Commit f45cfd8e authored by Till Brehm's avatar Till Brehm

Implemented #4872 Extend Apache and Nginx Excludes list

parent b0f89e56
......@@ -141,6 +141,44 @@ class validate_domain {
}
}
/* Check nginx directives */
function web_nginx_directives($field_name, $field_value, $validator) {
global $app;
if(trim($field_value) != '') {
$security_config = $app->getconf->get_security_config('ids');
if($security_config['nginx_directives_scan_enabled'] == 'yes') {
// Get blacklist
$blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist';
if(is_file('/usr/local/ispconfig/security/nginx_directives.blacklist.custom')) $blacklist_path = '/usr/local/ispconfig/security/nginx_directives.blacklist.custom';
if(!is_file($blacklist_path)) $blacklist_path = realpath(ISPC_ROOT_PATH.'/../security/nginx_directives.blacklist');
$directives = explode("\n",$field_value);
$regex = explode("\n",file_get_contents($blacklist_path));
$blocked = false;
$blocked_line = '';
if(is_array($directives) && is_array($regex)) {
foreach($directives as $directive) {
$directive = trim($directive);
foreach($regex as $r) {
if(preg_match(trim($r),$directive)) {
$blocked = true;
$blocked_line .= $directive.'<br />';
};
}
}
}
}
}
if($blocked === true) {
return $this->get_error('nginx_directive_blocked_error').' '.$blocked_line;
}
}
/* internal validator function to match regexp */
function _regex_validate($domain_name, $allow_wildcard = false) {
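Review bot: `$blocked` and `$blocked_line` are assigned only inside the `nginx_directives_scan_enabled` branch of `web_nginx_directives()`, yet `if($blocked === true)` sits outside both `if` blocks, so an empty field or a disabled scan reads an undefined variable; move `$blocked = false; $blocked_line = '';` to the top of the function. The check also fails open: if none of the three blacklist paths exists, `realpath()` returns false, `file_get_contents()` yields no patterns and every directive passes. A blank line in the list also reaches `preg_match()` as an empty pattern, so I would return an error when the list cannot be read and skip blank entries with `if(trim($r) == '') continue;`. `$directive` is appended to the message next to `<br />` without escaping; if the form renders validator errors as HTML (not visible here), wrap it in `htmlspecialchars($directive, ENT_QUOTES)`.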
......
......@@ -859,6 +859,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin'
'nginx_directives' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXT',
'validators' => array ( 0 => array(
'type' => 'CUSTOM',
'class' => 'validate_domain',
'function' => 'web_nginx_directives',
'errmsg' => 'nginx_directive_blockd_error'
),
),
'default' => '',
'value' => '',
'width' => '30',
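Review bot: The validator entry sets `'errmsg' => 'nginx_directive_blockd_error'`, which is missing the `e` of the key `nginx_directive_blocked_error` that the language files in this commit define and that `web_nginx_directives()` passes to `get_error()`. Because the validator builds its own message the typo may never surface, but any code path that resolves `errmsg` would find no translation; change it to `'errmsg' => 'nginx_directive_blocked_error'`. The field array starts and ends outside the hunk.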
......
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'Porta HTTP';
$wb['https_port_txt'] = 'Porta HTTPS';
$wb['http_port_error_regex'] = 'Porta HTTP inválida.';
$wb['https_port_error_regex'] = 'Porta HTTPS inválida.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
\ No newline at end of file
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'Порт HTTP';
$wb['https_port_txt'] = 'Порт HTTPS';
$wb['http_port_error_regex'] = 'Некорректный порт HTTP.';
$wb['https_port_error_regex'] = 'Некорректный порт HTTPS.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
......@@ -133,4 +133,5 @@ $wb['http_port_txt'] = 'HTTP Port';
$wb['https_port_txt'] = 'HTTPS Port';
$wb['http_port_error_regex'] = 'HTTP Port invalid.';
$wb['https_port_error_regex'] = 'HTTPS Port invalid.';
$wb['nginx_directive_blocked_error'] = 'Nginx directive blocked by security settings:';
?>
/^\s*(LoadModule|LoadFile|Include)(\s+|[\\\\])/mi
/^\s*(LoadModule|LoadFile|Include|IncludeOptional)(\s+|[\\\\])/mi
/^\s*(SuexecUserGroup|suPHP_UserGroup|suPHP_PHPPath|suPHP_ConfigPath)(\s+|[\\\\])/mi
/^\s*(FCGIWrapper|FastCgiExternalServer)(\s+|[\\\\])/mi
\ No newline at end of file
/^\s*(load_module)(\s+|[\\\\])/mi
\ No newline at end of file
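Review bot: The `load_module` pattern is anchored at line start with `^\s*`, and the validator in this commit tests each newline-separated input line on its own, whereas nginx ends a directive with `;` or a block brace rather than a newline, so the entry appears to cover only a directive that is the first token on its line. Consider anchoring on the statement boundary as well, e.g. `/(^|[;{}])\s*(load_module)(\s+|[\\\\])/mi`. The file ending without a trailing newline matters here: a trailing blank line would be passed to `preg_match()` as an empty pattern, so that constraint is worth stating in the project documentation for custom blacklists.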
......@@ -26,6 +26,7 @@ ids_block_level=100
sql_scan_enabled=yes
sql_scan_action=warn
apache_directives_scan_enabled=yes
nginx_directives_scan_enabled=yes
[systemcheck]
security_admin_email=root@localhost
......