Nacin aktivacije ModSecurity u debian/postinst.

[mod-security-cn.git] / debian / postinst

diff --git a/debian/postinst b/debian/postinst
index 634d107..fd77bf0 100644 (file)
--- a/debian/postinst
+++ b/debian/postinst
@@ -5,18 +5,18 @@ set -e
 [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
 
 case "$1" in
-       configure)
-       # continue below
-       ;;
-
-       abort-upgrade|abort-remove|abort-deconfigure)
-       exit 0
-       ;;
-
-       *)
-       echo "postinst called with unknown argument \`$1'" >&2
-       exit 0
-       ;;
+    configure)
+    # continue below
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    exit 0
+    ;;
+
+    *)
+    echo "postinst called with unknown argument \`$1'" >&2
+    exit 0
+    ;;
 esac
 
 
@@ -28,32 +28,45 @@ esac
 
 PKG="mod-security-cn"
 A2DIR="/etc/apache2"
-CONFDIR="$A2DIR/conf.d"
-CONF="$CONFDIR/apache2.conf"
-A2MODEDIR="$A2DIR/mods-enabled"
+CONF="$A2DIR/apache2.conf"
+CONFDIR="$A2DIR/conf-available"
 MODSECDIR="$A2DIR/mod-security"
 MODSECCONF="$MODSECDIR/mod-security-cn.conf"
-MODSECTDIR="/usr/share/mod-security-cn"
+MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+MODSECLNK="$CONFDIR/security2-cn.conf"
+MODSECTPL="/usr/share/mod-security-cn"
 
 temp_files=
-need_restart=0
 
 
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+    . /usr/share/apache2/apache2-maintscript-helper
+
+    modsecurity_enable() {
+        return 0
+    }
+else
+    cp_echo "CN: Could not load Apache 2.4 maintainer script helper."
+
+    modsecurity_enable() {
+        return 1
+    }
+fi
+
 # cleanup()
 #
 #   Cleanup all temp files or directories.
 #
 cleanup () {
+    local item
 
-        local item
-
-        if [ -n "$temp_files" ]; then
-            for item in $temp_files; do
-                if [ -e "$item" ]; then
-                    rm -rf $item
-                fi
-            done
-       fi
+    if [ -n "$temp_files" ]; then
+        for item in $temp_files; do
+            if [ -e "$item" ]; then
+                rm -rf $item
+            fi
+        done
+    fi
 }
 
 # chk_conf_tag ()
@@ -64,43 +77,17 @@ cleanup () {
 #                    2 - file exists, but it is not tagged
 #
 chk_conf_tag () {
+    local conf_file
+    conf_file="$1"
+    RET=1
 
-        local conf_file
-        conf_file="$1"
-        RET=1
-        
-        if [ -f "$conf_file" ]; then
-            if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
-                RET=0
-            else
-                RET=2
-            fi
-        fi
-}
-
-# install_conf()
-#
-#   Install specified ModSecurity configuration file.
-#
-install_conf () {
-
-        local conftmpl conf
-        conftmpl="$MODSECTDIR/$1"
-        conf="$MODSECDIR/$1"
-
-        if [ ! -e "$conf" ]; then
-            cp_echo "CN: Creating new configuration file $conf"
-            cp "$conftmpl" "$conf"
-            need_restart=1
+    if [ -f "$conf_file" ]; then
+        if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+            RET=0
         else
-            if ! cmp -s "$conf" "$conftmpl"; then
-                cp_echo "CN: Updating configuration file $conf"
-                cp "$conftmpl" "$conf"
-                need_restart=1
-            else
-                cp_echo "CN: $conf already exists." 1>&2
-            fi
+            RET=2
         fi
+    fi
 }
 
 
@@ -111,106 +98,115 @@ trap cleanup 0 1 2 15
 
 # Enable ModSecurity and unique_id Apache2 modules.
 #
-if [ -e "$CONF" ]; then
+if modsecurity_enable; then
+    apache2_invoke enmod security2
+fi
 
-        # Enable mod-security.load
-        if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
-            cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
-            a2enmod mod-security >/dev/null || true
-            need_restart=1
-        fi
 
-        # Enable unique_id.load
-        if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
-            cp_echo "CN: Enabling unique_id module for Apache2 web server."
-            a2enmod unique_id >/dev/null || true
-            need_restart=1
-        fi
+# Remove obsolete symbolic link.
+#
+if [ "`readlink -q -m /etc/apache2/conf.d/$PKG.conf`" = "$MODSECCONF" ]; then
+    rm -f /etc/apache2/conf.d/$PKG.conf
 fi
 
 
-# Generate ModSecurity configuration file and activate RBL lookup
+# Generate ModSecurity configuration files and activate RBL lookup
 # for ModSecurity if needed.
 #
 chk_conf_tag "$MODSECCONF"
 if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
 
-        # Create /etc/apache2/conf.d/ directory if missing.
-        if [ ! -d "$CONFDIR" ]; then
-            cp_echo "CN: Creating configuration directory $CONFDIR/"
-            mkdir -p $CONFDIR/
-        fi
+    # Create /etc/apache2/conf-available/ directory if missing.
+    if [ ! -d "$CONFDIR" ]; then
+        cp_echo "CN: Creating configuration directory $CONFDIR/"
+        mkdir -p $CONFDIR/
+    fi
 
