Bump server settings updates

2 files changed, 64 insertions, 26 deletions

diff --git a/server/setup/05-service-settings/02-SERVICES.txt b/server/setup/05-service-settings/02-SERVICES.txt
index f832bea..4438c55 100644
--- a/server/setup/05-service-settings/02-SERVICES.txt
+++ b/server/setup/05-service-settings/02-SERVICES.txt
@@ -164,27 +164,40 @@ Debian 7.00 (Wheezy)
 
 11.2 bugzilla
     - Debian 7
-        Squash that - DO NOT INSTALL SYSTEM WIDE modules:
-            apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev
-            apt-get install libappconfig-perl libdate-calc-perl libtemplate-perl libmime-perl libdatetime-timezone-perl libdatetime-perl libemail-sender-perl libemail-mime-perl libemail-mime-modifier-perl libdbi-perl libdbd-mysql-perl libcgi-pm-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl apache2-mpm-prefork libapache2-mod-perl2 libapache2-mod-perl2-dev libchart-perl libxml-perl libxml-twig-perl perlmagick libgd-graph-perl libtemplate-plugin-gd-perl libsoap-lite-perl libhtml-scrubber-perl libjson-rpc-perl libtheschwartz-perl libtest-taint-perl libauthen-radius-perl libfile-slurp-perl libencode-detect-perl libmodule-build-perl libnet-ldap-perl libauthen-sasl-perl libtemplate-perl-doc libfile-mimeinfo-perl libhtml-formattext-withlinks-perl libmysqlclient-dev lynx-cur graphviz python-sphinx libgd2-xpm-dev
 
-        Ensure the following are NOT installed:
-            dpkg -P libjson-any-perl libcgi-application-plugin-json-perl libcgi-application-extra-plugin-bundle-perl libjson-perl
-
-        I had to remove system wide perl modules .. collision .. why o why
-        i.e. how to enforce bugzilla to use bugzilla/lib installed modules only?
-
-    - misc for perl/bugzilla
+      Install
+        apt-get install libapache2-mod-perl2-dev libapache2-mod-perl2
+        apt-get install libgd-dev libgd3
+        apt install libgdbm-dev libgdbm6
+        apt-get install libdbd-mysql-perl
+        libcgi-pm-perl libcgi-fast-perl libcgi-session-perl libfcgi-perl
+        libemail-mime-perl libemail-sender-perl
+        libtemplate-perl libhtml-template-perl
+        libjson-perl libjson-xs-perl
+        libmath-bigint-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl
+
+    - As User: misc for perl/bugzilla
         - Perl: redo init (find closest mirror ..)
             - perl -MCPAN -e shell
                 - o conf init
 
+      a2enmod rewrite
+      a2enmod expires
+
+      As User:
       See https://bugzilla.readthedocs.org/en/5.0/installing/linux.html#perl-modules
       ./checksetup.pl --check-modules
+      /usr/bin/perl install-module.pl --all
       /usr/bin/perl install-module.pl --upgrade-all
       ./checksetup.pl --check-modules
       ./checksetup.pl
 
+      # bugzilla folder must be owned by webrunner (suexec)
+      chown -R webrunner:webrunner .
+
+      systemctl restart apache2
+      /etc/init.d/apache2 restart
+
     - https://www.bugzilla.org/download/#stable
 
 11.3 mediawiki
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index cc27035..be36970 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -1,6 +1,9 @@
 <IfModule mod_ssl.c>
-<VirtualHost *:443>
 
+SSLSessionCache shmcb:/var/run/apache/sslcache(512000)
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+
+<VirtualHost *:443>
     # General setup for the virtual host, inherited from global configuration
     ServerName jogamp.org
     ServerAlias www.jogamp.org
@@ -9,11 +12,33 @@
     RewriteEngine On
     DocumentRoot /srv/www/jogamp.org
 
+    UseCanonicalName Off
+
+    # Guarantee HTTPS for 1 Year including Sub Domains
+    # Not OK: Header always set Strict-Transport-Security "max-age=31536000;includeSubDomains"
+    Header always set Strict-Transport-Security "max-age=31536000"
+
+    Header always set Content-Security-Policy "frame-ancestors 'self'"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set X-XSS-Protection "1; mode=block"
+    # Prevent browsers from incorrectly detecting non-scripts as scripts
+    Header always set X-Content-Type-Options "nosniff"
+        
+    ##Header always set Content-Security-Policy "default-src https:"
+    ##Header always set Content-Security-Policy "default-src 'self'; img-src 'self'; script-src 'self'; object-src 'self'"
+
     # Use separate log files for the SSL virtual host; note that LogLevel
     # is not inherited from httpd.conf.
-    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
-    TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
     LogLevel warn
+    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+    #TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
+    CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+
+    #   Per-Server Logging:
+    #   The home of a custom SSL log file. Use this when you want a
+    #   compact non-error SSL logfile on a virtual host basis.
+    CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
+              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
@@ -30,13 +55,19 @@
     # LOW: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
     # Enable only secure ciphers:
     #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+    #SSLCipherSuite HIGH:!ECDHE:!aNULL:!MD5
+    #SSLCipherSuite HIGH:!aNULL:!MD5
+    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+    # 2017: https://weakdh.org/sysadmin.html
+    #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
     #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
     #SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
-    SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+    #SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
     SSLHonorCipherOrder on
 
-    SetEnv no-gzip
+    SSLOpenSSLConfCmd DHParameters "/etc/ssl/local/dhparams-4096.pem"
 
     # Add content to the 1st file of SSLCertificateFile
     #    /etc/ssl/local/DH-1024.pem
@@ -50,8 +81,8 @@
 	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
-    SSLCertificateFile /etc/ssl/local/jogamp2020a.org.crt.pem
-    SSLCertificateKeyFile /etc/ssl/local/jogamp2020a.org.key.apache.pem
+    SSLCertificateFile /etc/ssl/local/jogamp2022a.org.crt.pem
+    SSLCertificateKeyFile /etc/ssl/local/jogamp2022a.org.key.apache.pem
 
 	#   Server Certificate Chain:
 	#   Point SSLCertificateChainFile at a file containing the
@@ -171,14 +202,9 @@
 	# MSIE 7 and newer should be able to use keepalive
 	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
-    #   Per-Server Logging:
-    #   The home of a custom SSL log file. Use this when you want a
-    #   compact non-error SSL logfile on a virtual host basis.
-    CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
-              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+    SSLUseStapling on
 
-    ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
-    CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+    SetEnv no-gzip
 
     # configures the footer on server-generated documents
     ServerSignature On
@@ -223,7 +249,6 @@
     #</Directory>
 
     ScriptAlias /cgit/ "/srv/www/cgit/cgit.cgi/"
-    #RedirectMatch ^/cgit$ /cgit/
     Alias /cgit-css "/usr/share/cgit/"
     <Directory "/srv/www/cgit/">
        AllowOverride None
@@ -276,7 +301,7 @@
     RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
 
     RewriteCond %{HTTP_HOST} ^scm\.jogamp\.org$ [NC]
-    RewriteRule ^/(.*)$ https://jogamp.org/git/$1 [R=301,L,NE]
+    RewriteRule ^/(.*)$ https://jogamp.org/cgit/$1 [R=301,L,NE]
 
     RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
     RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]