modified: docs/install.example.json

Code-Egg · Code-Egg · commit 8221cd018f1c · 2026-04-09T14:52:24.000+08:00
diff --git a/README.md b/README.md
@@ -141,6 +141,8 @@ sudo cp docs/install.example.json /etc/ols-cli/install.json
 sudo ols install
 ```
 
+`install.json` also supports `owasp_crs_version` (for example, `"owasp_crs_version": "4.21.0"`), which is used when enabling OWASP via `site create/update --enable-owasp`.
+
 Override config values with flags when needed:
 
 ```bash
diff --git a/docs/install.example.json b/docs/install.example.json
@@ -5,5 +5,6 @@
   "http_port": 80,
   "https_port": 443,
   "ssl_cert_file": "/usr/local/lsws/admin/conf/webadmin.crt",
-  "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key"
+  "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key",
+  "owasp_crs_version": "4.21.0"
 }
diff --git a/internal/service/install_config.go b/internal/service/install_config.go
@@ -24,6 +24,7 @@ type RuntimeInstallConfig struct {
 	HTTPSPort          int    `json:"https_port"`
 	SSLCertFile        string `json:"ssl_cert_file"`
 	SSLKeyFile         string `json:"ssl_key_file"`
+	OWASPCRSVersion    string `json:"owasp_crs_version"`
 }
 
 type resolvedInstallPlan struct {
@@ -36,6 +37,7 @@ type resolvedInstallPlan struct {
 	HTTPSPort          int
 	SSLCertFile        string
 	SSLKeyFile         string
+	OWASPCRSVersion    string
 }
 
 func defaultRuntimeInstallConfig(lswsRoot string) RuntimeInstallConfig {
@@ -48,6 +50,7 @@ func defaultRuntimeInstallConfig(lswsRoot string) RuntimeInstallConfig {
 		HTTPSPort:          443,
 		SSLCertFile:        filepath.Join(lswsRoot, "admin", "conf", "webadmin.crt"),
 		SSLKeyFile:         filepath.Join(lswsRoot, "admin", "conf", "webadmin.key"),
+		OWASPCRSVersion:    defaultOWASPCRSVersion,
 	}
 }
 
@@ -106,6 +109,9 @@ func mergeRuntimeInstallConfig(base, override RuntimeInstallConfig) RuntimeInsta
 	if v := strings.TrimSpace(override.SSLKeyFile); v != "" {
 		base.SSLKeyFile = v
 	}
+	if v := strings.TrimSpace(override.OWASPCRSVersion); v != "" {
+		base.OWASPCRSVersion = v
+	}
 	return base
 }
 
@@ -162,6 +168,10 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string
 	if v := strings.TrimSpace(opts.SSLKeyFile); v != "" {
 		sslKeyFile = v
 	}
+	owaspCRSVersion := strings.TrimSpace(cfg.OWASPCRSVersion)
+	if owaspCRSVersion == "" {
+		owaspCRSVersion = defaultOWASPCRSVersion
+	}
 
 	if err := validatePort(httpPort, "http_port"); err != nil {
 		return resolvedInstallPlan{}, err
@@ -194,6 +204,7 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string
 		HTTPSPort:          httpsPort,
 		SSLCertFile:        sslCertFile,
 		SSLKeyFile:         sslKeyFile,
+		OWASPCRSVersion:    owaspCRSVersion,
 	}, nil
 }
 
diff --git a/internal/service/install_config_test.go b/internal/service/install_config_test.go
@@ -3,6 +3,7 @@ package service
 import (
 	"bytes"
 	"context"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -35,6 +36,9 @@ func TestResolveInstallPlanDefaults(t *testing.T) {
 	if plan.HTTPPort != 80 || plan.HTTPSPort != 443 {
 		t.Fatalf("expected default ports 80/443, got %d/%d", plan.HTTPPort, plan.HTTPSPort)
 	}
+	if plan.OWASPCRSVersion != defaultOWASPCRSVersion {
+		t.Fatalf("expected default owasp crs version %s, got %s", defaultOWASPCRSVersion, plan.OWASPCRSVersion)
+	}
 }
 
 func TestResolveInstallPlanOverrides(t *testing.T) {
@@ -74,6 +78,31 @@ func TestResolveInstallPlanOverrides(t *testing.T) {
 	}
 }
 
