From ca18a45319564bc5c82e1865b3c2cea46742b02b Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Tue, 12 Jan 2021 15:01:55 +0100
Subject: [PATCH] Dirty commit
---
README.org | 13 +++++++++++
convert.awk | 11 +++++++++
convert.pl | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++
convert.sed | 28 +++++++++++++++++++++++
convert.sh | 12 ++++++++++
filter.sh | 7 ++++++
inventory.sh | 13 +++++++----
migrate.sh | 13 +++++++++++
notes.org | 7 ++++++
snippets | 4 ++++
10 files changed, 167 insertions(+), 4 deletions(-)
create mode 100644 README.org
create mode 100644 convert.awk
create mode 100644 convert.pl
create mode 100644 convert.sed
create mode 100644 convert.sh
create mode 100644 filter.sh
create mode 100644 migrate.sh
create mode 100644 notes.org
create mode 100644 snippets
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..1ad48d9
--- /dev/null
+++ b/README.org
@@ -0,0 +1,13 @@
+#+TITLE: Readme
+
+* Usage
+
+#+begin_src shell
+inventory.sh
+#+end_src
+
+* Notes
+
+- inventory: Contains the files with directives before the migration
+- to-convert:
+- result: Result of the inventory after the migration
diff --git a/convert.awk b/convert.awk
new file mode 100644
index 0000000..70f656d
--- /dev/null
+++ b/convert.awk
@@ -0,0 +1,11 @@
+#!/usr/bin/env awk -f
+
+
+newline = "\n[[:blank:]]";
+
+/Order deny,allow\n[[:blank:]]*Deny from all/
+
+
+/Allow from all/ { s/ }
+
+s/Allow from all/Require all granted/
diff --git a/convert.pl b/convert.pl
new file mode 100644
index 0000000..8afdeaf
--- /dev/null
+++ b/convert.pl
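Review bot: convert.awk is not valid awk: `s/Allow from all/Require all granted/` and the `{ s/ }` action are sed substitution syntax, which awk does not have, so `awk -f convert.awk` fails to parse before it touches any configuration, and `newline = "\n[[:blank:]]"` is assigned but never used. If this is meant to become a working variant rather than a scratch note, awk's form of the last rule is an action such as `{ gsub(/Allow from all/, "Require all granted") } 1`, and a pattern containing `\n` can only match if the record separator is changed (e.g. `BEGIN { RS = "" }` for paragraph mode), because awk otherwise sees one line per record. Otherwise it is safer to drop the file, since convert.pl and convert.sed in this same patch already implement the conversion and a half-written third tool invites someone to run the wrong one.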
@@ -0,0 +1,63 @@
+#!/usr/bin/env perl
+#
+# Replace apache's mod_access_compat directives to mod_authz_host ones, to
+# securly migrate to apache 2.2 to 2.4. This script only migrate most
+# common pattern.
+
+#use re "debug";
+use strict;
+use warnings;
+
+# TODO Maybe use a redo in of clauses to avoid missing substitutions
+
+# our $^I = '.bak';
+
+# our @ARGV = ($ARGV[0]); # We don't want to use STDIN when eof get called
+
+# open(my $fh, "+<", $ARGV[0])
+# or die "Can't open ARGv[0]!";
+
+# Regex for spaces bettwen word (including comment character)
+my $s = '[#\s]*';
+
+while () {
+ # ** Order
+ # Default of mod_access_compat
+ next if /Order${s}deny,allow/i;
+
+ if (/(Order${s}Allow,Deny)/i) {
+ $_ .= ;
+ s/${1}${s}(Deny${s}from${s}all)/$1/i;
+ };
+
+ # ** Satisfy
+ # Correspond to the new default, from mod_authz_host, to have an implicit
+ next if /Satisfy${s}any/i;
+
+ # ** Misc
+ if (/(Require${s}valid-user)/i) {
+ $_ .= ..;
+ s/(${1})${s}Order${s}Deny,Allow${s}Deny${s}from${s}all/$1/i;
+ };
+
+ # ** Deny
+ if (/(Deny${s}from${s}all)/i) {
+ # unless (eof(ARGV)) {
+ $_ .= ;
+ # };
+ s/${1}${s}Allow${s}from/Require ip/i;
+ s/Deny${s}from${s}all/Require all denied/i;
+ };
+
+ s/Deny${s}from${s}env=/Require not env /i;
+
+ # ** Allow
+ s/Allow${s}from${s}all/Require all granted/i;
+ s/Allow${s}from/Require ip/i;
+
+ print ARGV;
+}
+
+# close $fh;
+
+# print 'END THIS SHIT!!!!\n';
diff --git a/convert.sed b/convert.sed
new file mode 100644
index 0000000..5b4567a
--- /dev/null
+++ b/convert.sed
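Review bot: The Misc and Deny branches together weaken access control for the one pattern the header says they handle securely: `Require valid-user` followed by `Order Deny,Allow` / `Deny from all` / `Allow from X` is rewritten to sibling `Require valid-user` and `Require ip X` lines, and Apache 2.4 evaluates sibling Require directives as an implicit `<RequireAny>`, whereas 2.2 combined them with its default `Satisfy all`, so a policy that meant "authenticated AND from X" becomes "authenticated from anywhere OR anyone from X". Such a block must be emitted inside `<RequireAll>` ... `</RequireAll>`, or the script should refuse to rewrite a block that mixes `Require` with host directives and leave it for manual review, and the "securly migrate" claim in the header comment should be qualified accordingly. The same wrapper is needed for the `Deny from env=` rewrite, because Apache 2.4 does not accept a negated `Require not env` on its own (it reports it as having no effect in the implicit RequireAny). Separately, `print ARGV;` prints $_ to the input filehandle rather than to the output, so as written the script emits nothing; it should be a bare `print;` (with `$^I` enabled if in-place editing is the goal). The readline appended with `$_ .=` in the Deny branch has lost the commented-out `eof(ARGV)` guard, so a trailing `Deny from all` pulls in the first line of the next file in @ARGV, or blocks on STDIN, as the commented `our @ARGV` line already anticipates.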
@@ -0,0 +1,28 @@
+# This script dumbly migrate from Apache's configuration 2.2 to 2.4.
+#
+# Here are it's current quirk:
+# - it will modify config even if it's written to be cross compatible between thoses version
+# - it assume "Allow from" only specifies IPs
+
+# Order
+/Order[[:blank:]]*deny,allow/Id
+
+# * Deny
+# s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+
+/Deny[[:blank:]]*from[[:blank:]]*all/I {
+ N
+ s/.?\([[:blank:]]*\)Allow[[:blank:]]*from/\1Require ip/I
+ s/Deny[[:blank:]]*from[[:blank:]]*all/Require all denied/I
+}
+
+s/Deny from env=/Require not env /I
+
+# * Allow
+s/Allow[[:blank:]]*from[[:blank:]]*all/Require all granted/I
+s/Allow[[:blank:]]*from/Require ip/I
+
+# * Satisfy
+
+# It's the default value
+/Satisfy[[:blank:]]*any/Id
diff --git a/convert.sh b/convert.sh
new file mode 100644
index 0000000..3f135f2
--- /dev/null
+++ b/convert.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"
diff --git a/filter.sh b/filter.sh
new file mode 100644
index 0000000..5eedbc8
--- /dev/null
+++ b/filter.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Types: V S H T
+type=$1
+result=/tmp/apache-require/result
+
+awk --assign type="$type" '{ if ($NF == type) print $0; }' "$result"
diff --git a/inventory.sh b/inventory.sh
index 8e01ab7..d66d872 100755
--- a/inventory.sh
+++ b/inventory.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
 # TODO Use \0 as a seprator
+# TODO replace realpath as it isn't POSIX
+# TODO Categorize mixed directives, thoses need to be manualy modified
+# We may need a different file that list files with non mixed directives
 set -e
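Review bot: In the `Deny from all` block the leading `.?` is not an optional-newline match: in sed's default BRE syntax `?` is a literal character, so `s/.?\([[:blank:]]*\)Allow[[:blank:]]*from/\1Require ip/I` never fires and the joined pair is instead rewritten by the generic rules below into `Require all denied` followed by `Require ip X`, which only happens to behave under 2.4's implicit RequireAny and differs from what convert.pl in this patch produces. When `Deny from all` is the last line of a file, `N` has no next line and GNU sed prints the pattern space and exits, so that directive is emitted unconverted; use `$!N` and match the newline explicitly, `s/\n\([[:blank:]]*\)Allow[[:blank:]]*from/\n\1Require ip/I`. Like the Perl variant, this script turns a `Require valid-user` plus `Deny from all` / `Allow from` block into sibling Require lines, which Apache 2.4 ORs together where 2.2's default `Satisfy all` ANDed them, so such blocks need a `<RequireAll>` wrapper or manual review, and that belongs in the header's quirk list next to the "Allow from only specifies IPs" assumption. The `s/Deny from env=/Require not env /I` rule also uses literal single spaces unlike the `[[:blank:]]*` forms above it, so a tab-separated directive is missed, and its output needs the same `<RequireAll>` wrapper because 2.4 does not accept a bare negated Require.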
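Review bot: `result=/tmp/apache-require/result` hard-codes a predictable path under a world-writable directory, so on a shared host another local user can pre-create or symlink that file before the inventory runs and feed chosen filenames into what this filter reports; the inventory.sh hunks in this same patch also rename the output file to `$tmp_dir/inventory`, so if `$tmp_dir` is `/tmp/apache-require` this script now reads a stale or missing file. Take the result file explicitly and refuse a symlink rather than trusting a fixed /tmp path: `result=${2:?usage: filter.sh TYPE RESULT_FILE}` followed by `[ -L "$result" ] && { echo "refusing symlink $result" >&2; exit 1; }`, with the directory coming from `mktemp -d` in the producer. `awk --assign` is a GNU long option; the POSIX spelling `-v type="$type"` is equivalent and matches the POSIX goal recorded in the inventory.sh TODO.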
@@ -14,7 +17,7 @@ confs_vhost=$tmp_dir/confs_vhost
 confs_system=$tmp_dir/confs_system
 confs_htaccess=$tmp_dir/confs_htaccess
 confs_template=$tmp_dir/confs_template
-result=$tmp_dir/result
+result=$tmp_dir/inventory
 summary=$tmp_dir/summary
 
 module_loaded() {
@@ -34,7 +37,7 @@ get_confs() {
 for conf_file in $(cat "$confs"); do
 # XXX: Expand the filenames
 for glob in $(awk '/^[[:space:]]*Include/ {print $2}' "$conf_file"); do
- realpath --canonicalize-existing --no-symlinks --quiet $glob >> "$confs" || true
+ realpath --canonicalize-existing --quiet $glob >> "$confs" || true
 done
 done
 sort "$confs" | uniq > "$confs"_tmp && mv "$confs"_tmp "$confs"
@@ -64,10 +67,12 @@ get_template() {
 categorize_confs() {
 get_template > "$confs_template"
 get_htaccess > "$confs_htaccess"
- grep -E "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_vhost"
- grep -Ev "^${apache_dir}/sites-enabled/.*\\.conf" "$confs" > "$confs_system"
+ grep -E "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_vhost"
+ grep -Ev "^${apache_dir}/sites-available/.*\\.conf" "$confs" > "$confs_system"
 }
 
+
+# Count directives and return files only containing some directives
 # Takes argument: file type
 count_directives() {
 directives="Allow Order Deny Satisfy"
diff --git a/migrate.sh b/migrate.sh
new file mode 100644
index 0000000..e8a40eb
--- /dev/null
+++ b/migrate.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+newline="\n[[:blank:]]"
+
+# 2.2 Directives
+all_denied="s/Order deny,allow${newline}Deny from all/Require all denied/"
+-
+## Last
+deny_from_env="s/Deny from env=/Require not env /"
+allow_all="s/Allow from all/Require all granted/"
+
+# Mixed directives
+mix_allow_all_require_all="s/Allow from all${newline}Require all granted/Require all granted/"
diff --git a/notes.org b/notes.org
new file mode 100644
index 0000000..183c377
--- /dev/null
+++ b/notes.org
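Review bot: The rewritten realpath call in get_confs still silently drops every `Include` whose argument is relative: Apache resolves those against ServerRoot, while `realpath --canonicalize-existing $glob` resolves them against the caller's working directory, and `--quiet ... || true` hides the miss, so a configuration file can fall out of `$confs` and never have its `Allow`/`Deny`/`Order` directives inventoried or migrated, which is a silent gap in exactly the check this tool exists to perform. Resolve relative globs against the server root (the `$apache_dir` this script already uses in categorize_confs, assuming it is the ServerRoot) and report misses instead of swallowing them: `case $glob in /*) ;; *) glob="$apache_dir/$glob" ;; esac` before the call, and `realpath --canonicalize-existing --quiet $glob >> "$confs" || echo "warning: unresolved Include '$glob' in $conf_file" >&2` in place of `|| true`, which keeps `set -e` from aborting but leaves a trace. Dropping `--no-symlinks` also means a symlinked target outside `$apache_dir` (e.g. a vhost file kept under a site's home directory) now lands in `$confs_system` rather than `$confs_vhost`; that may be intended given the sites-available change in the next hunk, but the new categorize_confs comment should say so. get_confs begins before this hunk and the loop's `$glob` is deliberately unquoted for expansion, so a quoted or space-containing Include argument is still mishandled.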
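Review bot: The line holding a lone `-` after the `all_denied=` assignment in migrate.sh is neither a comment nor a continuation; the shell executes it as a command named `-` and fails with "command not found" whenever the file is run or sourced, so that line should be deleted. Apart from it the file is a byte-for-byte copy of convert.sh from this same patch, and neither of them ever invokes sed with the `all_denied`, `deny_from_env`, `allow_all` or `mix_allow_all_require_all` expressions they define, so one of the two should go or a header comment should state which is the entry point and how the expressions are applied. Note also that the `${newline}` patterns can only match once an `N` command has joined two lines into the pattern space, which nothing here arranges, so as written `all_denied` and `mix_allow_all_require_all` can never fire.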
@@ -0,0 +1,7 @@
+#+TITLE: Notes
+
+* hosting05
+- /etc/apache2/sites-enabled/acelem.conf
+- /etc/apache2/mods-enabled/status.conf
+- /home/labri/www/zp-data/.htaccess
+- /home/oldwiki/www/bleuroy/.htaccess
diff --git a/snippets b/snippets
new file mode 100644
index 0000000..14d3ba4
--- /dev/null
+++ b/snippets
@@ -0,0 +1,4 @@
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ Include /etc/apache2/ipaddr_whitelist.conf