#!/bin/sh
#
# Debian maintainer script for the apache2-cn package (the "configure"
# argument check and the #DEBHELPER# marker at the end indicate a postinst).
# It backs up the existing Apache2 configuration, enables the modules the
# package relies on, normalises Include/IncludeOptional lines, installs the
# CARNET configuration and VirtualHosts, wires the SSL certificate paths
# given via debconf and finally reloads Apache2 if anything changed.
#
# Required inputs: $1 ("configure"), $2 (previously configured version;
# empty on a fresh install), debconf answers apache2-cn/{sslcf,sslckf,
# sslccf,wwwhost}, and the helpers from /usr/share/carnet-tools/functions.sh
# (cp_echo, cp_mv, cp_backup_conffile, cp_check_and_sed, cp_mail).
#
# NOTE(review): this copy of the script is damaged in several places —
# text that sat between "<" and ">" characters was lost during extraction
# (a here-document, an awk program, a grep pattern and an HTML literal).
# Each such place is marked with a NOTE(review) comment below. The tokens
# are left exactly as found; restore them from the package source.
#
set -e
# Only act on "configure"; abort-* and other postinst phases do nothing.
[ "$1" = "configure" ] || exit 0
# Opt-in shell tracing for debugging the maintainer script.
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
# Load Debconf
. /usr/share/debconf/confmodule
# Load CARNET Tools
. /usr/share/carnet-tools/functions.sh
PKG="apache2-cn"
VERSION="2.4.10+1"
CONFDIR="/etc/apache2"
CONF="$CONFDIR/apache2.conf"
PORTCONF="$CONFDIR/ports.conf"
A2CNDIR=/usr/share/apache2-cn
TMPLDIR=$A2CNDIR/templates
CERTDIR=/etc/ssl/certs
HOST=$(hostname)
FQDN=$(hostname --fqdn)
WEBMASTER="webmaster@$FQDN"
DOMAIN=$(hostname -d)
BACKUPDIR="/var/backups/apache2-cn"
# Set to 1 by any step that changes configuration; drives the reload at
# the end.
need_restart=0
# Certificate, key and chain file paths taken from debconf (see below).
apache2_sslcf=
apache2_sslckf=
apache2_sslccf=
# NOTE(review): has_vhosts, VERSION and CERTDIR are assigned but not read
# anywhere in this script.
has_vhosts=0
# Space-separated list of temporary files removed by cleanup() via trap.
temp_files=
# 1 when an SSL VirtualHost is already configured somewhere.
has_listen_ssl=0
listen_ssl_mask=
# cleanup()
#
# Cleanup all temp files.
#
# Globals: temp_files (read) - space-separated list, so it is deliberately
#          left unquoted in the for loop to split it into items.
#
cleanup () {
  if [ -n "$temp_files" ]; then
    for item in $temp_files; do
      if [ -e "$item" ]; then
        rm -f $item
      fi
    done
  fi
}
# tag_conf()
#
# Add CARNET package info lines to config's header.
#
# Arguments: $1 - path of the config file to tag (appended to if it exists)
#
tag_conf () {
  local conf_file
  conf_file="$1"
  if [ -e "$conf_file" ]; then
    # NOTE(review): the here-document that follows is truncated in this copy
    # (the text between "<" and "0 - tagged" is missing, together with the
    # closing fi/} of this function and the header comment of chk_conf_tag).
    # TODO confirm against the package source; the header must at least
    # contain "## Begin - Generated by CARNET package apache2-cn", which is
    # the line chk_conf_tag() greps for.
    cat >> $conf_file < 0 - tagged
# 1 - not tagged or file does not exists
# 2 - file exists, but it is not tagged
#
# chk_conf_tag()
#
# Check whether a config file carries the CARNET header written by tag_conf().
#
# Arguments: $1 - path of the config file
# Globals:   RET (written) - 0 tagged, 1 file does not exist, 2 exists but
#            not tagged (same variable debconf's db_get uses)
#
chk_conf_tag () {
  local conf_file
  conf_file="$1"
  RET=1
  if [ -f "$conf_file" ]; then
    if egrep -q "^## Begin - Generated by CARNET package apache2-cn$" "$conf_file"; then