+func TestLoadRuntimeInstallConfigIncludesOWASPCRSVersion(t *testing.T) {
+	configPath := filepath.Join(t.TempDir(), "install.json")
+	content := `{
+  "php_version": "85",
+  "database": "mariadb",
+  "configure_listeners": true,
+  "http_port": 80,
+  "https_port": 443,
+  "ssl_cert_file": "/usr/local/lsws/admin/conf/webadmin.crt",
+  "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key",
+  "owasp_crs_version": "4.22.0"
+}`
+	if err := os.WriteFile(configPath, []byte(content), 0o644); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	cfg, _, err := loadRuntimeInstallConfig(configPath, "/usr/local/lsws")
+	if err != nil {
+		t.Fatalf("unexpected load error: %v", err)
+	}
+	if cfg.OWASPCRSVersion != "4.22.0" {
+		t.Fatalf("expected owasp_crs_version 4.22.0, got %s", cfg.OWASPCRSVersion)
+	}
+}
+
 func TestResolveInstallPlanDatabaseNone(t *testing.T) {
 	plan, err := resolveInstallPlan(
 		InstallOptions{ConfigPath: filepath.Join(t.TempDir(), "install.json"), DatabaseEngine: "none"},
@@ -102,12 +131,12 @@ func TestResolveInstallPlanInvalidDatabase(t *testing.T) {
 func TestResolveInstallPlanRejectsUnsafeSSLPaths(t *testing.T) {
 	_, err := resolveInstallPlan(
 		InstallOptions{
-			ConfigPath:   filepath.Join(t.TempDir(), "install.json"),
-			SSLCertFile:  "/etc/ssl/certs/server.crt\nmalicious 1",
-			SSLKeyFile:   "/etc/ssl/private/server.key",
-			HTTPPort:     80,
-			HTTPSPort:    443,
-			PHPVersion:   "85",
+			ConfigPath:     filepath.Join(t.TempDir(), "install.json"),
+			SSLCertFile:    "/etc/ssl/certs/server.crt\nmalicious 1",
+			SSLKeyFile:     "/etc/ssl/private/server.key",
+			HTTPPort:       80,
+			HTTPSPort:      443,
+			PHPVersion:     "85",
 			DatabaseEngine: "mariadb",
 		},
 		platform.Info{PackageManager: platform.PackageManagerAPT},
@@ -134,4 +163,3 @@ func TestInstallRuntimeDryRunIncludesResolvedPlan(t *testing.T) {
 		t.Fatalf("expected no runner calls in dry-run, got %d", len(r.calls))
 	}
 }
-
diff --git a/internal/service/site.go b/internal/service/site.go

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,6 @@`
`5`	`5`	`"http_port": 80,`
`6`	`6`	`"https_port": 443,`
`7`	`7`	`"ssl_cert_file": "/usr/local/lsws/admin/conf/webadmin.crt",`
`8`		`- "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key"`
	`8`	`+ "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key",`
	`9`	`+ "owasp_crs_version": "4.21.0"`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ type RuntimeInstallConfig struct {`
`24`	`24`	HTTPSPort int `json:"https_port"`
`25`	`25`	SSLCertFile string `json:"ssl_cert_file"`
`26`	`26`	SSLKeyFile string `json:"ssl_key_file"`
	`27`	+ OWASPCRSVersion string `json:"owasp_crs_version"`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`type resolvedInstallPlan struct {`
`@@ -36,6 +37,7 @@ type resolvedInstallPlan struct {`
`36`	`37`	`HTTPSPort int`
`37`	`38`	`SSLCertFile string`
`38`	`39`	`SSLKeyFile string`
	`40`	`+ OWASPCRSVersion string`
`39`	`41`	`}`
`40`	`42`
`41`	`43`	`func defaultRuntimeInstallConfig(lswsRoot string) RuntimeInstallConfig {`
`@@ -48,6 +50,7 @@ func defaultRuntimeInstallConfig(lswsRoot string) RuntimeInstallConfig {`
`48`	`50`	`HTTPSPort: 443,`
`49`	`51`	`SSLCertFile: filepath.Join(lswsRoot, "admin", "conf", "webadmin.crt"),`
`50`	`52`	`SSLKeyFile: filepath.Join(lswsRoot, "admin", "conf", "webadmin.key"),`
	`53`	`+ OWASPCRSVersion: defaultOWASPCRSVersion,`
`51`	`54`	`}`
`52`	`55`	`}`
`53`	`56`
`@@ -106,6 +109,9 @@ func mergeRuntimeInstallConfig(base, override RuntimeInstallConfig) RuntimeInsta`
`106`	`109`	`if v := strings.TrimSpace(override.SSLKeyFile); v != "" {`
`107`	`110`	`base.SSLKeyFile = v`
`108`	`111`	`}`
	`112`	`+ if v := strings.TrimSpace(override.OWASPCRSVersion); v != "" {`
	`113`	`+ base.OWASPCRSVersion = v`
	`114`	`+ }`
`109`	`115`	`return base`
`110`	`116`	`}`
`111`	`117`
`@@ -162,6 +168,10 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string`
`162`	`168`	`if v := strings.TrimSpace(opts.SSLKeyFile); v != "" {`
`163`	`169`	`sslKeyFile = v`
`164`	`170`	`}`
	`171`	`+ owaspCRSVersion := strings.TrimSpace(cfg.OWASPCRSVersion)`
	`172`	`+ if owaspCRSVersion == "" {`
	`173`	`+ owaspCRSVersion = defaultOWASPCRSVersion`
	`174`	`+ }`
`165`	`175`
`166`	`176`	`if err := validatePort(httpPort, "http_port"); err != nil {`
`167`	`177`	`return resolvedInstallPlan{}, err`
`@@ -194,6 +204,7 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string`
`194`	`204`	`HTTPSPort: httpsPort,`
`195`	`205`	`SSLCertFile: sslCertFile,`
`196`	`206`	`SSLKeyFile: sslKeyFile,`
	`207`	`+ OWASPCRSVersion: owaspCRSVersion,`
`197`	`208`	`}, nil`
`198`	`209`	`}`
`199`	`210`