modified: internal/service/install_config.go

Author: Code-Egg

README.md

@@ -141,7 +141,13 @@ sudo cp docs/install.example.json /etc/ols-cli/install.json
 sudo ols install
 ```
 
-`install.json` also supports `owasp_crs_version` (for example, `"owasp_crs_version": "4.21.0"`), which is used when enabling OWASP via `site create/update --enable-owasp`.
+`install.json` also supports:
+- `owasp_crs_version` (for example, `"4.21.0"`) for OWASP CRS setup during `ols install`
+- `vh_recaptcha_type` and `vh_recaptcha_reg_conn_limit` (defaults: `1` and `500`) used when enabling vhost reCAPTCHA via `site create/update --enable-recaptcha`
+
+By default, `ols install` prepares server-level security blocks as:
+- `module mod_security` with `ls_enabled 0`
+- `lsrecaptcha` with `enabled 1` and `type 0`
 
 Override config values with flags when needed:
 

docs/install.example.json

@@ -6,5 +6,7 @@
   "https_port": 443,
   "ssl_cert_file": "/usr/local/lsws/admin/conf/webadmin.crt",
   "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key",
-  "owasp_crs_version": "4.21.0"
+  "owasp_crs_version": "4.21.0",
+  "vh_recaptcha_type": 1,
+  "vh_recaptcha_reg_conn_limit": 500
 }

internal/service/install_config.go

@@ -17,40 +17,46 @@ import (
 const defaultInstallConfigPath = "/etc/ols-cli/install.json"
 
 type RuntimeInstallConfig struct {
-	PHPVersion         string `json:"php_version"`
-	DatabaseEngine     string `json:"database"`
-	ConfigureListeners *bool  `json:"configure_listeners,omitempty"`
-	HTTPPort           int    `json:"http_port"`
-	HTTPSPort          int    `json:"https_port"`
-	SSLCertFile        string `json:"ssl_cert_file"`
-	SSLKeyFile         string `json:"ssl_key_file"`
-	OWASPCRSVersion    string `json:"owasp_crs_version"`
+	PHPVersion          string `json:"php_version"`
+	DatabaseEngine      string `json:"database"`
+	ConfigureListeners  *bool  `json:"configure_listeners,omitempty"`
+	HTTPPort            int    `json:"http_port"`
+	HTTPSPort           int    `json:"https_port"`
+	SSLCertFile         string `json:"ssl_cert_file"`
+	SSLKeyFile          string `json:"ssl_key_file"`
+	OWASPCRSVersion     string `json:"owasp_crs_version"`
+	VHRecaptchaType     int    `json:"vh_recaptcha_type"`
+	VHRecaptchaReqLimit int    `json:"vh_recaptcha_reg_conn_limit"`
 }
 
 type resolvedInstallPlan struct {
-	ConfigPath         string
-	PHPVersion         string
-	DatabaseEngine     string
-	DatabasePackage    string
-	ConfigureListeners bool
-	HTTPPort           int
-	HTTPSPort          int
-	SSLCertFile        string
-	SSLKeyFile         string
-	OWASPCRSVersion    string
+	ConfigPath          string
+	PHPVersion          string
+	DatabaseEngine      string
+	DatabasePackage     string
+	ConfigureListeners  bool
+	HTTPPort            int
+	HTTPSPort           int
+	SSLCertFile         string
+	SSLKeyFile          string
+	OWASPCRSVersion     string
+	VHRecaptchaType     int
+	VHRecaptchaReqLimit int
 }
 
 func defaultRuntimeInstallConfig(lswsRoot string) RuntimeInstallConfig {
 	enabled := true
 	return RuntimeInstallConfig{
-		PHPVersion:         "85",
-		DatabaseEngine:     "mariadb",
-		ConfigureListeners: &enabled,
-		HTTPPort:           80,
-		HTTPSPort:          443,
-		SSLCertFile:        filepath.Join(lswsRoot, "admin", "conf", "webadmin.crt"),
-		SSLKeyFile:         filepath.Join(lswsRoot, "admin", "conf", "webadmin.key"),
-		OWASPCRSVersion:    defaultOWASPCRSVersion,
+		PHPVersion:          "85",
+		DatabaseEngine:      "mariadb",
+		ConfigureListeners:  &enabled,
+		HTTPPort:            80,
+		HTTPSPort:           443,
+		SSLCertFile:         filepath.Join(lswsRoot, "admin", "conf", "webadmin.crt"),
+		SSLKeyFile:          filepath.Join(lswsRoot, "admin", "conf", "webadmin.key"),
