server config part-2: git and apache, fixed DB import bug for bugzilla and wiki .. TODO: Chuck (Jenkins)

9 files changed, 2451 insertions, 0 deletions

diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt
index 2cf28cc..9703292 100644
--- a/server/setup/05-service-settings/README.txt
+++ b/server/setup/05-service-settings/README.txt
@@ -32,6 +32,12 @@ Debian 7.00 (Wheezy)
     - MySQL
         - old server: backup DB
           - run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql
+          - !!! strip all system-DB's (schema's) from the backup,
+            i.e. all which are not created for applications, e.g.: 
+            - mysql
+            - users
+            - test
+            - t_*
 
         - new server: import DB
           - get backup backup-mysqldb-20130605162509.sql
@@ -41,6 +47,11 @@ Debian 7.00 (Wheezy)
           - backup-2: backup-mysql.sh
           - mysqlcheck --user=root --password --all-databases
 
+        - if things go wrong: re-install mysql
+          dpkg -P mysql-server mysql-server-5.5 mysql-server-core-5.5
+          rm -rf /var/lib/mysql/*
+          apt-get install mysql-server mysql-server-5.5 mysql-server-core-5.5
+
     - Services
         - mv /data/backup/srv/* /srv/
 
@@ -106,3 +117,31 @@ Debian 7.00 (Wheezy)
 
     /etc/init.d/sendmail start
     
+10 GIT
+    xinetd for git
+        apt-get install xinetd
+        cp /etc/xinetd.d/git
+        /etc/init.d/xinetd restart
+
+    gitweb
+        We use deployed gitweb now, and simply deploy gitweb.conf
+        - ln -s /usr/share/gitweb DocumentRoot/git
+        - cp srv/scm/gitweb.conf
+
+11 apache2
+    - php
+        apt-get install php5-pgsql php5-ldap php5-imap php5-odbc php5-dev php5-common php5 php5-mysql php5-gd php5-xmlrpc \
+                        php5-xsl php5-cli php5-intl php5-pspell php5-snmp php5-sasl
+
+    - misc for perl/bugzilla
+        - Perl: redo init (find closest mirror ..)
+            - perl -MCPAN -e shell
+                - o conf init
+        - Packages
+            - apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev
+
+    - Sync config files in /etc/apache2/ with: etc/apache2/apache2.diff
+        - see also etc/apache2/mods-enabled.lst, etc ..
+
+    /etc/init.d/apache2 start
+
diff --git a/server/setup/05-service-settings/etc/apache2/apache2.conf b/server/setup/05-service-settings/etc/apache2/apache2.conf
new file mode 100644
index 0000000..d1991c9
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/apache2.conf
@@ -0,0 +1,277 @@
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See http://httpd.apache.org/docs/2.2/ for detailed information about
+# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
+# Debian specific hints.
+#
+#
+# Summary of how the Apache 2 configuration works in Debian:
+# The Apache 2 web server configuration in Debian is quite different to
+# upstream's suggested way to configure the web server. This is because Debian's
+# default Apache2 installation attempts to make adding and removing modules,
+# virtual hosts, and extra configuration directives as flexible as possible, in
+# order to make automating the changes and administering the server as easy as
+# possible.
+
+# It is split into several files forming the configuration hierarchy outlined
+# below, all located in the /etc/apache2/ directory:
+#
+#	/etc/apache2/
+#	|-- apache2.conf
+#	|	`--  ports.conf
+#	|-- mods-enabled
+#	|	|-- *.load
+#	|	`-- *.conf
+#	|-- conf.d
+#	|	`-- *
+# 	`-- sites-enabled
+#	 	`-- *
+#
+#
+# * apache2.conf is the main configuration file (this file). It puts the pieces
+#   together by including all remaining configuration files when starting up the
+#   web server.
+#
+#   In order to avoid conflicts with backup files, the Include directive is
+#   adapted to ignore files that:
+#   - do not begin with a letter or number
+#   - contain a character that is neither letter nor number nor _-:.
+#   - contain .dpkg
+#
+#   Yet we strongly suggest that all configuration files either end with a
+#   .conf or .load suffix in the file name. The next Debian release will
+#   ignore files not ending with .conf (or .load for mods-enabled).
+#
+# * ports.conf is always included from the main configuration file. It is
+#   supposed to determine listening ports for incoming connections, and which
+#   of these ports are used for name based virtual hosts.
+#
+# * Configuration files in the mods-enabled/ and sites-enabled/ directories
+#   contain particular configuration snippets which manage modules or virtual
+#   host configurations, respectively.
+#
+#   They are activated by symlinking available configuration files from their
+#   respective *-available/ counterparts. These should be managed by using our
+#   helpers a2enmod/a2dismod, a2ensite/a2dissite. See
+#   their respective man pages for detailed information.
+#
+# * Configuration files in the conf.d directory are either provided by other
+#   packages or may be added by the local administrator. Local additions
+#   should start with local- or end with .local.conf to avoid name clashes. All
+#   files in conf.d are considered (excluding the exceptions noted above) by
+#   the Apache 2 web server.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+#   the default configuration, apache2 needs to be started/stopped with
+#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
+#   work with the default configuration.
+
+
+# Global configuration
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE!  If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation (available
+# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+#ServerRoot "/etc/apache2"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+LockFile ${APACHE_LOCK_DIR}/accept.lock
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+# This needs to be set in /etc/apache2/envvars
+#
+PidFile ${APACHE_PID_FILE}
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+# default: 5
+KeepAliveTimeout 10
+
+
+##
+## Server-Pool Size Regulation (MPM specific)
+## 
+
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_prefork_module>
+    # defaults:
+    # StartServers          5
+    # MinSpareServers       5
+    # MaxSpareServers      10
+    # MaxClients          150
+    # MaxRequestsPerChild   0
+
+    StartServers          8
+    MinSpareServers       5
+    MaxSpareServers      20
+    MaxClients          256
+    MaxRequestsPerChild   0
+</IfModule>
+
+# worker MPM
+# StartServers: initial number of server processes to start
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
+#              graceful restart. ThreadLimit can only be changed by stopping
+#              and starting Apache.
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_worker_module>
+    StartServers          2
+    MinSpareThreads      25
+    MaxSpareThreads      75 
+    ThreadLimit          64
+    ThreadsPerChild      25
+    MaxClients          150
+    MaxRequestsPerChild   0
+</IfModule>
+
+# event MPM
+# StartServers: initial number of server processes to start
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_event_module>
+    StartServers          2
+    MinSpareThreads      25
+    MaxSpareThreads      75 
+    ThreadLimit          64
+    ThreadsPerChild      25
+    MaxClients          150
+    MaxRequestsPerChild   0
+</IfModule>
+
+# These need to be set in /etc/apache2/envvars
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives.  See also the AllowOverride
+# directive.
+#
+
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+#
+<Files ~ "^\.ht">
+    Order allow,deny
+    Deny from all
+    Satisfy all
+</Files>
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value.  If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+# It is also possible to omit any default MIME type and let the
+# client's browser guess an appropriate action instead. Typically the
+# browser will decide based on the file's extension then. In cases
+# where no good assumption can be made, letting the default MIME type
+# unset is suggested  instead of forcing the browser to accept
+# incorrect  metadata.
+#
+DefaultType None
+
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog ${APACHE_LOG_DIR}/error.log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+# Include module configuration:
+Include mods-enabled/*.load
+Include mods-enabled/*.conf
+
+# Include list of ports to listen on and which to use for name based vhosts
+Include ports.conf
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
+#
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# Include of directories ignores editors' and dpkg's backup files,
+# see the comments above for details.
