Line 19: |
Line 19: |
| ===Maintainer=== | | ===Maintainer=== |
| <!-- here you need to file your username and name --> | | <!-- here you need to file your username and name --> |
− | [[User:YOURUSERNAME|YOURNAME]] | + | [[User:Unnilennium|Jean-Philippe Pialasse]] |
| | | |
| === Version === | | === Version === |
| <!-- keep this first element as is, you can add some if needed --> | | <!-- keep this first element as is, you can add some if needed --> |
| {{#smeversion: {{#var:smecontribname}} }} | | {{#smeversion: {{#var:smecontribname}} }} |
− | {{#smeversion: {{#var:contribname}} }} | + | {{#smeversion: mod_maxminddb }} |
| | | |
| === Description === | | === Description === |
− | <!-- add a description here -->
| + | This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db. |
| + | |
| + | The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce. |
| | | |
| | | |
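Review bot: The added Description lines need a grammar pass before publishing: "This contrib enable" should read "enables", "The contrib also plan" should read "plans", and "client localisation" means the client's location. The version line now hard-codes "mod_maxminddb" where the replaced line used {{#var:contribname}}; if that variable is still defined at the top of the page, keeping the variable avoids the two drifting apart. The caveat about VPNs and mislocated IPs is worth keeping, and it would help to say plainly that the country filter sits in front of the existing login and does not replace it.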
Line 35: |
Line 37: |
| | | |
| === Configuration === | | === Configuration === |
− | you can list the available configuration with the followinf command : | + | you can list the available configuration with the following command : |
− | config show {{#var:contribname}} | + | config show modMaxminddb |
| | | |
| Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | | Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : |
| {| class="wikitable" | | {| class="wikitable" |
| + | !db |
| + | !key |
| !property | | !property |
| !default | | !default |
| !values | | !values |
− | ! | + | !role |
| |- | | |- |
− | |DbName | + | |configuration |
− | |nextcloud | + | |modMaxminddb |
| + | |Path |
| + | |/usr/share/GeoIP |
| |string | | |string |
− | |for mysql db | + | | |
| + | |- |
| + | |configuration |
| + | |modMaxminddb |
| + | |status |
| + | |enabled |
| + | |enabled,disabled |
| |- | | |- |
− | |DbPassword | + | |configuration |
− | |GENERATED | + | |http-admin |
− | |string | + | |ValidFromGeoIP |
− | |for mysql db | + | |(empty) |
| + | |country code coma separated |
| + | |list of whitelisted country allowed to access, e.g.: CA,FR |
| |- | | |- |
− | |DbUser | + | |configuration |
− | |nextcloud | + | |http-admin |
− | |string | + | |GeoIPManager |
− | |for mysql db | + | | |
| + | | |
| + | |enable geoip access to server-manager |
| |- | | |- |
− | |access | + | |configuration |
− | |private | + | |http-admin |
− | |private, public | + | |GeoIPUser |
| + | | |
| | | | | |
| + | |enable geoip access to user-manager if installed |
| |- | | |- |
− | |status | + | |configuration |
| + | |http-admin |
| + | |GeoIPPassword |
| |enabled | | |enabled |
− | |enabled,disabled | + | | |
| + | |enable geoip access to user-password |
| |} | | |} |
| + | ==== Allow access to a specific country ==== |
| + | Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. |
| + | This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists.... |
| + | |
| + | to add access to all IPs localized in Canada and France: |
| + | config setprop httpd-admin ValidFromGeoIP CA,FR |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | systemctl restart httpd-e-smith |
| + | |
| + | you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80): |
| + | mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p |
| + | printf '{ |
| + | $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; |
| + | if (($haveSSL eq 'yes') && ($port eq $httpsPort) ) |
| + | $OUT =" |
| + | <Location /server-manager> |
| + | Require env AllowCountries |
| + | </Location> |
| + | <Location /server-common> |
| + | Require env AllowCountries |
| + | </Location> |
| + | <Location /user-manager> |
| + | Require env AllowCountries |
| + | </Location> |
| + | <Location /user-password> |
| + | Require env AllowCountries |
| + | </Location>\n"; |
| + | }' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow |
| + | for directory: |
| + | printf ' |
| + | <Directory /home/e-smith/files/ibays/Primary/html> |
| + | Require env AllowCountries |
| + | </Directory> |
| + | <Directory "/usr/share/nextcloud"> |
| + | Require env AllowCountries |
| + | </Directory> |
| + | ' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow |
| | | |
| | | |
| + | then expand |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | httpd -t |
| + | |
| + | if syntx OK then restart httpd |
| + | systemctl restart httpd-e-smith |
| + | |
| + | |
| + | To remove all access by Country |
| + | config delprop httpd-admin ValidFromGeoIP |
| + | expand-template /etc/httpd/conf/httpd.conf |
| + | systemctl restart httpd-e-smith |
| | | |
| === Uninstall === | | === Uninstall === |
| yum remove {{#var:smecontribname}} {{#var:contribname}} | | yum remove {{#var:smecontribname}} {{#var:contribname}} |
| + | === References === |
| + | * https://github.com/maxmind/mod_maxminddb/issues/42 |
| | | |
| === Bugs === | | === Bugs === |
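Review bot: The printf command that writes VirtualHost/98geoipallow wraps the template in single quotes while the Perl inside also uses single quotes ("'yes' : 'no'" and "eq 'yes'"), so the shell closes the string at each inner quote and the file ends up with bare yes and no; in addition, the "if (...)" is followed directly by "$OUT =" with no opening brace of its own, which Perl does not accept. Suggest writing the fragment with a quoted here-document (cat with <<'EOF') and giving the if its own braces inside the outer template braces. Three further points in the same hunk: the table lists the key as "http-admin" while every command uses "httpd-admin"; the first command sequence restarts httpd-e-smith straight after expand-template, without the "httpd -t" check that the later sequence uses; and the "To remove all access by Country" steps delete only the ValidFromGeoIP property and leave both 98geoipallow custom fragments, with their "Require env AllowCountries" lines, in place, so the section should state whether those files must be removed as well. "0.0.0./0.0.0.0" and "syntx" look like typos, and the Uninstall line still uses {{#var:contribname}} although the rest of the page now hard-codes the name.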
Line 84: |
Line 156: |
| Only released version in smecontrib are listed here. | | Only released version in smecontrib are listed here. |
| | | |
− | {{ #smechangelog: {{#var:smecontribname}} }} | + | {{#smechangelog: {{#var:smecontribname}} }} |
| | | |
| | | |
| <!-- list of category you want to see this page in --> | | <!-- list of category you want to see this page in --> |
| [[Category: Contrib]] | | [[Category: Contrib]] |
− |
| |
| <!-- Please keep there the template revision number as is --> | | <!-- Please keep there the template revision number as is --> |
− | [[contribtemplate::2| ]]
| |
− | [[contriblang:: {{#var:lang}} | ]]
| |
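Review bot: The line "[[contribtemplate::2| ]]" appears on the removed side directly under the comment "Please keep there the template revision number as is", so this edit drops the marker the comment asks editors to keep. Suggest restoring it, and likewise "[[contriblang:: {{#var:lang}} | ]]" unless its removal is intentional, in which case the comment should go too. The whitespace fix in "{{#smechangelog:" looks fine.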