fixed gateway url

2025-08-27 01:27:43 +08:00 · 2025-08-27 01:27:43 +08:00 · ff507b6e07
parent f53e8ae1f0
commit ff507b6e07
4 changed files with 72 additions and 52 deletions
--- a/mbadmin.jps
+++ b/mbadmin.jps
@ -342,7 +342,7 @@ menu:
    caption: Create phpMyAdmin Gateway
    action: create_pma_gateway
    settings: pmaGatewayConfig
-    successText: "${response.out}"
+    successText: "Gateway URL: ${response.out}"

 settings:
  checkDomainConfig:
@ -1014,7 +1014,7 @@ actions:
          - bash /home/litespeed/mbmanager/pma-gateway/create_pma_gateway.sh --validity="${settings.validity}" --slug="${settings.slug}" | tail -n1
    - return:
        type: info
-        message: "${response.out}"
+        message: "Gateway URL: ${response.out}"

 responses:
  enableSuccess:
--- a/scripts/OLDdbPreparation.sh
+++ b/scripts/OLDdbPreparation.sh
--- a/scripts/pma-gateway/create_pma_gateway.sh
+++ b/scripts/pma-gateway/create_pma_gateway.sh
@ -37,50 +37,70 @@ SECRET_FILE="/var/lib/jelastic/keys/mbadmin_secret"
 sudo mkdir -p "$(dirname $SECRET_FILE)"
 if [[ ! -f "$SECRET_FILE" ]]; then
  sudo sh -c "openssl rand -hex 32 > $SECRET_FILE"
-  sudo chmod 600 "$SECRET_FILE"
 fi
-SECRET=$(sudo cat "$SECRET_FILE")
+sudo chown litespeed:litespeed "$SECRET_FILE"
+sudo chmod 644 "$SECRET_FILE"
+SECRET=$(sudo cat "$SECRET_FILE" | xargs)

 now=$(date +%s)
 expires=$((now + VALIDITY*60))
 # token = base64("$SLUG:$expires") . '.' . HMAC_SHA256(secret, data)
 data="$SLUG:$expires"
-base=$(printf "%s" "$data" | base64 -w0)
-mac=$(printf "%s" "$data" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)
+base=$(printf "%s" "$data" | base64 | tr -d '\n')
+mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');")
 token="$base.$mac"

-sudo tee "$GATEWAY_FILE" >/dev/null <<PHP
+sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP'
 <?php
-// auto-generated gateway, valid until $expires
+// Secure phpMyAdmin gateway – auto-generated, do NOT edit manually.
+
 ini_set('session.cookie_httponly', 1);
+$param = 'token';

-function fail() { header('HTTP/1.1 403 Forbidden'); echo 'Access denied'; exit; }
+function deny() {
+    http_response_code(403);
+    echo 'Access denied';
+    exit;
+}

-if (!isset(
+if (!isset($_GET[$param])) {
+    deny();
+}

-_PHPMYADMIN_PMA_GATEWAY_TOKEN')){fail();}
-$token = 
-_PHPMYADMIN_PMA_GATEWAY_TOKEN;
-if (!strpos($token,'.')){fail();}
-list(
+$token = $_GET[$param];
+if (strpos($token, '.') === false) {
+    deny();
+}

-base, $sig) = explode('.', $token, 2);
+list($base, $sig) = explode('.', $token, 2);
 $data = base64_decode($base, true);
-if ($data === false){fail();}
-list(
+if ($data === false) {
+    deny();
+}

-slug, $exp) = explode(':', $data, 2);
-if (time()>intval($exp)){fail();}
-$secret = trim(file_get_contents('$SECRET_FILE'));
-if (hash_equals($sig, hash_hmac('sha256', $data, $secret)) === false){fail();}
-// set auth cookie then redirect
+if (strpos($data, ':') === false) {
+    deny();
+}
+
+list($slug, $exp) = explode(':', $data, 2);
+if (time() > intval($exp)) {
+    deny();
+}
+
+$secret = trim(file_get_contents('/var/lib/jelastic/keys/mbadmin_secret'));
+if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) {
+    deny();
+}
+
+// Issue short-lived cookie (same expiry as token) and redirect to phpMyAdmin root
 setcookie('pma_token', $sig, intval($exp), '/', '', true, true);
 header('Location: /');
 exit;
 ?>
 PHP

