WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2681 2019-01-02 14:58:43Z tom.houdayer $
+#  $Id: alcasar.sh 2688 2019-01-18 23:15:49Z lucas.echard $
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
-# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 # Options :
 #       -i or --install
 #       -u or --uninstall
 #	e2guardian		: E2Guardian filtering HTTP proxy configuration
 #	antivirus		: HAVP + libclamav configuration
 #	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
 #	ulogd			: log system in userland (match NFLOG target of iptables)
 #	nfsen			: Configuration of Nfsen Netflow grapher
-#	dnsmasq			: Name server configuration
+#	unbound			: Name server configuration
+#	dnsmasq			: Name server configuration (for whitelist ipset support)
 #	vnstat			: little network stat daemon
-#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
+#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
 #	cron			: Logs export + watchdog + connexion statistics
 #	fail2ban		: Fail2ban IDS installation and configuration
 #	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
 #	msec			: Mandriva security package configuration
 #	letsencrypt		: Let's Encrypt client
 DIR_WEB="/var/www/html"					# directory of Lighttpd
 DIR_DG="/etc/e2guardian"				# directory of E2Guardian
 DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
 DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
 DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
-DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
+DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
 CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
 PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
 # ******* DBMS parameters - paramètres SGBD ********
 DB_RADIUS="radius"						# database name used by FreeRadius server
 DB_USER="radius"						# user name allows to request the users database
 	fic=`cat /etc/product.id`
 	unknown_os=0
 	old="$IFS"
 	IFS=","
 	set $fic
-	for i in $*
+	for i in "$@"
 	do
 		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
 			then
 			DISTRIBUTION=`echo $i|cut -d"=" -f2`
 			unknown_os=`expr $unknown_os + 1`
 		fi
 		exit 1
 	fi
 	IFS="$old"
 	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
-		then
+	then
 		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
 			then
 			echo
 			if [ $Lang == "fr" ]
 				then
 		echo
 		if [ $Lang == "fr" ]
 			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
 			else echo "The OS must be replaced (Mageia6-64bits)"
 		fi
-		exit 0
+		exit 1
 	fi
 # Test if ALCASAR is already installed
 	if [ -e $CONF_FILE ]
 	then
 			rm -f /var/tmp/alcasar-conf*
 		else
 # Retrieve former NICname
 			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
 			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
-			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
+			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
-			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
+			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
 # Create the current conf file
 			$DIR_SCRIPTS/alcasar-conf.sh --create
 			mode="update"
 		fi
 	fi
 # Test free space on /var
 	if [ ! -d /var/log/netflow/porttracker ]
 		then
-		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
+		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
 		if [ $free_space -lt 10 ]
 			then
 			if [ $Lang == "fr" ]
 				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
 				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
 				read response
 				[ -z "$response" ] && response="$interfacePreferred"
 				# Check if interface exist
-				if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
+				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
 					INTIF="$response"
 					break
 				else
 					if [ "$Lang" == 'fr' ]
 						then echo "Interface \"$response\" introuvable"
 	if [ $Lang == "fr" ]
 		then echo -n "Tests des paramètres réseau : "
 		else echo -n "Network parameters tests: "
 	fi
 # Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
-	cd /etc/sysconfig/network-scripts/
+	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
 	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
 	for i in $IF_INTERFACES
 	do
-		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
+		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
 			rm -f ifcfg-$i
 			if [ $Lang == "fr" ]
 				then echo "Suppression : ifcfg-$i"
 				else echo "Deleting: ifcfg-$i"
 			fi
 		fi
 	done
-	cd $DIR_INSTALL
+	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
 	echo -n "."
 # Test Ethernet NIC links state
 	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
 	if [ ! -z "$interfacesDown" ]; then
 		for i in $interfacesDown; do
 	echo -n "."
 # Test EXTIF config files
 	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
 	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
 	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
-	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
+	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
 	then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
 		echo "ONBOOT=yes"
 		exit 1
 	fi
 	echo -n "."
 # Test if default GW is set on EXTIF (router or ISP provider equipment)
-	if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
+	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
 			echo "Réglez ce problème puis relancez ce script."
 		exit 1
 	fi
 	echo -n "."