      RET=0
    else
      RET=2
    fi
  fi
}
# generate_ssl()
#
# Generate Apache2 web server SSL certificate.
#
# Runs the package's carnet-generate-ssl helper for $FQDN; its stderr is
# discarded and its stdout is echoed through cp_echo. Marks a restart.
#
generate_ssl () {
  generate_ssl_output=$($A2CNDIR/carnet-generate-ssl ignore "$FQDN" "$WEBMASTER" "$DOMAIN" 2> /dev/null)
  cp_echo "$generate_ssl_output"
  need_restart=1
}
# listen_ssl()
#
# Check if port 443 is configured in ports.conf file.
#
# If no "Listen 443" line is present, a copy of ports.conf is built in a
# mktemp file next to it, "Listen 443" is appended, and the copy is moved
# into place with mode 644. Marks a restart.
#
listen_ssl() {
  if [ ! -f "$PORTCONF" ] || ! egrep -iq "^[[:space:]]*Listen[[:space:]]+443$" "$PORTCONF"; then
    cp_echo "CN: Enabling SSL port (443) for Apache2 web server."
    out=$(mktemp ${PORTCONF}.XXXXXX)
    temp_files="${temp_files} ${out}"
    if [ -f "$PORTCONF" ]; then
      cp $PORTCONF $out
    fi
    echo "Listen 443" >> $out
    cp_mv $out $PORTCONF
    chmod 644 $PORTCONF
    need_restart=1
  fi
}
# install_conf()
#
# Install specified Apache2 configuration file.
#
# Arguments: $1 - template name under $A2CNDIR (without .conf)
#            $2 - target name under conf-available (without .conf)
#
# An existing target is never overwritten; it is only (re-)enabled.
#
install_conf() {
  conftmpl="$A2CNDIR/$1.conf"
  conf="$CONFDIR/conf-available/$2.conf"
  if [ ! -e "$conf" ]; then
    cp_echo "CN: Generating CARNET specific configuration."
    cp "$conftmpl" "$conf"
  else
    cp_echo "CN: $conf already exists, left untouched." 1>&2
  fi
  cp_echo "CN: Enabling CARNET specific configuration."
  a2enconf -m -q "$2"
  need_restart=1
}
# install_vhost()
#
# Install specified VirtualHost for Apache2 web server.
#
# Invocation:
#
# install_vhost [-nvh] [-d] [-s docroot_symlink_dest] [-r docroot] [-n name] template site site-enabled-symlink
#
# -nvh - add NameVirtualHost
# -d - mkdir DocumentRoot
# -r - set DocumentRoot
# -n - set ServerName
# -s X - symlink DocumentRoot to X (all in /var/www)
#
# site - host part of ServerName unless -r or -n is used
# site-enabled-symlink - name of file/symlink in sites-available/sites-enabled
# (without .conf suffix)
#
# The template $TMPLDIR/<template>.template is instantiated with sed
# (HOST, DOMAIN, DOCROOT, IPADDR placeholders) into a mktemp file in
# sites-available, tagged with the CARNET header, installed with mode 644
# and enabled with a2ensite. Exits 2 if the template is missing.
#
install_vhost() {
  add_namevirthost=
  mkdir_docroot=
  symlink_docroot=
  docroot=
  vhostname=
  # Consume leading options until the first argument not starting with "-".
  while echo "x$1" | grep -q '^x-'; do
    case "$1" in
      -nvh)
        add_namevirthost=1
        shift
        ;;
      -d)
        mkdir_docroot=1
        shift
        ;;
      -s)
        shift
        symlink_docroot="$1"
        shift
        ;;
      -r)
        shift
        docroot="$1"
        # A bare name (no "/") is taken relative to /var/www.
        if ! echo "$docroot" | grep -q /; then
          docroot="/var/www/$docroot"
        fi
        shift
        ;;
      -n)
        shift
        vhostname="$1"
        shift
        ;;
    esac
  done
  vhosttmpl="$1.template"
  vhost="$2"
  vsite="$3"
  venabled="$3.conf"
