FSI/VM_OPENSSL_APACHE.sh

#!/bin/bash

# configuracao
source VM_CONFIG.sh

sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator 
sudo yum install -y mod_session

# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john

# dar acesso ao apache para ler o .google_authenticator
groupadd -f totp
usermod -aG totp apache
usermod -aG totp john

sudo chown apache:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator

if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0

# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3

cp conf/openssl.cnf /etc/pki/tls/

# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR

# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &


# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp

# NOTA(vasco) é preciso desativar home protection outra vez
mkdir -p /etc/systemd/system/httpd.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf
systemctl daemon-reload

# sim, é preciso fazer isto para carregar serviços
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf

# mega paginas webs
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/

systemctl enable --now httpd