 # Test if default GW is alive
 	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
-	if [ $(expr $arp_reply) -eq 0 ]
+	if [ "$(expr $arp_reply)" -eq 0 ]
 		then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
 				then echo -n "Entrez le nom de votre organisme : "
 				else echo -n "Enter the name of your organism : "
 			fi
 			read ORGANISME
 			if [ "$ORGANISME" == "" ]
-				then
+			then
 				ORGANISME=!
 			fi
 		done
 	fi
 # On crée aléatoirement les mots de passe et les secrets partagés
 # We create random passwords and shared secrets
 	rm -f $PASSWD_FILE
 	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
-	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
+	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
 	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
 		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
 		grep -v '[eE]nter password:' | \
 		sed -e "s/PBKDF2 hash of your password is //"`
 	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
 	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
 	chmod 0600 /boot/grub2/user.cfg
 	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
 	echo "GRUB2_user=root" >> $PASSWD_FILE
 	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
-	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
 	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
-	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
 	echo "db_user=$DB_USER" >> $PASSWD_FILE
 	echo "db_password=$radiuspwd" >> $PASSWD_FILE
-	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
 	echo "secret_uam=$secretuam" >> $PASSWD_FILE
-	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
 	echo "secret_radius=$secretradius" >> $PASSWD_FILE
 	chmod 640 $PASSWD_FILE
 #  copy scripts in in /usr/local/bin
 	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
 					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
 				fi
 				read PRIVATE_IP_MASK
 			done
 		else
-	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
+			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
 		fi
 	else
 		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
 		rm -rf conf/etc/alcasar.conf
 	fi
 	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
 	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
 	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
 	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
 	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
-		then
+	then
 		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
 		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
 	fi
 	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
 	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
 	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
 	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
 	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
-	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
-	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
-	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
-	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
 	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
 # Define Internet parameters
 	if [ "$mode" != "update" ]
 	then
 		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
 		then echo "LANIF=$LANIF" >> $CONF_FILE
 	fi
 	#########################################################################################################
 	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
 	if [ $IP_SETTING == "dhcp" ]
-		then
+	then
 		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
 		echo "GW=dhcp" >> $CONF_FILE
 	else
 		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
 		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
 $PRIVATE_IP	$HOSTNAME
 EOF
 # write EXTIF (Internet) config
 	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
 	if [ $IP_SETTING == "dhcp" ]
-		then
+	then
 		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
 DEVICE=$EXTIF
 BOOTPROTO=dhcp
 DNS1=127.0.0.1
 PEERDNS=no
 IPV6TO4INIT=no
 ACCOUNTING=no
 USERCTL=no
 MTU=$MTU
 EOF
-		else
+	else
 		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
 DEVICE=$EXTIF
 BOOTPROTO=static
 IPADDR=$PUBLIC_IP
 NETMASK=$PUBLIC_NETMASK
 	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
 	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
 # load ipt_NETFLOW module
 	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
-[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
+	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
-$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
+	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
-[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
+	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
-$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+#
 # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
 } # End of network ()
 ###################################################
 	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
 # Configuring & securing Lighttpd
 	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
 	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
 	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
-	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
-	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
 	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
 	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
 	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
 	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
 	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
 	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
-	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
+	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
-	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
