diff options
author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-09-18 00:58:45 -0300 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-09-18 00:58:45 -0300 |
commit | d3ff95f426054f64222e919f22f89a1e3066bb6e (patch) | |
tree | 09137f5bd1b50b2ec0c9290574b92dbe699e6a86 /config/apache_mod_security-dev/apache_mod_security.inc | |
parent | d9da90aafffd420af84ac4dcf3fa4e779cb2faf3 (diff) | |
download | pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.tar.gz pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.tar.bz2 pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.zip |
apache2+modsecurity - new package gui devel version
need pbi to be rebuild to get apache worker options working
Diffstat (limited to 'config/apache_mod_security-dev/apache_mod_security.inc')
-rw-r--r-- | config/apache_mod_security-dev/apache_mod_security.inc | 653 |
1 files changed, 653 insertions, 0 deletions
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc new file mode 100644 index 00000000..cdee4f6b --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -0,0 +1,653 @@ +<?php +/* + apache_mod_security.inc + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +// Check to find out on which system the package is running +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('APACHEDIR', '/usr/pbi/proxy_mod_security-' . php_uname("m")); +else + define('APACHEDIR', '/usr/local'); +// End of system check +define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +// Rules directory location +define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +function apache_textarea_decode($base64){ + return preg_replace("/\r\n/","\n",base64_decode($base64)); +} + +function apache_get_real_interface_address($iface) { + global $config; + if ($iface == "All") + return array("*", ""); + if (preg_match("/\d+\.\d+/",$iface)) + return array($iface, ""); + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + return array($ip, long2ip(hexdec($netmask))); +} + +// Ensure NanoBSD can write. pkg_mgr will remount RO +conf_mount_rw(); + +// Needed mod_security directories +if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) + safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); + +// Startup function +function apache_mod_security_start() { + exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); +} + +// Shutdown function +function apache_mod_security_stop() { + exec(APACHEDIR . "/sbin/httpd -k stop"); +} + +// Restart function +function apache_mod_security_restart() { + if(is_process_running("httpd")) { + exec(APACHEDIR . "/sbin/httpd -k graceful"); + } else { + apache_mod_security_start(); + } +} + +// Install function +function apache_mod_security_install() { + global $config, $g; + + // We might be reinstalling and a configuration + // already exists. + generate_apache_configuration(); + + $filename = "apache_mod_security.sh"; + + $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP + <?php + require_once(\"functions.inc\"); + require_once(\"/usr/local/pkg/apache_mod_security.inc\"); + apache_mod_security_start(); + ?> +ENDPHP\n"; + + $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP + <?php + require_once(\"functions.inc\"); + require_once(\"/usr/local/pkg/apache_mod_security.inc\"); + apache_mod_security_stop(); + ?> +ENDPHP\n"; + + write_rcfile(array( + "file" => $filename, + "start" => $start, + "stop" => $stop + ) + ); +} + +// Deinstall package routines +function apache_mod_security_deinstall() { + global $config, $g; + apache_mod_security_stop(); + exec("/bin/rm -rf " . APACHEDIR . "/". MODSECURITY_DIR); + exec("/bin/rm -f /usr/local/etc/rc.d/apache_mod_security.sh"); +} + +// Regenerate apache configuration and handle server restart +function apache_mod_security_resync() { + global $config, $g; + apache_mod_security_install(); + $dirs=array("base", "experimental","optional", "slr"); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) + exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + $write_config=0; + foreach ($dirs as $dir){ + if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); + } + } + if ($write_config > 0) + write_config(); + apache_mod_security_checkconfig(); + apache_mod_security_restart(); +} + +function apache_mod_security_checkconfig() { + global $config, $g; + $status = mwexec(APACHEDIR ."