kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

adding ssl.conf for apache + updateTrigger() when a new cert arrives to update sub_domaines

This commit is contained in:
Benjamin Sonntag 2015-02-13 11:38:27 +01:00
parent 73b41264f1
commit 5a0280607f
5 changed files with 164 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
debian/alternc-ssl.dirs vendored
View File

@ -1,4 +1,4 @@
etc/alternc/templates/apache2 etc/alternc/templates/apache2/mods-available
etc/apache2/conf.d etc/apache2/conf.d
usr/lib/alternc/install.d usr/lib/alternc/install.d
usr/share/alternc/install usr/share/alternc/install

14
ssl/alternc-ssl.install.php
View File

@ -5,11 +5,17 @@
synchronize the required domain templates with the current install synchronize the required domain templates with the current install
(do they have php52, roundcube, squirrelmail, etc.?) (do they have php52, roundcube, squirrelmail, etc.?)
*/ */
if ($argv[1] == "templates") {
// install ssl.conf
echo "[alternc-ssl] Installing ssl.conf template\n";
copy("/etc/alternc/templates/apache2/mods-available/ssl.conf","/etc/apache2/mods-available/ssl.conf");
}
if ($argv[1] == "before-reload") { if ($argv[1] == "before-reload") {
// Bootstrap // Bootstrap
require_once("/usr/share/alternc/panel/class/config_nochk.php"); require_once("/usr/share/alternc/panel/class/config_nochk.php");
echo "[alternc-ssl] Installing domaines-types\n";
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES $db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('vhost-ssl', 'Locally hosted forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);"); ('vhost-ssl', 'Locally hosted forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);");
@ -19,7 +25,7 @@ if ($argv[1] == "before-reload") {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES $db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('panel-ssl', 'AlternC panel access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'ip,ipv6,cname,txt,mx,mx2,defmx,defmx2', 'ALL', 0, 0, 1);"); ('panel-ssl', 'AlternC panel access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'ip,ipv6,cname,txt,mx,mx2,defmx,defmx2', 'ALL', 0, 0, 1);");
$db - query("SELECT * FROM domaines_type WHERE name='roundcube';"); $db->query("SELECT * FROM domaines_type WHERE name='roundcube';");
if ($db->next_record()) { if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES $db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('roundcube-ssl', 'Roundcube Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1;"); ('roundcube-ssl', 'Roundcube Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1;");
@ -28,7 +34,7 @@ if ($argv[1] == "before-reload") {
$db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='roundcube-ssl';"); $db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='roundcube-ssl';");
} }
$db - query("SELECT * FROM domaines_type WHERE name='squirrelmail';"); $db->query("SELECT * FROM domaines_type WHERE name='squirrelmail';");
if ($db->next_record()) { if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES $db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('squirrelmail-ssl', 'Squirrelmail Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1);"); ('squirrelmail-ssl', 'Squirrelmail Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1);");
@ -37,7 +43,7 @@ if ($argv[1] == "before-reload") {
$db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='squirrelmail-ssl';"); $db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='squirrelmail-ssl';");
} }
$db - query("SELECT * FROM domaines_type WHERE name='php52';"); $db->query("SELECT * FROM domaines_type WHERE name='php52';");
if ($db->next_record()) { if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES $db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('php52-ssl', 'php52 forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);"); ('php52-ssl', 'php52 forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);");
@ -69,6 +75,4 @@ if ($argv[1] == "before-reload") {
fclose($f); fclose($f);
} }
} }
} // before-reload } // before-reload

