initial commit

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "paco_sako_server"]
+	path = app
+	url = ../paco_sako_server.git
+[submodule "httpd/paco_sako"]
+	path = httpd/paco_sako
+	url = ../paco_sako.git

app

@@ -0,0 +1 @@
+Subproject commit cb636d020173035dd51f4aa7fb4d48f511320d5e

docker-compose.yml

@@ -0,0 +1,33 @@
+services:
+  httpd:
+    build:
+      context: httpd
+      network: host
+    ports:
+      - "${HTTP_PORT:-80}:80"
+      - "${HTTPS_PORT:-443}:443"
+    networks:
+      - front-tier
+      - back-tier
+    environment:
+      SERVER_NAME: "${SERVER_NAME:-pacosako.jessemcdonald.info}"
+      API_SERVER: "app:80"
+
+  app:
+    build:
+      context: app
+      network: host
+    networks:
+      - back-tier
+    environment:
+      PACOSAKO_DB: "/data/pacosako.db"
+      PORT: "80"
+    volumes:
+      - "pacosako-db:/data"
+
+networks:
+  front-tier: {}
+  back-tier: {}
+
+volumes:
+  pacosako-db: {}

httpd/.dockerignore

@@ -0,0 +1,6 @@
+.git
+.dockerignore
+Dockerfile
+.*.swp
+.*.swo
+*~

httpd/Dockerfile

@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:1
+FROM node:16-bullseye AS builder
+MAINTAINER Jesse McDonald <nybble41@gmail.com>
+WORKDIR /app
+RUN git clone -b v0.8.5 --depth 1 https://jessemcdonald.info/gogs/nybble/paco_sako.git paco_sako
+WORKDIR /app/paco_sako
+RUN npm install
+RUN npm run build
+
+FROM httpd:2.4-alpine3.14
+MAINTAINER Jesse McDonald <nybble41@gmail.com>
+WORKDIR /usr/local/apache2
+COPY conf ./conf
+RUN mkdir -p ./www/pacosako
+COPY --from=builder /app/paco_sako/public ./www/pacosako
+CMD ["httpd", "-D", "FOREGROUND"]

httpd/conf/conf/other-vhosts-access-log.conf

@@ -0,0 +1,8 @@
+# Define an access log for VirtualHosts that don't define their own logfile
+<IfModule log_config_module>
+	<IfModule logio_module>
+		CustomLog /proc/self/fd/1 vhost_combined
+	</IfModule>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/conf/security.conf

@@ -0,0 +1,73 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#<Directory />
+#   AllowOverride None
+#   Require all denied
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#<DirectoryMatch "/\.svn">
+#   Require all denied
+#</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/conf/serve-cgi-bin.conf

@@ -0,0 +1,20 @@
+<IfModule mod_alias.c>
+	<IfModule mod_cgi.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfModule mod_cgid.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfDefine ENABLE_USR_LIB_CGI_BIN>
+		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+		<Directory "/usr/lib/cgi-bin">
+			AllowOverride None
+			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+			Require all granted
+		</Directory>
+	</IfDefine>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/httpd.conf

@@ -0,0 +1,60 @@
+ServerName ${SERVER_NAME}
+ServerRoot "/usr/local/apache2"
+Timeout 300
+KeepAlive On
+MaxKeepAliveRequests 100
+KeepAliveTimeout 5
+User daemon
+Group daemon
+HostnameLookups Off
+ErrorLog /proc/self/fd/2
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional conf/mods/*.load
+IncludeOptional conf/mods/*.conf
+
+# Include list of ports to listen on
+Include conf/ports.conf
+
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+	Require all denied
+</Directory>
+
+<Directory /usr/share>
+	AllowOverride None
+	Require all granted
+</Directory>
+
+<Directory /var/www/>
+	Options Indexes FollowSymLinks
+	AllowOverride None
+	Require all granted
+</Directory>
+
+AccessFileName .htaccess
+
+<FilesMatch "^\.ht">
+	Require all denied
+</FilesMatch>
+
+<IfModule log_config_module>
+	<IfModule logio_module>
+		LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+		LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+		LogFormat "%h %l %u %t \"%r\" %>s %O" common
+	</IfModule>
+	LogFormat "%{Referer}i -> %U" referer
+	LogFormat "%{User-agent}i" agent
+	CustomLog /proc/self/fd/1 common
+</IfModule>
+
+# Include generic snippets of statements
+IncludeOptional conf/conf/*.conf
+
+# Include the virtual host configurations:
+IncludeOptional conf/sites/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/00-watchdog.load

@@ -0,0 +1 @@
+LoadModule watchdog_module /usr/local/apache2/modules/mod_watchdog.so

httpd/conf/mods/access_compat.load

@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule access_compat_module /usr/local/apache2/modules/mod_access_compat.so

httpd/conf/mods/alias.conf

@@ -0,0 +1,24 @@
+<IfModule alias_module>
+	# Aliases: Add here as many aliases as you need (with no limit). The format is
+	# Alias fakename realname
+	#
+	# Note that if you include a trailing / on fakename then the server will
+	# require it to be present in the URL.  So "/icons" isn't aliased in this
+	# example, only "/icons/".  If the fakename is slash-terminated, then the
+	# realname must also be slash terminated, and if the fakename omits the
+	# trailing slash, the realname must also omit it.
+	#
+	# We include the /icons/ alias for FancyIndexed directory listings.  If
+	# you do not use FancyIndexing, you may comment this out.
+
+	Alias /icons/ "/usr/share/apache2/icons/"
+
+	<Directory "/usr/share/apache2/icons">
+		Options FollowSymlinks
+		AllowOverride None
+		Require all granted
+	</Directory>
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/alias.load

