Merge pull request #963 from limetech/feat/unraid-cert-requires-sign-in
Feat/unraid cert requires sign in
@@ -1136,7 +1136,7 @@ Determines how the webGUI responds to HTTP and/or HTTPS protocol on your LAN.
|
||||
Select **No** to disable HTTPS.
|
||||
|
||||
Select **Yes** to enable HTTPS and redirect HTTP to HTTPS. A
|
||||
self-signed SSL certificate will be generated automatically.
|
||||
self-signed SSL certificate will be generated automatically if a Let's Encrypt SSL certificate has not been provisioned.
|
||||
|
||||
Select **Auto** if you have *Provisioned* a Let's Encrypt SSL
|
||||
certificate. In this case webGUI access will use HTTPS with the Let's Encrypt
|
||||
@@ -1191,10 +1191,10 @@ Enter your local Top Level Domain. May be blank.
|
||||
|
||||
:mgmt_certificate_expiration_help:
|
||||
**Provision** may be used to install a *free* SSL Certficiate from
|
||||
[Let's Encrypt](https://letsencrypt.org/).
|
||||
[Let's Encrypt](https://letsencrypt.org/), if the server is signed in to unraid.net.
|
||||
|
||||
After a Let's Encrypt SSL Certificate has been installed, two
|
||||
background services are activated:
|
||||
background services are activated while the server is signed in to unraid.net:
|
||||
|
||||
- *updatedns* - This starts 30 seconds after server reboot has completed and contacts the Lime Technology
|
||||
DNS service to register the servers local IP address. Thereafter it wakes up every 10 minutes in case
|
||||
@@ -1207,7 +1207,7 @@ provisioned and downloaded to your server.
|
||||
|
||||
**Delete** may be used to delete the Let's Encrypt certificate file.
|
||||
|
||||
**Update DNS** may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net. Note
|
||||
**Update DNS** may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net, assuming the server is signed in. Note
|
||||
that world-wide DNS propagation could take anywhere from 1 minute to several hours (we set TTL to 60 seconds). For
|
||||
this reason, we also recommend assigning a static IP address to the server on your LAN.
|
||||
|
||||
|
||||
@@ -57,6 +57,19 @@
|
||||
'openDropdown' => _('Open dropdown'),
|
||||
'pleaseConfirmClosureYouHaveOpenPopUp' => _('Please confirm closure').'. '._('You have an open pop-up').'.',
|
||||
'trialHasExpiredSeeOptions' => _('Trial has expired see options below'),
|
||||
'errorCertRequiresSignIn' => _('Sign In before your Unraid.net SSL certificate expires'),
|
||||
'noRemoteApikeyRegisteredWithPlg' => [
|
||||
'heading' => _('My Servers Error'),
|
||||
'msg' => _('Unraid.net re-authentication required'),
|
||||
],
|
||||
'errorTooManyDisks' => [
|
||||
'heading' => 'Too many devices',
|
||||
'msg' => [
|
||||
'base' => 'You must upgrade your key to support more devices.',
|
||||
'basic' => 'Your Basic key supports 6 devices.',
|
||||
'plus' => 'Your Plus key supports 12 devices.',
|
||||
],
|
||||
],
|
||||
'extraLinks' => [
|
||||
'newTab' => sprintf(_('Opens %s in new tab'), '{0}'),
|
||||
'myServers' => _('My Servers Dashboard'),
|
||||
@@ -436,8 +449,10 @@
|
||||
],
|
||||
],
|
||||
'wanIpCheck' => [
|
||||
'checking' => _('Checking Wan IPs'),
|
||||
'match' => sprintf(_('Remark: your WAN IPv4 is **%s**'), '{0}'),
|
||||
'mismatch' => sprintf(_("Remark: Unraid's WAN IPv4 **%1s** does not match your client's WAN IPv4 **%2s**"), '{0}', '{1}').'. '._('This may indicate a complex network that will not work with this Remote Access solution').'. '._('Ignore this message if you are currently connected via Remote Access or VPN').'.',
|
||||
'resolveError' => _('DNS issue, unable to resolve mothership.unraid.net'),
|
||||
],
|
||||
],
|
||||
];
|
||||
@@ -459,6 +474,7 @@
|
||||
"internalip" => $_SERVER['SERVER_ADDR'],
|
||||
"internalport" => $_SERVER['SERVER_PORT'],
|
||||
"keyfile" => str_replace(['+','/','='], ['-','_',''], trim(base64_encode(@file_get_contents($var['regFILE'])))),
|
||||
"osVersion" => $var['version'],
|
||||
"plgVersion" => 'base-'.$var['version'],
|
||||
"protocol" => $_SERVER['REQUEST_SCHEME'],
|
||||
"reggen" => (int)$var['regGen'],
|
||||
@@ -472,6 +488,7 @@
|
||||
'configError' => $var['configValid'] !== 'yes'
|
||||
? (array_key_exists($var['configValid'], $configErrorEnum) ? $configErrorEnum[$var['configValid']] : 'UNKNOWN_ERROR')
|
||||
: null,
|
||||
'hasUnraidNetSSL' => file_exists('/boot/config/ssl/certs/certificate_bundle.pem') ? preg_match('/.*\.unraid\.net$/', $_SERVER['SERVER_NAME']) : 0, // required for boolean to check if user has unraid.net Let's Encrypt cert. Using for a less expensive check w/ $_SERVER['SERVER_NAME'] compared to reading cert file contents on every page load
|
||||
];
|
||||
?>
|
||||
<unraid-user-profile
|
||||
|
||||
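Review bot: `hasUnraidNetSSL` (hunk -472,6 +488,7) is derived from a bundle file existing plus the name the request arrived under, not from the certificate itself, so it is 0 when a server that does hold an unraid.net certificate is opened by IP or local hostname, and 1 for any request name ending in `.unraid.net` once some bundle file exists. The trailing comment already explains the cost trade-off; I would extend it to state that the flag is a display hint and must not gate any decision, e.g. `// UI hint only: derived from the request host name, not from the certificate subject`. The pattern can be tightened to `'/\.unraid\.net\z/'`, since the leading `.*` adds nothing and `$` still matches before a trailing newline. Whether `$_SERVER['SERVER_NAME']` can follow the client's Host header depends on web-server configuration that is not visible here, and the enclosing array starts outside the hunk.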
File diff suppressed because one or more lines are too long
@@ -52,6 +52,8 @@ $certPresent = file_exists("$certFile");
|
||||
$certSubject = $certPresent ? exec("openssl x509 -noout -subject -nameopt multiline -in $certFile 2>/dev/null|sed -n 's/ *commonName *= //p'") : "";
|
||||
$isLEcert = $certPresent && preg_match('/.*\.unraid\.net$/', $certSubject);
|
||||
|
||||
$isRegistered = !empty($remote['username']); // signed in to unraid.net or not
|
||||
|
||||
if ($isLEcert) {
|
||||
exec("openssl x509 -checkend 2592000 -noout -in $certFile 2>/dev/null", $arrout, $retval_expired);
|
||||
$prot = $$ethX['PROTOCOL:0']=='ipv6' ? '-6' : '-4';
|
||||
@@ -65,10 +67,11 @@ if ($isLEcert) {
|
||||
}
|
||||
|
||||
$provisionlabel = $isLEcert ? _('Renew') : _('Provision');
|
||||
$disabled_provision = $keyfile===false || ($isLEcert && $retval_expired===0) ? 'disabled' : '';
|
||||
$disabled_updatedns = $keyfile!==false && $isLEcert ? '' : 'disabled';
|
||||
$disabled_provision = !$isRegistered || $keyfile===false || ($isLEcert && $retval_expired===0) ? 'disabled' : '';
|
||||
$disabled_updatedns = $isRegistered && $keyfile!==false && $isLEcert ? '' : 'disabled';
|
||||
$disabled_delete = $certPresent && $var['USE_SSL']!='auto' ? '' : 'disabled';
|
||||
$disabled_auto = $isLEcert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
|
||||
$disabled_yes = (!$isRegistered && $isLEcert) || $keyfile===false ? 'disabled' : '';
|
||||
$disabled_auto = $isRegistered && $isLEcert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
|
||||
|
||||
// Get ports in use
|
||||
$portsInUse = [];
|
||||
@@ -83,7 +86,19 @@ foreach ($output as $line) {
|
||||
}
|
||||
?>
|
||||
<script>
|
||||
var isRegistered = <?= $isRegistered ? 1 : 0 ?>;
|
||||
var notRegisteredMsg = '<?= _('Sign In to Unraid.net required') ?>';
|
||||
|
||||
function provisionHandler(event, form) { // provisions and renewals require being Signed In to Unraid.net
|
||||
if (event.submitter.value === 'Delete') return true; // always allow deletes regardless of isRegistered value
|
||||
if (!isRegistered) {
|
||||
event.preventDefault();
|
||||
return alert(notRegisteredMsg);
|
||||
}
|
||||
};
|
||||
|
||||
function updateDNS(button) {
|
||||
if (!isRegistered) return alert(notRegisteredMsg);
|
||||
$(button).prop("disabled", true).html("<i class='fa fa-circle-o-notch fa-spin fa-fw'></i>_(Update DNS)_");
|
||||
var failure = function(data) {
|
||||
var status = data.status;
|
||||
@@ -222,7 +237,7 @@ _(Use UPnP)_:
|
||||
_(Use SSL/TLS)_:
|
||||
: <select name="USE_SSL" onchange="updateSSL(this.form)">
|
||||
<?=mk_option($var['USE_SSL'], "no", _('No'))?>
|
||||
<?=mk_option($var['USE_SSL'], "yes", _('Yes'))?>
|
||||
<?=mk_option($var['USE_SSL'], "yes", _('Yes'), $disabled_yes)?>
|
||||
<?=mk_option($var['USE_SSL'], "auto", _('Auto'), $disabled_auto)?>
|
||||
</select>
|
||||
|
||||
@@ -248,7 +263,7 @@ _(Local TLD)_:
|
||||
|
||||
</form>
|
||||
<div style="height:24px"></div>
|
||||
<form markdown="1" name="Provision" method="POST" action="/update.htm" target="progressFrame">
|
||||
<form markdown="1" name="Provision" method="POST" target="progressFrame" action="/update.htm" onsubmit="provisionHandler(event, this)">
|
||||
<input type="hidden" name="server_name" value="<?=$_SERVER['SERVER_NAME']?>">
|
||||
<input type="hidden" name="server_addr" value="<?=$_SERVER['SERVER_ADDR']?>">
|
||||
<?if ($certPresent):?>
|
||||
@@ -268,6 +283,13 @@ $format = $display['date'].($display['date']!='%c' ? ', '.str_replace(['%M','%R'
|
||||
_(Certificate expiration)_:
|
||||
: <?=_(strftime($format, $time),0)?>
|
||||
|
||||
<?if (!$isRegistered):?>
|
||||
|
||||
:
|
||||
<!-- <span class="red" style="padding-left: 0;"><i class="fa fa-warning"></i> _(Certificate will not renew unless you are signed in to Unraid.net)_</span> -->
|
||||
<span><i class="fa fa-warning icon warning"></i> <em>_(Certificate will not renew unless you are signed in to Unraid.net)_</em></span>
|
||||
<?endif;?>
|
||||
|
||||
<?if ($dnsRebindingProtection):?>
|
||||
|
||||
: _(DNS Rebinding Protection is ENABLED)_
|
||||
@@ -281,6 +303,11 @@ _(Certificate expiration)_:
|
||||
_(CA-signed certificate file)_:
|
||||
: _(Not present)_
|
||||
|
||||
<?if (!$isRegistered):?>
|
||||
|
||||
: <i class="fa fa-warning icon warning"></i> <em>_(You must be signed in to Unraid.net in order to generate an Unraid.net SSL certificate)_</em>
|
||||
<?endif;?>
|
||||
|
||||
<?endif;?>
|
||||
|
||||
: <button type="submit" name="changePorts" value="Provision" <?=$disabled_provision?>><?=$provisionlabel?></button><button type="submit" name="changePorts" value="Delete" <?=$disabled_delete?> >_(Delete)_</button><button type="button" onclick="updateDNS(this)" <?=$disabled_updatedns?>>_(Update DNS)_</button>
|
||||
|
||||
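Review bot: The sign-in requirement is enforced only in the browser in the visible hunks: the `disabled` attributes built from `$isRegistered` and the early returns in `provisionHandler` and `updateDNS` are presentation, so the handler behind `/update.htm` and the Update DNS endpoint (neither is part of this diff) should repeat the `!empty($remote['username'])` check before provisioning, renewing or updating DNS. In the -83,7 +86,19 hunk, `notRegisteredMsg` puts a translated string inside a single-quoted JS literal, so unless `_()` escapes quotes, a translation containing an apostrophe breaks the script; `var notRegisteredMsg = <?= json_encode(_('Sign In to Unraid.net required')) ?>;` avoids that. `provisionHandler` reads `event.submitter`, which older browsers do not provide, and there the handler throws before reaching the `isRegistered` test; `if (event.submitter && event.submitter.value === 'Delete') return true;` is the null-safe form.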