+
+# Include generic snippets of statements
+Include conf.d/
+
+# Include the virtual host configurations:
+Include sites-enabled/
diff --git a/server/setup/05-service-settings/etc/apache2/apache2.diff b/server/setup/05-service-settings/etc/apache2/apache2.diff
new file mode 100644
index 0000000..f4aa836
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/apache2.diff
@@ -0,0 +1,1528 @@
+diff -Nur apache2.orig/apache2.conf apache2/apache2.conf
+--- apache2.orig/apache2.conf	2013-03-04 22:00:37.000000000 +0100
++++ apache2/apache2.conf	2013-06-06 07:21:33.251843000 +0200
+@@ -117,7 +117,9 @@
+ # KeepAliveTimeout: Number of seconds to wait for the next request from the
+ # same client on the same connection.
+ #
+-KeepAliveTimeout 5
++# default: 5
++KeepAliveTimeout 10
++
+ 
+ ##
+ ## Server-Pool Size Regulation (MPM specific)
+@@ -130,10 +132,17 @@
+ # MaxClients: maximum number of server processes allowed to start
+ # MaxRequestsPerChild: maximum number of requests a server process serves
+ <IfModule mpm_prefork_module>
+-    StartServers          5
++    # defaults:
++    # StartServers          5
++    # MinSpareServers       5
++    # MaxSpareServers      10
++    # MaxClients          150
++    # MaxRequestsPerChild   0
++
++    StartServers          8
+     MinSpareServers       5
+-    MaxSpareServers      10
+-    MaxClients          150
++    MaxSpareServers      20
++    MaxClients          256
+     MaxRequestsPerChild   0
+ </IfModule>
+ 
+diff -Nur apache2.orig/mods-enabled/cgid.conf apache2/mods-enabled/cgid.conf
+--- apache2.orig/mods-enabled/cgid.conf	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/cgid.conf	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,2 @@
++# Socket for cgid communication
++ScriptSock ${APACHE_RUN_DIR}/cgisock
+diff -Nur apache2.orig/mods-enabled/cgid.load apache2/mods-enabled/cgid.load
+--- apache2.orig/mods-enabled/cgid.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/cgid.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
+diff -Nur apache2.orig/mods-enabled/headers.load apache2/mods-enabled/headers.load
+--- apache2.orig/mods-enabled/headers.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/headers.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+diff -Nur apache2.orig/mods-enabled/proxy_ajp.load apache2/mods-enabled/proxy_ajp.load
+--- apache2.orig/mods-enabled/proxy_ajp.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ajp.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
+diff -Nur apache2.orig/mods-enabled/proxy_balancer.conf apache2/mods-enabled/proxy_balancer.conf
+--- apache2.orig/mods-enabled/proxy_balancer.conf	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_balancer.conf	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,16 @@
++<IfModule mod_proxy_balancer.c>
++
++# Balancer manager enables dynamic update of balancer members
++# (needs mod_status). Uncomment to enable.
++#
++#<IfModule mod_status.c>
++#<Location /balancer-manager>
++#    SetHandler balancer-manager
++#    Order deny,allow
++#    Deny from all
++#    Allow from 127.0.0.1 ::1
++#    Satisfy all
++#</Location>
++#</IfModule>
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_balancer.load apache2/mods-enabled/proxy_balancer.load
+--- apache2.orig/mods-enabled/proxy_balancer.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_balancer.load	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_balancer_module /usr/lib/apache2/modules/mod_proxy_balancer.so
+diff -Nur apache2.orig/mods-enabled/proxy.conf apache2/mods-enabled/proxy.conf
+--- apache2.orig/mods-enabled/proxy.conf	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy.conf	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,26 @@
++<IfModule mod_proxy.c>
++
++# If you want to use apache2 as a forward proxy, uncomment the
++# 'ProxyRequests On' line and the <Proxy *> block below.
++# WARNING: Be careful to restrict access inside the <Proxy *> block.
++# Open proxy servers are dangerous both to your network and to the
++# Internet at large.
++#
++# If you only want to use apache2 as a reverse proxy/gateway in
++# front of some web application server, you DON'T need
++# 'ProxyRequests On'.
++
++#ProxyRequests On
++#<Proxy *>
++#        AddDefaultCharset off
++#        Order deny,allow
++#        Deny from all
++#        #Allow from .example.com
++#</Proxy>
++
++# Enable/disable the handling of HTTP/1.1 "Via:" headers.
++# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
++# Set to one of: Off | On | Full | Block
++#ProxyVia Off
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_connect.load apache2/mods-enabled/proxy_connect.load
+--- apache2.orig/mods-enabled/proxy_connect.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_connect.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so
+diff -Nur apache2.orig/mods-enabled/proxy_ftp.conf apache2/mods-enabled/proxy_ftp.conf
+--- apache2.orig/mods-enabled/proxy_ftp.conf	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ftp.conf	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,6 @@
++<IfModule mod_proxy_ftp.c>
++
++# Define the character set for proxied FTP listings. Default is ISO-8859-1
++ProxyFtpDirCharset UTF-8
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_ftp.load apache2/mods-enabled/proxy_ftp.load
+--- apache2.orig/mods-enabled/proxy_ftp.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ftp.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_ftp_module /usr/lib/apache2/modules/mod_proxy_ftp.so
+diff -Nur apache2.orig/mods-enabled/proxy_http.load apache2/mods-enabled/proxy_http.load
+--- apache2.orig/mods-enabled/proxy_http.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_http.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
+diff -Nur apache2.orig/mods-enabled/proxy.load apache2/mods-enabled/proxy.load
+--- apache2.orig/mods-enabled/proxy.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+diff -Nur apache2.orig/mods-enabled/proxy_scgi.load apache2/mods-enabled/proxy_scgi.load
+--- apache2.orig/mods-enabled/proxy_scgi.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_scgi.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_scgi_module /usr/lib/apache2/modules/mod_proxy_scgi.so
+diff -Nur apache2.orig/mods-enabled/rewrite.load apache2/mods-enabled/rewrite.load
+--- apache2.orig/mods-enabled/rewrite.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/rewrite.load	2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
+diff -Nur apache2.orig/mods-enabled/ssl.conf apache2/mods-enabled/ssl.conf
+--- apache2.orig/mods-enabled/ssl.conf	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/ssl.conf	2013-03-04 22:00:37.000000000 +0100
+@@ -0,0 +1,82 @@
++<IfModule mod_ssl.c>
++#
++# Pseudo Random Number Generator (PRNG):
++# Configure one or more sources to seed the PRNG of the SSL library.
++# The seed data should be of good random quality.
++# WARNING! On some platforms /dev/random blocks if not enough entropy
++# is available. This means you then cannot use the /dev/random device
++# because it would lead to very long connection times (as long as
++# it requires to make more entropy available). But usually those
++# platforms additionally provide a /dev/urandom device which doesn't
++# block. So, if available, use this one instead. Read the mod_ssl User
++# Manual for more details.
++#
++SSLRandomSeed startup builtin
++SSLRandomSeed startup file:/dev/urandom 512
++SSLRandomSeed connect builtin
++SSLRandomSeed connect file:/dev/urandom 512
++
++##
++##  SSL Global Context
++##
++##  All SSL configuration in this context applies both to
++##  the main server and all SSL-enabled virtual hosts.
++##
++
++#
++#   Some MIME-types for downloading Certificates and CRLs
++#
++AddType application/x-x509-ca-cert .crt
++AddType application/x-pkcs7-crl    .crl
++
++#   Pass Phrase Dialog:
++#   Configure the pass phrase gathering process.
++#   The filtering dialog program (`builtin' is a internal
++#   terminal dialog) has to provide the pass phrase on stdout.
++SSLPassPhraseDialog  builtin
++
++#   Inter-Process Session Cache:
++#   Configure the SSL Session Cache: First the mechanism 
++#   to use and second the expiring timeout (in seconds).
++#   (The mechanism dbm has known memory leaks and should not be used).
++#SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
++SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
++SSLSessionCacheTimeout  300
++
++#   Semaphore:
++#   Configure the path to the mutual exclusion semaphore the
++#   SSL engine uses internally for inter-process synchronization. 
