Difference between revisions of "Mod maxminddb"
Unnilennium (talk | contribs) (Created page with "{{Languages}} <!-- here we define the contrib name variable --> <!-- we get the page title, remove suffix for translated version; if needed you can define there with the value...") |
Unnilennium (talk | contribs) |
||
(10 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
<!-- here we define the contrib name variable --> | <!-- here we define the contrib name variable --> | ||
<!-- we get the page title, remove suffix for translated version; if needed you can define there with the value you want--> | <!-- we get the page title, remove suffix for translated version; if needed you can define there with the value you want--> | ||
− | {{#vardefine:contribname| | + | {{#vardefine:contribname| smeserver-mod_maxminddb }} |
− | {{#vardefine:smecontribname| smeserver- | + | {{#vardefine:smecontribname| smeserver-mod_maxminddb }} |
<!-- we define the language --> | <!-- we define the language --> | ||
{{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }} | {{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }} | ||
Line 19: | Line 19: | ||
===Maintainer=== | ===Maintainer=== | ||
<!-- here you need to file your username and name --> | <!-- here you need to file your username and name --> | ||
− | [[User: | + | [[User:Unnilennium|Jean-Philippe Pialasse]] |
=== Version === | === Version === | ||
<!-- keep this first element as is, you can add some if needed --> | <!-- keep this first element as is, you can add some if needed --> | ||
{{#smeversion: {{#var:smecontribname}} }} | {{#smeversion: {{#var:smecontribname}} }} | ||
− | {{#smeversion: | + | {{#smeversion: mod_maxminddb }} |
=== Description === | === Description === | ||
− | + | This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db. | |
+ | |||
+ | The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce. | ||
Line 35: | Line 37: | ||
=== Configuration === | === Configuration === | ||
− | you can list the available configuration with the | + | you can list the available configuration with the following command : |
− | config show | + | config show modMaxminddb |
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | ||
{| class="wikitable" | {| class="wikitable" | ||
+ | !db | ||
+ | !key | ||
!property | !property | ||
!default | !default | ||
!values | !values | ||
− | ! | + | !role |
|- | |- | ||
− | | | + | |configuration |
− | | | + | |modMaxminddb |
+ | |Path | ||
+ | |/usr/share/GeoIP | ||
|string | |string | ||
− | | | + | | |
+ | |- | ||
+ | |configuration | ||
+ | |modMaxminddb | ||
+ | |status | ||
+ | |enabled | ||
+ | |enabled,disabled | ||
|- | |- | ||
− | | | + | |configuration |
− | | | + | |http-admin |
− | | | + | |ValidFromGeoIP |
− | | | + | |(empty) |
+ | |country code coma separated | ||
+ | |list of whitelisted country allowed to access, e.g.: CA,FR | ||
|- | |- | ||
− | | | + | |configuration |
− | | | + | |http-admin |
− | | | + | |GeoIPManager |
− | | | + | | |
+ | | | ||
+ | |enable geoip access to server-manager | ||
|- | |- | ||
− | | | + | |configuration |
− | | | + | |http-admin |
− | | | + | |GeoIPUser |
+ | | | ||
| | | | ||
+ | |enable geoip access to user-manager if installed | ||
|- | |- | ||
− | | | + | |configuration |
+ | |http-admin | ||
+ | |GeoIPPassword | ||
|enabled | |enabled | ||
− | | | + | | |
+ | |enable geoip access to user-password | ||
|} | |} | ||
+ | ==== Allow access to a specific country ==== | ||
+ | Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. | ||
+ | This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists.... | ||
+ | |||
+ | to add access to all IPs localized in Canada and France: | ||
+ | config setprop httpd-admin ValidFromGeoIP CA,FR | ||
+ | expand-template /etc/httpd/conf/httpd.conf | ||
+ | systemctl restart httpd-e-smith | ||
+ | |||
+ | you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80): | ||
+ | mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p | ||
+ | printf '{ | ||
+ | $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; | ||
+ | if (($haveSSL eq 'yes') && ($port eq $httpsPort) ) | ||
+ | $OUT =" | ||
+ | <Location /server-manager> | ||
+ | Require env AllowCountries | ||
+ | </Location> | ||
+ | <Location /server-common> | ||
+ | Require env AllowCountries | ||
+ | </Location> | ||
+ | <Location /user-manager> | ||
+ | Require env AllowCountries | ||
+ | </Location> | ||
+ | <Location /user-password> | ||
+ | Require env AllowCountries | ||
+ | </Location>\n"; | ||
+ | }' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow | ||
+ | for directory: | ||
+ | printf ' | ||
+ | <Directory /home/e-smith/files/ibays/Primary/html> | ||
+ | Require env AllowCountries | ||
+ | </Directory> | ||
+ | <Directory "/usr/share/nextcloud"> | ||
+ | Require env AllowCountries | ||
+ | </Directory> | ||
+ | ' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow | ||
+ | then expand | ||
+ | expand-template /etc/httpd/conf/httpd.conf | ||
+ | httpd -t | ||
+ | |||
+ | if syntx OK then restart httpd | ||
+ | systemctl restart httpd-e-smith | ||
+ | |||
+ | |||
+ | To remove all access by Country | ||
+ | config delprop httpd-admin ValidFromGeoIP | ||
+ | expand-template /etc/httpd/conf/httpd.conf | ||
+ | systemctl restart httpd-e-smith | ||
=== Uninstall === | === Uninstall === | ||
yum remove {{#var:smecontribname}} {{#var:contribname}} | yum remove {{#var:smecontribname}} {{#var:contribname}} | ||
+ | === References === | ||
+ | * https://github.com/maxmind/mod_maxminddb/issues/42 | ||
=== Bugs === | === Bugs === | ||
Line 84: | Line 156: | ||
Only released version in smecontrib are listed here. | Only released version in smecontrib are listed here. | ||
− | {{ #smechangelog: {{#var:smecontribname}} }} | + | {{#smechangelog: {{#var:smecontribname}} }} |
<!-- list of category you want to see this page in --> | <!-- list of category you want to see this page in --> | ||
[[Category: Contrib]] | [[Category: Contrib]] | ||
− | |||
<!-- Please keep there the template revision number as is --> | <!-- Please keep there the template revision number as is --> | ||
− | |||
− |
Latest revision as of 06:07, 25 July 2022
smeserver-mod_maxminddb logo | |
Maintainer | Unnilennium |
---|---|
Url | https://wiki.contribs.org |
Category | |
Tags | security, geoip, acces, apache, httpd |
Maintainer
Version
Description
This contrib enable the new Geoip2 plugin from Maxmind in order to let your apache server to get full capacity of geoip with recent db.
