Upraveno warden-apache.readme

8632cad4 · Michal Kostenec · b5c5a431 · 8632cad4 · 8632cad4 · 8632cad4
Commit 8632cad4 authored 13 years ago by Michal Kostenec
--- a/packages/TODO.zcu
+++ b/packages/TODO.zcu
 * sjednotit warden-client.conf a warden-server.conf 
 * ipv6
 * zrusit vsude licence a nahradit jedinym radkem s odkazem
-* generovani konfigutracnich souboru z template z balicku a ne primo ze shell skriptu
+* generovani konfiguracnich souboru z template z balicku a ne primo ze shell skriptu
 * verze klienta a serveru jsou mimo sync coz je osklive, proc mam pouzivat c1.1.1 a s0.1.1 ? to nedava smysl ...

--- a/packages/build-client.sh
+++ b/packages/build-client.sh
@@ -49,7 +49,7 @@ err()
 #-------------------------------------------------------------------------------

 # edit when you build new package
-version="1.1.0"
+version="1.1.1"

 package_name="warden-client"
 package="$package_name-$version"

--- a/src/warden-client/lib/WardenClientReceive.pm
+++ b/src/warden-client/lib/WardenClientReceive.pm
@@ -36,10 +36,11 @@ package WardenClientReceive;
 use strict;
 use SOAP::Lite;
 use IO::Socket::SSL qw(debug1);
-use SOAP::Transport::TCP;
+#use SOAP::Transport::TCP;
+use SOAP::Transport::HTTP;
 use FindBin;

-our $VERSION = "1.2";
+our $VERSION = "1.1";

 #-------------------------------------------------------------------------------
 # errMsg - print error message and die
@@ -54,6 +55,52 @@ sub errMsg
 #-------------------------------------------------------------------------------
 # c2s - connect to server, send request and receive response
 #-------------------------------------------------------------------------------
+#sub c2s 
+#{
+#  my $uri		= shift;
+#  my $ssl_key_file	= shift;
+#  my $ssl_cert_file	= shift;
+#  my $ssl_ca_file	= shift;
+#  my $method		= shift;
+#  my $data		= shift;
+#
+#  my $client;
+#  my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
+#  if (!($client = SOAP::Transport::TCP::Client->new(
+#    PeerAddr            => $server,
+#    PeerPort            => $port,
+#    Proto               => 'tcp',
+#    SSL_use_cert        => 1,
+#    SSL_verify_mode     => 0x02,
+#    SSL_key_file        => $ssl_key_file,
+#    SSL_cert_file       => $ssl_cert_file,
+#    SSL_ca_file         => $ssl_ca_file,
+#  ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
+#
+#  # setting of URI and serialize SOAP envelope and data object
+#  my $soap = SOAP::Lite->uri($uri);
+#  my $envelope;
+#  if (!defined $data) {
+#    $envelope = $soap->serializer->envelope(method => $method);
+#  } else {
+#    $envelope = $soap->serializer->envelope(method => $method, $data);
+#  }
+#
+#  # setting of TCP URI and send serialized SOAP envelope and data
+#  my $tcp_uri = "tcp://$server:$port/$service";
+#  my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);
+#
+#  # check server response
+#  if (!defined $result) {
+#    errMsg("Error: server returned empty response." . "\n" . "Problem with used SSL ceritificates or Warden server at $server:$port is down.");
+#  } else {
+#    # deserialized response from server -> create SOAP envelope and data object
+#    my $response = $soap->deserializer->deserialize($result);
+#    # check SOAP fault status
+#    $response->fault ? errMsg("Server sent error message:: " . $response->faultstring) : return $response;
+#  }
+#}
+
 sub c2s 
 {
  my $uri		= shift;
@@ -65,19 +112,17 @@ sub c2s

  my $client;
  my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
-  if (!($client = SOAP::Transport::TCP::Client->new(
-    PeerAddr            => $server,
-    PeerPort            => $port,
-    Proto               => 'tcp',
-    SSL_use_cert        => 1,
-    SSL_verify_mode     => 0x02,
-    SSL_key_file        => $ssl_key_file,
-    SSL_cert_file       => $ssl_cert_file,
-    SSL_ca_file         => $ssl_ca_file,
-  ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
+  if (!($client = SOAP::Transport::HTTP::Client->new(
+))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::HTTP::Client::errstr)}
+  $client->ssl_opts( 	verify_hostname     => 1,
+        		SSL_use_cert        => 1,
+        		SSL_verify_mode     => 0x02,
+        		SSL_key_file        => $ssl_key_file,
+        		SSL_cert_file       => $ssl_cert_file,
+        		SSL_ca_file         => $ssl_ca_file);