/sbin/httpd -t"); + if($status) { + $input_error = "apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"; + log_error("apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"); + } +} + +// Generate mod_proxy specific configuration +function generate_apache_configuration() { + global $config, $g; + $mod_proxy = ""; + $write_config=0; + // check current config + if (is_array($config['installedpackages']['apachesettings'])) + $settings=$config['installedpackages']['apachesettings']['config'][0]; + else + $setting=sarray(); + + // Set global site e-mail + if ($settings['globalsiteadminemail']){ + $global_site_email = $settings['globalsiteadminemail']; + } + else { + $global_site_email = "admin@admin.com"; + $config['installedpackages']['apachesettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com"; + // update configuration with default value in this case + log_error("apache_mod_security_package: WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address."); + $write_config ++; + } + + // Set ServerName + if($settings['hostname'] != ""){ + $servername = $settings['hostname']; + } + else { + $servername = php_uname('n'); + $config['installedpackages']['apachesettings']['config'][0]['hostname'] = `hostname`; + // update configuration with default value in this case + $write_config ++; + } + + //check if servername has an valid ip + $ip=gethostbyname(php_uname('n')); + if ($ip==php_uname('n')){ + $error='apache_mod_security_package: Apache cannot start, hostname does not resolv. You can workaround this if you add a dns entry for '.php_uname('n').' or add a Host Overrides entry on services -> Dns Forwarder pointing '.php_uname('n').' to 127.0.0.1.'; + log_error($error); + file_notice("apache_mod_security", $error, "apache_mod_security", ""); + } + // Set global listening directive and ensure nothing is listening on this port already + $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $globalbind_port = $settings['globalbindtoport']; + if ($globalbind_port == ""){ + $globalbind_port ="80"; + $config['installedpackages']['apachesettings']['config'][0]['globalbindtoipport'] = $globalbind_port; + $write_config ++; + } + $global_listen ="{$globalbind_ip}:{$globalbind_port}"; + // update configuration with default value in this case + if ($write_config > 0) + write_config(); + + // check if any daemon is using apache ip/port + exec("/usr/bin/sockstat | grep -v ' httpd ' | awk '{ print $6 }' | grep ':{$globalbind_port}'",$socksstat); + unset ($already_binded); + if(is_array($socksstat)) { + foreach($socksstat as $ss) { + list($ss_ip,$ss_port)=explode(":",$ss); + #check if port is in use + if($ss_port == $globalbind_port) { + #check if it's the same ip or any ip + if ($globalbind_ip = "*" || $globalbind_ip == $ss_ip) + $already_binded = true; + $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}"; + } + } + } + if(isset($already_binded)) + log_error("apache_mod_security_package: Could not start daemon on port {$global_listen}. Another process is already bound to this port."); + + //performance settings + //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html + $performance_settings="KeepAlive {$settings['keepalive']}\n"; + if ($settings['maxkeepalivereq']) + $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; + if ($settings['keepalivetimeout']) + $performance_settings .= "KeepAliveTimeout {$settings['keepalivetimeout']}\n"; + if ($settings['serverlimit']) + $performance_settings .= "ServerLimit {$settings['serverlimit']}\n"; + if ($settings['startservers']) + $performance_settings .= "StartServers {$settings['startservers']}\n"; + if ($settings['minsparethreads']) + $performance_settings .= "MinSpareThreads {$settings['minsparethreads']}\n"; + if ($settings['maxsparethreads']) + $performance_settings .= "MaxSpareThreads {$settings['maxsparethreads']}\n"; + if ($settings['threadslimit']) + $performance_settings .= "ThreadsLimit {$settings['threadslimit']}\n"; + if ($settings['threadstacksize']) + $performance_settings .= "ThreadStackSize {$settings['threadstacksize']}\n"; + if ($settings['threadsperchild']) + $performance_settings .= "ThreadsPerChild {$settings['threadsperchild']}\n"; + if ($settings['maxclients']) + $performance_settings .= "MaxClients {$settings['maxclients']}\n"; + if ($settings['maxrequestsperchild']) + $performance_settings .= "MaxRequestsPerChild {$settings['maxrequestsperchild']}\n"; + + // Setup mem_cache + if(file_exists(APACHEDIR ."