diverses modification de apacheconfig et apache.tools
- rétablir deux répertoires de templates différents: celui pour debian wheezy- est distinct de celui pour jessie+ - support d'une configuration complète ou partielle - support de la mise à jour de la configuration réseau: configuration complète (interfaces standards et bridge) ou partielle (ajout d'adresse ip) - support de templates pour la création de nouveaux site - améliorer le support des certificats: utiliser ceux qui sont déjà installés le cas échéant. - support de fichiers *rewrite*.rules directement dans le répertoire principal. Les fichiers de RewriteRules/ sont obsolètes. - quickstart pour apacheconfig, afin de simplifier son utilisation dans des scripts - fonction legacy_mkRewriteRules() pour pouvoir traiter les fichiers *rewrite*.rules dans des scripts.
This commit is contained in:
parent
c552d2de56
commit
e3cd3cec3f
163
apacheconfig
163
apacheconfig
|
@ -16,6 +16,19 @@ OPTIONS
|
||||||
Créer un nouveau répertoire de configuration pour un hôte
|
Créer un nouveau répertoire de configuration pour un hôte
|
||||||
-d, --destdir DESTDIR[=$TEMPLATECTL_NAME]
|
-d, --destdir DESTDIR[=$TEMPLATECTL_NAME]
|
||||||
Nom du répertoire local de configuration.
|
Nom du répertoire local de configuration.
|
||||||
|
-f,--full
|
||||||
|
--partial
|
||||||
|
Indiquer respectivement que la configuration est complète ou partielle.
|
||||||
|
Avec la configuration complète, le serveur peut être complètement
|
||||||
|
configuré avec tous les fichiers présents. Avec la configuration
|
||||||
|
partielle, uniquement les informations spécifiques à un service en
|
||||||
|
particulier sont disponibles.
|
||||||
|
Cette option est utilisée avec --create. Par défaut, la configuration
|
||||||
|
est partielle.
|
||||||
|
Pour le moment, la seule différence est que --full crée un fichier de
|
||||||
|
configuration nommé .apacheconfig alors que --partial crée un fichier
|
||||||
|
nommé apacheconfig.conf qui est visible et donc découvrable et éditable
|
||||||
|
plus facilement
|
||||||
|
|
||||||
-t, --template [OPT]
|
-t, --template [OPT]
|
||||||
Gérer les fichiers du répertoire local avec templatectl. La valeur de
|
Gérer les fichiers du répertoire local avec templatectl. La valeur de
|
||||||
|
@ -46,9 +59,12 @@ OPTIONS
|
||||||
Lors du déploiement de la configuration, les valeurs des variables
|
Lors du déploiement de la configuration, les valeurs des variables
|
||||||
dynamiques sont remplacées dans les fichiers destination.
|
dynamiques sont remplacées dans les fichiers destination.
|
||||||
Les arguments qui restent sont passés tels quels à apache_autoconf
|
Les arguments qui restent sont passés tels quels à apache_autoconf
|
||||||
|
-N, --network-config
|
||||||
|
Mettre aussi à jour la configuration réseau.
|
||||||
-r, --certsdir CERTSDIR
|
-r, --certsdir CERTSDIR
|
||||||
Spécifier le cas échéant le répertoire contenant les certificats à
|
Spécifier le cas échéant le répertoire contenant les certificats à
|
||||||
déployer. Cet argument est requis si le répertoire certsconf/ existe.
|
déployer. Cet argument est requis si le répertoire certsconf/ existe,
|
||||||
|
sauf si les certificats sont déjà déployés.
|
||||||
|
|
||||||
--localhosts
|
--localhosts
|
||||||
Créer dans le fichier /etc/hosts tous les noms d'hôte ayant un suffixe
|
Créer dans le fichier /etc/hosts tous les noms d'hôte ayant un suffixe
|
||||||
|
@ -63,24 +79,45 @@ OPTIONS
|
||||||
-S, --one-site SITE
|
-S, --one-site SITE
|
||||||
Ne déployer que le fichier de site spécifié. Cette option est utilisée
|
Ne déployer que le fichier de site spécifié. Cette option est utilisée
|
||||||
avec --deploy ou --localhosts et est utile pour le développement et les
|
avec --deploy ou --localhosts et est utile pour le développement et les
|
||||||
tests."
|
tests.
|
||||||
|
|
||||||
|
-k, --new-site HOST.TLD
|
||||||
|
Créer une définition pour un nouveau site à partir des fichiers du
|
||||||
|
répertoires templates/
|
||||||
|
-K, --new-site-templatedir TEMPLATEDIR
|
||||||
|
Spécifier le répertoire source pour les templates de site utilisés par
|
||||||
|
l'option --new-site. Par défaut, utiliser le répertoire templates/ situé
|
||||||
|
dans le répertoire de configuration.
|
||||||
|
Si TEMPLATEDIR est un nom simple sans séparateur de chemin '/' et qu'un
|
||||||
|
répertoire templates/TEMPLATEDIR existe, alors prendre ce répertoire-là
|
||||||
|
comme source.
