diff options
author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-09-18 00:58:45 -0300 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-09-18 00:58:45 -0300 |
commit | d3ff95f426054f64222e919f22f89a1e3066bb6e (patch) | |
tree | 09137f5bd1b50b2ec0c9290574b92dbe699e6a86 /config/apache_mod_security-dev | |
parent | d9da90aafffd420af84ac4dcf3fa4e779cb2faf3 (diff) | |
download | pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.tar.gz pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.tar.bz2 pfsense-packages-d3ff95f426054f64222e919f22f89a1e3066bb6e.zip |
apache2+modsecurity - new package gui devel version
need pbi to be rebuild to get apache worker options working
Diffstat (limited to 'config/apache_mod_security-dev')
15 files changed, 3768 insertions, 0 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template new file mode 100644 index 00000000..69ffb9c7 --- /dev/null +++ b/config/apache_mod_security-dev/apache.template @@ -0,0 +1,572 @@ +<?php + // Mod_security enabled? + if($settings['memcachesize'] != "0") { + if(file_exists( APACHEDIR ."/libexec/apache22/mod_memcache.so")) + $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n"; + } + +/* +<IfModule mod_security2.c> + + + # Turn the filtering engine On or Off + SecFilterEngine On + + # XXX Add knobs for these + SecRuleEngine On + SecRequestBodyAccess On + SecResponseBodyAccess On + + SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} + SecRequestBodyLimit {$secrequestbodylimit} + + {$mod_security_custom} + + SecResponseBodyMimeTypesClear + SecResponseBodyMimeType (null) text/plain text/html text/css text/xml + + # XXX Add knobs for these + SecUploadDir /var/spool/apache/private + SecUploadKeepFiles Off + + # The audit engine works independently and + # can be turned On of Off on the per-server or + # on the per-directory basis + SecAuditEngine {$secauditengine} + + # XXX Add knobs for these + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # XXX Add knobs for these + # Unicode encoding check + SecFilterCheckUnicodeEncoding On + + # XXX Add knobs for these + # Only allow bytes from this range + SecFilterForceByteRange 1 255 + + # Help prevent the effects of a Slowloris-type of attack + # $secreadstatelimit + + # Cookie format checks. + SecFilterCheckCookieFormat On + + # The name of the audit log file + SecAuditLog logs/audit_log + + #http-guardian Anti-dos protection + {$SecGuardianLog} + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # Include rules from rules/ directory + {$mod_security_rules} + +</IfModule> + +*/ + +$apache_dir=APACHEDIR; + $apache_config = <<<EOF +################################################################################## +# NOTE: This file was generated by the pfSense package management system. # +# Please do not edit this file by hand! If you need to add functionality # +# then edit /usr/local/pkg/apache_mod_security* files. # +# # +# And don't forget to submit your changes to coreteam@pfsense.org # +################################################################################### +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See <URL:http://httpd.apache.org/docs/2.2> for detailed information. +# In particular, see +# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html> +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log" +# with ServerRoot set to "/usr/local" will be interpreted by the +# server as "/usr/local//var/log/foo_log". + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to point the LockFile directive +# at a local disk. If you wish to share the same ServerRoot for multiple +# httpd daemons, you will need to change at least LockFile and PidFile. +# +ServerRoot "{$apache_dir}" + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the <VirtualHost> +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +Listen {$global_listen} +{$aliases} + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +# have to place corresponding `LoadModule' lines at this location so the +# LoadModule foo_module modules/mod_foo.so +LoadModule authn_file_module libexec/apache22/mod_authn_file.so +LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so +LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so +LoadModule authn_default_module libexec/apache22/mod_authn_default.so +LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so +LoadModule authz_host_module libexec/apache22/mod_authz_host.so +LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so +LoadModule authz_user_module libexec/apache22/mod_authz_user.so +LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so +LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so +LoadModule authz_default_module libexec/apache22/mod_authz_default.so +LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so +LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so +LoadModule file_cache_module libexec/apache22/mod_file_cache.so +LoadModule cache_module libexec/apache22/mod_cache.so +LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so +LoadModule dumpio_module libexec/apache22/mod_dumpio.so +LoadModule include_module libexec/apache22/mod_include.so +LoadModule filter_module libexec/apache22/mod_filter.so +LoadModule charset_lite_module libexec/apache22/mod_charset_lite.so +LoadModule deflate_module libexec/apache22/mod_deflate.so +LoadModule log_config_module libexec/apache22/mod_log_config.so +LoadModule logio_module libexec/apache22/mod_logio.so +LoadModule env_module libexec/apache22/mod_env.so +LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so +LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so +LoadModule expires_module libexec/apache22/mod_expires.so +LoadModule headers_module libexec/apache22/mod_headers.so +LoadModule usertrack_module libexec/apache22/mod_usertrack.so +LoadModule unique_id_module libexec/apache22/mod_unique_id.so +LoadModule setenvif_module libexec/apache22/mod_setenvif.so +LoadModule version_module libexec/apache22/mod_version.so +LoadModule proxy_module libexec/apache22/mod_proxy.so +LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so +LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so +LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so +LoadModule proxy_ajp_module libexec/apache22/mod_proxy_ajp.so +LoadModule proxy_balancer_module libexec/apache22/mod_proxy_balancer.so +LoadModule ssl_module libexec/apache22/mod_ssl.so +LoadModule mime_module libexec/apache22/mod_mime.so +LoadModule status_module libexec/apache22/mod_status.so +LoadModule autoindex_module libexec/apache22/mod_autoindex.so +LoadModule asis_module libexec/apache22/mod_asis.so +LoadModule info_module libexec/apache22/mod_info.so +LoadModule cgi_module libexec/apache22/mod_cgi.so +LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so +LoadModule negotiation_module libexec/apache22/mod_negotiation.so +LoadModule dir_module libexec/apache22/mod_dir.so +LoadModule imagemap_module libexec/apache22/mod_imagemap.so +LoadModule actions_module libexec/apache22/mod_actions.so +LoadModule speling_module libexec/apache22/mod_speling.so +LoadModule userdir_module libexec/apache22/mod_userdir.so +LoadModule alias_module libexec/apache22/mod_alias.so +LoadModule rewrite_module libexec/apache22/mod_rewrite.so +LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so +{$mod_mem_cache} + +<IfModule !mpm_netware_module> +<IfModule !mpm_winnt_module> +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User www +Group www + +</IfModule> +</IfModule> + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# <VirtualHost> definition. These values also provide defaults for +# any <VirtualHost> containers you may define later in the file. +# +# All of these directives may appear inside <VirtualHost> containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# +# worker MPM +<IfModule worker.c> +{$performance_settings} +</IfModule> +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin {$global_site_email} + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +ServerName {$servername} + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "{$apache_dir}/www/apache22" + +# +# Each directory to which Apache has access can be configured with respect +# to which services and features are allowed and/or disabled in that +# directory (and its subdirectories). +# +# First, we configure the "default" to be a very restrictive set of +# features. +# +<Directory /> + AllowOverride None + Order deny,allow + Deny from all +</Directory> + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# This should be changed to whatever you set DocumentRoot to. +# +#<Directory "{$apache_dir}/www/apachemodsecurity/"> +# # +# # Possible values for the Options directive are "None", "All", +# # or any combination of: +# # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews +# # +# # Note that "MultiViews" must be named *explicitly* --- "Options All" +# # doesn't give it to you. +# # +# # The Options directive is both complicated and important. Please see +# # http://httpd.apache.org/docs/2.2/mod/core.html#options +# # for more information. +# # +# Options Indexes FollowSymLinks +# +# # +# # AllowOverride controls what directives may be placed in .htaccess files. +# # It can be "All", "None", or any combination of the keywords: +# # Options FileInfo AuthConfig Limit +# # +# AllowOverride None +# +# # +# # Controls who can get stuff from this server. +# # +# Order allow,deny +# Allow from all +# +#</Directory> +# +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +#<IfModule dir_module> +# DirectoryIndex index.html +#</IfModule> +# +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +#<FilesMatch "^\.ht"> +# Order allow,deny +# Deny from all +# Satisfy All +#</FilesMatch> +# +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog "/var/log/httpd-error.log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +<IfModule log_config_module> + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + <IfModule logio_module> + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + </IfModule> + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a <VirtualHost> + # container, they will be logged here. Contrariwise, if you *do* + # define per-<VirtualHost> access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "/var/log/httpd-access.log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + CustomLog "/var/log/httpd-access.log" combined +</IfModule> + +#<IfModule alias_module> +# # +# # Redirect: Allows you to tell clients about documents that used to +# # exist in your server's namespace, but do not anymore. The client +# # will make a new request for the document at its new location. +# # Example: +# # Redirect permanent /foo http://www.example.com/bar +# +# # +# # Alias: Maps web paths into filesystem paths and is used to +# # access content that does not live under the DocumentRoot. +# # Example: +# # Alias /webpath /full/filesystem/path +# # +# # If you include a trailing / on /webpath then the server will +# # require it to be present in the URL. You will also likely +# # need to provide a <Directory> section to allow access to +# # the filesystem path. +# +# # +# # ScriptAlias: This controls which directories contain server scripts. +# # ScriptAliases are essentially the same as Aliases, except that +# # documents in the target directory are treated