++SSLMutex  file:${APACHE_RUN_DIR}/ssl_mutex
++
++#   SSL Cipher Suite:
++#   List the ciphers that the client is permitted to negotiate. See the
++#   ciphers(1) man page from the openssl package for list of all available
++#   options.
++#   Enable only secure ciphers:
++SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
++
++#   Speed-optimized SSL Cipher configuration:
++#   If speed is your main concern (on busy HTTPS servers e.g.),
++#   you might want to force clients to specific, performance
++#   optimized ciphers. In this case, prepend those ciphers
++#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
++#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
++#   (as in the example below), most connections will no longer
++#   have perfect forward secrecy - if the server's key is
++#   compromised, captures of past or future traffic must be
++#   considered compromised, too.
++#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
++#SSLHonorCipherOrder on
++
++# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
++SSLProtocol all -SSLv2
++
++# Allow insecure renegotiation with clients which do not yet support the
++# secure renegotiation protocol. Default: Off
++#SSLInsecureRenegotiation on
++
++# Whether to forbid non-SNI clients to access name based virtual hosts.
++# Default: Off
++#SSLStrictSNIVHostCheck On
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/ssl.load apache2/mods-enabled/ssl.load
+--- apache2.orig/mods-enabled/ssl.load	1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/ssl.load	2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1 @@
++LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+diff -Nur apache2.orig/ports.conf apache2/ports.conf
+--- apache2.orig/ports.conf	2013-03-03 12:14:45.000000000 +0100
++++ apache2/ports.conf	2013-06-06 07:46:07.326283000 +0200
+@@ -6,9 +6,11 @@
+ # README.Debian.gz
+ 
+ NameVirtualHost *:80
++# NameVirtualHost *
+ Listen 80
+ 
+ <IfModule mod_ssl.c>
++    NameVirtualHost *:443
+     # If you add NameVirtualHost *:443 here, you will also have to change
+     # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+     # to <VirtualHost *:443>
+diff -Nur apache2.orig/sites-available/jausoft.com-ssl apache2/sites-available/jausoft.com-ssl
+--- apache2.orig/sites-available/jausoft.com-ssl	1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jausoft.com-ssl	2013-06-06 07:36:27.650753118 +0200
+@@ -0,0 +1,204 @@
++<IfModule mod_ssl.c>
++<VirtualHost jausoft.com:443>
++
++    # General setup for the virtual host, inherited from global configuration
++    ServerName jausoft.com
++    ServerPath /jausoft.com/
++    RewriteEngine On
++    DocumentRoot /srv/www/jausoft.com
++
++    # Use separate log files for the SSL virtual host; note that LogLevel
++    # is not inherited from httpd.conf.
++    ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log
++    TransferLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log
++    LogLevel warn
++
++    #   SSL Engine Switch:
++    #   Enable/Disable SSL for this virtual host.
++    SSLEngine on
++
++    #   SSL Protocol support:
++    # List the enable protocol levels with which clients will be able to
++    # connect.  Disable SSLv2 access by default:
++    SSLProtocol all -SSLv2
++
++    #   SSL Cipher Suite:
++    # List the ciphers that the client is permitted to negotiate.
++    # See the mod_ssl documentation for a complete list.
++    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++	#   A self-signed (snakeoil) certificate can be created by installing
++	#   the ssl-cert package. See
++	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++	#   If both key and certificate are stored in the same file, only the
++	#   SSLCertificateFile directive is needed.
++	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
++	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++    SSLCertificateFile /etc/ssl/local/jausoft2013-hostcert.pem
++    SSLCertificateKeyFile /etc/ssl/local/jausoft2013-hostkey.apache.pem
++
++	#   Server Certificate Chain:
++	#   Point SSLCertificateChainFile at a file containing the
++	#   concatenation of PEM encoded CA certificates which form the
++	#   certificate chain for the server certificate. Alternatively
++	#   the referenced file can be the same as SSLCertificateFile
++	#   when the CA certificates are directly appended to the server
++	#   certificate for convinience.
++	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++    SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++	#   Certificate Authority (CA):
++	#   Set the CA certificate verification path where to find CA
++	#   certificates for client authentication or alternatively one
++	#   huge file containing all of them (file must be PEM encoded)
++	#   Note: Inside SSLCACertificatePath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCACertificatePath /etc/ssl/certs/
++	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++	#   Certificate Revocation Lists (CRL):
++	#   Set the CA revocation path where to find CA CRLs for client
++	#   authentication or alternatively one huge file containing all
++	#   of them (file must be PEM encoded)
++	#   Note: Inside SSLCARevocationPath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCARevocationPath /etc/apache2/ssl.crl/
++	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++	#   Client Authentication (Type):
++	#   Client certificate verification type and depth.  Types are
++	#   none, optional, require and optional_no_ca.  Depth is a
++	#   number which specifies how deeply to verify the certificate
++	#   issuer chain before deciding the certificate is not valid.
++	#SSLVerifyClient require
++	#SSLVerifyDepth  10
++
++    #   Access Control:
++    #   With SSLRequire you can do per-directory access control based
++    #   on arbitrary complex boolean expressions containing server
++    #   variable checks and other lookup directives.  The syntax is a
++    #   mixture between C and Perl.  See the mod_ssl documentation
++    #   for more details.
++    #<Location />
++    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
++    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++    #</Location>
++
++    #   SSL Engine Options:
++    #   Set various options for the SSL engine.
++    #   o FakeBasicAuth:
++    #     Translate the client X.509 into a Basic Authorisation.  This means that
++    #     the standard Auth/DBMAuth methods can be used for access control.  The
++    #     user name is the `one line' version of the client's X.509 certificate.
++    #     Note that no password is obtained from the user. Every entry in the user
++    #     file needs this password: `xxj31ZMTZzkVA'.
++    #   o ExportCertData:
++    #     This exports two additional environment variables: SSL_CLIENT_CERT and
++    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++    #     server (always existing) and the client (only existing when client
++    #     authentication is used). This can be used to import the certificates
++    #     into CGI scripts.
++    #   o StdEnvVars:
++    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
++    #     Per default this exportation is switched off for performance reasons,
++    #     because the extraction step is an expensive operation and is usually
++    #     useless for serving static content. So one usually enables the
++    #     exportation for CGI and SSI requests only.
++    #   o StrictRequire:
++    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++    #     under a "Satisfy any" situation, i.e. when it applies access is denied
++    #     and no other module can change it.
++    #   o OptRenegotiate:
++    #     This enables optimized SSL connection renegotiation handling when SSL
++    #     directives are used in per-directory context. 
++    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++        SSLOptions +StdEnvVars
++    </Files>
++
++	#   SSL Protocol Adjustments:
++	#   The safe and default but still SSL/TLS standard compliant shutdown
++	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
++	#   the close notify alert from client. When you need a different shutdown
++	#   approach you can use one of the following variables:
++	#   o ssl-unclean-shutdown:
++	#     This forces an unclean shutdown when the connection is closed, i.e. no
++	#     SSL close notify alert is send or allowed to received.  This violates
++	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
++	#     this when you receive I/O errors because of the standard approach where
++	#     mod_ssl sends the close notify alert.
++	#   o ssl-accurate-shutdown:
++	#     This forces an accurate shutdown when the connection is closed, i.e. a
++	#     SSL close notify alert is send and mod_ssl waits for the close notify
++	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
++	#     practice often causes hanging connections with brain-dead browsers. Use
++	#     this only for browsers where you know that their SSL implementation
++	#     works correctly.
++	#   Notice: Most problems of broken clients are also related to the HTTP
++	#   keep-alive facility, so you usually additionally want to disable
++	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
++	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
++	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++	#   "force-response-1.0" for this.
++	BrowserMatch "MSIE [2-6]" \
++		nokeepalive ssl-unclean-shutdown \
++		downgrade-1.0 force-response-1.0
++	# MSIE 7 and newer should be able to use keepalive
++	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++    #   Per-Server Logging:
++    #   The home of a custom SSL log file. Use this when you want a
++    #   compact non-error SSL logfile on a virtual host basis.
