From 765d2fc198acf5f0e6deeaa9187a7aacb2ae26fa Mon Sep 17 00:00:00 2001
From: b
Date: Tue, 10 Nov 2015 21:57:54 +0000
Subject: [PATCH] Portability. Config generation.

git-svn-id: svn://botcastle1b/yplom/proxy@4 05ce6ebb-7522-4a6e-a768-0026ae12be9f
---
 access.1.c | 13 ++++++
 access.pl => access.1.pl | 8 ++--
 access.c | 13 ------
 config.1.txt | 63 ++++++++++++++++++++++++++
 configure.pl | 92 ++++++++++++++++++++++++++++++++++++++
 make.sh | 6 +++
 makefile | 30 -------------
 makefile.1.mak | 53 ++++++++++++++++++++++
 proxy.1.c | 13 ++++++
 proxy.pl => proxy.1.pl | 38 ++++++++--------
 proxy.c | 13 ------
 readthis.txt | 25 +++++++++++
 rewrite.pl => rewrite.1.pl | 4 +-
 settings | 44 ++++++++++++++++++
 14 files changed, 335 insertions(+), 80 deletions(-)
 create mode 100644 access.1.c
 rename access.pl => access.1.pl (85%)
 delete mode 100644 access.c
 create mode 100644 config.1.txt
 create mode 100755 configure.pl
 create mode 100644 make.sh
 delete mode 100644 makefile
 create mode 100644 makefile.1.mak
 create mode 100644 proxy.1.c
 rename proxy.pl => proxy.1.pl (84%)
 delete mode 100644 proxy.c
 create mode 100644 readthis.txt
 rename rewrite.pl => rewrite.1.pl (60%)
 create mode 100644 settings

diff --git a/access.1.c b/access.1.c
new file mode 100644
index 0000000..160d4b8
--- /dev/null
+++ b/access.1.c
@@ -0,0 +1,13 @@
+//The SETUID wrapper.
+
+#include
+#include
+
+###ACCESS_PL;
+###ACCESS_PL_ERRLOG;
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(ACCESS_PL_ERRLOG,"at",stderr);
+ return execve(ACCESS_PL,argv,envp);
+}
diff --git a/access.pl b/access.1.pl
similarity index 85%
rename from access.pl
rename to access.1.pl
index d8886cc..2d0cf82 100644
--- a/access.pl
+++ b/access.1.pl
@@ -1,8 +1,8 @@
-#!/usr/bin/perl
+###PERL;
 
-use constant ACCESS_PATH => '/yplom/data/proxy/access/';
-use constant TIMEOUT_UNLOCK => 90;
-use constant TIMEOUT_INACT => 15;
+###ACCESS_PATH;
+###TIMEOUT_UNLOCK;
+###TIMEOUT_INACT;
 
 $|=1;
 $timeout_unlock = TIMEOUT_UNLOCK*60;
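Review bot: The result of `freopen(ACCESS_PL_ERRLOG,"at",stderr)` in access.1.c's main is never checked; when the log cannot be opened, freopen leaves stderr closed and `execve` still runs, so the interpreter starts without a usable descriptor 2 and every diagnostic is lost. I would fail closed with `if (!freopen(ACCESS_PL_ERRLOG, "at", stderr)) return 1;`; the identical main in proxy.1.c later in this patch has the same gap. As both wrappers are installed set-uid by the makefile's `setuid` target and hand the caller's `envp` to the script untouched, a comment such as `// set-uid wrapper: environment sanitising is left to the script` would make the trust boundary explicit (proxy.1.pl visibly deletes IFS/CDPATH/ENV/BASH_ENV and sets PATH; access.1.pl's equivalent is outside the hunks shown). The two `#include` lines appear to have lost their header names in this rendering, so I cannot confirm what is included.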
diff --git a/access.c b/access.c
deleted file mode 100644
index bb67bbd..0000000
--- a/access.c
+++ /dev/null
@@ -1,13 +0,0 @@
-//The SETUID wrapper.
-
-#include
-#include
-
-#define ACCESS_PATH "/yplom/bin/proxy/access.pl"
-#define ACCESS_LOG "/yplom/log/proxy/access-stderr.log"
-
-int main(int argc, char *argv[], char *envp[])
-{
- freopen(ACCESS_LOG,"at",stderr);
- return execve(ACCESS_PATH,argv,envp);
-}
diff --git a/config.1.txt b/config.1.txt
new file mode 100644
index 0000000..f1c983b
--- /dev/null
+++ b/config.1.txt
@@ -0,0 +1,63 @@
+################################################################################
+#copy this to your Apache2 configuration,
+#remember to make the server listen on these ports:
+###LISTEN_HTTP;
+####LISTEN_HTTPS;
+
+###VIRTUAL_HOST_HTTP;
+###SERVER_ADMIN;
+###SERVER_NAME_HTTP;
+###DOCUMENT_ROOT;
+###CGI_ALIAS;
+
+ ErrorLog ${APACHE_LOG_DIR}/err-proxy.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/proxy.log combined
+
+
+###VIRTUAL_HOST_HTTPS;
+###SERVER_ADMIN;
+###SERVER_NAME_HTTPS;
+###DOCUMENT_ROOT;
+###CGI_ALIAS;
+
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/ssl/botm.crt
+ SSLCertificateKeyFile /etc/apache2/ssl/botm.key
+
+ #SSLOptions +StdEnvVars
+
+ ErrorLog ${APACHE_LOG_DIR}/err-proxyssl.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/proxyssl.log combined
+
+
+################################################################################
+#copy this to your Squid configuration.
+
+###HTTP_PORT_SSL;
+
+acl allowed_ports port 80
+acl allowed_ports port 443
+
+###EXTERNAL_ACL;
+
+acl CONNECT method CONNECT
+acl unlocked external unlocked-check
+###UNLOCK_DOMAIN_ACL;
+
+http_access deny !allowed_ports
+http_access allow unlockdomain
+http_access deny !unlocked
+http_access allow CONNECT
+http_access deny all
+
+coredump_dir /var/spool/squid
+
+###EXTERNAL_REWRITE;
+
+################################################################################
+#Copy this to your crontab:
+###RM_ACCESS_CRONTAB;
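Review bot: The HTTPS vhost still hard-codes `SSLCertificateFile /etc/apache2/ssl/botm.crt` and `SSLCertificateKeyFile /etc/apache2/ssl/botm.key` although configure.pl defines `SSL_CERT` and `SSL_KEY` from the `ssl_cert`/`ssl_key` settings, so a deployment that edits `settings` still gets the author's key paths in its generated Apache config; replace the two lines with `###SSL_CERT;` and `###SSL_KEY;`. The same holds for the four `ErrorLog`/`CustomLog` lines, for which `ERROR_LOG_HTTP`, `CUSTOM_LOG_HTTP`, `ERROR_LOG_HTTPS` and `CUSTOM_LOG_HTTPS` are defined but never referenced. `####LISTEN_HTTPS;` carries one `#` more than every other placeholder; the substitution regex is unanchored so it still matches, but it reads like a typo. The VirtualHost open/close lines appear to have been lost in this rendering, so I cannot check them.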
diff --git a/configure.pl b/configure.pl
new file mode 100755
index 0000000..0daff92
--- /dev/null
+++ b/configure.pl
@@ -0,0 +1,92 @@
+#!/usr/bin/perl
+
+unless ($ARGV[0]) {
+ print STDERR "Configfile missing.\n";
+ exit 1;
+}
+
+unless (open $configfile, "<", $ARGV[0]) {
+ print STDERR "Cannot open configfile\n";
+ exit 2;
+}
+
+while ($line = <$configfile>) {
+ $line =~ s/[\r\n]//g;
+ $line =~ s/#.*$//;
+ if ($line =~ /^ *([a-zA-Z0-9_]+) *= *(.*)$/){
+ $name=$1;
+ $value=$2;
+ $value =~ s/ *$//;
+ $set{$name}=$value;
+ }
+}
+close ($configfile);
+
+$def{'UNLOCK_LOG'} = "use constant UNLOCK_LOG => '".$set{'log_path'}."unlock.log';";
+$def{'DATA_PATH'} = "use constant DATA_PATH => '".$set{'data_path'}."';";
+$def{'PASS_PATH'} = "use constant PASS_PATH => '".$set{'data_path'}."pass/';";
+$def{'ACCESS_PATH'} = "use constant ACCESS_PATH => '".$set{'data_path'}."access/';";
+$def{'UNLOCK_PROXY_URL'} = "use constant UNLOCK_PROXY_URL => 'http://".$set{'unlock_domain'}.$set{'unlock_path'}."';";
+$def{'UNLOCK_PROXY_URL_S'}= "use constant UNLOCK_PROXY_URL_S => 'https://".$set{'unlock_domain'}.$set{'unlock_path'}."';";
+$def{'UNLOCK_PROXY_HOST'} = "use constant UNLOCK_PROXY_HOST => qr/".$set{'unlock_domain_regex'}."/;";
+$def{'UNLOCK_PROXY_PATH'} = "use constant UNLOCK_PROXY_PATH => qr/".$set{'unlock_path_regex'}."/;";
+$def{'TIMEOUT_UNLOCK'} = "use constant TIMEOUT_UNLOCK => ".$set{'timeout_unlock'}.";";
+$def{'TIMEOUT_INACT'} = "use constant TIMEOUT_INACT => ".$set{'timeout_inact'}.";";
+$def{'REWRITE_URL'} = "use constant REWRITE_URL => '".$set{'https_proxy_domain'}.":".$set{'https_proxy_port'}."';";
+
+$def{'PATH'} = "\$ENV{'PATH'} = '".$set{'path'}."';";
+
+$def{'PERL'} = "#!".$set{'perl'};
+
+$def{'PROXY_PL'} = '#define PROXY_PL "'.$set{'bin_path'}.'proxy.pl"';
+$def{'PROXY_PL_ERRLOG'} = '#define PROXY_PL_ERRLOG "'.$set{'log_path'}.'proxy-stderr.log"';
+$def{'ACCESS_PL'} = '#define ACCESS_PL "'.$set{'bin_path'}.'access.pl"';
+$def{'ACCESS_PL_ERRLOG'} = '#define ACCESS_PL_ERRLOG "'.$set{'log_path'}.'access-stderr.log"';
+
+$def{'VIRTUAL_HOST_HTTP'} = '';
+$def{'VIRTUAL_HOST_HTTPS'}= '';
+$def{'SERVER_ADMIN'} = "\tServerAdmin ".$set{'server_admin'};
+$def{'SERVER_NAME_HTTP'} = "\tServerName ".$set{'http_proxy_domain'};
+$def{'SERVER_NAME_HTTPS'} = "\tServerName ".$set{'https_proxy_domain'};
+$def{'DOCUMENT_ROOT'} = "\tDocumentRoot ".$set{'www_path'};
+$def{'CGI_ALIAS'} = "\tScriptAliasMatch (.*) ".$set{'bin_path'}.'proxy$1';
+$def{'SSL_CERT'} = "\tSSLCertificateFile ".$set{'ssl_cert'};
+$def{'SSL_KEY'} = "\tSSLCertificateKEYFile ".$set{'ssl_key'};
+$def{'CUSTOM_LOG_HTTP'} = "\tCustomLog ".$set{'log_path'}.'http.log combined';
+$def{'ERROR_LOG_HTTP'} = "\tErrorLog ".$set{'log_path'}.'http-err.log';
+$def{'CUSTOM_LOG_HTTPS'} = "\tCustomLog ".$set{'log_path'}.'https.log combined';
+$def{'ERROR_LOG_HTTPS'} = "\tErrorLog ".$set{'log_path'}.'https-err.log';
+$def{'LISTEN_HTTP'} = '# Listen '.$set{'http_proxy_port'};
+$def{'LISTEN_HTTPS'} = '# Listen '.$set{'https_proxy_port'};
+
+$def{'HTTP_PORT_SSL'} = 'http_port '.$set{'ssl_proxy_port'};
+$def{'EXTERNAL_ACL'} = 'external_acl_type unlocked-check ttl=15 negative_ttl=0 %SRC '.$set{'bin_path'}.'access';
+$def{'EXTERNAL_REWRITE'} = 'url_rewrite_program '.$set{'bin_path'}.'rewrite';
+$def{'UNLOCK_DOMAIN_ACL'} = 'acl unlockdomain dstdomain '.$set{'unlock_domain'};
+$def{'RM_ACCESS_CRONTAB'} = $set{'rm_access_crontab'}.' '.$set{'rm'}.' '.$set{'data_path'}.'access/*';
+
+$def{'CC'} = 'CC='.$set{'gcc'};
+$def{'CF'} = 'CF='.$set{'c_flags'};
+$def{'PL'} = 'PL='.$set{'perl'};
+$def{'MV'} = 'MV='.$set{'mv'};
+$def{'CP'} = 'CM='.$set{'cp'};
+$def{'RM'} = 'RM='.$set{'rm'};
+$def{'OD'} = 'OD='.$set{'bin_path'};
+$def{'CM'} = 'CM='.$set{'chmod'};
+
+
+
+
+while ($line = ) {
+ $line =~ s/[\r\n]//g;
+ if ($line =~ /###([a-zA-Z0-9_]+);/) {
+ print "$def{$1}\n";
+ }
+ else {
+ print "$line\n";
+ }
+}
+
+
+
+
\ No newline at end of file
diff --git a/make.sh b/make.sh
new file mode 100644
index 0000000..ed4980f
--- /dev/null
+++ b/make.sh
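Review bot: `$def{'CP'} = 'CM='.$set{'cp'};` emits the variable name `CM` instead of `CP`, so in the generated makefile `###CP;` assigns the cp path to CM and `###CM;` then overwrites it; nothing breaks today only because the `$(CP)` recipe in makefile.1.mak is commented out, but it should read `$def{'CP'} = 'CP='.$set{'cp'};`. Values from `settings` are spliced verbatim into Perl, C and makefile source — a `'` in a path or an unbalanced `/` in `unlock_domain_regex` produces a script that no longer compiles, and an unknown `###NAME;` prints an empty line with no warning — so I would at least `die "undefined placeholder $1"` when `$def{$1}` is not set and state the quoting restriction in a comment above the `$def` block. The read loop's input at `while ($line = ) {` appears to have been lost in this rendering, so I cannot tell whether the second argument the makefile passes (`$(PL) configure.pl settings proxy.pl`) is consumed as the template or whether output is meant to be redirected; a comment giving the intended invocation would settle it.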
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -x
+perl configure.pl settings makefile
+make
+rm makefile
diff --git a/makefile b/makefile
deleted file mode 100644
index dee34ee..0000000
--- a/makefile
+++ /dev/null
@@ -1,30 +0,0 @@
-CC=gcc
-#CC2=g++
-CF=-g -Wall
-#LF=-lIL
-LF2=-lcgi
-
-OD=/yplom/bin/proxy
-
-all: moveout copyout
-
-moveout: proxy rewrite access setuid exec
- mv proxy access rewrite $(OD)
-
-copyout: proxy.pl access.pl setuid exec
- cp proxy.pl access.pl $(OD)
-
-setuid: proxy access
- chmod u+s proxy access
-
-exec: rewrite access.pl proxy.pl proxy
- chmod +x rewrite access.pl proxy.pl proxy
-
-proxy: proxy.c
- $(CC) $(CF) -o proxy proxy.c
-
-rewrite: rewrite.pl
- cp rewrite.pl rewrite
-
-access: access.c
- $(CC) $(CF) -o access access.c
diff --git a/makefile.1.mak b/makefile.1.mak
new file mode 100644
index 0000000..f3ad995
--- /dev/null
+++ b/makefile.1.mak
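Review bot: `set -x` traces the commands but nothing stops on failure, so if `perl configure.pl settings makefile` fails, `make` still runs and `rm makefile` still executes against whatever is there; `set -ex` on the third line gives the abort-on-error behaviour an install script needs. `perl` is also invoked by bare name here while `settings` carries an explicit `perl` path, so this is the one place that path is not honoured.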
@@ -0,0 +1,53 @@
+###CC;
+###CF;
+###PL;
+###CP;
+###MV;
+###RM;
+###CM;
+###OD;
+
+all: moveout copyout remove config.txt
+
+
+moveout: proxy proxy.pl rewrite access access.pl setuid exec
+ $(MV) proxy proxy.pl access access.pl rewrite $(OD)
+
+copyout: setuid exec
+# $(CP) access.pl $(OD)
+
+setuid: proxy access
+ $(CM) u+s proxy access
+
+exec: rewrite access.pl proxy.pl
+ $(CM) +x rewrite access.pl proxy.pl
+
+remove: proxy proxy.c access access.c copyout moveout setuid exec
+ $(RM) proxy.c access.c
+
+
+
+proxy.pl: proxy.1.pl configure.pl settings
+ $(PL) configure.pl settings proxy.pl
+
+proxy.c: proxy.1.c configure.pl settings
+ $(PL) configure.pl settings proxy.c
+
+proxy: proxy.c
+ $(CC) $(CF) -o proxy proxy.c
+
+rewrite: rewrite.1.pl configure.pl settings
+ $(PL) configure.pl settings rewrite
+
+access.pl: access.1.pl configure.pl settings
+ $(PL) configure.pl settings access.pl
+
+access.c: access.1.c configure.pl settings
+ $(PL) configure.pl settings access.c
+
+access: access.c
+ $(CC) $(CF) -o access access.c
+
+
+config.txt: config.1.txt configure.pl settings
+ $(PL) configure.pl settings config.txt
diff --git a/proxy.1.c b/proxy.1.c
new file mode 100644
index 0000000..edf32c4
--- /dev/null
+++ b/proxy.1.c
@@ -0,0 +1,13 @@
+//The SETUID wrapper.
+
+#include
+#include
+
+###PROXY_PL;
+###PROXY_PL_ERRLOG;
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(PROXY_PL_ERRLOG,"at",stderr);
+ return execve(PROXY_PL,argv,envp);
+}
diff --git a/proxy.pl b/proxy.1.pl
similarity index 84%
rename from proxy.pl
rename to proxy.1.pl
index 1f9691d..5655ebd 100755
--- a/proxy.pl
+++ b/proxy.1.pl
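Review bot: None of `all`, `moveout`, `copyout`, `setuid`, `exec` and `remove` is declared phony, so a stray file with one of those names silently turns the target into a no-op; add `.PHONY: all moveout copyout setuid exec remove` at the top. `copyout` now has only a commented-out recipe yet is still listed as a prerequisite of `all` and `remove`; either drop it or leave a comment saying why it is kept. `remove` also names `proxy` and `access` as prerequisites after `moveout` has already moved them into `$(OD)`; GNU make does not re-examine targets it has already updated in the same run, so this works, but the dependency is misleading and worth a comment.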
@@ -1,24 +1,24 @@
-#!/usr/bin/perl
+###PERL;
 
 use POSIX qw(strftime);
 
-use constant ACCESS_LOG => '/yplom/log/proxy/access.log';
-use constant DATA_PATH => '/yplom/data/proxy/';
-use constant PASS_PATH => '/yplom/data/proxy/pass/';
-use constant ACCESS_PATH => '/yplom/data/proxy/access/';
-use constant UNLOCK_PROXY_URL => 'http://yplom.bicyclesonthemoon.info/proxy/unlock';
-use constant UNLOCK_PROXY_URL_S => 'https://yplom.bicyclesonthemoon.info/proxy/unlock';
-use constant UNLOCK_PROXY_HOST => qr/^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$/;
-use constant UNLOCK_PROXY_PATH => qr/^\/proxy\/unlock\/?$/;
-use constant TIMEOUT_UNLOCK => 90;
-use constant TIMEOUT_INACT => 15;
+###UNLOCK_LOG;
+###DATA_PATH;
+###PASS_PATH;
+###ACCESS_PATH;
+###UNLOCK_PROXY_URL;
+###UNLOCK_PROXY_URL_S;
+###UNLOCK_PROXY_HOST;
+###UNLOCK_PROXY_PATH;
+###TIMEOUT_UNLOCK;
+###TIMEOUT_INACT;
 
 $accesstime = time();
 $timeout_unlock = TIMEOUT_UNLOCK*60;
 $timeout_inact = TIMEOUT_INACT*60;
 
 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
-$ENV{'PATH'}='/usr/local/bin:/usr/bin:/bin';
+###PATH;
 
 if (($ENV{'HTTP_HOST'} =~ UNLOCK_PROXY_HOST) and ($ENV{'PATH_INFO'} =~ UNLOCK_PROXY_PATH)){
 unlock();
@@ -121,8 +121,8 @@ sub unlock {
 return unlockpage('Wrong username or password.',"Status: 403 Forbidden\n");
 }
 
- open ($logfile, ">>", ACCESS_LOG) or return unlockpage("Couldn't log your action.","Status: 500 Internal Server Error\n");
- print $logfile strftime("%d.%m.%Y %H:%M:%S", gmtime($accesstime))." $ENV{'REMOTE_ADDR'} $CGI{'username'}\n";
+ open ($logfile, ">>", UNLOCK_LOG) or return unlockpage("Couldn't log your action.","Status: 500 Internal Server Error\n");
+ print $logfile strftime("%d.%m.%Y %H:%M:%S", gmtime($accesstime))." $IP $CGI{'username'}\n";
 close($logfile);
 
 $accesspath=ACCESS_PATH.$IP;
@@ -181,8 +181,9 @@ sub unlockpage {
 print 'action from your IP will be assumed to be your action. By submitting ';
 print 'this form you agree to this.
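Review bot: The rewritten log line in the `@@ -121,8 +121,8 @@` hunk writes `$CGI{'username'}` into UNLOCK_LOG exactly as submitted, so a username containing a newline or carriage return yields a forged extra record in the unlock log and anything that parses it later is misled; strip them first, `(my $user = $CGI{'username'}) =~ s/[\r\n]//g;`, and print `$user`. The same line switches the logged address from `$ENV{'REMOTE_ADDR'}` to `$IP`, which is assigned outside this hunk; a comment stating what `$IP` is derived from would save the next reader the search. sub unlock starts and ends outside the hunk.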

'; print 'The proxy will be locked again:
    '; - print '
  • $timeout_unlock minutes after unlocking
  • '; - print '
  • after $timeoout_inact minutes of inactivity
  • '; + print '
  • '.TIMEOUT_UNLOCK.' minutes after unlocking
  • '; + print '
  • after '.TIMEOUT_INACT.' minutes of inactivity
  • '; + print '
  • when the proxy removes its temporary files
  • '; print "
\n"; } @@ -196,8 +197,9 @@ sub unlockedpage { print '
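Review bot: unlockpage now prints the same three-item list as unlockedpage does in the `@@ -196,8 +197,9 @@` hunk below — the TIMEOUT_UNLOCK item, the TIMEOUT_INACT item and the new temporary-files item. Two copies will drift again the way the old `$timeout_unlock`/`$timeoout_inact` strings did, so I would move the three `print` lines into one helper, e.g. `sub print_lock_conditions`, and call it from both subs. The enclosing sub unlockpage starts outside the hunk, and the list markup is garbled in this rendering, so I can only compare the visible text of the items.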

Unlocked

'; print "The proxy is now unlocked for IP $IP.

"; print 'The proxy will be locked again:
    '; - print '
  • $timeout_unlock minutes after unlocking
  • '; - print '
  • after $timeoout_inact minutes of inactivity
  • '; + print '
  • '.TIMEOUT_UNLOCK.' minutes after unlocking
  • '; + print '
  • after '.TIMEOUT_INACT.' minutes of inactivity
  • '; + print '
  • when the proxy removes its temporary files
  • '; print "
\n";
 }
diff --git a/proxy.c b/proxy.c
deleted file mode 100644
index 70a44c1..0000000
--- a/proxy.c
+++ /dev/null
@@ -1,13 +0,0 @@
-//The SETUID wrapper.
-
-#include
-#include
-
-#define PROXY_PATH "/yplom/bin/proxy/proxy.pl"
-#define PROXY_LOG "/yplom/log/proxy/proxy-stderr.log"
-
-int main(int argc, char *argv[], char *envp[])
-{
- freopen(PROXY_LOG,"at",stderr);
- return execve(PROXY_PATH,argv,envp);
-}
diff --git a/readthis.txt b/readthis.txt
new file mode 100644
index 0000000..34f7efc
--- /dev/null
+++ b/readthis.txt
@@ -0,0 +1,25 @@
+There will be more information later.
+
+Recommended situation is when the software and data directories belong to a
+dedicatad user account.
+
+data_path, tmp_path, log_path should only be accessible by this user.
+bin_path should be publicly accessible - the programs will be called from the
+server. Some will have the SETUID bit set.
+
+To compile/install:
+
+Log in to the user account that will own the proxy.
+(If not, you will have to change file ownerships later.)
+Edit the file 'settings' to have values relevant to your server.
+Create the directories defined there and set correct permissions and ownership.
+Run 'make.sh'. It will generate the programs and copy them to the correct
+location.
+It will also generate config.txt.
+Open this file and copy its fragments to your Apache2 config, Squid config and
+crontab.
+Restart Apache2 and Squid.
+
+To set an username/password:
+Create a file in data_path/pass. Username is filename.
+Inside the file should be one line with URL-encoded password.
diff --git a/rewrite.pl b/rewrite.1.pl
similarity index 60%
rename from rewrite.pl
rename to rewrite.1.pl
index 2fc4088..1578162 100755
--- a/rewrite.pl
+++ b/rewrite.1.pl
@@ -1,6 +1,6 @@
-#!/usr/bin/perl
+###PERL;
 
-use constant REWRITE_URL => 'bicyclesonthemoon.info:59443';
+###REWRITE_URL;
 
 $|=1;
diff --git a/settings b/settings
new file mode 100644
index 0000000..39b4a7a
--- /dev/null
+++ b/settings
@@ -0,0 +1,44 @@
+#all directory paths must end with '/' and must already exist.
+
+bin_path = /yplom/bin/proxy/ #Where the software will be located
+data_path = /yplom/data/proxy/ #where the proxy will remember data; subdir:
+ #access, pass, archive
+log_path = /yplom/log/proxy/ #where the proxy will remember data
+tmp_path = /yplom/tmp/proxy/ #for temporary fies
+www_path = /yplom/www/proxy/ #for the www server (unused)
+
+#the server must recognise these domains as itself (127.0.0.1)
+#http and ssl proxy ports must be accessible from outside
+http_proxy_domain = bicyclesonthemoon.info
+https_proxy_domain = bicyclesonthemoon.info
+ssl_proxy_domain = bicyclesonthemoon.info
+http_proxy_port = 59080
+https_proxy_port = 59443
+ssl_proxy_port = 59557
+server_admin = bicyclesonthemoon@chirpingmustard.info
+
+# No matter what key you use there will be ALWAYS an unavoidable certifficate
+# mismatch warning. Because the proxy does an equivalent to a MITM attack.
+ssl_key = /etc/apache2/ssl/botm.key
+ssl_cert = /etc/apache2/ssl/botm.crt
+
+#doesn't have to be a real domain
+unlock_domain = yplom.bicyclesonthemoon.info
+unlock_path = /proxy/unlock
+unlock_domain_regex = ^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$
+unlock_path_regex = ^\/proxy\/unlock\/?$
+
+#Time in minutes
+timeout_unlock = 90
+timeout_inact = 15
+
+path = /usr/local/bin:/usr/bin:/bin
+perl = /usr/bin/perl
+chmod = /bin/chmod
+cp = /bin/cp
+mv = /bin/mv
+rm = /bin/rm
+gcc = /usr/bin/gcc
+c_flags = -g -Wall
+
+rm_access_crontab = 0 0 * * * #How often to remove leftover unlock info.
-- 
2.30.2
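Review bot: The comment on `log_path` repeats the one on `data_path` (`#where the proxy will remember data`) and so does not say what the directory is for; `#where the proxy writes its log files` would, and `fies` on the `tmp_path` line is a typo for `files`. `unlock_domain_regex` and `unlock_path_regex` restate `unlock_domain` and `unlock_path` by hand and are compiled straight into `qr//` by configure.pl, so an edit to one pair but not the other, or a stray `/` in the pattern, silently breaks the check that decides whether a request reaches the unlock page; a comment that the two pairs must agree (or deriving the patterns with `quotemeta` in configure.pl) would prevent that. Since `ssl_key` names the private key Apache loads, the comment block above it is the natural place to note that it must stay outside the publicly accessible `bin_path` and readable only by the server.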