module "/pliant/util/crypto/rsa.pli"
module "/pliant/util/crypto/legal.pli"
module "/pliant/admin/file.pli"
module "/pliant/language/context.pli"
module "/pliant/fullpliant/this_computer.pli"
module "/pliant/fullpliant/user.pli"
module "/pliant/protocol/dns/name.pli"
module "site.pli"
module "/pliant/language/stream.pli"
module "/pliant/util/network/ping.pli"
module "/pliant/util/encoding/base64.pli"
requires "browse_configuration"
title "Sites administration"
para
note "HTTP and FTP global settings for this computer"
read_only not allowed:"administrator"
title "This computer HTTP and FTP settings"
header "HTTP settings"
table columns 3 border 0
cell [HTTP service:]
cell
fixed [Yes]
cell [We always run the HTTP server because we need it to remote configure the server.]
cell [Secured connections:]
cell
fixed [Yes]
cell [We always listen for secured connections on TCP port 580 because it's unsafe to remote configure using a clear text connection.]
cell [Log file:]
cell
var Str log := this_computer "pliant" "http" "log"
input "" log length 30 noeol
cell [If not empty, all dialogs with HTTP clients connecting to this HTTP server will be logged in the specifyed file.]
cell [TCP port:]
cell
var Str port := this_computer "pliant" "http" "port"
input "" port length 4 noeol
cell [The default TCP port for the HTTP server is 80, but you can force it.]
header "FTP settings"
table columns 3 border 0
cell [FTP service:]
cell
var Str ftp := this_computer "pliant" "ftp" "service"
select "" ftp
option "Yes" "true"
option "No" "false"
cell [Should we run the FTP service on this server ?]
if allowed:"administrator"
button "Update"
this_computer "pliant" "http" "log" := log
this_computer "pliant" "http" "port" := port
this_computer "pliant" "ftp" "service" := ftp
goto_backward
table columns 4
cell header
[Site name]
cell header
[Status]
cell header
[Abstract]
cell
void
each s site
var Str id := keyof s
if (s:computer="" or s:computer=computer_fullname) and s:area:size>0
cell color (color hsl 120 25 80)
link id "http://"+id+"/"
if (id search ":" -1)<>(-1)
eol ; highlight "you should not specify "+(id (id search ":" id:len) id:len)
eif s:computer="" or s:computer=computer_fullname
cell color (color hsl 120 10 80)
link id "http://"+id+"/"
if (id search ":" -1)<>(-1)
eol ; highlight "you should not specify "+(id (id search ":" id:len) id:len)
else
cell
link id "http://"+id+"/"
if (id search ":" -1)<>(-1)
eol ; highlight "you should not specify "+(id (id search ":" id:len) id:len)
cell
small
text s:root
if s:computer<>""
text "[lf]on "+s:computer
var Int bits := rsa_nbbits s:public_key
if bits=defined
if site_secret_database:data:site:id:private_key<>""
bold
text "[lf]"+string:bits+" bits"
if (site_secret_database:data:site:id:private_key parse word:"rsa" _ any:(var Str part1a) _ any) and (s:public_key parse word:"rsa" _ any:(var Str part1b) _ any) and part1a<>part1b
fixed [ ] ; highlight "key is corrupted !"
else
font color (color hsl 0 0 50)
text "[lf]"+string:bits+" bits"
cell
text s:abstract
if s:docurl<>""
small
eol ; link "Site extensive technical documentation" s:docurl
cell
page button "Edit"
read_only not allowed:"administrator"
title "Site '"+id+"'"
table columns 3 border 0
cell
[Site name:]
cell
fixed text:id
cell
[The site name is the name a client on the internet will use to connect to the site: an example can be] ; fixed [ art.pliant.cx ] ; eol
cell
[Serveur name:]
cell
input "" s:computer
cell
[The full name (including the domain) of the server running the site. An example could be] ; fixed [ server1.pliant.cx] ; eol
[If you leave this field blank, it means that the site runs on all your servers.] ; eol
cell
[IP and port:]
cell
input "" s:ip length 15 noeol ; input " " s:port length 5
cell
[The IP address and the port the site serveur is using.] ; eol
[Most of you can leave this field blank.] ; eol
note "more details"
title "IP and port fields"
para
[When a client connects to an HTTP server, it should provide a 'Host' information in the header of the HTTP request, telling the server the name of the site it expects to connect to. ]
[Very old or nonstandard browsers may not provide this information. In such a case, the TCP socket IP and port will be used to decide, if possible, the site the client is connecting to. ]
[It will possible to safely decide if and only if one site only in the database has the correponding IP and port.] ; eol
[So, if you don't specify an IP and port, stupid browser will not be abble to connect to your site.]