  # Default ServerName is the first label of the site argument.
  [ -z "$vhostname" ] && vhostname=$(echo "$vhost"| awk -F. '{print $1}')
  force_vhost=
  vhostdir=$CONFDIR/sites-available
  venabledir=$CONFDIR/sites-enabled
  if [ ! -e "$TMPLDIR/${vhosttmpl}" ]; then
    echo "E: vhost template ${vhosttmpl} not found in $TMPLDIR!" 1>&2
    exit 2
  fi
  [ -z "$docroot" ] && docroot="/var/www/$vhostname.$DOMAIN"
  # if we were broken mid-installation, force
  if [ ! -e "$docroot" -a \( -n "$mkdir_docroot" -o -n "$symlink_docroot" \) ]; then
    force_vhost=1
  fi
  # add vhost if either of these is true
  # - adding is forced OR
  # - it doesn't exist
  #
  if [ -n "$force_vhost" -o \( ! -e "$vhostdir/$venabled" -a ! -e "$venabledir/$venabled" \) ]; then
    cp_echo "CN: Adding $vhost VirtualHost."
    out=$(mktemp $vhostdir/$venabled.XXXXXX)
    temp_files="${temp_files} ${out}"
    # CARNET header.
    tag_conf "$out"
    if [ "$add_namevirthost" ]; then
      # NOTE(review): this statement is truncated in this copy — the awk
      # program and whatever is appended to $out are missing (the text
      # between "/^" and "> $out" was lost in extraction). TODO restore from
      # the package source before relying on -nvh.
      nvh=$(awk -F'[ >]' '/^> $out
    fi
    # Shell values are interpolated straight into the sed program; a "/" in
    # $vhostname/$DOMAIN or a "#" in $docroot would break the expression.
    # NOTE(review): $MYIP is not set in this script — presumably provided by
    # functions.sh; confirm.
    sed "s/HOST/$vhostname/g; s/DOMAIN/$DOMAIN/g; s#DOCROOT#$docroot#g; s/IPADDR/$MYIP/g" < $TMPLDIR/$vhosttmpl >> $out
    cp_mv $out $vhostdir/$venabled
    chmod 644 $vhostdir/$venabled
    a2ensite -m -q "$vsite"
    if [ -n "$mkdir_docroot" -a ! -d "$docroot" ]; then
      mkdir "$docroot"
      # NOTE(review): the literal below appears stripped of its markup in
      # this copy; only the blank lines and "Radi!" survive. TODO confirm
      # against the package source.
      echo '

Radi!

' > "$docroot/index.html"
    elif [ -n "$symlink_docroot" ]; then
      ln -fs "$symlink_docroot" "$docroot"
    fi
    need_restart=1
  fi
}
# backup_conf()
#
# Backup configuration files located in specified directory.
#
# Arguments: $1 - directory to back up
#
# Regular files are copied with cp_backup_conffile into
# $BACKUPDIR/<basename of dir>; editor/backup/dpkg leftovers (~, .old,
# .bak, .swp, .tmp, .dpkg-*, .cn-*, ...) are skipped.
#
backup_conf () {
  local dir file backup_dir
  dir="$1"
  # "ls -A" output is used only as a non-empty-directory test.
  if [ -d "${dir}" ] && [ -n "$(ls -A ${dir}/)" ]; then
    cp_echo "CN: Doing backup for all files in $dir"
    for file in ${dir}/*; do
      if [ -f "$file" ]; then
        if [ -z "$(echo "$file" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ]; then
          backup_dir="$BACKUPDIR/$(basename $(dirname "$file"))"
          cp_backup_conffile -d "$backup_dir" -p "$file"
