Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option for webgui and ssh to configure management IP #4554

Closed
wants to merge 8 commits into from
Closed

Add option for webgui and ssh to configure management IP #4554

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
2a6026b
system: add "ip" option for webgui and ssh
fraenki Dec 28, 2020
3359a27
fix: correctly display currently relevant input field
fraenki Jan 7, 2021
1f665a4
fix: improve wording in help text
fraenki Jan 7, 2021
f3927a7
fix: improve wording in help text
fraenki Jan 7, 2021
5127322
fix: only use specified management IP
fraenki Jan 24, 2021
1ff1c04
fix: improve wording in Management IP dropdown list
fraenki Jan 24, 2021
40f8e4b
fix: improve wording in WebGUI Management IP dropdown list
fraenki Jan 24, 2021
438b470
fix: improve wording in inline help text
fraenki Jan 24, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
16 changes: 11 additions & 5 deletions src/etc/inc/plugins.inc.d/openssh.inc
View file
Open in desktop
Expand Up @@ -195,11 +195,17 @@ function openssh_configure_do($verbose = false, $interface = '')

$listeners = array();

foreach (interfaces_addresses($interfaces) as $tmpaddr => $info) {
if ($info['scope']) {
/* link-local does not seem to be supported */
continue;
}
/* bind on (all/selected) interfaces or use specified IP */
if (isset($config['system']['ssh']['managementaccess']) &&
$config['system']['ssh']['managementaccess'] === 'ip' &&
isset($config['system']['ssh']['ip'])) {
$listeners[] = $config['system']['ssh']['ip'];
} else {
foreach (interfaces_addresses($interfaces) as $tmpaddr => $info) {
if ($info['scope']) {
/* link-local does not seem to be supported */
continue;
}

if (count($listeners) < 16) {
$listeners[] = $tmpaddr;
Expand Down
19 changes: 13 additions & 6 deletions src/etc/inc/plugins.inc.d/webgui.inc
View file
Open in desktop
Expand Up @@ -66,13 +66,20 @@ function webgui_configure_do($verbose = false, $interface = '')

$listeners = count($interfaces) ? array() : array('0.0.0.0', '::');

foreach (interfaces_addresses($interfaces) as $tmpaddr => $info) {
if ($info['scope']) {
/* link-local does not seem to be supported */
continue;
}
/* bind on (all/selected) interfaces or use specified IP */
if (isset($config['system']['webgui']['managementaccess']) &&
$config['system']['webgui']['managementaccess'] === 'ip' &&
isset($config['system']['webgui']['ip'])) {
$listeners = array($config['system']['webgui']['ip']);
} else {
foreach (interfaces_addresses($interfaces) as $tmpaddr => $info) {
if ($info['scope']) {
/* link-local does not seem to be supported */
continue;
}

$listeners[] = $tmpaddr;
$listeners[] = $tmpaddr;
}
}

chdir('/usr/local/www');
Expand Down
115 changes: 115 additions & 0 deletions src/www/system_advanced_admin.php
View file
Open in desktop
Expand Up @@ -41,6 +41,8 @@
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['webguiinterfaces'] = !empty($config['system']['webgui']['interfaces']) ? explode(',', $config['system']['webgui']['interfaces']) : array();
$pconfig['webguiip'] = !empty($config['system']['webgui']['ip']) ? $config['system']['webgui']['ip'] : null;
$pconfig['webgui_managementaccess'] = !empty($config['system']['webgui']['managementaccess']) ? $config['system']['webgui']['managementaccess'] : null;
$pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
$pconfig['session_timeout'] = !empty($config['system']['webgui']['session_timeout']) ? $config['system']['webgui']['session_timeout'] : null;
$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
Expand All @@ -67,6 +69,8 @@
$pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
$pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sshinterfaces'] = !empty($config['system']['ssh']['interfaces']) ? explode(',', $config['system']['ssh']['interfaces']) : array();
$pconfig['sship'] = !empty($config['system']['ssh']['ip']) ? $config['system']['ssh']['ip'] : null;
$pconfig['ssh_managementaccess'] = !empty($config['system']['ssh']['managementaccess']) ? $config['system']['ssh']['managementaccess'] : null;
$pconfig['ssh-kex'] = !empty($config['system']['ssh']['kex']) ? explode(',', $config['system']['ssh']['kex']) : array();
$pconfig['ssh-ciphers'] = !empty($config['system']['ssh']['ciphers']) ? explode(',', $config['system']['ssh']['ciphers']) : array();
$pconfig['ssh-macs'] = !empty($config['system']['ssh']['macs']) ? explode(',', $config['system']['ssh']['macs']) : array();
Expand Down Expand Up @@ -123,7 +127,9 @@
$config['system']['webgui']['ssl-certref'] != $pconfig['ssl-certref'] ||
$config['system']['webgui']['compression'] != $pconfig['compression'] ||
$config['system']['webgui']['ssl-ciphers'] != $newciphers ||
$config['system']['webgui']['managementaccess'] != $pconfig['webgui_managementaccess'] ||
$config['system']['webgui']['interfaces'] != $newinterfaces ||
$config['system']['webgui']['ip'] != $pconfig['webguiip'] ||
(empty($pconfig['httpaccesslog'])) != empty($config['system']['webgui']['httpaccesslog']) ||
(empty($pconfig['ssl-hsts'])) != empty($config['system']['webgui']['ssl-hsts']) ||
($pconfig['disablehttpredirect'] == "yes") != !empty($config['system']['webgui']['disablehttpredirect']);
Expand All @@ -132,9 +138,16 @@
$config['system']['webgui']['port'] = $pconfig['webguiport'];
$config['system']['webgui']['ssl-certref'] = $pconfig['ssl-certref'];
$config['system']['webgui']['ssl-ciphers'] = $newciphers;
$config['system']['webgui']['managementaccess'] = $pconfig['webgui_managementaccess'];
$config['system']['webgui']['interfaces'] = $newinterfaces;
$config['system']['webgui']['compression'] = $pconfig['compression'];

