From d3ff95f426054f64222e919f22f89a1e3066bb6e Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 18 Sep 2012 00:58:45 -0300 Subject: apache2+modsecurity - new package gui devel version need pbi to be rebuild to get apache worker options working --- config/apache_mod_security-dev/apache.template | 572 ++++++++++++++++++ .../apache_balancer.template | 40 ++ config/apache_mod_security-dev/apache_balancer.xml | 199 +++++++ .../apache_mod_security-dev/apache_logs_data.php | 195 ++++++ .../apache_logs_data.teste.php | 186 ++++++ .../apache_mod_security.inc | 653 +++++++++++++++++++++ .../apache_mod_security.template | 210 +++++++ .../apache_mod_security_groups.xml | 211 +++++++ .../apache_mod_security_manipulation.xml | 144 +++++ .../apache_mod_security_settings.xml | 167 ++++++ .../apache_mod_security_sync.xml | 99 ++++ .../apache_mod_security_view_logs.php | 182 ++++++ config/apache_mod_security-dev/apache_settings.xml | 286 +++++++++ .../apache_mod_security-dev/apache_view_logs.php | 222 +++++++ .../apache_mod_security-dev/apache_virtualhost.xml | 402 +++++++++++++ 15 files changed, 3768 insertions(+) create mode 100644 config/apache_mod_security-dev/apache.template create mode 100644 config/apache_mod_security-dev/apache_balancer.template create mode 100755 config/apache_mod_security-dev/apache_balancer.xml create mode 100644 config/apache_mod_security-dev/apache_logs_data.php create mode 100644 config/apache_mod_security-dev/apache_logs_data.teste.php create mode 100644 config/apache_mod_security-dev/apache_mod_security.inc create mode 100644 config/apache_mod_security-dev/apache_mod_security.template create mode 100644 config/apache_mod_security-dev/apache_mod_security_groups.xml create mode 100644 config/apache_mod_security-dev/apache_mod_security_manipulation.xml create mode 100644 config/apache_mod_security-dev/apache_mod_security_settings.xml create mode 100755 config/apache_mod_security-dev/apache_mod_security_sync.xml create mode 100755 config/apache_mod_security-dev/apache_mod_security_view_logs.php create mode 100644 config/apache_mod_security-dev/apache_settings.xml create mode 100644 config/apache_mod_security-dev/apache_view_logs.php create mode 100644 config/apache_mod_security-dev/apache_virtualhost.xml (limited to 'config/apache_mod_security-dev') diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template new file mode 100644 index 00000000..69ffb9c7 --- /dev/null +++ b/config/apache_mod_security-dev/apache.template @@ -0,0 +1,572 @@ + + + + # Turn the filtering engine On or Off + SecFilterEngine On + + # XXX Add knobs for these + SecRuleEngine On + SecRequestBodyAccess On + SecResponseBodyAccess On + + SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} + SecRequestBodyLimit {$secrequestbodylimit} + + {$mod_security_custom} + + SecResponseBodyMimeTypesClear + SecResponseBodyMimeType (null) text/plain text/html text/css text/xml + + # XXX Add knobs for these + SecUploadDir /var/spool/apache/private + SecUploadKeepFiles Off + + # The audit engine works independently and + # can be turned On of Off on the per-server or + # on the per-directory basis + SecAuditEngine {$secauditengine} + + # XXX Add knobs for these + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # XXX Add knobs for these + # Unicode encoding check + SecFilterCheckUnicodeEncoding On + + # XXX Add knobs for these + # Only allow bytes from this range + SecFilterForceByteRange 1 255 + + # Help prevent the effects of a Slowloris-type of attack + # $secreadstatelimit + + # Cookie format checks. + SecFilterCheckCookieFormat On + + # The name of the audit log file + SecAuditLog logs/audit_log + + #http-guardian Anti-dos protection + {$SecGuardianLog} + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # Include rules from rules/ directory + {$mod_security_rules} + + + +*/ + +$apache_dir=APACHEDIR; + $apache_config = << for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log" +# with ServerRoot set to "/usr/local" will be interpreted by the +# server as "/usr/local//var/log/foo_log". + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to point the LockFile directive +# at a local disk. If you wish to share the same ServerRoot for multiple +# httpd daemons, you will need to change at least LockFile and PidFile. +# +ServerRoot "{$apache_dir}" + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +Listen {$global_listen} +{$aliases} + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +# have to place corresponding `LoadModule' lines at this location so the +# LoadModule foo_module modules/mod_foo.so +LoadModule authn_file_module libexec/apache22/mod_authn_file.so +LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so +LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so +LoadModule authn_default_module libexec/apache22/mod_authn_default.so +LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so +LoadModule authz_host_module libexec/apache22/mod_authz_host.so +LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so +LoadModule authz_user_module libexec/apache22/mod_authz_user.so +LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so +LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so +LoadModule authz_default_module libexec/apache22/mod_authz_default.so +LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so +LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so +LoadModule file_cache_module libexec/apache22/mod_file_cache.so +LoadModule cache_module libexec/apache22/mod_cache.so +LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so +LoadModule dumpio_module libexec/apache22/mod_dumpio.so +LoadModule include_module libexec/apache22/mod_include.so +LoadModule filter_module libexec/apache22/mod_filter.so +LoadModule charset_lite_module libexec/apache22/mod_charset_lite.so +LoadModule deflate_module libexec/apache22/mod_deflate.so +LoadModule log_config_module libexec/apache22/mod_log_config.so +LoadModule logio_module libexec/apache22/mod_logio.so +LoadModule env_module libexec/apache22/mod_env.so +LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so +LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so +LoadModule expires_module libexec/apache22/mod_expires.so +LoadModule headers_module libexec/apache22/mod_headers.so +LoadModule usertrack_module libexec/apache22/mod_usertrack.so +LoadModule unique_id_module libexec/apache22/mod_unique_id.so +LoadModule setenvif_module libexec/apache22/mod_setenvif.so +LoadModule version_module libexec/apache22/mod_version.so +LoadModule proxy_module libexec/apache22/mod_proxy.so +LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so +LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so +LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so +LoadModule proxy_ajp_module libexec/apache22/mod_proxy_ajp.so +LoadModule proxy_balancer_module libexec/apache22/mod_proxy_balancer.so +LoadModule ssl_module libexec/apache22/mod_ssl.so +LoadModule mime_module libexec/apache22/mod_mime.so +LoadModule status_module libexec/apache22/mod_status.so +LoadModule autoindex_module libexec/apache22/mod_autoindex.so +LoadModule asis_module libexec/apache22/mod_asis.so +LoadModule info_module libexec/apache22/mod_info.so +LoadModule cgi_module