|
||||||
|
--new-site-force
|
||||||
|
Avec --new-site, utiliser le nom d'hôte fourni même s'il n'est pas
|
||||||
|
pleinement qualifié"
|
||||||
}
|
}
|
||||||
|
|
||||||
action=
|
action=
|
||||||
destdir=
|
destdir=
|
||||||
nohideconfig=
|
nohideconfig=auto
|
||||||
templateopt=
|
templateopt=
|
||||||
|
FULLCONF=
|
||||||
|
netconf=
|
||||||
aac_certsdir=
|
aac_certsdir=
|
||||||
bits=
|
bits=
|
||||||
oneconf=
|
oneconf=
|
||||||
onemodule=
|
onemodule=
|
||||||
onesite=
|
onesite=
|
||||||
|
site_host=
|
||||||
|
site_templdir=
|
||||||
|
site_force=
|
||||||
args=(
|
args=(
|
||||||
--help '$exit_with display_help'
|
--help '$exit_with display_help'
|
||||||
-c,--create action=create
|
-c,--create action=create
|
||||||
-d:,--destdir: destdir=
|
-d:,--destdir: destdir=
|
||||||
--no-hideconfig nohideconfig=1
|
--no-hideconfig nohideconfig=1
|
||||||
--hideconfig nohideconfig=
|
--hideconfig nohideconfig=
|
||||||
|
-f,--full FULLCONF=1
|
||||||
|
--partial FULLCONF=
|
||||||
-t::,--template:: '$set@ templateopt; action=template'
|
-t::,--template:: '$set@ templateopt; action=template'
|
||||||
--help-template '$templateopt=-help; action=template'
|
--help-template '$templateopt=-help; action=template'
|
||||||
-l,--list '$templateopt=l; action=template'
|
-l,--list '$templateopt=l; action=template'
|
||||||
|
@ -96,15 +133,23 @@ args=(
|
||||||
-8,--jessie '$array_add TEMPLATECTL_VARS sysver=jessie'
|
-8,--jessie '$array_add TEMPLATECTL_VARS sysver=jessie'
|
||||||
--bits: bits=
|
--bits: bits=
|
||||||
-u,--update,--deploy action=deploy
|
-u,--update,--deploy action=deploy
|
||||||
|
-N,--network-config netconf=1
|
||||||
-r:,--certsdir: aac_certsdir=
|
-r:,--certsdir: aac_certsdir=
|
||||||
--localhosts action=localhosts
|
--localhosts action=localhosts
|
||||||
-C:,--one-conf: oneconf=
|
-C:,--one-conf: oneconf=
|
||||||
-M:,--one-module: onemodule=
|
-M:,--one-module: onemodule=
|
||||||
-S:,--one-site: onesite=
|
-S:,--one-site: onesite=
|
||||||
|
-k:,--new-site: '$action=new-site; set@ site_host'
|
||||||
|
-K:,--new-site-templatedir: site_templdir=
|
||||||
|
--new-site-force site_force=
|
||||||
)
|
)
|
||||||
parse_args "$@"; set -- "${args[@]}"
|
parse_args "$@"; set -- "${args[@]}"
|
||||||
|
|
||||||
apacheconfig_loadconf "$destdir" || die
|
if [ "$nohideconfig" == auto ]; then
|
||||||
|
[ -n "$FULLCONF" ] && nohideconfig= || nohideconfig=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
apacheconfig_loadconf "$destdir" "$nohideconfig" || die
|
||||||
apacheconfig_sysinfos "$sysname" "$sysdist" "$sysver" "$bits"
|
apacheconfig_sysinfos "$sysname" "$sysdist" "$sysver" "$bits"
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -128,7 +173,7 @@ if [ "$action" == create ]; then
|
||||||
ask_yesno "Le fichier $(ppath "$config") sera écrasé. Voulez-vous continuer?" O || die
|
ask_yesno "Le fichier $(ppath "$config") sera écrasé. Voulez-vous continuer?" O || die
|
||||||
rm -f "$config" || die
|
rm -f "$config" || die
|
||||||
fi
|
fi
|
||||||
templatectl -d "$destdir" --config "$config" --no-load-vars -m --write-vars
|
templatectl -d "$destdir" --config "$config" ${nohideconfig:+--no-hide-config} --no-load-vars -m --write-vars
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
elif [ "$action" == template ]; then
|
elif [ "$action" == template ]; then
|
||||||
|
@ -142,7 +187,9 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
|
||||||
[ -d "$destdir" ] || die "$destdir: répertoire introuvable"
|
[ -d "$destdir" ] || die "$destdir: répertoire introuvable"
|
||||||
|
|
||||||
args=(
|
args=(
|
||||||
-d "$destdir" --$action ${aac_certsdir:+-r "$aac_certsdir"}
|
-d "$destdir" --$action
|
||||||
|
${netconf:+--network-config}
|
||||||
|
${aac_certsdir:+-r "$aac_certsdir"}
|
||||||
${oneconf:+--one-conf "$oneconf"}
|
${oneconf:+--one-conf "$oneconf"}
|
||||||
