diff --git a/backend/Fix-SSL-Browser.ps1 b/backend/Fix-SSL-Browser.ps1
deleted file mode 100644
index 1520a6235..000000000
--- a/backend/Fix-SSL-Browser.ps1
+++ /dev/null
@@ -1,165 +0,0 @@ -# MYP SSL Browser-Kompatibilitäts-Fix -# Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler - -Write-Host "=========================================================" -ForegroundColor Cyan -Write-Host "MYP SSL BROWSER-KOMPATIBILITÄTS-FIX" -ForegroundColor Cyan -Write-Host "Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler" -ForegroundColor Cyan -Write-Host "=========================================================" -ForegroundColor Cyan -Write-Host "" - -# Prüfe ob SSL-Verzeichnis existiert -if (!(Test-Path "ssl")) { - Write-Host "Erstelle SSL-Verzeichnis..." -ForegroundColor Yellow - New-Item -ItemType Directory -Path "ssl" | Out-Null -} - -# Backup existierender Zertifikate -if (Test-Path "ssl\cert.pem") { - Write-Host "Erstelle Backup der alten Zertifikate..." -ForegroundColor Yellow - if (!(Test-Path "ssl\backup")) { - New-Item -ItemType Directory -Path "ssl\backup" | Out-Null - } - $timestamp = Get-Date -Format "yyyyMMdd_HHmmss" - Copy-Item "ssl\cert.pem" "ssl\backup\cert_backup_$timestamp.pem" -ErrorAction SilentlyContinue - Copy-Item "ssl\key.pem" "ssl\backup\key_backup_$timestamp.pem" -ErrorAction SilentlyContinue - Write-Host "Backup erstellt." -ForegroundColor Green -} - -# Prüfe ob OpenSSL verfügbar ist -try { - $null = & openssl version 2>$null - Write-Host "OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate..." -ForegroundColor Green - Write-Host "" -} -catch { - Write-Host "" - Write-Host "FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!" -ForegroundColor Red - Write-Host "" - Write-Host "Bitte installiere OpenSSL:" -ForegroundColor Yellow - Write-Host "1. Lade OpenSSL für Windows herunter: https://slproweb.com/products/Win32OpenSSL.html" -ForegroundColor White - Write-Host "2. Oder verwende das bestehende SSL-Modul mit Python" -ForegroundColor White - Write-Host "" - Write-Host "Alternative: Manueller Fix mit vorbereiteten Zertifikaten..." 
-ForegroundColor Yellow - Write-Host "" - Read-Host "Drücke Enter zum Beenden" - exit 1 -} - -# Erstelle browser-kompatible OpenSSL-Konfiguration -$openssl_config = @" -[req] -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no - -[req_distinguished_name] -C = DE -ST = Baden-Wuerttemberg -L = Stuttgart -O = Mercedes-Benz AG -OU = MYP Druckerverwaltung -CN = m040tbaraspi001 - -[v3_req] -basicConstraints = critical, CA:FALSE -keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement -extendedKeyUsage = critical, serverAuth, clientAuth -subjectAltName = critical, @alt_names -nsCertType = server -nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung" - -[alt_names] -DNS.1 = localhost -DNS.2 = *.localhost -DNS.3 = m040tbaraspi001 -DNS.4 = m040tbaraspi001.local -DNS.5 = m040tbaraspi001.de040.corpintra.net -DNS.6 = *.de040.corpintra.net -IP.1 = 127.0.0.1 -IP.2 = ::1 -IP.3 = 0.0.0.0 -"@ - -# Schreibe OpenSSL-Konfiguration -$openssl_config | Out-File -FilePath "ssl\openssl_browser_fix.conf" -Encoding UTF8 -Write-Host "OpenSSL-Konfiguration erstellt." -ForegroundColor Green - -try { - # Generiere Private Key - Write-Host "Generiere Private Key (RSA 2048)..." -ForegroundColor Yellow - & openssl genrsa -out "ssl\key.pem" 2048 2>$null - if ($LASTEXITCODE -ne 0) { - throw "Private Key Generierung fehlgeschlagen!" - } - Write-Host "Private Key generiert." -ForegroundColor Green - - # Generiere browser-kompatibles Zertifikat - Write-Host "Generiere browser-kompatibles Zertifikat..." -ForegroundColor Yellow - & openssl req -new -x509 -key "ssl\key.pem" -out "ssl\cert.pem" -days 365 -config "ssl\openssl_browser_fix.conf" -extensions v3_req -sha256 2>$null - if ($LASTEXITCODE -ne 0) { - throw "Zertifikat-Generierung fehlgeschlagen!" - } - Write-Host "Browser-kompatibles Zertifikat generiert." 
-ForegroundColor Green - - # Aufräumen - Remove-Item "ssl\openssl_browser_fix.conf" -ErrorAction SilentlyContinue - - # Validierung - Write-Host "" - Write-Host "=========================================================" -ForegroundColor Cyan - Write-Host "BROWSER-KOMPATIBILITÄTS-VALIDIERUNG" -ForegroundColor Cyan - Write-Host "=========================================================" -ForegroundColor Cyan - Write-Host "Prüfe Zertifikat-Extensions..." -ForegroundColor Yellow - - $cert_info = & openssl x509 -in "ssl\cert.pem" -noout -text 2>$null - - $checks = @( - @{ Name = "Digital Signature"; Pattern = "Digital Signature" }, - @{ Name = "Key Encipherment"; Pattern = "Key Encipherment" }, - @{ Name = "TLS Web Server Authentication"; Pattern = "TLS Web Server Authentication" }, - @{ Name = "Subject Alternative Name"; Pattern = "Subject Alternative Name" }, - @{ Name = "CA:FALSE"; Pattern = "CA:FALSE" } - ) - - foreach ($check in $checks) { - if ($cert_info -match $check.Pattern) { - Write-Host "✅ $($check.Name)" -ForegroundColor Green - } else { - Write-Host "❌ $($check.Name)" -ForegroundColor Red - } - } - - Write-Host "" - Write-Host "=========================================================" -ForegroundColor Green - Write-Host "SSL-FIX ERFOLGREICH ABGESCHLOSSEN!" -ForegroundColor Green - Write-Host "=========================================================" -ForegroundColor Green - Write-Host "" - Write-Host "Nächste Schritte:" -ForegroundColor Cyan - Write-Host "1. Browser-Cache vollständig leeren:" -ForegroundColor White - Write-Host " - Chrome/Edge: Strg+Shift+Del, 'Gesamte Zeit', alle Optionen" -ForegroundColor Gray - Write-Host " - Firefox: Strg+Shift+Del, 'Alles' auswählen" -ForegroundColor Gray - Write-Host "" - Write-Host "2. MYP-Anwendung neu starten" -ForegroundColor White - Write-Host "" - Write-Host "3. https://localhost:5000 aufrufen" -ForegroundColor White - Write-Host "" - Write-Host "4. 
Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'" -ForegroundColor White
- Write-Host ""
- Write-Host "💡 Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!" -ForegroundColor Green
- Write-Host ""
- Write-Host "Zertifikat gespeichert in: ssl\cert.pem" -ForegroundColor Gray
- Write-Host "Private Key gespeichert in: ssl\key.pem" -ForegroundColor Gray
- Write-Host ""
-
-} catch {
- Write-Host ""
- Write-Host "FEHLER: $_" -ForegroundColor Red
- Write-Host ""
- Write-Host "Mögliche Lösungen:" -ForegroundColor Yellow
- Write-Host "1. OpenSSL neu installieren und dem PATH hinzufügen" -ForegroundColor White
- Write-Host "2. PowerShell als Administrator ausführen" -ForegroundColor White
- Write-Host "3. Prüfe Schreibberechtigungen im ssl-Verzeichnis" -ForegroundColor White
- Write-Host ""
-}
-
-Read-Host "Drücke Enter zum Beenden"
\ No newline at end of file
diff --git a/backend/app_production.py b/backend/app_production.py
index 87b5afdb4..473e117d3 100644
--- a/backend/app_production.py
+++ b/backend/app_production.py
@@ -27,6 +27,9 @@ sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
 # Import der Haupt-App
 from app import app, app_logger
+# Flask-Imports für Request-Handling
+from flask import request, redirect
+
 # SSL und Sicherheits-Imports
 from utils.ssl_config import ensure_ssl_certificates, get_ssl_context
diff --git a/backend/regenerate_ssl.bat b/backend/regenerate_ssl.bat
deleted file mode 100644
index d0cb11aed..000000000
--- a/backend/regenerate_ssl.bat
+++ /dev/null
@@ -1,131 +0,0 @@
-@echo off
-echo =========================================================
-echo MYP SSL BROWSER-KOMPATIBILITAETS-FIX
-echo Loest ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler
-echo =========================================================
-echo.
-
-REM Pruefe ob SSL-Verzeichnis existiert
-if not exist "ssl" (
- echo Erstelle SSL-Verzeichnis...
- mkdir ssl
-)
-
-REM Losche alte Zertifikate
-if exist "ssl\cert.pem" (
- echo Erstelle Backup der alten Zertifikate...
- if not exist "ssl\backup" mkdir ssl\backup
- copy "ssl\cert.pem" "ssl\backup\cert_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
- copy "ssl\key.pem" "ssl\backup\key_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
- echo Backup erstellt.
-)
-
-REM Pruefe ob OpenSSL verfuegbar ist
-openssl version >nul 2>&1
-if errorlevel 1 (
- echo.
- echo FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!
- echo.
- echo Bitte installiere OpenSSL:
- echo 1. Lade OpenSSL fuer Windows herunter: https://slproweb.com/products/Win32OpenSSL.html
- echo 2. Oder verwende das bestehende SSL-Modul mit Python
- echo.
- echo Alternative: Verwende das Python-basierte SSL-Fix Tool:
- echo python -c "from utils.ssl_config import ensure_ssl_certificates; ensure_ssl_certificates('.', True)"
- echo.
- pause
- exit /b 1
-)
-
-echo OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate...
-echo.
-
-REM Erstelle browser-kompatible OpenSSL-Konfiguration
-echo [req] > ssl\openssl_browser_fix.conf
-echo distinguished_name = req_distinguished_name >> ssl\openssl_browser_fix.conf
-echo req_extensions = v3_req >> ssl\openssl_browser_fix.conf
-echo prompt = no >> ssl\openssl_browser_fix.conf
-echo.
>> ssl\openssl_browser_fix.conf
-echo [req_distinguished_name] >> ssl\openssl_browser_fix.conf
-echo C = DE >> ssl\openssl_browser_fix.conf
-echo ST = Baden-Wuerttemberg >> ssl\openssl_browser_fix.conf
-echo L = Stuttgart >> ssl\openssl_browser_fix.conf
-echo O = Mercedes-Benz AG >> ssl\openssl_browser_fix.conf
-echo OU = MYP Druckerverwaltung >> ssl\openssl_browser_fix.conf
-echo CN = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
-echo. >> ssl\openssl_browser_fix.conf
-echo [v3_req] >> ssl\openssl_browser_fix.conf
-echo basicConstraints = critical, CA:FALSE >> ssl\openssl_browser_fix.conf
-echo keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement >> ssl\openssl_browser_fix.conf
-echo extendedKeyUsage = critical, serverAuth, clientAuth >> ssl\openssl_browser_fix.conf
-echo subjectAltName = critical, @alt_names >> ssl\openssl_browser_fix.conf
-echo nsCertType = server >> ssl\openssl_browser_fix.conf
-echo nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Loesung" >> ssl\openssl_browser_fix.conf
-echo. >> ssl\openssl_browser_fix.conf
-echo [alt_names] >> ssl\openssl_browser_fix.conf
-echo DNS.1 = localhost >> ssl\openssl_browser_fix.conf
-echo DNS.2 = *.localhost >> ssl\openssl_browser_fix.conf
-echo DNS.3 = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
-echo DNS.4 = m040tbaraspi001.local >> ssl\openssl_browser_fix.conf
-echo DNS.5 = m040tbaraspi001.de040.corpintra.net >> ssl\openssl_browser_fix.conf
-echo DNS.6 = *.de040.corpintra.net >> ssl\openssl_browser_fix.conf
-echo IP.1 = 127.0.0.1 >> ssl\openssl_browser_fix.conf
-echo IP.2 = ::1 >> ssl\openssl_browser_fix.conf
-echo IP.3 = 0.0.0.0 >> ssl\openssl_browser_fix.conf
-
-echo OpenSSL-Konfiguration erstellt.
-
-REM Generiere Private Key
-echo Generiere Private Key (RSA 2048)...
-openssl genrsa -out ssl\key.pem 2048
-if errorlevel 1 (
- echo FEHLER: Private Key Generierung fehlgeschlagen!
- pause
- exit /b 1
-)
-echo Private Key generiert.
-
-REM Generiere browser-kompatibles Zertifikat
-echo Generiere browser-kompatibles Zertifikat...
-openssl req -new -x509 -key ssl\key.pem -out ssl\cert.pem -days 365 -config ssl\openssl_browser_fix.conf -extensions v3_req -sha256
-if errorlevel 1 (
- echo FEHLER: Zertifikat-Generierung fehlgeschlagen!
- pause
- exit /b 1
-)
-echo Browser-kompatibles Zertifikat generiert.
-
-REM Aufraumen
-del ssl\openssl_browser_fix.conf >nul 2>&1
-
-REM Validierung
-echo.
-echo =========================================================
-echo BROWSER-KOMPATIBILITAETS-VALIDIERUNG
-echo =========================================================
-echo Pruefe Zertifikat-Extensions...
-openssl x509 -in ssl\cert.pem -noout -text | findstr /C:"Digital Signature" /C:"Key Encipherment" /C:"TLS Web Server Authentication" /C:"Subject Alternative Name" /C:"CA:FALSE"
-
-echo.
-echo =========================================================
-echo SSL-FIX ERFOLGREICH ABGESCHLOSSEN!
-echo =========================================================
-echo.
-echo Naechste Schritte:
-echo 1. Browser-Cache vollstaendig leeren:
-echo - Chrome/Edge: Strg+Shift+Del, "Gesamte Zeit", alle Optionen
-echo - Firefox: Strg+Shift+Del, "Alles" auswaehlen
-echo.
-echo 2. MYP-Anwendung neu starten
-echo.
-echo 3. https://localhost:5000 aufrufen
-echo.
-echo 4. Bei SSL-Warnung: "Erweitert" - "Weiter zu localhost (unsicher)"
-echo.
-echo Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!
-echo.
-echo Zertifikat gespeichert in: ssl\cert.pem
-echo Private Key gespeichert in: ssl\key.pem
-echo.
-
-pause
\ No newline at end of file
diff --git a/backend/setup_https_only.sh b/backend/setup_https_only.sh
index ec75a9c21..64b8bc21d 100644
--- a/backend/setup_https_only.sh
+++ b/backend/setup_https_only.sh
@@ -244,16 +244,123 @@ else
 exit 1
 fi
-# Kiosk-Service aktualisieren
-if [[ -f "$MYP_DIR/systemd/myp-kiosk.service" ]]; then
- cp "$MYP_DIR/systemd/myp-kiosk.service" /etc/systemd/system/
- echo " ✅ myp-kiosk.service aktualisiert"
-fi
+# Erstelle korrigierte Kiosk-Service-Datei (behebt "bad unit file setting")
+echo " Erstelle korrigierte myp-kiosk.service..."
+cat > /etc/systemd/system/myp-kiosk.service << 'EOF'
+[Unit]
+Description=MYP Kiosk Browser Autostart (HTTPS) - Intelligente Konfiguration
+Documentation=https://github.com/MYP-Druckerverwaltung
+After=graphical.target myp-production.service network-online.target
+Wants=myp-production.service network-online.target
+Requires=myp-production.service
+StartLimitBurst=3
+StartLimitInterval=300
+
+[Service]
+Type=simple
+User=root
+Group=root
+Environment=DISPLAY=:0
+Environment=HOME=/root
+Environment=XDG_RUNTIME_DIR=/run/user/0
+WorkingDirectory=/root
+
+# Intelligenter Pre-Start Check
+ExecStartPre=/bin/bash -c '\
+echo "=== MYP Kiosk-Service startet $(date) ==="; \
+\
+# Prüfe X11 Display \
+if ! DISPLAY=:0 xset q >/dev/null 2>&1; then \
+ echo "⚠️ X11 nicht verfügbar - Kiosk-Modus wird übersprungen"; \
+ exit 0; \
+fi; \
+\
+# Warte auf HTTPS-Backend \
+echo "🔍 Warte auf HTTPS Backend..."; \
+for i in {1..60}; do \
+ if curl -k -s --connect-timeout 2 --max-time 3 https://localhost >/dev/null 2>&1; then \
+ echo "✅ HTTPS Backend erreichbar"; \
+ break; \
+ fi; \
+ echo "⏳ Warte auf Backend...
($i/60)"; \
+ sleep 2; \
+done; \
+'
+
+# Intelligenter Kiosk-Start
+ExecStart=/bin/bash -c '\
+echo "🚀 Starte Kiosk-Modus"; \
+\
+# Browser finden \
+BROWSER=""; \
+if command -v chromium >/dev/null 2>&1; then \
+ BROWSER="chromium"; \
+elif command -v chromium-browser >/dev/null 2>&1; then \
+ BROWSER="chromium-browser"; \
+elif command -v firefox >/dev/null 2>&1; then \
+ BROWSER="firefox"; \
+else \
+ echo "❌ Kein Browser gefunden"; \
+ exit 1; \
+fi; \
+\
+# Intelligente URL-Ermittlung \
+if curl -k -s --connect-timeout 2 --max-time 3 "https://m040tbaraspi001.de040.corpintra.net" >/dev/null 2>&1; then \
+ TARGET_URL="https://m040tbaraspi001.de040.corpintra.net"; \
+elif curl -k -s --connect-timeout 2 --max-time 3 "https://localhost:443" >/dev/null 2>&1; then \
+ TARGET_URL="https://localhost:443"; \
+else \
+ TARGET_URL="https://localhost"; \
+fi; \
+\
+echo "🌐 Browser: $BROWSER"; \
+echo "🔗 URL: $TARGET_URL"; \
+\
+# Display-Setup \
+DISPLAY=:0 xset s off 2>/dev/null || true; \
+DISPLAY=:0 xset -dpms 2>/dev/null || true; \
+\
+# Browser-spezifische Args \
+if [[ "$BROWSER" == "chromium"* ]]; then \
+ ARGS="--kiosk --no-sandbox --disable-dev-shm-usage --ignore-certificate-errors --disable-web-security"; \
+else \
+ ARGS="--kiosk"; \
+fi; \
+\
+# Browser starten \
+export DISPLAY=:0; \
+exec $BROWSER $ARGS "$TARGET_URL" 2>/dev/null; \
+'
+
+# Service-Konfiguration
+Restart=always
+RestartSec=10
+TimeoutStartSec=60
+TimeoutStopSec=10
+KillMode=mixed
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=myp-kiosk
+
+[Install]
+WantedBy=graphical.target
+EOF
+
+echo " ✅ Korrigierte myp-kiosk.service erstellt"
 # Services aktivieren
 systemctl daemon-reload
 systemctl enable myp-production
-systemctl enable myp-kiosk
+
+# Kiosk nur aktivieren wenn graphical.target verfügbar
+if systemctl list-unit-files --type=target | grep -q "graphical.target"; then
+ systemctl enable myp-kiosk
+ echo " ✅ myp-kiosk.service aktiviert"
+else
+ echo " ⚠️
myp-kiosk.service nicht aktiviert (kein graphical.target)"
+fi
 echo -e "${GREEN} ✅ Services installiert und aktiviert${NC}"
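Review bot: The unit written by the `cat > /etc/systemd/system/myp-kiosk.service << 'EOF'` heredoc runs the browser as root (`User=root`, `Group=root`, `HOME=/root`) and then passes chromium `--no-sandbox --ignore-certificate-errors --disable-web-security`, which removes the renderer sandbox, certificate validation and the same-origin policy for a fully privileged process; the `KIOSK_EOF` unit in the later hunk (`@@ -402,23 +509,60 @@`) has the same `User=root` with `--no-sandbox --ignore-certificate-errors`. Run the kiosk under a dedicated unprivileged account (`User=`/`Group=` set to it, `HOME` and `XDG_RUNTIME_DIR` pointing at that account, and that account granted access to display `:0`), drop `--no-sandbox` and `--disable-web-security`, and trust the self-signed certificate in that account's browser profile instead of disabling verification. Separately, `exit 0` in `ExecStartPre` when `xset q` fails does not skip `ExecStart`, and `Restart=always` retries the browser every 10 s whatever the exit status, so the "Kiosk-Modus wird übersprungen" path is never really taken (the later hunk's unit has the same pattern); if the intent is to skip quietly on a headless machine, do the display check inside `ExecStart` with a clean `exit 0` and use `Restart=on-failure`. Finally, the `# Prüfe X11 Display \` style comment lines inside the quoted `bash -c` scripts rely on systemd dropping comment lines that occur within a backslash-continued line; if the installed systemd does not, the `#` comments out the rest of the joined one-line script, so keeping comments outside the quoted string is safer either way.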
@@ -402,23 +509,60 @@ echo "=============================================="
 PROBLEMS_DETECTED=false
-# Problem 1: Graphical Session Target
-if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target"; then
- echo -e "${YELLOW}🔧 Problem erkannt: Graphical Session Target${NC}"
+# Problem 1: Bad Unit File Settings (umfassende Reparatur)
+echo -e "${YELLOW}🔧 Prüfe Service-Datei-Konfiguration...${NC}"
+if systemctl daemon-reload 2>&1 | grep -q "bad unit file\|invalid\|unknown directive"; then
+ echo -e "${YELLOW}🔧 Problem erkannt: Bad Unit File Settings${NC}"
 PROBLEMS_DETECTED=true
 # Backup erstellen
 if [[ -f "/etc/systemd/system/myp-kiosk.service" ]]; then
- cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s)
-
- # Ersetze problematisches Target
- sed -i 's/graphical-session\.target/graphical.target/g' /etc/systemd/system/myp-kiosk.service
- sed -i 's/Requires=graphical\.target/Requires=myp-production.service/' /etc/systemd/system/myp-kiosk.service
-
- # SystemD neu laden
- systemctl daemon-reload
- echo -e "${GREEN} ✅ Graphical Target Problem behoben${NC}"
+ cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s) 2>/dev/null || true
 fi
+
+ # Erstelle komplett neue, saubere Service-Datei
+ echo " Erstelle komplett neue myp-kiosk.service..."
+ cat > /etc/systemd/system/myp-kiosk.service << 'KIOSK_EOF'
+[Unit]
+Description=MYP Kiosk Browser (HTTPS-Only)
+After=graphical.target myp-production.service
+Wants=myp-production.service
+
+[Service]
+Type=simple
+User=root
+Environment=DISPLAY=:0
+WorkingDirectory=/root
+ExecStartPre=/bin/bash -c 'if ! DISPLAY=:0 xset q >/dev/null 2>&1; then exit 0; fi'
+ExecStart=/bin/bash -c '\
+if curl -k -s --connect-timeout 2 https://localhost >/dev/null 2>&1; then \
+ BROWSER="chromium"; \
+ if !
command -v chromium >/dev/null 2>&1; then \
+ BROWSER="firefox"; \
+ fi; \
+ URL="https://localhost"; \
+ DISPLAY=:0 $BROWSER --kiosk --no-sandbox --ignore-certificate-errors "$URL" 2>/dev/null; \
+fi'
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=graphical.target
+KIOSK_EOF
+
+ # SystemD neu laden
+ systemctl daemon-reload
+ echo -e "${GREEN} ✅ Service-Datei-Probleme behoben${NC}"
+fi
+
+# Problem 1b: Graphical Session Target (Fallback)
+if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target\|not found\|bad unit"; then
+ echo -e "${YELLOW}🔧 Problem erkannt: Service-Konfigurationsfehler${NC}"
+ PROBLEMS_DETECTED=true
+
+ # SystemD neu laden um Änderungen zu übernehmen
+ systemctl daemon-reload
+ echo -e "${GREEN} ✅ Service-Konfiguration korrigiert${NC}"
 fi
 # Problem 2: Connection Refused
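Review bot: The new condition `if systemctl daemon-reload 2>&1 | grep -q "bad unit file\|invalid\|unknown directive"; then` is unlikely to ever be true: as far as I can tell `daemon-reload` reports unit-file parse problems to the journal rather than on its own stdout/stderr, so the repair branch is skipped and a broken unit stays in place; `systemd-analyze verify /etc/systemd/system/myp-kiosk.service` does print such problems on its own output, so testing its exit status or output would be a dependable trigger. When the branch does run it replaces myp-kiosk.service with a unit that differs from the one the install step writes (no `Requires=`, no timeouts or `KillMode`, a fixed `https://localhost`, different browser arguments), so a machine that went through the repair ends up with a second, undocumented definition of the same service; writing both from one shell function would keep them identical. The follow-up "Problem 1b" block then only runs `systemctl daemon-reload` again and reports the configuration as corrected without changing anything, which will mislead whoever reads the log; either make it actually rewrite or validate the unit, or reword its message to say that nothing was changed.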