def _run_wsgi(self):
if self.ssl:
self._setup_server_cert()
logger.info('Starting server...')
if self.auto_start_servers:
from pritunl.server import Server
for server in Server.iter_servers():
if server.org_count:
try:
server.start()
except:
logger.exception('Failed to auto start server. %r' % {
'server_id': server.id,
})
server = cherrypy.wsgiserver.CherryPyWSGIServer(
(self.bind_addr, self.port), self.app,
request_queue_size=SERVER_REQUEST_QUEUE_SIZE,
server_name=cherrypy.wsgiserver.CherryPyWSGIServer.version)
if self.ssl:
server.ConnectionClass = HTTPConnectionPatch
server.ssl_adapter = SSLAdapter(
self._server_cert_path, self._server_key_path)
try:
server.start()
except (KeyboardInterrupt, SystemExit):
pass
except:
logger.exception('Server error occurred')
raise
finally:
signal.signal(signal.SIGINT, signal.SIG_IGN)
logger.info('Stopping server...')
self._on_exit()
def status_get():
orgs_count = 0
servers_count = 0
servers_online_count = 0
clients_count = 0
for server in Server.iter_servers():
servers_count += 1
if server.status:
servers_online_count += 1
clients_count += len(server.clients)
user_count = 0
for org in Organization.iter_orgs():
orgs_count += 1
user_count += org.user_count
local_networks = utils.get_local_networks()
return utils.jsonify({
'org_count': orgs_count,
'users_online': clients_count,
'user_count': user_count,
'servers_online': servers_online_count,
'server_count': servers_count,
'server_version': __version__,
'public_ip': app_server.public_ip,
'local_networks': local_networks,
})
def server_get(server_id=None):
if server_id:
return utils.jsonify(Server.get_server(server_id).dict())
else:
servers = []
servers_dict = {}
servers_sort = []
for server in Server.iter_servers():
servers.append(server.dict())
return utils.jsonify(servers)
def status_get():
orgs_count = 0
servers_count = 0
servers_online_count = 0
clients_count = 0
for server in Server.iter_servers():
servers_count += 1
if server.status:
servers_online_count += 1
clients_count += len(server.clients)
user_count = 0
for org in Organization.iter_orgs():
orgs_count += 1
user_count += org.user_count
local_networks = utils.get_local_networks()
if app_server.openssl_heartbleed:
notification = 'You are running an outdated version of openssl ' + \
'containting the heartbleed bug. This could allow an attacker ' + \
'to compromise your server. Please upgrade your openssl ' + \
'package and restart the pritunl service.'
else:
notification = app_server.notification
return utils.jsonify({
'org_count': orgs_count,
'users_online': clients_count,
'user_count': user_count,
'servers_online': servers_online_count,
'server_count': servers_count,
'server_version': __version__,
'public_ip': app_server.public_ip,
'local_networks': local_networks,
'notification': notification,
})
def server_put_post(server_id=None):
network_used = set()
interface_used = set()
port_used = set()
for server in Server.iter_servers():
if server.id == server_id:
continue
network_used.add(server.network)
interface_used.add(server.interface)
port_used.add('%s%s' % (server.port, server.protocol))
name = None
name_def = False
if 'name' in flask.request.json:
name_def = True
name = utils.filter_str(flask.request.json['name'])
network = None
network_def = False
if 'network' in flask.request.json:
network_def = True
network = flask.request.json['network']
if network not in SAFE_PUB_SUBNETS:
network_split = network.split('/')
if len(network_split) != 2:
return _network_invalid()
address = network_split[0].split('.')
