Project

General

Profile

Download (18.3 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/* $Id$ */
3
/*
4
	system_advanced_admin.php
5
	part of pfSense
6
	Copyright (C) 2005-2010 Scott Ullrich
7
	Copyright (C) 2008 Shrew Soft Inc
8
	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
9

    
10
	originally part of m0n0wall (http://m0n0.ch/wall)
11
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12
	All rights reserved.
13

    
14
	Redistribution and use in source and binary forms, with or without
15
	modification, are permitted provided that the following conditions are met:
16

    
17
	1. Redistributions of source code must retain the above copyright notice,
18
	   this list of conditions and the following disclaimer.
19

    
20
	2. Redistributions in binary form must reproduce the above copyright
21
	   notice, this list of conditions and the following disclaimer in the
22
	   documentation and/or other materials provided with the distribution.
23

    
24
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
26
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
28
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33
	POSSIBILITY OF SUCH DAMAGE.
34
*/
35
/*
36
	pfSense_BUILDER_BINARIES:	/usr/bin/killall
37
	pfSense_MODULE:	system
38
*/
39

    
40
##|+PRIV
41
##|*IDENT=page-system-advanced-admin
42
##|*NAME=System: Advanced: Admin Access Page
43
##|*DESCR=Allow access to the 'System: Advanced: Admin Access' page.
44
##|*MATCH=system_advanced_admin.php*
45
##|-PRIV
46

    
47
require("guiconfig.inc");
48
require_once("functions.inc");
49
require_once("filter.inc");
50
require_once("shaper.inc");
51

    
52
$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
53
$pconfig['webguiport'] = $config['system']['webgui']['port'];
54
$pconfig['max_procs'] = ($config['system']['webgui']['max_procs']) ? $config['system']['webgui']['max_procs'] : 2;
55
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
56
$pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
57
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
58
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
59
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
60
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
61
$pconfig['pagenamefirst'] = isset($config['system']['webgui']['pagenamefirst']);
62
$pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']);
63
$pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
64
$pconfig['enableserial'] = $config['system']['enableserial'];
65
$pconfig['serialspeed'] = $config['system']['serialspeed'];
66
$pconfig['primaryconsole'] = $config['system']['primaryconsole'];
67
$pconfig['enablesshd'] = $config['system']['enablesshd'];
68
$pconfig['sshport'] = $config['system']['ssh']['port'];
69
$pconfig['sshdkeyonly'] = isset($config['system']['ssh']['sshdkeyonly']);
70
$pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);
71

    
72
$a_cert =& $config['cert'];
73

    
74
$certs_available = false;
75
if (is_array($a_cert) && count($a_cert))
76
	$certs_available = true;
77

    
78
if (!$pconfig['webguiproto'] || !$certs_available)
79
	$pconfig['webguiproto'] = "http";
80

    
81
if ($_POST) {
82

    
83
	unset($input_errors);
84
	$pconfig = $_POST;
85

    
86
	/* input validation */
87
	if ($_POST['tcp-port'])
88
		if(!is_port($_POST['tcp-port']))
89
			$input_errors[] = gettext("You must specify a valid webConfigurator port number");
90

    
91
	if ($_POST['max-processes'])
92
		if(!is_numericint($_POST['max-processes']) || ($_POST['max-processes'] < 1) || ($_POST['max-processes'] > 500))
93
			$input_errors[] = gettext("Max Processes must be a number 1 or greater");
94

    
95
	if ($_POST['alternate-hostnames']) {
96
		$althosts = explode(" ", $_POST['alternate-hostnames']);
97
		foreach ($althosts as $ah)
98
			if (!is_hostname($ah))
99
				$input_errors[] = sprintf(gettext("Alternate hostname %s is not a valid hostname."),htmlspecialchars($ah));
100
	}
101

    
102
	if ($_POST['ssh-port'])
103
		if(!is_port($_POST['ssh-port']))
104
			$input_errors[] = gettext("You must specify a valid port number");
105

    
106
	if($_POST['authentication-method'] == "yes")
107
		$config['system']['ssh']['sshdkeyonly'] = "enabled";
108
	else if (isset($config['system']['ssh']['sshdkeyonly']))
109
		unset($config['system']['ssh']['sshdkeyonly']);
110