@@ -0,0 +1 @@
+LoadModule alias_module /usr/local/apache2/modules/mod_alias.so

httpd/conf/mods/auth_basic.load

@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule auth_basic_module /usr/local/apache2/modules/mod_auth_basic.so

httpd/conf/mods/authn_core.load

@@ -0,0 +1 @@
+LoadModule authn_core_module /usr/local/apache2/modules/mod_authn_core.so

httpd/conf/mods/authn_file.load

@@ -0,0 +1 @@
+LoadModule authn_file_module /usr/local/apache2/modules/mod_authn_file.so

httpd/conf/mods/authz_core.load

@@ -0,0 +1 @@
+LoadModule authz_core_module /usr/local/apache2/modules/mod_authz_core.so

httpd/conf/mods/authz_host.load

@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_host_module /usr/local/apache2/modules/mod_authz_host.so

httpd/conf/mods/authz_user.load

@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_user_module /usr/local/apache2/modules/mod_authz_user.so

httpd/conf/mods/autoindex.conf

@@ -0,0 +1,96 @@
+<IfModule mod_autoindex.c>
+	# Directives controlling the display of server-generated directory listings.
+
+	#
+	# IndexOptions: Controls the appearance of server-generated directory
+	# listings.
+	# Remove/replace the "Charset=UTF-8" if you don't use UTF-8 for your filenames.
+	IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8
+
+	#
+	# AddIcon* directives tell the server which icon to show for different
+	# files or filename extensions.  These are only displayed for
+	# FancyIndexed directories.
+	AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2
+
+	AddIconByType (TXT,/icons/text.gif) text/*
+	AddIconByType (IMG,/icons/image2.gif) image/*
+	AddIconByType (SND,/icons/sound2.gif) audio/*
+	AddIconByType (VID,/icons/movie.gif) video/*
+
+	AddIcon /icons/binary.gif .bin .exe
+	AddIcon /icons/binhex.gif .hqx
+	AddIcon /icons/tar.gif .tar
+	AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+	AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+	AddIcon /icons/a.gif .ps .ai .eps
+	AddIcon /icons/layout.gif .html .shtml .htm .pdf
+	AddIcon /icons/text.gif .txt
+	AddIcon /icons/c.gif .c
+	AddIcon /icons/p.gif .pl .py
+	AddIcon /icons/f.gif .for
+	AddIcon /icons/dvi.gif .dvi
+	AddIcon /icons/uuencoded.gif .uu
+	AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+	AddIcon /icons/tex.gif .tex
+	# It's a suffix rule, so simply matching "core" matches "score" as well !
+	AddIcon /icons/bomb.gif /core
+	AddIcon (SND,/icons/sound2.gif) .ogg
+	AddIcon (VID,/icons/movie.gif) .ogm
+
+	AddIcon /icons/back.gif ..
+	AddIcon /icons/hand.right.gif README
+	AddIcon /icons/folder.gif ^^DIRECTORY^^
+	AddIcon /icons/blank.gif ^^BLANKICON^^
+
+	# Default icons for OpenDocument format
+	AddIcon /icons/odf6odt-20x22.png .odt
+	AddIcon /icons/odf6ods-20x22.png .ods
+	AddIcon /icons/odf6odp-20x22.png .odp
+	AddIcon /icons/odf6odg-20x22.png .odg
+	AddIcon /icons/odf6odc-20x22.png .odc
+	AddIcon /icons/odf6odf-20x22.png .odf
+	AddIcon /icons/odf6odb-20x22.png .odb
+	AddIcon /icons/odf6odi-20x22.png .odi
+	AddIcon /icons/odf6odm-20x22.png .odm
+
+	AddIcon /icons/odf6ott-20x22.png .ott
+	AddIcon /icons/odf6ots-20x22.png .ots
+	AddIcon /icons/odf6otp-20x22.png .otp
+	AddIcon /icons/odf6otg-20x22.png .otg
+	AddIcon /icons/odf6otc-20x22.png .otc
+	AddIcon /icons/odf6otf-20x22.png .otf
+	AddIcon /icons/odf6oti-20x22.png .oti
+	AddIcon /icons/odf6oth-20x22.png .oth
+
+	#
+	# DefaultIcon is which icon to show for files which do not have an icon
+	# explicitly set.
+	DefaultIcon /icons/unknown.gif
+
+	#
+	# AddDescription allows you to place a short description after a file in
+	# server-generated indexes.  These are only displayed for FancyIndexed
+	# directories.
+	# Format: AddDescription "description" filename
+	#AddDescription "GZIP compressed document" .gz
+	#AddDescription "tar archive" .tar
+	#AddDescription "GZIP compressed tar archive" .tgz
+
+	#
+	# ReadmeName is the name of the README file the server will look for by
+	# default, and append to directory listings.
+	#
+	# HeaderName is the name of a file which should be prepended to
+	# directory indexes
+	ReadmeName README.html
+	HeaderName HEADER.html
+
+	#
+	# IndexIgnore is a set of filenames which directory indexing should ignore
+	# and not include in the listing.  Shell-style wildcarding is permitted.
+	IndexIgnore .??* *~ *# RCS CVS *,v *,t
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/autoindex.load

@@ -0,0 +1 @@
+LoadModule autoindex_module /usr/local/apache2/modules/mod_autoindex.so

httpd/conf/mods/deflate.conf

@@ -0,0 +1,10 @@
+<IfModule mod_deflate.c>
+	<IfModule mod_filter.c>
+		AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
+		AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
+		AddOutputFilterByType DEFLATE application/rss+xml
+		AddOutputFilterByType DEFLATE application/xml
+	</IfModule>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/deflate.load

@@ -0,0 +1,2 @@
+# Depends: filter
+LoadModule deflate_module /usr/local/apache2/modules/mod_deflate.so

httpd/conf/mods/dir.conf

@@ -0,0 +1,5 @@
+<IfModule mod_dir.c>
+	DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/dir.load

