diff options
9 files changed, 2451 insertions, 0 deletions
diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt index 2cf28cc..9703292 100644 --- a/server/setup/05-service-settings/README.txt +++ b/server/setup/05-service-settings/README.txt @@ -32,6 +32,12 @@ Debian 7.00 (Wheezy) - MySQL - old server: backup DB - run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql + - !!! strip all system-DB's (schema's) from the backup, + i.e. all which are not created for applications, e.g.: + - mysql + - users + - test + - t_* - new server: import DB - get backup backup-mysqldb-20130605162509.sql @@ -41,6 +47,11 @@ Debian 7.00 (Wheezy) - backup-2: backup-mysql.sh - mysqlcheck --user=root --password --all-databases + - if things go wrong: re-install mysql + dpkg -P mysql-server mysql-server-5.5 mysql-server-core-5.5 + rm -rf /var/lib/mysql/* + apt-get install mysql-server mysql-server-5.5 mysql-server-core-5.5 + - Services - mv /data/backup/srv/* /srv/ @@ -106,3 +117,31 @@ Debian 7.00 (Wheezy) /etc/init.d/sendmail start +10 GIT + xinetd for git + apt-get install xinetd + cp /etc/xinetd.d/git + /etc/init.d/xinetd restart + + gitweb + We use deployed gitweb now, and simply deploy gitweb.conf + - ln -s /usr/share/gitweb DocumentRoot/git + - cp srv/scm/gitweb.conf + +11 apache2 + - php + apt-get install php5-pgsql php5-ldap php5-imap php5-odbc php5-dev php5-common php5 php5-mysql php5-gd php5-xmlrpc \ + php5-xsl php5-cli php5-intl php5-pspell php5-snmp php5-sasl + + - misc for perl/bugzilla + - Perl: redo init (find closest mirror ..) + - perl -MCPAN -e shell + - o conf init + - Packages + - apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev + + - Sync config files in /etc/apache2/ with: etc/apache2/apache2.diff + - see also etc/apache2/mods-enabled.lst, etc .. + + /etc/init.d/apache2 start + diff --git a/server/setup/05-service-settings/etc/apache2/apache2.conf b/server/setup/05-service-settings/etc/apache2/apache2.conf new file mode 100644 index 0000000..d1991c9 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/apache2.conf @@ -0,0 +1,277 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.2/ for detailed information about +# the directives and /usr/share/doc/apache2-common/README.Debian.gz about +# Debian specific hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf.d +# | `-- * +# `-- sites-enabled +# `-- * +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# In order to avoid conflicts with backup files, the Include directive is +# adapted to ignore files that: +# - do not begin with a letter or number +# - contain a character that is neither letter nor number nor _-:. +# - contain .dpkg +# +# Yet we strongly suggest that all configuration files either end with a +# .conf or .load suffix in the file name. The next Debian release will +# ignore files not ending with .conf (or .load for mods-enabled). +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections, and which +# of these ports are used for name based virtual hosts. +# +# * Configuration files in the mods-enabled/ and sites-enabled/ directories +# contain particular configuration snippets which manage modules or virtual +# host configurations, respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite. See +# their respective man pages for detailed information. +# +# * Configuration files in the conf.d directory are either provided by other +# packages or may be added by the local administrator. Local additions +# should start with local- or end with .local.conf to avoid name clashes. All +# files in conf.d are considered (excluding the exceptions noted above) by +# the Apache 2 web server. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +LockFile ${APACHE_LOCK_DIR}/accept.lock + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +# default: 5 +KeepAliveTimeout 10 + + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_prefork_module> + # defaults: + # StartServers 5 + # MinSpareServers 5 + # MaxSpareServers 10 + # MaxClients 150 + # MaxRequestsPerChild 0 + + StartServers 8 + MinSpareServers 5 + MaxSpareServers 20 + MaxClients 256 + MaxRequestsPerChild 0 +</IfModule> + +# worker MPM +# StartServers: initial number of server processes to start +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a +# graceful restart. ThreadLimit can only be changed by stopping +# and starting Apache. +# ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# event MPM +# StartServers: initial number of server processes to start +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_event_module> + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# + +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<Files ~ "^\.ht"> + Order allow,deny + Deny from all + Satisfy all +</Files> + +# +# DefaultType is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +# It is also possible to omit any default MIME type and let the +# client's browser guess an appropriate action instead. Typically the +# browser will decide based on the file's extension then. In cases +# where no good assumption can be made, letting the default MIME type +# unset is suggested instead of forcing the browser to accept +# incorrect metadata. +# +DefaultType None + + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# Include module configuration: +Include mods-enabled/*.load +Include mods-enabled/*.conf + +# Include list of ports to listen on and which to use for name based vhosts +Include ports.conf + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). +# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see the comments above for details. + +# Include generic snippets of statements +Include conf.d/ + +# Include the virtual host configurations: +Include sites-enabled/ diff --git a/server/setup/05-service-settings/etc/apache2/apache2.diff b/server/setup/05-service-settings/etc/apache2/apache2.diff new file mode 100644 index 0000000..f4aa836 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/apache2.diff @@ -0,0 +1,1528 @@ +diff -Nur apache2.orig/apache2.conf apache2/apache2.conf +--- apache2.orig/apache2.conf 2013-03-04 22:00:37.000000000 +0100 ++++ apache2/apache2.conf 2013-06-06 07:21:33.251843000 +0200 +@@ -117,7 +117,9 @@ + # KeepAliveTimeout: Number of seconds to wait for the next request from the + # same client on the same connection. + # +-KeepAliveTimeout 5 ++# default: 5 ++KeepAliveTimeout 10 ++ + + ## + ## Server-Pool Size Regulation (MPM specific) +@@ -130,10 +132,17 @@ + # MaxClients: maximum number of server processes allowed to start + # MaxRequestsPerChild: maximum number of requests a server process serves + <IfModule mpm_prefork_module> +- StartServers 5 ++ # defaults: ++ # StartServers 5 ++ # MinSpareServers 5 ++ # MaxSpareServers 10 ++ # MaxClients 150 ++ # MaxRequestsPerChild 0 ++ ++ StartServers 8 + MinSpareServers 5 +- MaxSpareServers 10 +- MaxClients 150 ++ MaxSpareServers 20 ++ MaxClients 256 + MaxRequestsPerChild 0 + </IfModule> + +diff -Nur apache2.orig/mods-enabled/cgid.conf apache2/mods-enabled/cgid.conf +--- apache2.orig/mods-enabled/cgid.conf 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/cgid.conf 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1,2 @@ ++# Socket for cgid communication ++ScriptSock ${APACHE_RUN_DIR}/cgisock +diff -Nur apache2.orig/mods-enabled/cgid.load apache2/mods-enabled/cgid.load +--- apache2.orig/mods-enabled/cgid.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/cgid.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1 @@ ++LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so +diff -Nur apache2.orig/mods-enabled/headers.load apache2/mods-enabled/headers.load +--- apache2.orig/mods-enabled/headers.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/headers.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1 @@ ++LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so +diff -Nur apache2.orig/mods-enabled/proxy_ajp.load apache2/mods-enabled/proxy_ajp.load +--- apache2.orig/mods-enabled/proxy_ajp.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_ajp.