as applications and +# # run by the server when requested rather than as documents sent to the +# # client. The same rules about trailing "/" apply to ScriptAlias +# # directives as to Alias. +# # +# ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/" +# +#</IfModule> + +#<IfModule cgid_module> +# # +# # ScriptSock: On threaded servers, designate the path to the UNIX +# # socket used to communicate with the CGI daemon of mod_cgid. +# # +# #Scriptsock /var/run/cgisock +#</IfModule> + +# +# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# +#<Directory "{$apache_dir}/www/apache22/cgi-bin"> +# AllowOverride None +# Options None +# Order allow,deny +# Allow from all +#</Directory> + +# +# DefaultType: the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +DefaultType text/plainm + +<IfModule mime_module> + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig etc/apache22/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml +</IfModule> + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile etc/apache22/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: + +{$errordocument} + +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# +#EnableMMAP off +#EnableSendfile off + +# Supplemental configuration +# +# The configuration files in the etc/apache22/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. + +# Server-pool management (MPM specific) +#Include etc/apache22/extra/httpd-mpm.conf + +# Multi-language error messages +#Include etc/apache22/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include etc/apache22/extra/httpd-autoindex.conf + +# Language settings +#Include etc/apache22/extra/httpd-languages.conf + +# User home directories +#Include etc/apache22/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include etc/apache22/extra/httpd-info.conf + +# Virtual hosts +#Include etc/apache22/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include etc/apache22/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include etc/apache22/extra/httpd-dav.conf + +# Various default settings +#Include etc/apache22/extra/httpd-default.conf + +# Secure (SSL/TLS) connections +#Include etc/apache22/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# +<IfModule ssl_module> +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin +</IfModule> + +# Cache settings +{$mem_cache} +{$cache_root} + +#accf_http are not present on current build +AcceptFilter http none +AcceptFilter https none + +# Mod security +{$mod_security} + +# Proxysettings +{$mod_proxy} + +# Include anything else +Include etc/apache22/Includes/*.conf + +EOF; + +?>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_balancer.template b/config/apache_mod_security-dev/apache_balancer.template new file mode 100644 index 00000000..361a5ed4 --- /dev/null +++ b/config/apache_mod_security-dev/apache_balancer.template @@ -0,0 +1,40 @@ +<?php +$balancer_config= <<<EOF +################################################################################## +# NOTE: This file was generated by the pfSense package management system. # +# Please do not edit this file by hand! If you need to add functionality # +# then edit /usr/local/pkg/apache_* files. # +# # +# And don't forget to submit your changes to: # +# https://github.com/bsdperimeter/pfsense-packages # +################################################################################## +SetOutputFilter DEFLATE +SetInputFilter DEFLATE + +SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary +SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary +SetEnvIfNoCase Request_URI .pdf$ no-gzip dont-vary + +AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/js text/javascript + +DeflateCompressionLevel 9 + +ProxyVia On +ProxyRequests Off +ProxyTimeout 600 + +<Proxy *> + Order Deny,Allow + Allow from all +</Proxy> + +<ProxyMatch \.(?i:cmd|exe|bat|com|vb?|ida|printer|htr|iso)$> + Order allow,deny + deny from all +</ProxyMatch> + +Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED + + +EOF; +?>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml new file mode 100755 index 00000000..b3acba57 --- /dev/null +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -0,0 +1,199 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_balancer.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>apachebalancer</name> + <version>none</version> + <title>Apache reverse proxy: Internal Web Servers Pool</title> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + <active/> + </tab> + <tab> + <text>Virutal Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Alias</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Protocol</fielddescr> + <fieldname>Proto</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>apache Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>enable</fieldname> + <description>If this field is checked, then this server poll will be available for virtual hosts config.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Balancer name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this peer on apache conf<br> + example: www_site1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Peer Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Protocol</fielddescr> + <fieldname>proto</fieldname> + <description><![CDATA[Protocol listening on this internal server(s) port.]]></description> + <type>select</type> + <options> + <option> <name>HTTP</name> <value>http</value> </option> + <option> <name>HTTPS</name> <value>https</value> </option> + </options> + </field> +<field> + <fielddescr> + <![CDATA[Internal Servers]]> + </fielddescr> + <fieldname>additionalparameters</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>fqdn or ip</fielddescr> + <fieldname>host</fieldname> + <description>Internal site IP or Hostnamesite</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>port</fielddescr> + <fieldname>port</fieldname> + <description>Internal site port</description> + <type>input</type> + <size>4</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>routeid</fielddescr> + <fieldname>routeid</fieldname> + <description>id to define stick connections</description> + <type>input</type> + <size>4</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>weight</fielddescr> + <fieldname>loadfactor</fieldname> + <description>Server weight</description> + <type>input</type> + <size>4</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>ping</fielddescr> + <fieldname>ping</fieldname> + <description>Server ping test interval</description> + <type>input</type> + <size>4</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>ttl</fielddescr> + <fieldname>ttl</fieldname> + <description>Server pint ttl</description> + <type>input</type> + <size>4</size> + </rowhelperfield> + </rowhelper> + </field> + + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php new file mode 100644 index 00000000..256ff144 --- /dev/null +++ b/config/apache_mod_security-dev/apache_logs_data.php @@ -0,0 +1,195 @@ +<?php +/* ========================================================================== */ +/* + apache_logs_data.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ +# ------------------------------------------------------------------------------ +# Defines +# ------------------------------------------------------------------------------ +require_once("guiconfig.inc"); +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ + +if ($_GET) { + # Actions + $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_REQUEST['strfilter'])); + $logtype = strtolower($_REQUEST['logtype']); + + // Get log type (access or error) + if ($logtype == "error") + $error="-error"; + + // Define log file name + $logfile ='/var/log/httpd-'. preg_replace("/(\s|'|\"|;)/","",$_REQUEST['logfile']) . $error.'.log'; + + if ($logfile == '/var/log/httpd-access-error.log') + $logfile = '/var/log/httpd-error.log'; + + //debug + echo "<tr valign=\"top\">\n"; + echo "<td colspan=\"5\" class=\"listlr\" align=\"center\" nowrap >$logfile</td>\n"; + if (file_exists($logfile)){ + + switch ($logtype) { + + case 'access': + //show table headers + show_tds(array("Time","Host","Response","Method","Request")); + + //fetch lines + $logarr=fetch_log($logfile); + + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + /* + field 1: 189.29.36.26 + field 2: - + field 3: - + field 4: 04/Jul/2012 + field 5: 10:54:39 + field 6: -0300 + field 7: GET + field 8: / + field 9: HTTP/1.1 + field 10: 303 + field 11: - + field 12: - + field 13: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19 + */ + $regex = '/^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^\]]+)\] \"(\S+) (.*?) (\S+)\" (\S+) (\S+) "([^"]*)" "([^"]*)"$/'; + if (preg_match($regex, $logline[0],$line)) { + // Apply filter and color + if ($filter != "") + $line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line); + $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n"; + echo "<tr valign=\"top\" $agent_info>\n"; + echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[5]}({$line[6]})</td>\n"; + echo "<td class=\"listr\" align=\"center\">{$line[1]}</td>\n"; + echo "<td class=\"listr\" align=\"center\">{$line[10]}</td>\n"; + echo "<td class=\"listr\" align=\"center\">{$line[7]}</td>\n"; + //echo "<td class=\"listr\" width=\"*\" onmouseout=\"this.style.color = ''; domTT_mouseout(this, event);\" onmouseover=\"domTT_activate(this, event, 'content', '{$line[13]}', 'trail', true, 'delay', 0, 'fade', 'both', 'fadeMax', 87, 'styleClass', 'niceTitle');\">{$line[8]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$line[8]}</td>\n"; + echo "</tr>\n"; + } + } + break; + + case 'error': + //show table headers + show_tds(array("DateTime","Severity","Message")); + + //fetch lines + $logarr=fetch_log($logfile); + + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + /* + field 1: Wed Jul 04 20:22:28 2012 + field 2: error + field 3: 187.10.53.87 + field 4: proxy: DNS lookup failure for: 192.168.15.272 returned by / + */ + $regex = '/^\[([^\]]+)\] \[([^\]]+)\] (?:\[client ([^\]]+)\])?\s*(.*)$/i'; + if (preg_match($regex, $logline[0],$line)) { + // Apply filter and color + if ($filter != "") + $line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line); + + if ($line[3]) + $line[3] = gettext("Client address:") . " [{$line[3]}]"; + + echo "<tr valign=\"top\">\n"; + echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[1]}</td>\n"; + echo "<td class=\"listr\" align=\"center\">{$line[2]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$line[3]} {$line[4]}</td>\n"; + echo "</tr>\n"; + } + } + break; + } + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +// From SquidGuard Package +function html_autowrap($cont) +{ + # split strings + $p = 0; + $pstep = 25; + $str = $cont; + $cont = ''; + for ( $p = 0; $p < strlen($str); $p += $pstep ) { + $s = substr( $str, $p, $pstep ); + if ( !$s ) break; + $cont .= $s . "<wbr/>"; + } + return $cont; +} + +// Show Logs +function fetch_log($log){ + global $filter; + // Get Data from form post + $lines = $_REQUEST['maxlines']; + if (preg_match("/!/",htmlspecialchars($_REQUEST['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines}" , $logarr); + } + else { + exec("tail -r -n {$lines} {$log}", $logarr); + } + // return logs + return $logarr; +} + +function show_tds($tds){ + echo "<tr valign='top'>\n"; + foreach ($tds as $td){ + echo "<td class='listhdrr' align='center'>".gettext($td)."