++    CustomLog /var/log/apache2/ssl_request_log \
++              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++        ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log
++        CustomLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log common
++
++        # configures the footer on server-generated documents
++        ServerSignature On
++
++        <Directory "/srv/www/jausoft.com">
++            Options Indexes FollowSymLinks
++            AllowOverride All
++            Order allow,deny
++            Allow from all
++        </Directory>
++
++
++        SetEnv GIT_PROJECT_ROOT /srv/scm
++        SetEnv GIT_HTTP_EXPORT_ALL
++        ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++        <Directory "/srv/www/jausoft.com/git">
++           DirectoryIndex gitweb.cgi
++           Allow from all
++           AllowOverride all
++           Order allow,deny
++           Options ExecCGI
++           <Files gitweb.cgi>
++           SetHandler cgi-script
++           </Files>
++           SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
++        </Directory>
++
++        Alias /icons/ "/srv/www/jausoft.com/icons/"
++
++        <Directory "/srv/www/jausoft.com/icons">
++            Options Indexes MultiViews
++            AllowOverride None
++            Order allow,deny
++            Allow from all
++        </Directory>
++
++
++</VirtualHost>
++</IfModule>
++
+diff -Nur apache2.orig/sites-available/jogamp.org apache2/sites-available/jogamp.org
+--- apache2.orig/sites-available/jogamp.org	1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jogamp.org	2013-06-06 07:29:00.470204000 +0200
+@@ -0,0 +1,247 @@
++#
++# Almost any Apache directive may go into a VirtualHost container.
++# The first VirtualHost section is used for requests without a known
++# server name.
++#
++<VirtualHost *:80>
++    ServerAdmin [email protected]
++    ServerName jogamp.org
++    ServerAlias www.jogamp.org
++    ServerPath /jogamp.org/
++    RewriteEngine On
++
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++
++    DocumentRoot /srv/www/jogamp.org
++
++    # don't loose time with IP address lookups
++    HostnameLookups Off
++
++    # needed for named virtual hosts
++    UseCanonicalName Off
++
++    # configures the footer on server-generated documents
++    ServerSignature On
++
++	<Directory "/srv/www/jogamp.org">
++	    Options Indexes FollowSymLinks
++	    AllowOverride All
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++    #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{REQUEST_URI} ^/wiki/index.php$
++    RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
++    RewriteCond %{REQUEST_METHOD} ^GET$
++    RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
++
++    #
++    # Due to security concerns, session hijacking .. etc .. the whole
++    # bugzilla stream will go over https
++    #
++    RewriteCond %{REQUEST_URI} ^/bugzilla
++    RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
++
++    SetEnv GIT_PROJECT_ROOT /srv/scm
++    SetEnv GIT_HTTP_EXPORT_ALL
++    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++	<Directory "/srv/www/jogamp.org/git">
++       DirectoryIndex gitweb.cgi
++       Allow from all
++       AllowOverride all
++       Order allow,deny
++       Options ExecCGI
++       <Files gitweb.cgi>
++       SetHandler cgi-script
++       </Files>
++       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
++    </Directory>
++
++	Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++	<Directory "/srv/www/jogamp.org/icons">
++	    Options Indexes MultiViews
++	    AllowOverride None
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    #
++    # Due to security concerns, session hijacking .. etc .. the whole
++    # hudson and bugzilla stream will go over https
++    #
++    RewriteCond %{REQUEST_URI} ^/chuck
++    RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++
++    #RewriteCond %{REQUEST_URI} ^/chuck
++    #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
++    #
++    #RewriteCond %{REQUEST_URI} ^/chuck
++    #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
++    #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
++    #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++    #
++    # Cookies:
++    #   wikidb_mw_LoggedOut                       /
++    #   wikidb_mw__session                        /
++    #   wikidb_mw_Token                           /
++    #   wikidb_mw_UserID                          /
++    #   wikidb_mw_UserName                        /
++    #
++    #   Bugzilla_login                            /bugzilla
++    #   Bugzilla_logincookie                      /bugzilla
++    #   DEFAULTFORMAT                             /bugzilla
++    #
++    #   ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE  /chuck   
++    #   JSESSIONID                                /chuck
++    #
++
++	#
++	# http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++	#
++	#ProxyRequests     Off
++    #ProxyPreserveHost On
++
++	# Local reverse proxy authorization override
++	# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++	#<Proxy http://localhost:8089/chuck*>
++	#  Order deny,allow
++	#  Allow from all
++	#</Proxy>
++	#ProxyPass         /chuck  http://localhost:8080/chuck
++	#ProxyPassReverse  /chuck  http://localhost:8080/chuck
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName blog.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName bugzilla.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName wiki.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName scm.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jogl.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jocl.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName joal.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName demos.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName chuck.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jogamp.com
++    ServerAlias *.jogamp.com
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
++
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
++#
++# Directives to allow use of AWStats as a CGI
++#
++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
++
++#
++# This is to permit URL access to scripts/files in AWStats directory.
++#
++<Directory "/usr/local/awstats/wwwroot">
++    Options None
++    AllowOverride None
++    Order allow,deny
++    Allow from all
++</Directory>
++
+diff -Nur apache2.orig/sites-available/jogamp.org-ssl apache2/sites-available/jogamp.org-ssl
+--- apache2.orig/sites-available/jogamp.org-ssl	1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jogamp.org-ssl	2013-06-06 07:53:58.298005000 +0200
+@@ -0,0 +1,256 @@
++<IfModule mod_ssl.c>
++<VirtualHost *:443>
++
++    # General setup for the virtual host, inherited from global configuration
++    ServerName jogamp.org
++    ServerPath /jogamp.org/
++    RewriteEngine On
++    DocumentRoot /srv/www/jogamp.org
++
++    # Use separate log files for the SSL virtual host; note that LogLevel
++    # is not inherited from httpd.conf.
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++    TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
++    LogLevel warn
++
++    #   SSL Engine Switch:
++    #   Enable/Disable SSL for this virtual host.
++    SSLEngine on
++
++    #   SSL Protocol support:
++    # List the enable protocol levels with which clients will be able to
++    # connect.  Disable SSLv2 access by default:
++    SSLProtocol all -SSLv2
++
++    #   SSL Cipher Suite:
++    # List the ciphers that the client is permitted to negotiate.
++    # See the mod_ssl documentation for a complete list.
++    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++	#   A self-signed (snakeoil) certificate can be created by installing
++	#   the ssl-cert package. See
++	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++	#   If both key and certificate are stored in the same file, only the
++	#   SSLCertificateFile directive is needed.
++	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
++	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++	#   Server Certificate Chain:
++	#   Point SSLCertificateChainFile at a file containing the
++	#   concatenation of PEM encoded CA certificates which form the
++	#   certificate chain for the server certificate. Alternatively
++	#   the referenced file can be the same as SSLCertificateFile
++	#   when the CA certificates are directly appended to the server
++	#   certificate for convinience.
++	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++    SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++	#   Certificate Authority (CA):
++	#   Set the CA certificate verification path where to find CA
++	#   certificates for client authentication or alternatively one
++	#   huge file containing all of them (file must be PEM encoded)
++	#   Note: Inside SSLCACertificatePath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCACertificatePath /etc/ssl/certs/
++	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++	#   Certificate Revocation Lists (CRL):
++	#   Set the CA revocation path where to find CA CRLs for client
++	#   authentication or alternatively one huge file containing all
++	#   of them (file must be PEM encoded)
++	#   Note: Inside SSLCARevocationPath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCARevocationPath /etc/apache2/ssl.crl/
++	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++	#   Client Authentication (Type):
++	#   Client certificate verification type and depth.  Types are
++	#   none, optional, require and optional_no_ca.  Depth is a
++	#   number which specifies how deeply to verify the certificate
++	#   issuer chain before deciding the certificate is not valid.