@@ -0,0 +1 @@
+LoadModule dir_module /usr/local/apache2/modules/mod_dir.so

httpd/conf/mods/env.load

@@ -0,0 +1 @@
+LoadModule env_module /usr/local/apache2/modules/mod_env.so

httpd/conf/mods/filter.load

@@ -0,0 +1 @@
+LoadModule filter_module /usr/local/apache2/modules/mod_filter.so

httpd/conf/mods/md.load

@@ -0,0 +1 @@
+LoadModule md_module /usr/local/apache2/modules/mod_md.so

httpd/conf/mods/mime.conf

@@ -0,0 +1,251 @@
+<IfModule mod_mime.c>
+
+	#
+	# TypesConfig points to the file containing the list of mappings from
+	# filename extension to MIME-type.
+	#
+	TypesConfig /usr/local/apache2/conf/mime.types
+
+	#
+	# AddType allows you to add to or override the MIME configuration
+	# file mime.types for specific file types.
+	#
+	#AddType application/x-gzip .tgz
+	#
+	# AddEncoding allows you to have certain browsers uncompress
+	# information on the fly. Note: Not all browsers support this.
+	# Despite the name similarity, the following Add* directives have
+	# nothing to do with the FancyIndexing customization directives above.
+	#
+	#AddEncoding x-compress .Z
+	#AddEncoding x-gzip .gz .tgz
+	#AddEncoding x-bzip2 .bz2
+	#
+	# If the AddEncoding directives above are commented-out, then you
+	# probably should define those extensions to indicate media types:
+	#
+	AddType application/x-compress .Z
+	AddType application/x-gzip .gz .tgz
+	AddType application/x-bzip2 .bz2
+
+	#
+	# DefaultLanguage and AddLanguage allows you to specify the language of 
+	# a document. You can then use content negotiation to give a browser a 
+	# file in a language the user can understand.
+	#
+	# Specify a default language. This means that all data
+	# going out without a specific language tag (see below) will 
+	# be marked with this one. You probably do NOT want to set
+	# this unless you are sure it is correct for all cases.
+	#
+	# * It is generally better to not mark a page as 
+	# * being a certain language than marking it with the wrong
+	# * language!
+	#
+	# DefaultLanguage nl
+	#
+	# Note 1: The suffix does not have to be the same as the language
+	# keyword --- those with documents in Polish (whose net-standard
+	# language code is pl) may wish to use "AddLanguage pl .po" to
+	# avoid the ambiguity with the common suffix for perl scripts.
+	#
+	# Note 2: The example entries below illustrate that in some cases 
+	# the two character 'Language' abbreviation is not identical to 
+	# the two character 'Country' code for its country,
+	# E.g. 'Danmark/dk' versus 'Danish/da'.
+	#
+	# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+	# specifier. There is 'work in progress' to fix this and get
+	# the reference data for rfc1766 cleaned up.
+	#
+	# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+	# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+	# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+	# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+	# Norwegian (no) - Polish (pl) - Portugese (pt)
+	# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+	# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+	#
+	AddLanguage am .amh
+	AddLanguage ar .ara
+	AddLanguage be .be
+	AddLanguage bg .bg
+	AddLanguage bn .bn
+	AddLanguage br .br
+	AddLanguage bs .bs
+	AddLanguage ca .ca
+	AddLanguage cs .cz .cs
+	AddLanguage cy .cy
+	AddLanguage da .dk
+	AddLanguage de .de
+	AddLanguage dz .dz
+	AddLanguage el .el
+	AddLanguage en .en
+	AddLanguage eo .eo
+	# es is ecmascript in /etc/mime.types
+	RemoveType  es
+	AddLanguage es .es
+	AddLanguage et .et
+	AddLanguage eu .eu
+	AddLanguage fa .fa
+	AddLanguage fi .fi
+	AddLanguage fr .fr
+	AddLanguage ga .ga
+	AddLanguage gl .glg
+	AddLanguage gu .gu
+	AddLanguage he .he
+	AddLanguage hi .hi
+	AddLanguage hr .hr
+	AddLanguage hu .hu
+	AddLanguage hy .hy
+	AddLanguage id .id
+	AddLanguage is .is
+	AddLanguage it .it
+	AddLanguage ja .ja
+	AddLanguage ka .ka
+	AddLanguage kk .kk
+	AddLanguage km .km
+	AddLanguage kn .kn
+	AddLanguage ko .ko
+	AddLanguage ku .ku
+	AddLanguage lo .lo
+	AddLanguage lt .lt
+	AddLanguage ltz .ltz
+	AddLanguage lv .lv
+	AddLanguage mg .mg
+	AddLanguage mk .mk
+	AddLanguage ml .ml
+	AddLanguage mr .mr
+	AddLanguage ms .msa
+	AddLanguage nb .nob
+	AddLanguage ne .ne
+	AddLanguage nl .nl
+	AddLanguage nn .nn
+	AddLanguage no .no
+	AddLanguage pa .pa
+	AddLanguage pl .po
+	AddLanguage pt-BR .pt-br
+	AddLanguage pt .pt
+	AddLanguage ro .ro
+	AddLanguage ru .ru
+	AddLanguage sa .sa
+	AddLanguage se .se
+	AddLanguage si .si
+	AddLanguage sk .sk
+	AddLanguage sl .sl
+	AddLanguage sq .sq
+	AddLanguage sr .sr
+	AddLanguage sv .sv
+	AddLanguage ta .ta
+	AddLanguage te .te
+	AddLanguage th .th
+	AddLanguage tl .tl
+	RemoveType  tr
+	# tr is troff in /etc/mime.types
+	AddLanguage tr .tr
+	AddLanguage uk .uk
+	AddLanguage ur .ur
+	AddLanguage vi .vi
+	AddLanguage wo .wo
+	AddLanguage xh .xh
+	AddLanguage zh-CN .zh-cn
+	AddLanguage zh-TW .zh-tw
+
+	#
+	# Commonly used filename extensions to character sets. You probably
+	# want to avoid clashes with the language extensions, unless you
+	# are good at carefully testing your setup after each change.
+	# See http://www.iana.org/assignments/character-sets for the
+	# official list of charset names and their respective RFCs.
+	#
+	AddCharset us-ascii	.ascii .us-ascii
+	AddCharset ISO-8859-1  .iso8859-1  .latin1
+	AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
+	AddCharset ISO-8859-3  .iso8859-3  .latin3
+	AddCharset ISO-8859-4  .iso8859-4  .latin4
+	AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
+	AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
+	AddCharset ISO-8859-7  .iso8859-7  .grk .greek
+	AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
+	AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
+	AddCharset ISO-8859-10  .iso8859-10  .latin6
+	AddCharset ISO-8859-13  .iso8859-13
+	AddCharset ISO-8859-14  .iso8859-14  .latin8
+	AddCharset ISO-8859-15  .iso8859-15  .latin9
+	AddCharset ISO-8859-16  .iso8859-16  .latin10
+	AddCharset ISO-2022-JP .iso2022-jp .jis
+	AddCharset ISO-2022-KR .iso2022-kr .kis
+	AddCharset ISO-2022-CN .iso2022-cn .cis
+	AddCharset Big5		.Big5	   .big5 .b5
+	AddCharset cn-Big5	 .cn-big5
+	# For russian, more than one charset is used (depends on client, mostly):
+	AddCharset WINDOWS-1251 .cp-1251   .win-1251
+	AddCharset CP866	   .cp866
+	AddCharset KOI8	  .koi8
+	AddCharset KOI8-E	  .koi8-e
+	AddCharset KOI8-r	  .koi8-r .koi8-ru
+	AddCharset KOI8-U	  .koi8-u
+	AddCharset KOI8-ru	 .koi8-uk .ua
+	AddCharset ISO-10646-UCS-2 .ucs2
+	AddCharset ISO-10646-UCS-4 .ucs4
+	AddCharset UTF-7	   .utf7
+	AddCharset UTF-8	   .utf8
+	AddCharset UTF-16	  .utf16
+	AddCharset UTF-16BE	.utf16be
+	AddCharset UTF-16LE	.utf16le
+	AddCharset UTF-32	  .utf32
+	AddCharset UTF-32BE	.utf32be
+	AddCharset UTF-32LE	.utf32le
+	AddCharset euc-cn	  .euc-cn
+	AddCharset euc-gb	  .euc-gb
+	AddCharset euc-jp	  .euc-jp
+	AddCharset euc-kr	  .euc-kr
+	#Not sure how euc-tw got in - IANA doesn't list it???
+	AddCharset EUC-TW	  .euc-tw
+	AddCharset gb2312	  .gb2312 .gb
+	AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
+	AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
+	AddCharset shift_jis   .shift_jis .sjis
+	AddCharset BRF		 .brf
+
+	#
+	# AddHandler allows you to map certain file extensions to "handlers":
+	# actions unrelated to filetype. These can be either built into the server
+	# or added with the Action directive (see below)
+	#
+	# To use CGI scripts outside of ScriptAliased directories:
+	# (You will also need to add "ExecCGI" to the "Options" directive.)
+	#
+	#AddHandler cgi-script .cgi
+
+	#
+	# For files that include their own HTTP headers:
+	#
+	#AddHandler send-as-is asis
+
+	#
+	# For server-parsed imagemap files:
+	#
+	#AddHandler imap-file map
+
+	#
+	# For type maps (negotiated resources):
+	# (This is enabled by default to allow the Apache "It Worked" page
+	#  to be distributed in multiple languages.)
+	#
+	AddHandler type-map var
+
+	#
+	# Filters allow you to process content before it is sent to the client.
+	#
+	# To parse .shtml files for server-side includes (SSI):
+	# (You will also need to add "Includes" to the "Options" directive.)
+	#
+	AddType text/html .shtml
+<IfModule mod_include.c>
+	AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/mime.load

