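def apache_http_configuration(proxy_config, auth_config, miscellaneous_headers, https_redirection):
    """Insert the reverse-proxy (or HTTPS-redirect) stanza into Apache's default HTTP vhost.

    ``/etc/apache2/sites-available/000-default.conf`` is backed up with
    ``settings.backup_file`` and rewritten with the stanza spliced in right
    after the ``DocumentRoot /var/www/html`` line, then the site is enabled
    with ``a2ensite``.

    Args:
        proxy_config: ProxyPass/ProxyPassReverse directives for Guacamole.
        auth_config: authentication directives (inserted after the proxy lines).
        miscellaneous_headers: extra ``Header`` directives.
        https_redirection: when True, write only a mod_rewrite redirect of
            requests for ``settings.DOMAIN_NAME`` to HTTPS instead of the
            proxy/auth/header stanza.

    Exits the process when the vhost file is empty. Prints a warning when the
    ``DocumentRoot`` anchor is not found: nothing is inserted in that case,
    which previously went unreported.

    Raises:
        subprocess.CalledProcessError: if ``a2ensite`` fails.
    """
    config_dir = '/etc/apache2/sites-available/'
    config_name = '000-default.conf'
    config_file = config_dir + config_name

    if https_redirection:
        # Same shape certbot generates: redirect only requests whose SERVER_NAME
        # is our domain and keep the request URI (NE = no escaping).
        # NOTE(review): this relies on mod_rewrite being enabled; nothing in this
        # file runs `a2enmod rewrite`, so confirm the caller does.
        stanza = ('\n\tRewriteEngine on\n\tRewriteCond %{SERVER_NAME} =' + settings.DOMAIN_NAME +
                  '\n\tRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} '
                  '[END,NE,R=permanent]\n')
    else:
        stanza = proxy_config + auth_config + miscellaneous_headers

    settings.backup_file(config_file)
    with open(config_file, 'r') as file:
        original_lines = file.readlines()
    if not original_lines:
        print('[ERROR]The {} file has no contents'.format(config_file))
        sys.exit()

    # Rewrite the file in one pass, inserting the stanza after the anchor line.
    anchor_found = False
    with open(config_file, 'w') as file:
        for line in original_lines:
            file.write(line)
            if line.strip() == 'DocumentRoot /var/www/html':
                file.write(stanza)
                anchor_found = True
    if not anchor_found:
        print('[WARNING] "DocumentRoot /var/www/html" not found in {}; '
              'the configuration stanza was NOT inserted'.format(config_file))

    # Enabling the http virtual host
    subprocess.check_output(['a2ensite', config_name])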
def isc_dhcp_server_configuration():
    """Configure isc-dhcp-server to serve 192.168.7.0/24 leases on eth0.

    ``/etc/dhcp/dhcpd.conf`` is backed up with ``settings.backup_file`` and
    then *replaced* (not appended to) by a single-subnet configuration;
    ``/etc/default/isc-dhcp-server`` gets ``INTERFACESv4=""`` rewritten to
    ``"eth0"`` and the service is restarted. Must run as root.

    Raises:
        subprocess.CalledProcessError: if the sed edit or the service restart fails.
    """
    dhcpd_conf = '/etc/dhcp/dhcpd.conf'
    defaults_file = '/etc/default/isc-dhcp-server'

    # No DNS updates, refuse DHCPDECLINE and BOOTP, one-hour default lease.
    dhcp_lines = [
        '',
        'ddns-update-style none;',
        'deny declines;',
        'deny bootp;',
        'subnet 192.168.7.0 netmask 255.255.255.0 {',
        '\trange 192.168.7.2 192.168.7.254;',
        '\toption routers 192.168.7.1;',
        '\toption broadcast-address 192.168.7.255;',
        '\tdefault-lease-time 3600;',
        '\tmax-lease-time 7200;',
        '}',
    ]
    dhcp_config = '\n'.join(dhcp_lines)

    print('Adding the raspberry pi dhcp server configuration to {} file'.format(dhcpd_conf))
    settings.backup_file(dhcpd_conf)
    with open(dhcpd_conf, 'w') as conf:
        conf.write(dhcp_config)

    # NOTE(review): only the literal INTERFACESv4="" is rewritten; an existing
    # non-empty value is left untouched.
    subprocess.check_output([
        'sed', '-i', '--', 's|INTERFACESv4=""|INTERFACESv4="eth0"|g', defaults_file
    ])

    print('Restarting the dhcp server service')
    subprocess.check_output(['service', 'isc-dhcp-server', 'restart'])
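def apache_https_configuration(proxy_config, auth_config, miscellaneous_headers, email_address, self_signed_cert):
    """Write the HTTPS vhost: proxy + headers + HSTS (+ OCSP stapling for certbot certs).

    Args:
        proxy_config: ProxyPass/ProxyPassReverse directives.
        auth_config: authentication directives, inserted after the proxy stanza.
        miscellaneous_headers: extra ``Header`` directives.
        email_address: forwarded to ``apache_self_signed_configuration``.
        self_signed_cert: True → generate a self-signed site
            (``000-default-minidmz-ssl.conf``), enable mod_ssl and the site;
            False → edit certbot's ``000-default-le-ssl.conf`` and turn on
            OCSP stapling (vhost directives plus the global
            ``SSLStaplingCache`` in ``mods-available/ssl.conf``).

    Exits the process if ``ssl.conf`` is empty. Warns if its
    ``<IfModule mod_ssl.c>`` anchor is missing, because the vhost already
    carries ``SSLUseStapling on`` and Apache rejects that without a
    configured stapling cache.
    """
    ssl_stapling_cache = (
        '\n\n\t# The SSL Stapling Cache global parameter'
        '\n\tSSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(128000)'
        '\n')

    # OCSP stapling for our server; responder errors are not passed on to clients.
    ocsp_stapling_config = ('\n\n\t#OSCP Stapling Configuration'
                            '\n\tSSLUseStapling on'
                            '\n\tSSLStaplingReturnResponderErrors off'
                            '\n\tSSLStaplingResponderTimeout 5'
                            '\n\n')

    # HSTS for one year. NOTE(review): includeSubDomains commits every
    # subdomain of DOMAIN_NAME to HTTPS for a year in any client that has
    # visited this host — confirm that is intended before deploying.
    hsts_config = (
        '\n\n\t# HSTS for 1 year including the subdomains'
        '\n\tHeader always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
        '\n')

    common_ssl_configuration = proxy_config + miscellaneous_headers + hsts_config

    if self_signed_cert:
        ssl_config_path = '/etc/apache2/sites-available/'
        ssl_config_name = '000-default-minidmz-ssl.conf'
        ssl_config_file = ssl_config_path + ssl_config_name
        apache_self_signed_configuration(ssl_config_file, email_address, settings.DOMAIN_NAME)
        subprocess.check_output(['a2enmod', 'ssl'])
        # Enabling the HTTPS virtual host
        subprocess.check_output(['a2ensite', ssl_config_name])
    else:
        # Assumes certbot's apache plugin already created this file and enabled
        # mod_ssl and the site; nothing in this function does so.
        ssl_config_file = '/etc/apache2/sites-available/000-default-le-ssl.conf'
        # OCSP stapling only makes sense with a CA-issued (certbot) certificate.
        common_ssl_configuration = common_ssl_configuration + ocsp_stapling_config

    https_config(common_ssl_configuration, auth_config, ssl_config_file)

    # No need to enable OSCP if self signed
    if self_signed_cert:
        return

    ssl_mod_file = '/etc/apache2/mods-available/ssl.conf'
    settings.backup_file(ssl_mod_file)
    with open(ssl_mod_file, 'r') as file:
        contents = file.readlines()
    if not contents:
        print('[ERROR]The {} file has no contents'.format(ssl_mod_file))
        sys.exit()

    # The cache directive is global, so it goes in ssl.conf (not the vhost),
    # right after the module guard.
    anchor_found = False
    with open(ssl_mod_file, 'w') as file:
        for line in contents:
            file.write(line)
            if line.strip() == '<IfModule mod_ssl.c>':
                file.write(ssl_stapling_cache)
                anchor_found = True
    if not anchor_found:
        print('[WARNING] "<IfModule mod_ssl.c>" not found in {}; SSLStaplingCache was NOT added '
              'although SSLUseStapling is on in {}'.format(ssl_mod_file, ssl_config_file))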
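def https_config(ssl_configuration, auth_config, ssl_config_file):
    """Splice ``ssl_configuration + auth_config`` into an HTTPS vhost file.

    The file is backed up with ``settings.backup_file`` and rewritten with the
    combined stanza inserted after the ``DocumentRoot /var/www/html`` line.

    Args:
        ssl_configuration: proxy/header/HSTS(/stapling) directives.
        auth_config: authentication directives, written directly after them.
        ssl_config_file: absolute path of the sites-available vhost file.

    Exits the process if the file is empty. Prints a warning if the anchor
    line is not found, because nothing is inserted in that case and the
    omission was previously silent.
    """
    settings.backup_file(ssl_config_file)
    with open(ssl_config_file, 'r') as file:
        contents = file.readlines()
    if not contents:
        print('[ERROR]The {} file has no contents'.format(ssl_config_file))
        sys.exit()

    stanza = ssl_configuration + auth_config
    anchor_found = False
    with open(ssl_config_file, 'w') as file:
        for line in contents:
            file.write(line)
            if line.strip() == 'DocumentRoot /var/www/html':
                file.write(stanza)
                anchor_found = True
    if not anchor_found:
        print('[WARNING] "DocumentRoot /var/www/html" not found in {}; '
              'proxy and authentication directives were NOT inserted'.format(ssl_config_file))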
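def pi_configuration():
    """Apply Raspberry-Pi-specific host settings (must run as root).

    * appends ``gpu_mem=16`` to ``/boot/config.txt`` (headless box, so the
      GPU gets the minimum memory split); the file is backed up first;
    * forces an interactive change of the default ``pi`` password, retrying
      until ``passwd`` succeeds;
    * creates the empty ``/boot/ssh`` flag file that enables SSH on the Pi;
    * switches ``/etc/default/keyboard`` from pc105/gb to pc104/us.

    Exits the process with a message if ``/boot/config.txt`` cannot be backed
    up: permission denied means the script is not running as root; any other
    OSError is reported with its strerror.
    """
    print('Setting GPU memory to 16mb')
    config_file = '/boot/config.txt'
    try:
        settings.backup_file(config_file)
    except PermissionError:
        # Checked by exception type rather than by substring-matching strerror,
        # which is locale dependent and may be None.
        print("[ERROR] Code is executed as a non privileged user."
              "\n[ERROR] Please re-run the script as superuser. [ sudo ./{} ]".format(os.path.basename(__file__)))
        sys.exit()
    except OSError as error:
        print('[ERROR] Unknown error occurred while accessing {} file'.format(config_file))
        print('[ERROR] {}'.format(error.strerror))
        sys.exit()
    with open(config_file, 'a') as file:
        # Leading newline: if config.txt has no trailing newline the setting
        # would otherwise be glued onto the last existing line and ignored.
        file.write('\ngpu_mem=16\n')

    # Forcing user to change default pi password (before SSH is enabled below).
    print('Please change the default Rapberry Pi password')
    while True:
        try:
            # argv list instead of shell=True: nothing here is user-controlled,
            # but the shell buys nothing. passwd prompts on the controlling
            # tty, so capturing stdout does not hide the prompts.
            subprocess.check_output(['passwd', 'pi'])
        except subprocess.CalledProcessError:
            print("[ERROR] Please try again!")
            continue
        break

    # Creating a file called ssh in boot.
    # This is required to enable ssh connection to pi
    with open('/boot/ssh', 'w') as file:
        file.write('')

    # Changing default keyboard layout to 'US'.
    # NOTE(review): these are bare substring substitutions over the whole
    # file (every "gb" becomes "us"), not anchored to XKBLAYOUT=; fine for the
    # stock file, worth tightening if the file is ever customised.
    subprocess.check_output(['sed', '-i', '--', 's|pc105|pc104|g', '/etc/default/keyboard'])
    subprocess.check_output(['sed', '-i', '--', 's|gb|us|g', '/etc/default/keyboard'])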
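def apache_configuration(http_setup, self_signed_cert, email_id, saml):
    """Turn Apache into a hardened reverse proxy for Guacamole on 127.0.0.1:8080.

    Steps, in order:
    1. build the ProxyPass stanza (websocket tunnel first — see below), the
       hardening headers and, via ``fetch_authentication_configuration(saml)``,
       the auth modules / apt packages / directives;
    2. write the HTTP vhost (``apache_http_configuration``) or the HTTPS vhost
       (``apache_https_configuration``) depending on ``http_setup``;
    3. ``apt-get install`` the authentication packages (exit on failure);
    4. append ``ServerSignature Off`` / ``ServerTokens Prod`` to apache2.conf
       (backed up first) and drop ``Indexes`` from its ``Options`` line;
    5. enable proxy_http, proxy_wstunnel, headers and the auth modules;
    6. delete the stock ``/var/www/html/index.html`` (absent file is fine).

    Args:
        http_setup: True for a plain-HTTP vhost, False for HTTPS.
        self_signed_cert: forwarded to ``apache_https_configuration``.
        email_id: contact address forwarded to ``apache_https_configuration``.
        saml: selects the backend in ``fetch_authentication_configuration``.

    Raises:
        subprocess.CalledProcessError: if sed or a2enmod fails.
    """
    print("Creating the Reverse Proxy Configuration and securing Apache server")

    # The first proxy pass MUST be to websocket tunnel.
    # If the first proxy pass is for just guacamole connection defaults to HTTP Tunnel
    # and causes degraded performance, file transfer breaks.
    # Note that proxy is to localhost port 8080. Hence container port 8080 should be binded to localhost:8080
    proxy_config = (
        '\n\n\t# Proxy configuration'
        '\n\tProxyPass /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel'
        '\n\tProxyPassReverse /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel'
        '\n\n\tProxyPass /guacamole/ http://127.0.0.1:8080/guacamole/ flushpackets=on'
        '\n\tProxyPassReverse /guacamole/ http://127.0.0.1:8080/guacamole/')

    # Hiding apache web server signature
    apache_signature_config = ('\n# Hiding apache web server signature'
                               '\nServerSignature Off'
                               '\nServerTokens Prod\n')

    # Other headers.
    # NOTE(review): X-XSS-Protection "1; mode=block" is deprecated and the
    # browser filter it enables has itself been a source of leaks; current
    # guidance is "0" (or omitting it) plus a Content-Security-Policy. Kept
    # as-is here since it is a deliberate policy choice.
    miscellaneous_headers = (
        '\n\tHeader set X-Content-Type-Options nosniff'
        '\n\tHeader always set X-Frame-Options "SAMEORIGIN"'
        '\n\tHeader always set X-Xss-Protection "1; mode=block"\n')

    # Authentication module installation command, Authentication module configuration
    auth_modules, auth_packages, auth_config = fetch_authentication_configuration(saml)

    if http_setup:
        apache_http_configuration(proxy_config, auth_config, miscellaneous_headers, False)
    else:
        apache_https_configuration(proxy_config, auth_config, miscellaneous_headers, email_id, self_signed_cert)

    # The exit status used to be discarded; a failed install would leave the
    # vhost enabled while the authentication modules it references are missing.
    if subprocess.call(['apt-get', '-y', 'install'] + auth_packages) != 0:
        print('[ERROR] Failed to install the authentication packages: {}'.format(' '.join(auth_packages)))
        sys.exit()

    apache_config_file = '/etc/apache2/apache2.conf'
    settings.backup_file(apache_config_file)
    with open(apache_config_file, 'a') as file:
        file.write(apache_signature_config)

    # Disabling directory browsing
    subprocess.check_output([
        'sed', '-i', '--', 's|Options Indexes FollowSymLinks|Options FollowSymLinks|g', apache_config_file
    ])

    # Enabling modules for proxying, HSTS and CAS
    subprocess.check_output(['a2enmod', 'proxy_http', 'proxy_wstunnel', 'headers'] + auth_modules)

    # Remove index file from /var/www/html; an already-missing file is not an error.
    try:
        os.remove('/var/www/html/index.html')
    except FileNotFoundError:
        pass
    except OSError as error:
        print('[WARNING] Unable to delete index.html file from document root (/var/www/html) of apache.')
        print('[DEBUG] Error was {}'.format(error))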
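def saml_specific_configuration(domain_name, contact_email):
    """Wire the Shibboleth SP (``/etc/shibboleth/shibboleth2.xml``) to the SAML IdP.

    Reads the IdP entityID and metadata URI via ``read_saml_configuration()``,
    generates a self-signed 4096-bit RSA SP key pair, and edits
    shibboleth2.xml in place (after ``settings.backup_file``) to set the SP
    entityID (``https://<domain_name>/shibboleth``), the IdP entityID,
    HTTPS-only handlers/cookies, the support contact and a remote
    ``MetadataProvider``.

    Args:
        domain_name: public host name of this SP; also the certificate CN.
        contact_email: supportContact value and certificate emailAddress.

    Raises:
        subprocess.CalledProcessError: if openssl or any sed edit fails.
    """
    sso_entity_id, metadata_uri = read_saml_configuration()
    shibboleth_config_file = '/etc/shibboleth/shibboleth2.xml'
    settings.backup_file(shibboleth_config_file)

    # Entity ID, Breaks if http configuration. TODO: Fix this later
    application_entity_id = 'https://{}/shibboleth'.format(domain_name)

    # Generating certificate and key for shibboleth.
    # Passed as an argv list, not through a shell: domain_name/contact_email
    # are caller-supplied and a shell would interpret metacharacters in them.
    # -out is the certificate and -keyout the private key; the original had
    # the two swapped, which wrote the private key to sp-cert.pem and the
    # certificate to sp-key.pem — the opposite of what the file names (and
    # shibboleth2.xml's CredentialResolver) indicate.
    # NOTE(review): the key file is created with the process umask; confirm
    # it ends up readable only by the shibd user.
    subject = ('/C=US/ST=Indiana/L=Bloomington/O=Indiana University/'
               'OU=UITS/CN={}/emailAddress={}').format(domain_name, contact_email)
    subprocess.check_output([
        'openssl', 'req', '-newkey', 'rsa:4096', '-new', '-x509', '-days', '3652', '-nodes', '-text',
        '-out', '/etc/shibboleth/sp-cert.pem',
        '-keyout', '/etc/shibboleth/sp-key.pem',
        '-subj', subject,
    ])

    def _sed_replace(old, new):
        """Run ``s|old|new|g`` in place on shibboleth2.xml.

        ``new`` is escaped so that a backslash, ``&`` or the ``|`` delimiter
        in a caller-supplied value (entityID, URI, e-mail) is written
        literally instead of being interpreted by sed.
        """
        escaped = new.replace('\\', '\\\\').replace('&', '\\&').replace('|', '\\|')
        subprocess.check_output(
            ['sed', '-i', '--', 's|{}|{}|g'.format(old, escaped), shibboleth_config_file])

    # Setting the application entityID
    _sed_replace('ApplicationDefaults entityID="https://sp.example.org/shibboleth"',
                 'ApplicationDefaults entityID="{}"'.format(application_entity_id))
    # Setting the SSO entityID
    _sed_replace('SSO entityID="https://idp.example.org/idp/shibboleth"',
                 'SSO entityID="{}"'.format(sso_entity_id))
    # HTTPS configuration: handlers and the session cookie are HTTPS-only.
    _sed_replace('handlerSSL="false"', 'handlerSSL="true"')
    _sed_replace('cookieProps="http"', 'cookieProps="https"')
    # Error contact configuration
    _sed_replace('supportContact="root@localhost"', 'supportContact="{}"'.format(contact_email))

    # Metadata configuration: the provider is inserted right after the stock
    # example comment.
    # NOTE(review): no Signature/ValidUntil MetadataFilter is configured, so
    # trust in the IdP rests entirely on the transport of metadata_uri —
    # confirm it is https (or add a signature filter); otherwise an on-path
    # attacker could substitute the IdP.
    metadata_value = '<MetadataProvider type="XML" reloadInterval="86400" uri="{}"/>'.format(metadata_uri)
    marker = '<!-- Example of remotely supplied batch of signed metadata. -->'
    _sed_replace(marker, marker + metadata_value)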
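def network_configuration(wifi_ssid, wpa_username, wpa_password, no_dynamic_dns, manual_config):
    """Append the Pi's network stanzas to /etc/network/interfaces (and wpa_supplicant.conf for Wi-Fi).

    Always writes the loopback stanza and a static eth0 stanza
    (192.168.7.1/24, the "instrument" side). Then, for the uplink:

    * ``wifi_ssid is None`` → wired: eth1 via DHCP (v4 and v6) unless
      ``manual_config`` is set, in which case no uplink stanza is written.
    * otherwise → wlan0 via DHCP using ``/etc/wpa_supplicant/wpa_supplicant.conf``,
      to which a ``network={...}`` block is appended: WPA-EAP (PEAP/MSCHAPv2)
      when ``wpa_username`` is given, else WPA-PSK. Unless ``no_dynamic_dns``
      is set, a post-up hook runs ``/etc/dns/dynv6.sh``.

    Both files are backed up with ``settings.backup_file`` before being
    appended to. Credentials are written in clear text; the supplicant file
    must stay readable by root only.
    """
    print('Setting up the internet configuration')
    wpa_config_file = '/etc/wpa_supplicant/wpa_supplicant.conf'
    interfaces_file = '/etc/network/interfaces'

    loopback_config = (
        '\nauto lo\n'
        'iface lo inet loopback\n'
    )
    ethernet_config_instrument = (
        '\nauto eth0\n'
        'iface eth0 inet static\n'
        '\taddress 192.168.7.1\n'
        '\tnetmask 255.255.255.0\n'
        '\tnetwork 192.168.7.0\n\n'
    )
    ethernet_config_internet = (
        '\nauto eth1\n'
        'iface eth1 inet dhcp\n'
        'iface eth1 inet6 dhcp\n'
    )

    # Taking a backup of interfaces file
    settings.backup_file(interfaces_file)

    # Wired internet connection
    if wifi_ssid is None:
        write_values = loopback_config + ethernet_config_instrument
        if not manual_config:
            write_values = write_values + ethernet_config_internet
        with open(interfaces_file, 'a') as file:
            file.write(write_values)
        return

    # Wireless internet connection
    if wpa_username is not None:
        # WPA-EAP Configuration.
        # NOTE(review): no ca_cert=/subject_match= is set, so the supplicant
        # does not validate the RADIUS server certificate; with PEAP/MSCHAPv2
        # an evil-twin AP can harvest the password hash. TKIP is also still
        # allowed as pairwise/group cipher. wpa_supplicant's documented form
        # for the inner method is phase2="auth=MSCHAPV2" — confirm the
        # variant below is accepted.
        wpa_config = (
            '\tssid="{}"\n'
            '\tkey_mgmt=WPA-EAP\n'
            '\tpairwise=CCMP TKIP\n'
            '\tgroup=CCMP TKIP\n'
            '\teap=PEAP\n'
            '\tphase1="peapver=0"\n'
            '\tphase2="MSCHAPV2"\n'
            '\tidentity="{}"\n'
            # The third placeholder was missing: wpa_password was passed to
            # format() but a literal "******" was written, so EAP could never
            # authenticate.
            '\tpassword="{}"\n'
        ).format(wifi_ssid, wpa_username, wpa_password)
    else:
        # WPA-PSK Configuration
        # Note this configuration has not been (and won't be) tested.
        wpa_config = (
            '\tssid="{}"\n'
            '\tpsk="{}"\n'
        ).format(wifi_ssid, wpa_password)
    final_wpa_config = '\nnetwork={\n' + wpa_config + '}\n'

    # NOTE(review): a pre-up firewall hook (/etc/firewall/iptables.sh) was
    # commented out in the original; this function applies no firewall.
    wifi_config_list = [
        '\nauto wlan0\n',
        'allow-hotplug wlan0\n',
        'iface wlan0 inet dhcp\n',
        '\twpa-conf /etc/wpa_supplicant/wpa_supplicant.conf\n',
    ]
    if not no_dynamic_dns:
        wifi_config_list.append('\tpost-up /bin/bash /etc/dns/dynv6.sh\n')

    print('Adding WPA configuration to {} file'.format(wpa_config_file))
    settings.backup_file(wpa_config_file)
    with open(wpa_config_file, 'a') as file:
        file.write(final_wpa_config)

    print('Adding WIFI configuration to {} file'.format(interfaces_file))
    with open(interfaces_file, 'a') as file:
        file.write(loopback_config + ethernet_config_instrument + ''.join(wifi_config_list))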