${onemodule:+--one-module "$onemodule"}
|
${onemodule:+--one-module "$onemodule"}
|
||||||
${onesite:+--one-site "$onesite"}
|
${onesite:+--one-site "$onesite"}
|
||||||
|
@ -160,11 +207,113 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
|
||||||
apacheconfig_deploy \
|
apacheconfig_deploy \
|
||||||
"$destdir" "$aac_certsdir" \
|
"$destdir" "$aac_certsdir" \
|
||||||
"$config" "$oneconf" "$onemodule" "$onesite" \
|
"$config" "$oneconf" "$onemodule" "$onesite" \
|
||||||
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" || die
|
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" \
|
||||||
|
"$netconf" || die
|
||||||
eend
|
eend
|
||||||
elif [ "$action" == localhosts ]; then
|
elif [ "$action" == localhosts ]; then
|
||||||
etitle "Mise à jour de /etc/hosts"
|
etitle "Mise à jour de /etc/hosts"
|
||||||
apacheconfig_deploy_localhosts "$destdir" "$aac_certsdir" "$onesite" || die
|
apacheconfig_deploy_localhosts "$destdir" "$aac_certsdir" "$onesite" || die
|
||||||
eend
|
eend
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
elif [ "$action" == new-site ]; then
|
||||||
|
host="$site_host"
|
||||||
|
templdir="$site_templdir"
|
||||||
|
if [[ "$templdir" != */* ]] && [ -d "$destdir/templates/$templdir" ]; then
|
||||||
|
templdir="$destdir/templates/$templdir"
|
||||||
|
elif [ -z "$templdir" ]; then
|
||||||
|
templdir="$destdir/templates"
|
||||||
|
fi
|
||||||
|
[ -d "$templdir" ] || die "$templdir: répertoire introuvable"
|
||||||
|
force="$site_force"
|
||||||
|
|
||||||
|
clrtempl=
|
||||||
|
ssltempl=
|
||||||
|
certstempl=
|
||||||
|
wwwtempl=
|
||||||
|
array_from_lines templs "$(list_files "$templdir" "*SITE.conf")"
|
||||||
|
[ ${#templs[*]} -gt 0 ] && clrtempl="${templs[0]}"
|
||||||
|
array_from_lines templs "$(list_files "$templdir" "*SITE.ssl.conf")"
|
||||||
|
[ ${#templs[*]} -gt 0 ] && ssltempl="${templs[0]}"
|
||||||
|
array_from_lines templs "$(list_files "$templdir" "*SITE-certs.conf")"
|
||||||
|
[ ${#templs[*]} -gt 0 ] && certstempl="${templs[0]}"
|
||||||
|
array_from_lines templs "$(list_dirs "$templdir" "*SITE")"
|
||||||
|
[ ${#templs[*]} -gt 0 ] && wwwtempl="${templs[0]}"
|
||||||
|
|
||||||
|
found=
|
||||||
|
for i in "$clrtempl" "$ssltempl" "$certstempl" "$wwwtempl"; do
|
||||||
|
[ -n "$i" ] && { found=1; break; }
|
||||||
|
done
|
||||||
|
[ -n "$found" ] || die "Aucun template disponible"
|
||||||
|
|
||||||
|
if [ -z "$force" ] && [[ "$host" != *.* ]]; then
|
||||||
|
die "$host n'est pas un nom d'hôte pleinement qualifié"
|
||||||
|
fi
|
||||||
|
|
||||||
|
etitle "$host"
|
||||||
|
hostname="${host%%.*}"
|
||||||
|
clrconf="${clrtempl/SITE/$hostname}"
|
||||||
|
sslconf="${ssltempl/SITE/$hostname}"
|
||||||
|
certsconf="${certstempl/SITE/$hostname}"
|
||||||
|
wwwdir="${wwwtempl/SITE/$hostname}"
|
||||||
|
|
||||||
|
mkdir -p "$destdir/certsconf"
|
||||||
|
mkdir -p "$destdir/sites"
|
||||||
|
|
||||||
|
sedscript="\
|
||||||
|
s/SITE.TLD/$host/g
|
||||||
|
s/SITE/$hostname/g"
|
||||||
|
|
||||||
|
if [ -z "$clrtempl" ]; then
|
||||||
|
:
|
||||||
|
elif [ ! -f "$templdir/$clrtempl" ]; then
|
||||||
|
ewarn "Le fichier $(ppath "$templdir/$clrtempl") n'existe pas. La copie ne sera pas complète"
|
||||||
|
elif [ -f "$destdir/sites/$clrconf" ]; then
|
||||||
|
ewarn "Le fichier sites/$clrconf existe déjà. Il ne sera pas écrasé."
|
||||||
|
else
|
||||||
|
estep "sites/$clrconf"
|
||||||
|
sed "$sedscript" "$templdir/$clrtempl" >"$destdir/sites/$clrconf" || die
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$ssltempl" ]; then
|
||||||
|
:
|
||||||
|
elif [ ! -f "$templdir/$ssltempl" ]; then
|
||||||
|
ewarn "Le fichier $(ppath "$templdir/$ssltempl") n'existe pas. La copie ne sera pas complète"
|
||||||
|
elif [ -f "$destdir/sites/$sslconf" ]; then
|
||||||
|
ewarn "Le fichier sites/$sslconf existe déjà. Il ne sera pas écrasé."
