Dirty commit

README.org

@@ -0,0 +1,13 @@
+#+TITLE: Readme
+
+* Usage
+
+#+begin_src shell
+inventory.sh
+#+end_src
+
+* Notes
+
+- inventory: Contains the files with directives before the migration
+- to-convert:
+- result: Result of the inventory after the migration

convert.awk

@@ -0,0 +1,11 @@
+#!/usr/bin/env awk -f
+
+
+newline = "\n[[:blank:]]";
+
+/Order deny,allow\n[[:blank:]]*Deny from all/
+
+
+/Allow from all/ { s/ }
+
+s/Allow from all/Require all granted/

convert.pl

@@ -0,0 +1,63 @@
+#!/usr/bin/env perl
+#
+# Replace apache's mod_access_compat directives to mod_authz_host ones, to
+# securly migrate to apache 2.2 to 2.4. This script only migrate most
+# common pattern.
+
+#use re "debug";
+use strict;
+use warnings;
+
+# TODO Maybe use a redo in of clauses to avoid missing substitutions
+
+# our $^I = '.bak';
+
+# our @ARGV = ($ARGV[0]); # We don't want to use STDIN when eof get called
+
+# open(my $fh, "+<", $ARGV[0])
+#     or die "Can't open ARGv[0]!";
+
+# Regex for spaces bettwen word (including comment character)
+my $s = '[#\s]*';
+
+while (<ARGV>) {
+    # ** Order
+    # Default of mod_access_compat
+    next if /Order${s}deny,allow/i;
+
+    if (/(Order${s}Allow,Deny)/i) {
+        $_ .= <ARGV>;
+        s/${1}${s}(Deny${s}from${s}all)/$1/i;
+    };
+
+    # ** Satisfy
+    # Correspond to the new default, from mod_authz_host, to have an implicit <RequireAny>
+    next if /Satisfy${s}any/i;
+
+    # ** Misc
+    if (/(Require${s}valid-user)/i) {
+        $_ .= <ARGV>.<ARGV>.<ARGV>;
+        s/(${1})${s}Order${s}Deny,Allow${s}Deny${s}from${s}all/$1/i;
+    };
+
+    # ** Deny
+    if (/(Deny${s}from${s}all)/i) {
+        # unless (eof(ARGV)) {
+            $_ .= <ARGV>;
+        # };
+        s/${1}${s}Allow${s}from/Require ip/i;
+        s/Deny${s}from${s}all/Require all denied/i;
+    };
+
+    s/Deny${s}from${s}env=/Require not env /i;
+
+    # ** Allow
+    s/Allow${s}from${s}all/Require all granted/i;
+    s/Allow${s}from/Require ip/i;
+
+    print ARGV;
+}
+
+# close $fh;
+
+# print 'END THIS SHIT!!!!\n';

convert.sed

@@ -0,0 +1,28 @@
+# This script dumbly migrate from Apache's configuration 2.2 to 2.4.
+#
+# Here are it's current quirk:
+# - it will modify config even if it's written to be cross compatible between thoses version
+# - it assume "Allow from" only specifies IPs
+
+# Order
+/Order[[:blank:]]*deny,allow/Id
+
+# * Deny
+# s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+
+/Deny[[:blank:]]*from[[:blank:]]*all/I {
+    N
+    s/.?\([[:blank:]]*\)Allow[[:blank:]]*from/\1Require ip/I
+    s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+}
+
+s/Deny from env=/Require not env /I
+
+# * Allow
+s/Allow[[:blank:]]*from[[:blank:]]*all/Require all granted/I
+s/Allow[[:blank:]]*from/Require ip/I
+
+# * Satisfy
+
+# It's the default value
+/Satisfy[[:blank:]]*any/Id

convert.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"

filter.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Types: V S H T
+type=$1
+result=/tmp/apache-require/result
+
+awk --assign type="$type" '{ if ($NF == type) print $0; }' "$result"

inventory.sh

@@ -1,6 +1,9 @@
 #!/bin/sh
 
 # TODO Use \0 as a seprator
+# TODO replace realpath as it isn't POSIX
+# TODO Categorize mixed directives, thoses need to be manualy modified
+# We may need a different file that list files with non mixed directives
 
 set -e
 
@@ -14,7 +17,7 @@ confs_vhost=$tmp_dir/confs_vhost
 confs_system=$tmp_dir/confs_system
 confs_htaccess=$tmp_dir/confs_htaccess
 confs_template=$tmp_dir/confs_template
-result=$tmp_dir/result
+result=$tmp_dir/inventory
 summary=$tmp_dir/summary
 
 module_loaded() {
@@ -34,7 +37,7 @@ get_confs() {
         for conf_file in $(cat "$confs"); do
             # XXX: Expand the filenames
             for glob in $(awk '/^[[:space:]]*Include/ {print $2}' "$conf_file"); do
-                realpath --canonicalize-existing --no-symlinks --quiet $glob >> "$confs" || true
+                realpath --canonicalize-existing --quiet $glob >> "$confs" || true
             done
         done
         sort "$confs" | uniq > "$confs"_tmp && mv "$confs"_tmp "$confs"
@@ -64,10 +67,12 @@ get_template() {
 categorize_confs() {
     get_template > "$confs_template"
     get_htaccess > "$confs_htaccess"
-    grep -E "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_vhost"
-    grep -Ev "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_system"
+    grep -E "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_vhost"
+    grep -Ev "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_system"
 }
 
+
+# Count directives and return files only containing some directives
 # Takes argument: file type
 count_directives() {
     directives="Allow Order Deny Satisfy"

migrate.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+-
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"

notes.org

@@ -0,0 +1,7 @@
+#+TITLE: Notes
+
+* hosting05
+- /etc/apache2/sites-enabled/acelem.conf
+-  /etc/apache2/mods-enabled/status.conf
+- /home/labri/www/zp-data/.htaccess
+- /home/oldwiki/www/bleuroy/.htaccess

snippets

@@ -0,0 +1,4 @@
+    Order deny,allow
+    Deny from all
+    Allow from 127.0.0.1
+    Include /etc/apache2/ipaddr_whitelist.conf