</td>\n"; + } + echo "</tr>\n"; +} + +?> diff --git a/config/apache_mod_security-dev/apache_logs_data.teste.php b/config/apache_mod_security-dev/apache_logs_data.teste.php new file mode 100644 index 00000000..c3f270bf --- /dev/null +++ b/config/apache_mod_security-dev/apache_logs_data.teste.php @@ -0,0 +1,186 @@ +<?php +/* ========================================================================== */ +/* + apache_logs_data.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ +# ------------------------------------------------------------------------------ +# Defines +# ------------------------------------------------------------------------------ +require_once("guiconfig.inc"); + +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ + +if ($_GET) { + # Actions + $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_GET['strfilter'])); + $logtype = strtolower($_GET['logtype']); + switch ($logtype) { + case 'access': + //192.168.15.227 - - [02/Jul/2012:19:57:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/0.9.8q (internal dummy connection)" + $regex = '/^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^\]]+)\] \"(\S+) (.*?) (\S+)\" (\S+) (\S+) "([^"]*)" "([^"]*)"$/i'; + + // Define log file + $log='/var/log/httpd-access.log'; + + //fetch lines + $logarr=fetch_log($log); + + /* + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + + echo $logline[0]."\n<br/>"; + } + */ + $x=1; + foreach ($logarr as $logent) { + + $logline = preg_split("/\n/", $logent); + if (preg_match($regex, $logline[0],$line)) { + echo "campo 1: $line[1] <br/>"; + echo "campo 2: $line[2] <br/>"; + echo "campo 3: $line[3] <br/>"; + echo "campo 4: $line[4] <br/>"; + echo "campo 5: $line[5] <br/>"; + echo "campo 6: $line[6] <br/>"; + echo "campo 7: $line[7] <br/>"; + echo "campo 8: $line[8] <br/>"; + echo "campo 9: $line[9] <br/>"; + echo "campo 10: $line[10] <br/>"; + echo "campo 11: $line[11] <br/>"; + echo "campo 12: $line[12] <br/>"; + echo "campo 13: $line[13] <br/>"; + } + echo "$x ===================<br>"; + $x++; + } + + + break; + + case 'error': + //[Wed Jul 04 20:22:28 2012] [error] [client 187.10.53.87] proxy: DNS lookup failure for: 192.168.15.272 returned by / + $regex = $regex = '/^\[([^\]]+)\] \[([^\]]+)\] (?:\[client ([^\]]+)\])?\s*(.*)$/i'; + + // Define log file + $log='/var/log/httpd-error.log'; + + //fetch lines + $logarr=fetch_log($log); + + /* + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + + echo $logline[0]."\n<br/>"; + } + */ + $x=1; + foreach ($logarr as $logent) { + + $logline = preg_split("/\n/", $logent); + if (preg_match($regex, $logline[0],$line)) { + echo "campo 1: $line[1] <br/>"; + echo "campo 2: $line[2] <br/>"; + echo "campo 3: $line[3] <br/>"; + echo "campo 4: $line[4] <br/>"; + echo "campo 5: $line[5] <br/>"; + echo "campo 6: $line[6] <br/>"; + echo "campo 7: $line[7] <br/>"; + echo "campo 8: $line[8] <br/>"; + echo "campo 9: $line[9] <br/>"; + echo "campo 10: $line[10] <br/>"; + echo "campo 11: $line[11] <br/>"; + echo "campo 12: $line[12] <br/>"; + echo "campo 13: $line[13] <br/>"; + } + echo "$x ===================<br>"; + $x++; + } + + + break; + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + + + +// Show Squid Logs +function fetch_log($log){ + global $filter; + // Get Data from form post + $lines = $_GET['maxlines']; + if (preg_match("/!/",htmlspecialchars($_GET['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines}" , $logarr); + } + else { + exec("tail -r -n {$lines} {$log}", $logarr); + } + // return logs + return $logarr; +} + + + +foreach ($config['installedpackages']['apachevirtualhost']['config'] as $virtualhost){ + if (is_array($virtualhost['row']) && $virtualhost['enable'] == 'on'){ + if (preg_match("/(\S+)/",base64_decode($virtualhost['primarysitehostname']),$matches)) { + echo $matches[1]."<br>"; + } + } +} +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc new file mode 100644 index 00000000..cdee4f6b --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -0,0 +1,653 @@ +<?php +/* + apache_mod_security.inc + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +// Check to find out on which system the package is running +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('APACHEDIR', '/usr/pbi/proxy_mod_security-' . php_uname("m")); +else + define('APACHEDIR', '/usr/local'); +// End of system check +define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +// Rules directory location +define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +function apache_textarea_decode($base64){ + return preg_replace("/\r\n/","\n",base64_decode($base64)); +} + +function apache_get_real_interface_address($iface) { + global $config; + if ($iface == "All") + return array("*", ""); + if (preg_match("/\d+\.\d+/",$iface)) + return array($iface, ""); + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + return array($ip, long2ip(hexdec($netmask))); +} + +// Ensure NanoBSD can write. pkg_mgr will remount RO +conf_mount_rw(); + +// Needed mod_security directories +if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) + safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); + +// Startup function +function apache_mod_security_start() { + exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); +} + +// Shutdown function +function apache_mod_security_stop() { + exec(APACHEDIR . "/sbin/httpd -k stop"); +} + +// Restart function +function apache_mod_security_restart() { + if(is_process_running("httpd")) { + exec(APACHEDIR . "/sbin/httpd -k graceful"); + } else { + apache_mod_security_start(); + } +} + +// Install function +function apache_mod_security_install() { + global $config, $g; + + // We might be reinstalling and a configuration + // already exists. + generate_apache_configuration(); + + $filename = "apache_mod_security.sh"; + + $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP + <?php + require_once(\"functions.inc\"); + require_once(\"/usr/local/pkg/apache_mod_security.inc\"); + apache_mod_security_start(); + ?> +ENDPHP\n"; + + $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP + <?php + require_once(\"functions.inc\"); + require_once(\"/usr/local/pkg/apache_mod_security.inc\"); + apache_mod_security_stop(); + ?> +ENDPHP\n"; + + write_rcfile(array( + "file" => $filename, + "start" => $start, + "stop" => $stop + ) + ); +} + +// Deinstall package routines +function apache_mod_security_deinstall() { + global $config, $g; + apache_mod_security_stop(); + exec("/bin/rm -rf " . APACHEDIR . "/". MODSECURITY_DIR); + exec("/bin/rm -f /usr/local/etc/rc.d/apache_mod_security.sh"); +} + +// Regenerate apache configuration and handle server restart +function apache_mod_security_resync() { + global $config, $g; + apache_mod_security_install(); + $dirs=array("base", "experimental","optional", "slr"); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) + exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + $write_config=0; + foreach ($dirs as $dir){ + if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); + } + } + if ($write_config > 0) + write_config(); + apache_mod_security_checkconfig(); + apache_mod_security_restart(); +} + +function apache_mod_security_checkconfig() { + global $config, $g; + $status = mwexec(APACHEDIR ."/sbin/httpd -t"); + if($status) { + $input_error = "apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"; + log_error("apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"); + } +} + +// Generate mod_proxy specific configuration +function generate_apache_configuration() { + global $config, $g; + $mod_proxy = ""; + $write_config=0; + // check current config + if (is_array($config['installedpackages']['apachesettings'])) + $settings=$config['installedpackages']['apachesettings']['config'][0]; + else + $setting=sarray(); + + // Set global site e-mail + if ($settings['globalsiteadminemail']){ + $global_site_email = $settings['globalsiteadminemail']; + } + else { + $global_site_email = "admin@admin.com"; + $config['installedpackages']['apachesettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com"; + // update configuration with default value in this case + log_error("apache_mod_security_package: WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address."); + $write_config ++; + } + + // Set ServerName + if($settings['hostname'] != ""){ + $servername = $settings['hostname']; + } + else { + $servername = php_uname('n'); + $config['installedpackages']['apachesettings']['config'][0]['hostname'] = `hostname`; + // update configuration with default value in this case + $write_config ++; + } + + //check if servername has an valid ip + $ip=gethostbyname(php_uname('n')); + if ($ip==php_uname('n')){ + $error='apache_mod_security_package: Apache cannot start, hostname does not resolv. You can workaround this if you add a dns entry for '.php_uname('n').' or add a Host Overrides entry on services -> Dns Forwarder pointing '.php_uname('n').' to 127.0.0.1.'; + log_error($error); + file_notice("apache_mod_security", $error, "apache_mod_security", ""); + } + // Set global listening directive and ensure nothing is listening on this port already + $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $globalbind_port = $settings['globalbindtoport']; + if ($globalbind_port == ""){ + $globalbind_port ="80"; + $config['installedpackages']['apachesettings']['config'][0]['globalbindtoipport'] = $globalbind_port; + $write_config ++; + } + $global_listen ="{$globalbind_ip}:{$globalbind_port}"; + // update configuration with default value in this case + if ($write_config > 0) + write_config(); + + // check if any daemon is using apache ip/port + exec("/usr/bin/sockstat | grep -v ' httpd ' | awk '{ print $6 }' | grep ':{$globalbind_port}'",$socksstat); + unset ($already_binded); + if(is_array($socksstat)) { + foreach($socksstat as $ss) { + list($ss_ip,$ss_port)=explode(":",$ss); + #check if port is in use + if($ss_port == $globalbind_port) { + #check if it's the same ip or any ip + if ($globalbind_ip = "*" || $globalbind_ip == $ss_ip) + $already_binded = true; + $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}"; + } + } + } + if(isset($already_binded)) + log_error("apache_mod_security_package: Could not start daemon on port {$global_listen}. Another process is already bound to this port."); + + //performance settings + //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html + $performance_settings="KeepAlive {$settings['keepalive']}\n"; + if ($settings['maxkeepalivereq']) + $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; + if ($settings['keepalivetimeout']) + $performance_settings .= "KeepAliveTimeout {$settings['keepalivetimeout']}\n"; + if ($settings['serverlimit']) + $performance_settings .= "ServerLimit {$settings['serverlimit']}\n"; + if ($settings['startservers']) + $performance_settings .= "StartServers {$settings['startservers']}\n"; + if ($settings['minsparethreads']) + $performance_settings .= "MinSpareThreads {$settings['minsparethreads']}\n"; + if ($settings['maxsparethreads']) + $performance_settings .= "MaxSpareThreads {$settings['maxsparethreads']}\n"; + if ($settings['threadslimit']) + $performance_settings .= "ThreadsLimit {$settings['threadslimit']}\n"; + if ($settings['threadstacksize']) + $performance_settings .= "ThreadStackSize {$settings['threadstacksize']}\n"; + if ($settings['threadsperchild']) + $performance_settings .