++	#SSLVerifyClient require
++	#SSLVerifyDepth  10
++
++    #   Access Control:
++    #   With SSLRequire you can do per-directory access control based
++    #   on arbitrary complex boolean expressions containing server
++    #   variable checks and other lookup directives.  The syntax is a
++    #   mixture between C and Perl.  See the mod_ssl documentation
++    #   for more details.
++    #<Location />
++    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
++    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++    #</Location>
++
++    #   SSL Engine Options:
++    #   Set various options for the SSL engine.
++    #   o FakeBasicAuth:
++    #     Translate the client X.509 into a Basic Authorisation.  This means that
++    #     the standard Auth/DBMAuth methods can be used for access control.  The
++    #     user name is the `one line' version of the client's X.509 certificate.
++    #     Note that no password is obtained from the user. Every entry in the user
++    #     file needs this password: `xxj31ZMTZzkVA'.
++    #   o ExportCertData:
++    #     This exports two additional environment variables: SSL_CLIENT_CERT and
++    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++    #     server (always existing) and the client (only existing when client
++    #     authentication is used). This can be used to import the certificates
++    #     into CGI scripts.
++    #   o StdEnvVars:
++    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
++    #     Per default this exportation is switched off for performance reasons,
++    #     because the extraction step is an expensive operation and is usually
++    #     useless for serving static content. So one usually enables the
++    #     exportation for CGI and SSI requests only.
++    #   o StrictRequire:
++    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++    #     under a "Satisfy any" situation, i.e. when it applies access is denied
++    #     and no other module can change it.
++    #   o OptRenegotiate:
++    #     This enables optimized SSL connection renegotiation handling when SSL
++    #     directives are used in per-directory context. 
++    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++        SSLOptions +StdEnvVars
++    </Files>
++
++	#   SSL Protocol Adjustments:
++	#   The safe and default but still SSL/TLS standard compliant shutdown
++	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
++	#   the close notify alert from client. When you need a different shutdown
++	#   approach you can use one of the following variables:
++	#   o ssl-unclean-shutdown:
++	#     This forces an unclean shutdown when the connection is closed, i.e. no
++	#     SSL close notify alert is send or allowed to received.  This violates
++	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
++	#     this when you receive I/O errors because of the standard approach where
++	#     mod_ssl sends the close notify alert.
++	#   o ssl-accurate-shutdown:
++	#     This forces an accurate shutdown when the connection is closed, i.e. a
++	#     SSL close notify alert is send and mod_ssl waits for the close notify
++	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
++	#     practice often causes hanging connections with brain-dead browsers. Use
++	#     this only for browsers where you know that their SSL implementation
++	#     works correctly.
++	#   Notice: Most problems of broken clients are also related to the HTTP
++	#   keep-alive facility, so you usually additionally want to disable
++	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
++	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
++	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++	#   "force-response-1.0" for this.
++	BrowserMatch "MSIE [2-6]" \
++		nokeepalive ssl-unclean-shutdown \
++		downgrade-1.0 force-response-1.0
++	# MSIE 7 and newer should be able to use keepalive
++	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++    #   Per-Server Logging:
++    #   The home of a custom SSL log file. Use this when you want a
++    #   compact non-error SSL logfile on a virtual host basis.
++    CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
++              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
++
++    # configures the footer on server-generated documents
++    ServerSignature On
++
++	<Directory "/srv/www/jogamp.org">
++	    Options Indexes FollowSymLinks
++	    AllowOverride All
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++#	ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
++	<Directory /srv/www/jogamp.org/bugzilla>
++	    AddHandler cgi-script .cgi
++	    Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
++	    DirectoryIndex index.cgi
++        AllowOverride Limit FileInfo Indexes
++    </Directory>
++
++    SetEnv GIT_PROJECT_ROOT /srv/scm
++    SetEnv GIT_HTTP_EXPORT_ALL
++    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++	<Directory "/srv/www/jogamp.org/git">
++       DirectoryIndex gitweb.cgi
++       Allow from all
++       AllowOverride all
++       Order allow,deny
++       Options ExecCGI
++       <Files gitweb.cgi>
++       SetHandler cgi-script
++       </Files>
++       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
++    </Directory>
++
++	Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++	<Directory "/srv/www/jogamp.org/icons">
++	    Options Indexes MultiViews
++	    AllowOverride None
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    #
++    # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++    #
++    ProxyRequests     Off
++    ProxyPreserveHost On
++
++    # Local reverse proxy authorization override
++    # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++    <Proxy http://127.0.0.1:8080/chuck*>
++      Order deny,allow
++      Allow from all
++    </Proxy>
++
++    ProxyPass         /chuck  http://127.0.0.1:8080/chuck
++    ProxyPassReverse  /chuck  http://127.0.0.1:8080/chuck
++    ProxyPassReverse  /chuck  http://jogamp.org/chuck
++
++#   ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
++#   <Location /chuck/>
++#     ProxyPassReverse /
++#     Order deny,allow
++#     Allow from all
++#   </Location>
++    Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
++
++</VirtualHost>                                  
++
++<VirtualHost *:443>
++    ServerName jogamp.com
++    ServerAlias *.jogamp.com
++    ServerPath /jogamp.org/
++    SSLEngine on
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
++
++    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
+diff -Nur apache2.orig/sites-enabled/000-default apache2/sites-enabled/000-default
+--- apache2.orig/sites-enabled/000-default	2013-03-03 12:14:45.000000000 +0100
++++ apache2/sites-enabled/000-default	1970-01-01 01:00:00.000000000 +0100
+@@ -1,31 +0,0 @@
+-<VirtualHost *:80>
+-	ServerAdmin webmaster@localhost
+-
+-	DocumentRoot /var/www
+-	<Directory />
+-		Options FollowSymLinks
+-		AllowOverride None
+-	</Directory>
+-	<Directory /var/www/>
+-		Options Indexes FollowSymLinks MultiViews
+-		AllowOverride None
+-		Order allow,deny
+-		allow from all
+-	</Directory>
+-
+-	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+-	<Directory "/usr/lib/cgi-bin">
+-		AllowOverride None
+-		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+-		Order allow,deny
+-		Allow from all
+-	</Directory>
+-
+-	ErrorLog ${APACHE_LOG_DIR}/error.log
+-
+-	# Possible values include: debug, info, notice, warn, error, crit,
+-	# alert, emerg.
+-	LogLevel warn
+-
+-	CustomLog ${APACHE_LOG_DIR}/access.log combined
+-</VirtualHost>
+diff -Nur apache2.orig/sites-enabled/000-jogamp.org apache2/sites-enabled/000-jogamp.org
+--- apache2.orig/sites-enabled/000-jogamp.org	1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-enabled/000-jogamp.org	2013-06-06 07:29:00.470204000 +0200
+@@ -0,0 +1,247 @@
++#
++# Almost any Apache directive may go into a VirtualHost container.
++# The first VirtualHost section is used for requests without a known
++# server name.
