authorSimon Rettberg2020-12-17 15:08:14 +0100
committerSimon Rettberg2020-12-17 15:08:14 +0100
commitb5c3eb9e01b09367935f558a57633b68a65a1a21 (patch)
treeb6c322f3089192124779b9d7a29c8365eb39533f /satellit_installer/static_files/lighttpd
parent[SSPS] slx-cert: Put hostname in SAN too, chromium requires this (diff)
[SSPS] Refactor static_files: Submodules with tree
Add submodules (aka directories) to static_files, named according to what component they are for. Add function "install_files" to copy the contents of one of those modules to the root directory. This should make the resulting setup more obvious and require less manual copying of files everywhere.
Diffstat (limited to 'satellit_installer/static_files/lighttpd')
-rw-r--r--satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf54
-rw-r--r--satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf2
-rwxr-xr-xsatellit_installer/static_files/lighttpd/opt/openslx/slx-cert232
-rwxr-xr-xsatellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren23
-rwxr-xr-xsatellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh80
-rwxr-xr-xsatellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh16
6 files changed, 407 insertions, 0 deletions
diff --git a/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf
new file mode 100644
index 0000000..0ae7c9d
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf
@@ -0,0 +1,54 @@
+server.modules = (
+ "mod_access",
+# "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_rewrite",
+# "mod_proxy",
+)
+
+server.document-root = "/srv/openslx/www"
+server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
+server.errorlog = "/var/log/lighttpd/error.log"
+server.pid-file = "/var/run/lighttpd.pid"
+server.username = "www-data"
+server.groupname = "www-data"
+server.port = 80
+server.reject-expect-100-with-417 = "disable"
+
+
+index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
+url.access-deny = ( "~", ".inc" )
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+compress.cache-dir = "/var/cache/lighttpd/compress/"
+compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
+
+# default listening port for IPv6 falls back to the IPv4 port
+include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
+include_shell "/usr/share/lighttpd/create-mime.conf.pl"
+include "/etc/lighttpd/conf-enabled/*.conf"
+# Check if server.pem exists, if so output configuration block for HTTPS
+include_shell "/usr/share/lighttpd/auto-ssl.sh"
+
+url.rewrite-once = (
+ "^/*boot/+([a-z0-9_/-]+)/+config$" => "/slx-admin/api.php?do=getconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\?(.*)$" => "/slx-admin/api.php?$2&do=getconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\.tgz$" => "/slx-admin/api.php?do=sysconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\.tgz\?(.*)$" => "/slx-admin/api.php?$2&do=sysconfig&type=$1",
+ "^/*boot/+ipxe$" => "/slx-admin/api.php?do=serversetup",
+ "^/*boot/+ipxe\?(.*)$" => "/slx-admin/api.php?$1&do=serversetup",
+ "^/*vmchooser/+list[^?]*$" => "/slx-admin/api.php?do=dozmod&resource=list",
+ "^/*vmchooser/+list[^?]*\?(.*)$" => "/slx-admin/api.php?$1&do=dozmod&resource=list",
+ "^/*vmchooser/+lecture/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=vmx&lecture=$1",
+ "^/*vmchooser/+lecture/+([^/]+)/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=$2&lecture=$1",
+ "^/*vmchooser/+([^/]+)$" => "/slx-admin/api.php?do=news&type=$1",
+ "^/panel/([^?]{36})$" => "/slx-admin/?do=locationinfo&show=panel&uuid=$1",
+ "^/panel/([^?]*\.(js|css|png|svg))$" => "/slx-admin/$1",
+ "^/panel/api/([^?]*)$" => "/slx-admin/api.php?$1&do=locationinfo"
+)
+
+# Add support for a conf.d directory -- include /etc/lighttpd/conf.d/*
+# Use this is you want to modify the satellite server, as future updates might overwrite lighttpd.conf
+include_shell "/usr/share/lighttpd/include-conf-d.sh"
+
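Review bot: The comment above `include_shell "/usr/share/lighttpd/auto-ssl.sh"` says the script checks for server.pem and only then outputs the HTTPS block, but the auto-ssl.sh added in this same commit starts `/opt/openslx/slx-cert` and an `openssl dhparam` run, waits for both, and prints the `:443` socket block regardless. Since include_shell runs on every config load, a reader of this file should know that parsing it can generate keys and rewrite files under /etc/ssl/openslx. I would reword the comment to something like `# Runs slx-cert (may create or renew CA and server certs), then emits the :443 HTTPS block`. The conf.d comment further down also has a typo: `Use this is you want` should read `Use this if you want`.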
diff --git a/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf
new file mode 100644
index 0000000..ab7d5f4
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren
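Review bot: `ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren` has no `-` prefix, so a non-zero exit from the helper stops lighttpd from starting, and the helper added in this commit exits 1 when no `??-fastcgi-php.conf` is enabled even though it labels that case a WARNING. If tuning the child count is meant to be best-effort, write `ExecStartPre=-/usr/local/sbin/patch_lighttpd_phpchildren`. If it is meant to be fatal, a one-line comment in the drop-in saying so would help.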
diff --git a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
new file mode 100755
index 0000000..3f5cc3e
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
@@ -0,0 +1,232 @@
+#!/bin/bash
+
+# OpenSLX SSL Certificate management
+
+if ! mkdir "/run/openslx-cert-manager"; then
+ echo "Already in progress."
+ exit 1
+fi
+trap 'rm -rf -- /run/openslx-cert-manager' EXIT
+
+declare -rg BASE="/etc/ssl/openslx"
+declare -rg PRIV="$BASE/private"
+declare -rg CERT="$BASE/cert"
+declare -rg LIGHT="$BASE/lighttpd"
+
+mkdir -p "$BASE" "$PRIV" "$CERT"
+
+chown -R root:root "$BASE" || exit 1
+chmod u+rwx,go+rx-w "$BASE" "$CERT" || exit 1
+chmod u+rwx,go-rwx "$PRIV" || exit 1
+# Before doing anything, make sure we have a CA with enough validity left
+# File name format for ca is:
+# ${PRIV}/ca-FFFFFFFFFF-TTTTTTTTTT.key
+# ${CERT}/ca-TTTTTTTTTT.crt
+# Where TT is the unix timestamp of "validTo" of that cert
+# And FF is the unix timestamp of when we should starting using a CA to
+# sign our certificates. This is for a grace period between CA certs.
+# We deliver a new CA certificate immediately when it was generated, but
+# only start signing server certificates with it after a grace period of
+# 180 days. Any client that rebooted within those 180 days will not run
+# into any certificate issues, but if you wanted to cover that case too
+# you could make it so the client re-downloads trusted CA-certs every
+# couple days.
+
+declare -rg NOW="$( date +%s )"
+# PROD
+declare -rg ca_days="$(( 10 * 365 ))" # 10y
+declare -rg ca_min_remain_s="$(( 400 * 86400 ))" # bit more than 1y
+declare -rg ca_new_expire_ts="$(( ca_days * 86400 + NOW ))"
+declare -rg srv_days=365 # 1y
+declare -rg srv_min_remain_s="$(( 180 * 86400 ))" # half a year
+declare -rg srv_new_ts="$(( srv_days * 86400 + NOW ))"
+# TEST
+#declare -rg ca_days=1825 # 5y
+#declare -rg ca_min_remain_s="$(( 1260 ))" # bit more than 1y
+#declare -rg ca_new_expire_ts="$(( 1320 + NOW ))"
+#declare -rg srv_days=365 # 1y
+#declare -rg srv_min_remain_s="$(( 1200 ))" # half a year
+#declare -rg srv_new_ts="$(( 1230 + NOW ))"
+
+
+get_ts () {
+ ts="${1%.*}"
+ ts="${ts##*/ca-}"
+ ts="${ts##*/srv-}"
+ from="${ts%-*}"
+ if [ "$from" = "$ts" ]; then
+ from=
+ else
+ ts="${ts#*-}"
+ fi
+}
+
+create_conf () {
+ ca_dir="$( mktemp -d /tmp/bwlp-XXXXXXXX )"
+ [ -z "$ca_dir" ] && exit 1
+ mkdir "$ca_dir"/{certs,crl,newcerts,private}
+ touch "$ca_dir"/index.txt
+ ca_config="$ca_dir/openssl.cnf"
+ cp -f "/etc/ssl/openssl.cnf" "$ca_config"
+ cat >> "$ca_config" <<-MYCA
+ [ CA_openslx ]
+ dir = $ca_dir
+ certs = \$dir/certs
+ crl_dir = \$dir/crl
+ database = \$dir/index.txt
+ new_certs_dir = \$dir/newcerts
+ serial = \$dir/serial
+ crl = \$dir/crl.pem
+ x509_extensions = usr_cert
+ name_opt = ca_default
+ cert_opt = ca_default
+ default_md = default
+ preserve = no
+ policy = policy_match
+ MYCA
+}
+
+ca_last=
+for i in "${PRIV}"/ca-??????????.key; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if ! [ -f "${CERT}/ca-${ts}.crt" ] || (( ts < NOW )); then
+ # Missing cert, or expired -> delete
+ rm -f -- "${CERT}/ca-${ts}.crt" "${PRIV}/ca-${ts}.key"
+ continue
+ fi
+ ca_last="$ts"
+done
+
+mknew=
+if [ -z "$ca_last" ] || (( NOW + ca_min_remain_s > ca_last )); then
+ # Make new CA
+ echo "Creating new CA..."
+ openssl req -new -newkey rsa:4096 -x509 -days "$ca_days" -extensions v3_ca \
+ -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=ca-${NOW}.bwlehrpool" \
+ -keyout "${PRIV}/ca-${ca_new_expire_ts}.key" -out "${CERT}/ca-${ca_new_expire_ts}.crt" || exit 2
+ mknew=1
+ #
+ # Create new intermediate, sign with all CAs
+ csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )"
+ # Create request, CA:TRUE
+ echo "Generate intermediate key+CSR..."
+ [ -f "${PRIV}/intermediate.key" ] || openssl genrsa -out "${PRIV}/intermediate.key" 4096
+ openssl req -new -key "${PRIV}/intermediate.key" \
+ -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=intermediate.bwlehrpool" \
+ -out "$csr" || exit 2
+ create_conf
+ # Sign request, CA:TRUE
+ echo "Sign new intermediate key with CA..."
+ openssl ca -config "$ca_config" -extensions v3_ca -create_serial \
+ -policy policy_anything -days "$ca_days" \
+ -cert "${CERT}/ca-${ca_new_expire_ts}.crt" -keyfile "${PRIV}/ca-${ca_new_expire_ts}.key" \
+ -notext -name CA_openslx -batch -out "${CERT}/intermediate-${ca_new_expire_ts}.crt" -in "$csr" || exit 2
+ rm -rf -- "$ca_dir" "$csr"
+fi
+
+if [ -n "$mknew" ]; then
+ # Rebuild config module for clients
+ echo "Updating client config module..."
+ (
+ tmpdir="$( mktemp -d '/tmp/bwlp-XXXXXXX' )"
+ cp -a "${CERT}/"ca-*.crt "$tmpdir/"
+ cd "$tmpdir/" || exit 6
+ openssl rehash .
+ tar -c -k -f "/opt/openslx/configs/modules/self-signed-ca.tar" \
+ --transform 's#^[./][./]*#/opt/openslx/ssl/#' .
+ cd /tmp
+ rm -rf -- "$tmpdir"
+ sudo -u www-data -n php /srv/openslx/www/slx-admin/api.php sysconfig --action rebuild
+ echo "."
+ )
+fi
+
+# Now check the server certificate
+
+declare -a srv_list
+srv_list=()
+for i in "${PRIV}"/srv-??????????.key; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if (( ts < NOW )) || ! [ -f "${CERT}/srv-${ts}.crt" ]; then
+ rm -f -- "$i" "${CERT}/srv-${ts}.crt"
+ continue
+ fi
+ srv_list+=( "$ts" )
+done
+
+if [ -n "$mknew" ] || [ "${#srv_list[@]}" = 0 ] \
+ || [ "$(( NOW + srv_min_remain_s ))" -gt "${srv_list[-1]}" ]; then
+ # Request ServerCert
+ csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )"
+ echo "Generating new Server Certificate. Key+CSR..."
+ rm -f -- "${CERT}"/srv-*.crt "${PRIV}/srv.key.tmp" "${PRIV}"/srv-*.key
+ openssl req -new -nodes -keyout "${PRIV}/srv.key.tmp" -out "$csr" \
+ -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=satellite.bwlehrpool" || exit 4
+ echo "Signing Server Certificate with intermediate..."
+ declare -a in_list
+ in_list=()
+ for i in "${CERT}"/intermediate-??????????.crt; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if (( ts < NOW )); then
+ echo "Expired intermediate $i"
+ rm -f -- "$i"
+ continue
+ fi
+ echo "Have intermediate $i"
+ in_list+=( "$i" )
+ done
+ if [ "${#in_list[@]}" = 0 ]; then
+ echo "ERROR: Have no intermediate certificate"
+ exit 11
+ fi
+ for in_cert in "${in_list[@]}"; do
+ get_ts "$in_cert"
+ (( ts < 30 * 86400 + NOW )) && continue # Expiring in a month, ignore
+ break # Need only one really
+ done
+ echo "Signing with $in_cert"
+ create_conf
+ # Need extfile for SAN, chromium doesn't honor CN anymore
+ cat > "${csr}.cnf" <<-END
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+ subjectAltName = @alt_names
+ [alt_names]
+ DNS.1 = satellite.bwlehrpool
+ END
+ openssl ca -config "$ca_config" -create_serial -policy policy_anything -days "$srv_days" \
+ -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" -extfile "${csr}.cnf" \
+ -notext -name CA_openslx -batch -out "${CERT}/srv-${srv_new_ts}.crt" -in "$csr" || exit 4
+ rm -rf -- "$ca_dir"
+ rm -f -- "$csr" "${csr}.cnf"
+ mv "${PRIV}/srv.key.tmp" "${PRIV}/srv-${srv_new_ts}.key" || exit 5
+ srv_list+=( "$srv_new_ts" )
+
+ # Combine and prepare for lighttpd
+
+ mkdir -p "$LIGHT" || exit 10
+
+ # Combine cert and key, as required by lighttpd
+ echo "Writing out lighttpd PEMs..."
+ cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" || exit 10
+ chmod 0600 "${LIGHT}/server.pem"
+
+ # Create ca-chain
+ cat "${in_list[@]}" > "${LIGHT}/ca-chain.pem"
+
+ if [ "$1" = "--restart" ] || [ -t 0 ]; then
+ echo "Restarting lighttpd..."
+ systemctl restart lighttpd.service
+ fi
+fi
+
+echo "Done."
+exit 0
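Review bot: `cat ... > "${LIGHT}/server.pem"` creates the combined cert and private-key file with the process umask and only tightens it with `chmod 0600` afterwards, and `$LIGHT` sits under `$BASE`, which the script makes world-traversable; on first creation the key can therefore be readable by other local users for a short time unless the caller's umask already prevents it. Create the file restricted from the start, e.g. `( umask 077; cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" ) || exit 10`. Separately, the extfile is written to `"${csr}.cnf"`, a /tmp name that mktemp did not create; since `create_conf` has already made the private `$ca_dir` at that point, writing it to `"$ca_dir/ext.cnf"` avoids relying on a derived name in a shared directory. The header comment's `ca-FFFFFFFFFF-TTTTTTTTTT.key` format also does not match the `ca-??????????.key` glob and the `ca-${ca_new_expire_ts}.key` name actually used.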
diff --git a/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
new file mode 100755
index 0000000..a8e44e5
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Could be written in one line, but for better editing when values change...
+MEM=$(grep ^MemTotal /proc/meminfo | awk '{print $2}') # RAM in KB
+MEM=$(( MEM / 1024 / 4 )) # to MB, and assess a fourth of RAM for PHP
+CHILDREN=$(( MEM / 16 )) # assume 16 MB per child
+# min 16, no more than 128 (inverse logic to handle NaN)
+[ "$CHILDREN" -ge 16 ] || CHILDREN=16
+[ "$CHILDREN" -le 128 ] || CHILDREN=128
+
+## Use ?? in case the ordering changes one day
+file=$(echo /etc/lighttpd/conf-enabled/??-fastcgi-php.conf)
+if [ -f "$file" ]; then
+ sed -i 's/"PHP_FCGI_CHILDREN.*$/"PHP_FCGI_CHILDREN" => "'$CHILDREN'",/' "$file"
+ if ! grep -qF '"PHP_FCGI_CHILDREN" => "'$CHILDREN'"' "$file"; then
+ echo "WARNING: Cannot adjust php cgildren count for fastcgi -- line not found in $file" >&2
+ fi
+else
+ echo "WARNING: Cannot adjust php children count for fastcgi -- file not found" >&2
+ exit 1
+fi
+exit 0
+
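Review bot: `sed -i` on `"$file"` replaces the path with a newly written file, so if the `conf-enabled/??-fastcgi-php.conf` entry is a symlink into conf-available (the usual Debian layout, not visible in this diff), the first service start turns it into a detached regular copy. With GNU sed, `sed -i --follow-symlinks 's/.../' "$file"` edits the link target instead. The glob is also expanded through `$(echo ...)`, so two matching files yield a space-joined string that fails the `-f` test and ends in `exit 1`. The first warning text has a typo, `cgildren`.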
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
new file mode 100755
index 0000000..0f88864
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem"
+declare -rg CHAIN="/etc/lighttpd/chain.pem"
+declare -rg DHPARAM="/etc/lighttpd/dhparam.pem"
+declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
+declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
+declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"
+
+if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
+ openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
+fi
+
+/opt/openslx/slx-cert >&2 &
+
+wait
+
+[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
+readonly INTERNAL_CHAIN
+
+cat <<HEREDOC
+\$SERVER["socket"] == ":443" {
+ protocol = "https://"
+ ssl.engine = "enable"
+ ssl.disable-client-renegotiation = "enable"
+
+ # ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves")
+ ssl.ec-curve = "secp384r1"
+ # Compression is by default off at compile-time, but use if needed
+ # ssl.use-compression = "disable"
+
+ # Environment flag for HTTPS enabled
+ setenv.add-environment = (
+ "HTTPS" => "on"
+ )
+
+ # intermediate configuration, tweak to your needs
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+ ssl.honor-cipher-order = "enable"
+ ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+
+ # pemfile is cert+privkey, ca-file is the intermediate chain in one file
+HEREDOC
+if [ -s "$PUBLIC_BOTH" ]; then
+ echo " ssl.pemfile = \"${PUBLIC_BOTH}\""
+ [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\""
+elif [ -s "$INTERNAL_BOTH" ]; then
+ echo " ssl.pemfile = \"${INTERNAL_BOTH}\""
+ echo " ssl.ca-file = \"${INTERNAL_CHAIN}\""
+fi
+
+[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\""
+
+# VHost for server.bwlehrpool
+if [ -s "${INTERNAL_BOTH}" ]; then
+ cat <<HEREDOC
+ \$HTTP["host"] == "satellite.bwlehrpool" {
+ ssl.pemfile = "${INTERNAL_BOTH}"
+ ssl.ca-file = "${INTERNAL_CHAIN}"
+ }
+HEREDOC
+ #
+fi
+
+echo "}" # End main block
+
+[ -f "$REDIR_FLAG" ] && cat <<"HEREDOC"
+$HTTP["scheme"] == "http" {
+ # capture vhost name with regex condition -> %0 in redirect pattern
+ # must be the most inner block to the redirect rule
+ $HTTP["host"] =~ ".*" {
+ url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
+ url.redirect-code = 302
+ }
+}
+HEREDOC
+
+exit 0
+
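Review bot: The `$SERVER["socket"] == ":443"` block with `ssl.engine = "enable"` is printed unconditionally, while `ssl.pemfile` is only emitted when `$PUBLIC_BOTH` or `$INTERNAL_BOTH` is non-empty, and the exit status of `/opt/openslx/slx-cert` is discarded by the bare `wait`. If certificate generation fails on a fresh install, the generated config enables TLS without a pemfile, which I would expect lighttpd to reject at startup, taking the plain-HTTP listener down with it. A guard before the first here-document, `[ -s "$PUBLIC_BOTH" ] || [ -s "$INTERNAL_BOTH" ] || exit 0`, keeps port 80 up in that case. The cipher list also still offers the `DES-CBC3-SHA` suites and static-RSA key exchange, and nothing in the block turns off TLS 1.0/1.1; trimming the list to the ECDHE/DHE AEAD suites is worth considering if the clients allow it.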
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
new file mode 100755
index 0000000..a54ed3f
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ -n "$1" ]; then
+ DIR="$1"
+else
+ DIR="/etc/lighttpd"
+fi
+
+cd "$DIR" || exit 1
+[ -d "conf.d" ] || exit 0
+
+for file in conf.d/*; do
+ [ -f "$file" ] && echo 'include "'"$DIR/$file"'"'
+done
+exit 0
+
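Review bot: `for file in conf.d/*` includes every regular file in the directory, so editor backups or package leftovers (for example a constructed `foo.conf~` or `foo.conf.dpkg-old`) get parsed as live configuration, unlike the `conf-enabled/*.conf` include in lighttpd.conf. Narrowing the glob to `for file in conf.d/*.conf; do` makes the two mechanisms consistent. Because these files are loaded into the server config at startup, a header comment should also state that conf.d must be writable by root only.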