mirror/webgui
1
0
Fork 0
mirror of https://github.com/unraid/webgui.git synced 2026-03-12 13:59:50 -05:00
Code Issues Packages Projects Releases Wiki Activity

Move DNS rebind detection in to javascript; uses /dnscheck nginx endpoint to test this

Browse Source
This commit is contained in:
Eric Schultz
2017-09-02 13:13:13 -05:00
parent 84838c7cef
commit 6440d16fa5
2 changed files with 11 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/dynamix/SSLSettings.page
View File

@@ -27,13 +27,17 @@ function provisionSSL(internalip, keyfile, form) {
result = false;
};
$.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,keyfile:keyfile},function(data) {
$.post("https://keys.lime-technology.com/account/ssl/provisioncert",{internalip:internalip,keyfile:keyfile},function(data) {
if (data.bundle) {
$.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:'<?=$var['csrf_token']?>'},function(data) {
var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
"for local IP address "+internalip+" has been created on unraid.net.";
swal({title:'',text:msg,type:'success'},function(){form.submit();});
}).fail(failure);
$.get("//"+data.internal_dns+"/dnscheck",function() {
$.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:"<?=$var['csrf_token']?>"},function(data) {
var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
"for local IP address "+internalip+" has been created on unraid.net.";
swal({title:'',text:msg,type:'success'},function(){form.submit();});
}).fail(failure);
}).fail(function(){
failure({"status": 403, "responseJSON": {"error": "Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds"}});
});
} else {
failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
}

15
plugins/dynamix/include/CertUpload.php
View File

@@ -16,20 +16,7 @@ $text = $_POST['text'] ?? '';
file_put_contents('/boot/config/ssl/certs/certificate_bundle.pem.new', $text);
//validate certificate_bundle.pem.new is for *.unraid.net before moving it over to certificate_bundle.pem
if (preg_match('/CN=([0-9a-f]{40}\.unraid\.net)$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'), $matches)) {
// Successful cases:
// If unraid.net and <hash>.unraid.net both fail then the dns servers are inaccessible ==> cross-fingers and hope their browser has proper dns
// If unraid.net and <hash>.unraid.net both resolve ==> dns rebinding protection isn't going to be a issue
//
// Failure case:
// If unraid.net resolves but <hash>.unraid.net fails ==> dns rebinding protection is a issue
if (count(dns_get_record('unraid.net', DNS_A)) !== count(dns_get_record($matches[1], DNS_A))) {
http_response_code(406);
header("Content-Type: application/json");
echo json_encode(['error' => 'Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds']);
exit;
}
if (preg_match('/CN=[0-9a-f]{40}\.unraid\.net$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'))) {
rename('/boot/config/ssl/certs/certificate_bundle.pem.new', '/boot/config/ssl/certs/certificate_bundle.pem');
} else {
unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');