Mod maxminddb
smeserver-mod_maxminddb logo | |
Maintainer | Unnilennium |
---|---|
Url | https://wiki.contribs.org |
Category | |
Tags | security, geoip, acces, apache, httpd |
Maintainer
Version
Description
This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db.
The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce.
Installation
yum --enablerepo=smecontribs install smeserver-mod_maxminddb
Configuration
you can list the available configuration with the following command :
config show modMaxminddb
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
db | key | property | default | values | role |
---|---|---|---|---|---|
configuration | modMaxminddb | Path | /usr/share/GeoIP | string | |
configuration | modMaxminddb | status | enabled | enabled,disabled | |
configuration | http-admin | ValidFromGeoIP | (empty) | country code coma separated | list of whitelisted country allowed to access, e.g.: CA,FR |
configuration | http-admin | GeoIPManager | enable geoip access to server-manager | ||
configuration | http-admin | GeoIPUser | enable geoip access to user-manager if installed | ||
configuration | http-admin | GeoIPPassword | enabled | enable geoip access to user-password |
Allow access to a specific country
Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....
to add access to all IPs localized in Canada and France:
config setprop httpd-admin ValidFromGeoIP CA,FR expand-template /etc/httpd/conf/httpd.conf systemctl restart httpd-e-smith
you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):
mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p printf '{ $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; if (($haveSSL eq 'yes') && ($port eq $httpsPort) ) $OUT =" <Location /server-manager> Require env AllowCountries </Location> <Location /server-common> Require env AllowCountries </Location> <Location /user-manager> Require env AllowCountries </Location> <Location /user-password> Require env AllowCountries </Location>\n"; }' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow
for directory:
printf ' <Directory /home/e-smith/files/ibays/Primary/html> Require env AllowCountries </Directory> <Directory "/usr/share/nextcloud"> Require env AllowCountries </Directory> ' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow
then expand
expand-template /etc/httpd/conf/httpd.conf httpd -t
if syntx OK then restart httpd
systemctl restart httpd-e-smith
To remove all access by Country
config delprop httpd-admin ValidFromGeoIP expand-template /etc/httpd/conf/httpd.conf systemctl restart httpd-e-smith
Uninstall
yum remove smeserver-mod_maxminddb smeserver-mod_maxminddb
References
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_maxminddb component or use this link
Below is an overview of the current issues for this contrib:
ID | Product | Version | Status | Summary (2 tasks) ⇒ |
---|---|---|---|---|
10769 | SME Contribs | 9.2 | CONFIRMED | NFR: allow to choose language instead of english default |
10768 | SME Contribs | 9.2 | IN_PROGRESS | NFR: block|allow panels by country |
Changelog
Only released version in smecontrib are listed here.
- make compatible with httpd24 access [SME: 12052]
2021/04/02 Jean-Philippe Pialasse 1.1.0-11.sme
- add option to allow countries to external access to manager [SME: 10768]
ValidFromGeoIP will add access to listed countries to managers and allressources using the usual list from httpd-admin Validfrom (local ibays, contribs...)
2021/04/02 Jean-Philippe Pialasse 1.1.0-10.sme
- initial import to SME 10 [SME: 11521]
- fix missing db on installation [SME: 10770]
- configure necessary variables [SME: 10759]