aboutsummaryrefslogtreecommitdiffstats
path: root/config/apache_mod_security-dev
diff options
context:
space:
mode:
Diffstat (limited to 'config/apache_mod_security-dev')
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc74
-rw-r--r--config/apache_mod_security-dev/apache_virtualhost.xml87
2 files changed, 93 insertions, 68 deletions
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 5d1e51bb..1ef78819 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -450,30 +450,6 @@ function generate_apache_configuration() {
#load conf template
include("/usr/local/pkg/apache_balancer.template");
- if (APACHEVERSION == 'apache22') { # Only define this here for apache22
- #check balancer members
- foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){
- if (is_array($balancer['row']) && $balancer['enable'] == 'on'){
- $balancer_config.="# {$balancer['description']}\n";
- $balancer_config.="<Proxy balancer://{$balancer['name']}>\n";
- foreach($balancer['row'] as $server){
- $options =($server['port'] ? ":{$server['port']}" : "");
- $options.=($server['routeid'] ? " route={$server['routeid']}" : "");
- $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : "");
- if (isset($server['ping']) && $server['ping']!=""){
- $options.= " ping={$server['ping']}";
- $options.=($server['ttl'] ? " ttl={$server['ttl']}" : "");
- }
- $balancer_config.=" BalancerMember {$balancer['proto']}://{$server['host']}{$options}\n";
- }
- #check if stick connections are set
- if ($balancer['row'][0]['routeid'] !="")
- $balancer_config.=" ProxySet stickysession=ROUTEID\n";
- $balancer_config.="</Proxy>\n\n";
- }
- }
- }
-
//write balancer conf
file_put_contents(APACHEDIR."/etc/" . APACHEVERSION . "/Includes/balancers.conf",$balancer_config,LOCK_EX);
}
@@ -565,10 +541,14 @@ EOF;
#check ssl
if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") {
- $vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n";
- $vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n";
+ $vh_config.= " SSLEngine on\n";
+ $vh_config.= " SSLProtocol ". ($virtualhost['ssl_protocol'] ? $virtualhost['ssl_protocol'] : "all -SSLv2") ."\n";
+ $vh_config.= " SSLProxyEngine ". ($virtualhost['ssl_proxy_engine'] ? "on" : "off") ."\n";
+ $vh_config.= " SSLProxyVerify ". ($virtualhost['ssl_proxy_verify'] ? $virtualhost['ssl_proxy_verify'] : "none") ."\n";
+ $vh_config.= " SSLCipherSuite ". ($virtualhost['ssl_cipher_suite'] ? $virtualhost['ssl_cipher_suite'] : "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL") ."\n";
+ $vh_config.= " SSLHonorCipherOrder ". ($virtualhost['ssl_honor_cipher_order'] ? "on" : "off") ."\n";
- $svr_cert = lookup_cert($virtualhost["ssl_cert"]);
+ $svr_cert = lookup_cert($virtualhost["ssl_cert"]);
if ($svr_cert != false) {
if(base64_decode($svr_cert['crt'])) {
file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX);
@@ -589,7 +569,7 @@ EOF;
file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($cli_ca['crt']),LOCK_EX);
$vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt\n";
}
- }
+ }
#Custom Options
$vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n";
@@ -599,28 +579,26 @@ EOF;
$backend=$apache_location[$be['location']];
$vh_config.="# {$backend['name']}\n";
- if (APACHEVERSION == 'apache24') { # Only define this here for apache24
- foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){
- if (is_array($balancer['row']) && $balancer['enable'] == 'on' && $balancer['name'] == $backend['balancer']){
- $vh_config.="# {$balancer['description']}\n";
- $vh_config.=" <Proxy balancer://{$balancer['name']}>\n";
- foreach($balancer['row'] as $balancer_server){
- $balancer_options =($balancer_server['port'] ? ":{$balancer_server['port']}" : "");
-
- $balancer_options.=($balancer_server['routeid'] ? " route={$balancer_server['routeid']}" : "");
- $balancer_options.=($balancer_server['loadfactor'] ? " loadfactor={$balancer_server['loadfactor']}" : "");
- if (isset($balancer_server['ping']) && $balancer_server['ping']!=""){
- $balancer_options.= " ping={$balancer_server['ping']}";
- $balancer_options.=($server['ttl'] ? " ttl={$balancer_server['ttl']}" : "");
- }
- $vh_config.=" BalancerMember {$balancer['proto']}://{$balancer_server['host']}{$balancer_options}\n";
+ foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){
+ if (is_array($balancer['row']) && $balancer['enable'] == 'on' && $balancer['name'] == $backend['balancer']){
+ $vh_config.="# {$balancer['description']}\n";
+ $vh_config.=" <Proxy balancer://{$balancer['name']}>\n";
+ foreach($balancer['row'] as $balancer_server){
+ $balancer_options =($balancer_server['port'] ? ":{$balancer_server['port']}" : "");
+
+ $balancer_options.=($balancer_server['routeid'] ? " route={$balancer_server['routeid']}" : "");
