webgui/plugins/dynamix/SSLSettings.page

Menu="Identification"
Title="SSL Certificate Settings"
Icon="ident.png"
Tag="expeditedssl"
---
<?PHP
/* Copyright 2005-2017, Lime Technology
* Copyright 2012-2017, Bergware International.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*/
?>
<script>
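function provisionSSL(internalip, keyfile, form) {
  // Request a Let's Encrypt certificate for this server and install it.
  //
  // internalip: LAN address of this server, sent to the provisioning service;
  //             the success message reports a DNS record created for it.
  // keyfile:    base64-encoded key file contents, sent with the request.
  // form:       the <form> to submit once /webGui/include/CertUpload.php has
  //             accepted the certificate bundle.
  //
  // Every step is an asynchronous jQuery request, so the outcome is reported
  // through swal() dialogs only; the return value is always true and cannot
  // reflect success or failure.

  // Report a failed step. `data` is a jqXHR or a jqXHR-shaped literal built
  // below. responseJSON is absent when the response carried no JSON body
  // (network error, HTML error page), so fall back to statusText instead of
  // dereferencing undefined, which would throw and show no dialog at all.
  var failure = function(data) {
    var status = data.status;
    var obj = data.responseJSON || {};
    var reason = obj.error || data.statusText || "unknown error";
    var msg = "Sorry, an error ("+status+") occurred provisioning your SSL certificate. " +
              "The error is: "+reason+".";
    swal('Oops',msg,'error');
  };

  // Step 1: ask the provisioning service for a certificate bundle.
  $.post("https://keys.lime-technology.com/account/ssl/provisioncert",{internalip:internalip,keyfile:keyfile},function(data) {
    // Both fields are needed by the following steps; a reply lacking either
    // is reported as a provisioning failure rather than as a DNS failure.
    if (!data || !data.bundle || !data.internal_dns) {
      failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
      return;
    }
    // Step 2: confirm the new DNS name resolves back to this server. The URL
    // is protocol-relative, presumably because https to that name cannot work
    // before the certificate from step 3 is installed — confirm before changing.
    $.get("//"+data.internal_dns+"/dnscheck",function() {
      // Step 3: hand the bundle to the server for installation.
      $.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:"<?=$var['csrf_token']?>"},function() {
        var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
                  "for local IP address "+internalip+" has been created on unraid.net.";
        swal({title:'',text:msg,type:'success'},function(){form.submit();});
      }).fail(failure);
    }).fail(function(){
      failure({"status": 403, "responseJSON": {"error": "Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds"}});
    });
  }).fail(failure);
  return true;
}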
</script>
<?
// Base64-encode the file named by $var['regFILE']; provisionSSL() receives
// it as a plain string and forwards it with the provisioning request.
$keyfile = base64_encode(file_get_contents($var['regFILE']));
// The Provision button is rendered disabled once a certificate bundle is
// already present on the flash device.
$disabled = '';
if (file_exists("/boot/config/ssl/certs/certificate_bundle.pem")) {
  $disabled = 'disabled';
}
?>
<form markdown="1" name="SSLSettings" method="POST" action="/update.htm" target="progressFrame">
Use SSL/TLS:
: <select name="USE_SSL" size="1" class="narrow">
<?=mk_option($var['USE_SSL'], "auto", "Auto")?>
<?=mk_option($var['USE_SSL'], "no", "No")?>
<?=mk_option($var['USE_SSL'], "yes", "Yes")?>
<?=mk_option($var['USE_SSL'], "only", "Only")?>
</select>
> Determines whether the webGui responds over http, https, or both.
>
> Select **No** to disable https.
>
> Select **Yes** to enable https; in this case http is also redirected to https.
>
> Select **Only** to enable only https.
>
> With **Auto** selected, https is enabled and http is redirected if a non-self-signed SSL certificate is
> installed; otherwise, https is disabled.
>
> We **highly** recommend using a static IP address if https is enabled.
http port:
: <input type="number" name="PORT" min="0" max="65535" value="<?=htmlspecialchars($var['PORT'])?>">
> Enter the http port, default is 80.
https port:
: <input type="number" name="PORTSSL" min="0" max="65535" value="<?=htmlspecialchars($var['PORTSSL'])?>">
> Enter the https port, default is 443.
&nbsp;
: <input type="submit" name="changeNames" value="Apply"><input type="button" value="Done" onclick="done()">
</form>
<form markdown="1" name="Provision" method="POST" action="/update.htm" target="progressFrame">
<input type="hidden" name="changeNames" value="apply">
Certificate info:
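: <?/* openssl output embeds text taken from the certificate (subject, issuer, SANs); escape it before placing it inside the <pre> so it cannot be interpreted as markup. The (string) cast covers shell_exec() returning null when there is no output. */ echo "<pre>".htmlspecialchars((string)shell_exec("/usr/bin/openssl x509 -text -noout -in /etc/ssl/certs/unraid_bundle.pem"))."</pre>";?>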
&nbsp;
: <input type="button" value="Provision" onclick="provisionSSL('<?=$eth0['IPADDR:0']?>', '<?=$keyfile?>', this.form)" <?=$disabled?>><input type="button" value="Renew" disabled>
> **Provision** may be used to allocate a *free* SSL Certificate from [Let's Encrypt](https://letsencrypt.org/) and
> then upload it to your server.
> Note: **Provision** may fail if your router or upstream DNS server has
> [DNS rebinding protection](https://en.wikipedia.org/wiki/DNS_rebinding) enabled. DNS rebinding
> protection prevents DNS names from resolving to addresses in a private IP range. DNS rebinding protection is meant as
> a security feature on a local LAN which includes legacy devices with buggy/insecure "web" interfaces.
> One source of DNS rebinding protection could be your ISP DNS server. In this case the problem may be solved by
> switching to a different DNS server such as Google's public DNS.
> More commonly, DNS rebinding protection could be enabled in your router. Most consumer routers do not implement DNS
> rebinding protection; but, if they do, a configuration setting should be available to turn it off.
> Higher-end routers, however, usually do enable DNS rebinding protection. Typically there are ways of turning it off
> entirely or selectively based on domain. Examples:
> **DD-WRT:** If you are using "dnsmasq" with DNS rebinding protection enabled, you can add this line to your router
> configuration file:
> `rebind-domain-ok=/unraid.net/`
> **pfSense:** If you are using pfSense internal DNS resolver service, you can add these Custom Option lines:
> `server:`<br>
> `private-domain: "unraid.net"`
> **Ubiquiti USG router:** you can add this configuration line:
> `set service dns forwarding options rebind-domain-ok=/unraid.net/`
</form>