svn commit: r384686 - in head/www/mod_security: . files

Adam Weinberger adamw at FreeBSD.org
Fri Apr 24 21:19:41 UTC 2015


Author: adamw
Date: Fri Apr 24 21:19:39 2015
New Revision: 384686
URL: https://svnweb.freebsd.org/changeset/ports/384686

Log:
  Update to 2.9.0.
  
  Changes:
  - update ModSecurity to 2.9.0 (released Feb 12, 2015)
  - add JSON parsing support via devel/yajl
  - add support for loading remote configuration, which depends on ftp/curl
  - add optional support for fuzzy hashes via security/ssdeep
  - fix: use lua51 only, ModSecurity does not support lua 5.2 yet
  - add FreeBSD specific README with installation and configuration hints
  - pkg-message: refer users to README
  - install recommended modsecurity.conf using .sample config file convention
  - port skeleton cleanups
  
  PR:		197833
  Submitted by:	maintainer (Walter Hop)

Added:
  head/www/mod_security/files/README.in   (contents, props changed)
  head/www/mod_security/files/pkg-message.in   (contents, props changed)
  head/www/mod_security/pkg-plist   (contents, props changed)
Modified:
  head/www/mod_security/Makefile
  head/www/mod_security/distinfo

Modified: head/www/mod_security/Makefile
==============================================================================
--- head/www/mod_security/Makefile	Fri Apr 24 20:37:56 2015	(r384685)
+++ head/www/mod_security/Makefile	Fri Apr 24 21:19:39 2015	(r384686)
@@ -1,12 +1,11 @@
 # $FreeBSD$
 
 PORTNAME=	mod_security
-PORTVERSION=	2.7.7
-PORTREVISION=	3
+PORTVERSION=	2.9.0
 CATEGORIES=	www security
 MASTER_SITES=	http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX=	${APACHE_PKGNAMEPREFIX}
-DISTNAME=	${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
+DISTNAME=	${PORTNAME:S/_//:S/2//}-${PORTVERSION}
 
 MAINTAINER=	walter at lifeforms.nl
 COMMENT=	Intrusion detection and prevention engine
@@ -14,49 +13,57 @@ COMMENT=	Intrusion detection and prevent
 LICENSE=	APACHE20
 
 LIB_DEPENDS+=	libpcre.so:${PORTSDIR}/devel/pcre \
-		libapr-1.so:${PORTSDIR}/devel/apr1
+		libapr-1.so:${PORTSDIR}/devel/apr1 \
+		libyajl.so:${PORTSDIR}/devel/yajl \
+		libcurl.so:${PORTSDIR}/ftp/curl
 
 USE_APACHE=	22+
 USE_GNOME=	libxml2
 GNU_CONFIGURE=	yes
-USES=		perl5
+USES=		perl5 pkgconfig shebangfix
+SHEBANG_FILES=	tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in
+perl_OLD_CMD=	@PERL@
 
-AP_GENPLIST=	yes
-AP_INC=	${LOCALBASE}/include/libxml2
-AP_LIB=	${LOCALBASE}/lib
+AP_INC=		${LOCALBASE}/include/libxml2
+AP_LIB=		${LOCALBASE}/lib
 MODULENAME=	mod_security2
 SRC_FILE=	*.c
 
 PORTDOCS=	*
 DOCSDIR=	${PREFIX}/share/doc/${MODULENAME}
 
-SUB_FILES+=	mod_security2.conf
+SUB_FILES+=	pkg-message
+SUB_FILES+=	README
 SUB_LIST+=	APACHEETCDIR="${APACHEETCDIR}"
+SUB_LIST+=	APACHEMODDIR="${APACHEMODDIR}"
 
-PLIST_FILES=	etc/modsecurity.conf-example \
-		${APACHEMODDIR}/mod_security2.so \
-		bin/rules-updater.pl \
-		lib/mod_security2.so
+PLIST_SUB+=	APXS="${APXS}"
+PLIST_SUB+=	APACHEMODDIR="${APACHEMODDIR}"
 
-OPTIONS_DEFINE=	LUA MLOGC
+OPTIONS_DEFINE=	DOCS FUZZYHASH LUA MLOGC
+OPTIONS_SUB=	yes
 
 LUA_CONFIGURE_ON=	--with-lua=${LOCALBASE}
 LUA_CONFIGURE_OFF+=	--without-lua
-LUA_USES=		lua
+LUA_USES=		lua:51
 
 MLOGC_DESC=		Build ModSecurity Log Collector
-MLOGC_CONFIGURE_ON=	--with-curl=${LOCALBASE} --disable-errors
+MLOGC_CONFIGURE_ON=	--disable-errors
 MLOGC_CONFIGURE_OFF=	--disable-mlogc
-MLOGC_LIB_DEPENDS=	libcurl.so:${PORTSDIR}/ftp/curl
-MLOGC_PLIST_FILES=	bin/mlogc bin/mlogc-batch-load.pl
+
+FUZZYHASH_DESC=		Allow matching contents using fuzzy hashes with ssdeep
+FUZZYHASH_CONFIGURE_ON=	--with-ssdeep=${LOCALBASE}
+FUZZYHASH_CONFIGURE_OFF=--without-ssdeep
+FUZZYHASH_LIB_DEPENDS=	libfuzzy.so:${PORTSDIR}/security/ssdeep
+
+ETCDIR=		${PREFIX}/etc/modsecurity
 
 # ap2x- prefix OPTIONSFILE fix
 OPTIONSFILE=	${PORT_DBDIR}/www_mod_security/options
-.include <bsd.port.options.mk>
 
 REINPLACE_ARGS=	-i ""
 AP_EXTRAS+=	-DWITH_LIBXML2
-CONFIGURE_ARGS+=	--with-apxs=${APXS} --with-pcre=${LOCALBASE}
+CONFIGURE_ARGS+=--with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE}
 
 post-patch:
 	@${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure
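Review bot: libcurl becomes an unconditional LIB_DEPENDS (L63) and `--with-curl=${LOCALBASE}` moves from the MLOGC option into CONFIGURE_ARGS (L127), so the remote-configuration loader named in the log message is compiled into every build, not only MLOGC ones. A remotely fetched rule set is trusted configuration once loaded, so for anyone who later points that feature at a plain-http or unverified origin this is new attack surface, and nothing in this hunk documents it; I can't see whether the README covers it. If the feature is meant to be opt-in, gate it like the others: `REMOTE_RULES_DESC= Load rules from a remote URL (SecRemoteRules)`, `REMOTE_RULES_LIB_DEPENDS= libcurl.so:${PORTSDIR}/ftp/curl` and `REMOTE_RULES_CONFIGURE_ON= --with-curl=${LOCALBASE}`, with the matching `--without-curl` on the off side. Otherwise a one-line README note that remote rule URLs must be https and that a fetch failure should abort startup would be the minimum.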
@@ -65,10 +72,14 @@ pre-install:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
 
 post-install:
+	@${MKDIR} ${STAGEDIR}${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \
-		${STAGEDIR}${PREFIX}/etc/modsecurity.conf-example
+		${STAGEDIR}${ETCDIR}/modsecurity.conf.sample
+	${INSTALL_DATA} ${WRKSRC}/unicode.mapping \
+		${STAGEDIR}${ETCDIR}/unicode.mapping
 
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
-	(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR})
+	(cd ${WRKSRC} && ${COPYTREE_SHARE} doc ${STAGEDIR}${DOCSDIR})
+	${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}
 
 .include <bsd.port.mk>
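Review bot: the doc tree and the generated README are copied into DOCSDIR unconditionally here, while DOCSDIR is only covered by `PORTDOCS=*` under the new DOCS option (L81, L98); with DOCS unset I'd expect these files to be staged but unlisted and flagged by check-plist. The README is also the one file pkg-message directs users to (`%%DOCSDIR%%/README` in files/pkg-message.in), so simply guarding the copy with `post-install-DOCS-on:` would leave that pointer dangling. I'd move the `doc` tree copy into `post-install-DOCS-on:` and install README to a location that is always packaged, adjusting pkg-message accordingly; the post-install target itself is split across this hunk and the previous context, so the MKDIR for the modules directory above is outside this view.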

Modified: head/www/mod_security/distinfo
==============================================================================
--- head/www/mod_security/distinfo	Fri Apr 24 20:37:56 2015	(r384685)
+++ head/www/mod_security/distinfo	Fri Apr 24 21:19:39 2015	(r384686)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.7.7.tar.gz) = 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b
-SIZE (modsecurity-apache_2.7.7.tar.gz) = 1003835
+SHA256 (modsecurity-2.9.0.tar.gz) = e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
+SIZE (modsecurity-2.9.0.tar.gz) = 4246467

Added: head/www/mod_security/files/README.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/mod_security/files/README.in	Fri Apr 24 21:19:39 2015	(r384686)
@@ -0,0 +1,83 @@
+Configuring ModSecurity on FreeBSD
+----------------------------------
+
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+  LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+  Include etc/modsecurity/*.conf
+
+Getting the Core Rule Set
+-------------------------
+
+ModSecurity requires firewall rule definitions. Most people use the
+OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the
+OWASP CRS repository right now is to use Git. Let's make a directory
+for all our ModSecurity related stuff, and clone the CRS repository
+under it.
+
+  pkg install git
+  cd /usr/local/etc/modsecurity
+  git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+  cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \
+    crs.conf
+
+To activate the CRS base rules, add the following to your httpd.conf:
+
+  Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf
+
+You can also add custom configuration and CRS exceptions here.
+For instance, you might want to disable rules that generate false
+positives. Example:
+
+  SecRuleRemoveById 960015
+
+Starting ModSecurity
+--------------------
+
+When the configuration is all set, simply restart Apache and confirm
+that ModSecurity is loaded by checking Apache's log file:
+
+  apachectl restart
+  tail /var/log/httpd-error.log
+
+Configuring blocking mode
+-------------------------
+
+Now that ModSecurity is active, try making a suspicious request to
+your web server, for instance browse to a URL:
+http://www.example.com/?foo=/etc/passwd. The CRS has a rule against
+this type of request. After browsing to the URL, you should now see
+the request logged in /var/log/modsec_audit.log.
+
+You'll notice that the request succeeds, and the response is sent to
+the browser normally. The reason is that ModSecurity runs in
+"DetectionOnly" mode by default, in order to prevent downtime from
+misconfiguration or heavy-handed blocking. You can enable blocking
+mode simply by editing modsecurity.conf and changing the following
+line:
+
+  SecRuleEngine On
+
+Again, restart Apache. Now, make the same suspicious request to your
+web server. You should now see a "403 Forbidden" error!
+
+In practice, it's probably best to keep SecRuleEngine DetectionOnly
+for some time, while your users exercise the web applications.
+Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see
+what is being blocked. If there are any false positives, you need to
+mitigate this by writing custom exceptions.
+
+Maintenance
+-----------
+
+An essential resource for working with ModSecurity is the ModSecurity
+Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and
+it's good to scan this book before you start writing custom rules and
+exceptions.
+
+You probably want to keep the CRS updated from time to time. You can
+do this with Git:
+
+  cd /usr/local/etc/modsecurity/owasp-modsecurity-crs
+  git pull
+  apachectl restart

Added: head/www/mod_security/files/pkg-message.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/mod_security/files/pkg-message.in	Fri Apr 24 21:19:39 2015	(r384686)
@@ -0,0 +1,9 @@
+
+You have installed ModSecurity.
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+  LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+  Include etc/modsecurity/*.conf
+
+Most users will use the signatures from the OWASP Core Rule Set (CRS).
+For configuration instructions, see %%DOCSDIR%%/README.

Added: head/www/mod_security/pkg-plist
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/mod_security/pkg-plist	Fri Apr 24 21:19:39 2015	(r384686)
@@ -0,0 +1,8 @@
+bin/rules-updater.pl
+lib/mod_security2.so
+%%APACHEMODDIR%%/mod_security2.so
+ at comment @exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so
+ at sample %%ETCDIR%%/modsecurity.conf.sample
+%%ETCDIR%%/unicode.mapping
+%%MLOGC%%bin/mlogc
+%%MLOGC%%bin/mlogc-batch-load.pl
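Review bot: the `@exec %%APXS%% -e -n unique_id -a ...` line is shipped under `@comment`, so nothing in the package enables mod_unique_id, and neither the new README nor pkg-message tells users to load it alongside security2_module. As far as I recall ModSecurity 2.x refuses to finish configuration unless mod_unique_id is present, which would make the documented `apachectl restart` fail right after following the instructions; please confirm against the 2.9.0 sources. Rather than resurrecting an @exec that edits httpd.conf outside the package's own files, I'd drop the commented line and add `LoadModule unique_id_module %%APACHEMODDIR%%/mod_unique_id.so` to the README and pkg-message next to the security2_module line.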

