From b1d8d8a50fa6920ad9e38be0cd9f05a9df2e6d85 Mon Sep 17 00:00:00 2001
From: Pavel Loginov
Date: Tue, 8 Dec 2020 11:05:39 +0600
Subject: [PATCH] v4.5.5.0

Changelog: https://haproxy-wi.org/changelog.py#4_5_5
---
 app/scripts/install_haproxy_exporter.sh | 39 ++++++++++++---------
 app/scripts/waf.sh | 46 ++++++++++++++-----------
 2 files changed, 47 insertions(+), 38 deletions(-)

diff --git a/app/scripts/install_haproxy_exporter.sh b/app/scripts/install_haproxy_exporter.sh
index 9d260d9e..66a1e0f6 100644
--- a/app/scripts/install_haproxy_exporter.sh
+++ b/app/scripts/install_haproxy_exporter.sh
@@ -1,44 +1,49 @@ #!/bin/bash for ARGUMENT in "$@" do - KEY=$(echo $ARGUMENT | cut -f1 -d=) - VALUE=$(echo $ARGUMENT | cut -f2 -d=) + KEY=$(echo "$ARGUMENT" | cut -f1 -d=) + VALUE=$(echo "$ARGUMENT" | cut -f2 -d=) case "$KEY" in - PROXY) PROXY=${VALUE} ;; - HOST) HOST=${VALUE} ;; - USER) USER=${VALUE} ;; - PASS) PASS=${VALUE} ;; - KEY) KEY=${VALUE} ;; + PROXY) PROXY=${VALUE} ;; + HOST) HOST=${VALUE} ;; + USER) USER=${VALUE} ;; + PASS) PASS=${VALUE} ;; + KEY) KEY=${VALUE} ;; STAT_PORT) STAT_PORT=${VALUE} ;; STAT_PAGE) STAT_PAGE=${VALUE} ;; - STATS_USER) STATS_USER=${VALUE} ;; - STATS_PASS) STATS_PASS=${VALUE} ;; - SSH_PORT) SSH_PORT=${VALUE} ;; - *) + STATS_USER) STATS_USER=${VALUE} ;; + STATS_PASS) STATS_PASS=${VALUE} ;; + SSH_PORT) SSH_PORT=${VALUE} ;; + *) esac done if [ ! -d "/var/www/haproxy-wi/app/scripts/ansible/roles/bdellegrazie.haproxy_exporter" ]; then - if [ ! -z $PROXY ];then + if [[ -n $PROXY ]];then export https_proxy="$PROXY" export http_proxy="$PROXY" fi ansible-galaxy install bdellegrazie.haproxy_exporter --roles-path /var/www/haproxy-wi/app/scripts/ansible/roles/ + bash -c cat << EOF >> /var/www/haproxy-wi/app/scripts/ansible/roles/bdellegrazie.ansible-role-prometheus_exporter/vars/vars-family-redhat-8.yml +--- +prometheus_exporter_ansible_packages: + - libselinux-python3 +EOF fi export ANSIBLE_HOST_KEY_CHECKING=False export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False export ACTION_WARNINGS=False export ANSIBLE_DEPRECATION_WARNINGS=False -PWD=`pwd` +PWD=$(pwd) PWD=$PWD/scripts/ansible/ -echo "$HOST ansible_port=$SSH_PORT" > $PWD/$HOST +echo "$HOST ansible_port=$SSH_PORT" > "$PWD"/"$HOST" if [[ $KEY == "" ]]; then - ansible-playbook $PWD/roles/haproxy_exporter.yml -e "ansible_user=$USER ansible_ssh_pass=$PASS variable_host=$HOST PROXY=$PROXY STAT_PAGE=$STAT_PAGE STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS SSH_PORT=$SSH_PORT" -i $PWD/$HOST + ansible-playbook "$PWD"/roles/haproxy_exporter.yml -e "ansible_user=$USER 
ansible_ssh_pass=$PASS variable_host=$HOST PROXY=$PROXY STAT_PAGE=$STAT_PAGE STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS SSH_PORT=$SSH_PORT" -i "$PWD"/"$HOST" else - ansible-playbook $PWD/roles/haproxy_exporter.yml --key-file $KEY -e "ansible_user=$USER variable_host=$HOST PROXY=$PROXY STAT_PAGE=$STAT_PAGE STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS SSH_PORT=$SSH_PORT" -i $PWD/$HOST + ansible-playbook "$PWD"/roles/haproxy_exporter.yml --key-file "$KEY" -e "ansible_user=$USER variable_host=$HOST PROXY=$PROXY STAT_PAGE=$STAT_PAGE STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS SSH_PORT=$SSH_PORT" -i "$PWD"/"$HOST" fi if [ $? -gt 0 ] @@ -52,4 +57,4 @@ if ! sudo grep -Fxq " - $HOST:9101" /etc/prometheus/prometheus.yml; then fi sudo systemctl reload prometheus -rm -f $PWD/$HOST +rm -f "$PWD"/"$HOST" diff --git a/app/scripts/waf.sh b/app/scripts/waf.sh index 1bff4422..32dc0427 100644 --- a/app/scripts/waf.sh +++ b/app/scripts/waf.sh @@ -2,8 +2,8 @@ for ARGUMENT in "$@" do - KEY=$(echo $ARGUMENT | cut -f1 -d=) - VALUE=$(echo $ARGUMENT | cut -f2 -d=) + KEY=$(echo "$ARGUMENT" | cut -f1 -d=) + VALUE=$(echo "$ARGUMENT" | cut -f2 -d=) case "$KEY" in PROXY) PROXY=${VALUE} ;; @@ -13,10 +13,10 @@ do esac done VERSION=$(echo 2.1.3| awk -F"-" '{print $1}') -VERSION_MAJ=$(echo $VERSION | awk -F"." '{print $1"."$2}') +VERSION_MAJ=$(echo "$VERSION" | awk -F"." '{print $1"."$2}') if (( $(awk 'BEGIN {print ("'$VERSION_MAJ'" < "'1.8'")}') )); then - echo 'error: Need HAProxy version 1.8 or later X' + echo 'error: Need HAProxy version 1.8 or later' exit 1 fi @@ -26,22 +26,26 @@ then export https_proxy="$PROXY" fi -if [ -f $HAPROXY_PATH/waf/modsecurity.conf ];then - echo -e 'Info: Haproxy WAF already installed.
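Review bot: `KEY` doubles as the parser's key-name variable and the key-file path, so after the loop `$KEY` holds the name of the last argument parsed (e.g. `SSH_PORT`) unless `KEY=` happens to be the final argument, and the `[[ $KEY == "" ]]` branch below can never be taken; rename the parser variable, e.g. `ARG_KEY=$(echo "$ARGUMENT" | cut -f1 -d=)` and `case "$ARG_KEY" in`. The `cut -d=` split also truncates any value that itself contains `=` (passwords in particular); `ARG_KEY=${ARGUMENT%%=*}` and `VALUE=${ARGUMENT#*=}` keep the whole value, and the same parser is repeated in the waf.sh hunk at `@@ -2,8`. On both `ansible-playbook` lines the SSH password is still handed over as an `-e` argument, where it is readable by every local user in the process list; an extra-vars file with restricted permissions (`-e @"$PWD"/vars-"$HOST".yml`, a constructed path, written next to the inventory and removed with it at the end) keeps it off argv. `PWD=$(pwd)` continues to overwrite the shell's own `PWD` variable; a private name such as `ANSIBLE_DIR` would avoid that here and in the `rm -f` hunk at `@@ -52,4`. The `if [ $? -gt 0 ]` at the hunk's end continues outside it.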
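Review bot: `VERSION_MAJ=$(echo "$VERSION" | awk -F"." '{print $1"."$2}')` forks awk for what a parameter expansion does in-process, `VERSION_MAJ=${VERSION%.*}`, and the `VERSION=` line above it is the same pattern applied to a literal. The check that follows splices `$VERSION_MAJ` unquoted into the awk program text and lets awk compare the two strings lexicographically, which only works because `VERSION` is hard-coded to `2.1.3`; should it ever come from an argument, `1.10` would sort before `1.8` and the unquoted splice would become an injection point into the awk program. A numeric test in the shell avoids both: `maj=${VERSION_MAJ%%.*} min=${VERSION_MAJ#*.}` followed by `if ! (( maj > 1 || (maj == 1 && min >= 8) )); then`. The `esac`/`done` at the top of the hunk close a loop that begins outside it.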

' +if [ -f "$HAPROXY_PATH"/waf/modsecurity.conf ];then + echo -e 'info: Haproxy WAF has already installed.' exit 1 fi if hash apt-get 2>/dev/null; then sudo apt install libevent-dev apache2-dev libpcre3-dev libxml2-dev gcc pcre-devel wget -y else - sudo yum install -y http://rpmfind.net/linux/centos/7/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm >> /dev/null - sudo yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm >> /dev/null - sudo yum install -y httpd-devel libxml2-devel gcc curl-devel pcre-devel wget -y >> /dev/null + if [[ $(cat /etc/*rele* |grep VERSION_ID |awk -F"\"" '{print $2}') -eq 7 ]]; then + sudo yum install -y http://rpmfind.net/linux/centos/7/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm >> /dev/null + sudo yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm >> /dev/null + else + sudo rpm -ivh ftp://ftp.ntua.gr/pub/linux/centos/8.2.2004/PowerTools/x86_64/kickstart/Packages/yajl-devel-2.1.0-10.el8.x86_64.rpm + fi + sudo yum install -y httpd-devel libxml2-devel gcc curl-devel pcre-devel wget libevent-devel -y >> /dev/null fi wget -O /tmp/modsecurity.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz >> /dev/null if [ $? -eq 1 ]; then - echo -e "Can't download waf application. Check Internet connection" + echo -e "Can't download waf application. Check the Internet connection" exit 1 fi cd /tmp @@ -67,7 +71,7 @@ mv /tmp/modsecurity/INSTALL/include/standalone/* /tmp/modsecurity/INSTALL/includ wget -O /tmp/haproxy-$VERSION.tar.gz http://www.haproxy.org/download/$VERSION_MAJ/src/haproxy-$VERSION.tar.gz if [ $? -eq 1 ]; then - echo -e "error: Can't download Haproxy application. Check Internet connection" + echo -e "error: Can't download Haproxy application. Check the Internet connection" exit 1 fi cd /tmp 
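Review bot: The new `else` branch runs `sudo rpm -ivh ftp://ftp.ntua.gr/.../yajl-devel-2.1.0-10.el8.x86_64.rpm`, a root install of a package fetched over unauthenticated FTP from a third-party mirror with no checksum or repository GPG key behind it; `yajl-devel` is in the distribution's PowerTools repository, so `sudo dnf config-manager --set-enabled powertools` (repo id `PowerTools` on older 8.x) followed by `sudo yum install -y yajl-devel` obtains it through the signed channel, and the pre-existing rpmfind/mirror.centos.org lines in the 7 branch have the same weakness. The release test `$(cat /etc/*rele* |grep VERSION_ID |awk -F"\"" '{print $2}') -eq 7` reads whatever `/etc/*rele*` globs, prints nothing when `VERSION_ID` is unquoted, and presumably breaks the arithmetic `-eq` on a value like RHEL's `7.9`, sending such a host into the el8 branch; `. /etc/os-release` and `[[ ${VERSION_ID%%.*} -eq 7 ]]` is the usual form. `if [ $? -eq 1 ]` after the modsecurity `wget` only fires for exit status 1, so a network failure (wget exits 4) or a server error (8) falls through to the build with a missing or partial tarball; `if ! wget -O /tmp/modsecurity.tar.gz …; then` covers every failure, and the same `-eq 1` test recurs in the `@@ -67,7` and `@@ -199,14` hunks. The proxy `if` at the top of the hunk opens outside it.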
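Review bot: The message reworded here guards a `wget` that pulls the HAProxy source over plain `http://www.haproxy.org/download/$VERSION_MAJ/src/haproxy-$VERSION.tar.gz` with no checksum or signature check, and what arrives is compiled and installed as root further down; fetching over `https://` and pinning the expected SHA-256 in the script, checked with `sha256sum -c` before the extraction, closes that gap. The wget-to-`cd /tmp` sequence is inside the hunk, but the build it feeds continues below it.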
@@ -131,17 +135,17 @@ Include $HAPROXY_PATH/waf/rules/modsecurity_crs_59_outbound_blocking.conf Include $HAPROXY_PATH/waf/rules/modsecurity_crs_60_correlation.conf EOF -sudo mv /tmp/modsecurity.conf $HAPROXY_PATH/waf/modsecurity.conf +sudo mv /tmp/modsecurity.conf "$HAPROXY_PATH"/waf/modsecurity.conf wget -O /tmp/unicode.mapping https://github.com/SpiderLabs/ModSecurity/raw/v2/master/unicode.mapping -sudo mv /tmp/unicode.mapping $HAPROXY_PATH/waf/unicode.mapping +sudo mv /tmp/unicode.mapping "$HAPROXY_PATH"/waf/unicode.mapping wget -O /tmp/owasp.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz cd /tmp/ sudo tar xf /tmp/owasp.tar.gz sudo mv /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf -sudo mv /tmp/owasp-modsecurity-crs-2.2.9/*rules/* $HAPROXY_PATH/waf/rules/ -sudo sed -i 's/#SecAction/SecAction/' $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf -sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' $HAPROXY_PATH/waf/modsecurity.conf -sudo sed -i 's/SecAuditLogParts ABIJDEFHZ/SecAuditLogParts ABIJDEH/' $HAPROXY_PATH/waf/modsecurity.conf +sudo mv /tmp/owasp-modsecurity-crs-2.2.9/*rules/* "$HAPROXY_PATH"/waf/rules/ +sudo sed -i 's/#SecAction/SecAction/' "$HAPROXY_PATH"/waf/rules/modsecurity_crs_10_setup.conf +sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' "$HAPROXY_PATH"/waf/modsecurity.conf +sudo sed -i 's/SecAuditLogParts ABIJDEFHZ/SecAuditLogParts ABIJDEH/' "$HAPROXY_PATH"/waf/modsecurity.conf sudo rm -f /tmp/owasp.tar.gz sudo rm -f /tmp/owasp-modsecurity-crs-2.2.9 sudo rm -f /tmp/haproxy-$VERSION 
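Review bot: The quoting added to the `mv`/`sed` lines is not applied to the `sudo mv /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example $HAPROXY_PATH/waf/rules/...` line between them, so `$HAPROXY_PATH` is still word-split there (`"$HAPROXY_PATH"/waf/rules/modsecurity_crs_10_setup.conf`). Every artefact in this hunk is staged under fixed names in `/tmp` (`/tmp/modsecurity.conf`, `/tmp/unicode.mapping`, `/tmp/owasp.tar.gz`, the extracted `owasp-modsecurity-crs-2.2.9/`) and then moved into the WAF config directory with `sudo`, so content pre-placed at those paths by another local account would be installed as the ruleset; a per-run `stage=$(mktemp -d)` with `trap 'rm -rf -- "$stage"' EXIT`, used for all of these paths, removes both that exposure and the manual `rm -f` lines (note that `sudo rm -f /tmp/owasp-modsecurity-crs-2.2.9` without `-r` leaves the extracted directory behind). `unicode.mapping` is also fetched from the moving `v2/master` branch rather than a pinned tag, so the installed file is not reproducible. The `cat << EOF` whose `EOF` ends at the top of the hunk begins outside it.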
@@ -184,8 +188,8 @@ spoe-message check-request event on-frontend-http-request EOF -sudo mv /tmp/waf.conf $HAPROXY_PATH/waf.conf -if sudo grep -q "backend waf" $HAPROXY_PATH/haproxy.cfg; then +sudo mv /tmp/waf.conf "$HAPROXY_PATH"/waf.conf +if sudo grep -q "backend waf" "$HAPROXY_PATH"/haproxy.cfg; then echo -e "Backend for WAF exists" else sudo bash -c 'cat << EOF >> /etc/haproxy/haproxy.cfg @@ -199,14 +203,14 @@ EOF' fi sudo rm -f /tmp/modsecurity.tar.gz -sudo rm -rf /tmp/haproxy-$VERSION.tar.gz +sudo rm -rf /tmp/haproxy-"$VERSION".tar.gz sudo systemctl daemon-reload sudo systemctl enable waf sudo systemctl restart waf if [ $? -eq 1 ]; then - echo "error: Can't start Haproxy WAF service
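Review bot: The `sudo grep -q "backend waf"` that decides whether to append the backend now reads `"$HAPROXY_PATH"/haproxy.cfg`, while the `sudo bash -c 'cat << EOF >> /etc/haproxy/haproxy.cfg` two lines below still writes to a hard-coded path; whenever `HAPROXY_PATH` is not `/etc/haproxy`, the check and the write look at different files and the backend is appended again on every run. Use the same variable in both places, e.g. `sudo tee -a "$HAPROXY_PATH"/haproxy.cfg > /dev/null << EOF`, provided the here-doc body (outside this hunk) does not depend on being expanded by the root shell. The here-doc and its closing `fi` extend past the end of this hunk.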

" + echo "error: Can't start Haproxy WAF service" exit 1 fi echo "success" \ No newline at end of file