|
||||||
|
else
|
||||||
|
estep "sites/$sslconf"
|
||||||
|
sed "$sedscript" "$templdir/$ssltempl" >"$destdir/sites/$sslconf" || die
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$certstempl" ]; then
|
||||||
|
:
|
||||||
|
elif [ ! -f "$templdir/$certstempl" ]; then
|
||||||
|
ewarn "Le fichier $(ppath "$templdir/$certstempl") n'existe pas. La copie ne sera pas complète"
|
||||||
|
elif [ -f "$destdir/certsconf/$certsconf" ]; then
|
||||||
|
ewarn "Le fichier certsconf/$certsconf exite déjà. Il ne sera pas écrasé."
|
||||||
|
else
|
||||||
|
estep "certsconf/$certsconf"
|
||||||
|
sed "$sedscript" "$templdir/$certstempl" >"$destdir/certsconf/$certsconf" || die
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$wwwtempl" ]; then
|
||||||
|
:
|
||||||
|
elif [ ! -d "$templdir/$wwwtempl" ]; then
|
||||||
|
ewarn "Le répertoire $(ppath "$templdir/$wwwtempl") n'existe pas. La copie ne sera pas complète"
|
||||||
|
elif [ -d "$destdir/$wwwdir" ]; then
|
||||||
|
ewarn "Le répertoire $wwwdir existe déjà. Il ne sera pas écrasé."
|
||||||
|
else
|
||||||
|
estep "$wwwdir"
|
||||||
|
cpdirnovcs "$templdir/$wwwtempl" "$destdir/$wwwdir" || die
|
||||||
|
sed -i "$sedscript" "$destdir/$wwwdir/.udir" || die
|
||||||
|
fi
|
||||||
|
|
||||||
|
eend
|
||||||
|
|
||||||
|
if [ -n "$wwwtempl" ]; then
|
||||||
|
eimportant "Ne pas oublier le cas échéant de mettre à jour HTDMAPPINGS dans $(ppath "$config") e.g.
|
||||||
|
HTDMAPPINGS=($wwwdir)"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -5,28 +5,101 @@
|
||||||
##@require sysinfos
|
##@require sysinfos
|
||||||
##@require apache
|
##@require apache
|
||||||
uprovide apache.tools
|
uprovide apache.tools
|
||||||
urequire base sysinfos apache
|
urequire base sysinfos template apache
|
||||||
|
|
||||||
function __apache_resolvcert() {
|
function __apache_rc_destdir() {
|
||||||
|
[ -z "$3" ] && set_var "${1:-certsdir}" "$(get_APACHESSLCERTSDIR_prefix)"
|
||||||
|
[ -z "$4" ] && set_var "${2:-keysdir}" "$(get_APACHESSLKEYSDIR_prefix)"
|
||||||
|
}
|
||||||
|
|
||||||
|
function __apache_rc_loadconf() {
|
||||||
[ -n "$__rc_dir" ] || __rc_dir="$(dirname "$__rc_conf")"
|
[ -n "$__rc_dir" ] || __rc_dir="$(dirname "$__rc_conf")"
|
||||||
eval "$(
|
eval "$(
|
||||||
source "$__rc_conf"
|
source "$__rc_conf"
|
||||||
set_var_cmd __rc_cert "$cert"
|
echo_setv __rc_cert "$cert"
|
||||||
set_var_cmd __rc_key "$key"
|
echo_setv __rc_key "$key"
|
||||||
set_var_cmd __rc_ca "$ca"
|
echo_setv __rc_ca "$ca"
|
||||||
)"
|
)"
|
||||||
[ -n "$__rc_cert" ] && __rc_cert="$(abspath "$__rc_cert" "$__rc_dir")"
|
[ -n "$__rc_cert" ] && __rc_cert="$(abspath "$__rc_cert" "$__rc_dir")"
|
||||||
[ -n "$__rc_key" ] && __rc_key="$(abspath "$__rc_key" "$__rc_dir")"
|
[ -n "$__rc_key" ] && __rc_key="$(abspath "$__rc_key" "$__rc_dir")"
|
||||||
[ -n "$__rc_ca" ] && __rc_ca="$(abspath "$__rc_ca" "$__rc_dir")"
|
[ -n "$__rc_ca" ] && __rc_ca="$(abspath "$__rc_ca" "$__rc_dir")"
|
||||||
}
|
}
|
||||||
|
|
||||||
function __apache_checkvars() {
|
function __apache_rc_resolveprefix() {
|
||||||
|
local __prefix __cert __key
|
||||||
|
local __certsdir="$1" __keysdir="$2"
|
||||||
|
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||||
|
|
||||||
|
if [ -z "$__rc_cert" ]; then
|
||||||
|
# si pas de certificat, alors générer un préfixe pour chercher les
|
||||||
|
# fichiers
|
||||||
|
setx __prefix=basename "$__rc_conf"
|
||||||
|
__prefix="${__prefix%certs.conf}"
|
||||||
|