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so +diff -Nur apache2.orig/mods-enabled/proxy_balancer.conf apache2/mods-enabled/proxy_balancer.conf +--- apache2.orig/mods-enabled/proxy_balancer.conf 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_balancer.conf 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1,16 @@ ++<IfModule mod_proxy_balancer.c> ++ ++# Balancer manager enables dynamic update of balancer members ++# (needs mod_status). Uncomment to enable. ++# ++#<IfModule mod_status.c> ++#<Location /balancer-manager> ++# SetHandler balancer-manager ++# Order deny,allow ++# Deny from all ++# Allow from 127.0.0.1 ::1 ++# Satisfy all ++#</Location> ++#</IfModule> ++ ++</IfModule> +diff -Nur apache2.orig/mods-enabled/proxy_balancer.load apache2/mods-enabled/proxy_balancer.load +--- apache2.orig/mods-enabled/proxy_balancer.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_balancer.load 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_balancer_module /usr/lib/apache2/modules/mod_proxy_balancer.so +diff -Nur apache2.orig/mods-enabled/proxy.conf apache2/mods-enabled/proxy.conf +--- apache2.orig/mods-enabled/proxy.conf 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy.conf 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1,26 @@ ++<IfModule mod_proxy.c> ++ ++# If you want to use apache2 as a forward proxy, uncomment the ++# 'ProxyRequests On' line and the <Proxy *> block below. ++# WARNING: Be careful to restrict access inside the <Proxy *> block. ++# Open proxy servers are dangerous both to your network and to the ++# Internet at large. ++# ++# If you only want to use apache2 as a reverse proxy/gateway in ++# front of some web application server, you DON'T need ++# 'ProxyRequests On'. ++ ++#ProxyRequests On ++#<Proxy *> ++# AddDefaultCharset off ++# Order deny,allow ++# Deny from all ++# #Allow from .example.com ++#</Proxy> ++ ++# Enable/disable the handling of HTTP/1.1 "Via:" headers. ++# ("Full" adds the server version; "Block" removes all outgoing Via: headers) ++# Set to one of: Off | On | Full | Block ++#ProxyVia Off ++ ++</IfModule> +diff -Nur apache2.orig/mods-enabled/proxy_connect.load apache2/mods-enabled/proxy_connect.load +--- apache2.orig/mods-enabled/proxy_connect.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_connect.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so +diff -Nur apache2.orig/mods-enabled/proxy_ftp.conf apache2/mods-enabled/proxy_ftp.conf +--- apache2.orig/mods-enabled/proxy_ftp.conf 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_ftp.conf 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1,6 @@ ++<IfModule mod_proxy_ftp.c> ++ ++# Define the character set for proxied FTP listings. Default is ISO-8859-1 ++ProxyFtpDirCharset UTF-8 ++ ++</IfModule> +diff -Nur apache2.orig/mods-enabled/proxy_ftp.load apache2/mods-enabled/proxy_ftp.load +--- apache2.orig/mods-enabled/proxy_ftp.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_ftp.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_ftp_module /usr/lib/apache2/modules/mod_proxy_ftp.so +diff -Nur apache2.orig/mods-enabled/proxy_http.load apache2/mods-enabled/proxy_http.load +--- apache2.orig/mods-enabled/proxy_http.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_http.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so +diff -Nur apache2.orig/mods-enabled/proxy.load apache2/mods-enabled/proxy.load +--- apache2.orig/mods-enabled/proxy.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1 @@ ++LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so +diff -Nur apache2.orig/mods-enabled/proxy_scgi.load apache2/mods-enabled/proxy_scgi.load +--- apache2.orig/mods-enabled/proxy_scgi.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/proxy_scgi.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1,2 @@ ++# Depends: proxy ++LoadModule proxy_scgi_module /usr/lib/apache2/modules/mod_proxy_scgi.so +diff -Nur apache2.orig/mods-enabled/rewrite.load apache2/mods-enabled/rewrite.load +--- apache2.orig/mods-enabled/rewrite.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/rewrite.load 2012-10-21 20:41:12.000000000 +0200 +@@ -0,0 +1 @@ ++LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so +diff -Nur apache2.orig/mods-enabled/ssl.conf apache2/mods-enabled/ssl.conf +--- apache2.orig/mods-enabled/ssl.conf 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/ssl.conf 2013-03-04 22:00:37.000000000 +0100 +@@ -0,0 +1,82 @@ ++<IfModule mod_ssl.c> ++# ++# Pseudo Random Number Generator (PRNG): ++# Configure one or more sources to seed the PRNG of the SSL library. ++# The seed data should be of good random quality. ++# WARNING! On some platforms /dev/random blocks if not enough entropy ++# is available. This means you then cannot use the /dev/random device ++# because it would lead to very long connection times (as long as ++# it requires to make more entropy available). But usually those ++# platforms additionally provide a /dev/urandom device which doesn't ++# block. So, if available, use this one instead. Read the mod_ssl User ++# Manual for more details. ++# ++SSLRandomSeed startup builtin ++SSLRandomSeed startup file:/dev/urandom 512 ++SSLRandomSeed connect builtin ++SSLRandomSeed connect file:/dev/urandom 512 ++ ++## ++## SSL Global Context ++## ++## All SSL configuration in this context applies both to ++## the main server and all SSL-enabled virtual hosts. ++## ++ ++# ++# Some MIME-types for downloading Certificates and CRLs ++# ++AddType application/x-x509-ca-cert .crt ++AddType application/x-pkcs7-crl .crl ++ ++# Pass Phrase Dialog: ++# Configure the pass phrase gathering process. ++# The filtering dialog program (`builtin' is a internal ++# terminal dialog) has to provide the pass phrase on stdout. ++SSLPassPhraseDialog builtin ++ ++# Inter-Process Session Cache: ++# Configure the SSL Session Cache: First the mechanism ++# to use and second the expiring timeout (in seconds). ++# (The mechanism dbm has known memory leaks and should not be used). ++#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache ++SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) ++SSLSessionCacheTimeout 300 ++ ++# Semaphore: ++# Configure the path to the mutual exclusion semaphore the ++# SSL engine uses internally for inter-process synchronization. ++SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex ++ ++# SSL Cipher Suite: ++# List the ciphers that the client is permitted to negotiate. See the ++# ciphers(1) man page from the openssl package for list of all available ++# options. ++# Enable only secure ciphers: ++SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 ++ ++# Speed-optimized SSL Cipher configuration: ++# If speed is your main concern (on busy HTTPS servers e.g.), ++# you might want to force clients to specific, performance ++# optimized ciphers. In this case, prepend those ciphers ++# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. ++# Caveat: by giving precedence to RC4-SHA and AES128-SHA ++# (as in the example below), most connections will no longer ++# have perfect forward secrecy - if the server's key is ++# compromised, captures of past or future traffic must be ++# considered compromised, too. ++#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 ++#SSLHonorCipherOrder on ++ ++# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2 ++SSLProtocol all -SSLv2 ++ ++# Allow insecure renegotiation with clients which do not yet support the ++# secure renegotiation protocol. Default: Off ++#SSLInsecureRenegotiation on ++ ++# Whether to forbid non-SNI clients to access name based virtual hosts. ++# Default: Off ++#SSLStrictSNIVHostCheck On ++ ++</IfModule> +diff -Nur apache2.orig/mods-enabled/ssl.load apache2/mods-enabled/ssl.load +--- apache2.orig/mods-enabled/ssl.load 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/mods-enabled/ssl.load 2013-03-03 12:14:45.000000000 +0100 +@@ -0,0 +1 @@ ++LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +diff -Nur apache2.orig/ports.conf apache2/ports.conf +--- apache2.orig/ports.conf 2013-03-03 12:14:45.000000000 +0100 ++++ apache2/ports.conf 2013-06-06 07:46:07.326283000 +0200 +@@ -6,9 +6,11 @@ + # README.Debian.gz + + NameVirtualHost *:80 ++# NameVirtualHost * + Listen 80 + + <IfModule mod_ssl.c> ++ NameVirtualHost *:443 + # If you add NameVirtualHost *:443 here, you will also have to change + # the VirtualHost statement in /etc/apache2/sites-available/default-ssl + # to <VirtualHost *:443> +diff -Nur apache2.orig/sites-available/jausoft.com-ssl apache2/sites-available/jausoft.com-ssl +--- apache2.orig/sites-available/jausoft.com-ssl 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/sites-available/jausoft.com-ssl 2013-06-06 07:36:27.650753118 +0200 +@@ -0,0 +1,204 @@ ++<IfModule mod_ssl.c> ++<VirtualHost jausoft.com:443> ++ ++ # General setup for the virtual host, inherited from global