diff --git a/README.org b/README.org
new file mode 100644
index 0000000..1ad48d9
--- /dev/null
+++ b/README.org
@@ -0,0 +1,13 @@
+#+TITLE: Readme
+
+* Usage
+
+#+begin_src shell
+inventory.sh
+#+end_src
+
+* Notes
+
+- inventory: Contains the files with directives before the migration
+- to-convert:
+- result: Result of the inventory after the migration
diff --git a/convert.awk b/convert.awk
new file mode 100644
index 0000000..70f656d
--- /dev/null
+++ b/convert.awk
@@ -0,0 +1,11 @@
+#!/usr/bin/env awk -f
+
+
+newline = "\n[[:blank:]]";
+
+/Order deny,allow\n[[:blank:]]*Deny from all/
+
+
+/Allow from all/ { s/ }
+
+s/Allow from all/Require all granted/
diff --git a/convert.pl b/convert.pl
new file mode 100644
index 0000000..8afdeaf
--- /dev/null
+++ b/convert.pl
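Review bot: convert.awk does not parse as awk: `newline = "\n[[:blank:]]";` sits outside any pattern/action, `/Allow from all/ { s/ }` has no awk statement inside the braces, and the closing `s/Allow from all/Require all granted/` is sed syntax, so `awk -f convert.awk` exits with a syntax error before reading any config. If the awk variant is kept, express the rewrite with awk's substitution call, e.g. `{ sub(/Allow[[:blank:]]+from[[:blank:]]+all/, "Require all granted"); print }`. The `Order deny,allow\n[[:blank:]]*Deny from all` regex also cannot match a single record unless RS is changed, so the two-line case needs the previous line buffered in a variable rather than a newline embedded in the pattern.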
@@ -0,0 +1,63 @@
+#!/usr/bin/env perl
+#
+# Replace apache's mod_access_compat directives to mod_authz_host ones, to
+# securly migrate to apache 2.2 to 2.4. This script only migrate most
+# common pattern.
+
+#use re "debug";
+use strict;
+use warnings;
+
+# TODO Maybe use a redo in of clauses to avoid missing substitutions
+
+# our $^I = '.bak';
+
+# our @ARGV = ($ARGV[0]); # We don't want to use STDIN when eof get called
+
+# open(my $fh, "+<", $ARGV[0])
+# or die "Can't open ARGv[0]!";
+
+# Regex for spaces bettwen word (including comment character)
+my $s = '[#\s]*';
+
+while () {
+ # ** Order
+ # Default of mod_access_compat
+ next if /Order${s}deny,allow/i;
+
+ if (/(Order${s}Allow,Deny)/i) {
+ $_ .= ;
+ s/${1}${s}(Deny${s}from${s}all)/$1/i;
+ };
+
+ # ** Satisfy
+ # Correspond to the new default, from mod_authz_host, to have an implicit
+ next if /Satisfy${s}any/i;
+
+ # ** Misc
+ if (/(Require${s}valid-user)/i) {
+ $_ .= ..;
+ s/(${1})${s}Order${s}Deny,Allow${s}Deny${s}from${s}all/$1/i;
+ };
+
+ # ** Deny
+ if (/(Deny${s}from${s}all)/i) {
+ # unless (eof(ARGV)) {
+ $_ .= ;
+ # };
+ s/${1}${s}Allow${s}from/Require ip/i;
+ s/Deny${s}from${s}all/Require all denied/i;
+ };
+
+ s/Deny${s}from${s}env=/Require not env /i;
+
+ # ** Allow
+ s/Allow${s}from${s}all/Require all granted/i;
+ s/Allow${s}from/Require ip/i;
+
+ print ARGV;
+}
+
+# close $fh;
+
+# print 'END THIS SHIT!!!!\n';
diff --git a/convert.sed b/convert.sed
new file mode 100644
index 0000000..5b4567a
--- /dev/null
+++ b/convert.sed
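Review bot: The `if (/(Order${s}Allow,Deny)/i)` branch strips the Order line but leaves `Deny from all` in `$_`, which then falls through to the `Deny from all` branch below and is folded together with a following `Allow from X` into a bare `Require ip X`; under 2.2 that allow,deny sequence refused everyone (a matching Deny overrides Allow), so the converted config now admits X. A deny-wins `Order` should yield `Require all denied` and discard the trailing `Allow from` lines, or the block should be left untouched and reported for manual review, rather than reusing the deny,allow rewrite. Separately, the catch-all `s/Allow${s}from/Require ip/i` also rewrites `Allow from env=...` and hostname arguments into a `Require ip` with a non-address argument; I believe httpd refuses such a line at startup rather than silently granting access, but restricting the rule to address-looking arguments, e.g. `s/Allow${s}from(?=\s+[\d.:\/]+\s*$)/Require ip/i`, keeps the rest for manual handling. The `$_ .= <>` reads appear here as `$_ .= ;`, presumably angle brackets lost in rendering, so the loop body should be checked against the real file.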
@@ -0,0 +1,28 @@
+# This script dumbly migrate from Apache's configuration 2.2 to 2.4.
+#
+# Here are it's current quirk:
+# - it will modify config even if it's written to be cross compatible between thoses version
+# - it assume "Allow from" only specifies IPs
+
+# Order
+/Order[[:blank:]]*deny,allow/Id
+
+# * Deny
+# s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+
+/Deny[[:blank:]]*from[[:blank:]]*all/I {
+ N
+ s/.?\([[:blank:]]*\)Allow[[:blank:]]*from/\1Require ip/I
+ s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+}
+
+s/Deny from env=/Require not env /I
+
+# * Allow
+s/Allow[[:blank:]]*from[[:blank:]]*all/Require all granted/I
+s/Allow[[:blank:]]*from/Require ip/I
+
+# * Satisfy
+
+# It's the default value
+/Satisfy[[:blank:]]*any/Id
diff --git a/convert.sh b/convert.sh
new file mode 100644
index 0000000..3f135f2
--- /dev/null
+++ b/convert.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"
diff --git a/filter.sh b/filter.sh
new file mode 100644
index 0000000..5eedbc8
--- /dev/null
+++ b/filter.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Types: V S H T
+type=$1
+result=/tmp/apache-require/result
+
+awk --assign type="$type" '{ if ($NF == type) print $0; }' "$result"
diff --git a/inventory.sh b/inventory.sh
index 8e01ab7..d66d872 100755
--- a/inventory.sh
+++ b/inventory.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
 # TODO Use \0 as a seprator
+# TODO replace realpath as it isn't POSIX
+# TODO Categorize mixed directives, thoses need to be manualy modified
+# We may need a different file that list files with non mixed directives
 set -e
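Review bot: Inside the `/Deny[[:blank:]]*from[[:blank:]]*all/I` block the first substitution's `.?` consumes the newline that `N` appended, so `Deny from all` / `Allow from X` is joined onto one line and the Deny text is never removed: the block emits `Require all denied  Require ip X` as a single line instead of the intended `Require ip X`. I believe httpd rejects that line at startup (so it fails closed), but the conversion is wrong either way; match the newline explicitly and drop the deny, e.g. `s/Deny[[:blank:]]*from[[:blank:]]*all\n\([[:blank:]]*\)Allow[[:blank:]]*from/\1Require ip/I`. There is also no rule for `Order allow,deny`, so a deny-wins block keeps its Order line while its `Allow from` becomes `Require ip`, mixing mod_access_compat and mod_authz_host directives in one section; such blocks should be left untouched and listed for manual review. Note that `N` on the last input line ends the script without printing under POSIX sed (GNU sed prints), so a trailing `Deny from all` can vanish from the output.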
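Review bot: Every expression in convert.sh embeds `${newline}` (`\n[[:blank:]]`) in a plain `s///`, yet nothing here runs sed with `N` or `-z`, so `all_denied` and `mix_allow_all_require_all` can never match a line-at-a-time pattern space; the variables are also never used, so the script is a no-op. If this is meant as a library, add the driver that joins lines and runs `sed -e "$all_denied" -e "$allow_all" ...`, or drop it in favour of convert.sed, which already carries an `N`-based two-line rule. It is byte-for-byte the same as migrate.sh in this commit apart from one stray line, so only one copy should survive.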
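Review bot: `result=/tmp/apache-require/result` hard-codes a predictable path under the world-writable /tmp, so any local user who creates `/tmp/apache-require` first controls what this filter, and whatever consumes its output, reads; take the directory from `mktemp -d` or a root-owned location and share it with inventory.sh through a variable rather than a literal. The name also looks stale: inventory.sh in this same commit renames its result file to `$tmp_dir/inventory`, so if `$tmp_dir` is `/tmp/apache-require` this script now reads a file that is no longer written. The awk call itself is fine; `--assign` interprets escape sequences in `$type`, which is harmless for the single-letter codes in the comment.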
@@ -14,7 +17,7 @@ confs_vhost=$tmp_dir/confs_vhost
 confs_system=$tmp_dir/confs_system
 confs_htaccess=$tmp_dir/confs_htaccess
 confs_template=$tmp_dir/confs_template
-result=$tmp_dir/result
+result=$tmp_dir/inventory
 summary=$tmp_dir/summary
 module_loaded() {
@@ -34,7 +37,7 @@ get_confs() {
 for conf_file in $(cat "$confs"); do
 # XXX: Expand the filenames
 for glob in $(awk '/^[[:space:]]*Include/ {print $2}' "$conf_file"); do
- realpath --canonicalize-existing --no-symlinks --quiet $glob >> "$confs" || true
+ realpath --canonicalize-existing --quiet $glob >> "$confs" || true
 done
 done
 sort "$confs" | uniq > "$confs"_tmp && mv "$confs"_tmp "$confs"
@@ -64,10 +67,12 @@ get_template() {
 categorize_confs() {
 get_template > "$confs_template"
 get_htaccess > "$confs_htaccess"
- grep -E "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_vhost"
- grep -Ev "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_system"
+ grep -E "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_vhost"
+ grep -Ev "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_system"
 }
+
+# Count directives and return files only containing some directives
 # Takes argument: file type
 count_directives() {
 directives="Allow Order Deny Satisfy"
diff --git a/migrate.sh b/migrate.sh
new file mode 100644
index 0000000..e8a40eb
--- /dev/null
+++ b/migrate.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+-
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"
diff --git a/notes.org b/notes.org
new file mode 100644
index 0000000..183c377
--- /dev/null
+++ b/notes.org
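Review bot: Dropping `--no-symlinks` records symlink targets in `$confs`, which the sites-available grep later in this commit depends on, but `realpath --canonicalize-existing --quiet $glob >> "$confs" || true` still silently discards every Include argument that fails to resolve — notably relative ones such as `Include conf.d/*.conf`, which httpd resolves against ServerRoot while realpath resolves against the current directory. Files dropped here never enter the inventory and so never have their Order/Allow/Deny directives converted, which for an access-control migration is the failure mode to avoid; prefix relative globs with the server root (e.g. `case $glob in /*) ;; *) glob=$apache_dir/$glob ;; esac`) and log unresolvable entries instead of `|| true`. `$(cat "$confs")` and the unquoted `$glob` (needed for expansion) also word-split on whitespace in paths, which the existing `\0` TODO already acknowledges. get_confs begins before this hunk.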
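Review bot: `"^${apache_dir}/sites-available/.*\\.conf"` is not anchored at the end, so `site.conf.bak` or `site.conf.dpkg-dist` left in sites-available are classified as vhost configs and handed on for conversion; append `$` (`\\.conf$`) to mirror httpd's own `*.conf` Include glob. Because the previous hunk makes realpath follow symlinks, an enabled site whose link points outside sites-available now lands in `$confs_system` rather than `$confs_vhost`; that may be intended but deserves a comment on the grep, e.g. `# paths are canonical (symlinks resolved), so enabled sites appear under sites-available`. categorize_confs starts in this hunk; count_directives continues past it.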
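Review bot: The line containing only `-` between `all_denied=` and `## Last` is executed as a command named `-`, which fails with "command not found"; with no `set -e` the script carries on, so the error would pass unnoticed. Remove that line. migrate.sh is otherwise identical to convert.sh in this commit and, like it, defines `${newline}`-based patterns that a line-oriented sed can never match and that nothing invokes, so one of the two files should go.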
@@ -0,0 +1,7 @@
+#+TITLE: Notes
+
+* hosting05
+- /etc/apache2/sites-enabled/acelem.conf
+- /etc/apache2/mods-enabled/status.conf
+- /home/labri/www/zp-data/.htaccess
+- /home/oldwiki/www/bleuroy/.htaccess
diff --git a/snippets b/snippets
new file mode 100644
index 0000000..14d3ba4
--- /dev/null
+++ b/snippets
@@ -0,0 +1,4 @@
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ Include /etc/apache2/ipaddr_whitelist.conf