#!/bin/bash
# $Id: alcasar-conf.sh 2864 2020-10-18 09:06:17Z rexy $

# alcasar-conf.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)

# Ce script permet la mise à jour d'un ALCASAR
# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)
# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions
# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.
# This script allows ALCASAR update
# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)
# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions
# - (alcasar-conf.sh -apply) : apply the ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be used after changes of conf file values.
# --- Paths -------------------------------------------------------------------
DIR_UPDATE="/var/tmp/conf"              # staging directory of the conf files during an update
DIR_WEB="/var/www/html"                 # management centre (ACC) document root
DIR_BIN="/usr/local/bin"                # scripts directory
DIR_ETC="/usr/local/etc"                # conf directory
DIR_E2G="/etc/e2guardian/lists"         # e2guardian lists directory
DIR_BLACKLIST="$DIR_E2G/blacklists"     # Toulouse BL directory
CONF_FILE="$DIR_ETC/alcasar.conf"       # main alcasar conf file
SED="/bin/sed -i"                       # in-place sed, expanded unquoted (two words) at each use

# --- Values read once from the main conf file ($CONF_FILE) -------------------
# Each one is the text after the first "=" of the "KEY=" line; empty when the key is absent.
EXTIF=$(grep '^EXTIF=' "$CONF_FILE" | cut -d= -f2)                 # EXTernal InterFace
INTIF=$(grep '^INTIF=' "$CONF_FILE" | cut -d= -f2)                 # INTernal InterFace
MTU=$(grep '^PUBLIC_MTU=' "$CONF_FILE" | cut -d= -f2)              # MTU of EXTIF
DHCP_mode=$(grep '^DHCP=' "$CONF_FILE" | cut -d= -f2)              # DHCP on/off
INT_DNS_mode=$(grep '^INT_DNS_ACTIVE=' "$CONF_FILE" | cut -d= -f2) # local DNS on/off
LDAP_mode=$(grep '^LDAP=' "$CONF_FILE" | cut -d= -f2)              # LDAP authentication on/off
HOSTNAME=$(grep '^HOSTNAME=' "$CONF_FILE" | cut -d= -f2)
DOMAIN=$(grep '^DOMAIN=' "$CONF_FILE" | cut -d= -f2)
DNS1=$(grep '^DNS1=' "$CONF_FILE" | cut -d= -f2)                   # server DNS1 (for WL domain names)
DOMAIN=${DOMAIN:-localdomain}                                      # fallback when DOMAIN is empty or absent

#######################################
# Derive the consultation network values from PRIVATE_IP / PRIVATE_NETMASK.
# Globals (read):    PRIVATE_IP, PRIVATE_NETMASK, INTIF
# Globals (written): PRIVATE_PREFIX, PRIVATE_NETWORK, PRIVATE_NETWORK_MASK,
#                    classe, classe_sup, PRIVATE_NETWORK_SHORT, PRIVATE_BROADCAST,
#                    private_broadcast_ending, private_ip_ending,
#                    PRIVATE_SECOND_IP, PRIVATE_LAST_IP, PRIVATE_MAC
# Requires /bin/ipcalc and /sbin/ip.
#######################################
private_network_calc ()
{
	PRIVATE_PREFIX=$(/bin/ipcalc -p "$PRIVATE_IP" "$PRIVATE_NETMASK" | cut -d= -f2)    # prefix length (ex. 24)
	PRIVATE_NETWORK=$(/bin/ipcalc -n "$PRIVATE_IP" "$PRIVATE_NETMASK" | cut -d= -f2)   # network address (ex. 192.168.182.0)
	PRIVATE_NETWORK_MASK="$PRIVATE_NETWORK/$PRIVATE_PREFIX"                             # CIDR form (ex. 192.168.182.0/24)
	classe=$((PRIVATE_PREFIX / 8))          # number of fixed octets (ex. 2 = class B, 3 = class C)
	classe_sup=$((classe + 1))              # 1-based index of the first host octet
	PRIVATE_NETWORK_SHORT="$(echo "$PRIVATE_NETWORK" | cut -d. -f1-"$classe")."         # hosts.allow / hosts.deny prefix (ex. 192.168.182.)
