/alcasar.sh |
---|
764,34 → 764,39 |
# Configuring & securing Lighttpd |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar |
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
chown -R apache:apache /var/log/lighttpd |
/usr/bin/systemctl start lighttpd |
/usr/bin/systemctl start php-fpm |
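Review bot: The link created near the end of this section is named `/etc/lighttpd/vhosts.d/alcasar`, but the include appended to lighttpd.conf and the link managed by alcasar-https.sh both use `vhosts.d/alcasar.conf`, so after a fresh install the included file would appear not to exist until alcasar-https.sh is run. The page does not mark which lines are old and which are new, so this assumes the `ln -s` line is on the new side and the `include` line is kept. I would write `ln -sfn /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf`, which also keeps a re-run of the installer from failing on an existing link. The unquoted `cp $DIR_CONF/lighttpd/vhosts.d/* ...` is worth quoting as `"$DIR_CONF"/lighttpd/vhosts.d/*` while this line is being touched.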
/conf/lighttpd/vhosts.d/alcasar.conf |
---|
File deleted |
/conf/lighttpd/vhosts.d/alcasar-with-ssl.conf |
---|
0,0 → 1,91 |
$HTTP["url"] =~ ".*" { |
# Disabling directory listing as default setting |
dir-listing.activate = "disable" |
} |
# If a wrong url is used, displaying homepage for unprivileged users |
$HTTP["url"] !~ "^/(acc|save)/" { |
server.error-handler-404 = "/" |
} |
# Error pages |
server.errorfile-prefix = "/var/www/html/errors/error-" |
$SERVER["socket"] == "alcasar.localdomain:443" { |
ssl.engine = "enable" |
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem" |
ssl.ca-file = "/etc/pki/tls/certs/server-chain.crt" |
ssl.use-sslv2 = "disable" |
ssl.use-sslv3 = "disable" |
ssl.use-compression = "disable" |
ssl.honor-cipher-order = "enable" |
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" |
var.server_name = "alcasar.localdomain" |
server.name = server_name |
server.document-root = "/var/www/html" |
} |
$HTTP["scheme"] == "https" { |
alias.url = ( |
"/save" => "/var/Save" |
) |
# Digest authentication configuration |
auth.backend = "htdigest" |
auth.debug = 1 |
auth.require = ( |
"/acc/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
), |
"/save/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
) |
) |
$HTTP["url"] =~ "^/(acc|save)/" { |
# Setting digest files according access permissions |
$HTTP["url"] =~ "^/acc/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all" |
$HTTP["url"] =~ "^/acc/admin" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin" |
} |
$HTTP["url"] =~ "^/acc/manager/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager" |
} |
$HTTP["url"] =~ "^/acc/backup/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
} |
} |
$HTTP["url"] =~ "^/save" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
# Enabling directory listing |
dir-listing.activate = "enable" |
} |
} |
} |
$HTTP["scheme"] == "http" { |
# Force HTTPS for specific pages |
# $HTTP["url"] =~ "^/(acc|save|(intercept|password).php)" { |
$HTTP["url"] =~ "^/(acc|save)" { |
$HTTP["host"] =~ ".*" { |
url.redirect = (".*" => "https://%0$0") |
} |
} |
} |
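Review bot: The `ssl.cipher-list` in the `$SERVER["socket"]` block still offers 3DES suites (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`) and static-RSA key exchange, which gives up the 64-bit-block and forward-secrecy protections the rest of the list is aiming for. Since this is a new file, I would end the list at the AES suites and extend the exclusions, for example `...:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!3DES`, after checking which clients the portal must still support. The same line appears unchanged in alcasar-without-ssl.conf. A one-line comment above the list saying which client set it is tuned for would help the next reviewer.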
/conf/lighttpd/vhosts.d/alcasar-without-ssl.conf |
---|
0,0 → 1,91 |
$HTTP["url"] =~ ".*" { |
# Disabling directory listing as default setting |
dir-listing.activate = "disable" |
} |
# If a wrong url is used, displaying homepage for unprivileged users |
$HTTP["url"] !~ "^/(acc|save)/" { |
server.error-handler-404 = "/" |
} |
# Error pages |
server.errorfile-prefix = "/var/www/html/errors/error-" |
$SERVER["socket"] == "alcasar.localdomain:443" { |
ssl.engine = "enable" |
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem" |
ssl.ca-file = "/etc/pki/tls/certs/server-chain.crt" |
ssl.use-sslv2 = "disable" |
ssl.use-sslv3 = "disable" |
ssl.use-compression = "disable" |
ssl.honor-cipher-order = "enable" |
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" |
var.server_name = "alcasar.localdomain" |
server.name = server_name |
server.document-root = "/var/www/html" |
} |
$HTTP["scheme"] == "https" { |
alias.url = ( |
"/save" => "/var/Save" |
) |
# Digest authentication configuration |
auth.backend = "htdigest" |
auth.debug = 1 |
auth.require = ( |
"/acc/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
), |
"/save/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
) |
) |
$HTTP["url"] =~ "^/(acc|save)/" { |
# Setting digest files according access permissions |
$HTTP["url"] =~ "^/acc/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all" |
$HTTP["url"] =~ "^/acc/admin" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin" |
} |
$HTTP["url"] =~ "^/acc/manager/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager" |
} |
$HTTP["url"] =~ "^/acc/backup/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
} |
} |
$HTTP["url"] =~ "^/save" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
# Enabling directory listing |
dir-listing.activate = "enable" |
} |
} |
} |
$HTTP["scheme"] == "http" { |
# Force HTTPS for specific pages |
# $HTTP["url"] =~ "^/(acc|save)" { |
$HTTP["url"] =~ "^/(acc|save)" { |
$HTTP["host"] =~ ".*" { |
url.redirect = (".*" => "https://%0$0") |
} |
} |
} |
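Review bot: As shown, this file differs from alcasar-with-ssl.conf only in the commented-out pattern under "Force HTTPS for specific pages"; the active directives, including `ssl.engine = "enable"` and the redirect of `^/(acc|save)` to HTTPS, are the same in both. That means switching the symlink between the two changes nothing in lighttpd's behaviour, which is good for the ACC paths but makes the file name misleading. I would add a header comment such as `# HTTPS_LOGIN=off variant: user pages stay on HTTP, /acc and /save are still forced to HTTPS`, and consider moving the shared TLS and digest-auth blocks into one included file so the two copies cannot drift apart.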
/scripts/alcasar-https.sh |
---|
31,13 → 31,23 |
--off | -off) # disable HTTPS |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE |
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^redirssl.*?#&?" $CHILLI_CONF_FILE |
$SED "s?^uamuissl.*?#&?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
rm -f /etc/lighttpd/vhosts.d/alcasar.conf |
ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
/usr/bin/systemctl restart lighttpd |
;; |
--on | -on) # enable HTTPS |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
$SED "s?^#redirssl.*?redirssl?" $CHILLI_CONF_FILE |
$SED "s?^#uamuissl.*?uamuissl?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
rm -f /etc/lighttpd/vhosts.d/alcasar.conf |
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
/usr/bin/systemctl restart lighttpd |
;; |
*) |
echo "Argument inconnu : $1" |
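Review bot: Both arms remove the active vhost link, recreate it and restart lighttpd with no check in between, so a missing target file or a configuration error leaves the portal's web server down with no link to fall back to. I would replace the `rm -f` / `ln -s` pair with `ln -sfn /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf` (and the without-ssl equivalent) and run `lighttpd -t -f /etc/lighttpd/lighttpd.conf || exit 1` before `systemctl restart lighttpd`. `$CONF_FILE` and `$CHILLI_CONF_FILE` are also expanded unquoted on every `$SED` line. The `case` statement starts and ends outside the hunk, so whether `--on` is meant to leave `HTTPS_CHILLI` untouched cannot be judged from here.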
/web/index.php |
---|
152,7 → 152,7 |
$l_explain_net_pb = "Votre portail détecte que l'accès à Internet est indisponible."; |
$l_contact_access_deny = "Contactez le responsable de la séurité (OSSI/RSSI) si vous pensez que ce filtrage est abusif."; |
$l_contact_net_pb = "Contactez votre responsable informatique ou votre prestataire Internet pour plus d'information."; |
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Enregistrement par SMS</a>"; |
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Enregistrement par SMS</a>"; |
$l_install_certif = "Installer le certificat racine"; |
$l_install_certif_more = "Installation du certificat de l'autorité; racine d'ALCASAR"; |
$l_certif_explain = "Permet l'échange de données sécurisées entre votre station de consultation et le portail captif ALCASAR.<BR>Si ce certificat n'est pas enregistré sur votre station de consultation, il est possible que des alertes de sécurité soient émises par votre navigateur.<br><br>"; |
199,7 → 199,7 |
$l_explain_net_pb = "O sistema detectou que o acesso é de risco, não será permitido o acesso"; |
$l_contact_access_deny = "Entre em contato com o administrador do sistema de segurança se acha que essa filtragem é abusiva."; |
$l_contact_net_pb = "Entre em contato com a empresa fornecedora de Internet para mais informações"; |
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>"; |
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>"; |
$l_install_certif = "Instalar Certificado Alcasar AC"; |
$l_install_certif_more = "Instalar Certificado Alcasar AC"; |
$l_certif_explain = "O certificado Permiti a troca de dados seguro entre seu computador e o portal Alcasar.<BR>Se este certificado não estiver incorporado no seu computador, alguns alertas de segurança deverá aparecer no navegador.<br><br>"; |
246,7 → 246,7 |
$l_explain_net_pb = "您的门户检测因特网不可用。"; |
$l_contact_access_deny = "如果您认为该过滤不当,请联系安全负责人(OSSI/RSSI)。"; |
$l_contact_net_pb = "请联系IT负责人或网络服务商来了解更多信息。"; |
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">短信自动登录 </a>"; |
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">短信自动登录 </a>"; |
$l_install_certif = "安装根证书"; |
$l_install_certif_more = "安装根证书"; |
$l_certif_explain = "允许您的计算机与ALCASAR门户进行安全数据交换。<BR>如果该证书未包含在您的计算机中,您的浏览器将出现一些安全提醒。<br><br>"; |
294,7 → 294,7 |
$l_contact_access_deny = "المرجو الاتصال بضابط أمن (OSS / RSS) إذا اعتقدت ان هذه التصفية غير قانونية"; |
$l_contact_net_pb = "المرجو الاتصال بمدير المعلومات أو مورد الأنترنت للمزيد من المعلومات"; |
$auto_save_sms_text = "تسجيل ذاتي على"; |
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">SMS $auto_save_sms_text</a>"; |
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">SMS $auto_save_sms_text</a>"; |
$l_install_certif = "ركب جذر الشهادة"; |
$l_install_certif_more = "ALCASAR تركيب شهادة السلطة؛ جذر الكزار"; |
$exchange_data_text = "يمَكن من تبادل البيانات المؤمّنة بين محطة الاستفسار و بوابة الكزار الأسيرة"; |
361,7 → 361,7 |
$l_explain_net_pb = "Your portal has just detected that the Internet access is down"; |
$l_contact_access_deny = "Contact your security system manager if you think this filtering is abusive."; |
$l_contact_net_pb = "Contact your network responsive or your Internet provider for more information"; |
$l_sms_access = "<a href=\"https://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>"; |
$l_sms_access = "<a href=\"http://$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>"; |
$l_install_certif = "Install ALCASAR AC Certificate"; |
$l_install_certif_more = "Install ALCASAR AC Certificate"; |
$l_certif_explain = "Allow secure data exchange between your computer and ALCASAR portal.<BR>If this certificate isn't incorporated in your computer, some security alerts should appear in your browser.<br><br>"; |
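Review bot: Each language block now hard-codes the scheme of the SMS auto-registration link (reading the second line of each pair as the new side, `http://$hostname/autoregistrationinfo.php`), so the registration page is requested in cleartext even when HTTPS login is switched on with alcasar-https.sh. A host-relative link, `<a href=\"/autoregistrationinfo.php\">`, would follow whatever scheme the portal page itself was served over and removes five copies of the same URL. The change is repeated in the hunks at 152, 199, 246, 294 and 361. Whether `$hostname` can differ from the host serving index.php is not visible here, so confirm that before dropping it.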