        fi
      fi
    done
  fi
}
# move_conf()
#
# Move configuration files from one directory to another. The .conf suffix
# will be added. Will try to enable the configuration if -e is specified.
#
# Arguments: [-e]  - enable each moved file with a2en<ctype>
#            $1    - "site" or "conf" (anything else returns 1)
#            $2    - source directory
#            $3    - destination directory (defaults to $2)
#
# Existing destination files are never overwritten. Enabling failures are
# ignored (|| true).
#
move_conf () {
  local toenable ctype dir newdir file newfile
  if [ "$1" = "-e" ]; then
    toenable="$1"
    shift
  fi
  ctype="$1"
  dir="$2"
  newdir="$3"
  case "$ctype" in
    site|conf)
      # continue below
      ;;
    *)
      return 1
      ;;
  esac
  if [ -z "$newdir" ]; then
    newdir="$dir"
  fi
  if [ -d "${dir}" ] && [ -n "$(ls -A ${dir}/)" ]; then
    mkdir -p "$newdir"
    for file in ${dir}/*; do
      # Skip backup/editor/dpkg leftovers.
      [ -z "$(echo "$file" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ] || continue
      # basename strips an existing .conf so the suffix is never doubled.
      newfile="${newdir}/$(basename "$file" .conf).conf"
      if [ ! -e "$newfile" ]; then
        cp_echo "CN: Preserving changes to $newfile (renamed from $file)."
        cp_mv "$file" "$newfile"
        if [ -n "$toenable" ]; then
          cp_echo "CN: Enabling configuration $newfile"
          a2en$ctype -m -q "$(basename "$newfile" .conf)" || true
        fi
        need_restart=1
      fi
    done
  fi
}
# rename_conf()
#
# Append the .conf suffix to all configuration files located in specified
# available and enabled directories. Updated symlinks if necessary.
#
# Arguments: $1 - "site" or "conf" (anything else returns 1)
#            $2 - *-available directory
#            $3 - *-enabled directory
#
# Only symlinks in the enabled directory that resolve into the available
# directory and share their base name are handled: the target is renamed
# to <name>.conf, the old symlink removed and the config re-enabled with
# a2en<ctype> (failures ignored).
#
rename_conf () {
  local ctype adir edir afile efile newfile
  ctype="$1"
  adir="$2"
  edir="$3"
  case "$ctype" in
    site|conf)
      # continue below
      ;;
    *)
      return 1
      ;;
  esac
  if [ -d "${edir}" ] && [ -n "$(ls -A ${edir}/)" ]; then
    mkdir -p "$adir"
    for efile in ${edir}/*; do
      [ -z "$(echo "$efile" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ] || continue
      # Already has a .conf counterpart (or is one itself): nothing to do.
      [ ! -e "${edir}/$(basename "$efile" .conf).conf" ] || continue
      afile="$(readlink -q -m "$efile")"
      [ "$(dirname "$afile")" = "$adir" ] || continue
      [ "$(basename "$afile" .conf)" = "$(basename "$efile" .conf)" ] || continue
      newfile="${adir}/$(basename "$afile" .conf).conf"
      [ ! -e "$newfile" ] || continue
      cp_echo "CN: Preserving changes to $newfile (renamed from $afile)."
      cp_mv "$afile" "$newfile"
      cp_echo "CN: Removing obsolete symlink $efile"
      rm -f "$efile"
      cp_echo "CN: Enabling configuration $newfile"
      a2en$ctype -m -q "$(basename "$newfile" .conf)" || true
      need_restart=1
    done
  fi
}
# listconffiles()
#
# Recursively walks /etc/apache2/apache2.conf for Include and
# IncludeOptional directives.
# Prints all configfiles so defined.
#
# Arguments: $1 - config file to walk
# Outputs:   one resolved path (readlink -m) per included file, depth-first
#
# A trailing "/" in an Include argument is rewritten to "/*" and relative
# paths are prefixed with the including file's directory; the unquoted
# $incs in the for loop is what expands those globs.
#
listconffiles () {
  local i incs
  local base_dir="`dirname $1`"
  incs=`awk 'tolower($1) ~ /include(optional)?/ { sub("/$","/*",$2); print $2; }' $1`
  incs=`echo "$incs" | sed -r "s#^([^/])#${base_dir}/\1#"`
  if [ -n "$incs" ]; then
    for i in $incs; do
      if [ -e "$i" ]; then
        echo "`readlink -m -q $i`";
        listconffiles "$i";
