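#!/bin/sh
# www.daily v1.1 (c) 29.8.97 by Andreas Ley (u) 11.11.2003
# Daily www maintenance jobs, requiring root priviledge
#
# Usage: www.daily [ServerRoot]        (default: /usr/local/etc/httpd)
# Works from ${ServerRoot}/logs for the rest of the run.  Site switches
# RZADMIN, HTTPD_RENEW_CERT and HTTPD_KEEP_LOGS (days, default 31) are read
# from /etc/rc.values when that file exists.

ServerRoot=${1:-/usr/local/etc/httpd}
# Log names handled in every (vhost) directory.  This is a word list, so
# ${Logs} is deliberately left unquoted wherever it is expanded.
Logs="access_log error_log script_log rewrite_log suexec_log ssl_access_log ssl_error_log ssl_script_log ssl_request_log ssl_engine_log ssl_log ssl_rewrite_log"

# chown/chgrp and the kills below need root; refuse to run otherwise.
if id | grep '^uid=0' >/dev/null; then :; else
  echo "Must be root." >&2
  exit 1
fi
if cd "${ServerRoot}/logs"; then :; else
  echo "Can't change to ${ServerRoot}/logs" >&2
  exit 1
fi
if test ! -s httpd.pid; then
  echo "Can't find pid in httpd.pid" >&2
  exit 1
fi
# Only accept a plain decimal PID from httpd.pid: a corrupt or tampered file
# must not turn the kill below into a signal for some other process (or, as
# "-1", for every process on the host).
httpd_pid=`cat httpd.pid`
case "${httpd_pid}" in
  ''|*[!0-9]*)
    echo "httpd.pid does not contain a PID" >&2
    exit 1;;
esac

# IRIX has hostname in /usr/bsd ...
PATH=${ServerRoot}/bin:/usr/machine/bin:/bin:/usr/bin:/usr/bsd:/usr/segment/bin
export PATH

# shstrings prints shell assignments for the named keys, which are eval'ed
# here.  NOTE(review): this assumes /etc/rc.values is root-owned and not
# writable by others - confirm, since whatever it yields runs as root.
test -f /etc/rc.values && \
  eval `shstrings -f /etc/rc.values RZADMIN HTTPD_RENEW_CERT HTTPD_KEEP_LOGS`

# presumably so the ssh/scp step further down cannot reuse an agent that was
# forwarded into an interactive session - verify
unset SSH_AUTH_SOCK
umask 022

################################################################################
#
# Cycle the logfiles
#

# Current directory and vhost directories (vhost dirs are named after a
# host, i.e. carry at least two dots).
find . -type d \( -name . -o -name \*.\*.\* \) -print | \
while read -r dir; do
  (cd "${dir}" && cycle -c 1 -u www -g www ${Logs} 2>/dev/null)
done

# Check whether the server is so idle that gracefully restarted servers are
# still around - in this case, we can sighup the server without fearing to
# interrupt too many ongoing transfers.
port=`grep '^Listen' "${ServerRoot}/conf/httpd.conf" "${ServerRoot}/conf/srm.conf" 2>/dev/null | \
  awk '{print$2;exit}'`
# "Listen host:port" form: split into address and port.
case "${port}" in
  *:*)
    host=`echo "${port}" | cut -d: -f1`
    port=`echo "${port}" | cut -d: -f2`;;
esac
# mod_status prints its scoreboard inside <PRE>...</PRE>; a "G" in there is a
# worker still gracefully finishing from the previous restart.
(echo "GET /server-status HTTP/1.0"; echo) | \
  socket "${host:-localhost}" "${port:-80}" | \
  sed -n '/<PRE>/,/<\/PRE>/p;/<\/PRE>/q' | \
  grep 'G' >/dev/null && signal=HUP
# USR1 asks httpd for a graceful restart, HUP for an immediate one.
kill -${signal:-USR1} "${httpd_pid}"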
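suffix=`date +%Y%m%d`
# Current directory and vhost directories
find . -type d \( -name . -o -name \*.\*.\* \) -print | \
while read -r dir; do
  # Create Old directory if needed.  NOTE(review): chown/chgrp follow
  # symlinks and the ln targets below are not checked, so this relies on the
  # vhost directories not being writable by untrusted users - confirm.
  if test ! -d "${dir}/Old"; then
    mkdir "${dir}/Old"
    chown www "${dir}/Old"
    chgrp www "${dir}/Old"
  fi
  # Hard-link the current logs into Old under today's date; the Old entry
  # then survives whatever cycle later does to the live name.
  for log in ${Logs}; do
    test -f "${dir}/${log}" && ln "${dir}/${log}" "${dir}/Old/${log}.${suffix}"
    # Don't do this! Gracefully restarted clients may still
    # write to the old logs for some ten or twenty minutes.
    # rm ${dir}/${log}.[0-9]
  done
  # Remove very old error logs (-links 1: nothing else refers to the file
  # any more).  -exec instead of xargs keeps odd file names intact.
  find "${dir}/Old" -type f -links 1 -mtime "+${HTTPD_KEEP_LOGS:-31}" -name '*error_log*' -exec rm -f {} \;
  # Compress old logs
  find "${dir}/Old" -type f -links 1 ! -name '*.gz' -exec gzip -9 {} \;
done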
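################################################################################
#
# Check certificate expiry date
#

# Where the warnings go: the ServerAdmin address, else the central one below.
mail=`awk '$1=="ServerAdmin"{print$2;exit}' "${ServerRoot}/conf/httpd.conf" "${ServerRoot}/conf/srm.conf" 2>/dev/null`
# -r (presumably "renew" - confirm against ssl-check) is only passed on
# Sundays, and only where the host is RZ-administered or opted in via
# HTTPD_RENEW_CERT.  Plain test -a/-o replaced by || to avoid the ambiguous
# operator parsing.
r=
if test "${RZADMIN:-0}" -ne 0 || test "${HTTPD_RENEW_CERT:-0}" -ne 0; then
  test "`date '+%w'`" -eq 0 && r="-r"
fi
# FIXME: ssl-check and openssl should be in /usr/machine
# ${r} stays unquoted on purpose: when empty it must vanish, not become "".
test -x /usr/segment/bin/ssl-check && \
  /usr/segment/bin/ssl-check ${r} -v -m "${mail:-apache@rz.uni-karlsruhe.de}" /etc/ssl/host.crt "${ServerRoot}/conf/server.crt"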
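################################################################################
#
# Restart server if new certificate installed
#
# A certificate file newer than the marker file has not been acted on yet.
# NOTE(review): loop.pid presumably belongs to a wrapper that restarts httpd
# when it exits, which is why a plain kill is enough in that branch - confirm.
# Without it the admin is only mailed, and .timestamp marks the last notice.
if test -s loop.pid; then
  new=`find /etc/ssl/host.crt "${ServerRoot}/conf/server.crt" -newer loop.pid -print 2>/dev/null`
  if test -n "${new}"; then
    kill "`cat httpd.pid`" && touch loop.pid
  fi
else
  # First run: start from Jan 1 00:00 of the current year.
  test -f .timestamp || touch -t 01010000 .timestamp
  new=`find /etc/ssl/host.crt "${ServerRoot}/conf/server.crt" -newer .timestamp -print 2>/dev/null`
  if test -n "${new}"; then
    (echo "Subject: `hostname`: new certificate"
     echo
     echo "A new certificate has been installed on `hostname`"
     echo
     echo "You should restart the web server (httpd) and touch"
     echo "`pwd`/.timestamp") | \
    /usr/lib/sendmail -i "${mail:-apache@rz.uni-karlsruhe.de}"
  fi
fi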
################################################################################
#
# Send mail about new server in use
#
# Sent on every run, unconditionally; the body is just host identification.
/usr/lib/sendmail -i andy@rz.uni-karlsruhe.de <<EOF
Subject: New Common SSL WWW-Server

Hostname: `hostname`
Systemtype: `cat /etc/SYSTEMTYPE`
EOF
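################################################################################
#
# Analyze logs
#
# Report Nimda-style probes (root.exe / cmd.exe requests) in yesterday's
# access logs that came from the address ranges in the pattern (local
# university nets, presumably, plus RFC 1918 space) - i.e. infected machines
# somebody here can act on.  Hits from the Nessus scanner are left out.
# NOTE(review): .nimda/.dialin are fixed-name scratch files in the log
# directory; fine as long as that directory is not writable by others.
#
# Current directory and vhost directories
find . -type d \( -name . -o -name \*.\*.\* \) -print | \
while read -r dir; do
  egrep '^(129\.13\.|141\.3\.|141\.52\.|193\.196\.([35][2-9]|4[0-7]|6[0-3])\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.).*(/scripts/root.exe|/MSADC/root.exe|/winnt/system32/cmd.exe)' "${dir}/access_log.1" | \
    grep -v "Mozilla/4\.75 \[en\] (X11, U; Nessus)"
done >.nimda
if test -s .nimda; then
  # Narrower ranges, apparently the dynamically assigned (dial-in) pools.
  egrep '^(129\.13\.(6[89]|7[6-9]|21[67]|22[01]|24[0-7])|172\.21\.(1[2-5]|212))\..*(/scripts/root.exe|/MSADC/root.exe|/winnt/system32/cmd.exe)' .nimda >.dialin
  (echo "Subject: Nimda on `hostname`"
   echo
   echo "Nimda scans seen from these hosts:"
   echo
   echo " Count IP Name"
   # Client address is the first field of the log line; explicit ' ' as the
   # delimiter instead of the fragile backslash-space escape.
   cut -d' ' -f1 .nimda | sort | uniq -c | sort -n | while read -r cnt ip; do
     name=`getfqdn "${ip}"`
     # getfqdn apparently echoes the address back when there is no name.
     if test "${ip}" = "${name}"; then
       printf "%7d\t%s\n" "${cnt}" "${ip}"
     else
       printf "%7d\t%s\t%s\n" "${cnt}" "${ip}" "${name}"
     fi
   done
   if test -s .dialin; then
     echo
     echo "Log entries for dynamically assigned IPs:"
     echo
     cat .dialin
   else
     rm -f .dialin
   fi
  ) | /usr/lib/sendmail -i abuse@uni-karlsruhe.de
else
  rm -f .nimda
fi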
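################################################################################
#
# Archive very old logs on RZ hosts
#
if test "${RZADMIN:-0}" -ne 0; then
  # Current directory and vhost directories
  find . -type d \( -name . -o -name \*.\*.\* \) -print | \
  while read -r dir; do
    find "${dir}/Old" -type f -links 1 -mtime "+${HTTPD_KEEP_LOGS:-31}" -print | \
    while read -r log; do
      # The name is spliced into the remote scp path, which the remote side
      # hands to a shell: only ship names made of safe characters.
      case "${log}" in
        *[!A-Za-z0-9._/-]*)
          printf 'skipping oddly named log %s\n' "${log}" >&2
          continue;;
      esac
      # One transfer every ten minutes, to spread the load on the log server.
      # delay -900 is presumably a timeout wrapper around scp1 - confirm.
      sleep 600
      delay -900 /usr/machine/bin/scp1 -i /usr/common/machine/etc/logserv.identity "${log}" "logserv@logserv.rz.uni-karlsruhe.de:${ServerRoot}/logs/${log}!`startdate "${log}"`!`stat -m "${log}"`" && rm -f "${log}"
    done
  done
fi
exit 0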