diff options
| author | Sven Gothel <[email protected]> | 2013-06-12 17:53:39 +0200 |
|---|---|---|
| committer | Sven Gothel <[email protected]> | 2013-06-12 17:53:39 +0200 |
| commit | f75bb70226a3394b9e0bb7501a9df8b32e347c44 (patch) | |
| tree | 3a4df3c58b57efe13bd251179c9c3137a026c8f5 /server/setup/05-service-settings | |
| parent | b010abc3b1b23bfad668f899b2d1e2dbe2e7f017 (diff) | |
server config: Fix apache log file names and logrotated ownership
Diffstat (limited to 'server/setup/05-service-settings')
3 files changed, 521 insertions, 0 deletions
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org new file mode 100644 index 0000000..4de7279 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org @@ -0,0 +1,247 @@ +# +# Almost any Apache directive may go into a VirtualHost container. +# The first VirtualHost section is used for requests without a known +# server name. +# +<VirtualHost *:80> + ServerAdmin [email protected] + ServerName jogamp.org + ServerAlias www.jogamp.org + ServerPath /jogamp.org/ + RewriteEngine On + + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + + DocumentRoot /srv/www/jogamp.org + + # don't loose time with IP address lookups + HostnameLookups Off + + # needed for named virtual hosts + UseCanonicalName Off + + # configures the footer on server-generated documents + ServerSignature On + + <Directory "/srv/www/jogamp.org"> + Options Indexes FollowSymLinks + AllowOverride All + Order allow,deny + Allow from all + </Directory> + + RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] + + #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{REQUEST_URI} ^/wiki/index.php$ + RewriteCond %{QUERY_STRING} ^title=Special:UserLogin + RewriteCond %{REQUEST_METHOD} ^GET$ + RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE] + + # + # Due to security concerns, session hijacking .. etc .. the whole + # bugzilla stream will go over https + # + RewriteCond %{REQUEST_URI} ^/bugzilla + RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE] + + SetEnv GIT_PROJECT_ROOT /srv/scm + SetEnv GIT_HTTP_EXPORT_ALL + ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ + <Directory "/srv/www/jogamp.org/git"> + DirectoryIndex gitweb.cgi + Allow from all + AllowOverride all + Order allow,deny + Options ExecCGI + <Files gitweb.cgi> + SetHandler cgi-script + </Files> + SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf + </Directory> + + Alias /icons/ "/srv/www/jogamp.org/icons/" + + <Directory "/srv/www/jogamp.org/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + + # + # Due to security concerns, session hijacking .. etc .. the whole + # hudson and bugzilla stream will go over https + # + RewriteCond %{REQUEST_URI} ^/chuck + RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] + + #RewriteCond %{REQUEST_URI} ^/chuck + #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE] + # + #RewriteCond %{REQUEST_URI} ^/chuck + #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR] + #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC] + #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] + # + # Cookies: + # wikidb_mw_LoggedOut / + # wikidb_mw__session / + # wikidb_mw_Token / + # wikidb_mw_UserID / + # wikidb_mw_UserName / + # + # Bugzilla_login /bugzilla + # Bugzilla_logincookie /bugzilla + # DEFAULTFORMAT /bugzilla + # + # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck + # JSESSIONID /chuck + # + + # + # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache + # + #ProxyRequests Off + #ProxyPreserveHost On + + # Local reverse proxy authorization override + # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) + #<Proxy http://localhost:8089/chuck*> + # Order deny,allow + # Allow from all + #</Proxy> + #ProxyPass /chuck http://localhost:8080/chuck + #ProxyPassReverse /chuck http://localhost:8080/chuck +</VirtualHost> + +<VirtualHost *:80> + ServerName blog.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName bugzilla.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName wiki.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName scm.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jogl.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jocl.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName joal.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName demos.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName chuck.