also force TLS when requiring user authentication in WebUI

Force TLS _and_ a valid login when accessing protected directories.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

generate ECDSA key on existing installations

This is required since Apache crashes if any of the key/certificate files
does not exist.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ship changed files for Apache and ECDSA

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

enable dual-stack ECDSA and RSA certificates in Apache

Note: Apache crashes if any of these files does not exist. Thereof it
is necessary to generate missing keys on existing installations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

generate ECDSA key on existing installations

Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

prefer ECDSA over RSA and remove clutter

Priorize ECDSA before RSA and remove unused cipher suites.
Remove redundant OpenSSL directives to make SSL configuration more readable.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web-user-interface: Removed 'dial.cgi' from lfs-file

'dial.cgi' was removed in

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=dc6ed83537e1bcc1347ad16bee095ef4d641bc69

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

netboot: Update to 1.2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow editing terms in coupon mode

Since the terms are always shown when set, we need a way
to edit them in coupon mode as well.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship updated extrahd.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove PRINT-line in extrahd.pl

As shown in https://forum.ipfire.org/viewtopic.php?f=50&t=19563#p111055
PRINT-output somehow garbles bash-prompt.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship latest OpenVPN changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Fix for '--ns-cert-type server is deprecated' .

- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate are newely generated with this options.
Nevertheless both directives (old and new) will work also with old CAs.

- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.

If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

remove unused dial.cgi directives from Apache vhosts config

Remove configuration lines in Apache vhosts files which
are not used anymore (old dial.cgi stuff).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

delete unused dial.cgi file

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: No need to reload apache after it has been restarted

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Regenerate IPsec configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

add missing check for Curve25519 in vpnmain.cgi

This fixes bug #11501 which causes IPsec connections to crash if
Curve25519 has been enabled.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Rebuild language cache during update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship updated apache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

apache: Update to 2.4.28

http://apache.mirror.digionline.de//httpd/CHANGES_2.4.28

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix saving empty terms

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Download ISO images from https://downloads.ipfire.org

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Pull latest translations for installer & setup from Transifex

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Include captive portal in updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Add captive portal cron jobs to updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive portal: Correctly initialise an array for 8h timeout

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive portal: Reload firewall rules after cleanup

This is not necessary to stop any clients from accessing the
Internet, but if we know that we don't need a line for certain
any more, we can as well remove the firewall rule straight away.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captivectrl: Remove unused code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive portal: Don't remove unlimited access after one hour

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'captive-portal' into next

captive portal: Allow sessions to expire after 8 hours

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive-portal: Serve Ubuntu font files locally

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add Ubuntu font family package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship update for OpenVPN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to 2.3.18

Fixes CVE-2017-12166: out of bounds write in key-method 1

For details see:

https://community.openvpn.net/openvpn/wiki/CVE-2017-12166

Changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.18

Removed an unrecognized 'configure'-option.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Update to 3.1.7

Fixes TROVE-2017-008 and CVE-2017-0380 and others....

For details see  https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.3.1.7
"Tor 0.3.1.7 is the first stable release in the 0.3.1 series."

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship cosmetic improvements in proxy.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy.cgi: Some cosmetics for the absolutely lazy ones (V2)

Added clickable links for 'URL filter' and 'Update accelerator' for faster access,
this time without the need to alter the language-files.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

start core115

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into next

core114: add php to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

wpa_supplicant: Update to 2.6

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'origin/next'

finish core114

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core114: force update addons after core update

apache needs new vhost configs so all addons must updated to work with new
apache.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

captive: Update configuration for Apache 2.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Show access page in browser language

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismüller@ipfire.org>

captive: Do not try to execute the favicon

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix passing redirection URL

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Run apache in HTTP/1.0 mode

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix another typo in captivectrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix typo in German translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Let apache follow symlinks to load bootstrap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix directory permissions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Logo directory no longer exists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

apache2: Create captive portal logging directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Actually build bootstrap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update German translation for captive portal

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Link .map files as well

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bootstrap: Install map files, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Show message when an invalid coupon code was entered

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Do not show checkbox when in coupon mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Verify that the user actually accepted the terms and conditions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Style any error messages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Show a message when no coupon code was entered

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix some template updates that I forgot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Drop duplicate function to list active clients

There was a function with different name but essentially
same functionality which is already existant in &show_clients().

Therefore this patch drops the old function without any functional
changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Redesign clients list box

Mostly code cleanup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Redesign generated coupons table

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Correctly set coupon lifetime

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Remember selected coupon expiry time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow creating multiple coupons in bulk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Reformat times

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Cleanup coupon generation block

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Cleanup logo upload

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Cleanup authentication selection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Code cleanup

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow uploading JPEG images, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Serve logo through an extra CGI script

This CGI script makes saving the logo easier (especially for
backup purposes).

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Save logo in /var/ipfire/captive

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow selecting the session expiry time for terms

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Group settings together and create branding section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Some more CGI cleanup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Rename "Voucher" mode to "Coupon"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Rename "License" mode to "Terms & Conditions"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow selecting highlight colour in web interface

To be able to customise the access page, we now allow the
user to select a brand colour.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Refactor the access page

This brings no functional changes, but cleans up the code
to re-use more and write less.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Get MAC address of a device without calling arp

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Don't compare action string

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Import new design

This is the new design of the access page of the captive
portal. It is based on the Bootstrap 4 grid system and
reboot but does not use anything else from it.

It is responsive and customisable.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bootstrap: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive-portal: Use template engine to render HTML template

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive-portal: Move CGI files to CGI directory

Previously the assets directory has ExecCGI privileges
which is not at all required and potentially dangerous.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive-portal: Code cleanup

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix bug with multiple license clients

If one active client with a license existed, any other client
authenticating will overwrite the configuration line.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Do not generally allow access to TCP/1013

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Only make CGI script executable in document root

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>