libexec/apache22/mod_cgi.so +LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so +LoadModule negotiation_module libexec/apache22/mod_negotiation.so +LoadModule dir_module libexec/apache22/mod_dir.so +LoadModule imagemap_module libexec/apache22/mod_imagemap.so +LoadModule actions_module libexec/apache22/mod_actions.so +LoadModule speling_module libexec/apache22/mod_speling.so +LoadModule userdir_module libexec/apache22/mod_userdir.so +LoadModule alias_module libexec/apache22/mod_alias.so +LoadModule rewrite_module libexec/apache22/mod_rewrite.so +LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so +{$mod_mem_cache} + + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User www +Group www + + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# +# worker MPM + +{$performance_settings} + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin {$global_site_email} + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +ServerName {$servername} + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "{$apache_dir}/www/apache22" + +# +# Each directory to which Apache has access can be configured with respect +# to which services and features are allowed and/or disabled in that +# directory (and its subdirectories). +# +# First, we configure the "default" to be a very restrictive set of +# features. +# + + AllowOverride None + Order deny,allow + Deny from all + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# This should be changed to whatever you set DocumentRoot to. +# +# +# # +# # Possible values for the Options directive are "None", "All", +# # or any combination of: +# # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews +# # +# # Note that "MultiViews" must be named *explicitly* --- "Options All" +# # doesn't give it to you. +# # +# # The Options directive is both complicated and important. Please see +# # http://httpd.apache.org/docs/2.2/mod/core.html#options +# # for more information. +# # +# Options Indexes FollowSymLinks +# +# # +# # AllowOverride controls what directives may be placed in .htaccess files. +# # It can be "All", "None", or any combination of the keywords: +# # Options FileInfo AuthConfig Limit +# # +# AllowOverride None +# +# # +# # Controls who can get stuff from this server. +# # +# Order allow,deny +# Allow from all +# +# +# +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# +# DirectoryIndex index.html +# +# +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +# +# Order allow,deny +# Deny from all +# Satisfy All +# +# +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "/var/log/httpd-error.log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "/var/log/httpd-access.log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + CustomLog "/var/log/httpd-access.log" combined + + +# +# # +# # Redirect: Allows you to tell clients about documents that used to +# # exist in your server's namespace, but do not anymore. The client +# # will make a new request for the document at its new location. +# # Example: +# # Redirect permanent /foo http://www.example.com/bar +# +# # +# # Alias: Maps web paths into filesystem paths and is used to +# # access content that does not live under the DocumentRoot. +# # Example: +# # Alias /webpath /full/filesystem/path +# # +# # If you include a trailing / on /webpath then the server will +# # require it to be present in the URL. You will also likely +# # need to provide a section to allow access to +# # the filesystem path. +# +# # +# # ScriptAlias: This controls which directories contain server scripts. +# # ScriptAliases are essentially the same as Aliases, except that +# # documents in the target directory are treated as applications and +# # run by the server when requested rather than as documents sent to the +# # client. The same rules about trailing "/" apply to ScriptAlias +# # directives as to Alias. +# # +# ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/" +# +# + +# +# # +# # ScriptSock: On threaded servers, designate the path to the UNIX +# # socket used to communicate with the CGI daemon of mod_cgid. +# # +# #Scriptsock /var/run/cgisock +# + +# +# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# +# +# AllowOverride None +# Options None +# Order allow,deny +# Allow from all +# + +# +# DefaultType: the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +DefaultType text/plainm + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig etc/apache22/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile etc/apache22/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: + +{$errordocument} + +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# +#EnableMMAP off +#EnableSendfile off + +# Supplemental configuration +# +# The configuration files in the etc/apache22/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. + +# Server-pool management (MPM specific) +#Include etc/apache22/extra/httpd-mpm.conf + +# Multi-language error messages +#Include etc/apache22/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include etc/apache22/extra/httpd-autoindex.conf + +# Language settings +#Include etc/apache22/extra/httpd-languages.conf + +# User home directories +#Include etc/apache22/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include etc/apache22/extra/httpd-info.conf + +# Virtual hosts +#Include etc/apache22/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include etc/apache22/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include etc/apache22/extra/httpd-dav.conf + +# Various default settings +#Include etc/apache22/extra/httpd-default.conf + +# Secure (SSL/TLS) connections +#Include etc/apache22/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + +# Cache settings +{$mem_cache} +{$cache_root} + +#accf_http are not present on current build +AcceptFilter http none +AcceptFilter https none + +# Mod security +{$mod_security} + +# Proxysettings +{$mod_proxy} + +# Include anything else +Include etc/apache22/Includes/*.conf + +EOF; + +?> \ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_balancer.template b/config/apache_mod_security-dev/apache_balancer.template new file mode 100644 index 00000000..361a5ed4 --- /dev/null +++ b/config/apache_mod_security-dev/apache_balancer.template @@ -0,0 +1,40 @@ + + Order Deny,Allow + Allow from all + + + + Order allow,deny + deny from all + + +Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED + + +EOF; +?