+		OWASPCRSVersion:     defaultOWASPCRSVersion,
+		VHRecaptchaType:     defaultVHRecaptchaType,
+		VHRecaptchaReqLimit: defaultVHRecaptchaReqLimit,
 	}
 }
 
@@ -112,6 +118,12 @@ func mergeRuntimeInstallConfig(base, override RuntimeInstallConfig) RuntimeInsta
 	if v := strings.TrimSpace(override.OWASPCRSVersion); v != "" {
 		base.OWASPCRSVersion = v
 	}
+	if override.VHRecaptchaType > 0 {
+		base.VHRecaptchaType = override.VHRecaptchaType
+	}
+	if override.VHRecaptchaReqLimit > 0 {
+		base.VHRecaptchaReqLimit = override.VHRecaptchaReqLimit
+	}
 	return base
 }
 
@@ -172,6 +184,14 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string
 	if owaspCRSVersion == "" {
 		owaspCRSVersion = defaultOWASPCRSVersion
 	}
+	vhRecaptchaType := cfg.VHRecaptchaType
+	if vhRecaptchaType <= 0 {
+		vhRecaptchaType = defaultVHRecaptchaType
+	}
+	vhRecaptchaReqLimit := cfg.VHRecaptchaReqLimit
+	if vhRecaptchaReqLimit <= 0 {
+		vhRecaptchaReqLimit = defaultVHRecaptchaReqLimit
+	}
 
 	if err := validatePort(httpPort, "http_port"); err != nil {
 		return resolvedInstallPlan{}, err
@@ -195,16 +215,18 @@ func resolveInstallPlan(opts InstallOptions, info platform.Info, lswsRoot string
 	}
 
 	return resolvedInstallPlan{
-		ConfigPath:         cfgPath,
-		PHPVersion:         phpVersion,
-		DatabaseEngine:     dbEngine,
-		DatabasePackage:    dbPackage,
-		ConfigureListeners: configureListeners,
-		HTTPPort:           httpPort,
-		HTTPSPort:          httpsPort,
-		SSLCertFile:        sslCertFile,
-		SSLKeyFile:         sslKeyFile,
-		OWASPCRSVersion:    owaspCRSVersion,
+		ConfigPath:          cfgPath,
+		PHPVersion:          phpVersion,
+		DatabaseEngine:      dbEngine,
+		DatabasePackage:     dbPackage,
+		ConfigureListeners:  configureListeners,
+		HTTPPort:            httpPort,
+		HTTPSPort:           httpsPort,
+		SSLCertFile:         sslCertFile,
+		SSLKeyFile:          sslKeyFile,
+		OWASPCRSVersion:     owaspCRSVersion,
+		VHRecaptchaType:     vhRecaptchaType,
+		VHRecaptchaReqLimit: vhRecaptchaReqLimit,
 	}, nil
 }
 

internal/service/install_config_test.go

@@ -39,6 +39,12 @@ func TestResolveInstallPlanDefaults(t *testing.T) {
 	if plan.OWASPCRSVersion != defaultOWASPCRSVersion {
 		t.Fatalf("expected default owasp crs version %s, got %s", defaultOWASPCRSVersion, plan.OWASPCRSVersion)
 	}
+	if plan.VHRecaptchaType != defaultVHRecaptchaType {
+		t.Fatalf("expected default vh recaptcha type %d, got %d", defaultVHRecaptchaType, plan.VHRecaptchaType)
+	}
+	if plan.VHRecaptchaReqLimit != defaultVHRecaptchaReqLimit {
+		t.Fatalf("expected default vh recaptcha request limit %d, got %d", defaultVHRecaptchaReqLimit, plan.VHRecaptchaReqLimit)
+	}
 }
 
 func TestResolveInstallPlanOverrides(t *testing.T) {
@@ -88,7 +94,9 @@ func TestLoadRuntimeInstallConfigIncludesOWASPCRSVersion(t *testing.T) {
   "https_port": 443,
   "ssl_cert_file": "/usr/local/lsws/admin/conf/webadmin.crt",
   "ssl_key_file": "/usr/local/lsws/admin/conf/webadmin.key",
-  "owasp_crs_version": "4.22.0"
+  "owasp_crs_version": "4.22.0",
+  "vh_recaptcha_type": 2,
+  "vh_recaptcha_reg_conn_limit": 650
 }`
 	if err := os.WriteFile(configPath, []byte(content), 0o644); err != nil {
 		t.Fatalf("write config: %v", err)
@@ -101,6 +109,12 @@ func TestLoadRuntimeInstallConfigIncludesOWASPCRSVersion(t *testing.T) {
 	if cfg.OWASPCRSVersion != "4.22.0" {
 		t.Fatalf("expected owasp_crs_version 4.22.0, got %s", cfg.OWASPCRSVersion)
 	}
+	if cfg.VHRecaptchaType != 2 {
+		t.Fatalf("expected vh_recaptcha_type 2, got %d", cfg.VHRecaptchaType)
+	}
+	if cfg.VHRecaptchaReqLimit != 650 {
+		t.Fatalf("expected vh_recaptcha_reg_conn_limit 650, got %d", cfg.VHRecaptchaReqLimit)
+	}
 }
 
 func TestResolveInstallPlanDatabaseNone(t *testing.T) {