From 8d9e318bf5be4578e018de1e5b78e792ddf8b8ea Mon Sep 17 00:00:00 2001
From: Sven Gothel
Date: Mon, 23 Jan 2023 01:24:34 +0100
Subject: Bump server settings updates

---
 server/setup/05-service-settings/02-SERVICES.txt | 33 +++++++++----
 .../apache2/sites-available/jogamp_org-ssl.conf | 57 ++++++++++++++++------
 2 files changed, 64 insertions(+), 26 deletions(-)

(limited to 'server/setup')

diff --git a/server/setup/05-service-settings/02-SERVICES.txt b/server/setup/05-service-settings/02-SERVICES.txt
index f832bea..4438c55 100644
--- a/server/setup/05-service-settings/02-SERVICES.txt
+++ b/server/setup/05-service-settings/02-SERVICES.txt
@@ -164,27 +164,40 @@ Debian 7.00 (Wheezy) 11.2 bugzilla - Debian 7 - Squash that - DO NOT INSTALL SYSTEM WIDE modules: - apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev - apt-get install libappconfig-perl libdate-calc-perl libtemplate-perl libmime-perl libdatetime-timezone-perl libdatetime-perl libemail-sender-perl libemail-mime-perl libemail-mime-modifier-perl libdbi-perl libdbd-mysql-perl libcgi-pm-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl apache2-mpm-prefork libapache2-mod-perl2 libapache2-mod-perl2-dev libchart-perl libxml-perl libxml-twig-perl perlmagick libgd-graph-perl libtemplate-plugin-gd-perl libsoap-lite-perl libhtml-scrubber-perl libjson-rpc-perl libtheschwartz-perl libtest-taint-perl libauthen-radius-perl libfile-slurp-perl libencode-detect-perl libmodule-build-perl libnet-ldap-perl libauthen-sasl-perl libtemplate-perl-doc libfile-mimeinfo-perl libhtml-formattext-withlinks-perl libmysqlclient-dev lynx-cur graphviz python-sphinx libgd2-xpm-dev - Ensure the following are NOT installed: - dpkg -P libjson-any-perl libcgi-application-plugin-json-perl libcgi-application-extra-plugin-bundle-perl libjson-perl - - I had to remove system wide perl modules .. collision .. why o why - i.e. how to enforce bugzilla to use bugzilla/lib installed modules only? - - - misc for perl/bugzilla + Install + apt-get install libapache2-mod-perl2-dev libapache2-mod-perl2 + apt-get install libgd-dev libgd3 + apt install libgdbm-dev libgdbm6 + apt-get install libdbd-mysql-perl + libcgi-pm-perl libcgi-fast-perl libcgi-session-perl libfcgi-perl + libemail-mime-perl libemail-sender-perl + libtemplate-perl libhtml-template-perl + libjson-perl libjson-xs-perl + libmath-bigint-perl libmath-random-isaac-perl libmath-random-isaac-xs-perl + + - As User: misc for perl/bugzilla - Perl: redo init (find closest mirror ..) 
- perl -MCPAN -e shell - o conf init + a2enmod rewrite + a2enmod expires + + As User: See https://bugzilla.readthedocs.org/en/5.0/installing/linux.html#perl-modules ./checksetup.pl --check-modules + /usr/bin/perl install-module.pl --all /usr/bin/perl install-module.pl --upgrade-all ./checksetup.pl --check-modules ./checksetup.pl + # bugzilla folder must be owned by webrunner (suexec) + chown -R webrunner:webrunner . + + systemctl restart apache2 + /etc/init.d/apache2 restart + - https://www.bugzilla.org/download/#stable 11.3 mediawiki
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index cc27035..be36970 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -1,6 +1,9 @@
-
+SSLSessionCache shmcb:/var/run/apache/sslcache(512000)
+SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
+
+
 # General setup for the virtual host, inherited from global configuration
 ServerName jogamp.org
 ServerAlias www.jogamp.org
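Review bot: The two cache paths added at the top of jogamp_org-ssl.conf disagree with each other: `SSLSessionCache shmcb:/var/run/apache/sslcache(512000)` points at `/var/run/apache`, while the stapling cache on the next line uses `/var/run/apache2`. On Debian the runtime directory is `/var/run/apache2`, exported as `APACHE_RUN_DIR` by the same envvars mechanism this file already relies on for `APACHE_LOG_DIR`; if `/var/run/apache` does not exist at startup mod_ssl presumably cannot create the shmcb file and httpd will not start, and a directory created by hand under `/var/run` does not survive a reboot. Suggest `SSLSessionCache shmcb:${APACHE_RUN_DIR}/sslcache(512000)` and `SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)`. Debian's mods-enabled/ssl.conf also sets SSLSessionCache, so it is worth confirming this is not a second definition of the same cache.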
@@ -9,11 +12,33 @@
 RewriteEngine On
 DocumentRoot /srv/www/jogamp.org
+ UseCanonicalName Off
+
+ # Guarantee HTTPS for 1 Year including Sub Domains
+ # Not OK: Header always set Strict-Transport-Security "max-age=31536000;includeSubDomains"
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ Header always set Content-Security-Policy "frame-ancestors 'self'"
+ Header always set X-Frame-Options "SAMEORIGIN"
+ Header always set X-XSS-Protection "1; mode=block"
+ # Prevent browsers from incorrectly detecting non-scripts as scripts
+ Header always set X-Content-Type-Options "nosniff"
+
+ ##Header always set Content-Security-Policy "default-src https:"
+ ##Header always set Content-Security-Policy "default-src 'self'; img-src 'self'; script-src 'self'; object-src 'self'"
+
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
 LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+ #TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 # SSL Engine Switch:
 # Enable/Disable SSL for this virtual host.
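Review bot: The comment `# Guarantee HTTPS for 1 Year including Sub Domains` contradicts the directive beneath it, which deliberately leaves out `includeSubDomains` (the `# Not OK:` line keeps the rejected variant), so the next maintainer is likely to "fix" the directive back. Reword it to state the decision and its reason: `# HSTS for 1 year, this host only: includeSubDomains is intentionally omitted (reason: TODO, see the rejected variant below)`. The `Header always set X-XSS-Protection "1; mode=block"` line is also worth reconsidering: the auditor it controls has been removed from current Chromium-based browsers and never existed in Firefox, and OWASP now recommends `0` or omitting the header because the legacy filter itself caused information-leak problems; the `frame-ancestors` CSP and `nosniff` lines are the ones providing real protection here. The enclosing virtual-host block starts and ends outside this hunk.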
@@ -30,13 +55,19 @@
 # LOW: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 # Enable only secure ciphers:
 #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+ #SSLCipherSuite HIGH:!ECDHE:!aNULL:!MD5
+ #SSLCipherSuite HIGH:!aNULL:!MD5
+ SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+ # 2017: https://weakdh.org/sysadmin.html
+ #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
 #SSLCipherSuite 
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
- SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ #SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
 SSLHonorCipherOrder on
- SetEnv no-gzip
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/local/dhparams-4096.pem"
 # Add content to the 1st file of SSLCertificateFile
 # /etc/ssl/local/DH-1024.pem
@@ -50,8 +81,8 @@
 # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
 # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- SSLCertificateFile /etc/ssl/local/jogamp2020a.org.crt.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2020a.org.key.apache.pem
+ SSLCertificateFile /etc/ssl/local/jogamp2022a.org.crt.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2022a.org.key.apache.pem
 # Server Certificate Chain:
 # Point SSLCertificateChainFile at a file containing the
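Review bot: The new active `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:…` line gives up the forward secrecy the replaced DHE-only list (now commented out directly below it) provided: OpenSSL's `HIGH` group contains static-RSA key-exchange suites such as `AES256-SHA`, so a client that offers only those still gets a session that a later compromise of the server key would expose, and the old list's blanket `!3DES` has been narrowed to three named 3DES suites. Add `!kRSA` and restore `!3DES`, e.g. `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!kRSA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA`; the retained `SSLHonorCipherOrder on` then still lets the server choose among the remaining ECDHE/DHE suites. The new `SSLOpenSSLConfCmd DHParameters "/etc/ssl/local/dhparams-4096.pem"` also supersedes the comment right after it (`# Add content to the 1st file of SSLCertificateFile` / `# /etc/ssl/local/DH-1024.pem`), which now describes a 1024-bit approach no longer in effect and should be dropped or updated. The ssl-request log added in the previous hunk records `SSL_CIPHER` per request, which is the right evidence to check that no legitimate client still depends on the suites being removed.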
@@ -171,14 +202,9 @@
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- # Per-Server Logging:
- # The home of a custom SSL log file. Use this when you want a
- # compact non-error SSL logfile on a virtual host basis.
- CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+ SSLUseStapling on
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+ SetEnv no-gzip
 # configures the footer on server-generated documents
 ServerSignature On
@@ -223,7 +249,6 @@ # ScriptAlias /cgit/ "/srv/www/cgit/cgit.cgi/"
- #RedirectMatch ^/cgit$ /cgit/
 Alias /cgit-css "/usr/share/cgit/"
 AllowOverride None
@@ -276,7 +301,7 @@
 RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
 RewriteCond %{HTTP_HOST} ^scm\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/git/$1 [R=301,L,NE]
+ RewriteRule ^/(.*)$ https://jogamp.org/cgit/$1 [R=301,L,NE]
 RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
 RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
-- 
cgit v1.2.3
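Review bot: `SSLUseStapling on` is added without the two directives that govern what happens when the OCSP responder is unreachable, so with mod_ssl's defaults (`SSLStaplingReturnResponderErrors on`, `SSLStaplingResponderTimeout 10`) a responder outage is passed to clients as a stapled error and a handshake that triggers a cache refresh can wait up to 10 s. Add `SSLStaplingReturnResponderErrors off` and `SSLStaplingResponderTimeout 5` next to it so responder trouble degrades to "no staple sent" rather than a failed or stalled handshake. This line also depends on the `SSLStaplingCache` placed at server scope in the first hunk of this file; mod_ssl presumably rejects stapling without a server-level cache, so a comment such as `# needs the server-scope SSLStaplingCache at the top of this file` would save the next person from moving it inside the virtual host. The enclosing virtual-host block starts and ends outside this hunk.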