> \ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml new file mode 100755 index 00000000..b3acba57 --- /dev/null +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -0,0 +1,199 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + apachebalancer + none + Apache reverse proxy: Internal Web Servers Pool + /usr/local/pkg/apache_mod_security.inc + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Daemon Options + /pkg_edit.php?xml=apache_settings.xml + 2 + + + Backends / Balancers + /pkg.php?xml=apache_balancer.xml + 2 + + + + Virutal Hosts + /pkg.php?xml=apache_virtualhost.xml + 2 + + + Logs + /apache_view_logs.php + 2 + + + + + + Status + enable + + + Alias + name + + + Protocol + Proto + + + Description + description + + + + + apache Reverse Peer Mappings + listtopic + + + Enable + enable + If this field is checked, then this server poll will be available for virtual hosts config. + checkbox + + + Balancer name + name + + example: www_site1]]> + input + 20 + + + Description + description + + input + 60 + + + Protocol + proto + + select + + + + + + + + + + additionalparameters + rowhelper + + + fqdn or ip + host + Internal site IP or Hostnamesite + input + 20 + + + port + port + Internal site port + input + 4 + + + routeid + routeid + id to define stick connections + input + 4 + + + weight + loadfactor + Server weight + input + 4 + + + ping + ping + Server ping test interval + input + 4 + + + ttl + ttl + Server pint ttl + input + 4 + + + + + + + apache_mod_security_resync(); + + \ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php new file mode 100644 index 00000000..256ff144 --- /dev/null +++ b/config/apache_mod_security-dev/apache_logs_data.php @@ -0,0 +1,195 @@ +|<)/',"",htmlspecialchars($_REQUEST['strfilter'])); + $logtype = strtolower($_REQUEST['logtype']); + + // Get log type (access or error) + if ($logtype == "error") + $error="-error"; + + // Define log file name + $logfile ='/var/log/httpd-'. preg_replace("/(\s|'|\"|;)/","",$_REQUEST['logfile']) . $error.'.log'; + + if ($logfile == '/var/log/httpd-access-error.log') + $logfile = '/var/log/httpd-error.log'; + + //debug + echo "\n"; + echo "$logfile\n"; + if (file_exists($logfile)){ + + switch ($logtype) { + + case 'access': + //show table headers + show_tds(array("Time","Host","Response","Method","Request")); + + //fetch lines + $logarr=fetch_log($logfile); + + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + /* + field 1: 189.29.36.26 + field 2: - + field 3: - + field 4: 04/Jul/2012 + field 5: 10:54:39 + field 6: -0300 + field 7: GET + field 8: / + field 9: HTTP/1.1 + field 10: 303 + field 11: - + field 12: - + field 13: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19 + */ + $regex = '/^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^\]]+)\] \"(\S+) (.*?) (\S+)\" (\S+) (\S+) "([^"]*)" "([^"]*)"$/'; + if (preg_match($regex, $logline[0],$line)) { + // Apply filter and color + if ($filter != "") + $line = preg_replace("@($filter)@i","$1",$line); + $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n"; + echo "\n"; + echo "{$line[5]}({$line[6]})\n"; + echo "{$line[1]}\n"; + echo "{$line[10]}\n"; + echo "{$line[7]}\n"; + //echo "{$line[8]}\n"; + echo "{$line[8]}\n"; + echo "\n"; + } + } + break; + + case 'error': + //show table headers + show_tds(array("DateTime","Severity","Message")); + + //fetch lines + $logarr=fetch_log($logfile); + + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + /* + field 1: Wed Jul 04 20:22:28 2012 + field 2: error + field 3: 187.10.53.87 + field 4: proxy: DNS lookup failure for: 192.168.15.272 returned by / + */ + $regex = '/^\[([^\]]+)\] \[([^\]]+)\] (?:\[client ([^\]]+)\])?\s*(.*)$/i'; + if (preg_match($regex, $logline[0],$line)) { + // Apply filter and color + if ($filter != "") + $line = preg_replace("@($filter)@i","$1",$line); + + if ($line[3]) + $line[3] = gettext("Client address:") . " [{$line[3]}]"; + + echo "\n"; + echo "{$line[1]}\n"; + echo "{$line[2]}\n"; + echo "{$line[3]} {$line[4]}\n"; + echo "\n"; + } + } + break; + } + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +// From SquidGuard Package +function html_autowrap($cont) +{ + # split strings + $p = 0; + $pstep = 25; + $str = $cont; + $cont = ''; + for ( $p = 0; $p < strlen($str); $p += $pstep ) { + $s = substr( $str, $p, $pstep ); + if ( !$s ) break; + $cont .= $s . ""; + } + return $cont; +} + +// Show Logs +function fetch_log($log){ + global $filter; + // Get Data from form post + $lines = $_REQUEST['maxlines']; + if (preg_match("/!/",htmlspecialchars($_REQUEST['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines}" , $logarr); + } + else { + exec("tail -r -n {$lines} {$log}", $logarr); + } + // return logs + return $logarr; +} + +function show_tds($tds){ + echo "\n"; + foreach ($tds as $td){ + echo "".gettext($td)."\n"; + } + echo "\n"; +} + +?> diff --git a/config/apache_mod_security-dev/apache_logs_data.teste.php b/config/apache_mod_security-dev/apache_logs_data.teste.php new file mode 100644 index 00000000..c3f270bf --- /dev/null +++ b/config/apache_mod_security-dev/apache_logs_data.teste.php @@ -0,0 +1,186 @@ +|<)/',"",htmlspecialchars($_GET['strfilter'])); + $logtype = strtolower($_GET['logtype']); + switch ($logtype) { + case 'access': + //192.168.15.227 - - [02/Jul/2012:19:57:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/0.9.8q (internal dummy connection)" + $regex = '/^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^\]]+)\] \"(\S+) (.*?) (\S+)\" (\S+) (\S+) "([^"]*)" "([^"]*)"$/i'; + + // Define log file + $log='/var/log/httpd-access.log'; + + //fetch lines + $logarr=fetch_log($log); + + /* + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","$1",$logline); + + echo $logline[0]."\n
"; + } + */ + $x=1; + foreach ($logarr as $logent) { + + $logline = preg_split("/\n/", $logent); + if (preg_match($regex, $logline[0],$line)) { + echo "campo 1: $line[1]
"; + echo "campo 2: $line[2]
"; + echo "campo 3: $line[3]
"; + echo "campo 4: $line[4]
"; + echo "campo 5: $line[5]
"; + echo "campo 6: $line[6]
"; + echo "campo 7: $line[7]
"; + echo "campo 8: $line[8]
"; + echo "campo 9: $line[9]
"; + echo "campo 10: $line[10]
"; + echo "campo 11: $line[11]
"; + echo "campo 12: $line[12]
"; + echo "campo 13: $line[13]
"; + } + echo "$x ===================
"; + $x++; + } + + + break; + + case 'error': + //[Wed Jul 04 20:22:28 2012] [error] [client 187.10.53.87] proxy: DNS lookup failure for: 192.168.15.272 returned by / + $regex = $regex = '/^\[([^\]]+)\] \[([^\]]+)\] (?:\[client ([^\]]+)\])?\s*(.*)$/i'; + + // Define log file + $log='/var/log/httpd-error.log'; + + //fetch lines + $logarr=fetch_log($log); + + /* + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\n/", $logent); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","$1",$logline); + + echo $logline[0]."\n
"; + } + */ + $x=1; + foreach ($logarr as $logent) { + + $logline = preg_split("/\n/", $logent); + if (preg_match($regex, $logline[0],$line)) { + echo "campo 1: $line[1]
"; + echo "campo 2: $line[2]
"; + echo "campo 3: $line[3]
"; + echo "campo 4: $line[4]
"; + echo "campo 5: $line[5]
"; + echo "campo 6: $line[6]
"; + echo "campo 7: $line[7]
"; + echo "campo 8: $line[8]
"; + echo "campo 9: $line[9]
"; + echo "campo 10: $line[10]
"; + echo "campo 11: $line[11]
"; + echo "campo 12: $line[12]
"; + echo "campo 13: $line[13]
"; + } + echo "$x ===================
"; + $x++; + } + + + break; + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + + + +// Show Squid Logs +function fetch_log($log){ + global $filter; + // Get Data from form post + $lines = $_GET['maxlines']; + if (preg_match("/!/",htmlspecialchars($_GET['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines}" , $logarr); + } + else { + exec("tail -r -n {$lines} {$log}", $logarr); + } + // return logs + return $logarr; +} + + + +foreach ($config['installedpackages']['apachevirtualhost']['config'] as $virtualhost){ + if (is_array($virtualhost['row']) && $virtualhost['enable'] == 'on'){ + if (preg_match("/(\S+)/",base64_decode($virtualhost['primarysitehostname']),$matches)) { + echo $matches[1]."
