mirror of
https://github.com/unraid/webgui.git
synced 2026-05-11 06:40:58 -05:00
wildcard cert support
This commit is contained in:
Tom Mortensen
@@ -47,23 +47,31 @@ $addr = ipaddr($ethX);
|
||||
$rebindip = "192.168.42.42";
|
||||
$keyfile = @file_get_contents($var['regFILE']);
|
||||
if ($keyfile !== false) $keyfile = base64_encode($keyfile);
|
||||
$certFile = "/boot/config/ssl/certs/certificate_bundle.pem";
|
||||
$certPresent = file_exists("$certFile");
|
||||
$certSubject = $certPresent ? exec("openssl x509 -noout -subject -nameopt multiline -in $certFile 2>/dev/null|sed -n 's/ *commonName *= //p'") : "";
|
||||
$isLEcert = $certPresent && preg_match('/.*\.unraid\.net$/', $certSubject);
|
||||
|
||||
$isRegistered = !empty($remote['username']); // signed in to unraid.net or not
|
||||
|
||||
if ($isLEcert) {
|
||||
exec("openssl x509 -checkend 2592000 -noout -in $certFile 2>/dev/null", $arrout, $retval_expired);
|
||||
$prot = $$ethX['PROTOCOL:0']=='ipv6' ? '-6' : '-4';
|
||||
$rebindtest_ip = exec("host $prot rebindtest.unraid.net 2>/dev/null|awk '{print \$4}'");
|
||||
$dnsRebindingProtection = ($rebindtest_ip != $rebindip);
|
||||
if (!$dnsRebindingProtection) {
|
||||
$certtest_ip = exec("host $prot $certSubject 2>/dev/null|awk '{print \$4}'");
|
||||
$dnsValid = is_array($addr) ? in_array($certtest_ip,$addr) : $certtest_ip==$addr;
|
||||
$certFile = "/boot/config/ssl/certs/certificate_bundle.pem";
|
||||
$certPresent = file_exists("$certFile");
|
||||
if ($certPresent) {
|
||||
$certSubject = exec("/usr/bin/openssl x509 -in $certFile -noout -subject -nameopt multiline 2>/dev/null|sed -n 's/ *commonName *= //p'");
|
||||
$certIssuer = exec("/usr/bin/openssl x509 -in $certFile -noout -text | sed -n -e 's/^.*Issuer: //p'");
|
||||
$certExpires = exec("/usr/bin/openssl x509 -in $certFile -noout -text | sed -n -e 's/^.*Not After : //p'");
|
||||
$isLegacyCert = preg_match('/.*\.unraid\.net$/', $certSubject);
|
||||
$isWildcardCert = preg_match('/.*\.myunraid\.net$/', $certSubject);
|
||||
$isLEcert = $isLegacyCert || $isWildcardCert;
|
||||
$subjectURL = $certSubject;
|
||||
if ($isLEcert) {
|
||||
if ($isWildcardCert) $subjectURL = str_replace("*", str_replace(".", "-", $addr), $subjectURL);
|
||||
exec("openssl x509 -checkend 2592000 -noout -in $certFile 2>/dev/null", $arrout, $retval_expired);
|
||||
$protocol = $$ethX['PROTOCOL:0']=='ipv6' ? '-6' : '-4';
|
||||
$rebindtest_ip = exec("host $protocol rebindtest.unraid.net 2>/dev/null|awk '{print \$4}'");
|
||||
$dnsRebindingProtection = ($rebindtest_ip != $rebindip);
|
||||
if (!$dnsRebindingProtection) {
|
||||
$certtest_ip = exec("host $protocol $subjectURL 2>/dev/null|awk '{print \$4}'");
|
||||
$dnsValid = is_array($addr) ? in_array($certtest_ip, $addr) : $certtest_ip==$addr;
|
||||
}
|
||||
// more: similar test for "www.$certSubject" dns valid goes here
|
||||