= "ThreadsPerChild {$settings['threadsperchild']}\n"; + if ($settings['maxclients']) + $performance_settings .= "MaxClients {$settings['maxclients']}\n"; + if ($settings['maxrequestsperchild']) + $performance_settings .= "MaxRequestsPerChild {$settings['maxrequestsperchild']}\n"; + + // Setup mem_cache + if(file_exists(APACHEDIR ."/libexec/apache22/mod_memcache.so") && $settings['memcachesize'] != "0") { + //$mem_cache = "MCacheSize ".( $settings['memcachesize'] ? $settings['memcachesize'] : "100")."\n"; + } + + // CacheRoot Directive + if($settings['diskcachesize'] != "0") { + safe_mkdir("/var/db/apachemodsecuritycache"); + $cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n"; + $cache_root .= "CacheMaxFileSize ".($settings['diskcachesize'] ? $settings['diskcachesize'] : "1000000")."\n"; + } + + // SecRequestBodyInMemoryLimit Directive + $secrequestbodyinmemorylimit = ($settings['secrequestbodyinmemorylimit'] ? $settings['secrequestbodyinmemorylimit'] : "131072"); + + // SecRequestBodyLimit + $secrequestbodylimit = ($settings['secrequestbodylimit'] ? $settings['secrequestbodylimit'] :"10485760"); + + // ErrorDocument + $errordocument = ($settings['errordocument'] ? $settings['errordocument'] : ""); + + // SecAuditEngine + $secauditengine = ($settings['secauditengine'] ? $settings['secauditengine'] : "RelevantOnly"); + + // SecReadStateLimit + $secreadstatelimit = ($settings['SecReadStateLimit'] ? $settings['SecReadStateLimit'] :""); + + //Configure balancers/backends + if (is_array($config['installedpackages']['apachebalancer'])){ + #load conf template + include("/usr/local/pkg/apache_balancer.template"); + + #check balancer members + foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){ + if (is_array($balancer['row']) && $balancer['enable'] == 'on'){ + $balancer_config.="# {$balancer['description']}\n"; + $balancer_config.="<Proxy balancer://{$balancer['name']}>\n"; + foreach($balancer['row'] as $server){ + $options =($server['port'] ? ":{$server['port']}" : ""); + + $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); + $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); + if (isset($server['ping'])){ + $options.= " ping={$server['ping']}"; + $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); + } + $balancer_config.=" BalancerMember {$balancer['proto']}://{$server['host']}{$options}\n"; + } + #check if stick connections are set + if ($balancer['row'][0]['routeid'] !="") + $balancer_config.=" ProxySet stickysession=ROUTEID\n"; + $balancer_config.="</Proxy>\n\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); + } + + //configure virtual hosts + if (is_array($config['installedpackages']['apachevirtualhost'])){ + $vh_config= <<<EOF +################################################################################## +# NOTE: This file was generated by the pfSense package management system. # +# Please do not edit this file by hand! If you need to add functionality # +# then edit /usr/local/pkg/apache_* files. # +# # +# And don't forget to submit your changes to: # +# https://github.com/bsdperimeter/pfsense-packages # +################################################################################## + + +EOF; + $default_port=array('http'=>'80', 'https'=> '443'); + foreach ($config['installedpackages']['apachevirtualhost']['config'] as $virtualhost){ + if (is_array($virtualhost['row']) && $virtualhost['enable'] == 'on'){ + $iface_address = apache_get_real_interface_address($virtualhost['interface']); + $ip=$iface_address[0]; + $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + $vh_config.="# {$virtualhost['description']}\n"; + $vh_config.="<VirtualHost {$ip}:{$port}>\n"; + $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; + $vh_config.=" ServerAdmin ".($virtualhost['siteemail'] ? $virtualhost['siteemail'] : $settings['globalsiteadminemail'])."\n"; + #check log + switch ($virtualhost['logfile']){ + case "default": + $vh_config.=" ErrorLog /var/log/httpd-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd.log combined\n"; + break; + case "create": + if(preg_match("/(\S+)/",base64_decode($virtualhost['primarysitehostname']),$matches)) + $vh_config.=" ErrorLog /var/log/httpd-{$matches[1]}-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd-{$matches[1]}.log combined\n"; + break; + } + + if($virtualhost['preserveproxyhostname']) + $vh_config .= " ProxyPreserveHost on\n"; + + #check ssl + if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") { + $vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n"; + $vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"; + + $svr_cert = lookup_cert($virtualhost["ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX); + $vh_config.= " SSLCertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt\n"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key",apache_textarea_decode($svr_cert['prv']),LOCK_EX); + $vh_config.= " SSLCertificateKeyFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key\n"; + } + } + $svr_ca =lookup_ca($virtualhost["reverse_int_ca"]); + if ($svr_ca != false) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($svr_ca['crt']),LOCK_EX); + $vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt\n"; + } + } + #Custom Options + $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; + + #Check virtualhost locations + foreach ($virtualhost['row'] as $backend){ + $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } + } + } + $vh_config.=" </Location>\n\n"; + } + $vh_config.="</VirtualHost>\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/virtualhosts.conf",$vh_config,LOCK_EX); + } + // check/fix perl version on mod_security util files + $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); + foreach ($perl_files as $perl_file){ + $file_path=rules_directory."/util/"; + if (file_exists($file_path.$perl_file)){ + $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); + file_put_contents($file_path.$perl_file,$script,LOCK_EX); + } + } + // check/fix spread libs location + $perl_libs= array("libspread.a","libspread.so.1"); + foreach ($perl_libs as $perl_lib){ + $file_path=APACHEDIR."/lib/"; + if (!file_exists("/lib/".$perl_lib) && file_exists("{$file_path}{$perl_lib}")){ + copy("{$file_path}{$perl_lib}","/lib/{$perl_lib}"); + if ($perl_lib == "libspread.so.1") + copy("{$file_path}{$perl_lib}","/lib/libspread.so"); + } + } + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; + } + + //fix http-guardian.pl block bins + //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; + //if (file_exists("/lib/".$perl_lib) && file_exists($file_path.$perl_lib)){ + + //old code + $mod_proxy .= <<<EOF + +# Off when using ProxyPass +ProxyRequests off + +<Proxy *> + Order deny,allow + Allow from all +</Proxy> + +EOF; + + /* + ##################################################### + # Format for the Proxy servers: + # Please do not delete these from the source file + # in any "cleanups" that you feel you are performing. + # They are here for sanity checking the code. + #----------------1 backend ip--------------------- + #<VirtualHost IP:port> + # ServerAdmin $serveradmin + # ServerName $primarysitehostname + # ServerAlias $additionalsitehostnames + # ProxyPass / $backendwebserverURL + # ProxyPassReverse / $backendwebserverURL + #</VirtualHost> + #where serveralias will be a space-separated list of "additional site hostnames" + #i.e. if you have www1.example.com and www2.example.com there, it's "ServerAlias www1.example.com www2.example.com" + #------------------------------------------------- + #------------mutliple backend ips----------------- + # Add: + #<Proxy balancer://$sitename> + # BalancerMember $backend1 + # BalancerMember $backend2 + #</Proxy> + # Change: + # ProxyPass / balancer://$sitename/ + # ProxyPassReverse / balancer://$sitename/ + #------------------------------------------------- + ##################################################### + */ + $mod_proxy .= "\n"; + + $configuredaliases = array(); + // Read already configured addresses + if (is_array($settings['row'])){ + foreach($settings['row'] as $row) { + if ($row['ipaddress'] && $row['ipport']) + $configuredaliases[] = $row; + } + } + + // clear list of bound addresses before updating + $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); + + // Process proxy sites + // Configure NameVirtualHost directives + $aliases = ""; + $processed = array(); + if(is_array($config['installedpackages']['apachemodsecurity'])) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Do not add entries twice. + if(!in_array($local_ip_port, $processed)) { + // explicit bind if not global ip:port + if ($local_ip_port != $global_listen) { + $aliases .= "Listen $local_ip_port\n"; + // Automatically add this to configuration + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); + } + $mod_proxy .= "NameVirtualHost $local_ip_port\n"; + $processed[] = $local_ip_port; + } + } + } + +//** Uncomment to allow adding ip/ports not used by any site proxies +//** Otherwise unused addresses/ports will be automatically deleted from the configuration +// foreach ($configuredaliases as $ams) { +// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; +// if(!in_array($local_ip_port, $processed)) { +// // explicit bind if not global ip:port +// if ($local_ip_port != $global_listen) { +// $aliases .= "Listen $local_ip_port\n"; +// // Automatically add this to configuration +// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); +// } +// } +// } + + // update configuration with actual ip bindings + write_config($pkg['addedit_string']); + + + // Setup mod_proxy entries $mod_proxy + if($config['installedpackages']['apachemodsecurity']) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + // Set rowhelper used variables + $additionalsitehostnames = ""; + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['additionalsitehostnames']) + $additionalsitehostnames .= "{$row['additionalsitehostnames']} "; + } + } + $backend_sites = ""; + $sslproxyengine = ""; + $backend_sites_count = 0; + $balancer_members = ""; // not technically needed. + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['webserveripaddr']) { + $normalised_ipaddr = ""; + if (substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:") { + // if backend is https, then enable SSLProxyEngine + $sslproxyengine = "SSLProxyEngine on"; + } else if (substr(trim($row['webserveripaddr']), 0, strlen("http:")) != "http:") { + // Ensure leading http(s):// + $normalised_ipaddr .= "http://"; + } + $normalised_ipaddr .= trim($row['webserveripaddr']); + $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n"; + // Ensure trailing / + if(substr($normalised_ipaddr,-1) != "/") { + $normalised_ipaddr .= "/"; + } + $backend_sites .= $normalised_ipaddr . " "; + $backend_sites_count++; + } + } + } + // Set general items + if($ams['siteemail']) + $serveradmin = $ams['siteemail']; + else + $serveradmin = $global_site_email; + if($ams['primarysitehostname']) + $primarysitehostname = $ams['primarysitehostname']; + $sitename = str_replace(" ", "", $ams['sitename']); + // Set local listening directive + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Is this item a load balancer + if($backend_sites_count>1) { + $balancer = true; + $mod_proxy .= "<Proxy balancer://{$sitename}>\n"; + $mod_proxy .