diff options
author | Scott Ullrich <sullrich@pfsense.org> | 2011-03-16 17:02:57 -0400 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2011-03-16 17:03:06 -0400 |
commit | 61676806852bc46250c6777718815929f356a682 (patch) | |
tree | 2dca703524de0c5efdfae349882eff02b581549d /config/apache_mod_security | |
parent | 3a6df9ab1f0507c608e824c3d7c7e9aad873780c (diff) | |
download | pfsense-packages-61676806852bc46250c6777718815929f356a682.tar.gz pfsense-packages-61676806852bc46250c6777718815929f356a682.tar.bz2 pfsense-packages-61676806852bc46250c6777718815929f356a682.zip |
Adding bug fixes to apache mod security package from Matthew Dovey
Diffstat (limited to 'config/apache_mod_security')
-rw-r--r-- | config/apache_mod_security/apache_mod_security.inc | 108 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security.xml | 33 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security_settings.xml | 31 |
3 files changed, 120 insertions, 52 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc index 1349ab8c..82fc5a5a 100644 --- a/config/apache_mod_security/apache_mod_security.inc +++ b/config/apache_mod_security/apache_mod_security.inc @@ -140,15 +140,21 @@ function generate_apache_configuration() { if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']) { $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']; } else { - $global_site_email = "admin@admin.comn"; + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com"; + $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']; + // update configuration with default value in this case + write_config($pkg['addedit_string']); log_error("WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address."); } // Set ServerName - if($config['installedpackages']['apachemodsecuritysettings']['config']['hostname']) { + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']) { $servername = "ServerName {$config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']}\n"; } else { $servername = "ServerName " . `hostname` . "\n"; + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname'] = `hostname`; + // update configuration with default value in this case + write_config($pkg['addedit_string']); } // Set global listening directive and ensure nothing is listening on this port already @@ -170,7 +176,10 @@ function generate_apache_configuration() { else $global_listen .= ":80"; } else { - $global_listen = "{$config['system']['hostname']}.{$config['system']['domain']}"; + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'] = "{$config['system']['hostname']}.{$config['system']['domain']}"; + $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; + // update configuration with default value in this case + write_config($pkg['addedit_string']); if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; else @@ -268,9 +277,27 @@ EOF; #------------------------------------------------- ##################################################### */ + $mod_proxy .= "\n"; + $configuredaliases = array(); + // Read already configured addresses + if($config['installedpackages']['apachemodsecuritysettings']['config']['0']) { + foreach($config['installedpackages']['apachemodsecuritysettings']['config']['0']['row'] as $row) { + if ($row['ipaddress'] && $row['ipport']) { + $configuredaliases[] = $row; + } + } + } + + + // clear list of bound addresses + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'] = array(); + + // Process proxy sites // Configure NameVirtualHost directives + $aliases = ""; $processed = array(); + if($config['installedpackages']['apachemodsecurity']) { foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { if($ams['ipaddress'] && $ams['port']) @@ -281,7 +308,9 @@ EOF; if(!in_array($local_ip_port, $processed)) { // explicit bind if not global ip:port if ($local_ip_port != $global_listen) { - $mod_proxy .= "Listen $local_ip_port\n"; + $aliases .= "Listen $local_ip_port\n"; + // Automatically add this to configuration + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); } $mod_proxy .= "NameVirtualHost $local_ip_port\n"; $processed[] = $local_ip_port; @@ -289,32 +318,57 @@ EOF; } } +//** Uncomment to allow adding ip/ports not used by any site proxies +//** Otherwise unused addresses/ports will be automatically deleted from the configuration +// foreach ($configuredaliases as $ams) { +// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; +// if(!in_array($local_ip_port, $processed)) { +// // explicit bind if not global ip:port +// if ($local_ip_port != $global_listen) { +// $aliases .= "Listen $local_ip_port\n"; +// // Automatically add this to configuration +// $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); +// } +// } +// } + + // update configuration with actual ip bindings + write_config($pkg['addedit_string']); + + // Setup mod_proxy entries $mod_proxy if($config['installedpackages']['apachemodsecurity']) { foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { // Set rowhelper used variables + $additionalsitehostnames = ""; foreach($ams['row'] as $row) { - // Ensure leading http(s):// - if(!strstr($row['additionalsitehostnames'], "http")) - $additionalsitehostnames .= "http://"; - $additionalsitehostnames .= "{$row['additionalsitehostnames']}"; - // Ensure trailing / - if(substr($row['additionalsitehostnames'],count($row['additionalsitehostnames']),1) != "/") - $additionalsitehostnames .= "/ "; - else - $additionalsitehostnames .= " "; + if ($row['additionalsitehostnames']) { + $additionalsitehostnames .