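#!/bin/sh
#
# postinst for mod-security-cn.
#
# On "configure" this script enables the Apache2 security2 module,
# generates $MODSECCONF (and optionally $MODSECRBL) from the templates in
# $MODSECTPL according to the debconf answer mod-security-cn/rbl, links the
# result into conf-available and enables it.
#
# NOTE(review): every failure path below is fail-open for the WAF. A missing
# Apache helper or a broken Apache configuration only produces a cp_echo
# message and the script still exits 0, so package installation succeeding
# does not prove ModSecurity is loaded. Verify the running service afterwards.

set -e

[ "$1" = "configure" ] || exit 0
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx

# Load Debconf
. /usr/share/debconf/confmodule

# Load CARNET Tools
. /usr/share/carnet-tools/functions.sh

PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONF="$A2DIR/apache2.conf"
CONFDIR="$A2DIR/conf-available"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
MODSECRBL="$MODSECDIR/rbl_lookup.conf"
MODSECLNK="$CONFDIR/security2-cn.conf"
MODSECTPL="/usr/share/mod-security-cn"
temp_files=

# modsecurity_enable() reports whether the Apache 2.4 maintainer script
# helper (which provides apache2_invoke) could be loaded.
# NOTE(review): when the helper is missing, neither "enmod security2" nor
# "enconf security2-cn" runs; only the message below signals that.
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
    . /usr/share/apache2/apache2-maintscript-helper
    modsecurity_enable() {
        return 0
    }
else
    cp_echo "CN: Could not load Apache 2.4 maintainer script helper."
    modsecurity_enable() {
        return 1
    }
fi

# cleanup()
#
# Cleanup all temp files or directories.
#
cleanup () {
    local item

    if [ -n "$temp_files" ]; then
        # $temp_files is a space-separated list, so it is split on purpose;
        # each resulting path is quoted before it reaches rm -rf.
        for item in $temp_files; do
            if [ -e "$item" ]; then
                rm -rf -- "$item"
            fi
        done
    fi
}

# chk_conf_tag ()
#
# Check if configuration file has CARNET package info lines.
#   return: $RET => 0 - tagged
#                   1 - file does not exists
#                   2 - file exists, but it is not tagged
#
# NOTE: the result is passed back in the global $RET, the same variable
# that debconf's db_get writes to.
#
chk_conf_tag () {
    local conf_file
    conf_file="$1"
    RET=1

    if [ -f "$conf_file" ]; then
        # grep -E replaces the deprecated egrep wrapper, which prints a
        # warning on current GNU grep.
        if grep -E -q "^## Begin - Generated by CARNET package mod-security-cn$" "$conf_file"; then
            RET=0
        else
            RET=2
        fi
    fi
}

# install_modsec_conf ()
#
# Move the freshly generated candidate over $MODSECCONF when the file is
# missing or differs, and report the resulting RBL state.
#   $1 - path of the generated candidate file
#   $2 - "Enabled" or "Disabled", used in the status message
#
# NOTE(review): the candidate comes from mktemp, which creates files with
# mode 0600, and mv keeps that mode; confirm root-only is the intended
# permission for the installed configuration.
#
install_modsec_conf () {
    local candidate state
    candidate="$1"
    state="$2"

    if [ -e "$MODSECCONF" ]; then
        if cmp -s "$MODSECCONF" "$candidate"; then
            # Identical content: nothing to install, nothing to report.
            return 0
        fi
        cp_echo "CN: Updating configuration file $MODSECCONF"
        mv -f "$candidate" "$MODSECCONF"
    else
        cp_echo "CN: Creating configuration file $MODSECCONF"
        mv "$candidate" "$MODSECCONF"
    fi
    cp_echo "CN: $state ModSecurity RBL lookup."
}

# Set trap for deleting all temp files.
#
trap cleanup 0 1 2 15

# Enable the ModSecurity Apache2 module.
# (Only security2 is enabled explicitly here; unique_id is presumably
# pulled in as a module dependency -- confirm.)
#
if modsecurity_enable; then
    apache2_invoke enmod security2
fi

# Remove obsolete symbolic link.
#
if [ "$(readlink -q -m "/etc/apache2/conf.d/$PKG.conf")" = "$MODSECCONF" ]; then
    rm -f "/etc/apache2/conf.d/$PKG.conf"
fi

# Generate ModSecurity configuration files and activate RBL lookup
# for ModSecurity if needed.
#
# Only files that are missing (RET=1) or carry the CARNET tag (RET=0) are
# (re)generated. An untagged file (RET=2) is left untouched, but it is
# still linked and enabled further down.
#
chk_conf_tag "$MODSECCONF"
if [ "$RET" -eq 0 ] || [ "$RET" -eq 1 ]; then

    # Create /etc/apache2/conf-available/ directory if missing.
    if [ ! -d "$CONFDIR" ]; then
        cp_echo "CN: Creating configuration directory $CONFDIR/"
        mkdir -p "$CONFDIR/"
    fi

    # Create /etc/apache2/mod-security/ directory if missing.
    if [ ! -d "$MODSECDIR" ]; then
        cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
        mkdir -p "$MODSECDIR/"
    fi

    # Templates shipped by the package, named like their targets.
    conf_tpl="$MODSECTPL/$(basename "$MODSECCONF")"
    rbl_tpl="$MODSECTPL/$(basename "$MODSECRBL")"

    # The candidate is created next to its target so the final mv stays
    # on one filesystem.
    out=$(mktemp "$MODSECCONF.XXXXXX")
    temp_files="${temp_files} ${out}"

    # If db_get fails, $RET will not be the literal "true", so RBL lookup
    # is treated as disabled.
    db_get mod-security-cn/rbl || true
    if [ "$RET" = "true" ]; then
        # Add RBL configuration.
        chk_conf_tag "$MODSECRBL"
        if [ "$RET" -eq 1 ]; then
            cp_echo "CN: Creating configuration file $MODSECRBL"
            cp "$rbl_tpl" "$MODSECRBL"
        elif [ "$RET" -eq 0 ]; then
            if ! cmp -s "$MODSECRBL" "$rbl_tpl"; then
                cp_echo "CN: Updating configuration file $MODSECRBL"
                cp "$rbl_tpl" "$MODSECRBL"
            fi
        fi

        sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" "$conf_tpl" > "$out"
        install_modsec_conf "$out" "Enabled"
    else
        # Remove RBL configuration.
        sed "s,#RBLLOOKUP#,# DISABLED,g" "$conf_tpl" > "$out"
        install_modsec_conf "$out" "Disabled"

        # Only a tagged (package-generated) RBL file is removed.
        chk_conf_tag "$MODSECRBL"
        if [ "$RET" -eq 0 ]; then
            cp_echo "CN: Removing configuration file $MODSECRBL"
            rm -f "$MODSECRBL"
        fi
    fi

    # The candidate is still present when the installed file was identical.
    if [ -f "$out" ]; then
        rm -f "$out"
    fi
fi

# Enable ModSecurity configuration.
#
if [ ! -e "$MODSECLNK" ]; then
    ln -fs "$MODSECCONF" "$MODSECLNK"
fi

if modsecurity_enable; then
    cp_echo "CN: Enabling $PKG configuration for Apache2."
    apache2_invoke enconf security2-cn
fi

db_stop || true

# NOTE(review): a failed configtest is reported but not treated as an error;
# Apache may then be running without the new rules until this is fixed.
if ! apache2ctl configtest >/dev/null 2>&1; then
    cp_echo "CN: Your Apache2 configuration seems to be broken."
    cp_echo "CN: Please, check the service after the installation finishes!"
fi

# Mail root
#
cp_mail "$PKG"

#DEBHELPER#

exit 0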