}
|
||||
// more: similar test for "www.$certSubject" dns valid goes here
|
||||
$cert_time_format = $display['date'].($display['date']!='%c' ? ', '.str_replace(['%M','%R'],['%M:%S','%R:%S'],$display['time']):'');
|
||||
}
|
||||
|
||||
$provisionlabel = $isLEcert ? _('Renew') : _('Provision');
|
||||
@@ -71,6 +79,7 @@ $disabled_provision = !$isRegistered || $keyfile===false || ($isLEcert && $retva
|
||||
$disabled_updatedns = $isRegistered && $keyfile!==false && $isLEcert ? '' : 'disabled';
|
||||
$disabled_delete = $certPresent && $var['USE_SSL']!='auto' ? '' : 'disabled';
|
||||
$disabled_auto = $isRegistered && $isLEcert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
|
||||
$upgradelabel = _('Upgrade Cert');
|
||||
|
||||
// Get ports in use
|
||||
$portsInUse = [];
|
||||
@@ -90,6 +99,7 @@ var notRegisteredMsg = '<?= _('Sign In to Unraid.net required') ?>';
|
||||
|
||||
function provisionHandler(event, form) { // provisions and renewals require being Signed In to Unraid.net
|
||||
if (event.submitter.value === 'Delete') return true; // always allow deletes regardless of isRegistered value
|
||||
if (event.submitter.value === 'Renew') return true; // always allow renewals regardless of isRegistered value
|
||||
if (!isRegistered) {
|
||||
event.preventDefault();
|
||||
return alert(notRegisteredMsg);
|
||||
@@ -175,7 +185,7 @@ $(function(){
|
||||
</script>
|
||||
<form markdown="1" name="SSLSettings" method="POST" action="/update.htm" target="progressFrame">
|
||||
<input type="hidden" name="changePorts" value="Apply">
|
||||
<input type="hidden" name="server_name" value="<?=$_SERVER['SERVER_NAME']?>">
|
||||
<input type="hidden" name="server_name" value="<?=$_SERVER['HTTP_HOST']?>">
|
||||
<input type="hidden" name="server_addr" value="<?=$_SERVER['SERVER_ADDR']?>">
|
||||
_(User 'root')_:
|
||||
: [_(Manage)_](/Settings/Users/ManagementAccess/UserEdit?name=root)
|
||||
@@ -263,31 +273,20 @@ _(Local TLD)_:
|
||||
</form>
|
||||
<div style="height:24px"></div>
|
||||
<form markdown="1" name="Provision" method="POST" target="progressFrame" action="/update.htm" onsubmit="provisionHandler(event, this)">
|
||||
<input type="hidden" name="server_name" value="<?=$_SERVER['SERVER_NAME']?>">
|
||||
<input type="hidden" name="server_name" value="<?=$_SERVER['HTTP_HOST']?>">
|
||||
<input type="hidden" name="server_addr" value="<?=$_SERVER['SERVER_ADDR']?>">
|
||||
<?if ($certPresent):?>
|
||||
_(CA-signed certificate file)_:
|
||||
: <?=$certFile?>
|
||||
|
||||
_(Certificate subject)_:
|
||||
: [<?=$certSubject?>](https://<?=$certSubject?>:<?=$var['PORTSSL']?>)
|
||||
: [<?=$certSubject?>](https://<?=$subjectURL?>:<?=$var['PORTSSL']?>)
|
||||
|
||||
_(Certificate issuer)_:
|
||||
: <?=shell_exec("/usr/bin/openssl x509 -text -noout -in $certFile | sed -n -e 's/^.*Issuer: //p'")?>
|
||||
: <?=$certIssuer?>
|
||||
|
||||
<?
