commit a6994e7b4079b91a595b2bab0b0e85e17f542d8e Author: Daniel Berteaud Date: Tue Mar 13 12:50:08 2012 +0100 Initial import diff --git a/createlinks b/createlinks new file mode 100644 index 0000000..61c8386 --- /dev/null +++ b/createlinks @@ -0,0 +1,15 @@ +#!/usr/bin/perl -w + +use esmith::Build::CreateLinks qw(:all); + +my $event = 'webapps-update'; +templates2events("/etc/httpd/conf/httpd.conf", $event); +templates2events("/etc/php.ini", $event); +templates2events("/etc/my.cnf", $event); +templates2events("/etc/crontab", $event); + +safe_symlink("start", "root/etc/e-smith/events/$event/services2adjust/mysql.init"); +safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); + +event_link("webapps-update-crl", $event, "02"); +event_link("webapps-update-certs", $event, "03"); diff --git a/root/etc/e-smith/events/actions/webapps-update-certs b/root/etc/e-smith/events/actions/webapps-update-certs new file mode 100644 index 0000000..1ccf2bc --- /dev/null +++ b/root/etc/e-smith/events/actions/webapps-update-certs @@ -0,0 +1,35 @@ +#!/bin/bash + +#---------------------------------------------------------------------- +# copyright (C) 2010 Firewall-Services +# daniel@firewall-services.com +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +#---------------------------------------------------------------------- + + +# This script provides basic integration with PHPki + +SRCCRT='/opt/phpki/phpki-store/CA/certs/cacert.pem' +DSTCRT='/etc/pki/tls/certs/cacert.pem' + +if [ -e $SRCCRT -a \! -e $DSTCRT ]; then + cp $SRCCRT $DSTCRT + chown root:root $DSTCRT + chmod 644 $DSTCRT + c_rehash /etc/pki/tls/certs/ +fi + diff --git a/root/etc/e-smith/events/actions/webapps-update-crl b/root/etc/e-smith/events/actions/webapps-update-crl new file mode 100644 index 0000000..03074cb --- /dev/null +++ b/root/etc/e-smith/events/actions/webapps-update-crl @@ -0,0 +1,33 @@ +#!/bin/bash + +URL=$(/sbin/e-smith/db configuration getprop httpd-e-smith CrlUrl) +DOMAIN=$(/sbin/e-smith/db configuration get DomainName) + +if [ "$URL" == "" ]; then + exit 0 +fi + +/usr/bin/wget $URL -O /tmp/httpcacrl.pem > /dev/null 2>&1 + +/usr/bin/openssl crl -inform PEM -in /tmp/httpcacrl.pem -text > /dev/null 2>&1 + +if [ "$?" -eq "0" ]; then + /bin/mv -f /tmp/httpcacrl.pem /etc/pki/tls/crl/cacrl.pem > /dev/null 2>&1 +else + cat > /tmp/httpcrlmail <> /tmp/crlmail + mail -s 'CRL update failed' admin@$DOMAIN < /tmp/httpcrlmail +fi + +rm -f /tmp/httpcacrl.pem +rm -f /tmp/httpcrlmail + diff --git a/root/etc/e-smith/templates/etc/crontab/httpd-update-crl b/root/etc/e-smith/templates/etc/crontab/httpd-update-crl new file mode 100644 index 0000000..295eb9a --- /dev/null +++ b/root/etc/e-smith/templates/etc/crontab/httpd-update-crl @@ -0,0 +1,8 @@ +{ +my $url = ${'httpd-e-smith'}{'CrlUrl'} || ''; +if ($url =~ /^http(s)?:\/\/.*$/){ + $OUT .= "# Update httpd-e-smith's CRL\n"; + $OUT .= "5 * * * * root /etc/e-smith/events/actions/webapps-update-crl 2>&1 /dev/null\n"; +} +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule98ExtraMod b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule98ExtraMod new file mode 100644 index 0000000..bb8d10d --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule98ExtraMod @@ -0,0 +1,27 @@ +{ + +# Load mod_authn_file if found +if ( -e '/usr/lib64/httpd/modules/mod_authn_file.so' || + -e '/usr/lib/httpd/modules/mod_authn_file.so'){ + $OUT .= "LoadModule authn_file_module modules/mod_authn_file.so\n"; +} + +# Load mod_auth_basic if found +if ( -e '/usr/lib64/httpd/modules/mod_auth_basic.so' || + -e '/usr/lib/httpd/modules/mod_auth_basic.so'){ + $OUT .= "LoadModule auth_basic_module modules/mod_auth_basic.so\n"; +} + +# Load module mod_ldap if found +if ( -e '/usr/lib64/httpd/modules/mod_ldap.so' || + -e '/usr/lib/httpd/modules/mod_ldap.so'){ + $OUT .