Commit 30930e15 authored by Franco Fichtner

system: merge webgui pluginification from master

Includes a fix by Alexander Graf for IPv6 SSL cipher configuration.
parent c216d613
......@@ -44,13 +44,4 @@ if /usr/local/etc/rc.d/configd status > /dev/null; then
/usr/local/etc/rc.d/configd restart
fi
echo "Flush Phalcon volt templates"
rm -f /usr/local/opnsense/mvc/app/cache/*.php
echo "Reloading GUI configuration"
/usr/local/etc/rc.php_ini_setup
if pgrep -q php-cgi; then
pkill -HUP php-cgi
fi
/usr/local/etc/rc.configure_firmware
......@@ -53,6 +53,7 @@
/usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
/usr/local/etc/inc/plugins.inc.d/suricata.inc
/usr/local/etc/inc/plugins.inc.d/unbound.inc
/usr/local/etc/inc/plugins.inc.d/webgui.inc
/usr/local/etc/inc/rrd.inc
/usr/local/etc/inc/services.inc
/usr/local/etc/inc/system.inc
......@@ -121,7 +122,6 @@
/usr/local/etc/rc.newwanip
/usr/local/etc/rc.newwanipv6
/usr/local/etc/rc.openvpn
/usr/local/etc/rc.php_ini_setup
/usr/local/etc/rc.reboot
/usr/local/etc/rc.recover
/usr/local/etc/rc.reload_all
......@@ -724,6 +724,10 @@
/usr/local/opnsense/service/templates/OPNsense/Sample/sub2/example_sub2.txt
/usr/local/opnsense/service/templates/OPNsense/Syslog/+TARGETS
/usr/local/opnsense/service/templates/OPNsense/Syslog/newsyslog.conf
/usr/local/opnsense/service/templates/OPNsense/WebGui/+TARGETS
/usr/local/opnsense/service/templates/OPNsense/WebGui/php.etc.ini
/usr/local/opnsense/service/templates/OPNsense/WebGui/php.ini
/usr/local/opnsense/service/templates/OPNsense/WebGui/php.lib.ini
/usr/local/opnsense/service/tests/__init__.py
/usr/local/opnsense/service/tests/config/config.xml
/usr/local/opnsense/service/tests/core.py
......
<?php
/*
* Copyright (C) 2016-2017 Franco Fichtner <franco@opnsense.org>
* Copyright (C) 2004-2007 Scott Ullrich <sullrich@gmail.com>
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
*INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function webgui_configure()
{
return array(
'earlybootup' => array('webgui_configure_do'),
'local' => array('webgui_configure_do'),
);
}
function webgui_configure_do($verbose = false)
{
global $config;
if ($verbose) {
echo 'Starting web GUI...';
flush();
}
chdir('/usr/local/www');
/* defaults */
$portarg = '80';
$crt = '';
$key = '';
$ca = '';
/* non-standard port? */
if (isset($config['system']['webgui']['port']) && $config['system']['webgui']['port'] <> "") {
$portarg = "{$config['system']['webgui']['port']}";
}
if ($config['system']['webgui']['protocol'] == "https") {
$cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
if (!is_array($config['ca'])) {
$config['ca'] = array();
}
$a_ca =& $config['ca'];
if (!is_array($config['cert'])) {
$config['cert'] = array();
}
$a_cert =& $config['cert'];
log_error("Creating SSL certificate for this host");
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = 'Web GUI SSL certificate';
mwexec(
/* XXX ought to be replaced by PHP calls */
'/usr/local/bin/openssl req -new ' .
'-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' .
'-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' .
'-keyout /tmp/ssl.key -out /tmp/ssl.crt'
);
$crt = file_get_contents('/tmp/ssl.crt');
$key = file_get_contents('/tmp/ssl.key');
unlink('/tmp/ssl.key');
unlink('/tmp/ssl.crt');
cert_import($cert, $crt, $key);
$a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config('Created web GUI SSL certificate');
} else {
$crt = base64_decode($cert['crt']);
$key = base64_decode($cert['prv']);
}
if (!$config['system']['webgui']['port']) {
$portarg = '443';
}
$ca = ca_chain($cert);
}
if (webgui_generate_config($portarg, $crt, $key, $ca)) {
/* only stop the frontend when the generation was successful */
killbypid('/var/run/lighty-webConfigurator.pid', 'TERM', true);
/* flush Phalcon volt templates */
foreach (glob('/usr/local/opnsense/mvc/app/cache/*.php') as $filename) {
unlink($filename);
}
/* regenerate the php.ini files in case the setup has changed */
configd_run('template reload OPNsense/WebGui');
/*
* Force reloading all php-cgi children to
* avoid hiccups with moved include files.
*/
killbyname('php-cgi', 'HUP');
/* start lighthttpd */
mwexec('/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf');
}
if ($verbose) {
echo "done.\n";
}
}
function webgui_generate_config($port, $cert, $key, $ca)
{
global $config;
$cert_location = 'cert.pem';
$ca_location = 'ca.pem';
@mkdir('/tmp/lighttpdcompress');
$http_rewrite_rules = <<<EOD
# Phalcon ui and api routing
alias.url += ( "/ui/" => "/usr/local/opnsense/www/" )
alias.url += ( "/api/" => "/usr/local/opnsense/www/" )
url.rewrite-if-not-file = ( "^/ui/([^\?]+)(\?(.*))?" => "/ui/index.php?_url=/$1&$3" ,
"^/api/([^\?]+)(\?(.*))?" => "/api/api.php?_url=/$1&$3"
)
EOD;
$server_upload_dirs = "server.upload-dirs = ( \"/root/\", \"/tmp/\", \"/var/\" )\n";
$server_max_request_size = "server.max-request-size = 2097152";
$cgi_config = "cgi.assign = ( \".cgi\" => \"\" )";
$lighty_port = $port;
if(!isset($config['syslog']['nologlighttpd'])) {
$lighty_use_syslog = <<<EOD
## where to send error-messages to
server.errorlog-use-syslog="enable"
EOD;
}
$fast_cgi_path = "/tmp/php-fastcgi.socket";
$fastcgi_config = <<<EOD
#### fastcgi module
## read fastcgi.txt for more info
fastcgi.server = ( ".php" =>
( "localhost" =>
(
"socket" => "{$fast_cgi_path}",
"max-procs" => 2,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "3",
"PHP_FCGI_MAX_REQUESTS" => "100"
),
"bin-path" => "/usr/local/bin/php-cgi"
)
)
)
EOD;
$lighty_config = <<<EOD
#
# lighttpd configuration file
#
# use a it as base for lighttpd 1.0.0 and above
#
############ Options you really have to take care of ####################
## FreeBSD!
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"
#server.use-ipv6 = "enable"
## modules to load
server.modules = ( "mod_access", "mod_expire", "mod_compress", "mod_redirect",
"mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite"
)
server.max-keep-alive-requests = 15
server.max-keep-alive-idle = 30
## a static document-root, for virtual-hosting take look at the
## server.virtual-* options
server.document-root = "/usr/local/www/"
{$http_rewrite_rules}
# Maximum idle time with nothing being written (php downloading)
server.max-write-idle = 999
{$lighty_use_syslog}
# files to check for if .../ is requested
server.indexfiles = ( "index.php", "index.html",
"index.htm", "default.htm" )
# mimetype mapping
mimetype.assign = (
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "audio/x-wav",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".svg" => "image/svg+xml",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar"
)
# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetypes.use-xattr = "enable"
## deny access the file-extensions
#
# ~ is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc" )
######### Options that are good to be but not neccesary to be changed #######
## bind to port (default: 80)
EOD;
$lighty_config .= "server.bind = \"0.0.0.0\"\n";
$lighty_config .= "server.port = {$lighty_port}\n";
$ssl_config = '';
$cert = str_replace("\r", "", $cert);
$key = str_replace("\r", "", $key);
$ca = str_replace("\r", "", $ca);
$cert = str_replace("\n\n", "\n", $cert);
$key = str_replace("\n\n", "\n", $key);
$ca = str_replace("\n\n", "\n", $ca);
if($cert <> "" and $key <> "") {
$fd = fopen("/var/etc/{$cert_location}", "w");
if (!$fd) {
log_error('Error: cannot open cert.pem');
return 0;
}
chmod("/var/etc/{$cert_location}", 0600);
fwrite($fd, $cert);
fwrite($fd, "\n");
fwrite($fd, $key);
fclose($fd);
if(!(empty($ca) || (strlen(trim($ca)) == 0))) {
$fd = fopen("/var/etc/{$ca_location}", "w");
if (!$fd) {
log_error('Error: cannot open ca.pem');
return 0;
}
chmod("/var/etc/{$ca_location}", 0600);
fwrite($fd, $ca);
fclose($fd);
}
$ssl_config = "\n";
$ssl_config .= "## ssl configuration\n";
$ssl_config .= "ssl.engine = \"enable\"\n";
$ssl_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n";
// Harden SSL a bit for PCI conformance testing
$ssl_config .= "ssl.use-sslv2 = \"disable\"\n";
if (empty($config['system']['webgui']['ssl-ciphers'])) {
$ssl_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;
} else {
$ssl_config .= 'ssl.cipher-list = "'.$config['system']['webgui']['ssl-ciphers'].'"' . PHP_EOL;
}
if(!(empty($ca) || (strlen(trim($ca)) == 0))) {
$ssl_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
}
}
$lighty_config .= "\$SERVER[\"socket\"] == \"[::]:{$lighty_port}\" {\n";
/* address a bug in IPv6 handling */
if ($config['system']['webgui']['protocol'] == "https") {
$lighty_config .= $ssl_config;
}
$lighty_config .= "}\n\n";
$lighty_config .= "\$SERVER[\"socket\"] == \"0.0.0.0:{$lighty_port}\" { }\n";
if ($config['system']['webgui']['protocol'] == "https") {
$lighty_config .= $ssl_config;
}
$lighty_config .= <<<EOD
## error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"
## to help the rc.scripts
server.pid-file = "/var/run/lighty-webConfigurator.pid"
## virtual directory listings
server.dir-listing = "disable"
## enable debugging
debug.log-request-header = "disable"
debug.log-response-header = "disable"
debug.log-request-handling = "disable"
debug.log-file-not-found = "disable"
# gzip compression
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" )
{$server_upload_dirs}
{$server_max_request_size}
{$fastcgi_config}
{$cgi_config}
expire.url = (
"" => "access 50 hours",
)
EOD;
// Add HTTP to HTTPS redirect
if ($config['system']['webgui']['protocol'] == "https" && !isset($config['system']['webgui']['disablehttpredirect'])) {
if($lighty_port != "443") {
$redirectport = ":{$lighty_port}";
} else {
$redirectport = "";
}
$lighty_config .= <<<EOD
\$SERVER["socket"] == ":80" {
\$HTTP["host"] =~ "(.*)" {
url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
}
}
\$SERVER["socket"] == "[::]:80" {
\$HTTP["host"] =~ "(.*)" {
url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
}
}
EOD;
}
if (false === file_put_contents('/var/etc/lighty-webConfigurator.conf', $lighty_config)) {
log_error('Error: cannot write configuration');
return 0;
}
return 1;
}
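Review bot: When the protocol is https but `$ssl_config` is still empty (the cert or key came back blank), the two `$lighty_config .= $ssl_config;` appends below `/* address a bug in IPv6 handling */` add nothing, so the generated config listens on the HTTPS port with `ssl.engine` never enabled, serves the GUI in cleartext there, and `webgui_generate_config` still returns 1. The self-signed bootstrap in `webgui_configure_do` effectively only runs when `lookup_cert` returns a non-array, so a referenced certificate entry with an empty `crt` or `prv` reaches this path through the `base64_decode` branch. A guard before the socket blocks, `if ($config['system']['webgui']['protocol'] == "https" && $ssl_config == '') { log_error('Error: HTTPS configured but no usable certificate/key'); return 0; }`, refuses to write the downgraded config; at first boot that would mean no GUI, so the project may instead prefer falling through to the bootstrap, but either way the silent downgrade should not stay. In the same block, `ssl.use-sslv2 = "disable"` leaves SSLv3 on; lighttpd also accepts `ssl.use-sslv3 = "disable"`. The function's 1-on-success/0-on-failure return is the inverse of the removed `system_generate_lighty_config` and deserves a short docblock saying so.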
......@@ -905,95 +905,6 @@ function system_clear_clog($logfile, $restart_syslogd = true)
}
}
function system_webgui_configure($verbose = false)
{
global $config;
if ($verbose) {
echo 'Starting web GUI...';
flush();
}
chdir('/usr/local/www');
/* defaults */
$portarg = "80";
$crt = "";
$key = "";
$ca = "";
/* non-standard port? */
if (isset($config['system']['webgui']['port']) && $config['system']['webgui']['port'] <> "") {
$portarg = "{$config['system']['webgui']['port']}";
}
if ($config['system']['webgui']['protocol'] == "https") {
$cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
if (!is_array($config['ca'])) {
$config['ca'] = array();
}
$a_ca =& $config['ca'];
if (!is_array($config['cert'])) {
$config['cert'] = array();
}
$a_cert =& $config['cert'];
log_error("Creating SSL certificate for this host");
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = 'Web GUI SSL certificate';
mwexec(
/* XXX ought to be replaced by PHP calls */
'/usr/local/bin/openssl req -new ' .
'-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' .
'-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' .
'-keyout /tmp/ssl.key -out /tmp/ssl.crt'
);
$crt = file_get_contents('/tmp/ssl.crt');
$key = file_get_contents('/tmp/ssl.key');
unlink('/tmp/ssl.key');
unlink('/tmp/ssl.crt');
cert_import($cert, $crt, $key);
$a_cert[] = $cert;
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config('Created web GUI SSL certificate');
} else {
$crt = base64_decode($cert['crt']);
$key = base64_decode($cert['prv']);
}
if (!$config['system']['webgui']['port']) {
$portarg = '443';
}
$ca = ca_chain($cert);
}
/* generate lighttpd configuration */
system_generate_lighty_config("/var/etc/lighty-webConfigurator.conf",
$crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/",
"cert.pem", "ca.pem");
killbypid('/var/run/lighty-webConfigurator.pid', 'TERM', true);
/*
* Force reloading all php-cgi children to
* avoid hiccups with moved include files.
*/
killbyname('php-cgi', 'HUP');
/* regenerate the php.ini files in case the setup has changed */
mwexec('/usr/local/etc/rc.php_ini_setup');
/* start lighthttpd */
mwexec('/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf');
if ($verbose) {
echo "done.\n";
}
}
/*
* get_memory()
* returns an array listing the amount of
......@@ -1008,352 +919,6 @@ function get_memory() {
return array(($physmem/1048576),($realmem/1048576));
}
function system_generate_lighty_config(
$filename,
$cert,
$key,
$ca,
$pid_file,
$port = 80,
$document_root = '/usr/local/www/',
$cert_location = 'cert.pem',
$ca_location = 'ca.pem')
{
global $config;
@mkdir('/tmp/lighttpdcompress');
$http_rewrite_rules = <<<EOD
# Phalcon ui and api routing
alias.url += ( "/ui/" => "/usr/local/opnsense/www/" )
alias.url += ( "/api/" => "/usr/local/opnsense/www/" )
url.rewrite-if-not-file = ( "^/ui/([^\?]+)(\?(.*))?" => "/ui/index.php?_url=/$1&$3" ,
"^/api/([^\?]+)(\?(.*))?" => "/api/api.php?_url=/$1&$3"
)
EOD;
$server_upload_dirs = "server.upload-dirs = ( \"/root/\", \"/tmp/\", \"/var/\" )\n";
$server_max_request_size = "server.max-request-size = 2097152";
$cgi_config = "cgi.assign = ( \".cgi\" => \"\" )";
if (empty($port)) {
$lighty_port = "80";
} else {
$lighty_port = $port;
}
if(!isset($config['syslog']['nologlighttpd'])) {
$lighty_use_syslog = <<<EOD
## where to send error-messages to
server.errorlog-use-syslog="enable"
EOD;
}
$fast_cgi_path = "/tmp/php-fastcgi.socket";
$fastcgi_config = <<<EOD
#### fastcgi module
## read fastcgi.txt for more info
fastcgi.server = ( ".php" =>
( "localhost" =>
(
"socket" => "{$fast_cgi_path}",
"max-procs" => 2,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "3",
"PHP_FCGI_MAX_REQUESTS" => "100"
),
"bin-path" => "/usr/local/bin/php-cgi"
)
)
)
EOD;
$lighty_config = <<<EOD
#
# lighttpd configuration file
#
# use a it as base for lighttpd 1.0.0 and above
#
############ Options you really have to take care of ####################
## FreeBSD!
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"
#server.use-ipv6 = "enable"
## modules to load
server.modules = ( "mod_access", "mod_expire", "mod_compress", "mod_redirect",
"mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite"
)
server.max-keep-alive-requests = 15
server.max-keep-alive-idle = 30
## a static document-root, for virtual-hosting take look at the
## server.virtual-* options
server.document-root = "{$document_root}"
{$http_rewrite_rules}
# Maximum idle time with nothing being written (php downloading)
server.max-write-idle = 999
{$lighty_use_syslog}
# files to check for if .../ is requested
server.indexfiles = ( "index.php", "index.html",
"index.htm", "default.htm" )
# mimetype mapping
mimetype.assign = (
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "audio/x-wav",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".svg" => "image/svg+xml",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar"
)
# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetypes.use-xattr = "enable"
## deny access the file-extensions
#
# ~ is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc" )
######### Options that are good to be but not neccesary to be changed #######
## bind to port (default: 80)
EOD;
$lighty_config .= "server.bind = \"0.0.0.0\"\n";
$lighty_config .= "server.port = {$lighty_port}\n";
$lighty_config .= "\$SERVER[\"socket\"] == \"0.0.0.0:{$lighty_port}\" { }\n";
$lighty_config .= "\$SERVER[\"socket\"] == \"[::]:{$lighty_port}\" { \n";
if($cert <> "" and $key <> "") {
$lighty_config .= "\n";
$lighty_config .= "## ssl configuration\n";
$lighty_config .= "ssl.engine = \"enable\"\n";
$lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n";
if($ca <> "") {
$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
}
}
$lighty_config .= " }\n";
$lighty_config .= <<<EOD
## error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"
## to help the rc.scripts
server.pid-file = "/var/run/{$pid_file}"
## virtual directory listings
server.dir-listing = "disable"
## enable debugging
debug.log-request-header = "disable"
debug.log-response-header = "disable"
debug.log-request-handling = "disable"
debug.log-file-not-found = "disable"
# gzip compression
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" )
{$server_upload_dirs}
{$server_max_request_size}
{$fastcgi_config}
{$cgi_config}
expire.url = (
"" => "access 50 hours",
)
EOD;
$cert = str_replace("\r", "", $cert);
$key = str_replace("\r", "", $key);
$ca = str_replace("\r", "", $ca);
$cert = str_replace("\n\n", "\n", $cert);
$key = str_replace("\n\n", "\n", $key);
$ca = str_replace("\n\n", "\n", $ca);
if($cert <> "" and $key <> "") {
$fd = fopen("/var/etc/{$cert_location}", "w");
if (!$fd) {
log_error('Error: cannot open cert.pem in system_webgui_configure()');
return 1;
}
chmod("/var/etc/{$cert_location}", 0600);
fwrite($fd, $cert);
fwrite($fd, "\n");
fwrite($fd, $key);
fclose($fd);
if(!(empty($ca) || (strlen(trim($ca)) == 0))) {
$fd = fopen("/var/etc/{$ca_location}", "w");
if (!$fd) {
log_error('Error: cannot open ca.pem in system_webgui_configure()');
return 1;
}
chmod("/var/etc/{$ca_location}", 0600);
fwrite($fd, $ca);
fclose($fd);
}
$lighty_config .= "\n";
$lighty_config .= "## ssl configuration\n";
$lighty_config .= "ssl.engine = \"enable\"\n";
$lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n";
// Harden SSL a bit for PCI conformance testing
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
if (empty($config['system']['webgui']['ssl-ciphers'])) {
$lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;
} else {
$lighty_config .= 'ssl.cipher-list = "'.$config['system']['webgui']['ssl-ciphers'].'"' . PHP_EOL;
}
if(!(empty($ca) || (strlen(trim($ca)) == 0))) {
$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
}
}
// Add HTTP to HTTPS redirect
if ($config['system']['webgui']['protocol'] == "https" && !isset($config['system']['webgui']['disablehttpredirect'])) {
if($lighty_port != "443") {
$redirectport = ":{$lighty_port}";
} else {
$redirectport = "";
}
$lighty_config .= <<<EOD
\$SERVER["socket"] == ":80" {
\$HTTP["host"] =~ "(.*)" {
url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
}
}
\$SERVER["socket"] == "[::]:80" {
\$HTTP["host"] =~ "(.*)" {
url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
}
}
EOD;
}
$fd = fopen("{$filename}", "w");
if (!$fd) {
log_error(sprintf('Error: cannot open %s in system_webgui_configure()', $filename));
return 1;
}
fwrite($fd, $lighty_config);
fclose($fd);
return 0;
}
function system_firmware_configure($verbose = false)
{
global $config;
if ($verbose) {
echo 'Writing firmware setting...';
flush();
}
/* rewrite the config via the defaults */
$origin_conf = '/usr/local/etc/pkg/repos/origin.conf';
copy("${origin_conf}.sample", $origin_conf);
if (!empty($config['system']['firmware']['mirror'])) {
mwexecf(
'/usr/local/sbin/opnsense-update %s %s',
array('-sm', str_replace('/', '\/', $config['system']['firmware']['mirror']))
);
}
if (!empty($config['system']['firmware']['flavour'])) {
$osabi = '';
switch ($config['system']['firmware']['flavour']) {
case 'libressl':
case 'latest':
/* if this is known flavour we treat it with ABI prefix */
$osabi = trim(file_get_contents('/usr/local/opnsense/version/opnsense.abi')) . '/';
break;
default:
break;
}
mwexecf(
'/usr/local/sbin/opnsense-update %s %s',
array('-sn', str_replace('/', '\/', $osabi . $config['system']['firmware']['flavour']))
);
}
if ($verbose) {
echo "done.\n";
}
}
function system_timezone_configure($verbose = false)
{
global $config;
......
......@@ -231,9 +231,6 @@ echo "done."
# Recreate capabilities DB
/usr/bin/cap_mkdb /etc/login.conf
# Set up the correct php.ini content
/usr/local/etc/rc.php_ini_setup
# Execute the early syshook / plugin commands
/usr/local/etc/rc.syshook early
......
......@@ -103,7 +103,6 @@ system_resolvconf_generate(true);
filter_configure_sync(true);
filter_pflog_start(true);
setup_gateways_monitor(true);
system_webgui_configure(true);
plugins_configure('earlybootup', true);
system_cron_configure(true, true);
system_routing_configure('', true);
......
#!/bin/sh
# Copyright (C) 2014-2017 Franco Fichtner <franco@opnsense.org>
# Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
PHP_INI=$(mktemp -q /tmp/php_ini.XXXXXX)
chmod 644 ${PHP_INI}
# Fetch the timezone from the XML and set it here
TIMEZONE=Etc/UTC
if [ -f /conf/config.xml ]; then
TIMEZONE=`cat /conf/config.xml | egrep -E '<timezone>(.*?)</timezone>' | awk -F'>' '{print $2}'|awk -F'<' '{print $1}'`
fi
# Get a loaded module list in the stock php
# Populate a dummy php.ini to avoid
# the file being clobbered and the firewall
# not being able to boot back up.
cat >> ${PHP_INI} << EOF
; File generated via rc.php_ini_setup
output_buffering = "0"
expose_php = Off
implicit_flush = true
magic_quotes_gpc = Off
max_execution_time = 900
max_input_time = 1800
max_input_vars = 5000
memory_limit = 384M
register_argc_argv = On
register_long_arrays = Off
variables_order = "GPCS"
file_uploads = On
upload_tmp_dir = /tmp
upload_max_filesize = 200M
post_max_size = 200M
html_errors = Off
zlib.output_compression = Off
zlib.output_compression_level = 1
include_path = ".:/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/share/pear:/usr/local/opnsense/contrib"
ignore_repeated_errors = on
error_reporting = E_ALL ^ (E_NOTICE | E_DEPRECATED | E_STRICT)
display_errors=on
log_errors=on
error_log=/tmp/PHP_errors.log
date.timezone="${TIMEZONE}"
[xdebug]
xdebug.profiler_enable_trigger = 1
xdebug.profiler_output_name = cachegrind.out.%t.%p
EOF
cp ${PHP_INI} /usr/local/etc/php.ini
cp ${PHP_INI} /usr/local/lib/php.ini
rm ${PHP_INI}
......@@ -42,10 +42,6 @@ if (count($argv) > 1 && is_numeric($argv[1])) {
sleep($argv[1]);
}
log_error("rc.reload_all: Reloading web GUI.");
system_webgui_configure(true);
log_error("rc.reload_all: Reloading all configuration settings.");
system_firmware_configure(true);
......
......@@ -6,11 +6,12 @@ require_once('interfaces.inc');
require_once('rrd.inc');
require_once('util.inc');
require_once('system.inc');
require_once('plugins.inc.d/webgui.inc');
if (count($argv) > 1 && is_numeric($argv[1])) {
// starting delayed.
sleep($argv[1]);
}
system_webgui_configure(true);
webgui_configure_do(true);
rrd_configure(true);
php.etc.ini:/usr/local/etc/php.ini
php.lib.ini:/usr/local/lib/php.ini
; File generated via configd
output_buffering = "0"
expose_php = Off
implicit_flush = true
magic_quotes_gpc = Off
max_execution_time = 900
max_input_time = 1800
max_input_vars = 5000
memory_limit = 384M
register_argc_argv = On
register_long_arrays = Off
variables_order = "GPCS"
file_uploads = On
upload_tmp_dir = /tmp
upload_max_filesize = 200M
post_max_size = 200M
html_errors = Off
zlib.output_compression = {% if system.webgui.compression|default('') != "" %}On{%else%}Off{%endif%}
zlib.output_compression_level = {{system.webgui.compression|default('1')}}
include_path = ".:/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/share/pear:/usr/local/opnsense/contrib"
ignore_repeated_errors = on
error_reporting = E_ALL ^ (E_NOTICE | E_DEPRECATED | E_STRICT)
display_errors=on
log_errors=on
error_log=/tmp/PHP_errors.log
date.timezone="{{system.timezone|default('Etc/UTC')}}"
[xdebug]
xdebug.profiler_enable_trigger = 1
xdebug.profiler_output_name = cachegrind.out.%t.%p
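Review bot: `zlib.output_compression_level = {{system.webgui.compression|default('1')}}` falls back to 1 only when the node is undefined; Jinja2's `default` filter leaves an empty string alone unless its second argument is true, so a saved empty value (the "Off" option) would render `zlib.output_compression_level = ` with no value, assuming the empty string survives the config round-trip. The condition on the line above already treats undefined and empty alike, so the level should too: `zlib.output_compression_level = {{system.webgui.compression|default('1', true)}}`. Separately, `display_errors=on` is carried over from rc.php_ini_setup rather than new, but now that the file is a managed template it is worth deciding whether the GUI should send PHP error details to the browser at all, given `log_errors=on` already records them.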
......@@ -39,6 +39,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
$pconfig['webguiport'] = $config['system']['webgui']['port'];
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
$pconfig['compression'] = isset($config['system']['webgui']['compression']) ? $config['system']['webgui']['compression'] : null;
if (!empty($config['system']['webgui']['ssl-ciphers'])) {
$pconfig['ssl-ciphers'] = explode(':', $config['system']['webgui']['ssl-ciphers']);
} else {
......@@ -98,6 +99,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if ($config['system']['webgui']['protocol'] != $pconfig['webguiproto'] ||
$config['system']['webgui']['port'] != $pconfig['webguiport'] ||
$config['system']['webgui']['ssl-certref'] != $pconfig['ssl-certref'] ||
$config['system']['webgui']['compression'] != $pconfig['compression'] ||
$config['system']['webgui']['ssl-ciphers'] != $newciphers ||
($pconfig['disablehttpredirect'] == "yes") != !empty($config['system']['webgui']['disablehttpredirect'])
) {
......@@ -110,6 +112,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$config['system']['webgui']['port'] = $pconfig['webguiport'];
$config['system']['webgui']['ssl-certref'] = $pconfig['ssl-certref'];
$config['system']['webgui']['ssl-ciphers'] = $newciphers;
$config['system']['webgui']['compression'] = $pconfig['compression'];
if ($pconfig['disablehttpredirect'] == "yes") {
$config['system']['webgui']['disablehttpredirect'] = true;
......@@ -485,6 +488,29 @@ include("head.inc");
</div>
</td>
</tr>
<tr>
<td><a id="help_for_compression" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("WebGui Compression")?></td>
<td width="78%">
<select name="compression" class="formselect selectpicker">
<option value="" <?=empty($pconfig['compression'])? 'selected="selected"' : '';?>>
<?=gettext("Off");?>
</option>
<option value="1" <?=$pconfig['compression'] == "1" ? 'selected="selected"' : '';?>>
<?=gettext("Low");?>
</option>
<option value="5" <?=$pconfig['compression'] == "5" ? 'selected="selected"' : '';?>>
<?=gettext("Medium");?>
</option>
<option value="9" <?=$pconfig['compression'] == "9" ? 'selected="selected"' : '';?>>
<?=gettext("High");?>
</option>
</select>
<div class="hidden" for="help_for_compression">
<?=gettext("Enable compression of webgui pages and dynamic content.");?><br/>
<?=gettext("Transfer less data to the client for an additional cost in processing power.");?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_nohttpreferercheck" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("HTTP_REFERER enforcement"); ?></td>
<td>
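Review bot: `$config['system']['webgui']['compression'] = $pconfig['compression'];` stores the POSTed value without checking it against the values the new select offers ('', '1', '5', '9'), and the WebGui php.ini template renders it verbatim into `zlib.output_compression_level`. The comparison `$config['system']['webgui']['compression'] != $pconfig['compression'] ||` in the earlier hunk only decides whether a restart is needed, so it does not constrain the value either. A check alongside the page's other POST validation, `if (!in_array($pconfig['compression'], array('', '1', '5', '9'), true)) { /* record a validation error and skip the save */ }`, placed before the assignment would close that; the validation block itself is outside these hunks.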
......