WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 1832 2016-04-24 14:19:20Z richard $
+#  $Id: alcasar.sh 1833 2016-04-24 15:32:42Z richard $
 # alcasar.sh
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
 # Ce programme est un logiciel libre ; This software is free and open source
 # Functions :
 #	testing			: connectivity tests, free space test and mageia version test
 #	init			: Installation of RPM and scripts
 #	network			: Network parameters
+#	time			: NTPd configuration
 #	ACC			: ALCASAR Control Center installation
 #	CA			: Certification Authority initialization
 #	init_db			: Initilization of radius database managed with MariaDB
 #	radius			: FreeRadius initialisation
-#	radius_web		: copy ans modifiy original "freeradius web" in ACC
 #	chilli			: coovachilli initialisation (+authentication page)
 #	dansguardian		: DansGuardian filtering HTTP proxy configuration
 #	antivirus		: HAVP + libclamav configuration
 #	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
 #	ulogd			: log system in userland (match NFLOG target of iptables)
 ##			Function "network"			##
 ## - Définition du plan d'adressage du réseau de consultation	##
 ## - Nommage DNS du système 					##
 ## - Configuration de l'interface INTIF (réseau de consultation)##
 ## - Modification du fichier /etc/hosts				##
-## - Configuration du serveur de temps (NTP)			##
 ## - Renseignement des fichiers hosts.allow et hosts.deny	##
 ##################################################################
 network ()
+{
 	header_install
 IPV6INIT=no
 IPV6TO4INIT=no
 ACCOUNTING=no
 USERCTL=no
 EOF
-# Mise à l'heure du serveur
-	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
-	cat <<EOF > /etc/ntp/step-tickers
-.fr.pool.ntp.org	# adapt to your country
-.fr.pool.ntp.org
-.fr.pool.ntp.org
-EOF
-# Configuration du serveur de temps (sur lui même)
-	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
-	cat <<EOF > /etc/ntp.conf
-server 0.fr.pool.ntp.org	# adapt to your country
-server 1.fr.pool.ntp.org
-server 2.fr.pool.ntp.org
-server 127.127.1.0   		# local clock si NTP internet indisponible ...
-fudge 127.127.1.0 stratum 10
-restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
-restrict 127.0.0.1
-driftfile /var/lib/ntp/drift
-logfile /var/log/ntp.log
-disable monitor
-EOF
-	chown -R ntp:ntp /var/lib/ntp
 # Renseignement des fichiers hosts.allow et hosts.deny
 	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
 	cat <<EOF > /etc/hosts.allow
 ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
 sshd: ALL
 	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
 [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
 $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
 [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
-$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
+$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+#
 # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
 } # End of network ()
 ##################################################################
+##			Function "time"				##
+## - Configuring NTP server					##
+##################################################################
+time ()
+{
+# Set the Internet time server
+	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
+	cat <<EOF > /etc/ntp/step-tickers
+.fr.pool.ntp.org	# adapt to your country
+.fr.pool.ntp.org
+.fr.pool.ntp.org
+EOF
+	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
+	cat <<EOF > /etc/ntp.conf
+server 0.fr.pool.ntp.org	# adapt to your country
+server 1.fr.pool.ntp.org
+server 2.fr.pool.ntp.org
+server 127.127.1.0   		# local clock si NTP internet indisponible ...
+fudge 127.127.1.0 stratum 10
+restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
+restrict 127.0.0.1
+driftfile /var/lib/ntp/drift
+logfile /var/log/ntp.log
+disable monitor
+EOF
+	chown -R ntp:ntp /var/lib/ntp
+# Synchronize now
+	ntpd -q -g &
+} # End of time ()
+##################################################################
 ##			Function "ACC"				##
 ## - installation du centre de gestion (ALCASAR Control Center)	##
 ## - configuration du serveur web (Apache)			##
 ## - définition du 1er comptes de gestion 			##
 ## - sécurisation des accès					##
 ##################################################################
 ACC ()
+{
 	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
 	mkdir $DIR_WEB
-# Copie et configuration des fichiers du centre de gestion
+# Copy & adapt ACC files
 	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
 	echo "$VERSION" > $DIR_WEB/VERSION
 	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
 	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	chown -R apache:apache $DIR_WEB/*
+# copy & adapt "freeradius-web" files
+	cp -rf $DIR_CONF/freeradius-web/ /etc/
+	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
+	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
+	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
+	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
+	cat <<EOF > /etc/freeradius-web/naslist.conf
+nas1_name: alcasar-$ORGANISME
+nas1_model: Network Access Controler
+nas1_ip: $PRIVATE_IP
+nas1_port_num: 0
+nas1_community: public
+EOF
+	chown -R apache:apache /etc/freeradius-web/
-# create the backup structure :
+# create the log & backup structure :
 # - base = users database
 # - archive = tarball of "base + http firewall + netflow"
-# - security = watchdog disconnection)
+# - security = watchdog log
 	for i in base archive security;
 	do
 		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 	done
 	chown -R root:apache $DIR_SAVE
-# Configuration et sécurisation php
+# Configuring & securing php
 	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
 	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
 	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
 	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
 	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
 	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
-# Configuration et sécurisation Apache
+# Configuring & sécuring Apache
 	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
 	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
 	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
 	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
 	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
 	cat <<EOF > /usr/share/httpd/error/include/bottom.html
 </body>
 </html>
 EOF
 # Définition du premier compte lié au profil 'admin'
-# !! remove when > V2.9.2 (we need to create new accounts)
-# if [ "$mode" = "install" ]
+if [ "$mode" = "install" ]
-#	then
+	then
 		header_install
 		admin_portal=!
