X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fpostinst;h=24ab87487209fac6bb7fbc991abe07b6dea35473;hb=HEAD;hp=2a84610c6b501a27c09fa950ab9e908d6fc0a0e7;hpb=d898c4a3e286e07ee0f5d379dcdb055795209add;p=mod-security-cn.git
diff --git a/debian/postinst b/debian/postinst
index 2a84610..3a21ffd 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -2,121 +2,77 @@ set -e +[ "$1" = "configure" ] || exit 0 [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx -case "$1" in - configure) - # continue below - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - exit 0 - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - - -# Load debconf +# Load Debconf . /usr/share/debconf/confmodule -# Include CARNet functions +# Load CARNET Tools . /usr/share/carnet-tools/functions.sh PKG="mod-security-cn" A2DIR="/etc/apache2" -CONFDIR="$A2DIR/conf.d" -A2MODEDIR="$A2DIR/mods-enabled" -MODSECCONF="$CONFDIR/mod-security-cn.conf" -MODSECCND="/usr/share/mod-security-cn" -GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" -GEOLOOKUPDB_DIR="/usr/share/GeoIP" +CONF="$A2DIR/apache2.conf" +CONFDIR="$A2DIR/conf-available" +MODSECDIR="$A2DIR/mod-security" +MODSECCONF="$MODSECDIR/mod-security-cn.conf" +MODSECRBL="$MODSECDIR/rbl_lookup.conf" +MODSECLNK="$CONFDIR/security2-cn.conf" +MODSECTPL="/usr/share/mod-security-cn" temp_files= -need_restart=0 +if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then + . /usr/share/apache2/apache2-maintscript-helper + + modsecurity_enable() { + return 0 + } +else + cp_echo "CN: Could not load Apache 2.4 maintainer script helper." + + modsecurity_enable() { + return 1 + } +fi + # cleanup() # # Cleanup all temp files or directories. # cleanup () { - - local item - - if [ -n "$temp_files" ]; then - for item in $temp_files; do - if [ -e "$item" ]; then - rm -rf $item - fi - done - fi + local item + + if [ -n "$temp_files" ]; then + for item in $temp_files; do + if [ -e "$item" ]; then + rm -rf $item + fi + done + fi } # chk_conf_tag () # -# Check if configuration file has CARNet package info lines. +# Check if configuration file has CARNET package info lines. 
# return: $RET => 0 - tagged # 1 - file does not exists # 2 - file exists, but it is not tagged # chk_conf_tag () { - - local conf_file - conf_file="$1" - RET=1 - - if [ -f "$conf_file" ]; then - if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then - RET=0 - else - RET=2 - fi - fi -} - -# get_geolookupdb () -# -# Download GeoLookup database from maxmind.com -# Return: 0 - OK -# 1 - ERROR -# -get_geolookupdb () { - - local db db_tmp db_tmp_dir db_error - - db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz) - db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX) - temp_files="${temp_files} ${db_tmp_dir}" - db_error=0 - - echo -n "Attempting to download GeoLookup database for ModSecurity: " - - if [ ! -d "$GEOLOOKUPDB_DIR" ]; then - mkdir -p $GEOLOOKUPDB_DIR/ - fi - - /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1 - - if [ $db_error -eq 1 ]; then - echo "ERROR" - else - db_tmp=$(mktemp ${db}.XXXXXX) - temp_files="${temp_files} ${db_tmp}" - gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp - cp_mv $db_tmp $db - - echo "OK" - need_restart=1 - if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi - fi - - if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi - - RET=$db_error + local conf_file + conf_file="$1" + RET=1 + + if [ -f "$conf_file" ]; then + if egrep -q "^## Begin - Generated by CARNET package mod-security-cn$" "$conf_file"; then + RET=0 + else + RET=2 + fi + fi } 
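Review bot: chk_conf_tag now greps for the literal marker `## Begin - Generated by CARNET package mod-security-cn` (spelling changed from "CARNet"), and that single pattern is what later decides whether $MODSECCONF and $MODSECRBL get regenerated at all: a file that exists but does not match yields RET=2 and is then left untouched on every future upgrade. The templates under /usr/share/mod-security-cn are not part of this diff, so if their header line still reads "CARNet", the first generated file is never refreshed again and the debconf RBL toggle silently stops working; worth confirming the templates carry the new spelling, or tolerating both with `egrep -q "^## Begin - Generated by CARN[Ee][Tt] package mod-security-cn$" "$conf_file"`. In cleanup(), the re-indented `rm -rf $item` is still unquoted and has no `--`; the paths come from mktemp so it is not exploitable here, but `rm -rf -- "$item"` costs nothing and is what ShellCheck will ask for.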
@@ -127,103 +83,115 @@ trap cleanup 0 1 2 15 # Enable ModSecurity and unique_id Apache2 modules. # -if [ -e /etc/apache2/apache2.conf ]; then +if modsecurity_enable; then + apache2_invoke enmod security2 +fi - # Enable mod-security.load - if [ ! -e "$A2MODEDIR/mod-security.load" ]; then - cp_echo "CN: Enabling ModSecurity module for Apache2 web server." - a2enmod mod-security >/dev/null || true - need_restart=1 - fi - # Enable unique_id.load - if [ ! -e "$A2MODEDIR/unique_id.load" ]; then - a2enmod unique_id >/dev/null || true - cp_echo "CN: Enabling unique_id module for Apache2 web server." - need_restart=1 - fi +# Remove obsolete symbolic link. +# +if [ "`readlink -q -m /etc/apache2/conf.d/$PKG.conf`" = "$MODSECCONF" ]; then + rm -f /etc/apache2/conf.d/$PKG.conf fi -# Generate ModSecurity configuration file and activate RBL lookup +# Generate ModSecurity configuration files and activate RBL lookup # for ModSecurity if needed. # chk_conf_tag "$MODSECCONF" if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then - # Create /etc/apache2/conf.d/ directory if missing. - if [ ! -d "$CONFDIR" ]; then - cp_echo "CN: Creating configuration directory $CONFDIR" - mkdir -p $CONFDIR/ - fi - - # Enable mod-security-cn.conf - if [ ! -e "$MODSECCONF" ]; then - cp_echo "CN: Enabling ModSecurity specific configuration." - need_restart=1 - fi - - out=$(mktemp $MODSECCONF.XXXXXX) - temp_files="${temp_files} ${out}" - cp "$MODSECCND/mod-security-cn.conf" "$out" - - # GeoLookup database. - if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then - - get_geolookupdb - if [ $RET -eq 1 ]; then - db_set mod-security-cn/rbl false || true - db_fset mod-security-cn/rbl seen true - fi - fi - - db_get mod-security-cn/rbl || true - if [ "$RET" = "true" ]; then - - # Add RBL configuration. - cp_echo "CN: Enabling RBL lookup in $MODSECCONF." - cat $MODSECCND/rbl_lookup.conf >> $out - need_restart=1 - else - - # Remove RBL configuration. 
- cp_echo "CN: Disabling RBL lookup in $MODSECCONF." - need_restart=1 + # Create /etc/apache2/conf-available/ directory if missing. + if [ ! -d "$CONFDIR" ]; then + cp_echo "CN: Creating configuration directory $CONFDIR/" + mkdir -p $CONFDIR/ + fi + + # Create /etc/apache2/mod-security/ directory if missing. + if [ ! -d "$MODSECDIR" ]; then + cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/" + mkdir -p $MODSECDIR/ + fi + + out=$(mktemp $MODSECCONF.XXXXXX) + temp_files="${temp_files} ${out}" + + db_get mod-security-cn/rbl || true + if [ "$RET" = "true" ]; then + + # Add RBL configuration. + chk_conf_tag "$MODSECRBL" + if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then + + if [ $RET -eq 1 ]; then + cp_echo "CN: Creating configuration file $MODSECRBL" + cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" + else + if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then + cp_echo "CN: Updating configuration file $MODSECRBL" + cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" fi + fi + fi + + sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" \ + "$MODSECTPL/$(basename $MODSECCONF)" > "$out" + + if [ -e "$MODSECCONF" ]; then + if ! cmp -s "$MODSECCONF" "$out"; then + cp_echo "CN: Updating configuration file $MODSECCONF" + mv -f "$out" "$MODSECCONF" + cp_echo "CN: Enabled ModSecurity RBL lookup." + fi + else + cp_echo "CN: Creating configuration file $MODSECCONF" + mv "$out" "$MODSECCONF" + cp_echo "CN: Enabled ModSecurity RBL lookup." + fi + else + + # Remove RBL configuration. + sed "s,#RBLLOOKUP#,# DISABLED,g" \ + "$MODSECTPL/$(basename $MODSECCONF)" > "$out" + + if [ -e "$MODSECCONF" ]; then + if ! cmp -s "$MODSECCONF" "$out"; then + cp_echo "CN: Updating configuration file $MODSECCONF" + mv -f "$out" "$MODSECCONF" + cp_echo "CN: Disabled ModSecurity RBL lookup." + fi + else + cp_echo "CN: Creating configuration file $MODSECCONF" + mv "$out" "$MODSECCONF" + cp_echo "CN: Disabled ModSecurity RBL lookup." 
+ fi + + chk_conf_tag "$MODSECRBL" + if [ $RET -eq 0 ]; then + cp_echo "CN: Removing configuration file $MODSECRBL" + rm -f "$MODSECRBL" + fi + fi + + if [ -f "$out" ]; then rm -f $out; fi +fi - # Update mod-security-cn.conf configuration file. - if ! cmp -s "$MODSECCONF" "$out"; then - cp_mv "$out" "$MODSECCONF" - need_restart=1 - fi - if [ -f "$out" ]; then rm -f $out; fi +# Enable ModSecurity configuration. +# +if [ ! -e "$MODSECLNK" ]; then + ln -fs "$MODSECCONF" "$MODSECLNK" +fi +if modsecurity_enable; then + cp_echo "CN: Enabling $PKG configuration for Apache2." + apache2_invoke enconf security2-cn fi db_stop || true - -# Restart Apache2 web server if needed. -# -if [ $need_restart -eq 1 ]; then - - # Check Apache2 web server configuration. - if /usr/sbin/apache2ctl configtest 2>/dev/null; then - - # Restart Apache2 web server. - if [ -x "/etc/init.d/apache2" ]; then - if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then - invoke-rc.d apache2 restart || true - else - /etc/init.d/apache2 restart || true - fi - fi - else - - # Something is broken. - cp_echo "CN: Your Apache2 configuration is broken." - cp_echo "CN: Please, check the service after the installation finishes!" - fi +if ! apache2ctl configtest >/dev/null 2>&1; then + cp_echo "CN: Your Apache2 configuration seems to be broken." + cp_echo "CN: Please, check the service after the installation finishes!" fi @@ -231,4 +199,6 @@ fi # cp_mail "$PKG" +#DEBHELPER# + exit 0
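Review bot: The closing check `if ! apache2ctl configtest >/dev/null 2>&1` throws away the only diagnostic that tells the administrator which directive is broken, and it runs after `apache2_invoke enconf security2-cn` has already enabled the new configuration, so a bad $MODSECCONF or $MODSECRBL is live for the next reload with nothing but a generic warning printed. Keep stderr, e.g. `if ! err=$(apache2ctl configtest 2>&1 >/dev/null); then` followed by `cp_echo "CN: $err"`, or at minimum drop the `2>&1`. The comment `# Enable ModSecurity and unique_id Apache2 modules.` no longer matches the code, which enables only security2; if the intent is that Debian's security2.load pulls unique_id in through its own dependency header, say so in the comment, otherwise the unique_id enmod the old side had should come back. Also, the "obsolete symbolic link" removal fires only when /etc/apache2/conf.d/mod-security-cn.conf is a symlink to the new $MODSECCONF, while the old side of this diff wrote a regular file there (cp_mv into $CONFDIR), which `readlink -m` reports under its own path and so is left behind; presumably harmless under Apache 2.4, where conf.d is not included, but stale ModSecurity rules in /etc/apache2 are easy to mistake for active policy.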