authorScott Ullrich <sullrich@pfsense.org>2011-03-16 17:02:57 -0400
committerScott Ullrich <sullrich@pfsense.org>2011-03-16 17:03:06 -0400
commit61676806852bc46250c6777718815929f356a682 (patch)
tree2dca703524de0c5efdfae349882eff02b581549d /config/apache_mod_security
parent3a6df9ab1f0507c608e824c3d7c7e9aad873780c (diff)
Adding bug fixes to apache mod security package from Matthew Dovey
Diffstat (limited to 'config/apache_mod_security')
-rw-r--r--config/apache_mod_security/apache_mod_security.inc108
-rw-r--r--config/apache_mod_security/apache_mod_security.xml33
-rw-r--r--config/apache_mod_security/apache_mod_security_settings.xml31
3 files changed, 120 insertions, 52 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 1349ab8c..82fc5a5a 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -140,15 +140,21 @@ function generate_apache_configuration() {
if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']) {
$global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'];
} else {
- $global_site_email = "admin@admin.comn";
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com";
+ $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'];
+ // update configuration with default value in this case
+ write_config($pkg['addedit_string']);
log_error("WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address.");
}
// Set ServerName
- if($config['installedpackages']['apachemodsecuritysettings']['config']['hostname']) {
+ if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']) {
$servername = "ServerName {$config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']}\n";
} else {
$servername = "ServerName " . `hostname` . "\n";
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname'] = `hostname`;
+ // update configuration with default value in this case
+ write_config($pkg['addedit_string']);
}
// Set global listening directive and ensure nothing is listening on this port already
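Review bot: The ServerName fallback stores the raw output of the backtick `hostname` into the config, and that output ends with a newline, so the persisted `hostname` value (and the `ServerName` line, which already appends its own "\n") carries a stray line break. Use `trim(`hostname`)` in both places, or better the already-available `$config['system']['hostname']` that the next hunk uses for the bind address, which also removes a shell invocation from the config generator. The new `write_config($pkg['addedit_string'])` calls also persist the bogus `admin@admin.com` default into config.xml, turning a warning-only fallback into a stored value an admin may never revisit; consider keeping the default in the local variable only and leaving the config field empty. Whether `$pkg` is in scope inside this function cannot be seen from the hunk; the enclosing function starts before it.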
@@ -170,7 +176,10 @@ function generate_apache_configuration() {
else
$global_listen .= ":80";
} else {
- $global_listen = "{$config['system']['hostname']}.{$config['system']['domain']}";
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'] = "{$config['system']['hostname']}.{$config['system']['domain']}";
+ $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'];
+ // update configuration with default value in this case
+ write_config($pkg['addedit_string']);
if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'])
$global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'];
else
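Review bot: The default bind address written to `globalbindtoipaddr` is a DNS name, `hostname.domain`, which later lands in a `Listen` directive, so Apache must resolve it at startup and, if the name resolves to a loopback or unexpected address (or `$config['system']['domain']` is empty, giving `hostname.`), the proxy silently listens somewhere other than intended. I would rather not persist a default here at all, or persist a concrete address such as the LAN IP if the package has access to it; at minimum add `// NOTE: a hostname here depends on local resolution at httpd start — prefer an IP address` above the assignment. The enclosing function starts before this hunk.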
@@ -268,9 +277,27 @@ EOF;
#-------------------------------------------------
#####################################################
*/
+ $mod_proxy .= "\n";
+ $configuredaliases = array();
+ // Read already configured addresses
+ if($config['installedpackages']['apachemodsecuritysettings']['config']['0']) {
+ foreach($config['installedpackages']['apachemodsecuritysettings']['config']['0']['row'] as $row) {
+ if ($row['ipaddress'] && $row['ipport']) {
+ $configuredaliases[] = $row;
+ }
+ }
+ }
+
+
+ // clear list of bound addresses
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'] = array();
+
+ // Process proxy sites
// Configure NameVirtualHost directives
+ $aliases = "";
$processed = array();
+
if($config['installedpackages']['apachemodsecurity']) {
foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
if($ams['ipaddress'] && $ams['port'])
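Review bot: The `foreach` over `...['config']['0']['row']` runs whenever the settings block exists, but on a fresh install before any site proxy has been saved the `row` key is absent, so `foreach` iterates over null and emits a warning on every config generation. Guard it with `if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'][0]['row']))` instead of testing only the parent, which also lets you use the numeric `[0]` key consistently with the rest of the file. The `$configuredaliases` array built here is only consumed by the commented-out block later in the file, so as committed it is dead work; either drop it or keep a short comment saying it is retained for the optional manual-address feature.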
@@ -281,7 +308,9 @@ EOF;
if(!in_array($local_ip_port, $processed)) {
// explicit bind if not global ip:port
if ($local_ip_port != $global_listen) {
- $mod_proxy .= "Listen $local_ip_port\n";
+ $aliases .= "Listen $local_ip_port\n";
+ // Automatically add this to configuration
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']);
}
$mod_proxy .= "NameVirtualHost $local_ip_port\n";
$processed[] = $local_ip_port;
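Review bot: The new `Listen $local_ip_port` line and the row written back to the settings config take `$ams['ipaddress']` and `$ams['port']` verbatim from the site-proxy form, and nothing in this hunk checks that they are actually an address and a port before they are interpolated into httpd.conf. A malformed value breaks the whole Apache config rather than one site; a guard such as `if (!is_ipaddr($ams['ipaddress']) || !is_port($ams['port'])) { log_error("Skipping site {$ams['sitename']}: invalid bind address"); continue; }` before the `in_array` test would keep one bad entry from taking the proxy down (assuming the usual pfSense `is_ipaddr`/`is_port` helpers are available in this include). `$local_ip_port` itself is assembled just above this hunk, outside the visible lines.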
@@ -289,32 +318,57 @@ EOF;
}
}
+//** Uncomment to allow adding ip/ports not used by any site proxies
+//** Otherwise unused addresses/ports will be automatically deleted from the configuration
+// foreach ($configuredaliases as $ams) {
+// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}";
+// if(!in_array($local_ip_port, $processed)) {
+// // explicit bind if not global ip:port
+// if ($local_ip_port != $global_listen) {
+// $aliases .= "Listen $local_ip_port\n";
+// // Automatically add this to configuration
+// $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']);
+// }
+// }
+// }
+
+ // update configuration with actual ip bindings
+ write_config($pkg['addedit_string']);
+
+
// Setup mod_proxy entries $mod_proxy
if($config['installedpackages']['apachemodsecurity']) {
foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
// Set rowhelper used variables
+ $additionalsitehostnames = "";
foreach($ams['row'] as $row) {
- // Ensure leading http(s)://
- if(!strstr($row['additionalsitehostnames'], "http"))
- $additionalsitehostnames .= "http://";
- $additionalsitehostnames .= "{$row['additionalsitehostnames']}";
- // Ensure trailing /
- if(substr($row['additionalsitehostnames'],count($row['additionalsitehostnames']),1) != "/")
- $additionalsitehostnames .= "/ ";
- else
- $additionalsitehostnames .= " ";
+ if ($row['additionalsitehostnames']) {
+ $additionalsitehostnames .= "{$row['additionalsitehostnames']} ";
}
- $backend_sites = ""; // not technically needed. added for readability due to .='s
+ }
+ $backend_sites = "";
+ $sslproxyengine = "";
+ $backend_sites_count = 0;
+ $balancer_members = ""; // not technically needed.
foreach($ams['row'] as $row) {
+ if ($row['webserveripaddr']) {
+ $normalised_ipaddr = "";
+ if (substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:") {
+ // if backend is https, then enable SSLProxyEngine
+ $sslproxyengine = "SSLProxyEngine on";
+ } else if (substr(trim($row['webserveripaddr']), 0, strlen("http:")) != "http:") {
// Ensure leading http(s)://
- if(!strstr($row['webserveripaddr'], "http"))
- $backend_sites .= "http://";
- $backend_sites .= "{$row['webserveripaddr']}";
+ $normalised_ipaddr .= "http://";
+ }
+ $normalised_ipaddr .= trim($row['webserveripaddr']);
+ $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n";
// Ensure trailing /
- if(substr($row['webserveripaddr'],count($row['webserveripaddr']),1) != "/")
- $backend_sites .= "/ ";
- else
- $backend_sites .= " ";
+ if(substr($normalised_ipaddr,-1) != "/") {
+ $normalised_ipaddr .= "/";
+ }
+ $backend_sites .= $normalised_ipaddr . " ";
+ $backend_sites_count++;
+ }
}
// Set general items
if($ams['siteemail'])
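Review bot: The backend scheme detection is case-sensitive: `substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:"` does not match `HTTPS://host`, and the `else if` then prefixes `http://` in front of it, producing an invalid `http://HTTPS://host` BalancerMember while leaving SSLProxyEngine off. Compare case-insensitively, e.g. `$backend = trim($row['webserveripaddr']); if (strncasecmp($backend, "https:", 6) == 0) { ... } else if (strncasecmp($backend, "http:", 5) != 0) { ... }`, which also avoids trimming the same value three times. The large commented-out block above (`//** Uncomment to allow ...`) is dead code in the shipped file; if the manual-address feature is intended, it belongs behind a setting rather than a comment.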
@@ -323,8 +377,6 @@ EOF;
$serveradmin = $global_site_email;
if($ams['primarysitehostname'])
$primarysitehostname = $ams['primarysitehostname'];
- if($ams['primarysitehostname'])
- $additionalsitehostnames = $ams['primarysitehostname'];
$sitename = str_replace(" ", "", $ams['sitename']);
// Set local listening directive
if($ams['ipaddress'] && $ams['port'])
@@ -332,13 +384,12 @@ EOF;
else
$local_ip_port = $global_listen;
// Is this item a load balancer
- if(count($ams['row'])>1) {
+ if($backend_sites_count>1) {
$balancer = true;
$mod_proxy .= "<Proxy balancer://{$sitename}>\n";
- foreach($ams['row'] as $row)
- $mod_proxy .= " BalancerMember {$row['webserveripaddr']}\n";
+ $mod_proxy .= $balancer_members;
$mod_proxy .= "</Proxy>\n";
- $backend_sites = " balancer://{$sitename}\n";
+ $backend_sites = " balancer://{$sitename}/";
$sitename = ""; // we are not using sitename in this case
}
// Set SSL items
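Review bot: `balancer://{$sitename}` and `balancer://{$sitename}/` now use `$sitename` as a URL authority, but the sanitisation at the previous hunk only strips spaces (`str_replace(" ", "", $ams['sitename'])`), so a site name containing `/`, `>`, `#` or a line break either breaks the balancer URL or terminates the `<Proxy ...>` directive early. Replace that assignment with `$sitename = preg_replace('/[^A-Za-z0-9_.-]/', '', $ams['sitename']);` so the balancer name is always a safe token. The switch from `count($ams['row'])` to `$backend_sites_count` is the right fix now that rows also carry hostnames; a one-line comment `// rows may hold only a hostname, so count real backends` would explain it to the next reader.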
@@ -361,6 +412,8 @@ EOF;
if ($certificatechainfile)
$mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n";
}
+ if($sslproxyengine)
+ $mod_proxy .= " {$sslproxyengine}\n";
if($additionalsitehostnames)
$mod_proxy .= " ServerAlias $additionalsitehostnames\n";
if($serveradmin)
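Review bot: Emitting `SSLProxyEngine on` on its own means Apache will speak TLS to an `https://` backend but, with the default `SSLProxyVerify none`, never checks the backend certificate, so the proxied traffic is encrypted but not authenticated. If the backend is meant to be trusted, also emit `SSLProxyVerify require` together with an `SSLProxyCACertificateFile` pointing at the CA bundle for the backend (this would need a new setting); otherwise add a comment next to this line, `# backend certificate is NOT verified (SSLProxyVerify defaults to none)`, so operators know the guarantee they are getting. The surrounding vhost generation continues outside the hunk.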
@@ -508,6 +561,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
Listen {$global_listen}
+{$aliases}
#
# Dynamic Shared Object (DSO) Support
diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index f2cba156..ada5a29c 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
@@ -194,38 +194,25 @@
<field>
<fielddescr>
<![CDATA[
- Additional site hostnames
- <br/>
- (not required)
+ Backend Web Servers and Additional Site Hostnames
]]>
</fielddescr>
- <fieldname>additionalsitehostnames</fieldname>
+ <fieldname>additionalparameters</fieldname>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
- <fielddescr>Additional Site Hostname</fielddescr>
- <fieldname>additionalsitehostnames</fieldname>
- <description>Add each webserver hostname address here.</description>
+ <fielddescr>Web server backend URLs</fielddescr>
+ <fieldname>webserveripaddr</fieldname>
+ <description>Add each web server IP address here.</description>
<type>input</type>
- <size>53</size>
+ <size>40</size>
</rowhelperfield>
- </rowhelper>
- </field>
- <field>
- <fielddescr>
- <![CDATA[
- Backend web servers
- ]]>
- </fielddescr>
- <fieldname>webservers</fieldname>
- <type>rowhelper</type>
- <rowhelper>
<rowhelperfield>
- <fielddescr>Web server backend URL</fielddescr>
- <fieldname>webserveripaddr</fieldname>
- <description>Add each web server IP address here.</description>
+ <fielddescr>Additional Site Hostnames (not required)</fielddescr>
+ <fieldname>additionalsitehostnames</fieldname>
+ <description>Add each webserver hostname address here.</description>
<type>input</type>
- <size>53</size>
+ <size>40</size>
</rowhelperfield>
</rowhelper>
</field>
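Review bot: The merged rowhelper keeps the old description `Add each web server IP address here.` under a field now labelled "Web server backend URLs", and the generator in this commit expects full `http://`/`https://` URLs there, so the text points users at the wrong input; change it to `<description>Backend URL (http:// or https://); the scheme selects whether the proxy speaks TLS to the backend.</description>`. Both rowhelper inputs are free text that end up verbatim in httpd.conf (`BalancerMember` and `ServerAlias`), so if this package XML supports a validation hook, a `<custom_php_validation_command>` rejecting whitespace and non-URL characters would be worth adding alongside the field change.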
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 4bbc4ea2..479e7509 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -77,7 +77,7 @@
<type>input</type>
</field>
<field>
- <fielddescr>Bind to IP Address</fielddescr>
+ <fielddescr>Default Bind to IP Address</fielddescr>
<fieldname>globalbindtoipaddr</fieldname>
<description>
<![CDATA[
@@ -89,7 +89,7 @@
<type>input</type>
</field>
<field>
- <fielddescr>Bind to port</fielddescr>
+ <fielddescr>Default Bind to port</fielddescr>
<fieldname>globalbindtoport</fieldname>
<description>
<![CDATA[
@@ -101,6 +101,33 @@
<type>input</type>
</field>
<field>
+ <fielddescr>
+ <![CDATA[
+ Additional Addresses<br/>
+ Do not edit. This field will be automatically populated from Site Proxies settings.
+ ]]>
+ </fielddescr>
+ <fieldname>additionaladdresses</fieldname>
+ <description></description>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>IP Address</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description></description>
+ <type>input</type>
+ <size>45</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>ipport</fieldname>
+ <description></description>
+ <type>input</type>
+ <size>10</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ <field>
<fielddescr>Use mod_mem_cache</fielddescr>
<fieldname>mod_mem_cache</fieldname>
<description>
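Review bot: The new `additionaladdresses` rowhelper ships with empty `<description>` elements even though the `.inc` in this commit clears and rewrites these rows on every config generation, so any manual entry is silently discarded; the "Do not edit" line in the field label is the only hint. Put that behaviour where the user looks, e.g. `<description>Auto-generated from the Site Proxies bind addresses; entries added here are overwritten on the next save.</description>`, so the field is not mistaken for a place to add extra listeners.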