    
111
	ob_flush();
112
	flush();
113

    
114
	if (!$input_errors) {
115

    
116
		if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['protocol']))
117
			$restart_webgui = true;
118
		if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['tcp-port']))
119
			$restart_webgui = true;
120
		if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certificate']))
121
			$restart_webgui = true;
122
		if (update_if_changed("webgui max processes", $config['system']['webgui']['max_procs'], $_POST['max-processes']))
123
			$restart_webgui = true;
124

    
125
		if ($_POST['webgui-redirect'] == "yes") {
126
			$config['system']['webgui']['disablehttpredirect'] = true;
127
			$restart_webgui = true;
128
		} else {
129
			unset($config['system']['webgui']['disablehttpredirect']);
130
			$restart_webgui = true;
131
		}
132
		if ($_POST['webgui-login-messages'] == "yes") {
133
			$config['system']['webgui']['quietlogin'] = true;
134
		} else {
135
			unset($config['system']['webgui']['quietlogin']);
136
		}
137

    
138
		if($_POST['console-menu'] == "yes")
139
			$config['system']['disableconsolemenu'] = true;
140
		else
141
			unset($config['system']['disableconsolemenu']);
142

    
143
		if ($_POST['anti-lockout'] == "yes")
144
			$config['system']['webgui']['noantilockout'] = true;
145
		else
146
			unset($config['system']['webgui']['noantilockout']);
147

    
148
		if ($_POST['serial-terminal'] == "yes" || $g['enableserial_force'])
149
			$config['system']['enableserial'] = true;
150
		else
151
			unset($config['system']['enableserial']);
152

    
153
		if (is_numericint($_POST['serial-speed']))
154
			$config['system']['serialspeed'] = $_POST['serial-speed'];
155
		else
156
			unset($config['system']['serialspeed']);
157

    
158
		if ($_POST['primary-console'])
159
			$config['system']['primaryconsole'] = $_POST['primary-console'];
160
		else
161
			unset($config['system']['primaryconsole']);
162

    
163
		if ($_POST['dns-rebind-check'] == "yes")
164
			$config['system']['webgui']['nodnsrebindcheck'] = true;
165
		else
166
			unset($config['system']['webgui']['nodnsrebindcheck']);
167

    
168
		if ($_POST['browser-http_referer-enforcement'] == "yes")
169
			$config['system']['webgui']['nohttpreferercheck'] = true;
170
		else
171
			unset($config['system']['webgui']['nohttpreferercheck']);
172

    
173
		if ($_POST['pagenamefirst'] == "yes")
174
			$config['system']['webgui']['pagenamefirst'] = true;
175
		else
176
			unset($config['system']['webgui']['pagenamefirst']);
177

    
178
		if ($_POST['webgui-login-autocomplete'] == "yes")
179
			$config['system']['webgui']['loginautocomplete'] = true;
180
		else
181
			unset($config['system']['webgui']['loginautocomplete']);
182

    
183
		if ($_POST['alternate-hostnames'])
184
			$config['system']['webgui']['althostnames'] = $_POST['alternate-hostnames'];
185
		else
186
			unset($config['system']['webgui']['althostnames']);
187

    
188
		$sshd_enabled = $config['system']['enablesshd'];
189
		if($_POST['secure-shell-server'])
190
			$config['system']['enablesshd'] = "enabled";
191
		else
192
			unset($config['system']['enablesshd']);
193

    
194
		$sshd_keyonly = isset($config['system']['sshdkeyonly']);
195
		if ($_POST['authentication-method'])
196
			$config['system']['sshdkeyonly'] = true;
197
		else
198
			unset($config['system']['sshdkeyonly']);
199

    
200
		$sshd_port = $config['system']['ssh']['port'];
201
		if ($_POST['ssh-port'])
202
			$config['system']['ssh']['port'] = $_POST['ssh-port'];
203
		else if (isset($config['system']['ssh']['port']))
204
			unset($config['system']['ssh']['port']);
205

    
206
		if (($sshd_enabled != $config['system']['enablesshd']) ||
207
			($sshd_keyonly != $config['system']['sshdkeyonly']) ||
208
			($sshd_port != $config['system']['ssh']['port']))
209
			$restart_sshd = true;
210

