diverses modification de apacheconfig et apache.tools
- rétablir deux répertoires de templates différents: celui pour debian wheezy- est distinct de celui pour jessie+ - support d'une configuration complète ou partielle - support de la mise à jour de la configuration réseau: configuration complète (interfaces standards et bridge) ou partielle (ajout d'adresse ip) - support de templates pour la création de nouveaux sites - améliorer le support des certificats: utiliser ceux qui sont déjà installés le cas échéant. - support de fichiers *rewrite*.rules directement dans le répertoire principal. Les fichiers de RewriteRules/ sont obsolètes. - quickstart pour apacheconfig, afin de simplifier son utilisation dans des scripts - fonction legacy_mkRewriteRules() pour pouvoir traiter les fichiers *rewrite*.rules dans des scripts.
parent
c552d2de56
commit
e3cd3cec3f
163
apacheconfig
163
apacheconfig
|
@ -16,6 +16,19 @@ OPTIONS
|
|||
Créer un nouveau répertoire de configuration pour un hôte
|
||||
-d, --destdir DESTDIR[=$TEMPLATECTL_NAME]
|
||||
Nom du répertoire local de configuration.
|
||||
-f,--full
|
||||
--partial
|
||||
Indiquer respectivement que la configuration est complète ou partielle.
|
||||
Avec la configuration complète, le serveur peut être complètement
|
||||
configuré avec tous les fichiers présents. Avec la configuration
|
||||
partielle, uniquement les informations spécifiques à un service en
|
||||
particulier sont disponibles.
|
||||
Cette option est utilisée avec --create. Par défaut, la configuration
|
||||
est partielle.
|
||||
Pour le moment, la seule différence est que --full crée un fichier de
|
||||
configuration nommé .apacheconfig alors que --partial crée un fichier
|
||||
nommé apacheconfig.conf qui est visible et donc découvrable et éditable
|
||||
plus facilement
|
||||
|
||||
-t, --template [OPT]
|
||||
Gérer les fichiers du répertoire local avec templatectl. La valeur de
|
||||
|
@ -46,9 +59,12 @@ OPTIONS
|
|||
Lors du déploiement de la configuration, les valeurs des variables
|
||||
dynamiques sont remplacées dans les fichiers destination.
|
||||
Les arguments qui restent sont passés tels quels à apache_autoconf
|
||||
-N, --network-config
|
||||
Mettre aussi à jour la configuration réseau.
|
||||
-r, --certsdir CERTSDIR
|
||||
Spécifier le cas échéant le répertoire contenant les certificats à
|
||||
déployer. Cet argument est requis si le répertoire certsconf/ existe.
|
||||
déployer. Cet argument est requis si le répertoire certsconf/ existe,
|
||||
sauf si les certificats sont déjà déployés.
|
||||
|
||||
--localhosts
|
||||
Créer dans le fichier /etc/hosts tous les noms d'hôte ayant un suffixe
|
||||
|
@ -63,24 +79,45 @@ OPTIONS
|
|||
-S, --one-site SITE
|
||||
Ne déployer que le fichier de site spécifié. Cette option est utilisée
|
||||
avec --deploy ou --localhosts et est utile pour le développement et les
|
||||
tests."
|
||||
tests.
|
||||
|
||||
-k, --new-site HOST.TLD
|
||||
Créer une définition pour un nouveau site à partir des fichiers du
|
||||
répertoires templates/
|
||||
-K, --new-site-templatedir TEMPLATEDIR
|
||||
Spécifier le répertoire source pour les templates de site utilisés par
|
||||
l'option --new-site. Par défaut, utiliser le répertoire templates/ situé
|
||||
dans le répertoire de configuration.
|
||||
Si TEMPLATEDIR est un nom simple sans séparateur de chemin '/' et qu'un
|
||||
répertoire templates/TEMPLATEDIR existe, alors prendre ce répertoire-là
|
||||
comme source.
|
||||
--new-site-force
|
||||
Avec --new-site, utiliser le nom d'hôte fourni même s'il n'est pas
|
||||
pleinement qualifié"
|
||||
}
|
||||
|
||||
action=
|
||||
destdir=
|
||||
nohideconfig=
|
||||
nohideconfig=auto
|
||||
templateopt=
|
||||
FULLCONF=
|
||||
netconf=
|
||||
aac_certsdir=
|
||||
bits=
|
||||
oneconf=
|
||||
onemodule=
|
||||
onesite=
|
||||
site_host=
|
||||
site_templdir=
|
||||
site_force=
|
||||
args=(
|
||||
--help '$exit_with display_help'
|
||||
-c,--create action=create
|
||||
-d:,--destdir: destdir=
|
||||
--no-hideconfig nohideconfig=1
|
||||
--hideconfig nohideconfig=
|
||||
-f,--full FULLCONF=1
|
||||
--partial FULLCONF=
|
||||
-t::,--template:: '$set@ templateopt; action=template'
|
||||
--help-template '$templateopt=-help; action=template'
|
||||
-l,--list '$templateopt=l; action=template'
|
||||
|
@ -96,15 +133,23 @@ args=(
|
|||
-8,--jessie '$array_add TEMPLATECTL_VARS sysver=jessie'
|
||||
--bits: bits=
|
||||
-u,--update,--deploy action=deploy
|
||||
-N,--network-config netconf=1
|
||||
-r:,--certsdir: aac_certsdir=
|
||||
--localhosts action=localhosts
|
||||
-C:,--one-conf: oneconf=
|
||||
-M:,--one-module: onemodule=
|
||||
-S:,--one-site: onesite=
|
||||
-k:,--new-site: '$action=new-site; set@ site_host'
|
||||
-K:,--new-site-templatedir: site_templdir=
|
||||
--new-site-force site_force=
|
||||
)
|
||||
parse_args "$@"; set -- "${args[@]}"
|
||||
|
||||
apacheconfig_loadconf "$destdir" || die
|
||||
if [ "$nohideconfig" == auto ]; then
|
||||
[ -n "$FULLCONF" ] && nohideconfig= || nohideconfig=1
|
||||
fi
|
||||
|
||||
apacheconfig_loadconf "$destdir" "$nohideconfig" || die
|
||||
apacheconfig_sysinfos "$sysname" "$sysdist" "$sysver" "$bits"
|
||||
|
||||
################################################################################
|
||||
|
@ -128,7 +173,7 @@ if [ "$action" == create ]; then
|
|||
ask_yesno "Le fichier $(ppath "$config") sera écrasé. Voulez-vous continuer?" O || die
|
||||
rm -f "$config" || die
|
||||
fi
|
||||
templatectl -d "$destdir" --config "$config" --no-load-vars -m --write-vars
|
||||
templatectl -d "$destdir" --config "$config" ${nohideconfig:+--no-hide-config} --no-load-vars -m --write-vars
|
||||
|
||||
################################################################################
|
||||
elif [ "$action" == template ]; then
|
||||
|
@ -142,7 +187,9 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
|
|||
[ -d "$destdir" ] || die "$destdir: répertoire introuvable"
|
||||
|
||||
args=(
|
||||
-d "$destdir" --$action ${aac_certsdir:+-r "$aac_certsdir"}
|
||||
-d "$destdir" --$action
|
||||
${netconf:+--network-config}
|
||||
${aac_certsdir:+-r "$aac_certsdir"}
|
||||
${oneconf:+--one-conf "$oneconf"}
|
||||
${onemodule:+--one-module "$onemodule"}
|
||||
${onesite:+--one-site "$onesite"}
|
||||
|
@ -160,11 +207,113 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
|
|||
apacheconfig_deploy \
|
||||
"$destdir" "$aac_certsdir" \
|
||||
"$config" "$oneconf" "$onemodule" "$onesite" \
|
||||
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" || die
|
||||
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" \
|
||||
"$netconf" || die
|
||||
eend
|
||||
elif [ "$action" == localhosts ]; then
|
||||
etitle "Mise à jour de /etc/hosts"
|
||||
apacheconfig_deploy_localhosts "$destdir" "$aac_certsdir" "$onesite" || die
|
||||
eend
|
||||
fi
|
||||
|
||||
################################################################################
|
||||
elif [ "$action" == new-site ]; then
|
||||
host="$site_host"
|
||||
templdir="$site_templdir"
|
||||
if [[ "$templdir" != */* ]] && [ -d "$destdir/templates/$templdir" ]; then
|
||||
templdir="$destdir/templates/$templdir"
|
||||
elif [ -z "$templdir" ]; then
|
||||
templdir="$destdir/templates"
|
||||
fi
|
||||
[ -d "$templdir" ] || die "$templdir: répertoire introuvable"
|
||||
force="$site_force"
|
||||
|
||||
clrtempl=
|
||||
ssltempl=
|
||||
certstempl=
|
||||
wwwtempl=
|
||||
array_from_lines templs "$(list_files "$templdir" "*SITE.conf")"
|
||||
[ ${#templs[*]} -gt 0 ] && clrtempl="${templs[0]}"
|
||||
array_from_lines templs "$(list_files "$templdir" "*SITE.ssl.conf")"
|
||||
[ ${#templs[*]} -gt 0 ] && ssltempl="${templs[0]}"
|
||||
array_from_lines templs "$(list_files "$templdir" "*SITE-certs.conf")"
|
||||
[ ${#templs[*]} -gt 0 ] && certstempl="${templs[0]}"
|
||||
array_from_lines templs "$(list_dirs "$templdir" "*SITE")"
|
||||
[ ${#templs[*]} -gt 0 ] && wwwtempl="${templs[0]}"
|
||||
|
||||
found=
|
||||
for i in "$clrtempl" "$ssltempl" "$certstempl" "$wwwtempl"; do
|
||||
[ -n "$i" ] && { found=1; break; }
|
||||
done
|
||||
[ -n "$found" ] || die "Aucun template disponible"
|
||||
|
||||
if [ -z "$force" ] && [[ "$host" != *.* ]]; then
|
||||
die "$host n'est pas un nom d'hôte pleinement qualifié"
|
||||
fi
|
||||
|
||||
etitle "$host"
|
||||
hostname="${host%%.*}"
|
||||
clrconf="${clrtempl/SITE/$hostname}"
|
||||
sslconf="${ssltempl/SITE/$hostname}"
|
||||
certsconf="${certstempl/SITE/$hostname}"
|
||||
wwwdir="${wwwtempl/SITE/$hostname}"
|
||||
|
||||
mkdir -p "$destdir/certsconf"
|
||||
mkdir -p "$destdir/sites"
|
||||
|
||||
sedscript="\
|
||||
s/SITE.TLD/$host/g
|
||||
s/SITE/$hostname/g"
|
||||
|
||||
if [ -z "$clrtempl" ]; then
|
||||
:
|
||||
elif [ ! -f "$templdir/$clrtempl" ]; then
|
||||
ewarn "Le fichier $(ppath "$templdir/$clrtempl") n'existe pas. La copie ne sera pas complète"
|
||||
elif [ -f "$destdir/sites/$clrconf" ]; then
|
||||
ewarn "Le fichier sites/$clrconf existe déjà. Il ne sera pas écrasé."
|
||||
else
|
||||
estep "sites/$clrconf"
|
||||
sed "$sedscript" "$templdir/$clrtempl" >"$destdir/sites/$clrconf" || die
|
||||
fi
|
||||
|
||||
if [ -z "$ssltempl" ]; then
|
||||
:
|
||||
elif [ ! -f "$templdir/$ssltempl" ]; then
|
||||
ewarn "Le fichier $(ppath "$templdir/$ssltempl") n'existe pas. La copie ne sera pas complète"
|
||||
elif [ -f "$destdir/sites/$sslconf" ]; then
|
||||
ewarn "Le fichier sites/$sslconf existe déjà. Il ne sera pas écrasé."
|
||||
else
|
||||
estep "sites/$sslconf"
|
||||
sed "$sedscript" "$templdir/$ssltempl" >"$destdir/sites/$sslconf" || die
|
||||
fi
|
||||
|
||||
if [ -z "$certstempl" ]; then
|
||||
:
|
||||
elif [ ! -f "$templdir/$certstempl" ]; then
|
||||
ewarn "Le fichier $(ppath "$templdir/$certstempl") n'existe pas. La copie ne sera pas complète"
|
||||
elif [ -f "$destdir/certsconf/$certsconf" ]; then
|
||||
ewarn "Le fichier certsconf/$certsconf exite déjà. Il ne sera pas écrasé."
|
||||
else
|
||||
estep "certsconf/$certsconf"
|
||||
sed "$sedscript" "$templdir/$certstempl" >"$destdir/certsconf/$certsconf" || die
|
||||
fi
|
||||
|
||||
if [ -z "$wwwtempl" ]; then
|
||||
:
|
||||
elif [ ! -d "$templdir/$wwwtempl" ]; then
|
||||
ewarn "Le répertoire $(ppath "$templdir/$wwwtempl") n'existe pas. La copie ne sera pas complète"
|
||||
elif [ -d "$destdir/$wwwdir" ]; then
|
||||
ewarn "Le répertoire $wwwdir existe déjà. Il ne sera pas écrasé."
|
||||
else
|
||||
estep "$wwwdir"
|
||||
cpdirnovcs "$templdir/$wwwtempl" "$destdir/$wwwdir" || die
|
||||
sed -i "$sedscript" "$destdir/$wwwdir/.udir" || die
|
||||
fi
|
||||
|
||||
eend
|
||||
|
||||
if [ -n "$wwwtempl" ]; then
|
||||
eimportant "Ne pas oublier le cas échéant de mettre à jour HTDMAPPINGS dans $(ppath "$config") e.g.
|
||||
HTDMAPPINGS=($wwwdir)"
|
||||
fi
|
||||
fi
|
||||
|
|
|
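Review bot: In the args array of hunk `@ -96,15 +133,23 @@`, `--new-site-force site_force=` looks like a no-op: elsewhere on this page the bare `var=` form is used to clear a flag (`--partial FULLCONF=`, `--hideconfig nohideconfig=`) while flags that are set use `=1` (`-N,--network-config netconf=1`), so `site_force` would stay empty and the `[ -z "$force" ]` guard in hunk `@ -160,11 +207,113 @@` would always fire; if that reading of the option syntax is right, the line should be `--new-site-force site_force=1`. In the same new-site hunk, `$host` and `$hostname` are spliced unescaped into `sedscript`, so a value containing `/`, `&` or `\` breaks or alters the `s///` commands and the only check on the name is `[[ "$host" != *.* ]]`; a hostname-shaped guard before the script is built, e.g. `[[ "$host" =~ ^[A-Za-z0-9.-]+$ ]] || die "$host: nom d'hôte invalide"`, closes that. The warning on the certsconf branch also reads `exite déjà` where the sibling branches say `existe déjà`.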
@ -5,28 +5,101 @@
|
|||
##@require sysinfos
|
||||
##@require apache
|
||||
uprovide apache.tools
|
||||
urequire base sysinfos apache
|
||||
urequire base sysinfos template apache
|
||||
|
||||
function __apache_resolvcert() {
|
||||
function __apache_rc_destdir() {
|
||||
[ -z "$3" ] && set_var "${1:-certsdir}" "$(get_APACHESSLCERTSDIR_prefix)"
|
||||
[ -z "$4" ] && set_var "${2:-keysdir}" "$(get_APACHESSLKEYSDIR_prefix)"
|
||||
}
|
||||
|
||||
function __apache_rc_loadconf() {
|
||||
[ -n "$__rc_dir" ] || __rc_dir="$(dirname "$__rc_conf")"
|
||||
eval "$(
|
||||
source "$__rc_conf"
|
||||
set_var_cmd __rc_cert "$cert"
|
||||
set_var_cmd __rc_key "$key"
|
||||
set_var_cmd __rc_ca "$ca"
|
||||
echo_setv __rc_cert "$cert"
|
||||
echo_setv __rc_key "$key"
|
||||
echo_setv __rc_ca "$ca"
|
||||
)"
|
||||
[ -n "$__rc_cert" ] && __rc_cert="$(abspath "$__rc_cert" "$__rc_dir")"
|
||||
[ -n "$__rc_key" ] && __rc_key="$(abspath "$__rc_key" "$__rc_dir")"
|
||||
[ -n "$__rc_ca" ] && __rc_ca="$(abspath "$__rc_ca" "$__rc_dir")"
|
||||
}
|
||||
|
||||
function __apache_checkvars() {
|
||||
function __apache_rc_resolveprefix() {
|
||||
local __prefix __cert __key
|
||||
local __certsdir="$1" __keysdir="$2"
|
||||
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||
|
||||
if [ -z "$__rc_cert" ]; then
|
||||
# si pas de certificat, alors générer un préfixe pour chercher les
|
||||
# fichiers
|
||||
setx __prefix=basename "$__rc_conf"
|
||||
__prefix="${__prefix%certs.conf}"
|
||||
elif [ ! -f "$__rc_cert" ]; then
|
||||
# si le fichier source n'existe pas, vérifier s'il existe dans la
|
||||
# destination
|
||||
setx __cert=basename "$__rc_cert"
|
||||
setx __key=basename "$__rc_key"
|
||||
if [ -f "$__certsdir/$__cert" -a -f "$__keysdir/$__key" ]; then
|
||||
# parfait, les fichiers existent déjà à l'endroit prévu
|
||||
:
|
||||
else
|
||||
# construire un préfixe avec le nom du fichier
|
||||
__prefix="$__cert"
|
||||
if [ "${__prefix%.pem}" != "$__prefix" ]; then
|
||||
__prefix="${__prefix%.pem}"
|
||||
elif [ "${__prefix%.crt}" != "$__prefix" ]; then
|
||||
__prefix="${__prefix%.crt}"
|
||||
fi
|
||||
if [ -n "${__prefix//[0-9]/}" ]; then
|
||||
# enlever le suffixe numérique, uniquement si le nom ne contient
|
||||
# pas que des chiffres
|
||||
while [ -n "$__prefix" -a "${__prefix%[0-9]}" != "$__prefix" ]; do
|
||||
__prefix="${__prefix%[0-9]}"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$__prefix" ]; then
|
||||
local -a __certs
|
||||
array_from_lines __certs "$(list_files "$__certsdir" "$__prefix*" | LANG=C sort -r)"
|
||||
if [ ${#__certs[*]} -gt 0 ]; then
|
||||
__cert="${__certs[0]}"
|
||||
__key="${__cert%.*}.key"
|
||||
__rc_cert="$__rc_dir/$__cert"
|
||||
__rc_key="$__rc_dir/$__key"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function __apache_rc_checkfiles() {
|
||||
local destdir="$1"; shift
|
||||
local file
|
||||
for file in "$@"; do
|
||||
[ -n "$file" ] || continue
|
||||
[ -f "$file" ] && continue
|
||||
if [ -n "$destdir" -a -f "$destdir/$(basename "$file")" ]; then
|
||||
[ -z "$__apache_rc_quiet" ] && ewarn "$file: fichier introuvable
|
||||
Le fichier existant $destdir/$(basename "$file") sera utilisé"
|
||||
continue
|
||||
fi
|
||||
eerror "$file: fichier introuvable"
|
||||
return 1
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
function __apache_rc_checkvars() {
|
||||
local __certsdir="$1" __keysdir="$2"
|
||||
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||
|
||||
if [ -n "$__rc_cert" -a -z "$__rc_key" ]; then
|
||||
local __rc_name __rc_ext
|
||||
splitname "$__rc_cert" __rc_name __rc_ext
|
||||
if [ "$__rc_ext" == "crt" -o "$__rc_ext" == "pem" ]; then
|
||||
__rc_key="$__rc_name.key"
|
||||
enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
|
||||
[ -z "$__apache_rc_quiet" ] && enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
|
||||
else
|
||||
eerror "Impossible de trouver la clé privée correspondant au certificat $(ppath "$__rc_cert")"
|
||||
return 1
|
||||
|
@ -36,30 +109,31 @@ function __apache_checkvars() {
|
|||
eerror "Vous devez spécifier le certificat à installer"
|
||||
return 1
|
||||
elif [ -z "$__rc_cert" ]; then
|
||||
eattention "Seul le certificat autorité a été spécifié."
|
||||
[ -z "$__apache_rc_quiet" ] && eattention "Seul le certificat autorité a été spécifié."
|
||||
elif [ -z "$__rc_ca" ]; then
|
||||
ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
|
||||
[ -z "$__apache_rc_quiet" ] && ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
|
||||
fi
|
||||
|
||||
local i
|
||||
for i in "$__rc_cert" "$__rc_key" "$__rc_ca"; do
|
||||
[ -n "$i" ] || continue
|
||||
[ -f "$i" ] || {
|
||||
eerror "$i: Fichier introuvable"
|
||||
return 1
|
||||
}
|
||||
done
|
||||
__apache_rc_checkfiles "$__certsdir" "$__rc_ca" "$__rc_cert" || return 1
|
||||
__apache_rc_checkfiles "$__keysdir" "$__rc_key" || return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
function apache_resolvecert() {
|
||||
# Calculer l'emplacement des certificats correspondant aux arguments $1 et
|
||||
# $2 (qui correspondent aux options --conf et --dir de apache_addcert()),
|
||||
# puis initialiser les variables $3(=cert), $4(=key) et $5(=ca)
|
||||
# Si ces valeurs sont déjà calculées, on peut fournir $6=certsdir et
|
||||
# $7=keysdir
|
||||
local __rc_conf="$1" __rc_dir="$2"
|
||||
local __rc_cert __rc_key __rc_ca
|
||||
|
||||
__apache_resolvcert
|
||||
__apache_checkvars || return 1
|
||||
local __certsdir="$6" __keysdir="$7"
|
||||
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||
|
||||
__apache_rc_loadconf
|
||||
__apache_rc_resolveprefix "$__certsdir" "$__keysdir"
|
||||
__apache_rc_checkvars "$__certsdir" "$__keysdir" || return 1
|
||||
set_var "${3:-cert}" "$__rc_cert"
|
||||
set_var "${4:-key}" "$__rc_key"
|
||||
set_var "${5:-ca}" "$__rc_ca"
|
||||
|
@ -93,29 +167,33 @@ OPTIONS
|
|||
|
||||
eval "$(utools_local)"
|
||||
local action=install
|
||||
local certsconf certsdir cert key ca
|
||||
local certsconf certssrcdir cert key ca
|
||||
local __out_cert __out_key __out_ca
|
||||
parse_opts "${PRETTYOPTS[@]}" \
|
||||
--help '$exit_with __apache_addcert_display_help' \
|
||||
-C:,--conf: certsconf= \
|
||||
-d:,--dir: certsdir= \
|
||||
-d:,--dir: certssrcdir= \
|
||||
--out-cert: '$set@ __out_cert; action=dump' \
|
||||
--out-key: '$set@ __out_key; action=dump' \
|
||||
--out-ca: '$set@ __out_ca; action=dump' \
|
||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||
|
||||
local certsdir keysdir
|
||||
__apache_rc_destdir certsdir keysdir
|
||||
|
||||
local __rc_conf __rc_dir
|
||||
local __rc_cert __rc_key __rc_ca
|
||||
if [ -n "$certsconf" ]; then
|
||||
__rc_conf="$certsconf"
|
||||
__rc_dir="$certsdir"
|
||||
__apache_resolvconf
|
||||
__apache_checkvars || return 1
|
||||
__rc_dir="$certssrcdir"
|
||||
__apache_rc_loadconf
|
||||
__apache_rc_resolveprefix "$certsdir" "$keysdir"
|
||||
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
|
||||
else
|
||||
__rc_cert="$1"
|
||||
__rc_key="$2"
|
||||
__rc_ca="$3"
|
||||
__apache_checkvars || return 1
|
||||
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
|
||||
fi
|
||||
cert="$__rc_cert"
|
||||
key="$__rc_key"
|
||||
|
@ -129,9 +207,7 @@ OPTIONS
|
|||
ask_yesno "Voulez-vous continuer?" O || return 1
|
||||
urequire install
|
||||
|
||||
etitle "Installation des certificats"
|
||||
certsdir="$(get_APACHESSLCERTSDIR_prefix)"
|
||||
keysdir="$(get_APACHESSLKEYSDIR_prefix)"
|
||||
etitled "Copie des fichiers"
|
||||
if [ ! -d "$certsdir" ]; then
|
||||
mkdir -p "$certsdir" || return 1
|
||||
chmod 755 "$certsdir" || return 1
|
||||
|
@ -140,38 +216,36 @@ OPTIONS
|
|||
mkdir -p "$keysdir" || return 1
|
||||
chmod 710 "$keysdir" || return 1
|
||||
fi
|
||||
if [ -n "$cert" ]; then
|
||||
copy_replace "$cert" "$certsdir" || return 1
|
||||
chmod 644 "$certsdir/$(basename "$cert")" || return 1
|
||||
copy_replace "$key" "$keysdir" || return 1
|
||||
chmod 640 "$keysdir/$(basename "$key")" || return 1
|
||||
if [ -n "$cert" -a -f "$cert" ]; then
|
||||
if copy_update "$cert" "$certsdir"; then
|
||||
chmod 644 "$certsdir/$(basename "$cert")" || return 1
|
||||
fi
|
||||
if copy_update "$key" "$keysdir"; then
|
||||
chmod 640 "$keysdir/$(basename "$key")" || return 1
|
||||
fi
|
||||
fi
|
||||
if [ -n "$ca" ]; then
|
||||
copy_replace "$ca" "$certsdir" || return 1
|
||||
chmod 644 "$certsdir/$(basename "$ca")" || return 1
|
||||
if [ -n "$ca" -a -f "$ca" ]; then
|
||||
if copy_update "$ca" "$certsdir"; then
|
||||
chmod 644 "$certsdir/$(basename "$ca")" || return 1
|
||||
fi
|
||||
fi
|
||||
eend
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
__APACHE_AUTOCONF_SUFFIXES=(d8 d)
|
||||
__APACHE_AUTOCONF_SUFFIX_d8=(-d debian -v jessie+)
|
||||
__APACHE_AUTOCONF_SUFFIX_d=(-d debian)
|
||||
function __apache_autoconf_check_suffix() {
|
||||
array_contains __APACHE_AUTOCONF_SUFFIXES "$1" || return 1
|
||||
local sysinfos="__APACHE_AUTOCONF_SUFFIX_${1}[@]"
|
||||
check_sysinfos --vars sysname sysdist sysver bits "${!sysinfos}"
|
||||
}
|
||||
function __apache_autoconf_filter_suffix_files() {
|
||||
grep -vF ..
|
||||
}
|
||||
function __apache_autoconf_setup() {
|
||||
if ! check_sysinfos --vars sysname sysdist sysver bits -s linux64 linux32 linux -d debian; then
|
||||
eerror "apache_autoconf n'est supporté que sur Debian linux"
|
||||
eerror "$(get_sysinfos_desc): système non supporté. debian linux est requis"
|
||||
return 1
|
||||
fi
|
||||
urequire install
|
||||
urequire debian install
|
||||
if [ -z "$__apache_autoconf_no_require_apache" ]; then
|
||||
pkg_check apache2 || {
|
||||
eerror "apache2 non installé. impossible de continuer"
|
||||
return 1
|
||||
}
|
||||
fi
|
||||
compute_apache_prefixes
|
||||
return 0
|
||||
}
|
||||
|
@ -193,24 +267,8 @@ function __apache_autoconf_fillcopy() {
|
|||
# script sed $FILLSCRIPT. Le fichier temporaire $FILLTEMP est utilisé pour
|
||||
# le remplacement des valeurs. $3 contient le cas échéant des commandes sed
|
||||
# supplémentaires
|
||||
# Si des fichiers suffixes existent, ne faire la copie que si un fichier
|
||||
# approprié correspondant au système courant est trouvé
|
||||
local src="$1" dest="$2" sedscript="$3" perms="${4:-go+rX}"
|
||||
|
||||
# vérifier les fichiers suffixe
|
||||
local suffix have_suffix found_suffix
|
||||
for suffix in "${__APACHE_AUTOCONF_SUFFIXES[@]}"; do
|
||||
if [ -f "$src..$suffix" ]; then
|
||||
have_suffix=1
|
||||
if __apache_autoconf_check_suffix "$suffix"; then
|
||||
found_suffix=1
|
||||
src="$src..$suffix"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[ -n "$have_suffix" -a -z "$found_suffix" ] && return 1
|
||||
|
||||
# valeurs à remplacer dans le fichier
|
||||
local var found_var
|
||||
for var in "${FILLVARS[@]}"; do
|
||||
|
@ -225,14 +283,16 @@ $sedscript" <"$src" >"$FILLTEMP"
|
|||
src="$FILLTEMP"
|
||||
fi
|
||||
|
||||
copy_update "$src" "$dest" "$perms"
|
||||
copy_update "$src" "$dest" "$perms" && return
|
||||
estepn "$(basename -- "$dest")"
|
||||
return 1
|
||||
}
|
||||
|
||||
__APACHE_AUTOCONF_HELP="\
|
||||
--confdir CONFDIR
|
||||
Spécifier l'emplacement des fichiers de configuration apache ainsi que des
|
||||
fichiers 'confs.conf', 'modules.conf' et 'sites.conf'. Par défaut, prendre
|
||||
le répertoire local DESTDIR.
|
||||
fichiers 'syspkgs.conf', 'confs.conf', 'modules.conf' et 'sites.conf'. Par
|
||||
défaut, prendre le répertoire local DESTDIR.
|
||||
--confsdir CONFSDIR
|
||||
Spécifier l'emplacement des fichiers des configuration. Par défaut, utiliser
|
||||
DESTDIR/confs si ce répertoire existe.
|
||||
|
@ -264,7 +324,7 @@ function apache_autoconf() {
|
|||
local autoconfdir certsdir confdir confsdir oneconf modulesdir onemodule
|
||||
local sitesdir onesite cgibindir wwwdir certsconfdir rrdir onecms
|
||||
local sysname sysdist sysver bits
|
||||
local destconfsdir a2xconf
|
||||
local netconf destconfsdir a2xconf
|
||||
local restart=1
|
||||
parse_opts "${PRETTYOPTS[@]}" \
|
||||
--help '$exit_with __display_apache_autoconf_help' \
|
||||
|
@ -288,6 +348,7 @@ function apache_autoconf() {
|
|||
-7,--wheezy sysver=wheezy \
|
||||
-8,--jessie sysver=jessie \
|
||||
--bits: bits= \
|
||||
--network-config netconf=1 \
|
||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||
|
||||
if [ -n "$sysname" -o -n "$sysdist" -o -n "$sysver" ]; then
|
||||
|
@ -298,13 +359,13 @@ function apache_autoconf() {
|
|||
sysver=("${MYSYSVER[@]}")
|
||||
bits="$MYBITS"
|
||||
fi
|
||||
__apache_autoconf_setup || return 1
|
||||
if __apache_autoconf_check_suffix d8; then
|
||||
__apache_autoconf_no_require_apache= __apache_autoconf_setup || return 1
|
||||
if check_sysinfos --vars sysname sysdist sysver bits -d debian -v jessie+; then
|
||||
confdefault=000-default.conf
|
||||
confdefaultssl=default-ssl.conf
|
||||
destconfsdir="$APACHECONFDIR/conf-available"
|
||||
a2xconf=1
|
||||
elif __apache_autoconf_check_suffix d; then
|
||||
elif check_sysinfos --vars sysname sysdist sysver bits -d debian; then
|
||||
confdefault=default
|
||||
confdefaultssl=default-ssl
|
||||
destconfsdir="$APACHECONFDIR/conf.d"
|
||||
|
@ -340,6 +401,19 @@ function apache_autoconf() {
|
|||
local -a FILLVARS; local FILLSCRIPT FILLTEMP
|
||||
__apache_autoconf_fillxxx "$@"
|
||||
|
||||
# Installation des packages système
|
||||
if [ -f "$confdir/syspkgs.conf" ]; then
|
||||
local -a syspkgs
|
||||
local syspkg
|
||||
array_from_lines syspkgs "$(<"$confdir/syspkgs.conf" filter_conf)"
|
||||
if ! pkg_check "${syspkgs[@]}"; then
|
||||
etitle "Installation de paquets système"
|
||||
estep "${syspkgs[@]}"
|
||||
pkg_install "${syspkgs[@]}" || return 1
|
||||
eend
|
||||
fi
|
||||
fi
|
||||
|
||||
# Copie des certificats
|
||||
local modified rehash conf
|
||||
if [ -d "$certsconfdir" ]; then
|
||||
|
@ -350,17 +424,10 @@ function apache_autoconf() {
|
|||
array_addu FILLVARS ca
|
||||
|
||||
etitle "Installation des certificats"
|
||||
[ -n "$certsdir" -a ! -d "$certsdir" ] && ewarn "$certsdir: répertoire invalide"
|
||||
array_lsfiles certsconfs "$certsconfdir" "*.conf"
|
||||
for certsconf in "${certsconfs[@]}"; do
|
||||
if [ -z "$certsdir" ]; then
|
||||
eerror "CERTSDIR est requis si --certsconfdir est spécifié"
|
||||
return 1
|
||||
elif [ ! -d "$certsdir" ]; then
|
||||
eerror "$certsdir: répertoire invalide"
|
||||
return 1
|
||||
fi
|
||||
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
||||
apache_addcert -y "$cert" "$key" "$ca"
|
||||
apache_addcert -y -C "$certsconf" -d "$certsdir" "$cert" "$key" "$ca" || return 1
|
||||
modified=1
|
||||
done
|
||||
array_lsfiles certspems "$certsconfdir" "*.crt" "*.pem"
|
||||
|
@ -378,11 +445,9 @@ function apache_autoconf() {
|
|||
local -a confs
|
||||
local conf
|
||||
etitle "Installation des configurations"
|
||||
array_from_lines confs "$(list_files "$confsdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
||||
array_from_lines confs "$(list_files "$confsdir" "*.conf")"
|
||||
for conf in "${confs[@]}"; do
|
||||
[ -z "$oneconf" -o "$conf" == "$oneconf" ] || continue
|
||||
|
||||
estep "$conf"
|
||||
__apache_autoconf_fillcopy \
|
||||
"$confsdir/$conf" \
|
||||
"$destconfsdir/$conf" && modified=1
|
||||
|
@ -395,11 +460,9 @@ function apache_autoconf() {
|
|||
local -a confs
|
||||
local conf
|
||||
etitle "Installation des configurations des modules"
|
||||
array_from_lines confs "$(list_files "$modulesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
||||
array_from_lines confs "$(list_files "$modulesdir" "*.conf")"
|
||||
for conf in "${confs[@]}"; do
|
||||
[ -z "$onemodule" -o "$conf" == "$onemodule" ] || continue
|
||||
|
||||
estep "$conf"
|
||||
__apache_autoconf_fillcopy \
|
||||
"$modulesdir/$conf" \
|
||||
"$APACHECONFDIR/mods-available/$conf" && modified=1
|
||||
|
@ -409,12 +472,12 @@ function apache_autoconf() {
|
|||
|
||||
# Règles de réécriture
|
||||
if [ -d "$rrdir" -a -z "$onecms" ]; then
|
||||
# legacy... remplacé par des fichiers de règles directement dans le répertoire de configuration
|
||||
local -a confs
|
||||
local conf
|
||||
etitle "Installation des règles de réécriture"
|
||||
array_from_lines confs "$(list_files "$rrdir" "RewriteRules*.conf")"
|
||||
for conf in "${confs[@]}"; do
|
||||
estep "$conf"
|
||||
__apache_autoconf_fillcopy \
|
||||
"$rrdir/$conf" \
|
||||
"$APACHECONFDIR/$conf" && modified=1
|
||||
|
@ -426,9 +489,9 @@ function apache_autoconf() {
|
|||
local -a enablesites disablesites
|
||||
if [ -d "$sitesdir" -a \( -z "$onecms" -o -n "$onesite" \) ]; then
|
||||
local -a confs
|
||||
local conf confname destconf certsconf
|
||||
local conf confname destconf certsconf sedscript copied
|
||||
etitle "Installation des sites"
|
||||
array_from_lines confs "$(list_files "$sitesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
||||
array_from_lines confs "$(list_files "$sitesdir" "*.conf")"
|
||||
for confname in "${confs[@]}"; do
|
||||
conf="$sitesdir/$confname"
|
||||
[ -z "$onesite" -o "$confname" == "$onesite" ] || continue
|
||||
|
@ -449,27 +512,44 @@ function apache_autoconf() {
|
|||
*) destconf="$confname";;
|
||||
esac
|
||||
|
||||
copied=
|
||||
if [ -n "$certsconf" ]; then
|
||||
certsconf="$certsconfdir/$certsconf"
|
||||
if [ -f "$certsconf" ]; then
|
||||
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
||||
__apache_autoconf_fillcopy \
|
||||
"$conf" \
|
||||
"$APACHEAVSITESDIR/$destconf" "\
|
||||
__apache_rc_quiet=1 apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
||||
if [ -n "$cert" -a -n "$key" ]; then
|
||||
sedscript="\
|
||||
s#@@cert@@#$APACHESSLCERTSDIR/$(basename "$cert")#g
|
||||
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g
|
||||
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
||||
"
|
||||
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g"
|
||||
if [ -n "$ca" ]; then
|
||||
sedscript="$sedscript
|
||||
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g"
|
||||
else
|
||||
sedscript="$sedscript
|
||||
/@@ca@@/s/^/#/g"
|
||||
fi
|
||||
__apache_autoconf_fillcopy \
|
||||
"$conf" \
|
||||
"$APACHEAVSITESDIR/$destconf" "$sedscript"
|
||||
copied=1
|
||||
else
|
||||
eerror "$(ppath "$certsconf"): définition des certificats introuvable
|
||||
Le fichier de configuration $confname a été ignoré"
|
||||
fi
|
||||
else
|
||||
eerror "$(ppath "$certsconf"): fichier introuvable. Il a été ignoré"
|
||||
eerror "$(ppath "$certsconf"): fichier introuvable
|
||||
Le fichier de configuration $confname a été ignoré"
|
||||
fi
|
||||
else
|
||||
__apache_autoconf_fillcopy \
|
||||
"$conf" \
|
||||
"$APACHEAVSITESDIR/$destconf"
|
||||
copied=1
|
||||
fi
|
||||
if [ -n "$copied" ]; then
|
||||
enablesites=("${enablesites[@]}" "$destconf")
|
||||
modified=1
|
||||
fi
|
||||
enablesites=("${enablesites[@]}" "$destconf")
|
||||
modified=1
|
||||
done
|
||||
eend
|
||||
fi
|
||||
|
@ -478,16 +558,28 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
|||
if [ -d "$confdir" -a -z "$onecms" ]; then
|
||||
local -a confs
|
||||
local conf
|
||||
|
||||
etitle "Configuration de base"
|
||||
array_add ignores confs.conf modules.conf sites.conf
|
||||
array_from_lines confs "$(list_files "$confdir" | __apache_autoconf_filter_suffix_files)"
|
||||
array_add ignores syspkgs.conf confs.conf modules.conf sites.conf network.conf
|
||||
array_from_lines confs "$(list_files "$confdir")"
|
||||
for conf in "${confs[@]}"; do
|
||||
array_contains ignores "$conf" && continue
|
||||
estep "$conf"
|
||||
__apache_autoconf_fillcopy \
|
||||
"$confdir/$conf" \
|
||||
"$APACHECONFDIR/$conf" && modified=1
|
||||
done
|
||||
|
||||
array_from_lines confs "$(list_files "$confdir" "*rewrite*.rules")"
|
||||
if [ ${#confs[*]} -gt 0 ]; then
|
||||
etitle "Règles de réécriture"
|
||||
for conf in "${confs[@]}"; do
|
||||
[ -f "$APACHECONFDIR/$conf" ] || continue
|
||||
estep "$conf"
|
||||
legacy_mkRewriteRules "$APACHECONFDIR/$conf" && modified=1
|
||||
done
|
||||
eend
|
||||
fi
|
||||
|
||||
if [ -f "$confdir/confs.conf" -a -n "$a2xconf" ]; then
|
||||
local -a confs
|
||||
local conf
|
||||
|
@ -564,9 +656,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
|||
fi
|
||||
|
||||
# Contenu web
|
||||
if [ -d "$wwwdir" -a -z "$onecms" ]; then
|
||||
etitle "Installation des fichiers du serveur web"
|
||||
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
|
||||
if [ -z "$onecms" ]; then
|
||||
etitled "Installation des fichiers du serveur web"
|
||||
if is_defined HTDMAPPINGS; then
|
||||
local htdmapping src dest
|
||||
for htdmapping in "${HTDMAPPINGS[@]}"; do
|
||||
splitpair "$htdmapping" dest src
|
||||
[ -n "$dest" ] || dest=html
|
||||
case "$dest" in
|
||||
html) [ -n "$src" ] || src=www;;
|
||||
*) [ -n "$src" ] || src="$dest";;
|
||||
esac
|
||||
withpath "$src" || src="$confdir/$src"
|
||||
withpath "$dest" || dest="$HTDOCSBASE/$dest"
|
||||
estep "$src --> $dest"
|
||||
cpdirnovcs "$src" "$dest"
|
||||
# par défaut, le propriétaire est root. est-ce nécessaire?
|
||||
#chown -R www-data: "$dest"
|
||||
done
|
||||
elif [ -d "$wwwdir" ]; then
|
||||
estep "$wwwdir --> $HTDOCSDIR"
|
||||
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
|
||||
# par défaut, le propriétaire est root. est-ce nécessaire?
|
||||
#chown -R www-data: "$HTDOCSDIR"
|
||||
fi
|
||||
eend
|
||||
fi
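Review bot: In the HTDMAPPINGS loop, `cpdirnovcs "$src" "$dest"` runs without any check that `$src` exists, whereas the legacy branch right below is guarded by `[ -d "$wwwdir" ]`; a mapping that points at a missing directory (including the implicit `html:www` default when the local config has no www/) reaches the copy unguarded. Add `[ -d "$src" ] || continue` (or a warning) before `estep "$src --> $dest"`. `dest` is also built as `$HTDOCSBASE/$dest` straight from a config value, so a mapping containing `..` lands outside HTDOCSBASE — worth at least a sentence in the HTDMAPPINGS description. The enclosing function starts and ends outside this hunk.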
|
||||
|
||||
|
@ -587,6 +700,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
|||
eend
|
||||
fi
|
||||
|
||||
# Mettre à jour la configuration réseau
|
||||
if [ -z "$onecms" -a -n "$netconf" -a -f "$confdir/network.conf" ]; then
|
||||
local -a ips brs; local host etc_networks
|
||||
eval "$(
|
||||
source "$confdir/network.conf"
|
||||
set_array_cmd ips
|
||||
set_array_cmd brs
|
||||
echo_setv host "$host"
|
||||
echo_setv etc_networks "$etc_networks"
|
||||
)"
|
||||
etitled "Vérification de la configuration du réseau"
|
||||
if [ -n "$FULLCONF" ]; then
|
||||
if [ ${#ips[*]} -gt 0 -o ${#brs[*]} -gt 0 -o -n "$hosts" ]; then
|
||||
network_config "$host" ips brs && modified=1
|
||||
fi
|
||||
[ -n "$etc_networks" ] && network_update_etc_networks "$etc_networks"
|
||||
else
|
||||
if [ ${#ips[*]} -gt 0 ]; then
|
||||
network_config_partial ips && modified=1
|
||||
fi
|
||||
fi
|
||||
eend
|
||||
fi
|
||||
|
||||
if [ -n "$modified" ]; then
|
||||
[ -n "$rehash" ] && elinedots "Hashage des certificats" c_rehash
|
||||
if [ -n "$restart" ]; then
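Review bot: The full-configuration test reads `-n "$hosts"`, but the variable loaded from network.conf and declared local is `host` (`echo_setv host "$host"`); `$hosts` looks like a typo, so a network.conf that only sets `host=` (no ips, no brs) never reaches `network_config` and the hostname files are not updated. Change the condition to `if [ ${#ips[*]} -gt 0 -o ${#brs[*]} -gt 0 -o -n "$host" ]; then`. Note also that `network_update_etc_networks` does not set `modified=1`, unlike the other branches, so a change to /etc/networks alone triggers no rehash/restart — if that is intended, a comment saying so would help. The enclosing function starts outside this hunk.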
|
||||
|
@ -604,7 +741,7 @@ function apache_autoconf_localhosts() {
|
|||
--one-site: onesite= \
|
||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||
|
||||
__apache_autoconf_setup || return 1
|
||||
__apache_autoconf_no_require_apache=1 __apache_autoconf_setup || return 1
|
||||
|
||||
# Configuration
|
||||
autoconfdir="$1"; shift
|
||||
|
@ -711,27 +848,48 @@ function __template_updatef_dhost() {
|
|||
[ -n "$ips" ] || __template_set_var ips ""
|
||||
}
|
||||
|
||||
# toujours placer une variable dépendante AVANT la variable maitre
|
||||
# syntaxe: var[:depvars,...][=desc]
|
||||
APACHECONFIG_TEMPLATE_STATIC_VARS=(
|
||||
hostname aliases host
|
||||
certsdir caname
|
||||
host:hostname,aliases="hôte pour lequel ce template a été créé.
|
||||
# les variables hostname et aliases sont automatiquement générées.
|
||||
# utiliser @@dhost@@ pour déployer dynamiquement avec le nom d'hôte courant."
|
||||
certsdir="répertoire par défaut contenant les certificats à déployer"
|
||||
caname="nom de l'autorité par défaut"
|
||||
)
|
||||
APACHECONFIG_TEMPLATE_DYNAMIC_VARS=(
|
||||
ips_namevirtualhosts ips_listens ips
|
||||
dhostname daliases dhost
|
||||
admin configdir
|
||||
ips:ips_namevirtualhosts,ips_listens="liste d'adresses de la forme ip[:port], séparées par un espace.
|
||||
# ces adresses sont celles sur lesquelles apache doit écouter. ce paramètre n'a
|
||||
# de sens que sur squeeze. en effet, la configuration par défaut sur jessie rend
|
||||
# ce paramétrage inutile."
|
||||
dhost:dhostname,daliases="hôte pour lequel les fichiers doivent être déployés.
|
||||
# les variables dhostname et daliases sont automatiquement générées.
|
||||
# cette variable n'a besoin d'être modifiée que si host=@@dhost@@ ci-dessous"
|
||||
admin="mail de l'administrateur du serveur"
|
||||
configdir="répertoire dans lequel le template a été généré"
|
||||
)
|
||||
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(configdir)
|
||||
APACHECONFIG_TEMPLATE_USER_VARS=(
|
||||
FULLCONF="Est-on en mode configuration complète?"
|
||||
HTDMAPPINGS="Mapping des répertoires destination dans /var/www vers le répertoire local, e.g. html:www"
|
||||
)
|
||||
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(hostname aliases dhostname daliases configdir)
|
||||
|
||||
function __apacheconfig_initsrcdirs() {
|
||||
if check_sysinfos "$@" -d debian -v jessie+; then
|
||||
TEMPLATECTL_SRCDIRS=(apacheconfig.d8)
|
||||
else
|
||||
TEMPLATECTL_SRCDIRS=(apacheconfig)
|
||||
fi
|
||||
}
|
||||
function apacheconfig_initvars() {
|
||||
DEFAULT_ADMIN=supervision-gdrsi@listes.univ-reunion.fr
|
||||
DEFAULT_CERTSDIR=1507-renater
|
||||
DEFAULT_CANAME=1507-DigiCertCA.crt
|
||||
set_defaults apacheconfig
|
||||
|
||||
TEMPLATE_STATIC_VARS=("${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}")
|
||||
TEMPLATE_DYNAMIC_VARS=("${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}")
|
||||
TEMPLATE_NOWRITE_VARS=("${APACHECONFIG_TEMPLATE_NOWRITE_VARS[@]}")
|
||||
template_build_vars TEMPLATE_STATIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}"
|
||||
template_build_vars TEMPLATE_DYNAMIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}"
|
||||
template_build_vars TEMPLATE_USER_VARS "" "${APACHECONFIG_TEMPLATE_USER_VARS[@]}"
|
||||
__TEMPLATE_DEFAULTF_host=__template_defaultf_host
|
||||
__TEMPLATE_UPDATEF_host=__template_updatef_host
|
||||
__TEMPLATE_DEFAULTF_ips=__template_defaultf_ips
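Review bot: `__apacheconfig_initsrcdirs` has no header comment, and its `"$@"` pass-through to `check_sysinfos` is only understandable from the `--vars sysname sysdist sysver bits` call in apacheconfig_sysinfos further down. Suggest a header such as `# Select the template source dir for the target system: apacheconfig.d8 from debian jessie on, apacheconfig otherwise. Arguments are forwarded unchanged to check_sysinfos (e.g. --vars sysname sysdist sysver bits).` The hunk also shows two assignments of `APACHECONFIG_TEMPLATE_NOWRITE_VARS`; if both survive on the new side, only the second one takes effect. The array and function definitions at the top of this hunk start outside it.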
|
||||
|
@ -740,7 +898,7 @@ function apacheconfig_initvars() {
|
|||
__TEMPLATE_UPDATEF_dhost=__template_updatef_dhost
|
||||
|
||||
TEMPLATECTL_NAME=apacheconfig
|
||||
TEMPLATECTL_SRCDIRS=(apacheconfig)
|
||||
__apacheconfig_initsrcdirs
|
||||
TEMPLATECTL_CONFIG="$TEMPLATECTL_NAME"
|
||||
TEMPLATECTL_DEFAULTS=(
|
||||
admin="$DEFAULT_ADMIN"
|
||||
|
@ -751,11 +909,14 @@ function apacheconfig_initvars() {
|
|||
}
|
||||
|
||||
function apacheconfig_loadconf() {
|
||||
local config modified
|
||||
local destdir="$1" autocreate
|
||||
local config modified autocreate
|
||||
local destdir="$1" nohideconfig="$2"
|
||||
|
||||
# valeurs par défaut
|
||||
is_defined HTDMAPPINGS || HTDMAPPINGS=(html:www)
|
||||
|
||||
__template_set_destdir destdir autocreate "$TEMPLATECTL_NAME" || return 1
|
||||
setx config=templatectl_config "$destdir"
|
||||
setx config=templatectl_config "$destdir" ${nohideconfig:+nohideconfig}
|
||||
modified=
|
||||
templatectl_loadvars "$config" && modified=1
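Review bot: The new second parameter `nohideconfig` of apacheconfig_loadconf is undocumented, and its effect is only visible through the `${nohideconfig:+nohideconfig}` flag handed to templatectl_config; presumably it selects the visible `apacheconfig.conf` over the hidden `.apacheconfig` described in the usage text. Suggest documenting it at the top of the function: `# $1=destdir $2=nohideconfig: if non-empty, use the visible config file name instead of the hidden one`. The function continues outside this hunk.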
|
||||
|
||||
|
@ -779,7 +940,8 @@ function apacheconfig_sysinfos() {
|
|||
__template_set_var sysname "$sysname"
|
||||
__template_set_var sysdist "$sysdist"
|
||||
__template_set_var sysver "$sysver"
|
||||
#check_sysinfos --vars sysname sysdist sysver bits "${templatectl_suffix[@]}
|
||||
# mettre à jour la source en fonction du système cible
|
||||
__apacheconfig_initsrcdirs --vars sysname sysdist sysver bits
|
||||
|
||||
upvars sysname "$sysname" sysdist "$sysdist" sysver "$sysver" bits "$bits" \
|
||||
custom_sysinfos "$custom_sysinfos"
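Review bot: The commented-out `#check_sysinfos --vars sysname sysdist sysver bits "${templatectl_suffix[@]}` line is dead code left next to its replacement `__apacheconfig_initsrcdirs --vars sysname sysdist sysver bits`; it should be deleted rather than kept (it also carries an unbalanced quote, harmless in a comment but confusing to a reader). The surrounding function starts and ends outside this hunk.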
|
||||
|
@ -789,6 +951,7 @@ function apacheconfig_deploy() {
|
|||
local destdir="$1" certsdir="$2"; shift; shift
|
||||
local config="$1" oneconf="$2" onemodule="$3"; onesite="$4"; shift; shift; shift; shift
|
||||
local custom_sysinfos="$1" sysname="$2" sysdist="$3" sysver="$4" bits="$5"; shift; shift; shift; shift; shift
|
||||
local netconf="$1"; shift
|
||||
|
||||
local -a args
|
||||
args=(--ignore "$(basename -- "$config")")
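Review bot: The context line `local config="$1" oneconf="$2" onemodule="$3"; onesite="$4"; shift; ...` has a `;` before `onesite="$4"`, so `onesite` is assigned as a global rather than a local and leaks out of apacheconfig_deploy; the new `local netconf="$1"; shift` right under it is correct, but the commit leaves this defect in place. Change it to `local config="$1" oneconf="$2" onemodule="$3" onesite="$4"; shift; shift; shift; shift`. The function continues outside this hunk.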
|
||||
|
@ -796,6 +959,7 @@ function apacheconfig_deploy() {
|
|||
[ -n "$onemodule" ] && array_add args --one-module "$(basename -- "$onemodule")"
|
||||
[ -n "$onesite" ] && array_add args --one-site "$(basename -- "$onesite")"
|
||||
[ -n "$custom_sysinfos" ] && array_add args --sysname "$sysname" --sysdist "$sysdist" --sysver "$sysver" --bits "$bits"
|
||||
[ -n "$netconf" ] && array_add args --network-config
|
||||
array_add args "$destdir" "$certsdir"
|
||||
for __name in "${TEMPLATE_DYNAMIC_VARS[@]}"; do
|
||||
array_add args "$__name=${!__name}"
|
||||
|
@ -803,6 +967,21 @@ function apacheconfig_deploy() {
|
|||
apache_autoconf "${args[@]}" "$@"
|
||||
}
|
||||
|
||||
function apacheconfig_qs() {
|
||||
# fonction pour simplifier l'utilisation de apacheconfig_deploy pour un
|
||||
# répertoire spécifique
|
||||
# $1=destdir $2=certsdir $3=netconf
|
||||
local destdir="$1" certsdir="$2" netconf="$3"
|
||||
local config modified destdir autocreate
|
||||
apacheconfig_initvars
|
||||
apacheconfig_loadconf "$1"
|
||||
apacheconfig_deploy \
|
||||
"$destdir" "$2" \
|
||||
"$config" "" "" "" \
|
||||
"" "" "" "" "" \
|
||||
"$3"
|
||||
}
|
||||
|
||||
function apacheconfig_localhosts() {
|
||||
local destdir="$1" certsdir="$2"; shift; shift
|
||||
local onesite="$1"; shift
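Review bot: apacheconfig_qs declares `certsdir` and `netconf` as locals and then never uses them, passing `"$2"` and `"$3"` to apacheconfig_deploy instead, and `destdir` is re-declared in the second `local` line. Either drop the unused locals or use them consistently: `apacheconfig_loadconf "$destdir"` and `"$destdir" "$certsdir"` / `"$netconf"` in the deploy call. The run of empty positionals `"$config" "" "" "" "" "" "" "" ""` depends on the exact parameter order of apacheconfig_deploy; a comment naming the skipped parameters (oneconf, onemodule, onesite, custom_sysinfos, sysname, sysdist, sysver, bits) would keep it maintainable. The loadconf call also passes no second argument, so this quick-start path always uses the default config-file naming.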
|
||||
|
@ -815,3 +994,241 @@ function apacheconfig_localhosts() {
|
|||
done
|
||||
apache_autoconf_localhosts "${args[@]}" "$@"
|
||||
}
|
||||
|
||||
function __mrr_joinurl() {
|
||||
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
|
||||
local i url
|
||||
for i in "$@"; do
|
||||
[ -n "$i" ] || continue
|
||||
if [ -n "$url" ]; then
|
||||
url="${url%/}/${i#/}"
|
||||
else
|
||||
url="$i"
|
||||
fi
|
||||
done
|
||||
[ -n "$url" ] && echo "$url"
|
||||
}
|
||||
function __mrr_has_proxy() {
|
||||
# vérifier que les options $1 contiennent 'P'
|
||||
local -a options
|
||||
array_split options "$1" ","
|
||||
array_contains options P
|
||||
}
|
||||
function legacy_mkRewriteRules() {
|
||||
# $1=infile, $2=thishost, $3=outfile, $4=htmlfile, $5=proxy_enabled?
|
||||
local infile="$1" thishost="$2" outfile="$3" htmlfile="$4" proxy_enabled="$5"
|
||||
local -a rules; local rule prefix index done current
|
||||
local tmpinfile tmpoutfile
|
||||
local src dest host suffix options prot proxy_acls usrc trail noslash proxy_url proxy_use
|
||||
|
||||
if [ -z "$infile" -o "$infile" == - ]; then
|
||||
infile=/dev/stdin
|
||||
elif [ -z "$outfile" ]; then
|
||||
local outdir="$(dirname -- "$infile")"
|
||||
outfile="$(basename -- "$infile")"
|
||||
if [[ "$outfile" == *rewrite*.rules ]]; then
|
||||
outfile="${outfile/rewrite/RewriteRules}"
|
||||
outfile="${outfile/.rules/.conf}"
|
||||
else
|
||||
outfile="$outfile-RewriteRules.conf"
|
||||
fi
|
||||
outfile="$outdir/$outfile"
|
||||
fi
|
||||
[ -n "$outfile" -a "$outfile" != - ] || outfile=/dev/stdout
|
||||
|
||||
if [ -z "$thishost" -o -z "$proxy_enabled" ]; then
|
||||
# le cas échéant, lire les paramètres manquant depuis le fichier
|
||||
if [ "$infile" == /dev/stdin ]; then
|
||||
ac_set_tmpfile tmpinfile
|
||||
cat >"$tmpinfile"
|
||||
infile="$tmpinfile"
|
||||
fi
|
||||
eval "$(awkrun -f <"$infile" '
|
||||
/^[^#]/ { exit 0 }
|
||||
/^#+ *host *=/ { sub(/^#+ *host *= */, ""); sub(/ *$/, ""); print "thishost=" qval($0); next }
|
||||
/^#+ *enable_proxy *=/ { sub(/^#+ *enable_proxy *= */, ""); sub(/ *$/, ""); print "proxy_enabled=" qval($0); next }
|
||||
')"
|
||||
fi
|
||||
[ -n "$thishost" ] || thishost="$(myhost)"
|
||||
normyesval proxy_enabled
|
||||
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
|
||||
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
-->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>'"$thishost</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>$thishost</h2>
|
||||
<ul>" >"$htmlfile"
|
||||
fi
|
||||
|
||||
ac_set_tmpfile tmpoutfile
|
||||
array_from_lines rules "$(<"$infile" filter_comment)"
|
||||
prefix=
|
||||
for rule in "${rules[@]}"; do
|
||||
if beginswith "$rule" ^; then
|
||||
# Collecter les préfixe pour la règle suivante
|
||||
prefix="${prefix:+$prefix
|
||||
}${rule#^}"
|
||||
continue
|
||||
elif beginswith "$rule" =; then
|
||||
# ligne litérale
|
||||
echo "${rule#=}" >>"$tmpoutfile"
|
||||
continue
|
||||
fi
|
||||
|
||||
local IFS=:; set -- $rule; unset IFS
|
||||
index=1
|
||||
done=
|
||||
while [ -z "$done" ]; do
|
||||
current="$1"; shift
|
||||
while [ "${current%\\}" != "$current" ]; do
|
||||
current="${current%\\}:$1"; shift
|
||||
done
|
||||
case $index in
|
||||
1) src="$current";;
|
||||
2) dest="$current";;
|
||||
3) host="$current";;
|
||||
4) suffix="$current";;
|
||||
5) options="$current";;
|
||||
6) prot="${current:-http}";;
|
||||
7) proxy_acls="$current";;
|
||||
*) done=1;;
|
||||
esac
|
||||
index=$(($index + 1))
|
||||
done
|
||||
|
||||
# mettre en forme prefix s'il est défini
|
||||
[ -n "$prefix" ] && prefix="$prefix
|
||||
"
|
||||
|
||||
[ "$thishost" == "$host" ] && host=
|
||||
|
||||
usrc="$src"
|
||||
|
||||
trail=1
|
||||
if endswith "$src" '$'; then
|
||||
trail=
|
||||
usrc="${src%$}"
|
||||
fi
|
||||
|
||||
noslash=
|
||||
if endswith "$suffix" '$'; then
|
||||
noslash=1
|
||||
suffix="${suffix%$}"
|
||||
fi
|
||||
if endswith "$dest" '$'; then
|
||||
noslash=1
|
||||
dest="${dest%$}"
|
||||
fi
|
||||
|
||||
proxy_url=
|
||||
proxy_use=
|
||||
|
||||
if endswith "$dest" .woa; then
|
||||
# lien vers une application
|
||||
if [ -n "$host" ]; then
|
||||
# sur un autre hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||
fi
|
||||
else
|
||||
# sur le même hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||
proxy_use=1
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||
proxy_use=1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
# lien vers une url
|
||||
if [ -n "$host" ]; then
|
||||
# sur un autre hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix/"
|
||||
fi
|
||||
else
|
||||
# sur le même hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$tmpoutfile"
|
||||
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix/"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
__mrr_has_proxy "$options" && proxy_use=1
|
||||
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
|
||||
if [ "$proxy_acls" == "None" ]; then
|
||||
:
|
||||
elif [ -z "$proxy_acls" ]; then
|
||||
echo "\
|
||||
<Proxy $proxy_url*>
|
||||
AddDefaultCharset off
|
||||
Order Deny,Allow
|
||||
Allow from all
|
||||
</Proxy>" >>"$tmpoutfile"
|
||||
else
|
||||
echo "\
|
||||
<Proxy $proxy_url*>
|
||||
AddDefaultCharset off
|
||||
Order Allow,Deny
|
||||
Allow from $proxy_acls
|
||||
</Proxy>" >>"$tmpoutfile"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "" >>"$tmpoutfile"
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
|
||||
fi
|
||||
|
||||
# Réinitialiser les préfixes pour chaque règle
|
||||
prefix=
|
||||
done
|
||||
|
||||
local modified
|
||||
if testupdated "$tmpoutfile" "$outfile"; then
|
||||
cat "$tmpoutfile" >"$outfile"
|
||||
modified=1
|
||||
fi
|
||||
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo '</ul>
|
||||
</body>
|
||||
</html>' >>"$htmlfile"
|
||||
fi
|
||||
|
||||
[ -n "$tmpinfile" ] && ac_clean "$tmpinfile"
|
||||
ac_clean "$tmpoutfile"
|
||||
[ -n "$modified" ]
|
||||
}
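Review bot: `url` is assigned with `setx url __mrr_joinurl ...` in every branch and read when writing the HTML list, but it is missing from the `local` declarations at the top of legacy_mkRewriteRules, so it leaks into the caller's scope; add it to `local src dest host suffix options prot proxy_acls usrc trail noslash proxy_url proxy_use`. The `<Proxy ...>` blocks emitted when proxy_use is set use the `Order`/`Allow from` 2.2 syntax; on the jessie+ (Apache 2.4) targets this commit adds, those directives only load when mod_access_compat is enabled, and the default branch (`proxy_acls` empty) opens the proxied prefix with `Allow from all`. The function header should state which access-control model the generated file assumes and that an empty proxy_acls means unrestricted access to the proxied URL.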
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
# -*- coding: utf-8 mode: text -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
Ce répertoire peut contenir les fichiers et répertoires suivants, qui sont tous
|
||||
optionnels:
|
||||
|
||||
confs.conf
|
||||
Liste des configurations qu'il faut activer. Si un fichier de configuration
|
||||
existe mais n'est pas mentionnée dans ce fichier, ou si ce fichier n'existe
|
||||
pas, aucune modification n'est effectuée. Ce fichier contient une liste de
|
||||
ligne de configuration.
|
||||
Si une configuration est de la forme -conf, elle est désactivée. Si une
|
||||
configuration est de la forme +conf, elle est activée. Cette syntaxe permet
|
||||
de supporter les configurations dont le nom commencerait par '-'
|
||||
IMPORTANT: Ce fichier n'est supporté qu'à partir de debian jessie.
|
||||
|
||||
modules.conf
|
||||
Liste des modules qu'il faut activer. Si un module existe mais n'est pas
|
||||
mentionné dans ce fichier, ou si ce fichier n'existe pas, aucune
|
||||
modification n'est effectuée.
|
||||
Si un module est de la forme -module, il est désactivé. Si un module est de
|
||||
la forme +module, il est activé. Cette syntaxe permet de supporter les
|
||||
modules dont le nom commencerait par '-'
|
||||
|
||||
sites.conf
|
||||
Liste des sites qu'il faut activer. Si ce fichier n'existe pas, tous les
|
||||
sites existant sont activés. Si un site existe mais ne figure pas dans ce
|
||||
fichier, il est désactivé.
|
||||
|
||||
confs/
|
||||
Répertoire des configurations à installer. Les fichiers de ce répertoire
|
||||
sont de la forme CONF.conf et sont installés dans le répertoire
|
||||
/etc/apache2/conf-available. Il faut mentionner la configuration dans le
|
||||
fichier confs.conf pour l'activer.
|
||||
IMPORTANT: Ce répertoire n'est supporté qu'à partir de debian jessie.
|
||||
|
||||
modules/
|
||||
Répertoire des configurations de modules à installer. Les fichiers de ce
|
||||
répertoire sont de la forme MODULE.conf et sont installés dans le répertoire
|
||||
/etc/apache2/mods-available. Il faut mentioner le module dans le fichier
|
||||
modules.conf pour l'activer.
|
||||
|
||||
sites/
|
||||
Répertoire des sites à installer. Les fichiers de ce répertoire sont de la
|
||||
forme SITE.conf pour les sites écoutant en clair, et SITE.ssl.conf pour les
|
||||
sites écoutant en https.
|
||||
Pour chaque site SITE.ssl.conf, un fichier SITE-certs.conf doit exister dans
|
||||
certsconf/. Pour chaque fichier SITE.ssl.conf, les balises @@ca@@, @@cert@@
|
||||
et @@key@@ sont remplacés par les valeurs des variables ca, cert et key
|
||||
définies dans le fichier correspondant SITE-certs.conf
|
||||
|
||||
cgi-bin/
|
||||
Répertoire des scripts cgi
|
||||
|
||||
www/
|
||||
Répertoire des fichiers du serveur web
|
||||
|
||||
certsconf/
|
||||
Répertoire qui contient la configuration pour les certificats à installer.
|
||||
Les fichiers de ce répertoire sont de la forme SITE-certs.conf et chacun
|
||||
d'eux correspond à un fichier SITE.ssl.conf dans sites/
|
||||
|
||||
RewriteRules/
|
||||
Répertoire qui contient la configuration de réécriture. Tous les fichiers
|
||||
RewriteRules*.conf de ce répertoire sont copiés dans /etc/apache2
|
||||
|
||||
Tous les autres fichiers sont copiés tels quels dans /etc/apache2. Notamment,
|
||||
apache2.conf est le fichier de configuration principal d'apache et ports.conf le
|
||||
fichier de configuration des ports d'écoute.
|
||||
|
||||
## Configuration TLS
|
||||
|
||||
Le site https://mozilla.github.io/server-side-tls/ssl-config-generator/ contient
|
||||
des informations sur la façon de configurer ssl côté serveur pour la sécurité et
|
||||
les navigateurs modernes
|
||||
|
||||
Voir les détails sur https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
@ -0,0 +1,15 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
|
||||
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
|
||||
# certificats à installer sur le serveur.
|
||||
certsdir=@@certsdir@@
|
||||
|
||||
# Fichier contenant les certificats racines qui valident le certificat à
|
||||
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
|
||||
# d'autres serveurs web
|
||||
ca=@@caname@@
|
||||
|
||||
# Certificat et clé privée à installer
|
||||
cert=
|
||||
key=
|
|
@ -0,0 +1,24 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||
# variables suivantes:
|
||||
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des cgi-bins"
|
||||
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||
udir_types=(uinst:rsync)
|
||||
uinc=release
|
||||
uinc_options=()
|
||||
uinc_args=()
|
||||
configure_variables=(dest)
|
||||
configure_dest_for=()
|
||||
config_scripts=()
|
||||
install_profiles=false
|
||||
workdir_rsync_options=()
|
||||
workdir_excludes=()
|
||||
workdir_includes=()
|
||||
copy_files=true
|
||||
rsync_options=()
|
||||
destdir=root@@@host@@:CGIBINDIR
|
||||
srcdir=.
|
||||
files=()
|
||||
owner=root:
|
||||
modes=(u=rwX,g=rX,o=rX)
|
||||
root_scripts=()
|
|
@ -0,0 +1,6 @@
|
|||
#!/bin/bash
|
||||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
echo "Content-Type: text/plain"
|
||||
echo ""
|
||||
echo "OK"
|
|
@ -0,0 +1,15 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
<IfModule mod_ssl.c>
|
||||
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
|
||||
# Choisir un des profils. Clients les plus anciens pouvant se connecter:
|
||||
# modern: Firefox 27, Chrome 30, Windows 7 IE 11, Edge, Opera 17, Safari 9, Android 5.0, Java 8
|
||||
# intermediate: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
|
||||
# old: Windows XP IE6, Java 6
|
||||
#Define SSL_CONFIG_MODERN
|
||||
#Define SSL_CONFIG_INTERMEDIATE
|
||||
#Define SSL_CONFIG_OLD
|
||||
|
||||
# Faut-il activer HSTS?
|
||||
#Define SSL_CONFIG_HSTS
|
||||
</IfModule>
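Review bot: All three profile selectors (`#Define SSL_CONFIG_MODERN`, `#Define SSL_CONFIG_INTERMEDIATE`, `#Define SSL_CONFIG_OLD`) are commented out, and nothing in this file says which protocol/cipher profile applies when none is defined — presumably the `<IfDefine>` blocks live in another conf file not shown here. Add a comment stating the fallback, e.g. `# If none is defined, the <PROFILE_APPLIED_BY_DEFAULT — placeholder, check the file holding the IfDefine blocks> profile applies`, so an operator who leaves the defaults knows whether the weak "old" profile is in effect. The same applies to `SSL_CONFIG_HSTS`: note whether HSTS is off by default.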
|
|
@ -0,0 +1,4 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Liste des modules à activer. Syntaxe:
|
||||
# module ou +module pour activer un module
|
||||
# -module pour le désactiver
|
|
@ -107,7 +107,7 @@
|
|||
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
# (The mechanism dbm has known memory leaks and should not be used).
|
||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||
|
@ -116,7 +116,7 @@
|
|||
|
||||
# Semaphore:
|
||||
# Configure the path to the mutual exclusion semaphore the
|
||||
# SSL engine uses internally for inter-process synchronization.
|
||||
# SSL engine uses internally for inter-process synchronization.
|
||||
# (Disabled by default, the global Mutex directive consolidates by default
|
||||
# this)
|
||||
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
|
|
@ -0,0 +1,24 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Configuration du réseau sur le serveur. Ce fichier est traité différemment
|
||||
# selon le mode de configuration.
|
||||
# - En mode complet, ce fichier définit le nom d'hôte ainsi que toutes les
|
||||
# interfaces, ponts et adresses. La variable host et les tableaux ips et brs
|
||||
# sont pris en compte.
|
||||
# - En mode partiel, seuls le tableau ips est pris en compte: il est utilisé
|
||||
# pour définir des adresses ips supplémentaires à configurer sur le serveur.
|
||||
|
||||
# Liste des adresses IPs à configurer. Chaque élément est de la forme
|
||||
# [IFACE:]dhcp ou [[IFACE][//GATEWAY]:]IP[/SUFFIX]
|
||||
ips=()
|
||||
|
||||
# Liste des ponts à configurer. Chaque élément est de la forme BR:IFACES
|
||||
# BR est le nom du pont, e.g. br0. IFACES est une liste d'interfaces séparées
|
||||
# par une virgule. e.g. br0:eth0,eth1
|
||||
brs=()
|
||||
|
||||
# Nom d'hôte pleinement qualifié. Si ce paramètre est spécifié, les fichiers
|
||||
# /etc/hosts, /etc/hostname et /etc/mailname sont mis à jour.
|
||||
host=
|
||||
|
||||
# Contenu du fichier /etc/networks
|
||||
etc_networks=
|
|
@ -7,16 +7,8 @@ Listen 80
|
|||
|
||||
<IfModule ssl_module>
|
||||
Listen 443
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_gnutls.c>
|
||||
Listen 443
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
|
@ -0,0 +1,2 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Liste des sites à activer. Syntaxe:
|
||||
# site ou +site pour activer un site
|
||||
# -site pour le désactiver
|
|
@ -0,0 +1,9 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Liste de paquets système à installer, e.g. php5 ou libapache2-mod-jk
|
||||
# Chaque package doit être indiqué sur une ligne à part
|
||||
#libapache2-mod-jk
|
||||
#libapache2-mod-auth-cas
|
||||
#php5-mysql
|
||||
#php5-ldap
|
||||
#php5-gmp
|
||||
#php5-gd
|
|
@ -0,0 +1,15 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
|
||||
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
|
||||
# certificats à installer sur le serveur.
|
||||
certsdir=@@certsdir@@
|
||||
|
||||
# Fichier contenant les certificats racines qui valident le certificat à
|
||||
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
|
||||
# d'autres serveurs web
|
||||
ca=@@caname@@
|
||||
|
||||
# Certificat et clé privée à installer
|
||||
cert=
|
||||
key=
|
|
@ -0,0 +1,31 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
<VirtualHost *:80>
|
||||
# The ServerName directive sets the request scheme, hostname and port that
|
||||
# the server uses to identify itself. This is used when creating
|
||||
# redirection URLs. In the context of virtual hosts, the ServerName
|
||||
# specifies what hostname must appear in the request's Host: header to
|
||||
# match this virtual host. For the default virtual host (this file) this
|
||||
# value is not decisive as it is used as a last resort host regardless.
|
||||
# However, you must set it for any further virtual host explicitly.
|
||||
ServerName SITE.TLD
|
||||
ServerAlias SITE SITE.local
|
||||
ServerAdmin @@admin@@
|
||||
|
||||
DocumentRoot /var/www/SITE
|
||||
|
||||
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
|
||||
# error, crit, alert, emerg.
|
||||
# It is also possible to configure the loglevel for particular
|
||||
# modules, e.g.
|
||||
#LogLevel info ssl:warn
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
|
||||
|
||||
# For most configuration files from conf-available/, which are
|
||||
# enabled or disabled at a global level, it is possible to
|
||||
# include a line for only one particular virtual host. For example the
|
||||
# following line enables the CGI configuration for this host only
|
||||
# after it has been globally disabled with "a2disconf".
|
||||
#Include conf-available/serve-cgi-bin.conf
|
||||
</VirtualHost>
|
|
@ -1,54 +1,27 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost _default_:443>
|
||||
ServerName @@host@@
|
||||
ServerAlias @@aliases@@
|
||||
ServerName SITE.TLD
|
||||
ServerAlias SITE SITE.local
|
||||
ServerAdmin @@admin@@
|
||||
|
||||
DocumentRoot /var/www
|
||||
<Directory />
|
||||
Options FollowSymLinks
|
||||
AllowOverride None
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
DocumentRoot /var/www/SITE
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||
# mod-webobjects.conf
|
||||
# Sinon, il suffit de commenter les lignes suivantes:
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
|
||||
# error, crit, alert, emerg.
|
||||
# It is also possible to configure the loglevel for particular
|
||||
# modules, e.g.
|
||||
#LogLevel info ssl:warn
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
|
||||
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
|
||||
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
||||
|
||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</LocationMatch>
|
||||
|
||||
<Location /WebObjects>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Location>
|
||||
# For most configuration files from conf-available/, which are
|
||||
# enabled or disabled at a global level, it is possible to
|
||||
# include a line for only one particular virtual host. For example the
|
||||
# following line enables the CGI configuration for this host only
|
||||
# after it has been globally disabled with "a2disconf".
|
||||
#Include conf-available/serve-cgi-bin.conf
|
||||
|
||||
# SSL Engine Switch:
|
||||
# Enable/Disable SSL for this virtual host.
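Review bot: The new per-site SSL template keeps `<VirtualHost _default_:443>` while switching to a site-specific `ServerName SITE.TLD`; `_default_` makes this vhost the catch-all for any address:443 not matched by another vhost, so a second site created from the same template competes for that role. For a per-site file `<VirtualHost *:443>` is the usual choice, with `_default_` reserved for the single fallback vhost. The `<IfModule mod_ssl.c>` wrapper and the vhost body continue outside this hunk.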
|
||||
|
@ -56,7 +29,7 @@
|
|||
|
||||
# A self-signed (snakeoil) certificate can be created by installing
|
||||
# the ssl-cert package. See
|
||||
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
|
||||
# /usr/share/doc/apache2/README.Debian.gz for more info.
|
||||
# If both key and certificate are stored in the same file, only the
|
||||
# SSLCertificateFile directive is needed.
|
||||
SSLCertificateFile @@cert@@
|
||||
|
@ -99,21 +72,6 @@
|
|||
#SSLVerifyClient require
|
||||
#SSLVerifyDepth 10
|
||||
|
||||
# Access Control:
|
||||
# With SSLRequire you can do per-directory access control based
|
||||
# on arbitrary complex boolean expressions containing server
|
||||
# variable checks and other lookup directives. The syntax is a
|
||||
# mixture between C and Perl. See the mod_ssl documentation
|
||||
# for more details.
|
||||
#<Location />
|
||||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||
#</Location>
|
||||
|
||||
# SSL Engine Options:
|
||||
# Set various options for the SSL engine.
|
||||
# o FakeBasicAuth:
|
||||
|
@ -134,19 +92,15 @@
|
|||
# because the extraction step is an expensive operation and is usually
|
||||
# useless for serving static content. So one usually enables the
|
||||
# exportation for CGI and SSI requests only.
|
||||
# o StrictRequire:
|
||||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||
# and no other module can change it.
|
||||
# o OptRenegotiate:
|
||||
# This enables optimized SSL connection renegotiation handling when SSL
|
||||
# directives are used in per-directory context.
|
||||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
# SSL Protocol Adjustments:
|
||||
|
@ -174,8 +128,8 @@
|
|||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||||
# "force-response-1.0" for this.
|
||||
BrowserMatch "MSIE [2-6]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
# MSIE 7 and newer should be able to use keepalive
|
||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||
# variables suivantes:
|
||||
udir_desc="Fichiers à déployer dans le répertoire des documents web"
|
||||
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||
udir_types=(uinst:rsync)
|
||||
uinc=release
|
||||
uinc_options=()
|
||||
uinc_args=()
|
||||
configure_variables=(dest)
|
||||
configure_dest_for=()
|
||||
config_scripts=()
|
||||
install_profiles=false
|
||||
workdir_rsync_options=()
|
||||
workdir_excludes=()
|
||||
workdir_includes=()
|
||||
copy_files=true
|
||||
rsync_options=(--delete-after)
|
||||
destdir=root@@@host@@:HTDOCSBASE/SITE
|
||||
srcdir=.
|
||||
files=()
|
||||
owner=www-data:
|
||||
modes=(u=rwX,g=rX,o=rX)
|
||||
root_scripts=()
|
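Review bot: `destdir=root@@@host@@:HTDOCSBASE/SITE` mixes a templatectl marker (`@@host@@`) with bare tokens (`HTDOCSBASE`, `SITE`) that nothing visible in this file substitutes, so a copy of the template deployed before those tokens are edited rsyncs as root to the literal path `HTDOCSBASE/SITE` relative to root's home directory, and with `rsync_options=(--delete-after)` it prunes that directory as well. The second udir file added by this commit (`destdir=root@@@host@@:HTDOCSDIR`) has the same pattern. Either turn them into markers handled by the same substitution step as `@@host@@`, or state the expectation in a comment above the line, e.g. `# HTDOCSBASE and SITE are not template variables: set them by hand before running uinst`.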
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
|
@ -0,0 +1,17 @@
|
|||
worker.list=prod,dev
|
||||
|
||||
worker.prod.port=8009
|
||||
worker.prod.host=@@prod_host@@
|
||||
worker.prod.type=ajp13
|
||||
worker.prod.lbfactor=1
|
||||
worker.prod.connection_pool_timeout=600
|
||||
worker.prod.socket_keepalive=1
|
||||
worker.prod.socket_timeout=60
|
||||
|
||||
worker.dev.port=8009
|
||||
worker.dev.host=@@dev_host@@
|
||||
worker.dev.type=ajp13
|
||||
worker.dev.lbfactor=1
|
||||
worker.dev.connection_pool_timeout=600
|
||||
worker.dev.socket_keepalive=1
|
||||
worker.dev.socket_timeout=60
|
|
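Review bot: The two AJP workers (`worker.prod.host=@@prod_host@@` and `worker.dev.host=@@dev_host@@`, both on port 8009) carry no connection authentication and the file has no comment saying what the two markers must be set to or that the AJP port must only be reachable from the front-end host. mod_jk supports `worker.<name>.secret`, matched by the `secret` attribute of Tomcat's AJP connector, which is worth mentioning alongside the markers. A header such as `# prod_host/dev_host: AJP back-ends; keep port 8009 on a trusted network or set worker.<name>.secret to match the Tomcat connector` would make both points visible to whoever instantiates the template.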
@ -0,0 +1,24 @@
|
|||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||
# variables suivantes:
|
||||
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des documents web"
|
||||
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||
udir_types=(uinst:rsync)
|
||||
uinc=release
|
||||
uinc_options=()
|
||||
uinc_args=()
|
||||
configure_variables=(dest)
|
||||
configure_dest_for=()
|
||||
config_scripts=()
|
||||
install_profiles=false
|
||||
workdir_rsync_options=()
|
||||
workdir_excludes=()
|
||||
workdir_includes=()
|
||||
copy_files=true
|
||||
rsync_options=()
|
||||
destdir=root@@@host@@:HTDOCSDIR
|
||||
srcdir=.
|
||||
files=()
|
||||
owner=www-data:
|
||||
modes=(u=rwX,g=rX,o=rX)
|
||||
root_scripts=()
|
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
|
@ -1,10 +1,6 @@
|
|||
#!/bin/bash
|
||||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
source /etc/ulib &&
|
||||
urequire DEFAULTS ||
|
||||
exit 1
|
||||
OENC="$UTF8"
|
||||
source /etc/ulibauto || exit 1
|
||||
|
||||
PRIHOST=
|
||||
PUBHOST=
|
||||
|
|
|
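Review bot: `OENC="$UTF8"` is evaluated before `source /etc/ulibauto || exit 1`, so if `UTF8` is defined by the sourced library rather than already present in the environment, `OENC` ends up as the empty string and the intended output encoding is lost; the previous form of this prologue did not reference `UTF8` at all. If the library reads `OENC` during its own initialisation this ordering may be deliberate, in which case a comment such as `# OENC is read by ulibauto at load time; UTF8 must already be exported` above the assignment would make that explicit. The script body continues outside the hunk.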
@ -0,0 +1,103 @@
|
|||
<IfModule mod_ssl.c>
|
||||
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
<IfDefine SSL_CONFIG_MODERN>
|
||||
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
SSLHonorCipherOrder on
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_MODERN>
|
||||
<IfDefine SSL_CONFIG_INTERMEDIATE>
|
||||
# intermediate configuration, tweak to your needs
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
SSLHonorCipherOrder on
|
||||
SSLCompression off
|
||||
SSLSessionTickets off
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_INTERMEDIATE>
|
||||
<IfDefine SSL_CONFIG_OLD>
|
||||
# old configuration, tweak to your needs
|
||||
SSLProtocol all -SSLv2
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
SSLCompression off
|
||||
SSLSessionTickets off
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_OLD>
|
||||
# default debian configuration
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_ssl documentation for a complete list.
|
||||
# enable only secure ciphers:
|
||||
SSLCipherSuite HIGH:MEDIUM:!ADH
|
||||
# Use this instead if you want to allow cipher upgrades via SGC facility.
|
||||
# In this case you also have to use something like
|
||||
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
||||
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
|
||||
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
||||
|
||||
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
|
||||
SSLProtocol all -SSLv2
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
|
||||
#
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the SSL library.
|
||||
# The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. This means you then cannot use the /dev/random device
|
||||
# because it would lead to very long connection times (as long as
|
||||
# it requires to make more entropy available). But usually those
|
||||
# platforms additionally provide a /dev/urandom device which doesn't
|
||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||
# Manual for more details.
|
||||
#
|
||||
SSLRandomSeed startup builtin
|
||||
SSLRandomSeed startup file:/dev/urandom 512
|
||||
SSLRandomSeed connect builtin
|
||||
SSLRandomSeed connect file:/dev/urandom 512
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
##
|
||||
## All SSL configuration in this context applies both to
|
||||
## the main server and all SSL-enabled virtual hosts.
|
||||
##
|
||||
|
||||
#
|
||||
# Some MIME-types for downloading Certificates and CRLs
|
||||
#
|
||||
AddType application/x-x509-ca-cert .crt
|
||||
AddType application/x-pkcs7-crl .crl
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
SSLPassPhraseDialog builtin
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
# (The mechanism dbm has known memory leaks and should not be used).
|
||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
|
||||
# Semaphore:
|
||||
# Configure the path to the mutual exclusion semaphore the
|
||||
# SSL engine uses internally for inter-process synchronization.
|
||||
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
|
||||
|
||||
# Allow insecure renegotiation with clients which do not yet support the
|
||||
# secure renegotiation protocol. Default: Off
|
||||
#SSLInsecureRenegotiation on
|
||||
|
||||
# Whether to forbid non-SNI clients to access name based virtual hosts.
|
||||
# Default: Off
|
||||
#SSLStrictSNIVHostCheck On
|
||||
</IfModule>
|
|
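Review bot: The `<IfDefine SSL_CONFIG_MODERN>` block is commented as being the same as SSL_CONFIG_INTERMEDIATE, but it lacks the `SSLCompression off` and `SSLSessionTickets off` lines the intermediate block carries, so selecting MODERN actually yields the weaker of the two profiles; add those two lines after its `SSLHonorCipherOrder on`. The fallback branch under `<IfDefine !SSL_CONFIG_OLD>` keeps `SSLProtocol all -SSLv2` while its comment still describes SSLv3 as a secure protocol; unless SSLv3-only clients must be served, `SSLProtocol all -SSLv2 -SSLv3` is the safer default for a template that gets copied onto new hosts, and the comment should be updated to match. The file is otherwise byte-identical to the copy deleted below, so only the retained content is at issue.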
@ -1,103 +0,0 @@
|
|||
<IfModule mod_ssl.c>
|
||||
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
<IfDefine SSL_CONFIG_MODERN>
|
||||
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
SSLHonorCipherOrder on
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_MODERN>
|
||||
<IfDefine SSL_CONFIG_INTERMEDIATE>
|
||||
# intermediate configuration, tweak to your needs
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
SSLHonorCipherOrder on
|
||||
SSLCompression off
|
||||
SSLSessionTickets off
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_INTERMEDIATE>
|
||||
<IfDefine SSL_CONFIG_OLD>
|
||||
# old configuration, tweak to your needs
|
||||
SSLProtocol all -SSLv2
|
||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
SSLCompression off
|
||||
SSLSessionTickets off
|
||||
</IfDefine>
|
||||
<IfDefine !SSL_CONFIG_OLD>
|
||||
# default debian configuration
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_ssl documentation for a complete list.
|
||||
# enable only secure ciphers:
|
||||
SSLCipherSuite HIGH:MEDIUM:!ADH
|
||||
# Use this instead if you want to allow cipher upgrades via SGC facility.
|
||||
# In this case you also have to use something like
|
||||
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
||||
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
|
||||
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
||||
|
||||
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
|
||||
SSLProtocol all -SSLv2
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
</IfDefine>
|
||||
|
||||
#
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the SSL library.
|
||||
# The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. This means you then cannot use the /dev/random device
|
||||
# because it would lead to very long connection times (as long as
|
||||
# it requires to make more entropy available). But usually those
|
||||
# platforms additionally provide a /dev/urandom device which doesn't
|
||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||
# Manual for more details.
|
||||
#
|
||||
SSLRandomSeed startup builtin
|
||||
SSLRandomSeed startup file:/dev/urandom 512
|
||||
SSLRandomSeed connect builtin
|
||||
SSLRandomSeed connect file:/dev/urandom 512
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
##
|
||||
## All SSL configuration in this context applies both to
|
||||
## the main server and all SSL-enabled virtual hosts.
|
||||
##
|
||||
|
||||
#
|
||||
# Some MIME-types for downloading Certificates and CRLs
|
||||
#
|
||||
AddType application/x-x509-ca-cert .crt
|
||||
AddType application/x-pkcs7-crl .crl
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
SSLPassPhraseDialog builtin
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
# (The mechanism dbm has known memory leaks and should not be used).
|
||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
|
||||
# Semaphore:
|
||||
# Configure the path to the mutual exclusion semaphore the
|
||||
# SSL engine uses internally for inter-process synchronization.
|
||||
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
|
||||
|
||||
# Allow insecure renegotiation with clients which do not yet support the
|
||||
# secure renegotiation protocol. Default: Off
|
||||
#SSLInsecureRenegotiation on
|
||||
|
||||
# Whether to forbid non-SNI clients to access name based virtual hosts.
|
||||
# Default: Off
|
||||
#SSLStrictSNIVHostCheck On
|
||||
</IfModule>
|
|
@ -0,0 +1,29 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# If you just change the port or add more ports here, you will likely also
|
||||
# have to change the VirtualHost statement in
|
||||
# /etc/apache2/sites-enabled/000-default
|
||||
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
|
||||
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
|
||||
# README.Debian.gz
|
||||
|
||||
NameVirtualHost *:80
|
||||
Listen *:80
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
# If you add NameVirtualHost *:443 here, you will also have to change
|
||||
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
|
||||
# to <VirtualHost *:443>
|
||||
# Server Name Indication for SSL named virtual hosts is currently not
|
||||
# supported by MSIE on Windows XP.
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_gnutls.c>
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
|
@ -1,29 +0,0 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
# If you just change the port or add more ports here, you will likely also
|
||||
# have to change the VirtualHost statement in
|
||||
# /etc/apache2/sites-enabled/000-default
|
||||
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
|
||||
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
|
||||
# README.Debian.gz
|
||||
|
||||
NameVirtualHost *:80
|
||||
Listen *:80
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
# If you add NameVirtualHost *:443 here, you will also have to change
|
||||
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
|
||||
# to <VirtualHost *:443>
|
||||
# Server Name Indication for SSL named virtual hosts is currently not
|
||||
# supported by MSIE on Windows XP.
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_gnutls.c>
|
||||
#NameVirtualHost IP:443
|
||||
#Listen IP:443
|
||||
#@@ips_namevirtualhosts@@
|
||||
#@@ips_listens@@
|
||||
</IfModule>
|
|
@ -0,0 +1,51 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName @@host@@
|
||||
ServerAlias @@aliases@@
|
||||
ServerAdmin @@admin@@
|
||||
|
||||
DocumentRoot /var/www
|
||||
<Directory />
|
||||
Options FollowSymLinks
|
||||
AllowOverride None
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||
# mod-webobjects.conf
|
||||
# Sinon, il suffit de commenter les lignes suivantes:
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</LocationMatch>
|
||||
<Location /WebObjects>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Location>
|
||||
</VirtualHost>
|
|
@ -1,51 +0,0 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName @@host@@
|
||||
ServerAlias @@aliases@@
|
||||
ServerAdmin @@admin@@
|
||||
|
||||
DocumentRoot /var/www
|
||||
<Directory />
|
||||
Options FollowSymLinks
|
||||
AllowOverride None
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||
# mod-webobjects.conf
|
||||
# Sinon, il suffit de commenter les lignes suivantes:
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</LocationMatch>
|
||||
<Location /WebObjects>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Location>
|
||||
</VirtualHost>
|
|
@ -0,0 +1,190 @@
|
|||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost _default_:443>
|
||||
ServerName @@host@@
|
||||
ServerAlias @@aliases@@
|
||||
ServerAdmin @@admin@@
|
||||
|
||||
DocumentRoot /var/www
|
||||
<Directory />
|
||||
Options FollowSymLinks
|
||||
AllowOverride None
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||
# mod-webobjects.conf
|
||||
# Sinon, il suffit de commenter les lignes suivantes:
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
|
||||
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
||||
|
||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</LocationMatch>
|
||||
|
||||
<Location /WebObjects>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
# SSL Engine Switch:
|
||||
# Enable/Disable SSL for this virtual host.
|
||||
SSLEngine on
|
||||
|
||||
# A self-signed (snakeoil) certificate can be created by installing
|
||||
# the ssl-cert package. See
|
||||
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
|
||||
# If both key and certificate are stored in the same file, only the
|
||||
# SSLCertificateFile directive is needed.
|
||||
SSLCertificateFile @@cert@@
|
||||
SSLCertificateKeyFile @@key@@
|
||||
|
||||
# Server Certificate Chain:
|
||||
# Point SSLCertificateChainFile at a file containing the
|
||||
# concatenation of PEM encoded CA certificates which form the
|
||||
# certificate chain for the server certificate. Alternatively
|
||||
# the referenced file can be the same as SSLCertificateFile
|
||||
# when the CA certificates are directly appended to the server
|
||||
# certificate for convinience.
|
||||
SSLCertificateChainFile @@ca@@
|
||||
|
||||
# Certificate Authority (CA):
|
||||
# Set the CA certificate verification path where to find CA
|
||||
# certificates for client authentication or alternatively one
|
||||
# huge file containing all of them (file must be PEM encoded)
|
||||
# Note: Inside SSLCACertificatePath you need hash symlinks
|
||||
# to point to the certificate files. Use the provided
|
||||
# Makefile to update the hash symlinks after changes.
|
||||
#SSLCACertificatePath /etc/ssl/certs/
|
||||
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
|
||||
|
||||
# Certificate Revocation Lists (CRL):
|
||||
# Set the CA revocation path where to find CA CRLs for client
|
||||
# authentication or alternatively one huge file containing all
|
||||
# of them (file must be PEM encoded)
|
||||
# Note: Inside SSLCARevocationPath you need hash symlinks
|
||||
# to point to the certificate files. Use the provided
|
||||
# Makefile to update the hash symlinks after changes.
|
||||
#SSLCARevocationPath /etc/apache2/ssl.crl/
|
||||
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
|
||||
|
||||
# Client Authentication (Type):
|
||||
# Client certificate verification type and depth. Types are
|
||||
# none, optional, require and optional_no_ca. Depth is a
|
||||
# number which specifies how deeply to verify the certificate
|
||||
# issuer chain before deciding the certificate is not valid.
|
||||
#SSLVerifyClient require
|
||||
#SSLVerifyDepth 10
|
||||
|
||||
# Access Control:
|
||||
# With SSLRequire you can do per-directory access control based
|
||||
# on arbitrary complex boolean expressions containing server
|
||||
# variable checks and other lookup directives. The syntax is a
|
||||
# mixture between C and Perl. See the mod_ssl documentation
|
||||
# for more details.
|
||||
#<Location />
|
||||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||
#</Location>
|
||||
|
||||
# SSL Engine Options:
|
||||
# Set various options for the SSL engine.
|
||||
# o FakeBasicAuth:
|
||||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||
# user name is the `one line' version of the client's X.509 certificate.
|
||||
# Note that no password is obtained from the user. Every entry in the user
|
||||
# file needs this password: `xxj31ZMTZzkVA'.
|
||||
# o ExportCertData:
|
||||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||
# server (always existing) and the client (only existing when client
|
||||
# authentication is used). This can be used to import the certificates
|
||||
# into CGI scripts.
|
||||
# o StdEnvVars:
|
||||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||
# Per default this exportation is switched off for performance reasons,
|
||||
# because the extraction step is an expensive operation and is usually
|
||||
# useless for serving static content. So one usually enables the
|
||||
# exportation for CGI and SSI requests only.
|
||||
# o StrictRequire:
|
||||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||
# and no other module can change it.
|
||||
# o OptRenegotiate:
|
||||
# This enables optimized SSL connection renegotiation handling when SSL
|
||||
# directives are used in per-directory context.
|
||||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
# SSL Protocol Adjustments:
|
||||
# The safe and default but still SSL/TLS standard compliant shutdown
|
||||
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
||||
# the close notify alert from client. When you need a different shutdown
|
||||
# approach you can use one of the following variables:
|
||||
# o ssl-unclean-shutdown:
|
||||
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||||
# SSL close notify alert is send or allowed to received. This violates
|
||||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||||
# this when you receive I/O errors because of the standard approach where
|
||||
# mod_ssl sends the close notify alert.
|
||||
# o ssl-accurate-shutdown:
|
||||
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||||
# SSL close notify alert is send and mod_ssl waits for the close notify
|
||||
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||||
# practice often causes hanging connections with brain-dead browsers. Use
|
||||
# this only for browsers where you know that their SSL implementation
|
||||
# works correctly.
|
||||
# Notice: Most problems of broken clients are also related to the HTTP
|
||||
# keep-alive facility, so you usually additionally want to disable
|
||||
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
||||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
||||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||||
# "force-response-1.0" for this.
|
||||
BrowserMatch "MSIE [2-6]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
# MSIE 7 and newer should be able to use keepalive
|
||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||
|
||||
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
<IfDefine SSL_CONFIG_HSTS>
|
||||
<IfModule mod_headers.c>
|
||||
# HSTS (15768000 seconds = 6 months)
|
||||
Header always set Strict-Transport-Security "max-age=15768000"
|
||||
</IfModule>
|
||||
</IfDefine>
|
||||
</VirtualHost>
|
||||
</IfModule>
|
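Review bot: `ServerAlias @@aliases@@` and `SSLCertificateChainFile @@ca@@` place a template marker as the sole argument of directives that require at least one argument, so if apacheconfig leaves either marker empty (a host without aliases, or an already-installed certificate with no separate chain file, which the commit message says is now a supported case) the generated vhost fails `apache2ctl configtest`; neither line uses the commented `#@@…@@` form the ports template on this page relies on. Either have the generator drop the line when the value is empty, or keep it commented in the template and let the generator uncomment it when a value exists. Separately, `<Directory /var/www/>` carries `Options Indexes FollowSymLinks MultiViews`, which enables directory listings on the SSL host's document root; a template default is safer without `Indexes`, leaving sites that need listings to add it.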
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
207
mkRewriteRules
207
mkRewriteRules
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
source "$(dirname "$0")/lib/ulib/ulib" || exit 1
|
||||
urequire DEFAULTS
|
||||
urequire DEFAULTS apache.tools
|
||||
|
||||
function display_help() {
|
||||
uecho "$scriptname: Créer un fichier de redirections pour Apache à partir d'un certain
|
||||
|
@ -82,23 +82,9 @@ Dans les exemples donnés ci-dessus, $URL est l'\''url générée par la réécr
|
|||
et $proxy_acls la valeur du champ proxy_acls spécifiée ci-dessus.'
|
||||
}
|
||||
|
||||
function joinurl() {
|
||||
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
|
||||
local i url
|
||||
for i in "$@"; do
|
||||
[ -n "$i" ] || continue
|
||||
if [ -n "$url" ]; then
|
||||
url="${url%/}/${i#/}"
|
||||
else
|
||||
url="$i"
|
||||
fi
|
||||
done
|
||||
[ -n "$url" ] && echo "$url"
|
||||
}
|
||||
|
||||
proxy_enabled=
|
||||
infile=
|
||||
outfile="RewriteRules.conf"
|
||||
outfile=
|
||||
htmlfile=
|
||||
host=
|
||||
parse_opts "${PRETTYOPTS[@]}" \
|
||||
|
@ -109,187 +95,20 @@ parse_opts "${PRETTYOPTS[@]}" \
|
|||
-w: htmlfile= \
|
||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||
|
||||
[ -n "$infile" ] || die "Il faut spécifier le fichier de règles"
|
||||
[ -f "$infile" ] || die "Fichier de règles non trouvé: $(ppath "$infile")"
|
||||
|
||||
thishost="$1"
|
||||
[ -n "$thishost" ] || die "Il faut spécifier l'hôte pour lequel créer le fichier de configuration"
|
||||
|
||||
function has_proxy() {
|
||||
# vérifier que les options $1 contiennent 'P'
|
||||
local options
|
||||
array_split options "$1" ","
|
||||
array_contains options P
|
||||
}
|
||||
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
|
||||
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||
-->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>'"$thishost</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>$thishost</h2>
|
||||
<ul>" >"$htmlfile"
|
||||
if [ -n "$infile" ]; then infiles=("$infile")
|
||||
else array_lsfiles infiles . "*rewrite*.rules"
|
||||
fi
|
||||
|
||||
>"$outfile"
|
||||
array_from_lines rules "$(<"$infile" filter_comment)"
|
||||
prefix=
|
||||
for rule in "${rules[@]}"; do
|
||||
if beginswith "$rule" ^; then
|
||||
# Collecter les préfixe pour la règle suivante
|
||||
prefix="${prefix:+$prefix
|
||||
}${rule#^}"
|
||||
continue
|
||||
elif beginswith "$rule" =; then
|
||||
# ligne litérale
|
||||
echo "${rule#=}" >>"$outfile"
|
||||
continue
|
||||
fi
|
||||
|
||||
IFS=:; set -- $rule; unset IFS
|
||||
index=1
|
||||
done=
|
||||
while [ -z "$done" ]; do
|
||||
current="$1"; shift
|
||||
while endswith "$current" "\\"; do
|
||||
current="${current%\\}:$1"; shift
|
||||
done
|
||||
case $index in
|
||||
1) src="$current";;
|
||||
2) dest="$current";;
|
||||
3) host="$current";;
|
||||
4) suffix="$current";;
|
||||
5) options="$current";;
|
||||
6) prot="${current:-http}";;
|
||||
7) proxy_acls="$current";;
|
||||
*) done=1;;
|
||||
esac
|
||||
index=$(($index + 1))
|
||||
done
|
||||
|
||||
# mettre en forme prefix s'il est défini
|
||||
[ -n "$prefix" ] && prefix="$prefix
|
||||
"
|
||||
|
||||
if [ "$thishost" == "$host" ]; then
|
||||
host=
|
||||
fi
|
||||
|
||||
usrc="$src"
|
||||
|
||||
trail=1
|
||||
if endswith "$src" '$'; then
|
||||
trail=
|
||||
usrc="${src%$}"
|
||||
fi
|
||||
|
||||
noslash=
|
||||
if endswith "$suffix" '$'; then
|
||||
noslash=1
|
||||
suffix="${suffix%$}"
|
||||
fi
|
||||
if endswith "$dest" '$'; then
|
||||
noslash=1
|
||||
dest="${dest%$}"
|
||||
fi
|
||||
|
||||
proxy_url=
|
||||
proxy_use=
|
||||
|
||||
if endswith "$dest" .woa; then
|
||||
# lien vers une application
|
||||
if [ -n "$host" ]; then
|
||||
# sur un autre hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||
fi
|
||||
else
|
||||
# sur le même hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||
proxy_use=1
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||
proxy_use=1
|
||||
fi
|
||||
fi
|
||||
[ ${#infiles[*]} -gt 0 ] || die "Il faut spécifier le fichier de règles avec -f"
|
||||
for infile in "${infiles[@]}"; do
|
||||
if [ -f "$infile" ]; then
|
||||
estep "$(ppath "$infile")"
|
||||
legacy_mkRewriteRules "$infile" "$thishost" "$outfile" "$htmlfile" "$proxy_enabled"
|
||||
else
|
||||
# lien vers une url
|
||||
if [ -n "$host" ]; then
|
||||
# sur un autre hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix/"
|
||||
fi
|
||||
else
|
||||
# sur le même hôte
|
||||
if [ -n "$noslash" ]; then
|
||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc"
|
||||
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix"
|
||||
else
|
||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$outfile"
|
||||
setx url joinurl "http://$thishost" "$usrc/"
|
||||
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix/"
|
||||
fi
|
||||
fi
|
||||
eerror "$(ppath "$infile"): fichier introuvable"
|
||||
fi
|
||||
has_proxy "$options" && proxy_use=1
|
||||
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
|
||||
if [ "$proxy_acls" == "None" ]; then
|
||||
:
|
||||
elif [ -z "$proxy_acls" ]; then
|
||||
echo "\
|
||||
<Proxy $proxy_url*>
|
||||
AddDefaultCharset off
|
||||
Order Deny,Allow
|
||||
Allow from all
|
||||
</Proxy>" >>"$outfile"
|
||||
else
|
||||
echo "\
|
||||
<Proxy $proxy_url*>
|
||||
AddDefaultCharset off
|
||||
Order Allow,Deny
|
||||
Allow from $proxy_acls
|
||||
</Proxy>" >>"$outfile"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "" >>"$outfile"
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
|
||||
fi
|
||||
|
||||
# Réinitialiser les préfixes pour chaque règle
|
||||
prefix=
|
||||
# réinitialiser pour ne pas écraser un fichier existant
|
||||
outfile=
|
||||
htmlfile=
|
||||
done
|
||||
|
||||
if [ -n "$htmlfile" ]; then
|
||||
echo '</ul>
|
||||
</body>
|
||||
</html>' >>"$htmlfile"
|
||||
fi
|
||||
|
|
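Review bot: On the new side a missing rules file is only reported with `eerror` inside the `for infile` loop, so the run continues and the script still exits 0, whereas the old `[ -f "$infile" ] || die` made it fatal; the return status of `legacy_mkRewriteRules` is dropped too, which undermines the scripted use this commit is meant to enable. I would carry a failure flag through the loop and exit with it at the end of the script. The loop also clears `outfile` and `htmlfile` after the first iteration, so if the trailing `if [ -n "$htmlfile" ]` footer block still exists on the new side it can never fire; presumably the library now writes the HTML footer itself, but that is worth confirming. The hunk opens inside the `parse_opts` call, whose beginning lies outside it.
```shell
# … unchanged: infiles selection and the empty-list die …
rv=0
for infile in "${infiles[@]}"; do
    if [ -f "$infile" ]; then
        estep "$(ppath "$infile")"
        legacy_mkRewriteRules "$infile" "$thishost" "$outfile" "$htmlfile" "$proxy_enabled" || rv=1
    else
        eerror "$(ppath "$infile"): fichier introuvable"
        rv=1
    fi
    # réinitialiser pour ne pas écraser un fichier existant
    outfile=
    htmlfile=
done
# … unchanged: anything that follows the loop …
exit "$rv"
```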