if len(address) != 4:
return _network_invalid()
for i, value in enumerate(address):
try:
address[i] = int(value)
except ValueError:
return _network_invalid()
if address[0] != 10:
return _network_invalid()
if address[1] > 255 or address[1] < 0 or \
address[2] > 255 or address[2] < 0:
return _network_invalid()
if address[3] != 0:
return _network_invalid()
try:
subnet = int(network_split[1])
except ValueError:
return _network_invalid()
if subnet < 8 or subnet > 24:
return _network_invalid()
interface = None
interface_def = False
if 'interface' in flask.request.json:
interface_def = True
interface = flask.request.json['interface']
if not re.match('^[a-z0-9]+$', interface):
return _interface_invalid()
if interface[:3] != 'tun':
return _interface_invalid()
try:
interface_num = int(interface[3:])
except ValueError:
return _interface_invalid()
if interface_num > 64:
return _interface_invalid()
interface = interface[:3] + str(interface_num)
protocol = 'udp'
protocol_def = False
if 'protocol' in flask.request.json:
protocol_def = True
protocol = flask.request.json['protocol'].lower()
if protocol not in ('udp', 'tcp'):
return utils.jsonify({
'error': PROTOCOL_INVALID,
'error_msg': PROTOCOL_INVALID_MSG,
}, 400)
port = None
port_def = False
if 'port' in flask.request.json:
port_def = True
port = flask.request.json['port']
try:
port = int(port)
except ValueError:
return _port_invalid()
if port < 1 or port > 65535:
return _port_invalid()
dh_param_bits = None
dh_param_bits_def = False
if 'dh_param_bits' in flask.request.json:
dh_param_bits_def = True
dh_param_bits = flask.request.json['dh_param_bits']
try:
dh_param_bits = int(dh_param_bits)
except ValueError:
return _dh_param_bits_invalid()
if dh_param_bits not in VALID_DH_PARAM_BITS:
return _dh_param_bits_invalid()
mode = None
mode_def = False
if 'mode' in flask.request.json:
mode_def = True
mode = flask.request.json['mode']
if mode not in (ALL_TRAFFIC, LOCAL_TRAFFIC, VPN_TRAFFIC):
return utils.jsonify({
'error': MODE_INVALID,
'error_msg': MODE_INVALID_MSG,
}, 400)
local_networks = None
local_networks_def = False
if 'local_networks' in flask.request.json:
local_networks_def = True
local_networks = flask.request.json['local_networks'] or []
for local_network in local_networks:
local_network_split = local_network.split('/')
if len(local_network_split) != 2:
return _local_network_invalid()
address = local_network_split[0].split('.')
if len(address) != 4:
return _local_network_invalid()
for i, value in enumerate(address):
try:
address[i] = int(value)
except ValueError:
return _local_network_invalid()
if address[0] > 255 or address[0] < 0 or \
address[1] > 255 or address[1] < 0 or \
address[2] > 255 or address[2] < 0 or \
address[3] > 254 or address[3] < 0:
return _local_network_invalid()
try:
subnet = int(local_network_split[1])
except ValueError:
return _local_network_invalid()
if subnet < 8 or subnet > 30:
return _local_network_invalid()
dns_servers = None
dns_servers_def = False
if 'dns_servers' in flask.request.json:
dns_servers_def = True
dns_servers = flask.request.json['dns_servers'] or []
for dns_server in dns_servers:
if not re.match(IP_REGEX, dns_server):
return _dns_server_invalid()
search_domain = None
search_domain_def = False
if 'search_domain' in flask.request.json:
search_domain_def = True
search_domain = utils.filter_str(flask.request.json['search_domain'])
