From ecdc6a48febd86403befcabf371eafd30643e8c3 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Tue, 17 Dec 2019 14:26:27 -0500 Subject: [PATCH 01/15] Add files via upload --- bin/installfog.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/bin/installfog.sh b/bin/installfog.sh index 22f68f9cfe..e157ef5976 100755 --- a/bin/installfog.sh +++ b/bin/installfog.sh @@ -34,6 +34,7 @@ help() { echo -e "\t\t[-D ] [-c ]" echo -e "\t\t[-W ] [-B ]" echo -e "\t\t[-s <192.168.1.10>] [-e <192.168.1.254>] [-b ]" + echo -e "\t\t[-v ] [-k ] [-t ]" echo -e "\t-h -? --help\t\t\tDisplay this info" echo -e "\t-o --oldcopy\t\t\tCopy back old data" echo -e "\t-d --no-defaults\t\tDon't guess defaults" @@ -63,9 +64,12 @@ help() { echo -e "\t-P --no-pxedefault\t\tDo not overwrite pxe default file" echo -e "\t-F --no-vhost\t\tDo not overwrite vhost file" echo -e "\t-A --arm-support\t\tDo not overwrite vhost file" + echo -e "\t-v --server-cert\t\tSpecify the location of the server's certificate" + echo -e "\t-k --server-key\t\tSpecify the location of the server's certificate key" + echo -e "\t-t --external-CA\t\tSpecify the location of the CA chain certificate" exit 0 } -optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:" +optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:v:t:k:" while getopts "$optspec" o; do case $o in -) 
@@ -182,7 +186,31 @@ while getopts "$optspec" o; do arm-support) sarmsupport=1 ;; - *) + server-cert) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 9 + fi + sserverCert="${OPTARG}" + ;; + server-key) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 10 + fi + sserverKey="${OPTARG}" + ;; + external-CA) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 11 + fi + sexternalCA="${OPTARG}" + ;; + *) if [[ $OPTERR == 1 && ${optspec:0:1} != : ]]; then echo "Unknown option: --${OPTARG}" help @@ -299,6 +327,30 @@ while getopts "$optspec" o; do A) sarmsupport=1 ;; + v) + if [[ ! -f $OPTARG ]]; then + echo "-$OPTARG requires a file to follow" + help + exit 9 + fi + sserverCert="${OPTARG}" + ;; + k) + if [[ ! -f $OPTARG ]]; then + echo "--$OPTARG requires a file to follow" + help + exit 10 + fi + sserverKey="${OPTARG}" + ;; + t) + if [[ ! -f $OPTARG ]]; then + echo "-$OPTARG requires a file to follow" + help + exit 11 + fi + sexternalCA="${OPTARG}" + ;; :) echo "Option -$OPTARG requires a value" help 
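Review bot: The `exit 9`, `exit 10` and `exit 11` in the new `server-cert)`, `server-key)` and `external-CA)` arms are unreachable, because `help` ends in `exit 0` (visible in the previous hunk), so a missing certificate file makes the installer terminate with status 0; the `v)`, `k)` and `t)` arms in the next hunk have the same problem. The message also prints `$OPTARG`, which at that point holds the path (it is the value tested with `-f` and assigned to `sserverCert`), and the `k)` arm writes `--$OPTARG` where `v)` and `t)` write `-$OPTARG`. Name the option and exit before calling help, e.g. `echo "--server-cert requires an existing, readable file" >&2; exit 9`. `-f` only proves the path exists; the key is later copied into the server's private-key location, so testing `-r` here avoids a failure that would otherwise only show up in the error log.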
@@ -382,6 +434,14 @@ echo "Done" [[ -z $httpproto ]] && httpproto="http" [[ -z $armsupport ]] && armsupport=0 [[ -z $fogpriorconfig ]] && fogpriorconfig="$fogprogramdir/.fogsettings" +[[ -n $sserverCert ]] && serverCert=$sserverCert +[[ -n $sserverKey ]] && serverKey=$sserverKey +[[ -n $sexternalCA ]] && externalCA=$sexternalCA + +[[ ! -z "$sserverCert" && ( -z "$sserverKey" || -z "$sexternalCA" ) ]] && { printf "\nMissing server certificate key and/or CA certificate(s)\n\n"; exit; } +[[ ! -z "$sserverKey" && ( -z "$sserverCert" || -z "$sexternalCA" ) ]] && { printf "\nMissing server certificate and/or CA cerificate(s)\n\n"; exit; } +[[ ! -z "$sexternalCA" && ( -z "$sserverCert" || -z "$sserverKey" ) ]] && { printf "\nMissing server certificate and/or server certificate key\n\n"; exit; } + #clearScreen if [[ -z $* || $* != +(-h|-?|--help|--uninstall) ]]; then echo > "$workingdir/error_logs/foginstall.log" @@ -390,7 +450,7 @@ fi displayBanner echo -e " Version: $version Installer/Updater\n" checkSELinux -checkFirewall +rulesFirewall case $doupdate in 1) if [[ -f $fogpriorconfig ]]; then @@ -630,7 +690,7 @@ while [[ -z $blGo ]]; do echo echo " This can be done by opening a web browser and going to:" echo - echo " ${httpproto}://${ipaddress}${webroot}management" + echo " ${httpproto}://${hostname}${webroot}management" echo echo " Default User Information" echo " Username: fog" From 943190894361246f2471753ea61a0a8c0a429f72 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Tue, 17 Dec 2019 14:27:22 -0500 Subject: [PATCH 02/15] Add files via upload --- lib/common/functions.sh | 182 +++++++++++++++++++++++++++------------- 1 file changed, 123 insertions(+), 59 deletions(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 073ae91846..75371e134f 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh 
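Review bot: The three completeness checks added after the `fogpriorconfig` default end in a bare `exit`, which exits with the status of the preceding `printf`, i.e. 0, so an incomplete certificate set is reported as a successful run to whatever drives the installer. Use a non-zero status distinct from the 9–11 used by the option parser and write the message to stderr, e.g. `{ printf '\nMissing server certificate key and/or CA certificate(s)\n\n' >&2; exit 13; }`. The three lines can collapse into one: `if [[ -n "$sserverCert$sserverKey$sexternalCA" && ( -z "$sserverCert" || -z "$sserverKey" || -z "$sexternalCA" ) ]]`. The second message has a typo, "cerificate". The `checkFirewall` → `rulesFirewall` swap in the next hunk appears to change the installer from checking the firewall to adding rules to it; if nothing else calls `checkFirewall` after this series it should be removed rather than left as dead code.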
@@ -31,12 +31,20 @@ backupReports() { registerStorageNode() { [[ -z $webroot ]] && webroot="/" dots "Checking if this node is registered" - storageNodeExists=$(wget --no-check-certificate -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") + if [ ! -z "$serverCert" ]; then + storageNodeExists=$(wget -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") + else + storageNodeExists=$(wget --no-check-certificate -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") + fi echo "Done" if [[ $storageNodeExists != exists ]]; then [[ -z $maxClients ]] && maxClients=10 dots "Node being registered" - wget --no-check-certificate -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" + if [ ! 
-z "$serverCert" ]; then + wget -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" + else + wget --no-check-certificate -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" + fi echo "Done" else echo " * Node is registered" 
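Review bot: Dropping `--no-check-certificate` when `$serverCert` is set only works if the certificate's SAN covers the host wget connects to, and both new branches here still connect to `${ipaddress}`, whereas the `backupDB` and `updateDB` changes later in this commit switch the verified path to `${hostname}`; with a CA-issued certificate that names only the hostname, the verified branch of `registerStorageNode` fails the TLS handshake. Pick one host for every wget in this file (the name the certificate was issued for) rather than deciding per function. The two invocations differ only in one flag, so an options array avoids duplicating the long command line: `wgetopts=(); [[ -z $serverCert ]] && wgetopts+=(--no-check-certificate)` and then `wget "${wgetopts[@]}" -qO - ...`. The function otherwise uses `[[ -z ... ]]`; write the new tests as `[[ -n $serverCert ]]` for consistency.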
@@ -45,14 +53,22 @@ registerStorageNode() { updateStorageNodeCredentials() { [[ -z $webroot ]] && webroot="/" dots "Ensuring node username and passwords match" - wget --no-check-certificate -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" + if [ ! -z "$serverCert" ]; then + wget -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" + else + wget --no-check-certificate -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" + fi echo "Done" } backupDB() { dots "Backing up database" if [[ -d $backupPath/fog_web_${version}.BACKUP ]]; then [[ ! -d $backupPath/fogDBbackups ]] && mkdir -p $backupPath/fogDBbackups >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$ipaddress/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + if [ ! -z "$serverCert" ]; then + wget -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi fi errorStat $? } 
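Review bot: In `backupDB` both branches now fetch from `${hostname}`, including the `--no-check-certificate` branch that is taken when no external certificate was supplied, so existing installs whose hostname does not resolve from the server itself stop producing database backups, and the failure is only visible in the error log; `updateStorageNodeCredentials` in the same hunk keeps `$ipaddress` in both branches. Keep `$ipaddress` on the unverified path, or better, compute one host value once and use it in every wget in this file so the choice is not made per function. Here too the pair of near-identical commands could be one `wget "${wgetopts[@]}" ...` with the flag added conditionally.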
@@ -63,7 +79,11 @@ updateDB() {
 local replace='s/[]"\/$&*.^|[]/\\&/g'
 local escstorageLocation=$(echo $storageLocation | sed -e $replace)
 sed -i -e "s/'\/images\/'/'$escstorageLocation'/g" $webdirdest/commons/schema.php
- wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ if [ ! -z "$serverCert" ]; then
+ wget -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${hostname}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ else
+ wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ fi
 errorStat $?
 ;;
 *)
@@ -71,7 +91,7 @@ updateDB() {
 echo " * You still need to install/update your database schema."
 echo " * This can be done by opening a web browser and going to:"
 echo
- echo " $httpproto://${ipaddress}/fog/management"
+ echo " $httpproto://${hostname}/fog/management"
 echo
 read -p " * Press [Enter] key when database is updated/installed."
 echo
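Review bot: The verified branch posts the schema confirmation to `${hostname}` while the fallback keeps `${ipaddress}`, so adding `-v/-k/-t` to an existing install silently changes which vhost the installer talks to; `registerStorageNode` in this same commit uses `$ipaddress` on both paths, so the rule is not applied consistently across the file. Choose the host once and vary only the flag, e.g. `wget "${wgetopts[@]}" -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${fogserverhost}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1`. The enclosing `case` of `updateDB` starts outside this hunk.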
@@ -417,7 +437,7 @@ configureFTP() { } configureDefaultiPXEfile() { [[ -z $webroot ]] && webroot='/' - echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain ${httpproto}://$ipaddress${webroot}service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" + echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain http://${hostname}/fog/service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" } configureTFTPandPXE() { [[ -d ${tftpdirdst}.prev ]] && rm -rf ${tftpdirdst}.prev >>$workingdir/error_logs/fog_error_${version}.log 2>&1 @@ -428,7 +448,11 @@ configureTFTPandPXE() { if [[ "x$httpproto" = "xhttps" ]]; then dots "Compiling iPXE binaries that trust our SSL certificate" cd $buildipxesrc - ./buildipxe.sh ${sslpath}CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + if [ ! -z "$externalCA" ]; then + ./buildipxe.sh $externalCA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + ./buildipxe.sh ${sslpath}CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi errorStat $? cd $workingdir fi 
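Review bot: The new `chain http://${hostname}/fog/service/ipxe/boot.php##params` hard-codes both the scheme and the `/fog/` prefix where the replaced line used `${httpproto}` and `${webroot}`, so installs with a non-default webroot boot to a 404, and the boot script is fetched over plaintext HTTP even when the install is HTTPS — while the next hunk still compiles iPXE to trust the CA, which presumably only matters for an HTTPS chain. PXE clients must now also resolve `$hostname` through the DHCP-provided DNS, which the IP form never required; if that is the intended trade-off, say so in a comment. If HTTP is deliberate, keep the variable for the prefix: `chain http://${hostname}${webroot}service/ipxe/boot.php##params`. In the `configureTFTPandPXE` hunk, quote the new argument: `./buildipxe.sh "$externalCA"`.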
@@ -750,6 +774,25 @@ checkSELinux() { esac done } +rulesFirewall() { + fwstate=$(firewall-cmd --state 2>&1) + [[ "x$fwstate" == "xrunning" ]] && fwrunning=1 + [[ $fwrunning -ne 1 ]] && return + echo " * The local firewall seems to be currently enabled on your system." + echo " * We will attempt to add rules to the active zone." + systemctl start firewalld >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + systemctl enable firewalld >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba + do + firewall-cmd --permanent --add-service=$service >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + done + if [[ $bldhcp -eq 1 ]]; then + firewall-cmd --permanent --add-service=dhcp >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi + firewall-cmd --permanent --add-port=49152-65532/udp >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p igmp -j ACCEPT >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + firewall-cmd --reload >>$workingdir/error_logs/fog_error_${version}.log 2>&1 +} checkFirewall() { command -v iptables >>$workingdir/error_logs/fog_error_${version}.log 2>&1 iptcmd=$? @@ -1054,7 +1097,7 @@ configureMySql() { [[ -n $snmysqlpass ]] && options=( "${options[@]}" "--password=$snmysqlpass" ) sqlescsnmysqlpass=$(echo "$snmysqlpass" | sed -e s/\'/\'\'/g) # Replace every ' with '' for full MySQL escaping sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 mysqlver=$(mysql -V | sed -n 's/.*Distrib[ ]\(\([0-9]\([.]\|\)\)*\).*\([-]\|\)[,].*/\1/p') mariadb=$(mysql -V | sed -n 's/.*Distrib[ ].*[-]\(.*\)[,].*/\1/p') vertocheck="5.7" 
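Review bot: `rulesFirewall` adds the `mysql` (and `samba`) services unconditionally, so a default install whose database is local — the `127.0.0.1|localhost` case that `configureMySql` handles separately — ends up with the database port reachable from the network. Gate it on the database being remote, using the same host pattern as `configureMySql`, and add samba only when it is actually configured; if `$snmysqlhost` is not known when this runs (it is called right after `checkSELinux` in installfog.sh), move the firewall step after configuration is loaded. The message promises rules in "the active zone", but `--permanent --add-service` without `--zone` targets the default zone; either say so or pass `--zone="$(firewall-cmd --get-default-zone)"`. `fwstate`, `fwrunning` and `service` leak as globals — declare them `local` — and a header comment stating that this function adds rules rather than checking for a firewall would help, since it replaces `checkFirewall` in the caller.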
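Review bot: The replaced line's actual bug is `"${options}"`, which expands only the first element of the array; the fix is `"${options[@]}"`, not spelling the credentials out inline. The inline form diverges from the `*)` branch in the next hunk, which still uses `"${options}"`, and it always passes `--password="$snmysqlpass"` even when the password is empty, which the array construction above deliberately avoided with `[[ -n $snmysqlpass ]]`. Use `mysql "${options[@]}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1` at every call site. Separately, either form puts the password on the mysql command line where it is visible in process listings for the duration of the call; a `--defaults-extra-file` created with `mktemp` and mode 0600 would keep it off argv.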
@@ -1079,12 +1122,12 @@ configureMySql() { case $snmysqlhost in 127.0.0.1|[Ll][Oo][Cc][Aa][Ll][Hh][Oo][Ss][Tt]) sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - sql="ALTER USER '$snmysqluser'@'127.0.0.1' IDENTIFIED WITH mysql_native_password BY '$sqlescsnmysqlpass';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - sql="ALTER USER '$snmysqluser'@'localhost' IDENTIFIED WITH mysql_native_password BY '$sqlescsnmysqlpass';" - mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - ;; + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + sql="ALTER USER '$snmysqluser'@'127.0.0.1' IDENTIFIED BY '$sqlescsnmysqlpass';" + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + sql="ALTER USER '$snmysqluser'@'localhost' IDENTIFIED BY '$sqlescsnmysqlpass';" + mysql -s --host="$snmysqlhost" --user="$snmysqluser" --password="$snmysqlpass" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + ;; *) sql="UPDATE mysql.user SET plugin='mysql_native_password' WHERE User='root';" mysql "${options}" -e "$sql" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 
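Review bot: This hunk rewrites only the localhost branch: it inlines the credentials and drops `WITH mysql_native_password` from both `ALTER USER` statements, while the `*)` branch that follows keeps `"${options}"` and the plugin clause, so a local and a remote database are left with different authentication plugins for `$snmysqluser` after the same installer run. If dropping the plugin is intended (the preceding `UPDATE mysql.user` still forces root to `mysql_native_password`), apply it to both branches and record why in a comment; otherwise keep the clause. As in the previous hunk, `"${options[@]}"` is the minimal fix for the command line. `$sqlescsnmysqlpass` is still interpolated into the statement; the `'`→`''` replacement in the previous hunk covers quotes but not backslashes, which MySQL also treats as escapes in string literals, so a password containing one is stored differently from the value written to the config.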
@@ -1630,15 +1673,23 @@ displayBanner() { echo } createSSLCA() { - if [[ -z $sslpath ]]; then - [[ -d /opt/fog/snapins/CA && -d /opt/fog/snapins/ssl ]] && mv /opt/fog/snapins/CA /opt/fog/snapins/ssl/ - sslpath='/opt/fog/snapins/ssl/' - fi - if [[ $recreateCA == yes || $caCreated != yes || ! -e $sslpath/CA || ! -e $sslpath/CA/.fogCA.key ]]; then - mkdir -p $sslpath/CA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - dots "Creating SSL CA" - openssl genrsa -out $sslpath/CA/.fogCA.key 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl req -x509 -new -sha512 -nodes -key $sslpath/CA/.fogCA.key -days 3650 -out $sslpath/CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF + if [ ! -z "$serverCert" ]; then + dots "Copying server certificate and key" + mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cp -f "$serverCert" $webdirdest/management/other/ssl/srvpublic.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cp -f "$serverKey" $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cp -f "$externalCA" /etc/pki/ca-trust/source/anchors/chain.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + else + if [[ -z $sslpath ]]; then + [[ -d /opt/fog/snapins/CA && -d /opt/fog/snapins/ssl ]] && mv /opt/fog/snapins/CA /opt/fog/snapins/ssl/ + sslpath='/opt/fog/snapins/ssl/' + fi + if [[ $recreateCA == yes || $caCreated != yes || ! -e $sslpath/CA || ! -e $sslpath/CA/.fogCA.key ]]; then + mkdir -p $sslpath/CA >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + dots "Creating SSL CA" + openssl genrsa -out $sslpath/CA/.fogCA.key 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl req -x509 -new -sha512 -nodes -key $sslpath/CA/.fogCA.key -days 3650 -out $sslpath/CA/.fogCA.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF . . . 
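Review bot: In the new external-certificate branch, `$sslpath` and `$sslprivkey` never receive their defaults, because both assignments (`sslpath='/opt/fog/snapins/ssl/'` and `sslprivkey="$sslpath/.srvprivate.key"`) now sit in the else branch; unless they are set earlier in the run, `cp -f "$serverKey" $sslpath/.srvprivate.key` writes to `/.srvprivate.key` and the vhost later gets an empty `SSLCertificateKeyFile`. Hoist both defaults above the `if`. `cp -f` keeps whatever mode the source key had and the copy is never chowned or chmod'ed; add `chmod 600` on the copied key. `errorStat $?` after three `cp` calls reports only the last one, and `/etc/pki/ca-trust/source/anchors/` exists only on RHEL-family systems while the rest of this file switches on `$osid`; this branch should do the same. The function continues past this hunk.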
@@ -1647,14 +1698,14 @@ createSSLCA() { FOG Server CA . EOF - errorStat $? - fi - [[ -z $sslprivkey ]] && sslprivkey="$sslpath/.srvprivate.key" - if [[ $recreateKeys == yes || $recreateCA == yes || $caCreated != yes || ! -e $sslpath || ! -e $sslprivkey ]]; then - dots "Creating SSL Private Key" - mkdir -p $sslpath >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl genrsa -out $sslprivkey 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - cat > $sslpath/req.cnf << EOF + errorStat $? + fi + [[ -z $sslprivkey ]] && sslprivkey="$sslpath/.srvprivate.key" + if [[ $recreateKeys == yes || $recreateCA == yes || $caCreated != yes || ! -e $sslpath || ! -e $sslprivkey ]]; then + dots "Creating SSL Private Key" + mkdir -p $sslpath >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl genrsa -out $sslprivkey 4096 >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cat > $sslpath/req.cnf << EOF [req] distinguished_name = req_distinguished_name req_extensions = v3_req 
@@ -1667,27 +1718,28 @@ subjectAltName = @alt_names DNS.1 = $ipaddress DNS.2 = $hostname EOF - openssl req -new -sha512 -key $sslprivkey -out $sslpath/fog.csr -config $sslpath/req.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF + openssl req -new -sha512 -key $sslprivkey -out $sslpath/fog.csr -config $sslpath/req.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 << EOF $ipaddress EOF - errorStat $? - fi - [[ ! -e $sslpath/.srvprivate.key ]] && ln -sf $sslprivkey $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - dots "Creating SSL Certificate" - mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - cat > $sslpath/ca.cnf << EOF + errorStat $? + fi + [[ ! -e $sslpath/.srvprivate.key ]] && ln -sf $sslprivkey $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + dots "Creating SSL Certificate" + mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + cat > $sslpath/ca.cnf << EOF [v3_ca] subjectAltName = @alt_names [alt_names] DNS.1 = $ipaddress DNS.2 = $hostname EOF - openssl x509 -req -in $sslpath/fog.csr -CA $sslpath/CA/.fogCA.pem -CAkey $sslpath/CA/.fogCA.key -CAcreateserial -out $webdirdest/management/other/ssl/srvpublic.crt -days 3650 -extensions v3_ca -extfile $sslpath/ca.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - errorStat $? - dots "Creating auth pub key and cert" - cp $sslpath/CA/.fogCA.pem $webdirdest/management/other/ca.cert.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - openssl x509 -outform der -in $webdirdest/management/other/ca.cert.pem -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - errorStat $? 
+ openssl x509 -req -in $sslpath/fog.csr -CA $sslpath/CA/.fogCA.pem -CAkey $sslpath/CA/.fogCA.key -CAcreateserial -out $webdirdest/management/other/ssl/srvpublic.crt -days 3650 -extensions v3_ca -extfile $sslpath/ca.cnf >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + dots "Creating auth pub key and cert" + cp $sslpath/CA/.fogCA.pem $webdirdest/management/other/ca.cert.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl x509 -outform der -in $webdirdest/management/other/ca.cert.pem -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + errorStat $? + fi dots "Resetting SSL Permissions" chown -R $apacheuser:$apacheuser $webdirdest/management/other >>$workingdir/error_logs/fog_error_${version}.log 2>&1 errorStat $? @@ -1710,14 +1762,16 @@ EOF echo " SetHandler \"proxy:fcgi://127.0.0.1:9000/\"" >> "$etcconf" fi echo " " >> "$etcconf" - echo " ServerName $ipaddress" >> "$etcconf" - echo " ServerAlias $hostname" >> "$etcconf" + echo " ServerName $hostname" >> "$etcconf" + echo " ServerAlias $ipaddress" >> "$etcconf" echo " RewriteEngine On" >> "$etcconf" echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" echo " RewriteRule /management/other/ca.cert.der$ - [L]" >> "$etcconf" - echo " RewriteCond %{HTTPS} off" >> "$etcconf" - echo " RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf" + echo " RewriteCond %{REQUEST_URI} /fog/service/ipxe/" >> "$etcconf" + echo " RewriteRule (.*) - [R,L]" >> "$etcconf" + echo " RewriteCond %{HTTPS} off" >> "$etcconf" + echo " RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf" echo "" >> "$etcconf" echo "" >> "$etcconf" echo " KeepAlive Off" >> "$etcconf" 
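Review bot: The new `RewriteCond %{REQUEST_URI} /fog/service/ipxe/` is unanchored and hard-codes `/fog/`, so any request whose URI merely contains that substring skips the HTTPS redirect, and installs with another `${webroot}` get no exemption at all; use `RewriteCond %{REQUEST_URI} ^${webroot}service/ipxe/`. The paired `RewriteRule (.*) - [R,L]` combines a `-` pass-through with the `R` flag; `[L]` alone is the idiom for "stop here", and I am not certain what mod_rewrite does with `R` on a pass-through, so `RewriteRule .* - [L]` is the safer form. Since this deliberately leaves the iPXE boot script on plaintext HTTP, a comment line in the generated vhost saying so would help whoever next tightens the redirect. The ServerName/ServerAlias swap here and in the next two hunks is fine.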
@@ -1728,19 +1782,26 @@ EOF echo " SetHandler \"proxy:fcgi://127.0.0.1:9000/\"" >> "$etcconf" fi echo " " >> "$etcconf" - echo " ServerName $ipaddress" >> "$etcconf" - echo " ServerAlias $hostname" >> "$etcconf" + echo " ServerName $hostname" >> "$etcconf" + echo " ServerAlias $ipaddress" >> "$etcconf" echo " DocumentRoot $docroot" >> "$etcconf" echo " SSLEngine On" >> "$etcconf" echo " SSLProtocol all -SSLv3 -SSLv2" >> "$etcconf" echo " SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >> "$etcconf" echo " SSLHonorCipherOrder On" >> "$etcconf" - echo " SSLCertificateFile $webdirdest/management/other/ssl/srvpublic.crt" >> "$etcconf" + echo " SSLCertificateFile ${webdirdest}management/other/ssl/srvpublic.crt" >> "$etcconf" echo " SSLCertificateKeyFile $sslprivkey" >> "$etcconf" - echo " SSLCertificateChainFile $webdirdest/management/other/ca.cert.der" >> "$etcconf" + if [ ! 
-z "$externalCA" ]; then + echo " SSLCACertificateFile /etc/pki/ca-trust/source/anchors/chain.pem" >> "$etcconf" + else + echo " SSLCertificateChainFile $webdirdest/management/other/ca.cert.der" >> "$etcconf" + fi echo " " >> "$etcconf" echo " DirectoryIndex index.php index.html index.htm" >> "$etcconf" echo " " >> "$etcconf" + echo " SSLVerifyClient optional" >> "$etcconf" + echo " SSLVerifyDepth 3" >> "$etcconf" + echo " SSLOptions +StdEnvVars" >> "$etcconf" echo " RewriteEngine On" >> "$etcconf" echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" @@ -1758,8 +1819,8 @@ EOF fi echo " " >> "$etcconf" echo " KeepAlive Off" >> "$etcconf" - echo " ServerName $ipaddress" >> "$etcconf" - echo " ServerAlias $hostname" >> "$etcconf" + echo " ServerName $hostname" >> "$etcconf" + echo " ServerAlias $ipaddress" >> "$etcconf" echo " DocumentRoot $docroot" >> "$etcconf" echo " " >> "$etcconf" echo " DirectoryIndex index.php index.html index.htm" >> "$etcconf" @@ -1810,6 +1871,7 @@ EOF ;; esac dots "Starting and checking status of web services" + update-ca-trust case $systemctl in yes) case $osid in @@ -1906,6 +1968,7 @@ configureHttpd() { esac fi dots "Setting up Apache and PHP files" + echo "ServerName $hostname" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null if [[ ! -f $phpini ]]; then echo "Failed" echo " ###########################################" @@ -2001,6 +2064,7 @@ configureHttpd() { fi dots "Copying new files to web folder" cp -Rf $webdirsrc/* $webdirdest/ + cp -f $webdirsrc/index.php /var/www/html/ errorStat $? for i in $(find $backupPath/fog_web_${version}.BACKUP/management/other/ -maxdepth 1 -type f -not -name gpl-3.0.txt -a -not -name index.php -a -not -name 'ca.*' 2>>$workingdir/error_logs/fog_error_${version}.log); do cp -Rf $i ${webdirdest}/management/other/ >>$workingdir/error_logs/fog_error_${version}.log 2>&1 
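Review bot: Replacing `SSLCertificateChainFile` with `SSLCACertificateFile` when `$externalCA` is set changes the directive's purpose: `SSLCACertificateFile` is the trust store for client-certificate verification (which the new `SSLVerifyClient optional` relies on), not the intermediate chain sent to browsers, so unless `$serverCert` already contains the full chain, clients see an incomplete chain. Keep a chain directive for the server side (or concatenate the intermediates into `srvpublic.crt`) and use `SSLCACertificateFile` only for client auth. With `SSLVerifyClient optional` and `SSLVerifyDepth 3`, a certificate issued under any CA in `chain.pem` yields `SSL_CLIENT_VERIFY=SUCCESS`, which the PHP changes in this series treat as a login, so the file must contain only the CA that issues user certificates; that constraint deserves a comment where `chain.pem` is written in `createSSLCA`. The new `${webdirdest}management/other/ssl/srvpublic.crt` drops the `/` that the else branch's `$webdirdest/management/other/ca.cert.der` still has; the two should agree on whether `$webdirdest` ends with a slash. The function continues past this hunk.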
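Review bot: `update-ca-trust` is run unconditionally before `case $systemctl in`, with its output not redirected like every other command in this file; it exists only on RHEL-family systems and is only needed after `$externalCA` was copied into the anchors directory, so gate it: `[[ -n $externalCA ]] && update-ca-trust >>$workingdir/error_logs/fog_error_${version}.log 2>&1`. The `@@ -1906` hunk has the same distro coupling: `/etc/httpd/conf/httpd.conf` is the RHEL path, `sudo` is unnecessary in an installer that already writes under `/etc`, and `tee -a` appends another `ServerName` line on every run (a later commit adds a `grep` guard, but it looks in the wrong file and for a quoted form the `echo` never writes). Both additions belong inside the existing `case $osid in` and should go through the same error-log redirection.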
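Review bot: `errorStat $?` now reports the status of the new `cp -f $webdirsrc/index.php /var/www/html/` instead of the `cp -Rf $webdirsrc/* $webdirdest/` on the line above, so a failed web-folder copy is masked when the single-file copy succeeds. Chain them so the status covers both: `cp -Rf $webdirsrc/* $webdirdest/ && cp -f $webdirsrc/index.php /var/www/html/`. `/var/www/html` is hard-coded while the rest of `configureHttpd` derives paths from `$docroot` and `$webdirdest`; together with the absolute `/fog/` redirect added to `packages/web/index.php` in this series, it assumes a `/fog/` webroot on a stock document root, which the installer otherwise treats as configurable.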
@@ -2094,7 +2158,7 @@ class Config */ private static function _initSetting() { - define('TFTP_HOST', \"${ipaddress}\"); + define('TFTP_HOST', \"${hostname}\"); define('TFTP_FTP_USERNAME', \"${username}\"); define( 'TFTP_FTP_PASSWORD', @@ -2106,7 +2170,7 @@ class Config define('USE_SLOPPY_NAME_LOOKUPS', true); define('MEMTEST_KERNEL', 'memtest.bin'); define('PXE_IMAGE', 'init.xz'); - define('STORAGE_HOST', \"${ipaddress}\"); + define('STORAGE_HOST', \"${hostname}\"); define('STORAGE_FTP_USERNAME', \"${username}\"); define( 'STORAGE_FTP_PASSWORD', @@ -2117,8 +2181,8 @@ class Config define('STORAGE_BANDWIDTHPATH', '${webroot}status/bandwidth.php'); define('STORAGE_INTERFACE', '${interface}'); define('CAPTURERESIZEPCT', 5); - define('WEB_HOST', \"${ipaddress}\"); - define('WOL_HOST', \"${ipaddress}\"); + define('WEB_HOST', \"${hostname}\"); + define('WOL_HOST', \"${hostname}\"); define('WOL_PATH', '/${webroot}wol/wol.php'); define('WOL_INTERFACE', \"${interface}\"); define('SNAPINDIR', \"${snapindir}/\"); From 750b3686c900edf2d640c8cabe4fa689d45a8844 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Tue, 17 Dec 2019 14:27:51 -0500 Subject: [PATCH 03/15] Add files via upload --- packages/web/lib/plugins/ldap/class/ldap.class.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/web/lib/plugins/ldap/class/ldap.class.php b/packages/web/lib/plugins/ldap/class/ldap.class.php index 93fcca55f0..fb49c2fe7e 100644 --- a/packages/web/lib/plugins/ldap/class/ldap.class.php +++ b/packages/web/lib/plugins/ldap/class/ldap.class.php @@ -441,7 +441,9 @@ public function authLDAP($user, $pass) /** * Rebind as the user */ - $bind = @$this->bind($userDN, $pass); + if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') { + $bind = @$this->bind($userDN, $pass); + } /** * If user unable to bind return immediately */ From 2f439d57cd1d1c324454fce4ebdbd8e5a5732b9a Mon Sep 17 00:00:00 2001 
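Review bot: Switching `TFTP_HOST` and `STORAGE_HOST` to `${hostname}` (and `WEB_HOST`/`WOL_HOST` in the next two hunks) means every imaging client must resolve the server name through whatever DNS DHCP gives it, where the IP form needed no DNS; the storage node is still registered with `ip=${ipaddress}` in `registerStorageNode` in this series, so the node record and these constants now disagree. If the goal is certificate validation for the management UI, only `WEB_HOST` needs the name; TFTP and the NFS/FTP storage paths are not TLS and can stay on `${ipaddress}`. At minimum the installer should warn, or stop, when `$hostname` does not resolve to `$ipaddress` before writing these constants, e.g. `getent hosts "$hostname" | grep -qw "$ipaddress"`. The generating heredoc and the `Config` class it writes start outside this hunk.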
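Review bot: Wrapping `$bind = @$this->bind($userDN, $pass)` in `if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS')` leaves `$bind` undefined on the certificate path, and the check announced by the following comment ("If user unable to bind return immediately", outside this hunk) then tests an unset variable; initialise it explicitly, e.g. `$bind = true;` in an `else`, and document on `authLDAP` that a verified client certificate replaces the password bind. `$_SERVER['SSL_CLIENT_VERIFY']` is absent on plain-HTTP requests and when `SSLOptions +StdEnvVars` is off, so read it as `($_SERVER['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS'` to avoid a notice and keep the password path as the default. Apache reports SUCCESS for any chain that validates against the vhost's `SSLCACertificateFile`, so this code is trusting the web server's trust store to contain exactly the user-certificate CA; nothing here checks the issuer, and that assumption should be stated in the docblock.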
From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Tue, 17 Dec 2019 14:29:35 -0500 Subject: [PATCH 04/15] Add files via upload --- packages/web/lib/pages/processlogin.class.php | 84 +++++++++++++++---- 1 file changed, 70 insertions(+), 14 deletions(-) diff --git a/packages/web/lib/pages/processlogin.class.php b/packages/web/lib/pages/processlogin.class.php index 08a6b8c213..5208072432 100644 --- a/packages/web/lib/pages/processlogin.class.php +++ b/packages/web/lib/pages/processlogin.class.php 
@@ -216,14 +216,63 @@ private function _setRedirMode() } if (count($http_query) < 1) { unset($redirect['login']); - self::redirect('index.php'); + self::redirect('index.php'); } $query = trim(http_build_query($http_query)); $redir = 'index.php'; if ($query) { $redir .= "?$query"; } - self::redirect($redir); + self::redirect($redir); + } + /** + * Generate a random string, using a cryptographically secure + * pseudorandom number generator (random_int) + * + * For PHP 7, random_int is a PHP core function + * + * @param int $length How many characters do we want? + * @param string $keyspace A string of all possible characters + * to select from + * @return string + */ + public function random_str($length, + $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-_=+') + { + $str = ''; + $max = mb_strlen($keyspace, '8bit') - 1; + if ($max < 1) { + throw new Exception('$keyspace must be at least two characters long'); + } + for ($i = 0; $i < $length; ++$i) { + $str .= $keyspace[random_int(0, $max)]; + } + return $str; + } + /** + * Checks for valid certificate + * Returns the sAMAccountName in the UPN + * + * @return string + */ + function hasValidCert() + { + if (!isset($_SERVER['SSL_CLIENT_M_SERIAL']) + || !isset($_SERVER['SSL_CLIENT_V_END']) + || !isset($_SERVER['SSL_CLIENT_VERIFY']) + || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS' + || !isset($_SERVER['SSL_CLIENT_I_DN']) + ) { + return false; + } + + if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) { + return false; + } + + $userFullUPN = $_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0']; + $userUPN = explode("@", $userFullUPN); + return $userUPN[0]; } /** * Processes the login. 
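Review bot: `hasValidCert()` accepts a certificate from any issuer Apache trusts and uses the UPN's local part as the FOG username without checking the realm: `SSL_CLIENT_I_DN` is only tested with `isset` and never compared to the expected CA, and `explode("@", $userFullUPN)[0]` maps a UPN with the same local part but a different realm onto the same account. Compare the issuer DN and the UPN suffix against configured values before returning the name, and `isset()`-check `SSL_CLIENT_V_REMAIN` and `SSL_CLIENT_SAN_OTHER_msUPN_0` like the other fields — a verified certificate without a UPN SAN currently reaches `explode` with `null`. `SSL_CLIENT_V_END` is checked but never used. Declare the method `public function hasValidCert()` to match `random_str`, and if this file is namespaced the `throw new Exception(...)` in `random_str` needs `\Exception` — the header is outside this hunk. The `self::redirect` re-indentations in the same hunk are whitespace only.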
@@ -232,11 +281,16 @@ private function _setRedirMode() */ public function processMainLogin() { - global $currentUser; - $uname = filter_input(INPUT_POST, 'uname'); - $upass = filter_input(INPUT_POST, 'upass'); - $this->_username = $uname; - $this->_password = $upass; + global $currentUser; + $user = $this->hasValidCert(); + if ($user == false) { + $user = filter_input(INPUT_POST, 'uname'); + $pass = filter_input(INPUT_POST, 'upass'); + } else { + $pass = $this->random_str(100); + } + $this->_username = $user; + $this->_password = $pass; $type = self::$FOGUser->get('type'); self::$HookManager ->processEvent( @@ -248,14 +302,14 @@ public function processMainLogin() } if (!$this->_username) { self::setMessage(self::$foglang['InvalidLogin']); - self::redirect('index.php?node=logout'); + self::redirect('index.php?node=logout'); } self::$FOGUser = self::attemptLogin( $this->_username, $this->_password ); if (!self::$FOGUser->isValid()) { - $this->_setRedirMode(); + $this->_setRedirMode(); } self::$HookManager ->processEvent( @@ -316,7 +370,7 @@ public function mainLoginForm() } // Login form echo ''; // Password @@ -344,8 +399,9 @@ public function mainLoginForm() echo self::$foglang['Password']; echo ''; echo '
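Review bot: `if ($user == false)` is a loose comparison, so a certificate whose UPN local part is `"0"` is treated as no certificate and falls through to the password form; use `if ($user === false)`. When the certificate is accepted, `$pass = $this->random_str(100)` is still handed to `attemptLogin`, so for a local FOG account the login can only succeed if some backend ignores the password — which the LDAP change in this series does when `SSL_CLIENT_VERIFY` is SUCCESS — and that coupling should be written on this method's docblock. The certificate path also skips whatever validation `filter_input(INPUT_POST, 'uname')` provided; log the certificate-derived username and issuer on success so the audit trail can tell the two login paths apart. `processMainLogin` continues past this hunk.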
'; - echo ''; + //echo ''; + echo ''; echo '
'; echo ''; // Language From c0f42323607fae58e817c018451681cbd20ff790 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Tue, 17 Dec 2019 14:29:57 -0500 Subject: [PATCH 05/15] Add files via upload --- packages/web/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/web/index.php b/packages/web/index.php index 56d0e04e30..c9716867ad 100644 --- a/packages/web/index.php +++ b/packages/web/index.php @@ -19,5 +19,5 @@ * @license http://opensource.org/licenses/gpl-3.0 GPLv3 * @link https://fogproject.org */ -header('Location: ./management/index.php'); +header('Location: /fog/management/index.php'); exit; From 65f4ed303c3c36d7f16b83371ab5206daac19b10 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 09:25:32 -0500 Subject: [PATCH 06/15] Add files via upload --- bin/installfog.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/bin/installfog.sh b/bin/installfog.sh index e157ef5976..9eefe48668 100755 --- a/bin/installfog.sh +++ b/bin/installfog.sh @@ -35,6 +35,7 @@ help() { echo -e "\t\t[-W ] [-B ]" echo -e "\t\t[-s <192.168.1.10>] [-e <192.168.1.254>] [-b ]" echo -e "\t\t[-v ] [-k ] [-t ]" + echo -e "\t\t[-p ]" echo -e "\t-h -? --help\t\t\tDisplay this info" echo -e "\t-o --oldcopy\t\t\tCopy back old data" echo -e "\t-d --no-defaults\t\tDon't guess defaults" @@ -67,9 +68,10 @@ help() { echo -e "\t-v --server-cert\t\tSpecify the location of the server's certificate" echo -e "\t-k --server-key\t\tSpecify the location of the server's certificate key" echo -e "\t-t --external-CA\t\tSpecify the location of the CA chain certificate" + echo -e "\t-p --ocsp\t\t\tSpecify the URI of the OCSP server" exit 0 } -optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:v:t:k:" +optspec="h?odEUHSCKYyXxTPFAf:c:-:W:D:B:s:e:b:v:t:k:p:" while getopts "$optspec" o; do case $o in -) 
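Review bot: `header('Location: /fog/management/index.php')` hard-codes the `/fog/` webroot that the installer treats as a variable (`${webroot}` throughout `functions.sh`), while the relative `./management/index.php` it replaces worked under any prefix; it is presumably absolute because the installer now also copies this file to `/var/www/html/`. If the copy to the document root stays, generate the path from `${webroot}` at install time rather than baking it into the packaged file.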
@@ -210,6 +212,14 @@ while getopts "$optspec" o; do fi sexternalCA="${OPTARG}" ;; + ocsp) + if [[ -z $OPTARG ]]; then + echo "--$OPTARG requires a URI to follow" + help + exit 12 + fi + socsp="${OPTARG}" + ;; *) if [[ $OPTERR == 1 && ${optspec:0:1} != : ]]; then echo "Unknown option: --${OPTARG}" @@ -351,6 +361,14 @@ while getopts "$optspec" o; do fi sexternalCA="${OPTARG}" ;; + p) + if [[ -z $OPTARG ]]; then + echo "--$OPTARG requires a URI to follow" + help + exit 12 + fi + socsp="${OPTARG}" + ;; :) echo "Option -$OPTARG requires a value" help @@ -481,6 +499,7 @@ esac [[ -n $ssslpath ]] && sslpath=$ssslpath [[ -n $srecreateCA ]] && recreateCA=$srecreateCA [[ -n $srecreateKeys ]] && recreateKeys=$srecreateKeys +[[ -n $socsp ]] && ocsp=$socsp [[ -f $fogpriorconfig ]] && grep -l webroot $fogpriorconfig >>$workingdir/error_logs/fog_error_${version}.log 2>&1 case $? in From ba59756853f084c664aff80a4b007a2ee21f0543 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 09:25:51 -0500 Subject: [PATCH 07/15] Add files via upload --- lib/common/functions.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 75371e134f..51ff49443e 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -1802,6 +1802,12 @@ EOF echo " SSLVerifyClient optional" >> "$etcconf" echo " SSLVerifyDepth 3" >> "$etcconf" echo " SSLOptions +StdEnvVars" >> "$etcconf" + if [ ! -z "$ocsp" ]; then + echo " SSLOCSPEnable leaf" >> "$etcconf" + echo " SSLOCSPUseRequestNonce off" >> "$etcconf" + echo " SSLOCSPDefaultResponder $ocsp" >> "$etcconf" + echo " SSLOCSPOverrideResponder on" >> "$etcconf" + fi echo " RewriteEngine On" >> "$etcconf" echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" From bf7d80dbef50db32240d5fba1e75fe53badd83a2 Mon Sep 17 00:00:00 2001 
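Review bot: The new `ocsp)` and `p)` branches print `--$OPTARG requires a URI to follow`, which echoes the option's value rather than its name (and the short form prints a double dash), so the message is misleading; use `echo "--ocsp requires a URI to follow"` and `echo "-p requires a URI to follow"` respectively. Because `p:` in optspec already forces an argument, `[[ -z $OPTARG ]]` only catches an explicit empty string; a shape check such as `[[ $OPTARG =~ ^https?:// ]] || { echo "--ocsp expects an http(s) URI"; help; exit 12; }` would catch the realistic mistakes before the value is written verbatim into the Apache config by the patch-07 hunk on this same line. The same fix applies to the `p)` branch in the second hunk.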
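Review bot: The OCSP block added in the functions.sh hunk (-1802) sets `SSLOCSPUseRequestNonce off` and `SSLOCSPOverrideResponder on`, so mod_ssl will accept un-nonced (cacheable, replayable) responses and will send every client-certificate status query to `$ocsp` even when the certificate names its own responder; if the responder in use requires that, say so in a comment, otherwise keep the nonce on and drop the override so the certificate's own responder is used. `$ocsp` is also interpolated into the config unquoted and unvalidated. The block uses `[ ! -z "$ocsp" ]` where the surrounding file uses `[[ -n ... ]]`; `if [[ -n $ocsp ]]; then` keeps it consistent.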
From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 09:42:28 -0500 Subject: [PATCH 08/15] Add files via upload --- lib/common/functions.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 51ff49443e..ace10cb4e6 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -1679,6 +1679,7 @@ createSSLCA() { cp -f "$serverCert" $webdirdest/management/other/ssl/srvpublic.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1 cp -f "$serverKey" $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1 cp -f "$externalCA" /etc/pki/ca-trust/source/anchors/chain.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + openssl x509 -outform der -in "$externalCA" -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1 errorStat $? else if [[ -z $sslpath ]]; then From d8da9cdd72e8139d0ea3b74094db73239a2cdf8b Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 14:01:01 -0500 Subject: [PATCH 09/15] Add files via upload --- lib/common/functions.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index ace10cb4e6..bb734f5c84 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -1975,7 +1975,9 @@ configureHttpd() { esac fi dots "Setting up Apache and PHP files" - echo "ServerName $hostname" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null + if (! grep -Fxq "ServerName \"$hostname\"" httpd.conf); then + echo "ServerName $hostname" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null + fi if [[ ! -f $phpini ]]; then echo "Failed" echo " ###########################################" From 010a4d4c372543b31b787e9d45475b7156d4532d Mon Sep 17 00:00:00 2001 
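Review bot: `openssl x509 -outform der -in "$externalCA"` in the patch-08 createSSLCA hunk converts only the first PEM certificate in the file, but the `-t/--external-CA` help text describes the input as a CA chain, so ca.cert.der ends up holding just the leading certificate and any intermediates are silently dropped. If whatever fetches ca.cert.der needs the full chain, convert each certificate separately (a single DER file cannot carry a chain) or serve the PEM instead; the same line is carried unchanged into the patch-13 createSSLCA hunk. `$webdirdest` is unquoted here as on the neighbouring lines.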
From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 14:03:00 -0500 Subject: [PATCH 10/15] Add files via upload --- lib/common/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index bb734f5c84..de7ef98c59 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -1975,7 +1975,7 @@ configureHttpd() { esac fi dots "Setting up Apache and PHP files" - if (! grep -Fxq "ServerName \"$hostname\"" httpd.conf); then + if (! grep -Fxq "ServerName \"$hostname\"" /etc/httpd/conf/httpd.conf); then echo "ServerName $hostname" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null fi if [[ ! -f $phpini ]]; then From 0fd212431529d70b09b019c71a5544b7b31d55c3 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 18 Dec 2019 14:04:29 -0500 Subject: [PATCH 11/15] Add files via upload --- lib/common/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index de7ef98c59..7fb6a79ef4 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh @@ -1976,7 +1976,7 @@ configureHttpd() { fi dots "Setting up Apache and PHP files" if (! grep -Fxq "ServerName \"$hostname\"" /etc/httpd/conf/httpd.conf); then - echo "ServerName $hostname" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null + echo "ServerName \"$hostname\"" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null fi if [[ ! -f $phpini ]]; then echo "Failed" From 8ca6ae8537c67439e02eae228e546942609e0edd Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Thu, 19 Dec 2019 10:41:45 -0500 Subject: [PATCH 12/15] Add files via upload --- lib/common/functions.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 7fb6a79ef4..25ed7e5a00 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh 
@@ -1975,9 +1975,6 @@ configureHttpd() { esac fi dots "Setting up Apache and PHP files" - if (! grep -Fxq "ServerName \"$hostname\"" /etc/httpd/conf/httpd.conf); then - echo "ServerName \"$hostname\"" | sudo tee -a /etc/httpd/conf/httpd.conf >> /dev/null - fi if [[ ! -f $phpini ]]; then echo "Failed" echo " ###########################################" From a8578d5b5055085185280c11c4ac699d65c906e9 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Wed, 15 Jan 2020 19:25:16 -0500 Subject: [PATCH 13/15] Add files via upload --- lib/common/functions.sh | 75 +++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 48 deletions(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index 25ed7e5a00..bff02e973e 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh 
@@ -31,20 +31,12 @@ backupReports() { registerStorageNode() { [[ -z $webroot ]] && webroot="/" dots "Checking if this node is registered" - if [ ! -z "$serverCert" ]; then - storageNodeExists=$(wget -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") - else - storageNodeExists=$(wget --no-check-certificate -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") - fi + storageNodeExists=$(wget --no-check-certificate -qO - ${httpproto}://$ipaddress/${webroot}/maintenance/check_node_exists.php --post-data="ip=${ipaddress}") echo "Done" if [[ $storageNodeExists != exists ]]; then [[ -z $maxClients ]] && maxClients=10 dots "Node being registered" - if [ ! -z "$serverCert" ]; then - wget -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" - else - wget --no-check-certificate -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" - fi + wget --no-check-certificate -qO - 
$httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified" echo "Done" else echo " * Node is registered" @@ -53,10 +45,7 @@ registerStorageNode() { updateStorageNodeCredentials() { [[ -z $webroot ]] && webroot="/" dots "Ensuring node username and passwords match" - if [ ! -z "$serverCert" ]; then - wget -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" - else - wget --no-check-certificate -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" + wget --no-check-certificate -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" fi echo "Done" } 
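Review bot: The registerStorageNode hunk (and the updateStorageNodeCredentials, backupDB and updateDB hunks that follow in this patch) removes the `serverCert` branch that verified the server's TLS certificate, so every installer wget call now runs with `--no-check-certificate` even on installs that supplied a trusted certificate via `-v`; these POST bodies carry the node username and password (base64-encoded, not encrypted), so they are exactly the requests where verification matters. This same patch installs the external CA into the OS trust store, so wget could verify if the URL used `${hostname}` (the name a certificate is normally issued for) rather than `${ipaddress}`; keeping the verified branch for the serverCert case, e.g. `[[ -n $serverCert ]] && wgetopts="" || wgetopts="--no-check-certificate"`, preserves that. The function bodies continue outside the hunk.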
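Review bot: The updateStorageNodeCredentials hunk deletes the `if`/`else` but keeps the closing `fi`, leaving an unmatched `fi` that makes functions.sh fail to parse when sourced. Drop the `fi` line together with the branch.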
@@ -64,11 +53,7 @@ backupDB() { dots "Backing up database" if [[ -d $backupPath/fog_web_${version}.BACKUP ]]; then [[ ! -d $backupPath/fogDBbackups ]] && mkdir -p $backupPath/fogDBbackups >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - if [ ! -z "$serverCert" ]; then - wget -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - else - wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - fi + wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 fi errorStat $? } @@ -79,11 +64,7 @@ updateDB() { local replace='s/[]"\/$&*.^|[]/\\&/g' local escstorageLocation=$(echo $storageLocation | sed -e $replace) sed -i -e "s/'\/images\/'/'$escstorageLocation'/g" $webdirdest/commons/schema.php - if [ ! -z "$serverCert" ]; then - wget -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${hostname}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - else - wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - fi + wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1 errorStat $? ;; *) 
@@ -774,25 +755,6 @@ checkSELinux() {
 esac
 done
 }
-rulesFirewall() {
- fwstate=$(firewall-cmd --state 2>&1)
- [[ "x$fwstate" == "xrunning" ]] && fwrunning=1
- [[ $fwrunning -ne 1 ]] && return
- echo " * The local firewall seems to be currently enabled on your system."
- echo " * We will attempt to add rules to the active zone."
- systemctl start firewalld >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- systemctl enable firewalld >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba
- do
- firewall-cmd --permanent --add-service=$service >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- done
- if [[ $bldhcp -eq 1 ]]; then
- firewall-cmd --permanent --add-service=dhcp >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- fi
- firewall-cmd --permanent --add-port=49152-65532/udp >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p igmp -j ACCEPT >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- firewall-cmd --reload >>$workingdir/error_logs/fog_error_${version}.log 2>&1
-}
 checkFirewall() {
 command -v iptables >>$workingdir/error_logs/fog_error_${version}.log 2>&1
 iptcmd=$?
@@ -1678,7 +1640,11 @@ createSSLCA() {
 mkdir -p $webdirdest/management/other/ssl >>$workingdir/error_logs/fog_error_${version}.log 2>&1
 cp -f "$serverCert" $webdirdest/management/other/ssl/srvpublic.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1
 cp -f "$serverKey" $sslpath/.srvprivate.key >>$workingdir/error_logs/fog_error_${version}.log 2>&1
- cp -f "$externalCA" /etc/pki/ca-trust/source/anchors/chain.pem >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ if [[ $osid -eq 2 ]]; then
+ cp -f "$externalCA" /usr/local/share/ca-certificates/chain.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ else
+ cp -f "$externalCA" /etc/pki/ca-trust/source/anchors/chain.crt >>$workingdir/error_logs/fog_error_${version}.log 2>&1
+ fi
 openssl x509 -outform der -in "$externalCA" -out $webdirdest/management/other/ca.cert.der >>$workingdir/error_logs/fog_error_${version}.log 2>&1
 errorStat $?
 else
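Review bot: The new branch installs the operator-supplied CA into the OS-wide trust anchors (`/usr/local/share/ca-certificates` or `/etc/pki/ca-trust/source/anchors`), which makes every TLS client on the host trust that CA, not only Apache's client-certificate verification; the only consumer visible in this series is `SSLCACertificateFile`, so a copy under `$sslpath` referenced from the vhost would limit the blast radius, and if system-wide trust is intended a comment saying so is warranted. `errorStat $?` after the `fi` reports only the openssl conversion, so a failed `cp` in either branch goes unnoticed. Adjacent context: `cp -f "$serverKey" $sslpath/.srvprivate.key` copies the private key without fixing its mode or owner, so it inherits the source file's permissions and the umask; unless done elsewhere, a `chmod 600 "$sslpath/.srvprivate.key"` after the copy belongs here.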
@@ -1791,9 +1757,14 @@ EOF echo " SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >> "$etcconf" echo " SSLHonorCipherOrder On" >> "$etcconf" echo " SSLCertificateFile ${webdirdest}management/other/ssl/srvpublic.crt" >> "$etcconf" - echo " SSLCertificateKeyFile $sslprivkey" >> "$etcconf" + echo " SSLCertificateKeyFile ${sslpath}/.srvprivate.key" >> "$etcconf" + #echo " SSLCertificateKeyFile $sslprivkey" >> "$etcconf" if [ ! -z "$externalCA" ]; then - echo " SSLCACertificateFile /etc/pki/ca-trust/source/anchors/chain.pem" >> "$etcconf" + if [[ $osid -eq 2 ]]; then + echo " SSLCACertificateFile /usr/local/share/ca-certificates/chain.crt" >> "$etcconf" + else + echo " SSLCACertificateFile /etc/pki/ca-trust/source/anchors/chain.crt" >> "$etcconf" + fi else echo " SSLCertificateChainFile $webdirdest/management/other/ca.cert.der" >> "$etcconf" fi @@ -1878,7 +1849,11 @@ EOF ;; esac dots "Starting and checking status of web services" - update-ca-trust + if [[ $osid -eq 2 ]]; then + update-ca-certificates >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + else + trust extract-compat >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + fi case $systemctl in yes) case $osid in 
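Review bot: The -1791 hunk replaces the key-file line but leaves the old one behind as `#echo " SSLCertificateKeyFile $sslprivkey"`; delete the commented-out line rather than leaving dead code in the config generator. The new `SSLCertificateKeyFile ${sslpath}/.srvprivate.key` hard-codes the destination used by the createSSLCA copy, so the two must stay in sync; a comment `# must match the key copy destination in createSSLCA` on the line makes that explicit. In the (context) else branch `SSLCertificateChainFile` points at `ca.cert.der`, while mod_ssl expects PEM-encoded files for that directive — worth confirming that branch is ever reached with the DER file.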
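Review bot: The -1878 hunk runs `update-ca-certificates` / `trust extract-compat` with output sent to the error log but no status check, so a failed trust-store refresh silently leaves the previous anchors in place while the vhost already references the new chain file; the file's convention is `errorStat $?` after such steps and it is missing here. The call also sits under the `dots "Starting and checking status of web services"` heading, so any failure would be attributed to the wrong step; give it its own `dots "Updating system CA trust"` before the `if`.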
@@ -2070,7 +2045,11 @@ configureHttpd() { fi dots "Copying new files to web folder" cp -Rf $webdirsrc/* $webdirdest/ - cp -f $webdirsrc/index.php /var/www/html/ + if [[ $osid -eq 2 ]]; then + cp -f $webdirsrc/index.php /var/www/ + else + cp -f $webdirsrc/index.php /var/www/html/ + fi errorStat $? for i in $(find $backupPath/fog_web_${version}.BACKUP/management/other/ -maxdepth 1 -type f -not -name gpl-3.0.txt -a -not -name index.php -a -not -name 'ca.*' 2>>$workingdir/error_logs/fog_error_${version}.log); do cp -Rf $i ${webdirdest}/management/other/ >>$workingdir/error_logs/fog_error_${version}.log 2>&1 From b29588be7eee46e2719b24eea257b1b269a40545 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Thu, 16 Jan 2020 10:40:40 -0500 Subject: [PATCH 14/15] Add files via upload --- packages/web/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/web/index.php b/packages/web/index.php index c9716867ad..56d0e04e30 100644 --- a/packages/web/index.php +++ b/packages/web/index.php @@ -19,5 +19,5 @@ * @license http://opensource.org/licenses/gpl-3.0 GPLv3 * @link https://fogproject.org */ -header('Location: /fog/management/index.php'); +header('Location: ./management/index.php'); exit; From 16a2e07ac9c39da0a996348b0981cf5841c8d6e7 Mon Sep 17 00:00:00 2001 From: Ty9000 <58993020+Ty9000@users.noreply.github.com> Date: Thu, 16 Jan 2020 10:41:04 -0500 Subject: [PATCH 15/15] Add files via upload --- lib/common/functions.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/lib/common/functions.sh b/lib/common/functions.sh index bff02e973e..0cb3574382 100755 --- a/lib/common/functions.sh +++ b/lib/common/functions.sh 
@@ -36,7 +36,7 @@ registerStorageNode() {
 if [[ $storageNodeExists != exists ]]; then
 [[ -z $maxClients ]] && maxClients=10
 dots "Node being registered"
- wget --no-check-certificate -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified"
+ wget --no-check-certificate -qO - $httpproto://$ipaddress/${webroot}/maintenance/create_update_node.php --post-data="newNode&name=$(echo -n $ipaddress| base64)&path=$(echo -n $storageLocation|base64)&ftppath=$(echo -n $storageLocation|base64)&snapinpath=$(echo -n $snapindir|base64)&sslpath=$(echo -n $sslpath|base64)&ip=$(echo -n $ipaddress|base64)&maxClients=$(echo -n $maxClients|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&interface=$(echo -n $interface|base64)&bandwidth=$(echo -n $interface|base64)&webroot=$(echo -n $webroot|base64)&fogverified"
 echo "Done"
 else
 echo " * Node is registered"
@@ -46,14 +46,13 @@ updateStorageNodeCredentials() { [[ -z $webroot ]] && webroot="/" dots "Ensuring node username and passwords match" wget --no-check-certificate -qO - $httpproto://$ipaddress${webroot}maintenance/create_update_node.php --post-data="nodePass&ip=$(echo -n $ipaddress|base64)&user=$(echo -n $username|base64)&pass=$(echo -n $password|base64)&fogverified" - fi echo "Done" } backupDB() { dots "Backing up database" if [[ -d $backupPath/fog_web_${version}.BACKUP ]]; then [[ ! -d $backupPath/fogDBbackups ]] && mkdir -p $backupPath/fogDBbackups >>$workingdir/error_logs/fog_error_${version}.log 2>&1 - wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + wget --no-check-certificate -O $backupPath/fogDBbackups/fog_sql_${version}_$(date +"%Y%m%d_%I%M%S").sql "${httpproto}://$hostname/$webroot/maintenance/backup_db.php" --post-data="type=sql&fogajaxonly=1" >>$workingdir/error_logs/fog_error_${version}.log 2>&1 fi errorStat $? } @@ -64,7 +63,7 @@ updateDB() { local replace='s/[]"\/$&*.^|[]/\\&/g' local escstorageLocation=$(echo $storageLocation | sed -e $replace) sed -i -e "s/'\/images\/'/'$escstorageLocation'/g" $webdirdest/commons/schema.php - wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1 + wget --no-check-certificate -qO - --post-data="confirm&fogverified" --no-proxy ${httpproto}://${ipaddress}/${webroot}management/index.php?node=schema >>$workingdir/error_logs/fog_error_${version}.log 2>&1 errorStat $? ;; *) 
@@ -418,7 +417,7 @@ configureFTP() { } configureDefaultiPXEfile() { [[ -z $webroot ]] && webroot='/' - echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain http://${hostname}/fog/service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" + echo -e "#!ipxe\ncpuid --ext 29 && set arch x86_64 || set arch \${buildarch}\nparams\nparam mac0 \${net0/mac}\nparam arch \${arch}\nparam platform \${platform}\nparam product \${product}\nparam manufacturer \${product}\nparam ipxever \${version}\nparam filename \$(unknown)\nparam sysuuid \${uuid}\nisset \${net1/mac} && param mac1 \${net1/mac} || goto bootme\nisset \${net2/mac} && param mac2 \${net2/mac} || goto bootme\n:bootme\nchain ${httpproto}://${ipaddress}/fog/service/ipxe/boot.php##params" > "$tftpdirdst/default.ipxe" } configureTFTPandPXE() { [[ -d ${tftpdirdst}.prev ]] && rm -rf ${tftpdirdst}.prev >>$workingdir/error_logs/fog_error_${version}.log 2>&1 @@ -1729,8 +1728,8 @@ EOF echo " SetHandler \"proxy:fcgi://127.0.0.1:9000/\"" >> "$etcconf" fi echo " " >> "$etcconf" - echo " ServerName $hostname" >> "$etcconf" - echo " ServerAlias $ipaddress" >> "$etcconf" + echo " ServerName $ipaddress" >> "$etcconf" + echo " ServerAlias $hostname" >> "$etcconf" echo " RewriteEngine On" >> "$etcconf" echo " RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)" >> "$etcconf" echo " RewriteRule .* - [F]" >> "$etcconf" @@ -2143,7 +2142,7 @@ class Config */ private static function _initSetting() { - define('TFTP_HOST', \"${hostname}\"); + define('TFTP_HOST', \"${ipaddress}\"); define('TFTP_FTP_USERNAME', \"${username}\"); define( 'TFTP_FTP_PASSWORD',
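Review bot: The configureDefaultiPXEfile hunk switches the chain URL to `${httpproto}://${ipaddress}/...`, and the -1729 hunk makes `$ipaddress` the Apache `ServerName` with the hostname demoted to `ServerAlias`; if the server certificate is issued for the hostname rather than the address, then with `httpproto` set to https both iPXE clients and browsers reaching the server by IP get a name mismatch, and iPXE additionally needs HTTPS support and a trust root built in, which nothing in this series shows. If the address form is deliberate, a comment on the chain line explaining why it prefers `${ipaddress}` over `${hostname}` would help; otherwise keep `${hostname}` for the https case. The Config hunk at the end of this line is cut off and is not reviewed here.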