-	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
+	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
-	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
 	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
 	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
 	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 	chown -R apache:apache /var/log/lighttpd
 	/usr/bin/systemctl start lighttpd
 	/usr/bin/systemctl start php-fpm
 # Creation of the first account (in 'admin' profile)
 	if [ "$mode" = "install" ]
-		then
+	then
-			header_install
+		header_install
 # Creation of keys file for the admin account ("admin")
-			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
+		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
-			mkdir -p $DIR_DEST_ETC/digest
+		mkdir -p $DIR_DEST_ETC/digest
-			chmod 755 $DIR_DEST_ETC/digest
+		chmod 755 $DIR_DEST_ETC/digest
-			until [ -s $DIR_DEST_ETC/digest/key_admin ]
+		until [ -s $DIR_DEST_ETC/digest/key_admin ]
-			do
+		do
-				$DIR_DEST_BIN/alcasar-profil.sh --add admin
+			$DIR_DEST_BIN/alcasar-profil.sh --add admin
-			done
+		done
 	fi
 	# Run after coova (in order to wait tun0 to be up)
 	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
 logfile /var/log/ntp.log
 disable monitor
 EOF
 	chown -R ntp:ntp /var/lib/ntp
 # Synchronize now
-	ntpd -q -g &
+	ntpd -4 -q -g &
 } # End of time_server ()
 #####################################################################
 ##                     Function "init_db"                          ##
 ## - Mysql initialization                                          ##
 ## - Radius database creation                                      ##
 ## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
 #####################################################################
 init_db ()
+{
-	if [ `systemctl is-active mysqld` == "active" ]
+	if [ "`systemctl is-active mysqld`" == "active" ]
 	then
 		systemctl stop mysqld
 	fi
 	rm -rf /var/lib/mysql # to be sure that there is no former installation
 	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
 	if [ ! -S /var/lib/mysql/mysql.sock ]
 	then
 		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
 		exit
 	fi
-	MYSQL="/usr/bin/mysql --execute"
 # Secure the server
-	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
+	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
 	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
-	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
+	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
-	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
+	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
 # Create 'radius' database
-	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
+	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
 # Add an empty radius database structure
-	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
+	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
 # modify the start script in order to close accounting connexion when the system is comming down or up
 	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
 	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
 	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
 	/usr/bin/systemctl unset-environment MYSQLD_OPTS
 	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
 	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
 	/usr/bin/systemctl daemon-reload
 # Allow apache to change some conf files (ie : ldap on/off)
 	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 } # End freeradius ()
 #############################################################################
 ##                           Function "chilli"                             ##
 ## - Creation of the conf file and init file (systemd) for coova-chilli    ##
 		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
 		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
+		#
 		#Code : 42 => 2a
 		#Len : 4 => 04
-	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
+	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
 	cat <<EOF > /etc/chilli.conf
 # coova config for ALCASAR
 cmdsocket	/var/run/chilli.sock
 unixipc		chilli.$INTIF.ipc
 pidfile		/var/run/chilli.pid
 	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
 # use of our conf file and init unit
 	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
 # Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
 	DirTmp=$(pwd)
-	cd /tmp/nfsen-*/
+	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
 	/usr/bin/perl install.pl etc/nfsen.conf
 	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
 # Create RRD DB for porttracker (only in it still doesn't exist)
 	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
 	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
 [Install]
 WantedBy=multi-user.target
 EOF
 # Add the listen port to collect netflow packet (nfcapd)
-	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
+	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
 # expire delay for the profile "live"
 	/usr/bin/systemctl start nfsen
 	/bin/nfsen -m live -e 62d 2>/dev/null
 # add SURFmap plugin (waiting for new technical solution)
 # see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
 #	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
 #	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
 #	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
 #	cd /tmp/
 #	/usr/bin/sh SURFmap/install.sh
 # clear the installation
 #	rm -rf /tmp/SURFmap*
 	rm -rf /tmp/nfsen-*
-	cd $DirTmp
+	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
 	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
 } # End of nfsen ()
 ###########################################################
 ##                     Function "vnstat"                 ##
 ###########################################################
