PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONFDIR="$A2DIR/conf.d"
+CONF="$CONFDIR/apache2.conf"
A2MODEDIR="$A2DIR/mods-enabled"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
-MODSECCND="/usr/share/mod-security-cn"
-GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
-GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+MODSECTDIR="/usr/share/mod-security-cn"
temp_files=
need_restart=0
fi
}
-# get_geolookupdb ()
+# install_conf()
#
-# Download GeoLookup database from maxmind.com
-# Return: 0 - OK
-# 1 - ERROR
+# Install specified ModSecurity configuration file.
#
-get_geolookupdb () {
+install_conf () {
- local db db_tmp db_tmp_dir db_error
+ local conftmpl conf
+ conftmpl="$MODSECTDIR/$1"
+ conf="$MODSECDIR/$1"
- db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
- db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
- temp_files="${temp_files} ${db_tmp_dir}"
- db_error=0
-
- echo -n "Attempting to download GeoLookup database for ModSecurity: "
-
- if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
- mkdir -p $GEOLOOKUPDB_DIR/
- fi
-
- /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
-
- if [ $db_error -eq 1 ]; then
- echo "ERROR"
- else
- db_tmp=$(mktemp ${db}.XXXXXX)
- temp_files="${temp_files} ${db_tmp}"
- gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
- cp_mv $db_tmp $db
-
- echo "OK"
+ if [ ! -e "$conf" ]; then
+ cp_echo "CN: Creating new configuration file $conf"
+ cp "$conftmpl" "$conf"
need_restart=1
- if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ else
+ if ! cmp -s "$conf" "$conftmpl"; then
+ cp_echo "CN: Updating configuration file $conf"
+ cp "$conftmpl" "$conf"
+ need_restart=1
+ else
+ cp_echo "CN: $conf already exists." 1>&2
+ fi
fi
-
- if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
-
- RET=$db_error
}
# Enable ModSecurity and unique_id Apache2 modules.
#
-if [ -e /etc/apache2/apache2.conf ]; then
+if [ -e "$CONF" ]; then
# Enable mod-security.load
if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
# Enable unique_id.load
if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- a2enmod unique_id >/dev/null || true
cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ a2enmod unique_id >/dev/null || true
need_restart=1
fi
fi
# Create /etc/apache2/conf.d/ directory if missing.
if [ ! -d "$CONFDIR" ]; then
- cp_echo "CN: Creating configuration directory $CONFDIR"
+ cp_echo "CN: Creating configuration directory $CONFDIR/"
mkdir -p $CONFDIR/
fi
- # Enable mod-security-cn.conf
- if [ ! -e "$MODSECCONF" ]; then
- cp_echo "CN: Enabling ModSecurity specific configuration."
- need_restart=1
+ # Create /etc/apache2/mod-security/ directory if missing.
+ if [ ! -d "$MODSECDIR" ]; then
+ cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+ mkdir -p $MODSECDIR/
fi
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- cp "$MODSECCND/mod-security-cn.conf" "$out"
-
- # GeoLookup database.
- if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
-
- get_geolookupdb
- if [ $RET -eq 1 ]; then
- db_set mod-security-cn/rbl false || true
- db_fset mod-security-cn/rbl seen true
- fi
- fi
+ install_conf "mod-security-cn.conf"
db_get mod-security-cn/rbl || true
if [ "$RET" = "true" ]; then
+ cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
+
# Add RBL configuration.
- cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
- cat $MODSECCND/rbl_lookup.conf >> $out
- need_restart=1
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ install_conf "rbl_lookup.conf"
+ fi
else
+ cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+
# Remove RBL configuration.
- cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
+ "$MODSECCONF" > "$out"
+ mv -f "$out" "$MODSECCONF"
+ if [ -f "$out" ]; then rm -f $out; fi
+
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ rm -f "$MODSECDIR/rbl_lookup.conf"
+ fi
+
need_restart=1
fi
- # Update mod-security-cn.conf configuration file.
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_mv "$out" "$MODSECCONF"
+ # Enable ModSecurity configuration.
+ if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
+ cp_echo "CN: Enabling ModSecurity configuration."
+ ln -fs "$MODSECCONF" "$CONFDIR/."
need_restart=1
fi
-
- if [ -f "$out" ]; then rm -f $out; fi
fi
db_stop || true
projects / mod-security-cn.git / blobdiff