Browse Source

adding #34

master
Björn 4 years ago
parent
commit
df7645c21e
4 changed files with 167 additions and 2 deletions
  1. +105
    -0
      app/Commands/MariadbClientInstallCommand.php
  2. +55
    -1
      app/Commands/MariadbInstallCommand.php
  3. +6
    -0
      resources/fail2ban/jail.d/mysql-auth.conf
  4. +1
    -1
      resources/nginx/templates/layouts/ssl.blade.php

+ 105
- 0
app/Commands/MariadbClientInstallCommand.php View File

@ -0,0 +1,105 @@
<?php
namespace App\Commands;
use Illuminate\Console\Scheduling\Schedule;
use LaravelZero\Framework\Commands\Command;
use Illuminate\Support\Facades\File;
use App\Facades\Install;
use Hackzilla\PasswordGenerator\Generator\ComputerPasswordGenerator;
use Hackzilla\PasswordGenerator\RandomGenerator\Php7RandomGenerator;
/**
* Install Mariadb Client for Remote Access
*
* @author Björn Hase, Tentakelfabrik
* @license http://opensource.org/licenses/MIT The MIT License
* @link https://gitea.tentakelfabrik.de/Tentakelfabrik/mcp
*
*/
class MariadbClientInstallCommand extends Command
{
/**
* The signature of the command.
*
* @var string
*/
protected $signature = 'mariadb-client:install {remote_user} {remote_host} {version=10.4}';
/**
* The description of the command.
*
* @var string
*/
protected $description = 'Install Mariadb Client and set configuration';
/**
* Execute the console command.
*
* @return mixed
*/
public function handle()
{
$this->info('Mariadb Client install...');
$version = $this->argument('version');
exec('apt update 2>&1', $output);
// @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos
$this->line(implode("\n", Install::filterAptMessages($output)));
if ($version === '10.4') {
$this->info('Mariadb try install 10.04...');
// getting release
$release = Install::getDistributionRelease();
if (Install::getDistributionId() === 'Ubuntu' && ($release === '18.04' || $release === '20.04')) {
$this->info('Mariadb install for Ubuntu '.$release.'...');
$output = [];
exec('apt install -y software-properties-common 2>&1', $output);
exec('apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 2>&1', $output);
exec('add-apt-repository -y "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu '.Install::getDistributionCodename().' main" 2>&1', $output);
exec('apt update 2>&1', $output);
}
}
exec('apt install -y mariadb-client 2>&1', $output);
// @TODO apt add a Warning for no good, in a later version output will be scanned for helpfull infos
$this->line(implode("\n", Install::filterAptMessages($output)));
if (Install::isReady('mariadb-client')) {
if (!is_dir('/etc/mysql/ssl')) {
system('mkdir /etc/mysql/ssl');
}
// getting
system('rsync -rv --include="ca-cert.pem" --include="client-cert.pem" --include="client-key.pem" --exclude="*" '.$this->argument('remove_user').'@'.$this->argument('remove_host').':/etc/mysql/ssl/ /etc/mysql/ssl/');
// checking if certificates are exists from remote server
if (!file_exist('/etc/mysql/ssl/ca-cert.pem') || !file_exist('/etc/mysql/ssl/client-cert.pem') || file_exist('/etc/mysql/ssl/client-key.pem')) {
$this->error('Failed! Certificates not found!');
exit();
}
system('cat >> /etc/mysql/my.cnf << EOF
[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
EOF');
system('chown -R mysql:mysql /etc/mysql/ssl');
system('chmod 644 /etc/mysql/ssl/*cert*');
system('chmod 644 /etc/mysql/ssl/*key*');
} else {
$this->error('Failed! Please check log-file!');
}
}
}

+ 55
- 1
app/Commands/MariadbInstallCommand.php View File

@ -32,7 +32,7 @@ class MariadbInstallCommand extends Command
* *
* @var string * @var string
*/ */
protected $signature = 'mariadb:install {version=10.4}';
protected $signature = 'mariadb:install {version=10.4} {--remote}';
/** /**
* The description of the command. * The description of the command.
@ -123,8 +123,62 @@ class MariadbInstallCommand extends Command
$this->info('Mariadb installing...Success! \o/'); $this->info('Mariadb installing...Success! \o/');
if ($this->option('remote') === true) {
$this->removeAccess();
}
} else { } else {
$this->error('Failed! Please check log-file!'); $this->error('Failed! Please check log-file!');
} }
} }
/**
*
*
*/
private function remoteAccess()
{
$this->info('Mariadb remote...');
system('mkdir -p /etc/mysql/ssl');
$this->info('Generating CA');
system('openssl genrsa 4096 > /etc/mysql/ssl/ca-key.pem');
system('openssl req -new -x509 -nodes -days 365000 -key /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem -subj "/CN='.$name.'-mysql-ca"');
$this->info('Generating Server Certificate');
system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem -subj "/CN='.$name.'-mysql-server"');
system('openssl rsa -in /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-key.pem');
system('openssl x509 -req -in /etc/mysql/ssl/server-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/server-cert.pem');
$this->info('Generating Client Certificate');
system('openssl req -newkey rsa:4096 -days 365000 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem -subj "/CN='.$name.'-mysql-server"');
system('openssl rsa -in /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-key.pem');
system('openssl x509 -req -in /etc/mysql/ssl/client-req.pem -days 365000 -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -set_serial 01 -out /etc/mysql/ssl/client-cert.pem');
$this->info('Validate Certificates');
system('openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem');
system('cat >> /etc/mysql/my.cnf << EOF
[mysqld]
bind-address = 0.0.0.0
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
EOF');
system('chown -R mysql:mysql /etc/mysql/ssl');
system('chmod 644 /etc/mysql/ssl/*cert*');
system('chmod 644 /etc/mysql/ssl/*key*');
system('service restart mariadb');
system('ufw allow mysql');
$this->info('Mariadb remote...Success! \o/');
}
} }

+ 6
- 0
resources/fail2ban/jail.d/mysql-auth.conf View File

@ -0,0 +1,6 @@
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306
logpath = /var/log/mysql/error.log

+ 1
- 1
resources/nginx/templates/layouts/ssl.blade.php View File

@ -28,7 +28,7 @@ server {
ssl_certificate /etc/letsencrypt/live/{{ $domain }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ $domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ $domain }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ $domain }}/privkey.pem;
include /etc/nginx/snippets/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/secure-headers.conf; include /etc/nginx/snippets/secure-headers.conf;
add_header Content-Security-Policy " add_header Content-Security-Policy "


Loading…
Cancel
Save