	PRIVATE_BROADCAST=$(/bin/ipcalc -b "$PRIVATE_NETWORK_MASK" | cut -d= -f2)           # broadcast address (ex. 192.168.182.255)
	private_broadcast_ending=$(echo "$PRIVATE_BROADCAST" | cut -d. -f"$classe_sup")     # first host octet of the broadcast
	private_ip_ending=${PRIVATE_IP##*.}     # last octet of the ALCASAR address
	PRIVATE_SECOND_IP="${PRIVATE_IP%.*}.$((private_ip_ending + 1))"                     # second address of the network (ex. 192.168.182.2)
	PRIVATE_LAST_IP="${PRIVATE_BROADCAST%.*}.$((private_broadcast_ending - 1))"         # last address of the network (ex. 192.168.182.254)
	# MAC address of INTIF, dash-separated and upper-case
	PRIVATE_MAC=$(/sbin/ip link show "$INTIF" | grep ether | cut -d' ' -f6 | sed 's/:/-/g' | tr '[:lower:]' '[:upper:]')
}
8 | franck | 50 | |
usage="Usage: alcasar-conf.sh {--create or -create} | {--load or -load} | {--apply or -apply}"
nb_args=$#
# No argument at all is treated as a help request (an explicit empty argument is kept as is).
args=${1--h}
[ "$nb_args" -gt 0 ] || nb_args=1

59 | case $args in |
||
60 | -\? | -h* | --h*) |
||
61 | echo "$usage" |
||
62 | exit 0 |
||
63 | ;; |
||
2688 | lucas.echa | 64 | --create|-create) |
8 | franck | 65 | [ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
66 | mkdir $DIR_UPDATE |
||
1916 | franck | 67 | # backup the users database (test to delete in future version) |
2664 | tom.houday | 68 | $DIR_BIN/alcasar-mysql.sh --dump |
2688 | lucas.echa | 69 | cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE |
2824 | rexy | 70 | # backup organism logo |
8 | franck | 71 | cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
1912 | richard | 72 | # backup BL/WL custom files |
1914 | richard | 73 | mkdir $DIR_UPDATE/custom_bl |
2541 | rexy | 74 | for i in exceptioniplist urlregexplist exceptionsitelist bannedsitelist exceptionurllist bannedurllist |
75 | do |
||
2570 | rexy | 76 | if [ -d /etc/dansguardian ]; then |
77 | cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3 |
||
2661 | lucas.echa | 78 | cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
2541 | rexy | 79 | else |
2688 | lucas.echa | 80 | cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
2661 | lucas.echa | 81 | cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
2541 | rexy | 82 | fi |
83 | done |
||
2824 | rexy | 84 | # backup conf files (main conf file, filtering, digest, etc.) |
8 | franck | 85 | mkdir $DIR_UPDATE/etc/ |
346 | richard | 86 | cp -rf $DIR_ETC/* $DIR_UPDATE/etc/ |
2825 | rexy | 87 | cp -f /etc/hosts $DIR_UPDATE/etc/ |
1758 | richard | 88 | # backup of the security certificates (server & CA) |
2561 | rexy | 89 | cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE |
90 | cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE |
||
2570 | rexy | 91 | [ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3 |
1564 | richard | 92 | cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE |
93 | cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE |
||
2813 | rexy | 94 | if [ -e /etc/pki/tls/certs/server-chain.pem ]; then |
95 | cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist |
||
510 | richard | 96 | else |
2813 | rexy | 97 | cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem |
510 | richard | 98 | fi |
1758 | richard | 99 | # archive file creation |
2688 | lucas.echa | 100 | cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
8 | franck | 101 | tar -cf alcasar-conf.tar conf/ |
102 | gzip -f alcasar-conf.tar |
||
2835 | rexy | 103 | cp alcasar-conf.tar.gz /var/www/html/acc/backup/alcasar-conf.tar.gz |
104 | chown apache:apache /var/www/html/acc/backup/alcasar-conf.tar.gz |
||
8 | franck | 105 | rm -rf $DIR_UPDATE |
106 | ;; |
||
2560 | rexy | 107 | |
389 | franck | 108 | --load|-load) |
2688 | lucas.echa | 109 | cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
