From 647a95be5cdff964b888828debf246b7a2524ce3 Mon Sep 17 00:00:00 2001 
From: Jesse McDonald Date: Sat, 25 Sep 2021 00:07:02 -0500 Subject: [PATCH] initial commit --- .gitmodules | 6 + app | 1 + docker-compose.yml | 33 +++ httpd/.dockerignore | 6 + httpd/Dockerfile | 16 ++ httpd/conf/conf/other-vhosts-access-log.conf | 8 + httpd/conf/conf/security.conf | 73 ++++++ httpd/conf/conf/serve-cgi-bin.conf | 20 ++ httpd/conf/httpd.conf | 60 +++++ httpd/conf/mods/00-watchdog.load | 1 + httpd/conf/mods/access_compat.load | 2 + httpd/conf/mods/alias.conf | 24 ++ httpd/conf/mods/alias.load | 1 + httpd/conf/mods/auth_basic.load | 2 + httpd/conf/mods/authn_core.load | 1 + httpd/conf/mods/authn_file.load | 1 + httpd/conf/mods/authz_core.load | 1 + httpd/conf/mods/authz_host.load | 2 + httpd/conf/mods/authz_user.load | 2 + httpd/conf/mods/autoindex.conf | 96 +++++++ httpd/conf/mods/autoindex.load | 1 + httpd/conf/mods/deflate.conf | 10 + httpd/conf/mods/deflate.load | 2 + httpd/conf/mods/dir.conf | 5 + httpd/conf/mods/dir.load | 1 + httpd/conf/mods/env.load | 1 + httpd/conf/mods/filter.load | 1 + httpd/conf/mods/md.load | 1 + httpd/conf/mods/mime.conf | 251 +++++++++++++++++++ httpd/conf/mods/mime.load | 1 + httpd/conf/mods/mpm_event.conf | 18 ++ httpd/conf/mods/mpm_event.load | 2 + httpd/conf/mods/negotiation.conf | 20 ++ httpd/conf/mods/negotiation.load | 1 + httpd/conf/mods/proxy.conf | 27 ++ httpd/conf/mods/proxy.load | 1 + httpd/conf/mods/proxy_http.load | 2 + httpd/conf/mods/proxy_wstunnel.load | 2 + httpd/conf/mods/reqtimeout.conf | 27 ++ httpd/conf/mods/reqtimeout.load | 1 + httpd/conf/mods/rewrite.load | 1 + httpd/conf/mods/setenvif.conf | 32 +++ httpd/conf/mods/setenvif.load | 1 + httpd/conf/mods/socache_shmcb.load | 1 + httpd/conf/mods/ssl.conf | 85 +++++++ httpd/conf/mods/ssl.load | 2 + httpd/conf/mods/status.conf | 29 +++ httpd/conf/mods/status.load | 1 + httpd/conf/mods/unixd.load | 1 + httpd/conf/ports.conf | 15 ++ httpd/conf/sites/000-default.conf | 44 ++++ httpd/conf/sites/pacosako-ssl.conf | 181 +++++++++++++ httpd/conf/testing.crt | 
32 +++ httpd/conf/testing.key | 52 ++++ httpd/paco_sako | 1 + 55 files changed, 1209 insertions(+) create mode 100644 .gitmodules create mode 160000 app create mode 100644 docker-compose.yml create mode 100644 httpd/.dockerignore create mode 100644 httpd/Dockerfile create mode 100644 httpd/conf/conf/other-vhosts-access-log.conf create mode 100644 httpd/conf/conf/security.conf create mode 100644 httpd/conf/conf/serve-cgi-bin.conf create mode 100644 httpd/conf/httpd.conf create mode 100644 httpd/conf/mods/00-watchdog.load create mode 100644 httpd/conf/mods/access_compat.load create mode 100644 httpd/conf/mods/alias.conf create mode 100644 httpd/conf/mods/alias.load create mode 100644 httpd/conf/mods/auth_basic.load create mode 100644 httpd/conf/mods/authn_core.load create mode 100644 httpd/conf/mods/authn_file.load create mode 100644 httpd/conf/mods/authz_core.load create mode 100644 httpd/conf/mods/authz_host.load create mode 100644 httpd/conf/mods/authz_user.load create mode 100644 httpd/conf/mods/autoindex.conf create mode 100644 httpd/conf/mods/autoindex.load create mode 100644 httpd/conf/mods/deflate.conf create mode 100644 httpd/conf/mods/deflate.load create mode 100644 httpd/conf/mods/dir.conf create mode 100644 httpd/conf/mods/dir.load create mode 100644 httpd/conf/mods/env.load create mode 100644 httpd/conf/mods/filter.load create mode 100644 httpd/conf/mods/md.load create mode 100644 httpd/conf/mods/mime.conf create mode 100644 httpd/conf/mods/mime.load create mode 100644 httpd/conf/mods/mpm_event.conf create mode 100644 httpd/conf/mods/mpm_event.load create mode 100644 httpd/conf/mods/negotiation.conf create mode 100644 httpd/conf/mods/negotiation.load create mode 100644 httpd/conf/mods/proxy.conf create mode 100644 httpd/conf/mods/proxy.load create mode 100644 httpd/conf/mods/proxy_http.load create mode 100644 httpd/conf/mods/proxy_wstunnel.load create mode 100644 httpd/conf/mods/reqtimeout.conf create mode 100644 httpd/conf/mods/reqtimeout.load create 
mode 100644 httpd/conf/mods/rewrite.load create mode 100644 httpd/conf/mods/setenvif.conf create mode 100644 httpd/conf/mods/setenvif.load create mode 100644 httpd/conf/mods/socache_shmcb.load create mode 100644 httpd/conf/mods/ssl.conf create mode 100644 httpd/conf/mods/ssl.load create mode 100644 httpd/conf/mods/status.conf create mode 100644 httpd/conf/mods/status.load create mode 100644 httpd/conf/mods/unixd.load create mode 100644 httpd/conf/ports.conf create mode 100644 httpd/conf/sites/000-default.conf create mode 100644 httpd/conf/sites/pacosako-ssl.conf create mode 100644 httpd/conf/testing.crt create mode 100644 httpd/conf/testing.key create mode 160000 httpd/paco_sako
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..08a3e14
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "paco_sako_server"]
+ path = app
+ url = ../paco_sako_server.git
+[submodule "httpd/paco_sako"]
+ path = httpd/paco_sako
+ url = ../paco_sako.git
diff --git a/app b/app
new file mode 160000
index 0000000..cb636d0
--- /dev/null
+++ b/app
@@ -0,0 +1 @@
+Subproject commit cb636d020173035dd51f4aa7fb4d48f511320d5e
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..c23fc62
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,33 @@
+services:
+ httpd:
+ build:
+ context: httpd
+ network: host
+ ports:
+ - "${HTTP_PORT:-80}:80"
+ - "${HTTPS_PORT:-443}:443"
+ networks:
+ - front-tier
+ - back-tier
+ environment:
+ SERVER_NAME: "${SERVER_NAME:-pacosako.jessemcdonald.info}"
+ API_SERVER: "app:80"
+
+ app:
+ build:
+ context: app
+ network: host
+ networks:
+ - back-tier
+ environment:
+ PACOSAKO_DB: "/data/pacosako.db"
+ PORT: "80"
+ volumes:
+ - "pacosako-db:/data"
+
+networks:
+ front-tier: {}
+ back-tier: {}
+
+volumes:
+ pacosako-db: {}
diff --git a/httpd/.dockerignore b/httpd/.dockerignore
new file mode 100644
index 0000000..3d60bc1
--- /dev/null
+++ b/httpd/.dockerignore
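Review bot: The `back-tier` network at the bottom of docker-compose.yml is declared as `back-tier: {}`, so the `app` container that holds `/data/pacosako.db` still sits on an ordinary bridge network with outbound access, although only `httpd` needs to reach it. If `app` has no need for egress, declaring the network as `back-tier: { internal: true }` keeps it reachable from `httpd` while isolating it from everything else. Separately, `network: host` under `build:` on both services gives the build steps the host's network namespace; a short comment saying why that is required would help the next reader.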
@@ -0,0 +1,6 @@
+.git
+.dockerignore
+Dockerfile
+.*.swp
+.*.swo
+*~
diff --git a/httpd/Dockerfile b/httpd/Dockerfile
new file mode 100644
index 0000000..3ddd9c5
--- /dev/null
+++ b/httpd/Dockerfile
@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:1
+FROM node:16-bullseye AS builder
+MAINTAINER Jesse McDonald
+WORKDIR /app
+RUN git clone -b v0.8.5 --depth 1 https://jessemcdonald.info/gogs/nybble/paco_sako.git paco_sako
+WORKDIR /app/paco_sako
+RUN npm install
+RUN npm run build
+
+FROM httpd:2.4-alpine3.14
+MAINTAINER Jesse McDonald
+WORKDIR /usr/local/apache2
+COPY conf ./conf
+RUN mkdir -p ./www/pacosako
+COPY --from=builder /app/paco_sako/public ./www/pacosako
+CMD ["httpd", "-D", "FOREGROUND"]
diff --git a/httpd/conf/conf/other-vhosts-access-log.conf b/httpd/conf/conf/other-vhosts-access-log.conf
new file mode 100644
index 0000000..23e4158
--- /dev/null
+++ b/httpd/conf/conf/other-vhosts-access-log.conf
@@ -0,0 +1,8 @@
+# Define an access log for VirtualHosts that don't define their own logfile
+
+
+ CustomLog /proc/self/fd/1 vhost_combined
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/conf/security.conf b/httpd/conf/conf/security.conf
new file mode 100644
index 0000000..f9f69d4
--- /dev/null
+++ b/httpd/conf/conf/security.conf
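Review bot: `COPY conf ./conf` in the final stage of httpd/Dockerfile copies the whole `httpd/conf` directory into the image, and this commit's file list shows that directory contains `testing.key`, so a private key ends up both in the repository and in an image layer. Even for a test certificate it is safer to keep the key out of the build context (add `conf/testing.key` to `httpd/.dockerignore`) and supply the key and certificate at run time through a volume or secret in docker-compose.yml; the SSL vhost that presumably references the key is outside this hunk. In the builder stage, `git clone -b v0.8.5` follows a tag that can be moved and `RUN npm install` may resolve different dependency versions on each build. Building from the `httpd/paco_sako` submodule this commit already pins, and using `RUN npm ci` if the project ships a lockfile, would make the image reproducible.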
@@ -0,0 +1,73 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#
+# AllowOverride None
+# Require all denied
+#
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of: On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#
+# Require all denied
+#
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/conf/serve-cgi-bin.conf b/httpd/conf/conf/serve-cgi-bin.conf
new file mode 100644
index 0000000..b02782d
--- /dev/null
+++ b/httpd/conf/conf/serve-cgi-bin.conf
@@ -0,0 +1,20 @@ + + Define ENABLE_USR_LIB_CGI_BIN + + + Define ENABLE_USR_LIB_CGI_BIN + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all granted + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/httpd.conf b/httpd/conf/httpd.conf
new file mode 100644
index 0000000..1b86980
--- /dev/null
+++ b/httpd/conf/httpd.conf
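Review bot: `ServerTokens OS` and `ServerSignature On` in security.conf advertise the httpd version and operating system in the `Server` header and on server-generated error pages, which makes version fingerprinting easier and gains nothing for a container that serves a single site. I would set `ServerTokens Prod` and `ServerSignature Off`. The two hardening headers at the end of the file are still commented out, and no `headers.load` appears in this commit's file list, so enabling `Header set X-Content-Type-Options "nosniff"` and `Header set X-Frame-Options "sameorigin"` would also need mod_headers loaded.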
@@ -0,0 +1,60 @@
+ServerName ${SERVER_NAME}
+ServerRoot "/usr/local/apache2"
+Timeout 300
+KeepAlive On
+MaxKeepAliveRequests 100
+KeepAliveTimeout 5
+User daemon
+Group daemon
+HostnameLookups Off
+ErrorLog /proc/self/fd/2
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional conf/mods/*.load
+IncludeOptional conf/mods/*.conf
+
+# Include list of ports to listen on
+Include conf/ports.conf
+
+
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+
+
+
+ AllowOverride None
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+
+
+AccessFileName .htaccess
+
+
+ Require all denied
+
+
+
+
+ LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+ LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %O" common
+
+ LogFormat "%{Referer}i -> %U" referer
+ LogFormat "%{User-agent}i" agent
+ CustomLog /proc/self/fd/1 common
+
+
+# Include generic snippets of statements
+IncludeOptional conf/conf/*.conf
+
+# Include the virtual host configurations:
+IncludeOptional conf/sites/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/00-watchdog.load b/httpd/conf/mods/00-watchdog.load
new file mode 100644
index 0000000..2c69cbd
--- /dev/null
+++ b/httpd/conf/mods/00-watchdog.load
@@ -0,0 +1 @@
+LoadModule watchdog_module /usr/local/apache2/modules/mod_watchdog.so
diff --git a/httpd/conf/mods/access_compat.load b/httpd/conf/mods/access_compat.load
new file mode 100644
index 0000000..2e457f8
--- /dev/null
+++ b/httpd/conf/mods/access_compat.load
@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule access_compat_module /usr/local/apache2/modules/mod_access_compat.so
diff --git a/httpd/conf/mods/alias.conf b/httpd/conf/mods/alias.conf
new file mode 100644
index 0000000..3583d3b
--- /dev/null
+++ b/httpd/conf/mods/alias.conf
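Review bot: The third access block in httpd.conf sets `Options Indexes FollowSymLinks` together with `Require all granted`, and this commit also loads mod_autoindex, so any directory under that path that lacks an index file is served as a browsable listing. The enclosing container lines are not visible in this rendering, so I cannot tell which path the block covers; if it is the document tree, `Options FollowSymLinks` without `Indexes` is the safer default. `AccessFileName .htaccess` has no effect while every block says `AllowOverride None`, so a one-line comment such as `# .htaccess overrides are intentionally disabled (AllowOverride None)` would make that explicit.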
@@ -0,0 +1,24 @@
+
+ # Aliases: Add here as many aliases as you need (with no limit). The format is
+ # Alias fakename realname
+ #
+ # Note that if you include a trailing / on fakename then the server will
+ # require it to be present in the URL. So "/icons" isn't aliased in this
+ # example, only "/icons/". If the fakename is slash-terminated, then the
+ # realname must also be slash terminated, and if the fakename omits the
+ # trailing slash, the realname must also omit it.
+ #
+ # We include the /icons/ alias for FancyIndexed directory listings. If
+ # you do not use FancyIndexing, you may comment this out.
+
+ Alias /icons/ "/usr/share/apache2/icons/"
+
+
+ Options FollowSymlinks
+ AllowOverride None
+ Require all granted
+
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/alias.load b/httpd/conf/mods/alias.load
new file mode 100644
index 0000000..5355f00
--- /dev/null
+++ b/httpd/conf/mods/alias.load
@@ -0,0 +1 @@
+LoadModule alias_module /usr/local/apache2/modules/mod_alias.so
diff --git a/httpd/conf/mods/auth_basic.load b/httpd/conf/mods/auth_basic.load
new file mode 100644
index 0000000..4d26721
--- /dev/null
+++ b/httpd/conf/mods/auth_basic.load
@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule auth_basic_module /usr/local/apache2/modules/mod_auth_basic.so
diff --git a/httpd/conf/mods/authn_core.load b/httpd/conf/mods/authn_core.load
new file mode 100644
index 0000000..28b5cc0
--- /dev/null
+++ b/httpd/conf/mods/authn_core.load
@@ -0,0 +1 @@
+LoadModule authn_core_module /usr/local/apache2/modules/mod_authn_core.so
diff --git a/httpd/conf/mods/authn_file.load b/httpd/conf/mods/authn_file.load
new file mode 100644
index 0000000..b57853f
--- /dev/null
+++ b/httpd/conf/mods/authn_file.load
@@ -0,0 +1 @@
+LoadModule authn_file_module /usr/local/apache2/modules/mod_authn_file.so
diff --git a/httpd/conf/mods/authz_core.load b/httpd/conf/mods/authz_core.load
new file mode 100644
index 0000000..08a86e4
--- /dev/null
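Review bot: The `Alias /icons/ "/usr/share/apache2/icons/"` line in alias.conf uses the Debian package path, while this image sets `ServerRoot "/usr/local/apache2"` and loads every module from there, so the alias target probably does not exist in the container and the fancy-index icons would return 404. Either point it at the icons directory under the server root (presumably `/usr/local/apache2/icons/`, to be confirmed against the base image) or drop the alias together with directory listings. The access block that follows grants access to a path that is not visible in this rendering and would need the same change.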
+++ b/httpd/conf/mods/authz_core.load
@@ -0,0 +1 @@
+LoadModule authz_core_module /usr/local/apache2/modules/mod_authz_core.so
diff --git a/httpd/conf/mods/authz_host.load b/httpd/conf/mods/authz_host.load
new file mode 100644
index 0000000..86071ec
--- /dev/null
+++ b/httpd/conf/mods/authz_host.load
@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_host_module /usr/local/apache2/modules/mod_authz_host.so
diff --git a/httpd/conf/mods/authz_user.load b/httpd/conf/mods/authz_user.load
new file mode 100644
index 0000000..6f5acf4
--- /dev/null
+++ b/httpd/conf/mods/authz_user.load
@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_user_module /usr/local/apache2/modules/mod_authz_user.so
diff --git a/httpd/conf/mods/autoindex.conf b/httpd/conf/mods/autoindex.conf
new file mode 100644
index 0000000..f6cf45f
--- /dev/null
+++ b/httpd/conf/mods/autoindex.conf
@@ -0,0 +1,96 @@
+
+ # Directives controlling the display of server-generated directory listings.
+
+ #
+ # IndexOptions: Controls the appearance of server-generated directory
+ # listings.
+ # Remove/replace the "Charset=UTF-8" if you don't use UTF-8 for your filenames.
+ IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8
+
+ #
+ # AddIcon* directives tell the server which icon to show for different
+ # files or filename extensions. These are only displayed for
+ # FancyIndexed directories.
+ AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2
+
+ AddIconByType (TXT,/icons/text.gif) text/*
+ AddIconByType (IMG,/icons/image2.gif) image/*
+ AddIconByType (SND,/icons/sound2.gif) audio/*
+ AddIconByType (VID,/icons/movie.gif) video/*
+
+ AddIcon /icons/binary.gif .bin .exe
+ AddIcon /icons/binhex.gif .hqx
+ AddIcon /icons/tar.gif .tar
+ AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+ AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+ AddIcon /icons/a.gif .ps .ai .eps
+ AddIcon /icons/layout.gif .html .shtml .htm .pdf
+ AddIcon /icons/text.gif .txt
+ AddIcon /icons/c.gif .c
+ AddIcon /icons/p.gif .pl .py
+ AddIcon /icons/f.gif .for
+ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+ # It's a suffix rule, so simply matching "core" matches "score" as well !
+ AddIcon /icons/bomb.gif /core
+ AddIcon (SND,/icons/sound2.gif) .ogg
+ AddIcon (VID,/icons/movie.gif) .ogm
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
+ AddIcon /icons/folder.gif ^^DIRECTORY^^
+ AddIcon /icons/blank.gif ^^BLANKICON^^
+
+ # Default icons for OpenDocument format
+ AddIcon /icons/odf6odt-20x22.png .odt
+ AddIcon /icons/odf6ods-20x22.png .ods
+ AddIcon /icons/odf6odp-20x22.png .odp
+ AddIcon /icons/odf6odg-20x22.png .odg
+ AddIcon /icons/odf6odc-20x22.png .odc
+ AddIcon /icons/odf6odf-20x22.png .odf
+ AddIcon /icons/odf6odb-20x22.png .odb
+ AddIcon /icons/odf6odi-20x22.png .odi
+ AddIcon /icons/odf6odm-20x22.png .odm
+
+ AddIcon /icons/odf6ott-20x22.png .ott
+ AddIcon /icons/odf6ots-20x22.png .ots
+ AddIcon /icons/odf6otp-20x22.png .otp
+ AddIcon /icons/odf6otg-20x22.png .otg
+ AddIcon /icons/odf6otc-20x22.png .otc
+ AddIcon /icons/odf6otf-20x22.png .otf
+ AddIcon /icons/odf6oti-20x22.png .oti
+ AddIcon /icons/odf6oth-20x22.png .oth
+
+ #
+ # DefaultIcon is which icon to show for files which do not have an icon
+ # explicitly set.
+ DefaultIcon /icons/unknown.gif
+
+ #
+ # AddDescription allows you to place a short description after a file in
+ # server-generated indexes. These are only displayed for FancyIndexed
+ # directories.
+ # Format: AddDescription "description" filename
+ #AddDescription "GZIP compressed document" .gz
+ #AddDescription "tar archive" .tar
+ #AddDescription "GZIP compressed tar archive" .tgz
+
+ #
+ # ReadmeName is the name of the README file the server will look for by
+ # default, and append to directory listings.
+ #
+ # HeaderName is the name of a file which should be prepended to
+ # directory indexes
+ ReadmeName README.html
+ HeaderName HEADER.html
+
+ #
+ # IndexIgnore is a set of filenames which directory indexing should ignore
+ # and not include in the listing. Shell-style wildcarding is permitted.
+ IndexIgnore .??* *~ *# RCS CVS *,v *,t
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/autoindex.load b/httpd/conf/mods/autoindex.load
new file mode 100644
index 0000000..169f8cf
--- /dev/null
+++ b/httpd/conf/mods/autoindex.load
@@ -0,0 +1 @@
+LoadModule autoindex_module /usr/local/apache2/modules/mod_autoindex.so
diff --git a/httpd/conf/mods/deflate.conf b/httpd/conf/mods/deflate.conf
new file mode 100644
index 0000000..db48f92
--- /dev/null
+++ b/httpd/conf/mods/deflate.conf
@@ -0,0 +1,10 @@
+
+
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
+ AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/xml
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/deflate.load b/httpd/conf/mods/deflate.load
new file mode 100644
index 0000000..0652ce2
--- /dev/null
+++ b/httpd/conf/mods/deflate.load
@@ -0,0 +1,2 @@
+# Depends: filter
+LoadModule deflate_module /usr/local/apache2/modules/mod_deflate.so
diff --git a/httpd/conf/mods/dir.conf b/httpd/conf/mods/dir.conf
new file mode 100644
index 0000000..21a0e8b
--- /dev/null
+++ b/httpd/conf/mods/dir.conf
@@ -0,0 +1,5 @@
+
+ DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/dir.load b/httpd/conf/mods/dir.load
new file mode 100644
index 0000000..0584468
--- /dev/null
+++ b/httpd/conf/mods/dir.load
@@ -0,0 +1 @@
+LoadModule dir_module /usr/local/apache2/modules/mod_dir.so
diff --git a/httpd/conf/mods/env.load b/httpd/conf/mods/env.load
new file mode 100644
index 0000000..0a6d095
--- /dev/null
+++ b/httpd/conf/mods/env.load
@@ -0,0 +1 @@
+LoadModule env_module /usr/local/apache2/modules/mod_env.so
diff --git a/httpd/conf/mods/filter.load b/httpd/conf/mods/filter.load
new file mode 100644
index 0000000..5452fa3
--- /dev/null
+++ b/httpd/conf/mods/filter.load
@@ -0,0 +1 @@
+LoadModule filter_module /usr/local/apache2/modules/mod_filter.so
diff --git a/httpd/conf/mods/md.load b/httpd/conf/mods/md.load
new file mode 100644
index 0000000..b6488aa
--- /dev/null
+++ b/httpd/conf/mods/md.load
@@ -0,0 +1 @@
+LoadModule md_module /usr/local/apache2/modules/mod_md.so
diff --git a/httpd/conf/mods/mime.conf b/httpd/conf/mods/mime.conf
new file mode 100644
index 0000000..af67971
--- /dev/null
+++ b/httpd/conf/mods/mime.conf
@@ -0,0 +1,251 @@
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig /usr/local/apache2/conf/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file mime.types for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ # Despite the name similarity, the following Add* directives have
+ # nothing to do with the FancyIndexing customization directives above.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #AddEncoding x-bzip2 .bz2
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+ AddType application/x-bzip2 .bz2
+
+ #
+ # DefaultLanguage and AddLanguage allows you to specify the language of
+ # a document. You can then use content negotiation to give a browser a
+ # file in a language the user can understand.
+ #
+ # Specify a default language. This means that all data
+ # going out without a specific language tag (see below) will
+ # be marked with this one. You probably do NOT want to set
+ # this unless you are sure it is correct for all cases.
+ #
+ # * It is generally better to not mark a page as
+ # * being a certain language than marking it with the wrong
+ # * language!
+ #
+ # DefaultLanguage nl
+ #
+ # Note 1: The suffix does not have to be the same as the language
+ # keyword --- those with documents in Polish (whose net-standard
+ # language code is pl) may wish to use "AddLanguage pl .po" to
+ # avoid the ambiguity with the common suffix for perl scripts.
+ #
+ # Note 2: The example entries below illustrate that in some cases
+ # the two character 'Language' abbreviation is not identical to
+ # the two character 'Country' code for its country,
+ # E.g. 'Danmark/dk' versus 'Danish/da'.
+ #
+ # Note 3: In the case of 'ltz' we violate the RFC by using a three char
+ # specifier. There is 'work in progress' to fix this and get
+ # the reference data for rfc1766 cleaned up.
+ #
+ # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+ # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+ # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+ # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+ # Norwegian (no) - Polish (pl) - Portugese (pt)
+ # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+ # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+ #
+ AddLanguage am .amh
+ AddLanguage ar .ara
+ AddLanguage be .be
+ AddLanguage bg .bg
+ AddLanguage bn .bn
+ AddLanguage br .br
+ AddLanguage bs .bs
+ AddLanguage ca .ca
+ AddLanguage cs .cz .cs
+ AddLanguage cy .cy
+ AddLanguage da .dk
+ AddLanguage de .de
+ AddLanguage dz .dz
+ AddLanguage el .el
+ AddLanguage en .en
+ AddLanguage eo .eo
+ # es is ecmascript in /etc/mime.types
+ RemoveType es
+ AddLanguage es .es
+ AddLanguage et .et
+ AddLanguage eu .eu
+ AddLanguage fa .fa
+ AddLanguage fi .fi
+ AddLanguage fr .fr
+ AddLanguage ga .ga
+ AddLanguage gl .glg
+ AddLanguage gu .gu
+ AddLanguage he .he
+ AddLanguage hi .hi
+ AddLanguage hr .hr
+ AddLanguage hu .hu
+ AddLanguage hy .hy
+ AddLanguage id .id
+ AddLanguage is .is
+ AddLanguage it .it
+ AddLanguage ja .ja
+ AddLanguage ka .ka
+ AddLanguage kk .kk
+ AddLanguage km .km
+ AddLanguage kn .kn
+ AddLanguage ko .ko
+ AddLanguage ku .ku
+ AddLanguage lo .lo
+ AddLanguage lt .lt
+ AddLanguage ltz .ltz
+ AddLanguage lv .lv
+ AddLanguage mg .mg
+ AddLanguage mk .mk
+ AddLanguage ml .ml
+ AddLanguage mr .mr
+ AddLanguage ms .msa
+ AddLanguage nb .nob
+ AddLanguage ne .ne
+ AddLanguage nl .nl
+ AddLanguage nn .nn
+ AddLanguage no .no
+ AddLanguage pa .pa
+ AddLanguage pl .po
+ AddLanguage pt-BR .pt-br
+ AddLanguage pt .pt
+ AddLanguage ro .ro
+ AddLanguage ru .ru
+ AddLanguage sa .sa
+ AddLanguage se .se
+ AddLanguage si .si
+ AddLanguage sk .sk
+ AddLanguage sl .sl
+ AddLanguage sq .sq
+ AddLanguage sr .sr
+ AddLanguage sv .sv
+ AddLanguage ta .ta
+ AddLanguage te .te
+ AddLanguage th .th
+ AddLanguage tl .tl
+ RemoveType tr
+ # tr is troff in /etc/mime.types
+ AddLanguage tr .tr
+ AddLanguage uk .uk
+ AddLanguage ur .ur
+ AddLanguage vi .vi
+ AddLanguage wo .wo
+ AddLanguage xh .xh
+ AddLanguage zh-CN .zh-cn
+ AddLanguage zh-TW .zh-tw
+
+ #
+ # Commonly used filename extensions to character sets. You probably
+ # want to avoid clashes with the language extensions, unless you
+ # are good at carefully testing your setup after each change.
+ # See http://www.iana.org/assignments/character-sets for the
+ # official list of charset names and their respective RFCs.
+ #
+ AddCharset us-ascii .ascii .us-ascii
+ AddCharset ISO-8859-1 .iso8859-1 .latin1
+ AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+ AddCharset ISO-8859-3 .iso8859-3 .latin3
+ AddCharset ISO-8859-4 .iso8859-4 .latin4
+ AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru
+ AddCharset ISO-8859-6 .iso8859-6 .arb .arabic
+ AddCharset ISO-8859-7 .iso8859-7 .grk .greek
+ AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew
+ AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk
+ AddCharset ISO-8859-10 .iso8859-10 .latin6
+ AddCharset ISO-8859-13 .iso8859-13
+ AddCharset ISO-8859-14 .iso8859-14 .latin8
+ AddCharset ISO-8859-15 .iso8859-15 .latin9
+ AddCharset ISO-8859-16 .iso8859-16 .latin10
+ AddCharset ISO-2022-JP .iso2022-jp .jis
+ AddCharset ISO-2022-KR .iso2022-kr .kis
+ AddCharset ISO-2022-CN .iso2022-cn .cis
+ AddCharset Big5 .Big5 .big5 .b5
+ AddCharset cn-Big5 .cn-big5
+ # For russian, more than one charset is used (depends on client, mostly):
+ AddCharset WINDOWS-1251 .cp-1251 .win-1251
+ AddCharset CP866 .cp866
+ AddCharset KOI8 .koi8
+ AddCharset KOI8-E .koi8-e
+ AddCharset KOI8-r .koi8-r .koi8-ru
+ AddCharset KOI8-U .koi8-u
+ AddCharset KOI8-ru .koi8-uk .ua
+ AddCharset ISO-10646-UCS-2 .ucs2
+ AddCharset ISO-10646-UCS-4 .ucs4
+ AddCharset UTF-7 .utf7
+ AddCharset UTF-8 .utf8
+ AddCharset UTF-16 .utf16
+ AddCharset UTF-16BE .utf16be
+ AddCharset UTF-16LE .utf16le
+ AddCharset UTF-32 .utf32
+ AddCharset UTF-32BE .utf32be
+ AddCharset UTF-32LE .utf32le
+ AddCharset euc-cn .euc-cn
+ AddCharset euc-gb .euc-gb
+ AddCharset euc-jp .euc-jp
+ AddCharset euc-kr .euc-kr
+ #Not sure how euc-tw got in - IANA doesn't list it???
+ AddCharset EUC-TW .euc-tw
+ AddCharset gb2312 .gb2312 .gb
+ AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
+ AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
+ AddCharset shift_jis .shift_jis .sjis
+ AddCharset BRF .brf
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ #
+ # For files that include their own HTTP headers:
+ #
+ #AddHandler send-as-is asis
+
+ #
+ # For server-parsed imagemap files:
+ #
+ #AddHandler imap-file map
+
+ #
+ # For type maps (negotiated resources):
+ # (This is enabled by default to allow the Apache "It Worked" page
+ # to be distributed in multiple languages.)
+ #
+ AddHandler type-map var
+
+ #
+ # Filters allow you to process content before it is sent to the client.
+ #
+ # To parse .shtml files for server-side includes (SSI):
+ # (You will also need to add "Includes" to the "Options" directive.)
+ #
+ AddType text/html .shtml
+
+ AddOutputFilter INCLUDES .shtml
+
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/httpd/conf/mods/mime.load b/httpd/conf/mods/mime.load
new file mode 100644
index 0000000..9bda5dd
--- /dev/null
+++ b/httpd/conf/mods/mime.load
@@ -0,0 +1 @@
+LoadModule mime_module /usr/local/apache2/modules/mod_mime.so
diff --git a/httpd/conf/mods/mpm_event.conf b/httpd/conf/mods/mpm_event.conf
new file mode 100644
index 0000000..2003d07
--- /dev/null
+++ b/httpd/conf/mods/mpm_event.conf
@@ -0,0 +1,18 @@ +# event MPM +# StartServers: initial number of server processes to start +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestWorkers: maximum number of worker threads +# MaxConnectionsPerChild: maximum number of requests a server process serves + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxRequestWorkers 150 + MaxConnectionsPerChild 0 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/mpm_event.load b/httpd/conf/mods/mpm_event.load new file mode 100644 index 0000000..5a38fc7 --- /dev/null +++ b/httpd/conf/mods/mpm_event.load @@ -0,0 +1,2 @@ +# Conflicts: mpm_worker mpm_prefork +LoadModule mpm_event_module /usr/local/apache2/modules/mod_mpm_event.so diff --git a/httpd/conf/mods/negotiation.conf b/httpd/conf/mods/negotiation.conf new file mode 100644 index 0000000..409b3bf --- /dev/null +++ b/httpd/conf/mods/negotiation.conf @@ -0,0 +1,20 @@ + + + # LanguagePriority allows you to give precedence to some languages + # in case of a tie during content negotiation. + # + # Just list the languages in decreasing order of preference. We have + # more or less alphabetized them here. You probably want to change this. + # + LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW + + # + # ForceLanguagePriority allows you to serve a result page rather than + # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) + # [in case no accepted languages matched the available variants] + # + ForceLanguagePriority Prefer Fallback + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/negotiation.load b/httpd/conf/mods/negotiation.load new file mode 100644 index 0000000..d3cc190 --- /dev/null 
+++ b/httpd/conf/mods/negotiation.load @@ -0,0 +1 @@ +LoadModule negotiation_module /usr/local/apache2/modules/mod_negotiation.so diff --git a/httpd/conf/mods/proxy.conf b/httpd/conf/mods/proxy.conf new file mode 100644 index 0000000..cf4a9fb --- /dev/null +++ b/httpd/conf/mods/proxy.conf @@ -0,0 +1,27 @@ + + + # If you want to use apache2 as a forward proxy, uncomment the + # 'ProxyRequests On' line and the block below. + # WARNING: Be careful to restrict access inside the block. + # Open proxy servers are dangerous both to your network and to the + # Internet at large. + # + # If you only want to use apache2 as a reverse proxy/gateway in + # front of some web application server, you DON'T need + # 'ProxyRequests On'. + + #ProxyRequests On + # + # AddDefaultCharset off + # Require all denied + # #Require local + # + + # Enable/disable the handling of HTTP/1.1 "Via:" headers. + # ("Full" adds the server version; "Block" removes all outgoing Via: headers) + # Set to one of: Off | On | Full | Block + #ProxyVia Off + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/proxy.load b/httpd/conf/mods/proxy.load new file mode 100644 index 0000000..19c75a4 --- /dev/null +++ b/httpd/conf/mods/proxy.load @@ -0,0 +1 @@ +LoadModule proxy_module /usr/local/apache2/modules/mod_proxy.so diff --git a/httpd/conf/mods/proxy_http.load b/httpd/conf/mods/proxy_http.load new file mode 100644 index 0000000..01c7c55 --- /dev/null +++ b/httpd/conf/mods/proxy_http.load @@ -0,0 +1,2 @@ +# Depends: proxy +LoadModule proxy_http_module /usr/local/apache2/modules/mod_proxy_http.so diff --git a/httpd/conf/mods/proxy_wstunnel.load b/httpd/conf/mods/proxy_wstunnel.load new file mode 100644 index 0000000..06d9390 --- /dev/null +++ b/httpd/conf/mods/proxy_wstunnel.load @@ -0,0 +1,2 @@ +# Depends: proxy +LoadModule proxy_wstunnel_module /usr/local/apache2/modules/mod_proxy_wstunnel.so 
diff --git a/httpd/conf/mods/reqtimeout.conf b/httpd/conf/mods/reqtimeout.conf new file mode 100644 index 0000000..534cd88 --- /dev/null +++ b/httpd/conf/mods/reqtimeout.conf @@ -0,0 +1,27 @@ + + + # mod_reqtimeout limits the time waiting on the client to prevent an + # attacker from causing a denial of service by opening many connections + # but not sending requests. This file tries to give a sensible default + # configuration, but it may be necessary to tune the timeout values to + # the actual situation. Note that it is also possible to configure + # mod_reqtimeout per virtual host. + + + # Wait max 20 seconds for the first byte of the request line+headers + # From then, require a minimum data rate of 500 bytes/s, but don't + # wait longer than 40 seconds in total. + # Note: Lower timeouts may make sense on non-ssl virtual hosts but can + # cause problem with ssl enabled virtual hosts: This timeout includes + # the time a browser may need to fetch the CRL for the certificate. If + # the CRL server is not reachable, it may take more than 10 seconds + # until the browser gives up. + RequestReadTimeout header=20-40,minrate=500 + + # Wait max 10 seconds for the first byte of the request body (if any) + # From then, require a minimum data rate of 500 bytes/s + RequestReadTimeout body=10,minrate=500 + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/reqtimeout.load b/httpd/conf/mods/reqtimeout.load new file mode 100644 index 0000000..210477d --- /dev/null +++ b/httpd/conf/mods/reqtimeout.load @@ -0,0 +1 @@ +LoadModule reqtimeout_module /usr/local/apache2/modules/mod_reqtimeout.so diff --git a/httpd/conf/mods/rewrite.load b/httpd/conf/mods/rewrite.load new file mode 100644 index 0000000..f3298f9 --- /dev/null +++ b/httpd/conf/mods/rewrite.load @@ -0,0 +1 @@ +LoadModule rewrite_module /usr/local/apache2/modules/mod_rewrite.so 
diff --git a/httpd/conf/mods/setenvif.conf b/httpd/conf/mods/setenvif.conf new file mode 100644 index 0000000..b6c4cc4 --- /dev/null +++ b/httpd/conf/mods/setenvif.conf @@ -0,0 +1,32 @@ + + + # + # The following directives modify normal HTTP response behavior to + # handle known problems with browser implementations. + # + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + + # + # The following directive disables redirects on non-GET requests for + # a directory that does not include the trailing slash. This fixes a + # problem with Microsoft WebFolders which does not appropriately handle + # redirects for folders with DAV methods. + # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. + # + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "MS FrontPage" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs/1.0" redirect-carefully + BrowserMatch "^gvfs/1" redirect-carefully + BrowserMatch "^XML Spy" redirect-carefully + BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully + BrowserMatch " Konqueror/4" redirect-carefully + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/setenvif.load b/httpd/conf/mods/setenvif.load new file mode 100644 index 0000000..49ea2d1 --- /dev/null +++ b/httpd/conf/mods/setenvif.load @@ -0,0 +1 @@ +LoadModule setenvif_module /usr/local/apache2/modules/mod_setenvif.so diff --git a/httpd/conf/mods/socache_shmcb.load b/httpd/conf/mods/socache_shmcb.load new file mode 100644 index 0000000..79f7e05 --- /dev/null +++ b/httpd/conf/mods/socache_shmcb.load @@ -0,0 +1 @@ +LoadModule socache_shmcb_module /usr/local/apache2/modules/mod_socache_shmcb.so 
diff --git a/httpd/conf/mods/ssl.conf b/httpd/conf/mods/ssl.conf
new file mode 100644
index 0000000..7413985
--- /dev/null
+++ b/httpd/conf/mods/ssl.conf
@@ -0,0 +1,85 @@ + + + # Pseudo Random Number Generator (PRNG): + # Configure one or more sources to seed the PRNG of the SSL library. + # The seed data should be of good random quality. + # WARNING! On some platforms /dev/random blocks if not enough entropy + # is available. This means you then cannot use the /dev/random device + # because it would lead to very long connection times (as long as + # it requires to make more entropy available). But usually those + # platforms additionally provide a /dev/urandom device which doesn't + # block. So, if available, use this one instead. Read the mod_ssl User + # Manual for more details. + # + SSLRandomSeed startup builtin + SSLRandomSeed startup file:/dev/urandom 512 + SSLRandomSeed connect builtin + SSLRandomSeed connect file:/dev/urandom 512 + + ## + ## SSL Global Context + ## + ## All SSL configuration in this context applies both to + ## the main server and all SSL-enabled virtual hosts. + ## + + # + # Some MIME-types for downloading Certificates and CRLs + # + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + + # Pass Phrase Dialog: + # Configure the pass phrase gathering process. + # The filtering dialog program (`builtin' is a internal + # terminal dialog) has to provide the pass phrase on stdout. + #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase + + # Inter-Process Session Cache: + # Configure the SSL Session Cache: First the mechanism + # to use and second the expiring timeout (in seconds). + # (The mechanism dbm has known memory leaks and should not be used). + #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache + #SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) + SSLSessionCacheTimeout 300 + + # Semaphore: + # Configure the path to the mutual exclusion semaphore the + # SSL engine uses internally for inter-process synchronization. 
+ # (Disabled by default, the global Mutex directive consolidates by default + # this) + #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache + + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. See the + # ciphers(1) man page from the openssl package for list of all available + # options. + # Enable only secure ciphers: + SSLCipherSuite HIGH:!aNULL + + # SSL server cipher order preference: + # Use server priorities for cipher algorithm choice. + # Clients may prefer lower grade encryption. You should enable this + # option if you want to enforce stronger encryption, and can afford + # the CPU cost, and did not override SSLCipherSuite in a way that puts + # insecure ciphers first. + # Default: Off + #SSLHonorCipherOrder on + + # The protocols to enable. + # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 + # SSL v2 is no longer supported + SSLProtocol all -SSLv3 + + # Allow insecure renegotiation with clients which do not yet support the + # secure renegotiation protocol. Default: Off + #SSLInsecureRenegotiation on + + # Whether to forbid non-SNI clients to access name based virtual hosts. + # Default: Off + #SSLStrictSNIVHostCheck On + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/ssl.load b/httpd/conf/mods/ssl.load new file mode 100644 index 0000000..203e7fc --- /dev/null +++ b/httpd/conf/mods/ssl.load @@ -0,0 +1,2 @@ +# Depends: setenvif mime socache_shmcb +LoadModule ssl_module /usr/local/apache2/modules/mod_ssl.so diff --git a/httpd/conf/mods/status.conf b/httpd/conf/mods/status.conf new file mode 100644 index 0000000..5f53ba7 --- /dev/null +++ b/httpd/conf/mods/status.conf 
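Review bot: `SSLProtocol all -SSLv3` in mods/ssl.conf still accepts TLSv1 and TLSv1.1, which RFC 8996 deprecates, and with `SSLHonorCipherOrder` left commented out the client chooses among everything `HIGH:!aNULL` admits. I would replace the protocol line with `SSLProtocol -all +TLSv1.2 +TLSv1.3` (dropping `+TLSv1.3` if the image's httpd/OpenSSL build predates it) and uncomment `SSLHonorCipherOrder on`. Both `SSLSessionCache` lines are commented out although `SSLSessionCacheTimeout 300` is set and socache_shmcb is loaded elsewhere in this commit, so a comment stating whether the session cache is intentionally disabled would help the next reader.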
@@ -0,0 +1,29 @@ + + # Allow server status reports generated by mod_status, + # with the URL of http://servername/server-status + # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. + + + SetHandler server-status + Require local + #Require ip 192.0.2.0/24 + + + # Keep track of extended status information for each request + ExtendedStatus On + + # Determine if mod_status displays the first 63 characters of a request or + # the last 63, assuming the request itself is greater than 63 chars. + # Default: Off + #SeeRequestTail On + + + + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On + + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/mods/status.load b/httpd/conf/mods/status.load new file mode 100644 index 0000000..438cb5d --- /dev/null +++ b/httpd/conf/mods/status.load @@ -0,0 +1 @@ +LoadModule status_module /usr/local/apache2/modules/mod_status.so diff --git a/httpd/conf/mods/unixd.load b/httpd/conf/mods/unixd.load new file mode 100644 index 0000000..f562708 --- /dev/null +++ b/httpd/conf/mods/unixd.load @@ -0,0 +1 @@ +LoadModule unixd_module /usr/local/apache2/modules/mod_unixd.so diff --git a/httpd/conf/ports.conf b/httpd/conf/ports.conf new file mode 100644 index 0000000..5daec58 --- /dev/null +++ b/httpd/conf/ports.conf @@ -0,0 +1,15 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 80 + + + Listen 443 + + + + Listen 443 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/sites/000-default.conf b/httpd/conf/sites/000-default.conf new file mode 100644 index 0000000..80aa4ca --- /dev/null +++ b/httpd/conf/sites/000-default.conf 
@@ -0,0 +1,44 @@ + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + ServerName pacosako.jessemcdonald.info + ServerAdmin nybble41@gmail.com + + DocumentRoot /usr/local/apache2/www + + + AllowOverride None + Require all denied + + + # + # SetHandler server-status + # + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog /proc/self/fd/2 + + + CustomLog /proc/self/fd/1 combined + + + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/sites/pacosako-ssl.conf b/httpd/conf/sites/pacosako-ssl.conf new file mode 100644 index 0000000..c57b821 --- /dev/null +++ b/httpd/conf/sites/pacosako-ssl.conf 
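Review bot: `ServerName pacosako.jessemcdonald.info` is hard-coded in sites/000-default.conf while the TLS vhost added in sites/pacosako-ssl.conf uses `ServerName ${SERVER_NAME}`, so the two can disagree when the container is started with a different name. Using `ServerName ${SERVER_NAME}` in both keeps the port-80 host aligned with the managed domain; that presumably matters for the `MDRequireHttps temporary` redirect, though how the two vhosts are matched is not visible in this hunk. The commented-out `SetHandler server-status` block could also be dropped, since mods/status.conf in this commit already defines that handler.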
@@ -0,0 +1,181 @@ + + + + #MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory + MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory + MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf + MDRequireHttps temporary + MDCertificateFile /usr/local/apache2/conf/testing.crt + MDCertificateKeyFile /usr/local/apache2/conf/testing.key + + + + ServerAdmin nybble41@gmail.com + ServerName ${SERVER_NAME} + Protocols http/1.1 acme-tls/1 + + DocumentRoot /usr/local/apache2/www/pacosako + + + AllowOverride None + + + + Require all granted + + + RewriteEngine on + + RewriteCond "%{HTTP:UPGRADE}" "\bWebSocket\b" [NC] + RewriteCond "%{HTTP:CONNECTION}" "\bUpgrade\b" [NC] + RewriteRule "^/api(|/.*)" "ws://${API_SERVER}/api$1" [P,L] + + ProxyVia on + ProxyRequests off + # ProxyPreserveHost on + + + Require all granted + + + + # Long timeout for polling interfaces + ProxyPass http://${API_SERVER}/api acquire=5000 connectiontimeout=5 timeout=3600 keepalive=On ping=1 + ProxyPassReverse http://${API_SERVER}/api + ProxyPreserveHost on + + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog /proc/self/fd/2 + + + CustomLog /proc/self/fd/1 combined + + + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + SSLProxyEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. 
See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. 
Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. 
no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + # BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 + + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/httpd/conf/testing.crt b/httpd/conf/testing.crt new file mode 100644 index 0000000..2ee2b63 --- /dev/null +++ b/httpd/conf/testing.crt 
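Review bot: `ProxyPass http://${API_SERVER}/api ... timeout=3600` in sites/pacosako-ssl.conf lets one polling request wait on the backend for up to an hour, while mods/mpm_event.conf in this commit caps the server at `MaxRequestWorkers 150` and mod_reqtimeout bounds only how long the request is read, not how long the response is awaited. Unless the deployed httpd handles these waits asynchronously, a modest number of idle pollers (or WebSocket tunnels from the `RewriteRule ... [P,L]`) can occupy every worker and starve other requests. I would add a comment stating the expected concurrent-client ceiling and either lower `timeout=` to just above the API's own long-poll interval or raise `MaxRequestWorkers` to match it. `SSLProxyEngine on` is also set although both backends are plain `http://` and `ws://`; a comment that the API hop is intentionally unencrypted (presumably on a private container network) would make that decision explicit.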
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFlzCCA3+gAwIBAgIUcLUe7fQHwyi8xdyQDGxxl/gsgQswDQYJKoZIhvcNAQEL +BQAwWzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBElvd2ExFzAVBgNVBAoMDkplc3Nl +IE1jRG9uYWxkMSQwIgYDVQQDDBtwYWNvc2Frby5qZXNzZW1jZG9uYWxkLmluZm8w +HhcNMjEwOTI1MDM0MzI1WhcNMjIwOTI1MDM0MzI1WjBbMQswCQYDVQQGEwJVUzEN +MAsGA1UECAwESW93YTEXMBUGA1UECgwOSmVzc2UgTWNEb25hbGQxJDAiBgNVBAMM +G3BhY29zYWtvLmplc3NlbWNkb25hbGQuaW5mbzCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAM+jV3WRVPOXfV8RzqkZ9q8YB6sbULFK8f4mFlSaTBCq8iNt +B6JL4K184WrcHMz6oiZwPxGp53L+WYc57E6w4PvSU2xD3F/xemtroIFcQo2fbYWh +qSBXPF8VnBky5V6DpOTE4dI4CKKI4Lcn5HLaYTo5cdAsvETw2ALKqux1puqQpCJx +8bYT8Q4irQRpoZT/1ussD0TGwlwP3lHYucGIGCpdDVpXus3HSqJ8Sgb+zgqGDOIh +QlUbJrV0gy0xIGQPl1wWwKTE9EMtSMf4j+HlPmMaBWXJzbTKpL0+oEPcDWdxf/yd +6K2Dkwk+M3x/t51RXhWU/x4QfN4QtgR6iw+cg0+f+NBKrLHnSWtlqFcUKjDySVcp +N93lb/5kHWovguJWhLXHp7UySflErlZu49hxafVnmlLK4UYN1XdeEV4qTef3f1hr +l5+8vw8alPDGev4g4jIxkUID93UN0v/wcgSfBqYLi8+XOw0wUeNJGd2WgmAhJZy8 +YXcP7taux8rDSVCHJCqI0fYd/2Lo621nIEbbluM/1W1TqQUrXjbDC1D3FL9P4OZD +cRYFfKwB4Ehd/mVJwK3Z3sYtLndMwvN96gWGTJqkIXUkV4H939NyttvR4JHpgTuN +99OYNu1IlpqhcCIEjuc00YsI+xooizEumf51g8heN04nVZq650XpYpUuriyhAgMB +AAGjUzBRMB0GA1UdDgQWBBSS1rkDhWmvJqKXsuINmRGaGykOozAfBgNVHSMEGDAW +gBSS1rkDhWmvJqKXsuINmRGaGykOozAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4ICAQCnr6nXIuoauQsJMvK/S4nGBapCZUlr4CF2QJoi2+Oa7YUiyAKs +vaAXYT335VCeNHMoVr9deBqrT3Rve21lr6ZsdW5ldt4PLOzHHgyjdA2UI7TjUe3q +0UEgTHn4nfssCW6XCLXkJiILbTRAf7c8fcYiB9PMpVHV4hoe1qslWHPJgVh+OzB9 +mQ/r+hlaWDVE/vhVdAUOVUTgki/1ALt7cauiVgSMtYtWKg/XILKaU9zRXDSiJmeM +IyZBPq7QpIP8EBFB6rlxt+T8vzbFvdw/5OABJDM4WQHZ+hWGT/Y/FsMjokpqE+Sf +Inb+zG8XjCu/Pcfhi3awtsgGyrIp6XY+alMvlwCyScTWEHYB1RLy4uY9Znq+DUeL +k0P3Ae5HlBROKHDZo244PYxViIEsjsCoO7nKYcdQGhZBNFqgNYpV2foTZ0o75lmt +tk8GiSTH5AO3c7B+A321yd6I1kzHvjF+/gJWFw/zPYku9IXW+cevS9oqiPNKGq68 +0j8C8c2i10pEKhglU6jCvtsqKCwLFQepdQebivguFMl2PpfpEYysH3Z6wEfVkfWi +go4SIakhc7NDDUEWo8GKtJf6TCFbOyV8qbEGYPotIW/qgbyzD2zTkschByemSXH1 
+h+LDB3NpjLw7p0aHVYep2Lrg9hJZs1XqtZ3thvUqYvDCrmynnmx7JKxRDg== +-----END CERTIFICATE----- diff --git a/httpd/conf/testing.key b/httpd/conf/testing.key new file mode 100644 index 0000000..583259e --- /dev/null +++ b/httpd/conf/testing.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDPo1d1kVTzl31f +Ec6pGfavGAerG1CxSvH+JhZUmkwQqvIjbQeiS+CtfOFq3BzM+qImcD8Rqedy/lmH +OexOsOD70lNsQ9xf8Xpra6CBXEKNn22FoakgVzxfFZwZMuVeg6TkxOHSOAiiiOC3 +J+Ry2mE6OXHQLLxE8NgCyqrsdabqkKQicfG2E/EOIq0EaaGU/9brLA9ExsJcD95R +2LnBiBgqXQ1aV7rNx0qifEoG/s4KhgziIUJVGya1dIMtMSBkD5dcFsCkxPRDLUjH ++I/h5T5jGgVlyc20yqS9PqBD3A1ncX/8neitg5MJPjN8f7edUV4VlP8eEHzeELYE +eosPnINPn/jQSqyx50lrZahXFCow8klXKTfd5W/+ZB1qL4LiVoS1x6e1Mkn5RK5W +buPYcWn1Z5pSyuFGDdV3XhFeKk3n939Ya5efvL8PGpTwxnr+IOIyMZFCA/d1DdL/ +8HIEnwamC4vPlzsNMFHjSRndloJgISWcvGF3D+7WrsfKw0lQhyQqiNH2Hf9i6Ott +ZyBG25bjP9VtU6kFK142wwtQ9xS/T+DmQ3EWBXysAeBIXf5lScCt2d7GLS53TMLz +feoFhkyapCF1JFeB/d/Tcrbb0eCR6YE7jffTmDbtSJaaoXAiBI7nNNGLCPsaKIsx +Lpn+dYPIXjdOJ1WauudF6WKVLq4soQIDAQABAoICAQCbO17TgoekZYlRXhrGyaZn +WOvCvHUjVwh8HTVsor5jZ6oHWifu6hNbIJXWMiFGDcrUOe6s4f0rN4TvWBqW6h4J +pkDAHCvRftMrJBenHraS8rIKycWLbCyyWZGONULN2lWYwqihZUrvWK3HwIdGZoVx +5ih0nj1SvUyBKcuHZJ4Zl3FeXxl6KoZ5Luty9RXcMzkWMKZpoL8F3Mc1IXYefgSz +B0ZIWHZMCcZ+m7UsbarUq0tOc9cHkXjrB+RaEPRKWm2qZ0g25xhGcMCM4AORurVd +mcKXSrwDgcyPvxZKJWXQBEbPMa8WqdtveZU8aq93abGRKQdiDqmLy6qIxqTYUwbH +Uwr24A/UaDUOq1mQmlVmlBfNSfe2rRMW5qbFZt6nJ6kf6XxlG6bwkZ5QOLhlwqPb +L+x2ofpyVfqFT5+QzyBokyNcWeBya+HAYXRGbQ6U5x5e+C6cmLwKFwyhq0G5RBSo +QkEqYs73ayjwS59MeSZO6kMGc6Rn7+yxN6yEHFW71N+diBQCYAVElPEKddl/nlrH +2JsJO7wwKJFBYn16NPPvj1eCp1vMePJuVG658wCvZHZAsSdiIeyyBKQ8ETUHVOSY +aeOCwnoOZh9bOtMLm1No14FtmPiIhdZFaV8UdciPpNqRavTKAB2peJqGdsVNgbcE +TjopEJoRBqqTYxlw+FOPkQKCAQEA99jx0hB5Z9qkI7GrUxFcVr4ZKBDPX2lsFen1 +ukjLscxI8Y0Yrn1sGSwz1x/AXJHYwlg993Wig43eIOHZknS/ooEYxohmOFUKFAZT +rvSvV3HhStqmF/DB04lgCmTq5lUVItOPcClNe8FMfMKAHrDxg37gLiH5qlkQnlua +ZfG1T6WJJU7KLh9A4hobh6CZU8DENtiVnUYp5g1QNKHfeLLHgYQ14ZSexqcSr0Fn +FovcLzZa09qvs40UQl9BrmPwZhe1RlnhP/xHNMjmm9V5PgLP2Rzdh3WMwO6oxBYx +cI+8dnsfyAZxafvOQM4Pg2EB+T5fzinym+GIFJ3lpkFH4lQ4BwKCAQEA1nfOBzcl +wCa+OhVKBynBJGdEQ+FE9opNXokqBpAZ1DlQy9cySBajvRnrdu3sF7hLBeZm7YoW 
+hyPn2jNBuJd4sY7ggMYC96dr5d3YSy7v2glv3HbXEkpGXbgeDLKk3Kw8H/M54gKA +WOr7otuIul52c0G0Lo3tsGG051Mm+emxsPIL9SzNKCkBxFPMr24CjRyKppO1K/XS +0sdJeco0hEPkBJSl2tDN/v3a/tQOpKrDmIkrNnYD/jP/knST6qVTIATXPv6qdAmM +lfsPD8c/btD3covB5HPDuZcVjtLPB82pw5xTVxvfTmjvnxIX8ZfOfYsTzt0ana61 +dEFBl/p4Uki8FwKCAQAJodnMEy3Utm+Yn4gMA2m2SU8K+pREngFAXMZbBgc8krbn +BFfIOEGiPNCK9MXyEwz8iJdn7Z9yQ2o1lvFwuq7T7vZ6iMSIPe3VV2WbMBE8ccWS +tiqsVYQC55ze6osihn36y4QQlNpZC+sgEiMOjkvkk2K9CD7+utVlgiPfAGTOgp1w +4L4EytwnrWIShFBRK/W0N/igkyB/u1a5pOzdcP1F8FBzwuXkzItyWjVab/cPsqoW +/7HCZaI67h7MWz/1h8hYwpd5eCGAUKp9te8vVMalJnUJlazxtpTCgiZLvJpTdHeI +u49e0hVy+U8rCPMdr6njhkfSfRJf0r8hFfpoNmOzAoIBACOOLyDxGpgVlDnq55/y +YyvW1vFt+lHpMdR3Zvk5kJ6ndealYZej8Tdbgbbw0NBJ5F4xCWVeHEgBQuHg14dz +zTWam0ueCEXogrHUKpSkTm1WXS4uoY9Nswa8jHbMcxqGj104pKL8iSy0oE0qmitT +l82Z2fZR31L7j9M97NtHzAaqyiK2b7i1u65BulBnK5MbZT0ihcmo8m+xTFQdmsFG +xBmiTzDMpyocCd9vZpIUIWM7cmeP/y94jWlJXHBtQi+vvcOa0sV0A9OlkKSsAq8r +g6qA0v891fgBvTg1aM9BYGCmnQZ2/3lvWjKD/GY4JaqYkQsditkTas/ANdCtXJ8/ +obcCggEABBAQzsYvpfVHz6zBgtwRhnDecvTGEPrileMSqF2EGC7g9lr2tJcrd8e/ +yaBw5sBjgkVJAkEGRy+vyk7e/1JLSWAUN1HtuTjkm6lKsEIREbMrzSOX7VngYM7B +QdVxs9H0vomSF/GuIksMwglTIaaJvgh5EsaQgS9z1pXicOR8UUiYbGaRGUm3b8Mp +XzHJuogqZEVFcukli56+nXQkGpb8q9lUvKQ2vePc+b/LMTEr2NhygUJ53o8Z7A+1 +dzCxuHTZvVeo29fcGfWjRaBVQRKJI9moR0pH2F+vjpjvnmjxI7FbP1t8kyegcDr6 +JnIkNa1NoSQnKlAnWTktE+3EFGuUUg== +-----END PRIVATE KEY----- diff --git a/httpd/paco_sako b/httpd/paco_sako new file mode 160000 index 0000000..4f72d75 --- /dev/null +++ b/httpd/paco_sako @@ -0,0 +1 @@ +Subproject commit 4f72d756422acc2aa9e1e57e94d5aafa7a0ccc63
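Review bot: httpd/conf/testing.key commits an unencrypted RSA private key, and sites/pacosako-ssl.conf in this same commit wires it into the TLS vhost through `MDCertificateKeyFile /usr/local/apache2/conf/testing.key`, with the matching testing.crt as `MDCertificateFile`. Anyone who can read the repository or the built image can therefore impersonate the site for as long as this pair is served, and deleting the file in a later commit does not remove it from history, so the key should be treated as disclosed. I would drop both files from the tree, generate a throwaway pair at container start or mount one as a secret, and leave `MDCertificateFile`/`MDCertificateKeyFile` out of the production config so that mod_md rather than a static file supplies the certificate; the same config still points `MDCertificateAuthority` at the Let's Encrypt staging directory, which needs switching before real use.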