Rewrite Geoblock (use new mmdb) (#2675)

enoch85 · web-flow · commit 4fba8c8f9e57 · 2024-09-19T18:31:57.000+02:00
diff --git a/lib.sh b/lib.sh
@@ -134,6 +134,10 @@ nc_update() {
     NCBAD=$((NCMAJOR-2))
     NCNEXT="$((${CURRENTVERSION%%.*}+1))"
 }
+maxmind_geoip() {
+    # shellcheck source=/dev/null
+    source <(curl -sL https://shortio.hanssonit.se/t3vm7ro4CP)
+}
 # Set the hour for automatic updates. This would be 18:00 as only the hour is configurable.
 AUT_UPDATES_TIME="18"
 # Keys
@@ -149,6 +153,9 @@ HTTP_CONF="nextcloud_http_domain_self_signed.conf"
 # Collabora App
 HTTPS_CONF="$SITES_AVAILABLE/$SUBDOMAIN.conf"
 HTTP2_CONF="/etc/apache2/mods-available/http2.conf"
+# GeoBlock
+GEOBLOCK_MOD_CONF="/etc/apache2/conf-available/geoblock.conf"
+GEOBLOCK_MOD="/etc/apache2/mods-available/maxminddb.load"
 # PHP-FPM
 PHPVER=8.3
 PHP_FPM_DIR=/etc/php/$PHPVER/fpm
@@ -394,55 +401,31 @@ curl "https://api.metadefender.com/v4/hash/$hash" -H "apikey: $apikey"
 }
 
 # Used in geoblock.sh
-download_geoip_dat() {
-# 1 = IP version 4 or 6
-# 2 = v4 or v6
-if site_200 https://dl.miyuru.lk/geoip/maxmind/country/maxmind"$1".dat.gz
-then
-    curl_to_dir https://dl.miyuru.lk/geoip/maxmind/country maxmind"$1".dat.gz /tmp
-    # Scan file for virus
-    if ! metadefender-scan /tmp/maxmind"$1".dat.gz | grep '"scan_all_result_a":"No Threat Detected","current_av_result_a":"No Threat Detected"'
+download_geoip_mmdb() {
+    maxmind_geoip
+    export MwKfcYATm43NMT
+    export i9HL69SLnp4ymy 
+    {
+    echo "GEOIPUPDATE_ACCOUNT_ID=$MwKfcYATm43NMT"
+    echo "GEOIPUPDATE_LICENSE_KEY=$i9HL69SLnp4ymy"
+    echo "GEOIPUPDATE_EDITION_IDS=GeoLite2-City GeoLite2-Country"
+    echo "GEOIPUPDATE_FREQUENCY=0"
+    echo "GEOIPUPDATE_PRESERVE_FILE_TIMES=1"
+    echo "GEOIPUPDATE_VERBOSE=1"
+    } > /tmp/dockerenv
+    unset MwKfcYATm43NMT
+    unset i9HL69SLnp4ymy 
+    install_docker
+    if docker run --name maxmind --env-file /tmp/dockerenv -v /usr/share/GeoIP:/usr/share/GeoIP ghcr.io/maxmind/geoipupdate
     then
-        msg_box "Potential threat found in /tmp/maxmind$1.dat.gz! Please report this to $ISSUES. We will now delete the file!"
-        rm -f /tmp/maxmind"$1".dat.gz
+        docker rm -f maxmind
+        rm -f /tmp/dockerenv
     else
-        install_if_not gzip
-        gzip -d /tmp/maxmind"$1".dat.gz
-        mv /tmp/maxmind"$1".dat /usr/share/GeoIP/GeoIP"$2".dat
-        chown root:root /usr/share/GeoIP/GeoIP"$2".dat
-        chmod 644 /usr/share/GeoIP/GeoIP"$2".dat
-        find "$SCRIPTS" -type f -regex "$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IP$2\.dat" -delete
-        rm -f /usr/share/GeoIP/GeoIP.dat
-    fi
-fi
-}
-
-get_newest_dat_files() {
-# Check current month and year
-CURR_MONTH="$(date +%B)"
-# https://stackoverflow.com/a/12487455
-CURR_MONTH="${CURR_MONTH^}"
-CURR_YEAR="$(date +%Y)"
-
-# Check latest updated
-if site_200 https://www.miyuru.lk/geoiplegacy
-then
-    if curl -s https://www.miyuru.lk/geoiplegacy | grep -q "$CURR_MONTH $CURR_YEAR"
-    then
-        # DIFF local file with month from curl
-        # This is to know if the online file is the same month as the local file
-        LOCAL_FILE_TIMESTAMP=$(date -r /usr/share/GeoIP/GeoIPv4.dat "+%B %Y")
-        LOCAL_FILE_TIMESTAMP="${LOCAL_FILE_TIMESTAMP^}"
-        ONLINE_FILE_TIMESTAMP="$CURR_MONTH $CURR_YEAR"
-        if [ "$ONLINE_FILE_TIMESTAMP" != "$LOCAL_FILE_TIMESTAMP" ]
-        then
-            # IPv4
-            download_geoip_dat "4" "v4"
-            # IPv6
-            download_geoip_dat "6" "v6"
-        fi
+        docker rm -f maxmind
+        rm -f /tmp/dockerenv
+        msg_box "Update limit for Maxmind GeoDatabase reached! Please try again tomorrow."
+        return 1
     fi
-fi
 }
 
