diff --git a/.gitignore b/.gitignore
index 13f2924c..20708de3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
.kitchen/
+.kateproject.d
.vagrant/
diff --git a/apache/files/evolinux-ssl.conf b/apache/files/evolinux-ssl.conf
new file mode 100644
index 00000000..cde0f7ec
--- /dev/null
+++ b/apache/files/evolinux-ssl.conf
@@ -0,0 +1,11 @@
+# Strong security.
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
+SSLSessionCacheTimeout 600
+
+# Stapling not activated by default. Need config.
+#SSLUseStapling on
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)
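Review bot: `SSLProtocol All -SSLv2 -SSLv3` on the third line still leaves TLSv1.0 and TLSv1.1 negotiable, which sits oddly under the `# Strong security.` header; where the target's Apache/OpenSSL supports it, `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` matches the intent of the cipher list. `SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)` places a runtime cache under the log tree, where logrotate and log-shipping tooling may touch it; the commented stapling line already uses `${APACHE_RUN_DIR}`, so `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(512000)` keeps both consistent. The stapling comment would be more useful as `# Stapling needs outbound access to the CA's OCSP responder; enable per host.` than as "Need config."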
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index 4df77dcf..dce83867 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
@@ -3,13 +3,35 @@
name: '{{ item }}'
state: present
with_items:
- - apache2-mpm-itk
+ - apache2
+ - apache2-mpm-prefork
- apachetop
- - libapache2-mod-evasive
- libwww-perl
tags:
- apache
+- name: manually disable mpm_event
+ command: a2dismod mpm_event
+ register: cmd_disable_event
+ changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
+
+- name: manually enable mpm_prefork
+ command: a2enmod mpm_prefork
+ register: cmd_disable_prefork
+ changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
+
+# With Ansible 2.2 the module check the config for conflicts
+# With 2.3 it can be disabled.
+# https://docs.ansible.com/ansible/apache2_module_module.html
+# - name: mpm_event modules is disabled
+# apache2_module:
+# name: '{{ item }}'
+# state: absent
+# with_items:
+# - mpm_event
+# tags:
+# - apache
+
- name: basic modules are enabled
apache2_module:
name: '{{ item }}'
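Review bot: The register name `cmd_disable_prefork` on the `manually enable mpm_prefork` task describes the opposite of what the task does; `register: cmd_enable_prefork` and `changed_when: "'Module mpm_prefork already enabled' not in cmd_enable_prefork.stdout"` read correctly. Neither new `command` task carries the `tags: - apache` the surrounding tasks have, so a run limited to that tag installs the prefork package but skips the MPM switch. Changing the MPM only takes effect after a restart and neither task notifies a handler; if the apache role defines a restart handler, `notify:` belongs on both. The task whose `name:` line precedes the hunk is only partly visible here.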
@@ -18,8 +40,8 @@
- rewrite
- expires
- headers
- - rewrite
- cgi
+ - ssl
tags:
- apache
@@ -45,6 +67,17 @@
tags:
- apache
+- name: Copy Apache SSL (strong security) config file
+ copy:
+ src: evolinux-ssl.conf
+ dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ tags:
+ - apache
+
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
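Review bot: `force: no` on the `Copy Apache SSL (strong security) config file` task means the cipher and protocol settings in evolinux-ssl.conf are written once and never refreshed, so later hardening of that file in the role will not reach hosts that already have it. The role already separates `z-evolinux-defaults.conf` from `zzz-evolinux-custom.conf`; following that split (managed TLS file without `force: no`, site-specific overrides in the custom file) keeps the TLS baseline updatable. The `a2enconf` task that follows continues past the hunk.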
@@ -52,6 +85,7 @@
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
+ - evolinux-ssl.conf
tags:
- apache
diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml
new file mode 100644
index 00000000..30ba8010
--- /dev/null
+++ b/evoadmin/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+general_alert_email: "root@localhost"
+evoadmin_contact_email: Null
+evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
+
+evoadmin_home_dir: "/home/{{ evoadmin_username }}"
+evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
+evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
+evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
+evoadmin_username: evoadmin
+evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+
+evoadmin_enable_vhost: True
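Review bot: `evoadmin_contact_email: Null` and `evoadmin_enable_vhost: True` rely on YAML 1.1 capitalised literals; write them as `null` and `true` (the same applies to `packweb-apache/defaults/main.yml`). `evoadmin_bounce_email: "{{ evoadmin_contact_email }}"` templates a null into a quoted string, and depending on the Ansible version that may render as the literal text `None`, which is truthy and would defeat the `or general_alert_email` fallback in web-add.conf.j2 — worth confirming, or default it to `null` too and resolve the chain in the template. `evoadmin_scripts_dir: /usr/share/scripts/evoadmin/` keeps a trailing slash while every consumer appends `/...`, producing `//` in paths, including the sudoers Cmnd_Alias; dropping the slash from the default is the simplest fix.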
diff --git a/evoadmin/files/evolinux.conf.diff b/evoadmin/files/evolinux.conf.diff
new file mode 100644
index 00000000..dd09e474
--- /dev/null
+++ b/evoadmin/files/evolinux.conf.diff
@@ -0,0 +1,12 @@
+--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200
++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200
+@@ -23,7 +23,5 @@
+ # Allow RESUME (REST command)
+ AllowStoreRestart on
+
+-
+- AllowGroup ftpusers
+- DenyAll
+-
++AuthOrder mod_auth_file.c
++AuthUserFile /etc/proftpd/vpasswd
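Review bot: The patch removes `AllowGroup ftpusers` and `DenyAll` from the ProFTPD config and adds `AuthOrder mod_auth_file.c`/`AuthUserFile /etc/proftpd/vpasswd`, which, if those lines sit inside a `<Limit LOGIN>` block, replaces a group-restricted login policy with "anyone listed in vpasswd"; a comment in ftp.yml stating that this is the intended access model would help. The patch is also pinned to a 2015 snapshot by exact offsets (`@@ -23,7 +23,5 @@`) and two context lines, so a host whose `z-evolinux.conf` has drifted fails the `patch` task rather than being converged; a `blockinfile` or a full template of the file would be more robust than a unified diff.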
diff --git a/evoadmin/handlers/main.yml b/evoadmin/handlers/main.yml
new file mode 100644
index 00000000..c4cdb576
--- /dev/null
+++ b/evoadmin/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+ service:
+ name: apache2
+ state: reloaded
diff --git a/evoadmin/tasks/config.yml b/evoadmin/tasks/config.yml
new file mode 100644
index 00000000..b34b5ef0
--- /dev/null
+++ b/evoadmin/tasks/config.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+ file:
+ dest: "/etc/evolinux"
+ recurse: yes
+ state: directory
+
+- name: Configure web-add config file
+ template:
+ src: web-add.conf.j2
+ dest: /etc/evolinux/web-add.conf
+
+- name: Configure web-add template file for mail
+ template:
+ src: web-mail.tpl.j2
+ dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"
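Review bot: `recurse: yes` on the `Create /etc/evolinux` task does nothing without `owner`/`group`/`mode` to propagate, and would later rewrite attributes of everything under that directory if any were added; `state: directory` with an explicit `mode: "0755"` is enough. The two `template` tasks set no `owner`/`group`/`mode`; web-add.conf is read by the `web-*.sh` scripts that sudoers.j2 lets www-evoadmin run as root, so pin `owner: root`, `group: root`, `mode: "0644"` on both so the files can never become writable by the web account.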
diff --git a/evoadmin/tasks/ftp.yml b/evoadmin/tasks/ftp.yml
new file mode 100644
index 00000000..e4eacabf
--- /dev/null
+++ b/evoadmin/tasks/ftp.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Verify if proftpd has evolinux config file
+ stat:
+ path: /etc/proftpd/conf.d/z-evolinux.conf
+ register: proftpd_config
+
+- block:
+ - name: Patch ProFTPd config file
+ patch:
+ remote_src: no
+ src: evolinux.conf.diff
+ dest: /etc/proftpd/conf.d/z-evolinux.conf
+ # Why 440? Because should be edited with ftpasswd.
+ # So, readonly when opened with vim.
+ # Then readable by group.
+ - name: Create /etc/proftpd/vpasswd file in 0440 mode
+ file:
+ state: touch
+ path: /etc/proftpd/vpasswd
+ mode: "0440"
+ owner: root
+ group: root
+ when: proftpd_config.stat.exists
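Review bot: `state: touch` on the `Create /etc/proftpd/vpasswd file in 0440 mode` task updates the mtime and reports changed on every run, so the play is never idempotent for this block; `copy: content: "" dest: /etc/proftpd/vpasswd force: no` with the same owner/group/mode creates it once and is silent afterwards. The `patch` task writes no `backup`, so the pre-patch `z-evolinux.conf` is not recoverable if the hunk applies with fuzz; `backup: yes` is cheap here.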
diff --git a/evoadmin/tasks/main.yml b/evoadmin/tasks/main.yml
new file mode 100644
index 00000000..655aa81d
--- /dev/null
+++ b/evoadmin/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- include: ftp.yml
diff --git a/evoadmin/tasks/packages.yml b/evoadmin/tasks/packages.yml
new file mode 100644
index 00000000..f0dd16d3
--- /dev/null
+++ b/evoadmin/tasks/packages.yml
@@ -0,0 +1,17 @@
+---
+
+- include_role:
+ name: apt-repositories
+ tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ allow_unauthenticated: yes
+ with_items:
+ - php-pear
+ - php-log
+ - php5-pam
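Review bot: `allow_unauthenticated: yes` on the `Install PHP packages` task switches off apt's signature verification for php-pear, php-log and php5-pam, so a substituted or tampered package is installed without complaint. The `include_role` just above pulls in the evolix public repository; importing its signing key there (via `apt_key`) lets this flag be dropped and keeps the normal apt trust path in force for these packages.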
diff --git a/evoadmin/tasks/ssl.yml b/evoadmin/tasks/ssl.yml
new file mode 100644
index 00000000..1eb354fc
--- /dev/null
+++ b/evoadmin/tasks/ssl.yml
@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+ apt:
+ name: ssl-cert
+ state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+ command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}"
+ args:
+ creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
+
+- name: Adjust rights on private key
+ file:
+ path: /etc/ssl/private/{{ evoadmin_host }}.key
+ owner: root
+ group: ssl-cert
+ mode: "0640"
+
+- name: Create certificate for default site
+ command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+ args:
+ creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"
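Review bot: The certificate's subject comes from `evoadmin_ssl_subject`, whose default is `/CN={{ ansible_fqdn }}`, while the key, CSR and certificate paths and the vhost's `ServerName` all use `evoadmin_host` (`evoadmin.{{ ansible_fqdn }}`), so the self-signed certificate is issued for a name the site never serves; the default should be `evoadmin_ssl_subject: "/CN={{ evoadmin_host }}"`. The task name `Create private key and csr for default site ({{ ansible_fqdn }})` carries the same mismatch. The key is created by `openssl req` with whatever mode its default file creation gives and only tightened to 0640 by the next task; running it as `shell: umask 077; openssl req ...` under the same `creates:` guard keeps the key private from the first byte, small as the window is inside /etc/ssl/private.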
diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml
new file mode 100644
index 00000000..e3442cd1
--- /dev/null
+++ b/evoadmin/tasks/user.yml
@@ -0,0 +1,60 @@
+---
+
+- name: Create evoadmin account
+ user:
+ name: evoadmin
+ comment: "Evoadmin Web Account"
+ home: "{{ evoadmin_home_dir}}"
+ password: "!"
+
+- name: Create www-evoadmin group
+ group:
+ name: www-evoadmin
+ state: present
+
+- name: Install Git
+ apt:
+ name: git
+ state: present
+
+- name: Clone evoadmin repository
+ git:
+ repo: https://forge.evolix.org/evoadmin-web.git
+ dest: "{{ evoadmin_document_root}}"
+ update: no
+ # Warning: Need sudo!
+ become_user: "{{ evoadmin_username }}"
+
+- name: "Create {{ evoadmin_scripts_dir }}"
+ file:
+ dest: "{{ evoadmin_scripts_dir }}"
+ # recurse: yes
+ mode: "0700"
+ state: directory
+
+- name: Install scripts like web-add.sh
+ shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+ args:
+ creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+ shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ # failed_when: False
+ with_items:
+ - "{{ evoadmin_home_dir}}/www"
+
+- name: Add www-evoadmin to group shadow
+ user:
+ name: www-evoadmin
+ groups: shadow
+ append: yes
+
+- name: Add evoadmin sudoers file
+ template:
+ src: sudoers.j2
+ dest: /etc/sudoers.d/evoadmin
+ mode: "0600"
+ validate: "visudo -cf %s"
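Review bot: The `Clone evoadmin repository` task has no `version:`, so whatever HEAD of `https://forge.evolix.org/evoadmin-web.git` is at first run gets copied into `{{ evoadmin_scripts_dir }}` and then granted root through sudoers.j2; pin `version: <reviewed tag or commit>` so the code that runs as root is a known revision. `Add www-evoadmin to group shadow` uses the `user` module on an account nothing in this diff creates, so on a fresh host it silently creates www-evoadmin as a normal login user with a home directory; declare it explicitly with `system: yes`, `shell: /usr/sbin/nologin`, `createhome: no` before adding it to `shadow`, and leave a comment on why shadow access is needed (presumably php5-pam authentication against system accounts — confirm). `mode: "0600"` on the sudoers fragment should be `mode: "0440"`, the mode sudo expects for files in /etc/sudoers.d. `name: evoadmin` on the first task hard-codes what `evoadmin_username` parameterises three tasks later.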
diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml
new file mode 100644
index 00000000..7bbc67be
--- /dev/null
+++ b/evoadmin/tasks/web.yml
@@ -0,0 +1,42 @@
+---
+
+- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ ini_file:
+ dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ section: PHP
+ option: "disable_functions"
+ value: "shell-exec,system,passthru,putenv,popen"
+ notify: reload apache
+
+
+- name: Install evoadmin VHost
+ template:
+ src: evoadmin.conf.j2
+ dest: /etc/apache2/sites-available/evoadmin.conf
+ notify: reload apache2
+
+- name: Enable evoadmin vhost
+ command: "a2ensite evoadmin.conf"
+ register: cmd_a2ensite
+ changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+ notify: reload apache2
+ when: evoadmin_enable_vhost
+
+- name: Disable evoadmin vhost
+ command: "a2dissite evoadmin.conf"
+ register: cmd_a2dissite
+ changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+ notify: reload apache2
+ when: not evoadmin_enable_vhost
+
+- name: Copy config file for evoadmin
+ template:
+ src: config.local.php.j2
+ dest: "{{ evoadmin_document_root}}/conf/config.local.php"
+ mode: "0644"
+ force: no
+
+- name: add www-evoadmin to shadow group
+ user:
+ name: www-evoadmin
+ groups: shadow
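Review bot: `value: "shell-exec,system,passthru,putenv,popen"` on the `disable_functions` task misspells the PHP function `shell_exec` (underscore), so that function stays callable while the task reports success; the same typo is in `packweb-apache/tasks/php.yml` on both `disable_functions` values. `notify: reload apache` on that task names a handler this role does not define (handlers/main.yml only has `reload apache2`, which the other tasks here use), so the role fails with an unknown-handler error when run without packweb-apache. `add www-evoadmin to shadow group` at the end repeats the task already in user.yml but without `append: yes`, which resets www-evoadmin's supplementary groups to `shadow` alone; drop this copy.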
diff --git a/evoadmin/templates/config.local.php.j2 b/evoadmin/templates/config.local.php.j2
new file mode 100644
index 00000000..3e159bcd
--- /dev/null
+++ b/evoadmin/templates/config.local.php.j2
@@ -0,0 +1,8 @@
+
+ ServerName {{ evoadmin_host }}
+ Redirect permanent / https://{{ evoadmin_host }}/
+
+
+
+
+ # FQDN principal
+ ServerName {{ evoadmin_host }}
+ #ServerAlias {{ evoadmin_host }}
+
+ # Repertoire principal
+ DocumentRoot {{ evoadmin_document_root }}/htdocs/
+
+ # SSL
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ evoadmin_host }}.crt
+ SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key
+ SSLProtocol all -SSLv2 -SSLv3
+
+ # Propriete du repertoire
+
+ #Options Indexes SymLinksIfOwnerMatch
+ Options SymLinksIfOwnerMatch
+ AllowOverride AuthConfig Limit FileInfo
+ Require all granted
+
+
+ # user - group (thanks to sesse@debian.org)
+ AssignUserID www-evoadmin evoadmin
+
+ # LOG
+ CustomLog /var/log/apache2/access.log combined
+ CustomLog {{ evoadmin_log_dir }}/access.log combined
+ ErrorLog {{ evoadmin_log_dir }}/error.log
+
+ # AWSTATS
+ SetEnv AWSTATS_FORCE_CONFIG evoadmin
+
+ # REWRITE
+ UseCanonicalName On
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$
+ RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+ # PHP
+ #php_admin_flag engine off
+ #AddType text/html .html
+ #php_admin_flag display_errors On
+ #php_flag short_open_tag On
+ #php_flag register_globals On
+ #php_admin_value memory_limit 256M
+ #php_admin_value max_execution_time 60
+ #php_admin_value upload_max_filesize 8M
+ #php_admin_flag allow_url_fopen Off
+ php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
+ php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log"
+ php_admin_value open_basedir "none"
+
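Review bot: `SSLProtocol all -SSLv2 -SSLv3` in the vhost repeats the global setting from apache/files/evolinux-ssl.conf; a per-vhost value overrides the global one, so any later tightening of the shared file is silently undone for this site — remove the line here and let the global config govern. `php_admin_value open_basedir "none"` lifts the filesystem restriction for the one vhost whose PHP runs with sudo-capable scripts and shadow access; if the application genuinely needs it, a comment naming the paths it reads outside `{{ evoadmin_document_root }}` would justify it, otherwise set open_basedir to the document root and the scripts directory. The hunk header announces 8 lines but some 58 follow with no `<VirtualHost>`/`<Directory>` containers visible, so this section looks like two files fused by the extraction and the container boundaries cannot be checked here.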
diff --git a/evoadmin/templates/sudoers.j2 b/evoadmin/templates/sudoers.j2
new file mode 100644
index 00000000..4dfd71c1
--- /dev/null
+++ b/evoadmin/templates/sudoers.j2
@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
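Review bot: `EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB` grants the web account root on `web-*.sh` and `ftpadmin.sh` with any arguments, so argument validation inside those scripts is the only barrier; a leading comment such as `# www-evoadmin runs these as root with caller-supplied arguments: the scripts must validate every argument, and the directory must stay root-owned (see tasks/user.yml)` records the trust boundary for whoever edits either side.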
diff --git a/evoadmin/templates/web-add.conf.j2 b/evoadmin/templates/web-add.conf.j2
new file mode 100644
index 00000000..86eabd29
--- /dev/null
+++ b/evoadmin/templates/web-add.conf.j2
@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
diff --git a/evoadmin/templates/web-mail.tpl.j2 b/evoadmin/templates/web-mail.tpl.j2
new file mode 100644
index 00000000..82d4f67d
--- /dev/null
+++ b/evoadmin/templates/web-mail.tpl.j2
@@ -0,0 +1,86 @@
+From: %MAIL_FROM%
+To: RCPTTO
+Bcc: %MAIL_BCC%
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : %SERVER_NAME%
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://SERVERNAME
+
+URL des stats :
+http://SERVERNAME/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+%PMA_URL%
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A)
+ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+%SERVER_ADDR% SERVERNAME
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://SERVERNAME/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
+etc.), n'hesitez pas a nous contacter a l'adresse
+%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est
+urgente).
+
+
+Cordialement,
+--
+%FOOTER%
\ No newline at end of file
diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml
index 750d2200..0fdf03f9 100644
--- a/evolinux-base/tasks/default_www.yml
+++ b/evolinux-base/tasks/default_www.yml
@@ -92,7 +92,7 @@
- name: Apache vhost is installed
template:
src: default_www/apache_default_site.j2
- dest: /etc/apache2/sites-available/000-default
+ dest: /etc/apache2/sites-available/000-default.conf
mode: "0640"
# force: yes
notify: reload apache
@@ -101,8 +101,8 @@
- name: Apache vhost is enabled
file:
- src: /etc/apache2/sites-available/000-default
- dest: /etc/apache2/sites-enabled/000-default
+ src: /etc/apache2/sites-available/000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
state: link
notify: reload apache
when: evolinux_default_www_apache_enabled
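Review bot: The rename to `000-default.conf` leaves the previously installed `/etc/apache2/sites-available/000-default` and the `sites-enabled/000-default` symlink in place on hosts provisioned with the old name; if the packaged `IncludeOptional sites-enabled/*.conf` pattern is in use the suffix-less link is simply ignored, so the site keeps working, but the stale files will mislead the next audit. Add a `file: path: ... state: absent` for both old paths (with `notify: reload apache`) alongside these tasks, under the same `when:` that ends this hunk.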
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml
index c56afd59..101330b8 100644
--- a/evolinux-base/tasks/logs.yml
+++ b/evolinux-base/tasks/logs.yml
@@ -27,7 +27,7 @@
- name: Configure logrotate.conf
replace:
dest: /etc/logrotate.conf
- regexp: "rotate [0-9]*"
+ regexp: "rotate [0-9]+"
replace: "rotate 12"
when: evolinux_logs_default_rotate
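Review bot: `regexp: "rotate [0-9]+"` now requires at least one digit but is still unanchored, so a commented `# rotate 4` or a `rotate` inside a per-log stanza of logrotate.conf is rewritten too, and `replace` substitutes every match; `regexp: "^rotate [0-9]+"` limits the change to the global directive (the module matches in multiline mode). Whether per-log stanzas should also be forced to 12 is a decision worth stating in the task name or a comment.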
diff --git a/packweb-apache/README.md b/packweb-apache/README.md
new file mode 100644
index 00000000..a8bae5f0
--- /dev/null
+++ b/packweb-apache/README.md
@@ -0,0 +1,15 @@
+# packweb-apache
+
+Install the web pack, with Apache.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file for now.
+
+## Available variables
+
+Main variables are :
+
+* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml
new file mode 100644
index 00000000..0301183f
--- /dev/null
+++ b/packweb-apache/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for packweb-apache
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null
+packweb_enable_evoadmin_vhost: True
diff --git a/packweb-apache/files/evolinux-evasive.conf b/packweb-apache/files/evolinux-evasive.conf
new file mode 100644
index 00000000..15be182f
--- /dev/null
+++ b/packweb-apache/files/evolinux-evasive.conf
@@ -0,0 +1,8 @@
+
+DOSHashTableSize 3097
+DOSPageCount 5
+DOSSiteCount 30
+DOSPageInterval 3
+DOSSiteInterval 1
+DOSBlockingPeriod 60
+
diff --git a/packweb-apache/files/evolinux-itk.conf b/packweb-apache/files/evolinux-itk.conf
new file mode 100644
index 00000000..4e25d84b
--- /dev/null
+++ b/packweb-apache/files/evolinux-itk.conf
@@ -0,0 +1,10 @@
+
+StartServers 50
+MinSpareServers 20
+MaxSpareServers 30
+ServerLimit 250
+MaxClients 250
+MaxRequestsPerChild 0
+LimitUIDRange 0 6000
+LimitGIDRange 0 6000
+
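Review bot: `LimitUIDRange 0 6000` / `LimitGIDRange 0 6000` set the floor at 0, so an `AssignUserID` in any vhost may name root or another privileged system account unless mpm-itk refuses it on its own; raising the floor to the lowest uid/gid an ITK vhost legitimately uses on these hosts (the evoadmin vhost assigns `www-evoadmin`, so that account must stay inside the range) makes the least-privilege intent explicit. `MaxClients` is the 2.2 spelling; `MaxRequestWorkers` is the 2.4 name, though the old one is still accepted as an alias.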
diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf
new file mode 100644
index 00000000..d78c0d9f
--- /dev/null
+++ b/packweb-apache/files/evolinux-modsec.conf
@@ -0,0 +1,48 @@
+
+
+# enable mod_security
+SecRuleEngine On
+# access to request bodies
+SecRequestBodyAccess On
+#SecRequestBodyLimit 134217728
+#SecRequestBodyInMemoryLimit 131072
+# access to response bodies
+SecResponseBodyAccess Off
+#SecResponseBodyLimit 524288
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+#SecServerSignature "Apache/2.2.0 (Fedora)"
+
+SecUploadDir /tmp
+SecUploadKeepFiles Off
+
+# default action
+SecDefaultAction "log,auditlog,deny,status:406,phase:2"
+
+SecAuditEngine RelevantOnly
+#SecAuditLogRelevantStatus "^[45]"
+# use only one log file
+SecAuditLogType Serial
+# audit log file
+SecAuditLog /var/log/apache2/modsec_audit.log
+# what is logged
+SecAuditLogParts "ABIFHZ"
+
+#SecArgumentSeparator "&"
+SecCookieFormat 0
+SecDebugLog /var/log/apache2/modsec_debug.log
+SecDebugLogLevel 0
+
+SecDataDir /tmp
+SecTmpDir /tmp
+
+#########
+# RULES
+#########
+
+# File name
+SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
+# Complete URI
+SecRule REQUEST_URI "modsecuritytest2" "id:2"
+SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
+
+
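Review bot: `SecUploadDir /tmp`, `SecDataDir /tmp` and `SecTmpDir /tmp` put ModSecurity's persistent collections, temp files and any kept uploads in a world-writable directory shared with every local user and subject to tmp cleaners; point them at a directory owned by the Apache user and not writable by others, such as the `/var/cache/modsecurity` that Debian's packaged modsecurity.conf uses, with `SecUploadDir` on its own private path if `SecUploadKeepFiles` is ever turned on. Rule ids 1–3 fall in the range ModSecurity reserves for local rules, which is fine, but a comment marking `modsecuritytest1`/`modsecuritytest2` as smoke-test rules versus the real `.exe` filter would stop someone deleting the wrong one. No `<IfModule security2_module>` wrapper is visible around the block, though that may be the extraction dropping angle-bracket lines.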
diff --git a/packweb-apache/files/log/access.log b/packweb-apache/files/log/access.log
new file mode 100644
index 00000000..e69de29b
diff --git a/packweb-apache/files/log/error.log b/packweb-apache/files/log/error.log
new file mode 100644
index 00000000..e69de29b
diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate
new file mode 100644
index 00000000..339101a9
--- /dev/null
+++ b/packweb-apache/files/userlogrotate
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+DATE=`/bin/date +"%d-%m-%Y"`
+HOMEPREFIX="/home"
+
+rotate () {
+ mv $1 $1.$DATE
+ gzip $1.$DATE
+ touch $1
+ chown $2 $1
+ chmod g+r $1
+}
+
+user_for() {
+ homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"`
+ stat -L -c '%G' $homedir
+}
+
+for log in access.log access-*.log error.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i root:$USER
+ done
+done
+
+for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i www-$USER:$USER
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i $USER:$USER
+ done
+done
+
+apache2ctl restart > /dev/null
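Review bot: The script runs as root from cron.weekly and performs `mv`, `touch`, `chown` and `chmod g+r` on paths under `$HOMEPREFIX/*/log` that the account owner controls, with `ls` resolving through symlinks and `chown` following them, so a symlinked `~/log` or a symlink appearing between `touch` and `chown` can redirect those operations to a file outside the home. Either switch the enumeration to `find "$HOMEPREFIX" -mindepth 3 -maxdepth 3 -path "$HOMEPREFIX/*/log/$log" -type f` (which neither traverses symlinked directories nor returns symlinks) and guard the chown with `[ -L "$1" ] && return`, or, better, replace the script with a logrotate fragment using its `su <user> <group>` and `create 0640 root <group>` directives, which exist precisely for rotating logs in user-writable directories. Every `$1`, `$i` and `$homedir` is unquoted and the loops parse `ls` output, so any path with whitespace breaks the rotation; quoting and `find -print0 | while IFS= read -r -d '' i` fix that at the same time. `apache2ctl restart` is a hard restart every week where `apache2ctl graceful` reopens the log files without dropping in-flight connections.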
diff --git a/packweb-apache/handlers/main.yml b/packweb-apache/handlers/main.yml
new file mode 100644
index 00000000..af4d94d2
--- /dev/null
+++ b/packweb-apache/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart apache
+ service:
+ name: apache2
+ state: restarted
+
+- name: reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml
new file mode 100644
index 00000000..76756d10
--- /dev/null
+++ b/packweb-apache/tasks/apache.yml
@@ -0,0 +1,67 @@
+---
+
+- name: Check if Apache envvars have a PATH
+ command: "grep -E '^export PATH ' /etc/apache2/envvars"
+ failed_when: False
+ changed_when: False
+ register: envvar_grep_path
+ check_mode: no
+
+- name: Add a PATH envvar for Apache
+ blockinfile:
+ dest: /etc/apache2/envvars
+ marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
+ block: |
+ # Used for Evoadmin-web
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ when: envvar_grep_path.rc != 0
+
+- name: Additional packages are installed
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - apache2-mpm-itk
+ - libapache2-mod-evasive
+ - libapache2-mod-security2
+
+- name: Copy Apache settings for modules
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/apache2/conf-available/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ with_items:
+ - evolinux-itk.conf
+ - evolinux-evasive.conf
+ - evolinux-modsec.conf
+
+- name: Ensure Apache modules configs are enabled
+ command: "a2enconf {{ item }}"
+ register: command_result
+ changed_when: "'Enabling' in command_result.stderr"
+ with_items:
+ - evolinux-itk
+ - evolinux-evasive
+ - evolinux-modsec
+
+- name: Check if log2mail is installed
+ command: "apt list --installed log2mail"
+ register: command_result
+ changed_when: False
+
+- debug:
+ var: command_result
+ verbosity: 1
+
+- name: Add log2mail config for Apache segfaults
+ template:
+ src: log2mail-apache.j2
+ dest: "/etc/log2mail/config/apache"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ when: "'log2mail' in command_result.stdout"
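Review bot: The guard `grep -E '^export PATH '` (trailing space) never matches the line the blockinfile task itself writes, `export PATH=/usr/local/sbin:...`, so the check only detects a differently-spelled pre-existing export and the `when:` is effectively always true; `blockinfile`'s markers keep it idempotent anyway, so either drop the grep or make it `grep -E '^export PATH='`. `changed_when: "'Enabling' in command_result.stderr"` here (and in awstats.yml and phpmyadmin.yml) tests stderr while evoadmin/tasks/web.yml tests stdout for the same a2en*/a2dis* family; only one can be right for a given release, so confirm on the target and align them. `apt list --installed log2mail` uses the CLI apt itself warns is unstable for scripting; `dpkg-query -W -f='${Status}' log2mail` with `failed_when: False` gives a stable answer, and re-using `command_result` for two different registers in one file invites reading the wrong one.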
diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml
new file mode 100644
index 00000000..1919b17d
--- /dev/null
+++ b/packweb-apache/tasks/awstats.yml
@@ -0,0 +1,48 @@
+---
+- name: Install awstats
+ apt:
+ name: awstats
+ state: present
+
+- name: Configure awstats
+ blockinfile:
+ dest: /etc/awstats/awstats.conf.local
+ marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB"
+ block: |
+ LogFile="/var/log/apache2/access.log"
+ SiteDomain="{{ ansible_hostname }}"
+ DirData="/var/lib/awstats"
+ ShowHostsStats=0
+ ShowOriginStats=0
+ ShowPagesStats=0
+ ShowKeyphrasesStats=0
+ ShowKeywordsStats=0
+ ShowHTTPErrorsStats=0
+ LogFormat=1
+ AllowFullYearView=3
+ ErrorMessages="An error occured. Contact your Administrator"
+ mode: "0644"
+
+- name: Create conf-available/awstats-icon.conf file
+ copy:
+ dest: /etc/apache2/conf-available/awstats-icon.conf
+ content: |
+ Alias /awstats-icon/ /usr/share/awstats/icon/
+
+ Require all granted
+
+ force: no
+ mode: "0644"
+
+- name: Enable apache awstats-icon configuration
+ command: "a2enconf awstats-icon"
+ register: command_result
+ changed_when: "'Enabling' in command_result.stderr"
+ notify: reload apache
+
+- name: Create awstats cron
+ lineinfile:
+ dest: /etc/cron.d/awstats
+ create: yes
+ regexp: '-config=awstats'
+ line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null"
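Review bot: The cron line runs `awstats.pl -update` as `root` every six hours, but the parser only needs read access to `/var/log/apache2/access.log` and write access to `/var/lib/awstats`; Debian's own cron.d/awstats runs it as `www-data`, so running as that user (with `/var/lib/awstats` owned accordingly) keeps a log parser off root. `SiteDomain="{{ ansible_hostname }}"` uses the short hostname while the rest of the change keys on `ansible_fqdn`; a comment or a switch to the FQDN would avoid the inconsistency. The `content:` of awstats-icon.conf shows `Alias` and `Require all granted` with an empty line between, which suggests a `<Directory>` container lost to extraction; if it is genuinely absent, the `Require` applies at server scope rather than to the icon directory.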
diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml
new file mode 100644
index 00000000..8aa0f26c
--- /dev/null
+++ b/packweb-apache/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+
+- name: Include apache role
+ include_role:
+ name: "apache"
+
+- name: Add elements to user account template
+ file:
+ path: "/etc/skel/{{ item.path }}"
+ state: "{{ item.state }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { path: log, mode: "0750", state: directory }
+ - { path: awstats, mode: "0750", state: directory }
+ - { path: www, mode: "0750", state: directory }
+
+- name: Copy apache empty log files if missing
+ copy:
+ src: "log/{{ item }}"
+ dest: "/etc/skel/log/{{ item }}"
+ mode: "0644"
+ force: no
+ with_items:
+ - access.log
+ - error.log
+
+- name: Install userlogrotate
+ copy:
+ src: userlogrotate
+ dest: /etc/cron.weekly/userlogrotate
+ mode: "0755"
+
+- name: Force DIR_MODE to 0750 in /etc/adduser.conf
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: '^DIR_MODE='
+ line: 'DIR_MODE=0750'
+
+- include: apache.yml
+
+- include: php.yml
+
+- include: phpmyadmin.yml
+
+- include: awstats.yml
+
+- name: Remove read permission on some folders (/, /etc, ...)
+ shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ failed_when: False
+ with_items:
+ - /
+ - /etc
+ - /usr
+ - /usr/bin
+ - /var
+ - /var/log
+ - /home
+ - /bin
+ - /sbin
+ - /lib
+ - /usr/lib
+ - /usr/include
+ - /usr/bin
+ - /usr/sbin
+ - /usr/share
+ - /usr/share/doc
+ - /etc/default
+
+- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
+ shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ failed_when: False
+ with_items:
+ - /var/log/apt
+ - /var/lib/dpkg
+ - /var/log/munin
+ - /var/backups
+ - /var/cache/apt
+ - /etc/init.d
+ - /etc/apt
+ - /etc/apache2
+ - /etc/network
+ - /etc/phpmyadmin
+ - /var/log/installer
+
+- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
+ shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ failed_when: False
+ with_items:
+ - /bin/ping
+ - /bin/ping6
+ - /usr/bin/fping
+ - /usr/bin/fping6
+ - /usr/bin/mtr
+
+- name: Set 640 permission on some files (/var/log/evolix.log, ...)
+ shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ failed_when: False
+ with_items:
+ - /var/log/evolix.log
+ - /etc/warnquota.conf
+
+- name: Remove some log files (/var/log/mail.err, ...)
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /var/log/debug
+ - /var/log/mail.err
+ - /var/log/mail.warn
+
+- name: Install Evoadmin
+ include_role:
+ name: evoadmin
+ vars:
+ evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
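Review bot: `/usr/bin` appears twice in the `Remove read permission on some folders` list (after `/usr` and again after `/usr/include`), so drop one. All four `chmod` tasks combine `test -d/-f {{ item }} && chmod ...` with `failed_when: False`, which hides a genuine chmod failure (read-only filesystem, immutable attribute) behind the "path absent" case; `shell: "test -d {{ item }} || exit 0; chmod --verbose o-r {{ item }}"` without `failed_when` keeps the missing-path tolerance and lets real errors surface. The same pattern sits in the three tasks that follow it.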
diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml
new file mode 100644
index 00000000..ee65fd2f
--- /dev/null
+++ b/packweb-apache/tasks/php.yml
@@ -0,0 +1,64 @@
+---
+
+- name: Install PHP5 packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - libapache2-mod-php5
+ - php5
+ - php5-gd
+ - php5-imap
+ - php5-ldap
+ - php5-mcrypt
+ - php5-mysql
+ - php5-pgsql
+ - php-gettext
+ - php5-curl
+ - libssh2-php
+ tags:
+ - apache
+
+- name: Set variables for php config files
+ set_fact:
+ php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ create: yes
+ with_items:
+ - { option: "short_open_tag", value: "Off" }
+ - { option: "expose_php", value: "Off" }
+ - { option: "display_errors", value: "Off" }
+ - { option: "log_errors", value: "On" }
+ - { option: "allow_url_fopen", value: "Off" }
+ notify: reload apache
+
+- name: Disable PHP exec function without evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "exec,shell-exec,system,passthru,putenv,popen"
+ when: not packweb_enable_evoadmin_vhost
+
+- name: Don't disable PHP exec function with evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "shell-exec,system,passthru,putenv,popen"
+ when: packweb_enable_evoadmin_vhost
+
+- name: Custom php.ini
+ copy:
+ dest: "{{ php5_apache5_custom_file }}"
+ content: |
+ # Put customized values here.
+ force: no
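Review bot: The two `disable_functions` tasks (`Disable PHP exec function without evoadmin` / `Don't disable PHP exec function with evoadmin`) carry no `notify: reload apache`, unlike the `Set default values for PHP` task above them, so toggling `packweb_enable_evoadmin_vhost` edits the ini file without the change taking effect until something else reloads Apache; add the notify to both. The fact names `php5_apache5_defaults_file`/`php5_apache5_custom_file` read like a slip for `php5_apache2_*` given the `/etc/php5/apache2/` paths they hold. `create: yes` on the first `ini_file` is the module default and can go.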
diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml
new file mode 100644
index 00000000..cc34067e
--- /dev/null
+++ b/packweb-apache/tasks/phpmyadmin.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Install phpmyadmin
+ apt:
+ name: phpmyadmin
+ state: present
+
+- name: Check if phpmyadmin default configuration is present
+ stat:
+ path: /etc/apache2/conf-enabled/phpmyadmin.conf
+ register: pma_default_config
+
+- debug:
+ var: pma_default_config
+ verbosity: 1
+
+- name: Disable phpmyadmin default configuration
+ command: "a2disconf phpmyadmin"
+ register: command_result
+ changed_when: "'Disabling' in command_result.stderr"
+ when: pma_default_config.stat.exists
+
+- name: Change group to www-data for /etc/phpmyadmin/
+ file:
+ dest: /etc/phpmyadmin/
+ group: www-data
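Review bot: `Change group to www-data for /etc/phpmyadmin/` calls `file` with no `state`, so the default `file` state is applied to a directory; make it `state: directory` so the intent is explicit and the task fails clearly if the package did not create the path. The task also sets no `mode`; that directory holds the phpMyAdmin database configuration, so pairing the group change with `mode: "0750"` (or leaving the packaged mode and saying so in a comment) documents what the group change is for.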
diff --git a/packweb-apache/tasks/web-add.yml b/packweb-apache/tasks/web-add.yml
new file mode 100644
index 00000000..60bc20a8
--- /dev/null
+++ b/packweb-apache/tasks/web-add.yml
@@ -0,0 +1,3 @@
+---
+
+# TODO: ...
diff --git a/packweb-apache/templates/log2mail-apache.j2 b/packweb-apache/templates/log2mail-apache.j2
new file mode 100644
index 00000000..ff08f04f
--- /dev/null
+++ b/packweb-apache/templates/log2mail-apache.j2
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+template = /etc/log2mail/mail