2834 | rexy | 110 | tar -xf alcasar-conf.tar.gz |
2824 | rexy | 111 | # copy alcasar.conf parameters |
2561 | rexy | 112 | PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2` |
113 | MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1` |
||
114 | MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2` |
||
115 | UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1` |
||
2826 | rexy | 116 | for line in `cat $DIR_UPDATE/etc/alcasar.conf | grep "=" | grep -Ev "^#| |VERSION|INSTALL_DATE|PUBLIC|GW|DNS|SMS|EXTIF|INTIF"` |
2824 | rexy | 117 | do |
118 | key=`echo $line | cut -d"=" -f1` |
||
119 | key=$key= |
||
120 | value=`echo $line|cut -d"=" -f2-` |
||
121 | if [ "$value" != "" ] |
||
122 | then |
||
123 | sed -i "s?^$key.*?$key$value?g" /usr/local/etc/alcasar.conf |
||
124 | fi |
||
125 | done |
||
126 | ## lighttpd need a .pem certificate (aggregation with private key & server crt) |
||
2665 | tom.houday | 127 | [ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem |
2824 | rexy | 128 | # Retrieve organism logo |
510 | richard | 129 | [ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/ |
8 | franck | 130 | chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php |
1060 | richard | 131 | # Retrieve the security certificates (CA and server) |
2571 | rexy | 132 | cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/ |
133 | cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
||
1758 | richard | 134 | cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
135 | cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
||
2688 | lucas.echa | 136 | cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
2813 | rexy | 137 | [ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist |
2825 | rexy | 138 | chmod 755 /etc/pki/ |
2811 | rexy | 139 | chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA |
2825 | rexy | 140 | chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt |
2811 | rexy | 141 | chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private |
142 | chmod 600 /etc/pki/CA/private/* |
||
143 | chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private |
||
144 | chmod 640 /etc/pki/tls/private/* |
||
2825 | rexy | 145 | chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
1060 | richard | 146 | # Import of the users database |
2688 | lucas.echa | 147 | $DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)" |
1914 | richard | 148 | # Retrieve local parameters |
2825 | rexy | 149 | [ -d $DIR_UPDATE/etc/digest ] && cp -rf $DIR_UPDATE/etc/digest $DIR_ETC/ # ACC accounts |
150 | [ -e $DIR_UPDATE/etc/alcasar-iptables-local.sh ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local.sh $DIR_ETC/ # local FW rules |
||
151 | [ -e $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered $DIR_ETC/ # blocked MAC addresses |
||
152 | [ -e $DIR_UPDATE/etc/alcasar-uamdomain ] && cp -f $DIR_UPDATE/etc/alcasar-uamdomain $DIR_ETC/ # exception domain names |
||
153 | [ -e $DIR_UPDATE/etc/alcasar-uamallowed ] && cp -f $DIR_UPDATE/etc/alcasar-uamallowed $DIR_ETC/ # exception IP_addresses or network_IP_addresses |
||
154 | [ -e $DIR_UPDATE/etc/alcasar-ethers ] && cp -f $DIR_UPDATE/etc/alcasar-ethers $DIR_ETC/ # DHCP static hosts |
||
155 | [ -e $DIR_UPDATE/etc/alcasar-ethers-info ] && cp -f $DIR_UPDATE/etc/alcasar-ethers-info $DIR_ETC/ # DHCP static hosts information |
||
2833 | rexy | 156 | [ -e $DIR_UPDATE/etc/hosts ] && cp -f $DIR_UPDATE/etc/hosts /etc/ # local host name resolution |
1914 | richard | 157 | # Retrieve BL/WL custom files |
2688 | lucas.echa | 158 | cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/ |
159 | cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/ |
||
160 | cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/ |
||
161 | cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/ |
