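def apache_http_configuration(proxy_config, auth_config, miscellaneous_headers,
                              https_redirection):
    """Inject the reverse-proxy (or HTTPS redirect) block into Apache's default site.

    The block is written into ``000-default.conf`` directly after the
    ``DocumentRoot /var/www/html`` line and the site is then enabled with
    ``a2ensite``.

    Args:
        proxy_config: Apache directives for the reverse proxy.
        auth_config: Apache directives for the authentication module.
        miscellaneous_headers: Extra ``Header`` directives.
        https_redirection: When true, write only a mod_rewrite rule that sends
            every request for ``settings.DOMAIN_NAME`` to ``https://`` instead
            of the proxy/auth/header directives.

    Exits with status 1 when the site file is empty. A missing ``DocumentRoot``
    marker line is reported as a warning, because nothing gets injected then.
    """
    default_config_path = '/etc/apache2/sites-available/'
    default_config_name = '000-default.conf'
    default_config_file = default_config_path + default_config_name

    if https_redirection:
        # [END] stops further rewriting, [NE] leaves the URI unescaped and
        # R=permanent answers with a 301.
        write_contents = ('\n\tRewriteEngine on\n\tRewriteCond %{SERVER_NAME} ='
                          + settings.DOMAIN_NAME +
                          '\n\tRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} '
                          '[END,NE,R=permanent]\n')
    else:
        write_contents = proxy_config + auth_config + miscellaneous_headers

    settings.backup_file(default_config_file)

    with open(default_config_file, 'r') as file:
        default_contents = file.readlines()

    if not default_contents:
        print('[ERROR]The {} file has no contents'.format(default_config_file))
        # Non-zero status so a calling script can tell the setup failed.
        sys.exit(1)

    marker_found = False
    with open(default_config_file, 'w') as file:
        for line in default_contents:
            file.write(line)
            if line.strip() == 'DocumentRoot /var/www/html':
                file.write(write_contents)
                marker_found = True

    if not marker_found:
        # Without the marker the site would be enabled without any of the
        # proxy/redirect directives; make that visible instead of silent.
        print('[WARNING] "DocumentRoot /var/www/html" not found in {}; '
              'no configuration was added'.format(default_config_file))

    # Enabling the http virtual host
    subprocess.check_output(['a2ensite', default_config_name])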
def isc_dhcp_server_configuration():
    """Write the Pi's DHCP server configuration and restart isc-dhcp-server.

    ``/etc/dhcp/dhcpd.conf`` is backed up and then replaced wholesale with a
    single-subnet (192.168.7.0/24) configuration, ``INTERFACESv4`` in
    ``/etc/default/isc-dhcp-server`` is pointed at ``eth0`` and the service is
    restarted. Any non-zero exit of sed or service propagates as
    ``subprocess.CalledProcessError``.
    """
    config_path = '/etc/dhcp/dhcpd.conf'
    defaults_path = '/etc/default/isc-dhcp-server'

    # Leases 192.168.7.2-254; the router option is the Pi's own eth0 address.
    subnet_block = ('\nddns-update-style none;\ndeny declines;\ndeny bootp;\n'
                    'subnet 192.168.7.0 netmask 255.255.255.0 {\n'
                    '\trange 192.168.7.2 192.168.7.254;\n'
                    '\toption routers 192.168.7.1;\n'
                    '\toption broadcast-address 192.168.7.255;\n'
                    '\tdefault-lease-time 3600;\n'
                    '\tmax-lease-time 7200;\n'
                    '}')

    message = 'Adding the raspberry pi dhcp server configuration to {} file'
    print(message.format(config_path))

    settings.backup_file(config_path)
    # Mode 'w': the existing dhcpd.conf is replaced, not appended to.
    with open(config_path, 'w') as handle:
        handle.write(subnet_block)

    # Bind the server to the instrument-side interface only.
    sed_script = 's|INTERFACESv4=""|INTERFACESv4="eth0"|g'
    subprocess.check_output(['sed', '-i', '--', sed_script, defaults_path])

    print('Restarting the dhcp server service')
    subprocess.check_output(['service', 'isc-dhcp-server', 'restart'])
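def apache_https_configuration(proxy_config, auth_config,
                               miscellaneous_headers, email_address,
                               self_signed_cert):
    """Set up the HTTPS virtual host, HSTS and (for certbot) OCSP stapling.

    Args:
        proxy_config: Apache directives for the reverse proxy.
        auth_config: Apache directives for the authentication module.
        miscellaneous_headers: Extra ``Header`` directives.
        email_address: Contact address handed to the self-signed certificate
            generation.
        self_signed_cert: When true, generate the self-signed site file
            ``000-default-minidmz-ssl.conf`` and enable it together with
            mod_ssl; otherwise patch certbot's ``000-default-le-ssl.conf`` and
            additionally enable OCSP stapling in ``mods-available/ssl.conf``.

    Exits with status 1 when ``mods-available/ssl.conf`` is empty.
    """
    # SSLStaplingCache is a server-wide directive, so it is inserted right
    # after '<IfModule mod_ssl.c>' in mods-available/ssl.conf, not per vhost.
    ssl_stapling_cache = (
        '\n\n\t# The SSL Stapling Cache global parameter'
        '\n\tSSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(128000)'
        '\n')

    # OCSP stapling configuration for our server (per virtual host)
    ocsp_stapling_config = ('\n\n\t#OSCP Stapling Configuration'
                            '\n\tSSLUseStapling on'
                            '\n\tSSLStaplingReturnResponderErrors off'
                            '\n\tSSLStaplingResponderTimeout 5'
                            '\n\n')

    # HSTS configuration
    hsts_config = (
        '\n\n\t# HSTS for 1 year including the subdomains'
        '\n\tHeader always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
        '\n')

    common_ssl_configuration = proxy_config + miscellaneous_headers + hsts_config

    if self_signed_cert:
        ssl_config_path = '/etc/apache2/sites-available/'
        ssl_config_name = '000-default-minidmz-ssl.conf'
        ssl_config_file = ssl_config_path + ssl_config_name
        apache_self_signed_configuration(ssl_config_file, email_address,
                                         settings.DOMAIN_NAME)
        subprocess.check_output(['a2enmod', 'ssl'])
        # Enabling the https virtual host
        subprocess.check_output(['a2ensite', ssl_config_name])
    else:
        ssl_config_file = '/etc/apache2/sites-available/000-default-le-ssl.conf'
        # OCSP stapling is only configured when certbot is used; a self-signed
        # certificate has no OCSP responder to staple a response from.
        common_ssl_configuration = common_ssl_configuration + ocsp_stapling_config

    https_config(common_ssl_configuration, auth_config, ssl_config_file)

    # No need to enable OCSP if self signed
    if not self_signed_cert:
        ssl_mod_file = '/etc/apache2/mods-available/ssl.conf'
        settings.backup_file(ssl_mod_file)

        with open(ssl_mod_file, 'r') as file:
            contents = file.readlines()

        if not contents:
            print('[ERROR]The {} file has no contents'.format(ssl_mod_file))
            # Non-zero status so a calling script can tell the setup failed.
            sys.exit(1)

        marker_found = False
        with open(ssl_mod_file, 'w') as file:
            for line in contents:
                file.write(line)
                if line.strip() == '<IfModule mod_ssl.c>':
                    file.write(ssl_stapling_cache)
                    marker_found = True

        if not marker_found:
            # SSLUseStapling was already written to the vhost; without the
            # cache directive mod_ssl cannot staple, so say so loudly.
            print('[WARNING] "<IfModule mod_ssl.c>" not found in {}; '
                  'SSLStaplingCache was not added'.format(ssl_mod_file))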
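def https_config(ssl_configuration, auth_config, ssl_config_file):
    """Insert the SSL proxy/auth directives into an existing HTTPS site file.

    Args:
        ssl_configuration: Directives (proxy, headers, HSTS, stapling) to add.
        auth_config: Authentication directives, written directly after
            ``ssl_configuration``.
        ssl_config_file: Path of the virtual-host file to patch in place.

    The directives go immediately after the ``DocumentRoot /var/www/html``
    line. Exits with status 1 when the file is empty; a missing marker line is
    reported as a warning because nothing gets injected then.
    """
    settings.backup_file(ssl_config_file)

    with open(ssl_config_file, 'r') as file:
        contents = file.readlines()

    if not contents:
        print('[ERROR]The {} file has no contents'.format(ssl_config_file))
        # Non-zero status so a calling script can tell the setup failed.
        sys.exit(1)

    marker_found = False
    with open(ssl_config_file, 'w') as file:
        for line in contents:
            file.write(line)
            if line.strip() == 'DocumentRoot /var/www/html':
                file.write(ssl_configuration + auth_config)
                marker_found = True

    if not marker_found:
        print('[WARNING] "DocumentRoot /var/www/html" not found in {}; '
              'no SSL configuration was added'.format(ssl_config_file))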
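def pi_configuration():
    """Apply the base Raspberry Pi settings: GPU memory, password, ssh, keyboard.

    Appends ``gpu_mem=16`` to ``/boot/config.txt`` (a headless Pi needs little
    GPU memory), runs an interactive ``passwd pi`` until it succeeds, creates
    the empty ``/boot/ssh`` marker file that enables the ssh service and
    switches ``/etc/default/keyboard`` from the gb/pc105 layout to us/pc104.

    Exits with status 1 when ``/boot/config.txt`` cannot be backed up, which
    usually means the script is not running as root.
    """
    # Pi for a headless application then you can reduce the memory split
    # between the GPU and the rest of the system down to 16mb
    print('Setting GPU memory to 16mb')
    config_file = '/boot/config.txt'
    try:
        settings.backup_file(config_file)
    except PermissionError:
        # EACCES/EPERM: the usual cause is running the script without sudo.
        print("[ERROR] Code is executed as a non privileged user."
              "\n[ERROR] Please re-run the script as superuser. [ sudo ./{} ]".format(os.path.basename(__file__)))
        sys.exit(1)
    except OSError as error:
        print('[ERROR] Unknown error occurred while accessing {} file'.format(config_file))
        print('[ERROR] {}'.format(error.strerror))
        sys.exit(1)

    # config.txt is not guaranteed to end with a newline; 'gpu_mem=16' glued
    # onto the previous line would not be read as its own setting.
    try:
        with open(config_file, 'r') as file:
            existing = file.read()
    except FileNotFoundError:
        existing = ''
    with open(config_file, 'a') as file:
        if existing and not existing.endswith('\n'):
            file.write('\n')
        file.write('gpu_mem=16\n')

    # Forcing user to change default pi password; retry until passwd succeeds
    print('Please change the default Raspberry Pi password')
    while True:
        try:
            # Argument list instead of a shell string; passwd prompts on the tty.
            subprocess.check_output(['passwd', 'pi'])
        except subprocess.CalledProcessError:
            print("[ERROR] Please try again!")
            continue
        break

    # Creating a file called ssh in boot.
    # This is required to enable ssh connection to pi
    with open('/boot/ssh', 'w') as file:
        file.write('')

    # Changing default keyboard layout to 'US'. These are plain global
    # substitutions, so any other 'pc105' or 'gb' text in the file changes too.
    subprocess.check_output(['sed', '-i', '--',
                             's|pc105|pc104|g',
                             '/etc/default/keyboard'])
    subprocess.check_output(['sed', '-i', '--',
                             's|gb|us|g',
                             '/etc/default/keyboard'])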
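def apache_configuration(http_setup, self_signed_cert, email_id, saml):
    """Turn Apache into a hardened reverse proxy for the guacamole container.

    Args:
        http_setup: True for a plain-HTTP site, False for HTTPS.
        self_signed_cert: Passed on to ``apache_https_configuration``.
        email_id: Contact address passed on to the HTTPS/certificate setup.
        saml: Passed to ``fetch_authentication_configuration`` to pick the
            authentication module (SAML or CAS, judging by the comments below).

    Installs the authentication packages, hides the server signature, disables
    directory listing, enables the proxy/header modules and removes the stock
    ``index.html``. Exits with status 1 if ``apt-get install`` fails.
    """
    print(
        "Creating the Reverse Proxy Configuration and securing Apache server")

    # The first proxy pass MUST be to websocket tunnel.
    # If the first proxy pass is for just guacamole connection defaults to HTTP Tunnel
    # and causes degraded performance, file transfer breaks.
    # Note that proxy is to localhost port 8080. Hence container port 8080 should be bound to localhost:8080
    proxy_config = (
        '\n\n\t# Proxy configuration'
        '\n\tProxyPass /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel'
        '\n\tProxyPassReverse /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel'
        '\n\n\tProxyPass /guacamole/ http://127.0.0.1:8080/guacamole/ flushpackets=on'
        '\n\tProxyPassReverse /guacamole/ http://127.0.0.1:8080/guacamole/')

    # Hiding apache web server signature
    apache_signature_config = ('\n# Hiding apache web server signature'
                               '\nServerSignature Off'
                               '\nServerTokens Prod\n')

    # Other headers
    # NOTE(review): X-Xss-Protection is a legacy header that current browsers
    # no longer honour; a Content-Security-Policy would be the modern replacement.
    miscellaneous_headers = (
        '\n\tHeader set X-Content-Type-Options nosniff'
        '\n\tHeader always set X-Frame-Options "SAMEORIGIN"'
        '\n\tHeader always set X-Xss-Protection "1; mode=block"\n')

    # Authentication module installation command, Authentication module configuration
    auth_modules, auth_packages, auth_config = fetch_authentication_configuration(
        saml)

    if http_setup:
        apache_http_configuration(proxy_config, auth_config,
                                  miscellaneous_headers, False)
    else:
        apache_https_configuration(proxy_config, auth_config,
                                   miscellaneous_headers, email_id,
                                   self_signed_cert)

    # The auth modules enabled further down come from these packages, so a
    # failed install cannot simply be ignored.
    return_code = subprocess.call(['apt-get', '-y', 'install'] + auth_packages)
    if return_code != 0:
        print('[ERROR] apt-get failed to install {} (exit code {})'.format(
            ' '.join(auth_packages), return_code))
        sys.exit(1)

    apache_config_file = '/etc/apache2/apache2.conf'
    settings.backup_file(apache_config_file)

    with open(apache_config_file, 'a') as file:
        file.write(apache_signature_config)

    # Disabling directory browsing
    subprocess.check_output([
        'sed', '-i', '--',
        's|Options Indexes FollowSymLinks|Options FollowSymLinks|g',
        apache_config_file
    ])

    # Enabling modules for proxying, HSTS and CAS
    subprocess.check_output(
        ['a2enmod', 'proxy_http', 'proxy_wstunnel', 'headers'] + auth_modules)

    # Remove index file from /var/www/html
    try:
        os.remove('/var/www/html/index.html')
    except FileNotFoundError:
        pass  # already gone: nothing to do
    except OSError as error:
        print(
            '[WARNING] Unable to delete index.html file from document root (/var/www/html) of apache.'
        )
        print('[DEBUG] Error was {}'.format(error))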
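def saml_specific_configuration(domain_name, contact_email):
    """Patch shibboleth2.xml for this SP and generate its key pair.

    Args:
        domain_name: Host name of this service; becomes the SP entityID
            ``https://<domain_name>/shibboleth`` and the certificate CN.
        contact_email: Address written into the certificate subject and as
            ``supportContact``.

    The IdP entityID and metadata URI come from ``read_saml_configuration()``.
    Every value is spliced into a ``sed`` ``s|...|...|g`` expression, so a
    ``|`` or newline in any of them would corrupt the expression; such values
    are rejected up front with exit status 1.
    """
    sso_entity_id, metadata_uri = read_saml_configuration()

    shibboleth_config_file = '/etc/shibboleth/shibboleth2.xml'

    # '|' is the sed delimiter used below and a newline would end the
    # s-command. ('&' in the replacement would stand for the matched text;
    # none of the expected values contain one.)
    for value in (domain_name, contact_email, sso_entity_id, metadata_uri):
        if '|' in value or '\n' in value:
            print('[ERROR] Value {!r} cannot be used in the shibboleth '
                  'configuration'.format(value))
            sys.exit(1)

    settings.backup_file(shibboleth_config_file)

    # Entity ID, Breaks if http configuration. TODO: Fix this later
    application_entity_id = 'https://{}/shibboleth'.format(domain_name)

    # Generating the self-signed certificate and private key for shibboleth.
    # Argument list (no shell) so a domain or e-mail containing shell
    # metacharacters cannot inject commands. openssl writes the private key
    # to -keyout and the certificate to -out; the file names follow the
    # default CredentialResolver (key="sp-key.pem" certificate="sp-cert.pem")
    # of shibboleth2.xml — verify against the installed file.
    subject = ('/C=US/ST=Indiana/L=Bloomington/O=Indiana University/'
               'OU=UITS/CN={}/emailAddress={}').format(domain_name, contact_email)
    subprocess.check_output([
        'openssl', 'req', '-newkey', 'rsa:4096', '-new', '-x509', '-days', '3652',
        '-nodes', '-text',
        '-keyout', '/etc/shibboleth/sp-key.pem',
        '-out', '/etc/shibboleth/sp-cert.pem',
        '-subj', subject,
    ])
    # NOTE(review): the key is unencrypted (-nodes) and created with openssl's
    # default mode; confirm ownership/permissions match the user shibd runs as.

    # Setting the application entityID
    subprocess.check_output([
        'sed', '-i', '--',
        's|ApplicationDefaults entityID="https://sp.example.org/shibboleth"|'
        'ApplicationDefaults entityID="{}"|g'.format(application_entity_id),
        shibboleth_config_file
    ])

    # Setting the SSO entityID
    subprocess.check_output([
        'sed', '-i', '--',
        's|SSO entityID="https://idp.example.org/idp/shibboleth"|'
        'SSO entityID="{}"|g'.format(sso_entity_id), shibboleth_config_file
    ])

    # HTTPS configuration
    subprocess.check_output([
        'sed', '-i', '--', 's|handlerSSL="false"|handlerSSL="true"|g',
        shibboleth_config_file
    ])
    subprocess.check_output([
        'sed', '-i', '--', 's|cookieProps="http"|cookieProps="https"|g',
        shibboleth_config_file
    ])

    # Error contact configuration
    subprocess.check_output([
        'sed', '-i', '--',
        's|supportContact="root@localhost"|supportContact="{}"|g'.format(
            contact_email), shibboleth_config_file
    ])

    metadata_value = '<MetadataProvider type="XML" reloadInterval="86400" uri="{}"/>'.format(
        metadata_uri)

    # Metadata configuration: the provider is appended after the example
    # comment that the stock file contains.
    sed_command = (
        's|<!-- Example of remotely supplied batch of signed metadata. -->|'
        '<!-- Example of remotely supplied batch of signed metadata. -->{}|g'
    ).format(metadata_value)

    subprocess.check_output(
        ['sed', '-i', '--', sed_command, shibboleth_config_file])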
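def network_configuration(wifi_ssid, wpa_username, wpa_password, no_dynamic_dns, manual_config):
    """Append the uplink configuration to /etc/network/interfaces (and wpa_supplicant.conf).

    Args:
        wifi_ssid: SSID to join; ``None`` selects the wired (eth1) uplink.
        wpa_username: Identity for WPA-EAP (PEAP/MSCHAPv2); ``None`` selects
            WPA-PSK with ``wpa_password`` as the passphrase.
        wpa_password: EAP password or PSK passphrase.
        no_dynamic_dns: When false, the wlan0 stanza runs the dynv6 update
            script once the interface is up.
        manual_config: Wired case only; when true the eth1 DHCP stanza is left
            out so the uplink can be configured by hand.

    eth0 is always configured statically as 192.168.7.1/24 (the instrument
    side). The Wi-Fi credential is appended in clear text to
    wpa_supplicant.conf, which is what wpa_supplicant expects; the file is
    expected to be readable by root only — confirm on the target system.
    """
    print('Setting up the internet configuration')

    # For wifi configuration
    wpa_config_file = '/etc/wpa_supplicant/wpa_supplicant.conf'
    interfaces_file = '/etc/network/interfaces'

    loopback_config = (
        '\nauto lo\n'
        'iface lo inet loopback\n'
    )

    ethernet_config_instrument = (
        '\nauto eth0\n'
        'iface eth0 inet static\n'
        '\taddress 192.168.7.1\n'
        '\tnetmask 255.255.255.0\n'
        '\tnetwork 192.168.7.0\n\n'
    )

    # Taking a backup of interfaces file
    settings.backup_file(interfaces_file)

    ethernet_config_internet = (
        '\nauto eth1\n'
        'iface eth1 inet dhcp\n'
        'iface eth1 inet6 dhcp\n'
    )

    # Wired internet connection
    if wifi_ssid is None:
        write_values = loopback_config + ethernet_config_instrument

        if not manual_config:
            write_values = write_values + ethernet_config_internet

        with open(interfaces_file, 'a') as file:
            file.write(write_values)
        return

    # Wireless internet connection
    # NOTE(review): a '"' inside the SSID, identity or password would break
    # the quoted wpa_supplicant values; none of them is escaped here.
    if wpa_username is not None:
        # WPA-EAP Configuration. The password line must be a real placeholder:
        # str.format ignores surplus positional arguments, so a literal here
        # would silently discard wpa_password and wpa_supplicant would never
        # see the credential.
        # NOTE(review): TKIP is a legacy cipher kept for compatibility; drop it
        # if the access point supports CCMP only.
        wpa_config = (
            '\tssid="{}"\n'
            '\tkey_mgmt=WPA-EAP\n'
            '\tpairwise=CCMP TKIP\n'
            '\tgroup=CCMP TKIP\n'
            '\teap=PEAP\n'
            '\tphase1="peapver=0"\n'
            '\tphase2="MSCHAPV2"\n'
            '\tidentity="{}"\n'
            '\tpassword="{}"\n'
        ).format(wifi_ssid, wpa_username, wpa_password)
    else:
        # WPA-PSK Configuration
        # Note this configuration has not been (and won't be) tested.
        wpa_config = (
            '\tssid="{}"\n'
            '\tpsk="{}"\n'
        ).format(wifi_ssid, wpa_password)

    final_wpa_config = '\nnetwork={\n' + wpa_config + '}\n'

    wifi_config_list = [
        '\nauto wlan0\n',
        'allow-hotplug wlan0\n',
        'iface wlan0 inet dhcp\n',
        '\twpa-conf {}\n'.format(wpa_config_file),
    ]

    if not no_dynamic_dns:
        wifi_config_list.append('\tpost-up /bin/bash /etc/dns/dynv6.sh\n')

    print('Adding WPA configuration to {} file'.format(wpa_config_file))
    settings.backup_file(wpa_config_file)
    with open(wpa_config_file, 'a') as file:
        file.write(final_wpa_config)

    print('Adding WIFI configuration to {} file'.format(interfaces_file))
    with open(interfaces_file, 'a') as file:
        file.write(loopback_config + ethernet_config_instrument + ''.join(wifi_config_list))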