+#!/bin/sh
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+# Include CARNet functions
+. /usr/share/carnet-tools/functions.sh
+
+PKG="mod-security-cn"
+A2DIR="/etc/apache2"
+CONFDIR="$A2DIR/conf.d"
+A2MODEDIR="$A2DIR/mods-enabled"
+MODSECCONF="$CONFDIR/mod-security-cn.conf"
+MODSECCND="/usr/share/mod-security-cn"
+GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
+GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+
+temp_files=
+need_restart=0
+
+
+# cleanup()
+#
+# Cleanup all temp files or directories.
+#
+cleanup () {
+
+ local item
+
+ if [ -n "$temp_files" ]; then
+ for item in $temp_files; do
+ if [ -e "$item" ]; then
+ rm -rf $item
+ fi
+ done
+ fi
+}
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+# 1 - file does not exists
+# 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+# get_geolookupdb ()
+#
+# Download GeoLookup database from maxmind.com
+# Return: 0 - OK
+# 1 - ERROR
+#
+get_geolookupdb () {
+
+ local db db_tmp db_tmp_dir db_error
+
+ db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
+ db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
+ temp_files="${temp_files} ${db_tmp_dir}"
+ db_error=0
+
+ echo -n "Attempting to download GeoLookup database for ModSecurity: "
+
+ if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
+ mkdir -p $GEOLOOKUPDB_DIR/
+ fi
+
+ /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
+
+ if [ $db_error -eq 1 ]; then
+ echo "ERROR"
+ else
+ db_tmp=$(mktemp ${db}.XXXXXX)
+ temp_files="${temp_files} ${db_tmp}"
+ gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
+ cp_mv $db_tmp $db
+
+ echo "OK"
+ need_restart=1
+ if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ fi
+
+ if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
+
+ RET=$db_error
+}
+
+
+# Set trap for deleting all temp files.
+#
+trap cleanup 0 1 2 15
+
+
+# Enable ModSecurity and unique_id Apache2 modules.
+#
+if [ -e /etc/apache2/apache2.conf ]; then
+
+ # Enable mod-security.load
+ if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
+ cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
+ a2enmod mod-security >/dev/null || true
+ need_restart=1
+ fi
+
+ # Enable unique_id.load
+ if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
+ a2enmod unique_id >/dev/null || true
+ cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ need_restart=1
+ fi
+fi
+
+
+# Generate ModSecurity configuration file and activate RBL lookup
+# for ModSecurity if needed.
+#
+chk_conf_tag "$MODSECCONF"
+if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ # Create /etc/apache2/conf.d/ directory if missing.
+ if [ ! -d "$CONFDIR" ]; then
+ cp_echo "CN: Creating configuration directory $CONFDIR"
+ mkdir -p $CONFDIR/
+ fi
+
+ # Enable mod-security-cn.conf
+ if [ ! -e "$MODSECCONF" ]; then
+ cp_echo "CN: Enabling ModSecurity specific configuration."
+ need_restart=1
+ fi
+
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ cp "$MODSECCND/mod-security-cn.conf" "$out"
+
+ # GeoLookup database.
+ if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
+
+ get_geolookupdb
+ if [ $RET -eq 1 ]; then
+ db_set mod-security-cn/rbl false || true
+ db_fset mod-security-cn/rbl seen true
+ fi
+ fi
+
+ db_get mod-security-cn/rbl || true
+ if [ "$RET" = "true" ]; then
+
+ # Add RBL configuration.
+ cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
+ cat $MODSECCND/rbl_lookup.conf >> $out
+ need_restart=1
+ else
+
+ # Remove RBL configuration.
+ cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ need_restart=1
+ fi
+
+ # Update mod-security-cn.conf configuration file.
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_mv "$out" "$MODSECCONF"
+ need_restart=1
+ fi
+
+ if [ -f "$out" ]; then rm -f $out; fi
+fi
+
+db_stop || true
+
+
+# Restart Apache2 web server if needed.
+#
+if [ $need_restart -eq 1 ]; then
+
+ # Check Apache2 web server configuration.
+ if /usr/sbin/apache2ctl configtest 2>/dev/null; then
+
+ # Restart Apache2 web server.
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apache2 restart || true
+ else
+ /etc/init.d/apache2 restart || true
+ fi
+ fi
+ else
+
+ # Something is broken.
+ cp_echo "CN: Your Apache2 configuration is broken."
+ cp_echo "CN: Please, check the service after the installation finishes!"
+ fi
+fi
+
+
+# Mail root
+#
+cp_mail "$PKG"
+
+exit 0