      fi
    done
  fi
}
# Set trap for deleting all temp files.
#
trap cleanup 0 1 2 15
# Backup all configuration located in /etc/apache2/conf.d/,
# /etc/apache2/conf-available/ and /etc/apache2/sites-available/
# directories.
#
if [ -e "$CONF" ]; then
  cp_echo "CN: Doing backup for $CONF"
  cp_backup_conffile -d $BACKUPDIR -p $CONF
fi
backup_conf $CONFDIR/conf.d
backup_conf $CONFDIR/conf-available
backup_conf $CONFDIR/sites-available
cp_echo "CN: Backup is located in directory: $BACKUPDIR/"
# Enable Apache2 web server modules (mpm_prefork, cgi, rewrite, userdir, suexec, php7.3, ssl).
#
if [ -e "$CONF" ]; then
  cp_echo "CN: Enabling the prefork Apache2 MPM."
  # NOTE(review): if a2query fails, "|| true" yields an empty name and the
  # a2dismod call below would be asked to disable "mpm_"; confirm whether
  # that is acceptable here.
  if [ "$(a2query -M || true)" != "prefork" ]; then
    a2dismod -m -q "mpm_$(a2query -M || true)"
    a2enmod -m -q mpm_prefork
  fi
  cp_echo "CN: Enabling required Apache2 web server modules."
  a2enmod -m -q access_compat
  a2enmod -m -q cgi
  a2enmod -m -q rewrite
  a2enmod -m -q userdir
  a2enmod -m -q suexec
  a2enmod -m -q php7.3
  a2enmod -m -q ssl
fi
# Make sure configuration files have the .conf suffix. Move them
# to appropriate locations.
#
if [ -d "$CONFDIR/conf.d" ]; then
  cp_echo "CN: Obsolete configuration directory $CONFDIR/conf.d/ found."
  move_conf -e conf $CONFDIR/conf.d $CONFDIR/conf-available
fi
rename_conf site $CONFDIR/sites-available $CONFDIR/sites-enabled
# Check and add IncludeOptional lines to /etc/apache2/apache2.conf:
#
# IncludeOptional conf-enabled/*.conf
# IncludeOptional sites-enabled/*.conf
#
# Old "Include conf.d" / "Include sites-enabled" forms are rewritten in a
# temp copy; the copy replaces $CONF only if it actually differs.
#
if [ -e "$CONF" ]; then
  cp_echo "CN: Checking IncludeOptional lines in $CONF"
  CONFTMP=`mktemp $CONF.tmp.XXXXXX`
  temp_files="${temp_files} ${CONFTMP}"
  cp "$CONF" "$CONFTMP"
  sed -r -i 's#^[[:space:]]*Include(Optional)?[[:space:]]+(/etc/apache2/)?conf\.d(/)?$#IncludeOptional conf-enabled/\*\.conf#I' \
    "$CONFTMP"
  sed -r -i 's#^[[:space:]]*Include(Optional)?[[:space:]]+(/etc/apache2/)?sites-enabled(/)?$#IncludeOptional sites-enabled/\*\.conf#I' \
    "$CONFTMP"
  if ! egrep -iq "^[[:space:]]*IncludeOptional[[:space:]]+conf-enabled/\*\.conf$" "$CONFTMP"; then
    echo 'IncludeOptional conf-enabled/*.conf' >> "$CONFTMP"
  fi
  if ! egrep -iq "^[[:space:]]*IncludeOptional[[:space:]]+sites-enabled/\*\.conf$" "$CONFTMP"; then
    echo 'IncludeOptional sites-enabled/*.conf' >> "$CONFTMP"
  fi
  if ! cmp -s "$CONFTMP" "$CONF"; then
    cp_mv "$CONFTMP" "$CONF"
    need_restart=1
  fi
  rm -f "$CONFTMP"