    
211
		if ($restart_webgui) {
212
			global $_SERVER;
213
			$http_host_port = explode("]", $_SERVER['HTTP_HOST']);
214
			/* IPv6 address check */
215
			if(strstr($_SERVER['HTTP_HOST'], "]")) {
216
				if(count($http_host_port) > 1) {
217
					array_pop($http_host_port);
218
					$host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
219
					$host = "[{$host}]";
220
				} else {
221
					$host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
222
					$host = "[{$host}]";
223
				}
224
			} else {
225
				list($host) = explode(":", $_SERVER['HTTP_HOST']);
226
			}
227
			$prot = $config['system']['webgui']['protocol'];
228
			$port = $config['system']['webgui']['port'];
229
			if ($port)
230
				$url = "{$prot}://{$host}:{$port}/system_advanced_admin.php";
231
			else
232
				$url = "{$prot}://{$host}/system_advanced_admin.php";
233
		}
234

    
235
		write_config();
236

    
237
		$retval = filter_configure();
238
		$savemsg = get_std_save_message($retval);
239

    
240
		if ($restart_webgui)
241
			$savemsg .= sprintf("<br />" . gettext("One moment...redirecting to %s in 20 seconds."),$url);
242

    
243
		conf_mount_rw();
244
		setup_serial_port();
245
		// Restart DNS in case dns rebinding toggled
246
		if (isset($config['dnsmasq']['enable']))
247
			services_dnsmasq_configure();
248
		elseif (isset($config['unbound']['enable']))
249
			services_unbound_configure();
250
		conf_mount_ro();
251
	}
252
}
253

    
254
$pgtitle = array(gettext("System"),gettext("Advanced: Admin Access"));
255
include("head.inc");
256

    
257
if ($input_errors)
258
	print_input_errors($input_errors);
259
if ($savemsg)
260
	print_info_box($savemsg);
261

    
262
$tab_array = array();
263
$tab_array[] = array(gettext("Admin Access"), true, "system_advanced_admin.php");
264
$tab_array[] = array(gettext("Firewall / NAT"), false, "system_advanced_firewall.php");
265
$tab_array[] = array(gettext("Networking"), false, "system_advanced_network.php");
266
$tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php");
267
$tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php");
268
$tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php");
269
display_top_tabs($tab_array);
270

    
271
?><div id="container"><?php
272

    
273
require('classes/Form.class.php');
274
$form = new Form;
275
$section = new Form_Section('WebConfigurator');
276
$group = new Form_Group('Protocol');
277

    
278
$group->add(new Form_Checkbox(
279
	'protocol',
280
	'Protocol',
281
	'HTTP',
282
	($pconfig['webguiproto']=='http'),
283
	'http'
284
))->displayAsRadio()->toggles('#ssl-certificate');
285

    
286
$group->add($input = new Form_Checkbox(
287
	'protocol',
288
	'Protocol',
289
	'HTTPS',
290
	($pconfig['webguiproto']=='https'),
291
	'https'
292
))->displayAsRadio()->toggles('#ssl-certificate');
293

    
294
$section->add($group);
295

    
296
if (!$certs_available)
297
{
298
	$input->setDisabled();
299
	$input->setHelp('No Certificates have been defined. You must '.
300
	'<a href="system_certmanager.php">'. gettext("Create or Import").'</a> '.
301
	'a Certificate before SSL can be enabled.');
302
} else {
303
	$values = array();
304
	foreach($a_cert as $cert)
305
		$values[ $cert['refid'] ] = $cert['descr'];
306

    
307
	$section->addInput($input = new Form_Select(
308
		'ssl-certificate',
309
		'SSL Certificate',
310
		$pconfig['ssl-certref'],
311
		$values
312
	));
313

    
314
	if ($pconfig['webguiproto'] == 'http')
315
		$input->addClass('collapse');
316
}
317

    
318
$section->addInput(new Form_Input(
319
	'tcp-port',
320
	'TCP port',
321
	'number',
322
	$config['system']['webgui']['port'],
323
	['min' => 1, 'max' => 65535]
324
))->setHelp('Enter a custom port number for the webConfigurator '.
325
	'above if you want to override the default (80 for HTTP, 443 '.
326
	'for HTTPS). Changes will take effect immediately after save.');
327

