/CHANGELOG |
---|
14,6 → 14,8 |
- New network configuration UI (dynamic user-friendly diagram form). |
- Show/hide advanced attributes dynamically in user/group creation and edition. |
- Print parsed log of Fail2Ban instead of raw log lines. |
- New ACC menu (with JS instead of PHP reload). |
- Add option to allow unsecure login for user interception. |
BUGS |
- Display info field for DHCP static equipment |
/alcasar.sh |
---|
1235,6 → 1235,8 |
EOF |
chmod a+x /etc/init.d/chilli |
ln -s /etc/init.d/chilli /usr/libexec/chilli |
# HTTPS login |
echo "HTTPS_LOGIN=on" >> $CONF_FILE |
# conf file creation |
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default |
#NTP Option configuration for DHCP |
/conf/sudoers |
---|
25,7 → 25,7 |
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed) |
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services |
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem |
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh # to manage the certificates |
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates |
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups |
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC |
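Review bot: The new `/usr/local/bin/alcasar-https.sh` entry in `Cmnd_Alias SSL` has no argument list, so whoever holds that alias may run the script as root with any arguments, although network.php only ever calls it with `--on` or `--off`. Pinning the two forms keeps the grant minimal: `/usr/local/bin/alcasar-https.sh --on,/usr/local/bin/alcasar-https.sh --off`. The trailing comment `# to manage the certificates` no longer describes the whole alias; `# to manage the certificates and the HTTPS login mode` would be accurate. The rule that assigns SSL to an account is outside this hunk, so which user gains the right cannot be confirmed from here.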
/scripts/alcasar-conf.sh |
---|
313,7 → 313,8 |
# Set hostname in CoovaChilli |
$SED "s/^uamallowed.*/uamallowed\t${domainNames// /,}/g" /etc/chilli.conf |
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s/^uamserver.*/uamserver\thttps:\/\/$HOSTNAME.$DOMAIN\/intercept.php/g" /etc/chilli.conf |
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
# Set hostname in Apache |
$SED "s/^ServerName.*/ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/httpd.conf |
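Review bot: The protocol test on the added `HTTPS_LOGIN` line fails open: if the key is absent from `$CONF_FILE` (for example a configuration file written before this change, if one can reach this script), the backtick expands to nothing, `[` reports an error, and the `||` branch selects `http`. Treating only an explicit `off` as the downgrade keeps HTTPS as the default: `[ "$(grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2)" = "off" ] && chilli_login_protocol="http" || chilli_login_protocol="https"`. The same pattern appears in /web/intercept.php, where `$conf['HTTPS_LOGIN'] === 'on'` skips the HTTPS check when the key is missing; `(!isset($conf['HTTPS_LOGIN']) || $conf['HTTPS_LOGIN'] !== 'off')` would keep the check on by default.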
/scripts/alcasar-https.sh |
---|
9,8 → 9,10 |
# enable or disable encryption on authentication flows |
SED="/bin/sed -i" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
CHILLI_CONF_FILE="/etc/chilli.conf" |
INTERCEPT_FILE="/var/www/html/intercept.php" |
HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2) |
DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2) |
usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}" |
nb_args=$# |
20,6 → 22,7 |
echo "$usage" |
exit 1 |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
26,19 → 29,18 |
exit 0 |
;; |
--off|-off) # disable HTTPS |
$SED "/# If https not use/,/}/s?^?#?" $INTERCEPT_FILE |
$SED "s?uamserver.*?uamserver\thttp://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
;; |
--on|-on) # enable HTTPS |
$SED "/## If https not use/,/#}/s?^#??" $INTERCEPT_FILE |
$SED "s?uamserver.*?uamserver\thttps://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1" |
echo "$usage" |
exit 1 |
;; |
esac |
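Review bot: Both `s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=...?` substitutions do nothing when `$CONF_FILE` has no `HTTPS_LOGIN` line, so on such a system the script rewrites `uamserver` in chilli.conf while alcasar.conf records no state and the two can disagree. Creating the key first when it is missing closes that gap: `grep -q '^HTTPS_LOGIN=' $CONF_FILE || echo "HTTPS_LOGIN=on" >> $CONF_FILE`. The `uamserver.*` pattern is also unanchored, unlike `^uamserver.*` in alcasar-conf.sh, so it would rewrite a commented-out or prefixed line as well; `s?^uamserver.*?...?` would keep the two scripts consistent. Parts of the script between the hunks are not visible here.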
/web/acc/admin/network.php |
---|
238,7 → 238,16 |
} |
} |
break; |
case 'https_login': // Set HTTPS login status |
if ($_POST['https_login'] === 'on') { |
exec('sudo /usr/local/bin/alcasar-https.sh --on'); |
} else { |
exec('sudo /usr/local/bin/alcasar-https.sh --off'); |
} |
header('Location: '.$_SERVER['PHP_SELF']); |
exit(); |
} |
// Network changes |
if ($choix === 'network_change') { |
617,7 → 626,7 |
<tr><td colspan="2" valign="middle" align="left"> |
<center><h3><?= $l_dhcp_state ?> : <?= ${'l_DHCP_'.$conf['DHCP']} ?></h3></center> |
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="POST"> |
<select name="choix">"; |
<select name="choix"> |
<option value="DHCP_Off"<?= ((!strcmp($conf['DHCP'], 'off')) ? ' selected' : '') ?>><?= $l_DHCP_off ?></option> |
<option value="DHCP_On"<?= ((!strcmp($conf['DHCP'], 'on')) ? ' selected' : '') ?>><?= $l_DHCP_on ?></option> |
</select> |
700,16 → 709,24 |
</table> |
<table width="100%" cellspacing="0" cellpadding="5" border="1"> |
<tr> |
<td width="50%"> |
<h3>Importer un certificat existant</h3> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data"> |
<?= $l_private_key;?> <input type="file" name="key"><br> |
<?= $l_certificate;?> <input type="file" name="crt"><br> |
<?= $l_server_chain;?> <input type="file" name="sc"><br> |
<input type="hidden" name="choix" value="import_cert"> |
<input type="submit" value="<?= $l_import ?>"> |
<td width="50%" valign="top"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="https_login"> |
<span>Autoriser les utilisateurs à se connecter de manière non sécurisée :</span><br> |
<select name="https_login"> |
<option value="on"<?= (($conf['HTTPS_LOGIN'] === 'on') ? ' selected' : '') ?>>Non</option> |
<option value="off"<?= (($conf['HTTPS_LOGIN'] === 'off') ? ' selected' : '') ?>>Oui</option> |
</select> |
<input type="submit" value="<?= $l_apply ?>"><br> |
<span>/!\ Les identifiants de connexion seront envoyés en clair.</span> |
</form> |
<br> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="default_cert"> |
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>> |
</form> |
</td> |
<td width="50%" valign="top"> |
<?php |
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt')); |
719,10 → 736,6 |
$CAdomain = $certificateInfos['issuer']['CN']; |
$CAorganization = (isset($certificateInfos['issuer']['O'])) ? $certificateInfos['issuer']['O'] : ''; |
?> |
<br> |
<hr> |
<h3><?= $l_current_certificate ?></h3> |
Expiration Date : <?= $cert_expiration_date ?><br> |
Common name : <?= $domain ?><br> |
730,11 → 743,17 |
<h4><?= $l_validated ?></h4> |
Common name : <?= $CAdomain ?><br> |
Organization : <?= $CAorganization ?><br> |
<br> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="default_cert"> |
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>> |
</td> |
</tr> |
<tr> |
<td width="50%" valign="top"> |
<h3>Importer un certificat</h3> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data"> |
<?= $l_private_key;?> <input type="file" name="key"><br> |
<?= $l_certificate;?> <input type="file" name="crt"><br> |
<?= $l_server_chain;?> <input type="file" name="sc"><br> |
<input type="hidden" name="choix" value="import_cert"> |
<input type="submit" value="<?= $l_import ?>"> |
</form> |
</td> |
<td width="50%" valign="top"> |
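Review bot: In the new `case 'https_login':` the `else` branch runs `alcasar-https.sh --off` for every value other than `'on'`, including a POST where the field is missing, so a malformed request switches off login encryption. Make the downgrade explicit with `} elseif (isset($_POST['https_login']) && $_POST['https_login'] === 'off') {` and take no action otherwise. The form that posts this shows no anti-CSRF token in the visible lines; because the action weakens the portal's login security, confirm that such a check exists elsewhere in the page. The `exec()` result is not checked either, so a failed sudo call looks the same as success after the redirect. The enclosing `switch` starts outside the hunk.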
/web/intercept.php |
---|
343,8 → 343,8 |
$l_autoregistration = "Auto registration (sms)"; |
} |
# If https not use, tell it's wrong |
if ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off')) { |
# If HTTPS not use, tell it's wrong |
if (($conf['HTTPS_LOGIN'] === 'on') && ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off'))) { |
// Cleaning the cache |
header('Expires: Tue, 01 Jan 2000 00:00:00 GMT'); |
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); |