configuration ++ ServerName jausoft.com ++ ServerPath /jausoft.com/ ++ RewriteEngine On ++ DocumentRoot /srv/www/jausoft.com ++ ++ # Use separate log files for the SSL virtual host; note that LogLevel ++ # is not inherited from httpd.conf. ++ ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log ++ TransferLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log ++ LogLevel warn ++ ++ # SSL Engine Switch: ++ # Enable/Disable SSL for this virtual host. ++ SSLEngine on ++ ++ # SSL Protocol support: ++ # List the enable protocol levels with which clients will be able to ++ # connect. Disable SSLv2 access by default: ++ SSLProtocol all -SSLv2 ++ ++ # SSL Cipher Suite: ++ # List the ciphers that the client is permitted to negotiate. ++ # See the mod_ssl documentation for a complete list. ++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW ++ ++ # A self-signed (snakeoil) certificate can be created by installing ++ # the ssl-cert package. See ++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. ++ # If both key and certificate are stored in the same file, only the ++ # SSLCertificateFile directive is needed. ++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem ++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key ++ ++ SSLCertificateFile /etc/ssl/local/jausoft2013-hostcert.pem ++ SSLCertificateKeyFile /etc/ssl/local/jausoft2013-hostkey.apache.pem ++ ++ # Server Certificate Chain: ++ # Point SSLCertificateChainFile at a file containing the ++ # concatenation of PEM encoded CA certificates which form the ++ # certificate chain for the server certificate. Alternatively ++ # the referenced file can be the same as SSLCertificateFile ++ # when the CA certificates are directly appended to the server ++ # certificate for convinience. ++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt ++ ++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem ++ ++ # Certificate Authority (CA): ++ # Set the CA certificate verification path where to find CA ++ # certificates for client authentication or alternatively one ++ # huge file containing all of them (file must be PEM encoded) ++ # Note: Inside SSLCACertificatePath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCACertificatePath /etc/ssl/certs/ ++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt ++ ++ # Certificate Revocation Lists (CRL): ++ # Set the CA revocation path where to find CA CRLs for client ++ # authentication or alternatively one huge file containing all ++ # of them (file must be PEM encoded) ++ # Note: Inside SSLCARevocationPath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCARevocationPath /etc/apache2/ssl.crl/ ++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl ++ ++ # Client Authentication (Type): ++ # Client certificate verification type and depth. Types are ++ # none, optional, require and optional_no_ca. Depth is a ++ # number which specifies how deeply to verify the certificate ++ # issuer chain before deciding the certificate is not valid. ++ #SSLVerifyClient require ++ #SSLVerifyDepth 10 ++ ++ # Access Control: ++ # With SSLRequire you can do per-directory access control based ++ # on arbitrary complex boolean expressions containing server ++ # variable checks and other lookup directives. The syntax is a ++ # mixture between C and Perl. See the mod_ssl documentation ++ # for more details. ++ #<Location /> ++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ ++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ ++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ ++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ ++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ ++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ ++ #</Location> ++ ++ # SSL Engine Options: ++ # Set various options for the SSL engine. ++ # o FakeBasicAuth: ++ # Translate the client X.509 into a Basic Authorisation. This means that ++ # the standard Auth/DBMAuth methods can be used for access control. The ++ # user name is the `one line' version of the client's X.509 certificate. ++ # Note that no password is obtained from the user. Every entry in the user ++ # file needs this password: `xxj31ZMTZzkVA'. ++ # o ExportCertData: ++ # This exports two additional environment variables: SSL_CLIENT_CERT and ++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the ++ # server (always existing) and the client (only existing when client ++ # authentication is used). This can be used to import the certificates ++ # into CGI scripts. ++ # o StdEnvVars: ++ # This exports the standard SSL/TLS related `SSL_*' environment variables. ++ # Per default this exportation is switched off for performance reasons, ++ # because the extraction step is an expensive operation and is usually ++ # useless for serving static content. So one usually enables the ++ # exportation for CGI and SSI requests only. ++ # o StrictRequire: ++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even ++ # under a "Satisfy any" situation, i.e. when it applies access is denied ++ # and no other module can change it. ++ # o OptRenegotiate: ++ # This enables optimized SSL connection renegotiation handling when SSL ++ # directives are used in per-directory context. ++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire ++ <Files ~ "\.(cgi|shtml|phtml|php3?)$"> ++ SSLOptions +StdEnvVars ++ </Files> ++ ++ # SSL Protocol Adjustments: ++ # The safe and default but still SSL/TLS standard compliant shutdown ++ # approach is that mod_ssl sends the close notify alert but doesn't wait for ++ # the close notify alert from client. When you need a different shutdown ++ # approach you can use one of the following variables: ++ # o ssl-unclean-shutdown: ++ # This forces an unclean shutdown when the connection is closed, i.e. no ++ # SSL close notify alert is send or allowed to received. This violates ++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use ++ # this when you receive I/O errors because of the standard approach where ++ # mod_ssl sends the close notify alert. ++ # o ssl-accurate-shutdown: ++ # This forces an accurate shutdown when the connection is closed, i.e. a ++ # SSL close notify alert is send and mod_ssl waits for the close notify ++ # alert of the client. This is 100% SSL/TLS standard compliant, but in ++ # practice often causes hanging connections with brain-dead browsers. Use ++ # this only for browsers where you know that their SSL implementation ++ # works correctly. ++ # Notice: Most problems of broken clients are also related to the HTTP ++ # keep-alive facility, so you usually additionally want to disable ++ # keep-alive for those clients, too. Use variable "nokeepalive" for this. ++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround ++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and ++ # "force-response-1.0" for this. ++ BrowserMatch "MSIE [2-6]" \ ++ nokeepalive ssl-unclean-shutdown \ ++ downgrade-1.0 force-response-1.0 ++ # MSIE 7 and newer should be able to use keepalive ++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown ++ ++ # Per-Server Logging: ++ # The home of a custom SSL log file. Use this when you want a ++ # compact non-error SSL logfile on a virtual host basis. ++ CustomLog /var/log/apache2/ssl_request_log \ ++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ++ ++ ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log ++ CustomLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log common ++ ++ # configures the footer on server-generated documents ++ ServerSignature On ++ ++ <Directory "/srv/www/jausoft.com"> ++ Options Indexes FollowSymLinks ++ AllowOverride All ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ ++ SetEnv GIT_PROJECT_ROOT /srv/scm ++ SetEnv GIT_HTTP_EXPORT_ALL ++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ ++ <Directory "/srv/www/jausoft.com/git"> ++ DirectoryIndex gitweb.cgi ++ Allow from all ++ AllowOverride all ++ Order allow,deny ++ Options ExecCGI ++ <Files gitweb.cgi> ++ SetHandler cgi-script ++ </Files> ++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf ++ </Directory> ++ ++ Alias /icons/ "/srv/www/jausoft.com/icons/" ++ ++ <Directory "/srv/www/jausoft.com/icons"> ++ Options Indexes MultiViews ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ ++</VirtualHost> ++</IfModule> ++ +diff -Nur apache2.orig/sites-available/jogamp.org apache2/sites-available/jogamp.org +--- apache2.orig/sites-available/jogamp.org 