The contrib also plan to help you restrict usage of server-manager, user-manager, or any other contrib depending on your client localisation. This is not miraculous, as a good vpn could override this protection and some ip might be incorrectly localized, but would at least stop a huge amount of scan and bruteforce.
Installation
yum --enablerepo=smecontribs install smeserver-mod_maxminddb
Configuration
you can list the available configuration with the following command :
config show modMaxminddb
Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
db | key | property | default | values | role |
---|---|---|---|---|---|
configuration | modMaxminddb | Path | /usr/share/GeoIP | string | |
configuration | modMaxminddb | status | enabled | enabled,disabled | |
configuration | http-admin | ValidFromGeoIP | (empty) | country code coma separated | list of whitelisted country allowed to access, e.g.: CA,FR |
configuration | http-admin | GeoIPManager | enable geoip access to server-manager | ||
configuration | http-admin | GeoIPUser | enable geoip access to user-manager if installed | ||
configuration | http-admin | GeoIPPassword | enabled | enable geoip access to user-password |
Allow access to a specific country
Starting SME10 you can use this mod to allow access to server-manager, user-manager, local ibays, local contributions. In other words, anything that uses httpd-e-smith, has access = local and would have been accessible to an IP if you added this to httpd-admin ValidFrom (or added this Ip or subnet of IPs in the Remote access panel of the server-manager), will be allow any IP considered to this country / countries to access the ressources. THis is powerfull, so use it only if you know the risk. This is still a bit more secure than adding 0.0.0./0.0.0.0 to ValidFrom but ... you known vpn and proxies exists....
to add access to all IPs localized in Canada and France:
config setprop httpd-admin ValidFromGeoIP CA,FR expand-template /etc/httpd/conf/httpd.conf systemctl restart httpd-e-smith
you will then need to add sections manually in a template-custom, first for manager related things that should never have access to http (80):
mkdir /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost -p printf '{ $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; if (($haveSSL eq 'yes') && ($port eq $httpsPort) ) $OUT =" <Location /server-manager> Require env AllowCountries </Location> <Location /server-common> Require env AllowCountries </Location> <Location /user-manager> Require env AllowCountries </Location> <Location /user-password> Require env AllowCountries </Location>\n"; }' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHost/98geoipallow
for directory:
printf ' <Directory /home/e-smith/files/ibays/Primary/html> Require env AllowCountries </Directory> <Directory "/usr/share/nextcloud"> Require env AllowCountries </Directory> ' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98geoipallow
then expand
expand-template /etc/httpd/conf/httpd.conf httpd -t
if syntx OK then restart httpd
systemctl restart httpd-e-smith
To remove all access by Country
config delprop httpd-admin ValidFromGeoIP expand-template /etc/httpd/conf/httpd.conf systemctl restart httpd-e-smith
Uninstall
yum remove smeserver-mod_maxminddb smeserver-mod_maxminddb
References
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_maxminddb component or use this link
Below is an overview of the current issues for this contrib:
ID | Product | Version | Status | Summary (2 tasks) ⇒ |
---|---|---|---|---|
10769 | SME Contribs | 9.2 | CONFIRMED | NFR: allow to choose language instead of english default |
10768 | SME Contribs | 9.2 | IN_PROGRESS | NFR: block|allow panels by country |
Changelog
Only released version in smecontrib are listed here.
- make compatible with httpd24 access [SME: 12052]
2021/04/02 Jean-Philippe Pialasse 1.1.0-11.sme
- add option to allow countries to external access to manager [SME: 10768]
ValidFromGeoIP will add access to listed countries to managers and allressources using the usual list from httpd-admin Validfrom (local ibays, contribs...)
2021/04/02 Jean-Philippe Pialasse 1.1.0-10.sme
- initial import to SME 10 [SME: 11521]
- fix missing db on installation [SME: 10770]
- configure necessary variables [SME: 10759]