@@ -0,0 +1 @@
+LoadModule mime_module /usr/local/apache2/modules/mod_mime.so

httpd/conf/mods/mpm_event.conf

@@ -0,0 +1,18 @@
+# event MPM
+# StartServers: initial number of server processes to start
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestWorkers: maximum number of worker threads
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+<IfModule mpm_event_module>
+	StartServers			 2
+	MinSpareThreads		 25
+	MaxSpareThreads		 75
+	ThreadLimit			 64
+	ThreadsPerChild		 25
+	MaxRequestWorkers	  150
+	MaxConnectionsPerChild   0
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/mpm_event.load

@@ -0,0 +1,2 @@
+# Conflicts: mpm_worker mpm_prefork
+LoadModule mpm_event_module /usr/local/apache2/modules/mod_mpm_event.so

httpd/conf/mods/negotiation.conf

@@ -0,0 +1,20 @@
+<IfModule mod_negotiation.c>
+
+	# LanguagePriority allows you to give precedence to some languages
+	# in case of a tie during content negotiation.
+	#
+	# Just list the languages in decreasing order of preference. We have
+	# more or less alphabetized them here. You probably want to change this.
+	#
+	LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW
+
+	#
+	# ForceLanguagePriority allows you to serve a result page rather than
+	# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+	# [in case no accepted languages matched the available variants]
+	#
+	ForceLanguagePriority Prefer Fallback
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/negotiation.load

@@ -0,0 +1 @@
+LoadModule negotiation_module /usr/local/apache2/modules/mod_negotiation.so

httpd/conf/mods/proxy.conf

@@ -0,0 +1,27 @@
+<IfModule mod_proxy.c>
+
+	# If you want to use apache2 as a forward proxy, uncomment the
+	# 'ProxyRequests On' line and the <Proxy *> block below.
+	# WARNING: Be careful to restrict access inside the <Proxy *> block.
+	# Open proxy servers are dangerous both to your network and to the
+	# Internet at large.
+	#
+	# If you only want to use apache2 as a reverse proxy/gateway in
+	# front of some web application server, you DON'T need
+	# 'ProxyRequests On'.
+
+	#ProxyRequests On
+	#<Proxy *>
+	#   AddDefaultCharset off
+	#   Require all denied
+	#   #Require local
+	#</Proxy>
+
+	# Enable/disable the handling of HTTP/1.1 "Via:" headers.
+	# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+	# Set to one of: Off | On | Full | Block
+	#ProxyVia Off
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/proxy.load