= $balancer_members; + $mod_proxy .= "</Proxy>\n"; + $backend_sites = " balancer://{$sitename}/"; + $sitename = ""; // we are not using sitename in this case + } + // Set SSL items + if($ams['siteurl']) + $siteurl = $ams['siteurl']; + if($ams['certificatefile']) + $certificatefile = $ams['certificatefile']; + if($ams['certificatekeyfile']) + $certificatekeyfile = $ams['certificatekeyfile']; + if($ams['certificatechainfile']) + $certificatechainfile = $ams['certificatechainfile']; + // Begin VirtualHost + $mod_proxy .= "\n<VirtualHost {$local_ip_port}>\n"; + if($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) { + $mod_proxy .= " SSLEngine on\n"; + if ($certificatefile) + $mod_proxy .= " SSLCertificateFile /usr/local/etc/apache22/$certificatefile\n"; + if ($certificatekeyfile) + $mod_proxy .= " SSLCertificateKeyFile /usr/local/etc/apache22/$certificatekeyfile\n"; + if ($certificatechainfile) + $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n"; + } + if($sslproxyengine) + $mod_proxy .= " {$sslproxyengine}\n"; + if($additionalsitehostnames) + $mod_proxy .= " ServerAlias $additionalsitehostnames\n"; + if($serveradmin) + $mod_proxy .= " ServerAdmin $serveradmin\n"; + if($primarysitehostname) + $mod_proxy .= " ServerName $primarysitehostname \n"; + if($backend_sites) { + $mod_proxy .= " ProxyPassReverse /{$sitename} {$backend_sites}\n"; + $mod_proxy .= " ProxyPass / {$backend_sites}\n"; + } + if($ams['preserveproxyhostname']) + $mod_proxy .= " ProxyPreserveHost on\n"; + $mod_proxy .= "</VirtualHost>\n\n"; + // End VirtualHost + } + } + + if($config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']) + $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; + + // Process and include rules + if(is_dir(rules_directory)) { + $mod_security_rules = ""; + $files = return_dir_as_array(rules_directory); + foreach($files as $file) { + if(file_exists(rules_directory . "/" . $file)) { + // XXX: TODO integrate snorts rule on / off thingie + $file_txt = file_get_contents(rules_directory . "/" . $file); + $mod_security_rules .= $file_txt . "\n"; + } + } + } + + #include file templates + include ("/usr/local/pkg/apache.template"); + + file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); +} + +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template new file mode 100644 index 00000000..e5a2c864 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security.template @@ -0,0 +1,210 @@ +<?php + // Mod_security enabled? + if($modsec_settings['enablemodsecurity']) { + $enable_mod_security = true; + $mod_security = <<< EOF +# -- Rule engine initialization ---------------------------------------------- + +# Enable ModSecurity, attaching it to every transaction. Use detection +# only to start with, because that minimises the chances of post-installation +# disruption. +# +SecRuleEngine DetectionOnly + + +# -- Request body handling --------------------------------------------------- + +# Allow ModSecurity to access request bodies. If you don't, ModSecurity +# won't be able to see any POST parameters, which opens a large security +# hole for attackers to exploit. +# +SecRequestBodyAccess On + + +# Enable XML request body parser. +# Initiate XML Processor in case of xml content-type +# +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + + +# Maximum request body size we will accept for buffering. If you support +# file uploads then the value given on the first line has to be as large +# as the largest file you are willing to accept. The second value refers +# to the size of data, with files excluded. You want to keep that value as +# low as practical. +# +SecRequestBodyLimit 13107200 +SecRequestBodyNoFilesLimit 131072 + +# Store up to 128 KB of request body data in memory. When the multipart +# parser reachers this limit, it will start using your hard disk for +# storage. That is slow, but unavoidable. +# +SecRequestBodyInMemoryLimit 131072 + +# What do do if the request body size is above our configured limit. +# Keep in mind that this setting will automatically be set to ProcessPartial +# when SecRuleEngine is set to DetectionOnly mode in order to minimize +# disruptions when initially deploying ModSecurity. +# +SecRequestBodyLimitAction Reject + +# Verify that we've correctly processed the request body. +# As a rule of thumb, when failing to process a request body +# you should reject the request (when deployed in blocking mode) +# or log a high-severity alert (when deployed in detection-only mode). +# +SecRule REQBODY_ERROR "!@eq 0" \ +"phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + +# By default be strict with what we accept in the multipart/form-data +# request body. If the rule below proves to be too strict for your +# environment consider changing it to detection-only. You are encouraged +# _not_ to remove it altogether. +# +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ +"phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ +failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_SEMICOLON_MISSING}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + +# Did we see anything that might be a boundary? +# +SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ +"phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + +# PCRE Tuning +# We want to avoid a potential RegEx DoS condition +# +SecPcreMatchLimit 1000 +SecPcreMatchLimitRecursion 1000 + +# Some internal errors will set flags in TX and we will need to look for these. +# All of these are prefixed with "MSC_". The following flags currently exist: +# +# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. +# +SecRule TX:/^MSC_/ "!@streq 0" \ + "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + +# -- Response body handling -------------------------------------------------- + +# Allow ModSecurity to access response bodies. +# You should have this directive enabled in order to identify errors +# and data leakage issues. +# +# Do keep in mind that enabling this directive does increases both +# memory consumption and response latency. +# +SecResponseBodyAccess On + +# Which response MIME types do you want to inspect? You should adjust the +# configuration below to catch documents but avoid static files +# (e.g., images and archives). +# +SecResponseBodyMimeType text/plain text/html text/xml + +# Buffer response bodies of up to 512 KB in length. +SecResponseBodyLimit 524288 + +# What happens when we encounter a response body larger than the configured +# limit? By default, we process what we have and let the rest through. +# That's somewhat less secure, but does not break any legitimate pages. +# +SecResponseBodyLimitAction ProcessPartial + + +# -- Filesystem configuration ------------------------------------------------ + +# The location where ModSecurity stores temporary files (for example, when +# it needs to handle a file upload that is larger than the configured limit). +# +# This default setting is chosen due to all systems have /tmp available however, +# this is less than ideal. It is recommended that you specify a location that's private. +# +SecTmpDir /tmp/ + +# The location where ModSecurity will keep its persistent data. This default setting +# is chosen due to all systems have /tmp available however, it +# too should be updated to a place that other users can't access. +# +SecDataDir /tmp/ + + +# -- File uploads handling configuration ------------------------------------- + +# The location where ModSecurity stores intercepted uploaded files. This +# location must be private to ModSecurity. You don't want other users on +# the server to access the files, do you? +# +#SecUploadDir /opt/modsecurity/var/upload/ + +# By default, only keep the files that were determined to be unusual +# in some way (by an external inspection script). For this to work you +# will also need at least one file inspection rule. +# +#SecUploadKeepFiles RelevantOnly + +# Uploaded files are by default created with permissions that do not allow +# any other user to access them. You may need to relax that if you want to +# interface ModSecurity to an external program (e.g., an anti-virus). +# +#SecUploadFileMode 0600 + + +# -- Debug log configuration ------------------------------------------------- + +# The default debug log configuration is to duplicate the error, warning +# and notice messages from the error log. +# +#SecDebugLog /opt/modsecurity/var/log/debug.log +#SecDebugLogLevel 3 + + +# -- Audit log configuration ------------------------------------------------- + +# Log the transactions that are marked by a rule, as well as those that +# trigger a server error (determined by a 5xx or 4xx, excluding 404, +# level response status codes). +# +SecAuditEngine RelevantOnly +SecAuditLogRelevantStatus "^(?:5|4(?!04))" + +# Log everything we know about a transaction. +SecAuditLogParts ABIJDEFHZ + +# Use a single file for logging. This is much easier to look at, but +# assumes that you will use the audit log only ocassionally. +# +SecAuditLogType Serial +SecAuditLog /var/log/modsec_audit.log + +# Specify the path for concurrent audit logging. +#SecAuditLogStorageDir /opt/modsecurity/var/audit/ + + +# -- Miscellaneous ----------------------------------------------------------- + +# Use the most commonly used application/x-www-form-urlencoded parameter +# separator. There's probably only one application somewhere that uses +# something else so don't expect to change this value. +# +SecArgumentSeparator & + +# Settle on version 0 (zero) cookies, as that is what most applications +# use. Using an incorrect cookie version may open your installation to +# evasion attacks (against the rules that examine named cookies). +# +SecCookieFormat 0 + diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml new file mode 100644 index 00000000..92b41243 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml @@ -0,0 +1,211 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_mod_security_settings.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2008, 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>apachemodsecuritygroups</name> + <version>1.0</version> + <title>Services: Mod_Security+Apache+Proxy: Settings</title> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Module options</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Rule Groups</text> + <url>/pkg.php?xml=apache_mod_security_groups.xml</url> + <tab_level>2</tab_level> + <active/> + </tab> + <tab> + <text>Rule Manipulation</text> + <url>/pkg.php?xml=apache_mod_security_manipulation.xml</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Modsecurity group options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter group name</description> + <type>input</type> + <size>25</size> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter group description</description> + <type>input</type> + <size>45</size> + </field> + <field> + <fielddescr>Base Rules</fielddescr> + <fieldname>baserules</fieldname> + <description><![CDATA[Select Modsecurity Base rules to apply (all are recommended)<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['modsecurityfilesbase']['config']]]></source> + <source_name>file</source_name> + <source_value>file</source_value> + <multiple/> + <size>10</size> + </field> + <field> + <fielddescr>Optional Rules</fielddescr> + <fieldname>optionalrules</fieldname> + <description><![CDATA[Select Modsecurity Optional rules to apply<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['modsecurityfilesoptional']['config']]]></source> + <source_name>file</source_name> + <source_value>file</source_value> + <multiple/> + <size>10</size> + </field> + <field> + <fielddescr>SLR Rules</fielddescr> + <fieldname>slrrules</fieldname> + <description><![CDATA[Select Modsecurity SLR rules to apply<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['modsecurityfilesslr']['config']]]></source> + <source_name>file</source_name> + <source_value>file</source_value> + <multiple/> + <size>10</size> + </field> + <field> + <fielddescr>Experimental Rules</fielddescr> + <fieldname>experimentalrules</fieldname> + <description><![CDATA[Select Modsecurity Experimental rules to apply<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['modsecurityfilesexperimental']['config']]]></source> + <source_name>file</source_name> + <source_value>file</source_value> + <multiple/> + <size>10</size> + </field> + <field> + <name>Modsecurity Logging options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Logging engine.