    
328
$section->addInput(new Form_Input(
329
	'max-processes',
330
	'Max Processes',
331
	'number',
332
	$pconfig['max_procs']
333
))->setHelp('Enter the number of webConfigurator processes you '.
334
	'want to run. This defaults to 2. Increasing this will allow more '.
335
	'users/browsers to access the GUI concurrently.');
336

    
337
$section->addInput(new Form_Checkbox(
338
	'webgui-redirect',
339
	'WebGUI redirect',
340
	'Disable webConfigurator redirect rule',
341
	$pconfig['disablehttpredirect']
342
))->setHelp('When this is unchecked, access to the webConfigurator '.
343
	'is always permitted even on port 80, regardless of the listening port configured. '.
344
	'Check this box to disable this automatically added redirect rule.');
345

    
346
$section->addInput(new Form_Checkbox(
347
	'webgui-login-autocomplete',
348
	'WebGUI Login Autocomplete',
349
	'Enable webConfigurator login autocomplete',
350
	$pconfig['loginautocomplete']
351
))->setHelp('When this is checked, login credentials for the webConfigurator may '.
352
	'be saved by the browser. While convenient, some security standards require this '.
353
	'to be disabled. Check this box to enable autocomplete on the login form so that '.
354
	'browsers will prompt to save credentials (NOTE: Some browsers do not respect '.
355
	'this option).');
356

    
357
$section->addInput(new Form_Checkbox(
358
	'webgui-login-messages',
359
	'WebGUI login messages',
360
	'Disable logging of webConfigurator successful logins',
361
	$pconfig['quietlogin']
362
))->setHelp('When this is checked, successful logins to the webConfigurator will '.
363
	'not be logged.');
364

    
365
if ($config['interfaces']['lan'])
366
	$lockout_interface = "LAN";
367
else
368
	$lockout_interface = "WAN";
369

    
370
$section->addInput(new Form_Checkbox(
371
	'anti-lockout',
372
	'Anti-lockout',
373
	'Disable webConfigurator anti-lockout rule',
374
	$pconfig['noantilockout']
375
))->setHelp('When this is '.
376
	'unchecked, access to the webConfigurator on the %s interface is always '.
377
	'permitted, regardless of the user-defined firewall rule set. Check this box to '.
378
	'disable this automatically added rule, so access to the webConfigurator is '.
379
	'controlled by the user-defined firewall rules (ensure you have a firewall rule '.
380
	'in place that allows you in, or you will lock yourself out!)<em>Hint: the &quot;Set interface(s) IP address&quot; '.
381
	'option in the console menu resets this setting as well.</em>', [$lockout_interface]);
382

    
383
$section->addInput(new Form_Checkbox(
384
	'dns-rebind-check',
385
	'DNS Rebind Check',
386
	'Disable DNS Rebinding Checks',
387
	$pconfig['nodnsrebindcheck']
388
))->setHelp('When this is unchecked, your system is protected against<a '.
389
	'href=\"http://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding attacks</a>. '.
390
	'This blocks private IP responses from your configured DNS servers. Check this '.
391
	'box to disable this protection if it interferes with webConfigurator access or '.
392
	'name resolution in your environment.');
393

    
394
$section->addInput(new Form_Input(
395
	'alternate-hostnames',
396
	'Alternate Hostnames',
397
	'text',
398
	htmlspecialchars($pconfig['althostnames'])
399
))->setHelp('Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks. Here '.
400
	'you can specify alternate hostnames by which the router may be queried, to '.
401
	'bypass the DNS Rebinding Attack checks. Separate hostnames with spaces.');
402

    
403
$section->addInput(new Form_Checkbox(
404
	'browser-http_referer-enforcement',
405
	'Browser HTTP_REFERER enforcement',
406
	'Disable HTTP_REFERER enforcement check',
407
	$pconfig['nohttpreferercheck']
408
))->setHelp('When this is unchecked, access to the webConfigurator is protected '.
409
	'against HTTP_REFERER redirection attempts. Check this box to disable this '.
410
	'protection if you find that it interferes with webConfigurator access in certain '.
411
	'corner cases such as using external scripts to interact with this system. More '.
412
	'information on HTTP_REFERER is available from<a target="_blank" '.
413
	'href="http://en.wikipedia.org/wiki/HTTP_referrer">Wikipedia</a>.');
414

