/CHANGELOG |
14,6 → 14,8 |
- New network configuration UI (dynamic user-friendly diagram form). |
- Show/hide advanced attributes dynamically in user/group creation and edition. |
- Print parsed log of Fail2Ban instead of raw log lines. |
- New ACC menu (with JS instead of PHP reload). |
- Add option to allow unsecure login for user interception. |
BUGS |
- Display info field for DHCP static equipment |
/alcasar.sh |
1128,7 → 1128,7 |
chilli () |
{ |
# chilli unit for systemd |
cat << EOF > /lib/systemd/system/chilli.service |
cat << EOF > /lib/systemd/system/chilli.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
1233,8 → 1233,10 |
esac |
echo |
EOF |
chmod a+x /etc/init.d/chilli |
ln -s /etc/init.d/chilli /usr/libexec/chilli |
chmod a+x /etc/init.d/chilli |
ln -s /etc/init.d/chilli /usr/libexec/chilli |
# HTTPS login |
echo "HTTPS_LOGIN=on" >> $CONF_FILE |
# conf file creation |
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default |
#NTP Option configuration for DHCP |
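Review bot: The append `echo "HTTPS_LOGIN=on" >> $CONF_FILE` under `# HTTPS login` is unconditional, so if chilli() is ever run again against an existing configuration file (re-install or update path, not visible here) the key is duplicated and the `grep ^HTTPS_LOGIN= | cut` readers added elsewhere in this commit return two values, which breaks their `[ ... == "on" ]` test. Guarding it is one line: `grep -q '^HTTPS_LOGIN=' $CONF_FILE || echo "HTTPS_LOGIN=on" >> $CONF_FILE`. The comment could also say what the key controls, e.g. `# HTTPS login: when "on", intercept.php treats a plain-HTTP login page request as an error (toggled by alcasar-https.sh)`. chilli() starts and ends outside the hunk.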
/conf/sudoers |
13,21 → 13,21 |
# Cmnd alias specification |
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh # network commands |
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment |
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass |
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # to manage users in command line |
Cmnd_Alias SQL=/usr/local/bin/alcasar-mysql.sh # to export users database |
Cmnd_Alias SYSTEM_BACKUP=/usr/local/bin/alcasar-conf.sh # to create conf backup file |
Cmnd_Alias EXPORT=/usr/local/bin/alcasar-archive.sh # to export/save the log files |
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment |
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass |
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # to manage users in command line |
Cmnd_Alias SQL=/usr/local/bin/alcasar-mysql.sh # to export users database |
Cmnd_Alias SYSTEM_BACKUP=/usr/local/bin/alcasar-conf.sh # to create conf backup file |
Cmnd_Alias EXPORT=/usr/local/bin/alcasar-archive.sh # to export/save the log files |
Cmnd_Alias BL=/usr/local/bin/alcasar-bl.sh,/usr/local/bin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/bin/alcasar-url_filter_wl.sh,/usr/local/bin/alcasar-url_filter_bl.sh # to manage the filtering system |
Cmnd_Alias NF=/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # to manage the firewall |
Cmnd_Alias LOGOUT=/usr/local/bin/alcasar-logout.sh # to disconnect the users |
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed) |
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services |
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem |
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh # to manage the certificates |
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups |
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC |
Cmnd_Alias NF=/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # to manage the firewall |
Cmnd_Alias LOGOUT=/usr/local/bin/alcasar-logout.sh # to disconnect the users |
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed) |
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services |
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem |
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates |
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups |
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC |
# Defaults specification |
# Defaults syslog=auth |
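Review bot: The only functional change I can identify in this file is the addition of /usr/local/bin/alcasar-https.sh to the SSL alias on the new `Cmnd_Alias SSL=...` line; the rest of the Cmnd_Alias block appears re-emitted unchanged, which in a privilege-granting file makes the real change hard to audit — keeping the diff to the one modified line would help. Whoever is bound to the SSL alias (the user specification is outside the hunk) can now switch the portal to plaintext logins and restart chilli, so it is worth confirming that alcasar-https.sh stays root-owned and not writable by the web user, and that it keeps rejecting any argument other than --on/--off as the new version does. The alias comment could state this scope: `# to manage the certificates and the HTTPS-login switch (alcasar-https.sh)`.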
/scripts/alcasar-conf.sh |
52,7 → 52,7 |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1) |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
313,7 → 313,8 |
# Set hostname in CoovaChilli |
$SED "s/^uamallowed.*/uamallowed\t${domainNames// /,}/g" /etc/chilli.conf |
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s/^uamserver.*/uamserver\thttps:\/\/$HOSTNAME.$DOMAIN\/intercept.php/g" /etc/chilli.conf |
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
# Set hostname in Apache |
$SED "s/^ServerName.*/ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/httpd.conf |
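Review bot: The new `[ ... == "on" ]` test on the grep of HTTPS_LOGIN fails open: when the key is absent from $CONF_FILE (a configuration written before this commit, or one where the sed in alcasar-https.sh found nothing to replace) the command substitution is empty, `[ == "on" ]` is a test error, and uamserver is rewritten to http. Read the value into a quoted variable and default to https: `https_login=$(grep '^HTTPS_LOGIN=' $CONF_FILE | cut -d'=' -f2)` followed by `[ "$https_login" == "off" ] && chilli_login_protocol="http" || chilli_login_protocol="https"`. The same missing-key case applies to `$conf['HTTPS_LOGIN'] === 'on'` in web/intercept.php, where an unset key silently (at most a PHP notice) disables the plain-HTTP check, and to the `s?^HTTPS_LOGIN=.*?...?` substitutions in scripts/alcasar-https.sh, which are no-ops without the key. The enclosing code of this hunk continues outside it.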
/scripts/alcasar-https.sh |
9,8 → 9,10 |
# enable or disable encryption on authentication flows |
SED="/bin/sed -i" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
CHILLI_CONF_FILE="/etc/chilli.conf" |
INTERCEPT_FILE="/var/www/html/intercept.php" |
HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2) |
DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2) |
usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}" |
nb_args=$# |
20,25 → 22,25 |
echo "$usage" |
exit 1 |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
--off|-off) # disable HTTPS |
$SED "/# If https not use/,/}/s?^?#?" $INTERCEPT_FILE |
$SED "s?uamserver.*?uamserver\thttp://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE |
--off | -off) # disable HTTPS |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
;; |
--on|-on) # enable HTTPS |
$SED "/## If https not use/,/#}/s?^#??" $INTERCEPT_FILE |
$SED "s?uamserver.*?uamserver\thttps://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE |
--on | -on) # enable HTTPS |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
/usr/bin/systemctl restart chilli |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1" |
echo "$usage" |
exit 1 |
;; |
esac |
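Review bot: The --off branch switches the portal to plaintext logins without leaving any audit trace: it edits two files and restarts chilli, but nothing records when HTTPS login was disabled. A single `/usr/bin/logger -t alcasar-https "HTTPS_LOGIN set to off: credentials will transit in clear text"` (with the matching line in --on) gives operators a syslog event to alert on. $HOSTNAME and $DOMAIN are read from $CONF_FILE and interpolated unquoted into the `s?...?` sed expressions, so an empty value or one containing `?` or `&` corrupts the uamserver line; a check after the two greps, e.g. `[ -n "$HOSTNAME" ] && [ -n "$DOMAIN" ] || { echo "HOSTNAME/DOMAIN missing in $CONF_FILE"; exit 1; }`, closes that. If I read the removed lines correctly, the old --off commented out the check block in $INTERCEPT_FILE and the old --on restored it; an installation that once ran the old --off keeps that block commented, and the new --on no longer restores it.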
/web/acc/admin/network.php |
238,6 → 238,15 |
} |
} |
break; |
case 'https_login': // Set HTTPS login status |
if ($_POST['https_login'] === 'on') { |
exec('sudo /usr/local/bin/alcasar-https.sh --on'); |
} else { |
exec('sudo /usr/local/bin/alcasar-https.sh --off'); |
} |
header('Location: '.$_SERVER['PHP_SELF']); |
exit(); |
} |
// Network changes |
617,7 → 626,7 |
<tr><td colspan="2" valign="middle" align="left"> |
<center><h3><?= $l_dhcp_state ?> : <?= ${'l_DHCP_'.$conf['DHCP']} ?></h3></center> |
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="POST"> |
<select name="choix">"; |
<select name="choix"> |
<option value="DHCP_Off"<?= ((!strcmp($conf['DHCP'], 'off')) ? ' selected' : '') ?>><?= $l_DHCP_off ?></option> |
<option value="DHCP_On"<?= ((!strcmp($conf['DHCP'], 'on')) ? ' selected' : '') ?>><?= $l_DHCP_on ?></option> |
</select> |
700,16 → 709,24 |
</table> |
<table width="100%" cellspacing="0" cellpadding="5" border="1"> |
<tr> |
<td width="50%"> |
<h3>Importer un certificat existant</h3> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data"> |
<?= $l_private_key;?> <input type="file" name="key"><br> |
<?= $l_certificate;?> <input type="file" name="crt"><br> |
<?= $l_server_chain;?> <input type="file" name="sc"><br> |
<input type="hidden" name="choix" value="import_cert"> |
<input type="submit" value="<?= $l_import ?>"> |
<td width="50%" valign="top"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="https_login"> |
<span>Autoriser les utilisateurs à se connecter de manière non sécurisée :</span><br> |
<select name="https_login"> |
<option value="on"<?= (($conf['HTTPS_LOGIN'] === 'on') ? ' selected' : '') ?>>Non</option> |
<option value="off"<?= (($conf['HTTPS_LOGIN'] === 'off') ? ' selected' : '') ?>>Oui</option> |
</select> |
<input type="submit" value="<?= $l_apply ?>"><br> |
<span>/!\ Les identifiants de connexion seront envoyés en clair.</span> |
</form> |
<br> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="default_cert"> |
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>> |
</form> |
</td> |
<td width="50%" valign="top"> |
<?php |
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt')); |
719,10 → 736,6 |
$CAdomain = $certificateInfos['issuer']['CN']; |
$CAorganization = (isset($certificateInfos['issuer']['O'])) ? $certificateInfos['issuer']['O'] : ''; |
?> |
<br> |
<hr> |
<h3><?= $l_current_certificate ?></h3> |
Expiration Date : <?= $cert_expiration_date ?><br> |
Common name : <?= $domain ?><br> |
730,11 → 743,17 |
<h4><?= $l_validated ?></h4> |
Common name : <?= $CAdomain ?><br> |
Organization : <?= $CAorganization ?><br> |
<br> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="default_cert"> |
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>> |
</td> |
</tr> |
<tr> |
<td width="50%" valign="top"> |
<h3>Importer un certificat</h3> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data"> |
<?= $l_private_key;?> <input type="file" name="key"><br> |
<?= $l_certificate;?> <input type="file" name="crt"><br> |
<?= $l_server_chain;?> <input type="file" name="sc"><br> |
<input type="hidden" name="choix" value="import_cert"> |
<input type="submit" value="<?= $l_import ?>"> |
</form> |
</td> |
<td width="50%" valign="top"> |
751,7 → 770,7 |
} |
?> |
<h3>Intégration Let's Encrypt</h3> |
<?php if ($step === 1) : ?> |
<?php if ($step === 1): ?> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="le_issueCert"> |
Status : Inactif<br> |
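Review bot: In the `case 'https_login'` branch (the first hunk of this file) every value of $_POST['https_login'] other than exactly 'on' — including a missing field — runs `alcasar-https.sh --off`, so a malformed or hand-crafted POST downgrades the portal to plaintext logins; the else should be an explicit `} elseif ($_POST['https_login'] === 'off') {` so that any other value is ignored rather than treated as a downgrade. In the form hunk the option values read inverted against their labels (`value="on"` is shown as "Non", `value="off"` as "Oui") because the question is phrased as "allow insecure login" while the stored key is HTTPS_LOGIN; a comment next to the select such as `<!-- https_login=on means insecure (plain HTTP) login is NOT allowed -->` would keep a future maintainer from "fixing" it the wrong way. The new strings are hard-coded French while the surrounding form uses $l_ translation variables.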
/web/intercept.php |
343,8 → 343,8 |
$l_autoregistration = "Auto registration (sms)"; |
} |
# If https not use, tell it's wrong |
if ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off')) { |
# If HTTPS not use, tell it's wrong |
if (($conf['HTTPS_LOGIN'] === 'on') && ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off'))) { |
// Cleaning the cache |
header('Expires: Tue, 01 Jan 2000 00:00:00 GMT'); |
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); |