From 7716a503b9ba3fa80eacc98db9f3b370942fc7bc Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 13 Oct 2015 13:06:48 +0000
Subject: [PATCH] (captiveportal, new) lighttpd-zone.conf additions

---
 .../OPNsense/Captiveportal/lighttpd-zone.conf | 43 ++++++++++++++-----
 1 file changed, 32 insertions(+), 11 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/Captiveportal/lighttpd-zone.conf b/src/opnsense/service/templates/OPNsense/Captiveportal/lighttpd-zone.conf
index abe6f9928..6699fc345 100644
--- a/src/opnsense/service/templates/OPNsense/Captiveportal/lighttpd-zone.conf
+++ b/src/opnsense/service/templates/OPNsense/Captiveportal/lighttpd-zone.conf
@@ -6,7 +6,7 @@
 {% for intf_tag in item.interfaces.split(',') %}
 {% for conf_key, conf_inf in interfaces.iteritems() %}
 {% if conf_key == intf_tag and conf_inf.ipaddr != 'dhcp' %}
- {% do item.update({'interface_ipaddr':conf_inf.ipaddr}) %}
+ {% do item.update({'interface_hostaddr':conf_inf.ipaddr}) %}
 {% endif %}
 {% endfor %}
 {% endfor %}
@@ -16,16 +16,26 @@
 {% set cp_zone_item = cp_zone_item[0]|default(None) %}
 {% if cp_zone_item != None %}
+ {% if cp_zone_item.servername|default("") != "" %}
+ {% do cp_zone_item.update({'interface_hostaddr':cp_zone_item.servername}) %}
+ {% endif %}
+ {# generate zone redirect address #}
- {% do cp_zone_item.update({'redirect_host':'https://'+cp_zone_item.interface_ipaddr + ':' ~ (cp_zone_item.zoneid|int + 8000) ~ '/index.html?zone=' ~ cp_zone_item.zoneid }) %}
- {% do cp_zone_item.update({'redirect_host_match':cp_zone_item.interface_ipaddr.replace('.','\.') ~ ':' ~ (cp_zone_item.zoneid|int + 8000) }) %}
+ {% if cp_zone_item.certificate|default("") != "" %}
+ # ssl enabled, redirect to https
+ {% do cp_zone_item.update({'redirect_host':'https://'+cp_zone_item.interface_hostaddr + ':' ~ (cp_zone_item.zoneid|int + 8000) ~ '/index.html?zone=' ~ cp_zone_item.zoneid }) %}
+ {% else %}
+ # ssl disabled, redirect to http
+ {% do cp_zone_item.update({'redirect_host':'http://'+cp_zone_item.interface_hostaddr + ':' ~ (cp_zone_item.zoneid|int + 8000) ~ '/index.html?zone=' ~ cp_zone_item.zoneid }) %}
+ {% endif %}
+ {% do cp_zone_item.update({'redirect_host_match':cp_zone_item.interface_hostaddr.replace('.','\.') ~ ':' ~ (cp_zone_item.zoneid|int + 8000) }) %}
-#######################################################
+#############################################################################################
 ### Captive portal zone {{ cp_zone_item.zoneid }} lighttpd.conf BEGIN
 ### -- listen on port {{ cp_zone_item.zoneid|int + 8000 }} for primary (ssl) connections
 ### -- forward on port {{ cp_zone_item.zoneid|int + 9000 }} for plain http redirection
-#######################################################
+#############################################################################################
 #
 #### modules to load
 server.modules = (
     "mod_expire",
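Review bot: The banner comment `### -- listen on port {{ cp_zone_item.zoneid|int + 8000 }} for primary (ssl) connections` is now stale: the new `{% if cp_zone_item.certificate|default("") != "" %}` branch builds an `http://` redirect target when no certificate is configured, so that listener and the portal login it serves are plain http for such zones. Reword it to `### -- listen on port {{ cp_zone_item.zoneid|int + 8000 }} for primary connections (https when a zone certificate is set, otherwise http)` so the generated config states the actual exposure. The `servername` override is also fed into `redirect_host_match` through `.replace('.','\.')`, which escapes only dots; hostnames carry no other regex metacharacters, but a servername that clients cannot resolve before they are authenticated would, as far as the template shows, send them to an unreachable host instead of the interface address, so the setting deserves a note in the zone documentation. The `# ssl enabled, redirect to https` and `# ssl disabled, redirect to http` lines sit inside the Jinja block and are emitted into the rendered lighttpd.conf; `{# ... #}` comments would keep them template-only.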
@@ -69,20 +79,19 @@
 server.bind = "0.0.0.0"
 server.port = {{ cp_zone_item.zoneid|int + 8000 }}
 ##
-#url.rewrite-once = ( "(.*)" => "/index.html?redirurl=$1" )
 $HTTP["host"] !~ "(.*{{cp_zone_item.redirect_host_match}}.*)" {
 $HTTP["host"] =~ "([^:/]+)" {
 url.redirect = ( "^(.*)$" => "{{cp_zone_item.redirect_host}}&redirurl=%1$1")
 }
 }
-## redirect http traffic to https
-$SERVER["socket"] == ":{{ cp_zone_item.zoneid|int + 9000 }}" {
+## redirect http traffic to http(s) main target
+$SERVER["socket"] == ":{{ cp_zone_item.zoneid|int + 9000 }}" {
 $HTTP["host"] =~ "([^:/]+)" {
 url.redirect = ( "^(.*)$" => "{{cp_zone_item.redirect_host}}&redirurl=%1$1")
 }
 }
-$SERVER["socket"] == "[::]:{{ cp_zone_item.zoneid|int + 9000 }}" {
+$SERVER["socket"] == "[::]:{{ cp_zone_item.zoneid|int + 9000 }}" {
 $HTTP["host"] =~ "([^:/]+)" {
 url.redirect = ( "(.*)" => "{{cp_zone_item.redirect_host}}&redirurl=%1$1")
 }
@@ -128,13 +137,25 @@
 index-file.names = ( "index.html" )
 #### disable auto index directory listings
 dir-listing.activate = "disable"
-### ssl.engine = "disable"
+##
 ## ssl configuration
+##
+{% if cp_zone_item.certificate|default("") != "" %}
 ssl.engine = "enable"
-ssl.pemfile = "/var/etc/cert.pem"
+ssl.pemfile = "/var/etc/cert-cp-zone{{cp_zone_item.zoneid}}.pem"
+{# set ca-file if ca is provided #}
+{% for certItem in helpers.toList('cert') %}
+{% if certItem.refid == cp_zone_item.certificate and certItem.caref %}
+ssl.ca-file = "/var/etc/ca-cp-zone{{cp_zone_item.zoneid}}.pem"
+{% endif %}
+{% endfor %}
 ssl.use-sslv2 = "disable"
+ssl.use-sslv3 = "disable"
 ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+{% else %}
+ssl.engine = "disable"
+{% endif %}
 #### compress module
 compress.cache-dir = "/tmp/"
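Review bot: The `{% if cp_zone_item.certificate|default("") != "" %}` guard enables `ssl.engine` as soon as a certificate refid is set, but the only lookup of that refid in `helpers.toList('cert')` happens inside the `ssl.ca-file` loop, so a refid that no longer matches any stored certificate still yields an enabled ssl block pointing at `/var/etc/cert-cp-zone{{cp_zone_item.zoneid}}.pem`; whether that file is still written in that case is not visible here, and if it is not, lighttpd would presumably refuse to start the zone rather than fall back to the plain-http branch. Consider resolving the certificate once before the block and treating a missing match like an empty refid, with a `{# ... #}` comment stating that fallback. The zoneid is also interpolated into the pemfile and ca-file paths without the `|int` filter that every other `zoneid` reference in this template applies; `ssl.pemfile = "/var/etc/cert-cp-zone{{cp_zone_item.zoneid|int}}.pem"` (and the same for `ssl.ca-file`) keeps the paths digit-only and consistent. The unchanged `ssl.cipher-list` context line still admits non-forward-secret RSA suites and `DES-CBC3-SHA`; tightening it is outside this commit but worth a follow-up now that TLS is per-zone.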