-        # Create /etc/apache2/mod-security/ directory if missing.
-        if [ ! -d "$MODSECDIR" ]; then
-            cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
-            mkdir -p $MODSECDIR/
-        fi
+    # Create /etc/apache2/mod-security/ directory if missing.
+    if [ ! -d "$MODSECDIR" ]; then
+        cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+        mkdir -p $MODSECDIR/
+    fi
 
-        install_conf "mod-security-cn.conf"
+    out=$(mktemp $MODSECCONF.XXXXXX)
+    temp_files="${temp_files} ${out}"
 
-        db_get mod-security-cn/rbl || true
-        if [ "$RET" = "true" ]; then
+    db_get mod-security-cn/rbl || true
+    if [ "$RET" = "true" ]; then
 
-            cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
+        # Add RBL configuration.
+        chk_conf_tag "$MODSECRBL"
+        if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
 
-            # Add RBL configuration.
-            chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
-            if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
-                install_conf "rbl_lookup.conf"
+            if [ $RET -eq 1 ]; then
+                cp_echo "CN: Creating configuration file $MODSECRBL"
+                cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+            else
+                if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
+                    cp_echo "CN: Updating configuration file $MODSECRBL"
+                    cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+                fi
             fi
-        else
-
-            cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+        fi
 
-            # Remove RBL configuration.
-            out=$(mktemp $MODSECCONF.XXXXXX)
-            temp_files="${temp_files} ${out}"
-            sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
-                "$MODSECCONF" > "$out"
-            mv -f "$out" "$MODSECCONF"
-            if [ -f "$out" ]; then rm -f $out; fi
+        sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
+            "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
 
-            chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
-            if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
-                rm -f "$MODSECDIR/rbl_lookup.conf"
+        if [ -e "$MODSECCONF" ]; then
+            if ! cmp -s "$MODSECCONF" "$out"; then
+                cp_echo "CN: Updating configuration file $MODSECCONF"
+                mv -f "$out" "$MODSECCONF"
+                cp_echo "CN: Enabled ModSecurity RBL lookup."
             fi
+        else
+            cp_echo "CN: Creating configuration file $MODSECCONF"
+            mv "$out" "$MODSECCONF"
+            cp_echo "CN: Enabled ModSecurity RBL lookup."
+        fi
+    else
 
-            need_restart=1
+        # Remove RBL configuration.
+        sed "s,#RBLLOOKUP#,# DISABLED,g" \
+            "$MODSECTPL/$(basename $MODSECCONF)" > "$out"
+
+        if [ -e "$MODSECCONF" ]; then
+            if ! cmp -s "$MODSECCONF" "$out"; then
+                cp_echo "CN: Updating configuration file $MODSECCONF"
+                mv -f "$out" "$MODSECCONF"
+                cp_echo "CN: Disabled ModSecurity RBL lookup."
+            fi
+        else
+            cp_echo "CN: Creating configuration file $MODSECCONF"
+            mv "$out" "$MODSECCONF"
+            cp_echo "CN: Disabled ModSecurity RBL lookup."
         fi
 
-        # Enable ModSecurity configuration.
-        if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
-            cp_echo "CN: Enabling ModSecurity configuration."
-            ln -fs "$MODSECCONF" "$CONFDIR/."
-            need_restart=1
+        chk_conf_tag "$MODSECRBL"
+        if [ $RET -eq 0 ]; then
+            cp_echo "CN: Removing configuration file $MODSECRBL"
+            rm -f "$MODSECRBL"
         fi
-fi
+    fi
 
-db_stop || true
+    if [ -f "$out" ]; then rm -f $out; fi
+fi
 
 
-# Restart Apache2 web server if needed.
+# Enable ModSecurity configuration.
 #
-if [ $need_restart -eq 1 ]; then
-
-       # Check Apache2 web server configuration.
-       if /usr/sbin/apache2ctl configtest 2>/dev/null; then
+if [ ! -e "$MODSECLNK" ]; then
+    ln -fs "$MODSECCONF" "$MODSECLNK"
+fi
+if modsecurity_enable; then
+    cp_echo "CN: Enabling $PKG configuration for Apache2."
+    apache2_invoke enconf security2-cn
+fi
 
-            # Restart Apache2 web server.
-            if [ -x "/etc/init.d/apache2" ]; then
-                if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-                    invoke-rc.d apache2 restart || true
-                else
-                    /etc/init.d/apache2 restart || true
-                fi
-            fi
-       else
+db_stop || true
 
-            # Something is broken.
-            cp_echo "CN: Your Apache2 configuration is broken."
-            cp_echo "CN: Please, check the service after the installation finishes!"
-       fi
+if ! apache2ctl configtest >/dev/null 2>&1; then
+    cp_echo "CN: Your Apache2 configuration seems to be broken."
+    cp_echo "CN: Please, check the service after the installation finishes!"
 fi
 
 
@@ -218,4 +214,6 @@ fi
 #
 cp_mail "$PKG"
 
+#DEBHELPER#
+
 exit 0