elif [ ! -f "$__rc_cert" ]; then
|
||||||
|
# si le fichier source n'existe pas, vérifier s'il existe dans la
|
||||||
|
# destination
|
||||||
|
setx __cert=basename "$__rc_cert"
|
||||||
|
setx __key=basename "$__rc_key"
|
||||||
|
if [ -f "$__certsdir/$__cert" -a -f "$__keysdir/$__key" ]; then
|
||||||
|
# parfait, les fichiers existent déjà à l'endroit prévu
|
||||||
|
:
|
||||||
|
else
|
||||||
|
# construire un préfixe avec le nom du fichier
|
||||||
|
__prefix="$__cert"
|
||||||
|
if [ "${__prefix%.pem}" != "$__prefix" ]; then
|
||||||
|
__prefix="${__prefix%.pem}"
|
||||||
|
elif [ "${__prefix%.crt}" != "$__prefix" ]; then
|
||||||
|
__prefix="${__prefix%.crt}"
|
||||||
|
fi
|
||||||
|
if [ -n "${__prefix//[0-9]/}" ]; then
|
||||||
|
# enlever le suffixe numérique, uniquement si le nom ne contient
|
||||||
|
# pas que des chiffres
|
||||||
|
while [ -n "$__prefix" -a "${__prefix%[0-9]}" != "$__prefix" ]; do
|
||||||
|
__prefix="${__prefix%[0-9]}"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$__prefix" ]; then
|
||||||
|
local -a __certs
|
||||||
|
array_from_lines __certs "$(list_files "$__certsdir" "$__prefix*" | LANG=C sort -r)"
|
||||||
|
if [ ${#__certs[*]} -gt 0 ]; then
|
||||||
|
__cert="${__certs[0]}"
|
||||||
|
__key="${__cert%.*}.key"
|
||||||
|
__rc_cert="$__rc_dir/$__cert"
|
||||||
|
__rc_key="$__rc_dir/$__key"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function __apache_rc_checkfiles() {
|
||||||
|
local destdir="$1"; shift
|
||||||
|
local file
|
||||||
|
for file in "$@"; do
|
||||||
|
[ -n "$file" ] || continue
|
||||||
|
[ -f "$file" ] && continue
|
||||||
|
if [ -n "$destdir" -a -f "$destdir/$(basename "$file")" ]; then
|
||||||
|
[ -z "$__apache_rc_quiet" ] && ewarn "$file: fichier introuvable
|
||||||
|
Le fichier existant $destdir/$(basename "$file") sera utilisé"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
eerror "$file: fichier introuvable"
|
||||||
|
return 1
|
||||||
|
done
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
function __apache_rc_checkvars() {
|
||||||
|
local __certsdir="$1" __keysdir="$2"
|
||||||
|
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||||
|
|
||||||
if [ -n "$__rc_cert" -a -z "$__rc_key" ]; then
|
if [ -n "$__rc_cert" -a -z "$__rc_key" ]; then
|
||||||
local __rc_name __rc_ext
|
local __rc_name __rc_ext
|
||||||
splitname "$__rc_cert" __rc_name __rc_ext
|
splitname "$__rc_cert" __rc_name __rc_ext
|
||||||
if [ "$__rc_ext" == "crt" -o "$__rc_ext" == "pem" ]; then
|
if [ "$__rc_ext" == "crt" -o "$__rc_ext" == "pem" ]; then
|
||||||
__rc_key="$__rc_name.key"
|
__rc_key="$__rc_name.key"
|
||||||
enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
|
[ -z "$__apache_rc_quiet" ] && enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
|
||||||
else
|
else
|
||||||
eerror "Impossible de trouver la clé privée correspondant au certificat $(ppath "$__rc_cert")"
|
eerror "Impossible de trouver la clé privée correspondant au certificat $(ppath "$__rc_cert")"
|
||||||
return 1
|
return 1
|
||||||
|
@ -36,30 +109,31 @@ function __apache_checkvars() {
|
||||||
eerror "Vous devez spécifier le certificat à installer"
|
eerror "Vous devez spécifier le certificat à installer"
|
||||||
return 1
|
return 1
|
||||||
elif [ -z "$__rc_cert" ]; then
|
elif [ -z "$__rc_cert" ]; then
|
||||||
eattention "Seul le certificat autorité a été spécifié."
|
[ -z "$__apache_rc_quiet" ] && eattention "Seul le certificat autorité a été spécifié."
