Merge branch 'development' into copilot/fix-b5adb213-37cc-4cb3-b094-28ab67b1773a

Signed-off-by: Dominik <[email protected]>

Author: DL6ER

src/api/docs/content/specs/config.yaml

@@ -431,6 +431,8 @@ components:
                   properties:
                     cert:
                       type: string
+                    validity:
+                      type: integer
                 paths:
                   type: object
                   properties:
@@ -769,6 +771,7 @@ components:
               restore: true
             tls:
               cert: "/etc/pihole/tls.pem"
+              validity: 47
             paths:
               webroot: "/var/www/html"
               webhome: "/admin/"

src/args.c

@@ -417,12 +417,16 @@ void parse_args(int argc, char *argv[])
 			printf(" RSA with domain: %s --gen-x509 /etc/pihole/tls.pem nanopi.lan rsa\n", argv[0]);
 			exit(EXIT_FAILURE);
 		}
+		// Read config
+		readFTLconf(&config, false);
+
 		// Enable stdout printing
 		cli_mode = true;
 		log_ctrl(false, true);
+
 		const char *domain = argc > 3 ? argv[3] : "pi.hole";
 		const bool rsa = argc > 4 && strcasecmp(argv[4], "rsa") == 0;
-		exit(generate_certificate(argv[2], rsa, domain) ? EXIT_SUCCESS : EXIT_FAILURE);
+		exit(generate_certificate(argv[2], rsa, domain, config.webserver.tls.validity.v.ui) ? EXIT_SUCCESS : EXIT_FAILURE);
 #else
 		printf("Error: FTL was compiled without TLS support. Certificate generation is not available.\n");
 		exit(EXIT_FAILURE);

src/config/config.c

@@ -1045,8 +1045,8 @@ void initConfig(struct config *conf)
 	conf->webserver.threads.c = validate_stub; // Only type-based checking
 
 	conf->webserver.headers.k = "webserver.headers";
-	conf->webserver.headers.h = "Additional HTTP headers added to the web server responses.\n The headers are added to all responses, including those for the API.\n Note about the default additional headers:\n - X-DNS-Prefetch-Control: off: Usually browsers proactively perform domain name resolution on links that the user may choose to follow. We disable DNS prefetching here.\n - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js styling some elements directly, and index.html containing some inlined Javascript code.\n - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the site attempting to do so.\n - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This header is usually enabled by default in browsers, and is not recommended as it can hurt the security of the site. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the MIME types advertised in the  Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. Site security testers usually expect this header to be set.\n - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.\n The latter four headers are set as expected by https://securityheaders.io";
-	conf->webserver.headers.a = cJSON_CreateStringReference("array of HTTP headers");
+	conf->webserver.headers.h = "Additional HTTP headers added to the web server responses.\n\n The headers are added to all responses, including those for the API.\n Note about the default additional headers:\n - X-DNS-Prefetch-Control: off: Usually browsers proactively perform domain name resolution on links that the user may choose to follow. We disable DNS prefetching here.\n - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js styling some elements directly, and index.html containing some inlined Javascript code.\n - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the site attempting to do so.\n - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This header is usually enabled by default in browsers, and is not recommended as it can hurt the security of the site. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the MIME types advertised in the  Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. Site security testers usually expect this header to be set.\n - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.\n The latter four headers are set as expected by https://securityheaders.io";
+	conf->webserver.headers.a = cJSON_CreateStringReference("An array of HTTP headers");
 	conf->webserver.headers.t = CONF_JSON_STRING_ARRAY;
 	conf->webserver.headers.f = FLAG_RESTART_FTL;
 	conf->webserver.headers.d.json = cJSON_CreateArray();
@@ -1059,28 +1059,33 @@ void initConfig(struct config *conf)
 	conf->webserver.headers.c = validate_stub; // Only type-based checking
 
 	conf->webserver.serve_all.k = "webserver.serve_all";
-	conf->webserver.serve_all.h = "Should the web server serve all files in webserver.paths.webroot directory? If disabled, only files within the path defined through webserver.paths.webhome and /api will be served.";
+	conf->webserver.serve_all.h = "Should the web server serve all files in webserver.paths.webroot directory?\n\n If disabled, only files within the path defined through webserver.paths.webhome and /api will be served.";
 	conf->webserver.serve_all.t = CONF_BOOL;
 	conf->webserver.serve_all.d.b = false;
 	conf->webserver.serve_all.c = validate_stub;
 