 vnstat ()
+{
 	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
 	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
-    $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
+	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
 	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
 	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
 	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
 	/usr/bin/vnstat -i $EXTIF -u --force
 } # End of vnstat
 ## - creation of the file managing domain name (local & remote) ##
 ##################################################################
 dnsmasq ()
+{
 	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
-# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
-	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
+	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
-	cat << EOF > /etc/dnsmasq.conf
-# Configuration file for "dnsmasq in forward mode"
-conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-listen-address=$PRIVATE_IP
-pid-file=/var/run/dnsmasq.pid
-listen-address=127.0.0.1
-no-dhcp-interface=$INTIF
-no-dhcp-interface=tun0
-no-dhcp-interface=lo
-bind-interfaces
-cache-size=2048
-domain-needed
-expand-hosts
-bogus-priv
-filterwin2k
-server=$DNS1
-server=$DNS2
-# DHCP service is configured. It will be enabled in "bypass" mode
-#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
-#dhcp-option=option:router,$PRIVATE_IP
-#dhcp-option=option:ntp-server,$PRIVATE_IP
-# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
-#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
-EOF
-# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
-	cat << EOF > /etc/dnsmasq-blacklist.conf
-# Configuration file for "dnsmasq with blacklist"
-# Add Toulouse University blacklist domains
-conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
-pid-file=/var/run/dnsmasq-blacklist.pid
-listen-address=$PRIVATE_IP
-port=54
-no-dhcp-interface=$INTIF
-no-dhcp-interface=tun0
-no-dhcp-interface=lo
-bind-interfaces
-cache-size=2048
-domain-needed
-expand-hosts
-bogus-priv
-filterwin2k
-log-queries
-log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
-server=$DNS1
-server=$DNS2
-EOF
-# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
+	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
 	cat << EOF > /etc/dnsmasq-whitelist.conf
 # Configuration file for "dnsmasq with whitelist"
 # ADD Toulouse university whitelist domains
-conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
 pid-file=/var/run/dnsmasq-whitelist.pid
-listen-address=$PRIVATE_IP
+listen-address=127.0.0.1
 port=55
-no-dhcp-interface=$INTIF
-no-dhcp-interface=tun0
 no-dhcp-interface=lo
 bind-interfaces
 cache-size=1024
 domain-needed
 expand-hosts
 bogus-priv
 filterwin2k
-ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
+ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
-address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
-EOF
-# 4th dnsmasq listen on udp 56 ("blackhole")
-	cat << EOF > /etc/dnsmasq-blackhole.conf
-# Configuration file for "dnsmasq as a blackhole"
-conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
-pid-file=/var/run/dnsmasq-blackhole.pid
-listen-address=$PRIVATE_IP
-port=56
-no-dhcp-interface=$INTIF
-no-dhcp-interface=tun0
-no-dhcp-interface=lo
-bind-interfaces
-cache-size=256
-domain-needed
-expand-hosts
+server=$DNS1
-bogus-priv
-filterwin2k
+server=$DNS2
 EOF
-# file managing domain name resolution (local & remote)
-	cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
-# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
-# Here you can define your local domain name ('localdomain' by default)
-local=/localdomain/
-domain=localdomain
-## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
-## Add one line for each domain name managed by an other DNS server
-## server=/<your_domain>/<@IP_domain_server>
-## Exemple for an A.D. domain :  server=/Your.Domain.AD/110.120.100.100
-## Exemple for an other domain : server=/an_other_domain/10.20.30.40
+	# Create dnsmasq-whitelist unit
+	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
+	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
+} # End dnsmasq
+##################################################
+##              Function "unbound"              ##
+##################################################
+unbound ()
+{
+	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
+	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
+	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
+	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
+	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
+	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
+	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
+	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
+	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
+	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
+	# Local static DNS configuration
+	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
+	# Forward zone configuration file for all unbound dns servers
+	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
+forward-zone:
+	name: "."
+	forward-addr: $DNS1
+	forward-addr: $DNS2
+EOF
+	# Custom configuration file for manual DNS configuration
+	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
+## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
+## Add one block for each domain name managed by an other DNS server
+##
+## Example:
+##
+## server:
+##     local-zone: "<your_domain>." transparent
+## forward-zone:
+##     name: "<your_domain>."
+##     forward-addr: <@IP_domain_server>
+##
 ## INFO : local hostnames are resolved in /etc/hosts file
 EOF
+	# Configuration file of ALCASAR main domains for $INTIF
+	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
+server:
+	local-zone: "$HOSTNAME.$DOMAIN" static
