move SSL provisioning and DNS update execute from client-side to server-side
@@ -67,7 +67,7 @@ function provisionSSL(button) {
|
||||
}).fail(failure);
|
||||
};
|
||||
|
||||
$.post("https://keys.lime-technology.com/account/ssl/provisioncert",{internalip:"<?=$internalip?>",internalport:<?=$var['PORTSSL']?>,keyfile:"<?=$keyfile?>"},success_provision).fail(failure);
|
||||
$.post("/webGui/include/ProvisionCert.php",success_provision).fail(failure);
|
||||
}
|
||||
|
||||
function updateDNS(button) {
|
||||
@@ -87,7 +87,7 @@ function updateDNS(button) {
|
||||
swal("","Your local IP address <?=$internalip?> has been updated for unraid.net.","success");
|
||||
};
|
||||
|
||||
$.post("https://keys.lime-technology.com/account/ssl/updatedns",{internalip:"<?=$internalip?>",internalport:<?=$var['PORTSSL']?>,keyfile:"<?=$keyfile?>"},success).fail(failure);
|
||||
$.post("/webGui/include/UpdateDNS.php",success).fail(failure);
|
||||
}
|
||||
</script>
|
||||
<form markdown="1" name="SSLSettings" method="POST" action="/update.htm" target="progressFrame">
|
||||
|
||||
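--- /dev/null
+++ b/plugins/dynamix/include/ProvisionCert.php
@@ -0,0 +1,84 @@
+<?PHP
+/* Copyright 2005-2017, Lime Technology
+* Copyright 2012-2017, Bergware International.
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License version 2,
+* as published by the Free Software Foundation.
+*
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+*/
+?>
+<?
+$cli = php_sapi_name()=='cli';
+
+function response_complete($httpcode, $result, $cli_success_msg='') {
+global $cli;
+if ($cli) {
+$json = @json_decode($result,true);
+if (!empty($json['error'])) {
+echo 'Error: '.$json['error'].PHP_EOL;
+exit(1);
+}
+exit($cli_success_msg.PHP_EOL);
+}
+header('Content-Type: application/json');
+http_response_code($httpcode);
+exit((string)$result);
+}
+
+$var = parse_ini_file("/var/local/emhttp/var.ini");
+extract(parse_ini_file('/var/local/emhttp/network.ini',true));
+
+if (file_exists("/boot/config/ssl/certs/certificate_bundle.pem")) {
+$subject = exec("/usr/bin/openssl x509 -subject -noout -in /etc/ssl/certs/unraid_bundle.pem");
+if (!preg_match('/.*\.unraid\.net$/', $subject)) {
+if ($cli) exit(0); // cert common name isn't <hash>.unraid.net
+response_complete(406, '{"error":"Cannot provision cert that would overwrite your existing custom cert at /boot/config/ssl/certs/certificate_bundle.pem"}');
+}
+exec("/usr/bin/openssl x509 -checkend 2592000 -noout -in /etc/ssl/certs/unraid_bundle.pem",$arrout,$retval_expired);
+if ($retval_expired === 0) {
+if ($cli) exit(0); // not within 30 days of cert expire date
+response_complete(406, '{"error":"Cannot renew cert until within 30 days of expiry"}');
+}
+}
+
+$keyfile = @file_get_contents($var['regFILE']);
+if ($keyfile === false) {
+if ($cli) exit(0);
+response_complete(406, '{"error":"License key required"}');
+}
+$keyfile = @base64_encode($keyfile);
+$internalip = $eth0['IPADDR:0'];
+$internalport = $var['PORTSSL'];
+
+$ch = curl_init('https://keys.lime-technology.com/account/ssl/provisioncert');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch, CURLOPT_POSTFIELDS, [
+'internalip' => $internalip,
+'internalport' => $internalport,
+'keyfile' => $keyfile
+]);
+$result = curl_exec($ch);
+$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+// go ahead and save the cert then reload nginx for cli
+if ($cli) {
+$json = @json_decode($result,true);
+if (empty($json['bundle'])) {
+$strError = 'Server was unable to provision SSL certificate';
+if (!empty($json['error'])) {
+$strError .= ' - '.$json['error'];
+}
+response_complete(406, '{"error":"'.$strError.'"}');
+}
+$_POST['text'] = $json['bundle']; // nice way to leverage CertUpload.php to save the cert
+include(__DIR__.'/CertUpload.php');
+exec("/etc/rc.d/rc.nginx reload");
+}
+
+response_complete($httpcode, $result, 'LE Cert Provisioned successfully');
+?>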
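Review bot: The return value of `curl_exec($ch)` is never checked for `false`, so in the browser path a failed request to the key server reaches `response_complete($httpcode, $result, …)` with a status of 0 and an empty body, and the caller gets no usable error. UpdateDNS.php in this same commit handles that case; the same guard belongs here before `curl_close($ch)`: `if ($result === false) response_complete(500, json_encode(['error' => curl_error($ch)]));`. The error reply in the CLI branch is also assembled by concatenation, `'{"error":"'.$strError.'"}'`, using text taken from the remote response, so a quote or backslash in that text produces invalid JSON; `json_encode(['error' => $strError])` keeps it well-formed.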
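--- /dev/null
+++ b/plugins/dynamix/include/UpdateDNS.php
@@ -0,0 +1,66 @@
+<?PHP
+/* Copyright 2005-2017, Lime Technology
+* Copyright 2012-2017, Bergware International.
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License version 2,
+* as published by the Free Software Foundation.
+*
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+*/
+?>
+<?
+$cli = php_sapi_name()=='cli';
+
+function response_complete($httpcode, $result, $cli_success_msg='') {
+global $cli;
+if ($cli) {
+$json = @json_decode($result,true);
+if (!empty($json['error'])) {
+echo 'Error: '.$json['error'].PHP_EOL;
+exit(1);
+}
+exit($cli_success_msg.PHP_EOL);
+}
+header('Content-Type: application/json');
+http_response_code($httpcode);
+exit((string)$result);
+}
+
+// protocol, hostname, internalport
+list($protocol, $hostname, $internalport) = explode(":", rtrim(file_get_contents("/var/run/nginx.origin")));
+$hostname = substr($hostname, 2);
+if (!preg_match('/.*\.unraid\.net$/', $hostname)) {
+response_complete(406, '{"error":"Nothing to do"}');
+}
+
+// keyfile
+$keyfile = @file_get_contents($var['regFILE']);
+if ($keyfile === false) {
+response_complete(406, '{"error":"Registration key required"}');
+}
+$keyfile = @base64_encode($keyfile);
+
+// internalip
+extract(parse_ini_file('/var/local/emhttp/network.ini',true));
+$internalip = $eth0['IPADDR:0'];
+
+$ch = curl_init('https://keys.lime-technology.com/account/server/register');
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch, CURLOPT_POSTFIELDS, [
+'internalip' => $internalip,
+'keyfile' => $keyfile
+]);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$result = curl_exec($ch);
+$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+$error = curl_error($ch);
+curl_close($ch);
+
+if ($result === false) {
+response_complete(500, '{"error":"'.$error.'"}');
+}
+
+response_complete($httpcode, $result, 'success');
+?>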
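Review bot: `$var` is read at `@file_get_contents($var['regFILE'])` but nothing visible in this file assigns it; ProvisionCert.php loads it with `parse_ini_file("/var/local/emhttp/var.ini")`, and that line is missing here. Unless the script is always included from a context that already defines `$var`, the `@` hides the resulting warning and every request ends in "Registration key required". Add `$var = parse_ini_file("/var/local/emhttp/var.ini");` before the keyfile block. Separately, `'{"error":"'.$error.'"}'` puts the raw `curl_error()` text inside a JSON string, so a quote in the message breaks the reply; `json_encode(['error' => $error])` keeps it well-formed.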