 # Check if process is runnnig: is_process_running dpkg
diff --git a/network/geoblock.sh b/network/geoblock.sh
@@ -11,6 +11,7 @@ Geoblock can break the certificate renewal via \"Let's encrypt!\" if done too st
 If you have problems with \"Let's encrypt!\", please uninstall geoblock first to see if that fixes those issues!"
 # shellcheck source=lib.sh
 source /var/scripts/fetch_lib.sh
+# source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/geoblock-v2/lib.sh) # TODO, remove after testing
 
 # Check for errors + debug code and abort if something isn't right
 # 1 = ON
@@ -22,41 +23,89 @@ debug_mode
 root_check
 
 # Check if it is already configured
-if ! grep -q "^#Geoip-block" /etc/apache2/apache2.conf
+if [ ! -f "$GEOBLOCK_MOD_CONF" ] || [ ! -f "$GEOBLOCK_MOD" ]
 then
     # Ask for installing
     install_popup "$SCRIPT_NAME"
 else
     # Ask for removal or reinstallation
     reinstall_remove_menu "$SCRIPT_NAME"
-    # Removal
+    # Remove Apache mod config
+    rm -f "$GEOBLOCK_MOD_CONF"
+    # Remove old database files
     find /var/scripts -type f -regex \
 "$SCRIPTS/202[0-9]-[01][0-9]-Maxmind-Country-IPv[46]\.dat" -delete
+    # Remove Apache2 mod
+    if [ -f "$GEOBLOCK_MOD" ]
+    then
+        a2dismod maxminddb
+        rm -f "$GEOBLOCK_MOD"
+        rm -f /usr/lib/apache2/modules/mod_maxminddb.so
+    fi
     if is_this_installed libapache2-mod-geoip
     then
         a2dismod geoip
         apt-get purge libapache2-mod-geoip -y
-        rm -rf /usr/share/GeoIP
     fi
-    apt-get autoremove -y
-    sed -i "/^#Geoip-block-start/,/^#Geoip-block-end/d" /etc/apache2/apache2.conf
-    check_command systemctl restart apache2
+    # Remove PPA
+    if grep ^ /etc/apt/sources.list /etc/apt/sources.list.d/* | grep maxmind-ubuntu-ppa
+    then
+        install_if_not ppa-purge
+        yes | ppa-purge maxmind/ppa
+        rm -f /etc/apt/sources.list.d/maxmind*
+    fi
+    # Remove  Apache config
+    if grep "Geoip-block-start" /etc/apache2/apache2.conf
+    then
+        sed -i "/^#Geoip-block-start/,/^#Geoip-block-end/d" /etc/apache2/apache2.conf
+    fi
+    if [ -f "$GEOBLOCK_MOD_CONF" ]
+    then
+        a2disconf geoblock
+        rm -f "$GEOBLOCK_MOD_CONF"
+    fi
     # Show successful uninstall if applicable
     removal_popup "$SCRIPT_NAME"
+    # Make sure it's clean from unused packages and files
+    apt purge libmaxminddb0* libmaxminddb-dev* mmdb-bin* apache2-dev* -y
+    apt autoremove -y
+    #rm -rf /usr/share/GeoIP keep these to save downloads...
+    check_command systemctl restart apache2
 fi
 
-# Install needed tools
-install_if_not libapache2-mod-geoip
+# Download GeoIP Databases
+if ! download_geoip_mmdb
+then
+   exit 1
+fi
 
-# Enable apache mod
-check_command a2enmod geoip rewrite
-check_command systemctl restart apache2
+##### GeoIP script (Apache Setup)
+# Install  requirements
+yes | add-apt-repository ppa:maxmind/ppa
+install_if_not libmaxminddb0
+install_if_not libmaxminddb-dev
+install_if_not mmdb-bin
+install_if_not apache2-dev
 
-# Download newest dat files
-# IPv4
-download_geoip_dat "4" "v4"
-# IPv6
-download_geoip_dat "6" "v6"
+# maxminddb_module https://github.com/maxmind/mod_maxminddb
+cd /tmp
+curl_to_dir https://github.com/maxmind/mod_maxminddb/releases/download/1.2.0/ mod_maxminddb-1.2.0.tar.gz /tmp
+tar -xzf mod_maxminddb-1.2.0.tar.gz
+cd mod_maxminddb-1.2.0
+if ./configure
+then
+    make install
+    if ! apachectl -M | grep -i "maxminddb"
+    then
+       msg_box "Couldn't install the Apache module for MaxMind. Please report this to $ISSUES"
+       exit 1
+    fi
+    # Cleanup
+    rm -rf mod_maxminddb-1.2.0 mod_maxminddb-1.2.0.tar.gz
+fi
+
+check_command a2enmod rewrite remoteip maxminddb
+check_command systemctl restart apache2
 
