<?php
// vim: set ai ts=4 sw=4 ft=php:
// License for all code of this FreePBX module can be found in the license file inside the module directory
// Copyright 2014 Schmooze Com Inc.
//
namespace FreePBX\modules\Certman;
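/**
 * Implements a trivial API for use with Certman
 *
 * Thin wrapper around the Firewall BMO object so Certman can
 *   (a) toggle the firewall's "Responsive LetsEncrypt Rules", and
 *   (b) describe, as a list of operator hints, whether an inbound
 *       LetsEncrypt HTTP-01 challenge on port 80 is likely to reach
 *       this box given the current firewall configuration.
 *
 * Every public method is a no-op (or returns "not available") when the
 * Firewall module is missing or disabled, so callers never need to guard.
 */
class FirewallAPI {
	/** True only when the Firewall module is loadable AND enabled in its settings */
	private $fw = false;
	/** Firewall BMO object; left unset when the module cannot be loaded */
	private $fwobj;

	public function __construct() {
		// Probe the firewall. Loading may fail (module not installed/enabled);
		// that is a normal condition here, not an error, so we swallow it and
		// remain "unavailable". Note: \Exception does not cover \Error, so a
		// genuinely broken Firewall module still surfaces to the caller.
		try {
			$this->fwobj = \FreePBX::Firewall();
			$this->fw = (bool) $this->fwobj->isEnabled();
		} catch (\Exception $e) {
			return;
		}
	}

	/**
	 * Is firewall available on this machine?
	 *
	 * @return bool true when the module loaded and reports itself enabled
	 */
	public function isAvailable() {
		return $this->fw;
	}

	/**
	 * Enable the firewall's "Responsive LetsEncrypt Rules" (no-op without a firewall)
	 *
	 * @return void
	 */
	public function enableLeRules() {
		if ($this->fw) {
			$this->fwobj->enableLeRules();
		}
	}

	/**
	 * Disable the firewall's "Responsive LetsEncrypt Rules" (no-op without a firewall)
	 *
	 * @return void
	 */
	public function disableLeRules() {
		if ($this->fw) {
			$this->fwobj->disableLeRules();
		}
	}

	/**
	 * Summarise how the firewall treats LetsEncrypt challenge traffic.
	 *
	 * Reads the firewall's advanced settings and service definitions and
	 * produces operator-facing hints. In the web UI the hints contain HTML
	 * anchors, so the caller is expected to render them unescaped; on the
	 * CLI they carry Symfony console markup instead.
	 *
	 * @return array {
	 *     service: bool   a dedicated 'letsencrypt' firewall service exists
	 *     ports:   array  ports expected to receive LetsEncrypt traffic
	 *     fwzones: array  zones the dedicated service is open in (empty if
	 *                     the service is disabled or absent)
	 *     lerules: bool   "Responsive LetsEncrypt Rules" are enabled
	 *     hints:   array  human-readable warnings, possibly empty
	 * }
	 */
	public function getLeOptions() {
		$serviceenabled = false;
		$lerules = false;
		$leports = array();
		$fwzones = array();
		$hints = array();
		$brand = \FreePBX::Config()->get("DASHBOARD_FREEPBX_BRAND");
		$cli = php_sapi_name() == 'cli';

		// Firewall module installed/enabled in module admin, and enabled in
		// firewall settings: inspect the actual configuration.
		if ($this->fw) {
			$as = $this->fwobj->getAdvancedSettings();
			$fwservice = $this->fwobj->getService('letsencrypt');
			// Guard the lookups: a missing key is "not enabled", not a notice.
			$lerules = isset($as['lefilter']) && $as['lefilter'] == "enabled";

			if (isset($fwservice['fw'][0]['port'])) {
				// Dedicated LetsEncrypt service: its first port is the LE port.
				$serviceenabled = true;
				$leports[] = $fwservice['fw'][0]['port'];
				if (empty($fwservice['disabled']) && isset($fwservice['zones'])) {
					$fwzones = (array) $fwservice['zones'];
				}
			} else {
				// No dedicated service: collect every port flagged 'leport' on
				// any enabled, non-custom service.
				$allservices = $this->fwobj->getServices();
				unset($allservices['custom']); // ignore custom services
				foreach ($allservices as $services) {
					foreach ($services as $service) {
						$s = $this->fwobj->getService($service);
						if (!empty($s['disabled']) || empty($s['fw'])) {
							continue;
						}
						foreach ($s['fw'] as $fw) {
							if (!empty($fw['leport']) && isset($fw['port'])) {
								$leports[] = $fw['port'];
							}
						}
					}
				}
			}

			// NOTE(review): $brand and the port values below are interpolated
			// into HTML hints without escaping. They originate from admin-set
			// configuration (advanced settings / firewall services), not from
			// the request, so this is treated as trusted; confirm the consumer
			// of 'hints' does not also re-escape, or the anchors would break.
			$asurl = '<a href="?display=firewall&page=advanced&tab=settings" class="alert-link"><em>';
			$servicesurl = '<a href="?display=firewall&page=services&tab=servicestab" class="alert-link"><em>';
			$closeanchor = '</em></a>';

			if (!$lerules) {
				if ($cli) {
					$hints[] = _("<options=bold>Responsive LetsEncrypt Rules</> are not enabled. Enabling <options=bold>Responsive LetsEncrypt Rules</> is recommended. Enable at the command line with '<info>fwconsole firewall lerules enable</>' or within the web interface at <info>Connectivity->Firewall->Advanced->Advanced Settings</>.");
				} else {
					// Exactly four placeholders, so exactly four arguments.
					$hints[] = sprintf(_("%sResponsive LetsEncrypt Rules%s are not enabled. Enabling %sResponsive LetsEncrypt Rules%s is recommended."), $asurl, $closeanchor, $asurl, $closeanchor);
				}
			}

			// Dedicated service exists but is neither covered by responsive
			// rules nor open to the Internet zone: challenges will be dropped.
			if ($serviceenabled && !$lerules && !in_array("external", $fwzones)) {
				if ($cli) {
					$hints[] = _("Internet Zone access is not enabled for the LetsEncrypt Service, make sure public access to the service is available via port 80.\n\nUse <options=bold>Responsive LetsEncrypt Rules</> (recommended) or enable Internet Zone access for the LetsEncypt Service in the web interface at <info>Connectivity->Firewall->Services</info>.");
				} else {
					$hints[] = sprintf(_("Internet Zone access is not enabled for the LetsEncrypt Service, make sure public access to the service is available via port 80. Enable %sResponsive LetsEncrypt Rules%s (recommended) or manually enable LetsEncrypt Service Internet Zone access at %sConnectivity->Firewall->Services%s."), $asurl, $closeanchor, $servicesurl, $closeanchor);
				}
			}

			// Loose in_array on purpose: port values may be int or numeric string.
			if (!in_array(80, $leports)) {
				if ($serviceenabled) {
					$hints[] = sprintf(_("The LetsEncrypt Service is listening on port %s. Using a custom port other than 80 is not officially supported.\n\nThe LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail unless your network redirects incoming port 80 requests to port %s."), $leports[0], $leports[0]);
				} else {
					$hints[] = sprintf(_("%s http services are not listening on port 80. LetsEncrypt using a port other than 80 is not officially supported.\n\nThe LetsEncrypt servers only send challenge queries to port 80. %s http services are currently listening on %s %s. Certificate requests will fail unless your network redirects incoming port 80 requests to a listening http port."), $brand, $brand, count($leports) == 1 ? _("port") : _("ports"), $this->joinPorts($leports));
				}
			}
		}

		// Firewall module installed/enabled in module admin, but disabled in
		// firewall settings.
		if (isset($this->fwobj) && !$this->fw) {
			$hints[] = sprintf(_("The %s Firewall is not enabled."), $brand);
		}
		// Firewall not installed or not enabled: we cannot inspect anything,
		// so remind the operator of the one hard requirement.
		if (!$this->fw) {
			$hints[] = _("The LetsEncrypt servers only send challenge queries to port 80. Certificate requests will fail if public access via port 80 is not available.");
		}

		return array('service' => $serviceenabled, 'ports' => $leports, 'fwzones' => $fwzones, 'lerules' => $lerules, 'hints' => $hints);
	}

	/**
	 * Render a port list for a hint: "80", "80 and 443", "80, 443 and 8080".
	 *
	 * @param array $ports
	 * @return string
	 */
	private function joinPorts(array $ports) {
		// Replace the last ", X" with " and X"; "$1" is a literal back-reference.
		return preg_replace("/,([^,]+)$/", _(" and") . '$1', implode(', ', $ports));
	}
}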