set -e
+[ "$1" = "configure" ] || exit 0
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
-case "$1" in
- configure)
- # continue below
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
- exit 0
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 0
- ;;
-esac
-
-
-# Load debconf
+# Load Debconf
. /usr/share/debconf/confmodule
-# Include CARNet functions
+# Load CARNET Tools
. /usr/share/carnet-tools/functions.sh
PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONF="$A2DIR/apache2.conf"
-CONFDIR="$A2DIR/conf.d"
-A2MODEDIR="$A2DIR/mods-enabled"
+CONFDIR="$A2DIR/conf-available"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
MODSECRBL="$MODSECDIR/rbl_lookup.conf"
-MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
+MODSECLNK="$CONFDIR/security2-cn.conf"
MODSECTPL="/usr/share/mod-security-cn"
temp_files=
-need_restart=0
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
+
+ modsecurity_enable() {
+ return 0
+ }
+else
+ cp_echo "CN: Could not load Apache 2.4 maintainer script helper."
+
+ modsecurity_enable() {
+ return 1
+ }
+fi
+
# cleanup()
#
# Cleanup all temp files or directories.
#
cleanup () {
-
- local item
-
- if [ -n "$temp_files" ]; then
- for item in $temp_files; do
- if [ -e "$item" ]; then
- rm -rf $item
- fi
- done
- fi
+ local item
+
+ if [ -n "$temp_files" ]; then
+ for item in $temp_files; do
+ if [ -e "$item" ]; then
+ rm -rf $item
+ fi
+ done
+ fi
}
# chk_conf_tag ()
#
-# Check if configuration file has CARNet package info lines.
+# Check if configuration file has CARNET package info lines.
# return: $RET => 0 - tagged
# 1 - file does not exists
# 2 - file exists, but it is not tagged
#
chk_conf_tag () {
-
- local conf_file
- conf_file="$1"
- RET=1
-
- if [ -f "$conf_file" ]; then
- if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
- RET=0
- else
- RET=2
- fi
- fi
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNET package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
}
# Enable ModSecurity and unique_id Apache2 modules.
#
-if [ -e "$CONF" ]; then
+if modsecurity_enable; then
+ apache2_invoke enmod security2
+fi
- # Enable mod-security.load
- if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
- cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
- a2enmod mod-security >/dev/null || true
- need_restart=1
- fi
- # Enable unique_id.load
- if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- cp_echo "CN: Enabling unique_id module for Apache2 web server."
- a2enmod unique_id >/dev/null || true
- need_restart=1
- fi
+# Remove obsolete symbolic link.
+#
+if [ "`readlink -q -m /etc/apache2/conf.d/$PKG.conf`" = "$MODSECCONF" ]; then
+ rm -f /etc/apache2/conf.d/$PKG.conf
fi
-# Generate ModSecurity configuration file and activate RBL lookup
+# Generate ModSecurity configuration files and activate RBL lookup
# for ModSecurity if needed.
#
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- # Create /etc/apache2/conf.d/ directory if missing.
- if [ ! -d "$CONFDIR" ]; then
- cp_echo "CN: Creating configuration directory $CONFDIR/"
- mkdir -p $CONFDIR/
- fi
-
- # Create /etc/apache2/mod-security/ directory if missing.
- if [ ! -d "$MODSECDIR" ]; then
- cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
- mkdir -p $MODSECDIR/
- fi
-
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- cp "$MODSECTPL/$(basename $MODSECCONF)" "$out"
-
- db_get mod-security-cn/rbl || true
- if [ "$RET" = "true" ]; then
-
- # Add RBL configuration.
- chk_conf_tag "$MODSECRBL"
- if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
-
- if [ $RET -eq 1 ]; then
- cp_echo "CN: Creating new configuration file $MODSECRBL"
- cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
- need_restart=1
- else
- if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
- cp_echo "CN: Updating configuration file $MODSECRBL"
- cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
- need_restart=1
- fi
- fi
- fi
-
- cp_check_and_sed '#RBLLOOKUP#' \
- "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
- "$out" || true
-
- if [ -e "$MODSECCONF" ]; then
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_echo "CN: Updating configuration file $MODSECCONF"
- mv -f "$out" "$MODSECCONF"
- cp_echo "CN: Enabled ModSecurity RBL lookup."