|
||||
$time = strtotime(exec("/usr/bin/openssl x509 -text -noout -in $certFile | sed -n -e 's/^.*Not After : //p'"));
|
||||
$format = $display['date'].($display['date']!='%c' ? ', '.str_replace(['%M','%R'],['%M:%S','%R:%S'],$display['time']):'');
|
||||
?>
|
||||
_(Certificate expiration)_:
|
||||
: <?=_(strftime($format, $time),0)?>
|
||||
|
||||
<?if (!$isRegistered):?>
|
||||
|
||||
:
|
||||
<!-- <span class="red" style="padding-left: 0;"><i class="fa fa-warning"></i> _(Certificate will not renew unless you are signed in to Unraid.net)_</span> -->
|
||||
<span><i class="fa fa-warning icon warning"></i> <em>_(Certificate will not renew unless you are signed in to Unraid.net)_</em></span>
|
||||
<?endif;?>
|
||||
: <?=_(strftime($cert_time_format, strtotime($certExpires)),0)?>
|
||||
|
||||
<?if ($dnsRebindingProtection):?>
|
||||
|
||||
@@ -311,6 +310,11 @@ _(CA-signed certificate file)_:
|
||||
|
||||
: <button type="submit" name="changePorts" value="Provision" <?=$disabled_provision?>><?=$provisionlabel?></button><button type="submit" name="changePorts" value="Delete" <?=$disabled_delete?> >_(Delete)_</button><button type="button" onclick="updateDNS(this)" <?=$disabled_updatedns?>>_(Update DNS)_</button>
|
||||
|
||||
<?if ($certPresent && $isLegacyCert):?>
|
||||
|
||||
: <button type="submit" name="changePorts" value="Upgrade"><?=$upgradelabel?></button>
|
||||
<?endif;?>
|
||||
|
||||
:mgmt_certificate_expiration_help:
|
||||
|
||||
</form>
|
||||
|
||||
@@ -17,8 +17,11 @@ $text = $_POST['text'] ?? '';
|
||||
file_put_contents("{$certFile}.new", $text);
|
||||
|
||||
//validate certificate_bundle.pem.new is for *.unraid.net before moving it over to certificate_bundle.pem
|
||||
if (preg_match('/[0-9a-f]{40}\.unraid\.net$/', exec("/usr/bin/openssl x509 -in {$certFile}.new -subject -noout 2>&1"))) {
|
||||
$certSubject = exec("/usr/bin/openssl x509 -in {$certFile}.new -subject -noout 2>&1");
|
||||
$isLEcert = preg_match('/.*\.myunraid\.net$/', $certSubject) || preg_match('/.*\.unraid\.net$/', $certSubject);
|
||||
if ($isLEcert) {
|
||||
rename("{$certFile}.new", "$certFile");
|
||||
syslog(LOG_NOTICE, 'Updated *.hash.myunraid.net certificate: '.$certFile);
|
||||
} else {
|
||||
unlink("{$certFile}.new");
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
?>
|
||||
<?
|
||||
$docroot = $docroot ?? $_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp';
|
||||
$certFile = "/boot/config/ssl/certs/certificate_bundle.pem";
|
||||
$certPath = "/boot/config/ssl/certs/certificate_bundle.pem";
|
||||
// add translations
|
||||
$_SERVER['REQUEST_URI'] = 'settings';
|
||||
require_once "$docroot/webGui/include/Translations.php";
|
||||
@@ -46,18 +46,23 @@ if (!$isRegistered) {
|
||||
response_complete(406, '{"error":"'._('Must be signed in to Unraid.net to provision cert').'"}');
|
||||
}
|
||||
|
||||
if (file_exists($certFile)) {
|
||||
$subject = exec("/usr/bin/openssl x509 -subject -noout -in $certFile");
|
||||
if (!preg_match('/.*\.unraid\.net$/', $subject)) {
|
||||
// cert common name isn't <hash>.unraid.net
|
||||
response_complete(406, '{"error":"'._('Cannot provision cert that would overwrite your existing custom cert at').' $certFile"}');
|
||||
}
|
||||
exec("/usr/bin/openssl x509 -checkend 2592000 -noout -in $certFile",$arrout,$retval_expired);
|
||||
if ($retval_expired === 0) {
|
||||
// not within 30 days of cert expire date
|
||||
response_complete(406, '{"error":"'._('Cannot renew cert until within 30 days of expiry').'"}');
|
||||
$certPresent = file_exists($certPath);
|
||||
if ($certPresent) {
|
||||
$subject = exec("/usr/bin/openssl x509 -subject -noout -in ".escapeshellarg($certPath));