</fielddescr> + <fieldname>secauditengine</fieldname> + <description>Configures ModSecurity audit logging engine.</description> + <type>select</type> + <options> + <option><name>RelevantOnly</name><value>RelevantOnly</value></option> + <option><name>All</name><value>On</value></option> + <option><name>Off</name><value>Off</value></option> + </options> + </field> + <field> + <fielddescr>Debug log file.</fielddescr> + <fieldname>SecDebugLogLevel</fieldname> + <description><![CDATA[Configures the verboseness of the debug log data.<br> + High logging levels are not recommended in production as it affects performance.]]> + </description> + <type>select</type> + <options> + <option><name>No logging (Default for performance)</name><value>0</value></option> + <option><name>Errors (intercepted requests) only</name><value>1</value></option> + <option><name>Warnings</name><value>2</value></option> + <option><name>Notices (Recommended for logging)</name><value>3</value></option> + <option><name>Details of how transactions are handled</name><value>4</value></option> + <option><name>As above, but including information about each piece of information handled</name><value>5</value></option> + <option><name>log everything, including very detailed debugging information</name><value>9</value></option> + </options> + </field> + + <field> + <name>Custom options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom mod_security ErrorDocument</fielddescr> + <fieldname>errordocument</fieldname> + <description></description> + <type>textarea</type> + <rows>10</rows> + <cols>75</cols> + </field> + <field> + <fielddescr>Custom mod_security rules</fielddescr> + <fieldname>modsecuritycustom</fieldname> + <description>Paste any custom mod_security rules that you would like to use</description> + <type>textarea</type> + <rows>10</rows> + <cols>75</cols> + </field> + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml new file mode 100644 index 00000000..54738d83 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -0,0 +1,144 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_mod_security_manipulation.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2008, 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>apachemodsecuritymanipulation</name> + <version>1.0</version> + <title>Services: Mod_Security+Apache+Proxy: Settings</title> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Module options</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Rule Groups</text> + <url>/pkg.php?xml=apache_mod_security_groups.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Rule Manipulation</text> + <url>/pkg.php?xml=apache_mod_security_manipulation.xml</url> + <tab_level>2</tab_level> + <active/> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Modsecurity group options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter group name</description> + <type>input</type> + <size>25</size> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter group description</description> + <type>input</type> + <size>45</size> + </field> + <field> + <fielddescr> + <![CDATA[Location(s)]]> + </fielddescr> + <fieldname>locations</fieldname> + <description><![CDATA[<br><strong>Rule Manipulation Samples:</strong><br><br> + SecRuleRemoveById 125<br> + SecRuleRemoveById 125-128<br> + SecRuleRemoveByMsg "Client error occurred"<br> + SecRuleUpdateActionById 125 pass<br> + SecRuleUpdateTargetsById 125 "!ARGS:username"]]></description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[Type]]></fielddescr> + <fieldname>type</fieldname> + <description><![CDATA[Select the type of change you want to apply on this group.]]></description> + <type>select</type> + <options> + <option><name>Remove Rule By Id</name><value>SecRuleRemoveById</value></option> + <option><name>Remove Rule By Message</name><value>SecRuleRemoveByMsg</value></option> + <option><name>Update Action By Id</name><value>SecRuleUpdateActionById</value></option> + <option><name>Update Target By Id</name><value>SecRuleUpdateTargetsById</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[Value]]></fielddescr> + <fieldname>value</fieldname> + <description><![CDATA[Input the change value you want to apply on selected action.]]></description> + <type>input</type> + <size>30</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml new file mode 100644 index 00000000..985f6bcc --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml @@ -0,0 +1,167 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_mod_security_settings.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2008, 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>apachemodsecuritysettings</name> + <version>1.0</version> + <title>Services: Mod_Security+Apache+Proxy: Settings</title> + <aftersaveredirect>pkg_edit.php?xml=apache_mod_security_settings.xml&id=0</aftersaveredirect> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Module options</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <active/> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Rule Groups</text> + <url>/pkg.php?xml=apache_mod_security_groups.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Rule Manipulation</text> + <url>/pkg.php?xml=apache_mod_security_manipulation.xml</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <fields> + <field> + <name>Security options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>ModSecurity protection</fielddescr> + <fieldname>enablemodsecurity</fieldname> + <description><![CDATA[Enables ModSecurity protection for sites being proxied by apache<br> + More info about ModSecurity can be found here: http://www.modsecurity.org/]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable Backend Compression</fielddescr> + <fieldname>secbackendcompression</fieldname> + <description><![CDATA[Disables backend compression while leaving the frontend compression enabled.<br> + This directive is mandatory in reverse proxy mode to ModSecurity be able to inspect response bodies.]]></description> + <type>select</type> + <options> + <option><name>On (Highly recommended)</name><value>on</value></option> + <option><name>Off</name><value>Of</value></option> + </options> + </field> + <field> + <fielddescr>Max request per IP</fielddescr> + <fieldname>SecReadStateLimit</fieldname> + <description> + //274 + <![CDATA[This option limits number of POSTS accepted from same IP address and help prevent the effects of a Slowloris-type of attack.<br> + More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris + ]]> + </description> + <type>input</type> + <size>10</size> + </field> + <field> + <fielddescr>Maximum request body size in memory.</fielddescr> + <fieldname>secrequestbodyinmemorylimit</fieldname> + <description>Configures the maximum request body size ModSecurity will store in memory.</description> + <type>input</type> + <size>10</size> + </field> + <field> + <fielddescr>Maximum request body size for buffering.</fielddescr> + <fieldname>secrequestbodylimit</fieldname> + <description>Configures the maximum request body size ModSecurity will accept for buffering.</description> + <type>input</type> + <size>10</size> + </field> + <field> + <name>Modsecurity addons</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Http-guardian.pl</fielddescr> + <fieldname>enablehttpdguardian</fieldname> + <description><![CDATA[http-guardian script is designed to monitor all web server requests through the piped logging mechanism. + It keeps track of the number of requests sent from each IP address. Request speed is calculated at 1 minute and 5 minute intervals. + Once a threshold is reached, httpd-guardian can either emit a warning or execute a script to block the IP address.<br> + NOTE: In order for this script to be effective it must be able to see all requests coming to the web server, so no per-virtual host option for this script.]]></description> + <type>select</type> + <options> + <option><name>Disable</name><value></value></option> + <option><name>Enable and block when threshold is reached</name><value>block</value></option> + <option><name>Enable but just log when threshold is reached</name><value>log</value></option> + </options> + </field> + <field> + <fielddescr>Threshold 1min</fielddescr> + <fieldname>threshold1min</fieldname> + <description> + <![CDATA[Max. speed allowed, in requests per second measured over a 1-minute period.]]> + </description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Threshold 5min</fielddescr> + <fieldname>threshold5min</fieldname> + <description> + <![CDATA[Max. speed allowed, in requests per second measured over a 5-minute period.]]> + </description> + <type>input</type> + <size>5</size> + </field> + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml new file mode 100755 index 00000000..0d8d8c8f --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml @@ -0,0 +1,99 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>apachesync</name> + <version>1.0</version> + <title>Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync apache configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync apache changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php new file mode 100755 index 00000000..1956a217 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php @@ -0,0 +1,182 @@ +<?php +/* ========================================================================== */ +/* + squid_monitor.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("/etc/inc/util.inc"); +require_once("/etc/inc/functions.inc"); +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/globals.inc"); +require_once("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Apache Proxy: Logs"; +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> + + <p class="pgtitle"><?=$pgtitle?></font></p> + +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<!-- Function to call programs logs --> +<script language="JavaScript"> + +</script> +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Apache"), false, "/pkg_edit.php?xml=apache_settings.xml&id=0"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); + $tab_array[] = array(gettext("Backends"), false, "/pkg.php?xml=apache_mod_security_backends.xml",2); + $tab_array[] = array(gettext("VirtualHosts"), false, "/pkg.php?xml=apache_mod_security.xml",2); + $tab_array[] = array(gettext("Logs"), true, "/apache_mod_security_view_logs.php",2); + display_top_tabs($tab_array); + ?