++#
++<VirtualHost *:80>
++    ServerAdmin [email protected]
++    ServerName jogamp.org
++    ServerAlias www.jogamp.org
++    ServerPath /jogamp.org/
++    RewriteEngine On
++
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++
++    DocumentRoot /srv/www/jogamp.org
++
++    # don't loose time with IP address lookups
++    HostnameLookups Off
++
++    # needed for named virtual hosts
++    UseCanonicalName Off
++
++    # configures the footer on server-generated documents
++    ServerSignature On
++
++	<Directory "/srv/www/jogamp.org">
++	    Options Indexes FollowSymLinks
++	    AllowOverride All
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++    #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{REQUEST_URI} ^/wiki/index.php$
++    RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
++    RewriteCond %{REQUEST_METHOD} ^GET$
++    RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
++
++    #
++    # Due to security concerns, session hijacking .. etc .. the whole
++    # bugzilla stream will go over https
++    #
++    RewriteCond %{REQUEST_URI} ^/bugzilla
++    RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
++
++    SetEnv GIT_PROJECT_ROOT /srv/scm
++    SetEnv GIT_HTTP_EXPORT_ALL
++    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++	<Directory "/srv/www/jogamp.org/git">
++       DirectoryIndex gitweb.cgi
++       Allow from all
++       AllowOverride all
++       Order allow,deny
++       Options ExecCGI
++       <Files gitweb.cgi>
++       SetHandler cgi-script
++       </Files>
++       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
++    </Directory>
++
++	Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++	<Directory "/srv/www/jogamp.org/icons">
++	    Options Indexes MultiViews
++	    AllowOverride None
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    #
++    # Due to security concerns, session hijacking .. etc .. the whole
++    # hudson and bugzilla stream will go over https
++    #
++    RewriteCond %{REQUEST_URI} ^/chuck
++    RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++
++    #RewriteCond %{REQUEST_URI} ^/chuck
++    #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
++    #
++    #RewriteCond %{REQUEST_URI} ^/chuck
++    #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
++    #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
++    #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++    #
++    # Cookies:
++    #   wikidb_mw_LoggedOut                       /
++    #   wikidb_mw__session                        /
++    #   wikidb_mw_Token                           /
++    #   wikidb_mw_UserID                          /
++    #   wikidb_mw_UserName                        /
++    #
++    #   Bugzilla_login                            /bugzilla
++    #   Bugzilla_logincookie                      /bugzilla
++    #   DEFAULTFORMAT                             /bugzilla
++    #
++    #   ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE  /chuck   
++    #   JSESSIONID                                /chuck
++    #
++
++	#
++	# http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++	#
++	#ProxyRequests     Off
++    #ProxyPreserveHost On
++
++	# Local reverse proxy authorization override
++	# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++	#<Proxy http://localhost:8089/chuck*>
++	#  Order deny,allow
++	#  Allow from all
++	#</Proxy>
++	#ProxyPass         /chuck  http://localhost:8080/chuck
++	#ProxyPassReverse  /chuck  http://localhost:8080/chuck
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName blog.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName bugzilla.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName wiki.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName scm.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jogl.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jocl.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName joal.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName demos.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName chuck.jogamp.org
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++    ServerName jogamp.com
++    ServerAlias *.jogamp.com
++    ServerPath /jogamp.org/
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
++
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
++#
++# Directives to allow use of AWStats as a CGI
++#
++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
++
++#
++# This is to permit URL access to scripts/files in AWStats directory.
++#
++<Directory "/usr/local/awstats/wwwroot">
++    Options None
++    AllowOverride None
++    Order allow,deny
++    Allow from all
++</Directory>
++
+diff -Nur apache2.orig/sites-enabled/001-jogamp.org-ssl apache2/sites-enabled/001-jogamp.org-ssl
+--- apache2.orig/sites-enabled/001-jogamp.org-ssl	1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-enabled/001-jogamp.org-ssl	2013-06-06 07:53:58.298005000 +0200
+@@ -0,0 +1,256 @@
++<IfModule mod_ssl.c>
++<VirtualHost *:443>
++
++    # General setup for the virtual host, inherited from global configuration
++    ServerName jogamp.org
++    ServerPath /jogamp.org/
++    RewriteEngine On
++    DocumentRoot /srv/www/jogamp.org
++
++    # Use separate log files for the SSL virtual host; note that LogLevel
++    # is not inherited from httpd.conf.
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++    TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
++    LogLevel warn
++
++    #   SSL Engine Switch:
++    #   Enable/Disable SSL for this virtual host.
++    SSLEngine on
++
++    #   SSL Protocol support:
++    # List the enable protocol levels with which clients will be able to
++    # connect.  Disable SSLv2 access by default:
++    SSLProtocol all -SSLv2
++
++    #   SSL Cipher Suite:
++    # List the ciphers that the client is permitted to negotiate.
++    # See the mod_ssl documentation for a complete list.
++    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++	#   A self-signed (snakeoil) certificate can be created by installing
++	#   the ssl-cert package. See
++	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++	#   If both key and certificate are stored in the same file, only the
++	#   SSLCertificateFile directive is needed.
++	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
++	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++	#   Server Certificate Chain:
++	#   Point SSLCertificateChainFile at a file containing the
++	#   concatenation of PEM encoded CA certificates which form the
++	#   certificate chain for the server certificate. Alternatively
++	#   the referenced file can be the same as SSLCertificateFile
++	#   when the CA certificates are directly appended to the server
++	#   certificate for convinience.
++	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++    SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++	#   Certificate Authority (CA):
++	#   Set the CA certificate verification path where to find CA
++	#   certificates for client authentication or alternatively one
++	#   huge file containing all of them (file must be PEM encoded)
++	#   Note: Inside SSLCACertificatePath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCACertificatePath /etc/ssl/certs/
++	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++	#   Certificate Revocation Lists (CRL):
++	#   Set the CA revocation path where to find CA CRLs for client
++	#   authentication or alternatively one huge file containing all
++	#   of them (file must be PEM encoded)
++	#   Note: Inside SSLCARevocationPath you need hash symlinks
++	#         to point to the certificate files. Use the provided
++	#         Makefile to update the hash symlinks after changes.
++	#SSLCARevocationPath /etc/apache2/ssl.crl/
++	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++	#   Client Authentication (Type):
++	#   Client certificate verification type and depth.  Types are
++	#   none, optional, require and optional_no_ca.  Depth is a
++	#   number which specifies how deeply to verify the certificate
++	#   issuer chain before deciding the certificate is not valid.
++	#SSLVerifyClient require
++	#SSLVerifyDepth  10
++
++    #   Access Control:
++    #   With SSLRequire you can do per-directory access control based
++    #   on arbitrary complex boolean expressions containing server
++    #   variable checks and other lookup directives.  The syntax is a
++    #   mixture between C and Perl.  See the mod_ssl documentation
++    #   for more details.
++    #<Location />
++    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
++    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++    #</Location>
++
++    #   SSL Engine Options:
++    #   Set various options for the SSL engine.
++    #   o FakeBasicAuth:
++    #     Translate the client X.509 into a Basic Authorisation.  This means that
++    #     the standard Auth/DBMAuth methods can be used for access control.  The
++    #     user name is the `one line' version of the client's X.509 certificate.
++    #     Note that no password is obtained from the user. Every entry in the user
++    #     file needs this password: `xxj31ZMTZzkVA'.
++    #   o ExportCertData:
++    #     This exports two additional environment variables: SSL_CLIENT_CERT and
++    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++    #     server (always existing) and the client (only existing when client
++    #     authentication is used). This can be used to import the certificates
++    #     into CGI scripts.
++    #   o StdEnvVars:
++    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
++    #     Per default this exportation is switched off for performance reasons,
++    #     because the extraction step is an expensive operation and is usually
++    #     useless for serving static content. So one usually enables the
++    #     exportation for CGI and SSI requests only.
++    #   o StrictRequire:
++    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++    #     under a "Satisfy any" situation, i.e. when it applies access is denied
++    #     and no other module can change it.
++    #   o OptRenegotiate:
++    #     This enables optimized SSL connection renegotiation handling when SSL
++    #     directives are used in per-directory context. 
++    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++        SSLOptions +StdEnvVars
++    </Files>
++
++	#   SSL Protocol Adjustments:
++	#   The safe and default but still SSL/TLS standard compliant shutdown
++	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
++	#   the close notify alert from client. When you need a different shutdown
++	#   approach you can use one of the following variables:
++	#   o ssl-unclean-shutdown:
++	#     This forces an unclean shutdown when the connection is closed, i.e. no
++	#     SSL close notify alert is send or allowed to received.  This violates
++	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
++	#     this when you receive I/O errors because of the standard approach where
++	#     mod_ssl sends the close notify alert.
++	#   o ssl-accurate-shutdown:
++	#     This forces an accurate shutdown when the connection is closed, i.e. a
++	#     SSL close notify alert is send and mod_ssl waits for the close notify
++	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
++	#     practice often causes hanging connections with brain-dead browsers. Use
++	#     this only for browsers where you know that their SSL implementation
++	#     works correctly.