-	// sub-struct session
+	conf->webserver.tls.validity.k = "webserver.tls.validity";
+	conf->webserver.tls.validity.h = "Number of days the automatically generated self-signed TLS/SSL certificate will be valid for.\n\n Defaults to 47 days. A minimum of 7 days is enforced.\n Some devices may enforce shorter validity ranges. Note that defining a lower validity range may require you to accept the self-signed certificate more often in your browser.\n Pi-hole will regenerate certificates it created itself two days prior to expiration. If you are using your own certificate, you need to regenerate it yourself. In this case, it is advised to set the validity range to 0 days, so that Pi-hole does not try to regenerate your certificate. If you set the validity range to 0 days and still try to generate a certificate, Pi-hole will set a fixed validity range of roughly 30 years for the certificate.";
+	conf->webserver.tls.validity.t = CONF_UINT;
+	conf->webserver.tls.validity.d.ui = 47; // 47 days
+	conf->webserver.tls.validity.c = validate_ui_min_7_or_0;
+
+	// sub-struct webserver.session
 	conf->webserver.session.timeout.k = "webserver.session.timeout";
-	conf->webserver.session.timeout.h = "Session timeout in seconds. If a session is inactive for more than this time, it will be terminated. Sessions are continuously refreshed by the web interface, preventing sessions from timing out while the web interface is open.\n\n This option may also be used to make logins persistent for long times, e.g. 86400 seconds (24 hours), 604800 seconds (7 days) or 2592000 seconds (30 days). Note that the total number of concurrent sessions is limited so setting this value too high may result in users being rejected and unable to log in if there are already too many sessions active.";
+	conf->webserver.session.timeout.h = "Session timeout in seconds.\n\n If a session is inactive for more than this time, it will be terminated. Sessions are continuously refreshed by the web interface, preventing sessions from timing out while the web interface is open.\n\n This option may also be used to make logins persistent for long times, e.g. 86400 seconds (24 hours), 604800 seconds (7 days) or 2592000 seconds (30 days). Note that the total number of concurrent sessions is limited so setting this value too high may result in users being rejected and unable to log in if there are already too many sessions active.";
 	conf->webserver.session.timeout.a = cJSON_CreateStringReference("A positive integer value in seconds");
 	conf->webserver.session.timeout.t = CONF_UINT;
 	conf->webserver.session.timeout.d.ui = 1800u;
 	conf->webserver.session.timeout.c = validate_stub; // Only type-based checking
 
 	conf->webserver.session.restore.k = "webserver.session.restore";
-	conf->webserver.session.restore.h = "Should Pi-hole backup and restore sessions from the database? This is useful if you want to keep your sessions after a restart of the web interface.";
-	conf->webserver.session.restore.a = cJSON_CreateStringReference("true or false");
+	conf->webserver.session.restore.h = "Should Pi-hole backup and restore sessions from the database?\n\n This is useful if you want to keep your sessions after a restart of the web interface.";
 	conf->webserver.session.restore.t = CONF_BOOL;
 	conf->webserver.session.restore.d.b = true;
 	conf->webserver.session.restore.c = validate_stub; // Only type-based checking
 
 	conf->webserver.tls.cert.k = "webserver.tls.cert";
-	conf->webserver.tls.cert.h = "Path to the TLS (SSL) certificate file. All directories along the path must be readable and accessible by the user running FTL (typically 'pihole'). This option is only required when at least one of webserver.port is TLS. The file must be in PEM format, and it must have both, private key and certificate (the *.pem file created must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).\n\n The *.pem file can be created using `cp server.crt server.pem && cat server.key >> server.pem` if you have these files instead";
+	conf->webserver.tls.cert.h = "Path to the TLS (SSL) certificate file.\n\n All directories along the path must be readable and accessible by the user running FTL (typically 'pihole'). This option is only required when at least one of webserver.port is TLS. The file must be in PEM format, and it must have both, private key and certificate (the *.pem file created must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).\n\n The *.pem file can be created using `cp server.crt server.pem && cat server.key >> server.pem` if you have these files instead";
 	conf->webserver.tls.cert.a = cJSON_CreateStringReference("A valid TLS certificate file (*.pem)");
 	conf->webserver.tls.cert.f = FLAG_RESTART_FTL;
 	conf->webserver.tls.cert.t = CONF_STRING;

src/config/config.h

@@ -255,6 +255,7 @@ struct config {
 		} session;
 		struct {
 			struct conf_item cert;
+			struct conf_item validity;
 		} tls;
 		struct {
 			struct conf_item webroot;

src/config/validator.c

@@ -545,6 +545,17 @@ bool validate_dns_revServers(union conf_value *val, const char *key, char err[VA
 	return true;
 }
 
+bool validate_ui_min_7_or_0(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN])
+{
+	if(val->ui < 7 && val->ui != 0)
+	{
+		snprintf(err, VALIDATOR_ERRBUF_LEN, "%s: cannot be lower than 7", key);
+		return false;
+	}
+
+	return true;
+}
+
 // Sanitize the dns.hosts array
 // This function normalizes whitespace formatting in the dns.hosts entries
 // to ensure consistent formatting when saving to pihole.toml

src/config/validator.h

@@ -26,6 +26,7 @@ bool validate_filepath_empty(union conf_value *val, const char *key, char err[VA
 bool validate_filepath_dash(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_regex_array(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_dns_revServers(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
+bool validate_ui_min_7_or_0(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 void sanitize_dns_hosts(union conf_value *val);
 