@@ -0,0 +1 @@
+LoadModule proxy_module /usr/local/apache2/modules/mod_proxy.so

httpd/conf/mods/proxy_http.load

@@ -0,0 +1,2 @@
+# Depends: proxy
+LoadModule proxy_http_module /usr/local/apache2/modules/mod_proxy_http.so

httpd/conf/mods/proxy_wstunnel.load

@@ -0,0 +1,2 @@
+# Depends: proxy
+LoadModule proxy_wstunnel_module /usr/local/apache2/modules/mod_proxy_wstunnel.so

httpd/conf/mods/reqtimeout.conf

@@ -0,0 +1,27 @@
+<IfModule reqtimeout_module>
+
+	# mod_reqtimeout limits the time waiting on the client to prevent an
+	# attacker from causing a denial of service by opening many connections
+	# but not sending requests. This file tries to give a sensible default
+	# configuration, but it may be necessary to tune the timeout values to
+	# the actual situation. Note that it is also possible to configure
+	# mod_reqtimeout per virtual host.
+
+
+	# Wait max 20 seconds for the first byte of the request line+headers
+	# From then, require a minimum data rate of 500 bytes/s, but don't
+	# wait longer than 40 seconds in total.
+	# Note: Lower timeouts may make sense on non-ssl virtual hosts but can
+	# cause problem with ssl enabled virtual hosts: This timeout includes
+	# the time a browser may need to fetch the CRL for the certificate. If
+	# the CRL server is not reachable, it may take more than 10 seconds
+	# until the browser gives up.
+	RequestReadTimeout header=20-40,minrate=500
+
+	# Wait max 10 seconds for the first byte of the request body (if any)
+	# From then, require a minimum data rate of 500 bytes/s
+	RequestReadTimeout body=10,minrate=500
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/reqtimeout.load

@@ -0,0 +1 @@
+LoadModule reqtimeout_module /usr/local/apache2/modules/mod_reqtimeout.so

httpd/conf/mods/rewrite.load

@@ -0,0 +1 @@
+LoadModule rewrite_module /usr/local/apache2/modules/mod_rewrite.so

httpd/conf/mods/setenvif.conf

@@ -0,0 +1,32 @@
+<IfModule mod_setenvif.c>
+
+	#
+	# The following directives modify normal HTTP response behavior to
+	# handle known problems with browser implementations.
+	#
+	BrowserMatch "Mozilla/2" nokeepalive
+	BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+	BrowserMatch "RealPlayer 4\.0" force-response-1.0
+	BrowserMatch "Java/1\.0" force-response-1.0
+	BrowserMatch "JDK/1\.0" force-response-1.0
+
+	#
+	# The following directive disables redirects on non-GET requests for
+	# a directory that does not include the trailing slash.  This fixes a
+	# problem with Microsoft WebFolders which does not appropriately handle
+	# redirects for folders with DAV methods.
+	# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+	#
+	BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+	BrowserMatch "MS FrontPage" redirect-carefully
+	BrowserMatch "^WebDrive" redirect-carefully
+	BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+	BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+	BrowserMatch "^gvfs/1" redirect-carefully
+	BrowserMatch "^XML Spy" redirect-carefully
+	BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+	BrowserMatch " Konqueror/4" redirect-carefully
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/setenvif.load

@@ -0,0 +1 @@
+LoadModule setenvif_module /usr/local/apache2/modules/mod_setenvif.so

httpd/conf/mods/socache_shmcb.load

@@ -0,0 +1 @@
+LoadModule socache_shmcb_module /usr/local/apache2/modules/mod_socache_shmcb.so

httpd/conf/mods/ssl.conf

@@ -0,0 +1,85 @@
+<IfModule mod_ssl.c>
+
+	# Pseudo Random Number Generator (PRNG):
+	# Configure one or more sources to seed the PRNG of the SSL library.
+	# The seed data should be of good random quality.
+	# WARNING! On some platforms /dev/random blocks if not enough entropy
+	# is available. This means you then cannot use the /dev/random device
+	# because it would lead to very long connection times (as long as
+	# it requires to make more entropy available). But usually those
+	# platforms additionally provide a /dev/urandom device which doesn't
+	# block. So, if available, use this one instead. Read the mod_ssl User
+	# Manual for more details.
+	#
+	SSLRandomSeed startup builtin
+	SSLRandomSeed startup file:/dev/urandom 512
+	SSLRandomSeed connect builtin
+	SSLRandomSeed connect file:/dev/urandom 512
+
+	##
+	##  SSL Global Context
+	##
+	##  All SSL configuration in this context applies both to
+	##  the main server and all SSL-enabled virtual hosts.
+	##
+
+	#
+	#   Some MIME-types for downloading Certificates and CRLs
+	#
+	AddType application/x-x509-ca-cert .crt
+	AddType application/x-pkcs7-crl	.crl
+
+	#   Pass Phrase Dialog:
+	#   Configure the pass phrase gathering process.
+	#   The filtering dialog program (`builtin' is a internal
+	#   terminal dialog) has to provide the pass phrase on stdout.
+	#SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
+
+	#   Inter-Process Session Cache:
+	#   Configure the SSL Session Cache: First the mechanism 
+	#   to use and second the expiring timeout (in seconds).
+	#   (The mechanism dbm has known memory leaks and should not be used).
+	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
+	#SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+	SSLSessionCacheTimeout  300
+
+	#   Semaphore:
+	#   Configure the path to the mutual exclusion semaphore the
+	#   SSL engine uses internally for inter-process synchronization. 
+	#   (Disabled by default, the global Mutex directive consolidates by default
+	#   this)
+	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+	#   SSL Cipher Suite:
+	#   List the ciphers that the client is permitted to negotiate. See the
+	#   ciphers(1) man page from the openssl package for list of all available
+	#   options.
+	#   Enable only secure ciphers:
+	SSLCipherSuite HIGH:!aNULL
+
+	# SSL server cipher order preference:
+	# Use server priorities for cipher algorithm choice.
+	# Clients may prefer lower grade encryption.  You should enable this
+	# option if you want to enforce stronger encryption, and can afford
+	# the CPU cost, and did not override SSLCipherSuite in a way that puts
+	# insecure ciphers first.
+	# Default: Off
+	#SSLHonorCipherOrder on
+
+	#   The protocols to enable.
+	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+	#   SSL v2  is no longer supported
+	SSLProtocol all -SSLv3
+
+	#   Allow insecure renegotiation with clients which do not yet support the
+	#   secure renegotiation protocol. Default: Off
+	#SSLInsecureRenegotiation on
+
+	#   Whether to forbid non-SNI clients to access name based virtual hosts.
+	#   Default: Off
+	#SSLStrictSNIVHostCheck On
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/ssl.load