"; + } + } +} +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc new file mode 100644 index 00000000..cdee4f6b --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -0,0 +1,653 @@ + 2.0) + define('APACHEDIR', '/usr/pbi/proxy_mod_security-' . php_uname("m")); +else + define('APACHEDIR', '/usr/local'); +// End of system check +define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +// Rules directory location +define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +function apache_textarea_decode($base64){ + return preg_replace("/\r\n/","\n",base64_decode($base64)); +} + +function apache_get_real_interface_address($iface) { + global $config; + if ($iface == "All") + return array("*", ""); + if (preg_match("/\d+\.\d+/",$iface)) + return array($iface, ""); + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + return array($ip, long2ip(hexdec($netmask))); +} + +// Ensure NanoBSD can write. pkg_mgr will remount RO +conf_mount_rw(); + +// Needed mod_security directories +if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) + safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); + +// Startup function +function apache_mod_security_start() { + exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); +} + +// Shutdown function +function apache_mod_security_stop() { + exec(APACHEDIR . "/sbin/httpd -k stop"); +} + +// Restart function +function apache_mod_security_restart() { + if(is_process_running("httpd")) { + exec(APACHEDIR . "/sbin/httpd -k graceful"); + } else { + apache_mod_security_start(); + } +} + +// Install function +function apache_mod_security_install() { + global $config, $g; + + // We might be reinstalling and a configuration + // already exists. + generate_apache_configuration(); + + $filename = "apache_mod_security.sh"; + + $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc < +ENDPHP\n"; + + $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc < +ENDPHP\n"; + + write_rcfile(array( + "file" => $filename, + "start" => $start, + "stop" => $stop + ) + ); +} + +// Deinstall package routines +function apache_mod_security_deinstall() { + global $config, $g; + apache_mod_security_stop(); + exec("/bin/rm -rf " . APACHEDIR . "/". MODSECURITY_DIR); + exec("/bin/rm -f /usr/local/etc/rc.d/apache_mod_security.sh"); +} + +// Regenerate apache configuration and handle server restart +function apache_mod_security_resync() { + global $config, $g; + apache_mod_security_install(); + $dirs=array("base", "experimental","optional", "slr"); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) + exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + $write_config=0; + foreach ($dirs as $dir){ + if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); + } + } + if ($write_config > 0) + write_config(); + apache_mod_security_checkconfig(); + apache_mod_security_restart(); +} + +function apache_mod_security_checkconfig() { + global $config, $g; + $status = mwexec(APACHEDIR ."/sbin/httpd -t"); + if($status) { + $input_error = "apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"; + log_error("apache_mod_security_package: There was an error parsing the Apache configuration: {$status}"); + } +} + +// Generate mod_proxy specific configuration +function generate_apache_configuration() { + global $config, $g; + $mod_proxy = ""; + $write_config=0; + // check current config + if (is_array($config['installedpackages']['apachesettings'])) + $settings=$config['installedpackages']['apachesettings']['config'][0]; + else + $setting=sarray(); + + // Set global site e-mail + if ($settings['globalsiteadminemail']){ + $global_site_email = $settings['globalsiteadminemail']; + } + else { + $global_site_email = "admin@admin.com"; + $config['installedpackages']['apachesettings']['config'][0]['globalsiteadminemail'] = "admin@admin.com"; + // update configuration with default value in this case + log_error("apache_mod_security_package: WARNING! Global site Administrator E-Mail address has not been set. Defaulting to bogus e-mail address."); + $write_config ++; + } + + // Set ServerName + if($settings['hostname'] != ""){ + $servername = $settings['hostname']; + } + else { + $servername = php_uname('n'); + $config['installedpackages']['apachesettings']['config'][0]['hostname'] = `hostname`; + // update configuration with default value in this case + $write_config ++; + } + + //check if servername has an valid ip + $ip=gethostbyname(php_uname('n')); + if ($ip==php_uname('n')){ + $error='apache_mod_security_package: Apache cannot start, hostname does not resolv. You can workaround this if you add a dns entry for '.php_uname('n').' or add a Host Overrides entry on services -> Dns Forwarder pointing '.php_uname('n').' to 127.0.0.1.'; + log_error($error); + file_notice("apache_mod_security", $error, "apache_mod_security", ""); + } + // Set global listening directive and ensure nothing is listening on this port already + $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $globalbind_port = $settings['globalbindtoport']; + if ($globalbind_port == ""){ + $globalbind_port ="80"; + $config['installedpackages']['apachesettings']['config'][0]['globalbindtoipport'] = $globalbind_port; + $write_config ++; + } + $global_listen ="{$globalbind_ip}:{$globalbind_port}"; + // update configuration with default value in this case + if ($write_config > 0) + write_config(); + + // check if any daemon is using apache ip/port + exec("/usr/bin/sockstat | grep -v ' httpd ' | awk '{ print $6 }' | grep ':{$globalbind_port}'",$socksstat); + unset ($already_binded); + if(is_array($socksstat)) { + foreach($socksstat as $ss) { + list($ss_ip,$ss_port)=explode(":",$ss); + #check if port is in use + if($ss_port == $globalbind_port) { + #check if it's the same ip or any ip + if ($globalbind_ip = "*" || $globalbind_ip == $ss_ip) + $already_binded = true; + $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}"; + } + } + } + if(isset($already_binded)) + log_error("apache_mod_security_package: Could not start daemon on port {$global_listen}. Another process is already bound to this port."); + + //performance settings + //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html + $performance_settings="KeepAlive {$settings['keepalive']}\n"; + if ($settings['maxkeepalivereq']) + $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; + if ($settings['keepalivetimeout']) + $performance_settings .= "KeepAliveTimeout {$settings['keepalivetimeout']}\n"; + if ($settings['serverlimit']) + $performance_settings .= "ServerLimit {$settings['serverlimit']}\n"; + if ($settings['startservers']) + $performance_settings .= "StartServers {$settings['startservers']}\n"; + if ($settings['minsparethreads']) + $performance_settings .= "MinSpareThreads {$settings['minsparethreads']}\n"; + if ($settings['maxsparethreads']) + $performance_settings .= "MaxSpareThreads {$settings['maxsparethreads']}\n"; + if ($settings['threadslimit']) + $performance_settings .