Subversion Repositories ALCASAR

Compare Revisions

Rev 2487 → Rev 2488

/conf/fail2ban.sh
108,8 → 108,7
backend = auto
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
/var/log/httpd/ssl_error_log
logpath = /var/log/lighttpd/access.log
maxretry = 2
 
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
130,8 → 129,8
backend = auto
filter = alcasar_acc
action = iptables-allports[name=alcasar_acc]
logpath = /var/log/httpd/ssl_error_log
maxretry = 5
logpath = /var/log/lighttpd/access.log
maxretry = 6
 
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]
141,7 → 140,7
backend = auto
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
logpath = /var/log/lighttpd/access.log
maxretry = 5
 
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
153,7 → 152,7
backend = auto
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/httpd/ssl_request_log
logpath = /var/log/lighttpd/access.log
maxretry = 5
 
EOF
184,7 → 183,7
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[client <HOST>:[0-9]+\] .*client denied by server configuration
failregex = <HOST> .+\] "[^"]+" 403
 
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
211,7 → 210,7
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)
failregex = <HOST> .+\] "[^"]+" 401
 
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 
240,7 → 239,7
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
 
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
268,7 → 267,7
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[<HOST>\] \"POST \/password\.php
failregex = <HOST> .* \"POST \/password\.php
 
 
# Option: ignoreregex
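Review bot: The four access-log failregex lines (the second of each pair: `<HOST> .+\] "[^"]+" 403`, `<HOST> .+\] "[^"]+" 401`, and the two `<HOST> .* \"GET …` / `\"POST …` patterns) are not anchored, so `<HOST>` may match an address that appears later in the line, inside request fields the client controls, rather than the peer address at the start. The effect would be that one client can get another address counted toward an all-ports ban. Start each pattern with `^`, for example `failregex = ^<HOST> .+\] "[^"]+" 403` and `failregex = ^<HOST> .* \"POST \/password\.php`, assuming the lighttpd access log puts the client address first. The `password.php` pattern also counts every POST rather than only failed ones, which looks broader than the "5 échecs" comment on the jail; the filter definitions continue outside the lines shown.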
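--- a/conf/lighttpd/conf.d/fastcgi.conf
+++ b/conf/lighttpd/conf.d/fastcgi.conf
@@ -0,0 +1,16 @@
+# FastCGI Module
+# ---------------
+#
+# http://www.lighttpd.net/documentation/fastcgi.html
+#
+
+server.modules += ( "mod_fastcgi" )
+
+fastcgi.server = (
+".php" => (
+"localhost" => (
+"socket" => "/var/lib/php-fpm/php-fpm.sock",
+"broken-scriptfilename" => "enable"
+)
+)
+)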
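Review bot: Nothing in this new file says why `"broken-scriptfilename" => "enable"` is set, and that option changes how SCRIPT_FILENAME and PATH_INFO are handed to PHP, so it only behaves as intended together with the matching `cgi.fix_pathinfo` value in php.ini. I would add a comment above it such as `# requires cgi.fix_pathinfo=1 in php.ini; keep the two in step`. The socket `/var/lib/php-fpm/php-fpm.sock` is the only gate between the web server and PHP-FPM, so its owner and mode (set in the PHP-FPM pool configuration, not visible here) should admit only the lighttpd user; a one-line comment saying so would help the next maintainer.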
/conf/lighttpd/vhosts.d/alcasar.conf
0,0 → 1,89
$HTTP["url"] =~ ".*" {
# Disabling directory listing as default setting
dir-listing.activate = "disable"
}
 
# If a wrong url is used, displaying homepage for unprivileged users
$HTTP["url"] !~ "^/(acc|save)/" {
server.error-handler-404 = "/"
}
 
# Error pages
server.errorfile-prefix = "/var/www/html/errors/error-"
 
$SERVER["socket"] == "alcasar.localdomain:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
 
var.server_name = "alcasar.localdomain"
server.name = server_name
 
server.document-root = "/var/www/html"
}
 
$HTTP["scheme"] == "https" {
 
alias.url = (
"/save" => "/var/Save"
)
 
# Digest authentication configuration
auth.backend = "htdigest"
auth.debug = 1
auth.require = (
"/acc/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
),
"/save/" =>
(
"method" => "digest",
"realm" => "ALCASAR Control Center (ACC)",
"require" => "valid-user"
)
 
)
 
$HTTP["url"] =~ "^/(acc|save)/" {
# Setting digest files according access permissions
$HTTP["url"] =~ "^/acc/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all"
 
$HTTP["url"] =~ "^/acc/admin" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin"
}
 
$HTTP["url"] =~ "^/acc/manager/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager"
}
 
$HTTP["url"] =~ "^/acc/backup/" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
}
}
 
$HTTP["url"] =~ "^/save" {
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup"
# Enabling directory listing
dir-listing.activate = "enable"
}
}
}
 
$HTTP["scheme"] == "http" {
# Force HTTPS for privileged users
$HTTP["url"] =~ "^/(acc|save|(intercept|password).php)" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
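Review bot: `ssl.cipher-list` still ends its preference order with 3DES suites (`ECDH+3DES:DH+3DES:RSA+3DES`), which a newly written vhost has no reason to offer given their 64-bit block size; drop them and exclude the family, i.e. `ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES"`. `auth.debug = 1` reads like a development setting and should be `0` unless something consumes that output. `^/acc/admin` has no trailing slash while `^/acc/manager/` and `^/acc/backup/` do, so it also selects `key_admin` for any path that merely starts with that string; `^/acc/admin/` would match its siblings. In the HTTP redirect condition the dot in `(intercept|password).php` is unescaped and should probably be `\.php`. The section header announces 89 lines and 87 are visible here, so the file may continue past this point.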