@@ -0,0 +1,2 @@
+# Depends: setenvif mime socache_shmcb
+LoadModule ssl_module /usr/local/apache2/modules/mod_ssl.so

httpd/conf/mods/status.conf

@@ -0,0 +1,29 @@
+<IfModule mod_status.c>
+	# Allow server status reports generated by mod_status,
+	# with the URL of http://servername/server-status
+	# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
+
+	<Location /server-status>
+		SetHandler server-status
+		Require local
+		#Require ip 192.0.2.0/24
+	</Location>
+
+	# Keep track of extended status information for each request
+	ExtendedStatus On
+
+	# Determine if mod_status displays the first 63 characters of a request or
+	# the last 63, assuming the request itself is greater than 63 chars.
+	# Default: Off
+	#SeeRequestTail On
+
+
+	<IfModule mod_proxy.c>
+		# Show Proxy LoadBalancer status in mod_status
+		ProxyStatus On
+	</IfModule>
+
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/mods/status.load

@@ -0,0 +1 @@
+LoadModule status_module /usr/local/apache2/modules/mod_status.so

httpd/conf/mods/unixd.load

@@ -0,0 +1 @@
+LoadModule unixd_module /usr/local/apache2/modules/mod_unixd.so

httpd/conf/ports.conf

@@ -0,0 +1,15 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen 80
+
+<IfModule ssl_module>
+	Listen 443
+</IfModule>
+
+<IfModule mod_gnutls.c>
+	Listen 443
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/sites/000-default.conf

@@ -0,0 +1,44 @@
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	ServerName pacosako.jessemcdonald.info
+	ServerAdmin nybble41@gmail.com
+
+	DocumentRoot /usr/local/apache2/www
+
+	<Directory />
+		AllowOverride None
+		Require all denied
+	</Directory>
+
+	#<Location /server-status>
+	#	SetHandler server-status
+	#</Location>
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog /proc/self/fd/2
+	<IfModule log_config_module>
+		<IfModule logio_module>
+			CustomLog /proc/self/fd/1 combined
+		</IfModule>
+	</IfModule>
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/sites/pacosako-ssl.conf

@@ -0,0 +1,181 @@
+<IfModule mod_ssl.c>
+<IfModule mod_md.c>
+<MDomainSet ${SERVER_NAME}>
+	#MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
+	MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
+	MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+	MDRequireHttps temporary
+	MDCertificateFile /usr/local/apache2/conf/testing.crt
+	MDCertificateKeyFile /usr/local/apache2/conf/testing.key
+</MDomainSet>
+
+<VirtualHost *:443>
+	ServerAdmin nybble41@gmail.com
+	ServerName ${SERVER_NAME}
+	Protocols http/1.1 acme-tls/1
+
+	DocumentRoot /usr/local/apache2/www/pacosako
+
+	<Directory />
+		AllowOverride None
+	</Directory>
+
+	<Directory /usr/local/apache2/www/pacosako>
+		Require all granted
+	</Directory>
+
+	RewriteEngine on
+	
+	RewriteCond "%{HTTP:UPGRADE}" "\bWebSocket\b" [NC]
+	RewriteCond "%{HTTP:CONNECTION}" "\bUpgrade\b" [NC]
+	RewriteRule "^/api(|/.*)" "ws://${API_SERVER}/api$1" [P,L]
+
+	ProxyVia on
+	ProxyRequests off
+	# ProxyPreserveHost on
+
+	<Proxy *>
+		Require all granted
+	</Proxy>
+
+	<Location /api>
+		# Long timeout for polling interfaces
+		ProxyPass        http://${API_SERVER}/api acquire=5000 connectiontimeout=5 timeout=3600 keepalive=On ping=1
+		ProxyPassReverse http://${API_SERVER}/api
+		ProxyPreserveHost on
+	</Location>
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog /proc/self/fd/2
+	<IfModule log_config_module>
+		<IfModule logio_module>
+			CustomLog /proc/self/fd/1 combined
+		</IfModule>
+	</IfModule>
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+	SSLProxyEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	#SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
+	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   the referenced file can be the same as SSLCertificateFile
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#		 to point to the certificate files. Use the provided
+	#		 Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#		 to point to the certificate files. Use the provided
+	#		 Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#	 Translate the client X.509 into a Basic Authorisation.  This means that
+	#	 the standard Auth/DBMAuth methods can be used for access control.  The
+	#	 user name is the `one line' version of the client's X.509 certificate.
+	#	 Note that no password is obtained from the user. Every entry in the user
+	#	 file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#	 This exports two additional environment variables: SSL_CLIENT_CERT and
+	#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#	 server (always existing) and the client (only existing when client
+	#	 authentication is used). This can be used to import the certificates
+	#	 into CGI scripts.
+	#   o StdEnvVars:
+	#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#	 Per default this exportation is switched off for performance reasons,
+	#	 because the extraction step is an expensive operation and is usually
+	#	 useless for serving static content. So one usually enables the
+	#	 exportation for CGI and SSI requests only.
+	#   o OptRenegotiate:
+	#	 This enables optimized SSL connection renegotiation handling when SSL
+	#	 directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#	 This forces an unclean shutdown when the connection is closed, i.e. no
+	#	 SSL close notify alert is send or allowed to received.  This violates
+	#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#	 this when you receive I/O errors because of the standard approach where
+	#	 mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#	 This forces an accurate shutdown when the connection is closed, i.e. a
+	#	 SSL close notify alert is send and mod_ssl waits for the close notify
+	#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#	 practice often causes hanging connections with brain-dead browsers. Use
+	#	 this only for browsers where you know that their SSL implementation
+	#	 works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	# BrowserMatch "MSIE [2-6]" \
+	#		nokeepalive ssl-unclean-shutdown \
+	#		downgrade-1.0 force-response-1.0
+
+	</VirtualHost>
+</IfModule>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