|
||||||
elif [ -z "$__rc_ca" ]; then
|
elif [ -z "$__rc_ca" ]; then
|
||||||
ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
|
[ -z "$__apache_rc_quiet" ] && ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local i
|
__apache_rc_checkfiles "$__certsdir" "$__rc_ca" "$__rc_cert" || return 1
|
||||||
for i in "$__rc_cert" "$__rc_key" "$__rc_ca"; do
|
__apache_rc_checkfiles "$__keysdir" "$__rc_key" || return 1
|
||||||
[ -n "$i" ] || continue
|
return 0
|
||||||
[ -f "$i" ] || {
|
|
||||||
eerror "$i: Fichier introuvable"
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
done
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function apache_resolvecert() {
|
function apache_resolvecert() {
|
||||||
# Calculer l'emplacement des certificats correspondant aux arguments $1 et
|
# Calculer l'emplacement des certificats correspondant aux arguments $1 et
|
||||||
# $2 (qui correspondent aux options --conf et --dir de apache_addcert()),
|
# $2 (qui correspondent aux options --conf et --dir de apache_addcert()),
|
||||||
# puis initialiser les variables $3(=cert), $4(=key) et $5(=ca)
|
# puis initialiser les variables $3(=cert), $4(=key) et $5(=ca)
|
||||||
|
# Si ces valeurs sont déjà calculées, on peut fournir $6=certsdir et
|
||||||
|
# $7=keysdir
|
||||||
local __rc_conf="$1" __rc_dir="$2"
|
local __rc_conf="$1" __rc_dir="$2"
|
||||||
local __rc_cert __rc_key __rc_ca
|
local __rc_cert __rc_key __rc_ca
|
||||||
|
|
||||||
__apache_resolvcert
|
local __certsdir="$6" __keysdir="$7"
|
||||||
__apache_checkvars || return 1
|
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
|
||||||
|
|
||||||
|
__apache_rc_loadconf
|
||||||
|
__apache_rc_resolveprefix "$__certsdir" "$__keysdir"
|
||||||
|
__apache_rc_checkvars "$__certsdir" "$__keysdir" || return 1
|
||||||
set_var "${3:-cert}" "$__rc_cert"
|
set_var "${3:-cert}" "$__rc_cert"
|
||||||
set_var "${4:-key}" "$__rc_key"
|
set_var "${4:-key}" "$__rc_key"
|
||||||
set_var "${5:-ca}" "$__rc_ca"
|
set_var "${5:-ca}" "$__rc_ca"
|
||||||
|
@ -93,29 +167,33 @@ OPTIONS
|
||||||
|
|
||||||
eval "$(utools_local)"
|
eval "$(utools_local)"
|
||||||
local action=install
|
local action=install
|
||||||
local certsconf certsdir cert key ca
|
local certsconf certssrcdir cert key ca
|
||||||
local __out_cert __out_key __out_ca
|
local __out_cert __out_key __out_ca
|
||||||
parse_opts "${PRETTYOPTS[@]}" \
|
parse_opts "${PRETTYOPTS[@]}" \
|
||||||
--help '$exit_with __apache_addcert_display_help' \
|
--help '$exit_with __apache_addcert_display_help' \
|
||||||
-C:,--conf: certsconf= \
|
-C:,--conf: certsconf= \
|
||||||
-d:,--dir: certsdir= \
|
-d:,--dir: certssrcdir= \
|
||||||
--out-cert: '$set@ __out_cert; action=dump' \
|
--out-cert: '$set@ __out_cert; action=dump' \
|
||||||
--out-key: '$set@ __out_key; action=dump' \
|
--out-key: '$set@ __out_key; action=dump' \
|
||||||
--out-ca: '$set@ __out_ca; action=dump' \
|
--out-ca: '$set@ __out_ca; action=dump' \
|
||||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||||
|
|
||||||
|
local certsdir keysdir
|
||||||
|
__apache_rc_destdir certsdir keysdir
|
||||||
|
|
||||||
local __rc_conf __rc_dir
|
local __rc_conf __rc_dir
|
||||||
local __rc_cert __rc_key __rc_ca
|
local __rc_cert __rc_key __rc_ca
|
||||||
if [ -n "$certsconf" ]; then
|
if [ -n "$certsconf" ]; then
|
||||||
__rc_conf="$certsconf"
|
__rc_conf="$certsconf"
|
||||||
__rc_dir="$certsdir"
|
__rc_dir="$certssrcdir"
|
||||||
__apache_resolvconf
|
__apache_rc_loadconf
|
||||||
__apache_checkvars || return 1
|
__apache_rc_resolveprefix "$certsdir" "$keysdir"
|
||||||
|
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
|
||||||
else
|
else
|
||||||
__rc_cert="$1"
|
__rc_cert="$1"
|
||||||
__rc_key="$2"
|
__rc_key="$2"
|
||||||
__rc_ca="$3"
|
__rc_ca="$3"
|
||||||
__apache_checkvars || return 1
|
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
|
||||||
fi
|
fi
|
||||||
cert="$__rc_cert"
|
cert="$__rc_cert"
|
||||||
key="$__rc_key"
|
key="$__rc_key"
|
||||||
|
@ -129,9 +207,7 @@ OPTIONS
|
||||||
ask_yesno "Voulez-vous continuer?" O || return 1
|
ask_yesno "Voulez-vous continuer?" O || return 1
|
||||||
urequire install
|
urequire install
|
||||||
|
|
||||||
etitle "Installation des certificats"
|
etitled "Copie des fichiers"
|
||||||
certsdir="$(get_APACHESSLCERTSDIR_prefix)"
|
|
||||||
keysdir="$(get_APACHESSLKEYSDIR_prefix)"
|
|
||||||
if [ ! -d "$certsdir" ]; then
|
if [ ! -d "$certsdir" ]; then
|
||||||
mkdir -p "$certsdir" || return 1
|
mkdir -p "$certsdir" || return 1
|
||||||
chmod 755 "$certsdir" || return 1
|
chmod 755 "$certsdir" || return 1
|
||||||
|
@ -140,38 +216,36 @@ OPTIONS
|
||||||
mkdir -p "$keysdir" || return 1