+ $balancer_options.=($balancer_server['loadfactor'] ? " loadfactor={$balancer_server['loadfactor']}" : "");
+ if (isset($balancer_server['ping']) && $balancer_server['ping']!=""){
+ $balancer_options.= " ping={$balancer_server['ping']}";
+ $balancer_options.=($server['ttl'] ? " ttl={$balancer_server['ttl']}" : "");
}
- #check if stick connections are set
- if ($balancer['row'][0]['routeid'] !="")
- $vh_config.=" ProxySet stickysession=ROUTEID\n";
- $vh_config.=" </Proxy>\n\n";
- break;
+ $vh_config.=" BalancerMember {$balancer['proto']}://{$balancer_server['host']}{$balancer_options}\n";
}
+ #check if stick connections are set
+ if ($balancer['row'][0]['routeid'] !="")
+ $vh_config.=" ProxySet stickysession=ROUTEID\n";
+ $vh_config.=" </Proxy>\n\n";
+ break;
}
}
diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml
index 8558c490..ca448cd2 100644
--- a/config/apache_mod_security-dev/apache_virtualhost.xml
+++ b/config/apache_mod_security-dev/apache_virtualhost.xml
@@ -257,6 +257,72 @@
<type>input</type>
</field>
<field>
+ <fielddescr>
+ <![CDATA[Location(s)]]>
+ </fielddescr>
+ <fieldname>locations</fieldname>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr><![CDATA[Location]]></fielddescr>
+ <fieldname>location</fieldname>
+ <description>Server Location</description>
+ <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source>
+ <source_name>name</source_name>
+ <source_value>name</source_value>
+ <show_disable_value>none</show_disable_value>
+ <type>select_source</type>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ <field>
+ <name>SSL Environment</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>SSL Protocol</fielddescr>
+ <fieldname>ssl_protocol</fieldname>
+ <size>50</size>
+ <description><![CDATA[Enter the SSL protocol versions allowed (default: all -SSLv2)]]></description>
+ <type>input</type>
+ <default_value>all -SSLv2</default_value>
+ </field>
+ <field>
+ <fielddescr>SSL Cipher Suite</fielddescr>
+ <fieldname>ssl_cipher_suite</fieldname>
+ <size>50</size>
+ <description><![CDATA[Configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. (default: ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL)]]></description>
+ <type>input</type>
+ <default_value>ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL</default_value>
+ </field>
+ <field>
+ <fielddescr>SSL Honor Cipher Order</fielddescr>
+ <fieldname>ssl_honor_cipher_order</fieldname>
+ <description><![CDATA[Forces the server's preferences to be used in a SSLv3/TLSv1 handshake (default: off)]]></description>
+ <default_value>off</default_value>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>SSL Proxy Engine</fielddescr>
+ <fieldname>ssl_proxy_engine</fieldname>
+ <description><![CDATA[Enables the SSL proxy engine for the current virtualhost (default: on)]]></description>
+ <default_value>on</default_value>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>SSL Proxy Verify</fielddescr>
+ <fieldname>ssl_proxy_verify</fieldname>
+ <description><![CDATA[When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server. ]]></description>
+ <type>select</type>
+ <options>
+ <option><name>None</name><value>none</value></option>
+ <option><name>Optional (remote server MAY present a valid certificate)</name><value>optional</value></option>
+ <option><name>Require (remote server HAS to present a valid certificate)</name><value>require</value></option>
+ <option><name>Optional, without CA (remote server may present a valid certificate, but it need not be (successfully) verifiable)</name><value>optional_no_ca</value></option>
+ </options>
+ <default_value>none</default_value>
+ </field>
+ <field>
<fielddescr>HTTPS SSL certificate</fielddescr>
<fieldname>ssl_cert</fieldname>
<description>Choose the SSL Server Certificate here.</description>
@@ -287,25 +353,6 @@
<show_disable_value>none</show_disable_value>
</field>
<field>
- <fielddescr>
- <![CDATA[Location(s)]]>
- </fielddescr>
- <fieldname>locations</fieldname>
- <type>rowhelper</type>
- <rowhelper>
- <rowhelperfield>
- <fielddescr><![CDATA[Location]]></fielddescr>
- <fieldname>location</fieldname>
- <description>Server Location</description>
- <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source>
- <source_name>name</source_name>
- <source_value>name</source_value>
- <show_disable_value>none</show_disable_value>
- <type>select_source</type>
- </rowhelperfield>
- </rowhelper>
- </field>
- <field>
<name>Logging</name>
<type>listtopic</type>
</field>
@@ -315,7 +362,7 @@
<description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description>
<type>checkbox</type>
</field>
- <field>
+ <field>
<fielddescr>Log file</fielddescr>
<fieldname>logfile</fieldname>
<description><![CDATA[Enable access and error log for this virtual host.]]></description>