Pooria
/
ols-docker-env
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add mod_secure

Browse Source
master
Cold-Egg 5 years ago
parent f1f8d1dae5
commit 1310d02c10
6 changed files with 186 additions and 16 deletions
Show Stats Download Patch File Download Diff File

4
bin/cert.sh
Unescape View File

@ -44,10 +44,10 @@ domain_verify(){
lecertapply(){ lecertapply(){
if [ ${TYPE} = 1 ]; then if [ ${TYPE} = 1 ]; then
docker-compose exec litespeed su -c "certbot certonly --agree-tos --register-unsafely-without-email \ docker-compose exec ${CONT_NAME} su -c "certbot certonly --agree-tos --register-unsafely-without-email \
--non-interactive --webroot -w /var/www/vhosts/${1}/html -d ${1}" --non-interactive --webroot -w /var/www/vhosts/${1}/html -d ${1}"
elif [ ${TYPE} = 2 ]; then elif [ ${TYPE} = 2 ]; then
docker-compose exec litespeed su -c "certbot certonly --agree-tos --register-unsafely-without-email \ docker-compose exec ${CONT_NAME} su -c "certbot certonly --agree-tos --register-unsafely-without-email \
--non-interactive --webroot -w /var/www/vhosts/${1}/html -d ${1} -d www.${1}" --non-interactive --webroot -w /var/www/vhosts/${1}/html -d ${1} -d www.${1}"
else else
echo 'unknown Type!' echo 'unknown Type!'

158
bin/container/owaspctl.sh
Unescape View File

@ -0,0 +1,158 @@
#!/bin/bash
LSDIR='/usr/local/lsws'
OWASP_DIR="${LSDIR}/conf/owasp"
RULE_FILE='modsec_includes.conf'
HTTPD_CONF="${LSDIR}/conf/httpd_config.conf"
help_message(){
echo 'Command [-enable|-disable]'
echo 'Example: owaspctl.sh -enable'
echo 'Enable mod_secure module with latest OWASP version of rules'
exit 0
}
check_input(){
if [ -z "${1}" ]; then
help_message
exit 1
fi
}
mk_owasp_dir(){
if [ -d ${OWASP_DIR} ] ; then
rm -rf ${OWASP_DIR}
fi
mkdir -p ${OWASP_DIR}
if [ ${?} -ne 0 ] ; then
echo "Unable to create directory: ${OWASP_DIR}, exit!"
exit 1
fi
}
fst_match_line(){
FIRST_LINE_NUM=$(grep -n -m 1 "${1}" ${2} | awk -F ':' '{print $1}')
}
fst_match_after(){
FIRST_NUM_AFTER=$(tail -n +${1} ${2} | grep -n -m 1 ${3} | awk -F ':' '{print $1}')
}
lst_match_line(){
fst_match_after ${1} ${2} '}'
LAST_LINE_NUM=$((${FIRST_LINE_NUM}+${FIRST_NUM_AFTER}-1))
}
enable_modsec(){
grep 'module mod_security {' ${HTTPD_CONF} >/dev/null 2>&1
if [ ${?} -eq 0 ] ; then
echo "Already configured for modsecurity."
else
echo 'Enable modsecurity'
sed -i "s=module cache=module mod_security {\nmodsecurity on\
\nmodsecurity_rules \`\nSecRuleEngine On\n\`\nmodsecurity_rules_file \
${OWASP_DIR}/${RULE_FILE}\n ls_enabled 1\n}\
\n\nmodule cache=" ${HTTPD_CONF}
fi
}
disable_modesec(){
grep 'module mod_security {' ${HTTPD_CONF} >/dev/null 2>&1
if [ ${?} -eq 0 ] ; then
echo 'Disable modsecurity'
fst_match_line 'module mod_security' ${HTTPD_CONF}
lst_match_line ${FIRST_LINE_NUM} ${HTTPD_CONF}
sed -i "${FIRST_LINE_NUM},${LAST_LINE_NUM}d" ${HTTPD_CONF}
else
echo 'Already disabled for modsecurity'
fi
}
install_git(){
if [ ! -f /usr/bin/git ]; then
echo 'Install git'
apt-get install git -y >/dev/null 2>&1
fi
}
install_owasp(){
cd ${OWASP_DIR}
echo 'Download OWASP rules'
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git >/dev/null 2>&1
}
configure_owasp(){
echo 'Config OWASP rules.'
cd ${OWASP_DIR}
echo "include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf">modsec_includes.conf
echo "SecRuleEngine On">modsecurity.conf
cd ${OWASP_DIR}/owasp-modsecurity-crs
if [ -f crs-setup.conf.example ]; then
mv crs-setup.conf.example crs-setup.conf
fi
cd ${OWASP_DIR}/owasp-modsecurity-crs/rules
if [ -f REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
fi
if [ -f RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
fi
}
main_owasp(){
mk_owasp_dir
install_git
install_owasp
configure_owasp
}
check_input ${1}
while [ ! -z "${1}" ]; do
case ${1} in
-[hH] | -help | --help)
help_message
;;
-enable | -e | -E)
main_owasp
enable_modsec
;;
-disable | -d | -D)
disable_modesec
;;
*)
help_message
;;
esac
shift
done