|
mkdir -p "$keysdir" || return 1
|
||||||
chmod 710 "$keysdir" || return 1
|
chmod 710 "$keysdir" || return 1
|
||||||
fi
|
fi
|
||||||
if [ -n "$cert" ]; then
|
if [ -n "$cert" -a -f "$cert" ]; then
|
||||||
copy_replace "$cert" "$certsdir" || return 1
|
if copy_update "$cert" "$certsdir"; then
|
||||||
chmod 644 "$certsdir/$(basename "$cert")" || return 1
|
chmod 644 "$certsdir/$(basename "$cert")" || return 1
|
||||||
copy_replace "$key" "$keysdir" || return 1
|
fi
|
||||||
chmod 640 "$keysdir/$(basename "$key")" || return 1
|
if copy_update "$key" "$keysdir"; then
|
||||||
|
chmod 640 "$keysdir/$(basename "$key")" || return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -n "$ca" ]; then
|
if [ -n "$ca" -a -f "$ca" ]; then
|
||||||
copy_replace "$ca" "$certsdir" || return 1
|
if copy_update "$ca" "$certsdir"; then
|
||||||
chmod 644 "$certsdir/$(basename "$ca")" || return 1
|
chmod 644 "$certsdir/$(basename "$ca")" || return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
eend
|
eend
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
__APACHE_AUTOCONF_SUFFIXES=(d8 d)
|
|
||||||
__APACHE_AUTOCONF_SUFFIX_d8=(-d debian -v jessie+)
|
|
||||||
__APACHE_AUTOCONF_SUFFIX_d=(-d debian)
|
|
||||||
function __apache_autoconf_check_suffix() {
|
|
||||||
array_contains __APACHE_AUTOCONF_SUFFIXES "$1" || return 1
|
|
||||||
local sysinfos="__APACHE_AUTOCONF_SUFFIX_${1}[@]"
|
|
||||||
check_sysinfos --vars sysname sysdist sysver bits "${!sysinfos}"
|
|
||||||
}
|
|
||||||
function __apache_autoconf_filter_suffix_files() {
|
|
||||||
grep -vF ..
|
|
||||||
}
|
|
||||||
function __apache_autoconf_setup() {
|
function __apache_autoconf_setup() {
|
||||||
if ! check_sysinfos --vars sysname sysdist sysver bits -s linux64 linux32 linux -d debian; then
|
if ! check_sysinfos --vars sysname sysdist sysver bits -s linux64 linux32 linux -d debian; then
|
||||||
eerror "apache_autoconf n'est supporté que sur Debian linux"
|
eerror "$(get_sysinfos_desc): système non supporté. debian linux est requis"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
urequire install
|
urequire debian install
|
||||||
|
if [ -z "$__apache_autoconf_no_require_apache" ]; then
|
||||||
|
pkg_check apache2 || {
|
||||||
|
eerror "apache2 non installé. impossible de continuer"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
fi
|
||||||
compute_apache_prefixes
|
compute_apache_prefixes
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -193,24 +267,8 @@ function __apache_autoconf_fillcopy() {
|
||||||
# script sed $FILLSCRIPT. Le fichier temporaire $FILLTEMP est utilisé pour
|
# script sed $FILLSCRIPT. Le fichier temporaire $FILLTEMP est utilisé pour
|
||||||
# le remplacement des valeurs. $3 contient le cas échéant des commandes sed
|
# le remplacement des valeurs. $3 contient le cas échéant des commandes sed
|
||||||
# supplémentaires
|
# supplémentaires
|
||||||
# Si des fichiers suffixes existent, ne faire la copie que si un fichier
|
|
||||||
# approprié correspondant au système courant est trouvé
|
|
||||||
local src="$1" dest="$2" sedscript="$3" perms="${4:-go+rX}"
|
local src="$1" dest="$2" sedscript="$3" perms="${4:-go+rX}"
|
||||||
|
|
||||||
# vérifier les fichiers suffixe
|
|
||||||
local suffix have_suffix found_suffix
|
|
||||||
for suffix in "${__APACHE_AUTOCONF_SUFFIXES[@]}"; do
|
|
||||||
if [ -f "$src..$suffix" ]; then
|
|
||||||
have_suffix=1
|
|
||||||
if __apache_autoconf_check_suffix "$suffix"; then
|
|
||||||
found_suffix=1
|
|
||||||
src="$src..$suffix"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
[ -n "$have_suffix" -a -z "$found_suffix" ] && return 1
|
|
||||||
|
|
||||||
# valeurs à remplacer dans le fichier
|
# valeurs à remplacer dans le fichier
|
||||||
local var found_var
|
local var found_var
|
||||||
for var in "${FILLVARS[@]}"; do
|
for var in "${FILLVARS[@]}"; do
|
||||||
|
@ -225,14 +283,16 @@ $sedscript" <"$src" >"$FILLTEMP"
|
||||||
src="$FILLTEMP"
|
src="$FILLTEMP"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
copy_update "$src" "$dest" "$perms"
|
copy_update "$src" "$dest" "$perms" && return
|
||||||
|
estepn "$(basename -- "$dest")"
|
||||||
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
__APACHE_AUTOCONF_HELP="\
|
__APACHE_AUTOCONF_HELP="\
|
||||||
--confdir CONFDIR
|
--confdir CONFDIR
|
||||||
Spécifier l'emplacement des fichiers de configuration apache ainsi que des
|
Spécifier l'emplacement des fichiers de configuration apache ainsi que des
|
||||||
fichiers 'confs.conf', 'modules.conf' et 'sites.conf'. Par défaut, prendre
|
fichiers 'syspkgs.conf', 'confs.conf', 'modules.conf' et 'sites.conf'. Par
|
||||||
le répertoire local DESTDIR.