+	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
+	local-zone: "$HOSTNAME" static
+	local-data: "$HOSTNAME A $PRIVATE_IP"
+	local-zone: "$DOMAIN." static
+	local-data: "$DOMAIN. A"
+EOF
+	# Configuration file for lo of forward unbound
+	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
+server:
+	interface: 127.0.0.1@53
+	access-control-view: 127.0.0.1/8 lo
+view:
+	name: "lo"
+	local-zone: "$HOSTNAME.$DOMAIN" static
+	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
+	local-zone: "$HOSTNAME" static
+	local-data: "$HOSTNAME A 127.0.0.1"
+	local-zone: "$DOMAIN." static
+	local-data: "$DOMAIN. A"
+	view-first: yes
+EOF
+	# Configuration file for $INTIF of forward unbound
+	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
+server:
+	interface: ${PRIVATE_IP}@53
+	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
+view:
+	name: "$INTIF"
+	local-zone: "$HOSTNAME.$DOMAIN" static
+	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
+	local-zone: "$HOSTNAME" static
+	local-data: "$HOSTNAME A $PRIVATE_IP"
+	view-first: yes
+EOF
+	# Configuration file for forward unbound
+	cat << EOF > /etc/unbound/unbound.conf
+server:
+	verbosity: 1
+	hide-version: yes
+	hide-identity: yes
+	do-ip6: no
+	include: /etc/unbound/conf.d/common/forward-zone.conf
+	include: /etc/unbound/conf.d/common/local-forward/*
+	include: /etc/unbound/conf.d/common/local-dns/*
+	include: /etc/unbound/conf.d/forward/*
+EOF
+	# Configuration file for $INTIF of blacklist unbound
+	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
+server:
+	interface: ${PRIVATE_IP}@54
+	access-control: $PRIVATE_IP_MASK allow
+	access-control-tag: $PRIVATE_IP_MASK "blacklist"
+	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
+	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
+EOF
+	# Configuration file for blacklist unbound
+	cat << EOF > /etc/unbound/unbound-blacklist.conf
+server:
+	verbosity: 1
+	hide-version: yes
+	hide-identity: yes
+	do-ip6: no
+	logfile: "/var/log/unbound/unbound-blacklist.log"
+	chroot: ""
+	define-tag: "blacklist"
+	log-local-actions: yes
+	include: /etc/unbound/conf.d/common/forward-zone.conf
+	include: /etc/unbound/conf.d/common/local-forward/*
+	include: /etc/unbound/conf.d/common/local-dns/*
+	include: /etc/unbound/conf.d/blacklist/*
+	include: /usr/local/share/unbound-bl-enabled/*
+EOF
+	# Configuration file for $INTIF of whitelist unbound
+	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
+server:
+	interface: ${PRIVATE_IP}@55
+	access-control: $PRIVATE_IP_MASK allow
+	access-control-tag: $PRIVATE_IP_MASK "whitelist"
+	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
-# the main instance should start after network and chilli (which create tun0)
+	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
+EOF
+	# Configuration file for whitelist unbound
+	cat << EOF > /etc/unbound/unbound-whitelist.conf
+server:
+	verbosity: 1
+	hide-version: yes
+	hide-identity: yes
+	do-ip6: no
+	do-not-query-localhost: no
+	define-tag: "whitelist"
+	local-zone: "." transparent
+	local-zone-tag: "." "whitelist"
+	include: /usr/local/share/unbound-wl-enabled/*
+	include: /etc/unbound/conf.d/whitelist/*
+	include: /etc/unbound/conf.d/common/local-dns/*
+	include: /etc/unbound/conf.d/common/local-forward/*
+forward-zone:
+	name: "."
+	forward-addr: 127.0.0.1@55
+EOF
+	# Configuration file for $INTIF of blackhole unbound
+	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
+server:
+	interface: ${PRIVATE_IP}@56
+	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
+view:
+	name: "$INTIF"
+	local-zone: "." redirect
+	local-data: ". A $PRIVATE_IP"
+EOF
+	# Configuration file for blackhole unbound
+	cat << EOF > /etc/unbound/unbound-blackhole.conf
+server:
+	verbosity: 1
+	hide-version: yes
+	hide-identity: yes
+	do-ip6: no
+	include: /etc/unbound/conf.d/blackhole/*
+	include: /etc/unbound/conf.d/common/local-dns/*
+	include: /etc/unbound/conf.d/common/local-forward/*
+EOF
+	if [ ! -e /lib/systemd/system/unbound.service.default ]
+	then
-	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
+		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
+	fi
-	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
-# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
-	for list in blacklist whitelist blackhole
+	for list in blacklist blackhole whitelist
 	do
-		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
+		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
-		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
+		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
-		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
+		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
 	done
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
-} # End dnsmasq
+} # End unbound
 ##########################################################
 ##                      Function "BL"                   ##
 ## - copy Toulouse BL                                   ##
 ## - adapt this BL to ALCASAR architecture              ##
-##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
+##     - domain names for unbound-bl & unbound-wl       ##
 ##     - URLs for E²guardian                            ##
 ##     - IPs for NetFilter                              ##
 ##########################################################
 BL ()
+{
 	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
 	usermod -a -G dialout gammu_smsd
 # Create 'gammu' database
 	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
-	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
+	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
 # Add a gammu database structure
-	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
+	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
 # Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