/libexec/apache22/mod_memcache.so") && $settings['memcachesize'] != "0") { + //$mem_cache = "MCacheSize ".( $settings['memcachesize'] ? $settings['memcachesize'] : "100")."\n"; + } + + // CacheRoot Directive + if($settings['diskcachesize'] != "0") { + safe_mkdir("/var/db/apachemodsecuritycache"); + $cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n"; + $cache_root .= "CacheMaxFileSize ".($settings['diskcachesize'] ? $settings['diskcachesize'] : "1000000")."\n"; + } + + // SecRequestBodyInMemoryLimit Directive + $secrequestbodyinmemorylimit = ($settings['secrequestbodyinmemorylimit'] ? $settings['secrequestbodyinmemorylimit'] : "131072"); + + // SecRequestBodyLimit + $secrequestbodylimit = ($settings['secrequestbodylimit'] ? $settings['secrequestbodylimit'] :"10485760"); + + // ErrorDocument + $errordocument = ($settings['errordocument'] ? $settings['errordocument'] : ""); + + // SecAuditEngine + $secauditengine = ($settings['secauditengine'] ? $settings['secauditengine'] : "RelevantOnly"); + + // SecReadStateLimit + $secreadstatelimit = ($settings['SecReadStateLimit'] ? $settings['SecReadStateLimit'] :""); + + //Configure balancers/backends + if (is_array($config['installedpackages']['apachebalancer'])){ + #load conf template + include("/usr/local/pkg/apache_balancer.template"); + + #check balancer members + foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){ + if (is_array($balancer['row']) && $balancer['enable'] == 'on'){ + $balancer_config.="# {$balancer['description']}\n"; + $balancer_config.="<Proxy balancer://{$balancer['name']}>\n"; + foreach($balancer['row'] as $server){ + $options =($server['port'] ? ":{$server['port']}" : ""); + + $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); + $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); + if (isset($server['ping'])){ + $options.= " ping={$server['ping']}"; + $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); + } + $balancer_config.=" BalancerMember {$balancer['proto']}://{$server['host']}{$options}\n"; + } + #check if stick connections are set + if ($balancer['row'][0]['routeid'] !="") + $balancer_config.=" ProxySet stickysession=ROUTEID\n"; + $balancer_config.="</Proxy>\n\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); + } + + //configure virtual hosts + if (is_array($config['installedpackages']['apachevirtualhost'])){ + $vh_config= <<<EOF +################################################################################## +# NOTE: This file was generated by the pfSense package management system. # +# Please do not edit this file by hand! If you need to add functionality # +# then edit /usr/local/pkg/apache_* files. # +# # +# And don't forget to submit your changes to: # +# https://github.com/bsdperimeter/pfsense-packages # +################################################################################## + + +EOF; + $default_port=array('http'=>'80', 'https'=> '443'); + foreach ($config['installedpackages']['apachevirtualhost']['config'] as $virtualhost){ + if (is_array($virtualhost['row']) && $virtualhost['enable'] == 'on'){ + $iface_address = apache_get_real_interface_address($virtualhost['interface']); + $ip=$iface_address[0]; + $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + $vh_config.="# {$virtualhost['description']}\n"; + $vh_config.="<VirtualHost {$ip}:{$port}>\n"; + $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; + $vh_config.=" ServerAdmin ".($virtualhost['siteemail'] ? $virtualhost['siteemail'] : $settings['globalsiteadminemail'])."\n"; + #check log + switch ($virtualhost['logfile']){ + case "default": + $vh_config.=" ErrorLog /var/log/httpd-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd.log combined\n"; + break; + case "create": + if(preg_match("/(\S+)/",base64_decode($virtualhost['primarysitehostname']),$matches)) + $vh_config.=" ErrorLog /var/log/httpd-{$matches[1]}-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd-{$matches[1]}.log combined\n"; + break; + } + + if($virtualhost['preserveproxyhostname']) + $vh_config .= " ProxyPreserveHost on\n"; + + #check ssl + if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") { + $vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n"; + $vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"; + + $svr_cert = lookup_cert($virtualhost["ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX); + $vh_config.= " SSLCertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt\n"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key",apache_textarea_decode($svr_cert['prv']),LOCK_EX); + $vh_config.= " SSLCertificateKeyFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key\n"; + } + } + $svr_ca =lookup_ca($virtualhost["reverse_int_ca"]); + if ($svr_ca != false) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($svr_ca['crt']),LOCK_EX); + $vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt\n"; + } + } + #Custom Options + $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; + + #Check virtualhost locations + foreach ($virtualhost['row'] as $backend){ + $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } + } + } + $vh_config.=" </Location>\n\n"; + } + $vh_config.="</VirtualHost>\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/virtualhosts.conf",$vh_config,LOCK_EX); + } + // check/fix perl version on mod_security util files + $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); + foreach ($perl_files as $perl_file){ + $file_path=rules_directory."/util/"; + if (file_exists($file_path.$perl_file)){ + $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); + file_put_contents($file_path.$perl_file,$script,LOCK_EX); + } + } + // check/fix spread libs location + $perl_libs= array("libspread.a","libspread.so.1"); + foreach ($perl_libs as $perl_lib){ + $file_path=APACHEDIR."/lib/"; + if (!file_exists("/lib/".$perl_lib) && file_exists("{$file_path}{$perl_lib}")){ + copy("{$file_path}{$perl_lib}","/lib/{$perl_lib}"); + if ($perl_lib == "libspread.so.1") + copy("{$file_path}{$perl_lib}","/lib/libspread.so"); + } + } + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; + } + + //fix http-guardian.pl block bins + //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; + //if (file_exists("/lib/".$perl_lib) && file_exists($file_path.$perl_lib)){ + + //old code + $mod_proxy .= <<<EOF + +# Off when using ProxyPass +ProxyRequests off + +<Proxy *> + Order deny,allow + Allow from all +</Proxy> + +EOF; + + /* + ##################################################### + # Format for the Proxy servers: + # Please do not delete these from the source file + # in any "cleanups" that you feel you are performing. + # They are here for sanity checking the code. + #----------------1 backend ip--------------------- + #<VirtualHost IP:port> + # ServerAdmin $serveradmin + # ServerName $primarysitehostname + # ServerAlias $additionalsitehostnames + # ProxyPass / $backendwebserverURL + # ProxyPassReverse / $backendwebserverURL + #</VirtualHost> + #where serveralias will be a space-separated list of "additional site hostnames" + #i.e. if you have www1.example.com and www2.example.com there, it's "ServerAlias www1.example.com www2.example.com" + #------------------------------------------------- + #------------mutliple backend ips----------------- + # Add: + #<Proxy balancer://$sitename> + # BalancerMember $backend1 + # BalancerMember $backend2 + #</Proxy> + # Change: + # ProxyPass / balancer://$sitename/ + # ProxyPassReverse / balancer://$sitename/ + #------------------------------------------------- + ##################################################### + */ + $mod_proxy .= "\n"; + + $configuredaliases = array(); + // Read already configured addresses + if (is_array($settings['row'])){ + foreach($settings['row'] as $row) { + if ($row['ipaddress'] && $row['ipport']) + $configuredaliases[] = $row; + } + } + + // clear list of bound addresses before updating + $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); + + // Process proxy sites + // Configure NameVirtualHost directives + $aliases = ""; + $processed = array(); + if(is_array($config['installedpackages']['apachemodsecurity'])) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Do not add entries twice. + if(!in_array($local_ip_port, $processed)) { + // explicit bind if not global ip:port + if ($local_ip_port != $global_listen) { + $aliases .= "Listen $local_ip_port\n"; + // Automatically add this to configuration + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); + } + $mod_proxy .= "NameVirtualHost $local_ip_port\n"; + $processed[] = $local_ip_port; + } + } + } + +//** Uncomment to allow adding ip/ports not used by any site proxies +//** Otherwise unused addresses/ports will be automatically deleted from the configuration +// foreach ($configuredaliases as $ams) { +// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; +// if(!in_array($local_ip_port, $processed)) { +// // explicit bind if not global ip:port +// if ($local_ip_port != $global_listen) { +// $aliases .