Commit e83ceb46 authored by Paul Cammish's avatar Paul Cammish

Tweaks to order of operation

parent 0d7f88df
......@@ -62,25 +62,28 @@ function secure_domain_dir()
find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
setfacl -R -d -m u::rwx -m g::rwx -m o::rx "${domain}/public/"
find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)
fi
# Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
# By default this is left unprotected, and includes IP addresses which are classified
# under GDPR as personally identifiable
# Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
# By default this is left unprotected, and includes IP addresses which are classified
# under GDPR as personally identifiable
if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ]; then
if [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" 2> /dev/null ) != 0 ]; then
echo "# Prevent unauthorized access to stats
if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ]; then
if [ -d "${domain}/public/htdocs/stats/" ] && [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
echo "# Prevent unauthorized access to stats and enforce HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
AuthType Basic
AuthName \"Access Restricted\"
AuthUserFile ${domain}/config/stats-htaccess
Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
fi
fi
fi
fi
fi
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
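Review bot: The generated .htaccess puts the HTTPS redirect and the Basic auth directives in the same per-directory file, and in that context Apache normally runs authentication before mod_rewrite, so a visitor arriving over plain HTTP can be asked for the stats password, and send it in cleartext, before the 301 is issued. If these hosts run Apache 2.4, one common approach is to wrap the `AuthType`/`AuthName`/`AuthUserFile`/`Require valid-user` lines in an `<If "%{HTTPS} == 'on'">` block, or to do the redirect at vhost level, so credentials are only requested over TLS. Separately, the new condition `[ -d … ] && [ $( grep -c … ) != 0 ]` no longer has the `2> /dev/null`: when the directory exists but index.html does not, grep prints an error and the unquoted substitution expands to nothing. Using `grep -q 'webalizer' "${domain}/public/htdocs/stats/index.html" 2> /dev/null` as the second condition avoids both problems. secure_domain_dir starts and ends outside this hunk, so whether the script runs as root over a user-writable tree cannot be confirmed from here.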