Mod maxminddb

From SME Server
Revision as of 06:07, 25 July 2022 by Unnilennium (talk | contribs) (→‎Uninstall)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search




smeserver-mod_maxminddb
NeedImage.svg
smeserver-mod_maxminddb logo
MaintainerUnnilennium
Urlhttps://wiki.contribs.org
Category

security geoip

Tags securitygeoipaccesapachehttpd


Maintainer

Jean-Philippe Pialasse

Version

Contrib 10:
Contrib 9:
smeserver-mod_maxminddb
The latest version of smeserver-mod_maxminddb is available in the SME repository, click on the version number(s) for more information.


Contrib 10:
Contrib 9:
mod_maxminddb
The latest version of mod_maxminddb is available in the SME repository, click on the version number(s) for more information.


Description

This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db.

The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce.


Installation

yum --enablerepo=smecontribs install smeserver-mod_maxminddb


Configuration

you can list the available configuration with the following command :

config show modMaxminddb

Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :

db key property default values role
configuration modMaxminddb Path /usr/share/GeoIP string
configuration modMaxminddb status enabled enabled,disabled
configuration http-admin ValidFromGeoIP (empty) country code coma separated list of whitelisted country allowed to access, e.g.: CA,FR
configuration http-admin GeoIPManager enable geoip access to server-manager
configuration http-admin GeoIPUser enable geoip access to user-manager if installed
configuration http-admin GeoIPPassword enabled enable geoip access to user-password

Allow access to a specific country

Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....

to add access to all IPs localized in Canada and France:

config setprop httpd-admin ValidFromGeoIP CA,FR
expand-template /etc/httpd/conf/httpd.conf
systemctl restart httpd-e-smith

you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):

mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p
printf '{
  $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
 if (($haveSSL eq 'yes') && ($port eq $httpsPort) )
 $OUT ="
   <Location /server-manager>
        Require env AllowCountries
   </Location>
   <Location /server-common>
        Require env AllowCountries
   </Location>
   <Location /user-manager>
        Require env AllowCountries
   </Location>
   <Location /user-password>
        Require env AllowCountries
   </Location>\n";
}' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow

for directory:

printf '
<Directory /home/e-smith/files/ibays/Primary/html>
     Require env AllowCountries
</Directory>
<Directory "/usr/share/nextcloud">
     Require env AllowCountries
</Directory>
' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow


then expand

expand-template /etc/httpd/conf/httpd.conf
httpd -t

if syntx OK then restart httpd

systemctl restart httpd-e-smith


To remove all access by Country

config delprop httpd-admin ValidFromGeoIP 
expand-template /etc/httpd/conf/httpd.conf
systemctl restart httpd-e-smith

Uninstall

yum remove smeserver-mod_maxminddb  smeserver-mod_maxminddb

References

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_maxminddb component or use this link


Below is an overview of the current issues for this contrib:

IDProductVersionStatusSummary (2 tasks)
10769SME Contribs9.2CONFIRMEDNFR: allow to choose language instead of english default
10768SME Contribs9.2IN_PROGRESSNFR: block|allow panels by country

Changelog

Only released version in smecontrib are listed here.

smeserver-mod_maxminddb Changelog: SME 10 (smecontribs)
2022/07/25 Jean-Philippe Pialasse 1.1.0-14.sme
- make compatible with httpd24 access [SME: 12052]

2021/04/02 Jean-Philippe Pialasse 1.1.0-11.sme
- add option to allow countries to external access to manager [SME: 10768]

 ValidFromGeoIP will add access to listed countries to managers and all
ressources using the usual list from httpd-admin Validfrom (local ibays, contribs...)

2021/04/02 Jean-Philippe Pialasse 1.1.0-10.sme
- initial import to SME 10 [SME: 11521]

- update event created
2019/04/11 Jean-Philipe Pialasse 1.1.0-7.sme
- fix missing db on installation [SME: 10770]
2019/03/14 Jean-Philipe Pialasse 1.1.0-6.sme
- configure necessary variables [SME: 10759]