= "ThreadsLimit {$settings['threadslimit']}\n"; + if ($settings['threadstacksize']) + $performance_settings .= "ThreadStackSize {$settings['threadstacksize']}\n"; + if ($settings['threadsperchild']) + $performance_settings .= "ThreadsPerChild {$settings['threadsperchild']}\n"; + if ($settings['maxclients']) + $performance_settings .= "MaxClients {$settings['maxclients']}\n"; + if ($settings['maxrequestsperchild']) + $performance_settings .= "MaxRequestsPerChild {$settings['maxrequestsperchild']}\n"; + + // Setup mem_cache + if(file_exists(APACHEDIR ."/libexec/apache22/mod_memcache.so") && $settings['memcachesize'] != "0") { + //$mem_cache = "MCacheSize ".( $settings['memcachesize'] ? $settings['memcachesize'] : "100")."\n"; + } + + // CacheRoot Directive + if($settings['diskcachesize'] != "0") { + safe_mkdir("/var/db/apachemodsecuritycache"); + $cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n"; + $cache_root .= "CacheMaxFileSize ".($settings['diskcachesize'] ? $settings['diskcachesize'] : "1000000")."\n"; + } + + // SecRequestBodyInMemoryLimit Directive + $secrequestbodyinmemorylimit = ($settings['secrequestbodyinmemorylimit'] ? $settings['secrequestbodyinmemorylimit'] : "131072"); + + // SecRequestBodyLimit + $secrequestbodylimit = ($settings['secrequestbodylimit'] ? $settings['secrequestbodylimit'] :"10485760"); + + // ErrorDocument + $errordocument = ($settings['errordocument'] ? $settings['errordocument'] : ""); + + // SecAuditEngine + $secauditengine = ($settings['secauditengine'] ? $settings['secauditengine'] : "RelevantOnly"); + + // SecReadStateLimit + $secreadstatelimit = ($settings['SecReadStateLimit'] ? $settings['SecReadStateLimit'] :""); + + //Configure balancers/backends + if (is_array($config['installedpackages']['apachebalancer'])){ + #load conf template + include("/usr/local/pkg/apache_balancer.template"); + + #check balancer members + foreach ($config['installedpackages']['apachebalancer']['config'] as $balancer){ + if (is_array($balancer['row']) && $balancer['enable'] == 'on'){ + $balancer_config.="# {$balancer['description']}\n"; + $balancer_config.="\n"; + foreach($balancer['row'] as $server){ + $options =($server['port'] ? ":{$server['port']}" : ""); + + $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); + $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); + if (isset($server['ping'])){ + $options.= " ping={$server['ping']}"; + $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); + } + $balancer_config.=" BalancerMember {$balancer['proto']}://{$server['host']}{$options}\n"; + } + #check if stick connections are set + if ($balancer['row'][0]['routeid'] !="") + $balancer_config.=" ProxySet stickysession=ROUTEID\n"; + $balancer_config.="\n\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); + } + + //configure virtual hosts + if (is_array($config['installedpackages']['apachevirtualhost'])){ + $vh_config= <<'80', 'https'=> '443'); + foreach ($config['installedpackages']['apachevirtualhost']['config'] as $virtualhost){ + if (is_array($virtualhost['row']) && $virtualhost['enable'] == 'on'){ + $iface_address = apache_get_real_interface_address($virtualhost['interface']); + $ip=$iface_address[0]; + $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + $vh_config.="# {$virtualhost['description']}\n"; + $vh_config.="\n"; + $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; + $vh_config.=" ServerAdmin ".($virtualhost['siteemail'] ? $virtualhost['siteemail'] : $settings['globalsiteadminemail'])."\n"; + #check log + switch ($virtualhost['logfile']){ + case "default": + $vh_config.=" ErrorLog /var/log/httpd-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd.log combined\n"; + break; + case "create": + if(preg_match("/(\S+)/",base64_decode($virtualhost['primarysitehostname']),$matches)) + $vh_config.=" ErrorLog /var/log/httpd-{$matches[1]}-error.log\n"; + $vh_config.=" CustomLog /var/log/httpd-{$matches[1]}.log combined\n"; + break; + } + + if($virtualhost['preserveproxyhostname']) + $vh_config .= " ProxyPreserveHost on\n"; + + #check ssl + if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") { + $vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n"; + $vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"; + + $svr_cert = lookup_cert($virtualhost["ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX); + $vh_config.= " SSLCertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.crt\n"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key",apache_textarea_decode($svr_cert['prv']),LOCK_EX); + $vh_config.= " SSLCertificateKeyFile ". APACHEDIR . "/etc/apache22/{$virtualhost["ssl_cert"]}.key\n"; + } + } + $svr_ca =lookup_ca($virtualhost["reverse_int_ca"]); + if ($svr_ca != false) { + file_put_contents(APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($svr_ca['crt']),LOCK_EX); + $vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/apache22/{$virtualhost["reverse_int_ca"]}.crt\n"; + } + } + #Custom Options + $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; + + #Check virtualhost locations + foreach ($virtualhost['row'] as $backend){ + $vh_config.=" \n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } + } + } + $vh_config.=" \n\n"; + } + $vh_config.="\n"; + } + } + //write balancer conf + file_put_contents(APACHEDIR."/etc/apache22/Includes/virtualhosts.conf",$vh_config,LOCK_EX); + } + // check/fix perl version on mod_security util files + $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); + foreach ($perl_files as $perl_file){ + $file_path=rules_directory."/util/"; + if (file_exists($file_path.$perl_file)){ + $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); + file_put_contents($file_path.$perl_file,$script,LOCK_EX); + } + } + // check/fix spread libs location + $perl_libs= array("libspread.a","libspread.so.1"); + foreach ($perl_libs as $perl_lib){ + $file_path=APACHEDIR."/lib/"; + if (!file_exists("/lib/".$perl_lib) && file_exists("{$file_path}{$perl_lib}")){ + copy("{$file_path}{$perl_lib}","/lib/{$perl_lib}"); + if ($perl_lib == "libspread.so.1") + copy("{$file_path}{$perl_lib}","/lib/libspread.so"); + } + } + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; + } + + //fix http-guardian.pl block bins + //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; + //if (file_exists("/lib/".$perl_lib) && file_exists($file_path.$perl_lib)){ + + //old code + $mod_proxy .