5 [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
7 # Source debconf library.
8 . /usr/share/debconf/confmodule
15 abort-upgrade|abort-remove|abort-deconfigure)
20 echo "postinst called with unknown argument \`$1'" >&2
26 # Include CARNet functions.
27 . /usr/share/carnet-tools/functions.sh
31 CONFDIR="/etc/apache2"
32 CONF="$CONFDIR/apache2.conf"
33 PORTCONF="$CONFDIR/ports.conf"
34 A2CNDIR=/usr/share/apache2-cn
35 TMPLDIR=$A2CNDIR/templates
36 CERTDIR=/etc/ssl/certs
39 FQDN=$(hostname --fqdn)
40 WEBMASTER="webmaster@$FQDN"
42 BACKUPDIR="/var/backups/apache2-cn"
56 # Clean up all temp files.
59 if [ -n "$temp_files" ]; then
60 for item in $temp_files; do
61 if [ -e "$item" ]; then
70 # Add CARNet package info lines to config's header.
76 if [ -e "$conf_file" ]; then
77 cat >> $conf_file <<EOF
78 ## Begin - Generated by CARNet package apache2-cn
80 # REMOVE this whole block if you DON'T WANT apache2-cn
81 # to edit or undo your changes to this configuration file.
83 ## End - Generated by CARNet package apache2-cn
90 # Check if configuration file has CARNet package info lines.
91 # return: $RET => 0 - tagged
92 # 1 - not tagged or file does not exist
93 # 2 - file exists, but it is not tagged
100 if [ -f "$conf_file" ]; then
101 if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" "$conf_file"; then
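111 # Generate Apache2 web server SSL certificate. The generator's stderr is discarded (2> /dev/null), so a failure is visible only through whatever it prints to stdout.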
114 generate_ssl_output=$($A2CNDIR/carnet-generate-ssl ignore "$FQDN" "$WEBMASTER" "$DOMAIN" 2> /dev/null)
115 cp_echo "$generate_ssl_output"
121 # Check if port 443 is configured in ports.conf file.
125 if [ ! -f "$PORTCONF" ] || ! egrep -iq "^[[:space:]]*Listen[[:space:]]+443$" "$PORTCONF"; then
127 cp_echo "CN: Enabling SSL port (443) for Apache2 web server."
129 out=$(mktemp ${PORTCONF}.XXXXXX)
130 temp_files="${temp_files} ${out}"
132 if [ -f "$PORTCONF" ]; then
136 echo "Listen 443" >> $out
146 # Install specified Apache2 configuration file.
149 conftmpl="$A2CNDIR/$1.conf"
150 conf="$CONFDIR/conf-available/$2.conf"
152 if [ ! -e "$conf" ]; then
153 cp_echo "CN: Generating CARNet specific configuration."
154 cp "$conftmpl" "$conf"
156 cp_echo "CN: $conf already exists, left untouched." 1>&2
159 cp_echo "CN: Enabling CARNet specific configuration."
166 # Install specified VirtualHost for Apache2 web server.
170 # install_vhost [-nvh] [-d] [-s docroot_symlink_dest] template site site-enabled-symlink
172 # -nvh - add NameVirtualHost
173 # -d - mkdir DocumentRoot
174 # -r - set DocumentRoot
175 # -n - set ServerName
176 # -s X - symlink DocumentRoot to X (all in /var/www)
178 # site - host part of ServerName unless -r or -n is used
179 # site-enabled-symlink - name of file/symlink in sites-available/sites-enabled
180 # (without .conf suffix)
189 while echo "x$1" | grep -q '^x-'; do
207 if ! echo "$docroot" | grep -q /; then
208 docroot="/var/www/$docroot"
220 vhosttmpl="$1.template"
224 [ -z "$vhostname" ] && vhostname=$(echo "$vhost"| awk -F. '{print $1}')
227 vhostdir=$CONFDIR/sites-available
228 venabledir=$CONFDIR/sites-enabled
230 if [ ! -e "$TMPLDIR/${vhosttmpl}" ]; then
231 echo "E: vhost template ${vhosttmpl} not found in $TMPLDIR!" 1>&2
235 [ -z "$docroot" ] && docroot="/var/www/$vhostname.$DOMAIN"
237 # if we were broken mid-installation, force
238 if [ ! -e "$docroot" -a \( -n "$mkdir_docroot" -o -n "$symlink_docroot" \) ]; then
242 # add vhost if either of these is true
243 # - adding is forced OR
246 if [ -n "$force_vhost" -o \( ! -e "$vhostdir/$venabled" -a ! -e "$venabledir/$venabled" \) ]; then
248 cp_echo "CN: Adding $vhost VirtualHost."
249 out=$(mktemp $vhostdir/$venabled.XXXXXX)
250 temp_files="${temp_files} ${out}"
255 if [ "$add_namevirthost" ]; then
256 nvh=$(awk -F'[ >]' '/^<VirtualHost/ {print $2}' $TMPLDIR/$vhosttmpl |\
257 sed "s/IPADDR/$MYIP/g")
258 echo "NameVirtualHost $nvh" >> $out
261 sed "s/HOST/$vhostname/g; s/DOMAIN/$DOMAIN/g;
262 s#DOCROOT#$docroot#g; s/IPADDR/$MYIP/g" < $TMPLDIR/$vhosttmpl >> $out
263 cp_mv $out $vhostdir/$venabled
264 chmod 644 $vhostdir/$venabled
265 a2ensite -m -q "$vsite"
267 if [ -n "$mkdir_docroot" -a ! -d "$docroot" ]; then
269 echo '<html><body><h1>Radi!</h1></body></html>' > "$docroot/index.html"
270 elif [ -n "$symlink_docroot" ]; then
271 ln -fs "$symlink_docroot" "$docroot"
280 # Back up configuration files located in the specified directory.
283 local dir file backup_dir
287 if [ -d "${dir}" ] && [ -n "$(ls -A ${dir}/)" ]; then
288 cp_echo "CN: Doing backup for all files in $dir"
289 for file in ${dir}/*; do
290 if [ -f "$file" ]; then
291 if [ -z "$(echo "$file" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ]; then
292 backup_dir="$BACKUPDIR/$(basename $(dirname "$file"))"
293 cp_backup_conffile -d "$backup_dir" -p "$file"
302 # Move configuration files from one directory to another. The .conf suffix
303 # will be added. Will try to enable the configuration if -e is specified.
306 local toenable ctype dir newdir file newfile
308 if [ "$1" = "-e" ]; then
326 if [ -z "$newdir" ]; then
330 if [ -d "${dir}" ] && [ -n "$(ls -A ${dir}/)" ]; then
332 for file in ${dir}/*; do
333 [ -z "$(echo "$file" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ] || continue
334 newfile="${newdir}/$(basename "$file" .conf).conf"
335 if [ ! -e "$newfile" ]; then
336 cp_echo "CN: Preserving changes to $newfile (renamed from $file)."
337 cp_mv "$file" "$newfile"
338 if [ -n "$toenable" ]; then
339 cp_echo "CN: Enabling configuration $newfile"
340 a2en$ctype -m -q "$(basename "$newfile" .conf)" || true
350 # Append the .conf suffix to all configuration files located in the specified
351 # available and enabled directories. Updates symlinks if necessary.
355 local ctype adir edir afile efile newfile
370 if [ -d "${edir}" ] && [ -n "$(ls -A ${edir}/)" ]; then
372 for efile in ${edir}/*; do
373 [ -z "$(echo "$efile" | egrep '^/.*(~|(\.(old|staro|bkp|bak|swp|tmp|dpkg-.+|cn-.+)))$')" ] || continue
375 [ ! -e "${edir}/$(basename "$efile" .conf).conf" ] || continue
377 afile="$(readlink -q -m "$efile")"
379 [ "$(dirname "$afile")" = "$adir" ] || continue
380 [ "$(basename "$afile" .conf)" = "$(basename "$efile" .conf)" ] || continue
382 newfile="${adir}/$(basename "$afile" .conf).conf"
383 [ ! -e "$newfile" ] || continue
385 cp_echo "CN: Preserving changes to $newfile (renamed from $afile)."
386 cp_mv "$afile" "$newfile"
388 cp_echo "CN: Removing obsolete symlink $efile"
391 cp_echo "CN: Enabling configuration $newfile"
392 a2en$ctype -m -q "$(basename "$newfile" .conf)" || true
400 # Recursively walks /etc/apache2/apache2.conf for Include and
401 # IncludeOptional directives.
402 # Prints all configfiles so defined.
406 local base_dir="`dirname $1`"
408 incs=`awk 'tolower($1) ~ /include(optional)?/ { sub("/$","/*",$2); print $2; }' $1`
409 incs=`echo "$incs" | sed -r "s#^([^/])#${base_dir}/\1#"`
410 if [ -n "$incs" ]; then
412 if [ -e "$i" ]; then echo "`readlink -m -q $i`"; listconffiles "$i"; fi
418 # Set trap for deleting all temp files.
420 trap cleanup 0 1 2 15
423 # Back up all configuration located in /etc/apache2/conf.d/,
424 # /etc/apache2/conf-available/ and /etc/apache2/sites-available/
427 if [ -e "$CONF" ]; then
428 cp_echo "CN: Doing backup for $CONF"
429 cp_backup_conffile -d $BACKUPDIR -p $CONF
432 backup_conf $CONFDIR/conf.d
433 backup_conf $CONFDIR/conf-available
434 backup_conf $CONFDIR/sites-available
436 cp_echo "CN: Backup is located in directory: $BACKUPDIR/"
439 # Enable Apache2 web server modules (mpm_prefork, cgi, rewrite, userdir, suexec, php7.0, ssl).
441 if [ -e "$CONF" ]; then
442 cp_echo "CN: Enabling the prefork Apache2 MPM."
443 if [ "$(a2query -M || true)" != "prefork" ]; then
444 a2dismod -m -q "mpm_$(a2query -M || true)"
445 a2enmod -m -q mpm_prefork
448 cp_echo "CN: Enabling required Apache2 web server modules."
449 a2enmod -m -q access_compat
451 a2enmod -m -q rewrite
452 a2enmod -m -q userdir
459 # Make sure configuration files have the .conf suffix. Move them
460 # to appropriate locations.
462 if [ -d "$CONFDIR/conf.d" ]; then
463 cp_echo "CN: Obsolete configuration directory $CONFDIR/conf.d/ found."
464 move_conf -e conf $CONFDIR/conf.d $CONFDIR/conf-available
467 rename_conf site $CONFDIR/sites-available $CONFDIR/sites-enabled
470 # Check and add IncludeOptional lines to /etc/apache2/apache2.conf:
472 # IncludeOptional conf-enabled/*.conf
473 # IncludeOptional sites-enabled/*.conf
475 if [ -e "$CONF" ]; then
477 cp_echo "CN: Checking IncludeOptional lines in $CONF"
479 CONFTMP=`mktemp $CONF.tmp.XXXXXX`
480 temp_files="${temp_files} ${CONFTMP}"
481 cp "$CONF" "$CONFTMP"
483 sed -r -i 's#^[[:space:]]*Include(Optional)?[[:space:]]+(/etc/apache2/)?conf\.d(/)?$#IncludeOptional conf-enabled/\*\.conf#I' \
485 sed -r -i 's#^[[:space:]]*Include(Optional)?[[:space:]]+(/etc/apache2/)?sites-enabled(/)?$#IncludeOptional sites-enabled/\*\.conf#I' \
488 if ! egrep -iq "^[[:space:]]*IncludeOptional[[:space:]]+conf-enabled/\*\.conf$" "$CONFTMP"; then
489 echo 'IncludeOptional conf-enabled/*.conf' >> "$CONFTMP"
491 if ! egrep -iq "^[[:space:]]*IncludeOptional[[:space:]]+sites-enabled/\*\.conf$" "$CONFTMP"; then
492 echo 'IncludeOptional sites-enabled/*.conf' >> "$CONFTMP"
495 if ! cmp -s "$CONFTMP" "$CONF"; then
496 cp_mv "$CONFTMP" "$CONF"
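502 # Remove deprecated directives. Add default Mutex if not defined. NOTE(review): the while loop below is the right-hand side of a pipe; in dash and bash it runs in a subshell, so temp_files additions made inside it do not reach the cleanup trap.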
504 if [ -e "$CONF" ]; then
506 ( listconffiles "$CONF"; echo "$CONF" ) | while read -r a2cfile; do
508 a2cfiletmp=`mktemp $a2cfile.tmp.XXXXXX`
509 temp_files="${temp_files} ${a2cfiletmp}"
510 cp "$a2cfile" "$a2cfiletmp"
512 if egrep -iq "^[[:space:]]*NameVirtualHost[[:space:]]+" "$a2cfiletmp"; then
513 cp_echo "CN: Removing deprecated NameVirtualHost from $a2cfile"
514 sed -r -i '/^[[:space:]]*NameVirtualHost[[:space:]]+/Id' \
518 if egrep -iq "^[[:space:]]*SSLMutex[[:space:]]+" "$a2cfiletmp"; then
519 cp_echo "CN: Removing deprecated SSLMutex from $a2cfile"
520 sed -r -i '/^[[:space:]]*SSLMutex[[:space:]]+/Id' \
524 if [ "$a2cfile" = "$CONF" ]; then
525 if ! egrep -iq "^[[:space:]]*Mutex[[:space:]]+" "$a2cfiletmp"; then
526 cp_echo "CN: Adding default Mutex to $a2cfile"
527 echo 'Mutex file:${APACHE_LOCK_DIR} default' >> "$a2cfiletmp"
531 if ! cmp -s "$a2cfiletmp" "$a2cfile"; then
532 cp_mv "$a2cfiletmp" "$a2cfile"
540 # Install CARNet specific configuration file.
542 install_conf carnet 000-carnet
544 # Enable SSL port (443).
548 # Disable default site configuration.
550 if [ -e "$CONF" ]; then
551 cp_echo "CN: Disabling default site configuration."
552 a2dissite -m -f -q 000-default || true
557 # Apache2 SSL certificate.
559 if [ -d "$CONFDIR/conf-enabled" ] && [ -n "$(ls -A $CONFDIR/conf-enabled/)" ]; then
560 listen_ssl_mask=$CONFDIR/conf-enabled/*.conf
562 if [ -d "$CONFDIR/sites-enabled" ] && [ -n "$(ls -A $CONFDIR/sites-enabled/)" ]; then
563 listen_ssl_mask=$listen_ssl_mask" "$CONFDIR/sites-enabled/*.conf
566 for file in $CONF $listen_ssl_mask; do
567 if [ -f "$file" ]; then
568 if egrep -iq '^[[:space:]]*<VirtualHost .*443[[:space:]]*>' $file; then
575 if [ $has_listen_ssl -eq 0 ]; then
577 db_get apache2-cn/sslcf || true
580 if [ -n "$apache2_sslcf" ]; then
582 db_get apache2-cn/sslckf || true
583 apache2_sslckf="$RET"
585 db_get apache2-cn/sslccf || true
586 apache2_sslccf="$RET"
591 # Generate new SSL certificate files.
606 db_get apache2-cn/wwwhost || true
607 if [ "$RET" = "true" ]; then
609 # Add WWW VirtualHost.
610 if [ -f "$CONFDIR/sites-available/000-$FQDN.conf" ]; then
611 cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/000-$FQDN.conf
613 if [ -f "$CONFDIR/sites-available/www.$DOMAIN.conf" ]; then
614 cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/www.$DOMAIN.conf
617 chk_conf_tag "$CONFDIR/sites-available/000-$FQDN.conf"
618 if [ ! -f "$CONFDIR/sites-available/000-$FQDN.conf" ] || [ $RET -eq 0 ]; then
619 if egrep -qi "^[[:space:]]*NameVirtualHost[[:space:]]+\*:80$" "$PORTCONF"; then
620 install_vhost -d -r www.$DOMAIN default $FQDN 000-$FQDN
622 install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN
627 chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN.conf"
628 if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN.conf" ] || [ $RET -eq 0 ]; then
629 install_vhost default www.$DOMAIN www.$DOMAIN
634 # No WWW VirtualHost.
635 if [ -f "$CONFDIR/sites-available/000-$FQDN.conf" ]; then
636 cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/000-$FQDN.conf
639 chk_conf_tag "$CONFDIR/sites-available/000-$FQDN.conf"
640 if [ ! -f "$CONFDIR/sites-available/000-$FQDN.conf" ] || [ $RET -eq 0 ]; then
641 if egrep -qi "^[[:space:]]*NameVirtualHost[[:space:]]+\*:80$" "$PORTCONF"; then
642 install_vhost -d -r $FQDN default $FQDN 000-$FQDN
644 install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
652 # Add VirtualHost for SSL?
654 if [ $has_listen_ssl -eq 0 ]; then
656 if [ -f "$CONFDIR/sites-available/001-ssl.conf" ]; then
657 cp_backup_conffile -d $BACKUPDIR/sites-available -p $CONFDIR/sites-available/001-ssl.conf
660 # No active SSL VirtualHosts found - add new one.
661 chk_conf_tag "$CONFDIR/sites-available/001-ssl.conf"
662 if [ ! -f "$CONFDIR/sites-available/001-ssl.conf" ] || [ $RET -eq 0 ]; then
664 db_get apache2-cn/wwwhost || true
665 if [ "$RET" = "true" ]; then
666 install_vhost -r www.$DOMAIN -n $HOST ssl ssl 001-ssl
668 install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl
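675 # Check SSL certificates location for VirtualHosts. NOTE(review): the debconf-supplied paths are interpolated into '#'-delimited sed expressions (presumably run by cp_check_and_sed), so a path containing '#' or '&' would not be substituted literally.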
677 if [ $has_listen_ssl -eq 0 ]; then
679 chk_conf_tag "${CONFDIR}/sites-available/001-ssl.conf"
680 if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then
682 SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX)
683 temp_files="${temp_files} ${SSLTMP} ${SSLTMP}.cn-old"
684 cp ${CONFDIR}/sites-available/001-ssl.conf $SSLTMP
687 cp_check_and_sed "^[[:space:]]*SSLCertificateFile \/etc\/ssl\/certs\/apache2\.pem" \
688 "s#SSLCertificateFile /etc/ssl/certs/apache2.pem#SSLCertificateFile $apache2_sslcf #g" \
691 # SSLCertificateKeyFile
692 cp_check_and_sed "^[[:space:]]*SSLCertificateKeyFile \/etc\/ssl\/private\/apache2\.key" \
693 "s#SSLCertificateKeyFile /etc/ssl/private/apache2.key#SSLCertificateKeyFile $apache2_sslckf #g" \
696 # SSLCertificateChainFile
697 if [ -n "$apache2_sslccf" ]; then
698 cp_check_and_sed "^[[:space:]]*# SSLCertificateChainFile \/etc\/ssl\/certs\/(sureserverEDU|cert-chain)\.pem" \
699 "s#\# SSLCertificateChainFile /etc/ssl/certs/\(sureserverEDU\|cert-chain\).pem#SSLCertificateChainFile $apache2_sslccf #g" \
703 cp_mv $SSLTMP ${CONFDIR}/sites-available/001-ssl.conf
708 [ -e "${SSLTMP}" ] && rm -f ${SSLTMP}
709 [ -e "${SSLTMP}.cn-old" ] && rm -f ${SSLTMP}.cn-old
714 # Check file access permissions for the SSL private key files (/etc/ssl/private/*.key).
716 cp_echo "CN: Checking file access permissions for Apache2 SSL certificates."
717 sslkey=/etc/ssl/private
718 sslcerts="${sslkey}/ca.key ${sslkey}/apache2-ca.key ${sslkey}/apache2.key"
719 for certf in $sslcerts; do
720 if [ -f "$certf" ]; then
726 # Check and remove obsolete "Include /etc/apache2/sites-enabled/[^.#]*" from
727 # /etc/apache2/apache2.conf.
729 if egrep -iq "^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/\[\^\.\#\]\*$" "$CONF"; then
731 cp_echo "CN: Fixing obsolete Include line in $CONF."
732 CONFTMP=`mktemp $CONF.tmp.XXXXXX`
733 temp_files="${temp_files} ${CONFTMP}"
735 sed -r "/^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/\[\^\.\#\]\*$/Id" \
738 if ! egrep -iq "^[[:space:]]*Include[[:space:]]+\/etc\/apache2\/sites-enabled\/$" "$CONFTMP"; then
739 echo "Include /etc/apache2/sites-enabled/" >> "$CONFTMP"
742 cp_mv "$CONFTMP" "$CONF"
750 # Remove old AOSI configuration for Apache: aosi-www.conf, aosi.conf.
752 if [ -e "$CONFDIR/conf.d/aosi-www.conf" ] || [ -e "$CONFDIR/conf.d/aosi.conf" ]; then
753 cp_echo "CN: Removing old AOSI configuration files for Apache2."
754 rm -f $CONFDIR/conf.d/aosi-www.conf
755 rm -f $CONFDIR/conf.d/aosi.conf
760 # Restart Apache2 web server if needed.
762 if [ $need_restart -eq 1 ]; then
764 # Check Apache2 web server configuration.
765 if apache2ctl configtest 2>/dev/null; then
767 # Restart Apache2 web server.
768 service apache2 reload || true
771 # Something is broken.
772 cp_echo "CN: Your Apache2 configuration seems to be broken."
773 cp_echo "CN: Please, check the service after the installation finishes!"
783 # (re)generate monit.d files if monit-cn is installed.
785 if [ -x "/usr/sbin/update-monit.d" ]; then
786 cp_echo "CN: Updating monit configuration..."
787 update-monit.d || true