public_address = None
public_address_def = False
if 'public_address' in flask.request.json:
public_address_def = True
public_address = utils.filter_str(flask.request.json['public_address'])
debug = False
debug_def = False
if 'debug' in flask.request.json:
debug_def = True
debug = True if flask.request.json['debug'] else False
otp_auth = False
otp_auth_def = False
if 'otp_auth' in flask.request.json:
otp_auth_def = True
otp_auth = True if flask.request.json['otp_auth'] else False
lzo_compression = False
lzo_compression_def = False
if 'lzo_compression' in flask.request.json:
lzo_compression_def = True
lzo_compression = True if flask.request.json[
'lzo_compression'] else False
if not server_id:
if not name_def:
return utils.jsonify({
'error': MISSING_PARAMS,
'error_msg': MISSING_PARAMS_MSG,
}, 400)
if not network_def:
network_def = True
for i in xrange(5000):
rand_network = '10.%s.%s.0/24' % (
random.randint(15,250), random.randint(15,250))
if rand_network not in network_used:
network = rand_network
break
if not network:
return utils.jsonify({
'error': NETWORK_IN_USE,
'error_msg': NETWORK_IN_USE_MSG,
}, 400)
if not interface_def:
interface_def = True
for i in xrange(64):
rand_interface = 'tun%s' % i
if rand_interface not in interface_used:
interface = rand_interface
break
if not interface:
return utils.jsonify({
'error': INTERFACE_IN_USE,
'error_msg': INTERFACE_IN_USE_MSG,
}, 400)
if not port_def:
port_def = True
rand_ports = range(10000, 19999)
random.shuffle(rand_ports)
for rand_port in rand_ports:
if '%s%s' % (rand_port, protocol) not in port_used:
port = rand_port
break
if not port:
return utils.jsonify({
'error': PORT_PROTOCOL_IN_USE,
'error_msg': PORT_PROTOCOL_IN_USE_MSG,
}, 400)
if not dh_param_bits_def:
dh_param_bits_def = True
dh_param_bits = DEFAULT_DH_PARAM_BITS
if not mode_def:
mode_def = True
if local_networks_def and local_networks:
mode = LOCAL_TRAFFIC
else:
mode = ALL_TRAFFIC
if not public_address_def:
public_address_def = True
public_address = app_server.public_ip
if network_def:
if network in network_used:
return utils.jsonify({
'error': NETWORK_IN_USE,
'error_msg': NETWORK_IN_USE_MSG,
}, 400)
if interface_def:
if interface in interface_used:
return utils.jsonify({
'error': INTERFACE_IN_USE,
'error_msg': INTERFACE_IN_USE_MSG,
}, 400)
if port_def:
if '%s%s' % (port, protocol) in port_used:
return utils.jsonify({
'error': PORT_PROTOCOL_IN_USE,
'error_msg': PORT_PROTOCOL_IN_USE_MSG,
}, 400)
if not server_id:
server = Server.new_server(
name=name,
network=network,
interface=interface,
port=port,
protocol=protocol,
dh_param_bits=dh_param_bits,
mode=mode,
local_networks=local_networks,
dns_servers=dns_servers,
search_domain=search_domain,
public_address=public_address,
otp_auth=otp_auth,
lzo_compression=lzo_compression,
debug=debug,
)
else:
server = Server.get_server(id=server_id)
if server.status:
return utils.jsonify({
'error': SERVER_NOT_OFFLINE,
'error_msg': SERVER_NOT_OFFLINE_SETTINGS_MSG,
}, 400)
if name_def:
server.name = name
if network_def:
server.network = network
if interface_def:
server.interface = interface
if port_def:
server.port = port
if protocol_def:
server.protocol = protocol
if dh_param_bits_def and server.dh_param_bits != dh_param_bits:
server.dh_param_bits = dh_param_bits
server.generate_dh_param()
if mode_def:
server.mode = mode
if local_networks_def:
server.local_networks = local_networks