 # Restrict to countries and/or continents
 choice=$(whiptail --title "$TITLE"  --checklist \
@@ -160,24 +209,35 @@ then
     mapfile -t choice <<< "$choice"
 fi
 
-GEOIP_CONF="#Geoip-block-start - Please don't remove or change this line
-<IfModule mod_geoip.c>
-  GeoIPEnable On
-  GeoIPDBFile /usr/share/GeoIP/GeoIPv4.dat
-  GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat
+# Create conff
+cat << GEOBLOCKCONF_CREATE > "$GEOBLOCK_MOD_CONF"
+<IfModule mod_maxminddb.c>
+  MaxMindDBEnable On
+  MaxMindDBFile DB /usr/share/GeoIP/GeoLite2-Country.mmdb
+
+  MaxMindDBEnv MM_CONTINENT_CODE DB/continent/code
+  MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
 </IfModule>
-<Location />\n"
+
+  # Geoblock rules
+GEOBLOCKCONF_CREATE
+
+# Add <Location> parameters to maxmind conf
+echo "<Location />" >> "$GEOBLOCK_MOD_CONF"
 for continent in "${choice[@]}"
 do
-    GEOIP_CONF+="  SetEnvIf GEOIP_CONTINENT_CODE    $continent AllowCountryOrContinent\n"
-    GEOIP_CONF+="  SetEnvIf GEOIP_CONTINENT_CODE_V6 $continent AllowCountryOrContinent\n"
+    echo "  SetEnvIf MM_CONTINENT_CODE    $continent AllowCountryOrContinent" >> "$GEOBLOCK_MOD_CONF"
 done
 for country in "${selected_options[@]}"
 do
-    GEOIP_CONF+="  SetEnvIf GEOIP_COUNTRY_CODE    $country AllowCountryOrContinent\n"
-    GEOIP_CONF+="  SetEnvIf GEOIP_COUNTRY_CODE_V6 $country AllowCountryOrContinent\n"
+    echo "  SetEnvIf MM_COUNTRY_CODE    $country AllowCountryOrContinent" >> "$GEOBLOCK_MOD_CONF"
 done
-GEOIP_CONF+="  Allow from env=AllowCountryOrContinent
+echo "  Allow from env=AllowCountryOrContinent" >> "$GEOBLOCK_MOD_CONF"
+
+# Add allow rules to maxmind conf
+cat << GEOBLOCKALLOW_CREATE >> "$GEOBLOCK_MOD_CONF"
+
+  # Specifically allow this
   Allow from 127.0.0.1/8
   Allow from 192.168.0.0/16
   Allow from 172.16.0.0/12
@@ -188,13 +248,18 @@ GEOIP_CONF+="  Allow from env=AllowCountryOrContinent
   Order Deny,Allow
   Deny from all
 </Location>
-#Geoip-block-end - Please don't remove or change this line"
 
-# Write everything to the file
-echo -e "$GEOIP_CONF" >> /etc/apache2/apache2.conf
-
-check_command systemctl restart apache2
+  # Logs
+  LogLevel info
+  CustomLog "$VMLOGS/geoblock_access.log" common
+GEOBLOCKALLOW_CREATE
 
-msg_box "GeoBlock was successfully configured"
+# Enable config
+check_command a2enconf geoblock
 
-exit
+if check_command systemctl restart apache2
+then
+    msg_box "GeoBlock was successfully configured"
+else
+    msg_box "Something went wrong, please check Apache error logs."
+fi
diff --git a/nextcloud_update.sh b/nextcloud_update.sh
@@ -579,22 +579,24 @@ then
     mv "$ADMINERDIR"/adminer-pgsql.php "$ADMINERDIR"/adminer.php
 fi
 
-# Get newest dat files for geoblock.sh
+# Get latest Maxmind databse for Geoblock
 if grep -q "^#Geoip-block" /etc/apache2/apache2.conf
 then
-    if get_newest_dat_files
+    if grep -c GeoIPDBFile /etc/apache2/apache2.conf
     then
-        if grep -c GeoIP.dat /etc/apache2/apache2.conf
-        then
-            if [ ! -f /usr/share/GeoIP/GeoIPv4.dat ]
-            then
-                if download_geoip_dat 4 v4
-                then
-                    sed -i "s|GeoIPDBFile /usr/share/GeoIP/GeoIP.dat|GeoIPDBFile /usr/share/GeoIP/GeoIPv4.dat|g" /etc/apache2/apache2.conf
-                fi
-            fi
-        fi
-        check_command systemctl restart apache2
+        msg_box "We have updated GeoBlock to a new version which isn't compatible with the old one. Please reinstall with the menu script to get the latest version."
+        notify_admin_gui \
+"GeoBlock needs to be reinstalled!" \
+"We have updated GeoBlock to a new version which isn't compatible with the old one.
+Please reinstall with the menu script to get the latest version.
+
+sudo bash /ar/scripts/menu.sh --> Server Configuration --> GeoBlock"
+    fi
+elif [ -f "$GEOBLOCK_MOD" ]
+then
+    if download_geoip_mmdb
+    then
+        print_text_in_color "IGreen" "MaxMind database updated!"
     fi
 fi
 