-sudo chmod 640 "$GATEWAY_FILE"
+sudo chown litespeed:litespeed "$GATEWAY_FILE"
+sudo chmod 644 "$GATEWAY_FILE"

 URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
 echo "$URL"
--- a/scripts/ssl-manager/ssl_manager.sh
+++ b/scripts/ssl-manager/ssl_manager.sh
@ -177,16 +177,16 @@ validate_http_access() {
 }

 issue_certificate() {
-	if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
-		log_success "Certificate already exists for '$1'. Skipping issuance."
-		return
-	fi
-	log "Issuing SSL certificate for domain '$1' with email '$2'..."
+    if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
+        log_success "Certificate already exists for '$1'. Skipping issuance."
+        return
+    fi
+    log "Issuing SSL certificate for domain '$1' with email '$2'..."
 	sudo certbot certonly --webroot -w "/var/www/webroot/ROOT" -d "$1" --non-interactive --agree-tos --email "$2" || {
-		log_error "Failed to issue certificate for '$1'"
-		SCRIPT_EXIT_STATUS=1; return 1
-	}
-	log_success "Certificate successfully issued for '$1'"
+        log_error "Failed to issue certificate for '$1'"
+        SCRIPT_EXIT_STATUS=1; return 1
+    }
+    log_success "Certificate successfully issued for '$1'"
 }

 issue_certificate_san() {
@ -204,14 +204,14 @@ issue_certificate_san() {
 }

 update_httpd_config() {
-	local domain="$1"
-	local ip="$2"
+    local domain="$1"
+    local ip="$2"
 	local vhost_name="$domain"   # vhost named after the domain
 	local vhost_dir="$VHOSTS_DIR/$domain"
 	local vhconf_file="$vhost_dir/vhconf.xml"

 	log "Configuring SNI for domain '$domain' on existing HTTPS listener (443)"
-	sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
+            sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
            
 	# 1) Ensure virtualHostList entry exists for this domain
 	local vh_exists
@ -227,38 +227,38 @@ update_httpd_config() {
  <docRoot>\$VH_ROOT/ROOT/</docRoot>
  <enableGzip>1</enableGzip>
  <vhssl>
-    <keyFile>/etc/letsencrypt/live/$domain/privkey.pem</keyFile>
-    <certFile>/etc/letsencrypt/live/$domain/fullchain.pem</certFile>
+  <keyFile>/etc/letsencrypt/live/$domain/privkey.pem</keyFile>
+  <certFile>/etc/letsencrypt/live/$domain/fullchain.pem</certFile>
    <certChain>1</certChain>
  </vhssl>
 </virtualHostConfig>
 EOF
 		# Add virtualHost entry
-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList" -t elem -n "virtualHost" \
 			"$CONF_FILE" || { log_error "Failed to create virtualHost node"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "name" -v "$vhost_name" \
 			"$CONF_FILE" || { log_error "Failed to set virtualHost name"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "vhRoot" -v "$SERVER_ROOT/webroot/" \
 			"$CONF_FILE" || { log_error "Failed to set vhRoot"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "configFile" -v "$vhost_dir/vhconf.xml" \
 			"$CONF_FILE" || { log_error "Failed to set configFile"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "allowSymbolLink" -v "1" \
 			"$CONF_FILE" || { log_error "Failed to set allowSymbolLink"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "enableScript" -v "1" \
 			"$CONF_FILE" || { log_error "Failed to set enableScript"; return 1; }

-		sudo xmlstarlet ed -L \
+    sudo xmlstarlet ed -L \
 			-s "/httpServerConfig/virtualHostList/virtualHost[last()]" -t elem -n "restrained" -v "1" \
 			"$CONF_FILE" || { log_error "Failed to set restrained"; return 1; }
 	else
@ -297,11 +297,11 @@ EOF
 	done

 	# 3) Validate final config
-	if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
+    if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
 		log_error "Invalid XML structure after SNI configuration. Restoring backup..."
-		sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
+        sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
 		SCRIPT_EXIT_STATUS=1; return 1
-	fi
+    fi

 	log_success "SNI configured for '$domain' on port 443 with vhost '$vhost_name'"
 }