 		PTN='^[a-zA-Z0-9-]*$'
 		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
                 	do
 		until [ -s $DIR_DEST_ETC/digest/key_admin ]
 			do
 				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
 			done
 		$DIR_DEST_BIN/alcasar-profil.sh --list
-# !! remove if > V2.9.2
-# fi
+fi
-# synchronisation horaire
+# ACC partitioning
-	ntpd -q -g &
-# Sécurisation du centre
 	rm -f /etc/httpd/conf/webapps.d/alcasar*
 	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
 <Directory $DIR_ACC>
 	SSLRequireSSL
 	AllowOverride None
 	AuthName "ALCASAR Control Center (ACC)"
 	AuthDigestDomain $HOSTNAME.$DOMAIN
 	AuthUserFile $DIR_DEST_ETC/digest/key_backup
 	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
 </Directory>
+<Directory $DIR_WEB/pass>
+	SSLRequireSSL
+	AllowOverride None
+	Order deny,allow
+	Deny from all
+	Allow from 127.0.0.1
+	Allow from $PRIVATE_NETWORK_MASK
+	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
+</Directory>
 EOF
-# Launch after coova
+# Launch after coova (in order to wait tun0 to be up)
 $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
 } # End of ACC ()
 ##########################################################################################
 ##				Fonction "CA"						##
 	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
     ErrorLog logs/ssl_error_log
     ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
 </VirtualHost>
 EOF
 	chown -R root:apache /etc/pki
 	chmod -R 750 /etc/pki
 } # End of CA ()
 ##########################################################################################
 	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
 	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
 	/usr/bin/systemctl daemon-reload
 } # End radius ()
-##########################################################################
-##			Function "radius_web"				##
-## - Import, modification et paramètrage de l'interface "freeradius-WEB ##
-## - Création du lien vers la page de changement de mot de passe        ##
-##########################################################################
-radius_web ()
-{
-# copy "freeradius-web" files and conf files in the manager arae of ACC
-	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
-	cp -rf $DIR_CONF/freeradius-web/ /etc/
-	chown -R apache:apache $DIR_ACC/manager/
-# adapt the main conf file to Alcasar behaviour
-	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
-	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
-	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
-	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
-	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
-	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
-	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
-	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
-	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
-	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
-	cat <<EOF > /etc/freeradius-web/naslist.conf
-nas1_name: alcasar-$ORGANISME
-nas1_model: Portail captif
-nas1_ip: $PRIVATE_IP
-nas1_port_num: 0
-nas1_community: public
-EOF
-# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
-	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
-	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
-# Ajout du mappage des attributs chillispot
-	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
-	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
-# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
-	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
-	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
-	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
-	chown -R apache:apache /etc/freeradius-web
-# Ajout de l'alias vers la page de "changement de mot de passe usager"
-	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
-<Directory $DIR_WEB/pass>
-	SSLRequireSSL
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
-</Directory>
-EOF
-} # End of radius_web ()
 ##################################################################################
 ##			Fonction "chilli"					##
 ## - Création du fichier d'initialisation et de configuration de coova-chilli	##
 ## - Paramètrage de la page d'authentification (intercept.php)			##
 ##################################################################################
 			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
 			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
 			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
 			mode="update"
 		fi
-		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
+		for func in init network time ACC CA init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
 		do
 			$func
 # echo "*** 'debug' : end of function $func ***"; read a
 		done
 		;;

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 3077 – Rev 1832 → 1833