 #endif // CONFIG_VALIDATOR_H

src/dnsmasq_interface.c

@@ -3341,6 +3341,13 @@ void FTL_fork_and_bind_sockets(struct passwd *ent_pw, bool dnsmasq_start)
 		exit(EXIT_FAILURE);
 	}
 
+	// Start webserver thread
+	if(pthread_create( &threads[WEBSERVER], &attr, webserver_thread, NULL ) != 0)
+	{
+		log_crit("Unable to create webserver thread. Exiting...");
+		exit(EXIT_FAILURE);
+	}
+
 	// Chown files if FTL started as user root but a dnsmasq config
 	// option states to run as a different user/group (e.g. "nobody")
 	if(getuid() == 0)

src/enums.h

@@ -247,6 +247,7 @@ enum thread_types {
 	NTP_CLIENT,
 	NTP_SERVER4,
 	NTP_SERVER6,
+	WEBSERVER,
 	THREADS_MAX
 } __attribute__ ((packed));
 
@@ -331,7 +332,9 @@ enum cert_check {
 	CERT_CANNOT_PARSE_KEY,
 	CERT_DOMAIN_MISMATCH,
 	CERT_DOMAIN_MATCH,
-	CERT_OKAY
+	CERT_NOT_YET_VALID,
+	CERT_EXPIRES_SOON,
+	CERT_OKAY,
 } __attribute__ ((packed));
 
 enum http_method {

src/signals.c

@@ -42,6 +42,7 @@ const char * const thread_names[THREADS_MAX] = {
 	"ntp-client",
 	"ntp-server4",
 	"ntp-server6",
+	"webserver",
  };
 
 // Return the (null-terminated) name of the calling thread

src/webserver/webserver.c

@@ -30,6 +30,8 @@
 #include "database/message-table.h"
 // create_cli_password()
 #include "config/password.h"
+// thread_names
+#include "signals.h"
 
 // Server context handle
 static struct mg_context *ctx = NULL;
@@ -649,7 +651,7 @@ void http_init(void)
 		// Try to generate certificate if not present
 		if(!file_readable(config.webserver.tls.cert.v.s))
 		{
-			if(generate_certificate(config.webserver.tls.cert.v.s, false, config.webserver.domain.v.s))
+			if(generate_certificate(config.webserver.tls.cert.v.s, false, config.webserver.domain.v.s, config.webserver.tls.validity.v.ui))
 			{
 				log_info("Created SSL/TLS certificate for %s at %s",
 				         config.webserver.domain.v.s, config.webserver.tls.cert.v.s);
@@ -878,3 +880,58 @@ void http_terminate(void)
 	if(webheaders != NULL)
 		free(webheaders);
 }
+
+static void restart_http(void)
+{
+	// Stop the server
+	http_terminate();
+
+	// Reinitialize the webserver
+	http_init();
+}
+
+void *webserver_thread(void *val)
+{
+	(void)val;
+	// Set thread name
+	prctl(PR_SET_NAME, thread_names[WEBSERVER], 0, 0, 0);
+
+	// Initial delay until we check the certificate for the first time
+	thread_sleepms(WEBSERVER, 2000);
+
+	while(!killed)
+	{
+		// Check if the certificate is about to expire soon
+		const enum cert_check status = cert_currently_valid(config.webserver.tls.cert.v.s, 2);
+
+		if(status == CERT_EXPIRES_SOON &&
+		   config.webserver.tls.validity.v.ui > 0)
+		{
+			if(is_pihole_certificate(config.webserver.tls.cert.v.s))
+			{
+				log_info("TLS certificate at %s is about to expire soon, generating new one",
+				         config.webserver.tls.cert.v.s);
+				generate_certificate(config.webserver.tls.cert.v.s, false,
+				             config.webserver.domain.v.s,
+				             config.webserver.tls.validity.v.ui);
+
+				log_info("Restarting HTTP server");
+				restart_http();
+
+				log_info("Done. The new certificate is valid for %u days",
+				         config.webserver.tls.validity.v.ui);
+			}
+			else
+			{
+				log_err("TLS certificate at %s is about to expire soon, but it is not a Pi-hole certificate. Please renew it manually!",
+				        config.webserver.tls.cert.v.s);
+			}
+		}
+
+		// Idle for 1 day (24 hours)
+		thread_sleepms(WEBSERVER, 86400000);
+	}
+
+	log_info("Terminating webserver thread");
+	return NULL;
+}