4
ssl/hosting_vhost-ssl.sh
View File

@ -30,7 +30,7 @@ if ( ($argv[1]=="create" || $argv[1]=="postinst" || $argv[1]=="delete") ) {
print_r($argv); print_r($argv);
exit(); exit();
} }
$ssl->update_domain($argv[1], $argv[2], $argv[3], $argv[4]); $ssl->updateDomain($argv[1], $argv[2], $argv[3], $argv[4]);
exit(); exit();
} }
if ( ($argv[1]=="enable" || $argv[1]=="disable") ) { if ( ($argv[1]=="enable" || $argv[1]=="disable") ) {
@ -39,7 +39,7 @@ if ( ($argv[1]=="enable" || $argv[1]=="disable") ) {
print_r($argv); print_r($argv);
exit(); exit();
} }
$ssl->update_domain($argv[1], $argv[2], $argv[3] ); $ssl->updateDomain($argv[1], $argv[2], $argv[3] );
exit(); exit();
} }

33
ssl/panel/class/m_ssl.php
View File

@ -44,7 +44,7 @@ class m_ssl {
const FILTER_SHARED = 8; const FILTER_SHARED = 8;
const SSL_INCRON_FILE = "/var/run/alternc/ssl/generate_certif_alias"; const SSL_INCRON_FILE = "/var/run/alternc/ssl/generate_certif_alias";
var $myDomainesTypes = array("vhost-ssl", "url-ssl", "panel-ssl", "roundcube-ssl", "squirrelmail-ssl"); var $myDomainesTypes = array("vhost-ssl", "vhost-mixssl", "panel-ssl", "roundcube-ssl", "squirrelmail-ssl","php52-ssl","php52-mixssl");
const KEY_REPOSITORY = "/var/lib/alternc/ssl/private"; const KEY_REPOSITORY = "/var/lib/alternc/ssl/private";
@ -222,13 +222,14 @@ class m_ssl {
global $db, $err, $cuid; global $db, $err, $cuid;
$err->log("ssl", "share"); $err->log("ssl", "share");
$id = intval($id); $id = intval($id);
$db->query("SELECT id FROM certificates WHERE uid='$cuid' AND status=" . self::STATUS_OK . " AND id='$id';"); $db->query("SELECT * FROM certificates WHERE uid='$cuid' AND status=" . self::STATUS_OK . " AND id='$id';");
if (!$db->next_record()) { if (!$db->next_record()) {
$err->raise("ssl", _("Can't find this Certifcate")); $err->raise("ssl", _("Can't find this Certifcate"));
return false; return false;
} }
if ($action) { if ($action) {
$action = 1; $action = 1;
$this->updateTrigger($db->Record["fqdn"],$db->Record["altnames"]);
} else { } else {
$action = 0; $action = 0;
} }
@ -306,6 +307,7 @@ class m_ssl {
$err->raise("ssl", _("Can't save the Key/Crt/Chain now. Please try later.")); $err->raise("ssl", _("Can't save the Key/Crt/Chain now. Please try later."));
return false; return false;
} }
$this->updateTrigger($fqdn,$altnames);
return $id; return $id;
} }
@ -342,6 +344,7 @@ class m_ssl {
$err->raise("ssl", _("Can't save the Crt/Chain now. Please try later.")); $err->raise("ssl", _("Can't save the Crt/Chain now. Please try later."));
return false; return false;
} }
$this->updateTrigger($fqdn,$altnames);
return $certid; return $certid;
} }
@ -374,6 +377,24 @@ class m_ssl {
return $q; return $q;
} }
// -----------------------------------------------------------------
/** Launched by functions in this class
* when a certificate is validated, expired or shared.
* so that existing vhost using expired or self-signed certificates
* may have the chance to use a proper one automagically
* @param string $fqdn the FQDN of the certificate
* @param string $altnames any alternative names this certificate may have.
*/
public function updateTrigger($fqdn, $altnames = "") {
global $db;
$fqdns = array($fqdn);
$an = explode("\n", $altnames);
foreach ($an as $a)
if (trim($a))
$fqdns[] = trim($a);
$db->query("UPDATE sub_domaines SET web_action='UPDATE' WHERE if(LENGTH(sub)>0,CONCAT(sub,'.',domaine),domaine) IN ('" . implode("','", $fqdns) . "');");
}
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Launched by hosting_functions.sh launched by update_domaines.sh /** Launched by hosting_functions.sh launched by update_domaines.sh