para
[If you use ] ; link "FullPliant" "/pliant/linux/fullpliant/" ; [ distribution, then if the IP of the web site is specifyed, it will be used to set the IP of the web site in the DNS server. ]
[If no IP is specifyed, then the IP of the computer specifyed in the 'Server name' field will be used.]
cell
[Forward:]
cell
input "" s:forward
cell
[A request will be automatically forwarded to the specified destination.] ; eol
[An example could be:] ; eol
fixed [tcp://mycomputer.mydomain.org/client/8080]
cell
[Protocol:]
cell
select "" s:protocol
|
option "All" ""
|
option "" ""
|
option "HTTP" "HTTP"
option "FTP" "FTP"
option "proxy" "proxy"
cell
[If you don't select 'All', then the site can be accessed only using the specifyed protocol.]
cell
[From IPs:]
cell
input "" s:from_ip
cell
[Restricts the set of IPs allowed to use the service. Sample value could be] ; fixed [ 10.0.0.0/255.0.0.0]
cell
[Public key:]
cell
input "" s:public_key length 30 noeol
if allowed:"administrator"
button "Generate"
title "Generate a public/private key pair for '"+id+"'"
var Int bits := min max_legal_key_bits 1024
input "Number of bits: " bits length 4 noeol
button "Generate now"
var DateTime start := datetime
rsa_generate "site:"+id bits ""
console "generated a " bits " bits key in " datetime:seconds-start:seconds " seconds." eol
goto_backward
if max_legal_key_bits<10000
para
[This software cannot generate more than ] ; text string:max_legal_key_bits ; [ bits keys. ]
[If you live in a country where cryptography is not restricted, then you should make your own version of the software through changing the ] ; link "/pliant/util/crypto/legal.pli" "/pliant/util/crypto/legal.pli"; [ source module.]
para
[Generating a long key pair will take a very long time. ]
[Let's say one hour for a 1024 bits key on a 300Mhz computer. ]
[If the key length is double, then the consumed time will be roughly multiplyed by five.]
para
[The public key will be stored in] ; fixed [ security:/site.pdb ] ; [database file (] ; fixed (text file_os_name:"security:/site.pdb"+" ") ; [ system file on this computer), ]
[and the private key will be stored in] ; fixed [ security:/site_key.pdb ] ; [database file (] ; fixed (text file_os_name:"security:/site_key.pdb"+" ") ; [ system file on this computer).] ; eol
[You can publish the] ; fixed [ security:/site.pdb ] ; [file, but have to keep the] ; fixed [ security:/site_key.pdb ] ; [file secret.] ; eol
table columns 1 border 0
cell color (color hsl 0 10 80)
[Anybody that knows or can read the content of] ; fixed [ security:/site_key.pdb ] ; [file can bypass the Pliant HTTP server security mechanism, can probably also corrupt the all server content, and can make clients believe that one of his systems is this HTTP server.]
var Int bits := rsa_nbbits s:public_key
if bits=defined
small
eol ; [The current key is ] ; text string:bits ; [ bits wild.]
cell
[The server key is used to prove the server identity to the clients connecting to it an so prevent from DNS corruption and session spoofing.] ; eol
[You need to generate a key if you want to enable clients to securely connect to the server using ] ; link "Pliant secured proxy" "/pliant/protocol/http/" section "security" ; [.]