++	#   Notice: Most problems of broken clients are also related to the HTTP
++	#   keep-alive facility, so you usually additionally want to disable
++	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
++	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
++	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++	#   "force-response-1.0" for this.
++	BrowserMatch "MSIE [2-6]" \
++		nokeepalive ssl-unclean-shutdown \
++		downgrade-1.0 force-response-1.0
++	# MSIE 7 and newer should be able to use keepalive
++	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++    #   Per-Server Logging:
++    #   The home of a custom SSL log file. Use this when you want a
++    #   compact non-error SSL logfile on a virtual host basis.
++    CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
++              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
++
++    # configures the footer on server-generated documents
++    ServerSignature On
++
++	<Directory "/srv/www/jogamp.org">
++	    Options Indexes FollowSymLinks
++	    AllowOverride All
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++#	ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
++	<Directory /srv/www/jogamp.org/bugzilla>
++	    AddHandler cgi-script .cgi
++	    Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
++	    DirectoryIndex index.cgi
++        AllowOverride Limit FileInfo Indexes
++    </Directory>
++
++    SetEnv GIT_PROJECT_ROOT /srv/scm
++    SetEnv GIT_HTTP_EXPORT_ALL
++    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++	<Directory "/srv/www/jogamp.org/git">
++       DirectoryIndex gitweb.cgi
++       Allow from all
++       AllowOverride all
++       Order allow,deny
++       Options ExecCGI
++       <Files gitweb.cgi>
++       SetHandler cgi-script
++       </Files>
++       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
++    </Directory>
++
++	Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++	<Directory "/srv/www/jogamp.org/icons">
++	    Options Indexes MultiViews
++	    AllowOverride None
++	    Order allow,deny
++	    Allow from all
++	</Directory>
++
++    #
++    # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++    #
++    ProxyRequests     Off
++    ProxyPreserveHost On
++
++    # Local reverse proxy authorization override
++    # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++    <Proxy http://127.0.0.1:8080/chuck*>
++      Order deny,allow
++      Allow from all
++    </Proxy>
++
++    ProxyPass         /chuck  http://127.0.0.1:8080/chuck
++    ProxyPassReverse  /chuck  http://127.0.0.1:8080/chuck
++    ProxyPassReverse  /chuck  http://jogamp.org/chuck
++
++#   ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
++#   <Location /chuck/>
++#     ProxyPassReverse /
++#     Order deny,allow
++#     Allow from all
++#   </Location>
++    Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
++
++</VirtualHost>                                  
++
++<VirtualHost *:443>
++    ServerName jogamp.com
++    ServerAlias *.jogamp.com
++    ServerPath /jogamp.org/
++    SSLEngine on
++    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
++    CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
++
++    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++    RewriteEngine On
++    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++
++    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
diff --git a/server/setup/05-service-settings/etc/apache2/mods-enabled.lst b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst
new file mode 100644
index 0000000..c2df5c0
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst
@@ -0,0 +1,44 @@
+alias.conf
+alias.load
+auth_basic.load
+authn_file.load
+authz_default.load
+authz_groupfile.load
+authz_host.load
+authz_user.load
+autoindex.conf
+autoindex.load
+cgid.conf
+cgid.load
+cgi.load
+deflate.conf
+deflate.load
+dir.conf
+dir.load
+env.load
+headers.load
+mime.conf
+mime.load
+negotiation.conf
+negotiation.load
+php5.conf
+php5.load
+proxy_ajp.load
+proxy_balancer.conf
+proxy_balancer.load
+proxy.conf
+proxy_connect.load
+proxy_ftp.conf
+proxy_ftp.load
+proxy_http.load
+proxy.load
+proxy_scgi.load
+reqtimeout.conf
+reqtimeout.load
+rewrite.load
+setenvif.conf
+setenvif.load
+ssl.conf
+ssl.load
+status.conf
+status.load
diff --git a/server/setup/05-service-settings/etc/apache2/ports.conf b/server/setup/05-service-settings/etc/apache2/ports.conf
new file mode 100644
index 0000000..a319afa
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/ports.conf
@@ -0,0 +1,25 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+NameVirtualHost *:80
+# NameVirtualHost *
+Listen 80
+
+<IfModule mod_ssl.c>
+    NameVirtualHost *:443
+    # If you add NameVirtualHost *:443 here, you will also have to change
+    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+    # to <VirtualHost *:443>
+    # Server Name Indication for SSL named virtual hosts is currently not
+    # supported by MSIE on Windows XP.
+    Listen 443
+</IfModule>
+
+<IfModule mod_gnutls.c>
+    Listen 443
+</IfModule>
+
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
new file mode 100644
index 0000000..f9101fa
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
@@ -0,0 +1,247 @@
+#
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+<VirtualHost *:80>
+    ServerAdmin [email protected]
+    ServerName jogamp.org
+    ServerAlias www.jogamp.org
+    ServerPath /jogamp.org/
+    RewriteEngine On
+
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+
+    DocumentRoot /srv/www/jogamp.org
+
+    # don't loose time with IP address lookups
+    HostnameLookups Off
+
+    # needed for named virtual hosts
+    UseCanonicalName Off
+
+    # configures the footer on server-generated documents
+    ServerSignature On
+
+	<Directory "/srv/www/jogamp.org">
+	    Options Indexes FollowSymLinks
+	    AllowOverride All
+	    Order allow,deny
+	    Allow from all
+	</Directory>
+
+    RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+
+    #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+
+    RewriteCond %{REQUEST_URI} ^/wiki/index.php$
+    RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
+    RewriteCond %{REQUEST_METHOD} ^GET$
+    RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
+
+    #
+    # Due to security concerns, session hijacking .. etc .. the whole
+    # bugzilla stream will go over https
+    #
+    RewriteCond %{REQUEST_URI} ^/bugzilla
+    RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
+
+    SetEnv GIT_PROJECT_ROOT /srv/scm
+    SetEnv GIT_HTTP_EXPORT_ALL
+    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
+	<Directory "/srv/www/jogamp.org/git">
+       DirectoryIndex gitweb.cgi
+       Allow from all
+       AllowOverride all
+       Order allow,deny
+       Options ExecCGI
+       <Files gitweb.cgi>
+       SetHandler cgi-script
+       </Files>
+       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
+    </Directory>
+
+	Alias /icons/ "/srv/www/jogamp.org/icons/"
+
+	<Directory "/srv/www/jogamp.org/icons">
+	    Options Indexes MultiViews
+	    AllowOverride None
+	    Order allow,deny
+	    Allow from all
+	</Directory>
+
+    #
+    # Due to security concerns, session hijacking .. etc .. the whole
+    # hudson and bugzilla stream will go over https
+    #
+    RewriteCond %{REQUEST_URI} ^/chuck
+    RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
+
+    #RewriteCond %{REQUEST_URI} ^/chuck
+    #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
+    #
+    #RewriteCond %{REQUEST_URI} ^/chuck
+    #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
+    #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
+    #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
+    #
+    # Cookies:
+    #   wikidb_mw_LoggedOut                       /
+    #   wikidb_mw__session                        /
+    #   wikidb_mw_Token                           /
+    #   wikidb_mw_UserID                          /
+    #   wikidb_mw_UserName                        /
+    #
+    #   Bugzilla_login                            /bugzilla
+    #   Bugzilla_logincookie                      /bugzilla
+    #   DEFAULTFORMAT                             /bugzilla
+    #
+    #   ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE  /chuck   
+    #   JSESSIONID                                /chuck
+    #
+
+	#
+	# http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
+	#
+	#ProxyRequests     Off
+    #ProxyPreserveHost On
+
+	# Local reverse proxy authorization override
+	# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
+	#<Proxy http://localhost:8089/chuck*>
+	#  Order deny,allow
+	#  Allow from all
+	#</Proxy>
+	#ProxyPass         /chuck  http://localhost:8080/chuck
+	#ProxyPassReverse  /chuck  http://localhost:8080/chuck
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName blog.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName bugzilla.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName wiki.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName scm.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName jogl.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName jocl.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName joal.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName demos.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName chuck.jogamp.org
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName jogamp.com
+    ServerAlias *.jogamp.com
+    ServerPath /jogamp.org/
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
+
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+
+    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+</VirtualHost>
+
+#
+# Directives to allow use of AWStats as a CGI
+#
+#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
+#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
+#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
+#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
+
+#
+# This is to permit URL access to scripts/files in AWStats directory.