= "LoadModule ldap_module modules/mod_ldap.so\n"; +} + +# Load module mod_authnz_ldap if found +if ( -e '/usr/lib64/httpd/modules/mod_authnz_ldap.so' || + -e '/usr/lib/httpd/modules/mod_authnz_ldap.so'){ + $OUT .= "LoadModule authnz_ldap_module modules/mod_authnz_ldap.so\n"; +} + +} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateCAFile b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateCAFile new file mode 100644 index 0000000..d8d553b --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateCAFile @@ -0,0 +1,16 @@ +{ +if (-e '/etc/pki/tls/certs/cacert.pem'){ + $OUT .= "# CA Certificate used for client authentication\n"; + $OUT .= "SSLCACertificateFile /etc/pki/tls/certs/cacert.pem\n"; +} +else{ + $OUT .= ''; +} +if (-e '/etc/pki/tls/crl/cacrl.pem'){ + $OUT .= "# CA CRL to check revoked client certificates\n"; + $OUT .= "SSLCARevocationFile /etc/pki/tls/crl/cacrl.pem\n"; +} +else{ + $OUT .= ''; +} +} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/00Setup b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/00Setup new file mode 100644 index 0000000..e5db207 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/00Setup @@ -0,0 +1,9 @@ +{ + use esmith::DomainsDB; + # Convert the passed hash for the domain object back into an object. + $domain = bless \%domain, 'esmith::DB::db::Record'; + + # Make scalars from some of the properties of the domain + $virtualHost = $domain->key; + $OUT = ""; +} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/02ServerName b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/02ServerName new file mode 100644 index 0000000..38f4ddf --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/02ServerName @@ -0,0 +1 @@ + ServerName {$virtualHost} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/25SSLDirectives b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/25SSLDirectives new file mode 100644 index 0000000..2686ace --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/25SSLDirectives @@ -0,0 +1,27 @@ +{ + my $ssl = $domain->prop('RequireSSL') || 'disabled'; + my $lemon = $domain->prop('LemonLDAP') || 'disabled'; + + if (($modSSL{TCPPort} || "443") eq $port){ + $OUT .= " SSLEngine on\n"; + } + elsif (($ssl =~ m/^enabled|yes|on|1$/i) || ($lemon eq 'enabled')){ + $OUT .=<<'EOF'; + RewriteEngine on + RewriteRule ^/(.*|$) https://%{HTTP_HOST}/$1 [L,R] + +EOF + } + elsif ($ssl =~ m#/#){ + $OUT .= " RewriteEngine on\n"; + foreach my $loc (split(/[;,]/, $ssl)){ + $OUT .= " # Rewriting $loc to use SSL\n"; + $loc =~ s#^/##; + $OUT .= " RewriteRule ^/$loc(/.*|\$) https://%\{HTTP_HOST\}/$loc\$1 \[L,R\]\n"; + } + } + else{ + $OUT .= ''; + } +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/26RewriteTraceAndTrack b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/26RewriteTraceAndTrack new file mode 100644 index 0000000..2d3653d --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/26RewriteTraceAndTrack @@ -0,0 +1,8 @@ +{ + $OUT =<<'HERE'; + RewriteEngine on + RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) + RewriteRule .* - [F] +HERE +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/40ApacheIconAlias b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/40ApacheIconAlias new file mode 100644 index 0000000..980503c --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/40ApacheIconAlias @@ -0,0 +1,13 @@ +{ +my $alias = $domain->prop('IconAlias') || 'enabled'; +$OUT .= ''; + +unless ($alias =~ m/disabled|off|no|0/i){ + $OUT .=<<'EOF'; + + # alias for Apache icons + Alias /icons/ /var/www/icons/ + +EOF +} +} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/50Content b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/50Content new file mode 100644 index 0000000..f07676c --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/50Content @@ -0,0 +1,40 @@ +{ + +my $target = $domain->prop('ProxyPassTarget') || ''; +my $allow = $domain->prop('AllowHosts') || ''; +my $preserve = $domain->prop('ProxyPreserveHost') || 'no'; +my $keepalive = $domain->prop('ProxyNoKeepAlive') || 'no'; + +if ($target =~ m|https?://[\d\w\.