "/<Directory \/var\/www\/html>/{n;/SSLRequireSSL/{d;};}" $HTTPD_CONF_FILE
$SED "/redirect/d" $HTTPD_80_CONF_FILE
/usr/bin/systemctl restart httpd
/usr/bin/systemctl reload httpd
;;
--on | -on) # Chilli : enable HTTPS (it will listen on ports 3990 (http) and 3991 (https) + apache : add "requireSSL" & redirection directive
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^#redirssl.*?redirssl?" $CHILLI_CONF_FILE
$SED "s?^#uamuissl.*?uamuissl?" $CHILLI_CONF_FILE
52,7 → 50,7
$SED "/<Directory \/var\/www\/html>/a\ SSLRequireSSL" $HTTPD_CONF_FILE
$SED "/redirect/d" $HTTPD_80_CONF_FILE # remove if already exist
$SED "/<\/VirtualHost>/i\ redirect permanent \/ https:\/\/$HOSTNAME.$DOMAIN" $HTTPD_80_CONF_FILE
/usr/bin/systemctl restart httpd
/usr/bin/systemctl reload httpd
;;
*)
echo "Argument inconnu : $1"
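Review bot: Switching to `systemctl reload httpd` at L106 and L119 changes the failure mode of the `--on` path: a restart that failed on a bad config took Apache down, whereas a failed graceful reload leaves the old configuration serving, so the `SSLRequireSSL` and redirect directives just inserted by the sed edits at L115-L117 may silently stay unenforced, and neither call checks its exit status. Report the failure at least: `/usr/bin/systemctl reload httpd || echo "httpd reload failed, HTTPS enforcement not applied" >&2`; a `httpd -t` config test before the reload would catch a sed edit that produced invalid syntax. The enclosing `case` statement starts and ends outside the section.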
/scripts/alcasar-importcert.sh
53,8 → 53,9
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
#check fqdn format
if [[ "$fqdn" != "" && "$domain" != "" ]]; then
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" $CONF_FILE
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" $CONF_FILE
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
/usr/local/bin/alcasar-conf.sh --apply
fi
}
163,9 → 164,7
then
echo "Restoring default certificate"
defaultCert
domainName
# Reset Letsencrypt file
cat <<EOF > /usr/local/etc/alcasar-letsencrypt
cat <<EOF > /usr/local/etc/alcasar-letsencrypt
email=
dateIssueRequest=
domainRequest=
174,6 → 173,7
dnsapi=
dateNextRenewal=
EOF
domainName
else echo "No default cert found"
fi
;;
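Review bot: The comment at L126 says the fqdn format is checked, but the condition at L127 only tests for non-empty strings before `$hostname` and `$domain` are interpolated unquoted into the `sed` replacement text at L130-L131; a value containing `/`, `&` or a newline would break or alter the edit of `$CONF_FILE`, and HOSTNAME/DOMAIN are then reused by `alcasar-conf.sh --apply` (L133) in further `sed` edits of chilli and Apache configuration. Where these values originate is not visible here (L125 suggests they are derived from the imported certificate), so the exposure depends on who may import a certificate; a syntax check such as `if [[ "$fqdn" != "" && "$domain" != "" && "$fqdn" =~ ^[A-Za-z0-9.-]+$ ]]; then` would make the comment true and contain the sed input. The enclosing function starts outside the section.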
/scripts/alcasar-uninstall.sh
269,8 → 269,8
mail_service()
{
echo -en "(3) : "
[ -e /etc/php.d/05_mail.ini.default ] && mv /etc/php.d/05_mail.ini.default /etc/php.d/05_mail.ini && echo -n "1"
[ -e /etc/postfix/main.cf.orig ] && mv /etc/postfix/main.cf.orig /etc/postfix/main.cf && echo -n "2"
[ -e /etc/php.d/05_mail.ini.default ] && mv /etc/php.d/05_mail.ini.default /etc/php.d/05_mail.ini && echo -n "1, "
[ -e /etc/postfix/main.cf.orig ] && mv /etc/postfix/main.cf.orig /etc/postfix/main.cf && echo -n "2, "
[ -e /etc/postfix/aliases.default ] && mv /etc/postfix/aliases.default /etc/postfix/aliases && newaliases && echo -n "3"
}
 
/web/acc/admin/network.php
631,24 → 631,27
if ($choix === 'le_issueCert') {
$email = $_POST['email'];
$domainName = $_POST['domainname'];
if ((!empty($domainname)) && (preg_match($reg_domain, $domainname))) {
if ((!empty($domainName)) && (preg_match($reg_domain, $domainName))) {
if ((!empty($email)) && (preg_match($reg_email, $email))) {
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --issue --email '.escapeshellarg($email).' --domain '.escapeshellarg($domainName), $output, $exitCode);}
else {
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --issue --domain '.escapeshellarg($domainName), $output, $exitCode);}
else {
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --issue --email '.escapeshellarg($email).' --domain '.escapeshellarg($domainName), $output, $exitCode);}
$cmdResponse = implode("<br>\n", $output);}
}
 
if ($choix === 'le_renewCert') {
if ((isset($_POST['recheck'])) && ((!empty($_POST['recheck'])) || (!empty($_POST['recheck_force'])))) {
$forceOpt = (!empty($_POST['recheck_force'])) ? ' --force' : '';
 
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --renew' . $forceOpt, $output, $exitCode);
 
$cmdResponse = implode("<br>\n", $output);
} else if ((isset($_POST['cancel'])) && (!empty($_POST['cancel']))) {
if ((isset($_POST['cancel'])) && (!empty($_POST['cancel']))) {
file_put_contents(LETS_ENCRYPT_FILE, preg_replace('/challenge=.*/','challenge=', file_get_contents(LETS_ENCRYPT_FILE)));
file_put_contents(LETS_ENCRYPT_FILE, preg_replace('/domainRequest=.*/','domainRequest=', file_get_contents(LETS_ENCRYPT_FILE)));
file_put_contents(LETS_ENCRYPT_FILE, preg_replace('/email=.*/','email=', file_get_contents(LETS_ENCRYPT_FILE)));
file_put_contents(LETS_ENCRYPT_FILE, preg_replace('/dateIssueRequest=.*/','dateIssueRequest=', file_get_contents(LETS_ENCRYPT_FILE)));
}
else {
if ((isset($_POST['recheck_force'])) && (!empty($_POST['recheck_force']))) {
$forceOpt = (!empty($_POST['recheck_force'])) ? ' --force' : ''; }
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --renew' . $forceOpt, $output, $exitCode);
$cmdResponse = implode("<br>\n", $output);
}
}
 
// Read Let's Encrypt configuration file
1305,7 → 1308,7
<div class="panel-row">
<div class="panel-cell">
<?php
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt'));
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt'));
$cert_expiration_date = date('d-m-Y H:i:s', $certificateInfos['validTo_time_t']);
$domain = $certificateInfos['subject']['CN'];
$organization = (isset($certificateInfos['subject']['O'])) ? $certificateInfos['subject']['O'] : '';
1321,7 → 1324,7
<div class="panel-cell">
<?
if (file_exists('/etc/pki/tls/certs/alcasar.crt.old') && file_exists('/etc/pki/tls/private/alcasar.key.old')){ // An old default certificate exist ?
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt.old'));
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt.old'));
$cert_expiration_date = date('d-m-Y H:i:s', $certificateInfos['validTo_time_t']);
$domain = $certificateInfos['subject']['CN'];
$organization = (isset($certificateInfos['subject']['O'])) ? $certificateInfos['subject']['O'] : '';
1352,6 → 1355,7
<div class="panel-cell">
<?php
// Get step
$domain=$conf['HOSTNAME'].".".$conf['DOMAIN'];
if (empty($LE_conf['domainRequest'])) {
$step = 1;
} else if (!empty($LE_conf['challenge'])) {
1367,8 → 1371,8
<form name="new_LE" method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" onSubmit="document.getElementById('ldoverlay').style.display='block';">
<input type="hidden" name="choix" value="le_issueCert">
<?= $l_le_status ?> <?= $l_disabled ?><br>
<?= $l_le_domain_name ?> <input type="text" name="domainname" placeholder="alcasar.domain.tld" required><br>
<?= $l_le_email ?> <input type="text" name="email" placeholder="adresse@email.com"<?= ((!empty($LE_conf['email'])) ? ' value="'.$LE_conf['email'].'"' : '') ?>><br>
<?= $l_le_domain_name ?> <input type="text" name="domainname" placeholder="alcasar.domain.tld" required><br>
<input type="submit" onClick="return (Domain_Control('new_LE'))" class="button" name="issue" value="<?= $l_send ?>"><br>
</form>
<?php elseif ($step === 2): ?>
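Review bot: In the `le_renewCert` handler, assuming the `if cancel … else` form at L191-L202 is the new side, `$forceOpt` is assigned only inside the inner `if` at L198-L199, so the `exec()` at L200 concatenates an undefined variable whenever `recheck_force` is not posted (a PHP warning), and the renew is no longer gated on `recheck` as the earlier form at L184 was; initialise it unconditionally with `$forceOpt = (!empty($_POST['recheck_force'])) ? ' --force' : '';` and drop the inner `if`. In the `le_issueCert` handler only one of the two `else` branches can survive: the L178-L179 form passes `--email` with a value that has just failed the `$reg_email` check, so the L176-L177 form, which omits `--email`, is the one to keep. `escapeshellarg()` wraps both arguments in every variant, so this is about validation of what reaches acme.sh rather than shell injection.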
/web/index.php
52,7 → 52,7
$network_pb = false;
$diagnostic = "can't contact the default router";
$certCa_link = (($useHTTPS) ? 'https' : 'http')."://$hostname/certs/certificat_alcasar_ca.crt";
$logout_link = ((($conf['HTTPS_CHILLI'] === 'on') && $useHTTPS) ? 'https://'.$hostname.':3991' : 'http://'.$hostname.':3990').'/logoff';
$logout_link = ((($conf['HTTPS_LOGIN'] === 'on') && $useHTTPS) ? 'https://'.$hostname.':3991' : 'http://'.$hostname.':3990').'/logoff';
$direct_access = false;
$remote_ip = preg_match('#^([0-9]{1,3}\.){3}[0-9]{1,3}$#', $_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$connection_history = '';
/web/intercept.php
66,7 → 66,7
$loginpath = htmlspecialchars($_SERVER['PHP_SELF']);
$useHTTPS = ((isset($_SERVER['HTTPS'])) && (!empty($_SERVER['HTTPS'])) && ($_SERVER['HTTPS'] !== 'off'));
$alcasarpath = (($useHTTPS) ? 'https' : 'http' ).'://'.$conf['HOSTNAME'].'.'.$conf['DOMAIN'];
$statuspath = (($conf['HTTPS_CHILLI'] === 'on') ? 'https' : 'http' ).'://'.$conf['HOSTNAME'].'.'.$conf['DOMAIN'].'/status.php';
$statuspath = (($conf['HTTPS_LOGIN'] === 'on') ? 'https' : 'http' ).'://'.$conf['HOSTNAME'].'.'.$conf['DOMAIN'].'/status.php';
 
# Redirection if HTTPS needed and not used
if (($conf['HTTPS_LOGIN'] === 'on') && (!$useHTTPS)) {
393,7 → 393,7
// TODO: clean unused query params
 
$uamip = $conf['HOSTNAME'].'.'.$conf['DOMAIN'];
if (($conf['HTTPS_CHILLI'] === 'on') && $useHTTPS) {
if (($conf['HTTPS_LOGIN'] === 'on') && $useHTTPS) {
$uamproto = 'https';
$uamport = 3991;
} else {