From eb7ad1a0241d049f10c9e62a8eb4d9e1dd3000a9 Mon Sep 17 00:00:00 2001 From: jsdelfino Date: Mon, 13 Jun 2011 07:57:06 +0000 Subject: Add configuration and script to enable mod-security 2.6.0. git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1135046 13f79535-47bb-0310-9956-ffa450edef68 --- sca-cpp/trunk/configure.ac | 35 ++++- sca-cpp/trunk/modules/edit/ssl-start | 4 + sca-cpp/trunk/modules/http/Makefile.am | 13 +- sca-cpp/trunk/modules/http/httpd-conf | 9 ++ sca-cpp/trunk/modules/http/httpd-ssl-conf | 5 + sca-cpp/trunk/modules/http/mod-security-conf | 190 +++++++++++++++++++++++++++ sca-cpp/trunk/ubuntu/ubuntu-bin-all-image | 9 +- sca-cpp/trunk/ubuntu/ubuntu-bin-image | 75 +++++++++++ sca-cpp/trunk/ubuntu/ubuntu-dev-image | 41 ++++++ sca-cpp/trunk/ubuntu/ubuntu-install | 29 +++- sca-cpp/trunk/ubuntu/ubuntu-install-all | 30 ++++- sca-cpp/trunk/ubuntu/uec2-bin-image | 23 ++++ sca-cpp/trunk/ubuntu/uec2-dev-image | 23 ++++ 13 files changed, 466 insertions(+), 20 deletions(-) create mode 100755 sca-cpp/trunk/modules/http/mod-security-conf create mode 100755 sca-cpp/trunk/ubuntu/ubuntu-bin-image create mode 100755 sca-cpp/trunk/ubuntu/ubuntu-dev-image create mode 100755 sca-cpp/trunk/ubuntu/uec2-bin-image create mode 100755 sca-cpp/trunk/ubuntu/uec2-dev-image (limited to 'sca-cpp') diff --git a/sca-cpp/trunk/configure.ac b/sca-cpp/trunk/configure.ac index 4d713a5c93..49c7c3e663 100644 --- a/sca-cpp/trunk/configure.ac +++ b/sca-cpp/trunk/configure.ac @@ -507,7 +507,7 @@ if test "${want_openid}" = "true"; then # Configure path to mod-auth-openid AC_MSG_CHECKING([for mod-auth-openid]) - AC_ARG_WITH([mod-auth-openid], [AC_HELP_STRING([--with-mod-auth-openid=PATH], [path to installed mod-auth-openid [default=/usr]])], [ + AC_ARG_WITH([mod-auth-openid], [AC_HELP_STRING([--with-mod-auth-openid=PATH], [path to installed mod-auth-openid [default=/usr/local]])], [ MODAUTHOPENID_PREFIX="${withval}" AC_MSG_RESULT("${withval}") ], [ @@ -561,6 +561,39 @@ else AM_CONDITIONAL([WANT_OAUTH], false) fi +# Enable support for modsecurity. +AC_MSG_CHECKING([whether to enable mod-security support]) +AC_ARG_ENABLE(mod-security, [AS_HELP_STRING([--enable-mod-security], [enable mod-security support [default=no]])], +[ case "${enableval}" in + no) + AC_MSG_RESULT(no) + ;; + *) + AC_MSG_RESULT(yes) + want_modsecurity=true + ;; + esac ], +[ AC_MSG_RESULT(no)]) +if test "${want_modsecurity}" = "true"; then + + # Configure path to mod-security + AC_MSG_CHECKING([for mod-security]) + AC_ARG_WITH([mod-security], [AC_HELP_STRING([--with-mod-security=PATH], [path to installed mod-security [default=/usr/local]])], [ + MODSECURITY_PREFIX="${withval}" + AC_MSG_RESULT("${withval}") + ], [ + MODSECURITY_PREFIX="/usr/local/" + AC_MSG_RESULT(/usr/local) + ]) + AC_SUBST(MODSECURITY_PREFIX) + + AM_CONDITIONAL([WANT_MODSECURITY], true) + AC_DEFINE([WANT_MODSECURITY], 1, [enable mod-security support]) + +else + AM_CONDITIONAL([WANT_MODSECURITY], false) +fi + # Enable support for Google AppEngine. AC_MSG_CHECKING([whether to enable Google AppEngine support]) AC_ARG_ENABLE(gae, [AS_HELP_STRING([--enable-gae], [enable Google AppEngine support [default=no]])], diff --git a/sca-cpp/trunk/modules/edit/ssl-start b/sca-cpp/trunk/modules/edit/ssl-start index 1c85c74b5b..5b982f45ff 100755 --- a/sca-cpp/trunk/modules/edit/ssl-start +++ b/sca-cpp/trunk/modules/edit/ssl-start @@ -38,6 +38,10 @@ jsprefix=`readlink -f $here/../js` ../../modules/http/open-auth-conf tmp ../../modules/http/passwd-auth-conf tmp john john ../../modules/http/passwd-auth-conf tmp jane jane +../../modules/http/passwd-auth-conf tmp admin admin + +# Configure mod-security +../../modules/http/mod-security-conf tmp # Configure Python component support ../../modules/server/server-conf tmp diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index a47b83fbf0..f6e95b3996 100644 --- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -21,7 +21,7 @@ incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf -moddir=$(prefix)/modules/http +moddir = $(prefix)/modules/http curl_test_SOURCES = curl-test.cpp curl_test_LDFLAGS = -lxml2 -lcurl -lmozjs @@ -59,6 +59,17 @@ httpd-modules.prefix: $(top_builddir)/config.status curl.prefix: $(top_builddir)/config.status echo ${CURL_PREFIX} >curl.prefix +if WANT_MODSECURITY + +modsecurity.prefix: $(top_builddir)/config.status + echo ${MODSECURITY_PREFIX} >modsecurity.prefix + +dist_modsecurity_SCRIPTS = mod-security-conf +modsecurity_DATA = modsecurity.prefix +modsecuritydir = $(prefix)/modules/http + +endif + dist_noinst_SCRIPTS = httpd-test http-test proxy-test noinst_PROGRAMS = curl-test curl-get curl-connect TESTS = httpd-test http-test proxy-test diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 7c9190d08c..199eec8301 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -61,6 +61,7 @@ Group $group ServerSignature Off ServerTokens Prod Timeout 45 +RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 LimitRequestBody 1048576 HostNameLookups Off @@ -132,6 +133,12 @@ SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary Header append Vary User-Agent env=!dont-vary +# Enable per client bandwidth rate limt + +SetOutputFilter RATE_LIMIT +SetEnv rate-limit 400 + + # Listen on HTTP port Listen $listen @@ -200,10 +207,12 @@ LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so LoadModule mime_module ${modules_prefix}/modules/mod_mime.so LoadModule status_module ${modules_prefix}/modules/mod_status.so +LoadModule info_module ${modules_prefix}/modules/mod_info.so LoadModule asis_module ${modules_prefix}/modules/mod_asis.so LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so LoadModule dir_module ${modules_prefix}/modules/mod_dir.so LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so +LoadModule env_module ${modules_prefix}/modules/mod_env.so LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index 5882a18cb4..9933d1c7d9 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -69,6 +69,11 @@ HostnameLookups on Require user admin + +SetHandler server-info +HostnameLookups on +Require user admin + EOF diff --git a/sca-cpp/trunk/modules/http/mod-security-conf b/sca-cpp/trunk/modules/http/mod-security-conf new file mode 100755 index 0000000000..f988163cf4 --- /dev/null +++ b/sca-cpp/trunk/modules/http/mod-security-conf @@ -0,0 +1,190 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Generate a minimal mod-security configuration. +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +modules_prefix=`cat $here/httpd-modules.prefix` +modsecurity_prefix=`cat $here/modsecurity.prefix` + +mkdir -p $root/tmp + +cat >>$root/conf/modules.conf <>$root/conf/httpd.conf <$root/conf/mod-security.conf <