fi
# Remove deprecated directives. Add default Mutex if not defined.
#
# Walks every file reachable from $CONF via Include/IncludeOptional plus
# $CONF itself.
#
# NOTE(review): the while loop is the last stage of a pipeline, so under a
# /bin/sh such as dash it runs in a subshell — the need_restart=1 and
# temp_files assignments made inside it do not survive past "done".
# Confirm whether a change here is expected to trigger the final reload.
#
if [ -e "$CONF" ]; then
  ( listconffiles "$CONF"; echo "$CONF" ) | while read -r a2cfile; do
    a2cfiletmp=`mktemp $a2cfile.tmp.XXXXXX`
    temp_files="${temp_files} ${a2cfiletmp}"
    cp "$a2cfile" "$a2cfiletmp"
    if egrep -iq "^[[:space:]]*NameVirtualHost[[:space:]]+" "$a2cfiletmp"; then
      cp_echo "CN: Removing deprecated NameVirtualHost from $a2cfile"
      sed -r -i '/^[[:space:]]*NameVirtualHost[[:space:]]+/Id' \
        "$a2cfiletmp"
    fi
    if egrep -iq "^[[:space:]]*SSLMutex[[:space:]]+" "$a2cfiletmp"; then
      cp_echo "CN: Removing deprecated SSLMutex from $a2cfile"
      sed -r -i '/^[[:space:]]*SSLMutex[[:space:]]+/Id' \
        "$a2cfiletmp"
    fi
    if [ "$a2cfile" = "$CONF" ]; then
      if ! egrep -iq "^[[:space:]]*Mutex[[:space:]]+" "$a2cfiletmp"; then
        cp_echo "CN: Adding default Mutex to $a2cfile"
        # Single quotes are intentional: ${APACHE_LOCK_DIR} is expanded by
        # Apache from its envvars, not by this shell.
        echo 'Mutex file:${APACHE_LOCK_DIR} default' >> "$a2cfiletmp"
      fi
    fi
    if ! cmp -s "$a2cfiletmp" "$a2cfile"; then
      cp_mv "$a2cfiletmp" "$a2cfile"
      need_restart=1
    fi
    rm -f "$a2cfiletmp"
  done
fi
# Install CARNET specific configuration file.
#
install_conf carnet 000-carnet
# Enable SSL port (443).
#
listen_ssl
# Disable default site configuration.
#
if [ -e "$CONF" ]; then
  cp_echo "CN: Disabling default site configuration."
  a2dissite -m -f -q 000-default || true
  need_restart=1
fi
# Apache2 SSL certificate.
#
# Look through apache2.conf and every enabled conf/site for an existing SSL
# VirtualHost; listen_ssl_mask holds unexpanded globs that are expanded by
# the unquoted for-loop list below.
#
if [ -d "$CONFDIR/conf-enabled" ] && [ -n "$(ls -A $CONFDIR/conf-enabled/)" ]; then
  listen_ssl_mask=$CONFDIR/conf-enabled/*.conf
fi
if [ -d "$CONFDIR/sites-enabled" ] && [ -n "$(ls -A $CONFDIR/sites-enabled/)" ]; then
  listen_ssl_mask=$listen_ssl_mask" "$CONFDIR/sites-enabled/*.conf
fi
for file in $CONF $listen_ssl_mask; do
  if [ -f "$file" ]; then
    # NOTE(review): the pattern here is truncated in this copy (as written it
    # matches any line, so has_listen_ssl would be set whenever $CONF
    # exists); the original presumably matched an SSL VirtualHost directive.
    # TODO restore from the package source.
    if egrep -iq '^[[:space:]]*' $file; then
      has_listen_ssl=1
      break
    fi
  fi
done
# No SSL VirtualHost yet: take certificate paths from debconf, or generate
# a certificate when none were given. db_get leaves its answer in RET.
if [ $has_listen_ssl -eq 0 ]; then
  db_get apache2-cn/sslcf || true
  apache2_sslcf="$RET"
  if [ -n "$apache2_sslcf" ]; then
    db_get apache2-cn/sslckf || true
    apache2_sslckf="$RET"
    db_get apache2-cn/sslccf || true
    apache2_sslccf="$RET"