> +</td></tr> + <tr> + <td> +<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <form id="paramsForm" name="paramsForm" method="post"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tbody> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Max. lines:");?></td> + <td width="78%" class="vtable"> + <select name="maxlines" id="maxlines"> + <option value="5">5 lines</option> + <option value="10" selected="selected">10 lines</option> + <option value="15">15 lines</option> + <option value="20">20 lines</option> + <option value="25">25 lines</option> + <option value="30">30 lines</option> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Vhosts");?></td> + <td width="78%" class="vtable"> + <select name="vhosts" id="vhosts"> + <option value="10" selected="selected">xxxxx</option> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("String filter:");?></td> + <td width="78%" class="vtable"> + <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value=""> + <br/> + <span class="vexpl"> + <?=gettext("Enter a grep like string/pattern to filterlog.");?><br> + <?=gettext("eg. username, ip addr, url.");?><br> + <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> + </span> + </td> + </tr> + </tbody> + </table> + </form> + + <!-- Squid Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="6" class="listtopic"><center><?=gettext("Http access logs"); ?><center></td> + </tr> + <tbody id="httpaccesslog"> + <script language="JavaScript"> + // Call function to show squid log + //showLog('squidView', 'squid_monitor_data.php','squid'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> + <!-- SquidGuard Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="5" class="listtopic"><center><?=gettext("Http error logs"); ?><center></td> + </tr> + <tbody id="httperrorlog"> + <script language="JavaScript"> + // Call function to show squidGuard log + //showLog('sguardView', 'squid_monitor_data.php','sguard'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +</div> +</td> +</tr> +</table> +</div> + + +<?php +include("fend.inc"); +?> + +</body> +</html> diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml new file mode 100644 index 00000000..20ba59c2 --- /dev/null +++ b/config/apache_mod_security-dev/apache_settings.xml @@ -0,0 +1,286 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_mod_security_settings.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C) 2008, 2009, 2010 Scott Ullrich + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>apachesettings</name> + <version>1.0</version> + <title>Apache reverse proxy: Settings</title> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + <active/> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virutal Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <fields> + <field> + <name>General</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Global site E-mail administrator</fielddescr> + <fieldname>globalsiteadminemail</fieldname> + <description>Enter the site administrators e-mail address</description> + <type>input</type> + </field> + <field> + <fielddescr>Server hostname</fielddescr> + <fieldname>hostname</fieldname> + <description> + <![CDATA[Enter the servers hostname<br/ + NOTE: Leave blank to use this devices hostname.]]> + </description> + <type>input</type> + </field> + <field> + <fielddescr>Default Bind to IP Address</fielddescr> + <fieldname>globalbindtoipaddr</fieldname> + <description> + <![CDATA[ + This is the IP address the Proxy Server will listen on. + <br/> + NOTE: Leave blank to bind to * + ]]> + </description> + <type>input</type> + </field> + <field> + <fielddescr>Default Bind to port</fielddescr> + <fieldname>globalbindtoport</fieldname> + <description> + <![CDATA[ + This is the port the Proxy Server will listen on.<br> + NOTE: Leave blank to bind to 80 + ]]> + </description> + <type>input</type> + <size>5</size> + </field> + <field> + <name>Performance</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Keep alive</fielddescr> + <fieldname>keepalive</fieldname> + <description> + <![CDATA[Whether or not to allow persistent connections (more than one request per connection).]]> + </description> + <type>select</type> + <options> + <option><name>On</name><value>On</value></option> + <option><name>Off</name><value>Off</value></option> + </options> + </field> + <field> + <fielddescr>Max keep alive Requests</fielddescr> + <fieldname>maxkeepalivereq</fieldname> + <description> + <![CDATA[The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount.<br> + It's recommend to leave this number high, for maximum performance.<br>Leave empty to use apache defaults.]]> + </description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>keep alive timeout</fielddescr> + <fieldname>keepalivetimeout</fieldname> + <description><![CDATA[Number of seconds to wait for the next request from the same client on the same connection.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Servers Limit</fielddescr> + <fieldname>serverlimit</fieldname> + <description><![CDATA[For the prefork MPM, this directive sets the maximum configured value for MaxClients for the lifetime of the Apache process. For the worker MPM, this directive in combination with ThreadLimit sets the maximum configured value for MaxClients for the lifetime of the Apache process. Any attempts to change this directive during a restart will be ignored, but MaxClients can be modified during a restart.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Start Servers</fielddescr> + <fieldname>startservers</fieldname> + <description><![CDATA[The StartServers directive sets the number of child server processes created on startup. As the number of processes is dynamically controlled depending on the load, there is usually little reason to adjust this parameter.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Min Spare Threads</fielddescr> + <fieldname>minsparethreads</fieldname> + <description><![CDATA[Minimum number of idle threads available to handle request spikes.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Max Spare Threads</fielddescr> + <fieldname>maxsparethreads</fieldname> + <description><![CDATA[Maximum number of idle threads.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Threads Limit</fielddescr> + <fieldname>threadslimit</fieldname> + <description><![CDATA[This directive sets the maximum configured value for ThreadsPerChild for the lifetime of the Apache process. Any attempts to change this directive during a restart will be ignored, but ThreadsPerChild can be modified during a restart up to the value of this directive.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Thread Stack Size</fielddescr> + <fieldname>threadstacksize</fieldname> + <description><![CDATA[The ThreadStackSize directive sets the size of the stack (for autodata) of threads which handle client connections and call modules to help process those connections. In most cases the operating system default for stack size is reasonable.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>threadsperchild</fielddescr> + <fieldname>threadsperchild</fieldname> + <description><![CDATA[This directive sets the number of threads created by each child process. The child creates these threads at startup and never creates more. The total number of threads should be high enough to handle the common load on the server.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>MaxClients</fielddescr> + <fieldname>maxclients</fieldname> + <description><![CDATA[The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>MaxRequestsPerChild</fielddescr> + <fieldname>maxrequestsperchild</fieldname> + <description><![CDATA[The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.<br>Leave empty to use apache defaults.]]></description> + <type>input</type> + <size>5</size> + </field> + <field> + <name>Cache settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memcachesize</fieldname> + <description> + <![CDATA[Sets the memory usage in megabytes.<br>Leave empty to use default value or 0 to disable memory cache.<br> + Enables mod_mem_cache which stores cached documents in memory.]]> + </description> + <type>input</type> + <size>10</size> + </field> + <field> + <fielddescr>Disk Cache Max File Size</fielddescr> + <fieldname>diskcachesize</fieldname> + <description> + <![CDATA[Set the maximum size (in bytes) of a document to be placed in the cache.<br>Leave empty to use default value or 0 to disable disk cache.<br> + mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache.]]> + </description> + <type>input</type> + <size>10</size> + </field> + <field> + <name>Connection limits (DoS protection)</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>header</fielddescr> + <fieldname>header_time_out</fieldname> + <description> + <![CDATA[Set header timeouts for requests in min,max,MinRate format. Leave empty to do not limit request headers.<br> + Sample: To allow at least 10 seconds to receive the request including the headers and increase the timeout by 1 second for every 500 bytes received but do not allow more than 30 seconds for the request including the headers:<br> + <strong>10,30,500</strong>]]> + </description> + <type>input</type> + <size>10</size> + </field> + <field> + <fielddescr>body</fielddescr> + <fieldname>body_time_out</fieldname> + <description> + <![CDATA[Set body timeouts for requests in min,max,MinRate format. Leave empty to do not limit request bodies.<br> + Sample: To allow at least 10 seconds to receive the request body and if the client sends data, increase the timeout by 1 second for every 1000 bytes received, with no upper limit for the timeout (exept for the limit given indirectly by LimitRequestBody):<br> + <strong>10,1000</strong>]]> + </description> + <type>input</type> + <size>10</size> + </field> + <field> + <fielddescr>Limit Request Body</fielddescr> + <fieldname>LimitRequestBody</fieldname> + <description> + <![CDATA[This directive specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body.<br> + The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request.]]> + </description> + <type>input</type> + <size>10</size> + </field> + </fields> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui>
