Subversion Repositories ALCASAR

Compare Revisions

Rev 2321 → Rev 2324

/CHANGELOG
14,6 → 14,8
- New network configuration UI (dynamic user-friendly diagram form).
- Show/hide advanced attributes dynamically in user/group creation and edition.
- Print parsed log of Fail2Ban instead of raw log lines.
- New ACC menu (with JS instead of PHP reload).
- Add option to allow unsecure login for user interception.
 
BUGS
- Display info field for DHCP static equipment
/alcasar.sh
1235,6 → 1235,8
EOF
chmod a+x /etc/init.d/chilli
ln -s /etc/init.d/chilli /usr/libexec/chilli
# HTTPS login
echo "HTTPS_LOGIN=on" >> $CONF_FILE
# conf file creation
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
#NTP Option configuration for DHCP
/conf/sudoers
25,7 → 25,7
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed)
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh # to manage the certificates
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC
 
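Review bot: The new `/usr/local/bin/alcasar-https.sh` entry in the `SSL` alias carries no argument list, so sudo will run it as root with whatever arguments the caller supplies. The only invocations shown on this page are `--on` and `--off` from network.php, so the alias could name exactly those: `/usr/local/bin/alcasar-https.sh --on,/usr/local/bin/alcasar-https.sh --off`. Which account is granted `SSL` is outside this hunk; if it is the web server account, the script should also be owned by root and not writable by that account.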
/scripts/alcasar-conf.sh
313,7 → 313,8
# Set hostname in CoovaChilli
$SED "s/^uamallowed.*/uamallowed\t${domainNames// /,}/g" /etc/chilli.conf
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s/^uamserver.*/uamserver\thttps:\/\/$HOSTNAME.$DOMAIN\/intercept.php/g" /etc/chilli.conf
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
# Set hostname in Apache
$SED "s/^ServerName.*/ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/httpd.conf
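Review bot: The unquoted test on the new `HTTPS_LOGIN` line fails open: if alcasar.conf has no `HTTPS_LOGIN=` line or the value is empty, the backtick expands to nothing, `[ == "on" ]` errors out, and the `||` arm sets `chilli_login_protocol="http"`. A missing key therefore silently moves the portal login to cleartext. The new condition in /web/intercept.php leans the same way, since `$conf['HTTPS_LOGIN'] === 'on'` is false for an absent key and the HTTPS check is then skipped. Downgrade only on an explicit `off`, e.g. `[ "$(grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2)" = "off" ] && chilli_login_protocol="http" || chilli_login_protocol="https"`, and in intercept.php test `(!isset($conf['HTTPS_LOGIN']) || $conf['HTTPS_LOGIN'] !== 'off')`. The enclosing block starts and ends outside the hunk.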
/scripts/alcasar-https.sh
9,8 → 9,10
# enable or disable encryption on authentication flows
 
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
CHILLI_CONF_FILE="/etc/chilli.conf"
INTERCEPT_FILE="/var/www/html/intercept.php"
HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
 
usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}"
nb_args=$#
20,6 → 22,7
echo "$usage"
exit 1
fi
 
case $args in
-\? | -h* | --h*)
echo "$usage"
26,19 → 29,18
exit 0
;;
--off|-off) # disable HTTPS
$SED "/# If https not use/,/}/s?^?#?" $INTERCEPT_FILE
$SED "s?uamserver.*?uamserver\thttp://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
;;
--on|-on) # enable HTTPS
$SED "/## If https not use/,/#}/s?^#??" $INTERCEPT_FILE
$SED "s?uamserver.*?uamserver\thttps://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
;;
*)
echo "Argument inconnu :$1";
echo "Argument inconnu : $1"
echo "$usage"
exit 1
;;
esac
 
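Review bot: The new `$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE` (and its `=on` twin in the `--on` branch) only rewrites an existing line; nothing in this script adds the key when it is absent. The only place this page shows the key being written is the install-time `echo "HTTPS_LOGIN=on" >> $CONF_FILE` in alcasar.sh, so on a conf file without it chilli.conf is switched while the recorded state is not, and a later alcasar-conf.sh run would regenerate `uamserver` from whatever the conf says. A guard such as `grep -q '^HTTPS_LOGIN=' $CONF_FILE || echo 'HTTPS_LOGIN=on' >> $CONF_FILE` before the `case` would keep the two files in step. Separately, the `uamserver.*` patterns here are unanchored while alcasar-conf.sh uses `^uamserver.*`; anchoring them would keep both scripts editing the same line.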
/web/acc/admin/network.php
238,7 → 238,16
}
}
break;
 
case 'https_login': // Set HTTPS login status
if ($_POST['https_login'] === 'on') {
exec('sudo /usr/local/bin/alcasar-https.sh --on');
} else {
exec('sudo /usr/local/bin/alcasar-https.sh --off');
}
header('Location: '.$_SERVER['PHP_SELF']);
exit();
}
 
// Network changes
if ($choix === 'network_change') {
617,7 → 626,7
<tr><td colspan="2" valign="middle" align="left">
<center><h3><?= $l_dhcp_state ?> : <?= ${'l_DHCP_'.$conf['DHCP']} ?></h3></center>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="POST">
<select name="choix">";
<select name="choix">
<option value="DHCP_Off"<?= ((!strcmp($conf['DHCP'], 'off')) ? ' selected' : '') ?>><?= $l_DHCP_off ?></option>
<option value="DHCP_On"<?= ((!strcmp($conf['DHCP'], 'on')) ? ' selected' : '') ?>><?= $l_DHCP_on ?></option>
</select>
700,16 → 709,24
</table>
<table width="100%" cellspacing="0" cellpadding="5" border="1">
<tr>
<td width="50%">
<h3>Importer un certificat existant</h3>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data">
<?= $l_private_key;?> <input type="file" name="key"><br>
<?= $l_certificate;?> <input type="file" name="crt"><br>
<?= $l_server_chain;?> <input type="file" name="sc"><br>
<input type="hidden" name="choix" value="import_cert">
<input type="submit" value="<?= $l_import ?>">
<td width="50%" valign="top">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="https_login">
<span>Autoriser les utilisateurs à se connecter de manière non sécurisée :</span><br>
<select name="https_login">
<option value="on"<?= (($conf['HTTPS_LOGIN'] === 'on') ? ' selected' : '') ?>>Non</option>
<option value="off"<?= (($conf['HTTPS_LOGIN'] === 'off') ? ' selected' : '') ?>>Oui</option>
</select>
<input type="submit" value="<?= $l_apply ?>"><br>
<span>/!\ Les identifiants de connexion seront envoyés en clair.</span>
</form>
 
<br>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="default_cert">
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>>
</form>
</td>
<td width="50%" valign="top">
<?php
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt'));
 
719,10 → 736,6
$CAdomain = $certificateInfos['issuer']['CN'];
$CAorganization = (isset($certificateInfos['issuer']['O'])) ? $certificateInfos['issuer']['O'] : '';
?>
 
<br>
<hr>
 
<h3><?= $l_current_certificate ?></h3>
Expiration Date : <?= $cert_expiration_date ?><br>
Common name : <?= $domain ?><br>
730,11 → 743,17
<h4><?= $l_validated ?></h4>
Common name : <?= $CAdomain ?><br>
Organization : <?= $CAorganization ?><br>
 
<br>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="default_cert">
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>>
</td>
</tr>
<tr>
<td width="50%" valign="top">
<h3>Importer un certificat</h3>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data">
<?= $l_private_key;?> <input type="file" name="key"><br>
<?= $l_certificate;?> <input type="file" name="crt"><br>
<?= $l_server_chain;?> <input type="file" name="sc"><br>
<input type="hidden" name="choix" value="import_cert">
<input type="submit" value="<?= $l_import ?>">
</form>
</td>
<td width="50%" valign="top">
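Review bot: In the new `case 'https_login':` block every value other than the exact string `on`, including a missing or malformed `https_login` field, runs `alcasar-https.sh --off`, so the less secure state is the fallthrough. Make the downgrade explicit with `} elseif (isset($_POST['https_login']) && $_POST['https_login'] === 'off') {` and ignore anything else. The `exec()` result is also discarded before the redirect, so a failed sudo call or chilli restart is invisible to the administrator; passing the output and return-code arguments and reporting a non-zero code would surface that. No anti-CSRF token is visible in the new form further down in this section, which matters more for a request that turns off login encryption; the rest of the file is outside this view, so confirm whether one is applied elsewhere. The enclosing `switch` starts outside the hunk.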
/web/intercept.php
343,8 → 343,8
$l_autoregistration = "Auto registration (sms)";
}
 
# If https not use, tell it's wrong
if ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off')) {
# If HTTPS not use, tell it's wrong
if (($conf['HTTPS_LOGIN'] === 'on') && ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off'))) {
// Cleaning the cache
header('Expires: Tue, 01 Jan 2000 00:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');