||
162 | cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/ |
||
163 | cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/ |
||
1961 | richard | 164 | cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null |
2688 | lucas.echa | 165 | chown -R e2guardian:apache $DIR_E2G |
166 | chmod -R g+rw $DIR_E2G |
||
1060 | richard | 167 | # Adapt DNS/URL filtering |
168 | PARENT_SCRIPT=`basename $0` |
||
637 | richard | 169 | export PARENT_SCRIPT |
1946 | richard | 170 | $DIR_BIN/alcasar-bl.sh -cat_choice |
1827 | raphael.pi | 171 | $DIR_BIN/alcasar-bl.sh -reload |
1060 | richard | 172 | # admin profile update (admin + manager + backup) |
1827 | raphael.pi | 173 | $DIR_BIN/alcasar-profil.sh --list |
634 | richard | 174 | # Start / Stop SSH Daemon |
2327 | richard | 175 | ssh_active=`grep "^SSH=" $CONF_FILE|cut -d"=" -f2` |
634 | richard | 176 | if [ $ssh_active = "on" ] |
177 | then |
||
1574 | richard | 178 | /usr/bin/systemctl -q enable sshd.service |
634 | richard | 179 | else |
1574 | richard | 180 | /usr/bin/systemctl -q disable sshd.service |
634 | richard | 181 | fi |
1060 | richard | 182 | # Remove the update folder |
8 | franck | 183 | rm -rf $DIR_UPDATE |
184 | ;; |
||
2560 | rexy | 185 | |
628 | richard | 186 | --apply|-apply) |
994 | franck | 187 | PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
2474 | tom.houday | 188 | PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
2688 | lucas.echa | 189 | if ! echo $PRIVATE_IP_MASK | egrep -q $PTN |
190 | then |
||
628 | richard | 191 | echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)" |
192 | exit 0 |
||
193 | fi |
||
2474 | tom.houday | 194 | PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` |
1590 | richard | 195 | PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" |
1585 | richard | 196 | if [[ "$PUBLIC_IP_MASK" == "dhcp" ]] |
197 | then |
||
198 | PUBLIC_GATEWAY="dhcp" |
||
199 | else |
||
2688 | lucas.echa | 200 | if ! echo $PUBLIC_IP_MASK | egrep -q $PTN |
201 | then |
||
1585 | richard | 202 | echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)" |
203 | exit 0 |
||
204 | fi |
||
1590 | richard | 205 | PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` |
206 | PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
||
2474 | tom.houday | 207 | PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2` |
2688 | lucas.echa | 208 | if ! echo $PUBLIC_GATEWAY | egrep -q $PTN |
209 | then |
||
1585 | richard | 210 | echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)" |
211 | exit 0 |
||
212 | fi |
||
628 | richard | 213 | fi |
2474 | tom.houday | 214 | DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2` |
2688 | lucas.echa | 215 | if ! echo $DNS1 | egrep -q $PTN |
216 | then |
||
1590 | richard | 217 | echo "Syntax error for the IP address of the first DNS server ($DNS1)" |
218 | exit 0 |
||
219 | fi |
||
2474 | tom.houday | 220 | DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2` |
2688 | lucas.echa | 221 | if ! echo $DNS2 | egrep -q $PTN |
222 | then |
||
1590 | richard | 223 | echo "Syntax error for the IP address of the second DNS server ($DNS2)" |
224 | exit 0 |
||
225 | fi |
||
631 | richard | 226 | PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` |
632 | richard | 227 | PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` |
628 | richard | 228 | private_network_calc |
2474 | tom.houday | 229 | INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2` |
230 | ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-` |
||
2688 | lucas.echa | 231 | BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
232 | WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
||
233 | BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2` |
||
2474 | tom.houday | 234 | DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