if dns_servers_def:
server.dns_servers = dns_servers
if search_domain_def:
server.search_domain = search_domain
if public_address_def:
server.public_address = public_address
if otp_auth_def:
server.otp_auth = otp_auth
if lzo_compression_def:
server.lzo_compression = lzo_compression
if debug_def:
server.debug = debug
server.commit()
LogEntry(message='Created server "%s".' % server.name)
Event(type=SERVERS_UPDATED)
for org in server.iter_orgs():
Event(type=USERS_UPDATED, resource_id=org.id)
return utils.jsonify(server.dict())
def export_get():
data_path = app_server.data_path
temp_path = os.path.join(data_path, TEMP_DIR)
empty_temp_path = os.path.join(temp_path, EMPTY_TEMP_DIR)
data_archive_name = '%s_%s.tar' % (APP_NAME,
time.strftime('%Y_%m_%d_%H_%M_%S', time.localtime()))
data_archive_path = os.path.join(temp_path, data_archive_name)
# Create empty temp directory to recreate temp dirs in tarfile
if not os.path.exists(empty_temp_path):
os.makedirs(empty_temp_path)
tar_file = tarfile.open(data_archive_path, 'w')
try:
tar_add(tar_file, os.path.join(data_path, AUTH_LOG_NAME))
tar_add(tar_file, os.path.join(data_path, 'pritunl.db'))
tar_add(tar_file, os.path.join(data_path, SERVER_CERT_NAME))
tar_add(tar_file, os.path.join(data_path, SERVER_KEY_NAME))
tar_add(tar_file, os.path.join(data_path, VERSION_NAME))
for org in Organization.iter_orgs():
tar_add(tar_file, org.get_path())
tar_file.add(empty_temp_path,
arcname=os.path.relpath(os.path.join(org.path, TEMP_DIR),
data_path))
for user in org.iter_users():
tar_add(tar_file, user.reqs_path)
tar_add(tar_file, user.key_path)
tar_add(tar_file, user.cert_path)
tar_add(tar_file, user.get_path())
tar_add(tar_file, org.ca_cert.reqs_path)
tar_add(tar_file, org.ca_cert.key_path)
tar_add(tar_file, org.ca_cert.cert_path)
tar_add(tar_file, org.ca_cert.get_path())
for server in Server.iter_servers():
tar_add(tar_file, server.dh_param_path)
tar_add(tar_file, server.ip_pool_path)
tar_add(tar_file, server.get_path())
tar_add(tar_file, os.path.join(server.path, NODE_SERVER))
tar_file.add(empty_temp_path,
arcname=os.path.relpath(os.path.join(server.path, TEMP_DIR),
data_path))
tar_file.close()
with open(data_archive_path, 'r') as archive_file:
response = flask.Response(response=archive_file.read(),
mimetype='application/octet-stream')
response.headers.add('Content-Disposition',
'attachment; filename="%s"' % data_archive_name)
return response
finally:
try:
tar_file.close()
except OSError:
pass
try:
os.remove(data_archive_path)
except OSError:
pass
def server_put_post(server_id=None):
network_used = set()
interface_used = set()
port_used = set()
for server in Server.iter_servers():
if server.id == server_id:
continue
network_used.add(server.network)
interface_used.add(server.interface)
port_used.add("%s%s" % (server.port, server.protocol))
name = None
name_def = False
if "name" in flask.request.json:
name_def = True
name = utils.filter_str(flask.request.json["name"])
type = SERVER
type_def = False
if "type" in flask.request.json:
type_def = True
if flask.request.json["type"] == NODE_SERVER:
type = NODE_SERVER
network = None
network_def = False
if "network" in flask.request.json:
network_def = True
network = flask.request.json["network"]
if network not in SAFE_PUB_SUBNETS:
network_split = network.split("/")
if len(network_split) != 2:
return _network_invalid()
address = network_split[0].split(".")