  # setting of URI and serialize SOAP envelope and data object
-  my $soap = SOAP::Lite->uri($uri);
+  my $soap     = SOAP::Lite->uri($service)->proxy($uri);
  my $envelope;
  if (!defined $data) {
    $envelope = $soap->serializer->envelope(method => $method);
@@ -86,7 +131,7 @@ sub c2s
  }

  # setting of TCP URI and send serialized SOAP envelope and data
-  my $tcp_uri = "tcp://$server:$port/$service";
+  my $tcp_uri = "https://$server:$port/$service";
  my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);

  # check server response
@@ -101,6 +146,8 @@ sub c2s
 }


+
+
 #-------------------------------------------------------------------------------
 # getNewEvents - get new events from warden server greater than last received ID
 #-------------------------------------------------------------------------------
@@ -145,19 +192,20 @@ sub getNewEvents

  # create SOAP data obejct
  my $request_data = SOAP::Data->name(request => \SOAP::Data->value(
-                     SOAP::Data->name(REQUESTED_TYPE => $requested_type),
-                     SOAP::Data->name(LAST_ID => $last_id)
+    SOAP::Data->name(REQUESTED_TYPE => $requested_type),
+    SOAP::Data->name(LAST_ID => $last_id)
  ));
-  # call server method getNewEvents 
  my $response = c2s($uri, $ssl_key_file, $ssl_cert_file, $ssl_ca_file, "getNewEvents", $request_data);

+  # match getNewEvents functions response
+  $response->match('/Envelope/Body/getNewEventsResponse/');
  my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
  my @events;

  # parse returned SOAP data object
-  my @response_list = $response->valueof('/Envelope/Body/getNewEventsResponse/event/');
-  while (scalar @response_list) {
-    my $response_data = shift(@response_list);
+  my $i = 1;
+  my $response_data = $response->valueof("[$i]");
+  while (defined $response_data) {
    my @event;

    # parse items of one event
@@ -181,8 +229,12 @@ sub getNewEvents

    # set maximum received ID from current batch
    if ($id > $last_id) {
-      $last_id = $id;
+	    $last_id = $id;
    }
+
+    # go to the next received event
+    $i++;
+    $response_data = $response->valueof("[$i]");
  }

  # write last return ID
@@ -192,6 +244,7 @@ sub getNewEvents
    close ID;
  }

+  # return event array of arrays 
  return @events;
 } # End of getNewEvents


--- a/src/warden-client/lib/WardenClientSend.pm
+++ b/src/warden-client/lib/WardenClientSend.pm
@@ -35,12 +35,12 @@ package WardenClientSend;

 use strict;
 use SOAP::Lite;
+#use SOAP::Lite 'trace', 'debug';
 use IO::Socket::SSL qw(debug1);
-use SOAP::Transport::TCP;
-
+#use SOAP::Transport::TCP;
+use SOAP::Transport::HTTP;
 our $VERSION = "1.1";

-
 #-------------------------------------------------------------------------------
 # errMsg - print error message and die
 #-------------------------------------------------------------------------------
@@ -65,23 +65,21 @@ sub c2s

  my $client;
  my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
-  if (!($client = SOAP::Transport::TCP::Client->new(
-    PeerAddr            => $server,
-    PeerPort            => $port,
-    Proto               => 'tcp',
-    SSL_use_cert        => 1,
-    SSL_verify_mode     => 0x02,
-    SSL_key_file        => $ssl_key_file,
-    SSL_cert_file       => $ssl_cert_file,
-    SSL_ca_file         => $ssl_ca_file,
-  ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
+  if (!($client = SOAP::Transport::HTTP::Client->new(
+))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::HTTP::Client::errstr)}
+  $client->ssl_opts( 	verify_hostname     => 1,
+        		SSL_use_cert        => 1,
+        		SSL_verify_mode     => 0x02,
+        		SSL_key_file        => $ssl_key_file,
+        		SSL_cert_file       => $ssl_cert_file,
+        		SSL_ca_file         => $ssl_ca_file);