1060 | richard | 235 | if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
933 | franck | 236 | then |
2688 | lucas.echa | 237 | if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ] |
1060 | richard | 238 | then |
1827 | raphael.pi | 239 | $DIR_BIN/alcasar-dhcp.sh --off |
1890 | franck | 240 | else |
2569 | lucas.echa | 241 | $DIR_BIN/alcasar-dhcp.sh --on |
1060 | richard | 242 | fi |
2568 | rexy | 243 | # Set the local DNS (or not) |
2688 | lucas.echa | 244 | if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ] |
1890 | franck | 245 | then |
246 | $DIR_BIN/alcasar-dns-local.sh --on |
||
247 | else |
||
248 | $DIR_BIN/alcasar-dns-local.sh --off |
||
249 | fi |
||
2688 | lucas.echa | 250 | # Set the pure ip option (or not) |
251 | if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ] |
||
252 | then |
||
253 | bl_filter_param+="--pureip_off" |
||
254 | else |
||
255 | bl_filter_param+="--pureip_on" |
||
256 | fi |
||
257 | # Set the safesearch options (or not) |
||
258 | bl_filter_param="" |
||
259 | if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ] |
||
260 | then |
||
261 | bl_filter_param+="--safesearch_on " |
||
262 | else |
||
263 | bl_filter_param+="--safesearch_off " |
||
264 | fi |
||
265 | $DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param |
||
266 | if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ] |
||
267 | then |
||
268 | $DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on |
||
269 | else |
||
270 | $DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off |
||
271 | fi |
||
272 | # Reload the local dns configuration |
||
273 | $DIR_BIN/alcasar-dns-local.sh --reload |
||
1585 | richard | 274 | # Logout everybody |
2688 | lucas.echa | 275 | $DIR_BIN/alcasar-logout.sh all |
1585 | richard | 276 | # Services stop |
1521 | richard | 277 | echo -n "Stop services : " |
2840 | rexy | 278 | for i in ntpd e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
1060 | richard | 279 | do |
1574 | richard | 280 | /usr/bin/systemctl stop $i && echo -n "$i, " |
1060 | richard | 281 | done |
1521 | richard | 282 | echo |
1060 | richard | 283 | fi |
1518 | richard | 284 | # EXTIF config |
1585 | richard | 285 | if [ $PUBLIC_IP_MASK == "dhcp" ] |
286 | then |
||
287 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
||
288 | DEVICE=$EXTIF |
||
289 | BOOTPROTO=dhcp |
||
2864 | rexy | 290 | DNS1=$DNS1 |
1585 | richard | 291 | PEERDNS=no |
292 | RESOLV_MODS=yes |
||
293 | ONBOOT=yes |
||
294 | METRIC=10 |
||
295 | MII_NOT_SUPPORTED=yes |
||
296 | IPV6INIT=no |
||
297 | IPV6TO4INIT=no |
||
298 | ACCOUNTING=no |
||
299 | USERCTL=no |
||
300 | MTU=$MTU |
||
1850 | franck | 301 | NOZEROCONF=yes |
1585 | richard | 302 | EOF |
2688 | lucas.echa | 303 | else |
1585 | richard | 304 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
305 | DEVICE=$EXTIF |
||
306 | BOOTPROTO=static |
||
307 | IPADDR=$PUBLIC_IP |
||
308 | NETMASK=$PUBLIC_NETMASK |
||
309 | GATEWAY=$PUBLIC_GATEWAY |
||
2864 | rexy | 310 | DNS1=$DNS1 |
1585 | richard | 311 | RESOLV_MODS=yes |
312 | ONBOOT=yes |
||
313 | METRIC=10 |
||
314 | MII_NOT_SUPPORTED=yes |
||
315 | IPV6INIT=no |
||
316 | IPV6TO4INIT=no |
||
317 | ACCOUNTING=no |
||
318 | USERCTL=no |
||
319 | MTU=$MTU |
||
1850 | franck | 320 | NOZEROCONF=yes |
1585 | richard | 321 | EOF |
322 | fi |
||
1518 | richard | 323 | # INTIF config (for bypass mode only) |
1554 | richard | 324 | $SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
325 | $SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
||
628 | richard | 326 | # NTP server |
632 | richard | 327 | $SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf |
2688 | lucas.echa | 328 | # host.allow |
628 | richard | 329 | cat <<EOF > /etc/hosts.allow |
330 | ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
||