 	cat << EOF > /etc/gammurc
 [gammu]
 device = /dev/ttyUSB0
 	# Extract acme.sh
 	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
 	pwdInstall=$(pwd)
-	cd /tmp/acme.sh-*
+	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
 	acmesh_installDir="/opt/acme.sh"
 	acmesh_confDir="/usr/local/etc/letsencrypt"
 	acmesh_userAgent="ALCASAR"
 dateIssued=
 dnsapi=
 dateNextRenewal=
 EOF
-	cd $pwdInstall
+	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
 	rm -rf /tmp/acme.sh-*
 } # END letsencrypt()
 ##################################################################
 	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
 	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
 	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 # postfix banner anonymisation
-	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
+	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
 	chown -R postfix:postfix /var/lib/postfix
 # sshd liste on EXTIF & INTIF
 	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
 # sshd authorized certificate for root login
 	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
 	echo "MULTIWAN=off" >> $CONF_FILE
 	echo "FAILOVER=30" >> $CONF_FILE
 	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
 	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
 	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
+	echo "BL_PUREIP=on" >> $CONF_FILE
+	echo "BL_SAFESEARCH=off" >> $CONF_FILE
+	echo "WL_SAFESEARCH=off" >> $CONF_FILE
 # Prompt customisation (colors)
 	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
 	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
 	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
 # sudoers configuration for "apache" & "sysadmin"
 # Log compression
 	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
 # actualisation des fichiers logs compressés
 	for dir in firewall e2guardian lighttpd
 	do
-		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
+		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
 	done
 # create the alcasar-load_balancing unit
 	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
 #  This file is part of systemd.
+#
 [Install]
 WantedBy=multi-user.target
 EOF
 	/usr/bin/systemctl daemon-reload
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
+	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 # disable processes at boot time (Systemctl)
-	for i in ulogd gpm
+	for i in ulogd gpm dhcpd
 	do
 		/usr/bin/systemctl -q disable $i.service
 	done
 # Apply French Security Agency (ANSSI) rules
 		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
 	fi
 	if [ $Lang == "fr" ]
 	then
 		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
-		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
+		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
 	else
 		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
-		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
+		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
 	fi
 	/usr/bin/update-grub2
 # Load and apply the previous conf file
 	if [ "$mode" = "update" ]
 	then
 	fi
 	rm -f /var/tmp/alcasar-conf*
 	chown -R root:apache $DIR_DEST_ETC/*
 	chmod -R 660 $DIR_DEST_ETC/*
 	chmod ug+x $DIR_DEST_ETC/digest
-	cd $DIR_INSTALL
+	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
 	echo ""
 	echo "#############################################################################"
 	if [ $Lang == "fr" ]
 		then
 		echo "#                        Fin d'installation d'ALCASAR                       #"
 		echo
 		echo "- ALCASAR sera fonctionnel après redémarrage du système"
 		echo
 		echo "- Lisez attentivement la documentation d'exploitation"
 		echo
-		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
+		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
 		echo
 		echo "                   Appuyez sur 'Entrée' pour continuer"
 	else
 		echo "#                        End of ALCASAR install process                     #"
 		echo "#                                                                           #"
 		echo
 		echo "- The system will be rebooted in order to operate ALCASAR"
 		echo
 		echo "- Read the exploitation documentation"
 		echo
-		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
+		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
 		echo
 		echo "                   Hit 'Enter' to continue"
 	fi
 	sleep 2
 	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
 	then
-		read a
+		read
 	fi
 	clear
 	reboot
 } # End post_install ()
 then
 	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
 	echo "Launch this program from the ALCASAR archive directory"
 	exit 0
 fi
-if [[ $EUID > 0 ]]
+if [ $EUID -gt 0 ]
 then
-	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
+	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
-	echo "You must be "root" to install ALCASAR ('su' command)"
+	echo "You must be \"root\" to install ALCASAR ('su' command)"
 	exit 0
 fi
 VERSION=`cat $DIR_INSTALL/VERSION`
 usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
 nb_args=$#
 			fi
 		fi
 	if [ $DEBUG_ALCASAR == "on" ]
 	then
 		echo "*** 'debug' : end of cleaning ***"
-		read a
+		read
 	fi
 # Test if manual update
 		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
 		then
 			header_install
 			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
 			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
 			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
 			mode="update"
 		fi
-		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
-				then
+			then
 				echo "*** 'debug' : end of install '$func' ***"
-				read a
+				read
 			fi
 		done
 		;;
 	-u | --uninstall)
 		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
 		echo "$usage"
 		exit 1
 		;;
 esac
 # end of script

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2681 → 2688