mirror/webgui
1
0
Fork 0
mirror of https://github.com/unraid/webgui.git synced 2026-01-17 15:10:02 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
f70dc2a3cd87f485d562d85170e2e6cfa640fa5f
webgui/plugins/dynamix/ManagementAccess.page
Tom Mortensen c717a4df72 wildcard cert handling improvements
2022-01-17 08:48:43 -08:00

323 lines
12 KiB
Plaintext
Raw Blame History

Menu="OtherSettings"
Type="xmenu"
Title="Management Access"
Icon="icon-key"
Tag="expeditedssl"
---
<?PHP
/* Copyright 2005-2021, Lime Technology
* Copyright 2012-2021, Bergware International.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*/
?>
<?
function find_tasks() {
global $site;
$tasks = [];
foreach ($site as $page) {
if (empty($page['Menu'])) continue;
$menu = strtok($page['Menu'], ' ');
switch ($menu[0]) {
case '$': $menu = get_ini_key($menu,strtok(' ')); break;
case '/': $menu = get_file_key($menu,strtok(' ')); break;
}
while ($menu !== false) {
if (substr($menu,0,5) == 'Tasks') {
if (empty($page['Cond'])) $tasks[] = $page['name'];
break;
}
$menu = strtok(' ');
}
}
sort($tasks);
return $tasks;
}
function plain($ip) {
return str_replace(['[',']'],'',$ip);
}
$tasks = find_tasks();
$ethX = 'eth0';
$addr = ipaddr($ethX);
$rebindip = "192.168.42.42";
$keyfile = @file_get_contents($var['regFILE']);
if ($keyfile !== false) $keyfile = base64_encode($keyfile);
$isRegistered = !empty($remote['username']); // signed in to unraid.net or not
$certFile = "/boot/config/ssl/certs/certificate_bundle.pem";
$certPresent = file_exists("$certFile");
if ($certPresent) {
$certSubject = exec("/usr/bin/openssl x509 -in $certFile -noout -subject -nameopt multiline 2>/dev/null|sed -n 's/ *commonName *= //p'");
$certIssuer = exec("/usr/bin/openssl x509 -in $certFile -noout -text | sed -n -e 's/^.*Issuer: //p'");
$certExpires = exec("/usr/bin/openssl x509 -in $certFile -noout -text | sed -n -e 's/^.*Not After : //p'");
$isLegacyCert = preg_match('/.*\.unraid\.net$/', $certSubject);
$isWildcardCert = preg_match('/.*\.myunraid\.net$/', $certSubject);
$isLEcert = $isLegacyCert || $isWildcardCert;
$subjectURL = $certSubject;
if ($isLEcert) {
if ($isWildcardCert) $subjectURL = str_replace("*", str_replace(".", "-", $addr), $subjectURL);
exec("openssl x509 -checkend 2592000 -noout -in $certFile 2>/dev/null", $arrout, $retval_expired);
$protocol = $$ethX['PROTOCOL:0']=='ipv6' ? '-6' : '-4';
$rebindtest_ip = exec("host $protocol rebindtest.unraid.net 2>/dev/null|awk '{print \$4}'");
$dnsRebindingProtection = ($rebindtest_ip != $rebindip);
if (!$dnsRebindingProtection) {
$certtest_ip = exec("host $protocol $subjectURL 2>/dev/null|awk '{print \$4}'");
$dnsValid = $certtest_ip==$addr;
}
// more: similar test for "www.$certSubject" dns valid goes here
}
$cert_time_format = $display['date'].($display['date']!='%c' ? ', '.str_replace(['%M','%R'],['%M:%S','%R:%S'],$display['time']):'');
}
$provisionlabel = $isLEcert ? _('Renew') : _('Provision');
$disabled_provision = !$isRegistered || $keyfile===false || ($isLEcert && $retval_expired===0) ? 'disabled' : '';
$disabled_updatedns = $isRegistered && $keyfile!==false && $isLEcert ? '' : 'disabled';
$disabled_delete = $certPresent && $var['USE_SSL']!='auto' ? '' : 'disabled';
$disabled_auto = $isRegistered && $isLEcert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
$upgradelabel = _('Upgrade Cert');
// Get ports in use
$portsInUse = [];
exec("lsof -Pni|awk '/LISTEN/ && \$9!~/127.0.0.1/ && \$9!~/\\[::1\\]/{print \$9}'|sort -u", $output);
$bind = $var['BIND_MGT']=='yes';
$list = ['*',$addr];
foreach ($output as $line) {
[$ip, $port] = my_explode(':', $line);
if (!in_array($port,$portsInUse) && (!$bind || in_array(plain($ip),$list))) $portsInUse[] = $port;
}
?>
<script>
var isRegistered = <?= $isRegistered ? 1 : 0 ?>;
var notRegisteredMsg = '<?= _('Sign In to Unraid.net required') ?>';
function provisionHandler(event, form) { // provisions and renewals require being Signed In to Unraid.net
if (event.submitter.value === 'Delete') return true; // always allow deletes regardless of isRegistered value
if (event.submitter.value === 'Renew') return true; // always allow renewals regardless of isRegistered value
if (!isRegistered) {