\-/]*|){ + $OUT .= " SetEnv proxy-nokeepalive 1\n" if ($keepalive eq 'yes'); + $OUT .= " ProxyPass / $target\n"; + $OUT .= " ProxyPassReverse / $target\n"; + $OUT .= " ProxyPreserveHost on\n" if ($preserve eq 'yes'); +} +else{ + my $root = $domain->prop('DocumentRoot') || + '/home/e-smith/files/ibays/Primary/html'; + + $OUT .= " DocumentRoot $root\n"; +} + +if ($allow ne ''){ + if ($allow eq 'local'){ + $allow = "$localAccess $externalSSLAccess"; + } + else{ + $allow =~ s/[,;]/ /; + } + $OUT .=<<"EOF" + + + Order deny,allow + Deny from all + Allow from $allow + + +EOF +} + +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-begin b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-begin new file mode 100644 index 0000000..b050035 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-begin @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-end b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-end new file mode 100644 index 0000000..50d3d92 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/template-end @@ -0,0 +1,2 @@ + + diff --git a/smeserver-webapps-common.spec b/smeserver-webapps-common.spec new file mode 100644 index 0000000..3edde13 --- /dev/null +++ b/smeserver-webapps-common.spec @@ -0,0 +1,91 @@ +# $Id: smeserver-webapps-common.spec,v 1.0 2009/09/30 16:20:28 slords Exp $ +# Authority: VIP-ire +# Name: Daniel B. + +Summary: Common WebApps Framework for SME Server +%define name smeserver-webapps-common +Name: %{name} +%define version 0.2.0 +%define release 1.beta0 +Version: %{version} +Release: %{release}%{?dist} +License: GPL +Group: SMEServer/addon + +Source: %{name}-%{version}.tar.gz + +URL: http://www.firewall-services.com/ +BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot +BuildArchitectures: noarch +Requires: e-smith-base +Requires: httpd +Requires: mysql +Requires: php +Requires: openssl-perl +BuildRequires: e-smith-devtools + +%description +This package provide common files and events for Web Applications integration +on SME Server + +%changelog +* Tue Mar 13 2012 Daniel Berteaud 0.2.0-1.sme +- Migrate to git + +* Fri Jul 22 2011 Daniel Berteaud 0.1-11.sme +- Add an prop to disable the default /icons alias + +* Wed Jun 29 2011 Daniel Berteaud 0.1-10.sme +- Allow values enabled, yes on or 1 for RequireSSL +- Implement access restriction with AllowHosts + +* Tue Mar 8 2011 Daniel Berteaud 0.1-9.sme +- Integration with PHPki +- Stop restarting mysqld service + +* Mon Mar 7 2011 Daniel Berteaud 0.1-8.sme +- Add SSLCACertificateFile directive + +* Tue Jan 25 2011 Daniel Berteaud 0.1-7.sme +- Fix httpd template syntax + +* Tue Jan 25 2011 Daniel Berteaud 0.1-6.sme +- Load some additional modules for apache if they are found + +* Thu Dec 30 2010 Daniel Berteaud 0.1-5.sme +- RequireSSL can take a list of location to rewrite + +* Thu Dec 30 2010 Daniel Berteaud 0.1-4.sme +- Only load authn_file if the module exists + +* Sun Dec 25 2010 Daniel Berteaud 0.1-3.sme +- Load mod_authn_file + +* Thu Dec 16 2010 Daniel Berteaud 0.1-2.sme +- Provide alternative WebAppVirtualHost templates + +* Fri Dec 10 2010 Daniel Berteaud 0.1-1.sme +- Add DocumentRoot prop for domains + +* Wed Sep 30 2009 Daniel B. 0.1-0 +- Initial rpm + +%prep +%setup + +%build +perl createlinks +%{__mkdir_p} root/etc/pki/tls/crl + +%install +/bin/rm -rf $RPM_BUILD_ROOT +(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT) +/bin/rm -f %{name}-%{version}-filelist +/sbin/e-smith/genfilelist $RPM_BUILD_ROOT > %{name}-%{version}-filelist + +%files -f %{name}-%{version}-filelist +%defattr(-,root,root) + +%clean +rm -rf $RPM_BUILD_ROOT +