= "Listen $local_ip_port\n"; +// // Automatically add this to configuration +// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); +// } +// } +// } + + // update configuration with actual ip bindings + write_config($pkg['addedit_string']); + + + // Setup mod_proxy entries $mod_proxy + if($config['installedpackages']['apachemodsecurity']) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + // Set rowhelper used variables + $additionalsitehostnames = ""; + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['additionalsitehostnames']) + $additionalsitehostnames .= "{$row['additionalsitehostnames']} "; + } + } + $backend_sites = ""; + $sslproxyengine = ""; + $backend_sites_count = 0; + $balancer_members = ""; // not technically needed. + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['webserveripaddr']) { + $normalised_ipaddr = ""; + if (substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:") { + // if backend is https, then enable SSLProxyEngine + $sslproxyengine = "SSLProxyEngine on"; + } else if (substr(trim($row['webserveripaddr']), 0, strlen("http:")) != "http:") { + // Ensure leading http(s):// + $normalised_ipaddr .= "http://"; + } + $normalised_ipaddr .= trim($row['webserveripaddr']); + $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n"; + // Ensure trailing / + if(substr($normalised_ipaddr,-1) != "/") { + $normalised_ipaddr .= "/"; + } + $backend_sites .= $normalised_ipaddr . " "; + $backend_sites_count++; + } + } + } + // Set general items + if($ams['siteemail']) + $serveradmin = $ams['siteemail']; + else + $serveradmin = $global_site_email; + if($ams['primarysitehostname']) + $primarysitehostname = $ams['primarysitehostname']; + $sitename = str_replace(" ", "", $ams['sitename']); + // Set local listening directive + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Is this item a load balancer + if($backend_sites_count>1) { + $balancer = true; + $mod_proxy .= "<Proxy balancer://{$sitename}>\n"; + $mod_proxy .= $balancer_members; + $mod_proxy .= "</Proxy>\n"; + $backend_sites = " balancer://{$sitename}/"; + $sitename = ""; // we are not using sitename in this case + } + // Set SSL items + if($ams['siteurl']) + $siteurl = $ams['siteurl']; + if($ams['certificatefile']) + $certificatefile = $ams['certificatefile']; + if($ams['certificatekeyfile']) + $certificatekeyfile = $ams['certificatekeyfile']; + if($ams['certificatechainfile']) + $certificatechainfile = $ams['certificatechainfile']; + // Begin VirtualHost + $mod_proxy .= "\n<VirtualHost {$local_ip_port}>\n"; + if($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) { + $mod_proxy .= " SSLEngine on\n"; + if ($certificatefile) + $mod_proxy .= " SSLCertificateFile /usr/local/etc/apache22/$certificatefile\n"; + if ($certificatekeyfile) + $mod_proxy .= " SSLCertificateKeyFile /usr/local/etc/apache22/$certificatekeyfile\n"; + if ($certificatechainfile) + $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n"; + } + if($sslproxyengine) + $mod_proxy .= " {$sslproxyengine}\n"; + if($additionalsitehostnames) + $mod_proxy .= " ServerAlias $additionalsitehostnames\n"; + if($serveradmin) + $mod_proxy .= " ServerAdmin $serveradmin\n"; + if($primarysitehostname) + $mod_proxy .= " ServerName $primarysitehostname \n"; + if($backend_sites) { + $mod_proxy .= " ProxyPassReverse /{$sitename} {$backend_sites}\n"; + $mod_proxy .= " ProxyPass / {$backend_sites}\n"; + } + if($ams['preserveproxyhostname']) + $mod_proxy .= " ProxyPreserveHost on\n"; + $mod_proxy .= "</VirtualHost>\n\n"; + // End VirtualHost + } + } + + if($config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']) + $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; + + // Process and include rules + if(is_dir(rules_directory)) { + $mod_security_rules = ""; + $files = return_dir_as_array(rules_directory); + foreach($files as $file) { + if(file_exists(rules_directory . "/" . $file)) { + // XXX: TODO integrate snorts rule on / off thingie + $file_txt = file_get_contents(rules_directory . "/" . $file); + $mod_security_rules .= $file_txt . "\n"; + } + } + } + + #include file templates + include ("/usr/local/pkg/apache.template"); + + file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); +} + +?> |