331 | sshd: ALL |
||
332 | ntpd: $PRIVATE_NETWORK_SHORT |
||
333 | EOF |
||
2309 | tom.houday | 334 | # Set hostname |
335 | hostnamectl set-hostname $HOSTNAME.$DOMAIN |
||
2838 | rexy | 336 | # /etc/hosts (retriving local hostnames) |
337 | cp /etc/hosts /tmp/hosts |
||
338 | echo "127.0.0.1 localhost" > /etc/hosts |
||
339 | echo "$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN" >> /etc/hosts |
||
340 | while read -r line |
||
341 | do |
||
342 | if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)" |
||
343 | then |
||
344 | echo $line >> /etc/hosts |
||
345 | fi |
||
346 | done < /tmp/hosts |
||
2861 | rexy | 347 | rm -f /tmp/hosts |
2603 | tom.houday | 348 | # MOTD |
349 | $SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release |
||
2568 | rexy | 350 | # Lighttpd |
2688 | lucas.echa | 351 | $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
352 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
||
353 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
||
2744 | rexy | 354 | # FreeRADIUS |
634 | richard | 355 | $SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf |
356 | $SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf |
||
2707 | tom.houday | 357 | # CoovaChilli |
2568 | rexy | 358 | $SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
359 | $SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
||
2707 | tom.houday | 360 | $SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf |
2688 | lucas.echa | 361 | [ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
2568 | rexy | 362 | $SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
363 | $SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
||
634 | richard | 364 | $SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf |
365 | $SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf |
||
366 | $SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf |
||
367 | $SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf |
||
1581 | richard | 368 | # modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries |
2274 | richard | 369 | $SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info |
2688 | lucas.echa | 370 | # dnsmasq-whitelist |
371 | $SED "/^server=/d" /etc/dnsmasq-whitelist.conf |
||
372 | echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf |
||
373 | echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf |
||
374 | # unbound |
||
375 | # removing unbound configuration files |
||
376 | rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.* |
||
377 | rm -f /etc/unbound/conf.d/common/forward-zone.conf |
||
378 | # Configuration file for the dns servers forward-zone |
||
379 | cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
||
380 | forward-zone: |
||
381 | name: "." |
||
382 | forward-addr: $DNS1 |
||
383 | forward-addr: $DNS2 |
||
384 | EOF |
||
2813 | rexy | 385 | # Configuration file for lo of forward |
2688 | lucas.echa | 386 | cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
387 | server: |
||
388 | interface: 127.0.0.1@53 |
||
389 | access-control-view: 127.0.0.1/8 lo |
||
390 | view: |
||
391 | name: "lo" |
||
2864 | rexy | 392 | local-data: "$HOSTNAME A 127.0.0.1" |
2831 | rexy | 393 | local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
2864 | rexy | 394 | local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN" |
2688 | lucas.echa | 395 | view-first: yes |
396 | EOF |
||
2813 | rexy | 397 | # Configuration file for $INTIF of forward |
2688 | lucas.echa | 398 | cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
399 | server: |
||
400 | interface: ${PRIVATE_IP}@53 |
||
401 | access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
||
402 | view: |
||
403 | name: "$INTIF" |
||
404 | view-first: yes |
||
405 | EOF |
||
2813 | rexy | 406 | # Configuration file for $INTIF of blacklist |
