diff --git a/bin/installfog.sh b/bin/installfog.sh index 22f68f9cfe..9eefe48668 100755 --- a/bin/installfog.sh +++ b/bin/installfog.sh @@ -34,6 +34,8 @@ help() { echo -e "\t\t[-D ] [-c ]" echo -e "\t\t[-W ] [-B ]" echo -e "\t\t[-s <192.168.1.10>] [-e <192.168.1.254>] [-b ]" + echo -e "\t\t[-v ] [-k ] [-t ]" + echo -e "\t\t[-p ]" echo -e "\t-h -? --help\t\t\tDisplay this info" echo -e "\t-o --oldcopy\t\t\tCopy back old data" echo -e "\t-d --no-defaults\t\tDon't guess defaults" @@ -63,9 +65,13 @@ help() { echo -e "\t-P --no-pxedefault\t\tDo not overwrite pxe default file" echo -e "\t-F --no-vhost\t\tDo not overwrite vhost file" echo -e "\t-A --arm-support\t\tDo not overwrite vhost file" + echo -e "\t-v --server-cert\t\tSpecify the location of the server's certificate" + echo -e "\t-k --server-key\t\tSpecify the location of the server's certificate key" + echo -e "\t-t --external-CA\t\tSpecify the location of the CA chain certificate" + echo -e "\t-p --ocsp\t\t\tSpecify the URI of the OCSP server" exit 0 } -optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:" +optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:v:t:k:p:" while getopts "$optspec" o; do case $o in -) @@ -182,7 +188,39 @@ while getopts "$optspec" o; do arm-support) sarmsupport=1 ;; - *) + server-cert) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 9 + fi + sserverCert="${OPTARG}" + ;; + server-key) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 10 + fi + sserverKey="${OPTARG}" + ;; + external-CA) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 11 + fi + sexternalCA="${OPTARG}" + ;; + ocsp) + if [[ -z $OPTARG ]]; then + echo "--$OPTARG requires a URI to follow" + help + exit 12 + fi + socsp="${OPTARG}" + ;; + *) if [[ $OPTERR == 1 && ${optspec:0:1} != : ]]; then echo "Unknown option: --${OPTARG}" help 
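Review bot: The error messages in the new `server-cert`, `server-key` and `external-CA` arms print the option's value rather than its name — `OPTARG` holds the path at that point, as the `sserverCert="${OPTARG}"` assignment shows — so a bad path yields `--/some/path requires a file to follow`; `echo "--server-cert requires an existing file (got '$OPTARG')"`, and likewise for the other two, reads correctly. The same applies to the short-option arms in the `@@ -299` hunk, where `k)` and `p)` additionally print `--` for a single-dash option. The `-f` test accepts a relative path, but the installer changes directory later (the `cd $buildipxesrc` / `cd $workingdir` lines in the configureTFTPandPXE hunk), so storing `sserverCert=$(readlink -f -- "$OPTARG")` would keep the value valid by the time createSSLCA reads it. The `ocsp` arm only checks for a non-empty value although the string is written verbatim into the Apache config as `SSLOCSPDefaultResponder`; a `[[ $OPTARG == http://* || $OPTARG == https://* ]]` test would reject obvious mistakes before anything is installed.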
@@ -299,6 +337,38 @@ while getopts "$optspec" o; do A) sarmsupport=1 ;; + v) + if [[ ! -f $OPTARG ]]; then + echo "-$OPTARG requires a file to follow" + help + exit 9 + fi + sserverCert="${OPTARG}" + ;; + k) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 10 + fi + sserverKey="${OPTARG}" + ;; + t) + if [[ ! -f $OPTARG ]]; then + echo "-$OPTARG requires a file to follow" + help + exit 11 + fi + sexternalCA="${OPTARG}" + ;; + p) + if [[ -z $OPTARG ]]; then + echo "--$OPTARG requires a URI to follow" + help + exit 12 + fi + socsp="${OPTARG}" + ;; :) echo "Option -$OPTARG requires a value" help @@ -382,6 +452,14 @@ echo "Done" [[ -z $httpproto ]] && httpproto="http" [[ -z $armsupport ]] && armsupport=0 [[ -z $fogpriorconfig ]] && fogpriorconfig="$fogprogramdir/.fogsettings" +[[ -n $sserverCert ]] && serverCert=$sserverCert +[[ -n $sserverKey ]] && serverKey=$sserverKey +[[ -n $sexternalCA ]] && externalCA=$sexternalCA + +[[ ! -z "$sserverCert" && ( -z "$sserverKey" || -z "$sexternalCA" ) ]] && { printf "\nMissing server certificate key and/or CA certificate(s)\n\n"; exit; } +[[ ! -z "$sserverKey" && ( -z "$sserverCert" || -z "$sexternalCA" ) ]] && { printf "\nMissing server certificate and/or CA cerificate(s)\n\n"; exit; } +[[ ! -z "$sexternalCA" && ( -z "$sserverCert" || -z "$sserverKey" ) ]] && { printf "\nMissing server certificate and/or server certificate key\n\n"; exit; } + #clearScreen if [[ -z $* || $* != +(-h|-?|--help|--uninstall) ]]; then echo > "$workingdir/error_logs/foginstall.log" @@ -390,7 +468,7 @@ fi displayBanner echo -e " Version: $version Installer/Updater\n" checkSELinux -checkFirewall +rulesFirewall case $doupdate in 1) if [[ -f $fogpriorconfig ]]; then 
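Review bot: The three consistency checks terminate with a bare `exit`, which reports status 0, so a wrapper or CI job sees the aborted install as a success; use `exit 1` (or a distinct code in the style of the 9–12 used by the option parser). The second message also misspells "certificate" as "cerificate". The `serverCert=$sserverCert` / `serverKey` / `externalCA` assignments sit before the `$fogpriorconfig` load in the `case $doupdate` block, whereas the sibling `[[ -n $socsp ]] && ocsp=$socsp` in the `@@ -421` hunk sits after it like the other `s*` overrides; if `.fogsettings` ever stores these names, the saved values would silently override the command line, so moving the three lines next to the `ocsp` one keeps precedence consistent. The three checks also collapse into one: `if [[ -n $sserverCert$sserverKey$sexternalCA && ( -z $sserverCert || -z $sserverKey || -z $sexternalCA ) ]]; then printf '\nThe server certificate, its key and the CA chain must all be given\n\n'; exit 1; fi`.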
@@ -421,6 +499,7 @@ esac [[ -n $ssslpath ]] && sslpath=$ssslpath [[ -n $srecreateCA ]] && recreateCA=$srecreateCA [[ -n $srecreateKeys ]] && recreateKeys=$srecreateKeys +[[ -n $socsp ]] && ocsp=$socsp [[ -f $fogpriorconfig ]] && grep -l webroot $fogpriorconfig >>$workingdir/error_logs/fog_error_${version}.log 2>&1 case $? in @@ -630,7 +709,7 @@ while [[ -z $blGo ]]; do echo echo " This can be done by opening a web browser and going to:" echo - echo " ${httpproto}://${ipaddress}${webroot}management" + echo " ${httpproto}://${hostname}${webroot}management" echo echo " Default User Information" echo " Username: fog" diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 073ae91846..0cb3574382 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -52,7 +52,7 @@ backupDB() { dots "Backing up database" if [[ -d $backupPath/fog_web_${version}.BACKUP ]]; then [[ ! -d $backupPath/fogDBbackups ]] && mkdir -p $backupPath/fogDBbackups >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$ipaddress/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 fi errorStat $? } @@ -71,7 +71,7 @@ updateDB() { echo " * You still need to install/update your database schema." echo " * This can be done by opening a web browser and going to:" echo - echo " $httpproto://${ipaddress}/fog/management" + echo " $httpproto://${hostname}/fog/management" echo read -p " * Press [Enter] key when database is updated/installed." echo 
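Review bot: `--no-check-certificate` stays on the backup request in backupDB even though this commit gives the server certificate a SAN matching `$hostname` and, with `-t/--external-CA`, installs the chain into the system trust store, so the one request that posts to the management interface still accepts any certificate. When a chain was supplied it can be pinned without touching the self-signed flow: `wgetopts=(--no-check-certificate)`, `[[ -n $externalCA ]] && wgetopts=(--ca-certificate="$externalCA")`, then `wget "${wgetopts[@]}" -O ...`. Whether the self-signed `.fogCA.pem` path could likewise drop the flag depends on that CA being in the store, which the diff only does for the external chain, so I would leave that path alone. backupDB's opening line is outside the hunk.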
@@ -417,7 +417,7 @@ configureFTP() { } configureDefaultiPXEfile() { [[ -z $webroot ]] && webroot='/' - echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain ${httpproto}://$ipaddress${webroot}service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" + echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain ${httpproto}://${ipaddress}/fog/service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" } configureTFTPandPXE() { [[ -d ${tftpdirdst}.prev ]] && rm -rf ${tftpdirdst}.prev >>$workingdir/error_logs/fog_error_${version}.log 2>&1 @@ -428,7 +428,11 @@ configureTFTPandPXE() { if [[ "x$httpproto" = "xhttps" ]]; then dots "Compiling iPXE binaries that trust our SSL certificate" cd $buildipxesrc - ./buildipxe.sh ${sslpath}CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + if [ ! -z "$externalCA" ]; then + ./buildipxe.sh $externalCA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + ./buildipxe.sh ${sslpath}CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi errorStat $? cd $workingdir fi 
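Review bot: The new `chain` URL hard-codes `/fog/` in place of `${webroot}`, so an install with a non-default web root boots clients to the wrong path, and the `[[ -z $webroot ]] && webroot='/'` line just above it becomes dead; keep `chain ${httpproto}://${ipaddress}${webroot}service/ipxe/boot.php##params`. The `RewriteCond %{REQUEST_URI} /fog/service/ipxe/` added in the Apache hunk (`@@ -1716`) hard-codes the same path and should use `${webroot}` as well. Keeping `$ipaddress` here while the rest of the commit moves to `$hostname` looks deliberate for PXE clients that may have no DNS, but a comment saying so would save the next reader the question.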
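Review bot: `$externalCA` is passed to `./buildipxe.sh` unquoted while the same value is quoted everywhere else in this commit (`cp -f "$externalCA"` in createSSLCA), and the test uses `[ ! -z ... ]` where the surrounding code uses `[[ ... ]]` (`if [[ "x$httpproto" = "xhttps" ]]` two lines up); `if [[ -n $externalCA ]]; then ./buildipxe.sh "$externalCA" ...` matches the file. Whether buildipxe.sh embeds every certificate of a multi-certificate chain file or only the first cannot be seen from here — worth confirming, since an iPXE image that trusts only an intermediate would fail to validate the leaf. configureTFTPandPXE continues outside the hunk.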
@@ -1054,7 +1058,7 @@ configureMySql() { [[ -n $snmysqlpass ]] && options=( "${options[@]}" "--password=$snmysqlpass" ) sqlescsnmysqlpass=$(echo "$snmysqlpass" | sed -e s/\'/\'\'/g) # Replace every ' with '' for full MySQL escaping sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 mysqlver=$(mysql -V | sed -n 's/.*Distrib[ ]\(\([0-9]\([.]\|\)\)*\).*\([-]\|\)[,].*/\1/p') mariadb=$(mysql -V | sed -n 's/.*Distrib[ ].*[-]\(.*\)[,].*/\1/p') vertocheck="5.7" 
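Review bot: The rewritten `mysql` call puts `--password="$snmysqlpass"` on the command line unconditionally, so the database password is visible in process listings for the duration of every call and is passed as an empty `--password=` when no password is set; the `options` array built two lines above (and still built) was the mechanism for the conditional flag, and `"${options[@]}"` is the fix for the `"${options}"` single-element expansion this line replaces. To keep the secret off argv altogether: `MYSQL_PWD="$snmysqlpass" mysql -s --host="$snmysqlhost" --user="$snmysqluser" -e "$sql" >>...` (the environment is readable only by the same user, unlike argv). The three `mysql` lines in the `@@ -1079` hunk have the same shape. Whether `--host=""` for an unset `$snmysqlhost` behaves like the previous default I cannot tell from here — presumably the variable is always populated by then, but confirm. configureMySql starts before the hunk.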
@@ -1079,12 +1083,12 @@ configureMySql() { case $snmysqlhost in 127.0.0.1|[Ll][Oo][Cc][Aa][Ll][Hh][Oo][Ss][Tt]) sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - sql="ALTER USER '$snmysqluser'@'127.0.0.1' IDENTIFIED WITH mysql_native_password BY '$sqlescsnmysqlpass';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - sql="ALTER USER '$snmysqluser'@'localhost' IDENTIFIED WITH mysql_native_password BY '$sqlescsnmysqlpass';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - ;; + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + sql="ALTER USER '$snmysqluser'@'127.0.0.1' IDENTIFIED BY '$sqlescsnmysqlpass';" + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + sql="ALTER USER '$snmysqluser'@'localhost' IDENTIFIED BY '$sqlescsnmysqlpass';" + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + ;; *) sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 
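Review bot: The `*)` arm right after the rewritten localhost arm still runs `mysql "${options}"`, the single-element expansion the localhost arm just abandoned, so for a remote database host the `ALTER USER` statements run without the host/user/password flags; both arms should use the same invocation. Dropping `WITH mysql_native_password` from the two `ALTER USER` statements leaves `$snmysqluser` on the server's default plugin, which on MySQL 8 is `caching_sha2_password`; if the preceding `UPDATE mysql.user SET plugin='mysql_native_password'` for root reflects a client-compatibility requirement, the same presumably applies here — confirm before merging. The password-on-argv point is raised at the `@@ -1054` hunk.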
@@ -1630,15 +1634,28 @@ displayBanner() { echo } createSSLCA() { - if [[ -z $sslpath ]]; then - [[ -d /opt/fog/snapins/CA && -d /opt/fog/snapins/ssl ]] && mv /opt/fog/snapins/CA /opt/fog/snapins/ssl/ - sslpath='/opt/fog/snapins/ssl/' - fi - if [[ $recreateCA == yes || $caCreated != yes || ! -e $sslpath/CA || ! -e $sslpath/CA/.fogCA.key ]]; then - mkdir -p $sslpath/CA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - dots "Creating SSL CA" - openssl genrsa -out $sslpath/CA/.fogCA.key 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl req -x509 -new -sha512 -nodes -key $sslpath/CA/.fogCA.key -days 3650 -out $sslpath/CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF + if [ ! -z "$serverCert" ]; then + dots "Copying server certificate and key" + mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cp -f "$serverCert" $webdirdest/management/other/ssl/srvpublic.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cp -f "$serverKey" $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + if [[ $osid -eq 2 ]]; then + cp -f "$externalCA" /usr/local/share/ca-certificates/chain.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + cp -f "$externalCA" /etc/pki/ca-trust/source/anchors/chain.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi + openssl x509 -outform der -in "$externalCA" -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + else + if [[ -z $sslpath ]]; then + [[ -d /opt/fog/snapins/CA && -d /opt/fog/snapins/ssl ]] && mv /opt/fog/snapins/CA /opt/fog/snapins/ssl/ + sslpath='/opt/fog/snapins/ssl/' + fi + if [[ $recreateCA == yes || $caCreated != yes || ! -e $sslpath/CA || ! 
-e $sslpath/CA/.fogCA.key ]]; then + mkdir -p $sslpath/CA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + dots "Creating SSL CA" + openssl genrsa -out $sslpath/CA/.fogCA.key 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl req -x509 -new -sha512 -nodes -key $sslpath/CA/.fogCA.key -days 3650 -out $sslpath/CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF . . . @@ -1647,14 +1664,14 @@ createSSLCA() { FOG Server CA . EOF - errorStat $? - fi - [[ -z $sslprivkey ]] && sslprivkey="$sslpath/.srvprivate.key" - if [[ $recreateKeys == yes || $recreateCA == yes || $caCreated != yes || ! -e $sslpath || ! -e $sslprivkey ]]; then - dots "Creating SSL Private Key" - mkdir -p $sslpath >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl genrsa -out $sslprivkey 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - cat > $sslpath/req.cnf << EOF + errorStat $? + fi + [[ -z $sslprivkey ]] && sslprivkey="$sslpath/.srvprivate.key" + if [[ $recreateKeys == yes || $recreateCA == yes || $caCreated != yes || ! -e $sslpath || ! -e $sslprivkey ]]; then + dots "Creating SSL Private Key" + mkdir -p $sslpath >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl genrsa -out $sslprivkey 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cat > $sslpath/req.cnf << EOF [req] distinguished_name = req_distinguished_name req_extensions = v3_req 
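Review bot: In the new external-certificate branch `$sslpath` can still be empty, because the `sslpath='/opt/fog/snapins/ssl/'` default was moved into the `else` branch, so `cp -f "$serverKey" $sslpath/.srvprivate.key` would write the private key to `/.srvprivate.key` and the later `SSLCertificateKeyFile ${sslpath}/.srvprivate.key` would point at `//.srvprivate.key`; the default belongs before the `if`. The key is copied with `cp -f`, which keeps the source file's mode, so a key handed over world-readable stays that way next to the web server — write it with `install -m 0600`. `errorStat $?` reports only the final `openssl x509` exit status, so the `mkdir`/`cp` failures before it are lost. Whether `$osid -eq 2` is the only Debian-family id and every other target has `/etc/pki/ca-trust/source/anchors` I cannot tell from here. createSSLCA continues past the hunk.
```shell
createSSLCA() {
    # Resolve $sslpath before either branch: the external-certificate path
    # below also writes under it.
    if [[ -z $sslpath ]]; then
        [[ -d /opt/fog/snapins/CA && -d /opt/fog/snapins/ssl ]] && mv /opt/fog/snapins/CA /opt/fog/snapins/ssl/
        sslpath='/opt/fog/snapins/ssl/'
    fi
    if [[ -n $serverCert ]]; then
        dots "Copying server certificate and key"
        rc=0
        mkdir -p "$sslpath" "$webdirdest/management/other/ssl" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 || rc=$?
        # Refuse a key that does not belong to the certificate; otherwise Apache
        # fails much later with a far less obvious message.
        [[ $(openssl x509 -noout -pubkey -in "$serverCert" 2>/dev/null) == "$(openssl pkey -pubout -in "$serverKey" 2>/dev/null)" ]] || rc=1
        cp -f "$serverCert" "$webdirdest/management/other/ssl/srvpublic.crt" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 || rc=$?
        # cp keeps the source file's mode; the private key must be owner-only.
        install -m 0600 "$serverKey" "${sslpath}/.srvprivate.key" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 || rc=$?
        # … unchanged: chain.crt copy into the distro trust anchors …
        openssl x509 -outform der -in "$externalCA" -out "$webdirdest/management/other/ca.cert.der" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 || rc=$?
        errorStat $rc
    else
        # … unchanged: self-signed CA and key generation …
```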
@@ -1667,27 +1684,28 @@ subjectAltName = @alt_names DNS.1 = $ipaddress DNS.2 = $hostname EOF - openssl req -new -sha512 -key $sslprivkey -out $sslpath/fog.csr -config $sslpath/req.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF + openssl req -new -sha512 -key $sslprivkey -out $sslpath/fog.csr -config $sslpath/req.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF $ipaddress EOF - errorStat $? - fi - [[ ! -e $sslpath/.srvprivate.key ]] && ln -sf $sslprivkey $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - dots "Creating SSL Certificate" - mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - cat > $sslpath/ca.cnf << EOF + errorStat $? + fi + [[ ! -e $sslpath/.srvprivate.key ]] && ln -sf $sslprivkey $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + dots "Creating SSL Certificate" + mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cat > $sslpath/ca.cnf << EOF [v3_ca] subjectAltName = @alt_names [alt_names] DNS.1 = $ipaddress DNS.2 = $hostname EOF - openssl x509 -req -in $sslpath/fog.csr -CA $sslpath/CA/.fogCA.pem -CAkey $sslpath/CA/.fogCA.key -CAcreateserial -out $webdirdest/management/other/ssl/srvpublic.crt -days 3650 -extensions v3_ca -extfile $sslpath/ca.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - errorStat $? - dots "Creating auth pub key and cert" - cp $sslpath/CA/.fogCA.pem $webdirdest/management/other/ca.cert.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl x509 -outform der -in $webdirdest/management/other/ca.cert.pem -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - errorStat $? 
+ openssl x509 -req -in $sslpath/fog.csr -CA $sslpath/CA/.fogCA.pem -CAkey $sslpath/CA/.fogCA.key -CAcreateserial -out $webdirdest/management/other/ssl/srvpublic.crt -days 3650 -extensions v3_ca -extfile $sslpath/ca.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + dots "Creating auth pub key and cert" + cp $sslpath/CA/.fogCA.pem $webdirdest/management/other/ca.cert.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl x509 -outform der -in $webdirdest/management/other/ca.cert.pem -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + fi dots "Resetting SSL Permissions" chown -R $apacheuser:$apacheuser $webdirdest/management/other >>$workingdir/error_logs/fog_error_${version}.log 2>&1 errorStat $? @@ -1716,8 +1734,10 @@ EOF echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" echo " RewriteRule /management/other/ca.cert.der$ - [L]" >> "$etcconf" - echo " RewriteCond %{HTTPS} off" >> "$etcconf" - echo " RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf" + echo " RewriteCond %{REQUEST_URI} /fog/service/ipxe/" >> "$etcconf" + echo " RewriteRule (.*) - [R,L]" >> "$etcconf" + echo " RewriteCond %{HTTPS} off" >> "$etcconf" + echo " RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf" echo "" >> "$etcconf" echo "" >> "$etcconf" echo " KeepAlive Off" >> "$etcconf" 
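Review bot: `RewriteRule (.*) - [R,L]` is meant as a pass-through for the iPXE path, but `R` requests an external redirect, which with a `-` substitution is at best ignored and at worst sends the client back to the same URL; the pass-through form is `RewriteRule .* - [L]`. The condition `%{REQUEST_URI} /fog/service/ipxe/` is unanchored and hard-codes the web root; `RewriteCond %{REQUEST_URI} ^${webroot}service/ipxe/` limits it to the intended prefix on any install. The exemption also means boot scripts are fetched over plain HTTP even when `httpproto` is https, while the `@@ -428` hunk builds iPXE to trust the CA — if that build works the exemption may be unnecessary, and if it is needed (for example for the unsigned bootstrap) a comment stating why would help. The enclosing `if` block starts and ends outside the hunk.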
@@ -1728,19 +1748,37 @@ EOF echo " SetHandler \"proxy:fcgi://127.0.0.1:9000/\"" >> "$etcconf" fi echo " " >> "$etcconf" - echo " ServerName $ipaddress" >> "$etcconf" - echo " ServerAlias $hostname" >> "$etcconf" + echo " ServerName $hostname" >> "$etcconf" + echo " ServerAlias $ipaddress" >> "$etcconf" echo " DocumentRoot $docroot" >> "$etcconf" echo " SSLEngine On" >> "$etcconf" echo " SSLProtocol all -SSLv3 -SSLv2" >> "$etcconf" echo " SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >> "$etcconf" echo " SSLHonorCipherOrder On" >> "$etcconf" - echo " SSLCertificateFile $webdirdest/management/other/ssl/srvpublic.crt" >> "$etcconf" - echo " SSLCertificateKeyFile $sslprivkey" >> "$etcconf" - echo " SSLCertificateChainFile $webdirdest/management/other/ca.cert.der" >> "$etcconf" + echo " SSLCertificateFile ${webdirdest}management/other/ssl/srvpublic.crt" >> "$etcconf" + echo " SSLCertificateKeyFile ${sslpath}/.srvprivate.key" >> "$etcconf" + #echo " SSLCertificateKeyFile $sslprivkey" >> "$etcconf" + if [ ! 
-z "$externalCA" ]; then + if [[ $osid -eq 2 ]]; then + echo " SSLCACertificateFile /usr/local/share/ca-certificates/chain.crt" >> "$etcconf" + else + echo " SSLCACertificateFile /etc/pki/ca-trust/source/anchors/chain.crt" >> "$etcconf" + fi + else + echo " SSLCertificateChainFile $webdirdest/management/other/ca.cert.der" >> "$etcconf" + fi echo " " >> "$etcconf" echo " DirectoryIndex index.php index.html index.htm" >> "$etcconf" echo " " >> "$etcconf" + echo " SSLVerifyClient optional" >> "$etcconf" + echo " SSLVerifyDepth 3" >> "$etcconf" + echo " SSLOptions +StdEnvVars" >> "$etcconf" + if [ ! -z "$ocsp" ]; then + echo " SSLOCSPEnable leaf" >> "$etcconf" + echo " SSLOCSPUseRequestNonce off" >> "$etcconf" + echo " SSLOCSPDefaultResponder $ocsp" >> "$etcconf" + echo " SSLOCSPOverrideResponder on" >> "$etcconf" + fi echo " RewriteEngine On" >> "$etcconf" echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" @@ -1758,8 +1796,8 @@ EOF fi echo " " >> "$etcconf" echo " KeepAlive Off" >> "$etcconf" - echo " ServerName $ipaddress" >> "$etcconf" - echo " ServerAlias $hostname" >> "$etcconf" + echo " ServerName $hostname" >> "$etcconf" + echo " ServerAlias $ipaddress" >> "$etcconf" echo " DocumentRoot $docroot" >> "$etcconf" echo " " >> "$etcconf" echo " DirectoryIndex index.php index.html index.htm" >> "$etcconf" @@ -1810,6 +1848,11 @@ EOF ;; esac dots "Starting and checking status of web services" + if [[ $osid -eq 2 ]]; then + update-ca-certificates >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + trust extract-compat >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi case $systemctl in yes) case $osid in 
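Review bot: `SSLCertificateFile ${webdirdest}management/other/ssl/srvpublic.crt` drops the `/` that every other use of `$webdirdest` in this commit keeps (`$webdirdest/management/other/ca.cert.der` a few lines below, the `cp` in createSSLCA), so unless `$webdirdest` always ends in a slash Apache is pointed at a non-existent file and will not start; write `${webdirdest}/management/other/ssl/srvpublic.crt`. `SSLVerifyClient optional`, `SSLVerifyDepth 3` and `SSLOptions +StdEnvVars` are emitted even in the branch that sets no `SSLCACertificateFile`, and in the external branch every certificate chaining to the supplied file within depth 3 becomes a login identity through `hasValidCert()`; gating the three lines on `$externalCA` and documenting which CA is expected to issue user certificates keeps that surface explicit. `SSLOCSPUseRequestNonce off` accepts responder answers without a request nonce, so a cached response is replayable for its validity window — reasonable for responders that do not support nonces, but the reason belongs in a comment next to the line. The `#echo " SSLCertificateKeyFile $sslprivkey"` line is dead code; either delete it or keep `$sslprivkey` (its default is still computed in createSSLCA) so a custom key location keeps working.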
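Review bot: `update-ca-certificates` / `trust extract-compat` run unconditionally and their exit status is discarded, so a failure to install the supplied chain into the system store goes unnoticed, under a `dots` line that announces a different step. Run them only when a chain was supplied and report the result: `if [[ -n $externalCA ]]; then dots "Updating system CA trust"; if [[ $osid -eq 2 ]]; then update-ca-certificates >>...; else trust extract-compat >>...; fi; errorStat $?; fi`. Whether `trust` (p11-kit) is present on every non-Debian target this installer supports is not visible here.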
@@ -2001,6 +2044,11 @@ configureHttpd() { fi dots "Copying new files to web folder" cp -Rf $webdirsrc/* $webdirdest/ + if [[ $osid -eq 2 ]]; then + cp -f $webdirsrc/index.php /var/www/ + else + cp -f $webdirsrc/index.php /var/www/html/ + fi errorStat $? for i in $(find $backupPath/fog_web_${version}.BACKUP/management/other/ -maxdepth 1 -type f -not -name gpl-3.0.txt -a -not -name index.php -a -not -name 'ca.*' 2>>$workingdir/error_logs/fog_error_${version}.log); do cp -Rf $i ${webdirdest}/management/other/ >>$workingdir/error_logs/fog_error_${version}.log 2>&1 @@ -2106,7 +2154,7 @@ class Config define('USE_SLOPPY_NAME_LOOKUPS', true); define('MEMTEST_KERNEL', 'memtest.bin'); define('PXE_IMAGE', 'init.xz'); - define('STORAGE_HOST', \"${ipaddress}\"); + define('STORAGE_HOST', \"${hostname}\"); define('STORAGE_FTP_USERNAME', \"${username}\"); define( 'STORAGE_FTP_PASSWORD', @@ -2117,8 +2165,8 @@ class Config define('STORAGE_BANDWIDTHPATH', '${webroot}status/bandwidth.php'); define('STORAGE_INTERFACE', '${interface}'); define('CAPTURERESIZEPCT', 5); - define('WEB_HOST', \"${ipaddress}\"); - define('WOL_HOST', \"${ipaddress}\"); + define('WEB_HOST', \"${hostname}\"); + define('WOL_HOST', \"${hostname}\"); define('WOL_PATH', '/${webroot}wol/wol.php'); define('WOL_INTERFACE', \"${interface}\"); define('SNAPINDIR', \"${snapindir}/\"); diff --git a/packages/web/lib/pages/processlogin.class.php b/packages/web/lib/pages/processlogin.class.php index 08a6b8c213..5208072432 100644 --- a/packages/web/lib/pages/processlogin.class.php +++ b/packages/web/lib/pages/processlogin.class.php 
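Review bot: `errorStat $?` now reports the exit status of the `index.php` copy only, so a failure of the preceding `cp -Rf $webdirsrc/* $webdirdest/` — the command it used to check — is silently dropped. The destination is also hard-coded to `/var/www/` or `/var/www/html/` although the vhosts are generated with `DocumentRoot $docroot`; `cp -Rf $webdirsrc/* $webdirdest/ && cp -f $webdirsrc/index.php "$docroot/"` followed by `errorStat $?` checks both copies and follows the configured root. configureHttpd starts before the hunk.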
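Review bot: `STORAGE_HOST`, `WEB_HOST` and `WOL_HOST` now carry `$hostname`, which imaging clients, storage nodes and the WOL path must be able to resolve — the `default.ipxe` hunk in this same commit deliberately keeps `$ipaddress`, presumably because PXE-booted clients may have no working DNS, and those same clients consume `STORAGE_HOST`. If that is intended, a short comment above `define('STORAGE_HOST', ...)` stating the resolution requirement would make the trade-off explicit; the `@@ -2117` hunk has the same consideration. The surrounding here-document starts and ends outside the hunk.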
@@ -216,14 +216,63 @@ private function _setRedirMode() } if (count($http_query) < 1) { unset($redirect['login']); - self::redirect('index.php'); + self::redirect('index.php'); } $query = trim(http_build_query($http_query)); $redir = 'index.php'; if ($query) { $redir .= "?$query"; } - self::redirect($redir); + self::redirect($redir); + } + /** + * Generate a random string, using a cryptographically secure + * pseudorandom number generator (random_int) + * + * For PHP 7, random_int is a PHP core function + * + * @param int $length How many characters do we want? + * @param string $keyspace A string of all possible characters + * to select from + * @return string + */ + public function random_str($length, + $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-_=+') + { + $str = ''; + $max = mb_strlen($keyspace, '8bit') - 1; + if ($max < 1) { + throw new Exception('$keyspace must be at least two characters long'); + } + for ($i = 0; $i < $length; ++$i) { + $str .= $keyspace[random_int(0, $max)]; + } + return $str; + } + /** + * Checks for valid certificate + * Returns the sAMAccountName in the UPN + * + * @return string + */ + function hasValidCert() + { + if (!isset($_SERVER['SSL_CLIENT_M_SERIAL']) + || !isset($_SERVER['SSL_CLIENT_V_END']) + || !isset($_SERVER['SSL_CLIENT_VERIFY']) + || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS' + || !isset($_SERVER['SSL_CLIENT_I_DN']) + ) { + return false; + } + + if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) { + return false; + } + + $userFullUPN = $_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0']; + $userUPN = explode("@", $userFullUPN); + return $userUPN[0]; } /** * Processes the login. 
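Review bot: `hasValidCert()` turns any client certificate Apache verified into a login identity without pinning the issuer — `SSL_CLIENT_I_DN` is only tested with `isset`, never compared with the CA expected to issue user certificates — and it discards the UPN's domain part, so `user@other.example` and `user@corp.example` map to the same account; compare the issuer DN against a configured value and check the full UPN before returning its local part. Two `$_SERVER` keys are read without a guard: add `|| !isset($_SERVER['SSL_CLIENT_V_REMAIN'])` and `|| !isset($_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0'])` to the condition, otherwise a verified certificate without a UPN SAN raises a notice and yields an empty username. `$userUPN[0]` is likewise the whole string for a UPN without `@`. The method lacks a visibility keyword unlike its siblings; `public function hasValidCert()` with a docblock stating the `string|false` return matches the file. The enclosing class continues outside the hunk.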
@@ -232,11 +281,16 @@ private function _setRedirMode() */ public function processMainLogin() { - global $currentUser; - $uname = filter_input(INPUT_POST, 'uname'); - $upass = filter_input(INPUT_POST, 'upass'); - $this->_username = $uname; - $this->_password = $upass; + global $currentUser; + $user = $this->hasValidCert(); + if ($user == false) { + $user = filter_input(INPUT_POST, 'uname'); + $pass = filter_input(INPUT_POST, 'upass'); + } else { + $pass = $this->random_str(100); + } + $this->_username = $user; + $this->_password = $pass; $type = self::$FOGUser->get('type'); self::$HookManager ->processEvent( @@ -248,14 +302,14 @@ public function processMainLogin() } if (!$this->_username) { self::setMessage(self::$foglang['InvalidLogin']); - self::redirect('index.php?node=logout'); + self::redirect('index.php?node=logout'); } self::$FOGUser = self::attemptLogin( $this->_username, $this->_password ); if (!self::$FOGUser->isValid()) { - $this->_setRedirMode(); + $this->_setRedirMode(); } self::$HookManager ->processEvent( @@ -316,7 +370,7 @@ public function mainLoginForm() } // Login form echo ''; // Password @@ -344,8 +399,9 @@ public function mainLoginForm() echo self::$foglang['Password']; echo ''; echo '
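Review bot: `if ($user == false)` is a loose comparison, so a certificate whose UPN local part is `"0"` (or the empty string a certificate without UPN produces) is treated as "no certificate" and silently falls back to the posted credentials; `hasValidCert()` returns `string|false`, so `if ($user === false || $user === '')` states the intent. When the certificate path is taken the posted `uname`/`upass` are ignored and `$this->_password` is a throw-away `random_str(100)` that is still handed to `attemptLogin`, so the login can only succeed for a backend that skips the password check on `SSL_CLIENT_VERIFY` (the LDAP hunk); that coupling deserves a comment here so nobody later "fixes" the random password. `SSLVerifyClient optional` also means a browser holding a valid certificate can never sign in to a different account with a password on this form — acceptable, but worth stating in the method's docblock. processMainLogin continues outside the hunk.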
'; - echo ''; + //echo ''; + echo ''; echo '
'; echo ''; // Language diff --git a/packages/web/lib/plugins/ldap/class/ldap.class.php b/packages/web/lib/plugins/ldap/class/ldap.class.php index 93fcca55f0..fb49c2fe7e 100644 --- a/packages/web/lib/plugins/ldap/class/ldap.class.php +++ b/packages/web/lib/plugins/ldap/class/ldap.class.php @@ -441,7 +441,9 @@ public function authLDAP($user, $pass) /** * Rebind as the user */ - $bind = @$this->bind($userDN, $pass); + if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') { + $bind = @$this->bind($userDN, $pass); + } /** * If user unable to bind return immediately */
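Review bot: Skipping the LDAP bind on `$_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS'` ties the decision to the TLS session rather than to the account being authenticated: `$user` is never compared with the certificate's identity, so whenever a client presents any certificate the vhost accepts, the `uname` supplied in the POST body reaches this point with its password unverified. The branch also leaves `$bind` unset in the skip case; the context comment `If user unable to bind return immediately` suggests a `$bind` check follows outside the hunk, so either it treats the unset variable as a failed bind — and certificate login never works — or it was removed and no check remains. `$_SERVER['SSL_CLIENT_VERIFY']` is read without `isset`, which raises a notice on plain-HTTP requests. Skip the bind only when the verified certificate's UPN names `$user`, and set `$bind` explicitly in that branch. authLDAP starts before the hunk.
```php
            /**
             * Rebind as the user, unless the TLS client certificate Apache
             * already verified names this same account. SSL_CLIENT_VERIFY on
             * its own says nothing about which account is being logged in.
             */
            $certUser = null;
            if (isset($_SERVER['SSL_CLIENT_VERIFY'], $_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0'])
                && $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'
            ) {
                $certUser = strstr($_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0'], '@', true);
            }
            if ($certUser !== null && $certUser !== false && strcasecmp($certUser, $user) === 0) {
                $bind = true;
            } else {
                $bind = @$this->bind($userDN, $pass);
            }
            // … unchanged: "If user unable to bind return immediately" …
```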