|
||||
$isLegacyCert = preg_match('/.*\.unraid\.net$/', $certSubject);
|
||||
$isWildcardCert = preg_match('/.*\.myunraid\.net$/', $certSubject);
|
||||
if ($isLegacyCert || $isWildcardCert) {
|
||||
exec("/usr/bin/openssl x509 -checkend 2592000 -noout -in ".escapeshellarg($certPath), $arrout, $retval_expired);
|
||||
if ($retval_expired === 0) {
|
||||
// not within 30 days of cert expire date
|
||||
response_complete(406, '{"error":"'._('Cannot renew cert until within 30 days of expiry').'"}');
|
||||
}
|
||||
} else {
|
||||
// assume custom cert
|
||||
response_complete(406, '{"error":"'._('Cannot provision cert that would overwrite your existing custom cert at').' $certPath"}');
|
||||
}
|
||||
}
|
||||
$endpoint = ($certPresent && $isLegacyCert) ? "provisioncert" : "provisionwildcard";
|
||||
|
||||
$keyfile = @file_get_contents($var['regFILE']);
|
||||
if ($keyfile === false) {
|
||||
@@ -68,7 +73,7 @@ $ethX = 'eth0';
|
||||
$internalip = ipaddr($ethX);
|
||||
$internalport = $var['PORTSSL'];
|
||||
|
||||
$ch = curl_init('https://keys.lime-technology.com/account/ssl/provisioncert');
|
||||
$ch = curl_init("https://keys.lime-technology.com/account/ssl/$endpoint");
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($ch, CURLOPT_POST, 1);
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS, [
|
||||
@@ -90,9 +95,9 @@ if ($cli) {
|
||||
}
|
||||
response_complete(406, '{"error":"'.$strError.'"}');
|
||||
}
|
||||
$_POST['text'] = $json['bundle']; // nice way to leverage CertUpload.php to save the cert and reload nginx
|
||||
$_POST['text'] = $json['bundle']; // nice way to leverage CertUpload.php to save the cert
|
||||
include(__DIR__.'/CertUpload.php');
|
||||
}
|
||||
|
||||
response_complete($httpcode, $result, _('LE Cert Provisioned successfully'));
|
||||
?>
|
||||
?>
|
||||
|
||||
@@ -17,9 +17,26 @@ $_SERVER['REQUEST_URI'] = 'settings';
|
||||
require_once "$docroot/webGui/include/Translations.php";
|
||||
require_once "$docroot/webGui/include/Helpers.php";
|
||||
|
||||
// add 'ipaddr' function for 6.9 backwards compatibility
|
||||
if (!function_exists('ipaddr')) {
|
||||
function ipaddr($ethX='eth0') {
|
||||
global $$ethX;
|
||||
switch ($$ethX['PROTOCOL:0']) {
|
||||
case 'ipv4':
|
||||
return $$ethX['IPADDR:0'];
|
||||
case 'ipv6':
|
||||
return $$ethX['IPADDR6:0'];
|
||||
case 'ipv4+ipv6':
|
||||
return [$$ethX['IPADDR:0'],$$ethX['IPADDR6:0']];
|
||||
default:
|
||||
return $$ethX['IPADDR:0'];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function host_lookup_ip($host) {
|
||||
$result = dns_get_record($host, DNS_A);
|
||||
$ip = $result[0]['ip'];
|
||||
$result = @dns_get_record($host, DNS_A);
|
||||
$ip = ($result) ? $result[0]['ip'] : '';
|
||||
return($ip);
|
||||
}
|
||||
function format_port($port) {
|
||||
@@ -27,7 +44,11 @@ function format_port($port) {
|
||||
}
|
||||
function anonymize_host($host) {
|
||||
global $anon;
|
||||
return ($anon) ? preg_replace('/.*\.unraid\.net/', 'hash.unraid.net', $host) : $host;
|
||||
if ($anon) {
|
||||
$host = preg_replace('/.*\.myunraid\.net/', '*.hash.myunraid.net', $host);
|
||||
$host = preg_replace('/.*\.unraid\.net/', 'hash.unraid.net', $host);
|
||||
}
|
||||
return $host;
|
||||
}
|
||||
function anonymize_ip($ip) {
|
||||
global $anon;
|
||||
@@ -36,37 +57,61 @@ function anonymize_ip($ip) {
|
||||
}
|
||||
return $ip;
|
||||
}
|
||||
function generate_internal_host($host, $ip) {
|
||||
if (strpos($host,'.myunraid.net') !== false) {
|
||||
$host = str_replace('*', str_replace('.', '-', $ip), $host);
|
||||
}
|
||||
return $host;
|
||||
}
|
||||