cell
[Site root path:]
cell
input "" s:root length 40
cell
[Keep in mind that a Pliant path starting with] ; fixed [ / ] ; [is specifying a directory within Pliant tree. If you want to specify a directory outside Pliant tree, it must start with] ; fixed [ file:/] ; eol
[Futhermore, a Pliant path must end with a] ; fixed [ /]
cell
[Style:]
cell
input "" s:style length 40
cell
[The style will define the vocabulary that you can use in .page dynamic pages.] ; eol
small
[The default is] ; fixed [ /pliant/protocol/http/style/default.style ] ; [and is defined ] ; link "here" "/pliant/protocol/http/page"
cell
[Style options:]
cell
text_input "" s:style_options columns 60 rows 10
cell
[Enables you to customize the style.] ; eol
note "more details"
execute_dynamic_page "/pliant/protocol/http/style/default_customize.html"
|
cell
[Default page:]
cell
input "" s:default length 40
cell
[What virtual tree page will be called if the requested URL does not resolve.] ; eol
[The true file extension is .page, but here you have to use .html anyway.]
|
table columns 2 border 0
cell [Abstract:]
cell (text_input "" s:abstract rows 5 columns 60)
|
table columns 10
|
table columns 8
|
cell header [Area ID]
cell header [Path]
|
cell header [Extension]
cell header [Mode]
|
cell header [Read]
cell header [Write]
cell header [Root path]
cell header [Style]
cell header [Style options]
cell header [Forward]
cell header
small
[Must be unique, but does not have any meaning.]
cell header
small
[A path must end with a] ; fixed [ / ] ; [sign.]
cell header
small
|
[If specifyed, only files with the corresponding extension are concerned.] ; eol
[An extension is something like] ; fixed [ .jpeg]
cell header
void
cell header
small
|
[The right a user need to own in order to access the area.] ; eol
[An empty field means that the operation is not allowed, except for the server administrator.] ; eol
[If a user is granted the right you specify here, then he will also be granted 'read' special right.] ; eol
link "more details" "/pliant/protocol/http/" section "security"
cell header
small
[The right a user need to own in order to upload (change) files in the area.] ; eol
[If a user is granted the right you specify here, then he will also be granted 'write' special right.]
cell header
small
[If specifyed, this area will not use the general site root path.]
cell header
small
[If specifyed, this area will not use the general site style.]
cell header
small
[Will add extra options that are specific to this area.]
|
cell void
|
cell header
small
[If specified, the connection will be forwarded to the specified remote TCP port.]
|
var CBool ok := false
each a s:area
|
if a:path="/" and a:extension="" and a:read<>""
|
if a:path="/" and a:read<>""
|
ok := true
cell
text keyof:a
cell
input "" a:path length 30
cell
|
input "" a:extension length 6
cell
select "" a:mode
option "" ""
option "Static" "static"
option "Dynamic" "dynamic"
option "Open" "open"
cell
|
input "" a:read length 16 noeol
note "*"
title "List of users with '"+a:read+"' right"
table columns 4
cell header [User]
cell header [Authentification mechanism]
cell header [Client IP]
cell header [Computers names]
each u user
each r u:right
if r:right=a:read
read_only
cell (text keyof:u)
cell
select "" r:auth
option "None" "0"
option "Clear password" "1"
option "Chalenge password" "2"
option "Strong crypto" "3"
cell
input "" r:ip length 16
cell
input "" r:server length 16
if a:read="read" or a:read="write"
eol ; highlight "You should not use 'read' or 'write' in configuration tables."
cell
input "" a:write length 16
if a:write="read" or a:write="write"
highlight "You should not use 'read' or 'write' in configuration tables."
