Difference between revisions of "Mod maxminddb"

From SME Server
Jump to navigationJump to search
 
(7 intermediate revisions by the same user not shown)
Line 24: Line 24:
 
<!-- keep this first element as is, you can add some if needed -->
 
<!-- keep this first element as is, you can add some if needed -->
 
{{#smeversion: {{#var:smecontribname}} }}
 
{{#smeversion: {{#var:smecontribname}} }}
{{#smeversion: {{#var:contribname}} }}
+
{{#smeversion: mod_maxminddb }}
  
 
=== Description ===
 
=== Description ===
Line 37: Line 37:
  
 
=== Configuration ===
 
=== Configuration ===
you can list the available configuration with the followinf command :
+
you can list the available configuration with the following command :
  config show {{#var:contribname}}
+
  config show modMaxminddb
  
 
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
 
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
 
{| class="wikitable"
 
{| class="wikitable"
 +
!db
 +
!key
 
!property
 
!property
 
!default
 
!default
 
!values
 
!values
!
+
!role
 
|-
 
|-
|DbName
+
|configuration
|nextcloud
+
|modMaxminddb
 +
|Path
 +
|/usr/share/GeoIP
 
|string
 
|string
|for mysql db
+
|
 +
|-
 +
|configuration
 +
|modMaxminddb
 +
|status
 +
|enabled
 +
|enabled,disabled
 
|-
 
|-
|DbPassword
+
|configuration
|GENERATED
+
|http-admin
|string
+
|ValidFromGeoIP
|for mysql db
+
|(empty)
 +
|country code coma separated
 +
|list of whitelisted country allowed to access, e.g.: CA,FR
 
|-
 
|-
|DbUser
+
|configuration
|nextcloud
+
|http-admin
|string
+
|GeoIPManager
|for mysql db
+
|
 +
|
 +
|enable geoip access to server-manager
 
|-
 
|-
|access
+
|configuration
|private
+
|http-admin
|private, public
+
|GeoIPUser
 +
|
 
|
 
|
 +
|enable geoip access to user-manager if installed
 
|-
 
|-
|status
+
|configuration
 +
|http-admin
 +
|GeoIPPassword
 
|enabled
 
|enabled
|enabled,disabled
+
|
 +
|enable geoip access to user-password
 
|}
 
|}
 +
==== Allow access to a specific country ====
 +
Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith,  has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk.
 +
This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....
 +
 +
to add access to all IPs localized in Canada and France:
 +
config setprop httpd-admin ValidFromGeoIP CA,FR
 +
expand-template /etc/httpd/conf/httpd.conf
 +
systemctl restart httpd-e-smith
 +
 +
you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):
 +
mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p
 +
printf '{
 +
  $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
 +
  if (($haveSSL eq 'yes') && ($port eq $httpsPort) )
 +
  $OUT ="
 +
    <Location /server-manager>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /server-common>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /user-manager>
 +
        Require env AllowCountries
 +
    </Location>
 +
    <Location /user-password>
 +
        Require env AllowCountries
 +
    </Location>\n";
 +
}' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow
 +
for directory:
 +
printf '
 +
<Directory /home/e-smith/files/ibays/Primary/html>
 +
      Require env AllowCountries
 +
</Directory>
 +
<Directory "/usr/share/nextcloud">
 +
      Require env AllowCountries
 +
</Directory>
 +
' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow
 +
 +
 +
then expand
 +
expand-template /etc/httpd/conf/httpd.conf
 +
httpd -t
 +
 +
if syntx OK then restart httpd
 +
systemctl restart httpd-e-smith
 +
 +
 +
To remove all access by Country
 +
config delprop httpd-admin ValidFromGeoIP
 +
expand-template /etc/httpd/conf/httpd.conf
 +
systemctl restart httpd-e-smith
  
 
=== Uninstall ===
 
=== Uninstall ===
 
  yum remove {{#var:smecontribname}}  {{#var:contribname}}
 
  yum remove {{#var:smecontribname}}  {{#var:contribname}}
 +
=== References ===
 +
* https://github.com/maxmind/mod_maxminddb/issues/42
  