    need_restart=1
  else
    # Generate new SSL certificate files.
    generate_ssl
    apache2_sslcf=
    apache2_sslckf=
    apache2_sslccf=
  fi
fi
# Add VirtualHosts.
# - on fresh install
#
# $2 is the previously configured version; it is empty on a fresh install.
# Existing 000-$FQDN / www.$DOMAIN sites are backed up first and only
# replaced when they are missing or carry the CARNET tag (chk_conf_tag
# RET=0). -nvh is passed only when ports.conf lacks "NameVirtualHost *:80".
#
if [ -z "$2" ]; then
  db_get apache2-cn/wwwhost || true
  if [ "$RET" = "true" ]; then
    # Add WWW VirtualHost.
    if [ -f "$CONFDIR/sites-available/000-$FQDN.conf" ]; then
      cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/000-$FQDN.conf
    fi
    if [ -f "$CONFDIR/sites-available/www.$DOMAIN.conf" ]; then
      cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/www.$DOMAIN.conf
    fi
    chk_conf_tag "$CONFDIR/sites-available/000-$FQDN.conf"
    if [ ! -f "$CONFDIR/sites-available/000-$FQDN.conf" ] || [ $RET -eq 0 ]; then
      if egrep -qi "^[[:space:]]*NameVirtualHost[[:space:]]+\*:80$" "$PORTCONF"; then
        install_vhost -d -r www.$DOMAIN default $FQDN 000-$FQDN
      else
        install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN
      fi
      need_restart=1
    fi
    chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN.conf"
    if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN.conf" ] || [ $RET -eq 0 ]; then
      install_vhost default www.$DOMAIN www.$DOMAIN
      need_restart=1
    fi
  else
    # No WWW VirtualHost.
    if [ -f "$CONFDIR/sites-available/000-$FQDN.conf" ]; then
      cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/000-$FQDN.conf
    fi
    chk_conf_tag "$CONFDIR/sites-available/000-$FQDN.conf"
    if [ ! -f "$CONFDIR/sites-available/000-$FQDN.conf" ] || [ $RET -eq 0 ]; then
      if egrep -qi "^[[:space:]]*NameVirtualHost[[:space:]]+\*:80$" "$PORTCONF"; then
        install_vhost -d -r $FQDN default $FQDN 000-$FQDN
      else
        install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
      fi
      need_restart=1
    fi
  fi
fi
# Add VirtualHost for SSL?
#
if [ $has_listen_ssl -eq 0 ]; then
  if [ -f "$CONFDIR/sites-available/001-ssl.conf" ]; then
    cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/001-ssl.conf
  fi
  # No active SSL VirtualHosts found - add new one.
  chk_conf_tag "$CONFDIR/sites-available/001-ssl.conf"
  if [ ! -f "$CONFDIR/sites-available/001-ssl.conf" ] || [ $RET -eq 0 ]; then
    db_get apache2-cn/wwwhost || true
    if [ "$RET" = "true" ]; then
      install_vhost -r www.$DOMAIN -n $HOST ssl ssl 001-ssl
    else
      install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl
    fi
    need_restart=1
  fi
fi
# Check SSL certificates location for VirtualHosts.
#
# Rewrites the template's default certificate/key/chain paths in the
# CARNET-tagged 001-ssl.conf to the debconf-supplied ones. The debconf
# values are interpolated into a "#"-delimited sed expression, so a "#" in
# a supplied path would cut the expression short; failures of
# cp_check_and_sed are ignored (|| true).
#
if [ $has_listen_ssl -eq 0 ]; then
  chk_conf_tag "${CONFDIR}/sites-available/001-ssl.conf"
  if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then
    SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX)