  # setting of URI and serialize SOAP envelope and data object
-  my $soap     = SOAP::Lite->uri($uri);
+  my $soap     = SOAP::Lite->uri($service)->proxy($uri);
  my $envelope = $soap->serializer->envelope(method => $method, $data);
-
-  # setting of TCP URI and send serialized SOAP envelope and data
-  my $tcp_uri = "tcp://$server:$port/$service";
+  
+# setting of TCP URI and send serialized SOAP envelope and data
+  my $tcp_uri = "https://$server:$port/$service";
  my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);

  # check server response

--- a/src/warden-client/sh/install.sh
+++ b/src/warden-client/sh/install.sh
@@ -156,7 +156,8 @@ old_client_chck()
 perl_chck()
 {
 	echo -n "Checking Perl interpreter ... "
-	if which perl 1> /dev/null; then
+	which perl 1>/dev/null; ret_val=`echo $?`
+	if [ $ret_val -eq 0 ]; then
 		echo "OK"
 	else
 		echo "FAILED!"
@@ -171,7 +172,8 @@ modules_chck()
 	for module in ${modules[@]};
 	do
 		echo -n "Checking $module module ... "
-		if perl -e "use $module" 2> $err; then
+		perl -e "use $module" 2> $err; ret_val=`echo $?`
+		if [ $ret_val -eq 0 ]; then
 			echo "OK"
 		else
 			err
@@ -183,7 +185,8 @@ modules_chck()
 make_warden_dir()
 {
 	echo -n "Creating warden client directory ... "
-	if cp -R ${dirname}/warden-client $prefix 2> $err; then
+	cp -R $dirname/warden-client $prefix 2> $err; ret_val=`echo $?`
+	if [ $ret_val -eq 0 ]; then
 		echo "OK"
 	else
 		err_clean
@@ -192,16 +195,17 @@ make_warden_dir()
 	files=(CHANGELOG INSTALL LICENSE README README.cesnet)
 	for file in ${files[@]};
 	do
-		cp ${dirname}/$file "${client_path}/doc"
+		cp $dirname/$file "$client_path/doc"
 	done
-	cp ${dirname}/uninstall.sh "$client_path"
+	cp $dirname/uninstall.sh "$client_path"
 }


 copy_key()
 {
 	echo -n "Copying certificate key file ... "
-	if cp $key $etc 2> $err; then
+	cp $key $etc 2> $err; ret_val=`echo $?`
+	if [ $ret_val -eq 0 ]; then
 		echo "OK"
 	else
 		err_clean
@@ -212,7 +216,8 @@ copy_key()
 copy_cert()
 {
 	echo -n "Copying certificate file ... "
-	if cp $cert $etc 2> $err; then
+	cp $cert $etc 2> $err; ret_val=`echo $?`
+	if [ $ret_val -eq 0 ]; then
 		echo "OK"
 	else
 		err_clean
@@ -235,17 +240,17 @@ make_conf_file()
 #-------------------------------------------------------------------------------
 # SSL_KEY_FILE - path to client SSL certificate key file
 #-------------------------------------------------------------------------------
-\$SSL_KEY_FILE = \"${etc}/${key_file}\";
+\$SSL_KEY_FILE = \"$etc/$key_file\";

 #-------------------------------------------------------------------------------
 # SSL_CERT_FILE - path to client SSL certificate file
 #-------------------------------------------------------------------------------
-\$SSL_CERT_FILE = \"${etc}/${cert_file}\";
+\$SSL_CERT_FILE = \"$etc/$cert_file\";

 #-------------------------------------------------------------------------------
 # SSL_CA_FILE - path to CA certificate file
 #-------------------------------------------------------------------------------
-\$SSL_CA_FILE = \"${ca_file}\";
+\$SSL_CA_FILE = \"$ca_file\";
 " > $conf_file 2> $err; ret_val=`echo $?`

 	if [ $ret_val -eq 0 ]; then
@@ -259,10 +264,8 @@ make_conf_file()
 change_permissions()
 {
 	echo -n "Changing permissions to installed package ... "
-	chown -R $user: $client_path 2> $err || err_clean
-	chmod 400 ${etc}/$key_file ${etc}/$cert_file || err_clean
-	chmod 644 ${etc}/package_version || err_clean
-	if chmod 600 $conf_file; then
+	chown -R $user: $client_path 2>$err; ret_val=`echo $?`
+	if [ $ret_val -eq 0 ]; then
 		echo "OK"
 	else
 		err_clean
@@ -306,13 +309,13 @@ params_chck

