Changes

From SME Server
3,004 bytes added ,  06:07, 25 July 2022
Line 19: Line 19:  
===Maintainer===
 
===Maintainer===
 
<!-- here you need to file your username and name -->
 
<!-- here you need to file your username and name -->
[[User:YOURUSERNAME|YOURNAME]]  
+
[[User:Unnilennium|Jean-Philippe Pialasse]]  
    
=== Version ===
 
=== Version ===
 
<!-- keep this first element as is, you can add some if needed -->
 
<!-- keep this first element as is, you can add some if needed -->
 
{{#smeversion: {{#var:smecontribname}} }}
 
{{#smeversion: {{#var:smecontribname}} }}
{{#smeversion: {{#var:contribname}} }}
+
{{#smeversion: mod_maxminddb }}
    
=== Description ===
 
=== Description ===
<!-- add a description here -->
+
This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db.
 +
 
 +
The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce.
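Review bot: The new `{{#smeversion: mod_maxminddb }}` line hard-codes the package name, while the unchanged line directly above it still uses `{{#var:smecontribname}}`. If the variable resolves to the wrong name, fix the variable definition so both lines stay in sync. Otherwise drop one of the two. In the added Description, "This contrib enable" should read "enables", and "also plan to help you restrict usage" leaves it unclear whether the restriction is already implemented. State what the current release does, since the Configuration section added further down documents it as working.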
      Line 35: Line 37:     
=== Configuration ===
 
=== Configuration ===
you can list the available configuration with the followinf command :
+
you can list the available configuration with the following command :
  config show {{#var:contribname}}
+
  config show modMaxminddb
    
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
 
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
 
{| class="wikitable"
 
{| class="wikitable"
 +
!db
 +
!key
 
!property
 
!property
 
!default
 
!default
 
!values
 
!values
!
+
!role
 
|-
 
|-
|DbName
+
|configuration
|nextcloud
+
|modMaxminddb
 +
|Path
 +
|/usr/share/GeoIP
 
|string
 
|string
|for mysql db
+
|
 +
|-
 +
|configuration
 +
|modMaxminddb
 +
|status
 +
|enabled
 +
|enabled,disabled
 
|-
 
|-
|DbPassword
+
|configuration
|GENERATED
+
|http-admin
|string
+
|ValidFromGeoIP
|for mysql db
+
|(empty)
 +
|country code coma separated
 +
|list of whitelisted country allowed to access, e.g.: CA,FR
 
|-
 
|-
|DbUser
+
|configuration
|nextcloud
+
|http-admin
|string
+
|GeoIPManager
|for mysql db
+
|
 +
|
 +
|enable geoip access to server-manager
 
|-
 
|-
|access
+
|configuration
|private
+
|http-admin
|private, public
+
|GeoIPUser
 +
|
 
|
 
|
 +
|enable geoip access to user-manager if installed
 
|-
 
|-
|status
+
|configuration
 +
|http-admin
 +
|GeoIPPassword
 
|enabled
 
|enabled
|enabled,disabled
+
|
 +
|enable geoip access to user-password
 
|}
 
|}
 +
==== Allow access to a specific country ====
 +
Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith,  has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk.
 +
This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....
 +
 +
to add access to all IPs localized in Canada and France:
 +
config setprop httpd-admin ValidFromGeoIP CA,FR
 +
expand-template /etc/httpd/conf/httpd.conf
 +
systemctl restart httpd-e-smith
 +
 +
you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):
 +
mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p
 +
printf '{
 +
  $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
 +
  if (($haveSSL eq 'yes') && ($port eq $httpsPort) )
 +
  $OUT ="
 +
    <Location /server-manager>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /server-common>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /user-manager>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /user-password>
 +
        Require env AllowCountries
 +
    </Location>\n";
 +
}' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow
 +
for directory:
 +
printf '
 +
<Directory /home/e-smith/files/ibays/Primary/html>
 +
      Require env AllowCountries
 +
</Directory>
 +
<Directory "/usr/share/nextcloud">
 +
      Require env AllowCountries
 +
</Directory>
 +
' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow
       +
then expand
 +
expand-template /etc/httpd/conf/httpd.conf
 +
httpd -t
 +
 +
if syntx OK then restart httpd
 +
systemctl restart httpd-e-smith
 +
 +
 +
To remove all access by Country
 +
config delprop httpd-admin ValidFromGeoIP
 +
expand-template /etc/httpd/conf/httpd.conf
 +
systemctl restart httpd-e-smith
    
=== Uninstall ===
 
=== Uninstall ===
 
  yum remove {{#var:smecontribname}}  {{#var:contribname}}
 
  yum remove {{#var:smecontribname}}  {{#var:contribname}}
 +
=== References ===
 +
* https://github.com/maxmind/mod_maxminddb/issues/42
    
=== Bugs ===
 
=== Bugs ===
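Review bot: The `printf '{ ... }' > .../VirtualHost/98geoipallow` command in the new "Allow access to a specific country" section will not write the fragment as shown. The inner single quotes in `? 'yes' : 'no';` and `($haveSSL eq 'yes')` close and reopen the shell's single-quoted string, so the file ends up with the barewords `yes` and `no`. In addition, `if (...)` is followed directly by `$OUT ="` with no braces, which Perl does not accept for an `if` statement. Suggest writing both fragments with a quoted here-document (`cat <<'EOF' > file`) so nothing is reinterpreted by the shell or by printf, and wrapping the assignment in `{ ... }`. Two documentation gaps in the same hunk: the "To remove all access by Country" steps delete the `ValidFromGeoIP` property but leave both `98geoipallow` files in templates-custom, so `Require env AllowCountries` is still emitted on the next expand, and removing those files should be a step. The text also does not say how these `Require` lines combine with the existing local-network rules for the same locations, which is what an admin needs to know before relying on them. The `0.0.0./0.0.0.0` value in the ValidFrom comparison looks like a typo.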
Line 84: Line 156:  
Only released version in smecontrib are listed here.
 
Only released version in smecontrib are listed here.
   −
{{ #smechangelog: {{#var:smecontribname}} }}
+
{{#smechangelog: {{#var:smecontribname}} }}
       
<!-- list of category you want to see this page in -->
 
<!-- list of category you want to see this page in -->
 
[[Category: Contrib]]
 
[[Category: Contrib]]
   
<!-- Please keep there the template revision  number as is -->
 
<!-- Please keep there the template revision  number as is -->
[[contribtemplate::2| ]]
  −
[[contriblang:: {{#var:lang}} | ]]
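Review bot: The removal of `[[contriblang:: {{#var:lang}} | ]]` at the end of this hunk sits directly under the "Please keep there the template revision number as is" comment and is not explained by anything else in the change. If the language property is no longer part of the contrib template, say so in the edit summary. Otherwise restore the line, since only `[[contribtemplate::2| ]]` is kept. The whitespace fix in `{{#smechangelog:` looks fine.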
 