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/sites-available/jogamp.org 2013-06-06 07:29:00.470204000 +0200 +@@ -0,0 +1,247 @@ ++# ++# Almost any Apache directive may go into a VirtualHost container. ++# The first VirtualHost section is used for requests without a known ++# server name. ++# ++<VirtualHost *:80> ++ ServerAdmin [email protected] ++ ServerName jogamp.org ++ ServerAlias www.jogamp.org ++ ServerPath /jogamp.org/ ++ RewriteEngine On ++ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ ++ DocumentRoot /srv/www/jogamp.org ++ ++ # don't loose time with IP address lookups ++ HostnameLookups Off ++ ++ # needed for named virtual hosts ++ UseCanonicalName Off ++ ++ # configures the footer on server-generated documents ++ ServerSignature On ++ ++ <Directory "/srv/www/jogamp.org"> ++ Options Indexes FollowSymLinks ++ AllowOverride All ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++ ++ #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{REQUEST_URI} ^/wiki/index.php$ ++ RewriteCond %{QUERY_STRING} ^title=Special:UserLogin ++ RewriteCond %{REQUEST_METHOD} ^GET$ ++ RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE] ++ ++ # ++ # Due to security concerns, session hijacking .. etc .. the whole ++ # bugzilla stream will go over https ++ # ++ RewriteCond %{REQUEST_URI} ^/bugzilla ++ RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE] ++ ++ SetEnv GIT_PROJECT_ROOT /srv/scm ++ SetEnv GIT_HTTP_EXPORT_ALL ++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ ++ <Directory "/srv/www/jogamp.org/git"> ++ DirectoryIndex gitweb.cgi ++ Allow from all ++ AllowOverride all ++ Order allow,deny ++ Options ExecCGI ++ <Files gitweb.cgi> ++ SetHandler cgi-script ++ </Files> ++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf ++ </Directory> ++ ++ Alias /icons/ "/srv/www/jogamp.org/icons/" ++ ++ <Directory "/srv/www/jogamp.org/icons"> ++ Options Indexes MultiViews ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ # ++ # Due to security concerns, session hijacking .. etc .. the whole ++ # hudson and bugzilla stream will go over https ++ # ++ RewriteCond %{REQUEST_URI} ^/chuck ++ RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] ++ ++ #RewriteCond %{REQUEST_URI} ^/chuck ++ #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE] ++ # ++ #RewriteCond %{REQUEST_URI} ^/chuck ++ #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR] ++ #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC] ++ #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] ++ # ++ # Cookies: ++ # wikidb_mw_LoggedOut / ++ # wikidb_mw__session / ++ # wikidb_mw_Token / ++ # wikidb_mw_UserID / ++ # wikidb_mw_UserName / ++ # ++ # Bugzilla_login /bugzilla ++ # Bugzilla_logincookie /bugzilla ++ # DEFAULTFORMAT /bugzilla ++ # ++ # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck ++ # JSESSIONID /chuck ++ # ++ ++ # ++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache ++ # ++ #ProxyRequests Off ++ #ProxyPreserveHost On ++ ++ # Local reverse proxy authorization override ++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) ++ #<Proxy http://localhost:8089/chuck*> ++ # Order deny,allow ++ # Allow from all ++ #</Proxy> ++ #ProxyPass /chuck http://localhost:8080/chuck ++ #ProxyPassReverse /chuck http://localhost:8080/chuck ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName blog.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName bugzilla.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName wiki.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName scm.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jogl.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jocl.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName joal.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName demos.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName chuck.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jogamp.com ++ ServerAlias *.jogamp.com ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined ++ ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++</VirtualHost> ++ ++# ++# Directives to allow use of AWStats as a CGI ++# ++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" ++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/" ++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/" ++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/" ++ ++# ++# This is to permit URL access to scripts/files in AWStats directory. ++# ++<Directory "/usr/local/awstats/wwwroot"> ++ Options None ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++</Directory> ++ +diff -Nur apache2.orig/sites-available/jogamp.org-ssl apache2/sites-available/jogamp.org-ssl +--- apache2.orig/sites-available/jogamp.org-ssl 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/sites-available/jogamp.org-ssl 2013-06-06 07:53:58.298005000 +0200 +@@ -0,0 +1,256 @@ ++<IfModule mod_ssl.c> ++<VirtualHost *:443> ++ ++ # General setup for the virtual host, inherited from global configuration ++ ServerName jogamp.org ++ ServerPath /jogamp.org/ ++ RewriteEngine On ++ DocumentRoot /srv/www/jogamp.org ++ ++ # Use separate log files for the SSL virtual host; note that LogLevel ++ # is not inherited from httpd.conf. ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log ++ TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log ++ LogLevel warn ++ ++ # SSL Engine Switch: ++ # Enable/Disable SSL for this virtual host. ++ SSLEngine on ++ ++ # SSL Protocol support: ++ # List the enable protocol levels with which clients will be able to ++ # connect. Disable SSLv2 access by default: ++ SSLProtocol all -SSLv2 ++ ++ # SSL Cipher Suite: ++ # List the ciphers that the client is permitted to negotiate. ++ # See the mod_ssl documentation for a complete list. ++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW ++ ++ # A self-signed (snakeoil) certificate can be created by installing ++ # the ssl-cert package. See ++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. ++ # If both key and certificate are stored in the same file, only the ++ # SSLCertificateFile directive is needed. ++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem ++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key ++ ++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem ++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem ++ ++ # Server Certificate Chain: ++ # Point SSLCertificateChainFile at a file containing the ++ # concatenation of PEM encoded CA certificates which form the ++ # certificate chain for the server certificate. Alternatively ++ # the referenced file can be the same as SSLCertificateFile ++ # when the CA certificates are directly appended to the server ++ # certificate for convinience. ++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt ++ ++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem ++ ++ # Certificate Authority (CA): ++ # Set the CA certificate verification path where to find CA ++ # certificates for client authentication or alternatively one ++ # huge file containing all of them (file must be PEM encoded) ++ # Note: Inside SSLCACertificatePath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCACertificatePath /etc/ssl/certs/ ++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt ++ ++ # Certificate Revocation Lists (CRL): ++ # Set the CA revocation path where to find CA CRLs for client ++ # authentication or alternatively one huge file containing all ++ # of them (file must be PEM encoded) ++ # Note: Inside SSLCARevocationPath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCARevocationPath /etc/apache2/ssl.crl/ ++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl ++ ++ # Client Authentication (Type): ++ # Client certificate verification type and depth. Types are ++ # none, optional, require and optional_no_ca. Depth is a ++ # number which specifies how deeply to verify the certificate ++ # issuer chain before deciding the certificate is not valid. ++ #SSLVerifyClient require ++ #SSLVerifyDepth 10 ++ ++ # Access Control: ++ # With SSLRequire you can do per-directory access control based ++ # on arbitrary complex boolean expressions containing server ++ # variable checks and other lookup directives. The syntax is a ++ # mixture between C and Perl. See the mod_ssl documentation ++ # for more details. ++ #<Location /> ++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ ++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ ++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ ++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ ++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ ++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ ++ #</Location> ++ ++ # SSL Engine Options: ++ # Set various options for the SSL engine. ++ # o FakeBasicAuth: ++ # Translate the client X.509 into a Basic Authorisation. This means that ++ # the standard Auth/DBMAuth methods can be used for access control. The ++ # user name is the `one line' version of the client's X.509 certificate. ++ # Note that no password is obtained from the user. Every entry in the user ++ # file needs this password: `xxj31ZMTZzkVA'. ++ # o ExportCertData: ++ # This exports two additional environment variables: SSL_CLIENT_CERT and ++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the ++ # server (always existing) and the client (only existing when client ++ # authentication is used). This can be used to import the certificates ++ # into CGI scripts. ++ # o StdEnvVars: ++ # This exports the standard SSL/TLS related `SSL_*' environment variables. ++ # Per default this exportation is switched off for performance reasons, ++ # because the extraction step is an expensive operation and is usually ++ # useless for serving static content. So one usually enables the ++ # exportation for CGI and SSI requests only. ++ # o StrictRequire: ++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even ++ # under a "Satisfy any" situation, i.e. when it applies access is denied ++ # and no other module can change it. ++ # o OptRenegotiate: ++ # This enables optimized SSL connection renegotiation handling when SSL ++ # directives are used in per-directory context. ++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire ++ <Files ~ "\.(cgi|shtml|phtml|php3?)$"> ++ SSLOptions +StdEnvVars ++ </Files> ++ ++ # SSL Protocol Adjustments: ++ # The safe and default but still SSL/TLS standard compliant shutdown ++ # approach is that mod_ssl sends the close notify alert but doesn't wait for ++ # the close notify alert from client. When you need a different shutdown ++ # approach you can use one of the following variables: ++ # o ssl-unclean-shutdown: ++ # This forces an unclean shutdown when the connection is closed, i.e. no ++ # SSL close notify alert is send or allowed to received. This violates ++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use ++ # this when you receive I/O errors because of the standard approach where ++ # mod_ssl sends the close notify alert. ++ # o ssl-accurate-shutdown: ++ # This forces an accurate shutdown when the connection is closed, i.e. a ++ # SSL close notify alert is send and mod_ssl waits for the close notify ++ # alert of the client. This is 100% SSL/TLS standard compliant, but in ++ # practice often causes hanging connections with brain-dead browsers. Use ++ # this only for browsers where you know that their SSL implementation ++ # works correctly. ++ # Notice: Most problems of broken clients are also related to the HTTP ++ # keep-alive facility, so you usually additionally want to disable ++ # keep-alive for those clients, too. Use variable "nokeepalive" for this. ++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround ++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and ++ # "force-response-1.0" for this. ++ BrowserMatch "MSIE [2-6]" \ ++ nokeepalive ssl-unclean-shutdown \ ++ downgrade-1.0 force-response-1.0 ++ # MSIE 7 and newer should be able to use keepalive ++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown ++ ++ # Per-Server Logging: ++ # The home of a custom SSL log file. Use this when you want a ++ # compact non-error SSL logfile on a virtual host basis. ++ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \ ++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ++ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined ++ ++ # configures the footer on server-generated documents ++ ServerSignature On ++ ++ <Directory "/srv/www/jogamp.org"> ++ Options Indexes FollowSymLinks ++ AllowOverride All ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla" ++ <Directory /srv/www/jogamp.org/bugzilla> ++ AddHandler cgi-script .cgi ++ Options +Indexes +ExecCGI -MultiViews +FollowSymLinks ++ DirectoryIndex index.cgi ++ AllowOverride Limit FileInfo Indexes ++ </Directory> ++ ++ SetEnv GIT_PROJECT_ROOT /srv/scm ++ SetEnv GIT_HTTP_EXPORT_ALL ++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ ++ <Directory "/srv/www/jogamp.org/git"> ++ DirectoryIndex gitweb.cgi ++ Allow from all ++ AllowOverride all ++ Order allow,deny ++ Options ExecCGI ++ <Files gitweb.cgi> ++ SetHandler cgi-script ++ </Files> ++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf ++ </Directory> ++ ++ Alias /icons/ "/srv/www/jogamp.org/icons/" ++ ++ <Directory "/srv/www/jogamp.org/icons"> ++ Options Indexes MultiViews ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ # ++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache ++ # ++ ProxyRequests Off ++ ProxyPreserveHost On ++ ++ # Local reverse proxy authorization override ++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) ++ <Proxy http://127.0.0.1:8080/chuck*> ++ Order deny,allow ++ Allow from all ++ </Proxy> ++ ++ ProxyPass /chuck http://127.0.0.1:8080/chuck ++ ProxyPassReverse /chuck http://127.0.0.1:8080/chuck ++ ProxyPassReverse /chuck http://jogamp.org/chuck ++ ++# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/ ++# <Location /chuck/> ++# ProxyPassReverse / ++# Order deny,allow ++# Allow from all ++# </Location> ++ Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/ ++ ++</VirtualHost> ++ ++<VirtualHost *:443> ++ ServerName jogamp.com ++ ServerAlias *.jogamp.com ++ ServerPath /jogamp.org/ ++ SSLEngine on ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined ++ ++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem ++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem ++ ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] ++</VirtualHost> ++ +diff -Nur apache2.orig/sites-enabled/000-default apache2/sites-enabled/000-default +--- apache2.orig/sites-enabled/000-default 2013-03-03 12:14:45.000000000 +0100 ++++ apache2/sites-enabled/000-default 1970-01-01 01:00:00.000000000 +0100 +@@ -1,31 +0,0 @@ +-<VirtualHost *:80> +- ServerAdmin webmaster@localhost +- +- DocumentRoot /var/www +- <Directory /> +- Options FollowSymLinks +- AllowOverride None +- </Directory> +- <Directory /var/www/> +- Options Indexes FollowSymLinks MultiViews +- AllowOverride None +- Order allow,deny +- allow from all +- </Directory> +- +- ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +- <Directory "/usr/lib/cgi-bin"> +- AllowOverride None +- Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +- Order allow,deny +- Allow from all +- </Directory> +- +- ErrorLog ${APACHE_LOG_DIR}/error.log +- +- # Possible values include: debug, info, notice, warn, error, crit, +- # alert, emerg. +- LogLevel warn +- +- CustomLog ${APACHE_LOG_DIR}/access.log combined +-</VirtualHost> +diff -Nur apache2.orig/sites-enabled/000-jogamp.org apache2/sites-enabled/000-jogamp.org +--- apache2.orig/sites-enabled/000-jogamp.org 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/sites-enabled/000-jogamp.org 2013-06-06 07:29:00.470204000 +0200 +@@ -0,0 +1,247 @@ ++# ++# Almost any Apache directive may go into a VirtualHost container. ++# The first VirtualHost section is used for requests without a known ++# server name. ++# ++<VirtualHost *:80> ++ ServerAdmin [email protected] ++ ServerName jogamp.org ++ ServerAlias www.jogamp.org ++ ServerPath /jogamp.org/ ++ RewriteEngine On ++ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ ++ DocumentRoot /srv/www/jogamp.org ++ ++ # don't loose time with IP address lookups ++ HostnameLookups Off ++ ++ # needed for named virtual hosts ++ UseCanonicalName Off ++ ++ # configures the footer on server-generated documents ++ ServerSignature On ++ ++ <Directory "/srv/www/jogamp.org"> ++ Options Indexes FollowSymLinks ++ AllowOverride All ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++ ++ #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{REQUEST_URI} ^/wiki/index.php$ ++ RewriteCond %{QUERY_STRING} ^title=Special:UserLogin ++ RewriteCond %{REQUEST_METHOD} ^GET$ ++ RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE] ++ ++ # ++ # Due to security concerns, session hijacking .. etc .. the whole ++ # bugzilla stream will go over https ++ # ++ RewriteCond %{REQUEST_URI} ^/bugzilla ++ RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE] ++ ++ SetEnv GIT_PROJECT_ROOT /srv/scm ++ SetEnv GIT_HTTP_EXPORT_ALL ++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ ++ <Directory "/srv/www/jogamp.org/git"> ++ DirectoryIndex gitweb.cgi ++ Allow from all ++ AllowOverride all ++ Order allow,deny ++ Options ExecCGI ++ <Files gitweb.cgi> ++ SetHandler cgi-script ++ </Files> ++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf ++ </Directory> ++ ++ Alias /icons/ "/srv/www/jogamp.org/icons/" ++ ++ <Directory "/srv/www/jogamp.org/icons"> ++ Options Indexes MultiViews ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ # ++ # Due to security concerns, session hijacking .. etc .. the whole ++ # hudson and bugzilla stream will go over https ++ # ++ RewriteCond %{REQUEST_URI} ^/chuck ++ RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] ++ ++ #RewriteCond %{REQUEST_URI} ^/chuck ++ #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE] ++ # ++ #RewriteCond %{REQUEST_URI} ^/chuck ++ #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR] ++ #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC] ++ #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] ++ # ++ # Cookies: ++ # wikidb_mw_LoggedOut / ++ # wikidb_mw__session / ++ # wikidb_mw_Token / ++ # wikidb_mw_UserID / ++ # wikidb_mw_UserName / ++ # ++ # Bugzilla_login /bugzilla ++ # Bugzilla_logincookie /bugzilla ++ # DEFAULTFORMAT /bugzilla ++ # ++ # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck ++ # JSESSIONID /chuck ++ # ++ ++ # ++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache ++ # ++ #ProxyRequests Off ++ #ProxyPreserveHost On ++ ++ # Local reverse proxy authorization override ++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) ++ #<Proxy http://localhost:8089/chuck*> ++ # Order deny,allow ++ # Allow from all ++ #</Proxy> ++ #ProxyPass /chuck http://localhost:8080/chuck ++ #ProxyPassReverse /chuck http://localhost:8080/chuck ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName blog.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName bugzilla.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName wiki.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName scm.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jogl.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jocl.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName joal.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName demos.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName chuck.jogamp.org ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++</VirtualHost> ++ ++<VirtualHost *:80> ++ ServerName jogamp.com ++ ServerAlias *.jogamp.com ++ ServerPath /jogamp.org/ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined ++ ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] ++</VirtualHost> ++ ++# ++# Directives to allow use of AWStats as a CGI ++# ++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" ++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/" ++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/" ++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/" ++ ++# ++# This is to permit URL access to scripts/files in AWStats directory. ++# ++<Directory "/usr/local/awstats/wwwroot"> ++ Options None ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++</Directory> ++ +diff -Nur apache2.orig/sites-enabled/001-jogamp.org-ssl apache2/sites-enabled/001-jogamp.org-ssl +--- apache2.orig/sites-enabled/001-jogamp.org-ssl 1970-01-01 01:00:00.000000000 +0100 ++++ apache2/sites-enabled/001-jogamp.org-ssl 2013-06-06 07:53:58.298005000 +0200 +@@ -0,0 +1,256 @@ ++<IfModule mod_ssl.c> ++<VirtualHost *:443> ++ ++ # General setup for the virtual host, inherited from global configuration ++ ServerName jogamp.org ++ ServerPath /jogamp.org/ ++ RewriteEngine On ++ DocumentRoot /srv/www/jogamp.org ++ ++ # Use separate log files for the SSL virtual host; note that LogLevel ++ # is not inherited from httpd.conf. ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log ++ TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log ++ LogLevel warn ++ ++ # SSL Engine Switch: ++ # Enable/Disable SSL for this virtual host. ++ SSLEngine on ++ ++ # SSL Protocol support: ++ # List the enable protocol levels with which clients will be able to ++ # connect. Disable SSLv2 access by default: ++ SSLProtocol all -SSLv2 ++ ++ # SSL Cipher Suite: ++ # List the ciphers that the client is permitted to negotiate. ++ # See the mod_ssl documentation for a complete list. ++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW ++ ++ # A self-signed (snakeoil) certificate can be created by installing ++ # the ssl-cert package. See ++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. ++ # If both key and certificate are stored in the same file, only the ++ # SSLCertificateFile directive is needed. ++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem ++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key ++ ++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem ++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem ++ ++ # Server Certificate Chain: ++ # Point SSLCertificateChainFile at a file containing the ++ # concatenation of PEM encoded CA certificates which form the ++ # certificate chain for the server certificate. Alternatively ++ # the referenced file can be the same as SSLCertificateFile ++ # when the CA certificates are directly appended to the server ++ # certificate for convinience. ++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt ++ ++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem ++ ++ # Certificate Authority (CA): ++ # Set the CA certificate verification path where to find CA ++ # certificates for client authentication or alternatively one ++ # huge file containing all of them (file must be PEM encoded) ++ # Note: Inside SSLCACertificatePath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCACertificatePath /etc/ssl/certs/ ++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt ++ ++ # Certificate Revocation Lists (CRL): ++ # Set the CA revocation path where to find CA CRLs for client ++ # authentication or alternatively one huge file containing all ++ # of them (file must be PEM encoded) ++ # Note: Inside SSLCARevocationPath you need hash symlinks ++ # to point to the certificate files. Use the provided ++ # Makefile to update the hash symlinks after changes. ++ #SSLCARevocationPath /etc/apache2/ssl.crl/ ++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl ++ ++ # Client Authentication (Type): ++ # Client certificate verification type and depth. Types are ++ # none, optional, require and optional_no_ca. Depth is a ++ # number which specifies how deeply to verify the certificate ++ # issuer chain before deciding the certificate is not valid. ++ #SSLVerifyClient require ++ #SSLVerifyDepth 10 ++ ++ # Access Control: ++ # With SSLRequire you can do per-directory access control based ++ # on arbitrary complex boolean expressions containing server ++ # variable checks and other lookup directives. The syntax is a ++ # mixture between C and Perl. See the mod_ssl documentation ++ # for more details. ++ #<Location /> ++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ ++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ ++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ ++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ ++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ ++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ ++ #</Location> ++ ++ # SSL Engine Options: ++ # Set various options for the SSL engine. ++ # o FakeBasicAuth: ++ # Translate the client X.509 into a Basic Authorisation. This means that ++ # the standard Auth/DBMAuth methods can be used for access control. The ++ # user name is the `one line' version of the client's X.509 certificate. ++ # Note that no password is obtained from the user. Every entry in the user ++ # file needs this password: `xxj31ZMTZzkVA'. ++ # o ExportCertData: ++ # This exports two additional environment variables: SSL_CLIENT_CERT and ++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the ++ # server (always existing) and the client (only existing when client ++ # authentication is used). This can be used to import the certificates ++ # into CGI scripts. ++ # o StdEnvVars: ++ # This exports the standard SSL/TLS related `SSL_*' environment variables. ++ # Per default this exportation is switched off for performance reasons, ++ # because the extraction step is an expensive operation and is usually ++ # useless for serving static content. So one usually enables the ++ # exportation for CGI and SSI requests only. ++ # o StrictRequire: ++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even ++ # under a "Satisfy any" situation, i.e. when it applies access is denied ++ # and no other module can change it. ++ # o OptRenegotiate: ++ # This enables optimized SSL connection renegotiation handling when SSL ++ # directives are used in per-directory context. ++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire ++ <Files ~ "\.