if len(address) != 4:
return _network_invalid()
for i, value in enumerate(address):
try:
address[i] = int(value)
except ValueError:
return _network_invalid()
if address[0] != 10:
return _network_invalid()
if address[1] > 255 or address[1] < 0 or address[2] > 255 or address[2] < 0:
return _network_invalid()
if address[3] != 0:
return _network_invalid()
try:
subnet = int(network_split[1])
except ValueError:
return _network_invalid()
if subnet < 8 or subnet > 24:
return _network_invalid()
interface = None
interface_def = False
if "interface" in flask.request.json:
interface_def = True
interface = flask.request.json["interface"]
if not re.match("^[a-z0-9]+$", interface):
return _interface_invalid()
if interface[:3] != "tun":
return _interface_invalid()
try:
interface_num = int(interface[3:])
except ValueError:
return _interface_invalid()
if interface_num > 64:
return _interface_invalid()
interface = interface[:3] + str(interface_num)
protocol = "udp"
protocol_def = False
if "protocol" in flask.request.json:
protocol_def = True
protocol = flask.request.json["protocol"].lower()
if protocol not in ("udp", "tcp"):
return utils.jsonify({"error": PROTOCOL_INVALID, "error_msg": PROTOCOL_INVALID_MSG}, 400)
port = None
port_def = False
if "port" in flask.request.json:
port_def = True
port = flask.request.json["port"]
try:
port = int(port)
except ValueError:
return _port_invalid()
if port < 1 or port > 65535:
return _port_invalid()
dh_param_bits = None
dh_param_bits_def = False
if "dh_param_bits" in flask.request.json:
dh_param_bits_def = True
dh_param_bits = flask.request.json["dh_param_bits"]
try:
dh_param_bits = int(dh_param_bits)
except ValueError:
return _dh_param_bits_invalid()
if dh_param_bits not in {1024, 1536, 2048, 3072, 4096}:
return _dh_param_bits_invalid()
mode = None
mode_def = False
if "mode" in flask.request.json:
mode_def = True
mode = flask.request.json["mode"]
if mode not in (ALL_TRAFFIC, LOCAL_TRAFFIC, VPN_TRAFFIC):
return utils.jsonify({"error": MODE_INVALID, "error_msg": MODE_INVALID_MSG}, 400)
local_networks = None
local_networks_def = False
if "local_networks" in flask.request.json:
local_networks_def = True
local_networks = flask.request.json["local_networks"] or []
for local_network in local_networks:
local_network_split = local_network.split("/")
if len(local_network_split) != 2:
return _local_network_invalid()
address = local_network_split[0].split(".")
if len(address) != 4:
return _local_network_invalid()
for i, value in enumerate(address):
try:
address[i] = int(value)
except ValueError:
return _local_network_invalid()
if (
address[0] > 255
or address[0] < 0
or address[1] > 255
or address[1] < 0
or address[2] > 255
or address[2] < 0
or address[3] > 254
or address[3] < 0
):
return _local_network_invalid()
try:
subnet = int(local_network_split[1])
except ValueError:
return _local_network_invalid()
if subnet < 8 or subnet > 30:
return _local_network_invalid()
dns_servers = None
dns_servers_def = False
if "dns_servers" in flask.request.json:
dns_servers_def = True
dns_servers = flask.request.json["dns_servers"] or []
for dns_server in dns_servers:
if not re.match(IP_REGEX, dns_server):
return _dns_server_invalid()
public_address = None
public_address_def = False
if "public_address" in flask.request.json:
public_address_def = True
public_address = utils.filter_str(flask.request.json["public_address"])
debug = False
debug_def = False
if "debug" in flask.request.json:
debug_def = True
debug = True if flask.request.json["debug"] else False
otp_auth = False
otp_auth_def = False
if "otp_auth" in flask.request.json:
otp_auth_def = True
otp_auth = True if flask.request.json["otp_auth"] else False
lzo_compression = False
lzo_compression_def = False
if "lzo_compression" in flask.request.json:
lzo_compression_def = True
lzo_compression = True if flask.request.json["lzo_compression"] else False
node_host = None
node_host_def = False
if "node_host" in flask.request.json:
node_host_def = True
node_host = utils.filter_str(flask.request.json["node_host"])
