From 05c387d539e2cef09116a1ac3eb0325c6d679345 Mon Sep 17 00:00:00 2001 From: Zach Brown Date: Sun, 7 Apr 2024 01:46:29 +0000 Subject: [PATCH] First WIP of rework to lighttpd --- RMxxx_rgmii_toolkit.sh | 20 ++++++++------ lighttpd/README.md | 7 +++++ lighttpd/gencert.sh | 4 +++ lighttpd/lighttpd.conf | 47 ++++++++++++++++++++++++++++++++ lighttpd/lighttpd.service | 14 ++++++++++ simplefirewall/simplefirewall.sh | 2 +- sshd/README.md | 10 +++++++ sshd/sshd.service | 20 ++++++++++++++ ttyd/systemd/ttyd.service | 2 +- 9 files changed, 116 insertions(+), 10 deletions(-) create mode 100644 lighttpd/README.md create mode 100644 lighttpd/gencert.sh create mode 100644 lighttpd/lighttpd.conf create mode 100644 lighttpd/lighttpd.service create mode 100644 sshd/README.md create mode 100644 sshd/sshd.service diff --git a/RMxxx_rgmii_toolkit.sh b/RMxxx_rgmii_toolkit.sh index 51bff03..ed22bc1 100644 --- a/RMxxx_rgmii_toolkit.sh +++ b/RMxxx_rgmii_toolkit.sh @@ -302,6 +302,18 @@ configure_simple_firewall() { # Function to install/update Simple Admin install_simple_admin() { + # Check for existing Entware/opkg installation, install if not installed + if [ ! -f "/opt/bin/opkg" ]; then + echo -e "\e[1;32mInstalling Entware/OPKG\e[0m" + cd /tmp && wget -O installentware.sh "https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/$GITTREE/installentware.sh" && chmod +x installentware.sh && ./installentware.sh + if [ "$?" -ne 0 ]; then + echo -e "\e[1;31mEntware/OPKG installation failed. Please check your internet connection or the repository URL.\e[0m" + exit 1 + fi + cd / + else + echo -e "\e[1;32mEntware/OPKG is already installed.\e[0m" + fi while true; do echo -e "\e[1;32mWhat version of Simple Admin do you want to install? This will start a webserver on port 8080\e[0m" echo -e "\e[1;32m1) Stable current version, (Main Branch)\e[0m" 
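Review bot: The Entware bootstrap added at the top of install_simple_admin downloads installentware.sh from a branch ref (`$GITTREE`) and runs it immediately, so nothing checks that the script matches the one that was reviewed. Pinning the URL to a commit hash and checking a digest before the `chmod +x`, for example `echo "<EXPECTED_SHA256>  installentware.sh" | sha256sum -c - || exit 1`, would close that gap. The download also lands under a fixed name in `/tmp`; a `mktemp -d` directory avoids a pre-created file or symlink there. The prompt a few lines below still announces a webserver on port 8080, which no longer matches the lighttpd ports this commit introduces. The function body continues outside the hunk.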
@@ -328,7 +340,6 @@ install_simple_admin() { mkdir $SIMPLE_ADMIN_DIR/www/js cd $SIMPLE_ADMIN_DIR/systemd wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/main/simpleadmin/systemd/simpleadmin_generate_status.service - wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/main/simpleadmin/systemd/simpleadmin_httpd.service sleep 1 cd $SIMPLE_ADMIN_DIR/scripts wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/main/simpleadmin/scripts/build_modem_status @@ -361,11 +372,9 @@ install_simple_admin() { cp -rf $SIMPLE_ADMIN_DIR/systemd/* /lib/systemd/system systemctl daemon-reload sleep 1 - ln -sf /lib/systemd/system/simpleadmin_httpd.service /lib/systemd/system/multi-user.target.wants/ ln -sf /lib/systemd/system/simpleadmin_generate_status.service /lib/systemd/system/multi-user.target.wants/ systemctl start simpleadmin_generate_status sleep 1 - systemctl start simpleadmin_httpd remount_ro echo -e "\e[1;32msimpleadmin has been installed and is now ready for use!\e[0m" break @@ -387,7 +396,6 @@ install_simple_admin() { mkdir $SIMPLE_ADMIN_DIR/www/js cd $SIMPLE_ADMIN_DIR/systemd wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/development/simpleadmin/systemd/simpleadmin_generate_status.service - wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/development/simpleadmin/systemd/simpleadmin_httpd.service sleep 1 cd $SIMPLE_ADMIN_DIR/scripts wget https://raw.githubusercontent.com/$GITUSER/quectel-rgmii-toolkit/development/simpleadmin/scripts/build_modem_status 
@@ -422,11 +430,9 @@ install_simple_admin() { cp -rf $SIMPLE_ADMIN_DIR/systemd/* /lib/systemd/system systemctl daemon-reload sleep 1 - ln -sf /lib/systemd/system/simpleadmin_httpd.service /lib/systemd/system/multi-user.target.wants/ ln -sf /lib/systemd/system/simpleadmin_generate_status.service /lib/systemd/system/multi-user.target.wants/ systemctl start simpleadmin_generate_status sleep 1 - systemctl start simpleadmin_httpd remount_ro echo -e "\e[1;32msimpleadmin has been installed and is now ready for use!\e[0m" break @@ -508,9 +514,7 @@ uninstall_simpleadmin_components() { read -p "Enter your choice (1 or 2): " choice_simpleadmin if [ "$choice_simpleadmin" -eq 1 ]; then echo "Uninstalling the rest of Simpleadmin..." - systemctl stop simpleadmin_httpd systemctl stop simpleadmin_generate_status - rm -f /lib/systemd/system/simpleadmin_httpd.service rm -f /lib/systemd/system/simpleadmin_generate_status.service systemctl daemon-reload rm -rf "$SIMPLE_ADMIN_DIR" diff --git a/lighttpd/README.md b/lighttpd/README.md new file mode 100644 index 0000000..85017ea --- /dev/null +++ b/lighttpd/README.md @@ -0,0 +1,7 @@ +lighttpd +lighttpd-mod-auth +lighttpd-mod-authn_file +lighttpd-mod-cgi +lighttpd-mod-openssl +lighttpd-mod-proxy +printf "USER:$(openssl passwd -crypt PASSWORD)\n" >> .htpasswd diff --git a/lighttpd/gencert.sh b/lighttpd/gencert.sh new file mode 100644 index 0000000..a98208e --- /dev/null +++ b/lighttpd/gencert.sh @@ -0,0 +1,4 @@ +#!/bin/bash +openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \ + -subj "/C=US/ST=MI/L=Romulus/O=RMIITools/CN=localhost" \ + -keyout server.key -out server.crt diff --git a/lighttpd/lighttpd.conf b/lighttpd/lighttpd.conf new file mode 100644 index 0000000..6487a6e --- /dev/null +++ b/lighttpd/lighttpd.conf 
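Review bot: lighttpd/gencert.sh writes `server.key` and `server.crt` into whatever directory it is run from, while lighttpd.conf in this commit loads them from `/usrdata/lighttpd/`. The key is unencrypted (`-nodes`), and depending on the OpenSSL build its file mode may follow the caller's umask. I would put `umask 077` before the `openssl req` call and use absolute paths, `-keyout /usrdata/lighttpd/server.key -out /usrdata/lighttpd/server.crt`. The subject is `CN=localhost` with no subjectAltName, so the certificate presumably never matches the address the device is browsed at; `-addext "subjectAltName=IP:<LAN_ADDRESS>"` would let clients trust it by name instead of getting used to clicking through a mismatch warning.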
@@ -0,0 +1,47 @@
+server.modules = (
+ "mod_redirect",
+ "mod_cgi",
+ "mod_proxy",
+ "mod_openssl",
+ "mod_authn_file",
+)
+
+server.username = "nobody"
+server.groupname = "nogroup"
+
+server.port = 80
+server.document-root = "/usrdata/simpleadmin/www"
+index-file.names = ( "index.html" )
+
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/usrdata/lighttpd/.htpasswd"
+
+$SERVER["socket"] == "0.0.0.0:443" {
+ ssl.engine = "enable"
+ ssl.privkey= "/usrdata/lighttpd/server.key"
+ ssl.pemfile= "/usrdata/lighttpd/server.crt"
+ ssl.acme-tls-1 = "/etc/lighttpd/dehydrated/tls-alpn-01"
+ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # (lighttpd 1.4.56 default; recommended to accept only TLSv1.2 and TLSv1.3)
+ auth.require = ( "/" => (
+ "method" => "basic",
+ "realm" => "Authorized users only",
+ "require" => "valid-user"
+ )
+ )
+}
+
+# Redirect everything to https
+$HTTP["scheme"] == "http" {
+ url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+}
+
+# Anything in /cgi-bin will be run as a script
+$HTTP["url"] =~ "/cgi-bin/" {
+ cgi.assign = ( "" => "" )
+}
+
+# Handle proxy to ttyd if it's running
+$HTTP["url"] =~ "(^/ttyd)" {
+ proxy.header = ("map-urlpath" => ( "/ttyd" => "/" ), "upgrade" => "enable" )
+ proxy.server = ( "" => ("" => ( "host" => "127.0.0.1", "port" => 8443 )))
+}
diff --git a/lighttpd/lighttpd.service b/lighttpd/lighttpd.service
new file mode 100644
index 0000000..a40c389
--- /dev/null
+++ b/lighttpd/lighttpd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Lighttpd Daemon
+After=network.target
+
+[Service]
+Type=simple
+PIDFile=/opt/var/run/lighttpd.pid
+ExecStartPre=/opt/sbin/lighttpd -tt -f /usrdata/lighttpd/lighttpd.conf
+ExecStart=/opt/sbin/lighttpd -D -f /usrdata/lighttpd/lighttpd.conf
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/simplefirewall/simplefirewall.sh b/simplefirewall/simplefirewall.sh
index 47394bc..f208465 100644
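Review bot: `server.modules` in lighttpd/lighttpd.conf loads `mod_authn_file` but not `mod_auth`. As far as I know `auth.backend` and `auth.require` are mod_auth directives that lighttpd reports as unknown config keys and ignores when that module is absent, which would leave the CGI scripts and the `/ttyd` proxy reachable without a password. Add `"mod_auth",` to the list, ahead of `"mod_cgi"` and `"mod_proxy"` so the check runs before either handler, and confirm that an unauthenticated request gets a 401. The CGI condition `$HTTP["url"] =~ "/cgi-bin/"` is unanchored, so it matches any path containing that segment; `"^/cgi-bin/"` limits execution to the intended directory. The `.htpasswd` recipe in lighttpd/README.md uses `openssl passwd -crypt`, which is DES crypt and only considers the first eight characters of the password; `-apr1` or `-6` is a better choice if the backend build accepts it.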
--- a/simplefirewall/simplefirewall.sh +++ b/simplefirewall/simplefirewall.sh @@ -1,7 +1,7 @@ #!/bin/bash # Define the ports you want to block -PORTS=("80" "8080" "8088" "443") # Default ports, will be modified by the install script +PORTS=("80" "443") # Default ports, will be modified by the install script # First, allow specified ports on bridge0, eth0, and tailscale0 for port in "${PORTS[@]}"; do diff --git a/sshd/README.md b/sshd/README.md new file mode 100644 index 0000000..64656a0 --- /dev/null +++ b/sshd/README.md @@ -0,0 +1,10 @@ +# Generate Host Keys +ssh-keygen -A + +# Must edit in /opt/etc/ssh/sshd_config +PasswordAuthentication yes +UsePAM yes +PermitRootLogin yes + +# Need to add ssh user in /opt/etc/passwd +sshd:x:106:65534:Linux User,,,:/opt/run/sshd:/bin/nologin diff --git a/sshd/sshd.service b/sshd/sshd.service new file mode 100644 index 0000000..799bd33 --- /dev/null +++ b/sshd/sshd.service @@ -0,0 +1,20 @@ +[Unit] +Description=OpenBSD Secure Shell server +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target + +[Service] +ExecStartPre=/opt/usr/sbin/sshd -t +ExecStart=/opt/usr/sbin/sshd -D +ExecReload=/opt/usr/sbin/sshd -t +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartPreventExitStatus=255 +Type=notify +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 + +[Install] +WantedBy=multi-user.target +Alias=sshd.service diff --git a/ttyd/systemd/ttyd.service b/ttyd/systemd/ttyd.service index 36280b8..225fd68 100644 --- a/ttyd/systemd/ttyd.service +++ b/ttyd/systemd/ttyd.service @@ -5,7 +5,7 @@ After=network.target [Service] Type=simple ExecStartPre=/bin/sleep 5 -ExecStart=/usrdata/ttyd/ttyd -p 443 -t 'theme={"foreground":"white","background":"black"}' -t fontSize=25 --writable /usrdata/ttyd/scripts/ttyd.bash +ExecStart=/usrdata/ttyd/ttyd -i 127.0.0.1 -p 8088 -t 'theme={"foreground":"white","background":"black"}' -t fontSize=25 --writable /usrdata/ttyd/scripts/ttyd.bash Restart=on-failure [Install]
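Review bot: Dropping `"8080"` and `"8088"` from `PORTS` in simplefirewall/simplefirewall.sh assumes nothing listens on them any more. The uninstall path in RMxxx_rgmii_toolkit.sh in this same commit no longer stops or removes `simpleadmin_httpd`, so a device upgraded from an earlier install may keep that unit serving (presumably on 8080) after the firewall stops covering the port. Port 22 for the new sshd unit is not in the list either. The rules built from `PORTS` are outside the hunk, so how an unlisted port is treated should be confirmed; if unlisted ports stay open, keep `"8080"` until the old unit is cleaned up and add `"22"`.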
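Review bot: sshd/sshd.service declares `Type=notify`, which only works if the Entware sshd binary sends a readiness notification to systemd; if it does not, the start job will time out and `Restart=on-failure` will loop it. `Type=simple` with the existing `-D` is the safer choice unless notify support is confirmed. The unit also brings up sshd with the settings sshd/README.md prescribes, `PermitRootLogin yes` and `PasswordAuthentication yes`, and nothing in the commit limits where it listens. A `ListenAddress` entry for the LAN address in `/opt/etc/ssh/sshd_config`, or `PermitRootLogin prohibit-password` with key-based login, would reduce exposure to password guessing.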
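Review bot: The new `ExecStart` in ttyd/systemd/ttyd.service binds ttyd to `127.0.0.1` port `8088`, but the `/ttyd` proxy block added in lighttpd/lighttpd.conf forwards to port `8443`, so the proxied terminal will not connect as committed. One of the two has to change, for example `"port" => 8088` in `proxy.server`. With `--writable` and no credential option on the ttyd command line, the shell is protected only by lighttpd's basic auth, so check that `/ttyd` returns 401 without credentials before this ships.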