httpd/conf/testing.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFlzCCA3+gAwIBAgIUcLUe7fQHwyi8xdyQDGxxl/gsgQswDQYJKoZIhvcNAQEL
+BQAwWzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBElvd2ExFzAVBgNVBAoMDkplc3Nl
+IE1jRG9uYWxkMSQwIgYDVQQDDBtwYWNvc2Frby5qZXNzZW1jZG9uYWxkLmluZm8w
+HhcNMjEwOTI1MDM0MzI1WhcNMjIwOTI1MDM0MzI1WjBbMQswCQYDVQQGEwJVUzEN
+MAsGA1UECAwESW93YTEXMBUGA1UECgwOSmVzc2UgTWNEb25hbGQxJDAiBgNVBAMM
+G3BhY29zYWtvLmplc3NlbWNkb25hbGQuaW5mbzCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAM+jV3WRVPOXfV8RzqkZ9q8YB6sbULFK8f4mFlSaTBCq8iNt
+B6JL4K184WrcHMz6oiZwPxGp53L+WYc57E6w4PvSU2xD3F/xemtroIFcQo2fbYWh
+qSBXPF8VnBky5V6DpOTE4dI4CKKI4Lcn5HLaYTo5cdAsvETw2ALKqux1puqQpCJx
+8bYT8Q4irQRpoZT/1ussD0TGwlwP3lHYucGIGCpdDVpXus3HSqJ8Sgb+zgqGDOIh
+QlUbJrV0gy0xIGQPl1wWwKTE9EMtSMf4j+HlPmMaBWXJzbTKpL0+oEPcDWdxf/yd
+6K2Dkwk+M3x/t51RXhWU/x4QfN4QtgR6iw+cg0+f+NBKrLHnSWtlqFcUKjDySVcp
+N93lb/5kHWovguJWhLXHp7UySflErlZu49hxafVnmlLK4UYN1XdeEV4qTef3f1hr
+l5+8vw8alPDGev4g4jIxkUID93UN0v/wcgSfBqYLi8+XOw0wUeNJGd2WgmAhJZy8
+YXcP7taux8rDSVCHJCqI0fYd/2Lo621nIEbbluM/1W1TqQUrXjbDC1D3FL9P4OZD
+cRYFfKwB4Ehd/mVJwK3Z3sYtLndMwvN96gWGTJqkIXUkV4H939NyttvR4JHpgTuN
+99OYNu1IlpqhcCIEjuc00YsI+xooizEumf51g8heN04nVZq650XpYpUuriyhAgMB
+AAGjUzBRMB0GA1UdDgQWBBSS1rkDhWmvJqKXsuINmRGaGykOozAfBgNVHSMEGDAW
+gBSS1rkDhWmvJqKXsuINmRGaGykOozAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4ICAQCnr6nXIuoauQsJMvK/S4nGBapCZUlr4CF2QJoi2+Oa7YUiyAKs
+vaAXYT335VCeNHMoVr9deBqrT3Rve21lr6ZsdW5ldt4PLOzHHgyjdA2UI7TjUe3q
+0UEgTHn4nfssCW6XCLXkJiILbTRAf7c8fcYiB9PMpVHV4hoe1qslWHPJgVh+OzB9
+mQ/r+hlaWDVE/vhVdAUOVUTgki/1ALt7cauiVgSMtYtWKg/XILKaU9zRXDSiJmeM
+IyZBPq7QpIP8EBFB6rlxt+T8vzbFvdw/5OABJDM4WQHZ+hWGT/Y/FsMjokpqE+Sf
+Inb+zG8XjCu/Pcfhi3awtsgGyrIp6XY+alMvlwCyScTWEHYB1RLy4uY9Znq+DUeL
+k0P3Ae5HlBROKHDZo244PYxViIEsjsCoO7nKYcdQGhZBNFqgNYpV2foTZ0o75lmt
+tk8GiSTH5AO3c7B+A321yd6I1kzHvjF+/gJWFw/zPYku9IXW+cevS9oqiPNKGq68
+0j8C8c2i10pEKhglU6jCvtsqKCwLFQepdQebivguFMl2PpfpEYysH3Z6wEfVkfWi
+go4SIakhc7NDDUEWo8GKtJf6TCFbOyV8qbEGYPotIW/qgbyzD2zTkschByemSXH1
+h+LDB3NpjLw7p0aHVYep2Lrg9hJZs1XqtZ3thvUqYvDCrmynnmx7JKxRDg==
+-----END CERTIFICATE-----