cell
input "" a:root
cell
input "" a:style
cell
text a:style_options
if a:style_options<>""
eol
button "edit"
title "Style options for site '"+keyof:s+"' area '"+keyof:a+"'"
text_input "Style options: " a:style_options columns 80 rows 15
button "update"
goto_backward
cell
input "" a:forward
if not ok
[You have to create at least one area with path] ; fixed [ / ] ; [and with a non blank read right.] ; eol
if allowed:"administrator"
input "Area ID: " (var Str aid) noeol
button "Create the new area" noeol
s:area create aid
reload_page
button "Delete the area"
s:area delete aid
reload_page
button "Update site informations"
goto_backward
if allowed:"administrator"
input "Site name: " (var Str sid) noeol
button "Create the new site" noeol
site create sid
reload_page
button "Delete the site"
site delete sid
site_secret_database:data:site delete sid
reload_page
page button "Test strong crypto access"
var Str host := sid
var CBool ok := true
if user_secret_database:data:user:user_name:private_key=""
text "You have no private key !" ; eol
ok := false
eif user:user_name:public_key=""
text "You have no public key !" ; eol
ok := false
if site:host:public_key<>"" and name_database:data:host:host:public_key<>""
text "'"+host+"' is defined both as a web site and as a host in the name database !" ; eol
ok := false
eif site:host:public_key="" and name_database:data:host:host:public_key=""
text "This computer does not know '"+host+"' public key !" ; eol
ok := false
if net_ping:host=failure
text "Cannot access '"+host+"' through the network !" ; eol
ok := false
else
var Int port := name_database:data:host:host:http_port
(var Stream tcp) open "tcp://"+host+"/client/"+(string 500+(shunt port=defined port 80)) in+out+safe
if tcp=failure
text "Secured HTTP server service is not running on "+host+" !" ; eol
ok := false
if tcp=success
tcp writeline "server-site: "+base64_encode:host
tcp writeline "client-user: "+base64_encode:user_name
tcp writeline "query-server-key"
tcp writeline "query-client-key"
tcp writeline ""
while { var Str l := tcp readline ; l<>"" }
l parse "server-key" ":" any:(var Str server_public_key)
l parse "client-key" ":" any:(var Str client_public_key)
if server_public_key=site:host:public_key or server_public_key=name_database:data:host:host:public_key
void
eif site:host:public_key="" and name_database:data:host:host:public_key=""
text host+" says that it's public key is: " ; eol
fixed text:server_public_key ; eol
eif server_public_key=""
text "'"+host+"' does not have a public key !"
ok := false
else
text "The public key of '"+host+"' on this computer seems to be wrong !" ; eol
text "'"+host+"' says that it's public key is: " ; eol
fixed text:server_public_key ; eol
ok := false
if client_public_key=user:user_name:public_key
void
eif user:user_name:public_key=""
void # this computer has no public key
eif client_public_key=""
text "'"+host+"' does not know your public key !"
ok := false
else
text "Your public key on '"+host+"' is wrong !" ; eol
text "The right one is: " ; eol
fixed (text user:user_name:public_key) ; eol
ok := false
if ok
[Everything seems to be ok.]
para
[The site name is the name you use in the browser to connect to it, without the port number.] ; eol
[As an example, if the URL of the site is] ; fixed [ http://art.pliant.cx/ ] ; [then the name of the site is] ; fixed [ art.pliant.cx ]
[and if the URL of the site is] ; fixed [ http://mysite.mycorp.com:8080/ ] ; [then the name of the site is] ; fixed [ mysite.mycorp.com] ; eol
para
table columns 2 border 0
cell
table columns 1
cell color (color hsl 120 25 80)
fixed [ ]
cell
[A site with light green ground is a site that can be accessed on this computer.] ; eol
[You should carrefully check it's various areas definition in order to verify that it does not introduce security holes on the computer.]
cell
table columns 1
cell color (color hsl 120 10 80)
fixed [ ]
cell
[A site with dull green ground is a site that can be accessed on this computer, but only by users having administrator rights and using Pliant secured channel.]
if allowed:"administrator"
var CBool migrate := false
each s site
if s:computer=keyof:s
migrate := true
if migrate
para
page button "Migrate hosts definitions to the names database"
each s site
if s:computer=keyof:s
name_database:data:host create keyof:s
var Data:NameHost h :> name_database:data:host keyof:s
h public_key := s public_key
h http_port := shunt s:port=defined s:port (cast 80 Int)
name_secret_database:data:host create keyof:s
var Data:NameSecret hs :> name_secret_database:data:host keyof:s
hs private_key := site_secret_database:data:site:(keyof s) private_key
site delete keyof:s
site_secret_database:data:site delete keyof:s
reload_page
|