diff --git a/bin/vhost-cgi-wrap.sh b/bin/vhost-cgi-wrap.sh
new file mode 100755
index 0000000..d77ce10
--- /dev/null
+++ b/bin/vhost-cgi-wrap.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+#
+# vhost-stack
+# https://git.stack-source.com/msb/vhost-stack
+# MIT License Copyright (c) 2022 Matthew Saunders Brown
+
+# load include file
+source $(dirname $0)/vhost.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Create CGI Wrapper for virtualhost."
+ echo ""
+ echo "usage: $thisfilename --d [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -d Domain name of VirtualHost to create cgi-wrapper for."
+ exit
+}
+
+vhost:getoptions "$@"
+
+# check for domain (virtualhost)
+if [[ -z $domain ]]; then
+ echo "domain is required"
+ exit
+fi
+
+if [[ -d "/srv/www/$domain" ]]; then
+ # get and set $username
+ username=$(stat -c '%U' /srv/www/$domain)
+else
+ echo "VirtualHost dir for $domain does not exist."
+ exit 1
+fi
+
+if [[ -f /usr/local/lib/cgi-wrap/$domain/cgiwrap ]]; then
+ echo "cgi-wrapper for $domain already exists"
+ exit 1
+fi
+
+if ! grep -q ":/usr/jails/$username/./home/$username:" /etc/passwd; then
+ echo "$username must be jailed before creating cgi-wrapper."
+ exit 1
+fi
+
+if [[ -d /usr/jails/$username ]]; then
+ if [[ ! -d /usr/jails/$username/usr/jails/$username/ ]]; then
+ mkdir -p /usr/jails/$username/usr/jails/$username/
+ cd /usr/jails/$username/usr/jails/$username/
+ ln -s /home ./home
+ fi
+else
+ echo "Jail dir for $username does not exist."
+ exit 1
+fi
+
+if [[ ! -d /usr/local/lib/cgi-wrap/$domain ]]; then
+ mkdir -p /usr/local/lib/cgi-wrap/$domain
+fi
+
+cd /usr/local/src
+
+if [[ -d cgiwrap-4.1 ]]; then
+ rm -r cgiwrap-4.1
+fi
+
+if [[ ! -f cgiwrap-4.1.tar.gz ]]; then
+ wget --quiet https://github.com/cgiwrap/cgiwrap/releases/download/cgiwrap-4.1/cgiwrap-4.1.tar.gz
+fi
+
+if [[ -f cgiwrap-4.1.tar.gz ]]; then
+ tar zxf cgiwrap-4.1.tar.gz
+else
+ echo "cgiwrap-4.1.tar.gz does not exist and failed to download"
+ exit 1
+fi
+
+cd cgiwrap-4.1
+./configure --with-chroot=/usr/jails/$username --with-rlimit-core=0 --with-rlimit-cpu=60 --without-redirect-stderr --without-logging-file --with-httpd-user=www-data --with-cgi-dir=$domain/cgi-bin --with-install-dir=/usr/local/lib/cgi-wrap/$domain --with-wall --with-local-contact-email=webmaster@$domain
+make
+make install
+
+echo "Make sure the desired scripting languages are installed in the $username jail. e.g.:"
+echo "jk_init -k -j /usr/jails/$username perl"
+echo "jk_init -k -j /usr/jails/$username python3"
+echo "jk_init -k -j /usr/jails/$username ruby"
diff --git a/etc/apache2/mods-available/macro.conf b/etc/apache2/mods-available/macro.conf
index fd0af94..2bc6aba 100644
--- a/etc/apache2/mods-available/macro.conf
+++ b/etc/apache2/mods-available/macro.conf
@@ -24,7 +24,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$vhost/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$vhost/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
@@ -36,7 +39,6 @@ ServerName $subdomain.$vhost ServerAlias $subdomain.$vhost.example.com DocumentRoot /srv/www/$vhost/$subdomain - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
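Review bot: The tarball fetched by `wget` (or any `cgiwrap-4.1.tar.gz` already present in /usr/local/src) is extracted, configured and installed with no integrity check, and cgiwrap is normally installed setuid root, so the archive's contents end up running with privilege. Pin the release digest and verify it before `tar zxf`, e.g. `echo "<EXPECTED_SHA256>  cgiwrap-4.1.tar.gz" | sha256sum -c - || exit 1` (placeholder digest; take the real one from a trusted copy of the release). `cd /usr/local/src` ahead of `rm -r cgiwrap-4.1` is unchecked, so after a failed `cd` the delete and the build run in whatever directory the script was left in; `cd /usr/local/src || exit 1` closes that, and the same applies to `cd cgiwrap-4.1`, `./configure` and `make`. `$domain` reaches `mkdir -p` and `./configure` unquoted and, as far as this hunk shows, unvalidated, so confirm that `vhost:getoptions` rejects values containing `/` or `..`.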
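Review bot: `ScriptAlias /cgi-wrap/` in the `@@ -24,7 +24,10 @@` hunk makes the wrapper directory directly requestable, so a client can bypass the `/cgi-bin/` rewrite and supply the user segment after `/cgi-wrap/cgiwrap/` itself, and can reach whatever else `make install` places in that directory (cgiwrap usually ships a `cgiwrapd` debug variant that prints environment and path details). Consider admitting only rewritten requests, for example by changing the flag to `[PT,E=VIA_CGI_BIN:1]` and adding `Require env VIA_CGI_BIN` in a `<Location "/cgi-wrap/">` block (variable name constructed here; test that it survives the pass-through on your Apache version). The `RewriteCond %{REQUEST_URI} ^/cgi-bin/.*` line repeats the rule's own pattern and can be dropped. The same lines recur in the hunks at -50, -65, -108, -211, -224 and -239, whose enclosing macro blocks lie outside the hunks. Vhosts for which vhost-cgi-wrap.sh has not been run appear to lose `/cgi-bin/` entirely, which deserves a comment in the macro.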
@@ -50,7 +52,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$vhost/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$vhost/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] ## ## ## Redirect 301 "https://%{HTTP_HOST}%{REQUEST_URI}"
@@ -65,7 +70,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$vhost/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$vhost/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
@@ -108,7 +116,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$vhost/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$vhost/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
@@ -132,7 +143,6 @@ ServerName $subdomain.$vhost ServerAlias $subdomain.$vhost.example.com DocumentRoot /srv/www/$vhost/$subdomain - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
@@ -211,7 +221,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$alias/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$alias/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
@@ -224,7 +237,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$alias/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$alias/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] ## ## ## Redirect 301 "https://%{HTTP_HOST}%{REQUEST_URI}"
@@ -239,7 +255,10 @@ ServerAlias www.$vhost ServerAlias $vhost.example.com DocumentRoot /srv/www/$alias/html - ScriptAlias /cgi-bin/ /srv/www/$vhost/cgi-bin/ + ScriptAlias /cgi-wrap/ "/usr/local/lib/cgi-wrap/$alias/" + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/cgi-bin/.* + RewriteRule ^/cgi-bin/(.*) /cgi-wrap/cgiwrap/$username/$1 [PT] SetHandler "proxy:unix:/run/php/php7.4-fpm-$username.sock|fcgi://localhost"
diff --git a/install.sh b/install.sh
index a972050..5821a9a 100755
--- a/install.sh
+++ b/install.sh
@@ -82,10 +82,10 @@ echo ' AllowOverride All' >> /etc/apache2/conf-available/security.conf echo ' Options Includes FollowSymLinks' >> /etc/apache2/conf-available/security.conf echo ' Require all granted' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf -echo '' >> /etc/apache2/conf-available/security.conf -echo ' AllowOverride None' >> /etc/apache2/conf-available/security.conf -echo ' Options none' >> /etc/apache2/conf-available/security.conf -echo ' Require all granted' >> /etc/apache2/conf-available/security.conf +echo '' >> /etc/apache2/conf-available/security.conf +echo ' AllowOverride None' >> /etc/apache2/conf-available/security.conf +echo ' Options None' >> /etc/apache2/conf-available/security.conf +echo ' Require all granted' >> /etc/apache2/conf-available/security.conf echo '' >> /etc/apache2/conf-available/security.conf # configure php