3
bin/demosite.sh
Unescape View File

@ -2,6 +2,7 @@
source .env source .env
DEMO_VH='localhost' DEMO_VH='localhost'
APP_NAME='wordpress' APP_NAME='wordpress'
CONT_NAME='litespeed'
DEMO_PATH="/var/www/${DEMO_VH}" DEMO_PATH="/var/www/${DEMO_VH}"
help_message(){ help_message(){
@ -31,7 +32,7 @@ EOT
} }
app_download(){ app_download(){
docker-compose exec litespeed su -c "appinstallctl.sh -app ${1} -domain ${2} -vhname ${DEMO_VH}" docker-compose exec ${CONT_NAME} su -c "appinstallctl.sh -app ${1} -domain ${2} -vhname ${DEMO_VH}"
} }
main(){ main(){

28
bin/webadmin.sh
Unescape View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
CONT_NAME='litespeed'
help_message(){ help_message(){
echo 'Command [PASSWORD]' echo 'Command [PASSWORD]'
@ -6,6 +7,8 @@ help_message(){
echo 'Command [-r]' echo 'Command [-r]'
echo 'Example: webadmin.sh -r' echo 'Example: webadmin.sh -r'
echo 'Will restart LiteSpeed Web Server' echo 'Will restart LiteSpeed Web Server'
echo 'Command [-modsec] [enable|disable]'
echo 'Example: webadmin -modsec enable'
exit 0 exit 0
} }
@ -16,13 +19,25 @@ check_input(){
fi fi
} }
set_web_admin(){ lsws_restart(){
docker-compose exec litespeed su -s /bin/bash lsadm -c \ docker-compose exec ${CONT_NAME} su -c '/usr/local/lsws/bin/lswsctrl restart >/dev/null'
'echo "admin:$(/usr/local/lsws/admin/fcgi-bin/admin_php* -q /usr/local/lsws/admin/misc/htpasswd.php '${1}')" > /usr/local/lsws/admin/conf/htpasswd';
} }
lsws_restart(){ mod_secure(){
docker-compose exec litespeed su -c '/usr/local/lsws/bin/lswsctrl restart >/dev/null' if [ "${1}" = 'enable' ] || [ "${1}" = 'Enable' ]; then
docker-compose exec ${CONT_NAME} su -s /bin/bash lsadm -c "owaspctl.sh -enable"
lsws_restart
elif [ "${1}" = 'disable' ] || [ "${1}" = 'Disable' ]; then
docker-compose exec ${CONT_NAME} su -s /bin/bash lsadm -c "owaspctl.sh -disable"
lsws_restart
else
help_message
fi
}
set_web_admin(){
docker-compose exec ${CONT_NAME} su -s /bin/bash lsadm -c \
'echo "admin:$(/usr/local/lsws/admin/fcgi-bin/admin_php* -q /usr/local/lsws/admin/misc/htpasswd.php '${1}')" > /usr/local/lsws/admin/conf/htpasswd';
} }
main(){ main(){
@ -38,6 +53,9 @@ while [ ! -z "${1}" ]; do
-[rR] | -restart | --restart) -[rR] | -restart | --restart)
lsws_restart lsws_restart
;; ;;
-modsec | -sec| --sec) shift
mod_secure ${1}
;;
*) *)
main ${1} main ${1}
;; ;;

4
lsws/conf/httpd_config.conf
Unescape View File

@ -235,10 +235,6 @@ listener HTTPS {
vhTemplate centralConfigLog { vhTemplate centralConfigLog {
templateFile conf/templates/ccl.conf templateFile conf/templates/ccl.conf
listeners Default, HTTP, HTTPS listeners Default, HTTP, HTTPS
member example3.com {
vhDomain example3.com,www.example3.com
}
member localhost { member localhost {
vhDomain localhost, * vhDomain localhost, *
} }

3
lsws/conf/httpd_config.conf.bak
Unescape View File

@ -235,9 +235,6 @@ listener HTTPS {
vhTemplate centralConfigLog { vhTemplate centralConfigLog {
templateFile conf/templates/ccl.conf templateFile conf/templates/ccl.conf
listeners Default, HTTP, HTTPS listeners Default, HTTP, HTTPS
member larshagen.net {
vhDomain larshagen.net
}
member localhost { member localhost {
vhDomain localhost vhDomain localhost
} }

Write Preview
Loading…
Cancel
Save