initial commit of file from CVS for smeserver-phpki-ng on Sat Sep 7 20:50:40 AEST 2024
This commit is contained in:
parent
216095c0ea
commit
c46ac6300b
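--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.xz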
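--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,21 @@
+# Makefile for source rpm: smeserver-phpki-ng
+# $Id: Makefile,v 1.1 2020/11/24 16:28:21 jcrisp Exp $
+NAME := smeserver-phpki-ng
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attept a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)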
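Review bot: `-w $$/Makefile.common` in `find-makefile-common` looks like a typo for `-w $$d/Makefile.common`; after Make turns `$$` into `$`, the shell tests a literal `$/Makefile.common` path, so that test can never succeed and the `cvs -Q update` branch is dead. If the update is wanted, the inner test should read `if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ]`. Separately, `exit -1` in `checkout-makefile-common` is not a valid POSIX exit status; `exit 1` is the portable form.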
14
README.md
@ -1,3 +1,15 @@
|
|||||||
# smeserver-phpki-ng
|
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-phpki-ng
|
||||||
|
|
||||||
SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs
|
SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs
|
||||||
|
|
||||||
|
## Wiki
|
||||||
|
<br />https://wiki.koozali.org/
|
||||||
|
|
||||||
|
## Bugzilla
|
||||||
|
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-phpki-ng&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
|
||||||
|
*Once it has been checked, then this comment will be deleted*
|
||||||
|
<br />
|
||||||
|
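--- a/contriborbase
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10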
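--- a/createlinks
+++ b/createlinks
@@ -0,0 +1,60 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+# Start and stop links
+
+#service_link_enhanced("httpd-pki", "S86", "7");
+#service_link_enhanced("httpd-pki", "K15", "6");
+#service_link_enhanced("httpd-pki", "K15", "0");
+#service_link_enhanced("httpd-pki", "K15", "1");
+
+#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/httpd-pki');
+#safe_symlink("/var/service/httpd-pki" , 'root/service/httpd-pki');
+
+# Panel links
+
+panel_link("phpki", 'manager');
+
+# Events links
+event_link("phpki-fixtakey", qw(bootstrap-console-save post-upgrade), "50");
+event_link("phpki-fixownership", qw(bootstrap-console-save post-upgrade), "02");
+templates2events("/etc/httpd/pki-conf/httpd.conf", qw(bootstrap-console-save conf-userpanel domain-modify));
+safe_symlink("restart", "root/etc/e-smith/events/conf-userpanel/services2adjust/httpd-pki");
+safe_symlink("restart", "root/etc/e-smith/events/domain-modify/services2adjust/httpd-pki");
+safe_symlink("restart", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki");
+
+
+# our event specific for updating with yum without reboot
+$event = "smeserver-phpki-ng-update";
+#add here the path to your templates needed to expand
+#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
+
+foreach my $file (qw(
+/etc/systemd/system-preset/49-koozali.preset
+/etc/httpd/conf/httpd.conf
+/etc/httpd/pki-conf/httpd.conf
+/etc/opt/remi/php73/php-fpm.d/www.conf
+/opt/phpki/html/config.php
+))
+{
+templates2events( $file, $event );
+}
+
+#action needed in case we have a systemd unit
+event_link("systemd-default", $event, "10");
+event_link("systemd-reload", $event, "50");
+
+#action specific to this package
+event_link("phpki-fixownership", $event, "02");
+event_link("phpki-fixtakey", $event, "50");
+#event_link("conf-timezone", $event, "30");
+#services we need to restart
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-pki");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/php73-php-fpm");
+
+use esmith::Build::Backup qw(:all);
+backup_includes("smeserver-phpki-ng", qw(
+/opt/phpki/
+));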
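Review bot: `$event = "smeserver-phpki-ng-update";` assigns an undeclared package global, and the script runs with only `-w`, so a misspelt variable name anywhere below would go unnoticed at build time; add `use strict; use warnings;` after the shebang and write `my $event = "smeserver-phpki-ng-update";`. The second `use esmith::Build::Backup qw(:all);` sits at the bottom of the file next to its single caller; moving it up beside `use esmith::Build::CreateLinks` keeps the script's dependencies in one place. The commented-out `service_link_enhanced`/`safe_symlink` lines under `# Start and stop links` read as leftovers; if they are intentionally disabled because a systemd unit is used instead, a one-line comment saying so would spare the next reader the guess.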
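--- a/root/etc/e-smith/db/accounts/defaults/phpki/type
+++ b/root/etc/e-smith/db/accounts/defaults/phpki/type
@@ -0,0 +1 @@
+system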
@ -0,0 +1 @@
|
|||||||
|
940
|
@ -0,0 +1 @@
|
|||||||
|
enabled
|
@ -0,0 +1 @@
|
|||||||
|
service
|
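--- a/root/etc/e-smith/events/actions/phpki-fixownership
+++ b/root/etc/e-smith/events/actions/phpki-fixownership
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+chown root:phpki /opt/phpki/html/config.php
+chown root:phpki /opt/phpki/html/openssl.cnf
+chown phpki:phpki -R /opt/phpki/phpki-store*
+chown root:phpki /opt/phpki/html/ca
+
+chmod +x /opt/phpki/html/
+chmod +x /opt/phpki/html/ca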
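Review bot: none of the `chown`/`chmod` calls check their exit status, so a missing path leaves the event action reporting success while ownership is still wrong; add `set -e` after the shebang, or end each command with `|| exit 1`. `chown phpki:phpki -R /opt/phpki/phpki-store*` hands the whole store, including `CA/private` where the sibling `phpki-fixtakey` action expects `cakey.pem`, to the web-application user, but nothing here tightens the mode of that directory; if no other part of the package does, a `chmod 700 /opt/phpki/phpki-store/CA/private` next to it would make the intent explicit. `chmod +x` with no `who` prefix applies to all classes the umask allows, so `chmod u+x,g+x` is the narrower form if only the owner and the `phpki` group need to traverse those directories.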
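--- a/root/etc/e-smith/events/actions/phpki-fixtakey
+++ b/root/etc/e-smith/events/actions/phpki-fixtakey
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [[ -f /opt/phpki/phpki-store/CA/private/cakey.pem && ! -f /opt/phpki/phpki-store/CA/private/takey.pem ]]
+then
+echo "creating missing takey.pem"
+runuser -u phpki -- openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem
+fi
+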
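Review bot: the `runuser -u phpki -- openvpn --genkey --secret …` call is not checked, so if `openvpn` is absent or fails the action still exits 0 and every later run silently repeats the attempt; append `|| { echo "takey.pem generation failed" >&2; exit 1; }` or put `set -e` after the shebang. The key file is created under whatever umask the event runner passes through `runuser`; if it must not be group- or world-readable, set `umask 077` before the call rather than relying on the tool's own defaults. A short comment on why this key (presumably an OpenVPN tls-auth key) is generated only once the CA key exists would help the next maintainer.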
@ -0,0 +1,8 @@
|
|||||||
|
<lexicon lang="fr" params="lexicon_params()">
|
||||||
|
<!-- vim: ft=xml
|
||||||
|
-->
|
||||||
|
<entry>
|
||||||
|
<base>Certificate Management</base>
|
||||||
|
<trans>Gestion des certificats</trans>
|
||||||
|
</entry>
|
||||||
|
</lexicon>
|
@ -0,0 +1,3 @@
|
|||||||
|
FILTER=sub { $_[0] =~ /^\s*$/ ? '' : $_[0] }
|
||||||
|
GID='phpki'
|
||||||
|
PERMS=0660
|
@ -0,0 +1,69 @@
|
|||||||
|
{
|
||||||
|
# vim: ft=perl:
|
||||||
|
|
||||||
|
|
||||||
|
$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
|
||||||
|
|
||||||
|
$OUT = '';
|
||||||
|
if ((${'httpd-pki'}{'status'} || 'disabled') eq 'enabled'){
|
||||||
|
|
||||||
|
if (($port eq "80") && ($haveSSL eq 'yes')){
|
||||||
|
$OUT .= " RewriteRule ^/phpki(/.*|\$) https://%{HTTP_HOST}/phpki\$1 [L,R]\n";
|
||||||
|
}
|
||||||
|
else{
|
||||||
|
$OUT .= " ProxyPass /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
|
||||||
|
$OUT .= " ProxyPassReverse /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
$OUT .=<<"HERE";
|
||||||
|
|
||||||
|
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
|
||||||
|
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
|
||||||
|
#LoadModule proxy_express_module modules/mod_proxy_express.so
|
||||||
|
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
|
||||||
|
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
|
||||||
|
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
|
||||||
|
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
|
||||||
|
|
||||||
|
<Location /phpki>
|
||||||
|
SSLRequireSSL on
|
||||||
|
Require ip $localAccess $externalSSLAccess
|
||||||
|
</Location>
|
||||||
|
# we want Public access to ns_revoke_query.php
|
||||||
|
<Location /phpki/ns_revoke_query.php>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
# we want Public access to policy
|
||||||
|
<Location /phpki/policy.html>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
# we want Public access to help
|
||||||
|
<Location /phpki/help>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
<Location /phpki/help.php>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
# we want Public access to crl list
|
||||||
|
<Location /phpki/dl_crl.php>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
<Location /phpki/dl_crl_pem.php>
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
# and we redirect old config to our new safer script
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$)
|
||||||
|
RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L]
|
||||||
|
RewriteCond %{QUERY_STRING} stage=dl_crl_pem(&|\$)
|
||||||
|
RewriteRule ^ /phpki/dl_crl_pem.php [QSD,R=302,L]
|
||||||
|
|
||||||
|
HERE
|
||||||
|
# safely redirect crl request to php script striping all GET requests
|
||||||
|
# but would leave POST
|
||||||
|
#RewriteEngine On
|
||||||
|
#RewriteCond %{REQUEST_URI} ^/?phpki/dl_crl/?\$
|
||||||
|
#RewriteRule ^ /phpki/index.php?stage=dl_crl [P,NC]
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
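Review bot: `RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$)` is anchored only on the right, so any query string that merely contains that substring (for example `xstage=dl_crl`) is also redirected to `dl_crl.php`; `(^|&)stage=dl_crl(&|\$)` (and likewise for `dl_crl_pem`) restricts it to the real parameter. `$port`, `$localAccess` and `$externalSSLAccess` are not set in this fragment, so the output depends on earlier fragments of the same template having defined them; a one-line comment naming that dependency would help, since the enclosing `{ … }` block is wholly inside the hunk. The commented-out `#RewriteEngine On … [P,NC]` block after the heredoc is dead text inside a Perl block; if it is kept as history, a comment saying it was superseded by the `dl_crl.php` redirect makes that clear.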
@ -0,0 +1,28 @@
|
|||||||
|
{
|
||||||
|
|
||||||
|
use esmith::AccountsDB;
|
||||||
|
|
||||||
|
sub getUsersList ($){
|
||||||
|
my ($panelName) = @_;
|
||||||
|
my $a = esmith::AccountsDB->open_ro || die "Error opening accounts db";
|
||||||
|
my @users = $a->users();
|
||||||
|
my @groups = $a->groups();
|
||||||
|
my @Users = ();
|
||||||
|
foreach my $user (@users){
|
||||||
|
my $panels = $user->prop('AdminPanels') || '';
|
||||||
|
push(@Users,$user->key) if ($panels =~ /^(.*,)?$panelName(,.*)?$/);
|
||||||
|
}
|
||||||
|
foreach my $group (@groups){
|
||||||
|
$panels = $group->prop('AdminPanels') || '';
|
||||||
|
if ($panels =~ /^(.*,)?$panelName(,.*)?$/){
|
||||||
|
my @members = split(/,/,($group->prop('Members') || ''));
|
||||||
|
push(@Users,@members);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
my %seen = ();
|
||||||
|
my $u = join (' ', grep { ! $seen{ $_ }++ } @Users);
|
||||||
|
return $u;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
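Review bot: `$panels = $group->prop('AdminPanels') || '';` in the groups loop is assigned without `my` (the users loop declares its own `my $panels`), so it silently becomes a package global; write `my $panels = …` there too. `$panelName` is interpolated unescaped into `/^(.*,)?$panelName(,.*)?$/` in both loops; it is the constant `"phpki"` at the only call site in this commit, but `\Q$panelName\E` makes the regex safe for any caller. `sub getUsersList ($)` uses a prototype, which changes how calls are parsed rather than validating the argument, and `my $a` shadows `sort`'s `$a`; dropping the prototype and renaming to something like `$adb` avoids both surprises. The `Members` list is split on `,` without trimming, so a member entry with surrounding whitespace would not match a user key; whether that can occur depends on how the accounts DB stores it.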
@ -0,0 +1,23 @@
|
|||||||
|
{
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Grab ValidFrom access list property of httpd-admin
|
||||||
|
# SSL enabled virtual hosts should only allow access from IP's in
|
||||||
|
# this list, as well as local networks.
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
use esmith::NetworksDB;
|
||||||
|
|
||||||
|
my $ndb = esmith::NetworksDB->open_ro();
|
||||||
|
|
||||||
|
my @localAccess = $ndb->local_access_spec();
|
||||||
|
my $validFrom = ${'httpd-admin'}{'ValidFrom'};
|
||||||
|
if ($validFrom)
|
||||||
|
{
|
||||||
|
push @localAccess, split /,/, $validFrom;
|
||||||
|
}
|
||||||
|
$localAccess .= join ' ',
|
||||||
|
map { s:/255.255.255.255::; $_ }
|
||||||
|
@localAccess;
|
||||||
|
|
||||||
|
"";
|
||||||
|
}
|
||||||
|
|
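Review bot: `s:/255.255.255.255::` leaves the dots unescaped and has no end anchor, so each `.` matches any character and the pattern can strip from the middle of an entry; `s{/255\.255\.255\.255\z}{}` states the intent exactly. The `map { s…; $_ }` form also rewrites `@localAccess` in place through `$_` aliasing, harmless here but surprising; `map { s{…}{}r } @localAccess` (5.14+) avoids the side effect. `$localAccess .= join ' ', …` appends with no separator to whatever an earlier fragment left in `$localAccess`; if it is expected to be empty at this point, a plain `=` or an explicit initialisation would document that.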
@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
$OUT .= "LoadModule auth_tkt_module modules/mod_auth_tkt.so\n";
|
||||||
|
|
||||||
|
my $secret = ${'httpd-admin'}{TKTAuthSecret} || "34322500-7330-4400-423A-3A00434F5245";
|
||||||
|
$OUT .= "TKTAuthSecret \"$secret\"\n";
|
||||||
|
$OUT .= "TKTAuthDigestType SHA256\n";
|
||||||
|
}
|
||||||
|
|
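Review bot: the fallback `|| "34322500-7330-4400-423A-3A00434F5245"` hard-codes a ticket-signing secret into a public template, so any installation where `httpd-admin`'s `TKTAuthSecret` property is unset signs its `mod_auth_tkt` tickets with a value that can be read straight from this repository, and the `Require user` check on the `/phpki/ca` location elsewhere in this commit is only as strong as that secret. Fail closed instead, e.g. `my $secret = ${'httpd-admin'}{TKTAuthSecret} or die "httpd-admin TKTAuthSecret is not set\n";`, or have the template generate and persist a random value rather than defaulting to a constant. The value is also emitted inside double quotes without escaping; if the property could ever contain `"` or `\`, the directive would break.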
@ -0,0 +1,162 @@
|
|||||||
|
{
|
||||||
|
my $port = ${'httpd-pki'}{TCPPort} || '940';
|
||||||
|
$OUT .= "Listen 127.0.0.1:$port\n";
|
||||||
|
|
||||||
|
$OUT .= <<HERE;
|
||||||
|
|
||||||
|
HostnameLookups off
|
||||||
|
|
||||||
|
ServerAdmin admin@$DomainName
|
||||||
|
ServerRoot /etc/httpd
|
||||||
|
ServerTokens ProductOnly
|
||||||
|
|
||||||
|
User phpki
|
||||||
|
Group phpki
|
||||||
|
|
||||||
|
ErrorLog /var/log/httpd/pki_error_log
|
||||||
|
LogLevel warn
|
||||||
|
HERE
|
||||||
|
|
||||||
|
foreach (qw(
|
||||||
|
env
|
||||||
|
log_config
|
||||||
|
mime
|
||||||
|
negotiation
|
||||||
|
status
|
||||||
|
info
|
||||||
|
include
|
||||||
|
autoindex
|
||||||
|
dir
|
||||||
|
asis
|
||||||
|
imagemap
|
||||||
|
actions
|
||||||
|
userdir
|
||||||
|
proxy
|
||||||
|
proxy_http
|
||||||
|
alias
|
||||||
|
rewrite
|
||||||
|
auth
|
||||||
|
auth_anon
|
||||||
|
auth_digest
|
||||||
|
expires
|
||||||
|
headers
|
||||||
|
usertrack
|
||||||
|
setenvif
|
||||||
|
ssl
|
||||||
|
cgi
|
||||||
|
mpm_prefork
|
||||||
|
unixd
|
||||||
|
authn_core
|
||||||
|
authz_core
|
||||||
|
authz_user
|
||||||
|
authz_host
|
||||||
|
proxy_ajp
|
||||||
|
proxy_connect
|
||||||
|
proxy_express
|
||||||
|
proxy_fcgi
|
||||||
|
proxy_ftp
|
||||||
|
proxy_html
|
||||||
|
proxy_scgi
|
||||||
|
proxy_wstunnel
|
||||||
|
))
|
||||||
|
{
|
||||||
|
next unless -f "/usr/lib/httpd/modules/mod_${_}.so" ||
|
||||||
|
-f "/usr/lib64/httpd/modules/mod_${_}.so";
|
||||||
|
$OUT .= "LoadModule ${_}_module modules/mod_${_}.so\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
$OUT .= "# we do not use php module anymore, but php-fpm";
|
||||||
|
|
||||||
|
$OUT .=<<"HERE";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
PidFile /var/run/httpd-pki.pid
|
||||||
|
ScoreBoardFile /var/run/httpd-pki.scoreboard
|
||||||
|
UseCanonicalName off
|
||||||
|
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
|
||||||
|
LogFormat "%{User-agent}i" agent
|
||||||
|
|
||||||
|
CustomLog /var/log/httpd/pki_access_log common
|
||||||
|
|
||||||
|
KeepAlive On
|
||||||
|
MaxKeepAliveRequests 100
|
||||||
|
KeepAliveTimeout 15
|
||||||
|
|
||||||
|
MaxClients 150
|
||||||
|
MaxRequestsPerChild 100
|
||||||
|
|
||||||
|
ServerName www.$DomainName
|
||||||
|
|
||||||
|
MinSpareServers 1
|
||||||
|
MaxSpareServers 5
|
||||||
|
StartServers 1
|
||||||
|
Timeout 300
|
||||||
|
|
||||||
|
DefaultIcon /icons/unknown.gif
|
||||||
|
DirectoryIndex index.htm index.html index.php index.cgi
|
||||||
|
IndexOptions FancyIndexing VersionSort NameWidth=*
|
||||||
|
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
|
||||||
|
AccessFileName .htaccess
|
||||||
|
|
||||||
|
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
|
||||||
|
AddIconByType (TXT,/icons/text.gif) text/*
|
||||||
|
AddIconByType (IMG,/icons/image2.gif) image/*
|
||||||
|
AddIconByType (SND,/icons/sound2.gif) audio/*
|
||||||
|
AddIconByType (VID,/icons/movie.gif) video/*
|
||||||
|
TypesConfig /etc/mime.types
|
||||||
|
|
||||||
|
AddEncoding x-compress Z
|
||||||
|
AddEncoding x-gzip gz
|
||||||
|
|
||||||
|
AddIcon /icons/binary.gif .bin .exe
|
||||||
|
AddIcon /icons/binhex.gif .hqx
|
||||||
|
AddIcon /icons/tar.gif .tar
|
||||||
|
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
|
||||||
|
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
|
||||||
|
AddIcon /icons/a.gif .ps .ai .eps
|
||||||
|
AddIcon /icons/layout.gif .html .shtml .htm .pdf
|
||||||
|
AddIcon /icons/text.gif .txt
|
||||||
|
AddIcon /icons/c.gif .c
|
||||||
|
AddIcon /icons/p.gif .pl .py
|
||||||
|
AddIcon /icons/f.gif .for
|
||||||
|
AddIcon /icons/dvi.gif .dvi
|
||||||
|
AddIcon /icons/uuencoded.gif .uu
|
||||||
|
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
|
||||||
|
AddIcon /icons/tex.gif .tex
|
||||||
|
AddIcon /icons/bomb.gif core
|
||||||
|
|
||||||
|
AddIcon /icons/back.gif ..
|
||||||
|
AddIcon /icons/hand.right.gif README
|
||||||
|
AddIcon /icons/folder.gif ^^DIRECTORY^^
|
||||||
|
AddIcon /icons/blank.gif ^^BLANKICON^^
|
||||||
|
|
||||||
|
AddLanguage en .en
|
||||||
|
AddLanguage fr .fr
|
||||||
|
AddLanguage de .de
|
||||||
|
AddLanguage da .da
|
||||||
|
AddLanguage el .el
|
||||||
|
AddLanguage it .it
|
||||||
|
|
||||||
|
LanguagePriority en fr de
|
||||||
|
|
||||||
|
AddType text/html .shtml
|
||||||
|
AddType application/x-pkcs7-crl .crl
|
||||||
|
|
||||||
|
AddType application/x-x509-ca-cert .crt
|
||||||
|
|
||||||
|
BrowserMatch "Mozilla/2" nokeepalive
|
||||||
|
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
|
||||||
|
BrowserMatch "RealPlayer 4\.0" force-response-1.0
|
||||||
|
BrowserMatch "Java/1\.0" force-response-1.0
|
||||||
|
BrowserMatch "JDK/1\.0" force-response-1.0
|
||||||
|
|
||||||
|
AddHandler cgi-script .cgi
|
||||||
|
AddHandler server-parsed .shtml
|
||||||
|
AddHandler imap-file map
|
||||||
|
|
||||||
|
DocumentRoot /opt/phpki/html
|
||||||
|
|
||||||
|
HERE
|
||||||
|
}
|
||||||
|
|
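Review bot: `ServerAdmin admin@$DomainName` sits in an interpolating `<<HERE` heredoc, so Perl reads `@$DomainName` as an array dereference rather than a literal `@`; the generated `root/etc/httpd/pki-conf/httpd.conf` in this same commit shows the result, `ServerAdmin admin` with the domain missing. Write it as `ServerAdmin admin\@$DomainName`, which is how the config.php template in this commit already spells `"admin\@$DomainName"`. The module list also loads `status`, `info`, `userdir`, `autoindex`, `include`, `cgi` and every `proxy_*` backend that happens to be installed, none of which the php-fpm-proxied application visibly needs; trimming it to what the `Directory`/`Location` fragments use would reduce this CA service's surface. `MaxClients`/`MaxRequestsPerChild` are the pre-2.4 names; they still work through compatibility aliases, but `MaxRequestWorkers`/`MaxConnectionsPerChild` match the `mpm_prefork` module loaded here.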
@ -0,0 +1,11 @@
|
|||||||
|
|
||||||
|
# First, we configure the "default" to be a very restrictive set of
|
||||||
|
# permissions.
|
||||||
|
|
||||||
|
<Directory />
|
||||||
|
Options None
|
||||||
|
AllowOverride None
|
||||||
|
Require all denied
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
|
||||||
|
Alias /phpki /opt/phpki/html/
|
||||||
|
|
||||||
|
# Main access allowed for valid user
|
||||||
|
<Directory /opt/phpki/html>
|
||||||
|
AddType application/x-httpd-php .php
|
||||||
|
Options FollowSymLinks
|
||||||
|
{
|
||||||
|
my $key = "phpki";
|
||||||
|
my $pool_name = lc $key;
|
||||||
|
my $version = ${httpd-pki}{'PHPVersion'} || '73';
|
||||||
|
$OUT .="
|
||||||
|
<FilesMatch .php\$>
|
||||||
|
SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\"
|
||||||
|
</FilesMatch>\n";
|
||||||
|
}
|
||||||
|
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
|
||||||
|
SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
|
||||||
|
AddType application/x-x509-ca-cert .crt .pem
|
||||||
|
AddType application/pkix-crl .crl
|
||||||
|
AddType application/pkix-cert .cer .der
|
||||||
|
AllowOverride None
|
||||||
|
Require ip 127.0.0.1
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# /ca is only allowed for admin and explicitely authorized users
|
||||||
|
<Location /phpki/ca>
|
||||||
|
AuthName "PHPKI Admin"
|
||||||
|
AuthType Basic
|
||||||
|
TKTAuthLoginURL /server-common/cgi-bin/login
|
||||||
|
<RequireAll>
|
||||||
|
Require user admin {getUsersList("phpki");}
|
||||||
|
Require ip 127.0.0.1
|
||||||
|
</RequireAll>
|
||||||
|
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
|
||||||
|
SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
|
||||||
|
{
|
||||||
|
my $ManagerTimeout = ${'httpd-admin'}{ManagerTimeout} || "30m";
|
||||||
|
$OUT = " TKTAuthTimeout $ManagerTimeout\n";
|
||||||
|
my $Cookie = ${'httpd-admin'}{Cookie} || "disabled";
|
||||||
|
$OUT .= " TKTAuthCookieExpires $ManagerTimeout\n" if "$Cookie" eq "enabled";
|
||||||
|
my $ManagerTimeoutReset = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66";
|
||||||
|
$OUT .= " TKTAuthTimeoutRefresh $ManagerTimeoutReset\n";
|
||||||
|
}
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
# Disable access to /admin, which is used to configure user/password
|
||||||
|
# via an htaccess file
|
||||||
|
<Directory /opt/phpki/html/admin>
|
||||||
|
Require all denied
|
||||||
|
</Directory>
|
||||||
|
|
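Review bot: `${httpd-pki}{'PHPVersion'}` is missing the quotes the rest of this commit uses (`${'httpd-pki'}{TCPPort}`, `${'httpd-admin'}{ManagerTimeout}`); inside `${…}` the bareword expression `httpd-pki` is evaluated rather than used as the key, so as far as I can see the `PHPVersion` property is never read and `$version` always falls back to `'73'`. The php-fpm pool template in this commit does read the real property, so on a system with `PHPVersion` set to anything else the `SetHandler "proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|…"` path would not match the pool's `listen` socket. Change it to `my $version = ${'httpd-pki'}{'PHPVersion'} || '73';`. `Require ip 127.0.0.1` on the document root is sound only because the main template binds `Listen 127.0.0.1:$port`; a comment tying the two together would stop either being changed in isolation.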
69
root/etc/e-smith/templates/etc/php-fpm.d/www.conf/20pki
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
{
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
my $c = esmith::ConfigDB->open_ro || die "Couldn't open the configuration database\n";
|
||||||
|
my $httpdpki = $c->get( 'httpd-pki' );
|
||||||
|
|
||||||
|
my $version = $httpdpki->prop('PHPVersion') || '73';
|
||||||
|
# we enable both the httpd server and php pool with same status
|
||||||
|
my $status = $httpdpki->prop('status') || 'disabled';
|
||||||
|
return unless ($status eq 'enabled' && $version eq $PHP_VERSION);
|
||||||
|
my $key = 'phpki';
|
||||||
|
my $pool_name = lc $key;
|
||||||
|
my $include_path = ".:/usr/share/pear-addons:/usr/share/pear:/usr/share/pear-data:/usr/share/php:/usr/sbin/:/usr/bin:/opt/phpki/html:/opt/phpki/html/include";
|
||||||
|
my $open_basedir = "/opt/phpki:/var/lib/php/phpki:/usr/sbin/openvpn:/usr/bin/which:/usr/bin/cat:/usr/bin/egrep:$include_path";
|
||||||
|
my $disabled_functions = 'show_source,dl,passthru'
|
||||||
|
;
|
||||||
|
# Format vars
|
||||||
|
$disabled_functions = join(', ', split /[,;:]/, $disabled_functions);
|
||||||
|
$open_basedir = join(':', split(/[,;:]/, $open_basedir . ",/usr/share/php"));
|
||||||
|
|
||||||
|
$OUT .=<<"_EOF" if ($version eq $PHP_VERSION);
|
||||||
|
|
||||||
|
[$pool_name]
|
||||||
|
user = phpki
|
||||||
|
group = phpki
|
||||||
|
listen.owner = root
|
||||||
|
listen.group = phpki
|
||||||
|
listen.mode = 0660
|
||||||
|
listen = /var/run/php-fpm/php$version-$pool_name.sock
|
||||||
|
catch_workers_output = yes
|
||||||
|
pm = dynamic
|
||||||
|
pm.max_children = 15
|
||||||
|
pm.start_servers = 3
|
||||||
|
pm.min_spare_servers = 3
|
||||||
|
pm.max_spare_servers = 4
|
||||||
|
pm.max_requests = 1000
|
||||||
|
slowlog = /var/log/$key/slow.log
|
||||||
|
php_admin_value[session.save_path] = /var/lib/php/$key/session
|
||||||
|
php_admin_value[opcache.file_cache] = /var/lib/php/$key/opcache
|
||||||
|
php_admin_value[upload_tmp_dir] = /var/lib/php/$key/tmp
|
||||||
|
php_admin_value[sys_temp_dir] = /var/lib/php/$key/tmp
|
||||||
|
php_admin_flag[display_errors] = off
|
||||||
|
php_admin_value[error_reporting] =E_ERROR | E_WARNING | E_PARSE
|
||||||
|
php_admin_value[error_log] = /var/log/$key/error.log
|
||||||
|
php_admin_flag[log_errors] = on
|
||||||
|
; php_admin_value[max_execution_time] = $max_execution_time
|
||||||
|
php_admin_value[disable_functions] = $disabled_functions
|
||||||
|
php_admin_flag[allow_url_fopen] = off
|
||||||
|
php_admin_flag[file_upload] = off
|
||||||
|
php_admin_flag[session.cookie_httponly] = on
|
||||||
|
php_admin_flag[allow_url_include] = off
|
||||||
|
php_admin_value[session.save_handler] = files
|
||||||
|
php_admin_value[open_basedir] = $open_basedir
|
||||||
|
|
||||||
|
php_admin_value[auto_prepend_file] = /usr/share/php/auth_translation.php
|
||||||
|
php_value[include_path] = $include_path
|
||||||
|
php_flag[magic_quotes_gpc] = off
|
||||||
|
php_flag[track_vars] = on
|
||||||
|
php_flag[session.use_trans_sid] = off
|
||||||
|
php_flag[register_globals] = off
|
||||||
|
php_flag[register_long_arrays] = on
|
||||||
|
|
||||||
|
; Needed so shell_exec does it right
|
||||||
|
env[PATH] = $include_path
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
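Review bot: `; php_admin_value[max_execution_time] = $max_execution_time` is a commented-out ini line, but it sits inside the interpolating `<<"_EOF"` heredoc, so Perl still expands `$max_execution_time`, which nothing in this fragment sets (an uninitialized-value warning and an empty value); either drop the line or escape it as `\$max_execution_time`. The `if ($version eq $PHP_VERSION)` on the `$OUT .=<<"_EOF"` line is redundant with the `return unless (… $version eq $PHP_VERSION)` above it. `php_flag[magic_quotes_gpc]`, `php_flag[register_globals]` and `php_flag[register_long_arrays]` were removed from PHP in 5.4, so on the `php73` pool targeted here they are no-ops. `disable_functions` deliberately leaves the process-spawning functions available, consistent with the `env[PATH]` comment that the application shells out; a one-line comment saying that this is intentional would keep a later hardening pass from breaking the CA.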
@ -0,0 +1,38 @@
|
|||||||
|
{
|
||||||
|
# use Data::Validate::IP;
|
||||||
|
use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
|
||||||
|
our $KeySize = $modSSL{KeySize} ||'4096';
|
||||||
|
our $FQDN = "$SystemName.$DomainName";
|
||||||
|
our $Country = $modSSL{Country} || "--";
|
||||||
|
our $State = $modSSL{State} || "----";
|
||||||
|
our $commonName = $modSSL{CommonName} || $FQDN;
|
||||||
|
our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
|
||||||
|
our $key = "/home/e-smith/ssl.key/$FQDN.key";
|
||||||
|
our $defaultCity = $ldap{defaultCity} || '-';
|
||||||
|
our $defaultCompany = $ldap{defaultCompany} || $commonName ;
|
||||||
|
our $defaultDepartment = $ldap{defaultDepartment} || '-';
|
||||||
|
our $email = "admin\@$DomainName";
|
||||||
|
our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
|
||||||
|
chomp @subjectAlt;
|
||||||
|
our $subjectAltName = "";
|
||||||
|
my $i=0;
|
||||||
|
for my $elem (@subjectAlt) {
|
||||||
|
$subjectAltName .= ", " if $i>0;
|
||||||
|
$i++;
|
||||||
|
if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
|
||||||
|
$subjectAltName .= "IP:$elem";
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
$subjectAltName .= "DNS:$elem";
|
||||||
|
}
|
||||||
|
$subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
|
||||||
|
|
||||||
|
# crop fields that are too long for X509:
|
||||||
|
$Country = substr($Country, 0, 2);
|
||||||
|
$defaultCity = substr($defaultCity, 0, 128);
|
||||||
|
$defaultCompany = substr($defaultCompany, 0, 64);
|
||||||
|
$defaultDepartment = substr($defaultDepartment, 0, 64);
|
||||||
|
$email = substr($email, 0, 64);
|
||||||
|
$commonName = substr($commonName, 0, 64);
|
||||||
|
$OUT="";
|
||||||
|
}
|
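Review bot: `our $KeySize = $modSSL{KeySize} ||'4096';` is declared here but never used; the sibling fragment that writes `$config['keysize']` hard-codes `'4096'`, so changing `modSSL`'s `KeySize` has no effect on the generated file. Either interpolate `$KeySize` there or drop the variable. The `our` declarations are consumed by later fragments (`$commonName`, `$Country`, `$defaultCity`, …), which is not obvious from this block alone; a header comment stating that they are shared across the template's fragments would make the contract visible. The backtick call to `/sbin/e-smith/generate-subjectaltnames` is an absolute path with no arguments, so there is no injection exposure, but its exit status is never checked; testing `$?` afterwards would reveal an incomplete SAN list instead of silently producing an empty one.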
@ -0,0 +1,30 @@
|
|||||||
|
{
|
||||||
|
my $phone = ${ldap}{defaultPhoneNumber} || "none";
|
||||||
|
my $zip = ${ldap}{postalCode} || "H0H 0H0";
|
||||||
|
my $street = ${ldap}{defaultStreet} || "Address Line #1";
|
||||||
|
@lines = map {
|
||||||
|
m:\$config\['common_name'\]: && s/.*/\$config['common_name']='$commonName';/;
|
||||||
|
m:\$config\['unit'\]: && s/.*/\$config['unit']='$defaultDepartment';/;
|
||||||
|
m:\$config\['keysize'\]: && s/.*/\$config['keysize']='4096';/;
|
||||||
|
m:\$config\['country'\]: && s/.*/\$config['country']='$Country';/;
|
||||||
|
m:\$config\['province'\]: && s/.*/\$config['province']='$State';/;
|
||||||
|
m:\$config\['locality'\]: && s/.*/\$config['locality']='$defaultCity';/;
|
||||||
|
m:\$config\['organization'\]: && s/.*/\$config['organization']='$defaultCompany';/;
|
||||||
|
m:\$config\['contact'\]: && s/.*/\$config['contact']='$email';/;
|
||||||
|
m:\$config\['base_url'\]: && s/.*/\$config['base_url']='https:\/\/$commonName\/phpki\/';/;
|
||||||
|
s/(^|\n)[\n\s]*/$1/g;;
|
||||||
|
$_
|
||||||
|
} @lines;
|
||||||
|
push @lines, "\$config['common_name']='$commonName';" unless grep( /\$config\['common_name'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['unit']='$defaultDepartment';" unless grep( /\$config\['unit'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['keysize']='4096';" unless grep( /\$config\['keysize'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['country']='$Country';" unless grep( /\$config\['country'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['province']='$State';" unless grep( /\$config\['province'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['locality']='$defaultCity';" unless grep( /\$config\['locality'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['organization']='$defaultCompany';" unless grep( /\$config\['organization'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['contact']='$email';" unless grep( /\$config\['contact'\]/ ,@lines);
|
||||||
|
push @lines, "\$config['base_url']='https://$commonName/phpki/';" unless grep( /\$config\['base_url'\]/ ,@lines);
|
||||||
|
# we do not update the following as it will mess up the file.
|
||||||
|
push @lines, "\$config[\'getting_help\']=\'<b>Contact:</b><br>\nFirst-Name Last-Name<br>\n$defaultCompany/$defaultDepartment<br>\n$street<br>\n$defaultCity, $State, $zip<br>\n<br>\nPhone: $phone<br>\nE-mail: <a href=mailto:$email>$email</a> <i><b>E-mail is preferred.</b></i><br>\';" unless grep( /\$config\['getting_help'\]/ ,@lines);
|
||||||
|
"";
|
||||||
|
}
|
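Review bot: the values interpolated into the PHP single-quoted literals (`'$commonName'`, `'$defaultCompany'`, `'$defaultDepartment'`, `'$defaultCity'`, …) are written verbatim, so an organisation or city name containing `'` or `\` (for example `O'Brien Ltd`) yields a `config.php` that no longer parses, and in the worst case lets DB content terminate the string literal. Escape each value once before the `map`, e.g. `(my $org = $defaultCompany) =~ s/([\\'])/\\$1/g;` and interpolate `$org` in both the `s///` replacement and the `push` fallback, or build the lines through a small helper that quotes for PHP. `s/.*/\$config['keysize']='4096';/` hard-codes the key size while the earlier fragment declares `our $KeySize` for exactly this purpose; using it keeps the two in step. `s/(^|\n)[\n\s]*/$1/g;;` carries a stray second semicolon.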
@ -0,0 +1,12 @@
|
|||||||
|
{
|
||||||
|
$OUT .= "";
|
||||||
|
foreach my $line (@lines)
|
||||||
|
{
|
||||||
|
chomp $line;
|
||||||
|
next if grep { /^$/ } $line ;
|
||||||
|
push @lines, $_;
|
||||||
|
|
||||||
|
$OUT .= "$line\n";
|
||||||
|
}
|
||||||
|
$OUT .= "?>";
|
||||||
|
}
|
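Review bot: `push @lines, $_;` inside `foreach my $line (@lines)` appends to the array being iterated and uses `$_`, which is not the loop variable, so it appears to be a leftover from the reader fragment and should be removed; perlsyn documents adding elements to an array during a `foreach` over it as unsupported, so as written the loop's termination depends on `$_` happening to be empty at that point. `$OUT .= "";` above the loop is a no-op and can go. `next if grep { /^$/ } $line;` is a roundabout way of writing `next if $line eq '';` (the line has already been chomped).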
@ -0,0 +1,17 @@
|
|||||||
|
{
|
||||||
|
# vim: ft=perl:
|
||||||
|
%lines = ();
|
||||||
|
@lines = ();
|
||||||
|
open (RD, "</opt/phpki/html/config.php")
|
||||||
|
|| warn "Cannot open input file /opt/phpki/html/config.php: $!\n";
|
||||||
|
while (<RD>)
|
||||||
|
{
|
||||||
|
chomp;
|
||||||
|
next if grep { /^$/ } $_ ;
|
||||||
|
next if grep { /^\?/ } $_;
|
||||||
|
push @lines, $_;
|
||||||
|
$lines{$_} = 1;
|
||||||
|
}
|
||||||
|
close(RD);
|
||||||
|
"";
|
||||||
|
}
|
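Review bot: `open (RD, "</opt/phpki/html/config.php")` uses a bareword handle and two-argument `open`; the path is a fixed literal, so there is no mode-injection exposure here, but the three-argument lexical form is the idiom to converge on: `open(my $rd, '<', '/opt/phpki/html/config.php') or warn "Cannot open input file /opt/phpki/html/config.php: $!\n";`. On failure the code only warns and then runs `while (<RD>)` on an unopened handle, which yields nothing, so `@lines` stays empty and the later fragment rebuilds every `$config[...]` line from defaults; if that is the intended first-run path, a comment saying so would help, otherwise the block should return after the warning. `%lines` is filled here but not read by any fragment visible in this commit.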
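--- a/root/etc/e-smith/web/functions/phpki
+++ b/root/etc/e-smith/web/functions/phpki
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+#----------------------------------------------------------------------
+# heading : Security
+# description : Certificate Management
+# navigation : 4000 4200
+#----------------------------------------------------------------------
+
+use strict;
+use CGI':all';
+use CGI::Carp qw(fatalsToBrowser);
+
+
+BEGIN
+{
+$ENV {'PATH'} = '/bin:/usr/bin:/sbin';
+$ENV {'SHELL'} = '/bin/bash';
+delete $ENV {'ENV'};
+}
+
+
+my $q = new CGI;
+my $content="0; url=https://".$ENV {'HTTP_X_FORWARDED_HOST'}."/phpki/ca/";
+$q->default_dtd('-//W3C//DTD XHTML 1.0 Transitional//EN');
+
+print $q->header ('text/html');
+print $q->start_html (-head=>meta({-http_equiv=>'refresh', -content=>$content}));
+
+
+
+print $q->end_html;
+
+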
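Review bot: `$ENV{'HTTP_X_FORWARDED_HOST'}` originates from a request header, so the `meta refresh` target `https://<that host>/phpki/ca/` follows whatever value reaches this CGI; unless the front-end proxy is known to overwrite a client-supplied `X-Forwarded-Host`, the panel can be turned into a redirect to an arbitrary host. A relative target removes the dependency entirely: `my $content = "0; url=/phpki/ca/";` (the browser is already on the server-manager host over HTTPS). `new CGI` is indirect-object syntax; write `my $q = CGI->new;`. `use warnings;` is missing next to `use strict;`.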
163
root/etc/httpd/pki-conf/httpd.conf
Normal file
@ -0,0 +1,163 @@
|
|||||||
|
#------------------------------------------------------------
|
||||||
|
# !!DO NOT MODIFY THIS FILE!!
|
||||||
|
#
|
||||||
|
# Manual changes will be lost when this file is regenerated.
|
||||||
|
#
|
||||||
|
# Please read the developer's guide, which is available
|
||||||
|
# at http://www.contribs.org/development/
|
||||||
|
#
|
||||||
|
# Copyright (C) 1999-2006 Mitel Networks Corporation
|
||||||
|
#------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
LoadModule auth_tkt_module modules/mod_auth_tkt.so
|
||||||
|
TKTAuthSecret "1234"
|
||||||
|
|
||||||
|
|
||||||
|
Listen 127.0.0.1:940
|
||||||
|
|
||||||
|
HostnameLookups off
|
||||||
|
|
||||||
|
ServerAdmin admin
|
||||||
|
ServerRoot /etc/httpd
|
||||||
|
ServerTokens ProductOnly
|
||||||
|
|
||||||
|
User phpki
|
||||||
|
Group phpki
|
||||||
|
|
||||||
|
ErrorLog /var/log/httpd/pki_error_log
|
||||||
|
LogLevel warn
|
||||||
|
LoadModule env_module modules/mod_env.so
|
||||||
|
LoadModule log_config_module modules/mod_log_config.so
|
||||||
|
LoadModule mime_module modules/mod_mime.so
|
||||||
|
LoadModule negotiation_module modules/mod_negotiation.so
|
||||||
|
LoadModule status_module modules/mod_status.so
|
||||||
|
LoadModule info_module modules/mod_info.so
|
||||||
|
LoadModule include_module modules/mod_include.so
|
||||||
|
LoadModule autoindex_module modules/mod_autoindex.so
|
||||||
|
LoadModule dir_module modules/mod_dir.so
|
||||||
|
LoadModule asis_module modules/mod_asis.so
|
||||||
|
#LoadModule imap_module modules/mod_imap.so
|
||||||
|
LoadModule actions_module modules/mod_actions.so
|
||||||
|
LoadModule userdir_module modules/mod_userdir.so
|
||||||
|
LoadModule proxy_module modules/mod_proxy.so
|
||||||
|
LoadModule proxy_http_module modules/mod_proxy_http.so
|
||||||
|
LoadModule alias_module modules/mod_alias.so
|
||||||
|
LoadModule rewrite_module modules/mod_rewrite.so
|
||||||
|
#LoadModule access_module modules/mod_access.so
|
||||||
|
#LoadModule auth_module modules/mod_auth.so
|
||||||
|
#LoadModule auth_anon_module modules/mod_auth_anon.so
|
||||||
|
LoadModule auth_digest_module modules/mod_auth_digest.so
|
||||||
|
LoadModule expires_module modules/mod_expires.so
|
||||||
|
LoadModule headers_module modules/mod_headers.so
|
||||||
|
LoadModule usertrack_module modules/mod_usertrack.so
|
||||||
|
LoadModule setenvif_module modules/mod_setenvif.so
|
||||||
|
LoadModule ssl_module modules/mod_ssl.so
|
||||||
|
LoadModule cgi_module modules/mod_cgi.so
|
||||||
|
|
||||||
|
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
|
||||||
|
LoadModule unixd_module modules/mod_unixd.so
|
||||||
|
LoadModule access_compat_module modules/mod_access_compat.so
|
||||||
|
LoadModule authn_core_module modules/mod_authn_core.so
|
||||||
|
LoadModule authz_core_module modules/mod_authz_core.so
|
||||||
|
|
||||||
|
PidFile /var/run/httpd-bkpc.pid
|
||||||
|
ScoreBoardFile /var/run/httpd-bkpc.scoreboard
|
||||||
|
UseCanonicalName off
|
||||||
|
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
||||||
|
LogFormat "%{User-agent}i" agent
|
||||||
|
|
||||||
|
CustomLog /var/log/httpd/pki_access_log common
|
||||||
|
|
||||||
|
KeepAlive On
|
||||||
|
MaxKeepAliveRequests 100
|
||||||
|
KeepAliveTimeout 15
|
||||||
|
|
||||||
|
MaxClients 150
|
||||||
|
MaxRequestsPerChild 100
|
||||||
|
|
||||||
|
ServerName www.domain.tld
|
||||||
|
|
||||||
|
MinSpareServers 1
|
||||||
|
MaxSpareServers 5
|
||||||
|
StartServers 1
|
||||||
|
Timeout 300
|
||||||
|
|
||||||
|
DefaultIcon /icons/unknown.gif
|
||||||
|
DirectoryIndex index.htm index.html index.php index.cgi
|
||||||
|
IndexOptions FancyIndexing VersionSort NameWidth=*
|
||||||
|
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
|
||||||
|
AccessFileName .htaccess
|
||||||
|
|
||||||
|
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
|
||||||
|
AddIconByType (TXT,/icons/text.gif) text/*
|
||||||
|
AddIconByType (IMG,/icons/image2.gif) image/*
|
||||||
|
AddIconByType (SND,/icons/sound2.gif) audio/*
|
||||||
|
AddIconByType (VID,/icons/movie.gif) video/*
|
||||||
|
DefaultType text/plain
|
||||||
|
TypesConfig /etc/mime.types
|
||||||
|
|
||||||
|
AddEncoding x-compress Z
|
||||||
|
AddEncoding x-gzip gz
|
||||||
|
|
||||||
|
AddIcon /icons/binary.gif .bin .exe
|
||||||
|
AddIcon /icons/binhex.gif .hqx
|
||||||
|
AddIcon /icons/tar.gif .tar
|
||||||
|
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
|
||||||
|
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
|
||||||
|
AddIcon /icons/a.gif .ps .ai .eps
|
||||||
|
AddIcon /icons/layout.gif .html .shtml .htm .pdf
|
||||||
|
AddIcon /icons/text.gif .txt
|
||||||
|
AddIcon /icons/c.gif .c
|
||||||
|
AddIcon /icons/p.gif .pl .py
|
||||||
|
AddIcon /icons/f.gif .for
|
||||||
|
AddIcon /icons/dvi.gif .dvi
|
||||||
|
AddIcon /icons/uuencoded.gif .uu
|
||||||
|
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
|
||||||
|
AddIcon /icons/tex.gif .tex
|
||||||
|
AddIcon /icons/bomb.gif core
|
||||||
|
|
||||||
|
AddIcon /icons/back.gif ..
|
||||||
|
AddIcon /icons/hand.right.gif README
|
||||||
|
AddIcon /icons/folder.gif ^^DIRECTORY^^
|
||||||
|
AddIcon /icons/blank.gif ^^BLANKICON^^
|
||||||
|
|
||||||
|
AddLanguage en .en
|
||||||
|
AddLanguage fr .fr
|
||||||
|
AddLanguage de .de
|
||||||
|
AddLanguage da .da
|
||||||
|
AddLanguage el .el
|
||||||
|
AddLanguage it .it
|
||||||
|
|
||||||
|
LanguagePriority en fr de
|
||||||
|
|
||||||
|
AddType text/html .shtml
|
||||||
|
AddType application/x-pkcs7-crl .crl
|
||||||
|
|
||||||
|
AddType application/x-x509-ca-cert .crt
|
||||||
|
|
||||||
|
BrowserMatch "Mozilla/2" nokeepalive
|
||||||
|
BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0
|
||||||
|
BrowserMatch "RealPlayer 4.0" force-response-1.0
|
||||||
|
BrowserMatch "Java/1.0" force-response-1.0
|
||||||
|
BrowserMatch "JDK/1.0" force-response-1.0
|
||||||
|
|
||||||
|
AddHandler cgi-script .cgi
|
||||||
|
AddHandler server-parsed .shtml
|
||||||
|
AddHandler imap-file map
|
||||||
|
|
||||||
|
DocumentRoot /opt/phpki/
|
||||||
|
|
||||||
|
|
||||||
|
# First, we configure the "default" to be a very restrictive set of
|
||||||
|
# permissions.
|
||||||
|
|
||||||
|
<Directory />
|
||||||
|
Options None
|
||||||
|
AllowOverride None
|
||||||
|
order deny,allow
|
||||||
|
deny from all
|
||||||
|
allow from none
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
|
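--- a/root/usr/lib/systemd/system/httpd-pki.service
+++ b/root/usr/lib/systemd/system/httpd-pki.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Certificate management
+After=network.service
+[Service]
+Type=forking
+ExecStart=/usr/sbin/systemd/httpd-pki
+[Install]
+WantedBy=sme-server.target
+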
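Review bot: `Type=forking` is set but no `PIDFile=` is given, and the wrapper this unit starts (`root/usr/sbin/systemd/httpd-pki`, the next file section) runs httpd with `-D FOREGROUND` behind a `&`, so once the wrapper exits systemd has to guess which process to track. The httpd config in this commit already declares `PidFile /var/run/httpd-bkpc.pid`, so the unit could add `PIDFile=/var/run/httpd-bkpc.pid`; the alternative is `Type=simple` with the `&` dropped from the wrapper so httpd itself stays the main process. `After=network.service` presumably refers to the legacy network script; `network.target` is the usual ordering unit, though ordering under `sme-server.target` may make this a non-issue.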
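--- a/root/usr/sbin/systemd/httpd-pki
+++ b/root/usr/sbin/systemd/httpd-pki
@@ -0,0 +1,12 @@
+#!/bin/sh
+#----------------------------------------------------------------------
+# copyright (C) 1999-2004 Mitel Networks Corporation
+#----------------------------------------------------------------------
+
+config=/etc/httpd/pki-conf/httpd.conf
+
+[ -e $config ] || exit 1
+
+exec 2>&1
+exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND &
+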
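Review bot: `[ -e $config ] || exit 1` fails silently, so a missing config leaves nothing in the journal to explain why the service did not come up; `[ -e "$config" ] || { echo "httpd-pki: $config not found" >&2; exit 1; }` keeps the same exit status and adds the diagnostic. `chpst` is a runit tool, and the spec in this commit does not list runit among its Requires; if it is guaranteed through e-smith-base that is worth a comment on the line (`# chpst is provided by runit via e-smith-base`), otherwise the dependency should be declared.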
0
root/var/lib/php/phpki/opcache/.gitignore
vendored
Normal file
0
root/var/lib/php/phpki/opcache/.gitignore
vendored
Normal file
0
root/var/lib/php/phpki/session/.gitignore
vendored
Normal file
0
root/var/lib/php/phpki/session/.gitignore
vendored
Normal file
0
root/var/lib/php/phpki/tmp/.gitignore
vendored
Normal file
0
root/var/lib/php/phpki/tmp/.gitignore
vendored
Normal file
0
root/var/log/phpki/.gitignore
vendored
Normal file
0
root/var/log/phpki/.gitignore
vendored
Normal file
0
root/var/service/.gitignore
vendored
Normal file
0
root/var/service/.gitignore
vendored
Normal file
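--- a/smeserver-phpki-ng.spec
+++ b/smeserver-phpki-ng.spec
@@ -0,0 +1,198 @@
+# $Id: smeserver-phpki.spec,v 1.6 2017/05/03 21:08:27 unnilennium Exp $
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Name: smeserver-phpki-ng
+Version: 0.3
+Release: 23%{?dist}
+Summary: php integration into SME server
+
+Group: Applications/System
+License: GPL
+URL: http://phpki.sourceforge.net/
+Source: %{name}-%{version}.tar.xz
+
+#Patch0: smeserver-phpki-0.2-fix_redirect_with_user-manager_and_sso.patch
+#Patch1: smeserver-phpki-0.2.bz10267.updatetktauth.patch
+
+
+BuildRoot: %{_tmppath}/%{name}-%{version}
+BuildArch: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: mod_auth_tkt
+Requires: openvpn
+Requires: e-smith-base
+Requires: phpki-ng >= 0.84-14
+Requires: php-process
+Requires: e-smith-manager >= 2.6.0-22
+Requires: e-smith-apache >= 2.6.0-19
+Requires: smeserver-php >= 3.0.0-44
+Provides: smeserver-phpki
+#Obsoletes: smeserver-phpki
+
+%description
+PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance.
+With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled
+e-mail clients, SSL servers, and VPN applications.
+This package contains specific configuration for SME server
+
+
+%changelog
+* Sat Sep 07 2024 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.3-23.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Sat Sep 07 2024 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+by assuming the date is correct and changing the weekday.
+
+* Thu May 11 2023 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-22.sme
+- fix httpd needs QSD in place of ? [SME: 12354]
+
+* Wed Dec 28 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-21.sme
+- fix chop isntead of chomp for config.php [SME: 12293]
+fix PATH not right for exec
+
+* Sat Dec 17 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-19.sme
+- small fixes for config.php and httpd
+
+* Wed Dec 14 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-18.sme
+- revert log/phpki [SME: 12266]
+- phpki-ng autopopulate base info from ldap [SME: 11440]
+- ensure user are seen by php-pool [SME: 12268]
+- safe remote access for crl [SME: 11439]
+- 17-18: applying patches
+
+* Tue Dec 13 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-15.sme
+- fix typo preventing httpd-pki to start 2
+
+* Sun Nov 20 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-14.sme
+- fix typo preventing httpd-pki to start
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-13.sme
+- add some more needed bins which cat and egrep [SME: 11438]
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-11.sme
+- fix missing takey [SME: 11438]
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-10.sme
+- ease migration from smeserver-phpki smeserver-phpki-ng using Provides [SME: 12222]
+- fix ownership on migration (backup/restore) [SME: 12228]
+- remove /var/service/httpd-pki [SME: 12229]
+- remove old logrotate [SME: 11873]
+- remove /var/log/phpki and /var/log/httpd-pki [SME: 12198]
+
+* Tue Oct 04 2022 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-9.sme
+- Fix spec file versioning
+
+* Sat Jul 30 2022 Brian Read <brianr@bjsystems.co.uk> 0.3-8.sme
+- Re-build and link to latest devtools [SME: 11997]
+
+* Thu Jul 21 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-7.sme
+- add to core backup [SME: 12021]
+- httpd 2.4 access syntax [SME: 12054]
+
+* Thu Aug 05 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-6.sme
+- remove modules from patch file [SME: 11402]
+
+* Sun Mar 07 2021 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-5.sme
+- modify dirs in spec file
+
+* Thu Feb 25 2021 Jean-Philipe Pialasse <tests@pialasse.com> 0.3-4.sme
+- configure php73 pool [SME: 11207]
+tidy httpd.conf file
+reuse phpki user and group
+
+* Sat Feb 13 2021 Brian Read <brianr@bjsystems.co.uk> 0.3-3.sme
+- Set execution bit on /opt/phpki/html/ca in spec file[SME: 11207]
+
+* Tue Feb 09 2021 Brian Read <brianr@bjsystems.co.uk> 0.3-3.sme
+- Add-in-systemd-startup [SME: 11207]
+
+* Thu Nov 26 2020 Brian Read <brianr@bjsystems.co.uk> 0.3-2.sme
+- Add in Loadmodules needed to pki-conf/httpd.conf [SME: 11207]
+
+* Fri Apr 03 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-1.sme
+- New release for phpki-ng-0.84 based on phpki-0.83
+
+* Wed May 03 2017 Jean-Philipe Pialasse <tests@pialasse.com> 0.2-3.sme
+- update TKT auth parameter for SME 9.2 update [SME: 10267]
+
+* Mon Nov 18 2013 Daniel B. <daniel@firewall-services.com> - 0.2-2.sme
+- Fix a redirect issue with user-manager and LemonLDAP::NG as SSO
+
+* Mon Nov 11 2013 Daniel B. <daniel@firewall-services.com> - 0.2-1.sme
+- Rebuild for SME9
+- Do not disable httpd-pki service on uninstall
+
+* Fri May 24 2013 JP Pialasse <tests@pialasse.com> - 0.1-6.sme
+- added php-process as dependency [SME: 7439]
+
+* Thu Oct 13 2011 Daniel B. <daniel@firewall-services.com> - 0.1-5.sme
+- Change session path [SME: 6661]
+
+* Wed Jul 20 2011 Daniel B. <daniel@firewall-services.com> - 0.1-5.sme
+- Protect by location (so we can set another location protected by LemonLDAP::NG)
+
+* Mon Feb 23 2009 Daniel B. <daniel@firewall-services.com> [0.1-4]
+- Fix logrotate issue (send a sigusr1 signal to httpd-pki)
+
+* Mon Dec 15 2008 Daniel B. <daniel@firewall-services.com> [0.1-3]
+- Move server-manager panel to "security" section
+
+* Wed Dec 10 2008 Daniel B. <daniel@firewall-services.com> [0.1-2]
+- expand-templates in bootstrap-console-save instead of post-upgrade
+- Disable authentication for the public part (so CRL can be updated automatically)
+- Change the name of the menue in server-manager to certificate Management
+
+* Tue Dec 02 2008 Daniel B. <daniel@firewall-services.com> [0.1-1]
+- Restrict access to /phpki/ca for admin, ask for a valid user for /phpki
+- expand-templates on signal events conf-userpanels and domain-modify
+
+* Thu Nov 27 2008 Daniel B. <daniel@firewall-services.com> [0.1-0]
+- initial release
+
+
+%prep
+%setup -q -n %{name}-%{version}
+mkdir -p root/var/lib/php/phpki/{tmp,session,opcache}
+rm -rf root/var/lib/php/pki-session
+mkdir -p root/var/log/phpki
+rm -rf root/var/service/httpd-pki
+
+%build
+perl createlinks
+
+%install
+
+%{__mkdir_p} $RPM_BUILD_ROOT/var/lib/php/pki-session
+
+
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+
+chmod +x $RPM_BUILD_ROOT/usr/sbin/systemd/httpd-pki
+
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+--dir /var/lib/php/phpki 'attr(0770,root,phpki)' \
+--dir /var/lib/php/phpki/session 'attr(0770,root,phpki)' \
+--dir /var/lib/php/phpki/opcache 'attr(0770,root,phpki)' \
+--dir /var/lib/php/phpki/tmp 'attr(0770,root,phpki)' \
+--dir /var/log/phpki 'attr(0770,phpki,phpki)' \
+> %{name}-%{version}-filelist
+
+%post
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%pre
+#/sbin/e-smith/create-system-user phpki 455 'Phpki User' /opt/phpki /bin/false >& /dev/null || :
+
+%preun
+
+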
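Review bot: `%install` still runs `%{__mkdir_p} $RPM_BUILD_ROOT/var/lib/php/pki-session` even though `%prep` removes `root/var/lib/php/pki-session` and the 0.1-5 changelog entry ("Change session path") together with the `/var/lib/php/phpki/session` entries in the genfilelist call indicate the session directory moved; with no genfilelist entry of its own the stale directory is presumably shipped under `%defattr(-,root,root)`, so that line looks like a leftover and should be dropped. `%pre` has the `create-system-user phpki` call commented out while the filelist assigns `phpki` ownership and the httpd config runs as `User phpki`, so the package depends on that account existing at install time; the 0.3-4 entry ("reuse phpki user and group") suggests it comes from phpki-ng, and a one-line comment in `%pre` such as `# phpki user/group are expected from phpki-ng; do not recreate here` would record that. `License: GPL` names no version and should state which GPL applies.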