
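--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 1336 2014-04-28 17:07:37Z richard $ 
+#  $Id: alcasar.sh 1342 2014-05-06 10:10:39Z richard $ 
 
 # alcasar.sh
 
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
 # Ce programme est un logiciel libre ; This software is free and open source
@@ -18,11 +18,11 @@
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 #
-# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
 
 # Options :
 #       -i or --install
 #       -u or --uninstall
 
@@ -34,11 +34,10 @@
 #	CA			: Certification Authority initialization
 #	init_db			: Initilization of radius database managed with MariaDB
 #	param_radius		: FreeRadius initialisation
 #	param_web_radius	: copy ans modifiy original "freeradius web" in ACC
 #	param_chilli		: coovachilli initialisation (+authentication page)
-#	param_squid		: Squid cache proxy configuration
 #	param_dansguardian	: DansGuardian filtering HTTP proxy configuration
 #	antivirus		: HAVP + libclamav configuration
 #	param_nfsen		: Configuration du grapheur nfsen pour apache 
 #	dnsmasq			: Name server configuration
 #	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
@@ -99,15 +98,25 @@
 } # End of header_install ()
 
 
 ##################################################################
 ##			Function "testing"			##
+## - Test of free space on /var  (>10G)				##
 ## - Test of Internet access					##
 ##################################################################
 testing ()
 {
-	if [ $Lang == "fr" ]
+	free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
+	if [ $free_space -lt 10 ]
+		then
+		if [ $Lang == "fr" ]
+			then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
+			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
+		fi
+		exit 0
+	fi
+if [ $Lang == "fr" ]
 		then echo -n "Tests des paramètres réseau : "
 		else echo -n "Network parameters tests : "
 	fi
 # We test EXTIF config files
 
@@ -500,11 +509,11 @@
 	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
 	chown -R apache:apache $DIR_WEB/*
-	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
+	for i in system_backup base logs/firewall logs/httpd logs/security;
 	do
 		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 	done
 	chown -R root:apache $DIR_SAVE
 # Configuration et sécurisation php
@@ -974,49 +983,10 @@
 	      userdel -r chilli 2>/dev/null
 	fi
 	groupadd -f chilli
 	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
 }  # End of param_chilli ()
-
-##########################################################
-##			Fonction "param_squid"		##
-## - Paramètrage du proxy 'squid' en mode 'cache'	##
-## - Initialisation de la base de données  		##
-##########################################################
-param_squid ()
-{
-# paramètrage de Squid (connecté en série derrière Dansguardian)
-	[ -e /etc/squid/squid.conf.default  ] || cp /etc/squid/squid.conf /etc/squid/squid.conf.default
-# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
-	$SED "/^acl localnet/d" /etc/squid/squid.conf
-	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
-	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
-	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
-	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
-	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
-# mode 'proxy transparent local'
-	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
-# Configuration du cache local
-	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
-# désactivation des "access log"
-	echo '#Disable access log' >> /etc/squid/squid.conf
-        echo "access_log none" >> /etc/squid/squid.conf
-# anonymisation of squid version
-	echo "via off" >> /etc/squid/squid.conf
-# remove the 'X_forwarded' http option
-	echo "forwarded_for delete" >> /etc/squid/squid.conf
-# linked squid output in HAVP input
-	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
-	echo "never_direct allow all" >> /etc/squid/squid.conf
-# avoid error messages on network interfaces state changes
-	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
-# reduce squid shutdown time (100 to 50)
-	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
-
-# Squid cache init
-	/usr/sbin/squid -z
-}  # End of param_squid ()
 	
 ##################################################################
 ##		Fonction "param_dansguardian"			##
 ## - Paramètrage du gestionnaire de contenu Dansguardian	##
 ##################################################################
@@ -1029,12 +999,12 @@
 	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
 # French deny HTML page
 	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
 # Listen only on LAN side
 	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
-# DG send its flow to SQUID
-	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
+# DG send its flow to HAVP
+	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
 # replace the default deny HTML page
 	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
 	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
 # Don't log
 	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
@@ -1469,17 +1439,17 @@
 	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
 # Droits d'exécution pour utilisateur apache et sysadmin
 	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
 	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
 	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
-# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
+# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
 	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
 	chmod 644 /etc/logrotate.d/*
 # rectification sur versions précédentes de la compression des logs
 	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
 # actualisation des fichiers logs compressés
-	for dir in firewall squid dansguardian httpd
+	for dir in firewall dansguardian httpd
 	do
 	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
 	done
 # create the alcasar-load_balancing unit
 	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
@@ -1505,11 +1475,11 @@
 
 [Install]
 WantedBy=multi-user.target
 EOF
 # processes launched at boot time (SYSV)
-	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
+	for i in ntpd iptables ulogd dnsmasq chilli httpd radiusd netfs mysqld dansguardian havp freshclam
 	do
 		/sbin/chkconfig --add $i
 	done
 # processes launched at boot time (Systemctl)
 	for i in alcasar-load_balancing.service nfsen.service
@@ -1742,16 +1712,16 @@
 				$DIR_SCRIPTS/alcasar-conf.sh --create
 				mode="update"
 			fi
 		fi
 # RPMs install
-echo "STOP" ; read a
 		$DIR_SCRIPTS/alcasar-urpmi.sh
 		if [ "$?" != "0" ]
 		then
 			exit 0
 		fi
+echo "STOP" ; read a
 		if [ -e $CONF_FILE ]
 		then
 # Uninstall the running version
 			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
 		fi
@@ -1793,11 +1763,11 @@
 			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
 			mode="update"
 		else
 			mode="install"
 		fi
-		for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
+		for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
 		do
 			$func
 # echo "*** 'debug' : end of function $func ***"; read a
 		done
 		;;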
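Review bot: The new free-space guard in `testing ()` (old line 99 / new line 98 hunk) aborts with `exit 0`, so anything checking the installer's status sees success on a fatal precondition; `exit 1` is the fitting code. In the same block the `tr -d [:space:]G` argument is unquoted, so the shell globs it against the current directory before `tr` sees it, and `[ $free_space -lt 10 ]` fails with a test error rather than a clear message when `df --output=avail` yields nothing. Suggested lines: `free_space=$(df -BG --output=avail /var | tail -1 | tr -d '[:space:]G')`, `if [ "${free_space:-0}" -lt 10 ]` and `exit 1`. The re-added `echo "STOP" ; read a` at new line 1722 is an interactive pause in the install path after the RPM step; if it is debug scaffolding it should not ship, and its absence from the other hunks suggests it is. The body of `testing ()` continues past the hunk.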