 # create variables
 dirname=`dirname $0`
-package_version=`cat ${dirname}/warden-client/etc/package_version`
+package_version=`cat $dirname/warden-client/etc/package_version`
 key_file=`basename $key`
 cert_file=`basename $cert`
 [[ $prefix == */ ]] && prefix="${prefix%?}" # remove last char (slash) from prefix
-client_path="${prefix}/warden-client"
-etc="${client_path}/etc"
-conf_file="${etc}/warden-client.conf"
+client_path="$prefix/warden-client"
+etc="$client_path/etc"
+conf_file="$etc/warden-client.conf"
 err="/tmp/warden-err"

 # check if warden-client is installed
@@ -349,8 +352,6 @@ change_permissions
 echo
 echo "Please check configuration file in $conf_file!"
 echo
-echo "Warden client directory: $client_path"
-echo
 echo "Installation of $package_version package was SUCCESSFUL!!!"

 # cleanup section

--- a/src/warden-server/doc/warden-apache.readme
+++ b/src/warden-server/doc/warden-apache.readme
-apache2
-mysql-server
-a2enmod ssl
-libapache2-mod-perl2
-mysql -u root -p < warden.sql
-libcrypt-x509-perl
-libmime-base64-perl
-apache2-mpm-prefork
-
-<IfModule mpm_prefork_module>
-    StartServers          2
-    MinSpareServers       4
-    MaxSpareServers       8
-    ServerLimit           700
-    MaxClients            700
-    MaxRequestsPerChild   0
-</IfModule>
-Timeout 10
-KeepAlive Off
-
-
-Instalace Apache
-Povoleni SSL
-Instalace mod_perl
-Apache - Virtual Host <*:443> - pro jine jeste povolit port
-Include cesty do Apache
-Nastaveni spravnych Adres - klient, server
-Nastaveni db na serveru
-Pouziti jineho cert server/client
-Instalace 2 balicku
-Instalace prefork
-nastavni apache2.conf
-================
-Instalace DB
-restore db z adr. etc/warden.sql 
-
-====
-Instalace serveru do jine cesty nez /opt -> nevytvari adresar, nemaze pri odinstalaci
+Strucny technicky navod pro preklopeni Warden serveru pod Apache a mod_perl
+===========================================================================

+INSTALACE
+=========

+1) Instalace Apache a MySQL DB
+	
+	aptitude install apache2 mysql-server

+2) Povoleni mod_ssl

+	an2enmod ssl

+3) Instalace knihovny mod_perl
+
+	libapache2-mod-perl2
+
+4) Instalace podpory metody prefork pro Apache
+
+	apache2-mpm-prefork
+
+5) Instalace nove pridanych modulu
+
+	aptitude install libcrypt-x509-perl libmime-base64-perl
+
+
+Konfigurace
+===========
+
+1) Nastaveni APACHE 
+
+	a) /etc/apache2/sites-enables/default
+		- konfigurace sekce <VirtualHost *:443>
+		- includovani potrebnych parametru ze souboru {warden-server}/etc/warden-apache.conf
+			Include /opt/warden-server/etc/warden-apache.conf
+	
+	b) Nastaveni vykonovych parametru Apache (/etc/apache2/apache2.conf)
+		- modul prefork (nastavujte dle vykonu vaseho serveru)
+		= pro 12C, 16GB RAM funguje dobre
+
+			<IfModule mpm_prefork_module>
+			    StartServers          2
+			    MinSpareServers       4
+			    MaxSpareServers       8
+			    ServerLimit           700
+			    MaxClients            700
+			    MaxRequestsPerChild   0
+			</IfModule>
+
+
+		- parametry spojeni
+			
+			Timeout 10
+			KeepAlive Off
+
+
+	c) restartovani Apache po kazde zmene Warden.pm (serverova cast)
+
+
+2) Nastaveni DB
+
+	a) (volitelne) Vytvoreni noveho uzivatele
+	b) Vytvoreni databazove struktury
+
+		mysql -u uzivatel -p heslo < {warden-server}/doc/warden.mysql
+
+3) Nastaveni warden-server.conf, warden-client.conf, {warden-server}/etc/warden-apache.conf
+
+	a) Zkontrolovat spravnost IP adres, portu a hlavne cest k certifikatum + nove udaje pro pripojeni do DB
+	b) Pro klienta a server na jednom stroji jsou zrejme treba 2 ruzne certifikaty (me to jinak nejde, zkuste;))