function generate_external_host($host, $ip) {
|
||||
if (strpos($host,'.myunraid.net') !== false) {
|
||||
$host = str_replace('*', str_replace('.', '-', $ip), $host);
|
||||
} elseif (strpos($host,'.unraid.net') !== false) {
|
||||
$host = "www.".$host;
|
||||
}
|
||||
return $host;
|
||||
}
|
||||
function verbose_output($httpcode, $result) {
|
||||
global $cli, $verbose, $anon, $post, $var, $certhostname, $isRegistered, $isCertUnraidNet, $rebindDisabled, $remote;
|
||||
global $remoteaccess;
|
||||
global $icon_warn, $icon_ok;
|
||||
if (!$cli || !$verbose) return;
|
||||
|
||||
if ($anon) echo "(Output is anonymized, use '-vv' to see full details)".PHP_EOL;
|
||||
echo "Unraid OS {$var['version']}".PHP_EOL;
|
||||
echo "Unraid OS {$var['version']}".((strpos($post['plgversion'], "base-") === false) ? " with My Servers plugin version {$post['plgversion']}" : '').PHP_EOL;
|
||||
echo ($isRegistered) ? "{$icon_ok}Signed in to Unraid.net as {$remote['username']}".PHP_EOL : "{$icon_warn}Not signed in to Unraid.net".PHP_EOL ;
|
||||
echo "Use SSL is {$var['USE_SSL']}".PHP_EOL;
|
||||
echo ($rebindDisabled) ? "{$icon_ok}Rebind protection is disabled".PHP_EOL : "{$icon_warn}Rebind protection is enabled".PHP_EOL;
|
||||
if ($post) {
|
||||
$wanip = trim(@file_get_contents("https://wanip4.unraid.net/"));
|
||||
// check the data
|
||||
if ($certhostname) {
|
||||
$certhostip = host_lookup_ip($certhostname);
|
||||
$certhostip = host_lookup_ip(generate_internal_host($certhostname, $post['internalip']));
|
||||
$certhosterr = ($certhostip != $post['internalip']);
|
||||
}
|
||||
if ($post['internalhostname'] != $certhostname) {
|
||||
$internalhostip = host_lookup_ip($post['internalhostname']);
|
||||
$internalhostip = host_lookup_ip(generate_internal_host($post['internalhostname'], $post['internalip']));
|
||||
$internalhosterr = ($internalhostip != $post['internalip']);
|
||||
}
|
||||
// anonymize data
|
||||
if ($post['externalhostname']) {
|
||||
$externalhostip = host_lookup_ip(generate_external_host($post['externalhostname'], $wanip));
|
||||
$externalhosterr = ($externalhostip != $wanip);
|
||||
}
|
||||
// anonymize data. no caclulations can be done with this data beyond this point.
|
||||
if ($anon) {
|
||||
if ($certhostip) $certhostip = anonymize_ip($certhostip);
|
||||
if ($certhostname) $certhostname = anonymize_host($certhostname);
|
||||
if ($internalhostip) $internalhostip = anonymize_ip($internalhostip);
|
||||
if ($externalhostip) $externalhostip = anonymize_ip($externalhostip);
|
||||
if ($wanip) $wanip = anonymize_ip($wanip);
|
||||
if ($post['internalip']) $post['internalip'] = anonymize_ip($post['internalip']);
|
||||
if ($post['internalhostname']) $post['internalhostname'] = anonymize_host($post['internalhostname']);
|
||||
if ($post['externalhostname']) $post['externalhostname'] = anonymize_host($post['externalhostname']);
|
||||
if ($post['externalport']) $post['externalport'] = "[redacted]";
|
||||
}
|
||||
// output notes
|
||||
if ($post['internalprotocol'] && $post['internalhostname'] && $post['internalport']) {
|
||||
$localurl = $post['internalprotocol']."://".$post['internalhostname'].format_port($post['internalport']);
|
||||
$localurl = $post['internalprotocol']."://".generate_internal_host($post['internalhostname'], $post['internalip']).format_port($post['internalport']);
|
||||
echo 'Local Access url: '.$localurl.PHP_EOL;
|
||||
if ($internalhostip) {
|
||||
// $internalhostip will not be defined for .local domains, ok to skip
|
||||
@@ -77,11 +122,19 @@ function verbose_output($httpcode, $result) {
|
||||
}
|
||||
if ($certhostname) {
|
||||
