summaryrefslogtreecommitdiffstats
path: root/server/setup/05-service-settings
diff options
context:
space:
mode:
authorSven Gothel <[email protected]>2023-01-23 01:24:34 +0100
committerSven Gothel <[email protected]>2023-01-23 01:24:34 +0100
commit8d9e318bf5be4578e018de1e5b78e792ddf8b8ea (patch)
tree369fc5f0bc27a9d367eaa96dd6d96a2d4e273f52 /server/setup/05-service-settings
parent33536d1ae923149a0b7113d57cf8a96e42ab7d16 (diff)
Bump server settings updates
Diffstat (limited to 'server/setup/05-service-settings')
-rw-r--r--server/setup/05-service-settings/02-SERVICES.txt33
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf57
2 files changed, 64 insertions, 26 deletions
diff --git a/server/setup/05-service-settings/02-SERVICES.txt b/server/setup/05-service-settings/02-SERVICES.txt
index f832bea..4438c55 100644
--- a/server/setup/05-service-settings/02-SERVICES.txt
+++ b/server/setup/05-service-settings/02-SERVICES.txt
@@ -164,27 +164,40 @@ Debian 7.00 (Wheezy)
11.2 bugzilla
- Debian 7
- Squash that - DO NOT INSTALL SYSTEM WIDE modules:
- apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev
- apt-get install libappconfig-perl libdate-calc-perl libtemplate-perl libmime-perl libdatetime-timezone-perl libdatetime-perl libemail-sender-perl libemail-mime-perl libemail-mime-modifier-perl libdbi-perl libdbd-mysql-perl libcgi-pm-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl apache2-mpm-prefork libapache2-mod-perl2 libapache2-mod-perl2-dev libchart-perl libxml-perl libxml-twig-perl perlmagick libgd-graph-perl libtemplate-plugin-gd-perl libsoap-lite-perl libhtml-scrubber-perl libjson-rpc-perl libtheschwartz-perl libtest-taint-perl libauthen-radius-perl libfile-slurp-perl libencode-detect-perl libmodule-build-perl libnet-ldap-perl libauthen-sasl-perl libtemplate-perl-doc libfile-mimeinfo-perl libhtml-formattext-withlinks-perl libmysqlclient-dev lynx-cur graphviz python-sphinx libgd2-xpm-dev
- Ensure the following are NOT installed:
- dpkg -P libjson-any-perl libcgi-application-plugin-json-perl libcgi-application-extra-plugin-bundle-perl libjson-perl
-
- I had to remove system wide perl modules .. collision .. why o why
- i.e. how to enforce bugzilla to use bugzilla/lib installed modules only?
-
- - misc for perl/bugzilla
+ Install
+ apt-get install libapache2-mod-perl2-dev libapache2-mod-perl2
+ apt-get install libgd-dev libgd3
+ apt install libgdbm-dev libgdbm6
+ apt-get install libdbd-mysql-perl
+ libcgi-pm-perl libcgi-fast-perl libcgi-session-perl libfcgi-perl
+ libemail-mime-perl libemail-sender-perl
+ libtemplate-perl libhtml-template-perl
+ libjson-perl libjson-xs-perl
+ libmath-bigint-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl
+
+ - As User: misc for perl/bugzilla
- Perl: redo init (find closest mirror ..)
- perl -MCPAN -e shell
- o conf init
+ a2enmod rewrite
+ a2enmod expires
+
+ As User:
See https://bugzilla.readthedocs.org/en/5.0/installing/linux.html#perl-modules
./checksetup.pl --check-modules
+ /usr/bin/perl install-module.pl --all
/usr/bin/perl install-module.pl --upgrade-all
./checksetup.pl --check-modules
./checksetup.pl
+ # bugzilla folder must be owned by webrunner (suexec)
+ chown -R webrunner:webrunner .
+
+ systemctl restart apache2
+ /etc/init.d/apache2 restart
+
- https://www.bugzilla.org/download/#stable
11.3 mediawiki
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index cc27035..be36970 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -1,6 +1,9 @@
<IfModule mod_ssl.c>
-<VirtualHost *:443>
+SSLSessionCache shmcb:/var/run/apache/sslcache(512000)
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+
+<VirtualHost *:443>
# General setup for the virtual host, inherited from global configuration
ServerName jogamp.org
ServerAlias www.jogamp.org
@@ -9,11 +12,33 @@
RewriteEngine On
DocumentRoot /srv/www/jogamp.org
+ UseCanonicalName Off
+
+ # Guarantee HTTPS for 1 Year including Sub Domains
+ # Not OK: Header always set Strict-Transport-Security "max-age=31536000;includeSubDomains"
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ Header always set Content-Security-Policy "frame-ancestors 'self'"
+ Header always set X-Frame-Options "SAMEORIGIN"
+ Header always set X-XSS-Protection "1; mode=block"
+ # Prevent browsers from incorrectly detecting non-scripts as scripts
+ Header always set X-Content-Type-Options "nosniff"
+
+ ##Header always set Content-Security-Policy "default-src https:"
+ ##Header always set Content-Security-Policy "default-src 'self'; img-src 'self'; script-src 'self'; object-src 'self'"
+
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+ #TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
@@ -30,13 +55,19 @@
# LOW: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+ #SSLCipherSuite HIGH:!ECDHE:!aNULL:!MD5
+ #SSLCipherSuite HIGH:!aNULL:!MD5
+ SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+ # 2017: https://weakdh.org/sysadmin.html
+ #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
#SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
- SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ #SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
- SetEnv no-gzip
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/local/dhparams-4096.pem"
# Add content to the 1st file of SSLCertificateFile
# /etc/ssl/local/DH-1024.pem
@@ -50,8 +81,8 @@
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- SSLCertificateFile /etc/ssl/local/jogamp2020a.org.crt.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2020a.org.key.apache.pem
+ SSLCertificateFile /etc/ssl/local/jogamp2022a.org.crt.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2022a.org.key.apache.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@@ -171,14 +202,9 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- # Per-Server Logging:
- # The home of a custom SSL log file. Use this when you want a
- # compact non-error SSL logfile on a virtual host basis.
- CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+ SSLUseStapling on
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+ SetEnv no-gzip
# configures the footer on server-generated documents
ServerSignature On
@@ -223,7 +249,6 @@
#</Directory>
ScriptAlias /cgit/ "/srv/www/cgit/cgit.cgi/"
- #RedirectMatch ^/cgit$ /cgit/
Alias /cgit-css "/usr/share/cgit/"
<Directory "/srv/www/cgit/">
AllowOverride None
@@ -276,7 +301,7 @@
RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
RewriteCond %{HTTP_HOST} ^scm\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/git/$1 [R=301,L,NE]
+ RewriteRule ^/(.*)$ https://jogamp.org/cgit/$1 [R=301,L,NE]
RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]