- need_restart=1
- fi
- else
- cp_echo "CN: Creating new configuration file $MODSECCONF"
- mv "$out" "$MODSECCONF"
- cp_echo "CN: Enabled ModSecurity RBL lookup."
- need_restart=1
- fi
- else
-
- # Remove RBL configuration.
- cp_check_and_sed '#RBLLOOKUP#' \
- "s,#RBLLOOKUP#,# DISABLED,g" \
- "$out" || true
-
- if [ -e "$MODSECCONF" ]; then
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_echo "CN: Updating configuration file $MODSECCONF"
- mv -f "$out" "$MODSECCONF"
- cp_echo "CN: Disabled ModSecurity RBL lookup."
- need_restart=1
- fi
- else
- cp_echo "CN: Creating new configuration file $MODSECCONF"
- mv "$out" "$MODSECCONF"
- cp_echo "CN: Disabled ModSecurity RBL lookup."
- need_restart=1
- fi
-
- chk_conf_tag "$MODSECRBL"
- if [ $RET -eq 0 ]; then
- cp_echo "CN: Removing configuration file $MODSECRBL"
- rm -f "$MODSECRBL"
- need_restart=1
- fi
+ # Create /etc/apache2/conf-available/ directory if missing.
+ if [ ! -d "$CONFDIR" ]; then
+ cp_echo "CN: Creating configuration directory $CONFDIR/"
+ mkdir -p $CONFDIR/
+ fi
+
+ # Create /etc/apache2/mod-security/ directory if missing.
+ if [ ! -d "$MODSECDIR" ]; then
+ cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+ mkdir -p $MODSECDIR/
+ fi
+
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+
+ db_get mod-security-cn/rbl || true
+ if [ "$RET" = "true" ]; then
+
+ # Add RBL configuration.
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ if [ $RET -eq 1 ]; then
+ cp_echo "CN: Creating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ else
+ if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
+ cp_echo "CN: Updating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
fi
+ fi
+ fi
+
+ sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
+ "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ fi
+ else
+ cp_echo "CN: Creating configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ fi
+ else
+
+ # Remove RBL configuration.
+ sed "s,#RBLLOOKUP#,# DISABLED,g" \
+ "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ fi
+ else
+ cp_echo "CN: Creating configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ fi
+
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ]; then
+ cp_echo "CN: Removing configuration file $MODSECRBL"
+ rm -f "$MODSECRBL"
+ fi
+ fi
+
+ if [ -f "$out" ]; then rm -f $out; fi
+fi
- if [ -f "$out" ]; then rm -f $out; fi
- # Enable ModSecurity configuration.
- if [ ! -e "$MODSECLNK" ]; then
- cp_echo "CN: Enabling ModSecurity configuration."
- ln -fs "$MODSECCONF" "$MODSECLNK"
- need_restart=1
- fi
+# Enable ModSecurity configuration.
+#
+if [ ! -e "$MODSECLNK" ]; then
+ ln -fs "$MODSECCONF" "$MODSECLNK"
+fi
+if modsecurity_enable; then
+ cp_echo "CN: Enabling $PKG configuration for Apache2."
+ apache2_invoke enconf security2-cn
fi
db_stop || true
-
-# Restart Apache2 web server if needed.
-#
-if [ $need_restart -eq 1 ]; then
-
- # Check Apache2 web server configuration.
- if /usr/sbin/apache2ctl configtest 2>/dev/null; then
-
- # Restart Apache2 web server.
- if [ -x "/etc/init.d/apache2" ]; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
- invoke-rc.d apache2 restart || true
- else
- /etc/init.d/apache2 restart || true
- fi
- fi
- else
-
- # Something is broken.
- cp_echo "CN: Your Apache2 configuration is broken."
- cp_echo "CN: Please, check the service after the installation finishes!"
- fi
+if ! apache2ctl configtest >/dev/null 2>&1; then
+ cp_echo "CN: Your Apache2 configuration seems to be broken."
+ cp_echo "CN: Please, check the service after the installation finishes!"
fi
#
cp_mail "$PKG"
+#DEBHELPER#
+
exit 0
projects / mod-security-cn.git / blobdiff