Inicijalna verzija paketa.

[mod-security-cn.git] / debian / postinst

#!/bin/sh

set -e

[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx

case "$1" in
        configure)
        # continue below
        ;;

        abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;

        *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 0
        ;;
esac


# Load debconf
. /usr/share/debconf/confmodule

# Include CARNet functions
. /usr/share/carnet-tools/functions.sh

PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONFDIR="$A2DIR/conf.d"
A2MODEDIR="$A2DIR/mods-enabled"
MODSECCONF="$CONFDIR/mod-security-cn.conf"
MODSECCND="/usr/share/mod-security-cn"
GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
GEOLOOKUPDB_DIR="/usr/share/GeoIP"

temp_files=
need_restart=0


# cleanup()
#
#   Cleanup all temp files or directories.
#
cleanup () {

        local item

        if [ -n "$temp_files" ]; then
            for item in $temp_files; do
                if [ -e "$item" ]; then
                    rm -rf $item
                fi
            done
        fi
}

# chk_conf_tag ()
#
#   Check if configuration file has CARNet package info lines.
#   return:  $RET => 0 - tagged
#                    1 - file does not exists
#                    2 - file exists, but it is not tagged
#
chk_conf_tag () {

        local conf_file
        conf_file="$1"
        RET=1
        
        if [ -f "$conf_file" ]; then
            if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
                RET=0
            else
                RET=2
            fi
        fi
}

# get_geolookupdb ()
#
#   Download GeoLookup database from maxmind.com
#   Return:  0 - OK
#            1 - ERROR
#
get_geolookupdb () {

        local db db_tmp db_tmp_dir db_error

        db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
        db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
        temp_files="${temp_files} ${db_tmp_dir}"
        db_error=0

        echo -n "Attempting to download GeoLookup database for ModSecurity:  "

        if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
            mkdir -p $GEOLOOKUPDB_DIR/
        fi

        /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1

        if [ $db_error -eq 1 ]; then
            echo "ERROR"
        else
            db_tmp=$(mktemp ${db}.XXXXXX)
            temp_files="${temp_files} ${db_tmp}"
            gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
            cp_mv $db_tmp $db

            echo "OK"
            need_restart=1
            if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
        fi

        if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi

        RET=$db_error
}


# Set trap for deleting all temp files.
#
trap cleanup 0 1 2 15


# Enable ModSecurity and unique_id Apache2 modules.
#
if [ -e /etc/apache2/apache2.conf ]; then

        # Enable mod-security.load
        if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
            cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
            a2enmod mod-security >/dev/null || true
            need_restart=1
        fi

        # Enable unique_id.load
        if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
            a2enmod unique_id >/dev/null || true
            cp_echo "CN: Enabling unique_id module for Apache2 web server."
            need_restart=1
        fi
fi


# Generate ModSecurity configuration file and activate RBL lookup
# for ModSecurity if needed.
#
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then

        # Create /etc/apache2/conf.d/ directory if missing.
        if [ ! -d "$CONFDIR" ]; then
            cp_echo "CN: Creating configuration directory $CONFDIR"
            mkdir -p $CONFDIR/
        fi

        # Enable mod-security-cn.conf
        if [ ! -e "$MODSECCONF" ]; then
            cp_echo "CN: Enabling ModSecurity specific configuration."
            need_restart=1
        fi

        out=$(mktemp $MODSECCONF.XXXXXX)
        temp_files="${temp_files} ${out}"
        cp "$MODSECCND/mod-security-cn.conf" "$out"

        # GeoLookup database.
        if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then

            get_geolookupdb
            if [ $RET -eq 1 ]; then
                db_set mod-security-cn/rbl false || true
                db_fset mod-security-cn/rbl seen true
            fi
        fi

        db_get mod-security-cn/rbl || true
        if [ "$RET" = "true" ]; then

            # Add RBL configuration.
            cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
            cat $MODSECCND/rbl_lookup.conf >> $out
            need_restart=1
        else

            # Remove RBL configuration.
            cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
            need_restart=1
        fi

        # Update mod-security-cn.conf configuration file.
        if ! cmp -s "$MODSECCONF" "$out"; then
            cp_mv "$out" "$MODSECCONF"
            need_restart=1
        fi

        if [ -f "$out" ]; then rm -f $out; fi
fi

db_stop || true


# Restart Apache2 web server if needed.
#
if [ $need_restart -eq 1 ]; then

        # Check Apache2 web server configuration.
        if /usr/sbin/apache2ctl configtest 2>/dev/null; then

            # Restart Apache2 web server.
            if [ -x "/etc/init.d/apache2" ]; then
                if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
                    invoke-rc.d apache2 restart || true
                else
                    /etc/init.d/apache2 restart || true
                fi
            fi
        else

            # Something is broken.
            cp_echo "CN: Your Apache2 configuration is broken."
            cp_echo "CN: Please, check the service after the installation finishes!"
        fi
fi


# Mail root
#
cp_mail "$PKG"

exit 0