= << + Order deny,allow + Allow from all + + +EOF; + + /* + ##################################################### + # Format for the Proxy servers: + # Please do not delete these from the source file + # in any "cleanups" that you feel you are performing. + # They are here for sanity checking the code. + #----------------1 backend ip--------------------- + # + # ServerAdmin $serveradmin + # ServerName $primarysitehostname + # ServerAlias $additionalsitehostnames + # ProxyPass / $backendwebserverURL + # ProxyPassReverse / $backendwebserverURL + # + #where serveralias will be a space-separated list of "additional site hostnames" + #i.e. if you have www1.example.com and www2.example.com there, it's "ServerAlias www1.example.com www2.example.com" + #------------------------------------------------- + #------------mutliple backend ips----------------- + # Add: + # + # BalancerMember $backend1 + # BalancerMember $backend2 + # + # Change: + # ProxyPass / balancer://$sitename/ + # ProxyPassReverse / balancer://$sitename/ + #------------------------------------------------- + ##################################################### + */ + $mod_proxy .= "\n"; + + $configuredaliases = array(); + // Read already configured addresses + if (is_array($settings['row'])){ + foreach($settings['row'] as $row) { + if ($row['ipaddress'] && $row['ipport']) + $configuredaliases[] = $row; + } + } + + // clear list of bound addresses before updating + $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); + + // Process proxy sites + // Configure NameVirtualHost directives + $aliases = ""; + $processed = array(); + if(is_array($config['installedpackages']['apachemodsecurity'])) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Do not add entries twice. + if(!in_array($local_ip_port, $processed)) { + // explicit bind if not global ip:port + if ($local_ip_port != $global_listen) { + $aliases .= "Listen $local_ip_port\n"; + // Automatically add this to configuration + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); + } + $mod_proxy .= "NameVirtualHost $local_ip_port\n"; + $processed[] = $local_ip_port; + } + } + } + +//** Uncomment to allow adding ip/ports not used by any site proxies +//** Otherwise unused addresses/ports will be automatically deleted from the configuration +// foreach ($configuredaliases as $ams) { +// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; +// if(!in_array($local_ip_port, $processed)) { +// // explicit bind if not global ip:port +// if ($local_ip_port != $global_listen) { +// $aliases .= "Listen $local_ip_port\n"; +// // Automatically add this to configuration +// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); +// } +// } +// } + + // update configuration with actual ip bindings + write_config($pkg['addedit_string']); + + + // Setup mod_proxy entries $mod_proxy + if($config['installedpackages']['apachemodsecurity']) { + foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { + // Set rowhelper used variables + $additionalsitehostnames = ""; + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['additionalsitehostnames']) + $additionalsitehostnames .= "{$row['additionalsitehostnames']} "; + } + } + $backend_sites = ""; + $sslproxyengine = ""; + $backend_sites_count = 0; + $balancer_members = ""; // not technically needed. + if (is_array($ams['row'])){ + foreach($ams['row'] as $row) { + if ($row['webserveripaddr']) { + $normalised_ipaddr = ""; + if (substr(trim($row['webserveripaddr']), 0, strlen("https:")) == "https:") { + // if backend is https, then enable SSLProxyEngine + $sslproxyengine = "SSLProxyEngine on"; + } else if (substr(trim($row['webserveripaddr']), 0, strlen("http:")) != "http:") { + // Ensure leading http(s):// + $normalised_ipaddr .= "http://"; + } + $normalised_ipaddr .= trim($row['webserveripaddr']); + $balancer_members .= " BalancerMember " . $normalised_ipaddr . "\n"; + // Ensure trailing / + if(substr($normalised_ipaddr,-1) != "/") { + $normalised_ipaddr .= "/"; + } + $backend_sites .= $normalised_ipaddr . " "; + $backend_sites_count++; + } + } + } + // Set general items + if($ams['siteemail']) + $serveradmin = $ams['siteemail']; + else + $serveradmin = $global_site_email; + if($ams['primarysitehostname']) + $primarysitehostname = $ams['primarysitehostname']; + $sitename = str_replace(" ", "", $ams['sitename']); + // Set local listening directive + if($ams['ipaddress'] && $ams['port']) + $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; + else + $local_ip_port = $global_listen; + // Is this item a load balancer + if($backend_sites_count>1) { + $balancer = true; + $mod_proxy .= "\n"; + $mod_proxy .= $balancer_members; + $mod_proxy .= "\n"; + $backend_sites = " balancer://{$sitename}/"; + $sitename = ""; // we are not using sitename in this case + } + // Set SSL items + if($ams['siteurl']) + $siteurl = $ams['siteurl']; + if($ams['certificatefile']) + $certificatefile = $ams['certificatefile']; + if($ams['certificatekeyfile']) + $certificatekeyfile = $ams['certificatekeyfile']; + if($ams['certificatechainfile']) + $certificatechainfile = $ams['certificatechainfile']; + // Begin VirtualHost + $mod_proxy .= "\n\n"; + if($siteurl == "HTTPS" && $certificatefile && $certificatekeyfile) { + $mod_proxy .= " SSLEngine on\n"; + if ($certificatefile) + $mod_proxy .= " SSLCertificateFile /usr/local/etc/apache22/$certificatefile\n"; + if ($certificatekeyfile) + $mod_proxy .= " SSLCertificateKeyFile /usr/local/etc/apache22/$certificatekeyfile\n"; + if ($certificatechainfile) + $mod_proxy .= " SSLCertificateChainFile /usr/local/etc/apache22/$certificatechainfile\n"; + } + if($sslproxyengine) + $mod_proxy .= " {$sslproxyengine}\n"; + if($additionalsitehostnames) + $mod_proxy .= " ServerAlias $additionalsitehostnames\n"; + if($serveradmin) + $mod_proxy .= " ServerAdmin $serveradmin\n"; + if($primarysitehostname) + $mod_proxy .= " ServerName $primarysitehostname \n"; + if($backend_sites) { + $mod_proxy .= " ProxyPassReverse /{$sitename} {$backend_sites}\n"; + $mod_proxy .= " ProxyPass / {$backend_sites}\n"; + } + if($ams['preserveproxyhostname']) + $mod_proxy .= " ProxyPreserveHost on\n"; + $mod_proxy .= "\n\n"; + // End VirtualHost + } + } + + if($config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']) + $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; + + // Process and include rules + if(is_dir(rules_directory)) { + $mod_security_rules = ""; + $files = return_dir_as_array(rules_directory); + foreach($files as $file) { + if(file_exists(rules_directory . "/" . $file)) { + // XXX: TODO integrate snorts rule on / off thingie + $file_txt = file_get_contents(rules_directory . "/" . $file); + $mod_security_rules .= $file_txt . "\n"; + } + } + } + + #include file templates + include ("/usr/local/pkg/apache.template"); + + file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); +} + +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template new file mode 100644 index 00000000..e5a2c864 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security.template @@ -0,0 +1,210 @@ + + + + + + + + apachemodsecuritygroups + 1.0 + Services: Mod_Security+Apache+Proxy: Settings + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Module options + /pkg_edit.php?xml=apache_mod_security_settings.xml + 2 + + + Rule Groups + /pkg.php?xml=apache_mod_security_groups.xml + 2 + + + + Rule Manipulation + /pkg.php?xml=apache_mod_security_manipulation.xml + 2 + + + + + Name + name + + + Description + description + + + + + Modsecurity group options + listtopic + + + Name + name + Enter group name + input + 25 + + + Description + description + Enter group description + input + 45 + + + Base Rules + baserules + + Use CTRL + click to select.]]