Diffstat (limited to 'satellit_installer/static_files/lighttpd')
6 files changed, 407 insertions, 0 deletions
diff --git a/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf
new file mode 100644
index 0000000..0ae7c9d
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf
@@ -0,0 +1,54 @@
+server.modules = (
+ "mod_access",
+# "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_rewrite",
+# "mod_proxy",
+)
+
+server.document-root = "/srv/openslx/www"
+server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
+server.errorlog = "/var/log/lighttpd/error.log"
+server.pid-file = "/var/run/lighttpd.pid"
+server.username = "www-data"
+server.groupname = "www-data"
+server.port = 80
+server.reject-expect-100-with-417 = "disable"
+
+
+index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
+url.access-deny = ( "~", ".inc" )
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+compress.cache-dir = "/var/cache/lighttpd/compress/"
+compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
+
+# default listening port for IPv6 falls back to the IPv4 port
+include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
+include_shell "/usr/share/lighttpd/create-mime.conf.pl"
+include "/etc/lighttpd/conf-enabled/*.conf"
+# Check if server.pem exists, if so output configuration block for HTTPS
+include_shell "/usr/share/lighttpd/auto-ssl.sh"
+
+url.rewrite-once = (
+ "^/*boot/+([a-z0-9_/-]+)/+config$" => "/slx-admin/api.php?do=getconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\?(.*)$" => "/slx-admin/api.php?$2&do=getconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\.tgz$" => "/slx-admin/api.php?do=sysconfig&type=$1",
+ "^/*boot/+([a-z0-9_/-]+)/+config\.tgz\?(.*)$" => "/slx-admin/api.php?$2&do=sysconfig&type=$1",
+ "^/*boot/+ipxe$" => "/slx-admin/api.php?do=serversetup",
+ "^/*boot/+ipxe\?(.*)$" => "/slx-admin/api.php?$1&do=serversetup",
+ "^/*vmchooser/+list[^?]*$" => "/slx-admin/api.php?do=dozmod&resource=list",
+ "^/*vmchooser/+list[^?]*\?(.*)$" => "/slx-admin/api.php?$1&do=dozmod&resource=list",
+ "^/*vmchooser/+lecture/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=vmx&lecture=$1",
+ "^/*vmchooser/+lecture/+([^/]+)/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=$2&lecture=$1",
+ "^/*vmchooser/+([^/]+)$" => "/slx-admin/api.php?do=news&type=$1",
+ "^/panel/([^?]{36})$" => "/slx-admin/?do=locationinfo&show=panel&uuid=$1",
+ "^/panel/([^?]*\.(js|css|png|svg))$" => "/slx-admin/$1",
+ "^/panel/api/([^?]*)$" => "/slx-admin/api.php?$1&do=locationinfo"
+)
+
+# Add support for a conf.d directory -- include /etc/lighttpd/conf.d/*
+# Use this is you want to modify the satellite server, as future updates might overwrite lighttpd.conf
+include_shell "/usr/share/lighttpd/include-conf-d.sh"
+
diff --git a/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf
new file mode 100644
index 0000000..ab7d5f4
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren
diff --git a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
new file mode 100755
index 0000000..3f5cc3e
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
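Review bot: The `"^/panel/([^?]{36})$"` rule captures any 36 characters for the uuid, so a path segment containing `&` or `=` is pasted verbatim into the query string of `/slx-admin/?do=locationinfo&show=panel&uuid=$1`, where it can add further parameters after the intended `do=`/`show=` ones (PHP keeps the last value of a repeated key). The `boot/` rules above already pin their capture to `[a-z0-9_/-]+`; the panel rule should be equally strict, e.g. `"^/panel/([a-f0-9-]{36})$" => "/slx-admin/?do=locationinfo&show=panel&uuid=$1",`, with the class widened to `[a-fA-F0-9-]` if panel UUIDs may be upper-case. The two `[^?]*` panel rules are left open deliberately, it seems, since `$1` is meant to carry a whole query string there.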
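Review bot: `ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren` makes lighttpd fail to start whenever that helper exits non-zero, and the helper added in this commit does `exit 1` when no `??-fastcgi-php.conf` exists under conf-enabled, so a host without the PHP fastcgi config loses its web server instead of merely keeping the default child count. Since tuning the child count is an optimisation rather than a precondition, mark the step as ignorable: `ExecStartPre=-/usr/local/sbin/patch_lighttpd_phpchildren`; systemd still logs the warning the helper prints.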
@@ -0,0 +1,232 @@
+#!/bin/bash
+
+# OpenSLX SSL Certificate management
+
+if ! mkdir "/run/openslx-cert-manager"; then
+ echo "Already in progress."
+ exit 1
+fi
+trap 'rm -rf -- /run/openslx-cert-manager' EXIT
+
+declare -rg BASE="/etc/ssl/openslx"
+declare -rg PRIV="$BASE/private"
+declare -rg CERT="$BASE/cert"
+declare -rg LIGHT="$BASE/lighttpd"
+
+mkdir -p "$BASE" "$PRIV" "$CERT"
+
+chown -R root:root "$BASE" || exit 1
+chmod u+rwx,go+rx-w "$BASE" "$CERT" || exit 1
+chmod u+rwx,go-rwx "$PRIV" || exit 1
+# Before doing anything, make sure we have a CA with enough validity left
+# File name format for ca is:
+# ${PRIV}/ca-FFFFFFFFFF-TTTTTTTTTT.key
+# ${CERT}/ca-TTTTTTTTTT.crt
+# Where TT is the unix timestamp of "validTo" of that cert
+# And FF is the unix timestamp of when we should starting using a CA to
+# sign our certificates. This is for a grace period between CA certs.
+# We deliver a new CA certificate immediately when it was generated, but
+# only start signing server certificates with it after a grace period of
+# 180 days. Any client that rebooted within those 180 days will not run
+# into any certificate issues, but if you wanted to cover that case too
+# you could make it so the client re-downloads trusted CA-certs every
+# couple days.
+
+declare -rg NOW="$( date +%s )"
+# PROD
+declare -rg ca_days="$(( 10 * 365 ))" # 10y
+declare -rg ca_min_remain_s="$(( 400 * 86400 ))" # bit more than 1y
+declare -rg ca_new_expire_ts="$(( ca_days * 86400 + NOW ))"
+declare -rg srv_days=365 # 1y
+declare -rg srv_min_remain_s="$(( 180 * 86400 ))" # half a year
+declare -rg srv_new_ts="$(( srv_days * 86400 + NOW ))"
+# TEST
+#declare -rg ca_days=1825 # 5y
+#declare -rg ca_min_remain_s="$(( 1260 ))" # bit more than 1y
+#declare -rg ca_new_expire_ts="$(( 1320 + NOW ))"
+#declare -rg srv_days=365 # 1y
+#declare -rg srv_min_remain_s="$(( 1200 ))" # half a year
+#declare -rg srv_new_ts="$(( 1230 + NOW ))"
+
+
+get_ts () {
+ ts="${1%.*}"
+ ts="${ts##*/ca-}"
+ ts="${ts##*/srv-}"
+ from="${ts%-*}"
+ if [ "$from" = "$ts" ]; then
+ from=
+ else
+ ts="${ts#*-}"
+ fi
+}
+
+create_conf () {
+ ca_dir="$( mktemp -d /tmp/bwlp-XXXXXXXX )"
+ [ -z "$ca_dir" ] && exit 1
+ mkdir "$ca_dir"/{certs,crl,newcerts,private}
+ touch "$ca_dir"/index.txt
+ ca_config="$ca_dir/openssl.cnf"
+ cp -f "/etc/ssl/openssl.cnf" "$ca_config"
+ cat >> "$ca_config" <<-MYCA
+ [ CA_openslx ]
+ dir = $ca_dir
+ certs = \$dir/certs
+ crl_dir = \$dir/crl
+ database = \$dir/index.txt
+ new_certs_dir = \$dir/newcerts
+ serial = \$dir/serial
+ crl = \$dir/crl.pem
+ x509_extensions = usr_cert
+ name_opt = ca_default
+ cert_opt = ca_default
+ default_md = default
+ preserve = no
+ policy = policy_match
+ MYCA
+}
+
+ca_last=
+for i in "${PRIV}"/ca-??????????.key; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if ! [ -f "${CERT}/ca-${ts}.crt" ] || (( ts < NOW )); then
+ # Missing cert, or expired -> delete
+ rm -f -- "${CERT}/ca-${ts}.crt" "${PRIV}/ca-${ts}.key"
+ continue
+ fi
+ ca_last="$ts"
+done
+
+mknew=
+if [ -z "$ca_last" ] || (( NOW + ca_min_remain_s > ca_last )); then
+ # Make new CA
+ echo "Creating new CA..."
+ openssl req -new -newkey rsa:4096 -x509 -days "$ca_days" -extensions v3_ca \
+ -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=ca-${NOW}.bwlehrpool" \
+ -keyout "${PRIV}/ca-${ca_new_expire_ts}.key" -out "${CERT}/ca-${ca_new_expire_ts}.crt" || exit 2
+ mknew=1
+ #
+ # Create new intermediate, sign with all CAs
+ csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )"
+ # Create request, CA:TRUE
+ echo "Generate intermediate key+CSR..."
+ [ -f "${PRIV}/intermediate.key" ] || openssl genrsa -out "${PRIV}/intermediate.key" 4096
+ openssl req -new -key "${PRIV}/intermediate.key" \
+ -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=intermediate.bwlehrpool" \
+ -out "$csr" || exit 2
+ create_conf
+ # Sign request, CA:TRUE
+ echo "Sign new intermediate key with CA..."
+ openssl ca -config "$ca_config" -extensions v3_ca -create_serial \
+ -policy policy_anything -days "$ca_days" \
+ -cert "${CERT}/ca-${ca_new_expire_ts}.crt" -keyfile "${PRIV}/ca-${ca_new_expire_ts}.key" \
+ -notext -name CA_openslx -batch -out "${CERT}/intermediate-${ca_new_expire_ts}.crt" -in "$csr" || exit 2
+ rm -rf -- "$ca_dir" "$csr"
+fi
+
+if [ -n "$mknew" ]; then
+ # Rebuild config module for clients
+ echo "Updating client config module..."
+ (
+ tmpdir="$( mktemp -d '/tmp/bwlp-XXXXXXX' )"
+ cp -a "${CERT}/"ca-*.crt "$tmpdir/"
+ cd "$tmpdir/" || exit 6
+ openssl rehash .
+ tar -c -k -f "/opt/openslx/configs/modules/self-signed-ca.tar" \
+ --transform 's#^[./][./]*#/opt/openslx/ssl/#' .
+ cd /tmp
+ rm -rf -- "$tmpdir"
+ sudo -u www-data -n php /srv/openslx/www/slx-admin/api.php sysconfig --action rebuild
+ echo "."
+ )
+fi
+
+# Now check the server certificate
+
+declare -a srv_list
+srv_list=()
+for i in "${PRIV}"/srv-??????????.key; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if (( ts < NOW )) || ! [ -f "${CERT}/srv-${ts}.crt" ]; then
+ rm -f -- "$i" "${CERT}/srv-${ts}.crt"
+ continue
+ fi
+ srv_list+=( "$ts" )
+done
+
+if [ -n "$mknew" ] || [ "${#srv_list[@]}" = 0 ] \
+ || [ "$(( NOW + srv_min_remain_s ))" -gt "${srv_list[-1]}" ]; then
+ # Request ServerCert
+ csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )"
+ echo "Generating new Server Certificate. Key+CSR..."
+ rm -f -- "${CERT}"/srv-*.crt "${PRIV}/srv.key.tmp" "${PRIV}"/srv-*.key
+ openssl req -new -nodes -keyout "${PRIV}/srv.key.tmp" -out "$csr" \
+ -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=satellite.bwlehrpool" || exit 4
+ echo "Signing Server Certificate with intermediate..."
+ declare -a in_list
+ in_list=()
+ for i in "${CERT}"/intermediate-??????????.crt; do
+ [ -f "$i" ] || continue
+ get_ts "$i"
+ if (( ts < NOW )); then
+ echo "Expired intermediate $i"
+ rm -f -- "$i"
+ continue
+ fi
+ echo "Have intermediate $i"
+ in_list+=( "$i" )
+ done
+ if [ "${#in_list[@]}" = 0 ]; then
+ echo "ERROR: Have no intermediate certificate"
+ exit 11
+ fi
+ for in_cert in "${in_list[@]}"; do
+ get_ts "$in_cert"
+ (( ts < 30 * 86400 + NOW )) && continue # Expiring in a month, ignore
+ break # Need only one really
+ done
+ echo "Signing with $in_cert"
+ create_conf
+ # Need extfile for SAN, chromium doesn't honor CN anymore
+ cat > "${csr}.cnf" <<-END
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+ subjectAltName = @alt_names
+ [alt_names]
+ DNS.1 = satellite.bwlehrpool
+ END
+ openssl ca -config "$ca_config" -create_serial -policy policy_anything -days "$srv_days" \
+ -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" -extfile "${csr}.cnf" \
+ -notext -name CA_openslx -batch -out "${CERT}/srv-${srv_new_ts}.crt" -in "$csr" || exit 4
+ rm -rf -- "$ca_dir"
+ rm -f -- "$csr" "${csr}.cnf"
+ mv "${PRIV}/srv.key.tmp" "${PRIV}/srv-${srv_new_ts}.key" || exit 5
+ srv_list+=( "$srv_new_ts" )
+
+ # Combine and prepare for lighttpd
+
+ mkdir -p "$LIGHT" || exit 10
+
+ # Combine cert and key, as required by lighttpd
+ echo "Writing out lighttpd PEMs..."
+ cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" || exit 10
+ chmod 0600 "${LIGHT}/server.pem"
+
+ # Create ca-chain
+ cat "${in_list[@]}" > "${LIGHT}/ca-chain.pem"
+
+ if [ "$1" = "--restart" ] || [ -t 0 ]; then
+ echo "Restarting lighttpd..."
+ systemctl restart lighttpd.service
+ fi
+fi
+
+echo "Done."
+exit 0
diff --git a/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
new file mode 100755
index 0000000..a8e44e5
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Could be written in one line, but for better editing when values change...
+MEM=$(grep ^MemTotal /proc/meminfo | awk '{print $2}') # RAM in KB
+MEM=$(( MEM / 1024 / 4 )) # to MB, and assess a fourth of RAM for PHP
+CHILDREN=$(( MEM / 16 )) # assume 16 MB per child
+# min 16, no more than 128 (inverse logic to handle NaN)
+[ "$CHILDREN" -ge 16 ] || CHILDREN=16
+[ "$CHILDREN" -le 128 ] || CHILDREN=128
+
+## Use ?? in case the ordering changes one day
+file=$(echo /etc/lighttpd/conf-enabled/??-fastcgi-php.conf)
+if [ -f "$file" ]; then
+ sed -i 's/"PHP_FCGI_CHILDREN.*$/"PHP_FCGI_CHILDREN" => "'$CHILDREN'",/' "$file"
+ if ! grep -qF '"PHP_FCGI_CHILDREN" => "'$CHILDREN'"' "$file"; then
+ echo "WARNING: Cannot adjust php cgildren count for fastcgi -- line not found in $file" >&2
+ fi
+else
+ echo "WARNING: Cannot adjust php children count for fastcgi -- file not found" >&2
+ exit 1
+fi
+exit 0
+
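Review bot: `cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem"` creates the combined cert+key file under the process umask and only afterwards runs `chmod 0600`, and `$LIGHT` is made with a plain `mkdir -p` under `$BASE` (go+rx), so with the usual 022 umask the private key is briefly world-readable; the `ca-*.key`, `intermediate.key` and `srv.key.tmp` files are likewise umask-dependent but at least sit under `$PRIV`, which the script chmods to go-rwx. Scoping a restrictive umask to that write closes the window without affecting the certs and tarball that www-data must read later: `( umask 077; cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" ) || exit 10`. Two smaller points: the `for in_cert in "${in_list[@]}"` loop falls out with the last candidate still in `in_cert` when every intermediate expires within 30 days, so the "ignore" comment does not hold in that case, and `${srv_list[-1]}` needs bash 4.3 or newer, which deserves a comment next to the shebang.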
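Review bot: `file=$(echo /etc/lighttpd/conf-enabled/??-fastcgi-php.conf)` expands to a space-separated list if more than one file ever matches the glob, and `[ -f "$file" ]` is then false, so the script reports "file not found" and exits 1 even though a matching file exists; the "line not found" warning also carries a typo, `cgildren`. Looping over the glob directly avoids the `echo` round-trip and handles zero or several matches uniformly, e.g. `for file in /etc/lighttpd/conf-enabled/??-fastcgi-php.conf; do [ -f "$file" ] || continue; ...; done` with a `found` flag checked after the loop for the exit-1 branch. The unquoted `$CHILDREN` inside the `sed`/`grep` patterns is safe only because the two `[ ... ]` clamps above guarantee it is a small integer; a one-line comment stating that would save the next reader the check.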
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
new file mode 100755
index 0000000..0f88864
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem"
+declare -rg CHAIN="/etc/lighttpd/chain.pem"
+declare -rg DHPARAM="/etc/lighttpd/dhparam.pem"
+declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
+declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
+declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"
+
+if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
+ openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
+fi
+
+/opt/openslx/slx-cert >&2 &
+
+wait
+
+[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
+readonly INTERNAL_CHAIN
+
+cat <<HEREDOC
+\$SERVER["socket"] == ":443" {
+ protocol = "https://"
+ ssl.engine = "enable"
+ ssl.disable-client-renegotiation = "enable"
+
+ # ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves")
+ ssl.ec-curve = "secp384r1"
+ # Compression is by default off at compile-time, but use if needed
+ # ssl.use-compression = "disable"
+
+ # Environment flag for HTTPS enabled
+ setenv.add-environment = (
+ "HTTPS" => "on"
+ )
+
+ # intermediate configuration, tweak to your needs
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+ ssl.honor-cipher-order = "enable"
+ ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+
+ # pemfile is cert+privkey, ca-file is the intermediate chain in one file
+HEREDOC
+if [ -s "$PUBLIC_BOTH" ]; then
+ echo " ssl.pemfile = \"${PUBLIC_BOTH}\""
+ [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\""
+elif [ -s "$INTERNAL_BOTH" ]; then
+ echo " ssl.pemfile = \"${INTERNAL_BOTH}\""
+ echo " ssl.ca-file = \"${INTERNAL_CHAIN}\""
+fi
+
+[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\""
+
+# VHost for server.bwlehrpool
+if [ -s "${INTERNAL_BOTH}" ]; then
+ cat <<HEREDOC
+ \$HTTP["host"] == "satellite.bwlehrpool" {
+ ssl.pemfile = "${INTERNAL_BOTH}"
+ ssl.ca-file = "${INTERNAL_CHAIN}"
+ }
+HEREDOC
+ #
+fi
+
+echo "}" # End main block
+
+[ -f "$REDIR_FLAG" ] && cat <<"HEREDOC"
+$HTTP["scheme"] == "http" {
+ # capture vhost name with regex condition -> %0 in redirect pattern
+ # must be the most inner block to the redirect rule
+ $HTTP["host"] =~ ".*" {
+ url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
+ url.redirect-code = 302
+ }
+}
+HEREDOC
+
+exit 0
+
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
new file mode 100755
index 0000000..a54ed3f
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ -n "$1" ]; then
+ DIR="$1"
+else
+ DIR="/etc/lighttpd"
+fi
+
+cd "$DIR" || exit 1
+[ -d "conf.d" ] || exit 0
+
+for file in conf.d/*; do
+ [ -f "$file" ] && echo 'include "'"$DIR/$file"'"'
+done
+exit 0
+
|
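Review bot: `openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &` writes straight into the final path, so if the generation is cut short (lighttpd restarted, host rebooted) a truncated `dhparam.pem` remains, after which `[ -s "$DHPARAM" ]` both suppresses regeneration and emits an `ssl.dh-file` line pointing at an unusable file on every later start. Generate into a temporary name and rename only on success: `openssl dhparam -out "${DHPARAM}.tmp" 2048 &>/dev/null && mv -f "${DHPARAM}.tmp" "$DHPARAM" &`. Note also that the unconditional `wait` stalls this include_shell, and therefore lighttpd's config parse, until the 2048-bit parameter generation finishes on a fresh host, and the `ps aux | grep ... | grep -v grep` test would be simpler as `pgrep -f 'openssl dhparam'`. The emitted cipher list still offers the `DES-CBC3-SHA` (3DES) suites and the non-forward-secret `AES…-SHA` entries; unless a known client depends on them they should be dropped from the string.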
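Review bot: `for file in conf.d/*` with only `[ -f "$file" ]` as a filter turns every regular file in the directory into an `include`, so editor backups such as `foo.conf~` or stray `.swp` files become part of the live lighttpd configuration. The main lighttpd.conf in this commit uses `include "/etc/lighttpd/conf-enabled/*.conf"`; matching that with `for file in conf.d/*.conf; do` keeps the two consistent, or, if any-file inclusion is intended, the comment in lighttpd.conf should say so explicitly. The generated line also wraps `$DIR/$file` in double quotes without escaping, so a name containing `"` produces a broken directive; a `case "$file" in *'"'*) continue ;; esac` guard before the `echo` avoids it. When `$1` is a relative path, `$DIR/$file` is relative too and lighttpd resolves it against its own notion of the current directory, which is worth a comment.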