Ignore whitespace Rev 2321 → Rev 2324

/CHANGELOG
14,6 → 14,8
- New network configuration UI (dynamic user-friendly diagram form).
- Show/hide advanced attributes dynamically in user/group creation and edition.
- Print parsed log of Fail2Ban instead of raw log lines.
- New ACC menu (with JS instead of PHP reload).
- Add option to allow unsecure login for user interception.
 
BUGS
- Display info field for DHCP static equipment
/alcasar.sh
1128,7 → 1128,7
chilli ()
{
# chilli unit for systemd
cat << EOF > /lib/systemd/system/chilli.service
cat << EOF > /lib/systemd/system/chilli.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
1233,8 → 1233,10
esac
echo
EOF
chmod a+x /etc/init.d/chilli
ln -s /etc/init.d/chilli /usr/libexec/chilli
chmod a+x /etc/init.d/chilli
ln -s /etc/init.d/chilli /usr/libexec/chilli
# HTTPS login
echo "HTTPS_LOGIN=on" >> $CONF_FILE
# conf file creation
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
#NTP Option configuration for DHCP
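Review bot: The added `echo "HTTPS_LOGIN=on" >> $CONF_FILE` appends unconditionally, so a second run of the installer (or any re-run of this function) leaves two `HTTPS_LOGIN=` lines in the conf, and the `grep | cut` in alcasar-conf.sh and the `sed s?^HTTPS_LOGIN=.*?...?` in alcasar-https.sh then see both. Guarding the append keeps the key unique and quotes the path like the rest of the script should: `grep -q '^HTTPS_LOGIN=' "$CONF_FILE" || echo "HTTPS_LOGIN=on" >> "$CONF_FILE"`. Defaulting to `on` is the right fail-safe choice and deserves a one-line comment saying so, e.g. `# HTTPS login (secure default; toggled later by alcasar-https.sh)`. This hunk appears to still be inside chilli(), whose start at line 1128 is in the earlier hunk and whose end is outside this one; that earlier hunk is printed twice but identical, presumably whitespace-only.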
/conf/sudoers
13,21 → 13,21
 
# Cmnd alias specification
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh # network commands
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # to manage users in command line
Cmnd_Alias SQL=/usr/local/bin/alcasar-mysql.sh # to export users database
Cmnd_Alias SYSTEM_BACKUP=/usr/local/bin/alcasar-conf.sh # to create conf backup file
Cmnd_Alias EXPORT=/usr/local/bin/alcasar-archive.sh # to export/save the log files
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # to manage users in command line
Cmnd_Alias SQL=/usr/local/bin/alcasar-mysql.sh # to export users database
Cmnd_Alias SYSTEM_BACKUP=/usr/local/bin/alcasar-conf.sh # to create conf backup file
Cmnd_Alias EXPORT=/usr/local/bin/alcasar-archive.sh # to export/save the log files
Cmnd_Alias BL=/usr/local/bin/alcasar-bl.sh,/usr/local/bin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/bin/alcasar-url_filter_wl.sh,/usr/local/bin/alcasar-url_filter_bl.sh # to manage the filtering system
Cmnd_Alias NF=/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # to manage the firewall
Cmnd_Alias LOGOUT=/usr/local/bin/alcasar-logout.sh # to disconnect the users
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed)
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh # to manage the certificates
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC
Cmnd_Alias NF=/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # to manage the firewall
Cmnd_Alias LOGOUT=/usr/local/bin/alcasar-logout.sh # to disconnect the users
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed)
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC
 
# Defaults specification
# Defaults syslog=auth
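Review bot: The SSL alias now grants `/usr/local/bin/alcasar-https.sh` with any argument list, while the only caller visible in this revision (network.php) passes a fixed `--on` or `--off`. Since the script accepts exactly those two forms, the alias can be pinned to them so sudo rejects anything else: `Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh --on,/usr/local/bin/alcasar-https.sh --off`. The user specification that binds SSL to a runner is outside this hunk, so which account gains the command cannot be confirmed from here. The other aliases in the hunk are printed twice but identical, presumably a whitespace-only change.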
/scripts/alcasar-conf.sh
52,7 → 52,7
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1)
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
313,7 → 313,8
# Set hostname in CoovaChilli
$SED "s/^uamallowed.*/uamallowed\t${domainNames// /,}/g" /etc/chilli.conf
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s/^uamserver.*/uamserver\thttps:\/\/$HOSTNAME.$DOMAIN\/intercept.php/g" /etc/chilli.conf
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
# Set hostname in Apache
$SED "s/^ServerName.*/ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/httpd.conf
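Review bot: The new `[ ... == "on" ]` test around the unquoted backtick `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` fails open: when the key is absent from the conf (an installation made before this revision, unless its upgrade path also appends the key) the test expands to `[ == "on" ]`, errors out, and the `||` arm silently selects `http` for the portal login URL. Reading the value into a variable and defaulting to https unless it is explicitly `off` keeps the secure behaviour: `https_login=$(grep '^HTTPS_LOGIN=' "$CONF_FILE" | cut -d'=' -f2)` followed by `if [ "$https_login" = "off" ]; then chilli_login_protocol="http"; else chilli_login_protocol="https"; fi`. The `$SED` line after it interpolates `$chilli_login_protocol` and `$HOSTNAME.$DOMAIN` into the sed expression unescaped, but that pattern predates this change. The enclosing block starts outside the hunk; the earlier hunk at line 52 is printed twice but identical, presumably whitespace-only.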
/scripts/alcasar-https.sh
9,8 → 9,10
# enable or disable encryption on authentication flows
 
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
CHILLI_CONF_FILE="/etc/chilli.conf"
INTERCEPT_FILE="/var/www/html/intercept.php"
HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
 
usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}"
nb_args=$#
20,25 → 22,25
echo "$usage"
exit 1
fi
 
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--off|-off) # disable HTTPS
$SED "/# If https not use/,/}/s?^?#?" $INTERCEPT_FILE
$SED "s?uamserver.*?uamserver\thttp://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE
--off | -off) # disable HTTPS
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
;;
--on|-on) # enable HTTPS
$SED "/## If https not use/,/#}/s?^#??" $INTERCEPT_FILE
$SED "s?uamserver.*?uamserver\thttps://alcasar.localdomain/intercept.php?" $CHILLI_CONF_FILE
--on | -on) # enable HTTPS
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
;;
*)
echo "Argument inconnu :$1";
echo "Argument inconnu : $1"
echo "$usage"
exit 1
;;
esac
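Review bot: `HOSTNAME` and `DOMAIN` are read from `$CONF_FILE` with no check that either is non-empty, and both are then spliced into the `uamserver` sed replacement in the `--on`/`--off` arms, so a missing conf file or absent keys restarts chilli pointing at `https://./intercept.php`. A guard right after the two assignments fails closed before anything is edited: `[ -n "$HOSTNAME" ] && [ -n "$DOMAIN" ] || { echo "HOSTNAME/DOMAIN not found in $CONF_FILE" >&2; exit 1; }`. The replacement uses `?` as the sed delimiter, so a value containing `?` or `&` would also corrupt the line; unlikely for a hostname, but worth a comment on the `SED=` line. Disabling HTTPS login is a security-relevant state change that currently leaves no trace; a `logger -t alcasar-https "HTTPS login disabled by $(id -un)"` line in the `--off` arm (and its mirror in `--on`) would help later review.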
 
/web/acc/admin/network.php
238,6 → 238,15
}
}
break;
 
case 'https_login': // Set HTTPS login status
if ($_POST['https_login'] === 'on') {
exec('sudo /usr/local/bin/alcasar-https.sh --on');
} else {
exec('sudo /usr/local/bin/alcasar-https.sh --off');
}
header('Location: '.$_SERVER['PHP_SELF']);
exit();
}
 
// Network changes
617,7 → 626,7
<tr><td colspan="2" valign="middle" align="left">
<center><h3><?= $l_dhcp_state ?> : <?= ${'l_DHCP_'.$conf['DHCP']} ?></h3></center>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="POST">
<select name="choix">";
<select name="choix">
<option value="DHCP_Off"<?= ((!strcmp($conf['DHCP'], 'off')) ? ' selected' : '') ?>><?= $l_DHCP_off ?></option>
<option value="DHCP_On"<?= ((!strcmp($conf['DHCP'], 'on')) ? ' selected' : '') ?>><?= $l_DHCP_on ?></option>
</select>
700,16 → 709,24
</table>
<table width="100%" cellspacing="0" cellpadding="5" border="1">
<tr>
<td width="50%">
<h3>Importer un certificat existant</h3>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data">
<?= $l_private_key;?> <input type="file" name="key"><br>
<?= $l_certificate;?> <input type="file" name="crt"><br>
<?= $l_server_chain;?> <input type="file" name="sc"><br>
<input type="hidden" name="choix" value="import_cert">
<input type="submit" value="<?= $l_import ?>">
<td width="50%" valign="top">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="https_login">
<span>Autoriser les utilisateurs à se connecter de manière non sécurisée :</span><br>
<select name="https_login">
<option value="on"<?= (($conf['HTTPS_LOGIN'] === 'on') ? ' selected' : '') ?>>Non</option>
<option value="off"<?= (($conf['HTTPS_LOGIN'] === 'off') ? ' selected' : '') ?>>Oui</option>
</select>
<input type="submit" value="<?= $l_apply ?>"><br>
<span>/!\ Les identifiants de connexion seront envoyés en clair.</span>
</form>
 
<br>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="default_cert">
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>>
</form>
</td>
<td width="50%" valign="top">
<?php
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt'));
 
719,10 → 736,6
$CAdomain = $certificateInfos['issuer']['CN'];
$CAorganization = (isset($certificateInfos['issuer']['O'])) ? $certificateInfos['issuer']['O'] : '';
?>
 
<br>
<hr>
 
<h3><?= $l_current_certificate ?></h3>
Expiration Date : <?= $cert_expiration_date ?><br>
Common name : <?= $domain ?><br>
730,11 → 743,17
<h4><?= $l_validated ?></h4>
Common name : <?= $CAdomain ?><br>
Organization : <?= $CAorganization ?><br>
 
<br>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="default_cert">
<input type="submit" value="<?= $l_default_cert ?>" <?= (!file_exists('/etc/pki/tls/certs/alcasar.crt.old') || !file_exists('/etc/pki/tls/private/alcasar.key.old')) ? ' disabled' : '' ?>>
</td>
</tr>
<tr>
<td width="50%" valign="top">
<h3>Importer un certificat</h3>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data">
<?= $l_private_key;?> <input type="file" name="key"><br>
<?= $l_certificate;?> <input type="file" name="crt"><br>
<?= $l_server_chain;?> <input type="file" name="sc"><br>
<input type="hidden" name="choix" value="import_cert">
<input type="submit" value="<?= $l_import ?>">
</form>
</td>
<td width="50%" valign="top">
751,7 → 770,7
}
?>
<h3>Intégration Let's Encrypt</h3>
<?php if ($step === 1) : ?>
<?php if ($step === 1): ?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="le_issueCert">
Status : Inactif<br>
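Review bot: In the new `case 'https_login'` any value other than the literal `'on'` — including a missing `$_POST['https_login']`, which also raises a PHP notice — runs `alcasar-https.sh --off`, so a malformed or truncated request disables HTTPS login instead of being rejected. Treating only the two expected values as valid and ignoring anything else keeps the switch fail-safe: `$https_login = isset($_POST['https_login']) ? $_POST['https_login'] : '';` then `if ($https_login === 'on') { exec('sudo /usr/local/bin/alcasar-https.sh --on'); } elseif ($https_login === 'off') { exec('sudo /usr/local/bin/alcasar-https.sh --off'); }`. The closing `}` after `exit();` belongs to a switch that starts outside the hunk. The remaining hunks in this file move the certificate-import and default-cert forms between table cells and fix the stray `";` on `<select name="choix">`, which raise nothing further.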
/web/intercept.php
343,8 → 343,8
$l_autoregistration = "Auto registration (sms)";
}
 
# If https not use, tell it's wrong
if ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off')) {
# If HTTPS not use, tell it's wrong
if (($conf['HTTPS_LOGIN'] === 'on') && ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off'))) {
// Cleaning the cache
header('Expires: Tue, 01 Jan 2000 00:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
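Review bot: The reworked condition only enforces the HTTPS check when `$conf['HTTPS_LOGIN'] === 'on'`, so on an installation whose conf predates this revision and has no `HTTPS_LOGIN` key (alcasar.sh appends it at install time; whether the upgrade path does too is not visible here) the comparison is false, the branch is skipped, and the login form is served over plain HTTP without the operator having chosen that. Inverting the test so that anything but an explicit `off` keeps the check makes the default secure: `if ((!isset($conf['HTTPS_LOGIN']) || ($conf['HTTPS_LOGIN'] !== 'off')) && ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])) || ($_SERVER['HTTPS'] === 'off'))) {`. Where `$conf` is loaded is outside the hunk, so whether a missing key is already defaulted there cannot be confirmed from here.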