2688 | lucas.echa | 407 | cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
408 | server: |
||
409 | interface: ${PRIVATE_IP}@54 |
||
410 | access-control: $PRIVATE_IP_MASK allow |
||
411 | access-control-tag: $PRIVATE_IP_MASK "blacklist" |
||
412 | access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
||
413 | access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
||
414 | EOF |
||
2813 | rexy | 415 | # Configuration file for $INTIF of whitelist |
2688 | lucas.echa | 416 | cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
417 | server: |
||
418 | interface: ${PRIVATE_IP}@55 |
||
419 | access-control: $PRIVATE_IP_MASK allow |
||
420 | access-control-tag: $PRIVATE_IP_MASK "whitelist" |
||
421 | access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
||
422 | access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
||
423 | EOF |
||
424 | # dhcpd |
||
425 | cat <<EOF > /etc/dhcpd.conf |
||
426 | ddns-update-style none; |
||
427 | subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
||
428 | option routers $PRIVATE_IP; |
||
429 | option subnet-mask $PRIVATE_NETMASK; |
||
430 | option domain-name-servers $PRIVATE_IP; |
||
431 | range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
||
432 | default-lease-time 21600; |
||
433 | max-lease-time 43200; |
||
434 | } |
||
435 | EOF |
||
2838 | rexy | 436 | $DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole) |
634 | richard | 437 | # DG + BL |
2521 | armand.ito | 438 | $SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
634 | richard | 439 | # Watchdog |
440 | $SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_BIN/alcasar-watchdog.sh |
||
441 | # Prompts |
||
442 | $SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc |
||
443 | # sudoers |
||
444 | $SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers |
||
1060 | richard | 445 | if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
446 | then |
||
634 | richard | 447 | # Services start |
1574 | richard | 448 | /usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
2309 | tom.houday | 449 | $DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
2840 | rexy | 450 | for i in unbound unbound-blackhole ntpd |
2309 | tom.houday | 451 | do |
452 | sleep 1 |
||
453 | /usr/bin/systemctl start $i && echo -n ", $i" |
||
454 | done |
||
2688 | lucas.echa | 455 | $DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables" |
2488 | lucas.echa | 456 | /usr/bin/systemctl restart lighttpd && echo -n ", lighttpd" |
1060 | richard | 457 | fi |
628 | richard | 458 | # Start / Stop SSH Daemon |
2474 | tom.houday | 459 | ssh_active=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` |
634 | richard | 460 | if [ $ssh_active = "on" ] |
461 | then |
||
1574 | richard | 462 | /usr/bin/systemctl enable sshd.service |
1060 | richard | 463 | if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
464 | then |
||
1574 | richard | 465 | /usr/bin/systemctl start sshd.service |
1060 | richard | 466 | fi |
634 | richard | 467 | else |
1574 | richard | 468 | /usr/bin/systemctl disable sshd.service |
1060 | richard | 469 | if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
470 | then |
||
1574 | richard | 471 | /usr/bin/systemctl stop sshd.service |
1060 | richard | 472 | fi |
634 | richard | 473 | fi |
2568 | rexy | 474 | # Start / Stop LDAP authentification |
2688 | lucas.echa | 475 | if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
2568 | rexy | 476 | then |
2707 | tom.houday | 477 | $DIR_BIN/alcasar-ldap.sh --on |
478 | else |
||
479 | $DIR_BIN/alcasar-ldap.sh --off |
||
2568 | rexy | 480 | fi |
481 | echo |
||
628 | richard | 482 | ;; |
8 | franck | 483 | *) |
2688 | lucas.echa | 484 | echo "Argument inconnu : $1"; |
8 | franck | 485 | echo "$usage" |
486 | exit 1 |
||
487 | ;; |
||
488 | esac |