node_port = None
node_port_def = False
if "node_port" in flask.request.json:
node_port_def = True
node_port = flask.request.json["node_port"]
if node_port is not None:
try:
node_port = int(node_port)
except ValueError:
return _port_invalid()
if node_port < 1 or node_port > 65535:
return _port_invalid()
node_key = None
node_key_def = False
if "node_key" in flask.request.json:
node_key_def = True
node_key = utils.filter_str(flask.request.json["node_key"])
if not server_id:
if not name_def:
return utils.jsonify({"error": MISSING_PARAMS, "error_msg": MISSING_PARAMS_MSG}, 400)
if not network_def:
network_def = True
for i in xrange(5000):
rand_network = "10.%s.%s.0/24" % (random.randint(15, 250), random.randint(15, 250))
if rand_network not in network_used:
network = rand_network
break
if not network:
return utils.jsonify({"error": NETWORK_IN_USE, "error_msg": NETWORK_IN_USE_MSG}, 400)
if not interface_def:
interface_def = True
for i in xrange(64):
rand_interface = "tun%s" % i
if rand_interface not in interface_used:
interface = rand_interface
break
if not interface:
return utils.jsonify({"error": INTERFACE_IN_USE, "error_msg": INTERFACE_IN_USE_MSG}, 400)
if not port_def:
port_def = True
rand_ports = range(10000, 19999)
random.shuffle(rand_ports)
for rand_port in rand_ports:
if "%s%s" % (rand_port, protocol) not in port_used:
port = rand_port
break
if not port:
return utils.jsonify({"error": PORT_PROTOCOL_IN_USE, "error_msg": PORT_PROTOCOL_IN_USE_MSG}, 400)
if not dh_param_bits_def:
dh_param_bits_def = True
dh_param_bits = DEFAULT_DH_PARAM_BITS
if not mode_def:
mode_def = True
if local_networks_def and local_networks:
mode = LOCAL_TRAFFIC
else:
mode = ALL_TRAFFIC
if not public_address_def:
public_address_def = True
public_address = app_server.public_ip
if network_def:
if network in network_used:
return utils.jsonify({"error": NETWORK_IN_USE, "error_msg": NETWORK_IN_USE_MSG}, 400)
if interface_def:
if interface in interface_used:
return utils.jsonify({"error": INTERFACE_IN_USE, "error_msg": INTERFACE_IN_USE_MSG}, 400)
if port_def:
if "%s%s" % (port, protocol) in port_used:
return utils.jsonify({"error": PORT_PROTOCOL_IN_USE, "error_msg": PORT_PROTOCOL_IN_USE_MSG}, 400)
if not server_id:
if type == NODE_SERVER:
server = NodeServer(
name=name,
network=network,
interface=interface,
port=port,
protocol=protocol,
dh_param_bits=dh_param_bits,
mode=mode,
local_networks=local_networks,
dns_servers=dns_servers,
public_address=public_address,
otp_auth=otp_auth,
lzo_compression=lzo_compression,
debug=debug,
node_host=node_host,
node_port=node_port,
node_key=node_key,
)
else:
server = Server(
name=name,
network=network,
interface=interface,
port=port,
protocol=protocol,
dh_param_bits=dh_param_bits,
mode=mode,
local_networks=local_networks,
dns_servers=dns_servers,
public_address=public_address,
otp_auth=otp_auth,
lzo_compression=lzo_compression,
debug=debug,
)
else:
server = Server.get_server(id=server_id)
if server.status:
return utils.jsonify({"error": SERVER_NOT_OFFLINE, "error_msg": SERVER_NOT_OFFLINE_SETTINGS_MSG}, 400)
if name_def:
server.name = name
if network_def:
server.network = network
if interface_def:
server.interface = interface
if port_def:
server.port = port
if protocol_def:
server.protocol = protocol
if dh_param_bits_def:
server.dh_param_bits = dh_param_bits
if mode_def:
server.mode = mode
if local_networks_def:
server.local_networks = local_networks
if dns_servers_def:
server.dns_servers = dns_servers
if public_address_def:
server.public_address = public_address
if otp_auth_def:
server.otp_auth = otp_auth
if lzo_compression_def:
server.lzo_compression = lzo_compression
if debug_def:
server.debug = debug
if server.type == NODE_SERVER:
if node_host_def:
server.node_host = node_host
if node_port_def:
server.node_port = node_port
if node_key_def:
server.node_key = node_key
server.commit()
for org in server.iter_orgs():
Event(type=USERS_UPDATED, resource_id=org.id)
return utils.jsonify(server.dict())