 
=== Bugs ===
 
=== Bugs ===

Latest revision as of 06:07, 25 July 2022




smeserver-mod_maxminddb
NeedImage.svg
smeserver-mod_maxminddb logo
MaintainerUnnilennium
Urlhttps://wiki.contribs.org
Category

security geoip

Tags securitygeoipaccesapachehttpd


Maintainer

Jean-Philippe Pialasse

Version

Contrib 10:
Contrib 9:
smeserver-mod_maxminddb
The latest version of smeserver-mod_maxminddb is available in the SME repository, click on the version number(s) for more information.


Contrib 10:
Contrib 9:
mod_maxminddb
The latest version of mod_maxminddb is available in the SME repository, click on the version number(s) for more information.


Description

This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db.

The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce.


Installation

yum --enablerepo=smecontribs install smeserver-mod_maxminddb


Configuration

you can list the available configuration with the following command :

config show modMaxminddb

Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :

db key property default values role
configuration modMaxminddb Path /usr/share/GeoIP string
configuration modMaxminddb status enabled enabled,disabled
configuration http-admin ValidFromGeoIP (empty) country code coma separated list of whitelisted country allowed to access, e.g.: CA,FR
configuration http-admin GeoIPManager enable geoip access to server-manager
configuration http-admin GeoIPUser enable geoip access to user-manager if installed
configuration http-admin GeoIPPassword enabled enable geoip access to user-password

Allow access to a specific country

Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....

to add access to all IPs localized in Canada and France:

config setprop httpd-admin ValidFromGeoIP CA,FR
expand-template /etc/httpd/conf/httpd.conf
systemctl restart httpd-e-smith

you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):

mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p
printf '{
  $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
 if (($haveSSL eq 'yes') && ($port eq $httpsPort) )
 $OUT ="
   <Location /server-manager>
        Require env AllowCountries
   </Location>
   <Location /server-common>
        Require env AllowCountries
   </Location>
   <Location /user-manager>
        Require env AllowCountries
   </Location>
   <Location /user-password>
        Require env AllowCountries
   </Location>\n";
}' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow

for directory:

printf '
<Directory /home/e-smith/files/ibays/Primary/html>
     Require env AllowCountries
</Directory>
<Directory "/usr/share/nextcloud">
     Require env AllowCountries
</Directory>
' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow


then expand

expand-template /etc/httpd/conf/httpd.conf
httpd -t

if syntx OK then restart httpd

systemctl restart httpd-e-smith


To remove all access by Country

config delprop httpd-admin ValidFromGeoIP 
expand-template /etc/httpd/conf/httpd.conf
systemctl restart httpd-e-smith

Uninstall

yum remove smeserver-mod_maxminddb  smeserver-mod_maxminddb

References

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_maxminddb component or use this link


Below is an overview of the current issues for this contrib:

IDProductVersionStatusSummary (2 tasks)
10769SME Contribs9.2CONFIRMEDNFR: allow to choose language instead of english default
10768SME Contribs9.2IN_PROGRESSNFR: block|allow panels by country

Changelog

Only released version in smecontrib are listed here.

smeserver-mod_maxminddb Changelog: SME 10 (smecontribs)
2022/07/25 Jean-Philippe Pialasse 1.1.0-14.sme
- make compatible with httpd24 access [SME: 12052]

2021/04/02 Jean-Philippe Pialasse 1.1.0-11.sme
- add option to allow countries to external access to manager [SME: 10768]

 ValidFromGeoIP will add access to listed countries to managers and all
ressources using the usual list from httpd-admin Validfrom (local ibays, contribs...)

2021/04/02 Jean-Philippe Pialasse 1.1.0-10.sme
- initial import to SME 10 [SME: 11521]

- update event created
2019/04/11 Jean-Philipe Pialasse 1.1.0-7.sme
- fix missing db on installation [SME: 10770]
2019/03/14 Jean-Philipe Pialasse 1.1.0-6.sme
- configure necessary variables [SME: 10759]