if (!empty($pconfig['webguiip'])) {
$config['system']['webgui']['ip'] = $pconfig['webguiip'];
} elseif (isset($config['system']['webgui']['ip'])) {
unset($config['system']['webgui']['ip']);
}

if (!empty($pconfig['ssl-hsts'])) {
$config['system']['webgui']['ssl-hsts'] = true;
} elseif (isset($config['system']['webgui']['ssl-hsts'])) {
Expand Down Expand Up @@ -239,6 +252,7 @@
/* always store setting to prevent installer auto-start */
$config['system']['ssh']['noauto'] = 1;

$config['system']['ssh']['managementaccess'] = $pconfig['ssh_managementaccess'];
$config['system']['ssh']['interfaces'] = !empty($pconfig['sshinterfaces']) ? implode(',', $pconfig['sshinterfaces']) : null;
$config['system']['ssh']['kex'] = !empty($pconfig['ssh-kex']) ? implode(',', $pconfig['ssh-kex']) : null;
$config['system']['ssh']['ciphers'] = !empty($pconfig['ssh-ciphers']) ? implode(',', $pconfig['ssh-ciphers']) : null;
Expand Down Expand Up @@ -281,6 +295,12 @@
unset($config['system']['ssh']['port']);
}

if (!empty($pconfig['sship'])) {
$config['system']['ssh']['ip'] = $pconfig['sship'];
} elseif (isset($config['system']['ssh']['ip'])) {
unset($config['system']['ssh']['ip']);
}

if (!empty($pconfig['sshdpermitrootlogin'])) {
$config['system']['ssh']['permitrootlogin'] = true;
} elseif (isset($config['system']['ssh']['permitrootlogin'])) {
Expand Down Expand Up @@ -362,6 +382,41 @@
});
$(".proto").change();

// Show/hide options for WebGUI management access.
$("#webgui_managementaccess").change(function(){
var mgmt_type = 'webgui_managementaccess_' + $(this).val();
$(".webgui_managementaccess_choices").hide();
$("."+mgmt_type).show();
});
$("#webgui_managementaccess").change();

$('#webgui_managementaccess').change(function () {
if ($('#webgui_managementaccess option:selected').val() == 'interfaces') {
$.webgui_managementaccess_warned = 0;
} else if ($.webgui_managementaccess_warned != 1) {
$.webgui_managementaccess_warned = 1;
BootstrapDialog.confirm({
title: '<?= html_safe(gettext('Warning!')) ?>',
message: '<?= html_safe(gettext('Changing the management access configuration of the web GUI may ' .
'prevent you from accessing this page if you continue. It is recommended to keep ' .
'this set to the default unless you know what you are doing.')) ?>',
type: BootstrapDialog.TYPE_WARNING,
btnOKClass: 'btn-warning',
btnOKLabel: '<?= html_safe(gettext('I know what I am doing')) ?>',
btnCancelLabel: '<?= html_safe(gettext('Use the default')) ?>',
callback: function(result) {
if (!result) {
$('#webgui_managementaccess option:selected').prop('selected', false);
$('#webgui_managementaccess').selectpicker('refresh');
fraenki marked this conversation as resolved.
Show resolved Hide resolved
$("#webgui_managementaccess").change();
$.webgui_managementaccess_warned = 0;
}
}
});
}
});
$.webgui_managementaccess_warned = $('#webguiinterface option:selected').val() == 'interfaces' ? 1 : 0;