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php new file mode 100644 index 00000000..da82baaa --- /dev/null +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -0,0 +1,222 @@ +<?php +/* ========================================================================== */ +/* + apache_view_logs.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2009, 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("/etc/inc/util.inc"); +require_once("/etc/inc/functions.inc"); +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/globals.inc"); +require_once("guiconfig.inc"); +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Status: Apache Vhosts Logs"; +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> + + <p class="pgtitle"><?=$pgtitle?></font></p> + +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<!-- Function to call programs logs --> +<script language="JavaScript"> +function showLog(content,url,logtype) +{ + jQuery.ajax({ + type: 'get', + cache: false, + url: url, + dataType: 'json', + data: { + maxlines: jQuery('#maxlines').val(), + strfilter: jQuery('#strfilter').val(), + logfile: jQuery('#logs').val(), + logtype: logtype + }, + complete: function(data){ + jQuery('#'+content).empty().html(data.responseText); + } + }); +} + + + // Call function to show squid log + jQuery(document).ready(function() { + var refreshId = setInterval( function() + { + showLog('accesslog', 'apache_logs_data.php','access'); + showLog('errorlog', 'apache_logs_data.php','error'); + }, 1000); + }); + +</script> +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&id=0"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr><td> + <?php + unset ($tab_array); + $tab_array[] = array(gettext("Daemon Options"), false, "pkg_edit.php?xml=apache_settings.xml"); + $tab_array[] = array(gettext("Backends / Balancers"), false, "/pkg.php?xml=apache_balancer.xml"); + $tab_array[] = array(gettext("Virtual Hosts"), false, "/pkg.php?xml=apache_virtualhost.xml"); + $tab_array[] = array(gettext("Logs"), true, "/apache_view_logs.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> +<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <form id="paramsForm" name="paramsForm" method="post"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tbody> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Max. lines:");?></td> + <td width="78%" class="vtable"> + <select name="maxlines" id="maxlines"> + <option value="5">5 lines</option> + <option value="10" selected="selected">10 lines</option> + <option value="15">15 lines</option> + <option value="20">20 lines</option> + <option value="25">25 lines</option> + <option value="30">30 lines</option> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Log file:");?></td> + <td width="78%" class="vtable"> + <select name="logs" id="logs"> + <?php + if ($handle = opendir('/var/log')) { + /* This is the correct way to loop over the directory. */ + while (false !== ($entry = readdir($handle))) { + if (preg_match("/httpd-(\S+).log/",$entry,$matches)) + if (!preg_match("/error/",$matches[1])) + print "<option value={$matches[1]}>{$matches[1]}.log</option>\n"; + } + closedir($handle); + } + ?> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("String filter:");?></td> + <td width="78%" class="vtable"> + <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value=""> + <br/> + <span class="vexpl"> + <?=gettext("Enter a grep like string/pattern to filterlog.");?><br> + <?=gettext("eg. username, ip addr, url.");?><br> + <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> + </span> + </td> + </tr> + </tbody> + </table> + </form> + <div id="bowserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> + <span><span> + </div> + <!-- Squid Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="5" class="listtopic"><center><?=gettext("Httpd Access Log"); ?><center></td> + </tr> + <tbody id="accesslog"> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> + <!-- SquidGuard Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="3" class="listtopic"><center><?=gettext("Http error logs"); ?><center></td> + </tr> + <tbody id="errorlog"> + + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +</div> +</td> +</tr> +</table> +</div> + + +<?php +include("fend.inc"); +?> + +</body> +</html> diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml new file mode 100644 index 00000000..9ac23dd6 --- /dev/null +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -0,0 +1,402 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ + /* $Id$ */ + /* ========================================================================== */ + /* + apache_virtualhost.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2009, 2010 Scott Ullrich + Copyright (C)2012 Marcello Coutinho + All rights reserved. + */ + /* ========================================================================== */ + /* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + /* ========================================================================== */ + ]]> + </copyright> + <name>apachevirtualhost</name> + <version>1.0</version> + <title>Apache reverse proxy: Site Proxies</title> + <menu> + <name>Mod_Security+Apache+Proxy</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>apache_virtualhost.xml</configfile> + </menu> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security.template</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_groups.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_settings.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_view_logs.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache.tempalte</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_balancer.tempalte</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_balancer.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_logs_data.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_manipulator.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_settings.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item> + </additional_files_needed> + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virutal Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + <active/> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Iface</fielddescr> + <fieldname>interface</fieldname> + </columnitem> + <columnitem> + <fielddescr>protocol</fielddescr> + <fieldname>proto</fieldname> + </columnitem> + <columnitem> + <fielddescr>Server name(s)</fielddescr> + <fieldname>primarysitehostname</fieldname> + <encoding>base64</encoding> + </columnitem> + <columnitem> + <fielddescr>port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Listening Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>enable</fieldname> + <description>Enable this virtual host</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Protocol(s)</fielddescr> + <fieldname>proto</fieldname> + <description>Select protocols that this virtual host will accept connections</description> + <type>select</type> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </field> + <field> + <fielddescr>Server Name(s)</fielddescr> + <fieldname>primarysitehostname</fieldname> + <description> + <![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/> + Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]> + </description> + <cols>40</cols> + <rows>2</rows> + <type>textarea</type> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Inbound Interface(s)</fielddescr> + <fieldname>interface</fieldname> + <description><![CDATA[Default: <strong>WAN</strong><br>Select interface(s) that this virtualhost will listen on.]]></description> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <showips/> + <required/> + </field> + <field> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Leave blank to use the default global port.</description> + <size>10</size> + <type>input</type> + </field> + <field> + <fielddescr>Site Webmaster E-Mail address</fielddescr> + <fieldname>siteemail</fieldname> + <size>50</size> + <description> + <![CDATA[ + Enter the Webmaster E-Mail address for this site. + ]]> + </description> + <type>input</type> + </field> + <field> + <fielddescr>Site description</fielddescr> + <fieldname>description</fieldname> + <size>50</size> + <description> + <![CDATA[Enter a site description]]> + </description> + <type>input</type> + </field> + <field> + <fielddescr>HTTPS SSL certificate</fielddescr> + <fieldname>ssl_cert</fieldname> + <description>Choose the SSL Server Certificate here.</description> + <type>select_source</type> + <source><![CDATA[$config['cert']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr>intermediate CA certificate(optional)</fielddescr> + <fieldname>reverse_int_ca</fieldname> + <description>Select intermediate CA assigned to certificate. Not all certificates require this.</description> + <type>select_source</type> + <source><![CDATA[$config['ca']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr> + <![CDATA[Location(s)]]> + </fielddescr> + <fieldname>locations</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[gzip?]]></fielddescr> + <fieldname>compress</fieldname> + <description>Compress data to save bandwidth?</description> + <type>select</type> + <options> + <option><name>yes</name><value>yes</value></option> + <option><name>no</name><value>no</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[site path]]></fielddescr> + <fieldname>sitepath</fieldname> + <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> + <type>input</type> + <size>5</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[Balancer]]></fielddescr> + <fieldname>balancer</fieldname> + <description>Server balancer / pool</description> + <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + <type>select_source</type> + <size>5</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LbMethod</a>]]></fielddescr> + <fieldname>lbmethod</fieldname> + <description>Server balance method</description> + <type>select</type> + <options> + <option><name>byrequests</name><value>byrequests</value></option> + <option><name>bytraffic</name><value>bytraffic</value></option> + <option><name>bybusyness</name><value>bybusyness</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Backend path</fielddescr> + <fieldname>backendpath</fieldname> + <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> + <type>input</type> + <size>5</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[ModSecurity]]></fielddescr> + <fieldname>modsecgroup</fieldname> + <description>Choose Modsecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[Manipulations]]></fielddescr> + <fieldname>modsecmanipulation</fieldname> + <description>Choose Modsecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </rowhelperfield> + <rowhelperfield> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> + <fieldname>options</fieldname> + <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> + <type>input</type> + <size>5</size> + </rowhelperfield> + </rowhelper> + </field> + <field> + <name>Logging</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Preserve Proxy hostname</fielddescr> + <fieldname>preserveproxyhostname</fieldname> + <description> + <![CDATA[ + When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. + ]]> + </description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log file</fielddescr> + <fieldname>logfile</fieldname> + <description> + <![CDATA[Enable access and error log for this virtual host.]]> + </description> + <type>select</type> + <options> + <option><name>Log to default apache log file</name><value>default</value></option> + <option><name>Create a log file for this site</name><value>create</value></option> + <option><name>Do not not this website</name><value>disabled</value></option> + </options> + </field> + <field> + <name>Custom Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom</fieldname> + <description>Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example.</description> + <type>textarea</type> + <cols>65</cols> + <rows>10</rows> + <encoding>base64</encoding> + </field> + + </fields> + <service> + <name>apache_mod_security</name> + <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <executable>httpd</executable> + </service> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui>
\ No newline at end of file |