(cgi|shtml|phtml|php3?)$"> ++ SSLOptions +StdEnvVars ++ </Files> ++ ++ # SSL Protocol Adjustments: ++ # The safe and default but still SSL/TLS standard compliant shutdown ++ # approach is that mod_ssl sends the close notify alert but doesn't wait for ++ # the close notify alert from client. When you need a different shutdown ++ # approach you can use one of the following variables: ++ # o ssl-unclean-shutdown: ++ # This forces an unclean shutdown when the connection is closed, i.e. no ++ # SSL close notify alert is send or allowed to received. This violates ++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use ++ # this when you receive I/O errors because of the standard approach where ++ # mod_ssl sends the close notify alert. ++ # o ssl-accurate-shutdown: ++ # This forces an accurate shutdown when the connection is closed, i.e. a ++ # SSL close notify alert is send and mod_ssl waits for the close notify ++ # alert of the client. This is 100% SSL/TLS standard compliant, but in ++ # practice often causes hanging connections with brain-dead browsers. Use ++ # this only for browsers where you know that their SSL implementation ++ # works correctly. ++ # Notice: Most problems of broken clients are also related to the HTTP ++ # keep-alive facility, so you usually additionally want to disable ++ # keep-alive for those clients, too. Use variable "nokeepalive" for this. ++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround ++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and ++ # "force-response-1.0" for this. ++ BrowserMatch "MSIE [2-6]" \ ++ nokeepalive ssl-unclean-shutdown \ ++ downgrade-1.0 force-response-1.0 ++ # MSIE 7 and newer should be able to use keepalive ++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown ++ ++ # Per-Server Logging: ++ # The home of a custom SSL log file. Use this when you want a ++ # compact non-error SSL logfile on a virtual host basis. ++ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \ ++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ++ ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined ++ ++ # configures the footer on server-generated documents ++ ServerSignature On ++ ++ <Directory "/srv/www/jogamp.org"> ++ Options Indexes FollowSymLinks ++ AllowOverride All ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla" ++ <Directory /srv/www/jogamp.org/bugzilla> ++ AddHandler cgi-script .cgi ++ Options +Indexes +ExecCGI -MultiViews +FollowSymLinks ++ DirectoryIndex index.cgi ++ AllowOverride Limit FileInfo Indexes ++ </Directory> ++ ++ SetEnv GIT_PROJECT_ROOT /srv/scm ++ SetEnv GIT_HTTP_EXPORT_ALL ++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ ++ <Directory "/srv/www/jogamp.org/git"> ++ DirectoryIndex gitweb.cgi ++ Allow from all ++ AllowOverride all ++ Order allow,deny ++ Options ExecCGI ++ <Files gitweb.cgi> ++ SetHandler cgi-script ++ </Files> ++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf ++ </Directory> ++ ++ Alias /icons/ "/srv/www/jogamp.org/icons/" ++ ++ <Directory "/srv/www/jogamp.org/icons"> ++ Options Indexes MultiViews ++ AllowOverride None ++ Order allow,deny ++ Allow from all ++ </Directory> ++ ++ # ++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache ++ # ++ ProxyRequests Off ++ ProxyPreserveHost On ++ ++ # Local reverse proxy authorization override ++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) ++ <Proxy http://127.0.0.1:8080/chuck*> ++ Order deny,allow ++ Allow from all ++ </Proxy> ++ ++ ProxyPass /chuck http://127.0.0.1:8080/chuck ++ ProxyPassReverse /chuck http://127.0.0.1:8080/chuck ++ ProxyPassReverse /chuck http://jogamp.org/chuck ++ ++# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/ ++# <Location /chuck/> ++# ProxyPassReverse / ++# Order deny,allow ++# Allow from all ++# </Location> ++ Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/ ++ ++</VirtualHost> ++ ++<VirtualHost *:443> ++ ServerName jogamp.com ++ ServerAlias *.jogamp.com ++ ServerPath /jogamp.org/ ++ SSLEngine on ++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log ++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined ++ ++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem ++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem ++ ++ RewriteEngine On ++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] ++ ++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] ++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] ++</VirtualHost> ++ diff --git a/server/setup/05-service-settings/etc/apache2/mods-enabled.lst b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst new file mode 100644 index 0000000..c2df5c0 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst @@ -0,0 +1,44 @@ +alias.conf +alias.load +auth_basic.load +authn_file.load +authz_default.load +authz_groupfile.load +authz_host.load +authz_user.load +autoindex.conf +autoindex.load +cgid.conf +cgid.load +cgi.load +deflate.conf +deflate.load +dir.conf +dir.load +env.load +headers.load +mime.conf +mime.load +negotiation.conf +negotiation.load +php5.conf +php5.load +proxy_ajp.load +proxy_balancer.conf +proxy_balancer.load +proxy.conf +proxy_connect.load +proxy_ftp.conf +proxy_ftp.load +proxy_http.load +proxy.load +proxy_scgi.load +reqtimeout.conf +reqtimeout.load +rewrite.load +setenvif.conf +setenvif.load +ssl.conf +ssl.load +status.conf +status.load diff --git a/server/setup/05-service-settings/etc/apache2/ports.conf b/server/setup/05-service-settings/etc/apache2/ports.conf new file mode 100644 index 0000000..a319afa --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/ports.conf @@ -0,0 +1,25 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default +# This is also true if you have upgraded from before 2.2.9-3 (i.e. from +# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and +# README.Debian.gz + +NameVirtualHost *:80 +# NameVirtualHost * +Listen 80 + +<IfModule mod_ssl.c> + NameVirtualHost *:443 + # If you add NameVirtualHost *:443 here, you will also have to change + # the VirtualHost statement in /etc/apache2/sites-available/default-ssl + # to <VirtualHost *:443> + # Server Name Indication for SSL named virtual hosts is currently not + # supported by MSIE on Windows XP. + Listen 443 +</IfModule> + +<IfModule mod_gnutls.c> + Listen 443 +</IfModule> + diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org new file mode 100644 index 0000000..f9101fa --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org @@ -0,0 +1,247 @@ +# +# Almost any Apache directive may go into a VirtualHost container. +# The first VirtualHost section is used for requests without a known +# server name. +# +<VirtualHost *:80> + ServerAdmin [email protected] + ServerName jogamp.org + ServerAlias www.jogamp.org + ServerPath /jogamp.org/ + RewriteEngine On + + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + + DocumentRoot /srv/www/jogamp.org + + # don't loose time with IP address lookups + HostnameLookups Off + + # needed for named virtual hosts + UseCanonicalName Off + + # configures the footer on server-generated documents + ServerSignature On + + <Directory "/srv/www/jogamp.org"> + Options Indexes FollowSymLinks + AllowOverride All + Order allow,deny + Allow from all + </Directory> + + RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] + + #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{REQUEST_URI} ^/wiki/index.php$ + RewriteCond %{QUERY_STRING} ^title=Special:UserLogin + RewriteCond %{REQUEST_METHOD} ^GET$ + RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE] + + # + # Due to security concerns, session hijacking .. etc .. the whole + # bugzilla stream will go over https + # + RewriteCond %{REQUEST_URI} ^/bugzilla + RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE] + + SetEnv GIT_PROJECT_ROOT /srv/scm + SetEnv GIT_HTTP_EXPORT_ALL + ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ + <Directory "/srv/www/jogamp.org/git"> + DirectoryIndex gitweb.cgi + Allow from all + AllowOverride all + Order allow,deny + Options ExecCGI + <Files gitweb.cgi> + SetHandler cgi-script + </Files> + SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf + </Directory> + + Alias /icons/ "/srv/www/jogamp.org/icons/" + + <Directory "/srv/www/jogamp.org/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + + # + # Due to security concerns, session hijacking .. etc .. the whole + # hudson and bugzilla stream will go over https + # + RewriteCond %{REQUEST_URI} ^/chuck + RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] + + #RewriteCond %{REQUEST_URI} ^/chuck + #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE] + # + #RewriteCond %{REQUEST_URI} ^/chuck + #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR] + #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC] + #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE] + # + # Cookies: + # wikidb_mw_LoggedOut / + # wikidb_mw__session / + # wikidb_mw_Token / + # wikidb_mw_UserID / + # wikidb_mw_UserName / + # + # Bugzilla_login /bugzilla + # Bugzilla_logincookie /bugzilla + # DEFAULTFORMAT /bugzilla + # + # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck + # JSESSIONID /chuck + # + + # + # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache + # + #ProxyRequests Off + #ProxyPreserveHost On + + # Local reverse proxy authorization override + # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) + #<Proxy http://localhost:8089/chuck*> + # Order deny,allow + # Allow from all + #</Proxy> + #ProxyPass /chuck http://localhost:8080/chuck + #ProxyPassReverse /chuck http://localhost:8080/chuck +</VirtualHost> + +<VirtualHost *:80> + ServerName blog.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName bugzilla.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName wiki.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName scm.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jogl.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jocl.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName joal.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName demos.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName chuck.jogamp.org + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined + RewriteEngine On + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] +</VirtualHost> + +<VirtualHost *:80> + ServerName jogamp.com + ServerAlias *.jogamp.com + ServerPath /jogamp.org/ + ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log + CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined + + RewriteEngine On + RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] + RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE] +</VirtualHost> + +# +# Directives to allow use of AWStats as a CGI +# +#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" +#Alias /awstatscss "/usr/local/awstats/wwwroot/css/" +#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/" +#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/" + +# +# This is to permit URL access to scripts/files in AWStats directory. +# +<Directory "/usr/local/awstats/wwwroot"> + Options None + AllowOverride None + Order allow,deny + Allow from all +</Directory> + diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl new file mode 100644 index 0000000..062d2d5 --- /dev/null +++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl @@ -0,0 +1,256 @@ +<IfModule mod_ssl.c> +<VirtualHost *:443> + + # General setup for the virtual host, inherited from global configuration + ServerName jogamp.org + ServerPath /jogamp.org/ + RewriteEngine On + DocumentRoot /srv/www/jogamp.org + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log + TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log + LogLevel warn + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # SSL Protocol support: + # List the enable protocol levels with which clients will be able to + # connect. Disable SSLv2 access by default: + SSLProtocol all -SSLv2 + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem + SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + #<Location /> + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + #</Location> + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + <Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars + </Files> + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + # Per-Server Logging: + # The home of a custom SSL log file. Use this when you want a + # compact non-error SSL logfile on a virtual host basis. + CustomLog /var/log/apache2/jogamp.org-ssl-request.log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined + + # configures the footer on server-generated documents + ServerSignature On + + <Directory "/srv/www/jogamp.org"> + Options Indexes FollowSymLinks + AllowOverride All + Order allow,deny + Allow from all + </Directory> + +# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla" + <Directory /srv/www/jogamp.org/bugzilla> + AddHandler cgi-script .cgi + Options +Indexes +ExecCGI -MultiViews +FollowSymLinks + DirectoryIndex index.cgi + AllowOverride Limit FileInfo Indexes + </Directory> + + SetEnv GIT_PROJECT_ROOT /srv/scm + SetEnv GIT_HTTP_EXPORT_ALL + ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/ + <Directory "/srv/www/jogamp.org/git"> + DirectoryIndex gitweb.cgi + Allow from all + AllowOverride all + Order allow,deny + Options ExecCGI + <Files gitweb.cgi> + SetHandler cgi-script + </Files> + SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf + </Directory> + + Alias /icons/ "/srv/www/jogamp.org/icons/" + + <Directory "/srv/www/jogamp.org/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + + # + # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache + # + ProxyRequests Off + ProxyPreserveHost On + + # Local reverse proxy authorization override + # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) + <Proxy http://127.0.0.1:8080/chuck*> + Order deny,allow + Allow from all + </Proxy> + + ProxyPass /chuck http://127.0.0.1:8080/chuck + ProxyPassReverse /chuck http://127.0.0.1:8080/chuck + ProxyPassReverse /chuck http://jogamp.org/chuck + +# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/ +# <Location /chuck/> +# ProxyPassReverse / +# Order deny,allow +# Allow from all +# </Location> + Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/ + +</VirtualHost> + +<VirtualHost *:443> + ServerName jogamp.com + ServerAlias *.jogamp.com + ServerPath /jogamp.org/ + SSLEngine on + ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log + CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined + + SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem + SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem + + RewriteEngine On + RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE] + + RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC] + RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE] +</VirtualHost> + diff --git a/server/setup/05-service-settings/etc/xinetd.d/git b/server/setup/05-service-settings/etc/xinetd.d/git new file mode 100644 index 0000000..fed3461 --- /dev/null +++ b/server/setup/05-service-settings/etc/xinetd.d/git @@ -0,0 +1,15 @@ +# default: off +# description: The rsync server is a good addition to an ftp server, as it \ +# allows crc checksumming etc. +service git +{ + disable = no + socket_type = stream + port = 9418 + wait = no + user = nobody + server = /usr/bin/git + server_args = daemon --inetd --syslog --verbose --export-all /srv/scm + log_on_failure += USERID +} + diff --git a/server/setup/05-service-settings/srv/scm/gitweb.conf b/server/setup/05-service-settings/srv/scm/gitweb.conf new file mode 100644 index 0000000..36056e0 --- /dev/null +++ b/server/setup/05-service-settings/srv/scm/gitweb.conf @@ -0,0 +1,20 @@ + +$git_temp = "/tmp"; + +# The directories where your projects are. Must not end with a slash. +$projectroot = "/srv/scm"; + +# Base URLs for links displayed in the web interface. +our @git_base_url_list = qw(git://jausoft.com/srv/scm http://jausoft.com/srv/scm); + +$feature{'blame'}{'default'} = [1]; +$feature{'blame'}{'override'} = 1; + +$feature{'pickaxe'}{'default'} = [1]; +$feature{'pickaxe'}{'override'} = 1; + +$feature{'snapshot'}{'default'} = ['']; +#$feature{'snapshot'}{'default'} = ['tbz2']; +#$feature{'snapshot'}{'default'} = ['tbz2', 'tgz', 'zip', 't7z']; +#$feature{'snapshot'}{'override'} = 2; + |