$('#webguiinterface').change(function () {
if ($('#webguiinterface option:selected').text() == '') {
$.webguiinterface_warned = 0;
Expand All @@ -388,6 +443,14 @@
});
$.webguiinterface_warned = $('#webguiinterface option:selected').length ? 1 : 0;

// Show/hide options for SSH management access.
$("#ssh_managementaccess").change(function(){
var mgmt_type = 'ssh_managementaccess_' + $(this).val();
$(".ssh_managementaccess_choices").hide();
$("."+mgmt_type).show();
});
$("#ssh_managementaccess").change();

<?php
if (isset($restart_webgui) && $restart_webgui): ?>
BootstrapDialog.show({
Expand Down Expand Up @@ -624,6 +687,22 @@ function reloadWaitOld () {
</td>
</tr>
<tr>
<td><a id="help_for_webgui_managementaccess" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Management Access') ?></td>
<td>
<select id="webgui_managementaccess" name="webgui_managementaccess" class="selectpicker">
<option value="interfaces" <?= empty($pconfig['webgui_managementaccess']) || $pconfig['webgui_managementaccess'] === 'interfaces' ? 'selected="selected"' : '';?>>
<?=gettext("Listen on specified interfaces (recommended)");?>
</option>
<option value="ip" <?=$pconfig['webgui_managementaccess'] === 'ip' ? 'selected="selected"' : '';?>>
<?=gettext("Listen on specified IP address");?>
</option>
</select>
<div class="hidden" data-for="help_for_webgui_managementaccess">
<?= gettext('Choose how the WebGUI should be accessible. Use with care.') ?>
fraenki marked this conversation as resolved.
Show resolved Hide resolved
</div>
</td>
</tr>
<tr class="webgui_managementaccess_choices webgui_managementaccess_interfaces">
<td><a id="help_for_webguiinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
<td>
<select id="webguiinterface" name="webguiinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
Expand All @@ -636,6 +715,16 @@ function reloadWaitOld () {
</div>
</td>
</tr>
<tr class="webgui_managementaccess_choices webgui_managementaccess_ip">
<td><a id="help_for_webguiip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Management IP") ?></td>
<td>
<input name="webguiip" type="text" value="<?= $pconfig['webguiip'] ?>"/>
<?=gettext("Web GUI only listen on specified IP address. Use with care."); ?>
<div class="hidden" data-for="help_for_webguiip">
<?= gettext('The WebGUI only listens on the selected IP address. You may need to manually add required firewall rules first. Use with care.') ?>
fraenki marked this conversation as resolved.
Show resolved Hide resolved
</div>
</td>
</tr>
<tr>
<td><a id="help_for_nohttpreferercheck" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("HTTP_REFERER enforcement"); ?></td>
<td>
Expand Down Expand Up @@ -713,6 +802,22 @@ function reloadWaitOld () {
</td>
</tr>
<tr>
<td><a id="help_for_ssh_managementaccess" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Management Access') ?></td>
<td>
<select id="ssh_managementaccess" name="ssh_managementaccess" class="selectpicker">
<option value="interfaces" <?= empty($pconfig['ssh_managementaccess']) || $pconfig['ssh_managementaccess'] === 'interfaces' ? 'selected="selected"' : '';?>>
<?=gettext("Listen on specified interfaces (recommended)");?>
</option>
<option value="ip" <?=$pconfig['ssh_managementaccess'] === 'ip' ? 'selected="selected"' : '';?>>
<?=gettext("Listen on specified IP address");?>
</option>
</select>
<div class="hidden" data-for="help_for_ssh_managementaccess">
<?= gettext('Choose how the SSH service should be accessible. Use with care.') ?>
</div>
</td>
</tr>
<tr class="ssh_managementaccess_choices ssh_managementaccess_interfaces">
<td><a id="help_for_sshinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
<td>
<select name="sshinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
Expand All @@ -725,6 +830,16 @@ function reloadWaitOld () {
</div>
</td>
</tr>
<tr class="ssh_managementaccess_choices ssh_managementaccess_ip">
<td><a id="help_for_sship" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Management IP") ?></td>
<td>
<input name="sship" type="text" value="<?= $pconfig['sship'] ?>"/>
<?=gettext("Only accept connections on the specified IP address. Use with care."); ?>
<div class="hidden" data-for="help_for_sship">
<?= gettext('The SSH service only listens on the specified IP address. You may need to manually add required firewall rules first. Use with care.') ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_sshkex" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key exchange algorithms"); ?></td>
<td>
Expand Down