PKG="mod-security-cn"
A2DIR="/etc/apache2"
+CONF="$A2DIR/apache2.conf"
CONFDIR="$A2DIR/conf.d"
A2MODEDIR="$A2DIR/mods-enabled"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
-MODSECCND="/usr/share/mod-security-cn"
-GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
-GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
+MODSECTPL="/usr/share/mod-security-cn"
temp_files=
need_restart=0
fi
}
-# get_geolookupdb ()
-#
-# Download GeoLookup database from maxmind.com
-# Return: 0 - OK
-# 1 - ERROR
-#
-get_geolookupdb () {
-
- local db db_tmp db_tmp_dir db_error
-
- db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
- db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
- temp_files="${temp_files} ${db_tmp_dir}"
- db_error=0
-
- echo -n "Attempting to download GeoLookup database for ModSecurity: "
-
- if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
- mkdir -p $GEOLOOKUPDB_DIR/
- fi
-
- /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
-
- if [ $db_error -eq 1 ]; then
- echo "ERROR"
- else
- db_tmp=$(mktemp ${db}.XXXXXX)
- temp_files="${temp_files} ${db_tmp}"
- gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
- cp_mv $db_tmp $db
-
- echo "OK"
- need_restart=1
- if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
- fi
-
- if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
-
- RET=$db_error
-}
-
# Set trap for deleting all temp files.
#
# Enable ModSecurity and unique_id Apache2 modules.
#
-if [ -e /etc/apache2/apache2.conf ]; then
+if [ -e "$CONF" ]; then
# Enable mod-security.load
if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
# Enable unique_id.load
if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- a2enmod unique_id >/dev/null || true
cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ a2enmod unique_id >/dev/null || true
need_restart=1
fi
fi
-# Generate ModSecurity configuration file and activate RBL lookup
+# Generate ModSecurity configuration files and activate RBL lookup
# for ModSecurity if needed.
#
chk_conf_tag "$MODSECCONF"
# Create /etc/apache2/conf.d/ directory if missing.
if [ ! -d "$CONFDIR" ]; then
- cp_echo "CN: Creating configuration directory $CONFDIR"
+ cp_echo "CN: Creating configuration directory $CONFDIR/"
mkdir -p $CONFDIR/
fi
- # Enable mod-security-cn.conf
- if [ ! -e "$MODSECCONF" ]; then
- cp_echo "CN: Enabling ModSecurity specific configuration."
- need_restart=1
+ # Create /etc/apache2/mod-security/ directory if missing.
+ if [ ! -d "$MODSECDIR" ]; then
+ cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+ mkdir -p $MODSECDIR/
fi
out=$(mktemp $MODSECCONF.XXXXXX)
temp_files="${temp_files} ${out}"
- cp "$MODSECCND/mod-security-cn.conf" "$out"
-
- # GeoLookup database.
- if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
-
- get_geolookupdb
- if [ $RET -eq 1 ]; then
- db_set mod-security-cn/rbl false || true
- db_fset mod-security-cn/rbl seen true
- fi
- fi
db_get mod-security-cn/rbl || true
if [ "$RET" = "true" ]; then
# Add RBL configuration.
- cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
- cat $MODSECCND/rbl_lookup.conf >> $out
- need_restart=1
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ if [ $RET -eq 1 ]; then
+ cp_echo "CN: Creating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ else
+ if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
+ cp_echo "CN: Updating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ fi
+ fi
+ fi
+
+ sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
+ "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
else
# Remove RBL configuration.
- cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
- need_restart=1
- fi
+ sed "s,#RBLLOOKUP#,# DISABLED,g" \
+ "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
- # Update mod-security-cn.conf configuration file.
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_mv "$out" "$MODSECCONF"
- need_restart=1
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ]; then
+ cp_echo "CN: Removing configuration file $MODSECRBL"
+ rm -f "$MODSECRBL"
+ need_restart=1
+ fi
fi
if [ -f "$out" ]; then rm -f $out; fi
+
+ # Enable ModSecurity configuration.
+ if [ ! -e "$MODSECLNK" ]; then
+ cp_echo "CN: Enabling ModSecurity configuration."
+ ln -fs "$MODSECCONF" "$MODSECLNK"
+ need_restart=1
+ fi
fi
db_stop || true
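Review bot: The new `MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"` resolves to the same path the old `MODSECCONF` had (`$CONFDIR/mod-security-cn.conf`, removed line), so on upgrade a regular file from the old layout already sits there, the final `if [ ! -e "$MODSECLNK" ]` is false, no symlink is made, and Apache keeps reading the stale conf.d file while the freshly generated `$MODSECCONF` under `$MODSECDIR` is never included. Unless that migration happens in a part of the maintainer scripts not shown here, the link step should first detect a non-symlink at `$MODSECLNK`, confirm it is package-generated with the same `chk_conf_tag` / `RET -eq 0` test the hunk already uses before `rm -f "$MODSECRBL"`, and remove it before linking, leaving and reporting an administrator-edited file. Separately, `$out` comes from `mktemp`, which creates it mode 0600, and the four `mv "$out" "$MODSECCONF"` / `mv -f "$out" "$MODSECCONF"` lines preserve that mode, so a newly created configuration file is not world-readable like the rest of the Apache configuration — presumably the removed `cp_mv` helper normalized this, so either add `chmod 0644 "$out"` right after the `mktemp` line or keep using `cp_mv`. The enclosing `if [ -e "$CONF" ]` block and the script continue outside the lines shown.
```shell
  # Enable ModSecurity configuration.
  if [ -e "$MODSECLNK" ] && [ ! -L "$MODSECLNK" ]; then
    # Regular file left over from the old layout, where this path was the
    # generated configuration itself. Replace it only if it still carries the
    # package tag; otherwise keep the administrator's copy and say so.
    chk_conf_tag "$MODSECLNK"
    if [ "$RET" -eq 0 ]; then
      cp_echo "CN: Replacing old configuration file $MODSECLNK with a link."
      rm -f "$MODSECLNK"
      need_restart=1
    else
      cp_echo "CN: Keeping locally modified $MODSECLNK; $MODSECCONF is not enabled."
    fi
  fi
  if [ ! -e "$MODSECLNK" ]; then
    # … unchanged: cp_echo / ln -fs / need_restart=1 …
  fi
```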