Diffstat (limited to 'config/apache_mod_security-dev')
-rw-r--r--config/apache_mod_security-dev/apache.template74
-rwxr-xr-xconfig/apache_mod_security-dev/apache_balancer.xml105
-rw-r--r--config/apache_mod_security-dev/apache_location.xml237
-rw-r--r--config/apache_mod_security-dev/apache_logs_data.php2
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc355
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.template10
-rw-r--r--config/apache_mod_security-dev/apache_mod_security_groups.xml30
-rw-r--r--config/apache_mod_security-dev/apache_mod_security_manipulation.xml3
-rw-r--r--config/apache_mod_security-dev/apache_mod_security_settings.xml33
-rwxr-xr-xconfig/apache_mod_security-dev/apache_mod_security_sync.xml26
-rwxr-xr-xconfig/apache_mod_security-dev/apache_mod_security_view_logs.php2
-rw-r--r--config/apache_mod_security-dev/apache_settings.xml65
-rw-r--r--config/apache_mod_security-dev/apache_view_logs.php9
-rw-r--r--config/apache_mod_security-dev/apache_virtualhost.xml212
-rwxr-xr-xconfig/apache_mod_security-dev/pkg_apache.inc11
15 files changed, 806 insertions, 368 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template
index 69ffb9c7..ab981a9e 100644
--- a/config/apache_mod_security-dev/apache.template
+++ b/config/apache_mod_security-dev/apache.template
@@ -4,69 +4,8 @@
if(file_exists( APACHEDIR ."/libexec/apache22/mod_memcache.so"))
$mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n";
}
-
-/*
-<IfModule mod_security2.c>
-
-
- # Turn the filtering engine On or Off
- SecFilterEngine On
-
- # XXX Add knobs for these
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess On
-
- SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
- SecRequestBodyLimit {$secrequestbodylimit}
-
- {$mod_security_custom}
-
- SecResponseBodyMimeTypesClear
- SecResponseBodyMimeType (null) text/plain text/html text/css text/xml
-
- # XXX Add knobs for these
- SecUploadDir /var/spool/apache/private
- SecUploadKeepFiles Off
-
- # The audit engine works independently and
- # can be turned On of Off on the per-server or
- # on the per-directory basis
- SecAuditEngine {$secauditengine}
-
- # XXX Add knobs for these
- # Make sure that URL encoding is valid
- SecFilterCheckURLEncoding On
-
- # XXX Add knobs for these
- # Unicode encoding check
- SecFilterCheckUnicodeEncoding On
-
- # XXX Add knobs for these
- # Only allow bytes from this range
- SecFilterForceByteRange 1 255
-
- # Help prevent the effects of a Slowloris-type of attack
- # $secreadstatelimit
-
- # Cookie format checks.
- SecFilterCheckCookieFormat On
-
- # The name of the audit log file
- SecAuditLog logs/audit_log
-
- #http-guardian Anti-dos protection
- {$SecGuardianLog}
-
- # Should mod_security inspect POST payloads
- SecFilterScanPOST On
-
- # Include rules from rules/ directory
- {$mod_security_rules}
-
-</IfModule>
-
-*/
+ if($mods_settings['enablemodsecurity']=="on")
+ $mod_security_module= "LoadModule security2_module libexec/apache22/mod_security2.so\n";
$apache_dir=APACHEDIR;
$apache_config = <<<EOF
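Review bot: `$mod_security_module` is assigned only when `enablemodsecurity` is `on`, but the heredoc interpolates `{$mod_security_module}` unconditionally, so with ModSecurity disabled the template reads an undefined variable. Set a default before the test, `$mod_security_module = "";`, and brace the `if` to match the `file_exists` block above it. The test also depends on `$mods_settings` being defined by the including script before this template is loaded; a one-line comment here should say so.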
@@ -176,7 +115,7 @@ LoadModule status_module libexec/apache22/mod_status.so
LoadModule autoindex_module libexec/apache22/mod_autoindex.so
LoadModule asis_module libexec/apache22/mod_asis.so
LoadModule info_module libexec/apache22/mod_info.so
-LoadModule cgi_module libexec/apache22/mod_cgi.so
+#LoadModule cgi_module libexec/apache22/mod_cgi.so
LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache22/mod_negotiation.so
LoadModule dir_module libexec/apache22/mod_dir.so
@@ -188,6 +127,7 @@ LoadModule alias_module libexec/apache22/mod_alias.so
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so
{$mod_mem_cache}
+{$mod_security_module}
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
@@ -564,9 +504,13 @@ AcceptFilter https none
# Proxysettings
{$mod_proxy}
+# Mod status
+{$mod_status}
+
+
# Include anything else
Include etc/apache22/Includes/*.conf
EOF;
-?> \ No newline at end of file
+?>
diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml
index b3acba57..5e02f9d4 100755
--- a/config/apache_mod_security-dev/apache_balancer.xml
+++ b/config/apache_mod_security-dev/apache_balancer.xml
@@ -75,7 +75,12 @@
<active/>
</tab>
<tab>
- <text>Virutal Hosts</text>
+ <text>Location(s)</text>
+ <url>/pkg.php?xml=apache_location.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Virtual Hosts</text>
<url>/pkg.php?xml=apache_virtualhost.xml</url>
<tab_level>2</tab_level>
</tab>
@@ -103,23 +108,24 @@
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
</columnitem>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
- <name>apache Reverse Peer Mappings</name>
+ <name>Apache Reverse Peer Mappings</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Enable</fielddescr>
<fieldname>enable</fieldname>
- <description>If this field is checked, then this server poll will be available for virtual hosts config.</description>
+ <description>If this field is checked, then this server pool will be available for Virtual Hosts configuration.</description>
<type>checkbox</type>
</field>
<field>
<fielddescr>Balancer name</fielddescr>
<fieldname>name</fieldname>
- <description><![CDATA[Name to identify this peer on apache conf<br>
- example: www_site1]]></description>
+ <description><![CDATA[Name to identify this peer in Apache configuration<br>
+ Example: www_site1]]></description>
<type>input</type>
<size>20</size>
</field>
@@ -133,61 +139,66 @@
<field>
<fielddescr>Protocol</fielddescr>
<fieldname>proto</fieldname>
- <description><![CDATA[Protocol listening on this internal server(s) port.]]></description>
+ <description><![CDATA[Protocol used on the internal server(s).]]></description>
<type>select</type>
- <options>
- <option> <name>HTTP</name> <value>http</value> </option>
- <option> <name>HTTPS</name> <value>https</value> </option>
- </options>
+ <options>
+ <option> <name>HTTP</name> <value>http</value> </option>
+ <option> <name>HTTPS</name> <value>https</value> </option>
+ </options>
</field>
-<field>
- <fielddescr>
- <![CDATA[Internal Servers]]>
- </fielddescr>
+ <field>
+ <name><![CDATA[Internal Server(s)]]></name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr><![CDATA[Internal Servers]]></fielddescr>
<fieldname>additionalparameters</fieldname>
- <type>rowhelper</type>
- <rowhelper>
+ <type>rowhelper</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <movable>on</movable>
+ <rowhelper>
<rowhelperfield>
- <fielddescr>fqdn or ip</fielddescr>
- <fieldname>host</fieldname>
- <description>Internal site IP or Hostnamesite</description>
- <type>input</type>
- <size>20</size>
+ <fielddescr>FQDN or IP Address</fielddescr>
+ <fieldname>host</fieldname>
+ <description>Internal site IP or site hostname</description>
+ <type>input</type>
+ <size>27</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>port</fielddescr>
- <fieldname>port</fieldname>
- <description>Internal site port</description>
- <type>input</type>
- <size>4</size>
+ <fielddescr>Port</fielddescr>
+ <fieldname>port</fieldname>
+ <description>Internal site port</description>
+ <type>input</type>
+ <size>5</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>routeid</fielddescr>
- <fieldname>routeid</fieldname>
- <description>id to define stick connections</description>
- <type>input</type>
- <size>4</size>
+ <fielddescr>Route ID</fielddescr>
+ <fieldname>routeid</fieldname>
+ <description>ID to define sticky connections</description>
+ <type>input</type>
+ <size>6</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>weight</fielddescr>
- <fieldname>loadfactor</fieldname>
- <description>Server weight</description>
- <type>input</type>
- <size>4</size>
+ <fielddescr>Weight</fielddescr>
+ <fieldname>loadfactor</fieldname>
+ <description>Server weight</description>
+ <type>input</type>
+ <size>4</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>ping</fielddescr>
- <fieldname>ping</fieldname>
- <description>Server ping test interval</description>
- <type>input</type>
- <size>4</size>
+ <fielddescr>Ping</fielddescr>
+ <fieldname>ping</fieldname>
+ <description>Server ping test interval</description>
+ <type>input</type>
+ <size>6</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>ttl</fielddescr>
- <fieldname>ttl</fieldname>
- <description>Server pint ttl</description>
- <type>input</type>
- <size>4</size>
+ <fielddescr>TTL</fielddescr>
+ <fieldname>ttl</fieldname>
+ <description>Server ping TTL</description>
+ <type>input</type>
+ <size>6</size>
</rowhelperfield>
</rowhelper>
</field>
@@ -196,4 +207,4 @@
<custom_php_resync_config_command>
apache_mod_security_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/apache_mod_security-dev/apache_location.xml b/config/apache_mod_security-dev/apache_location.xml
new file mode 100644
index 00000000..ea957f43
--- /dev/null
+++ b/config/apache_mod_security-dev/apache_location.xml
@@ -0,0 +1,237 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ apache_location.xml
+ part of apache_mod_security package (http://www.pfSense.com)
+ Copyright (C)2012 Marcello Coutinho
+ Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com>
+ All rights reserved.
+*/
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form MUST reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ========================================================================== */
+]]>
+ </copyright>
+ <name>apachelocation</name>
+ <version>1.0</version>
+ <title>Apache reverse proxy: Locations</title>
+
+ <tabs>
+ <tab>
+ <text>Apache</text>
+ <url>/pkg_edit.php?xml=apache_settings.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>ModSecurity</text>
+ <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url>
+ </tab>
+ <tab>
+ <text>Daemon Options</text>
+ <url>/pkg_edit.php?xml=apache_settings.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Backends / Balancers</text>
+ <url>/pkg.php?xml=apache_balancer.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Location(s)</text>
+ <url>/pkg.php?xml=apache_location.xml</url>
+ <active/>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Virtual Hosts</text>
+ <url>/pkg.php?xml=apache_virtualhost.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Logs</text>
+ <url>/apache_view_logs.php</url>
+ <tab_level>2</tab_level>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <movable>on</movable>
+ <columnitem>
+ <fielddescr>Identifier</fielddescr>
+ <fieldname>name</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Compress</fielddescr>
+ <fieldname>compress</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Site Path</fielddescr>
+ <fieldname>sitepath</fieldname>
+ <listmodeoff>/</listmodeoff>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Balancer</fielddescr>
+ <fieldname>balancer</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>LB Method</fielddescr>
+ <fieldname>lbmethod</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Backendpath</fielddescr>
+ <fieldname>backendpath</fieldname>
+ <listmodeoff>/</listmodeoff>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Modsecurity</fielddescr>
+ <fieldname>modsecgroup</fieldname>
+ <listmodeoff>None</listmodeoff>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Rule Manipulation</fielddescr>
+ <fieldname>modsecmanipulation</fieldname>
+ <listmodeoff>None</listmodeoff>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Location Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr><![CDATA[Identifier]]></fielddescr>
+ <fieldname>name</fieldname>
+ <description><![CDATA[Location name/identifier.]]></description>
+ <type>input</type>
+ <required/>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr><![CDATA[gzip?]]></fielddescr>
+ <fieldname>compress</fieldname>
+ <description>Compress data to save bandwidth?</description>
+ <type>select</type>
+ <options>
+ <option><name>yes</name><value>yes</value></option>
+ <option><name>no</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr><![CDATA[Site Path]]></fielddescr>
+ <fieldname>sitepath</fieldname>
+ <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description>
+ <type>input</type>
+ <size>30</size>
+ </field>
+ <field>
+ <fielddescr><![CDATA[Balancer]]></fielddescr>
+ <fieldname>balancer</fieldname>
+ <description>Server balancer / pool</description>
+ <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source>
+ <source_name>name</source_name>
+ <source_value>name</source_value>
+ <show_disable_value>none</show_disable_value>
+ <type>select_source</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LB Method</a>]]></fielddescr>
+ <fieldname>lbmethod</fieldname>
+ <description>Server balance method</description>
+ <type>select</type>
+ <options>
+ <option><name>byrequests</name><value>byrequests</value></option>
+ <option><name>bytraffic</name><value>bytraffic</value></option>
+ <option><name>bybusyness</name><value>bybusyness</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Backend Path</fielddescr>
+ <fieldname>backendpath</fieldname>
+ <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description>
+ <type>input</type>
+ <size>30</size>
+ </field>
+ <field>
+ <fielddescr><![CDATA[ModSecurity]]></fielddescr>
+ <fieldname>modsecgroup</fieldname>
+ <description>Choose ModSecurity group to use on this virtual host.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source>
+ <source_name>name</source_name>
+ <source_value>name</source_value>
+ <show_disable_value>none</show_disable_value>
+ </field>
+ <field>
+ <fielddescr><![CDATA[Manipulations]]></fielddescr>
+ <fieldname>modsecmanipulation</fieldname>
+ <description>Choose Modsecurity group to use on this virtual host.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source>
+ <source_name>name</source_name>
+ <source_value>name</source_value>
+ <show_disable_value>none</show_disable_value>
+ </field>
+ <field>
+ <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>&nbsp;&nbsp;Balancer options</a>]]></fielddescr>
+ <fieldname>options</fieldname>
+ <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description>
+ <type>input</type>
+ <size>30</size>
+ </field>
+ <field>
+ <name>Custom Location Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Custom Options</fielddescr>
+ <fieldname>custom</fieldname>
+ <description><![CDATA[Pass extra Apache config for this Location. This is useful for SSLRequire rules for example.]]></description>
+ <type>textarea</type>
+ <cols>90</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ <dontdisplayname/>
+ <usecolspan2/>
+ </field>
+ </fields>
+ <service>
+ <name>apache_mod_security</name>
+ <rcfile>apache_mod_security.sh</rcfile>
+ <executable>httpd</executable>
+ </service>
+ <custom_php_resync_config_command>
+ apache_mod_security_resync();
+ </custom_php_resync_config_command>
+ <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
+</packagegui>
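Review bot: This new package page declares no validation hook, yet `name`, `sitepath` and `backendpath` are free-text inputs that apache_mod_security.inc writes straight into the `# {$backend['name']}`, `<Location …>` and `ProxyPass` lines, so a newline or `>` in any of them changes the structure of the generated Apache configuration. Add a `<custom_php_validation_command>` that rejects whitespace and control characters in the two paths and restricts `name` to a safe character set; the handler itself would live in the include file, which this hunk does not show. The `modsecmanipulation` description repeats the group text, and both descriptions say "virtual host" on a Location page; `Choose ModSecurity rule manipulation to use on this location.` would match the field.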
diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php
index 256ff144..fdcc04b0 100644
--- a/config/apache_mod_security-dev/apache_logs_data.php
+++ b/config/apache_mod_security-dev/apache_logs_data.php
@@ -92,7 +92,7 @@ if ($_GET) {
// Apply filter and color
if ($filter != "")
$line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line);
- $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n";
+ $agent_info="onmouseover=\"jQuery('#browserinfo').empty().html('{$line[13]}');\"\n";
echo "<tr valign=\"top\" $agent_info>\n";
echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[5]}({$line[6]})</td>\n";
echo "<td class=\"listr\" align=\"center\">{$line[1]}</td>\n";
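Review bot: The changed `onmouseover` line still interpolates the raw log field `{$line[13]}` into a single-quoted JavaScript string inside an HTML attribute and passes it to `.html()`, so a log entry containing a quote or markup (presumably the client's User-Agent, which the requester controls) would run script in the administrator's session when the row is hovered. Encode for each context and use a text sink, e.g. `$agent_info="onmouseover=\"jQuery('#browserinfo').text(".htmlspecialchars(json_encode($line[13]),ENT_QUOTES).");\"\n";`; the filter highlight inserted just above would then appear as literal text in the tooltip. The `{$line[5]}`, `{$line[6]}` and `{$line[1]}` cells below are echoed unescaped as well and should go through `htmlspecialchars()`. The enclosing loop starts and ends outside this hunk.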
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index fb83f9a6..31be95cf 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -3,7 +3,8 @@
apache_mod_security.inc
part of apache_mod_security package (http://www.pfSense.com)
Copyright (C) 2009, 2010 Scott Ullrich
- Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2012-2013 Marcello Coutinho
+ Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com>
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -28,6 +29,7 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+$shortcut_section = "apache";
// Check to find out on which system the package is running
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
if ($pf_version > 2.0)
@@ -35,9 +37,9 @@ if ($pf_version > 2.0)
else
define('APACHEDIR', '/usr/local');
// End of system check
-define ('MODSECURITY_DIR','modsecurity-crs_2.2.5');
+define ('MODSECURITY_DIR','crs');
// Rules directory location
-define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR);
+define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR);
function apache_textarea_decode($base64){
return preg_replace("/\r\n/","\n",base64_decode($base64));
}
@@ -57,10 +59,6 @@ function apache_get_real_interface_address($iface) {
// Ensure NanoBSD can write. pkg_mgr will remount RO
conf_mount_rw();
-// Needed mod_security directories
-if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR))
- safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR);
-
// Startup function
function apache_mod_security_start() {
exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start");
@@ -127,24 +125,179 @@ function apache_mod_security_resync() {
global $config, $g;
apache_mod_security_install();
$dirs=array("base", "experimental","optional", "slr");
- if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE"))
- exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR);
+ log_error("apache_mod_security_package: configuration resync is starting.");
+ if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")){
+ exec ("/usr/local/bin/git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".APACHEDIR."/".MODSECURITY_DIR);
+ //chdir (APACHEDIR."/".MODSECURITY_DIR);
+ //exec ("/usr/local/bin/git checkout -q 2.2.8");
+ }
$write_config=0;
foreach ($dirs as $dir){
if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) {
- $write_config++;
- $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array();
- while (false !== ($entry = readdir($handle))) {
- if (preg_match("/(\S+).conf/",$entry,$matches))
- $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]);
- }
- closedir($handle);
+ $write_config++;
+ $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array();
+ while (false !== ($entry = readdir($handle))) {
+ if (preg_match("/(\S+).conf$/",$entry,$matches))
+ $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]);
+ }
+ closedir($handle);
}
}
if ($write_config > 0)
write_config();
apache_mod_security_checkconfig();
apache_mod_security_restart();
+ log_error("apache_mod_security_package: configuration resync is ending.");
+
+ if (is_array($config['installedpackages']['apachesync']['config'])){
+ $apache_sync = $config['installedpackages']['apachesync']['config'][0];
+ $synconchanges = $apache_sync['synconchanges'];
+ $synctimeout = $apache_sync['synctimeout'];
+ switch ($synconchanges){
+ case "manual":
+ if (is_array($apache_sync[row])){
+ $rs = $apache_sync[row];
+ } else {
+ log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no hosts to push on apache config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x
+ $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ } else if (is_array($config['hasync'])) { // pfSense 2.1
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ } else {
+ log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no system backup hosts to push apache config.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ }
+ if (is_array($rs)){
+ foreach($rs as $sh){
+ $sync_to_ip = $sh['ipaddress'];
+ $password = $sh['password'];
+ if ($sh['username'])
+ $username = $sh['username'];
+ else
+ $username = 'admin';
+ if ($password && $sync_to_ip)
+ apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+ }
+ }
+}
+
+// Do the actual XMLRPC Sync
+function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+ global $config, $g;
+
+ if(!$username)
+ return;
+
+ if(!$password)
+ return;
+
+ if(!$sync_to_ip)
+ return;
+
+ if(!$synctimeout)
+ $synctimeout=25;
+
+ $xmlrpc_sync_neighbor = $sync_to_ip;
+ if($config['system']['webgui']['protocol'] != "") {
+ $synchronizetoip = $config['system']['webgui']['protocol'];
+ $synchronizetoip .= "://";
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http")
+ $port = "80";
+ else
+ $port = "443";
+ }
+ $synchronizetoip .= $sync_to_ip;
+
+ /* xml will hold the sections to sync */
+ $xml = array();
+ $xml['apachesettings'] = $config['installedpackages']['apachesettings'];
+ $xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity'];
+ $xml['apachemodsecuritysettings'] = $config['installedpackages']['apachemodsecuritysettings'];
+ $xml['apachebalancer'] = $config['installedpackages']['apachebalancer'];
+ $xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost'];
+ $xml['apachelisten'] = $config['installedpackages']['apachelisten'];
+
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($xml)
+ );
+
+ /* set a few variables needed for sync code borrowed from filter.inc */
+ $url = $synchronizetoip;
+ log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}.");
+ $method = 'pfsense.merge_installedpackages_section_xmlrpc';
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ if($g['debug'])
+ $cli->setDebug(1);
+ /* send our XMLRPC message and timeout after defined sync timeout value*/
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}.";
+ log_error($error);
+ file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
+ } else {
+ log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
+
+ /* tell apache_mod_security to reload our settings on the destination sync host. */
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/pkg/apache_mod_security.inc');\n";
+ $execcmd .= "apache_mod_security_resync();";
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($execcmd)
+ );
+
+ log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error($error);
+ file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
+ } else {
+ log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ }
+
+
}
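Review bot: The `git clone` in apache_mod_security_resync() takes the CRS from the head of the default branch, with the version checkout commented out and the exit status unchecked, so the rule set the WAF loads depends on whatever upstream holds at resync time. Pin the fetch to a reviewed release and test the result, e.g. `exec("/usr/local/bin/git clone --branch 2.2.8 --depth 1 https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".escapeshellarg(APACHEDIR."/".MODSECURITY_DIR), $out, $rc);` followed by `if ($rc != 0) { log_error(...); return; }`; verifying a known commit hash after the clone would be stronger than a tag. Separately, apache_mod_security_do_xmlrpc_sync() builds the peer URL from the local `webgui` protocol, so with `http` the admin password travels in cleartext in both `setCredentials()` and the payload, and on a fault the message is re-sent with `setDebug(1)`, which repeats the push and may print that payload. The `$xml` array also omits `apachelocation`, `apachemodsecuritygroups` and `apachemodsecuritymanipulation`, so the peer would presumably resync without the locations its virtual hosts reference.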
function apache_mod_security_checkconfig() {
@@ -198,7 +351,9 @@ function generate_apache_configuration() {
file_notice("apache_mod_security", $error, "apache_mod_security", "");
}
// Set global listening directive and ensure nothing is listening on this port already
- $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*");
+ $iface_address = apache_get_real_interface_address($settings['globalbindtoipaddr']);
+ $ip=$iface_address[0];
+ $globalbind_ip = ($ip ? $ip : "*");
$globalbind_port = $settings['globalbindtoport'];
if ($globalbind_port == ""){
$globalbind_port ="80";
@@ -230,7 +385,8 @@ function generate_apache_configuration() {
//performance settings
//reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html
- $performance_settings="KeepAlive {$settings['keepalive']}\n";
+ $keepalive=($settings['keepalive']?$settings['keepalive']:"on");
+ $performance_settings="KeepAlive {$keepalive}\n";
if ($settings['maxkeepalivereq'])
$performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n";
if ($settings['keepalivetimeout'])
@@ -296,7 +452,7 @@ function generate_apache_configuration() {
$options.=($server['routeid'] ? " route={$server['routeid']}" : "");
$options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : "");
- if (isset($server['ping'])){
+ if (isset($server['ping']) && $server['ping']!=""){
$options.= " ping={$server['ping']}";
$options.=($server['ttl'] ? " ttl={$server['ttl']}" : "");
}
@@ -311,8 +467,50 @@ function generate_apache_configuration() {
//write balancer conf
file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX);
}
-
+
+ // configure modsecurity group options
+ //chroot apache http://forums.freebsd.org/showthread.php?t=6858
+ if (is_array($config['installedpackages']['apachemodsecuritygroups'])){
+ unset($mods_group);
+ foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
+ //RULES_DIRECTORY
+ foreach (split(",",$mods_groups['baserules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['optionalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['slrrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['experimentalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n";
+ }
+ }
+ }
+ //print "<PRE>";
+ //var_dump($mods_group);
+
+ //mod_security settings
+ if (is_array($config['installedpackages']['apachemodsecuritysettings'])){
+ $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
+
+ if ($mods_settings['crs10']=="" && file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){
+ $config['installedpackages']['apachemodsecuritysettings']['config'][0]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example'));
+ write_config("modsecurity - Load crs 10 default setup file.");
+ }
+
+ $cr10_setup="Include ".RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf\n";
+ file_put_contents(RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][0]['crs10']),LOCK_EX);
+ }
+ // create location(s) array
+ if (is_array($config['installedpackages']['apachelocation'])){
+ foreach ($config['installedpackages']['apachelocation']['config'] as $location)
+ $apache_location[$location['name']]=$location;
+ }
//configure virtual hosts
+ $namevirtualhosts=array();
+ $namevirtualhosts[0]=$global_listen;
if (is_array($config['installedpackages']['apachevirtualhost'])){
$vh_config= <<<EOF
##################################################################################
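Review bot: The CRS setup file is written from `$config['installedpackages']['apachemodsecuritygroups']['config'][0]['crs10']`, but the default a few lines earlier is stored under `apachemodsecuritysettings`, so unless the groups page also carries a `crs10` field (not visible here) `modsecurity_crs_10_setup.conf` is written empty and the rule set runs without its setup. Read the section that was populated: `file_put_contents(RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritysettings']['config'][0]['crs10']),LOCK_EX);`. In the group loops, `split(",", "")` returns one empty element, so a group with no rules selected in a category emits `Include …/base_rules/.conf`, which would presumably stop Apache from starting; skip empty names and prefer `explode()`, since `split()` is deprecated. generate_apache_configuration() starts and ends outside this hunk.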
@@ -332,6 +530,9 @@ EOF;
$iface_address = apache_get_real_interface_address($virtualhost['interface']);
$ip=$iface_address[0];
$port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]);
+ if (!in_array("{$ip}:{$port}",$namevirtualhosts))
+ $namevirtualhosts[]="{$ip}:{$port}";
+
$vh_config.="# {$virtualhost['description']}\n";
$vh_config.="<VirtualHost {$ip}:{$port}>\n";
$vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n";
@@ -378,23 +579,31 @@ EOF;
$vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n";
#Check virtualhost locations
- foreach ($virtualhost['row'] as $backend){
- $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n";
- $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n";
- $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
- if ($backend['compress']== "no")
- $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n";
- if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){
- foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
- if ($backend['modsecmanipulation'] == $manipulation['name']){
- if (is_array($manipulation['row']))
- foreach ($manipulation['row'] as $secrule)
- $vh_config.=" {$secrule['type']} {$secrule['value']}\n";
+ foreach ($virtualhost['row'] as $be){
+ if ($be['location'] != "none"){
+ $backend=$apache_location[$be['location']];
+ $vh_config.="# {$backend['name']}\n";
+ $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n";
+ $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n";
+ $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
+ if ($backend['compress']== "no")
+ $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n";
+ if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
+ $vh_config.=$mods_group[$backend['modsecgroup']];
+ }
+ if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){
+ foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
+ if ($backend['modsecmanipulation'] == $manipulation['name']){
+ if (is_array($manipulation['row']))
+ foreach ($manipulation['row'] as $secrule)
+ $vh_config.=" {$secrule['type']} {$secrule['value']}\n";
+ }
}
}
- }
- $vh_config.=" </Location>\n\n";
+ $vh_config.= apache_textarea_decode($backend['custom'])."\n\n";
+ $vh_config.=" </Location>\n\n";
}
+ }
$vh_config.="</VirtualHost>\n";
}
}
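Review bot: `$backend=$apache_location[$be['location']];` is used without checking that the named location still exists, so a row pointing at a renamed or deleted location (or an older row with no `location` key, which also passes the `!= "none"` test) produces a `<Location />` block with `ProxyPass balancer://` and no balancer name. `$apache_location` itself is only assigned when `apachelocation` is an array. Guarding the branch with `if ($be['location'] != "none" && isset($apache_location[$be['location']])){` keeps a dangling reference from turning into a catch-all location that carries none of the intended mod_security group rules. The values interpolated below (`sitepath`, `balancer`, `backendpath`, `{$secrule['type']} {$secrule['value']}`) go into httpd.conf as typed, so rejecting newlines in them at save time would be a worthwhile follow-up.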
@@ -404,7 +613,7 @@ EOF;
// check/fix perl version on mod_security util files
$perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl");
foreach ($perl_files as $perl_file){
- $file_path=rules_directory."/util/";
+ $file_path=RULES_DIRECTORY."/util/";
if (file_exists($file_path.$perl_file)){
$script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file));
file_put_contents($file_path.$perl_file,$script,LOCK_EX);
@@ -421,12 +630,8 @@ EOF;
}
}
- //mod_security settings
- if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){
- $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
- if ($mods_settings!="")
- $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\"";
- }
+ if ($mods_settings!="")
+ $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\"";
//fix http-guardian.pl block bins
//$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib;
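Review bot: `if ($mods_settings!="")` only tests that a settings record exists, not that mod_security is switched on, while the rest of this commit gates on `$mods_settings['enablemodsecurity']=="on"`. After this move `$mods_settings` is also unset whenever `apachemodsecuritysettings` is not an array, so the comparison runs on an undefined variable. I would write `if (is_array($mods_settings) && $mods_settings['enablemodsecurity']=="on")` so the piped `SecGuardianLog` program is configured only when the module is enabled. The directive points at `util/httpd-guardian`, whereas the script listed for the perl path fix-up is `httpd-guardian.pl`; confirm which name exists on disk.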
@@ -480,51 +685,44 @@ EOF;
// Read already configured addresses
if (is_array($settings['row'])){
foreach($settings['row'] as $row) {
- if ($row['ipaddress'] && $row['ipport'])
+ if ($row['interface'] && $row['ipport'])
$configuredaliases[] = $row;
}
}
// clear list of bound addresses before updating
$config['installedpackages']['apachesettings']['config'][0]['row'] = array();
-
// Process proxy sites
// Configure NameVirtualHost directives
$aliases = "";
- $processed = array();
- if(is_array($config['installedpackages']['apachemodsecurity'])) {
- foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) {
- if($ams['ipaddress'] && $ams['port'])
- $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}";
- else
- $local_ip_port = $global_listen;
- // Do not add entries twice.
- if(!in_array($local_ip_port, $processed)) {
- // explicit bind if not global ip:port
- if ($local_ip_port != $global_listen) {
- $aliases .= "Listen $local_ip_port\n";
- // Automatically add this to configuration
- $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']);
- }
- $mod_proxy .= "NameVirtualHost $local_ip_port\n";
- $processed[] = $local_ip_port;
- }
+ //add NameVirtualHost and listening entries to configured virtualhosts
+ foreach ($namevirtualhosts as $namevirtualhost){
+ // explicit bind if not global ip:port
+ if ($namevirtualhost != $global_listen) {
+ $mod_proxy .= "NameVirtualHost {$namevirtualhost}\n";
+ $aliases .= "Listen $namevirtualhost\n";
+ // Automatically add this to configuration
+ $aplisten=split(":",$namevirtualhost);
+ $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $aplisten[0], 'ipport' => $aplisten[1]);
}
}
+ // Process Status Page
+ $mod_status = "";
+ if ($settings['statuspage'] == "on") {
+ if($settings['extendedstatuspage']== "on"){
+ $extendedstatus="ExtendedStatus On";
+ }
+ $mod_status .= <<<EOF
+{$extendedstatus}
+<Location /server-status>
+ SetHandler server-status
+ Order Deny,Allow
+ Deny from all
-//** Uncomment to allow adding ip/ports not used by any site proxies
-//** Otherwise unused addresses/ports will be automatically deleted from the configuration
-// foreach ($configuredaliases as $ams) {
-// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}";
-// if(!in_array($local_ip_port, $processed)) {
-// // explicit bind if not global ip:port
-// if ($local_ip_port != $global_listen) {
-// $aliases .= "Listen $local_ip_port\n";
-// // Automatically add this to configuration
-// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']);
-// }
-// }
-// }
+EOF;
+ $mod_status .= "Allow from ".($settings['netaccessstatus'] ? $settings['netaccessstatus'] : "All")."\n";
+ $mod_status .= "</Location>\n";
+ }
// update configuration with actual ip bindings
write_config($pkg['addedit_string']);
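Review bot: The status page falls back to `Allow from All` when `netaccessstatus` is empty, so enabling the page without filling in the ACL exposes `/server-status` to every client that can reach the listener, including per-request detail once `ExtendedStatus On` is set. A closed default is safer: `$mod_status .= "Allow from ".($settings['netaccessstatus'] ? $settings['netaccessstatus'] : "127.0.0.1")."\n";`, with the field's help text updated to match. The ACL value is written into the config verbatim, so it should be validated as a list of addresses or CIDR ranges first. `$extendedstatus` is assigned only inside the inner `if` and should be initialised to `""` before the heredoc.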
@@ -632,19 +830,20 @@ EOF;
$mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom'];
// Process and include rules
- if(is_dir(rules_directory)) {
+ if(is_dir(RULES_DIRECTORY)) {
$mod_security_rules = "";
- $files = return_dir_as_array(rules_directory);
+ $files = return_dir_as_array(RULES_DIRECTORY);
foreach($files as $file) {
- if(file_exists(rules_directory . "/" . $file)) {
+ if(file_exists(RULES_DIRECTORY . "/" . $file)) {
// XXX: TODO integrate snorts rule on / off thingie
- $file_txt = file_get_contents(rules_directory . "/" . $file);
+ $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file);
$mod_security_rules .= $file_txt . "\n";
}
}
}
#include file templates
+ include ("/usr/local/pkg/apache_mod_security.template");
include ("/usr/local/pkg/apache.template");
file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX);
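Review bot: The loop here still appends every entry of `RULES_DIRECTORY` to `$mod_security_rules`, although this commit now writes `modsecurity_crs_10_setup.conf` into that same directory and also references it through the `$cr10_setup` Include line. If both variables reach the generated httpd.conf (the templates are not visible in this hunk), the setup file is loaded twice. Skipping it in the loop with `if ($file == "modsecurity_crs_10_setup.conf") continue;` avoids that. `file_exists()` is also true for directories such as `util`, so `is_file()` is the better test before `file_get_contents()`.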
diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template
index e5a2c864..d004a9ae 100644
--- a/config/apache_mod_security-dev/apache_mod_security.template
+++ b/config/apache_mod_security-dev/apache_mod_security.template
@@ -1,8 +1,8 @@
<?php
- // Mod_security enabled?
- if($modsec_settings['enablemodsecurity']) {
- $enable_mod_security = true;
- $mod_security = <<< EOF
+// Mod_security enabled?
+if($mods_settings['enablemodsecurity']=="on") {
+ $enable_mod_security = true;
+ $mod_security = <<< EOF
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
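Review bot: `$enable_mod_security` and `$mod_security` are assigned only inside the `if`, so when mod_security is off any later `{$mod_security}` interpolation reads an undefined variable. Initialising both before the test, `$enable_mod_security = false; $mod_security = "";`, makes the disabled case explicit. The `if` body continues past this hunk and is closed by the `EOF;` and `}` added in the next one.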
@@ -208,3 +208,5 @@ SecArgumentSeparator &
#
SecCookieFormat 0
+EOF;
+}
diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml
index 92b41243..4775fb3c 100644
--- a/config/apache_mod_security-dev/apache_mod_security_groups.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml
@@ -73,15 +73,21 @@
<tab_level>2</tab_level>
</tab>
</tabs>
- <adddeleteeditpagefields>
+ <adddeleteeditpagefields>
+ <movable>on</movable>
<columnitem>
<fielddescr>Name</fielddescr>
<fieldname>name</fieldname>
</columnitem>
<columnitem>
+ <fielddescr>Logging</fielddescr>
+ <fieldname>secauditengine</fieldname>
+ </columnitem>
+ <columnitem>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
</columnitem>
+
</adddeleteeditpagefields>
<fields>
<field>
@@ -94,6 +100,7 @@
<description>Enter group name</description>
<type>input</type>
<size>25</size>
+ <required/>
</field>
<field>
<fielddescr>Description</fielddescr>
@@ -102,6 +109,7 @@
<type>input</type>
<size>45</size>
</field>
+
<field>
<fielddescr>Base Rules</fielddescr>
<fieldname>baserules</fieldname>
@@ -182,30 +190,24 @@
<option><name>log everything, including very detailed debugging information</name><value>9</value></option>
</options>
</field>
-
<field>
- <name>Custom options</name>
+ <name>Custom mod_security rules</name>
<type>listtopic</type>
</field>
<field>
- <fielddescr>Custom mod_security ErrorDocument</fielddescr>
- <fieldname>errordocument</fieldname>
- <description></description>
- <type>textarea</type>
- <rows>10</rows>
- <cols>75</cols>
- </field>
- <field>
<fielddescr>Custom mod_security rules</fielddescr>
<fieldname>modsecuritycustom</fieldname>
+ <dontdisplayname/>
+ <usecolspan2/>
<description>Paste any custom mod_security rules that you would like to use</description>
<type>textarea</type>
- <rows>10</rows>
- <cols>75</cols>
+ <encoding>base64</encoding>
+ <rows>10</rows>
+ <cols>90</cols>
</field>
</fields>
<custom_php_resync_config_command>
apache_mod_security_resync();
</custom_php_resync_config_command>
<include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
index 54738d83..7477e540 100644
--- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
@@ -82,6 +82,7 @@
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
</columnitem>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
@@ -141,4 +142,4 @@
apache_mod_security_resync();
</custom_php_resync_config_command>
<include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml
index 985f6bcc..bbc7da4a 100644
--- a/config/apache_mod_security-dev/apache_mod_security_settings.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml
@@ -101,7 +101,6 @@
<fielddescr>Max request per IP</fielddescr>
<fieldname>SecReadStateLimit</fieldname>
<description>
- //274
<![CDATA[This option limits number of POSTS accepted from same IP address and help prevent the effects of a Slowloris-type of attack.<br>
More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris
]]>
@@ -124,6 +123,36 @@
<size>10</size>
</field>
<field>
+ <name>mod_security crs 10 setup</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>mod_security crs 10 setup</fielddescr>
+ <fieldname>crs10</fieldname>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>15</rows>
+ <cols>90</cols>
+ </field>
+ <field>
+ <name>Custom mod_security ErrorDocument</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Custom mod_security ErrorDocument</fielddescr>
+ <fieldname>errordocument</fieldname>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <description>Custom mod_security ErrorDocument.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>10</rows>
+ <cols>90</cols>
+ </field>
+ <field>
<name>Modsecurity addons</name>
<type>listtopic</type>
</field>
@@ -164,4 +193,4 @@
apache_mod_security_resync();
</custom_php_resync_config_command>
<include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml
index 0d8d8c8f..7ecfb68e 100755
--- a/config/apache_mod_security-dev/apache_mod_security_sync.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml
@@ -68,8 +68,30 @@
<field>
<fielddescr>Automatically sync apache configuration changes</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Automatically sync apache changes to the hosts defined below.</description>
- <type>checkbox</type>
+ <description>Select a sync method for Apache + ModSecurity.</description>
+ <type>select</type>
+ <required/>
+ <default_value>auto</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Sync timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description>Select sync max wait time</description>
+ <type>select</type>
+ <required/>
+ <default_value>250</default_value>
+ <options>
+ <option><name>30 seconds(Default)</name><value>30</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>120 seconds</name><value>120</value></option>
+ <option><name>250 seconds</name><value>250</value></option>
+ </options>
</field>
<field>
<fielddescr>Remote Server</fielddescr>
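Review bot: `<default_value>250</default_value>` for `synctimeout` contradicts the option labelled `30 seconds(Default)`, so a new install gets the longest timeout while the UI says 30 is the default. Use `<default_value>30</default_value>` or move the label to the 250 option. `synconchanges` also changes from a checkbox to a select, so a previously saved checkbox value (presumably `on`) matches none of `auto`/`manual`/`disabled`; the sync code should handle an unknown value explicitly rather than fall through.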
diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php
index 1956a217..669c71f4 100755
--- a/config/apache_mod_security-dev/apache_mod_security_view_logs.php
+++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php
@@ -68,7 +68,7 @@ include("head.inc");
<?php
$tab_array = array();
$tab_array[] = array(gettext("Apache"), false, "/pkg_edit.php?xml=apache_settings.xml&amp;id=0");
- $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml");
+ $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml");
$tab_array[] = array(gettext("Backends"), false, "/pkg.php?xml=apache_mod_security_backends.xml",2);
$tab_array[] = array(gettext("VirtualHosts"), false, "/pkg.php?xml=apache_mod_security.xml",2);
diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml
index 20ba59c2..1dd4bc78 100644
--- a/config/apache_mod_security-dev/apache_settings.xml
+++ b/config/apache_mod_security-dev/apache_settings.xml
@@ -10,7 +10,7 @@
apache_mod_security_settings.xml
part of apache_mod_security package (http://www.pfSense.com)
Copyright (C) 2008, 2009, 2010 Scott Ullrich
- Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2012-2013 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
@@ -68,7 +68,12 @@
<tab_level>2</tab_level>
</tab>
<tab>
- <text>Virutal Hosts</text>
+ <text>Location(s)</text>
+ <url>/pkg.php?xml=apache_location.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Virtual Hosts</text>
<url>/pkg.php?xml=apache_virtualhost.xml</url>
<tab_level>2</tab_level>
</tab>
@@ -88,36 +93,35 @@
<fieldname>globalsiteadminemail</fieldname>
<description>Enter the site administrators e-mail address</description>
<type>input</type>
+ <size>25</size>
</field>
<field>
<fielddescr>Server hostname</fielddescr>
<fieldname>hostname</fieldname>
<description>
- <![CDATA[Enter the servers hostname<br/
+ <![CDATA[Enter the servers hostname<br>
NOTE: Leave blank to use this devices hostname.]]>
</description>
<type>input</type>
+ <size>25</size>
</field>
<field>
<fielddescr>Default Bind to IP Address</fielddescr>
<fieldname>globalbindtoipaddr</fieldname>
<description>
- <![CDATA[
- This is the IP address the Proxy Server will listen on.
- <br/>
- NOTE: Leave blank to bind to *
- ]]>
+ <![CDATA[This is the IP address the Proxy Server will listen on.]]>
</description>
- <type>input</type>
+ <type>interfaces_selection</type>
+ <showlistenall/>
+ <showvirtualips/>
+ <showips/>
</field>
<field>
<fielddescr>Default Bind to port</fielddescr>
<fieldname>globalbindtoport</fieldname>
<description>
- <![CDATA[
- This is the port the Proxy Server will listen on.<br>
- NOTE: Leave blank to bind to 80
- ]]>
+ <![CDATA[This is the port the Proxy Server will listen on.<br>
+ NOTE: Leave blank to bind to 80]]>
</description>
<type>input</type>
<size>5</size>
@@ -278,9 +282,42 @@
<type>input</type>
<size>10</size>
</field>
+ <field>
+ <name>Status Page</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Status Page</fielddescr>
+ <fieldname>statuspage</fieldname>
+ <description>
+ <![CDATA[Enable a status page for Apache and Mod_proxy. Access http://DefaultBindIP:DefaultBindPort/status-server]]>
+ </description>
+ <type>select</type>
+ <options>
+ <option><name>Disabled (Default)</name><value>off</value></option>
+ <option><name>Enabled</name><value>on</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Extended Status</fielddescr>
+ <fieldname>extendedstatuspage</fieldname>
+ <description>
+ <![CDATA[Keep track of extended status information for each request]]>
+ </description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Status Page ACL</fielddescr>
+ <fieldname>netaccessstatus</fieldname>
+ <description>
+ <![CDATA[Networks that can access apache status page. Ex: 172.16.1.0/24<br>
+ NOTE: Leave blank to allow access from any ip.(Not recommended for security reasons)]]>
+ </description>
+ <type>input</type>
+ </field>
</fields>
<custom_php_resync_config_command>
apache_mod_security_resync();
</custom_php_resync_config_command>
<include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
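Review bot: The help text for `statuspage` gives the URL as `/status-server`, but the block generated in apache_mod_security.inc is `<Location /server-status>`; the description should read `http://DefaultBindIP:DefaultBindPort/server-status`. The `netaccessstatus` help says a blank value allows any address, and that value is written straight into an `Allow from` line. I would require the field whenever the status page is enabled and validate it as address or CIDR input when the form is saved.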
diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php
index da82baaa..10bb1db6 100644
--- a/config/apache_mod_security-dev/apache_view_logs.php
+++ b/config/apache_mod_security-dev/apache_view_logs.php
@@ -42,7 +42,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
if(strstr($pfSversion, "1.2"))
$one_two = true;
-$pgtitle = "Status: Apache Vhosts Logs";
+$pgtitle = "Status: Apache VirtualHost Logs";
include("head.inc");
?>
@@ -96,7 +96,7 @@ function showLog(content,url,logtype)
<?php
$tab_array = array();
$tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&amp;id=0");
- $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml");
+ $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml");
display_top_tabs($tab_array);
?>
@@ -106,6 +106,7 @@ function showLog(content,url,logtype)
unset ($tab_array);
$tab_array[] = array(gettext("Daemon Options"), false, "pkg_edit.php?xml=apache_settings.xml");
$tab_array[] = array(gettext("Backends / Balancers"), false, "/pkg.php?xml=apache_balancer.xml");
+ $tab_array[] = array(gettext("Location(s)"), false, "/pkg.php?xml=apache_location.xml");
$tab_array[] = array(gettext("Virtual Hosts"), false, "/pkg.php?xml=apache_virtualhost.xml");
$tab_array[] = array(gettext("Logs"), true, "/apache_view_logs.php");
display_top_tabs($tab_array);
@@ -171,8 +172,8 @@ function showLog(content,url,logtype)
</tbody>
</table>
</form>
- <div id="bowserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'>
- <span><span>
+ <div id="browserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'>
+ <span></span>
</div>
<!-- Squid Table -->
<table width="100%" border="0" cellpadding="0" cellspacing="0">
diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml
index f971b570..747ef975 100644
--- a/config/apache_mod_security-dev/apache_virtualhost.xml
+++ b/config/apache_mod_security-dev/apache_virtualhost.xml
@@ -4,40 +4,41 @@
<packagegui>
<copyright>
<![CDATA[
- /* $Id$ */
- /* ========================================================================== */
- /*
- apache_virtualhost.xml
- part of apache_mod_security package (http://www.pfSense.com)
- Copyright (C)2009, 2010 Scott Ullrich
- Copyright (C)2012 Marcello Coutinho
- All rights reserved.
- */
- /* ========================================================================== */
- /*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+/* $Id$ */
+/* ========================================================================== */
+/*
+ apache_virtualhost.xml
+ part of apache_mod_security package (http://www.pfSense.com)
+ Copyright (C)2009, 2010 Scott Ullrich
+ Copyright (C)2012 Marcello Coutinho
+ Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com>
+ All rights reserved.
+*/
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code MUST retain the above copyright notice,
- this list of conditions and the following disclaimer.
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- 2. Redistributions in binary form MUST reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 2. Redistributions in binary form MUST reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
- /* ========================================================================== */
- ]]>
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ========================================================================== */
+]]>
</copyright>
<name>apachevirtualhost</name>
<version>1.0</version>
@@ -113,6 +114,16 @@
<chmod>0644</chmod>
<item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/shortcuts/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/pkg_apache.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/apache_location.xml</item>
+ </additional_files_needed>
<tabs>
<tab>
<text>Apache</text>
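Review bot: The two new `additional_files_needed` entries fetch `pkg_apache.inc` and `apache_location.xml` over plain `http://` and install both with `<chmod>0755</chmod>`, although neither needs to be executable; the neighbouring entry uses `0644`. `pkg_apache.inc` is placed in the web GUI tree and is presumably included as PHP, so a tampered download would become code run by the GUI. Unless the package installer verifies what it fetches (not visible here), prefer an `https://` URL, and use `<chmod>0644</chmod>` for both entries. The new entries also use `pfsense.org` while the existing one uses `pfsense.com`; pick one host.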
@@ -138,7 +149,12 @@
<tab_level>2</tab_level>
</tab>
<tab>
- <text>Virutal Hosts</text>
+ <text>Location(s)</text>
+ <url>/pkg.php?xml=apache_location.xml</url>
+ <tab_level>2</tab_level>
+ </tab>
+ <tab>
+ <text>Virtual Hosts</text>
<url>/pkg.php?xml=apache_virtualhost.xml</url>
<tab_level>2</tab_level>
<active/>
@@ -150,9 +166,12 @@
</tab>
</tabs>
<adddeleteeditpagefields>
+ <movable>on</movable>
<columnitem>
<fielddescr>Status</fielddescr>
<fieldname>enable</fieldname>
+ <listmodeon>Enabled</listmodeon>
+ <listmodeoff>Disabled</listmodeoff>
</columnitem>
<columnitem>
<fielddescr>Iface</fielddescr>
@@ -193,17 +212,14 @@
<description>Select protocols that this virtual host will accept connections</description>
<type>select</type>
<options>
- <option><name>HTTP</name><value>http</value></option>
- <option><name>HTTPS</name><value>https</value></option>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
</options>
</field>
<field>
<fielddescr>Server Name(s)</fielddescr>
<fieldname>primarysitehostname</fieldname>
- <description>
- <![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/>
- Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]>
- </description>
+ <description><![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/>Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]></description>
<cols>40</cols>
<rows>2</rows>
<type>textarea</type>
@@ -230,34 +246,28 @@
<fielddescr>Site Webmaster E-Mail address</fielddescr>
<fieldname>siteemail</fieldname>
<size>50</size>
- <description>
- <![CDATA[
- Enter the Webmaster E-Mail address for this site.
- ]]>
- </description>
+ <description><![CDATA[Enter the Webmaster E-Mail address for this site.]]></description>
<type>input</type>
</field>
<field>
<fielddescr>Site description</fielddescr>
<fieldname>description</fieldname>
<size>50</size>
- <description>
- <![CDATA[Enter a site description]]>
- </description>
+ <description><![CDATA[Enter a site description]]></description>
<type>input</type>
</field>
<field>
<fielddescr>HTTPS SSL certificate</fielddescr>
<fieldname>ssl_cert</fieldname>
<description>Choose the SSL Server Certificate here.</description>
- <type>select_source</type>
+ <type>select_source</type>
<source><![CDATA[$config['cert']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
<show_disable_value>none</show_disable_value>
</field>
<field>
- <fielddescr>intermediate CA certificate(optional)</fielddescr>
+ <fielddescr>Intermediate CA certificate (optional)</fielddescr>
<fieldname>reverse_int_ca</fieldname>
<description>Select intermediate CA assigned to certificate. Not all certificates require this.</description>
<type>select_source</type>
@@ -271,82 +281,19 @@
<![CDATA[Location(s)]]>
</fielddescr>
<fieldname>locations</fieldname>
- <type>rowhelper</type>
- <rowhelper>
- <rowhelperfield>
- <fielddescr><![CDATA[gzip?]]></fielddescr>
- <fieldname>compress</fieldname>
- <description>Compress data to save bandwidth?</description>
- <type>select</type>
- <options>
- <option><name>yes</name><value>yes</value></option>
- <option><name>no</name><value>no</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr><![CDATA[site path]]></fielddescr>
- <fieldname>sitepath</fieldname>
- <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description>
- <type>input</type>
- <size>5</size>
- </rowhelperfield>
+ <type>rowhelper</type>
+ <rowhelper>
<rowhelperfield>
- <fielddescr><![CDATA[Balancer]]></fielddescr>
- <fieldname>balancer</fieldname>
- <description>Server balancer / pool</description>
- <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source>
+ <fielddescr><![CDATA[Location]]></fielddescr>
+ <fieldname>location</fieldname>
+ <description>Server Location</description>
+ <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source>
<source_name>name</source_name>
<source_value>name</source_value>
<show_disable_value>none</show_disable_value>
<type>select_source</type>
- <size>5</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LbMethod</a>]]></fielddescr>
- <fieldname>lbmethod</fieldname>
- <description>Server balance method</description>
- <type>select</type>
- <options>
- <option><name>byrequests</name><value>byrequests</value></option>
- <option><name>bytraffic</name><value>bytraffic</value></option>
- <option><name>bybusyness</name><value>bybusyness</value></option>
- </options>
</rowhelperfield>
- <rowhelperfield>
- <fielddescr>Backend path</fielddescr>
- <fieldname>backendpath</fieldname>
- <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description>
- <type>input</type>
- <size>5</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr><![CDATA[ModSecurity]]></fielddescr>
- <fieldname>modsecgroup</fieldname>
- <description>Choose Modsecurity group to use on this virtual host.</description>
- <type>select_source</type>
- <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source>
- <source_name>name</source_name>
- <source_value>name</source_value>
- <show_disable_value>none</show_disable_value>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr><![CDATA[Manipulations]]></fielddescr>
- <fieldname>modsecmanipulation</fieldname>
- <description>Choose Modsecurity group to use on this virtual host.</description>
- <type>select_source</type>
- <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source>
- <source_name>name</source_name>
- <source_value>name</source_value>
- <show_disable_value>none</show_disable_value>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>&nbsp;&nbsp;Balancer options</a>]]></fielddescr>
- <fieldname>options</fieldname>
- <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description>
- <type>input</type>
- <size>5</size>
- </rowhelperfield>
- </rowhelper>
+ </rowhelper>
</field>
<field>
<name>Logging</name>
@@ -355,25 +302,19 @@
<field>
<fielddescr>Preserve Proxy hostname</fielddescr>
<fieldname>preserveproxyhostname</fieldname>
- <description>
- <![CDATA[
- When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.
- ]]>
- </description>
+ <description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description>
<type>checkbox</type>
</field>
<field>
<fielddescr>Log file</fielddescr>
<fieldname>logfile</fieldname>
- <description>
- <![CDATA[Enable access and error log for this virtual host.]]>
- </description>
+ <description><![CDATA[Enable access and error log for this virtual host.]]></description>
<type>select</type>
- <options>
- <option><name>Log to default apache log file</name><value>default</value></option>
- <option><name>Create a log file for this site</name><value>create</value></option>
- <option><name>Do not not this website</name><value>disabled</value></option>
- </options>
+ <options>
+ <option><name>Log to default apache log file</name><value>default</value></option>
+ <option><name>Create a log file for this site</name><value>create</value></option>
+ <option><name>Do not log this website</name><value>disabled</value></option>
+ </options>
</field>
<field>
<name>Custom Options</name>
@@ -382,13 +323,14 @@
<field>
<fielddescr>Custom Options</fielddescr>
<fieldname>custom</fieldname>
- <description>Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example.</description>
+ <description>Pass extra Apache config for this VirtualHost. This is useful for Rewrite rules for example.</description>
<type>textarea</type>
- <cols>65</cols>
+ <cols>90</cols>
<rows>10</rows>
<encoding>base64</encoding>
+ <dontdisplayname/>
+ <usecolspan2/>
</field>
-
</fields>
<service>
<name>apache_mod_security</name>
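Review bot: The reworded description on the `custom` field changes "Paste" to "Pass", which reads less clearly for a textarea that the administrator pastes directives into; I would keep "Paste" and retain the other spelling fixes. The field accepts free-form Apache directives for the VirtualHost, so the description should also say how that text is treated, for example `<description>Paste extra Apache config for this VirtualHost, e.g. Rewrite rules. Directives are written to the generated config as entered.</description>`. Whether apache_mod_security.inc checks the decoded text before writing it is not visible in this hunk, so confirm that before stating it as fact. If nothing is checked, directives entered here may override settings generated from the other fields, and a syntax error may stop the service from reloading, which is worth one more sentence in the help text.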
@@ -399,4 +341,4 @@
apache_mod_security_resync();
</custom_php_resync_config_command>
<include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/apache_mod_security-dev/pkg_apache.inc b/config/apache_mod_security-dev/pkg_apache.inc
new file mode 100755
index 00000000..97fb2417
--- /dev/null
+++ b/config/apache_mod_security-dev/pkg_apache.inc
@@ -0,0 +1,11 @@
+<?php
+
+global $shortcuts;
+
+$shortcuts['apache'] = array();
+$shortcuts['apache']['main'] = "pkg_edit.php?xml=apache_virtualhost.xml";
+$shortcuts['apache']['log'] = "diag_logs.php";
+$shortcuts['apache']['status'] = "status_services.php";
+$shortcuts['apache']['service'] = "apache_mod_security";
+
+?>
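Review bot: The `log` shortcut points at the generic `diag_logs.php` page, while the diffstat for this package lists its own viewers (`apache_view_logs.php`, `apache_mod_security_view_logs.php`). If the system log page does not show the Apache and ModSecurity logs, an operator following the shortcut will not land on the events they need, so consider `$shortcuts['apache']['log'] = "apache_view_logs.php";` after confirming that page's expected query parameters. The trailing `?>` should also be dropped from this include-only file, since any whitespace after it is sent as output and can break header handling in the pages that include it. The file is added with mode 100755, although an include file does not need the execute bit.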