= "{$row['additionalsitehostnames']} "; } - $backend_sites = ""; // not technically needed. added for readability due to .='s + } + $backend_sites = ""; + $sslproxyengine = ""; + $backend_sites_count = 0; + $balancer_members = ""; // not technically needed. foreach($ams['row'] as $row) { + if ($row['webserveripaddr']) { + $normalised_ipaddr = ""; + if (substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:") { + // if backend is https, then enable SSLProxyEngine + $sslproxyengine = "SSLProxyEngine on"; + } else if (substr(trim($row['webserveripaddr']), 0, strlen("http:")) != "http:") { // Ensure leading http(s):// - if(!strstr($row['webserveripaddr'], "http")) - $backend_sites .= "http://"; - $backend_sites .= "{$row['webserveripaddr']}"; + $normalised_ipaddr .= "http://"; + } + $normalised_ipaddr .= trim($row['webserveripaddr']); + $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n"; // Ensure trailing / - if(substr($row['webserveripaddr'],count($row['webserveripaddr']),1) != "/") - $backend_sites .= "/ "; - else - $backend_sites .= " "; + if(substr($normalised_ipaddr,-1) != "/") { + $normalised_ipaddr .= "/"; + } + $backend_sites .= $normalised_ipaddr . " "; + $backend_sites_count++; + } } // Set general items if($ams['siteemail']) @@ -323,8 +377,6 @@ EOF; $serveradmin = $global_site_email; if($ams['primarysitehostname']) $primarysitehostname = $ams['primarysitehostname']; - if($ams['primarysitehostname']) - $additionalsitehostnames = $ams['primarysitehostname']; $sitename = str_replace(" ", "", $ams['sitename']); // Set local listening directive if($ams['ipaddress'] && $ams['port']) @@ -332,13 +384,12 @@ EOF; else $local_ip_port = $global_listen; // Is this item a load balancer - if(count($ams['row'])>1) { + if($backend_sites_count>1) { $balancer = true; $mod_proxy .= "<Proxy balancer://{$sitename}>\n"; - foreach($ams['row'] as $row) - $mod_proxy .= " BalancerMember {$row['webserveripaddr']}\n"; + $mod_proxy .= $balancer_members; $mod_proxy .= "</Proxy>\n"; - $backend_sites = " balancer://{$sitename}\n"; + $backend_sites = " balancer://{$sitename}/"; $sitename = ""; // we are not using sitename in this case } // Set SSL items @@ -361,6 +412,8 @@ EOF; if ($certificatechainfile) $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n"; } + if($sslproxyengine) + $mod_proxy .= " {$sslproxyengine}\n"; if($additionalsitehostnames) $mod_proxy .= " ServerAlias $additionalsitehostnames\n"; if($serveradmin) @@ -508,6 +561,7 @@ ServerRoot "/usr/local" # prevent Apache from glomming onto all bound IP addresses. # Listen {$global_listen} +{$aliases} # # Dynamic Shared Object (DSO) Support diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml index f2cba156..ada5a29c 100644 --- a/config/apache_mod_security/apache_mod_security.xml +++ b/config/apache_mod_security/apache_mod_security.xml @@ -194,38 +194,25 @@ <field> <fielddescr> <![CDATA[ - Additional site hostnames - <br/> - (not required) + Backend Web Servers and Additional Site Hostnames ]]> </fielddescr> - <fieldname>additionalsitehostnames</fieldname> + <fieldname>additionalparameters</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> - <fielddescr>Additional Site Hostname</fielddescr> - <fieldname>additionalsitehostnames</fieldname> - <description>Add each webserver hostname address here.</description> + <fielddescr>Web server backend URLs</fielddescr> + <fieldname>webserveripaddr</fieldname> + <description>Add each web server IP address here.</description> <type>input</type> - <size>53</size> + <size>40</size> </rowhelperfield> - </rowhelper> - </field> - <field> - <fielddescr> - <![CDATA[ - Backend web servers - ]]> - </fielddescr> - <fieldname>webservers</fieldname> - <type>rowhelper</type> - <rowhelper> <rowhelperfield> - <fielddescr>Web server backend URL</fielddescr> - <fieldname>webserveripaddr</fieldname> - <description>Add each web server IP address here.</description> + <fielddescr>Additional Site Hostnames (not required)</fielddescr> + <fieldname>additionalsitehostnames</fieldname> + <description>Add each webserver hostname address here.</description> <type>input</type> - <size>53</size> + <size>40</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml index 4bbc4ea2..479e7509 100644 --- a/config/apache_mod_security/apache_mod_security_settings.xml +++ b/config/apache_mod_security/apache_mod_security_settings.xml @@ -77,7 +77,7 @@ <type>input</type> </field> <field> - <fielddescr>Bind to IP Address</fielddescr> + <fielddescr>Default Bind to IP Address</fielddescr> <fieldname>globalbindtoipaddr</fieldname> <description> <![CDATA[ @@ -89,7 +89,7 @@ <type>input</type> </field> <field> - <fielddescr>Bind to port</fielddescr> + <fielddescr>Default Bind to port</fielddescr> <fieldname>globalbindtoport</fieldname> <description> <![CDATA[ @@ -101,6 +101,33 @@ <type>input</type> </field> <field> + <fielddescr> + <![CDATA[ + Additional Addresses<br/> + Do not edit. This field will be automatically populated from Site Proxies settings. + ]]> + </fielddescr> + <fieldname>additionaladdresses</fieldname> + <description></description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description></description> + <type>input</type> + <size>45</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Port</fielddescr> + <fieldname>ipport</fieldname> + <description></description> + <type>input</type> + <size>10</size> + </rowhelperfield> + </rowhelper> + </field> + <field> <fielddescr>Use mod_mem_cache</fielddescr> <fieldname>mod_mem_cache</fieldname> <description> |