httpd/conf/testing.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDPo1d1kVTzl31f
+Ec6pGfavGAerG1CxSvH+JhZUmkwQqvIjbQeiS+CtfOFq3BzM+qImcD8Rqedy/lmH
+OexOsOD70lNsQ9xf8Xpra6CBXEKNn22FoakgVzxfFZwZMuVeg6TkxOHSOAiiiOC3
+J+Ry2mE6OXHQLLxE8NgCyqrsdabqkKQicfG2E/EOIq0EaaGU/9brLA9ExsJcD95R
+2LnBiBgqXQ1aV7rNx0qifEoG/s4KhgziIUJVGya1dIMtMSBkD5dcFsCkxPRDLUjH
++I/h5T5jGgVlyc20yqS9PqBD3A1ncX/8neitg5MJPjN8f7edUV4VlP8eEHzeELYE
+eosPnINPn/jQSqyx50lrZahXFCow8klXKTfd5W/+ZB1qL4LiVoS1x6e1Mkn5RK5W
+buPYcWn1Z5pSyuFGDdV3XhFeKk3n939Ya5efvL8PGpTwxnr+IOIyMZFCA/d1DdL/
+8HIEnwamC4vPlzsNMFHjSRndloJgISWcvGF3D+7WrsfKw0lQhyQqiNH2Hf9i6Ott
+ZyBG25bjP9VtU6kFK142wwtQ9xS/T+DmQ3EWBXysAeBIXf5lScCt2d7GLS53TMLz
+feoFhkyapCF1JFeB/d/Tcrbb0eCR6YE7jffTmDbtSJaaoXAiBI7nNNGLCPsaKIsx
+Lpn+dYPIXjdOJ1WauudF6WKVLq4soQIDAQABAoICAQCbO17TgoekZYlRXhrGyaZn
+WOvCvHUjVwh8HTVsor5jZ6oHWifu6hNbIJXWMiFGDcrUOe6s4f0rN4TvWBqW6h4J
+pkDAHCvRftMrJBenHraS8rIKycWLbCyyWZGONULN2lWYwqihZUrvWK3HwIdGZoVx
+5ih0nj1SvUyBKcuHZJ4Zl3FeXxl6KoZ5Luty9RXcMzkWMKZpoL8F3Mc1IXYefgSz
+B0ZIWHZMCcZ+m7UsbarUq0tOc9cHkXjrB+RaEPRKWm2qZ0g25xhGcMCM4AORurVd
+mcKXSrwDgcyPvxZKJWXQBEbPMa8WqdtveZU8aq93abGRKQdiDqmLy6qIxqTYUwbH
+Uwr24A/UaDUOq1mQmlVmlBfNSfe2rRMW5qbFZt6nJ6kf6XxlG6bwkZ5QOLhlwqPb
+L+x2ofpyVfqFT5+QzyBokyNcWeBya+HAYXRGbQ6U5x5e+C6cmLwKFwyhq0G5RBSo
+QkEqYs73ayjwS59MeSZO6kMGc6Rn7+yxN6yEHFW71N+diBQCYAVElPEKddl/nlrH
+2JsJO7wwKJFBYn16NPPvj1eCp1vMePJuVG658wCvZHZAsSdiIeyyBKQ8ETUHVOSY
+aeOCwnoOZh9bOtMLm1No14FtmPiIhdZFaV8UdciPpNqRavTKAB2peJqGdsVNgbcE
+TjopEJoRBqqTYxlw+FOPkQKCAQEA99jx0hB5Z9qkI7GrUxFcVr4ZKBDPX2lsFen1
+ukjLscxI8Y0Yrn1sGSwz1x/AXJHYwlg993Wig43eIOHZknS/ooEYxohmOFUKFAZT
+rvSvV3HhStqmF/DB04lgCmTq5lUVItOPcClNe8FMfMKAHrDxg37gLiH5qlkQnlua
+ZfG1T6WJJU7KLh9A4hobh6CZU8DENtiVnUYp5g1QNKHfeLLHgYQ14ZSexqcSr0Fn
+FovcLzZa09qvs40UQl9BrmPwZhe1RlnhP/xHNMjmm9V5PgLP2Rzdh3WMwO6oxBYx
+cI+8dnsfyAZxafvOQM4Pg2EB+T5fzinym+GIFJ3lpkFH4lQ4BwKCAQEA1nfOBzcl
+wCa+OhVKBynBJGdEQ+FE9opNXokqBpAZ1DlQy9cySBajvRnrdu3sF7hLBeZm7YoW
+hyPn2jNBuJd4sY7ggMYC96dr5d3YSy7v2glv3HbXEkpGXbgeDLKk3Kw8H/M54gKA
+WOr7otuIul52c0G0Lo3tsGG051Mm+emxsPIL9SzNKCkBxFPMr24CjRyKppO1K/XS
+0sdJeco0hEPkBJSl2tDN/v3a/tQOpKrDmIkrNnYD/jP/knST6qVTIATXPv6qdAmM
+lfsPD8c/btD3covB5HPDuZcVjtLPB82pw5xTVxvfTmjvnxIX8ZfOfYsTzt0ana61
+dEFBl/p4Uki8FwKCAQAJodnMEy3Utm+Yn4gMA2m2SU8K+pREngFAXMZbBgc8krbn
+BFfIOEGiPNCK9MXyEwz8iJdn7Z9yQ2o1lvFwuq7T7vZ6iMSIPe3VV2WbMBE8ccWS
+tiqsVYQC55ze6osihn36y4QQlNpZC+sgEiMOjkvkk2K9CD7+utVlgiPfAGTOgp1w
+4L4EytwnrWIShFBRK/W0N/igkyB/u1a5pOzdcP1F8FBzwuXkzItyWjVab/cPsqoW
+/7HCZaI67h7MWz/1h8hYwpd5eCGAUKp9te8vVMalJnUJlazxtpTCgiZLvJpTdHeI
+u49e0hVy+U8rCPMdr6njhkfSfRJf0r8hFfpoNmOzAoIBACOOLyDxGpgVlDnq55/y
+YyvW1vFt+lHpMdR3Zvk5kJ6ndealYZej8Tdbgbbw0NBJ5F4xCWVeHEgBQuHg14dz
+zTWam0ueCEXogrHUKpSkTm1WXS4uoY9Nswa8jHbMcxqGj104pKL8iSy0oE0qmitT
+l82Z2fZR31L7j9M97NtHzAaqyiK2b7i1u65BulBnK5MbZT0ihcmo8m+xTFQdmsFG
+xBmiTzDMpyocCd9vZpIUIWM7cmeP/y94jWlJXHBtQi+vvcOa0sV0A9OlkKSsAq8r
+g6qA0v891fgBvTg1aM9BYGCmnQZ2/3lvWjKD/GY4JaqYkQsditkTas/ANdCtXJ8/
+obcCggEABBAQzsYvpfVHz6zBgtwRhnDecvTGEPrileMSqF2EGC7g9lr2tJcrd8e/
+yaBw5sBjgkVJAkEGRy+vyk7e/1JLSWAUN1HtuTjkm6lKsEIREbMrzSOX7VngYM7B
+QdVxs9H0vomSF/GuIksMwglTIaaJvgh5EsaQgS9z1pXicOR8UUiYbGaRGUm3b8Mp
+XzHJuogqZEVFcukli56+nXQkGpb8q9lUvKQ2vePc+b/LMTEr2NhygUJ53o8Z7A+1
+dzCxuHTZvVeo29fcGfWjRaBVQRKJI9moR0pH2F+vjpjvnmjxI7FbP1t8kyegcDr6
+JnIkNa1NoSQnKlAnWTktE+3EFGuUUg==
+-----END PRIVATE KEY-----

httpd/paco_sako

@@ -0,0 +1 @@
+Subproject commit 4f72d756422acc2aa9e1e57e94d5aafa7a0ccc63