echo ($certhosterr) ? $icon_warn : $icon_ok;
|
||||
echo "{$certhostname} ";
|
||||
echo generate_internal_host($certhostname, $post['internalip']).' ';
|
||||
echo ($certhostip) ? "resolves to {$certhostip}" : "does not resolve to an IP address";
|
||||
echo ($certhosterr) ? ", it should resolve to {$post['internalip']}" : "";
|
||||
echo PHP_EOL;
|
||||
}
|
||||
if ($remoteaccess == 'yes' && $isCertUnraidNet && $post['externalprotocol'] && $post['externalhostname'] && $post['externalport']) {
|
||||
$remoteurl = $post['externalprotocol']."://".generate_external_host($post['externalhostname'], $wanip).format_port($post['externalport']);
|
||||
echo 'Remote Access url: '.$remoteurl.PHP_EOL;
|
||||
echo ($externalhosterr) ? $icon_warn : $icon_ok;
|
||||
echo generate_external_host($post['externalhostname'], $wanip).' ';
|
||||
echo ($externalhosterr) ? "does not resolve to an IP address" : "resolves to {$externalhostip}";
|
||||
echo PHP_EOL;
|
||||
}
|
||||
}
|
||||
// output post data
|
||||
if ($post['keyfile']) $post['keyfile'] = substr($post['keyfile'], 0, 5)."...";
|
||||
@@ -128,20 +181,70 @@ $icon_ok = "✅ ";
|
||||
if (file_exists('/boot/config/plugins/dynamix.my.servers/myservers.cfg')) {
|
||||
@extract(parse_ini_file('/boot/config/plugins/dynamix.my.servers/myservers.cfg',true));
|
||||
}
|
||||
$remoteaccess = 'no';
|
||||
if (empty($remote)) {
|
||||
$remote = [
|
||||
"apikey" => "",
|
||||
"wanaccess" => "no",
|
||||
"wanport" => "443"
|
||||
];
|
||||
}
|
||||
if (empty($remote['wanport'])) {
|
||||
$remote['wanport'] = 443;
|
||||
}
|
||||
// remoteaccess, externalport
|
||||
if ($cli) {
|
||||
$remoteaccess = $remote['wanaccess'];
|
||||
$externalport = $remote['wanport'];
|
||||
} else {
|
||||
$remoteaccess = $_POST['remoteaccess'];
|
||||
$externalport = intval($_POST['externalport']);
|
||||
|
||||
if ($remoteaccess != 'yes') {
|
||||
$remoteaccess = 'no';
|
||||
}
|
||||
|
||||
if ($externalport < 1 || $externalport > 65535) {
|
||||
$externalport = 443;
|
||||
}
|
||||
|
||||
if ($remote['wanaccess'] != $remoteaccess) {
|
||||
// update the wanaccess ini value
|
||||
$orig = @parse_ini_file('/boot/config/plugins/dynamix.my.servers/myservers.cfg',true);
|
||||
if ($orig === false) {
|
||||
$orig = ['remote' => $remote];
|
||||
}
|
||||
$orig['remote']['wanaccess'] = $remoteaccess;
|
||||
$text = '';
|
||||
foreach ($orig as $section => $block) {
|
||||
$pairs = "";
|
||||
foreach ($block as $key => $value) if (strlen($value)) $pairs .= "$key=\"$value\"\n";
|
||||
if ($pairs) $text .= "[$section]\n".$pairs;
|
||||
}
|
||||
if ($text) file_put_contents('/boot/config/plugins/dynamix.my.servers/myservers.cfg', $text);
|
||||
// reload nginx
|
||||
exec("/etc/rc.d/rc.nginx reload &>/dev/null");
|
||||
}
|
||||
}
|
||||
$isRegistered = !empty($remote) && !empty($remote['username']);
|
||||
|
||||
$certpath = '/boot/config/ssl/certs/certificate_bundle.pem';
|
||||
$hasCert = file_exists($certpath);
|
||||
$certhostname = $hasCert ? trim(exec("/usr/bin/openssl x509 -subject -noout -in $certpath | awk -F' = ' '{print $2}'")) : '';
|
||||
// handle wildcard certs
|
||||
$certhostname = str_replace('*', $var['NAME'], $certhostname);
|
||||
$isCertUnraidNet = preg_match('/.*\.unraid\.net$/', $certhostname);
|
||||
$certhostname = '';
|
||||
$certPath = '/boot/config/ssl/certs/certificate_bundle.pem';
|
||||
$hasCert = file_exists($certPath);
|
||||
if ($hasCert) {
|
||||
$certhostname = trim(exec("/usr/bin/openssl x509 -subject -noout -in ".escapeshellarg($certPath)." | awk -F' = ' '{print $2}'"));
|
||||
$isCertUnraidNet = preg_match('/.*\.(my)?unraid\.net$/', $certhostname);
