Using `$(INSTALL_CONF)` will cause the program has no access to
configurations file when someone enabled the selinux support.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Xray now is no longer planning to keep compatibility with original
v2ray. Remove PROVIDES before it is totally broken.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
From mosquitto 2.x, port became optional and deprecated in the config,
and it was recommended that listeners be used instead. Drop the hard
requirement in our config conversion script.
Reported in: https://github.com/openwrt/packages/issues/15506
Signed-off-by: <karlp@etactica.com>
Maintainer: @neheb / @BKPepe / @zhanhb
Compile tested: ipq806x, generic, netgear_r7800, master
Run tested: ipq806x, generic, netgear_r7800, openwrt-19.07
Description:
Squid now only support HTTPS proxy in TCP tunnel mode (e.g. `ssl_bump splice all`):
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
ssl_bump splice all
In order to operate in SSL Bump mode, we need to compile with `--enable-ssl-crtd` for following configuration:
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /car/cache/squid/ssl_db -M 4MB
ssl_bump stare all
ssl_bump bump all
This PR switch the `SQUID_enable-ssl-crtd` into `default y`, therefore default enable SSL Bump mode.
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
Staging certificates have the advantage that their retry limits are loose.
Therefore they can be obtained quickly when automatic retries are used.
Unfortunately they can not be used for deployments because their CA is not
accepted by clients. Production certificates do not have this limitation, but
their retry limits are strict. For production certificates, automatic retries
can only be performed a few times per hour. This makes automatic obtainment of
certificates tenacious.
With use_auto_staging=1, the advantages of the two certificate types are
combined. Uacme will first obtain a staging certificate. When the staging
certificate is successfully obtained, uacme will switch and obtain a production
certificate. Since the staging certificate has already been successfully
obtained, we can ensure that the production certificate is successfully
obtained in the first attempt. This means that "retries" are performed on the
staging certificate and the production certificate is obtained in the first
attempt.
In summary, this feature enables fast obtaining of production certificates when
automatic retries are used.
By default, this feature is set to use_auto_staging=0, which means that
uacme will behave as before by default.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
With this commit, issue_cert() can be called multiple times alternating
between staging and production certificates within a script.
Before this commit, the production state dir was stored in $STATE_DIR.
But in the case of $use_staging=1, this variable was overwritten in
issue_cert() with $STAGING_STATE_DIR. This made it impossible to call
issue_cert() with $use_staging=0 afterwards. Now the production state
dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden
anymore and issue_cert() can be called multiple times alternating with
production and staging.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
The get_bool() functionality was already merged to lib/functions.sh, so
it is redundant in the init script. Remove it.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the key are now adviced to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* lots of fixes for many subsystems
* new messenger group chat service
* 'abd' temporarily removed due to upstream issue
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes two related security vulnerabilities (CVE-2020-15078) which
under very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup. In combination with "--auth-gen-token" or
a user-specific token auth solution it can be possible to get access to
a VPN with an otherwise-invalid account.
OpenVPN 2.5.2 also includes other bug fixes and improvements.
Add CI build test script.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* add a "whitelist only" mode, this option allows to restrict Internet
access from/to a small number of secure websites/IPs, and block access
from/to the rest of the Internet.
Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is largely based on the work from Daniel Dickinson in
PR #2096 which was never merged. I tweaked it in a number of ways.
All bugs with this package are mine, not his.
Signed-off-by: Aaron Curley <accwebs@gmail.com>
* support the RPZ trigger 'RPZ-CLIENT-IP' to always allow/block certain
clients based on their IP (currently only supported by bind!)
* avoid promiscuous mode in tcpdump setup for adblock reporting
* speed up dns report preparation
* support dns report mailing (/etc/init.d/adblock report mail)
* fix bind autodetection
* update LuCI-frontend (separate PR)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
NLS means Native Language Support and when you have it enabled (it is
not default), clamav can not be compiled as it shows following error:
Package clamav is missing dependencies for the following libraries:
libiconv.so.2
Also, it is required that package libiconv-full is compiled first/before
than clamav and then try to compile clamav.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
/etc/profile.d/50-openvpn-easy-rsa.sh was not listed as configfile
and changes were lost during upgrades.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libseccomp can't be built on ARC, so we must disable the option here as
well. A different fix was first proposed by @zxlhhyccc in #15377.
Fixes: #15313
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add patch fixing compilation without deprecated OpenSSL APIs.
Fix installation. This never worked as the section was misnamed.
Updated tool names.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
chacha20policy1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This patch prevents multiple cron jobs from being created to run the
safe-search-maintenance script.
To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Rework the bonding.sh protocol handler to accept slave interface names
encoded in uci list notation. Also replace ifconfig up/down with ip
link calls while we're at it.
Fixes: #11455
Fixes: https://github.com/openwrt/luci/issues/4473
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MacOS ignores Bonjour services for which TXT records are not returned. This changes forces umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances
could be remotely DoS'd by authenticated clients.
Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
CVE number has not yet been assigned.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let'sEncrypt.
The waiting pause is:
- 2 minutes for staging certificates
- 24 minutes for production certificates
The current "Failed Validation" rate limits of Let'sEncrypt are:
- staging: 60 per hour -> 1 failure every 1 minute in avg.
- production: 5 per hour -> 1 failure every 12 minutes in avg.
This means that we are within rate limits by a factor of two.
By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.
This feature is helpful, when you already want to initiate the
certificate request, but you are still waiting for your dns server to be
configured, your network to appear or other conditions.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
Before this commit, issue_cert always returned 1 no matter if uacme
returned 1, 2, 3, ... With this commit, the return code of the uacme
binary is propagated. Therefore the caller of issue_cert can
differentiate between "no renew necessary" and "an error occurred".
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With this commit, the run-acme script can be included into other scripts
by setting INLCUDE_ONLY=1.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
netifyd supports a '-F' filter option in 'bpf' notation to filter
packets from its consideration.
Add support for a uci 'filter' option. eg. filter to exclude SSDP
multicasts from a particularly noisy device:
option filter 'not (udp and dst 239.255.255.250 and dst port 1900 and src 192.168.1.5)'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Even it's only cosmetic and should not affect the function of regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Since v1.4.1, Xray has introduced a new feature to transfer data via
browsers, which can disguise itself as a normal browser to cheat
network censorship.
For more details, see https://github.com/XTLS/Xray-core/pull/421.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