    # cp_check_and_sed is assumed to leave a .cn-old copy — register it for
    # cleanup as well (see the explicit removal below).
    temp_files="${temp_files} ${SSLTMP} ${SSLTMP}.cn-old"
    cp ${CONFDIR}/sites-available/001-ssl.conf $SSLTMP
    # SSLCertificateFile
    cp_check_and_sed "^[[:space:]]*SSLCertificateFile \/etc\/ssl\/certs\/apache2\.pem" \
      "s#SSLCertificateFile /etc/ssl/certs/apache2.pem#SSLCertificateFile $apache2_sslcf #g" \
      $SSLTMP || true
    # SSLCertificateKeyFile
    cp_check_and_sed "^[[:space:]]*SSLCertificateKeyFile \/etc\/ssl\/private\/apache2\.key" \
      "s#SSLCertificateKeyFile /etc/ssl/private/apache2.key#SSLCertificateKeyFile $apache2_sslckf #g" \
      $SSLTMP || true
    # SSLCertificateChainFile
    if [ -n "$apache2_sslccf" ]; then
      cp_check_and_sed "^[[:space:]]*# SSLCertificateChainFile \/etc\/ssl\/certs\/(sureserverEDU|cert-chain)\.pem" \
        "s#\# SSLCertificateChainFile /etc/ssl/certs/\(sureserverEDU\|cert-chain\).pem#SSLCertificateChainFile $apache2_sslccf #g" \
        $SSLTMP || true
    fi
    cp_mv $SSLTMP ${CONFDIR}/sites-available/001-ssl.conf
    need_restart=1
    # Just to be sure.
    [ -e "${SSLTMP}" ] && rm -f ${SSLTMP}
    [ -e "${SSLTMP}.cn-old" ] && rm -f ${SSLTMP}.cn-old
  fi
fi
# Check file access permissions for SSL certificates.
#
# Private keys must not be world-readable; restrict the known key files to
# their owner.
#
cp_echo "CN: Checking file access permissions for Apache2 SSL certificates."
sslkey=/etc/ssl/private
sslcerts="${sslkey}/ca.key ${sslkey}/apache2-ca.key ${sslkey}/apache2.key"
for certf in $sslcerts; do
  if [ -f "$certf" ]; then
    chmod 600 $certf
  fi
done
# Check and remove obsolete "Include /etc/apache2/sites-enabled/[^.#]*" from
# /etc/apache2/apache2.conf.
#
# NOTE(review): this runs after the IncludeOptional normalisation above and
# re-adds "Include /etc/apache2/sites-enabled/" when absent, so that old
# form can reappear until the next run rewrites it. Confirm this ordering
# is intended.
#
if egrep -iq "^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/\[\^\.\#\]\*$" "$CONF"; then
  cp_echo "CN: Fixing obsolete Include line in $CONF."
  CONFTMP=`mktemp $CONF.tmp.XXXXXX`
  temp_files="${temp_files} ${CONFTMP}"
  sed -r "/^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/\[\^\.\#\]\*$/Id" \
    "$CONF" > "$CONFTMP"
  if ! egrep -iq "^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/$" "$CONFTMP"; then
    echo "Include /etc/apache2/sites-enabled/" >> "$CONFTMP"
  fi
  cp_mv "$CONFTMP" "$CONF"
  need_restart=1
fi
# Done with debconf.
db_stop || true
# Remove old AOSI configuration for Apache: aosi-www.conf, aosi.conf.
#
if [ -e "$CONFDIR/conf.d/aosi-www.conf" ] || [ -e "$CONFDIR/conf.d/aosi.conf" ]; then
  cp_echo "CN: Removing old AOSI configuration files for Apache2."
  rm -f $CONFDIR/conf.d/aosi-www.conf
  rm -f $CONFDIR/conf.d/aosi.conf
  need_restart=1
fi
# Restart Apache2 web server if needed.
#
# configtest guards the reload: a broken configuration is reported instead
# of taking the running server down. Note this is a reload, not a restart.
#
if [ $need_restart -eq 1 ]; then
  # Check Apache2 web server configuration.
  if apache2ctl configtest 2>/dev/null; then
    # Restart Apache2 web server.
    service apache2 reload || true
  else
    # Something is broken.
    cp_echo "CN: Your Apache2 configuration seems to be broken."
    cp_echo "CN: Please, check the service after the installation finishes!"
  fi
fi
# Mail root
#
cp_mail "$PKG"
# (re)generate monit.d files if monit-cn is installed.
#
if [ -x "/usr/sbin/update-monit.d" ]; then
  cp_echo "CN: Updating monit configuration..."
  update-monit.d || true
fi
#DEBHELPER#
exit 0