* Action may be create/postinst/delete/enable/disable * Action may be create/postinst/delete/enable/disable
@ -381,7 +402,7 @@ class m_ssl {
* An algorithm determine the best possible certificate, which may be a BAD one * An algorithm determine the best possible certificate, which may be a BAD one
* (like a generic admin-shared or self-signed for localhost as a last chance) * (like a generic admin-shared or self-signed for localhost as a last chance)
*/ */
public function update_domain($action, $type, $fqdn, $mail = 0, $value = "") { public function updateDomain($action, $type, $fqdn, $mail = 0, $value = "") {
global $db, $err; global $db, $err;
$err->log("ssl", "update_domain($action,$type,$fqdn)"); $err->log("ssl", "update_domain($action,$type,$fqdn)");
if (!in_array($type, $this->myDomainesTypes)) { if (!in_array($type, $this->myDomainesTypes)) {
@ -408,8 +429,6 @@ class m_ssl {
// found and $db point to it: // found and $db point to it:
$subdom = $db->Record; $subdom = $db->Record;
$TARGET_FILE = "/var/lib/alternc/apache-vhost/" . substr($subdom["compte"], -1) . "/" . $subdom["compte"] . "/" . $fqdn . ".conf"; $TARGET_FILE = "/var/lib/alternc/apache-vhost/" . substr($subdom["compte"], -1) . "/" . $subdom["compte"] . "/" . $fqdn . ".conf";
// DEBUG
echo "TARGET_FILE:".$TARGET_FILE."\n";
$cert = $this->searchBestCert($subdom["compte"], $fqdn); $cert = $this->searchBestCert($subdom["compte"], $fqdn);
// DEBUG echo "Return from searchBestCert(" . $subdom["compte"] . "," . $fqdn . ") is "; print_r($cert); // DEBUG echo "Return from searchBestCert(" . $subdom["compte"] . "," . $fqdn . ") is "; print_r($cert);
// Save crt/key/chain into KEY_REPOSITORY // Save crt/key/chain into KEY_REPOSITORY
@ -433,7 +452,7 @@ class m_ssl {
} // action==create } // action==create
} }
// --------------op--------------------------------------------------- // ----------------------------------------------------------------
/** Search for the best certificate for a user and a fqdn /** Search for the best certificate for a user and a fqdn
* Return a hash with sslcrt, sslkey and maybe sslchain. * Return a hash with sslcrt, sslkey and maybe sslchain.
* return ANYWAY : if necessary, return a newly created (and stored in KEY_REPOSITORY localhost self-signed certificate... * return ANYWAY : if necessary, return a newly created (and stored in KEY_REPOSITORY localhost self-signed certificate...
@ -449,7 +468,7 @@ class m_ssl {
. "AND (fqdn='" . $fqdn . "' OR fqdn='" . $wildcard . "' OR altnames LIKE '%" . $fqdn . "%') " . "AND (fqdn='" . $fqdn . "' OR fqdn='" . $wildcard . "' OR altnames LIKE '%" . $fqdn . "%') "
. "ORDER BY (validstart<=NOW() AND validend>=NOW()) DESC, validstart DESC "); . "ORDER BY (validstart<=NOW() AND validend>=NOW()) DESC, validstart DESC ");
while ($db->next_record()) { while ($db->next_record()) {
if ($db->fqdn == $fqdn) { if ($db->Record["fqdn"] == $fqdn) {
return $db->Record; return $db->Record;
} }
$altnames = explode("\n", $db->Record["altnames"]); $altnames = explode("\n", $db->Record["altnames"]);

91
ssl/ssl.conf Normal file
View File

@ -0,0 +1,91 @@
# ############################################################################
# WARNING : this file is overwritten by alternc.install.
# Edit /etc/alternc/templates/apache2/mods-available/ instead.
# ############################################################################
<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM
# Other possible ciphersuite (requires wheezy-version of apache2 at least)
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
SSLStrictSNIVHostCheck Off
</IfModule>