X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fpostinst;h=634d1077426fe841ca174dafde2c55ea26d2cc34;hb=65bbe42036b53f52e0ada10269e4f81bb79591c0;hp=2a84610c6b501a27c09fa950ab9e908d6fc0a0e7;hpb=d898c4a3e286e07ee0f5d379dcdb055795209add;p=mod-security-cn.git
diff --git a/debian/postinst b/debian/postinst
index 2a84610..634d107 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -29,11 +29,11 @@ esac
 PKG="mod-security-cn"
 A2DIR="/etc/apache2"
 CONFDIR="$A2DIR/conf.d"
+CONF="$CONFDIR/apache2.conf"
 A2MODEDIR="$A2DIR/mods-enabled"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
-MODSECCND="/usr/share/mod-security-cn"
-GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
-GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+MODSECTDIR="/usr/share/mod-security-cn"
 temp_files=
 need_restart=0
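Review bot: `CONF="$CONFDIR/apache2.conf"` expands to /etc/apache2/conf.d/apache2.conf, because CONFDIR is set to `$A2DIR/conf.d` two lines above, whereas the check it replaces in the `@@ -127,7 +111,7 @@` hunk (`-if [ -e /etc/apache2/apache2.conf ]` → `+if [ -e "$CONF" ]`) tested /etc/apache2/apache2.conf itself. Unless a conf.d/apache2.conf happens to exist, the module-enabling block guarded by that test is skipped and mod-security.load and unique_id.load are never enabled. The intended value is presumably `CONF="$A2DIR/apache2.conf"`.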
@@ -78,45 +78,29 @@ chk_conf_tag () {
 fi
 }
-# get_geolookupdb ()
+# install_conf()
 #
-# Download GeoLookup database from maxmind.com
-# Return: 0 - OK - 1 - ERROR
+# Install specified ModSecurity configuration file.
 #
-get_geolookupdb () {
+install_conf () {
- local db db_tmp db_tmp_dir db_error
+ local conftmpl conf
+ conftmpl="$MODSECTDIR/$1"
+ conf="$MODSECDIR/$1"
- db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
- db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
- temp_files="${temp_files} ${db_tmp_dir}"
- db_error=0
-
- echo -n "Attempting to download GeoLookup database for ModSecurity: "
-
- if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
- mkdir -p $GEOLOOKUPDB_DIR/
- fi
-
- /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
-
- if [ $db_error -eq 1 ]; then
- echo "ERROR"
- else
- db_tmp=$(mktemp ${db}.XXXXXX)
- temp_files="${temp_files} ${db_tmp}"
- gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
- cp_mv $db_tmp $db
-
- echo "OK"
+ if [ ! -e "$conf" ]; then
+ cp_echo "CN: Creating new configuration file $conf"
+ cp "$conftmpl" "$conf"
 need_restart=1
- if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ else
+ if ! cmp -s "$conf" "$conftmpl"; then
+ cp_echo "CN: Updating configuration file $conf"
+ cp "$conftmpl" "$conf"
+ need_restart=1
+ else
+ cp_echo "CN: $conf already exists." 1>&2
+ fi
 fi
-
- if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
-
- RET=$db_error
 }
@@ -127,7 +111,7 @@ trap cleanup 0 1 2 15
 # Enable ModSecurity and unique_id Apache2 modules.
 #
-if [ -e /etc/apache2/apache2.conf ]; then
+if [ -e "$CONF" ]; then
 # Enable mod-security.load
 if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
@@ -138,8 +122,8 @@ if [ -e /etc/apache2/apache2.conf ]; then
 # Enable unique_id.load
 if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- a2enmod unique_id >/dev/null || true
 cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ a2enmod unique_id >/dev/null || true
 need_restart=1
 fi
 fi
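Review bot: Both `cp "$conftmpl" "$conf"` calls in install_conf run unchecked and write straight onto the live configuration file, so a failed or partial copy leaves a broken $conf in place while need_restart=1 is still set; the function also drops the `RET=` convention the removed get_geolookupdb ended with (`RET=$db_error`), so callers have no way to notice that installation failed. Staging the copy through mktemp and moving it into place, as the RBL-disable branch in the last hunk does, and setting RET from the copy's exit status would close both gaps. The header comment should also document the argument and the globals touched, e.g. `# $1 - configuration file name, resolved under $MODSECTDIR (template) and $MODSECDIR (target)` and `# Sets need_restart=1 when the file is created or updated.`. The `1>&2` on the "already exists" message is the only cp_echo call in the patch redirected to stderr; confirm that is intended rather than a leftover.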
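Review bot: The re-added `a2enmod unique_id >/dev/null || true` still discards a2enmod's exit status, so with the cp_echo now printed first the log says the module is being enabled and need_restart=1 is set even when a2enmod failed. Reporting the failure instead of swallowing it, e.g. `a2enmod unique_id >/dev/null || cp_echo "CN: Failed to enable unique_id module." 1>&2`, keeps the non-aborting behaviour of `|| true` while leaving a trace in the install output. The enclosing `if [ -e "$CONF" ]` block begins in the previous hunk.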
@@ -153,51 +137,54 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
 # Create /etc/apache2/conf.d/ directory if missing.
 if [ ! -d "$CONFDIR" ]; then
- cp_echo "CN: Creating configuration directory $CONFDIR"
+ cp_echo "CN: Creating configuration directory $CONFDIR/"
 mkdir -p $CONFDIR/
 fi
- # Enable mod-security-cn.conf
- if [ ! -e "$MODSECCONF" ]; then
- cp_echo "CN: Enabling ModSecurity specific configuration."
- need_restart=1
+ # Create /etc/apache2/mod-security/ directory if missing.
+ if [ ! -d "$MODSECDIR" ]; then
+ cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+ mkdir -p $MODSECDIR/
 fi
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- cp "$MODSECCND/mod-security-cn.conf" "$out"
-
- # GeoLookup database.
- if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
-
- get_geolookupdb
- if [ $RET -eq 1 ]; then
- db_set mod-security-cn/rbl false || true
- db_fset mod-security-cn/rbl seen true
- fi
- fi
+ install_conf "mod-security-cn.conf"
 db_get mod-security-cn/rbl || true
 if [ "$RET" = "true" ]; then
+ cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
+
 # Add RBL configuration.
- cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
- cat $MODSECCND/rbl_lookup.conf >> $out
- need_restart=1
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ install_conf "rbl_lookup.conf"
+ fi
 else
+ cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+
 # Remove RBL configuration.
- cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
+ "$MODSECCONF" > "$out"
+ mv -f "$out" "$MODSECCONF"
+ if [ -f "$out" ]; then rm -f $out; fi
+
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ rm -f "$MODSECDIR/rbl_lookup.conf"
+ fi
+
 need_restart=1
 fi
- # Update mod-security-cn.conf configuration file.
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_mv "$out" "$MODSECCONF"
+ # Enable ModSecurity configuration.
+ if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
+ cp_echo "CN: Enabling ModSecurity configuration."
+ ln -fs "$MODSECCONF" "$CONFDIR/."
 need_restart=1
 fi
-
- if [ -f "$out" ]; then rm -f $out; fi
 fi
 db_stop || true
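Review bot: In the RBL-disable branch `mv -f "$out" "$MODSECCONF"` runs even when the preceding `sed -r ... > "$out"` fails, so a sed error replaces the live configuration with whatever partial output was written; the removed code routed this step through `cp_mv "$out" "$MODSECCONF"`, and either reusing that helper or gating the move, `sed -r "…" "$MODSECCONF" > "$out" && mv -f "$out" "$MODSECCONF"`, avoids the truncation. The `if [ -f "$out" ]; then rm -f $out; fi` directly after the move is dead code, since $out no longer exists at that point. Because install_conf earlier in this hunk re-copies the template whenever `cmp -s` reports a difference, and this branch then comments the Include line again, every later run with rbl=false will presumably print "Updating configuration file", rewrite the file and force a restart, if the shipped template carries that Include uncommented. The sed pattern also hard-codes /etc/apache2/mod-security/rbl_lookup.conf instead of deriving it from `$MODSECDIR`, so the two can drift apart. The enclosing `if [ $RET -eq 0 ] || [ $RET -eq 1 ]` block begins before this hunk.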