> + select_source + + file + file + + 10 + + + Optional Rules + optionalrules + + Use CTRL + click to select.]]> + select_source + + file + file + + 10 + + + SLR Rules + slrrules + + Use CTRL + click to select.]]> + select_source + + file + file + + 10 + + + Experimental Rules + experimentalrules + + Use CTRL + click to select.]]> + select_source + + file + file + + 10 + + + Modsecurity Logging options + listtopic + + + Logging engine. + secauditengine + Configures ModSecurity audit logging engine. + select + + + + + + + + Debug log file. + SecDebugLogLevel + + High logging levels are not recommended in production as it affects performance.]]> + + select + + + + + + + + + + + + + Custom options + listtopic + + + Custom mod_security ErrorDocument + errordocument + + textarea + 10 + 75 + + + Custom mod_security rules + modsecuritycustom + Paste any custom mod_security rules that you would like to use + textarea + 10 + 75 + + + + apache_mod_security_resync(); + + /usr/local/pkg/apache_mod_security.inc + \ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml new file mode 100644 index 00000000..54738d83 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -0,0 +1,144 @@ + + + + + + + + apachemodsecuritymanipulation + 1.0 + Services: Mod_Security+Apache+Proxy: Settings + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Module options + /pkg_edit.php?xml=apache_mod_security_settings.xml + 2 + + + Rule Groups + /pkg.php?xml=apache_mod_security_groups.xml + 2 + + + Rule Manipulation + /pkg.php?xml=apache_mod_security_manipulation.xml + 2 + + + + + + Name + name + + + Description + description + + + + + Modsecurity group options + listtopic + + + Name + name + Enter group name + input + 25 + + + Description + description + Enter group description + input + 45 + + + + + + locations + Rule Manipulation Samples:

+ SecRuleRemoveById 125
+ SecRuleRemoveById 125-128
+ SecRuleRemoveByMsg "Client error occurred"
+ SecRuleUpdateActionById 125 pass
+ SecRuleUpdateTargetsById 125 "!ARGS:username"]]>
+ rowhelper + + + + type + + select + + + + + + + + + + value + + input + 30 + + +
+
+ + apache_mod_security_resync(); + + /usr/local/pkg/apache_mod_security.inc +
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml new file mode 100644 index 00000000..985f6bcc --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml @@ -0,0 +1,167 @@ + + + + + + + + apachemodsecuritysettings + 1.0 + Services: Mod_Security+Apache+Proxy: Settings + pkg_edit.php?xml=apache_mod_security_settings.xml&id=0 + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Module options + /pkg_edit.php?xml=apache_mod_security_settings.xml + + 2 + + + Rule Groups + /pkg.php?xml=apache_mod_security_groups.xml + 2 + + + Rule Manipulation + /pkg.php?xml=apache_mod_security_manipulation.xml + 2 + + + + + Security options + listtopic + + + ModSecurity protection + enablemodsecurity + + More info about ModSecurity can be found here: http://www.modsecurity.org/]]> + checkbox + + + Disable Backend Compression + secbackendcompression + + This directive is mandatory in reverse proxy mode to ModSecurity be able to inspect response bodies.]]> + select + + + + + + + Max request per IP + SecReadStateLimit + + //274 + + More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris + ]]> + + input + 10 + + + Maximum request body size in memory. + secrequestbodyinmemorylimit + Configures the maximum request body size ModSecurity will store in memory. + input + 10 + + + Maximum request body size for buffering. + secrequestbodylimit + Configures the maximum request body size ModSecurity will accept for buffering. + input + 10 + + + Modsecurity addons + listtopic + + + Http-guardian.pl + enablehttpdguardian + + NOTE: In order for this script to be effective it must be able to see all requests coming to the web server, so no per-virtual host option for this script.]]> + select + + + + + + + + Threshold 1min + threshold1min + + + + input + 5 + + + Threshold 5min + threshold5min + + + + input + 5 + + + + apache_mod_security_resync(); + + /usr/local/pkg/apache_mod_security.inc + \ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml new file mode 100755 index 00000000..0d8d8c8f --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml @@ -0,0 +1,99 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + apachesync + 1.0 + Proxy server: XMLRPC Sync + /usr/local/pkg/apache_mod_security.inc + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + + + + XMLRPC Sync + listtopic + + + Automatically sync apache configuration changes + synconchanges + Automatically sync apache changes to the hosts defined below. + checkbox + + + Remote Server + none + rowhelper + + + IP Address + ipaddress + IP Address of remote server + input + 20 + + + Password + password + Password for remote server. + password + 20 + + + + + + apache_mod_security_resync(); + + diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php new file mode 100755 index 00000000..1956a217 --- /dev/null +++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php @@ -0,0 +1,182 @@ + + + + + + + + +

+ + + + + + + +
+ + + + + +
+ +
+
+
+ + + + + + + + + + + + + + + +
+ +
+ + + +
+ +
+ + + +
+ +
+ +
+
+ ! to invert the sense of matching, to select non-matching lines.");?> +
+
+
+ + + + + + + + +
+ + + + + + + +
+
+ + + + + + + +
+ + + + + + + +
+
+
+
+
+ + + + + + diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml new file mode 100644 index 00000000..20ba59c2 --- /dev/null +++ b/config/apache_mod_security-dev/apache_settings.xml @@ -0,0 +1,286 @@ + + + + + + + + apachesettings + 1.0 + Apache reverse proxy: Settings + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Daemon Options + /pkg_edit.php?xml=apache_settings.xml + 2 + + + + Backends / Balancers + /pkg.php?xml=apache_balancer.xml + 2 + + + Virutal Hosts + /pkg.php?xml=apache_virtualhost.xml + 2 + + + Logs + /apache_view_logs.php + 2 + + + + + General + listtopic + + + Global site E-mail administrator + globalsiteadminemail + Enter the site administrators e-mail address + input + + + Server hostname + hostname + + + + input + + + Default Bind to IP Address + globalbindtoipaddr + + + NOTE: Leave blank to bind to * + ]]> + + input + + + Default Bind to port + globalbindtoport + + + NOTE: Leave blank to bind to 80 + ]]> + + input + 5 + + + Performance + listtopic + + + Keep alive + keepalive + + + + select + + + + + + + Max keep alive Requests + maxkeepalivereq + + + It's recommend to leave this number high, for maximum performance.