event.preventDefault();
return alert(notRegisteredMsg);
}
};
function updateDNS(button) {
if (!isRegistered) return alert(notRegisteredMsg);
$(button).prop("disabled", true).html("<i class='fa fa-circle-o-notch fa-spin fa-fw'></i>_(Update DNS)_");
var failure = function(data) {
var status = data.status;
var obj = data.responseJSON;
var msg = "_(Sorry, an error occurred updating unraid.net DNS records)_. _(The error is)_: "+obj.error+".";
$(button).prop("disabled", false).html("_(Update DNS)_");
swal({title:"_(Oops)_",text:msg,type:"error",html:true,confirmButtonText:"_(Ok)_"});
};
var success = function(data) {
$(button).prop("disabled", false).html("_(Update DNS)_");
<?$text = _('Your local IP address %s has been updated for unraid.net')?>
swal({title:"",text:"<?=sprintf($text,$addr)?>",type:"success",html:true,confirmButtonText:"_(Ok)_"});
};
$.post("/webGui/include/UpdateDNS.php",success).fail(failure);
}
function checkPorts(form) {
var portsInUse = JSON.parse('<?=json_encode($portsInUse)?>');
var range = [], list = [], duplicates = [];
var checks = [
{'key':"PORTTELNET", 'used':"<?=$var['USE_TELNET']=='yes'?>", 'port':"<?=$var['PORTTELNET']?>", 'default':"23" , 'name':"_(TELNET port)_"},
{'key':"PORTSSH" , 'used':"<?=$var['USE_SSH']=='yes'?>" , 'port':"<?=$var['PORTSSH']?>" , 'default':"22" , 'name':"_(SSH port)_"},
{'key':"PORT" , 'used':"<?=$var['USE_SSL']=='no'?>" , 'port':"<?=$var['PORT']?>" , 'default':"80" , 'name':"_(HTTP port)_"},
{'key':"PORTSSL" , 'used':"<?=$var['USE_SSL']!='no'?>" , 'port':"<?=$var['PORTSSL']?>" , 'default':"443", 'name':"_(HTTPS port)_"}
];
for (var i=0,check; check=checks[i]; i++) {
var item = $(form).find('input[name="'+check['key']+'"]');
if ($(item).is(':disabled')) continue;
item.val(parseInt(item.val()));
var current = (check['port']||check['default']).toString();
var userPort = (item.val()||check['default']).toString();
if (userPort < 1 || userPort > 65535) range.push(userPort+' ('+check['name']+')');
duplicates.push(userPort);
if (check['used'] == '1' && userPort != current) {
if (portsInUse.includes(userPort)) list.push(userPort+' ('+check['name']+')');
}
}
duplicates = duplicates.reduce(function(acc, el, i, arr) {
if (arr.indexOf(el) !== i && acc.indexOf(el) < 0) acc.push(el); return acc;
}, []);
if (range.length > 0) {
swal({title:'_(Port out of range)_',text:sprintf('_(Port %s is out of range (minimum 1 maximum 65535))_',range.join(', ')),type:'error',showCancelButton:false,confirmButtonText:"_(OK)_"});
return;
}
if (list.length > 0) {
swal({title:'_(Port already in use)_',text:sprintf('_(Port %s is already in use by other services)_',list.join(', ')),type:'error',showCancelButton:false,confirmButtonText:"_(OK)_"});
return;
}
if (duplicates.length > 0) {
swal({title:'_(Duplicate port entered)_',text:sprintf('_(Port %s is duplicated)_',duplicates.join(', ')),type:'error',showCancelButton:false,confirmButtonText:"_(OK)_"});
return;
}
form.submit();
}
function updateTELNET(form) {
form.PORTTELNET.disabled = form.USE_TELNET.value=='no';
}
function updateSSH(form) {
form.PORTSSH.disabled = form.USE_SSH.value=='no';
}
function updateSSL(form) {
form.PORT.disabled = form.USE_SSL.value=='yes';
}
$(function(){
var form = document.SSLSettings;
updateTELNET(form);
updateSSH(form);
updateSSL(form);
});
</script>
<form markdown="1" name="SSLSettings" method="POST" action="/update.htm" target="progressFrame">
<input type="hidden" name="changePorts" value="Apply">
<input type="hidden" name="server_https" value="<?=$_SERVER['HTTPS']?>">
<input type="hidden" name="server_name" value="<?=$_SERVER['HTTP_HOST']?>">
<input type="hidden" name="server_addr" value="<?=$_SERVER['SERVER_ADDR']?>">
_(User 'root')_:
: [_(Manage)_](/Settings/Users/ManagementAccess/UserEdit?name=root)
_(Start page)_:
: <select name="START_PAGE">
<?foreach ($tasks as $task) echo mk_option($var['START_PAGE']??'Main', $task, _($task));?>
</select>
:mgmt_start_page_help:
<!--
Restrict access:
: <select name="BIND_MGT" class="narrow">
<?=mk_option($var['BIND_MGT'], "no", _('No'))?>
<?=mk_option($var['BIND_MGT'], "yes", _('Yes'))?>
</select>
> By default GUI, SSH and TELNET access are available on all active interfaces of the system.
