-rw-r--r--config/apache_mod_security/apache_mod_security.inc658
-rw-r--r--config/apache_mod_security/apache_mod_security.xml204
-rw-r--r--config/apache_mod_security/apache_mod_security_settings.xml241
-rw-r--r--config/apache_mod_security/apache_mod_security_view_logs.php139
-rw-r--r--config/avahi/avahi.inc118
-rw-r--r--config/avahi/avahi.xml211
-rw-r--r--config/bacula-client/bacula-client.inc14
-rw-r--r--config/bacula-client/bacula-client.xml5
-rw-r--r--config/bacula-client/bacula-client_view_config.php8
-rw-r--r--config/havp/havp.inc13
-rw-r--r--config/havp/havp.xml4
-rw-r--r--config/vhosts/vhosts.inc3
-rw-r--r--pkg_config.10.xml10
-rw-r--r--pkg_config.8.xml28
-rw-r--r--pkg_config.8.xml.amd6428
15 files changed, 990 insertions, 694 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 8bcf3ddd..69cc2126 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -1,8 +1,9 @@
<?php
/*
apache_mod_security.inc
- part of apache_mod_security package (http://www.pfSense.com)
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2009, 2010 Scott Ullrich
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -26,64 +27,31 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
+require_once("/etc/inc/pkg-utils.inc");
-// Rules directory location
-define("rules_directory", "/usr/local/apachemodsecurity/rules");
-
-// Ensure NanoBSD can write. pkg_mgr will remount RO
-conf_mount_rw();
-
-// Needed mod_security directories
-if(!is_dir("/usr/local/apachemodsecurity"))
- safe_mkdir("/usr/local/apachemodsecurity");
-if(!is_dir("/usr/local/apachemodsecurity/rules"))
- safe_mkdir("/usr/local/apachemodsecurity/rules");
-
-// Startup function
-function apache_mod_security_start() {
- exec("/usr/local/sbin/httpd -k start");
-}
-
-// Shutdown function
-function apache_mod_security_stop() {
- exec("/usr/local/sbin/httpd -k stop");
+$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
+if ($pf_version == "2.1" || $pf_version == "2.2") {
+ define('APACHEDIR', '/usr/pbi/proxy_mod_security-' . php_uname("m") . "/local");
+} else {
+ define('APACHEDIR', '/usr/local');
}
+define('APACHEVERSION', 'apache22');
-// Restart function
-function apache_mod_security_restart() {
- if(is_process_running("httpd")) {
- exec("/usr/local/sbin/httpd -k graceful");
- } else {
- apache_mod_security_start();
- }
-}
+// Rules directory location
+define('RULES_DIR', '/usr/local/apachemodsecurity/rules');
-// Install function
+// Install package routines
function apache_mod_security_install() {
global $config, $g;
- // We might be reinstalling and a configuration
- // already exists.
+ safe_mkdir("/usr/local/apachemodsecurity/rules");
+ // We might be reinstalling and a configuration already exists.
generate_apache_configuration();
$filename = "apache_mod_security.sh";
+ $start = APACHEDIR . "/sbin/httpd -k start";
+ $stop = APACHEDIR . "/sbin/httpd -k stop";
- $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP
- <?php
- require_once(\"functions.inc\");
- require_once(\"/usr/local/pkg/apache_mod_security.inc\");
- apache_mod_security_start();
- ?>
-ENDPHP\n";
-
- $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP
- <?php
- require_once(\"functions.inc\");
- require_once(\"/usr/local/pkg/apache_mod_security.inc\");
- apache_mod_security_stop();
- ?>
-ENDPHP\n";
-
write_rcfile(array(
"file" => $filename,
"start" => $start,
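Review bot: `safe_mkdir("/usr/local/apachemodsecurity/rules");` in apache_mod_security_install() spells out the path that `RULES_DIR` was just defined for a few lines above; `safe_mkdir(RULES_DIR);` keeps the two from drifting. The version probe `substr(trim(file_get_contents("/etc/version")), 0, 3)` silently yields "" when the file cannot be read and then falls into the `/usr/local` branch, which is harmless on newer releases but would write an rc script pointing at a non-existent httpd on a 2.1/2.2 box; a `=== false` check with a log_error() would make that failure visible instead of silent. apache_mod_security_install() continues past the end of the hunk.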
@@ -94,148 +62,93 @@ ENDPHP\n";
// Deinstall package routines
function apache_mod_security_deinstall() {
+ if (is_dir("/usr/local/apachemodsecurity")) {
+ mwexec("/bin/rm -rf /usr/local/apachemodsecurity");
+ }
+ if (is_dir("/var/db/apachemodsecuritycache")) {
+ mwexec("/bin/rm -rf /var/db/apachemodsecuritycache");
+ }
+}
+
+// Check Apache configuration syntax
+function apache_mod_security_checkconfig() {
global $config, $g;
- apache_mod_security_stop();
- exec("/bin/rm -rf /usr/local/apachemodsecurity");
- exec("/bin/rm -f /usr/local/etc/rc.d/apache_mod_security.sh");
+ $status = mwexec(APACHEDIR . "/sbin/httpd -t");
+ if ($status) {
+ $input_errors[] = "[apache_mod_security]: There was an error parsing the Apache configuration: {$status}";
+ log_error("[apache_mod_security]: There was an error parsing the Apache configuration: {$status}");
+ }
+}
+
+// Restart service function
+function apache_mod_security_restart() {
+ if (is_process_running("httpd")) {
+ mwexec(APACHEDIR . "/sbin/httpd -k graceful");
+ } else {
+ start_service("apache_mod_security");
+ }
}
// Regenerate apache configuration and handle server restart
function apache_mod_security_resync() {
global $config, $g;
- apache_mod_security_install();
- if(!file_exists(rules_directory . "/10_asl_rules.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/10_asl_rules.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/10_asl_rules.conf");
- if(!file_exists(rules_directory . "/a_exclude.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/a_exclude.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/a_exclude.conf");
- if(!file_exists(rules_directory . "/blacklist.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/blacklist.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/blacklist.conf");
- if(!file_exists(rules_directory . "/default.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/rules/default.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/default.conf");
- if(!file_exists(rules_directory . "/recons.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/recons.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/recons.conf");
- if(!file_exists(rules_directory . "/rootkits.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/rootkits.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/rootkits.conf");
- if(!file_exists(rules_directory . "/useragents.conf"))
- exec("/usr/bin/fetch -q -o " . rules_directory . "/useragents.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/useragents.conf");
+ generate_apache_configuration();
apache_mod_security_checkconfig();
apache_mod_security_restart();
}
-function apache_mod_security_checkconfig() {
- global $config, $g;
- $status = mwexec("/usr/local/sbin/httpd -t");
- if($status) {
- $input_error = "apache_mod_security_package: There was an error parsing the Apache configuration: {$status}";
- log_error("apache_mod_security_package: There was an error parsing the Apache configuration: {$status}");
- }
-}
-
// Generate mod_proxy specific configuration
function generate_apache_configuration() {
- global $config, $g;
- $mod_proxy = "";
+ global $config, $g, $modsec_config;
+ $modsec_config =& $config['installedpackages']['apachemodsecuritysettings']['config'][0];
// Set global site e-mail
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']) {
- $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'];
- } else {
- $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com";
- $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'];
- // update configuration with default value in this case
- write_config($pkg['addedit_string']);
- log_error("WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address.");
- }
+ $global_site_email = $modsec_config['globalsiteadminemail'] ?: "admin@example.com";
// Set ServerName
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']) {
- $servername = "ServerName {$config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']}\n";
+ if ($modsec_config['hostname']) {
+ $servername = "ServerName {$modsec_config['hostname']}\n";
} else {
- $servername = "ServerName " . `hostname` . "\n";
- $config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname'] = `hostname`;
- // update configuration with default value in this case
- write_config($pkg['addedit_string']);
+ $servername = "ServerName " . $config['system']['hostname'] . "\n";
}
// Set global listening directive and ensure nothing is listening on this port already
- $globalbind = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'];
- $socksstat = split("\n", `/usr/bin/sockstat | awk '{ print $6 }' | grep ":{$globalbind}" | cut -d ":" -f2`);
- if(is_array($socksstat)) {
- foreach($socksstat as $ss) {
- if($ss == $globalbind) {
- $already_binded = true;
- $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}";
- }
- }
+ $global_listen = $modsec_config['globalbindtoipaddr'] ?: "";
+ if ($modsec_config['globalbindtoport']) {
+ $global_listen .= ":" . $modsec_config['globalbindtoport'];
+ } else {
+ $global_listen .= ":80";
}
-// if(!$already_binded) {
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']) {
- $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'];
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'])
- $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'];
- else
- $global_listen .= ":80";
- } else {
- $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'] = "";
- $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'];
- // update configuration with default value in this case
- write_config($pkg['addedit_string']);
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'])
- $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport'];
- else
- $global_listen .= ":80";
- }
-// } else {
-// log_error("Could not start mod_security + mod_proxy on port {$global_listen}. Process is already bound to this port.");
-// }
-
+
// Setup mem_cache
- if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) {
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache']) {
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size'])
- $mcachesize = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size'];
- else
- $mcachesize = "100";
- //$mem_cache = "MCacheSize $mcachesize\n";
+ if (file_exists(APACHEDIR . "/libexec/" . APACHEVERSION . "/mod_mem_cache.so")) {
+ if ($modsec_config['mod_mem_cache']) {
+ $mcachesize = $modsec_config['mod_mem_cache_size'] ?: "100";
+ $mem_cache = "MCacheSize $mcachesize\n";
}
}
- // CacheRoot Directive
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_disk_cache']) {
+ // Setup mod_disk_cache
+ if ($modsec_config['mod_disk_cache']) {
safe_mkdir("/var/db/apachemodsecuritycache");
$cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n";
+ $dcachemaxfilesize = $modsec_config['mod_disk_cache_max_filesize'] ?: "1000000";
+ $disk_cache = "CacheMaxFileSize $dcachemaxfilesize\n";
}
// SecRequestBodyInMemoryLimit Directive
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit'])
- $secrequestbodyinmemorylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit'];
- else
- $secrequestbodyinmemorylimit = "131072";
+ $secrequestbodyinmemorylimit = $modsec_config['secrequestbodyinmemorylimit'] ?: "131072";
// SecRequestBodyLimit
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit'])
- $secrequestbodylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit'];
- else
- $secrequestbodylimit = "10485760";
+ $secrequestbodylimit = $modsec_config['secrequestbodylimit'] ?: "10485760";
// ErrorDocument
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['errordocument'])
- $errordocument = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['errordocument'];
- else
- $errordocument = "";
+ $errordocument = isset($modsec_config['errordocument_custom']) ? preg_replace("/\r\n/", "\n", base64_decode($modsec_config['errordocument_custom'])) : "";
// SecAuditEngine
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine'])
- $secauditengine = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine'];
- else
- $secauditengine = "RelevantOnly";
-
- // SecReadStateLimit
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'])
- $secreadstatelimit = "SecReadStateLimit " . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'] ."\n";
- else
- $secreadstatelimit = "";
+ $secauditengine = $modsec_config['secauditengine'] ?: "RelevantOnly";
+ $mod_proxy = "";
$mod_proxy .= <<<EOF
# Off when using ProxyPass
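Review bot: apache_mod_security_checkconfig() still discards its result: `$input_errors[]` is a function-local that nothing reads and the function returns nothing, so apache_mod_security_resync() proceeds to apache_mod_security_restart() even when `httpd -t` failed; `$status` is also mwexec()'s exit code rather than the parser's output, so the log line reports a number instead of the actual error. The minimal change is `return $status;` at the end of checkconfig and `if (apache_mod_security_checkconfig() == 0) { apache_mod_security_restart(); }` in resync, with the `httpd -t` output captured (exec() with an output array) if the message is meant to be useful. Two smaller points in the same hunk: apache_mod_security_deinstall() no longer stops httpd before the `rm -rf` of its directories as the old code did, unless the package XML now handles the stop; and `$cache_root .= "CacheRoot ..."` appends to a variable that was never initialised and should be a plain `=`. generate_apache_configuration() continues outside the hunk.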
@@ -248,7 +161,7 @@ ProxyRequests off
EOF;
- /*
+ /*
#####################################################
# Format for the Proxy servers:
# Please do not delete these from the source file
@@ -281,36 +194,37 @@ EOF;
$configuredaliases = array();
// Read already configured addresses
- if($config['installedpackages']['apachemodsecuritysettings']['config']['0']) {
- foreach($config['installedpackages']['apachemodsecuritysettings']['config']['0']['row'] as $row) {
+ if ($modsec_config) {
+ foreach ($modsec_config['row'] as $row) {
if ($row['ipaddress'] && $row['ipport']) {
- $configuredaliases[] = $row;
+ $configuredaliases[] = $row;
}
}
- }
+ }
// clear list of bound addresses
- $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'] = array();
+ $modsec_config['row'] = array();
// Process proxy sites
// Configure NameVirtualHost directives
$aliases = "";
$processed = array();
- if($config['installedpackages']['apachemodsecurity']) {
+ if ($config['installedpackages']['apachemodsecurity']) {
foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
- if($ams['ipaddress'] && $ams['port'])
+ if ($ams['ipaddress'] && $ams['port']) {
$local_ip_port = "{$ams['ipaddress']}:{$ams['port']}";
- else
+ } else {
$local_ip_port = $global_listen;
+ }
// Do not add entries twice.
- if(!in_array($local_ip_port, $processed)) {
+ if (!in_array($local_ip_port, $processed)) {
// explicit bind if not global ip:port
if ($local_ip_port != $global_listen) {
$aliases .= "Listen $local_ip_port\n";
// Automatically add this to configuration
- $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']);
+ $modsec_config['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']);
}
$mod_proxy .= "NameVirtualHost $local_ip_port\n";
$processed[] = $local_ip_port;
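Review bot: `Listen $local_ip_port` and `NameVirtualHost $local_ip_port` are built directly from `$ams['ipaddress']` and `$ams['port']` (and `$global_listen` from the settings page) with no check that they hold an address and a port, so a malformed field lands verbatim in httpd.conf and either breaks the generated configuration or changes what the server binds to; unless the package XML already constrains those fields, guard the per-site branch with `if (is_ipaddr($ams['ipaddress']) && is_port($ams['port']))` and fall back to `$global_listen` otherwise. `foreach ($modsec_config['row'] as $row)` also emits a warning when no rows exist yet; `if (is_array($modsec_config['row']))` is the safer guard than `if ($modsec_config)`. generate_apache_configuration() continues outside the hunk.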
@@ -318,36 +232,34 @@ EOF;
}
}
-//** Uncomment to allow adding ip/ports not used by any site proxies
-//** Otherwise unused addresses/ports will be automatically deleted from the configuration
-// foreach ($configuredaliases as $ams) {
-// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}";
-// if(!in_array($local_ip_port, $processed)) {
-// // explicit bind if not global ip:port
-// if ($local_ip_port != $global_listen) {
-// $aliases .= "Listen $local_ip_port\n";
-// // Automatically add this to configuration
-// $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']);
-// }
-// }
-// }
-
- // update configuration with actual ip bindings
- write_config($pkg['addedit_string']);
-
+/* Uncomment to allow adding ip/ports not used by any site proxies */
+/* Otherwise unused addresses/ports will be automatically deleted from the configuration */
+/*
+ foreach ($configuredaliases as $ams) {
+ $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}";
+ if (!in_array($local_ip_port, $processed)) {
+ // explicit bind if not global ip:port
+ if ($local_ip_port != $global_listen) {
+ $aliases .= "Listen $local_ip_port\n";
+ // Automatically add this to configuration
+ $modsec_config['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']);
+ }
+ }
+ }
+*/
// Setup mod_proxy entries $mod_proxy
- if($config['installedpackages']['apachemodsecurity']) {
- foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
+ if ($config['installedpackages']['apachemodsecurity']) {
+ foreach ($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
// Set rowhelper used variables
$additionalsitehostnames = "";
foreach($ams['row'] as $row) {
if ($row['additionalsitehostnames']) {
$additionalsitehostnames .= "{$row['additionalsitehostnames']} ";
- }
- }
- $backend_sites = "";
- $sslproxyengine = "";
+ }
+ }
+ $backend_sites = "";
+ $sslproxyengine = "";
$backend_sites_count = 0;
$balancer_members = ""; // not technically needed.
foreach($ams['row'] as $row) {
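Review bot: The `/* ... */` block only re-wraps the old `//` commented-out foreach over `$configuredaliases` instead of removing it, and as far as this diff shows `$configuredaliases` is populated earlier in the function and never read anywhere else. Either delete the dead block together with its collection loop, or turn the behaviour into a real setting; commented-out code carried across a rewrite is exactly what diverges silently (this copy already references `$modsec_config` while sitting outside any executable path). generate_apache_configuration() starts and ends outside the hunk.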
@@ -360,10 +272,10 @@ EOF;
// Ensure leading http(s)://
$normalised_ipaddr .= "http://";
}
- $normalised_ipaddr .= trim($row['webserveripaddr']);
+ $normalised_ipaddr .= trim($row['webserveripaddr']);
$balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n";
// Ensure trailing /
- if(substr($normalised_ipaddr,-1) != "/") {
+ if (substr($normalised_ipaddr,-1) != "/") {
$normalised_ipaddr .= "/";
}
$backend_sites .= $normalised_ipaddr . " ";
@@ -371,20 +283,23 @@ EOF;
}
}
// Set general items
- if($ams['siteemail'])
+ if ($ams['siteemail']) {
$serveradmin = $ams['siteemail'];
- else
+ } else {
$serveradmin = $global_site_email;
- if($ams['primarysitehostname'])
+ }
+ if ($ams['primarysitehostname']) {
$primarysitehostname = $ams['primarysitehostname'];
- $sitename = str_replace(" ", "", $ams['sitename']);
+ }
+ $sitename = str_replace(" ", "", $ams['sitename']);
// Set local listening directive
- if($ams['ipaddress'] && $ams['port'])
+ if ($ams['ipaddress'] && $ams['port']) {
$local_ip_port = "{$ams['ipaddress']}:{$ams['port']}";
- else
+ } else {
$local_ip_port = $global_listen;
+ }
// Is this item a load balancer
- if($backend_sites_count>1) {
+ if ($backend_sites_count > 1) {
$balancer = true;
$mod_proxy .= "<Proxy balancer://{$sitename}>\n";
$mod_proxy .= $balancer_members;
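Review bot: `$primarysitehostname` is assigned only when `$ams['primarysitehostname']` is truthy and is never reset, so within this per-site foreach a site that leaves the field empty inherits the previous site's ServerName; the same carry-over applies to `$siteurl`, `$certificatefile`, `$certificatekeyfile` and `$certificatechainfile` in the next hunk, where it can turn a site meant to be plain HTTP into `SSLEngine on` with another site's certificate and key, and to `$balancer` a few lines further down. Replace each guarded assignment with an unconditional one, e.g. `$primarysitehostname = $ams['primarysitehostname'];`, so every iteration starts from that site's own values. The enclosing foreach starts before the hunk and ends after it.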
@@ -393,63 +308,76 @@ EOF;
$sitename = ""; // we are not using sitename in this case
}
// Set SSL items
- if($ams['siteurl'])
+ if ($ams['siteurl']) {
$siteurl = $ams['siteurl'];
- if($ams['certificatefile'])
+ }
+ if ($ams['certificatefile']) {
$certificatefile = $ams['certificatefile'];
- if($ams['certificatekeyfile'])
+ }
+ if ($ams['certificatekeyfile']) {
$certificatekeyfile = $ams['certificatekeyfile'];
- if($ams['certificatechainfile'])
+ }
+ if ($ams['certificatechainfile']) {
$certificatechainfile = $ams['certificatechainfile'];
+ }
// Begin VirtualHost
$mod_proxy .= "\n<VirtualHost {$local_ip_port}>\n";
- if($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) {
+ if ($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) {
$mod_proxy .= " SSLEngine on\n";
- if ($certificatefile)
- $mod_proxy .= " SSLCertificateFile /usr/local/etc/apache22/$certificatefile\n";
- if ($certificatekeyfile)
- $mod_proxy .= " SSLCertificateKeyFile /usr/local/etc/apache22/$certificatekeyfile\n";
- if ($certificatechainfile)
- $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n";
+ if ($certificatefile) {
+ $mod_proxy .= " SSLCertificateFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatefile}\n";
+ }
+ if ($certificatekeyfile) {
+ $mod_proxy .= " SSLCertificateKeyFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatekeyfile}\n";
+ }
+ if ($certificatechainfile) {
+ $mod_proxy .= " SSLCertificateChainFile " . APACHEDIR . "/etc" . APACHEVERSION . "/{$certificatechainfile}\n";
+ }
}
- if($sslproxyengine)
+ if ($sslproxyengine) {
$mod_proxy .= " {$sslproxyengine}\n";
- if($additionalsitehostnames)
- $mod_proxy .= " ServerAlias $additionalsitehostnames\n";
- if($serveradmin)
- $mod_proxy .= " ServerAdmin $serveradmin\n";
- if($primarysitehostname)
- $mod_proxy .= " ServerName $primarysitehostname \n";
- if($backend_sites) {
+ }
+ if ($additionalsitehostnames) {
+ $mod_proxy .= " ServerAlias {$additionalsitehostnames}\n";
+ }
+ if ($serveradmin) {
+ $mod_proxy .= " ServerAdmin {$serveradmin}\n";
+ }
+ if ($primarysitehostname) {
+ $mod_proxy .= " ServerName {$primarysitehostname} \n";
+ }
+ if ($backend_sites) {
$mod_proxy .= " ProxyPassReverse /{$sitename} {$backend_sites}\n";
$mod_proxy .= " ProxyPass / {$backend_sites}\n";
}
- if($ams['preserveproxyhostname'])
+ if ($ams['preserveproxyhostname']) {
$mod_proxy .= " ProxyPreserveHost on\n";
+ }
$mod_proxy .= "</VirtualHost>\n\n";
- // End VirtualHost
+ // End VirtualHost
}
}
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom'])
- $mod_security_custom = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom'];
-
- // Process and include rules
- if(is_dir(rules_directory)) {
- $mod_security_rules = "";
- $files = return_dir_as_array(rules_directory);
- foreach($files as $file) {
- if(file_exists(rules_directory . "/" . $file)) {
- // XXX: TODO integrate snorts rule on / off thingie
- $file_txt = file_get_contents(rules_directory . "/" . $file);
- $mod_security_rules .= $file_txt . "\n";
+
+ // Mod_security enabled?
+ if ($modsec_config['enablemodsecurity']) {
+
+ // Process and include rules
+ if (is_dir(RULES_DIR)) {
+ $mod_security_rules = "";
+ $files = return_dir_as_array(RULES_DIR);
+ foreach ($files as $file) {
+ if (file_exists(RULES_DIR . "/" . $file)) {
+ // XXX: TODO integrate snorts rule on / off thingie
+ $file_txt = file_get_contents(RULES_DIR . "/" . $file);
+ $mod_security_rules .= $file_txt . "\n";
+ }
}
}
- }
- // Mod_security enabled?
- if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['enablemodsecurity']) {
- $enable_mod_security = true;
+ // Custom mod_security rules
+ $mod_security_custom = isset($modsec_config['modsecuritycustom_adv']) ? preg_replace("/\r\n/", "\n", base64_decode($modsec_config['modsecuritycustom_adv'])) : "";
+
$mod_security = <<< EOF
<IfModule mod_security.c>
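Review bot: The SSLCertificateChainFile line concatenates `"/etc" . APACHEVERSION`, missing the slash that the SSLCertificateFile and SSLCertificateKeyFile lines just above it have, so any site configured with a chain file gets a path such as `/usr/local/etcapache22/<file>` and `httpd -t` will reject the generated configuration. Change it to `$mod_proxy .= " SSLCertificateChainFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatechainfile}\n";`. Separately, `$mod_security_rules` is initialised only inside `if (is_dir(RULES_DIR))`; if the directory is absent the template that follows presumably interpolates an undefined variable, so set `$mod_security_rules = "";` before the is_dir check. generate_apache_configuration() continues outside the hunk.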
@@ -490,9 +418,6 @@ EOF;
# Only allow bytes from this range
SecFilterForceByteRange 1 255
- # Help prevent the effects of a Slowloris-type of attack
- # $secreadstatelimit
-
# Cookie format checks.
SecFilterCheckCookieFormat On
@@ -511,9 +436,13 @@ EOF;
}
-if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so"))
- $mod_mem_cacheLoad = "Module mem_cache_module libexec/apache22/mod_mem_cache.so\n";
-
+ // Cannot use constants to replace stuff in the template
+ $apache_dir = APACHEDIR;
+ $apache_version = APACHEVERSION;
+ if (file_exists(APACHEDIR . "/libexec/" . APACHEVERSION . "/mod_mem_cache.so")) {
+ $mod_mem_cache = "LoadModule mem_cache_module libexec/{$apache_version}/mod_mem_cache.so\n";
+ }
+
$apache_config = <<<EOF
##################################################################################
# NOTE: This file was generated by the pfSense package management system. #
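Review bot: `$mod_mem_cache` is assigned only when mod_mem_cache.so exists, yet the heredoc interpolates `{$mod_mem_cache}` unconditionally, so on a system without the module the template reads an undefined variable (notice, empty string); add `$mod_mem_cache = "";` before the `if`. The same pattern applies to `$mem_cache`, `$disk_cache` and `$cache_root`, which are set conditionally earlier in the function, if the template references them further down. The heredoc continues past the end of the hunk.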
@@ -526,13 +455,13 @@ if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so"))
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
-# In particular, see
+# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
+# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
@@ -550,14 +479,14 @@ if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so"))
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
-ServerRoot "/usr/local"
+ServerRoot "{$apache_dir}"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
-# Change this to Listen on specific IP addresses as shown below to
+# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
Listen {$global_listen}
@@ -577,67 +506,67 @@ Listen {$global_listen}
#
# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
-LoadModule authn_file_module libexec/apache22/mod_authn_file.so
-LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so
-LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so
-LoadModule authn_default_module libexec/apache22/mod_authn_default.so
-LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so
-LoadModule authz_host_module libexec/apache22/mod_authz_host.so
-LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so
-LoadModule authz_user_module libexec/apache22/mod_authz_user.so
-LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so
-LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so
-LoadModule authz_default_module libexec/apache22/mod_authz_default.so
-LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so
-LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so
-LoadModule file_cache_module libexec/apache22/mod_file_cache.so
-LoadModule cache_module libexec/apache22/mod_cache.so
-LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so
-LoadModule dumpio_module libexec/apache22/mod_dumpio.so
-LoadModule include_module libexec/apache22/mod_include.so
-LoadModule filter_module libexec/apache22/mod_filter.so
-LoadModule charset_lite_module libexec/apache22/mod_charset_lite.so
-LoadModule deflate_module libexec/apache22/mod_deflate.so
-LoadModule log_config_module libexec/apache22/mod_log_config.so
-LoadModule logio_module libexec/apache22/mod_logio.so
-LoadModule env_module libexec/apache22/mod_env.so
-LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so
-LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so
-LoadModule expires_module libexec/apache22/mod_expires.so
-LoadModule headers_module libexec/apache22/mod_headers.so
-LoadModule usertrack_module libexec/apache22/mod_usertrack.so
-LoadModule unique_id_module libexec/apache22/mod_unique_id.so
-LoadModule setenvif_module libexec/apache22/mod_setenvif.so
-LoadModule version_module libexec/apache22/mod_version.so
-LoadModule proxy_module libexec/apache22/mod_proxy.so
-LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so
-LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so
-LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so
-LoadModule proxy_ajp_module libexec/apache22/mod_proxy_ajp.so
-LoadModule proxy_balancer_module libexec/apache22/mod_proxy_balancer.so
-LoadModule ssl_module libexec/apache22/mod_ssl.so
-LoadModule mime_module libexec/apache22/mod_mime.so
-LoadModule status_module libexec/apache22/mod_status.so
-LoadModule autoindex_module libexec/apache22/mod_autoindex.so
-LoadModule asis_module libexec/apache22/mod_asis.so
-LoadModule info_module libexec/apache22/mod_info.so
-LoadModule cgi_module libexec/apache22/mod_cgi.so
-LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so
-LoadModule negotiation_module libexec/apache22/mod_negotiation.so
-LoadModule dir_module libexec/apache22/mod_dir.so
-LoadModule imagemap_module libexec/apache22/mod_imagemap.so
-LoadModule actions_module libexec/apache22/mod_actions.so
-LoadModule speling_module libexec/apache22/mod_speling.so
-LoadModule userdir_module libexec/apache22/mod_userdir.so
-LoadModule alias_module libexec/apache22/mod_alias.so
-LoadModule rewrite_module libexec/apache22/mod_rewrite.so
+LoadModule authn_file_module libexec/{$apache_version}/mod_authn_file.so
+LoadModule authn_dbm_module libexec/{$apache_version}/mod_authn_dbm.so
+LoadModule authn_anon_module libexec/{$apache_version}/mod_authn_anon.so
+LoadModule authn_default_module libexec/{$apache_version}/mod_authn_default.so
+LoadModule authn_alias_module libexec/{$apache_version}/mod_authn_alias.so
+LoadModule authz_host_module libexec/{$apache_version}/mod_authz_host.so
+LoadModule authz_groupfile_module libexec/{$apache_version}/mod_authz_groupfile.so
+LoadModule authz_user_module libexec/{$apache_version}/mod_authz_user.so
+LoadModule authz_dbm_module libexec/{$apache_version}/mod_authz_dbm.so
+LoadModule authz_owner_module libexec/{$apache_version}/mod_authz_owner.so
+LoadModule authz_default_module libexec/{$apache_version}/mod_authz_default.so
+LoadModule auth_basic_module libexec/{$apache_version}/mod_auth_basic.so
+LoadModule auth_digest_module libexec/{$apache_version}/mod_auth_digest.so
+LoadModule file_cache_module libexec/{$apache_version}/mod_file_cache.so
+LoadModule cache_module libexec/{$apache_version}/mod_cache.so
+LoadModule disk_cache_module libexec/{$apache_version}/mod_disk_cache.so
+LoadModule dumpio_module libexec/{$apache_version}/mod_dumpio.so
+LoadModule include_module libexec/{$apache_version}/mod_include.so
+LoadModule filter_module libexec/{$apache_version}/mod_filter.so
+LoadModule charset_lite_module libexec/{$apache_version}/mod_charset_lite.so
+LoadModule deflate_module libexec/{$apache_version}/mod_deflate.so
+LoadModule log_config_module libexec/{$apache_version}/mod_log_config.so
+LoadModule logio_module libexec/{$apache_version}/mod_logio.so
+LoadModule env_module libexec/{$apache_version}/mod_env.so
+LoadModule mime_magic_module libexec/{$apache_version}/mod_mime_magic.so
+LoadModule cern_meta_module libexec/{$apache_version}/mod_cern_meta.so
+LoadModule expires_module libexec/{$apache_version}/mod_expires.so
+LoadModule headers_module libexec/{$apache_version}/mod_headers.so
+LoadModule usertrack_module libexec/{$apache_version}/mod_usertrack.so
+LoadModule unique_id_module libexec/{$apache_version}/mod_unique_id.so
+LoadModule setenvif_module libexec/{$apache_version}/mod_setenvif.so
+LoadModule version_module libexec/{$apache_version}/mod_version.so
+LoadModule proxy_module libexec/{$apache_version}/mod_proxy.so
+LoadModule proxy_connect_module libexec/{$apache_version}/mod_proxy_connect.so
+LoadModule proxy_ftp_module libexec/{$apache_version}/mod_proxy_ftp.so
+LoadModule proxy_http_module libexec/{$apache_version}/mod_proxy_http.so
+LoadModule proxy_ajp_module libexec/{$apache_version}/mod_proxy_ajp.so
+LoadModule proxy_balancer_module libexec/{$apache_version}/mod_proxy_balancer.so
+LoadModule ssl_module libexec/{$apache_version}/mod_ssl.so
+LoadModule mime_module libexec/{$apache_version}/mod_mime.so
+LoadModule status_module libexec/{$apache_version}/mod_status.so
+LoadModule autoindex_module libexec/{$apache_version}/mod_autoindex.so
+LoadModule asis_module libexec/{$apache_version}/mod_asis.so
+LoadModule info_module libexec/{$apache_version}/mod_info.so
+LoadModule cgi_module libexec/{$apache_version}/mod_cgi.so
+LoadModule vhost_alias_module libexec/{$apache_version}/mod_vhost_alias.so
+LoadModule negotiation_module libexec/{$apache_version}/mod_negotiation.so
+LoadModule dir_module libexec/{$apache_version}/mod_dir.so
+LoadModule imagemap_module libexec/{$apache_version}/mod_imagemap.so
+LoadModule actions_module libexec/{$apache_version}/mod_actions.so
+LoadModule speling_module libexec/{$apache_version}/mod_speling.so
+LoadModule userdir_module libexec/{$apache_version}/mod_userdir.so
+LoadModule alias_module libexec/{$apache_version}/mod_alias.so
+LoadModule rewrite_module libexec/{$apache_version}/mod_rewrite.so
{$mod_mem_cache}
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.
+# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
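Review bot: The LoadModule list is only re-pathed here, but the set it loads is wide for a reverse proxy that, as far as the visible template shows, serves nothing of its own: status, info, cgi, userdir, autoindex, proxy_ftp and proxy_connect are all loaded unconditionally. Each adds request handlers or proxy schemes the generated vhosts do not use, so consider dropping them from the template or gating them on a setting to shrink what a request arriving on the listen address can reach; `ProxyRequests off` earlier in the file limits the proxy_connect/proxy_ftp exposure but does not remove the modules. The heredoc continues outside the hunk.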
@@ -682,15 +611,15 @@ ServerAdmin {$global_site_email}
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/usr/local/apachemodsecurity"
+DocumentRoot "{$apache_dir}/www/{$apache_version}"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
-# directory (and its subdirectories).
+# directory (and its subdirectories).
#
-# First, we configure the "default" to be a very restrictive set of
-# features.
+# First, we configure the "default" to be a very restrictive set of
+# features.
#
<Directory />
AllowOverride None
@@ -708,7 +637,7 @@ DocumentRoot "/usr/local/apachemodsecurity"
#
# This should be changed to whatever you set DocumentRoot to.
#
-#<Directory "/usr/local/www/apachemodsecurity/">
+#<Directory "{$apache_dir}/www/apachemodsecurity/">
# #
# # Possible values for the Options directive are "None", "All",
# # or any combination of:
@@ -747,8 +676,8 @@ DocumentRoot "/usr/local/apachemodsecurity"
#</IfModule>
#
#
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
#
#<FilesMatch "^\.ht">
# Order allow,deny
@@ -803,8 +732,8 @@ LogLevel warn
#<IfModule alias_module>
# #
-# # Redirect: Allows you to tell clients about documents that used to
-# # exist in your server's namespace, but do not anymore. The client
+# # Redirect: Allows you to tell clients about documents that used to
+# # exist in your server's namespace, but do not anymore. The client
# # will make a new request for the document at its new location.
# # Example:
# # Redirect permanent /foo http://www.example.com/bar
@@ -821,14 +750,14 @@ LogLevel warn
# # the filesystem path.
#
# #
-# # ScriptAlias: This controls which directories contain server scripts.
+# # ScriptAlias: This controls which directories contain server scripts.
# # ScriptAliases are essentially the same as Aliases, except that
# # documents in the target directory are treated as applications and
# # run by the server when requested rather than as documents sent to the
# # client. The same rules about trailing "/" apply to ScriptAlias
# # directives as to Alias.
# #
-# ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
+# ScriptAlias /cgi-bin/ "{$apache_dir}/www/{$apache_version}/cgi-bin/"
#
#</IfModule>
@@ -844,7 +773,7 @@ LogLevel warn
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-#<Directory "/usr/local/www/apache22/cgi-bin">
+#<Directory "{$apache_dir}/www/{$apache_version}/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
@@ -867,7 +796,7 @@ DefaultType text/plainm
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
- TypesConfig etc/apache22/mime.types
+ TypesConfig etc/{$apache_version}/mime.types
#
# AddType allows you to add to or override the MIME configuration
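Review bot: The function-context line in this hunk's header, `DefaultType text/plainm`, is a typo in the generated httpd.conf that this commit leaves in place; it should read `DefaultType text/plain`, otherwise responses for files with no recognised extension are labelled with a MIME type that does not exist. The same context line heads the next three hunks of this file, so it only needs fixing once, a few lines above this hunk in the same heredoc. The enclosing function starts and ends outside this view.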
@@ -915,7 +844,7 @@ DefaultType text/plainm
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
-#MIMEMagicFile etc/apache22/magic
+#MIMEMagicFile etc/{$apache_version}/magic
#
# Customizable error responses come in three flavors:
@@ -932,10 +861,10 @@ DefaultType text/plainm
#
#
-# EnableMMAP and EnableSendfile: On systems that support it,
+# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
-# be turned off when serving from networked-mounted
+# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#
@@ -944,43 +873,43 @@ DefaultType text/plainm
# Supplemental configuration
#
-# The configuration files in the etc/apache22/extra/ directory can be
-# included to add extra features or to modify the default configuration of
-# the server, or you may simply copy their contents here and change as
+# The configuration files in the etc/{$apache_version}/extra/ directory can be
+# included to add extra features or to modify the default configuration of
+# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
-#Include etc/apache22/extra/httpd-mpm.conf
+#Include etc/{$apache_version}/extra/httpd-mpm.conf
# Multi-language error messages
-#Include etc/apache22/extra/httpd-multilang-errordoc.conf
+#Include etc/{$apache_version}/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
-#Include etc/apache22/extra/httpd-autoindex.conf
+#Include etc/{$apache_version}/extra/httpd-autoindex.conf
# Language settings
-#Include etc/apache22/extra/httpd-languages.conf
+#Include etc/{$apache_version}/extra/httpd-languages.conf
# User home directories
-#Include etc/apache22/extra/httpd-userdir.conf
+#Include etc/{$apache_version}/extra/httpd-userdir.conf
# Real-time info on requests and configuration
-#Include etc/apache22/extra/httpd-info.conf
+#Include etc/{$apache_version}/extra/httpd-info.conf
# Virtual hosts
-#Include etc/apache22/extra/httpd-vhosts.conf
+#Include etc/{$apache_version}/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
-#Include etc/apache22/extra/httpd-manual.conf
+#Include etc/{$apache_version}/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
-#Include etc/apache22/extra/httpd-dav.conf
+#Include etc/{$apache_version}/extra/httpd-dav.conf
# Various default settings
-#Include etc/apache22/extra/httpd-default.conf
+#Include etc/{$apache_version}/extra/httpd-default.conf
# Secure (SSL/TLS) connections
-#Include etc/apache22/extra/httpd-ssl.conf
+#Include etc/{$apache_version}/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
@@ -993,6 +922,7 @@ SSLRandomSeed connect builtin
# Cache settings
{$mem_cache}
+{$disk_cache}
{$cache_root}
# Mod security
@@ -1002,16 +932,13 @@ SSLRandomSeed connect builtin
{$mod_proxy}
# Include anything else
-Include etc/apache22/Includes/*.conf
+Include etc/{$apache_version}/Includes/*.conf
EOF;
- if (!is_dir('/usr/local/etc/apache22')) {
- mkdir('/usr/local/etc/apache22', 0775, true);
- }
- $fd = fopen("/usr/local/etc/apache22/httpd.conf", "w");
- if(!$fd) {
+
+ $fd = fopen(APACHEDIR . "/etc/". APACHEVERSION . "/httpd.conf", "w");
+ if (!$fd) {
$error_text = "Could not open httpd.conf for writing!";
- echo $error_text;
log_error($error_text);
exit;
}
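Review bot: The `is_dir()`/`mkdir()` guard that preceded the old fopen() is gone, so if `APACHEDIR/etc/APACHEVERSION` does not exist yet (a fresh install before the Apache port has populated it, or a NanoBSD slice still mounted read-only) the fopen fails and the code calls `exit`, aborting the whole GUI request or package install with only a log_error() to explain it. Unless that directory is guaranteed by the port, consider `safe_mkdir(APACHEDIR . "/etc/" . APACHEVERSION);` before the fopen, and returning from the function rather than exiting. Separately, this line builds the path from the `APACHEDIR`/`APACHEVERSION` constants while the heredoc above interpolates `{$apache_dir}`/`{$apache_version}`; using one form throughout keeps the written file and the paths it references from drifting apart. The enclosing function starts outside this hunk.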
@@ -1019,4 +946,65 @@ EOF;
fclose($fd);
}
+function apache_mod_security_upgrade_config() {
+ global $config, $modsec_config;
+ $modsec_config =& $config['installedpackages']['apachemodsecuritysettings']['config'][0];
+ $changes = 0;
+ if (!is_array($modsec_config)) {
+ $modsec_config = array();
+ }
+ if (isset($modsec_config['modsecuritycustom'])) {
+ $modsec_config['modsecuritycustom_adv'] = base64_encode($modsec_config['modsecuritycustom']);
+ unset($modsec_config['modsecuritycustom']);
+ $changes++;
+ }
+ if (isset($modsec_config['errordocument'])) {
+ $modsec_config['errordocument_custom'] = base64_encode($modsec_config['errordocument']);
+ unset($modsec_config['errordocument']);
+ $changes++;
+ }
+ if ($changes > 0 ) {
+ write_config("[apache_mod_security] Upgraded old package configuration.");
+ }
+}
+
+function apache_mod_security_validate_input($post, &$input_errors) {
+ if (!empty($post['hostname'])) {
+ if (!is_hostname($post['hostname'])) {
+ $input_errors[] = "'Server Hostname' must be either empty, or a valid hostname.";
+ }
+ }
+ if (!empty($post['globalbindtoipaddr'])) {
+ if (!is_ipaddr($post['globalbindtoipaddr'])) {
+ $input_errors[] = "'Default Bind to IP Address' must be either empty, or a valid IP address.";
+ }
+ }
+ if (!empty($post['globalbindtoport'])) {
+ if (!is_port($post['globalbindtoport'])) {
+ $input_errors[] = "'Default Bind to Port' must be either empty, or a valid port.";
+ }
+ }
+ if (!empty($post['mod_mem_cache_size'])) {
+ if (!is_numericint($post['mod_mem_cache_size'])) {
+ $input_errors[] = "'mod_mem_cache Memory Usage' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['mod_disk_cache_max_filesize'])) {
+ if (!is_numericint($post['mod_disk_cache_max_filesize'])) {
+ $input_errors[] = "'mod_disk_cache CacheMaxFileSize' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['SecRequestBodyInMemoryLimit'])) {
+ if (!is_numericint($post['SecRequestBodyInMemoryLimit'])) {
+ $input_errors[] = "'SecRequestBodyInMemoryLimit' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['SecRequestBodyLimit'])) {
+ if (!is_numericint($post['SecRequestBodyLimit'])) {
+ $input_errors[] = "'SecRequestBodyLimit' must be either empty, or a non-negative integer.";
+ }
+ }
+
+}
+
?>
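Review bot: `apache_mod_security_validate_input()` looks up `$post['SecRequestBodyInMemoryLimit']` and `$post['SecRequestBodyLimit']`, but the settings form in this same commit posts those fields as `secrequestbodyinmemorylimit` and `secrequestbodylimit` (see the `<fieldname>` values in apache_mod_security_settings.xml), and `$_POST` keys are case-sensitive, so those two checks never run and a non-numeric value reaches the generated mod_security configuration unvalidated. Lower-case the key in both the `!empty()` and the `is_numericint()` call for each of the two fields. The validator also skips `globalsiteadminemail`, which presumably is what the config generator interpolates into `ServerAdmin` (visible in an earlier hunk header); a check such as `if (!empty($post['globalsiteadminemail']) && !filter_var($post['globalsiteadminemail'], FILTER_VALIDATE_EMAIL)) { $input_errors[] = "'Global Site Administrator E-Mail Address' must be either empty, or a valid e-mail address."; }` would bring it in line with the other fields.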
diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index 0b973689..ee8c7fbb 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
@@ -1,76 +1,111 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <copyright>
- <![CDATA[
- /* $Id$ */
- /* ========================================================================== */
- /*
- apache_mod_security.xml
- part of apache_mod_security package (http://www.pfSense.com)
- Copyright (C)2009, 2010 Scott Ullrich
- All rights reserved.
- */
- /* ========================================================================== */
- /*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ <copyright>
+<![CDATA[
+/* $Id$ */
+/* ====================================================================================== */
+/*
+ apache_mod_security.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2009, 2010 Scott Ullrich
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
- /* ========================================================================== */
- ]]>
- </copyright>
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>apache_mod_security</name>
- <version>1.0</version>
+ <version>0.1.8</version>
<title>Services: Mod_Security+Apache+Proxy: Site Proxies</title>
+ <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
<menu>
<name>Mod_Security+Apache+Proxy</name>
<tooltiptext></tooltiptext>
<section>Services</section>
<configfile>apache_mod_security.xml</configfile>
</menu>
+ <service>
+ <name>apache_mod_security</name>
+ <rcfile>apache_mod_security.sh</rcfile>
+ <executable>httpd</executable>
+ <description>HTTP Daemon with mod_security</description>
+ </service>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.inc</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security_settings.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
- <chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security_view_logs.php</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/10_asl_rules.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/a_exclude.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/blacklist.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/default.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/recons.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/rootkits.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/apachemodsecurity/rules</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/useragents.conf</item>
+ </additional_files_needed>
<tabs>
<tab>
<text>Proxy Server Settings</text>
- <url>/pkg_edit.php?xml=apache_mod_security_settings.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url>
</tab>
<tab>
<text>Site Proxies</text>
<url>/pkg.php?xml=apache_mod_security.xml</url>
- <active/>
+ <active/>
</tab>
<tab>
<text>Logs</text>
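Review bot: The seven new `<additional_files_needed>` entries for the rule files use `<prefix>/usr/local/apachemodsecurity/rules</prefix>` without a trailing slash, whereas every other `<prefix>` in this file ends in `/`. If pkg-utils joins prefix and basename by plain concatenation, as the other entries suggest, the rules would be written as `/usr/local/apachemodsecurity/rules10_asl_rules.conf` and so on, where the httpd.conf Include would never find them; `<prefix>/usr/local/apachemodsecurity/rules/</prefix>` avoids the question. The three existing entries also lose their explicit `<chmod>0644</chmod>`, so the installed mode now depends on the package manager's default; worth confirming that is intended.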
@@ -79,7 +114,7 @@
</tabs>
<adddeleteeditpagefields>
<columnitem>
- <fielddescr>Site name</fielddescr>
+ <fielddescr>Site Name</fielddescr>
<fieldname>sitename</fieldname>
</columnitem>
<columnitem>
@@ -89,21 +124,21 @@
</adddeleteeditpagefields>
<fields>
<field>
- <fielddescr>Site name</fielddescr>
+ <fielddescr>Site Name</fielddescr>
<fieldname>sitename</fieldname>
<description>
<![CDATA[
- Enter a short descriptive name for the site. (e.g. intranet)
+ Enter a short descriptive name for the site. (e.g. intranet)
]]>
</description>
<type>input</type>
</field>
<field>
- <fielddescr>Site Webmaster E-Mail address</fielddescr>
+ <fielddescr>Site Webmaster E-Mail Address</fielddescr>
<fieldname>siteemail</fieldname>
<description>
<![CDATA[
- Enter the Webmaster E-Mail address for this site.
+ Enter the Webmaster E-Mail address for this site.
]]>
</description>
<type>input</type>
@@ -113,10 +148,10 @@
<fieldname>siteurl</fieldname>
<description></description>
<size>1</size>
- <type>select</type>
+ <type>select</type>
<options>
- <option><name>HTTP</name><value>HTTP</value></option>
- <option><name>HTTPS</name><value>HTTPS</value></option>
+ <option><name>HTTP</name><value>HTTP</value></option>
+ <option><name>HTTPS</name><value>HTTPS</value></option>
</options>
</field>
<field>
@@ -138,8 +173,8 @@
<fieldname>certificatefile</fieldname>
<description>
<![CDATA[
- Name of certificate file under /usr/local/apache22/etc/<br/>
- (required if Protocol is https)
+ Name of certificate file under /usr/local/apache22/etc/<br />
+ (Required if 'Protocol' is HTTPS.)
]]>
</description>
<size>40</size>
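Review bot: The reworded description still tells the user the certificate file lives under `/usr/local/apache22/etc/`, while the rest of this commit parameterises the Apache version (`{$apache_version}` in the generated httpd.conf), so the help text will be wrong as soon as the version constant changes; the next two hunks, for the key file and chain file descriptions, carry the same hard-coded path. Describe the location in version-neutral terms, e.g. `Name of certificate file under the Apache etc/ directory<br />`, in all three places.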
@@ -150,8 +185,8 @@
<fieldname>certificatekeyfile</fieldname>
<description>
<![CDATA[
- Name of certificate key file under /usr/local/apache22/etc/<br/>
- (required if Protocol is https)
+ Name of certificate key file under /usr/local/apache22/etc/<br />
+ (Required if 'Protocol' is HTTPS.)
]]>
</description>
<size>40</size>
@@ -162,30 +197,30 @@
<fieldname>certificatechainfile</fieldname>
<description>
<![CDATA[
- Name of certificate chain file under /usr/local/apache22/etc/<br/>
- (not required)
- ]]>
+ Name of certificate chain file under /usr/local/apache22/etc/<br />
+ (Not required.)
+ ]]>
</description>
<size>40</size>
<type>input</type>
</field>
<field>
- <fielddescr>Preserve Proxy hostname</fielddescr>
+ <fielddescr>Preserve Proxy Hostname</fielddescr>
<fieldname>preserveproxyhostname</fieldname>
<description>
<![CDATA[
- When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.
+ When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.
]]>
</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Primary site hostname</fielddescr>
+ <fielddescr>Primary Site Hostname</fielddescr>
<fieldname>primarysitehostname</fieldname>
<description>
<![CDATA[
- Enter the primary hostname (FQDN) for this website (e.g. www.example.com)<br/>
- Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)
+ Enter the primary hostname (FQDN) for this website (e.g. www.example.com).<br />
+ Leave blank and define the IP Address / Port above for IP site proxy (i.e. not named site proxy).
]]>
</description>
<size>40</size>
@@ -194,37 +229,40 @@
<field>
<fielddescr>
<![CDATA[
- Backend Web Servers and Additional Site Hostnames
+ Backend Web Servers and Additional Site Hostnames
]]>
</fielddescr>
<fieldname>additionalparameters</fieldname>
- <type>rowhelper</type>
- <rowhelper>
+ <type>rowhelper</type>
+ <rowhelper>
<rowhelperfield>
- <fielddescr>Web server backend URLs</fielddescr>
- <fieldname>webserveripaddr</fieldname>
- <description>Add each web server IP address here.</description>
- <type>input</type>
- <size>40</size>
+ <fielddescr>Web Server Backend URLs</fielddescr>
+ <fieldname>webserveripaddr</fieldname>
+ <description>Add each web server IP address here.</description>
+ <type>input</type>
+ <size>40</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>Additional Site Hostnames (not required)</fielddescr>
- <fieldname>additionalsitehostnames</fieldname>
- <description>Add each webserver hostname address here.</description>
- <type>input</type>
- <size>40</size>
+ <fielddescr>Additional Site Hostnames (Optional)</fielddescr>
+ <fieldname>additionalsitehostnames</fieldname>
+ <description>Add each webserver hostname address here.</description>
+ <type>input</type>
+ <size>40</size>
</rowhelperfield>
- </rowhelper>
+ </rowhelper>
</field>
</fields>
- <service>
- <name>apache_mod_security</name>
- <rcfile>apache_mod_security.sh</rcfile>
- <executable>httpd</executable>
- <description>HTTP Daemon with mod_security</description>
- </service>
+ <custom_php_install_command>
+ apache_mod_security_install();
+ apache_mod_security_upgrade_config();
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ apache_mod_security_deinstall();
+ </custom_php_deinstall_command>
<custom_php_resync_config_command>
apache_mod_security_resync();
</custom_php_resync_config_command>
- <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+ <custom_php_validation_command>
+ apache_mod_security_validate_input($_POST, $input_errors);
+ </custom_php_validation_command>
+</packagegui>
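Review bot: The `<custom_php_validation_command>` added here calls `apache_mod_security_validate_input()`, but that function only inspects settings-page keys (`hostname`, `globalbindtoipaddr`, the cache and body-limit fields), none of which this Site Proxies form posts, so the hook is a no-op for `primarysitehostname`, the `webserveripaddr` and `additionalsitehostnames` rows and the three certificate file name fields, all of which presumably end up in the generated virtual host configuration. Either extend the validator with checks for these names (`is_hostname()` on `primarysitehostname` and each additional hostname row, and a basename-only check on the certificate file fields since they are appended to a fixed directory) or drop the hook on this page so it does not read as if validation were in place.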
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 479e7509..c5f1da5c 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -1,52 +1,57 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <copyright>
- <![CDATA[
+ <copyright>
+<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
- apache_mod_security_settings.xml
- part of apache_mod_security package (http://www.pfSense.com)
- Copyright (C) 2008, 2009, 2010 Scott Ullrich
- All rights reserved.
- */
-/* ========================================================================== */
+ apache_mod_security_settings.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2008-2010 Scott Ullrich
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>apache_mod_security_settings</name>
- <version>1.0</version>
+ <version>0.1.8</version>
<title>Services: Mod_Security+Apache+Proxy: Settings</title>
- <aftersaveredirect>pkg_edit.php?xml=apache_mod_security_settings.xml&amp;id=0</aftersaveredirect>
+ <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
+ <aftersaveredirect>pkg_edit.php?xml=apache_mod_security_settings.xml</aftersaveredirect>
+ <advanced_options>enabled</advanced_options>
<tabs>
<tab>
<text>Proxy Server Settings</text>
- <url>/pkg_edit.php?xml=apache_mod_security_settings.xml&amp;id=0</url>
- <active/>
+ <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url>
+ <active/>
</tab>
<tab>
<text>Site Proxies</text>
@@ -59,19 +64,23 @@
</tabs>
<fields>
<field>
- <fielddescr>Global site E-mail administrator</fielddescr>
+ <name>General Proxy Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Global Site Administrator E-Mail Address</fielddescr>
<fieldname>globalsiteadminemail</fieldname>
- <description>Enter the site administrators e-mail address</description>
+ <description>Enter the e-mail address of the global site administrator.</description>
<type>input</type>
+ <default_value>admin@example.com</default_value>
</field>
<field>
- <fielddescr>Server hostname</fielddescr>
+ <fielddescr>Server Hostname</fielddescr>
<fieldname>hostname</fieldname>
<description>
<![CDATA[
- Enter the servers hostname
- <br/>
- NOTE: Leave blank to use this devices hostname.
+ Enter the server's hostname.<br />
+ NOTE: Leave blank to use the hostname of this device.
]]>
</description>
<type>input</type>
@@ -81,47 +90,43 @@
<fieldname>globalbindtoipaddr</fieldname>
<description>
<![CDATA[
- This is the IP address the Proxy Server will listen on.
- <br/>
- NOTE: Leave blank to bind to *
+ This is the IP address the Proxy Server will listen on.<br />
+ NOTE: Leave blank to bind to * (any).
]]>
</description>
<type>input</type>
</field>
<field>
- <fielddescr>Default Bind to port</fielddescr>
+ <fielddescr>Default Bind to Port</fielddescr>
<fieldname>globalbindtoport</fieldname>
<description>
<![CDATA[
- This is the port the Proxy Server will listen on.
- <br/>
- NOTE: Leave blank to bind to 80
- ]]>
+ This is the port the Proxy Server will listen on.<br />
+ NOTE: Leaving this blank will bind to default port 80.
+ ]]>
</description>
<type>input</type>
+ <default_value>80</default_value>
</field>
<field>
<fielddescr>
<![CDATA[
- Additional Addresses<br/>
- Do not edit. This field will be automatically populated from Site Proxies settings.
+ Additional Addresses<br />
+ <strong>DO NOT EDIT!</strong> This field will be automatically populated from Site Proxies settings.
]]>
</fielddescr>
<fieldname>additionaladdresses</fieldname>
- <description></description>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
<fielddescr>IP Address</fielddescr>
<fieldname>ipaddress</fieldname>
- <description></description>
<type>input</type>
<size>45</size>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
<fieldname>ipport</fieldname>
- <description></description>
<type>input</type>
<size>10</size>
</rowhelperfield>
@@ -132,99 +137,133 @@
<fieldname>mod_mem_cache</fieldname>
<description>
<![CDATA[
- Enables mod_mem_cache which stores cached documents in memory.
- ]]>
+ Enables mod_mem_cache which stores cached documents in memory.
+ ]]>
</description>
<type>checkbox</type>
+ <enablefields>mod_mem_cache_size</enablefields>
</field>
<field>
- <fielddescr>mod_mem_cache memory usage</fielddescr>
+ <fielddescr>mod_mem_cache Memory Usage</fielddescr>
<fieldname>mod_mem_cache_size</fieldname>
<description>
<![CDATA[
- Sets the memory usage in megabytes.
- ]]>
+ The maximum amount of memory used by mod_mem_cache in KBytes. (Default: 100)
+ ]]>
</description>
<type>input</type>
+ <default_value>100</default_value>
</field>
<field>
<fielddescr>Use mod_disk_cache</fielddescr>
<fieldname>mod_disk_cache</fieldname>
<description>
<![CDATA[
- mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache.
- ]]>
+ mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache.
+ ]]>
</description>
<type>checkbox</type>
+ <enablefields>mod_disk_cache_max_filesize</enablefields>
</field>
<field>
- <fielddescr>mod_disk_cache memory usage</fielddescr>
- <fieldname>mod_disk_cache_size</fieldname>
+ <fielddescr>mod_disk_cache CacheMaxFileSize</fielddescr>
+ <fieldname>mod_disk_cache_max_filesize</fieldname>
<description>
<![CDATA[
- Sets the memory usage in Kbytes.
- ]]>
+ The maximum size (in bytes) of a document to be placed in the cache. (Default: 1000000)
+ ]]>
</description>
<type>input</type>
+ <default_value>1000000</default_value>
</field>
<field>
- <fielddescr>Limits number of POSTS accepted from same IP address</fielddescr>
- <fieldname>SecReadStateLimit</fieldname>
- <description>
- <![CDATA[
- Help prevent the effects of a Slowloris-type of attack. More information about this attack can be found here: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
- ]]>
- </description>
- <type>input</type>
+ <name>mod_security Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable mod_security Protection</fielddescr>
+ <fieldname>enablemodsecurity</fieldname>
+ <description>Enables mod_security protection for all sites being proxied.</description>
+ <type>checkbox</type>
+ <enablefields>secrequestbodyinmemorylimit,secrequestbodylimit</enablefields>
</field>
<field>
- <fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr>
+ <fielddescr>SecRequestBodyInMemoryLimit</fielddescr>
<fieldname>secrequestbodyinmemorylimit</fieldname>
- <description>Configures the maximum request body size ModSecurity will store in memory.</description>
+ <description>
+ <![CDATA[
+ Configures the maximum request body size (in bytes) ModSecurity will store in memory. (Default: 131072)
+ ]]>
+ </description>
<type>input</type>
+ <default_value>131072</default_value>
</field>
<field>
- <fielddescr>Configures the maximum request body size ModSecurity will accept for buffering.</fielddescr>
+ <fielddescr>SecRequestBodyLimit</fielddescr>
<fieldname>secrequestbodylimit</fieldname>
- <description>Configures the maximum request body size ModSecurity will accept for buffering.</description>
+ <description>
+ <![CDATA[
+ Configures the maximum request body size (in bytes) ModSecurity will accept for buffering. Default: 10485760)
+ ]]>
+ </description>
<type>input</type>
+ <default_value>10485760</default_value>
</field>
<field>
- <fielddescr>Enable mod_security protection</fielddescr>
- <fieldname>enablemodsecurity</fieldname>
- <description>Enables mod_security protection for all sites being proxied</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Configures the audit logging engine.</fielddescr>
+ <fielddescr>SecAuditEngine</fielddescr>
<fieldname>secauditengine</fieldname>
- <description>Configures the audit logging engine.</description>
- <type>select</type>
+ <description>
+ <![CDATA[
+ Configures the audit logging engine.<br /><br />
+ <strong>On:</strong> Log all transactions.<br />
+ <strong>Off:</strong> Do not log any transactions.<br />
+ <strong>RelevantOnly:</strong> Only the log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant.
+ ]]>
+ </description>
+ <type>select</type>
<options>
- <option><name>RelevantOnly</name><value>RelevantOnly</value></option>
- <option><name>All</name><value>On</value></option>
- <option><name>Off</name><value>Off</value></option>
+ <option><name>RelevantOnly</name><value>RelevantOnly</value></option>
+ <option><name>All</name><value>On</value></option>
+ <option><name>Off</name><value>Off</value></option>
</options>
</field>
<field>
<fielddescr>Custom mod_security ErrorDocument</fielddescr>
- <fieldname>errordocument</fieldname>
- <description></description>
+ <fieldname>errordocument_custom</fieldname>
<type>textarea</type>
- <rows>10</rows>
- <cols>75</cols>
+ <rows>10</rows>
+ <cols>75</cols>
+ <description>
+ <![CDATA[
+ See <a href="http://httpd.apache.org/docs/2.2/mod/core.html#errordocument">Apache Core Features - ErrorDocument Directive</a> for documentation.<br /><br />
+ Example:<br />
+ ErrorDocument 403 "Sorry, can't allow you access today"<br />
+ ErrorDocument 404 http://banned.example.com/notfound.php<br />
+ ErrorDocument 500 /denied.html
+ ]]>
+ </description>
+ <encoding>base64</encoding>
</field>
<field>
- <fielddescr>Custom mod_security rules</fielddescr>
- <fieldname>modsecuritycustom</fieldname>
- <description>Paste any custom mod_security rules that you would like to use</description>
+ <fielddescr>Custom mod_security Rules</fielddescr>
+ <fieldname>modsecuritycustom_adv</fieldname>
+ <description>
+ <![CDATA[
+ Paste any custom mod_security rules that you would like to use.<br />
+ See <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual">ModSecurity Reference Manual</a>.
+ ]]>
+ </description>
<type>textarea</type>
- <rows>10</rows>
- <cols>75</cols>
+ <rows>10</rows>
+ <cols>75</cols>
+ <encoding>base64</encoding>
+ <advancedfield/>
</field>
</fields>
<custom_php_resync_config_command>
apache_mod_security_resync();
</custom_php_resync_config_command>
- <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+ <custom_php_validation_command>
+ apache_mod_security_validate_input($_POST, $input_errors);
+ </custom_php_validation_command>
+</packagegui>
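Review bot: The new SecRequestBodyLimit description is missing its opening parenthesis: `Default: 10485760)` should read `(Default: 10485760)`, matching the SecRequestBodyInMemoryLimit text just above it. Also, `<enablefields>` on the `enablemodsecurity` checkbox toggles only the two limit fields, leaving `secauditengine`, `errordocument_custom` and `modsecuritycustom_adv` editable while mod_security is off; if those are meant to be mod_security-only settings, list them in the same `<enablefields>` value.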
diff --git a/config/apache_mod_security/apache_mod_security_view_logs.php b/config/apache_mod_security/apache_mod_security_view_logs.php
index b2e60320..2fbcdcaa 100644
--- a/config/apache_mod_security/apache_mod_security_view_logs.php
+++ b/config/apache_mod_security/apache_mod_security_view_logs.php
@@ -1,9 +1,9 @@
<?php
-/* $Id$ */
/*
apache_mod_security_view_logs.php
- part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2009, 2010 Scott Ullrich <sullrich@gmail.com>
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2009, 2010 Scott Ullrich
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -27,31 +27,33 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
-require("guiconfig.inc");
+require_once("guiconfig.inc");
+require_once("util.inc");
+require_once("/usr/local/pkg/apache_mod_security.inc");
if($_REQUEST['getactivity']) {
- if($_REQUEST['logtype'] == "error")
- $apachelogs = `cat /var/log/httpd-error.log`;
- else
- $apachelogs = `cat /var/log/httpd-access.log`;
- echo "</pre><h1>Apache+Mod_Security_Proxy Server logs as of " . date("D M j G:i:s T Y") . "</h1><pre>\n\n";
+ if ($_REQUEST['logtype'] == "error") {
+ $apachelogs = shell_exec("/bin/cat /var/log/httpd-error.log");
+ $logtype = "Error";
+ } else {
+ $apachelogs = shell_exec("/bin/cat /var/log/httpd-access.log");
+ $logtype = "Access";
+ }
+ echo "</pre><h2>Apache+Mod_Security_Proxy Server {$logtype} Logs as of " . date("D M j G:i:s T Y") . "</h2><pre>\n\n";
echo $apachelogs;
exit;
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
+if ($_POST['clear']) {
+ unlink_if_exists("/var/log/httpd-error.log");
+ unlink_if_exists("/var/log/httpd-access.log");
+ apache_mod_security_restart();
+}
+$closehead = false;
$pgtitle = "Services: Mod_Security+Apache+Proxy: Logs";
include("head.inc");
-
-/* XXX */
-if ($_POST['clear']) { }
-
?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<style type='text/css'>
pre {
overflow-x: auto; /* Use horizontal scroller if needed; for Firefox 2, not needed in Firefox 3 */
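Review bot: The log body served to the `getactivity` request is still written out raw at `echo $apachelogs;`, and an Apache access log carries client-supplied request lines and User-Agent strings, so whatever a client sends ends up rendered as HTML in the administrator's browser once the JavaScript poller drops the response into `innerHTML`. Escape it before output, `echo htmlspecialchars($apachelogs, ENT_QUOTES, 'UTF-8');`. The two fixed-path `shell_exec("/bin/cat ...")` calls can simply be `file_get_contents("/var/log/httpd-error.log")` and `file_get_contents("/var/log/httpd-access.log")`, which spawn no shell and return false (printing nothing) when the file is absent right after a clear. The `clear` branch also never sets `$savemsg`, so the page gives no confirmation that the logs were removed.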
@@ -64,65 +66,76 @@ pre {
}
</style>
<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
- <script type="text/javascript">
- function getlogactivity() {
- var url = "/apache_mod_security_view_logs.php";
- var pars = 'getactivity=yes';
- var myAjax = new Ajax.Request(
- url,
- {
- method: 'post',
- parameters: pars,
- onComplete: activitycallback
- });
- }
- function activitycallback(transport) {
- $('apachelogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>';
- setTimeout('getlogactivity()', 2500);
- }
- setTimeout('getlogactivity()', 1000);
- </script>
+<script type="text/javascript">
+//<![CDATA[
+ function getlogactivity() {
+<?php
+ if ($_REQUEST['logtype'] != "error") {
+ $viewurl = "/apache_mod_security_view_logs.php";
+ } else {
+ $viewurl = "/apache_mod_security_view_logs.php?logtype=error";
+ }
+?>
+ var url = "<? echo $viewurl ?>";
+ var pars = 'getactivity=yes';
+ var myAjax = new Ajax.Request(
+ url,
+ {
+ method: 'post',
+ parameters: pars,
+ onComplete: activitycallback
+ });
+ }
+ function activitycallback(transport) {
+ $('apachelogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>';
+ setTimeout('getlogactivity()', 2500);
+ }
+ setTimeout('getlogactivity()', 1000);
+//]]>
+</script>
+</head>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></font></p>
-<?php endif; ?>
-
<?php if ($savemsg) print_info_box($savemsg); ?>
<div id="mainlevel">
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
<?php
$tab_array = array();
$tab_array[] = array(gettext("Proxy Server Settings"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml&amp;id=0");
- $tab_array[] = array(gettext("Site Proxies"), false, "/pkg.php?xml=apache_mod_security.xml");
+ $tab_array[] = array(gettext("Site Proxies"), false, "/pkg.php?xml=apache_mod_security.xml");
$tab_array[] = array(gettext("Logs"), true, "/apache_mod_security_view_logs.php");
display_top_tabs($tab_array);
?>
-</table>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="tabcont" >
- <form action="apache_mod_security_view_logs.php" method="post">
- <br>
- <div id="apachelogs">
- <pre>One moment please, loading Apache logs...</pre>
+ </td></tr>
+ <tr><td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td class="tabcont" >
+ <form action="apache_mod_security_view_logs.php" method="post">
+ <br />
+ <div id="apachelogs">
+ <pre>One moment please, loading Apache logs...</pre>
+ </div>
+ </form>
+ </td></tr>
+ </table>
</div>
- </td>
- </tr>
-</table>
-<td align="left" valign="top">
- <form id="filterform" name="filterform" action="apache_mod_security_view_logs.php" method="post" style="margin-top: 14px;">
- <p/>
- <input id="submit" name="clear" type="submit" class="formbtn" value="<?=gettext("Clear log");?>" />
- </form>
-</td>
+ </td></tr>
+ <tr><td align="left" valign="top">
+ <form id="filterform" name="filterform" action="apache_mod_security_view_logs.php" method="post" style="margin-top: 14px;">
+ <p />
+ <input id="submit" name="clear" type="submit" class="formbtn" value="<?=gettext("Clear log");?>" />
+ </form>
+ </td></tr>
+ </table>
</div>
<?php
- if($_REQUEST['logtype'] = "error") {
- echo "<br/>View <a href='apache_mod_security_view_logs.php?logtype=error'>error</a> logs";
+ if ($_REQUEST['logtype'] != "error") {
+ echo "<br /><a href='apache_mod_security_view_logs.php?logtype=error'>View Error Logs</a>";
} else {
- echo "<br/>View <a href='apache_mod_security_view_logs.php'>access</a> logs";
+ echo "<br /><a href='apache_mod_security_view_logs.php'>View Access Logs</a>";
}
?>
<?php include("fend.inc"); ?>
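Review bot: `var url = "<? echo $viewurl ?>";` uses the short open tag, which only works when `short_open_tag` is enabled in php.ini, while the rest of this file uses `<?php` and `<?=`; write it as `var url = "<?=$viewurl?>";`. Since `activitycallback` assigns `transport.responseText` straight to `innerHTML`, any escaping of the log text has to happen on the server side in the `getactivity` branch earlier in this file, not here. The `$_REQUEST['logtype']` comparison at the top of the script and the one at the bottom duplicate the same test; computing `$viewurl` once before the HTML starts would keep the two links and the poller in step.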
diff --git a/config/avahi/avahi.inc b/config/avahi/avahi.inc
index 4c824e71..ba89676f 100644
--- a/config/avahi/avahi.inc
+++ b/config/avahi/avahi.inc
@@ -63,23 +63,36 @@ function avahi_deinstall() {
}
function avahi_write_config() {
- global $config;
+ global $config, $avahi_config;
conf_mount_rw();
// Pull some various values out of config.xml
+ if (isset($config['installedpackages']['avahi']['config'][0])) {
+ $avahi_config = $config['installedpackages']['avahi']['config'][0];
+ }
+ // Server Options
$hostname = $config['system']['hostname'];
$domain = $config['system']['domain'];
- $enable = $config['installedpackages']['avahi']['config'][0]['enable'];
- $browsedomains = $config['installedpackages']['avahi']['config'][0]['browsedomains'];
- $denyif = $config['installedpackages']['avahi']['config'][0]['denyinterfaces'];
- $useipv4 = ($config['installedpackages']['avahi']['config'][0]['disable_ipv4']) ? "no" : "yes";
- $useipv6 = ($config['installedpackages']['avahi']['config'][0]['disable_ipv6']) ? "no" : "yes";
- $usedbus = ($config['installedpackages']['avahi']['config'][0]['disable_dbus']) ? "no" : "yes";
-
- // No supplied domains? Use the defaults.
- if (!$browsedomains) {
- $browsedomains = "local, 0pointer.de, zeroconf.org";
- }
+ $enable = $avahi_config['enable'];
+ $browsedomains = $avahi_config['browsedomains'] ?: "local";
+ $denyif = $avahi_config['denyinterfaces'];
+ $useipv4 = ($avahi_config['enable_ipv4']) ? "yes" : "no";
+ $useipv6 = ($avahi_config['enable_ipv6']) ? "yes" : "no";
+ $usedbus = ($avahi_config['disable_dbus']) ? "no" : "yes";
+ // Wide Area
+ $widearea = ($avahi_config['enable_wide_area']) ? "yes" : "no";
+ // Publishing Options
+ $publish = ($avahi_config['disable_publishing']) ? "no" : "yes";
+ $userpublish = ($avahi_config['disable_user_service_publishing']) ? "no" : "yes";
+ $addresspublish = ($avahi_config['publish_addresses']) ? "yes" : "no";
+ $cookie = ($avahi_config['add_service_cookie']) ? "yes" : "no";
+ $hinfopublish = ($avahi_config['publish_hinfo']) ? "yes" : "no";
+ $wspublish = ($avahi_config['publish_workstation']) ? "yes" : "no";
+ $aaaaonv4 = ($avahi_config['publish_aaaa_on_ipv4']) ? "yes" : "no";
+ $aonv6 = ($avahi_config['publish_a_on_ipv6']) ? "yes" : "no";
+ // Reflector Options
+ $reflect = ($avahi_config['enable_reflector']) ? "yes" : "no";
+ $reflectipv = ($avahi_config['reflect_ipv']) ? "yes" : "no";
// Never pass along WAN. Bad.
$denyinterfaces = $config['interfaces']['wan']['if'];
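Review bot: `$avahi_config` is only assigned when the config node exists (the `isset` at the top of the hunk), so on a host without a saved avahi config every `$avahi_config[...]` read below operates on an undefined global and emits notices; add an else branch, `} else { $avahi_config = array(); }`, so the defaults are produced silently. With `enable_ipv4`/`enable_ipv6` now opt-in keys, a config that has neither (never saved through the new form) yields `use-ipv4=no` and `use-ipv6=no`; this relies entirely on `avahi_upgrade_config` in a later hunk having run, which is worth a comment at the point where the two flags are read.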
@@ -94,6 +107,15 @@ function avahi_write_config() {
}
}
}
+
+ // Process DNS servers and omit localhost if present in /etc/resolv.conf
+ $publishdns = '';
+ $dns = implode(" ", get_dns_servers());
+ $dns = trim(str_replace('127.0.0.1', '', $dns));
+ $dns = str_replace(' ', ', ', $dns);
+ if ($dns) {
+ $publishdns = "publish-dns-servers={$dns}";
+ }
// Construct the avahi configuration
$avahiconfig = <<<EOF
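Review bot: The DNS-server list built here is published unconditionally: the `publish_resolv_conf_dns_servers` checkbox added to avahi.xml in this same commit (hunk `@@ -73,61 +73,242 @@`) is never read, so `publish-dns-servers=` is emitted whenever the system has resolvers even though the field's default is off. Gate it on the setting, `if ($dns && $avahi_config['publish_resolv_conf_dns_servers']) {`. The string surgery is also fragile: removing `127.0.0.1` from the middle of the space-joined list leaves two spaces, which `str_replace(' ', ', ', ...)` turns into `, , ` and an empty entry in the directive, and `::1` is not filtered at all; filtering the array first avoids both, `$dns = implode(', ', array_diff(get_dns_servers(), array('127.0.0.1', '::1')));`.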
@@ -116,24 +138,24 @@ enable-dbus={$usedbus}
allow-point-to-point=yes
[wide-area]
-enable-wide-area=yes
+enable-wide-area={$widearea}
[publish]
-#disable-publishing=no
-#disable-user-service-publishing=no
-#add-service-cookie=no
-#publish-addresses=yes
-#publish-hinfo=yes
-#publish-workstation=yes
+disable-publishing={$publish}
+disable-user-service-publishing={$userpublish}
+add-service-cookie={$cookie}
+publish-addresses={$addresspublish}
+publish-hinfo={$hinfopublish}
+publish-workstation={$wspublish}
#publish-domain=yes
-#publish-dns-servers=192.168.50.1, 192.168.50.2
+{$publishdns}
#publish-resolv-conf-dns-servers=yes
-#publish-aaaa-on-ipv4=yes
-#publish-a-on-ipv6=no
+publish-aaaa-on-ipv4={$aaaaonv4}
+publish-a-on-ipv6={$aonv6}
[reflector]
-enable-reflector=yes
-#reflect-ipv=no
+enable-reflector={$reflect}
+reflect-ipv={$reflectipv}
[rlimits]
rlimit-core=0
@@ -162,7 +184,7 @@ EOF;
$start .= " /bin/ln -sf " . AVAHI_BASE . "/etc/gnome.subr /usr/local/etc/gnome.subr\n";
$start .= "fi\n";
$start .= "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n";
- if (!$config['installedpackages']['avahi']['config'][0]['disable_dbus']) {
+ if (!$avahi_config['disable_dbus']) {
$start .= "if [ ! -d /var/run/dbus ]; then\n";
$start .= " /bin/mkdir /var/run/dbus\n";
$start .= " /usr/sbin/chown messagebus:messagebus /var/run/dbus\n";
@@ -178,7 +200,7 @@ EOF;
$start .= "/etc/rc.conf_mount_ro\n";
$stop = "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n";
- if (!$config['installedpackages']['avahi']['config'][0]['disable_dbus']) {
+ if (!$avahi_config['disable_dbus']) {
if (file_exists(AVAHI_BASE . "/etc/rc.d/dbus")) {
$stop .= AVAHI_BASE . "/etc/rc.d/dbus onestop\n";
$stop .= "/bin/rm /var/run/dbus/dbus.pid >/dev/null 2>&1\n";
@@ -203,9 +225,51 @@ function avahi_sync() {
}
avahi_write_config();
// Is package enabled?
- if (($config['installedpackages']['avahi']['config'][0]['enable']) && file_exists("/usr/local/etc/rc.d/avahi-daemon.sh")) {
+ if ($config['installedpackages']['avahi']['config'][0]['enable']) {
start_service("avahi");
}
}
+function avahi_upgrade_config() {
+ global $config, $avahi_config;
+
+ $avahi_config =& $config['installedpackages']['avahi']['config'][0];
+ if (!is_array($avahi_config)) {
+ $avahi_config = array();
+ }
+ $changes = 0;
+ // Convert previous disable values to enable ones
+ // If broken settings were configured due to lack of validation, just set to defaults
+ if (isset($avahi_config['disable_ipv4']) && isset($avahi_config['disable_ipv6']) && $avahi_config['disable_ipv4'] == "on" && $avahi_config['disable_ipv6'] == "on") {
+ $avahi_config['enable_ipv4'] = "on";
+ $avahi_config['enable_ipv6'] = "on";
+ unset($avahi_config['disable_ipv4']);
+ unset($avahi_config['disable_ipv6']);
+ $changes++;
+ } elseif (isset($avahi_config['disable_ipv4']) && $avahi_config['disable_ipv4'] != "on") {
+ $avahi_config['enable_ipv4'] = "on";
+ unset($avahi_config['disable_ipv4']);
+ $changes++;
+ } elseif (isset($avahi_config['disable_ipv6']) && $avahi_config['disable_ipv6'] != "on") {
+ $avahi_config['enable_ipv6'] = "on";
+ unset($avahi_config['disable_ipv6']);
+ $changes++;
+ }
+ if ($changes > 0 ) {
+ write_config("[avahi] Upgraded old package configuration.");
+ }
+}
+
+function avahi_validate_input($post, &$input_errors) {
+ if (($post['enable_ipv4'] != "on" ) && ($post['enable_ipv6'] != "on" )) {
+ $input_errors[] = gettext("You cannot disable both IPv4 and IPv6!");
+ }
+ if (($post['enable_ipv4'] != "on" ) && ($post['publish_aaaa_on_ipv4'] == "on" )) {
+ $input_errors[] = gettext("'Publish AAAA records on IPv4' makes no sense with IPv4 disabled.");
+ }
+ if (($post['enable_ipv6'] != "on" ) && ($post['publish_a_on_ipv6'] == "on" )) {
+ $input_errors[] = gettext("'Publish A records on IPv6' makes no sense with IPv6 disabled.");
+ }
+}
+
?>
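Review bot: The `elseif` chain in `avahi_upgrade_config` only converts a flag when the matching `disable_*` key is present and not `on`; a legacy config whose unchecked boxes were stored as absent keys matches no branch, so neither `enable_ipv4` nor `enable_ipv6` is created and `avahi_write_config` then emits `use-ipv4=no` and `use-ipv6=no`, leaving the daemon bound to neither protocol after the upgrade. Convert each protocol independently from its own old value, and only for configs that have not been migrated yet, as sketched below. `avahi_validate_input` also leaves `browsedomains` and `denyinterfaces` unchecked although `avahi_write_config` presumably interpolates them into the generated daemon config like the other options; validating `browsedomains` as a comma-separated list of domain names (and rejecting embedded newlines) would keep a stored value from altering the config beyond its own directive.
```php
function avahi_upgrade_config() {
	// … unchanged: global declaration, reference to $config node, array init …
	$changes = 0;
	// Migrate only configs that still lack the new enable_* keys. Each protocol is
	// converted on its own, so an absent (unchecked) disable_* key keeps it enabled.
	if (!isset($avahi_config['enable_ipv4']) && !isset($avahi_config['enable_ipv6'])) {
		foreach (array('ipv4', 'ipv6') as $proto) {
			$wasDisabled = isset($avahi_config["disable_{$proto}"]) && $avahi_config["disable_{$proto}"] == "on";
			if (!$wasDisabled) {
				$avahi_config["enable_{$proto}"] = "on";
			}
			unset($avahi_config["disable_{$proto}"]);
		}
		// A config that had both protocols disabled (saved before validation existed) falls back to defaults
		if (!isset($avahi_config['enable_ipv4']) && !isset($avahi_config['enable_ipv6'])) {
			$avahi_config['enable_ipv4'] = "on";
			$avahi_config['enable_ipv6'] = "on";
		}
		$changes++;
	}
	// … unchanged: write_config() when $changes > 0 …
}
```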
diff --git a/config/avahi/avahi.xml b/config/avahi/avahi.xml
index 0b49fea3..0c18e097 100644
--- a/config/avahi/avahi.xml
+++ b/config/avahi/avahi.xml
@@ -51,7 +51,7 @@
<name>Avahi</name>
<tooltiptext>Modify avahi settings.</tooltiptext>
<section>Services</section>
- <url>pkg_edit.php?xml=avahi.xml&amp;id=0</url>
+ <url>pkg_edit.php?xml=avahi.xml</url>
</menu>
<service>
<name>avahi</name>
@@ -73,61 +73,242 @@
</additional_files_needed>
<fields>
<field>
+ <name>Server Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
<fielddescr>Enable</fielddescr>
<fieldname>enable</fieldname>
<description>Enable Avahi Bonjour/Zeroconf proxy.</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Browse domains (comma separated)</fielddescr>
+ <fielddescr>Browse Domains</fielddescr>
<fieldname>browsedomains</fieldname>
<description>
<![CDATA[
- Enter the domains that you would like proxied.<br />
- (Example: local, pfsense.org, mydomain.com)
+ Enter the (comma separated) list of domains that you would like proxied. (Example: local, pfsense.org, mydomain.com)<br />
+ (Default: local)
]]>
</description>
<type>input</type>
+ <default_value>local</default_value>
</field>
<field>
<fielddescr>Deny interfaces</fielddescr>
<fieldname>denyinterfaces</fieldname>
<description>
<![CDATA[
- Interfaces that you do NOT want Avahi to listen on.
- <strong>NOTE: WAN is always disabled (so it is not shown here).</strong>
+ Interfaces that you do NOT want Avahi to listen on.<br />
+ <strong>Note: WAN is always disabled (so it is not shown here).</strong>
]]>
</description>
<type>interfaces_selection</type>
- <hideinterfaceregex>wan</hideinterfaceregex>
+ <hideinterfaceregex>(wan|loopback)</hideinterfaceregex>
<multiple>true</multiple>
</field>
<field>
- <fielddescr>Disable IPv6</fielddescr>
- <fieldname>disable_ipv6</fieldname>
- <description>Disable IPv6 support in Avahi.</description>
+ <fielddescr>Enable IPv4</fielddescr>
+ <fieldname>enable_ipv4</fieldname>
+ <description>Enable IPv4 support in Avahi. (Default: enabled)</description>
<type>checkbox</type>
+ <default_value>on</default_value>
+ <enablefields>publish_aaaa_on_ipv4</enablefields>
</field>
<field>
- <fielddescr>Disable IPv4</fielddescr>
- <fieldname>disable_ipv4</fieldname>
- <description>Disable IPv4 support in Avahi.</description>
+ <fielddescr>Enable IPv6</fielddescr>
+ <fieldname>enable_ipv6</fieldname>
+ <description>Enable IPv6 support in Avahi. (Default: enabled)</description>
<type>checkbox</type>
+ <default_value>on</default_value>
+ <enablefields>publish_a_on_ipv6</enablefields>
</field>
<field>
- <fielddescr>Disable D-BUS</fielddescr>
+ <fielddescr>Disable D-Bus</fielddescr>
<fieldname>disable_dbus</fieldname>
- <description>Disable D-BUS client API support in Avahi.</description>
+ <description>Disable D-Bus client API support in Avahi. (Default: no)</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Wide Area</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable Wide-Area DNS-SD</fielddescr>
+ <fieldname>enable_wide_area</fieldname>
+ <description>
+ <![CDATA[
+ Enable wide-area DNS-SD, aka DNS-SD over unicast DNS. If this is enabled only
+ domains ending in .local will be resolved on mDNS, all other domains are resolved via unicast DNS.<br />
+ If you want to maintain multiple different multicast DNS domains even with this option enabled,
+ use subdomains of .local, such as "kitchen.local".<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>Publishing Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Disable Publishing</fielddescr>
+ <fieldname>disable_publishing</fieldname>
+ <description>
+ <![CDATA[
+ If checked, no record will be published by Avahi, not even address records for the local host. Avahi will be started in a querying-only mode.<br />
+ You can use this is a security measure. <strong>Warning: Do NOT disable publishing unless you know what you are doing!</strong><br />
+ (Default: no)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>Disable User Service Publishing</fielddescr>
+ <fieldname>disable_user_service_publishing</fieldname>
+ <description>
+ <![CDATA[
+ If checked, Avahi will still publish address records and suchlike but will not allow user applications to publish services.
+ You can use this is a security measure.<br />
+ (Default: no)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>Add Service Cookie</fielddescr>
+ <fieldname>add_service_cookie</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, an implicit TXT entry will be added to all locally registered services.
+ This can be used to detect if two services on two different interfaces/protocols are actually identical.<br />
+ (Default: disabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish Addresses</fielddescr>
+ <fieldname>publish_addresses</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will register mDNS address records for all local IP addresses. Unless you want to use Avahi exclusively
+ for browsing it’s recommended to enable this. If you want to register local services you need to enable this option.<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish HINFO</fielddescr>
+ <fieldname>publish_hinfo</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will register an mDNS HINFO record on all interfaces which contains information about the local operating system and CPU.<br />
+ This is recommended by the mDNS specification but not required. For the sake of privacy you might choose to disable this feature.<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish Workstation</fielddescr>
+ <fieldname>publish_workstation</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will register will register a service of type "_workstation._tcp" on the local LAN.
+ This might be useful for administrative purposes (i.e. browse for all PCs on the LAN).<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish DNS Servers</fielddescr>
+ <fieldname>publish_resolv_conf_dns_servers</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will publish the unicast DNS servers configured in System - General settings.
+ You can use this to announce unicast DNS servers via mDNS.<br />
+ When used in conjunction with avahi-dnsconfd on the client side this allows DHCP-like configuration of unicast DNS servers.<br />
+ (Default: disabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish AAAA records on IPv4</fielddescr>
+ <fieldname>publish_aaaa_on_ipv4</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will publish an IPv6 AAAA record via IPv4, i.e. the local IPv6 addresses can be resolved using an IPv4 transport.<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Publish A records on IPv6</fielddescr>
+ <fieldname>publish_a_on_ipv6</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will publish an IPv4 A record via IPv6, i.e. the local IPv4 addresses can be resolved using an IPv6 transport.<br />
+ (Default: disabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <name>Reflector Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable Reflector</fielddescr>
+ <fieldname>enable_reflector</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will reflect incoming mDNS requests to all local network interfaces,
+ effectively allowing clients to browse mDNS/DNS-SD services on all networks connected to the gateway.<br />
+ (Default: enabled)
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Reflect IPv</fielddescr>
+ <fieldname>reflect_ipv</fieldname>
+ <description>
+ <![CDATA[
+ If enabled, Avahi will forward mDNS traffic between IPv4 and IPv6, which is usually not recommended.<br />
+ (Default: disabled)
+ ]]>
+ </description>
<type>checkbox</type>
+ <default_value>off</default_value>
</field>
</fields>
<custom_php_resync_config_command>
avahi_sync();
</custom_php_resync_config_command>
<custom_php_install_command>
+ avahi_upgrade_config();
avahi_install();
</custom_php_install_command>
<custom_php_deinstall_command>
avahi_deinstall();
</custom_php_deinstall_command>
+ <custom_php_validation_command>
+ avahi_validate_input($_POST, $input_errors);
+ </custom_php_validation_command>
</packagegui>
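Review bot: Several new description texts carry typos that the CDATA blocks show verbatim in the GUI: "You can use this is a security measure" (under Disable Publishing and Disable User Service Publishing) should read "You can use this as a security measure", and "Avahi will register will register a service" under Publish Workstation repeats the verb. The `publish_resolv_conf_dns_servers` field is not read by avahi.inc anywhere in this commit, so its description promises a toggle the backend does not implement; either consult it when building `publish-dns-servers` or leave the field out until it is wired up.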
diff --git a/config/bacula-client/bacula-client.inc b/config/bacula-client/bacula-client.inc
index 397cf7a4..a251baae 100644
--- a/config/bacula-client/bacula-client.inc
+++ b/config/bacula-client/bacula-client.inc
@@ -50,6 +50,7 @@ function baculaclient_custom_php_deinstall_command(){
function baculaclient_custom_php_write_config(){
global $config, $LocalDirector;
+ $RemoteDirector = "";
conf_mount_rw();
// Check config_file
@@ -72,21 +73,22 @@ function baculaclient_custom_php_write_config(){
switch ($bc['type']) {
case "Director":
$baculaclient_conf .= "Director { \n\tName = {$bc['director']}-dir #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n";
+ $RemoteDirector = $bc['director'];
break;
case "Monitor":
$baculaclient_conf .= "Director { \n\tName = {$bc['director']}-mon #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n\tMonitor = yes\n}\n";
break;
case "Local":
- $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-dir #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n";
- $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-mon #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n\tMonitor = yes\n}\n";
+ $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-fd #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n";
$LocalDirector = $bc['director'];
}
}
- // Create Messages
- if (!empty($LocalDirector)) {
- $baculaclient_conf .= "Messages { \n\tName = Standard \n\tdirector = {$LocalDirector}-dir = all, !skipped, !restored\n}\n";
+ // Create Messages.
+ // Messages should be sent to the master Director
+ if (!empty($RemoteDirector)) {
+ $baculaclient_conf .= "Messages { \n\tName = Standard #send messages here\n\tdirector = {$RemoteDirector}-dir = all, !skipped, !restored\n}\n";
}
// Create FileDaemon
if (is_array($config['installedpackages']['baculaclientfd']['config'])) {
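Review bot: `$RemoteDirector = $bc['director'];` is overwritten on every `Director` entry, so with more than one remote Director configured the `Messages` resource is bound to whichever one the loop visits last, while the new comment says messages go to the master Director. Either keep the first one, `if ($RemoteDirector === "") { $RemoteDirector = $bc['director']; }`, or reword the comment to say the last configured Director receives messages. The `Local` case now names its Director resource `{$bc['director']}-fd`, the same name the `FileDaemon` resource receives in the next hunk; if sharing the name is intentional, a one-line comment saying so would spare the next reader the question.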
@@ -94,7 +96,7 @@ function baculaclient_custom_php_write_config(){
$jobs = $config['installedpackages']['baculaclientfd']['config'][0]['jobs'] ?: '20';
}
if (!empty($LocalDirector)) {
- $baculaclient_conf .= "FileDaemon { \n\tName = {$LocalDirector}-fd #\n\tFDport = {$port}\n\tWorkingDirectory = /var/db/bacula\n\tPid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n}\n";
+ $baculaclient_conf .= "FileDaemon { \n\tName = {$LocalDirector}-fd #this is the local pfSense Director\n\tFDport = {$port}\n\tWorkingDirectory = /var/db/bacula\n\tPid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n}\n";
}
// Write config file and start service
diff --git a/config/bacula-client/bacula-client.xml b/config/bacula-client/bacula-client.xml
index cbfe8757..fd1e744d 100644
--- a/config/bacula-client/bacula-client.xml
+++ b/config/bacula-client/bacula-client.xml
@@ -44,7 +44,7 @@
</copyright>
<requirements>Bacula Server Installed on your network.</requirements>
<name>baculaclient</name>
- <version>1.0.8</version>
+ <version>1.0.11</version>
<title>Bacula Client: Settings</title>
<aftersaveredirect>/pkg.php?xml=bacula-client.xml</aftersaveredirect>
<include_file>/usr/local/pkg/bacula-client.inc</include_file>
@@ -156,4 +156,7 @@
<custom_php_resync_config_command>
baculaclient_custom_php_write_config();
</custom_php_resync_config_command>
+ <custom_delete_php_command>
+ baculaclient_custom_php_write_config();
+ </custom_delete_php_command>
</packagegui>
diff --git a/config/bacula-client/bacula-client_view_config.php b/config/bacula-client/bacula-client_view_config.php
index c10a0cda..dacdc98c 100644
--- a/config/bacula-client/bacula-client_view_config.php
+++ b/config/bacula-client/bacula-client_view_config.php
@@ -29,7 +29,7 @@
*/
require("guiconfig.inc");
-$$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
+$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
if ($pf_version == "2.1" || $pf_version == "2.2") {
define('BACULA_LOCALBASE', '/usr/pbi/bacula-' . php_uname("m"));
} else {
@@ -62,12 +62,10 @@ include("head.inc");
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="tabcont">
- <textarea id="varnishlogs" rows="50" cols="87%">
- <?php
+ <textarea rows="50" cols="87%"><?php
$config_file = file_get_contents(BACULA_LOCALBASE."/etc/bacula/bacula-fd.conf");
echo $config_file;
- ?>
- </textarea>
+ ?></textarea>
</td></tr>
</table>
</div>
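Review bot: The configuration file is still echoed into the `<textarea>` unescaped; bacula-fd.conf holds the Director passwords entered through the package form, and a `<` or `</textarea>` sequence in such a value would close the element and be interpreted as markup. Emit it as `echo htmlspecialchars($config_file, ENT_QUOTES, 'UTF-8');`. `file_get_contents` returns false when the file has not been generated yet, which renders as an empty box with no explanation; checking for `false` and printing a short notice would make that state visible.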
diff --git a/config/havp/havp.inc b/config/havp/havp.inc
index 38412f31..9e931a95 100644
--- a/config/havp/havp.inc
+++ b/config/havp/havp.inc
@@ -87,9 +87,13 @@ define('HVDEF_PID_FILE', '/var/run/havp.pid');
$pf_version=substr(trim(file_get_contents("/etc/version")), 0, 3);
if ($pf_version == "2.1" || $pf_version == "2.2") {
- define("HVDEF_WORK_DIR", "/usr/pbi/havp-" . php_uname("m") . "/local/etc");
+ define("HVDEF_WORK_DIR", "/usr/pbi/havp-" . php_uname("m") . "/local/etc");
+ define('HVDEF_TEMPLATES', "/usr/pbi/havp-" . php_uname("m") . "/local/share/examples/havp/templates");
+ define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex');
} else {
- define("HVDEF_WORK_DIR", "/usr/local/etc/havp");
+ define("HVDEF_WORK_DIR", "/usr/local/etc/havp");
+ define('HVDEF_TEMPLATES', '/usr/local/share/examples/havp/templates');
+ define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex');
}
define('HVDEF_LOG_DIR', '/var/log/havp');
@@ -97,8 +101,6 @@ define('HVDEF_TEMP_DIR', '/var/tmp');
define('HVDEF_HAVPTEMP_DIR', HVDEF_TEMP_DIR . '/havp');
define('HVDEF_RAMTEMP_DIR', HVDEF_TEMP_DIR . '/havpRAM');
define('HVDEF_SCANTEMPFILE', '/havp-XXXXXX');
-define('HVDEF_TEMPLATES', '/usr/local/share/examples/havp/templates');
-define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex');
define('HVDEF_FILTER_RULES', '/tmp/rules.havp');
define('HVDEF_HAVP_CONFIG', HVDEF_WORK_DIR . '/havp.config');
define('HVDEF_HAVP_XMLCONF', HVDEF_WORK_DIR . '/havp_conf.xml');
@@ -238,6 +240,9 @@ function havp_deinstall() {
// unlink_if_exists(HVDEF_AVUPD_SCRIPT);
// unlink_if_exists(HVDEF_CLAM_PID);
// unlink_if_exists(HVDEF_CLAM_SOCKET);
+ if (is_dir("/usr/local/share/examples/havp/")) {
+ mwexec("/bin/rm -rf /usr/local/share/examples/havp/");
+ }
umountRAMDisk();
}
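Review bot: The added cleanup removes the fixed path `/usr/local/share/examples/havp/`, but the earlier hunk in this file defines `HVDEF_TEMPLATES` under `/usr/pbi/havp-<arch>/local/share/examples/havp/templates` on 2.1/2.2, so on those versions the directory this deinstall deletes is not the one the package writes its templates to (if PBI removal is expected to take care of that, a comment saying so would help). Deriving the path from the constant keeps the two in step, `mwexec("/bin/rm -rf " . escapeshellarg(dirname(HVDEF_TEMPLATES)));`, and pfSense's `rmdir_recursive()` helper, where available, would avoid the shell entirely.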
/*
diff --git a/config/havp/havp.xml b/config/havp/havp.xml
index c99bf8c4..a1484a59 100644
--- a/config/havp/havp.xml
+++ b/config/havp/havp.xml
@@ -212,9 +212,11 @@
<option><value>es</value><name>Spanish</name></option>
<option><value>fr</value><name>French</name></option>
<option><value>it</value><name>Italian</name></option>
- <option><value>nf</value><name>Norf'k</name></option>
+ <option><value>nl</value><name>Dutch</name></option>
+ <option><value>pf</value><name>Norf'k</name></option>
<option><value>pl</value><name>Polish</name></option>
<option><value>ru</value><name>Russian</name></option>
+ <option><value>sv</value><name>Swedish</name></option>
</options>
</field>
<field>
diff --git a/config/vhosts/vhosts.inc b/config/vhosts/vhosts.inc
index 7ac027b9..b0e2db45 100644
--- a/config/vhosts/vhosts.inc
+++ b/config/vhosts/vhosts.inc
@@ -27,6 +27,9 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
+
+require_once('service-utils.inc');
+
//sort array
function sort_host($a, $b) {
return strcmp($a["host"], $b["host"]);
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index 6eceaa45..bf6a4a44 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -227,7 +227,7 @@
<website>http://www.modsecurity.org/</website>
<descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr>
<category>Network Management</category>
- <version>0.1.7</version>
+ <version>0.1.8</version>
<status>ALPHA</status>
<required_version>2.2</required_version>
<maximum_version>2.2.999</maximum_version>
@@ -261,7 +261,7 @@
<ports_after>net/avahi-app devel/dbus</ports_after>
</build_pbi>
<depends_on_package_pbi>avahi-0.6.31-##ARCH##.pbi</depends_on_package_pbi>
- <version>1.10.1</version>
+ <version>1.10.2</version>
<status>BETA</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file>
@@ -373,7 +373,7 @@
<port_category>www</port_category>
<pkginfolink>https://doc.pfsense.org/index.php/vhosts</pkginfolink>
<config_file>https://packages.pfsense.org/packages/config/vhosts/vhosts.xml</config_file>
- <version>0.8.1</version>
+ <version>0.8.2</version>
<status>ALPHA</status>
<required_version>2.2</required_version>
<maintainer>markjcrane@gmail.com</maintainer>
@@ -1201,7 +1201,7 @@
<ports_after>security/clamav</ports_after>
</build_pbi>
<build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options>
- <version>1.08</version>
+ <version>1.09</version>
<status>BETA</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file>
@@ -1397,7 +1397,7 @@
<descr>Bacula is a set of Open Source computer programs that permit managings backups, recovery, and verification of computer data across a network of computers of different kinds.</descr>
<website>http://www.bacula.org/</website>
<category>Services</category>
- <version>1.0.9</version>
+ <version>1.0.11</version>
<status>Stable</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 9cd53084..382155a8 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -261,7 +261,7 @@
<website>http://www.modsecurity.org/</website>
<descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr>
<category>Network Management</category>
- <version>0.1.6</version>
+ <version>0.1.8</version>
<status>ALPHA</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.xml</config_file>
@@ -316,7 +316,7 @@
</build_pbi>
<depends_on_package>avahi-app-0.6.29_1.tbz</depends_on_package>
<depends_on_package_pbi>avahi-0.6.31-i386.pbi</depends_on_package_pbi>
- <version>0.6.31 pkg v1.08</version>
+ <version>0.6.31 pkg v1.10.2</version>
<status>ALPHA</status>
<required_version>1.2.3</required_version>
<config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file>
@@ -459,26 +459,6 @@
<configurationfile>vhosts.xml</configurationfile>
</package>
<package>
- <name>snort</name>
- <pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink>
- <website>http://www.snort.org</website>
- <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr>
- <category>Security</category>
- <depends_on_package_base_url>https://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>snort-2.9.7.2-i386.pbi</depends_on_package_pbi>
- <build_pbi>
- <port>security/snort</port>
- <ports_after>security/barnyard2</ports_after>
- </build_pbi>
- <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options>
- <config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
- <version>2.9.7.2 pkg v3.2.5</version>
- <required_version>2.1</required_version>
- <status>Stable</status>
- <configurationfile>/snort.xml</configurationfile>
- <after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info>
- </package>
- <package>
<name>olsrd</name>
<website>http://www.olsr.org/</website>
<descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr>
@@ -1397,7 +1377,7 @@
<depends_on_package_pbi>havp-0.91_1-i386.pbi</depends_on_package_pbi>
<build_port_path>/usr/ports/www/havp</build_port_path>
<build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options>
- <version>0.91_1 pkg v1.05</version>
+ <version>0.91_1 pkg v1.09</version>
<status>BETA</status>
<required_version>1.2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file>
@@ -1614,7 +1594,7 @@
<descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr>
<website>http://www.bacula.org/</website>
<category>Services</category>
- <version>5.2.12_3 pkg v 1.0.7</version>
+ <version>5.2.12_3 pkg v 1.0.11</version>
<status>Stable</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 348f9ef6..88608bff 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -248,7 +248,7 @@
<website>http://www.modsecurity.org/</website>
<descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr>
<category>Network Management</category>
- <version>0.1.6</version>
+ <version>0.1.8</version>
<status>ALPHA</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.xml</config_file>
@@ -303,7 +303,7 @@
</build_pbi>
<depends_on_package>avahi-0.6.29.tbz</depends_on_package>
<depends_on_package_pbi>avahi-0.6.31-amd64.pbi</depends_on_package_pbi>
- <version>0.6.31 pkg v1.08</version>
+ <version>0.6.31 pkg v1.10.2</version>
<status>ALPHA</status>
<required_version>1.2.3</required_version>
<config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file>
@@ -446,26 +446,6 @@
<configurationfile>vhosts.xml</configurationfile>
</package>
<package>
- <name>snort</name>
- <pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink>
- <website>http://www.snort.org</website>
- <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr>
- <category>Security</category>
- <depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>snort-2.9.7.2-amd64.pbi</depends_on_package_pbi>
- <build_pbi>
- <port>security/snort</port>
- <ports_after>security/barnyard2</ports_after>
- </build_pbi>
- <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options>
- <config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
- <version>2.9.7.2 pkg v3.2.5</version>
- <required_version>2.1</required_version>
- <status>Stable</status>
- <configurationfile>/snort.xml</configurationfile>
- <after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info>
- </package>
- <package>
<name>olsrd</name>
<website>http://www.olsr.org/</website>
<descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr>
@@ -1384,7 +1364,7 @@
<depends_on_package_pbi>havp-0.91_1-amd64.pbi</depends_on_package_pbi>
<build_port_path>/usr/ports/www/havp</build_port_path>
<build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options>
- <version>0.91_1 pkg v1.05</version>
+ <version>0.91_1 pkg v1.09</version>
<status>BETA</status>
<required_version>1.2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file>
@@ -1601,7 +1581,7 @@
<descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr>
<website>http://www.bacula.org/</website>
<category>Services</category>
- <version>5.2.12_3 pkg v 1.0.7</version>
+ <version>5.2.12_3 pkg v 1.0.11</version>
<status>Stable</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file>