From 14c48d7928ae1d8651b7fb52c34c995e7ba262e6 Mon Sep 17 00:00:00 2001
From: Bill Zimmerman
Date: Tue, 7 Jan 2020 09:04:18 +0100
Subject: [PATCH] Created Manual installation (markdown)
---
 Manual-installation.md | 120 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 Manual-installation.md
diff --git a/Manual-installation.md b/Manual-installation.md
new file mode 100644
index 0000000..42e4a80
--- /dev/null
+++ b/Manual-installation.md
@@ -0,0 +1,120 @@
+These steps apply to the latest release of Raspbian (currently [Buster](https://www.raspberrypi.org/downloads/raspbian/)). Notes for previously released versions are provided, where applicable. Start off by installing git, lighttpd, php7, hostapd and dnsmasq.
+```sh
+sudo apt-get install git lighttpd php7.1-cgi hostapd dnsmasq vnstat
+```
+**Note:** for Raspbian Stretch, replace `php7.1-cgi` with `php7.0-cgi`. For Raspbian Jessie and older versions, use `php5-cgi`. After that, enable PHP for lighttpd and restart it for the settings to take effect.
+```sh
+sudo lighttpd-enable-mod fastcgi-php
+sudo service lighttpd restart
+```
+Now comes the fun part. For security reasons, the `www-data` user which lighttpd runs under is not allowed to start or stop daemons, or run commands like ifdown and ifup, all of which we want our page to do.
+So what I have done is added the `www-data` user to the sudoers file, but with restrictions on what commands the user can run. Add the following to the end of `/etc/sudoers`:
+
+```sh
+www-data ALL=(ALL) NOPASSWD:/sbin/ifdown
+www-data ALL=(ALL) NOPASSWD:/sbin/ifup
+www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan_results
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] reconfigure
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] select_network
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start hostapd.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop hostapd.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start dnsmasq.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop dnsmasq.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/openvpn.ovpn /etc/openvpn/client/client.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/authdata /etc/openvpn/client/login.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dnsmasqdata /etc/dnsmasq.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dhcpddata /etc/dhcpcd.conf
+www-data ALL=(ALL) NOPASSWD:/sbin/shutdown -h now
+www-data ALL=(ALL) NOPASSWD:/sbin/reboot
+www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] down
+www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] up
+www-data ALL=(ALL) NOPASSWD:/sbin/ip -s a f label wlan[0-9]
+www-data ALL=(ALL) NOPASSWD:/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/enablelog.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/disablelog.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/servicestart.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/lighttpd/configport.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/openvpn/configauth.sh
+```
+
+Once those modifications are done, git clone the files to `/var/www/html`.
+**Note:** for older versions of Raspbian (before Jessie, May 2016) use
+`/var/www` instead.
+```sh
+sudo rm -rf /var/www/html
+sudo git clone https://github.com/billz/raspap-webgui /var/www/html
+```
+Move the high-res favicons to the web root.
+```
+sudo mv /var/www/html/app/icons/* /var/www/html
+```
+Set the files ownership to `www-data` user.
+```sh
+sudo chown -R www-data:www-data /var/www/html
+```
+Move the RaspAP configuration file to the correct location.
+```sh
+sudo mkdir /etc/raspap
+sudo mv /var/www/html/raspap.php /etc/raspap/
+sudo chown -R www-data:www-data /etc/raspap
+```
+Move the HostAPD logging and service control shell scripts to the correct location.
+```sh
+sudo mkdir /etc/raspap/hostapd
+sudo mv /var/www/html/installers/*log.sh /etc/raspap/hostapd
+sudo mv /var/www/html/installers/service*.sh /etc/raspap/hostapd
+```
+Set ownership and permissions for logging and service control scripts.
+```sh
+sudo chown -c root:www-data /etc/raspap/hostapd/*.sh
+sudo chmod 750 /etc/raspap/hostapd/*.sh
+```
+Add the following lines to `/etc/rc.local` before `exit 0`.
+```sh
+echo 1 > /proc/sys/net/ipv4/ip_forward #RASPAP
+iptables -t nat -A POSTROUTING -j MASQUERADE #RASPAP
+iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE #RASPAP
+```
+Force a reload of new settings in `/etc/rc.local`.
+```sh
+sudo systemctl restart rc-local.service
+sudo systemctl daemon-reload
+```
+Unmask and enable the hostapd service.
+```sh
+sudo systemctl unmask hostapd.service
+sudo systemctl enable hostapd.service
+```
+Move the raspap service to the correct location and enable it.
+```
+sudo mv /var/www/html/installers/raspap.service /lib/systemd/system
+sudo systemctl enable raspap.service
+```
+Copy the configuration files for dhcpcd, dnsmasq, and hostapd.
+```
+sudo mv /var/www/html/config/default_hostapd /etc/default/hostapd
+sudo mv /var/www/html/config/hostapd.conf /etc/hostapd/hostapd.conf
+sudo mv /var/www/html/config/dnsmasq.conf /etc/dnsmasq.conf
+sudo mv /var/www/html/config/dhcpcd.conf /etc/dhcpcd.conf
+sudo mv /var/www/html/config/config.php /var/www/html/includes/
+```
+(Optional) Optimize PHP
+```
+sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' /etc/php/7.1/cgi/php.ini
+sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' /etc/php/7.1/cgi/php.ini
+sudo phpenmod opcache
+```
+Reboot and it should be up and running!
+```sh
+sudo reboot
+```
+
+The default username is 'admin' and the default password is 'secret'.
\ No newline at end of file