fixed gateway url
parent
f53e8ae1f0
commit
ff507b6e07
|
|
@ -342,7 +342,7 @@ menu:
|
||||||
caption: Create phpMyAdmin Gateway
|
caption: Create phpMyAdmin Gateway
|
||||||
action: create_pma_gateway
|
action: create_pma_gateway
|
||||||
settings: pmaGatewayConfig
|
settings: pmaGatewayConfig
|
||||||
successText: "${response.out}"
|
successText: "Gateway URL: ${response.out}"
|
||||||
|
|
||||||
settings:
|
settings:
|
||||||
checkDomainConfig:
|
checkDomainConfig:
|
||||||
|
|
@ -1014,7 +1014,7 @@ actions:
|
||||||
- bash /home/litespeed/mbmanager/pma-gateway/create_pma_gateway.sh --validity="${settings.validity}" --slug="${settings.slug}" | tail -n1
|
- bash /home/litespeed/mbmanager/pma-gateway/create_pma_gateway.sh --validity="${settings.validity}" --slug="${settings.slug}" | tail -n1
|
||||||
- return:
|
- return:
|
||||||
type: info
|
type: info
|
||||||
message: "${response.out}"
|
message: "Gateway URL: ${response.out}"
|
||||||
|
|
||||||
responses:
|
responses:
|
||||||
enableSuccess:
|
enableSuccess:
|
||||||
|
|
|
||||||
|
|
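Review bot: The changed `message:` line presents `${response.out}` as a plain link, but that value is the `echo "$URL"` output of create_pma_gateway.sh and carries the bearer `token=` query parameter, so the text should say it is a time-limited credential rather than a shareable address, e.g. `message: "Gateway URL (contains a time-limited access token — treat as a secret): ${response.out}"`; the `successText:` change in the first hunk of this file needs the same wording. The lifetime appears to be minutes, going by the `VALIDITY*60` arithmetic in the script, so `${settings.validity}` could be quoted in the text as well. Because the command is piped through `| tail -n1`, any last stdout line the script prints on failure would still be shown under the "Gateway URL:" label unless the runner already fails the action on a non-zero exit; checking that the output starts with `https://` before the `return:` would avoid labelling an error line as a URL.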
@ -37,50 +37,70 @@ SECRET_FILE="/var/lib/jelastic/keys/mbadmin_secret"
|
||||||
sudo mkdir -p "$(dirname $SECRET_FILE)"
|
sudo mkdir -p "$(dirname $SECRET_FILE)"
|
||||||
if [[ ! -f "$SECRET_FILE" ]]; then
|
if [[ ! -f "$SECRET_FILE" ]]; then
|
||||||
sudo sh -c "openssl rand -hex 32 > $SECRET_FILE"
|
sudo sh -c "openssl rand -hex 32 > $SECRET_FILE"
|
||||||
sudo chmod 600 "$SECRET_FILE"
|
|
||||||
fi
|
fi
|
||||||
SECRET=$(sudo cat "$SECRET_FILE")
|
sudo chown litespeed:litespeed "$SECRET_FILE"
|
||||||
|
sudo chmod 644 "$SECRET_FILE"
|
||||||
|
SECRET=$(sudo cat "$SECRET_FILE" | xargs)
|
||||||
|
|
||||||
now=$(date +%s)
|
now=$(date +%s)
|
||||||
expires=$((now + VALIDITY*60))
|
expires=$((now + VALIDITY*60))
|
||||||
# token = base64("$SLUG:$expires") . '.' . HMAC_SHA256(secret, data)
|
# token = base64("$SLUG:$expires") . '.' . HMAC_SHA256(secret, data)
|
||||||
data="$SLUG:$expires"
|
data="$SLUG:$expires"
|
||||||
base=$(printf "%s" "$data" | base64 -w0)
|
base=$(printf "%s" "$data" | base64 | tr -d '\n')
|
||||||
mac=$(printf "%s" "$data" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)
|
mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');")
|
||||||
token="$base.$mac"
|
token="$base.$mac"
|
||||||
|
|
||||||
sudo tee "$GATEWAY_FILE" >/dev/null <<PHP
|
sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP'
|
||||||
<?php
|
<?php
|
||||||
// auto-generated gateway, valid until $expires
|
// Secure phpMyAdmin gateway – auto-generated, do NOT edit manually.
|
||||||
|
|
||||||
ini_set('session.cookie_httponly', 1);
|
ini_set('session.cookie_httponly', 1);
|
||||||
|
$param = 'token';
|
||||||
|
|
||||||
function fail() { header('HTTP/1.1 403 Forbidden'); echo 'Access denied'; exit; }
|
function deny() {
|
||||||
|
http_response_code(403);
|
||||||
|
echo 'Access denied';
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
if (!isset(
|
if (!isset($_GET[$param])) {
|
||||||
|
deny();
|
||||||
_PHPMYADMIN_PMA_GATEWAY_TOKEN')){fail();}
|
}
|
||||||
$token =
|
|
||||||
_PHPMYADMIN_PMA_GATEWAY_TOKEN;
|
$token = $_GET[$param];
|
||||||
if (!strpos($token,'.')){fail();}
|
if (strpos($token, '.') === false) {
|
||||||
list(
|
deny();
|
||||||
|
}
|
||||||
base, $sig) = explode('.', $token, 2);
|
|
||||||
|
list($base, $sig) = explode('.', $token, 2);
|
||||||
$data = base64_decode($base, true);
|
$data = base64_decode($base, true);
|
||||||
if ($data === false){fail();}
|
if ($data === false) {
|
||||||
list(
|
deny();
|
||||||
|
}
|
||||||
slug, $exp) = explode(':', $data, 2);
|
|
||||||
if (time()>intval($exp)){fail();}
|
if (strpos($data, ':') === false) {
|
||||||
$secret = trim(file_get_contents('$SECRET_FILE'));
|
deny();
|
||||||
if (hash_equals($sig, hash_hmac('sha256', $data, $secret)) === false){fail();}
|
}
|
||||||
// set auth cookie then redirect
|
|
||||||
|
list($slug, $exp) = explode(':', $data, 2);
|
||||||
|
if (time() > intval($exp)) {
|
||||||
|
deny();
|
||||||
|
}
|
||||||
|
|
||||||
|
$secret = trim(file_get_contents('/var/lib/jelastic/keys/mbadmin_secret'));
|
||||||
|
if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) {
|
||||||
|
deny();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Issue short-lived cookie (same expiry as token) and redirect to phpMyAdmin root
|
||||||
setcookie('pma_token', $sig, intval($exp), '/', '', true, true);
|
setcookie('pma_token', $sig, intval($exp), '/', '', true, true);
|
||||||
header('Location: /');
|
header('Location: /');
|
||||||
exit;
|
exit;
|
||||||
?>
|
?>
|
||||||
PHP
|
PHP
|
||||||
|
|
||||||
sudo chmod 640 "$GATEWAY_FILE"
|
sudo chown litespeed:litespeed "$GATEWAY_FILE"
|
||||||
|
sudo chmod 644 "$GATEWAY_FILE"
|
||||||
|
|
||||||
URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
|
URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
|
||||||
echo "$URL"
|
echo "$URL"
|
||||||
|
|
|
||||||
|
|
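Review bot: The new `sudo chmod 644 "$SECRET_FILE"` makes the HMAC key world-readable, so any local account or co-hosted process can read it and mint valid gateway tokens; the key is only read by this script (through sudo) and by the gateway running as litespeed (`file_get_contents('/var/lib/jelastic/keys/mbadmin_secret')`), so the earlier mode should be kept after the `chown litespeed:litespeed`, i.e. `sudo chmod 600 "$SECRET_FILE"`. The replacement `mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');")` builds PHP source from `$data`, which embeds the caller-supplied `--slug`, so a quote character in the slug changes the code that is evaluated (as the invoking user), and both the slug and the key end up in the process command line; passing the data on stdin and the key through the environment avoids both: `mac=$(printf '%s' "$data" | SECRET="$SECRET" php -r 'echo hash_hmac("sha256", stream_get_contents(STDIN), getenv("SECRET"));')`. The `xargs` added to the `SECRET=` line likewise hands the key to a child echo as an argument; an in-process trim such as `SECRET=$(sudo cat "$SECRET_FILE"); SECRET=${SECRET//[[:space:]]/}` keeps it out of any command line. The argument parsing that sets SLUG and VALIDITY is above this hunk, so whether the slug is already restricted to a safe character set cannot be seen here. In the embedded gateway, `$slug` from `list($slug, $exp)` is never compared with anything, so a token minted for one slug is accepted by every access-db-*.php on the host; if per-slug binding is intended, the check has to derive the expected slug at runtime (the quoted `<<'PHP'` heredoc no longer interpolates `$SLUG`), for example from `basename(__FILE__)`.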
@ -177,16 +177,16 @@ validate_http_access() {
|
||||||
}
|
}
|
||||||
|
|
||||||
issue_certificate() {
|
issue_certificate() {
|
||||||
if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
|
if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
|
||||||
log_success "Certificate already exists for '$1'. Skipping issuance."
|
log_success "Certificate already exists for '$1'. Skipping issuance."
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
log "Issuing SSL certificate for domain '$1' with email '$2'..."
|
log "Issuing SSL certificate for domain '$1' with email '$2'..."
|
||||||
sudo certbot certonly --webroot -w "/var/www/webroot/ROOT" -d "$1" --non-interactive --agree-tos --email "$2" || {
|
sudo certbot certonly --webroot -w "/var/www/webroot/ROOT" -d "$1" --non-interactive --agree-tos --email "$2" || {
|
||||||
log_error "Failed to issue certificate for '$1'"
|
log_error "Failed to issue certificate for '$1'"
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
SCRIPT_EXIT_STATUS=1; return 1
|
||||||
}
|
}
|
||||||
log_success "Certificate successfully issued for '$1'"
|
log_success "Certificate successfully issued for '$1'"
|
||||||
}
|
}
|
||||||
|
|
||||||
issue_certificate_san() {
|
issue_certificate_san() {
|
||||||
|
|
@ -204,15 +204,15 @@ issue_certificate_san() {
|
||||||
}
|
}
|
||||||
|
|
||||||
update_httpd_config() {
|
update_httpd_config() {
|
||||||
local domain="$1"
|
local domain="$1"
|
||||||
local ip="$2"
|
local ip="$2"
|
||||||
local vhost_name="$domain" # vhost named after the domain
|
local vhost_name="$domain" # vhost named after the domain
|
||||||
local vhost_dir="$VHOSTS_DIR/$domain"
|
local vhost_dir="$VHOSTS_DIR/$domain"
|
||||||
local vhconf_file="$vhost_dir/vhconf.xml"
|
local vhconf_file="$vhost_dir/vhconf.xml"
|
||||||
|
|
||||||
log "Configuring SNI for domain '$domain' on existing HTTPS listener (443)"
|
log "Configuring SNI for domain '$domain' on existing HTTPS listener (443)"
|
||||||
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
|
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
|
||||||
|
|
||||||
# 1) Ensure virtualHostList entry exists for this domain
|
# 1) Ensure virtualHostList entry exists for this domain
|
||||||
local vh_exists
|
local vh_exists
|
||||||
vh_exists=$(xmlstarlet sel -t -v "/httpServerConfig/virtualHostList/virtualHost[name='$vhost_name']/name" "$CONF_FILE" 2>/dev/null || true)
|
vh_exists=$(xmlstarlet sel -t -v "/httpServerConfig/virtualHostList/virtualHost[name='$vhost_name']/name" "$CONF_FILE" 2>/dev/null || true)
|
||||||
|
|
@ -227,38 +227,38 @@ update_httpd_config() {
|
||||||
<docRoot>\$VH_ROOT/ROOT/</docRoot>
|
<docRoot>\$VH_ROOT/ROOT/</docRoot>
|
||||||
<enableGzip>1</enableGzip>
|
<enableGzip>1</enableGzip>
|
||||||
<vhssl>
|
<vhssl>
|
||||||
<keyFile>/etc/letsencrypt/live/$domain/privkey.pem</keyFile>
|
<keyFile>/etc/letsencrypt/live/$domain/privkey.pem</keyFile>
|
||||||
<certFile>/etc/letsencrypt/live/$domain/fullchain.pem</certFile>
|
<certFile>/etc/letsencrypt/live/$domain/fullchain.pem</certFile>
|
||||||
<certChain>1</certChain>
|
<certChain>1</certChain>
|
||||||
</vhssl>
|
</vhssl>
|
||||||
</virtualHostConfig>
|
</virtualHostConfig>
|
||||||
EOF
|
EOF
|
||||||
# Add virtualHost entry
|
# Add virtualHost entry
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList" -t elem -n "virtualHost" \
|
-s "/httpServerConfig/virtualHostList" -t elem -n "virtualHost" \
|
||||||
"$CONF_FILE" || { log_error "Failed to create virtualHost node"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to create virtualHost node"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "name" -v "$vhost_name" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "name" -v "$vhost_name" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set virtualHost name"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set virtualHost name"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "vhRoot" -v "$SERVER_ROOT/webroot/" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "vhRoot" -v "$SERVER_ROOT/webroot/" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set vhRoot"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set vhRoot"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "configFile" -v "$vhost_dir/vhconf.xml" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "configFile" -v "$vhost_dir/vhconf.xml" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set configFile"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set configFile"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "allowSymbolLink" -v "1" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "allowSymbolLink" -v "1" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set allowSymbolLink"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set allowSymbolLink"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "enableScript" -v "1" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "enableScript" -v "1" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set enableScript"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set enableScript"; return 1; }
|
||||||
|
|
||||||
sudo xmlstarlet ed -L \
|
sudo xmlstarlet ed -L \
|
||||||
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "restrained" -v "1" \
|
-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "restrained" -v "1" \
|
||||||
"$CONF_FILE" || { log_error "Failed to set restrained"; return 1; }
|
"$CONF_FILE" || { log_error "Failed to set restrained"; return 1; }
|
||||||
else
|
else
|
||||||
|
|
@ -297,11 +297,11 @@ EOF
|
||||||
done
|
done
|
||||||
|
|
||||||
# 3) Validate final config
|
# 3) Validate final config
|
||||||
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
|
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
|
||||||
log_error "Invalid XML structure after SNI configuration. Restoring backup..."
|
log_error "Invalid XML structure after SNI configuration. Restoring backup..."
|
||||||
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
|
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
SCRIPT_EXIT_STATUS=1; return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
log_success "SNI configured for '$domain' on port 443 with vhost '$vhost_name'"
|
log_success "SNI configured for '$domain' on port 443 with vhost '$vhost_name'"
|
||||||
}
|
}
|
||||||
|
|
|
||||||