|
||||
if (!$isCertUnraidNet) {
|
||||
// handle custom wildcard certs
|
||||
$certhostname = str_replace('*', $var['NAME'], $certhostname);
|
||||
}
|
||||
}
|
||||
|
||||
// protocols, hostnames, ports
|
||||
$internalprotocol = 'http';
|
||||
$internalport = $var['PORT'];
|
||||
$internalhostname = $var['NAME'] . (empty($var['LOCAL_TLD']) ? '' : '.'.$var['LOCAL_TLD']);
|
||||
$externalprotocol = 'https';
|
||||
$externalhostname = $certhostname;
|
||||
|
||||
if ($var['USE_SSL']!='no' && $hasCert) {
|
||||
$internalprotocol = 'https';
|
||||
@@ -149,8 +252,9 @@ if ($var['USE_SSL']!='no' && $hasCert) {
|
||||
$internalhostname = $certhostname;
|
||||
}
|
||||
|
||||
// only proceed when signed in
|
||||
if (!$isRegistered) {
|
||||
// only proceed when when signed in (or when (my)?unraid.net SSL certificate is active in 6.10.0-rc1 and earlier)
|
||||
$requireAuth = !version_compare($var['version'], '6.10.0-rc1', '<=');
|
||||
if (($requireAuth && !$isRegistered) || (!$requireAuth && !$isRegistered && !$isCertUnraidNet)) {
|
||||
response_complete(406, '{"error":"'._('Nothing to do').'"}');
|
||||
}
|
||||
|
||||
@@ -167,7 +271,7 @@ $ethX = 'eth0';
|
||||
$internalip = ipaddr($ethX);
|
||||
|
||||
// My Servers version
|
||||
$plgversion = 'base-'.$var['version'];
|
||||
$plgversion = trim(@exec('/usr/local/sbin/plugin version /var/log/plugins/dynamix.unraid.net*.plg 2>/dev/null'));
|
||||
|
||||
// DNS Rebind Protection
|
||||
$rebindDisabled = (host_lookup_ip("rebindtest.unraid.net") == "192.168.42.42");
|
||||
@@ -181,14 +285,24 @@ if ($isCertUnraidNet) {
|
||||
// if there is an unraid.net cert, enable local ddns regardless of use_ssl value
|
||||
$post['internalip'] = is_array($internalip) ? $internalip[0] : $internalip;
|
||||
// if DNS Rebind Protection is disabled and host.unraid.net does not resolve to the internalip, disable caching
|
||||
if ($rebindDisabled && (host_lookup_ip($certhostname) != $post['internalip'])) $dnserr = true;
|
||||
if ($rebindDisabled && host_lookup_ip(generate_internal_host($certhostname, $post['internalip'])) != $post['internalip']) $dnserr = true;
|
||||
}
|
||||
if ($isRegistered) {
|
||||
$post['internalhostname'] = $internalhostname;
|
||||
$post['internalport'] = $internalport;
|
||||
$post['internalprotocol'] = $internalprotocol;
|
||||
$post['remoteaccess'] = $remoteaccess;
|
||||
$post['servercomment'] = $var['COMMENT'];
|
||||
$post['servername'] = $var['NAME'];
|
||||
if ($remoteaccess == 'yes') {
|
||||
// include wanip in the cache file so we can track if it changes
|
||||
$post['_wanip'] = trim(@file_get_contents("https://wanip4.unraid.net/"));
|
||||
$post['externalhostname'] = $externalhostname;
|
||||
$post['externalport'] = $externalport;
|
||||
$post['externalprotocol'] = $externalprotocol;
|
||||
// if wanip.hash.myunraid.net or www.hash.unraid.net does not resolve to the wanip, disable caching
|
||||
if (host_lookup_ip(generate_external_host($post['externalhostname'], $post['_wanip'])) != $post['_wanip']) $dnserr = true;
|
||||
}
|
||||
}
|
||||
|
||||
// maxage is 36 hours
|
||||
@@ -202,6 +316,9 @@ if ($datanew == $dataprev && (time()-filemtime($datafile) < $maxage)) {
|
||||
}
|
||||
file_put_contents($datafile,$datanew);
|
||||
|
||||
// do not submit the wanip, it will be captured from the submission if needed for remote access
|
||||
unset($post['_wanip']);
|
||||
|
||||
// report necessary server details to limetech for DNS updates
|
||||
$ch = curl_init('https://keys.lime-technology.com/account/server/register');
|
||||
curl_setopt($ch, CURLOPT_POST, 1);
|
||||
|
||||
Reference in New Issue
Block a user