+#
+<Directory "/usr/local/awstats/wwwroot">
+    Options None
+    AllowOverride None
+    Order allow,deny
+    Allow from all
+</Directory>
+
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
new file mode 100644
index 0000000..062d2d5
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
@@ -0,0 +1,256 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+
+    # General setup for the virtual host, inherited from global configuration
+    ServerName jogamp.org
+    ServerPath /jogamp.org/
+    RewriteEngine On
+    DocumentRoot /srv/www/jogamp.org
+
+    # Use separate log files for the SSL virtual host; note that LogLevel
+    # is not inherited from httpd.conf.
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+    TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
+    LogLevel warn
+
+    #   SSL Engine Switch:
+    #   Enable/Disable SSL for this virtual host.
+    SSLEngine on
+
+    #   SSL Protocol support:
+    # List the enable protocol levels with which clients will be able to
+    # connect.  Disable SSLv2 access by default:
+    SSLProtocol all -SSLv2
+
+    #   SSL Cipher Suite:
+    # List the ciphers that the client is permitted to negotiate.
+    # See the mod_ssl documentation for a complete list.
+    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
+    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   the referenced file can be the same as SSLCertificateFile
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+    SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+    #   Access Control:
+    #   With SSLRequire you can do per-directory access control based
+    #   on arbitrary complex boolean expressions containing server
+    #   variable checks and other lookup directives.  The syntax is a
+    #   mixture between C and Perl.  See the mod_ssl documentation
+    #   for more details.
+    #<Location />
+    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+    #</Location>
+
+    #   SSL Engine Options:
+    #   Set various options for the SSL engine.
+    #   o FakeBasicAuth:
+    #     Translate the client X.509 into a Basic Authorisation.  This means that
+    #     the standard Auth/DBMAuth methods can be used for access control.  The
+    #     user name is the `one line' version of the client's X.509 certificate.
+    #     Note that no password is obtained from the user. Every entry in the user
+    #     file needs this password: `xxj31ZMTZzkVA'.
+    #   o ExportCertData:
+    #     This exports two additional environment variables: SSL_CLIENT_CERT and
+    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+    #     server (always existing) and the client (only existing when client
+    #     authentication is used). This can be used to import the certificates
+    #     into CGI scripts.
+    #   o StdEnvVars:
+    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
+    #     Per default this exportation is switched off for performance reasons,
+    #     because the extraction step is an expensive operation and is usually
+    #     useless for serving static content. So one usually enables the
+    #     exportation for CGI and SSI requests only.
+    #   o StrictRequire:
+    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+    #     under a "Satisfy any" situation, i.e. when it applies access is denied
+    #     and no other module can change it.
+    #   o OptRenegotiate:
+    #     This enables optimized SSL connection renegotiation handling when SSL
+    #     directives are used in per-directory context. 
+    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+        SSLOptions +StdEnvVars
+    </Files>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+    #   Per-Server Logging:
+    #   The home of a custom SSL log file. Use this when you want a
+    #   compact non-error SSL logfile on a virtual host basis.
+    CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
+              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+
+    # configures the footer on server-generated documents
+    ServerSignature On
+
+	<Directory "/srv/www/jogamp.org">
+	    Options Indexes FollowSymLinks
+	    AllowOverride All
+	    Order allow,deny
+	    Allow from all
+	</Directory>
+
+#	ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
+	<Directory /srv/www/jogamp.org/bugzilla>
+	    AddHandler cgi-script .cgi
+	    Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
+	    DirectoryIndex index.cgi
+        AllowOverride Limit FileInfo Indexes
+    </Directory>
+
+    SetEnv GIT_PROJECT_ROOT /srv/scm
+    SetEnv GIT_HTTP_EXPORT_ALL
+    ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
+	<Directory "/srv/www/jogamp.org/git">
+       DirectoryIndex gitweb.cgi
+       Allow from all
+       AllowOverride all
+       Order allow,deny
+       Options ExecCGI
+       <Files gitweb.cgi>
+       SetHandler cgi-script
+       </Files>
+       SetEnv  GITWEB_CONFIG  /srv/scm/gitweb.conf
+    </Directory>
+
+	Alias /icons/ "/srv/www/jogamp.org/icons/"
+
+	<Directory "/srv/www/jogamp.org/icons">
+	    Options Indexes MultiViews
+	    AllowOverride None
+	    Order allow,deny
+	    Allow from all
+	</Directory>
+
+    #
+    # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
+    #
+    ProxyRequests     Off
+    ProxyPreserveHost On
+
+    # Local reverse proxy authorization override
+    # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
+    <Proxy http://127.0.0.1:8080/chuck*>
+      Order deny,allow
+      Allow from all
+    </Proxy>
+
+    ProxyPass         /chuck  http://127.0.0.1:8080/chuck
+    ProxyPassReverse  /chuck  http://127.0.0.1:8080/chuck
+    ProxyPassReverse  /chuck  http://jogamp.org/chuck
+
+#   ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
+#   <Location /chuck/>
+#     ProxyPassReverse /
+#     Order deny,allow
+#     Allow from all
+#   </Location>
+    Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
+
+</VirtualHost>                                  
+
+<VirtualHost *:443>
+    ServerName jogamp.com
+    ServerAlias *.jogamp.com
+    ServerPath /jogamp.org/
+    SSLEngine on
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
+
+    SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
+    SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
+
+    RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+
+    RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
+    RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
+</VirtualHost>
+
diff --git a/server/setup/05-service-settings/etc/xinetd.d/git b/server/setup/05-service-settings/etc/xinetd.d/git
new file mode 100644
index 0000000..fed3461
--- /dev/null
+++ b/server/setup/05-service-settings/etc/xinetd.d/git
@@ -0,0 +1,15 @@
+# default: off
+# description: The rsync server is a good addition to an ftp server, as it \
+#       allows crc checksumming etc.
+service git
+{
+        disable = no
+        socket_type     = stream
+        port            = 9418
+        wait            = no
+        user            = nobody
+        server          = /usr/bin/git
+        server_args     = daemon --inetd --syslog --verbose --export-all /srv/scm
+        log_on_failure  += USERID
+}
+
diff --git a/server/setup/05-service-settings/srv/scm/gitweb.conf b/server/setup/05-service-settings/srv/scm/gitweb.conf
new file mode 100644
index 0000000..36056e0
--- /dev/null
+++ b/server/setup/05-service-settings/srv/scm/gitweb.conf
@@ -0,0 +1,20 @@
+
+$git_temp = "/tmp";
+
+# The directories where your projects are. Must not end with a slash.
+$projectroot = "/srv/scm"; 
+
+# Base URLs for links displayed in the web interface.
+our @git_base_url_list = qw(git://jausoft.com/srv/scm http://jausoft.com/srv/scm); 
+
+$feature{'blame'}{'default'} = [1];
+$feature{'blame'}{'override'} = 1;
+
+$feature{'pickaxe'}{'default'} = [1];
+$feature{'pickaxe'}{'override'} = 1;
+
+$feature{'snapshot'}{'default'} = [''];
+#$feature{'snapshot'}{'default'} = ['tbz2'];
+#$feature{'snapshot'}{'default'} = ['tbz2', 'tgz', 'zip', 't7z'];
+#$feature{'snapshot'}{'override'} = 2;
+