>
> *Restrict access* limits GUI, SSH and TELNET access to the management interface only (eth0).
-->
_(Use TELNET)_:
: <select name="USE_TELNET" onchange="updateTELNET(this.form)">
<?=mk_option($var['USE_TELNET'], "no", _('No'))?>
<?=mk_option($var['USE_TELNET'], "yes", _('Yes'))?>
</select>
:mgmt_use_telnet_help:
_(TELNET port)_:
: <input type="number" name="PORTTELNET" class="narrow" min="1" max="65535" value="<?=$var['PORTTELNET']?>" placeholder="23">
:mgmt_telnet_port_help:
_(Use SSH)_:
: <select name="USE_SSH" onchange="updateSSH(this.form)">
<?=mk_option($var['USE_SSH'], "no", _('No'))?>
<?=mk_option($var['USE_SSH'], "yes", _('Yes'))?>
</select>
:mgmt_use_ssh_help:
_(SSH port)_:
: <input type="number" name="PORTSSH" class="narrow" min="1" max="65535" value="<?=$var['PORTSSH']?>" placeholder="22">
:mgmt_ssh_port_help:
_(Use UPnP)_:
: <select name="USE_UPNP">
<?=mk_option($var['USE_UPNP'], "yes", _('Yes'))?>
<?=mk_option($var['USE_UPNP'], "no", _('No'))?>
</select>
:mgmt_use_upnp_help:
_(Use SSL/TLS)_:
: <select name="USE_SSL" onchange="updateSSL(this.form)">
<?=mk_option($var['USE_SSL'], "no", _('No'))?>
<?=mk_option($var['USE_SSL'], "yes", _('Yes'))?>
<?=mk_option($var['USE_SSL'], "auto", _('Auto'), $disabled_auto)?>
</select>
:mgmt_use_ssl_tls_help:
_(HTTP port)_:
: <input type="number" name="PORT" class="narrow" min="1" max="65535" value="<?=$var['PORT']?>" placeholder="80">
:mgmt_http_port_help:
_(HTTPS port)_:
: <input type="number" name="PORTSSL" class="narrow" min="1" max="65535" value="<?=$var['PORTSSL']?>" placeholder="443">
:mgmt_https_port_help:
_(Local TLD)_:
: <input type="text" name="LOCAL_TLD" class="narrow" value="<?=htmlspecialchars($var['LOCAL_TLD'])?>">
:mgmt_local_tld_help:
&nbsp;
: <input type="button" value="_(Apply)_" onclick="checkPorts(this.form)" disabled><input type="button" value="_(Done)_" onclick="done()">
</form>
<div style="height:24px"></div>
<form markdown="1" name="Provision" method="POST" target="progressFrame" action="/update.htm" onsubmit="provisionHandler(event, this)">
<input type="hidden" name="server_https" value="<?=$_SERVER['HTTPS']?>">
<input type="hidden" name="server_name" value="<?=$_SERVER['HTTP_HOST']?>">
<input type="hidden" name="server_addr" value="<?=$_SERVER['SERVER_ADDR']?>">
<?if ($certPresent):?>
_(CA-signed certificate file)_:
: <?=$certFile?>
_(Certificate subject)_:
: [<?=$certSubject?>](https://<?=$subjectURL?>:<?=$var['PORTSSL']?>)
_(Certificate issuer)_:
: <?=$certIssuer?>
_(Certificate expiration)_:
: <?=_(strftime($cert_time_format, strtotime($certExpires)),0)?>
<?if ($dnsRebindingProtection):?>
&nbsp;
: _(DNS Rebinding Protection is ENABLED)_
<?elseif ($dnsValid !== true):?>
&nbsp;
: _(DNS Propagation is PENDING)_
<?endif;?>
<?else:?>
_(CA-signed certificate file)_:
: _(Not present)_
<?if (!$isRegistered):?>
&nbsp;
: <i class="fa fa-warning icon warning"></i> <em>_(You must be signed in to Unraid.net in order to generate an Unraid.net SSL certificate)_</em>
<?endif;?>
<?endif;?>
&nbsp;
: <button type="submit" name="changePorts" value="Provision" <?=$disabled_provision?>><?=$provisionlabel?></button><button type="submit" name="changePorts" value="Delete" <?=$disabled_delete?> >_(Delete)_</button><button type="button" onclick="updateDNS(this)" <?=$disabled_updatedns?>>_(Update DNS)_</button>
<?if ($certPresent && $isLegacyCert):?>
&nbsp;
: <button type="submit" name="changePorts" value="Upgrade"><?=$upgradelabel?></button>
<?endif;?>
:mgmt_certificate_expiration_help:
</form>
Reference in New Issue View Git Blame Copy Permalink