    
415
$section->addInput(new Form_Checkbox(
416
	'browser-tab-text',
417
	'Browser tab text',
418
	'Display page name first in browser tab',
419
	$pconfig['pagenamefirst']
420
))->setHelp('When this is unchecked, the browser tab shows the host name followed '.
421
	'by the current page. Check this box to display the current page followed by the '.
422
	'host name.');
423

    
424
$form->add($section);
425
$section = new Form_Section('Secure Shell');
426

    
427
$section->addInput(new Form_Checkbox(
428
	'secure-shell-server',
429
	'Secure Shell Server',
430
	'Enable Secure Shell',
431
	isset($pconfig['enablesshd'])
432
));
433

    
434
$section->addInput(new Form_Checkbox(
435
	'authentication-method',
436
	'Authentication Method',
437
	'Disable password login for Secure Shell (RSA/DSA key only)',
438
	$pconfig['sshdkeyonly']
439
))->setHelp('When enabled, authorized keys need to be configured for each<a '.
440
	'href="system_usermanager.php">user</a>that has been granted secure shell '.
441
	'access.');
442

    
443
$section->addInput(new Form_Input(
444
	'ssh-port',
445
	'SSH port',
446
	'number',
447
	$pconfig['sshport'],
448
	['min' => 1, 'max' => 65535, 'placeholder' => 22]
449
))->setHelp('Note: Leave this blank for the default of 22.');
450

    
451

    
452
if (!$g['enableserial_force'] && ($g['platform'] == "pfSense" || $g['platform'] == "cdrom" || file_exists("/etc/nano_use_vga.txt")))
453
{
454
	$form->add($section);
455
	$section = new Form_Section('Serial Communications');
456

    
457
	$section->addInput(new Form_Checkbox(
458
		'serial-terminal',
459
		'Serial Terminal',
460
		'Enables the first serial port with 115200/8/N/1 by default, or another speed selectable below.',
461
		isset($pconfig['enableserial'])
462
	))->setHelp('Note:  This will redirect the console output and messages to '.
463
		'the serial port. You can still access the console menu from the internal video '.
464
		'card/keyboard. A<b>null modem</b>serial cable or adapter is required to use the '.
465
		'serial console.');
466

    
467
	$section->addInput(new Form_Select(
468
		'serial-speed',
469
		'Serial Speed',
470
		$pconfig['serialspeed'],
471
		array(115200, 57600, 38400, 19200, 14400, 9600)
472
	))->setHelp('Allows selection of different speeds for the serial console port.');
473

    
474
	$section->addInput(new Form_Select(
475
		'primary-console',
476
		'Primary Console',
477
		$pconfig['primaryconsole'],
478
		array(
479
			'serial' => 'Serial Console',
480
			'video' => 'VGA Console',
481
		)
482
	))->setHelp('Select the preferred console if multiple consoles are present. '.
483
		'The preferred console will show pfSense boot script output. All consoles '.
484
		'display OS boot messages, console messages, and the console menu.');
485
}
486

    
487
$form->add($section);
488
$section = new Form_Section('Console Options');
489

    
490
$section->addInput(new Form_Checkbox(
491
	'console-menu',
492
	'Console menu',
493
	'Password protect the console menu',
494
	$pconfig['disableconsolemenu']
495
));
496

    
497
$form->add($section);
498
print $form;
499

    
500
include("foot.inc");
501

    
502
if ($restart_webgui)
503
	echo "<meta http-equiv=\"refresh\" content=\"20;url={$url}\" />";
504

    
505
if ($restart_sshd)
506
{
507
	killbyname("sshd");
508
	log_error(gettext("secure shell configuration has changed. Stopping sshd."));
509

    
510
	if ($config['system']['enablesshd']) {
511
		log_error(gettext("secure shell configuration has changed. Restarting sshd."));
512
		send_event("service restart sshd");
513
	}
514
}
515

    
516
if ($restart_webgui)
517
{
518
	ob_flush();
519
	flush();
520
	log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator."));
521
	send_event("service restart webgui");
522
}
(191-191/241)