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access.log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jogamp.com + ServerAlias *.jogamp.com + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.com-access.log combined + + RewriteEngine On + RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] +</VirtualHost> + +# +# Directives to allow use of AWStats as a CGI +# +#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" +#Alias /awstatscss "/usr/local/awstats/wwwroot/css/" +#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/" +#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/" + +# +# This is to permit URL access to scripts/files in AWStats directory. +# +<Directory "/usr/local/awstats/wwwroot"> + Options None + AllowOverride None + Order allow,deny + Allow from all +</Directory> + diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl new file mode 100644 index 0000000..062d2d5 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl @@ -0,0 +1,256 @@ +<IfModule mod_ssl.c> +<VirtualHost *:443> + + # General setup for the virtual host, inherited from global configuration + ServerName jogamp.org + ServerPath /jogamp.org/ + RewriteEngine On + DocumentRoot /srv/www/jogamp.org + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log + TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log + LogLevel warn + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # SSL Protocol support: + # List the enable protocol levels with which clients will be able to + # connect. Disable SSLv2 access by default: + SSLProtocol all -SSLv2 + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem + SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + #<Location /> + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + #</Location> + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + <Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars + </Files> + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + # Per-Server Logging: + # The home of a custom SSL log file. Use this when you want a + # compact non-error SSL logfile on a virtual host basis. + CustomLog /var/log/apache2/jogamp.org-ssl-request.log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined + + # configures the footer on server-generated documents + ServerSignature On + + <Directory "/srv/www/jogamp.org"> + Options Indexes FollowSymLinks + AllowOverride All + Order allow,deny + Allow from all + </Directory> + +# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla" + <Directory /srv/www/jogamp.org/bugzilla> + AddHandler cgi-script .cgi + Options +Indexes +ExecCGI -MultiViews +FollowSymLinks + DirectoryIndex index.cgi + AllowOverride Limit FileInfo Indexes + </Directory> + + SetEnv GIT_PROJECT_ROOT /srv/scm + SetEnv GIT_HTTP_EXPORT_ALL + ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ + <Directory "/srv/www/jogamp.org/git"> + DirectoryIndex gitweb.cgi + Allow from all + AllowOverride all + Order allow,deny + Options ExecCGI + <Files gitweb.cgi> + SetHandler cgi-script + </Files> + SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf + </Directory> + + Alias /icons/ "/srv/www/jogamp.org/icons/" + + <Directory "/srv/www/jogamp.org/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + + # + # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache + # + ProxyRequests Off + ProxyPreserveHost On + + # Local reverse proxy authorization override + # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) + <Proxy http://127.0.0.1:8080/chuck*> + Order deny,allow + Allow from all + </Proxy> + + ProxyPass /chuck http://127.0.0.1:8080/chuck + ProxyPassReverse /chuck http://127.0.0.1:8080/chuck + ProxyPassReverse /chuck http://jogamp.org/chuck + +# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/ +# <Location /chuck/> +# ProxyPassReverse / +# Order deny,allow +# Allow from all +# </Location> + Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/ + +</VirtualHost> + +<VirtualHost *:443> + ServerName jogamp.com + ServerAlias *.jogamp.com + ServerPath /jogamp.org/ + SSLEngine on + ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined + + SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem + SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem + + RewriteEngine On + RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] +</VirtualHost> + diff --git a/server/setup/05-service-settings/etc/logrotate.d/apache2 b/server/setup/05-service-settings/etc/logrotate.d/apache2 new file mode 100644 index 0000000..a1c3c0e --- /dev/null +++ b/server/setup/05-service-settings/etc/logrotate.d/apache2 @@ -0,0 +1,18 @@ +/var/log/apache2/*.log { + weekly + missingok + rotate 52 + compress + delaycompress + notifempty + create 640 root www-data + sharedscripts + postrotate + /etc/init.d/apache2 reload > /dev/null + endscript + prerotate + if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ + run-parts /etc/logrotate.d/httpd-prerotate; \ + fi; \ + endscript +} |