-rw-r--r-- | config/apache_mod_security/apache_mod_security.inc | 658 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security.xml | 204 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security_settings.xml | 241 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security_view_logs.php | 139 | ||||
-rw-r--r-- | config/avahi/avahi.inc | 118 | ||||
-rw-r--r-- | config/avahi/avahi.xml | 211 | ||||
-rw-r--r-- | config/bacula-client/bacula-client.inc | 14 | ||||
-rw-r--r-- | config/bacula-client/bacula-client.xml | 5 | ||||
-rw-r--r-- | config/bacula-client/bacula-client_view_config.php | 8 | ||||
-rw-r--r-- | config/havp/havp.inc | 13 | ||||
-rw-r--r-- | config/havp/havp.xml | 4 | ||||
-rw-r--r-- | config/vhosts/vhosts.inc | 3 | ||||
-rw-r--r-- | pkg_config.10.xml | 10 | ||||
-rw-r--r-- | pkg_config.8.xml | 28 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 28 |
15 files changed, 990 insertions, 694 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc index 8bcf3ddd..69cc2126 100644 --- a/config/apache_mod_security/apache_mod_security.inc +++ b/config/apache_mod_security/apache_mod_security.inc @@ -1,8 +1,9 @@ <?php /* apache_mod_security.inc - part of apache_mod_security package (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2009, 2010 Scott Ullrich + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -26,64 +27,31 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once("/etc/inc/pkg-utils.inc"); -// Rules directory location -define("rules_directory", "/usr/local/apachemodsecurity/rules"); - -// Ensure NanoBSD can write. pkg_mgr will remount RO -conf_mount_rw(); - -// Needed mod_security directories -if(!is_dir("/usr/local/apachemodsecurity")) - safe_mkdir("/usr/local/apachemodsecurity"); -if(!is_dir("/usr/local/apachemodsecurity/rules")) - safe_mkdir("/usr/local/apachemodsecurity/rules"); - -// Startup function -function apache_mod_security_start() { - exec("/usr/local/sbin/httpd -k start"); -} - -// Shutdown function -function apache_mod_security_stop() { - exec("/usr/local/sbin/httpd -k stop"); +$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3); +if ($pf_version == "2.1" || $pf_version == "2.2") { + define('APACHEDIR', '/usr/pbi/proxy_mod_security-' . php_uname("m") . "/local"); +} else { + define('APACHEDIR', '/usr/local'); } +define('APACHEVERSION', 'apache22'); -// Restart function -function apache_mod_security_restart() { - if(is_process_running("httpd")) { - exec("/usr/local/sbin/httpd -k graceful"); - } else { - apache_mod_security_start(); - } -} +// Rules directory location +define('RULES_DIR', '/usr/local/apachemodsecurity/rules'); -// Install function +// Install package routines function apache_mod_security_install() { global $config, $g; - // We might be reinstalling and a configuration - // already exists. + safe_mkdir("/usr/local/apachemodsecurity/rules"); + // We might be reinstalling and a configuration already exists. generate_apache_configuration(); $filename = "apache_mod_security.sh"; + $start = APACHEDIR . "/sbin/httpd -k start"; + $stop = APACHEDIR . 
"/sbin/httpd -k stop"; - $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP - <?php - require_once(\"functions.inc\"); - require_once(\"/usr/local/pkg/apache_mod_security.inc\"); - apache_mod_security_start(); - ?> -ENDPHP\n"; - - $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP - <?php - require_once(\"functions.inc\"); - require_once(\"/usr/local/pkg/apache_mod_security.inc\"); - apache_mod_security_stop(); - ?> -ENDPHP\n"; - write_rcfile(array( "file" => $filename, "start" => $start, 
@@ -94,148 +62,93 @@ ENDPHP\n"; // Deinstall package routines function apache_mod_security_deinstall() { + if (is_dir("/usr/local/apachemodsecurity")) { + mwexec("/bin/rm -rf /usr/local/apachemodsecurity"); + } + if (is_dir("/var/db/apachemodsecuritycache")) { + mwexec("/bin/rm -rf /var/db/apachemodsecuritycache"); + } +} + +// Check Apache configuration syntax +function apache_mod_security_checkconfig() { global $config, $g; - apache_mod_security_stop(); - exec("/bin/rm -rf /usr/local/apachemodsecurity"); - exec("/bin/rm -f /usr/local/etc/rc.d/apache_mod_security.sh"); + $status = mwexec(APACHEDIR . "/sbin/httpd -t"); + if ($status) { + $input_errors[] = "[apache_mod_security]: There was an error parsing the Apache configuration: {$status}"; + log_error("[apache_mod_security]: There was an error parsing the Apache configuration: {$status}"); + } +} + +// Restart service function +function apache_mod_security_restart() { + if (is_process_running("httpd")) { + mwexec(APACHEDIR . "/sbin/httpd -k graceful"); + } else { + start_service("apache_mod_security"); + } } // Regenerate apache configuration and handle server restart function apache_mod_security_resync() { global $config, $g; - apache_mod_security_install(); - if(!file_exists(rules_directory . "/10_asl_rules.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/10_asl_rules.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/10_asl_rules.conf"); - if(!file_exists(rules_directory . "/a_exclude.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/a_exclude.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/a_exclude.conf"); - if(!file_exists(rules_directory . "/blacklist.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/blacklist.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/blacklist.conf"); - if(!file_exists(rules_directory . "/default.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . 
"/rules/default.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/default.conf"); - if(!file_exists(rules_directory . "/recons.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/recons.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/recons.conf"); - if(!file_exists(rules_directory . "/rootkits.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/rootkits.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/rootkits.conf"); - if(!file_exists(rules_directory . "/useragents.conf")) - exec("/usr/bin/fetch -q -o " . rules_directory . "/useragents.conf https://packages.pfsense.org/packages/config/apache_mod_security/rules/useragents.conf"); + generate_apache_configuration(); apache_mod_security_checkconfig(); apache_mod_security_restart(); } -function apache_mod_security_checkconfig() { - global $config, $g; - $status = mwexec("/usr/local/sbin/httpd -t"); - if($status) { - $input_error = "apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"; - log_error("apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"); - } -} - // Generate mod_proxy specific configuration function generate_apache_configuration() { - global $config, $g; - $mod_proxy = ""; + global $config, $g, $modsec_config; + $modsec_config =& $config['installedpackages']['apachemodsecuritysettings']['config'][0]; // Set global site e-mail - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']) { - $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']; - } else { - $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com"; - $global_site_email = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalsiteadminemail']; - // update configuration with default 
value in this case - write_config($pkg['addedit_string']); - log_error("WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address."); - } + $global_site_email = $modsec_config['globalsiteadminemail'] ?: "admin@example.com"; // Set ServerName - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']) { - $servername = "ServerName {$config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname']}\n"; + if ($modsec_config['hostname']) { + $servername = "ServerName {$modsec_config['hostname']}\n"; } else { - $servername = "ServerName " . `hostname` . "\n"; - $config['installedpackages']['apachemodsecuritysettings']['config'][0]['hostname'] = `hostname`; - // update configuration with default value in this case - write_config($pkg['addedit_string']); + $servername = "ServerName " . $config['system']['hostname'] . "\n"; } // Set global listening directive and ensure nothing is listening on this port already - $globalbind = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; - $socksstat = split("\n", `/usr/bin/sockstat | awk '{ print $6 }' | grep ":{$globalbind}" | cut -d ":" -f2`); - if(is_array($socksstat)) { - foreach($socksstat as $ss) { - if($ss == $globalbind) { - $already_binded = true; - $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}"; - } - } + $global_listen = $modsec_config['globalbindtoipaddr'] ?: ""; + if ($modsec_config['globalbindtoport']) { + $global_listen .= ":" . 
$modsec_config['globalbindtoport']; + } else { + $global_listen .= ":80"; } -// if(!$already_binded) { - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']) { - $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) - $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; - else - $global_listen .= ":80"; - } else { - $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr'] = ""; - $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; - // update configuration with default value in this case - write_config($pkg['addedit_string']); - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) - $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; - else - $global_listen .= ":80"; - } -// } else { -// log_error("Could not start mod_security + mod_proxy on port {$global_listen}. Process is already bound to this port."); -// } - + // Setup mem_cache - if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) { - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache']) { - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']) - $mcachesize = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']; - else - $mcachesize = "100"; - //$mem_cache = "MCacheSize $mcachesize\n"; + if (file_exists(APACHEDIR . "/libexec/" . APACHEVERSION . 
"/mod_mem_cache.so")) { + if ($modsec_config['mod_mem_cache']) { + $mcachesize = $modsec_config['mod_mem_cache_size'] ?: "100"; + $mem_cache = "MCacheSize $mcachesize\n"; } } - // CacheRoot Directive - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_disk_cache']) { + // Setup mod_disk_cache + if ($modsec_config['mod_disk_cache']) { safe_mkdir("/var/db/apachemodsecuritycache"); $cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n"; + $dcachemaxfilesize = $modsec_config['mod_disk_cache_max_filesize'] ?: "1000000"; + $disk_cache = "CacheMaxFileSize $dcachemaxfilesize\n"; } // SecRequestBodyInMemoryLimit Directive - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit']) - $secrequestbodyinmemorylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit']; - else - $secrequestbodyinmemorylimit = "131072"; + $secrequestbodyinmemorylimit = $modsec_config['secrequestbodyinmemorylimit'] ?: "131072"; // SecRequestBodyLimit - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit']) - $secrequestbodylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit']; - else - $secrequestbodylimit = "10485760"; + $secrequestbodylimit = $modsec_config['secrequestbodylimit'] ?: "10485760"; // ErrorDocument - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['errordocument']) - $errordocument = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['errordocument']; - else - $errordocument = ""; + $errordocument = isset($modsec_config['errordocument_custom']) ? 
preg_replace("/\r\n/", "\n", base64_decode($modsec_config['errordocument_custom'])) : ""; // SecAuditEngine - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine']) - $secauditengine = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine']; - else - $secauditengine = "RelevantOnly"; - - // SecReadStateLimit - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit']) - $secreadstatelimit = "SecReadStateLimit " . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'] ."\n"; - else - $secreadstatelimit = ""; + $secauditengine = $modsec_config['secauditengine'] ?: "RelevantOnly"; + $mod_proxy = ""; $mod_proxy .= <<<EOF # Off when using ProxyPass @@ -248,7 +161,7 @@ ProxyRequests off EOF; - /* + /* ##################################################### # Format for the Proxy servers: # Please do not delete these from the source file 
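Review bot: `apache_mod_security_checkconfig()` still throws its result away — `$input_errors[]` is a local nobody reads and the function returns nothing — yet `apache_mod_security_resync()` calls `apache_mod_security_restart()` unconditionally right after it, so a generated httpd.conf that fails `httpd -t` is logged and then `httpd -k graceful`/`start_service()` is attempted anyway, leaving the proxy down with no GUI feedback. Make the check return the outcome, `return ($status == 0);`, and gate the restart in resync with `if (apache_mod_security_checkconfig()) { apache_mod_security_restart(); }`. Two other behaviour changes in this hunk deserve a word in the commit message: deinstall no longer stops httpd before the `rm -rf` (presumably pkg-utils now does that), and resync no longer fetches the bundled rule files, so `RULES_DIR` holds only what the admin drops in. Also, every settings value (`hostname`, `mod_mem_cache_size`, `secrequestbodylimit`, the `?:` defaults) is interpolated into httpd.conf verbatim; unless apache_mod_security_settings.xml validates them, a stray space or quote in a field breaks the whole server config.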
@@ -281,36 +194,37 @@ EOF; $configuredaliases = array(); // Read already configured addresses - if($config['installedpackages']['apachemodsecuritysettings']['config']['0']) { - foreach($config['installedpackages']['apachemodsecuritysettings']['config']['0']['row'] as $row) { + if ($modsec_config) { + foreach ($modsec_config['row'] as $row) { if ($row['ipaddress'] && $row['ipport']) { - $configuredaliases[] = $row; + $configuredaliases[] = $row; } } - } + } // clear list of bound addresses - $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'] = array(); + $modsec_config['row'] = array(); // Process proxy sites // Configure NameVirtualHost directives $aliases = ""; $processed = array(); - if($config['installedpackages']['apachemodsecurity']) { + if ($config['installedpackages']['apachemodsecurity']) { foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { - if($ams['ipaddress'] && $ams['port']) + if ($ams['ipaddress'] && $ams['port']) { $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else + } else { $local_ip_port = $global_listen; + } // Do not add entries twice. - if(!in_array($local_ip_port, $processed)) { + if (!in_array($local_ip_port, $processed)) { // explicit bind if not global ip:port if ($local_ip_port != $global_listen) { $aliases .= "Listen $local_ip_port\n"; // Automatically add this to configuration - $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); + $modsec_config['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); } $mod_proxy .= "NameVirtualHost $local_ip_port\n"; $processed[] = $local_ip_port; 
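Review bot: `Listen $local_ip_port` and `NameVirtualHost $local_ip_port` are assembled directly from `$ams['ipaddress']` and `$ams['port']` with no check in this function, so a malformed or non-local address in one site entry yields a config `httpd -t` rejects for every site, and an IPv6 address would need brackets here. I cannot see whether apache_mod_security.xml validates those fields; if it does not, guard the bind with `if (is_ipaddr($ams['ipaddress']) && is_port($ams['port']))` before appending the Listen line and fall back to `$global_listen` otherwise. Note the hunk also clears `$modsec_config['row']` through the `=&` reference into `$config`; whether the rebuilt rows are ever written back is decided outside this hunk.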
@@ -318,36 +232,34 @@ EOF; } } -//** Uncomment to allow adding ip/ports not used by any site proxies -//** Otherwise unused addresses/ports will be automatically deleted from the configuration -// foreach ($configuredaliases as $ams) { -// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; -// if(!in_array($local_ip_port, $processed)) { -// // explicit bind if not global ip:port -// if ($local_ip_port != $global_listen) { -// $aliases .= "Listen $local_ip_port\n"; -// // Automatically add this to configuration -// $config['installedpackages']['apachemodsecuritysettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); -// } -// } -// } - - // update configuration with actual ip bindings - write_config($pkg['addedit_string']); - +/* Uncomment to allow adding ip/ports not used by any site proxies */ +/* Otherwise unused addresses/ports will be automatically deleted from the configuration */ +/* + foreach ($configuredaliases as $ams) { + $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; + if (!in_array($local_ip_port, $processed)) { + // explicit bind if not global ip:port + if ($local_ip_port != $global_listen) { + $aliases .= "Listen $local_ip_port\n"; + // Automatically add this to configuration + $modsec_config['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); + } + } + } +*/ // Setup mod_proxy entries $mod_proxy - if($config['installedpackages']['apachemodsecurity']) { - foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + if ($config['installedpackages']['apachemodsecurity']) { + foreach ($config['installedpackages']['apachemodsecurity']['config'] as $ams) { // Set rowhelper used variables $additionalsitehostnames = ""; foreach($ams['row'] as $row) { if ($row['additionalsitehostnames']) { $additionalsitehostnames .= "{$row['additionalsitehostnames']} "; - } - } - $backend_sites = ""; - $sslproxyengine = ""; + } + } + $backend_sites = ""; + 
$sslproxyengine = ""; $backend_sites_count = 0; $balancer_members = ""; // not technically needed. foreach($ams['row'] as $row) { @@ -360,10 +272,10 @@ EOF; // Ensure leading http(s):// $normalised_ipaddr .= "http://"; } - $normalised_ipaddr .= trim($row['webserveripaddr']); + $normalised_ipaddr .= trim($row['webserveripaddr']); $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n"; // Ensure trailing / - if(substr($normalised_ipaddr,-1) != "/") { + if (substr($normalised_ipaddr,-1) != "/") { $normalised_ipaddr .= "/"; } $backend_sites .= $normalised_ipaddr . " "; @@ -371,20 +283,23 @@ EOF; } } // Set general items - if($ams['siteemail']) + if ($ams['siteemail']) { $serveradmin = $ams['siteemail']; - else + } else { $serveradmin = $global_site_email; - if($ams['primarysitehostname']) + } + if ($ams['primarysitehostname']) { $primarysitehostname = $ams['primarysitehostname']; - $sitename = str_replace(" ", "", $ams['sitename']); + } + $sitename = str_replace(" ", "", $ams['sitename']); // Set local listening directive - if($ams['ipaddress'] && $ams['port']) + if ($ams['ipaddress'] && $ams['port']) { $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else + } else { $local_ip_port = $global_listen; + } // Is this item a load balancer - if($backend_sites_count>1) { + if ($backend_sites_count > 1) { $balancer = true; $mod_proxy .= "<Proxy balancer://{$sitename}>\n"; $mod_proxy .= $balancer_members; 
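Review bot: The `write_config()` that used to persist the rebuilt `$modsec_config['row']` bindings is removed here, but the rows are still rewritten in memory via the reference taken earlier in `generate_apache_configuration()`, so the "Automatically add this to configuration" entries now exist only for the lifetime of the request. If resync runs after the GUI's own save (as pfSense package hooks normally do), the auto-added rows never reach config.xml; either drop the in-memory rewrite or restore one `write_config("apache_mod_security: updated listen addresses");` after the address loop. The function starts before this hunk and the `foreach($ams['row'] …)` body runs past it.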
@@ -393,63 +308,76 @@ EOF; $sitename = ""; // we are not using sitename in this case } // Set SSL items - if($ams['siteurl']) + if ($ams['siteurl']) { $siteurl = $ams['siteurl']; - if($ams['certificatefile']) + } + if ($ams['certificatefile']) { $certificatefile = $ams['certificatefile']; - if($ams['certificatekeyfile']) + } + if ($ams['certificatekeyfile']) { $certificatekeyfile = $ams['certificatekeyfile']; - if($ams['certificatechainfile']) + } + if ($ams['certificatechainfile']) { $certificatechainfile = $ams['certificatechainfile']; + } // Begin VirtualHost $mod_proxy .= "\n<VirtualHost {$local_ip_port}>\n"; - if($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) { + if ($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) { $mod_proxy .= " SSLEngine on\n"; - if ($certificatefile) - $mod_proxy .= " SSLCertificateFile /usr/local/etc/apache22/$certificatefile\n"; - if ($certificatekeyfile) - $mod_proxy .= " SSLCertificateKeyFile /usr/local/etc/apache22/$certificatekeyfile\n"; - if ($certificatechainfile) - $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n"; + if ($certificatefile) { + $mod_proxy .= " SSLCertificateFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatefile}\n"; + } + if ($certificatekeyfile) { + $mod_proxy .= " SSLCertificateKeyFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatekeyfile}\n"; + } + if ($certificatechainfile) { + $mod_proxy .= " SSLCertificateChainFile " . APACHEDIR . "/etc" . APACHEVERSION . 
"/{$certificatechainfile}\n"; + } } - if($sslproxyengine) + if ($sslproxyengine) { $mod_proxy .= " {$sslproxyengine}\n"; - if($additionalsitehostnames) - $mod_proxy .= " ServerAlias $additionalsitehostnames\n"; - if($serveradmin) - $mod_proxy .= " ServerAdmin $serveradmin\n"; - if($primarysitehostname) - $mod_proxy .= " ServerName $primarysitehostname \n"; - if($backend_sites) { + } + if ($additionalsitehostnames) { + $mod_proxy .= " ServerAlias {$additionalsitehostnames}\n"; + } + if ($serveradmin) { + $mod_proxy .= " ServerAdmin {$serveradmin}\n"; + } + if ($primarysitehostname) { + $mod_proxy .= " ServerName {$primarysitehostname} \n"; + } + if ($backend_sites) { $mod_proxy .= " ProxyPassReverse /{$sitename} {$backend_sites}\n"; $mod_proxy .= " ProxyPass / {$backend_sites}\n"; } - if($ams['preserveproxyhostname']) + if ($ams['preserveproxyhostname']) { $mod_proxy .= " ProxyPreserveHost on\n"; + } $mod_proxy .= "</VirtualHost>\n\n"; - // End VirtualHost + // End VirtualHost } } - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom']) - $mod_security_custom = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom']; - - // Process and include rules - if(is_dir(rules_directory)) { - $mod_security_rules = ""; - $files = return_dir_as_array(rules_directory); - foreach($files as $file) { - if(file_exists(rules_directory . "/" . $file)) { - // XXX: TODO integrate snorts rule on / off thingie - $file_txt = file_get_contents(rules_directory . "/" . $file); - $mod_security_rules .= $file_txt . "\n"; + + // Mod_security enabled? + if ($modsec_config['enablemodsecurity']) { + + // Process and include rules + if (is_dir(RULES_DIR)) { + $mod_security_rules = ""; + $files = return_dir_as_array(RULES_DIR); + foreach ($files as $file) { + if (file_exists(RULES_DIR . "/" . $file)) { + // XXX: TODO integrate snorts rule on / off thingie + $file_txt = file_get_contents(RULES_DIR . "/" . 
$file); + $mod_security_rules .= $file_txt . "\n"; + } } } - } - // Mod_security enabled? - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['enablemodsecurity']) { - $enable_mod_security = true; + // Custom mod_security rules + $mod_security_custom = isset($modsec_config['modsecuritycustom_adv']) ? preg_replace("/\r\n/", "\n", base64_decode($modsec_config['modsecuritycustom_adv'])) : ""; + $mod_security = <<< EOF <IfModule mod_security.c> @@ -490,9 +418,6 @@ EOF; # Only allow bytes from this range SecFilterForceByteRange 1 255 - # Help prevent the effects of a Slowloris-type of attack - # $secreadstatelimit - # Cookie format checks. SecFilterCheckCookieFormat On @@ -511,9 +436,13 @@ EOF; } -if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) - $mod_mem_cacheLoad = "Module mem_cache_module libexec/apache22/mod_mem_cache.so\n"; - + // Cannot use constants to replace stuff in the template + $apache_dir = APACHEDIR; + $apache_version = APACHEVERSION; + if (file_exists(APACHEDIR . "/libexec/" . APACHEVERSION . "/mod_mem_cache.so")) { + $mod_mem_cache = "LoadModule mem_cache_module libexec/{$apache_version}/mod_mem_cache.so\n"; + } + $apache_config = <<<EOF ################################################################################## # NOTE: This file was generated by the pfSense package management system. # 
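Review bot: The `SSLCertificateChainFile` line is missing the separator between `/etc` and the Apache version — `APACHEDIR . "/etc" . APACHEVERSION` produces `…/etcapache22/<chain>` — so any site with a chain file fails `httpd -t`, while the cert and key lines correctly use `"/etc/" . APACHEVERSION`; fix it to `$mod_proxy .= " SSLCertificateChainFile " . APACHEDIR . "/etc/" . APACHEVERSION . "/{$certificatechainfile}\n";`. The rewrite also keeps two pre-existing weaknesses: `$siteurl`, `$certificatefile`, `$certificatekeyfile` and `$certificatechainfile` are set only when truthy and never reset, so a plain-HTTP site listed after an HTTPS one inherits its certificate settings and gets `SSLEngine on`; and the vhost sets no `SSLProtocol`/`SSLCipherSuite`, leaving the Apache 2.2 defaults (which on that release presumably still accept SSLv3) in force. Initialise those four variables to `""` at the top of each loop iteration and add `SSLProtocol all -SSLv2 -SSLv3` inside the SSLEngine block. The enclosing foreach begins before this hunk.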
@@ -526,13 +455,13 @@ if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) # This is the main Apache HTTP server configuration file. It contains the # configuration directives that give the server its instructions. # See <URL:http://httpd.apache.org/docs/2.2> for detailed information. -# In particular, see +# In particular, see # <URL:http://httpd.apache.org/docs/2.2/mod/directives.html> # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. +# consult the online docs. You have been warned. # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the @@ -550,14 +479,14 @@ if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) # at a local disk. If you wish to share the same ServerRoot for multiple # httpd daemons, you will need to change at least LockFile and PidFile. # -ServerRoot "/usr/local" +ServerRoot "{$apache_dir}" # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # -# Change this to Listen on specific IP addresses as shown below to +# Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # Listen {$global_listen} 
@@ -577,67 +506,67 @@ Listen {$global_listen} # # have to place corresponding `LoadModule' lines at this location so the # LoadModule foo_module modules/mod_foo.so -LoadModule authn_file_module libexec/apache22/mod_authn_file.so -LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so -LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so -LoadModule authn_default_module libexec/apache22/mod_authn_default.so -LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so -LoadModule authz_host_module libexec/apache22/mod_authz_host.so -LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so -LoadModule authz_user_module libexec/apache22/mod_authz_user.so -LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so -LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so -LoadModule authz_default_module libexec/apache22/mod_authz_default.so -LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so -LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so -LoadModule file_cache_module libexec/apache22/mod_file_cache.so -LoadModule cache_module libexec/apache22/mod_cache.so -LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so -LoadModule dumpio_module libexec/apache22/mod_dumpio.so -LoadModule include_module libexec/apache22/mod_include.so -LoadModule filter_module libexec/apache22/mod_filter.so -LoadModule charset_lite_module libexec/apache22/mod_charset_lite.so -LoadModule deflate_module libexec/apache22/mod_deflate.so -LoadModule log_config_module libexec/apache22/mod_log_config.so -LoadModule logio_module libexec/apache22/mod_logio.so -LoadModule env_module libexec/apache22/mod_env.so -LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so -LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so -LoadModule expires_module libexec/apache22/mod_expires.so -LoadModule headers_module libexec/apache22/mod_headers.so -LoadModule usertrack_module libexec/apache22/mod_usertrack.so 
-LoadModule unique_id_module libexec/apache22/mod_unique_id.so -LoadModule setenvif_module libexec/apache22/mod_setenvif.so -LoadModule version_module libexec/apache22/mod_version.so -LoadModule proxy_module libexec/apache22/mod_proxy.so -LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so -LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so -LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so -LoadModule proxy_ajp_module libexec/apache22/mod_proxy_ajp.so -LoadModule proxy_balancer_module libexec/apache22/mod_proxy_balancer.so -LoadModule ssl_module libexec/apache22/mod_ssl.so -LoadModule mime_module libexec/apache22/mod_mime.so -LoadModule status_module libexec/apache22/mod_status.so -LoadModule autoindex_module libexec/apache22/mod_autoindex.so -LoadModule asis_module libexec/apache22/mod_asis.so -LoadModule info_module libexec/apache22/mod_info.so -LoadModule cgi_module libexec/apache22/mod_cgi.so -LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so -LoadModule negotiation_module libexec/apache22/mod_negotiation.so -LoadModule dir_module libexec/apache22/mod_dir.so -LoadModule imagemap_module libexec/apache22/mod_imagemap.so -LoadModule actions_module libexec/apache22/mod_actions.so -LoadModule speling_module libexec/apache22/mod_speling.so -LoadModule userdir_module libexec/apache22/mod_userdir.so -LoadModule alias_module libexec/apache22/mod_alias.so -LoadModule rewrite_module libexec/apache22/mod_rewrite.so +LoadModule authn_file_module libexec/{$apache_version}/mod_authn_file.so +LoadModule authn_dbm_module libexec/{$apache_version}/mod_authn_dbm.so +LoadModule authn_anon_module libexec/{$apache_version}/mod_authn_anon.so +LoadModule authn_default_module libexec/{$apache_version}/mod_authn_default.so +LoadModule authn_alias_module libexec/{$apache_version}/mod_authn_alias.so +LoadModule authz_host_module libexec/{$apache_version}/mod_authz_host.so +LoadModule authz_groupfile_module 
libexec/{$apache_version}/mod_authz_groupfile.so +LoadModule authz_user_module libexec/{$apache_version}/mod_authz_user.so +LoadModule authz_dbm_module libexec/{$apache_version}/mod_authz_dbm.so +LoadModule authz_owner_module libexec/{$apache_version}/mod_authz_owner.so +LoadModule authz_default_module libexec/{$apache_version}/mod_authz_default.so +LoadModule auth_basic_module libexec/{$apache_version}/mod_auth_basic.so +LoadModule auth_digest_module libexec/{$apache_version}/mod_auth_digest.so +LoadModule file_cache_module libexec/{$apache_version}/mod_file_cache.so +LoadModule cache_module libexec/{$apache_version}/mod_cache.so +LoadModule disk_cache_module libexec/{$apache_version}/mod_disk_cache.so +LoadModule dumpio_module libexec/{$apache_version}/mod_dumpio.so +LoadModule include_module libexec/{$apache_version}/mod_include.so +LoadModule filter_module libexec/{$apache_version}/mod_filter.so +LoadModule charset_lite_module libexec/{$apache_version}/mod_charset_lite.so +LoadModule deflate_module libexec/{$apache_version}/mod_deflate.so +LoadModule log_config_module libexec/{$apache_version}/mod_log_config.so +LoadModule logio_module libexec/{$apache_version}/mod_logio.so +LoadModule env_module libexec/{$apache_version}/mod_env.so +LoadModule mime_magic_module libexec/{$apache_version}/mod_mime_magic.so +LoadModule cern_meta_module libexec/{$apache_version}/mod_cern_meta.so +LoadModule expires_module libexec/{$apache_version}/mod_expires.so +LoadModule headers_module libexec/{$apache_version}/mod_headers.so +LoadModule usertrack_module libexec/{$apache_version}/mod_usertrack.so +LoadModule unique_id_module libexec/{$apache_version}/mod_unique_id.so +LoadModule setenvif_module libexec/{$apache_version}/mod_setenvif.so +LoadModule version_module libexec/{$apache_version}/mod_version.so +LoadModule proxy_module libexec/{$apache_version}/mod_proxy.so +LoadModule proxy_connect_module libexec/{$apache_version}/mod_proxy_connect.so +LoadModule proxy_ftp_module 
libexec/{$apache_version}/mod_proxy_ftp.so +LoadModule proxy_http_module libexec/{$apache_version}/mod_proxy_http.so +LoadModule proxy_ajp_module libexec/{$apache_version}/mod_proxy_ajp.so +LoadModule proxy_balancer_module libexec/{$apache_version}/mod_proxy_balancer.so +LoadModule ssl_module libexec/{$apache_version}/mod_ssl.so +LoadModule mime_module libexec/{$apache_version}/mod_mime.so +LoadModule status_module libexec/{$apache_version}/mod_status.so +LoadModule autoindex_module libexec/{$apache_version}/mod_autoindex.so +LoadModule asis_module libexec/{$apache_version}/mod_asis.so +LoadModule info_module libexec/{$apache_version}/mod_info.so +LoadModule cgi_module libexec/{$apache_version}/mod_cgi.so +LoadModule vhost_alias_module libexec/{$apache_version}/mod_vhost_alias.so +LoadModule negotiation_module libexec/{$apache_version}/mod_negotiation.so +LoadModule dir_module libexec/{$apache_version}/mod_dir.so +LoadModule imagemap_module libexec/{$apache_version}/mod_imagemap.so +LoadModule actions_module libexec/{$apache_version}/mod_actions.so +LoadModule speling_module libexec/{$apache_version}/mod_speling.so +LoadModule userdir_module libexec/{$apache_version}/mod_userdir.so +LoadModule alias_module libexec/{$apache_version}/mod_alias.so +LoadModule rewrite_module libexec/{$apache_version}/mod_rewrite.so {$mod_mem_cache} <IfModule !mpm_netware_module> <IfModule !mpm_winnt_module> # # If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. +# httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for 
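Review bot: The rewritten LoadModule list still loads modules a mod_security reverse proxy never needs and that only widen the attack surface — `mod_proxy_connect` (CONNECT tunnels), `mod_proxy_ftp`, `mod_cgi`, `mod_userdir`, `mod_autoindex`, `mod_info`, `mod_status`, `mod_include`, `mod_asis`, `mod_imagemap`. `ProxyRequests off` earlier in this file keeps CONNECT from being forwarded, but since every line here is touched anyway this is the moment to drop those `LoadModule` lines (or put them behind a settings toggle) rather than carry them into the new path layout. The `<IfModule !mpm_*>` block that follows runs past the end of the hunk.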
@@ -682,15 +611,15 @@ ServerAdmin {$global_site_email} # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # -DocumentRoot "/usr/local/apachemodsecurity" +DocumentRoot "{$apache_dir}/www/{$apache_version}" # # Each directory to which Apache has access can be configured with respect # to which services and features are allowed and/or disabled in that -# directory (and its subdirectories). +# directory (and its subdirectories). # -# First, we configure the "default" to be a very restrictive set of -# features. +# First, we configure the "default" to be a very restrictive set of +# features. # <Directory /> AllowOverride None @@ -708,7 +637,7 @@ DocumentRoot "/usr/local/apachemodsecurity" # # This should be changed to whatever you set DocumentRoot to. # -#<Directory "/usr/local/www/apachemodsecurity/"> +#<Directory "{$apache_dir}/www/apachemodsecurity/"> # # # # Possible values for the Options directive are "None", "All", # # or any combination of: @@ -747,8 +676,8 @@ DocumentRoot "/usr/local/apachemodsecurity" #</IfModule> # # -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. # #<FilesMatch "^\.ht"> # Order allow,deny @@ -803,8 +732,8 @@ LogLevel warn #<IfModule alias_module> # # -# # Redirect: Allows you to tell clients about documents that used to -# # exist in your server's namespace, but do not anymore. The client +# # Redirect: Allows you to tell clients about documents that used to +# # exist in your server's namespace, but do not anymore. The client # # will make a new request for the document at its new location. # # Example: # # Redirect permanent /foo http://www.example.com/bar 
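Review bot: The commented-out `#<Directory "{$apache_dir}/www/apachemodsecurity/">` in the second hunk still names the old package directory, while `DocumentRoot` in the first hunk now points at `{$apache_dir}/www/{$apache_version}`; the comment right above it says it should match DocumentRoot, so it should read `#<Directory "{$apache_dir}/www/{$apache_version}/">`. DocumentRoot now resolves to the stock Apache document tree rather than the package's own directory; if that is deliberate for a reverse-proxy deployment, a one-line comment beside the directive saying so would stop the next reader from treating it as a leftover. These lines sit inside a heredoc whose enclosing function starts and ends outside this hunk.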
@@ -821,14 +750,14 @@ LogLevel warn # # the filesystem path. # # # -# # ScriptAlias: This controls which directories contain server scripts. +# # ScriptAlias: This controls which directories contain server scripts. # # ScriptAliases are essentially the same as Aliases, except that # # documents in the target directory are treated as applications and # # run by the server when requested rather than as documents sent to the # # client. The same rules about trailing "/" apply to ScriptAlias # # directives as to Alias. # # -# ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/" +# ScriptAlias /cgi-bin/ "{$apache_dir}/www/{$apache_version}/cgi-bin/" # #</IfModule> @@ -844,7 +773,7 @@ LogLevel warn # "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. # -#<Directory "/usr/local/www/apache22/cgi-bin"> +#<Directory "{$apache_dir}/www/{$apache_version}/cgi-bin"> # AllowOverride None # Options None # Order allow,deny @@ -867,7 +796,7 @@ DefaultType text/plainm # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. # - TypesConfig etc/apache22/mime.types + TypesConfig etc/{$apache_version}/mime.types # # AddType allows you to add to or override the MIME configuration @@ -915,7 +844,7 @@ DefaultType text/plainm # contents of the file itself to determine its type. The MIMEMagicFile # directive tells the module where the hint definitions are located. # -#MIMEMagicFile etc/apache22/magic +#MIMEMagicFile etc/{$apache_version}/magic # # Customizable error responses come in three flavors: 
@@ -932,10 +861,10 @@ DefaultType text/plainm # # -# EnableMMAP and EnableSendfile: On systems that support it, +# EnableMMAP and EnableSendfile: On systems that support it, # memory-mapping or the sendfile syscall is used to deliver # files. This usually improves server performance, but must -# be turned off when serving from networked-mounted +# be turned off when serving from networked-mounted # filesystems or if support for these functions is otherwise # broken on your system. # 
@@ -944,43 +873,43 @@ DefaultType text/plainm # Supplemental configuration # -# The configuration files in the etc/apache22/extra/ directory can be -# included to add extra features or to modify the default configuration of -# the server, or you may simply copy their contents here and change as +# The configuration files in the etc/{$apache_version}/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as # necessary. # Server-pool management (MPM specific) -#Include etc/apache22/extra/httpd-mpm.conf +#Include etc/{$apache_version}/extra/httpd-mpm.conf # Multi-language error messages -#Include etc/apache22/extra/httpd-multilang-errordoc.conf +#Include etc/{$apache_version}/extra/httpd-multilang-errordoc.conf # Fancy directory listings -#Include etc/apache22/extra/httpd-autoindex.conf +#Include etc/{$apache_version}/extra/httpd-autoindex.conf # Language settings -#Include etc/apache22/extra/httpd-languages.conf +#Include etc/{$apache_version}/extra/httpd-languages.conf # User home directories -#Include etc/apache22/extra/httpd-userdir.conf +#Include etc/{$apache_version}/extra/httpd-userdir.conf # Real-time info on requests and configuration -#Include etc/apache22/extra/httpd-info.conf +#Include etc/{$apache_version}/extra/httpd-info.conf # Virtual hosts -#Include etc/apache22/extra/httpd-vhosts.conf +#Include etc/{$apache_version}/extra/httpd-vhosts.conf # Local access to the Apache HTTP Server Manual -#Include etc/apache22/extra/httpd-manual.conf +#Include etc/{$apache_version}/extra/httpd-manual.conf # Distributed authoring and versioning (WebDAV) -#Include etc/apache22/extra/httpd-dav.conf +#Include etc/{$apache_version}/extra/httpd-dav.conf # Various default settings -#Include etc/apache22/extra/httpd-default.conf +#Include etc/{$apache_version}/extra/httpd-default.conf # Secure (SSL/TLS) connections -#Include etc/apache22/extra/httpd-ssl.conf 
+#Include etc/{$apache_version}/extra/httpd-ssl.conf # # Note: The following must must be present to support # starting without SSL on platforms with no /dev/random equivalent @@ -993,6 +922,7 @@ SSLRandomSeed connect builtin # Cache settings {$mem_cache} +{$disk_cache} {$cache_root} # Mod security @@ -1002,16 +932,13 @@ SSLRandomSeed connect builtin {$mod_proxy} # Include anything else -Include etc/apache22/Includes/*.conf +Include etc/{$apache_version}/Includes/*.conf EOF; - if (!is_dir('/usr/local/etc/apache22')) { - mkdir('/usr/local/etc/apache22', 0775, true); - } - $fd = fopen("/usr/local/etc/apache22/httpd.conf", "w"); - if(!$fd) { + + $fd = fopen(APACHEDIR . "/etc/". APACHEVERSION . "/httpd.conf", "w"); + if (!$fd) { $error_text = "Could not open httpd.conf for writing!"; - echo $error_text; log_error($error_text); exit; } 
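Review bot: The `is_dir`/`mkdir` guard that preceded the old `fopen` is dropped, so `$fd = fopen(APACHEDIR . "/etc/". APACHEVERSION . "/httpd.conf", "w")` now relies on the directory already existing, and when it does not the function logs and then calls `exit`, which terminates whatever install or resync request invoked it instead of surfacing the failure. Keep a `safe_mkdir(APACHEDIR . "/etc/" . APACHEVERSION);` in front of the `fopen`, and prefer `return false;` after `log_error` so the caller can decide what to do. The `"/etc/". APACHEVERSION` concatenation is also missing the space after the string that the rest of the expression uses. The enclosing function starts before this hunk and its `fclose` is in the next one.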
@@ -1019,4 +946,65 @@ EOF;
 fclose($fd);
 }
 
+function apache_mod_security_upgrade_config() {
+ global $config, $modsec_config;
+ $modsec_config =& $config['installedpackages']['apachemodsecuritysettings']['config'][0];
+ $changes = 0;
+ if (!is_array($modsec_config)) {
+ $modsec_config = array();
+ }
+ if (isset($modsec_config['modsecuritycustom'])) {
+ $modsec_config['modsecuritycustom_adv'] = base64_encode($modsec_config['modsecuritycustom']);
+ unset($modsec_config['modsecuritycustom']);
+ $changes++;
+ }
+ if (isset($modsec_config['errordocument'])) {
+ $modsec_config['errordocument_custom'] = base64_encode($modsec_config['errordocument']);
+ unset($modsec_config['errordocument']);
+ $changes++;
+ }
+ if ($changes > 0 ) {
+ write_config("[apache_mod_security] Upgraded old package configuration.");
+ }
+}
+
+function apache_mod_security_validate_input($post, &$input_errors) {
+ if (!empty($post['hostname'])) {
+ if (!is_hostname($post['hostname'])) {
+ $input_errors[] = "'Server Hostname' must be either empty, or a valid hostname.";
+ }
+ }
+ if (!empty($post['globalbindtoipaddr'])) {
+ if (!is_ipaddr($post['globalbindtoipaddr'])) {
+ $input_errors[] = "'Default Bind to IP Address' must be either empty, or a valid IP address.";
+ }
+ }
+ if (!empty($post['globalbindtoport'])) {
+ if (!is_port($post['globalbindtoport'])) {
+ $input_errors[] = "'Default Bind to Port' must be either empty, or a valid port.";
+ }
+ }
+ if (!empty($post['mod_mem_cache_size'])) {
+ if (!is_numericint($post['mod_mem_cache_size'])) {
+ $input_errors[] = "'mod_mem_cache Memory Usage' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['mod_disk_cache_max_filesize'])) {
+ if (!is_numericint($post['mod_disk_cache_max_filesize'])) {
+ $input_errors[] = "'mod_disk_cache CacheMaxFileSize' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['SecRequestBodyInMemoryLimit'])) {
+ if (!is_numericint($post['SecRequestBodyInMemoryLimit'])) {
+ $input_errors[] = "'SecRequestBodyInMemoryLimit' must be either empty, or a non-negative integer.";
+ }
+ }
+ if (!empty($post['SecRequestBodyLimit'])) {
+ if (!is_numericint($post['SecRequestBodyLimit'])) {
+ $input_errors[] = "'SecRequestBodyLimit' must be either empty, or a non-negative integer.";
+ }
+ }
+
+}
+
 ?>
diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index 0b973689..ee8c7fbb 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
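Review bot: The last two checks in `apache_mod_security_validate_input` read `$post['SecRequestBodyInMemoryLimit']` and `$post['SecRequestBodyLimit']`, but the settings form posts the lowercase names `secrequestbodyinmemorylimit` and `secrequestbodylimit` (the `<fieldname>` entries in apache_mod_security_settings.xml further down), and PHP array keys are case-sensitive, so those two limits are never validated; change the keys to `$post['secrequestbodyinmemorylimit']` and `$post['secrequestbodylimit']`. The `globalsiteadminemail` field gets no check at all even though it is interpolated into the generated httpd.conf as `ServerAdmin {$global_site_email}`, so at minimum it should be rejected when it contains whitespace or a newline, since either would end up as new text in the config file. Note also that `!empty()` treats the string `"0"` as empty, so a port of `0` bypasses `is_port`; `isset($post['globalbindtoport']) && $post['globalbindtoport'] !== ''` is the safer guard for all of these.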
@@ -1,76 +1,111 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ - /* $Id$ */ - /* ========================================================================== */ - /* - apache_mod_security.xml - part of apache_mod_security package (http://www.pfSense.com) - Copyright (C)2009, 2010 Scott Ullrich - All rights reserved. - */ - /* ========================================================================== */ - /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + <copyright> +<![CDATA[ +/* $Id$ */ +/* ====================================================================================== */ +/* + apache_mod_security.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2009, 2010 Scott Ullrich + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - /* ========================================================================== */ - ]]> - </copyright> + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>apache_mod_security</name> - <version>1.0</version> + <version>0.1.8</version> <title>Services: Mod_Security+Apache+Proxy: Site Proxies</title> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> <menu> <name>Mod_Security+Apache+Proxy</name> <tooltiptext></tooltiptext> <section>Services</section> <configfile>apache_mod_security.xml</configfile> </menu> + <service> + <name>apache_mod_security</name> + <rcfile>apache_mod_security.sh</rcfile> + <executable>httpd</executable> + <description>HTTP Daemon with mod_security</description> + </service> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>0644</chmod> <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>0644</chmod> <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security_settings.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> - <chmod>0644</chmod> <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security_view_logs.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/10_asl_rules.conf</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/a_exclude.conf</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/blacklist.conf</item> + </additional_files_needed> + 
<additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/default.conf</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/recons.conf</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/rootkits.conf</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/apachemodsecurity/rules</prefix> + <item>https://packages.pfsense.org/packages/config/apache_mod_security/rules/useragents.conf</item> + </additional_files_needed> <tabs> <tab> <text>Proxy Server Settings</text> - <url>/pkg_edit.php?xml=apache_mod_security_settings.xml&id=0</url> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> </tab> <tab> <text>Site Proxies</text> <url>/pkg.php?xml=apache_mod_security.xml</url> - <active/> + <active/> </tab> <tab> <text>Logs</text> @@ -79,7 +114,7 @@ </tabs> <adddeleteeditpagefields> <columnitem> - <fielddescr>Site name</fielddescr> + <fielddescr>Site Name</fielddescr> <fieldname>sitename</fieldname> </columnitem> <columnitem> 
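Review bot: The seven new `<additional_files_needed>` entries use `<prefix>/usr/local/apachemodsecurity/rules</prefix>` without a trailing slash, while every other prefix in this file (`/usr/local/pkg/`, `/usr/local/www/`) ends in one; if the installer joins prefix and basename by plain concatenation, the rule files land beside the directory as `rules10_asl_rules.conf` rather than inside it, so use `<prefix>/usr/local/apachemodsecurity/rules/</prefix>`. The `<chmod>0644</chmod>` lines are removed from the existing entries and absent from the new ones, so the mode of every installed file now depends on the installer's default; if that is intended it deserves a sentence in the commit message, otherwise restore them.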
@@ -89,21 +124,21 @@ </adddeleteeditpagefields> <fields> <field> - <fielddescr>Site name</fielddescr> + <fielddescr>Site Name</fielddescr> <fieldname>sitename</fieldname> <description> <![CDATA[ - Enter a short descriptive name for the site. (e.g. intranet) + Enter a short descriptive name for the site. (e.g. intranet) ]]> </description> <type>input</type> </field> <field> - <fielddescr>Site Webmaster E-Mail address</fielddescr> + <fielddescr>Site Webmaster E-Mail Address</fielddescr> <fieldname>siteemail</fieldname> <description> <![CDATA[ - Enter the Webmaster E-Mail address for this site. + Enter the Webmaster E-Mail address for this site. ]]> </description> <type>input</type> @@ -113,10 +148,10 @@ <fieldname>siteurl</fieldname> <description></description> <size>1</size> - <type>select</type> + <type>select</type> <options> - <option><name>HTTP</name><value>HTTP</value></option> - <option><name>HTTPS</name><value>HTTPS</value></option> + <option><name>HTTP</name><value>HTTP</value></option> + <option><name>HTTPS</name><value>HTTPS</value></option> </options> </field> <field> @@ -138,8 +173,8 @@ <fieldname>certificatefile</fieldname> <description> <![CDATA[ - Name of certificate file under /usr/local/apache22/etc/<br/> - (required if Protocol is https) + Name of certificate file under /usr/local/apache22/etc/<br /> + (Required if 'Protocol' is HTTPS.) ]]> </description> <size>40</size> @@ -150,8 +185,8 @@ <fieldname>certificatekeyfile</fieldname> <description> <![CDATA[ - Name of certificate key file under /usr/local/apache22/etc/<br/> - (required if Protocol is https) + Name of certificate key file under /usr/local/apache22/etc/<br /> + (Required if 'Protocol' is HTTPS.) ]]> </description> <size>40</size> 
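Review bot: The help text for `certificatefile` and `certificatekeyfile` still tells the user the file lives under `/usr/local/apache22/etc/`, but the .inc now builds its Apache paths from the `APACHEDIR` constant instead of a fixed `/usr/local` (see the `fopen` on `APACHEDIR . "/etc/". APACHEVERSION` in the .inc hunk above), so the hard-coded directory in the description can drift from where httpd actually looks. State the location relative to the Apache prefix, e.g. `Name of certificate file under the Apache etc/ directory (APACHEDIR/etc/ on this install)`, or derive it from the same constant. The `certificatechainfile` description in the next hunk carries the same text.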
@@ -162,30 +197,30 @@ <fieldname>certificatechainfile</fieldname> <description> <![CDATA[ - Name of certificate chain file under /usr/local/apache22/etc/<br/> - (not required) - ]]> + Name of certificate chain file under /usr/local/apache22/etc/<br /> + (Not required.) + ]]> </description> <size>40</size> <type>input</type> </field> <field> - <fielddescr>Preserve Proxy hostname</fielddescr> + <fielddescr>Preserve Proxy Hostname</fielddescr> <fieldname>preserveproxyhostname</fieldname> <description> <![CDATA[ - When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. + When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. ]]> </description> <type>checkbox</type> </field> <field> - <fielddescr>Primary site hostname</fielddescr> + <fielddescr>Primary Site Hostname</fielddescr> <fieldname>primarysitehostname</fieldname> <description> <![CDATA[ - Enter the primary hostname (FQDN) for this website (e.g. www.example.com)<br/> - Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy) + Enter the primary hostname (FQDN) for this website (e.g. www.example.com).<br /> + Leave blank and define the IP Address / Port above for IP site proxy (i.e. not named site proxy). ]]> </description> <size>40</size> 
@@ -194,37 +229,40 @@ <field> <fielddescr> <![CDATA[ - Backend Web Servers and Additional Site Hostnames + Backend Web Servers and Additional Site Hostnames ]]> </fielddescr> <fieldname>additionalparameters</fieldname> - <type>rowhelper</type> - <rowhelper> + <type>rowhelper</type> + <rowhelper> <rowhelperfield> - <fielddescr>Web server backend URLs</fielddescr> - <fieldname>webserveripaddr</fieldname> - <description>Add each web server IP address here.</description> - <type>input</type> - <size>40</size> + <fielddescr>Web Server Backend URLs</fielddescr> + <fieldname>webserveripaddr</fieldname> + <description>Add each web server IP address here.</description> + <type>input</type> + <size>40</size> </rowhelperfield> <rowhelperfield> - <fielddescr>Additional Site Hostnames (not required)</fielddescr> - <fieldname>additionalsitehostnames</fieldname> - <description>Add each webserver hostname address here.</description> - <type>input</type> - <size>40</size> + <fielddescr>Additional Site Hostnames (Optional)</fielddescr> + <fieldname>additionalsitehostnames</fieldname> + <description>Add each webserver hostname address here.</description> + <type>input</type> + <size>40</size> </rowhelperfield> - </rowhelper> + </rowhelper> </field> </fields> - <service> - <name>apache_mod_security</name> - <rcfile>apache_mod_security.sh</rcfile> - <executable>httpd</executable> - <description>HTTP Daemon with mod_security</description> - </service> + <custom_php_install_command> + apache_mod_security_install(); + apache_mod_security_upgrade_config(); + </custom_php_install_command> + <custom_php_deinstall_command> + apache_mod_security_deinstall(); + </custom_php_deinstall_command> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> - <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file + <custom_php_validation_command> + apache_mod_security_validate_input($_POST, $input_errors); + </custom_php_validation_command> +</packagegui> diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml index 479e7509..c5f1da5c 100644 --- a/config/apache_mod_security/apache_mod_security_settings.xml +++ b/config/apache_mod_security/apache_mod_security_settings.xml 
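Review bot: `custom_php_validation_command` here runs `apache_mod_security_validate_input($_POST, $input_errors)` from the Site Proxies form, but every key that function checks (`hostname`, `globalbindtoipaddr`, `globalbindtoport`, the cache sizes and the request-body limits) belongs to apache_mod_security_settings.xml, so on this page it validates nothing, while the fields this form actually posts — `sitename`, `siteemail`, `primarysitehostname`, `webserveripaddr`, `additionalsitehostnames` — get no checks at all. Unless settings.xml wires the same command up outside this chunk, the call belongs there, and this form needs its own checks, e.g. `is_hostname` on `primarysitehostname` and each `additionalsitehostnames` row. The `webserveripaddr` rowhelper is labelled "Web Server Backend URLs" while its description still says "Add each web server IP address here."; pick one so the user knows whether a bare address or `scheme://host:port` is expected.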
@@ -1,52 +1,57 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - apache_mod_security_settings.xml - part of apache_mod_security package (http://www.pfSense.com) - Copyright (C) 2008, 2009, 2010 Scott Ullrich - All rights reserved. - */ -/* ========================================================================== */ + apache_mod_security_settings.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2008-2010 Scott Ullrich + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>apache_mod_security_settings</name> - <version>1.0</version> + <version>0.1.8</version> <title>Services: Mod_Security+Apache+Proxy: Settings</title> - <aftersaveredirect>pkg_edit.php?xml=apache_mod_security_settings.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> + <aftersaveredirect>pkg_edit.php?xml=apache_mod_security_settings.xml</aftersaveredirect> + <advanced_options>enabled</advanced_options> <tabs> <tab> <text>Proxy Server Settings</text> - <url>/pkg_edit.php?xml=apache_mod_security_settings.xml&id=0</url> - <active/> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + <active/> </tab> <tab> <text>Site Proxies</text> @@ -59,19 +64,23 @@ </tabs> <fields> <field> - <fielddescr>Global site E-mail administrator</fielddescr> + <name>General Proxy Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Global Site Administrator E-Mail Address</fielddescr> <fieldname>globalsiteadminemail</fieldname> - <description>Enter the site administrators e-mail address</description> + <description>Enter the e-mail address of the global site administrator.</description> <type>input</type> + <default_value>admin@example.com</default_value> </field> <field> - <fielddescr>Server hostname</fielddescr> + <fielddescr>Server Hostname</fielddescr> <fieldname>hostname</fieldname> <description> <![CDATA[ - Enter the servers hostname - <br/> - NOTE: Leave blank to use this devices hostname. + Enter the server's hostname.<br /> + NOTE: Leave blank to use the hostname of this device. ]]> </description> <type>input</type> 
@@ -81,47 +90,43 @@ <fieldname>globalbindtoipaddr</fieldname> <description> <![CDATA[ - This is the IP address the Proxy Server will listen on. - <br/> - NOTE: Leave blank to bind to * + This is the IP address the Proxy Server will listen on.<br /> + NOTE: Leave blank to bind to * (any). ]]> </description> <type>input</type> </field> <field> - <fielddescr>Default Bind to port</fielddescr> + <fielddescr>Default Bind to Port</fielddescr> <fieldname>globalbindtoport</fieldname> <description> <![CDATA[ - This is the port the Proxy Server will listen on. - <br/> - NOTE: Leave blank to bind to 80 - ]]> + This is the port the Proxy Server will listen on.<br /> + NOTE: Leaving this blank will bind to default port 80. + ]]> </description> <type>input</type> + <default_value>80</default_value> </field> <field> <fielddescr> <![CDATA[ - Additional Addresses<br/> - Do not edit. This field will be automatically populated from Site Proxies settings. + Additional Addresses<br /> + <strong>DO NOT EDIT!</strong> This field will be automatically populated from Site Proxies settings. ]]> </fielddescr> <fieldname>additionaladdresses</fieldname> - <description></description> <type>rowhelper</type> <rowhelper> <rowhelperfield> <fielddescr>IP Address</fielddescr> <fieldname>ipaddress</fieldname> - <description></description> <type>input</type> <size>45</size> </rowhelperfield> <rowhelperfield> <fielddescr>Port</fielddescr> <fieldname>ipport</fieldname> - <description></description> <type>input</type> <size>10</size> </rowhelperfield> 
@@ -132,99 +137,133 @@ <fieldname>mod_mem_cache</fieldname> <description> <![CDATA[ - Enables mod_mem_cache which stores cached documents in memory. - ]]> + Enables mod_mem_cache which stores cached documents in memory. + ]]> </description> <type>checkbox</type> + <enablefields>mod_mem_cache_size</enablefields> </field> <field> - <fielddescr>mod_mem_cache memory usage</fielddescr> + <fielddescr>mod_mem_cache Memory Usage</fielddescr> <fieldname>mod_mem_cache_size</fieldname> <description> <![CDATA[ - Sets the memory usage in megabytes. - ]]> + The maximum amount of memory used by mod_mem_cache in KBytes. (Default: 100) + ]]> </description> <type>input</type> + <default_value>100</default_value> </field> <field> <fielddescr>Use mod_disk_cache</fielddescr> <fieldname>mod_disk_cache</fieldname> <description> <![CDATA[ - mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache. - ]]> + mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache. + ]]> </description> <type>checkbox</type> + <enablefields>mod_disk_cache_max_filesize</enablefields> </field> <field> - <fielddescr>mod_disk_cache memory usage</fielddescr> - <fieldname>mod_disk_cache_size</fieldname> + <fielddescr>mod_disk_cache CacheMaxFileSize</fielddescr> + <fieldname>mod_disk_cache_max_filesize</fieldname> <description> <![CDATA[ - Sets the memory usage in Kbytes. - ]]> + The maximum size (in bytes) of a document to be placed in the cache. (Default: 1000000) + ]]> </description> <type>input</type> + <default_value>1000000</default_value> </field> <field> - <fielddescr>Limits number of POSTS accepted from same IP address</fielddescr> - <fieldname>SecReadStateLimit</fieldname> - <description> - <![CDATA[ - Help prevent the effects of a Slowloris-type of attack. 
More information about this attack can be found here: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html - ]]> - </description> - <type>input</type> + <name>mod_security Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable mod_security Protection</fielddescr> + <fieldname>enablemodsecurity</fieldname> + <description>Enables mod_security protection for all sites being proxied.</description> + <type>checkbox</type> + <enablefields>secrequestbodyinmemorylimit,secrequestbodylimit</enablefields> </field> <field> - <fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr> + <fielddescr>SecRequestBodyInMemoryLimit</fielddescr> <fieldname>secrequestbodyinmemorylimit</fieldname> - <description>Configures the maximum request body size ModSecurity will store in memory.</description> + <description> + <![CDATA[ + Configures the maximum request body size (in bytes) ModSecurity will store in memory. (Default: 131072) + ]]> + </description> <type>input</type> + <default_value>131072</default_value> </field> <field> - <fielddescr>Configures the maximum request body size ModSecurity will accept for buffering.</fielddescr> + <fielddescr>SecRequestBodyLimit</fielddescr> <fieldname>secrequestbodylimit</fieldname> - <description>Configures the maximum request body size ModSecurity will accept for buffering.</description> + <description> + <![CDATA[ + Configures the maximum request body size (in bytes) ModSecurity will accept for buffering. 
Default: 10485760) + ]]> + </description> <type>input</type> + <default_value>10485760</default_value> </field> <field> - <fielddescr>Enable mod_security protection</fielddescr> - <fieldname>enablemodsecurity</fieldname> - <description>Enables mod_security protection for all sites being proxied</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Configures the audit logging engine.</fielddescr> + <fielddescr>SecAuditEngine</fielddescr> <fieldname>secauditengine</fieldname> - <description>Configures the audit logging engine.</description> - <type>select</type> + <description> + <![CDATA[ + Configures the audit logging engine.<br /><br /> + <strong>On:</strong> Log all transactions.<br /> + <strong>Off:</strong> Do not log any transactions.<br /> + <strong>RelevantOnly:</strong> Only the log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant. + ]]> + </description> + <type>select</type> <options> - <option><name>RelevantOnly</name><value>RelevantOnly</value></option> - <option><name>All</name><value>On</value></option> - <option><name>Off</name><value>Off</value></option> + <option><name>RelevantOnly</name><value>RelevantOnly</value></option> + <option><name>All</name><value>On</value></option> + <option><name>Off</name><value>Off</value></option> </options> </field> <field> <fielddescr>Custom mod_security ErrorDocument</fielddescr> - <fieldname>errordocument</fieldname> - <description></description> + <fieldname>errordocument_custom</fieldname> <type>textarea</type> - <rows>10</rows> - <cols>75</cols> + <rows>10</rows> + <cols>75</cols> + <description> + <![CDATA[ + See <a href="http://httpd.apache.org/docs/2.2/mod/core.html#errordocument">Apache Core Features - ErrorDocument Directive</a> for documentation.<br /><br /> + Example:<br /> + ErrorDocument 403 "Sorry, can't allow you access today"<br /> + ErrorDocument 404 http://banned.example.com/notfound.php<br /> + ErrorDocument 500 
/denied.html + ]]> + </description> + <encoding>base64</encoding> </field> <field> - <fielddescr>Custom mod_security rules</fielddescr> - <fieldname>modsecuritycustom</fieldname> - <description>Paste any custom mod_security rules that you would like to use</description> + <fielddescr>Custom mod_security Rules</fielddescr> + <fieldname>modsecuritycustom_adv</fieldname> + <description> + <![CDATA[ + Paste any custom mod_security rules that you would like to use.<br /> + See <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual">ModSecurity Reference Manual</a>. + ]]> + </description> <type>textarea</type> - <rows>10</rows> - <cols>75</cols> + <rows>10</rows> + <cols>75</cols> + <encoding>base64</encoding> + <advancedfield/> </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> - <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file + <custom_php_validation_command> + apache_mod_security_validate_input($_POST, $input_errors); + </custom_php_validation_command> +</packagegui> diff --git a/config/apache_mod_security/apache_mod_security_view_logs.php b/config/apache_mod_security/apache_mod_security_view_logs.php index b2e60320..2fbcdcaa 100644 --- a/config/apache_mod_security/apache_mod_security_view_logs.php +++ b/config/apache_mod_security/apache_mod_security_view_logs.php @@ -1,9 +1,9 @@ <?php -/* $Id$ */ /* apache_mod_security_view_logs.php - part of pfSense (https://www.pfsense.org/) - Copyright (C) 2009, 2010 Scott Ullrich <sullrich@gmail.com> + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2009, 2010 Scott Ullrich + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without 
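Review bot: The Custom ErrorDocument and Custom Rules fields are renamed (`errordocument` → `errordocument_custom`, `modsecuritycustom` → `modsecuritycustom_adv`) and switched to `<encoding>base64</encoding>`, so rules an existing install stored under the old plain-text keys are silently dropped on upgrade unless apache_mod_security.inc (not visible here) reads and re-encodes the old keys — avahi in this same diff gets an `avahi_upgrade_config()` for exactly this situation, and this package needs the same. The hunk also deletes the `SecReadStateLimit` field, which was the only Slowloris mitigation the package exposed; if it went because the bundled mod_security build does not accept the directive, a one-line comment in the .inc saying so would stop the next maintainer from restoring it. Minor wording: the SecAuditEngine description reads `Only the log transactions that have triggered a warning or an error`, which should be `Only log the transactions that have triggered a warning or an error`.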
@@ -27,31 +27,33 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -require("guiconfig.inc"); +require_once("guiconfig.inc"); +require_once("util.inc"); +require_once("/usr/local/pkg/apache_mod_security.inc"); if($_REQUEST['getactivity']) { - if($_REQUEST['logtype'] == "error") - $apachelogs = `cat /var/log/httpd-error.log`; - else - $apachelogs = `cat /var/log/httpd-access.log`; - echo "</pre><h1>Apache+Mod_Security_Proxy Server logs as of " . date("D M j G:i:s T Y") . "</h1><pre>\n\n"; + if ($_REQUEST['logtype'] == "error") { + $apachelogs = shell_exec("/bin/cat /var/log/httpd-error.log"); + $logtype = "Error"; + } else { + $apachelogs = shell_exec("/bin/cat /var/log/httpd-access.log"); + $logtype = "Access"; + } + echo "</pre><h2>Apache+Mod_Security_Proxy Server {$logtype} Logs as of " . date("D M j G:i:s T Y") . "</h2><pre>\n\n"; echo $apachelogs; exit; } -$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); -if ($pf_version < 2.0) - $one_two = true; +if ($_POST['clear']) { + unlink_if_exists("/var/log/httpd-error.log"); + unlink_if_exists("/var/log/httpd-access.log"); + apache_mod_security_restart(); +} +$closehead = false; $pgtitle = "Services: Mod_Security+Apache+Proxy: Logs"; include("head.inc"); - -/* XXX */ -if ($_POST['clear']) { } - ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <style type='text/css'> pre { overflow-x: auto; /* Use horizontal scroller if needed; for Firefox 2, not needed in Firefox 3 */ 
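Review bot: `echo $apachelogs;` in the `getactivity` branch writes the raw access/error log into the response and the polling callback assigns it to `innerHTML`, and nothing between the log file and the browser escapes HTML metacharacters, so anything a remote client puts in a request line or User-Agent against the proxied site is rendered as markup in the admin's session — a stored XSS reachable by anyone who can reach the proxy. Escape it at the echo: `echo htmlspecialchars($apachelogs);`. The `clear` handler deletes both log files and restarts httpd on any POST carrying `clear`; that leans entirely on whatever CSRF protection guiconfig.inc provides, which is not visible here, so it is worth confirming before merging.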
@@ -64,65 +66,76 @@ pre { } </style> <script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> - <script type="text/javascript"> - function getlogactivity() { - var url = "/apache_mod_security_view_logs.php"; - var pars = 'getactivity=yes'; - var myAjax = new Ajax.Request( - url, - { - method: 'post', - parameters: pars, - onComplete: activitycallback - }); - } - function activitycallback(transport) { - $('apachelogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>'; - setTimeout('getlogactivity()', 2500); - } - setTimeout('getlogactivity()', 1000); - </script> +<script type="text/javascript"> +//<![CDATA[ + function getlogactivity() { +<?php + if ($_REQUEST['logtype'] != "error") { + $viewurl = "/apache_mod_security_view_logs.php"; + } else { + $viewurl = "/apache_mod_security_view_logs.php?logtype=error"; + } +?> + var url = "<? echo $viewurl ?>"; + var pars = 'getactivity=yes'; + var myAjax = new Ajax.Request( + url, + { + method: 'post', + parameters: pars, + onComplete: activitycallback + }); + } + function activitycallback(transport) { + $('apachelogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>'; + setTimeout('getlogactivity()', 2500); + } + setTimeout('getlogactivity()', 1000); +//]]> +</script> +</head> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> - -<?php if($one_two): ?> -<p class="pgtitle"><?=$pgtitle?></font></p> -<?php endif; ?> - <?php if ($savemsg) print_info_box($savemsg); ?> <div id="mainlevel"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> <?php $tab_array = array(); $tab_array[] = array(gettext("Proxy Server Settings"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml&id=0"); - $tab_array[] = array(gettext("Site Proxies"), false, "/pkg.php?xml=apache_mod_security.xml"); + $tab_array[] = 
array(gettext("Site Proxies"), false, "/pkg.php?xml=apache_mod_security.xml"); $tab_array[] = array(gettext("Logs"), true, "/apache_mod_security_view_logs.php"); display_top_tabs($tab_array); ?> -</table> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont" > - <form action="apache_mod_security_view_logs.php" method="post"> - <br> - <div id="apachelogs"> - <pre>One moment please, loading Apache logs...</pre> + </td></tr> + <tr><td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabcont" > + <form action="apache_mod_security_view_logs.php" method="post"> + <br /> + <div id="apachelogs"> + <pre>One moment please, loading Apache logs...</pre> + </div> + </form> + </td></tr> + </table> </div> - </td> - </tr> -</table> -<td align="left" valign="top"> - <form id="filterform" name="filterform" action="apache_mod_security_view_logs.php" method="post" style="margin-top: 14px;"> - <p/> - <input id="submit" name="clear" type="submit" class="formbtn" value="<?=gettext("Clear log");?>" /> - </form> -</td> + </td></tr> + <tr><td align="left" valign="top"> + <form id="filterform" name="filterform" action="apache_mod_security_view_logs.php" method="post" style="margin-top: 14px;"> + <p /> + <input id="submit" name="clear" type="submit" class="formbtn" value="<?=gettext("Clear log");?>" /> + </form> + </td></tr> + </table> </div> <?php - if($_REQUEST['logtype'] = "error") { - echo "<br/>View <a href='apache_mod_security_view_logs.php?logtype=error'>error</a> logs"; + if ($_REQUEST['logtype'] != "error") { + echo "<br /><a href='apache_mod_security_view_logs.php?logtype=error'>View Error Logs</a>"; } else { - echo "<br/>View <a href='apache_mod_security_view_logs.php'>access</a> logs"; + echo "<br /><a href='apache_mod_security_view_logs.php'>View Access Logs</a>"; } ?> <?php include("fend.inc"); ?> 
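Review bot: `var url = "<? echo $viewurl ?>";` uses the short open tag, which only works when `short_open_tag` is enabled and differs from the `<?php` / `<?=` forms used elsewhere in this file; `var url = "<?=$viewurl?>";` (or `<?php echo $viewurl; ?>`) is the portable form. `$viewurl` is one of two fixed strings chosen by the branch just above, so there is no injection today, but embedding PHP output into a JS string literal without `json_encode()` is a pattern that stops being safe the moment the URL becomes dynamic. The Proxy Server Settings tab in this hunk still links to `apache_mod_security_settings.xml&id=0` while the same commit drops `&id=0` from the XML's own tab and redirect URLs; harmless, but inconsistent.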
diff --git a/config/avahi/avahi.inc b/config/avahi/avahi.inc
index 4c824e71..ba89676f 100644
--- a/config/avahi/avahi.inc
+++ b/config/avahi/avahi.inc
@@ -63,23 +63,36 @@ function avahi_deinstall() { } function avahi_write_config() { - global $config; + global $config, $avahi_config; conf_mount_rw(); // Pull some various values out of config.xml + if (isset($config['installedpackages']['avahi']['config'][0])) { + $avahi_config = $config['installedpackages']['avahi']['config'][0]; + } + // Server Options $hostname = $config['system']['hostname']; $domain = $config['system']['domain']; - $enable = $config['installedpackages']['avahi']['config'][0]['enable']; - $browsedomains = $config['installedpackages']['avahi']['config'][0]['browsedomains']; - $denyif = $config['installedpackages']['avahi']['config'][0]['denyinterfaces']; - $useipv4 = ($config['installedpackages']['avahi']['config'][0]['disable_ipv4']) ? "no" : "yes"; - $useipv6 = ($config['installedpackages']['avahi']['config'][0]['disable_ipv6']) ? "no" : "yes"; - $usedbus = ($config['installedpackages']['avahi']['config'][0]['disable_dbus']) ? "no" : "yes"; - - // No supplied domains? Use the defaults. - if (!$browsedomains) { - $browsedomains = "local, 0pointer.de, zeroconf.org"; - } + $enable = $avahi_config['enable']; + $browsedomains = $avahi_config['browsedomains'] ?: "local"; + $denyif = $avahi_config['denyinterfaces']; + $useipv4 = ($avahi_config['enable_ipv4']) ? "yes" : "no"; + $useipv6 = ($avahi_config['enable_ipv6']) ? "yes" : "no"; + $usedbus = ($avahi_config['disable_dbus']) ? "no" : "yes"; + // Wide Area + $widearea = ($avahi_config['enable_wide_area']) ? "yes" : "no"; + // Publishing Options + $publish = ($avahi_config['disable_publishing']) ? "no" : "yes"; + $userpublish = ($avahi_config['disable_user_service_publishing']) ? "no" : "yes"; + $addresspublish = ($avahi_config['publish_addresses']) ? "yes" : "no"; + $cookie = ($avahi_config['add_service_cookie']) ? "yes" : "no"; + $hinfopublish = ($avahi_config['publish_hinfo']) ? "yes" : "no"; + $wspublish = ($avahi_config['publish_workstation']) ? 
"yes" : "no"; + $aaaaonv4 = ($avahi_config['publish_aaaa_on_ipv4']) ? "yes" : "no"; + $aonv6 = ($avahi_config['publish_a_on_ipv6']) ? "yes" : "no"; + // Reflector Options + $reflect = ($avahi_config['enable_reflector']) ? "yes" : "no"; + $reflectipv = ($avahi_config['reflect_ipv']) ? "yes" : "no"; // Never pass along WAN. Bad. $denyinterfaces = $config['interfaces']['wan']['if']; @@ -94,6 +107,15 @@ function avahi_write_config() { } } } + + // Process DNS servers and omit localhost if present in /etc/resolv.conf + $publishdns = ''; + $dns = implode(" ", get_dns_servers()); + $dns = trim(str_replace('127.0.0.1', '', $dns)); + $dns = str_replace(' ', ', ', $dns); + if ($dns) { + $publishdns = "publish-dns-servers={$dns}"; + } // Construct the avahi configuration $avahiconfig = <<<EOF @@ -116,24 +138,24 @@ enable-dbus={$usedbus} allow-point-to-point=yes [wide-area] -enable-wide-area=yes +enable-wide-area={$widearea} [publish] -#disable-publishing=no -#disable-user-service-publishing=no -#add-service-cookie=no -#publish-addresses=yes -#publish-hinfo=yes -#publish-workstation=yes +disable-publishing={$publish} +disable-user-service-publishing={$userpublish} +add-service-cookie={$cookie} +publish-addresses={$addresspublish} +publish-hinfo={$hinfopublish} +publish-workstation={$wspublish} #publish-domain=yes -#publish-dns-servers=192.168.50.1, 192.168.50.2 +{$publishdns} #publish-resolv-conf-dns-servers=yes -#publish-aaaa-on-ipv4=yes -#publish-a-on-ipv6=no +publish-aaaa-on-ipv4={$aaaaonv4} +publish-a-on-ipv6={$aonv6} [reflector] -enable-reflector=yes -#reflect-ipv=no +enable-reflector={$reflect} +reflect-ipv={$reflectipv} [rlimits] rlimit-core=0 
@@ -162,7 +184,7 @@ EOF; $start .= " /bin/ln -sf " . AVAHI_BASE . "/etc/gnome.subr /usr/local/etc/gnome.subr\n"; $start .= "fi\n"; $start .= "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n"; - if (!$config['installedpackages']['avahi']['config'][0]['disable_dbus']) { + if (!$avahi_config['disable_dbus']) { $start .= "if [ ! -d /var/run/dbus ]; then\n"; $start .= " /bin/mkdir /var/run/dbus\n"; $start .= " /usr/sbin/chown messagebus:messagebus /var/run/dbus\n"; @@ -178,7 +200,7 @@ EOF; $start .= "/etc/rc.conf_mount_ro\n"; $stop = "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n"; - if (!$config['installedpackages']['avahi']['config'][0]['disable_dbus']) { + if (!$avahi_config['disable_dbus']) { if (file_exists(AVAHI_BASE . "/etc/rc.d/dbus")) { $stop .= AVAHI_BASE . "/etc/rc.d/dbus onestop\n"; $stop .= "/bin/rm /var/run/dbus/dbus.pid >/dev/null 2>&1\n"; 
@@ -203,9 +225,51 @@ function avahi_sync() { } avahi_write_config(); // Is package enabled? - if (($config['installedpackages']['avahi']['config'][0]['enable']) && file_exists("/usr/local/etc/rc.d/avahi-daemon.sh")) { + if ($config['installedpackages']['avahi']['config'][0]['enable']) { start_service("avahi"); } } +function avahi_upgrade_config() { + global $config, $avahi_config; + + $avahi_config =& $config['installedpackages']['avahi']['config'][0]; + if (!is_array($avahi_config)) { + $avahi_config = array(); + } + $changes = 0; + // Convert previous disable values to enable ones + // If broken settings were configured due to lack of validation, just set to defaults + if (isset($avahi_config['disable_ipv4']) && isset($avahi_config['disable_ipv6']) && $avahi_config['disable_ipv4'] == "on" && $avahi_config['disable_ipv6'] == "on") { + $avahi_config['enable_ipv4'] = "on"; + $avahi_config['enable_ipv6'] = "on"; + unset($avahi_config['disable_ipv4']); + unset($avahi_config['disable_ipv6']); + $changes++; + } elseif (isset($avahi_config['disable_ipv4']) && $avahi_config['disable_ipv4'] != "on") { + $avahi_config['enable_ipv4'] = "on"; + unset($avahi_config['disable_ipv4']); + $changes++; + } elseif (isset($avahi_config['disable_ipv6']) && $avahi_config['disable_ipv6'] != "on") { + $avahi_config['enable_ipv6'] = "on"; + unset($avahi_config['disable_ipv6']); + $changes++; + } + if ($changes > 0 ) { + write_config("[avahi] Upgraded old package configuration."); + } +} + +function avahi_validate_input($post, &$input_errors) { + if (($post['enable_ipv4'] != "on" ) && ($post['enable_ipv6'] != "on" )) { + $input_errors[] = gettext("You cannot disable both IPv4 and IPv6!"); + } + if (($post['enable_ipv4'] != "on" ) && ($post['publish_aaaa_on_ipv4'] == "on" )) { + $input_errors[] = gettext("'Publish AAAA records on IPv4' makes no sense with IPv4 disabled."); + } + if (($post['enable_ipv6'] != "on" ) && ($post['publish_a_on_ipv6'] == "on" )) { + $input_errors[] = 
gettext("'Publish A records on IPv6' makes no sense with IPv6 disabled."); + } +} + ?> diff --git a/config/avahi/avahi.xml b/config/avahi/avahi.xml index 0b49fea3..0c18e097 100644 --- a/config/avahi/avahi.xml +++ b/config/avahi/avahi.xml @@ -51,7 +51,7 @@ <name>Avahi</name> <tooltiptext>Modify avahi settings.</tooltiptext> <section>Services</section> - <url>pkg_edit.php?xml=avahi.xml&id=0</url> + <url>pkg_edit.php?xml=avahi.xml</url> </menu> <service> <name>avahi</name> 
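Review bot: `avahi_upgrade_config()` leaves most existing configurations with neither `enable_ipv4` nor `enable_ipv6` set, and `avahi_write_config()` earlier in this file maps an absent key to `use-ipv4=no` / `use-ipv6=no` — exactly the combination the new validator forbids. pfSense stores an unchecked box by omitting the key, so the common old states (nothing disabled, or only `disable_ipv4` = "on") match none of the three branches — the first needs both keys present, the second and third need a value other than "on" — and a fresh install has no keys at all, so in all of those cases avahi comes up with both protocols off until the admin re-saves the page. Derive the new keys from the absence of the old ones, and only for a config that has not been migrated yet; the rewrite below replaces the three-branch `if`/`elseif` chain. Separately, `avahi_validate_input()` accepts any `browsedomains` string, and judging by the variable built from it in `avahi_write_config()` that value is written verbatim into avahi-daemon.conf, so a newline or `[` in it could terminate the section; a character whitelist check there would close that off.
```php
	// Old schema stored disable_* ("on" = disabled, absent = enabled); the new one
	// stores enable_* (absent = disabled). A config with neither enable_* key is
	// either unmigrated or fresh and needs explicit values, otherwise
	// avahi_write_config() emits use-ipv4=no and use-ipv6=no.
	if (!isset($avahi_config['enable_ipv4']) && !isset($avahi_config['enable_ipv6'])) {
		$v4_off = (isset($avahi_config['disable_ipv4']) && $avahi_config['disable_ipv4'] == "on");
		$v6_off = (isset($avahi_config['disable_ipv6']) && $avahi_config['disable_ipv6'] == "on");
		if ($v4_off && $v6_off) {
			// Both disabled was never a valid state; fall back to the defaults.
			$v4_off = $v6_off = false;
		}
		if (!$v4_off) {
			$avahi_config['enable_ipv4'] = "on";
		}
		if (!$v6_off) {
			$avahi_config['enable_ipv6'] = "on";
		}
		unset($avahi_config['disable_ipv4'], $avahi_config['disable_ipv6']);
		$changes++;
	}
	// … unchanged: write_config() when $changes > 0 …
```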
@@ -73,61 +73,242 @@ </additional_files_needed> <fields> <field> + <name>Server Options</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> <description>Enable Avahi Bonjour/Zeroconf proxy.</description> <type>checkbox</type> </field> <field> - <fielddescr>Browse domains (comma separated)</fielddescr> + <fielddescr>Browse Domains</fielddescr> <fieldname>browsedomains</fieldname> <description> <![CDATA[ - Enter the domains that you would like proxied.<br /> - (Example: local, pfsense.org, mydomain.com) + Enter the (comma separated) list of domains that you would like proxied. (Example: local, pfsense.org, mydomain.com)<br /> + (Default: local) ]]> </description> <type>input</type> + <default_value>local</default_value> </field> <field> <fielddescr>Deny interfaces</fielddescr> <fieldname>denyinterfaces</fieldname> <description> <![CDATA[ - Interfaces that you do NOT want Avahi to listen on. - <strong>NOTE: WAN is always disabled (so it is not shown here).</strong> + Interfaces that you do NOT want Avahi to listen on.<br /> + <strong>Note: WAN is always disabled (so it is not shown here).</strong> ]]> </description> <type>interfaces_selection</type> - <hideinterfaceregex>wan</hideinterfaceregex> + <hideinterfaceregex>(wan|loopback)</hideinterfaceregex> <multiple>true</multiple> </field> <field> - <fielddescr>Disable IPv6</fielddescr> - <fieldname>disable_ipv6</fieldname> - <description>Disable IPv6 support in Avahi.</description> + <fielddescr>Enable IPv4</fielddescr> + <fieldname>enable_ipv4</fieldname> + <description>Enable IPv4 support in Avahi. 
(Default: enabled)</description> <type>checkbox</type> + <default_value>on</default_value> + <enablefields>publish_aaaa_on_ipv4</enablefields> </field> <field> - <fielddescr>Disable IPv4</fielddescr> - <fieldname>disable_ipv4</fieldname> - <description>Disable IPv4 support in Avahi.</description> + <fielddescr>Enable IPv6</fielddescr> + <fieldname>enable_ipv6</fieldname> + <description>Enable IPv6 support in Avahi. (Default: enabled)</description> <type>checkbox</type> + <default_value>on</default_value> + <enablefields>publish_a_on_ipv6</enablefields> </field> <field> - <fielddescr>Disable D-BUS</fielddescr> + <fielddescr>Disable D-Bus</fielddescr> <fieldname>disable_dbus</fieldname> - <description>Disable D-BUS client API support in Avahi.</description> + <description>Disable D-Bus client API support in Avahi. (Default: no)</description> + <type>checkbox</type> + </field> + <field> + <name>Wide Area</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Wide-Area DNS-SD</fielddescr> + <fieldname>enable_wide_area</fieldname> + <description> + <![CDATA[ + Enable wide-area DNS-SD, aka DNS-SD over unicast DNS. If this is enabled only + domains ending in .local will be resolved on mDNS, all other domains are resolved via unicast DNS.<br /> + If you want to maintain multiple different multicast DNS domains even with this option enabled, + use subdomains of .local, such as "kitchen.local".<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>Publishing Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Disable Publishing</fielddescr> + <fieldname>disable_publishing</fieldname> + <description> + <![CDATA[ + If checked, no record will be published by Avahi, not even address records for the local host. Avahi will be started in a querying-only mode.<br /> + You can use this is a security measure. 
<strong>Warning: Do NOT disable publishing unless you know what you are doing!</strong><br /> + (Default: no) + ]]> + </description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Disable User Service Publishing</fielddescr> + <fieldname>disable_user_service_publishing</fieldname> + <description> + <![CDATA[ + If checked, Avahi will still publish address records and suchlike but will not allow user applications to publish services. + You can use this is a security measure.<br /> + (Default: no) + ]]> + </description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Add Service Cookie</fielddescr> + <fieldname>add_service_cookie</fieldname> + <description> + <![CDATA[ + If enabled, an implicit TXT entry will be added to all locally registered services. + This can be used to detect if two services on two different interfaces/protocols are actually identical.<br /> + (Default: disabled) + ]]> + </description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Publish Addresses</fielddescr> + <fieldname>publish_addresses</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will register mDNS address records for all local IP addresses. Unless you want to use Avahi exclusively + for browsing it’s recommended to enable this. If you want to register local services you need to enable this option.<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Publish HINFO</fielddescr> + <fieldname>publish_hinfo</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will register an mDNS HINFO record on all interfaces which contains information about the local operating system and CPU.<br /> + This is recommended by the mDNS specification but not required. 
For the sake of privacy you might choose to disable this feature.<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Publish Workstation</fielddescr> + <fieldname>publish_workstation</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will register will register a service of type "_workstation._tcp" on the local LAN. + This might be useful for administrative purposes (i.e. browse for all PCs on the LAN).<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Publish DNS Servers</fielddescr> + <fieldname>publish_resolv_conf_dns_servers</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will publish the unicast DNS servers configured in System - General settings. + You can use this to announce unicast DNS servers via mDNS.<br /> + When used in conjunction with avahi-dnsconfd on the client side this allows DHCP-like configuration of unicast DNS servers.<br /> + (Default: disabled) + ]]> + </description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Publish AAAA records on IPv4</fielddescr> + <fieldname>publish_aaaa_on_ipv4</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will publish an IPv6 AAAA record via IPv4, i.e. the local IPv6 addresses can be resolved using an IPv4 transport.<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Publish A records on IPv6</fielddescr> + <fieldname>publish_a_on_ipv6</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will publish an IPv4 A record via IPv6, i.e. 
the local IPv4 addresses can be resolved using an IPv6 transport.<br /> + (Default: disabled) + ]]> + </description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <name>Reflector Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Reflector</fielddescr> + <fieldname>enable_reflector</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will reflect incoming mDNS requests to all local network interfaces, + effectively allowing clients to browse mDNS/DNS-SD services on all networks connected to the gateway.<br /> + (Default: enabled) + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Reflect IPv</fielddescr> + <fieldname>reflect_ipv</fieldname> + <description> + <![CDATA[ + If enabled, Avahi will forward mDNS traffic between IPv4 and IPv6, which is usually not recommended.<br /> + (Default: disabled) + ]]> + </description> <type>checkbox</type> + <default_value>off</default_value> </field> </fields> <custom_php_resync_config_command> avahi_sync(); </custom_php_resync_config_command> <custom_php_install_command> + avahi_upgrade_config(); avahi_install(); </custom_php_install_command> <custom_php_deinstall_command> avahi_deinstall(); </custom_php_deinstall_command> + <custom_php_validation_command> + avahi_validate_input($_POST, $input_errors); + </custom_php_validation_command> </packagegui> diff --git a/config/bacula-client/bacula-client.inc b/config/bacula-client/bacula-client.inc index 397cf7a4..a251baae 100644 --- a/config/bacula-client/bacula-client.inc +++ b/config/bacula-client/bacula-client.inc @@ -50,6 +50,7 @@ function baculaclient_custom_php_deinstall_command(){ function baculaclient_custom_php_write_config(){ global $config, $LocalDirector; + $RemoteDirector = ""; conf_mount_rw(); // Check config_file 
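Review bot: The new `publish_resolv_conf_dns_servers` checkbox is documented as controlling whether the unicast DNS servers are announced, with `(Default: disabled)`, but the avahi.inc hunks in this diff write `publish-dns-servers=` from `get_dns_servers()` unconditionally and never read that field, so as far as this diff shows the box has no effect and the description is wrong on both counts. Either gate the `$publishdns` line in avahi.inc on this field or leave the field out until it is wired, since an option that claims to disable an information disclosure and does not is worse than no option. Wording in the same hunk: `You can use this is a security measure` appears twice and should read `as a security measure`, and `Avahi will register will register a service` repeats the verb.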
@@ -72,21 +73,22 @@ function baculaclient_custom_php_write_config(){ switch ($bc['type']) { case "Director": $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-dir #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n"; + $RemoteDirector = $bc['director']; break; case "Monitor": $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-mon #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n\tMonitor = yes\n}\n"; break; case "Local": - $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-dir #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n"; - $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-mon #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n\tMonitor = yes\n}\n"; + $baculaclient_conf .= "Director { \n\tName = {$bc['director']}-fd #{$bc['description']}\n\tPassword = \"{$bc['password']}\"\n}\n"; $LocalDirector = $bc['director']; } } - // Create Messages - if (!empty($LocalDirector)) { - $baculaclient_conf .= "Messages { \n\tName = Standard \n\tdirector = {$LocalDirector}-dir = all, !skipped, !restored\n}\n"; + // Create Messages. + // Messages should be sent to the master Director + if (!empty($RemoteDirector)) { + $baculaclient_conf .= "Messages { \n\tName = Standard #send messages here\n\tdirector = {$RemoteDirector}-dir = all, !skipped, !restored\n}\n"; } // Create FileDaemon if (is_array($config['installedpackages']['baculaclientfd']['config'])) { 
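Review bot: `$RemoteDirector = $bc['director'];` is overwritten on every `Director` entry, so with more than one remote Director configured the `Messages` resource addresses only whichever was listed last and the others never receive job messages; if the first one is meant to be the master, assign only while it is still empty: `if ($RemoteDirector == "") { $RemoteDirector = $bc['director']; }`. The `Password = \"{$bc['password']}\"` lines this hunk builds on still interpolate the stored password and description verbatim, so a `"` in a password or a newline in a description breaks or extends the generated bacula-fd.conf; that predates this commit, but a quoting helper or input validation belongs in this function while it is being reworked. The rewritten `Local` case now emits a `Director` resource named `{$bc['director']}-fd`, the same name the `FileDaemon` resource is given from `$LocalDirector` further down; if that is intentional a comment explaining it would help, because the old code emitted a `-dir`/`-mon` pair here.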
@@ -94,7 +96,7 @@ function baculaclient_custom_php_write_config(){ $jobs = $config['installedpackages']['baculaclientfd']['config'][0]['jobs'] ?: '20'; } if (!empty($LocalDirector)) { - $baculaclient_conf .= "FileDaemon { \n\tName = {$LocalDirector}-fd #\n\tFDport = {$port}\n\tWorkingDirectory = /var/db/bacula\n\tPid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n}\n"; + $baculaclient_conf .= "FileDaemon { \n\tName = {$LocalDirector}-fd #this is the local pfSense Director\n\tFDport = {$port}\n\tWorkingDirectory = /var/db/bacula\n\tPid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n}\n"; } // Write config file and start service diff --git a/config/bacula-client/bacula-client.xml b/config/bacula-client/bacula-client.xml index cbfe8757..fd1e744d 100644 --- a/config/bacula-client/bacula-client.xml +++ b/config/bacula-client/bacula-client.xml @@ -44,7 +44,7 @@ </copyright> <requirements>Bacula Server Installed on your network.</requirements> <name>baculaclient</name> - <version>1.0.8</version> + <version>1.0.11</version> <title>Bacula Client: Settings</title> <aftersaveredirect>/pkg.php?xml=bacula-client.xml</aftersaveredirect> <include_file>/usr/local/pkg/bacula-client.inc</include_file> @@ -156,4 +156,7 @@ <custom_php_resync_config_command> baculaclient_custom_php_write_config(); </custom_php_resync_config_command> + <custom_delete_php_command> + baculaclient_custom_php_write_config(); + </custom_delete_php_command> </packagegui> diff --git a/config/bacula-client/bacula-client_view_config.php b/config/bacula-client/bacula-client_view_config.php index c10a0cda..dacdc98c 100644 --- a/config/bacula-client/bacula-client_view_config.php +++ b/config/bacula-client/bacula-client_view_config.php 
@@ -29,7 +29,7 @@ */ require("guiconfig.inc"); -$$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3); +$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3); if ($pf_version == "2.1" || $pf_version == "2.2") { define('BACULA_LOCALBASE', '/usr/pbi/bacula-' . php_uname("m")); } else { @@ -62,12 +62,10 @@ include("head.inc"); <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabcont"> - <textarea id="varnishlogs" rows="50" cols="87%"> - <?php + <textarea rows="50" cols="87%"><?php $config_file = file_get_contents(BACULA_LOCALBASE."/etc/bacula/bacula-fd.conf"); echo $config_file; - ?> - </textarea> + ?></textarea> </td></tr> </table> </div> diff --git a/config/havp/havp.inc b/config/havp/havp.inc index 38412f31..9e931a95 100644 --- a/config/havp/havp.inc +++ b/config/havp/havp.inc @@ -87,9 +87,13 @@ define('HVDEF_PID_FILE', '/var/run/havp.pid'); $pf_version=substr(trim(file_get_contents("/etc/version")), 0, 3); if ($pf_version == "2.1" || $pf_version == "2.2") { - define("HVDEF_WORK_DIR", "/usr/pbi/havp-" . php_uname("m") . "/local/etc"); + define("HVDEF_WORK_DIR", "/usr/pbi/havp-" . php_uname("m") . "/local/etc"); + define('HVDEF_TEMPLATES', "/usr/pbi/havp-" . php_uname("m") . "/local/share/examples/havp/templates"); + define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex'); } else { - define("HVDEF_WORK_DIR", "/usr/local/etc/havp"); + define("HVDEF_WORK_DIR", "/usr/local/etc/havp"); + define('HVDEF_TEMPLATES', '/usr/local/share/examples/havp/templates'); + define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex'); } define('HVDEF_LOG_DIR', '/var/log/havp'); 
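Review bot: In the textarea hunk of bacula-client_view_config.php, `echo $config_file;` prints the raw bacula-fd.conf into the page with no HTML escaping, so a director name or description containing `</textarea><script>` (both are admin-editable package fields that the .inc interpolates verbatim) would break out of the textarea and execute in the browser of whoever views this page; change it to `echo htmlspecialchars($config_file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `file_get_contents()` also returns `false` when the file has not been generated yet, which `echo` renders as an empty textarea; checking `if ($config_file === false)` and printing a short "not generated yet" message would make that state visible. Note that this page intentionally displays the Director passwords in clear text, which was already the case before this change; a comment saying so above the textarea would help the next maintainer.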
@@ -97,8 +101,6 @@ define('HVDEF_TEMP_DIR', '/var/tmp'); define('HVDEF_HAVPTEMP_DIR', HVDEF_TEMP_DIR . '/havp'); define('HVDEF_RAMTEMP_DIR', HVDEF_TEMP_DIR . '/havpRAM'); define('HVDEF_SCANTEMPFILE', '/havp-XXXXXX'); -define('HVDEF_TEMPLATES', '/usr/local/share/examples/havp/templates'); -define('HVDEF_TEMPLATES_EX', HVDEF_TEMPLATES . '_ex'); define('HVDEF_FILTER_RULES', '/tmp/rules.havp'); define('HVDEF_HAVP_CONFIG', HVDEF_WORK_DIR . '/havp.config'); define('HVDEF_HAVP_XMLCONF', HVDEF_WORK_DIR . '/havp_conf.xml'); @@ -238,6 +240,9 @@ function havp_deinstall() { // unlink_if_exists(HVDEF_AVUPD_SCRIPT); // unlink_if_exists(HVDEF_CLAM_PID); // unlink_if_exists(HVDEF_CLAM_SOCKET); + if (is_dir("/usr/local/share/examples/havp/")) { + mwexec("/bin/rm -rf /usr/local/share/examples/havp/"); + } umountRAMDisk(); } /* diff --git a/config/havp/havp.xml b/config/havp/havp.xml index c99bf8c4..a1484a59 100644 --- a/config/havp/havp.xml +++ b/config/havp/havp.xml @@ -212,9 +212,11 @@ <option><value>es</value><name>Spanish</name></option> <option><value>fr</value><name>French</name></option> <option><value>it</value><name>Italian</name></option> - <option><value>nf</value><name>Norf'k</name></option> + <option><value>nl</value><name>Dutch</name></option> + <option><value>pf</value><name>Norf'k</name></option> <option><value>pl</value><name>Polish</name></option> <option><value>ru</value><name>Russian</name></option> + <option><value>sv</value><name>Swedish</name></option> </options> </field> <field> diff --git a/config/vhosts/vhosts.inc b/config/vhosts/vhosts.inc index 7ac027b9..b0e2db45 100644 --- a/config/vhosts/vhosts.inc +++ b/config/vhosts/vhosts.inc @@ -27,6 +27,9 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +require_once('service-utils.inc'); + //sort array function sort_host($a, $b) { return strcmp($a["host"], $b["host"]); diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 6eceaa45..bf6a4a44 100644 
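Review bot: In havp_deinstall() the new removal targets the hardcoded `/usr/local/share/examples/havp/`, while the earlier hunk of this same commit makes the templates location release-dependent (`/usr/pbi/havp-<arch>/local/share/examples/havp/templates` on 2.1/2.2), so on those releases the `is_dir()` guard presumably makes this a no-op and only the non-PBI layout is cleaned. If that is intended, say so in a comment; otherwise derive the path from the define, e.g. `$examples = dirname(HVDEF_TEMPLATES); if (is_dir($examples)) { mwexec("/bin/rm -rf " . escapeshellarg($examples)); }`. The function body starts before this hunk.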
--- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -227,7 +227,7 @@ <website>http://www.modsecurity.org/</website> <descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr> <category>Network Management</category> - <version>0.1.7</version> + <version>0.1.8</version> <status>ALPHA</status> <required_version>2.2</required_version> <maximum_version>2.2.999</maximum_version> @@ -261,7 +261,7 @@ <ports_after>net/avahi-app devel/dbus</ports_after> </build_pbi> <depends_on_package_pbi>avahi-0.6.31-##ARCH##.pbi</depends_on_package_pbi> - <version>1.10.1</version> + <version>1.10.2</version> <status>BETA</status> <required_version>2.2</required_version> <config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file> @@ -373,7 +373,7 @@ <port_category>www</port_category> <pkginfolink>https://doc.pfsense.org/index.php/vhosts</pkginfolink> <config_file>https://packages.pfsense.org/packages/config/vhosts/vhosts.xml</config_file> - <version>0.8.1</version> + <version>0.8.2</version> <status>ALPHA</status> <required_version>2.2</required_version> <maintainer>markjcrane@gmail.com</maintainer> @@ -1201,7 +1201,7 @@ <ports_after>security/clamav</ports_after> </build_pbi> <build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options> - <version>1.08</version> + <version>1.09</version> <status>BETA</status> <required_version>2.2</required_version> <config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file> 
@@ -1397,7 +1397,7 @@ <descr>Bacula is a set of Open Source computer programs that permit managings backups, recovery, and verification of computer data across a network of computers of different kinds.</descr> <website>http://www.bacula.org/</website> <category>Services</category> - <version>1.0.9</version> + <version>1.0.11</version> <status>Stable</status> <required_version>2.2</required_version> <config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 9cd53084..382155a8 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -261,7 +261,7 @@ <website>http://www.modsecurity.org/</website> <descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr> <category>Network Management</category> - <version>0.1.6</version> + <version>0.1.8</version> <status>ALPHA</status> <required_version>2.0</required_version> <config_file>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.xml</config_file> @@ -316,7 +316,7 @@ </build_pbi> <depends_on_package>avahi-app-0.6.29_1.tbz</depends_on_package> <depends_on_package_pbi>avahi-0.6.31-i386.pbi</depends_on_package_pbi> - <version>0.6.31 pkg v1.08</version> + <version>0.6.31 pkg v1.10.2</version> <status>ALPHA</status> <required_version>1.2.3</required_version> <config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file> 
@@ -459,26 +459,6 @@ <configurationfile>vhosts.xml</configurationfile> </package> <package> - <name>snort</name> - <pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink> - <website>http://www.snort.org</website> - <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr> - <category>Security</category> - <depends_on_package_base_url>https://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>snort-2.9.7.2-i386.pbi</depends_on_package_pbi> - <build_pbi> - <port>security/snort</port> - <ports_after>security/barnyard2</ports_after> - </build_pbi> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options> - <config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file> - <version>2.9.7.2 pkg v3.2.5</version> - <required_version>2.1</required_version> - <status>Stable</status> - <configurationfile>/snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info> - </package> - <package> <name>olsrd</name> <website>http://www.olsr.org/</website> <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr> 
@@ -1397,7 +1377,7 @@ <depends_on_package_pbi>havp-0.91_1-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/havp</build_port_path> <build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options> - <version>0.91_1 pkg v1.05</version> + <version>0.91_1 pkg v1.09</version> <status>BETA</status> <required_version>1.2.2</required_version> <config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file> @@ -1614,7 +1594,7 @@ <descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr> <website>http://www.bacula.org/</website> <category>Services</category> - <version>5.2.12_3 pkg v 1.0.7</version> + <version>5.2.12_3 pkg v 1.0.11</version> <status>Stable</status> <required_version>2.0</required_version> <config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 348f9ef6..88608bff 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -248,7 +248,7 @@ <website>http://www.modsecurity.org/</website> <descr>ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.</descr> <category>Network Management</category> - <version>0.1.6</version> + <version>0.1.8</version> <status>ALPHA</status> <required_version>2.0</required_version> <config_file>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.xml</config_file> 
@@ -303,7 +303,7 @@ </build_pbi> <depends_on_package>avahi-0.6.29.tbz</depends_on_package> <depends_on_package_pbi>avahi-0.6.31-amd64.pbi</depends_on_package_pbi> - <version>0.6.31 pkg v1.08</version> + <version>0.6.31 pkg v1.10.2</version> <status>ALPHA</status> <required_version>1.2.3</required_version> <config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file> 
@@ -446,26 +446,6 @@ <configurationfile>vhosts.xml</configurationfile> </package> <package> - <name>snort</name> - <pkginfolink>https://doc.pfsense.org/index.php/Setup_Snort_Package</pkginfolink> - <website>http://www.snort.org</website> - <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr> - <category>Security</category> - <depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>snort-2.9.7.2-amd64.pbi</depends_on_package_pbi> - <build_pbi> - <port>security/snort</port> - <ports_after>security/barnyard2</ports_after> - </build_pbi> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET=PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET=PULLEDPORK FILEINSPECT HA;perl_SET=THREADS</build_options> - <config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file> - <version>2.9.7.2 pkg v3.2.5</version> - <required_version>2.1</required_version> - <status>Stable</status> - <configurationfile>/snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab first and select your desired rules. Afterwards visit the update rules tab to download your configured rules.</after_install_info> - </package> - <package> <name>olsrd</name> <website>http://www.olsr.org/</website> <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr> 
@@ -1384,7 +1364,7 @@ <depends_on_package_pbi>havp-0.91_1-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/havp</build_port_path> <build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options> - <version>0.91_1 pkg v1.05</version> + <version>0.91_1 pkg v1.09</version> <status>BETA</status> <required_version>1.2.2</required_version> <config_file>https://packages.pfsense.org/packages/config/havp/havp.xml</config_file> @@ -1601,7 +1581,7 @@ <descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr> <website>http://www.bacula.org/</website> <category>Services</category> - <version>5.2.12_3 pkg v 1.0.7</version> + <version>5.2.12_3 pkg v 1.0.11</version> <status>Stable</status> <required_version>2.0</required_version> <config_file>https://packages.pfsense.org/packages/config/bacula-client/bacula-client.xml</config_file> |