Leave empty to use apache defaults.]]> +
+ input + 5 +
+ + keep alive timeout + keepalivetimeout + Leave empty to use apache defaults.]]> + input + 5 + + + Servers Limit + serverlimit + Leave empty to use apache defaults.]]> + input + 5 + + + Start Servers + startservers + Leave empty to use apache defaults.]]> + input + 5 + + + Min Spare Threads + minsparethreads + + input + 5 + + + Max Spare Threads + maxsparethreads + + input + 5 + + + Threads Limit + threadslimit + Leave empty to use apache defaults.]]> + input + 5 + + + Thread Stack Size + threadstacksize + Leave empty to use apache defaults.]]> + input + 5 + + + threadsperchild + threadsperchild + Leave empty to use apache defaults.]]> + input + 5 + + + MaxClients + maxclients + Leave empty to use apache defaults.]]> + input + 5 + + + MaxRequestsPerChild + maxrequestsperchild + Leave empty to use apache defaults.]]> + input + 5 + + + Cache settings + listtopic + + + Memory cache size + memcachesize + + Leave empty to use default value or 0 to disable memory cache.
+ Enables mod_mem_cache which stores cached documents in memory.]]> +
+ input + 10 +
+ + Disk Cache Max File Size + diskcachesize + + Leave empty to use default value or 0 to disable disk cache.
+ mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache.]]> +
+ input + 10 +
+ + Connection limits (DoS protection) + listtopic + + + header + header_time_out + + + Sample: To allow at least 10 seconds to receive the request including the headers and increase the timeout by 1 second for every 500 bytes received but do not allow more than 30 seconds for the request including the headers:
+ 10,30,500]]> +
+ input + 10 +
+ + body + body_time_out + + + Sample: To allow at least 10 seconds to receive the request body and if the client sends data, increase the timeout by 1 second for every 1000 bytes received, with no upper limit for the timeout (exept for the limit given indirectly by LimitRequestBody):
+ 10,1000]]> +
+ input + 10 +
+ + Limit Request Body + LimitRequestBody + + + The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request.]]> + + input + 10 + +
+ + apache_mod_security_resync(); + + /usr/local/pkg/apache_mod_security.inc +
\ No newline at end of file diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php new file mode 100644 index 00000000..da82baaa --- /dev/null +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -0,0 +1,222 @@ + + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("/etc/inc/util.inc"); +require_once("/etc/inc/functions.inc"); +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/globals.inc"); +require_once("guiconfig.inc"); +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Status: Apache Vhosts Logs"; +include("head.inc"); +?> + + + + + + + +

+ + + + + + + +
+ + + + + + +
+ +
+ +
+
+
+ + + + + + + + + + + + + + + +
+ +
+ + + +
+ +
+ + + +
+ +
+ +
+
+ ! to invert the sense of matching, to select non-matching lines.");?> +
+
+
+
+ +
+ + + + + + + +
+ + + + + + +
+
+ + + + + + + +
+ + + + + + + +
+
+
+
+
+ + + + + + diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml new file mode 100644 index 00000000..9ac23dd6 --- /dev/null +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -0,0 +1,402 @@ + + + + + + + + apachevirtualhost + 1.0 + Apache reverse proxy: Site Proxies + + Mod_Security+Apache+Proxy + +
Services
+ apache_virtualhost.xml +
+ + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security.inc + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security.template + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_groups.xml + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_settings.xml + + + /usr/local/www/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_view_logs.php + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache.tempalte + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_balancer.tempalte + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_balancer.xml + + + /usr/local/www/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_logs_data.php + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_manipulator.xml + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_mod_security_sync.xml + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_settings.xml + + + /usr/local/www/ + 0644 + http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php + + + + Apache + /pkg_edit.php?xml=apache_settings.xml&id=0 + + + + ModSecurity + /pkg_edit.php?xml=apache_mod_security_settings.xml + + + Sync + /pkg_edit.php?xml=apache_mod_security_sync.xml + + + Daemon Options + /pkg_edit.php?xml=apache_settings.xml + 2 + + + Backends / Balancers + /pkg.php?xml=apache_balancer.xml + 2 + + + Virutal Hosts + /pkg.php?xml=apache_virtualhost.xml + 2 + + + + Logs + /apache_view_logs.php + 2 + + + + + Status + enable + + + Iface + interface + + + protocol + proto + + + Server name(s) + primarysitehostname + base64 + + + port + port + + + Description + description + + + + + Listening Options + listtopic + + + Enable + enable + Enable this virtual host + checkbox + + + Protocol(s) + proto + Select protocols that this virtual host will accept connections + select + + + + + + + Server Name(s) + primarysitehostname + + + Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]> + + 40 + 2 + textarea + base64 + + + Inbound Interface(s) + interface + WAN
Select interface(s) that this virtualhost will listen on.]]>
+ interfaces_selection + + + + +
+ + Port + port + Leave blank to use the default global port. + 10 + input + + + Site Webmaster E-Mail address + siteemail + 50 + + + + input + + + Site description + description + 50 + + + + input + + + HTTPS SSL certificate + ssl_cert + Choose the SSL Server Certificate here. + select_source + + descr + refid + none + + + intermediate CA certificate(optional) + reverse_int_ca + Select intermediate CA assigned to certificate. Not all certificates require this. + select_source + + descr + refid + none + + + + + + locations + rowhelper + + + + compress + Compress data to save bandwidth? + select + + + + + + + + sitepath + leave blank to use /]]> + input + 5 + + + + balancer + Server balancer / pool + + name + name + none + select_source + 5 + + + LbMethod]]> + lbmethod + Server balance method + select + + + + + + + + Backend path + backendpath + Leave blank to use /]]> + input + 5 + + + + modsecgroup + Choose Modsecurity group to use on this virtual host. + select_source + + name + name + none + + + + modsecmanipulation + Choose Modsecurity group to use on this virtual host. + select_source + + name + name + none + + +   Balancer options]]> + options + ex: ttl=60 stickysession='JSESSIONID']]> + input + 5 + + + + + Logging + listtopic + + + Preserve Proxy hostname + preserveproxyhostname + + + + checkbox + + + Log file + logfile + + + + select + + + + + + + + Custom Options + listtopic + + + Custom Options + custom + Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example. + textarea + 65 + 10 + base64 + + +
+ + apache_mod_security + /usr/local/etc/rc.d/apache_mod_security.sh + httpd + + + apache_mod_security_resync(); + + /usr/local/pkg/apache_mod_security.inc +
\ No newline at end of file -- cgit v1.2.3