|
défaut, prendre le répertoire local DESTDIR.
|
||||||
--confsdir CONFSDIR
|
--confsdir CONFSDIR
|
||||||
Spécifier l'emplacement des fichiers des configuration. Par défaut, utiliser
|
Spécifier l'emplacement des fichiers des configuration. Par défaut, utiliser
|
||||||
DESTDIR/confs si ce répertoire existe.
|
DESTDIR/confs si ce répertoire existe.
|
||||||
|
@ -264,7 +324,7 @@ function apache_autoconf() {
|
||||||
local autoconfdir certsdir confdir confsdir oneconf modulesdir onemodule
|
local autoconfdir certsdir confdir confsdir oneconf modulesdir onemodule
|
||||||
local sitesdir onesite cgibindir wwwdir certsconfdir rrdir onecms
|
local sitesdir onesite cgibindir wwwdir certsconfdir rrdir onecms
|
||||||
local sysname sysdist sysver bits
|
local sysname sysdist sysver bits
|
||||||
local destconfsdir a2xconf
|
local netconf destconfsdir a2xconf
|
||||||
local restart=1
|
local restart=1
|
||||||
parse_opts "${PRETTYOPTS[@]}" \
|
parse_opts "${PRETTYOPTS[@]}" \
|
||||||
--help '$exit_with __display_apache_autoconf_help' \
|
--help '$exit_with __display_apache_autoconf_help' \
|
||||||
|
@ -288,6 +348,7 @@ function apache_autoconf() {
|
||||||
-7,--wheezy sysver=wheezy \
|
-7,--wheezy sysver=wheezy \
|
||||||
-8,--jessie sysver=jessie \
|
-8,--jessie sysver=jessie \
|
||||||
--bits: bits= \
|
--bits: bits= \
|
||||||
|
--network-config netconf=1 \
|
||||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||||
|
|
||||||
if [ -n "$sysname" -o -n "$sysdist" -o -n "$sysver" ]; then
|
if [ -n "$sysname" -o -n "$sysdist" -o -n "$sysver" ]; then
|
||||||
|
@ -298,13 +359,13 @@ function apache_autoconf() {
|
||||||
sysver=("${MYSYSVER[@]}")
|
sysver=("${MYSYSVER[@]}")
|
||||||
bits="$MYBITS"
|
bits="$MYBITS"
|
||||||
fi
|
fi
|
||||||
__apache_autoconf_setup || return 1
|
__apache_autoconf_no_require_apache= __apache_autoconf_setup || return 1
|
||||||
if __apache_autoconf_check_suffix d8; then
|
if check_sysinfos --vars sysname sysdist sysver bits -d debian -v jessie+; then
|
||||||
confdefault=000-default.conf
|
confdefault=000-default.conf
|
||||||
confdefaultssl=default-ssl.conf
|
confdefaultssl=default-ssl.conf
|
||||||
destconfsdir="$APACHECONFDIR/conf-available"
|
destconfsdir="$APACHECONFDIR/conf-available"
|
||||||
a2xconf=1
|
a2xconf=1
|
||||||
elif __apache_autoconf_check_suffix d; then
|
elif check_sysinfos --vars sysname sysdist sysver bits -d debian; then
|
||||||
confdefault=default
|
confdefault=default
|
||||||
confdefaultssl=default-ssl
|
confdefaultssl=default-ssl
|
||||||
destconfsdir="$APACHECONFDIR/conf.d"
|
destconfsdir="$APACHECONFDIR/conf.d"
|
||||||
|
@ -340,6 +401,19 @@ function apache_autoconf() {
|
||||||
local -a FILLVARS; local FILLSCRIPT FILLTEMP
|
local -a FILLVARS; local FILLSCRIPT FILLTEMP
|
||||||
__apache_autoconf_fillxxx "$@"
|
__apache_autoconf_fillxxx "$@"
|
||||||
|
|
||||||
|
# Installation des packages système
|
||||||
|
if [ -f "$confdir/syspkgs.conf" ]; then
|
||||||
|
local -a syspkgs
|
||||||
|
local syspkg
|
||||||
|
array_from_lines syspkgs "$(<"$confdir/syspkgs.conf" filter_conf)"
|
||||||
|
if ! pkg_check "${syspkgs[@]}"; then
|
||||||
|
etitle "Installation de paquets système"
|
||||||
|
estep "${syspkgs[@]}"
|
||||||
|
pkg_install "${syspkgs[@]}" || return 1
|
||||||
|
eend
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Copie des certificats
|
# Copie des certificats
|
||||||
local modified rehash conf
|
local modified rehash conf
|
||||||
if [ -d "$certsconfdir" ]; then
|
if [ -d "$certsconfdir" ]; then
|
||||||
|
@ -350,17 +424,10 @@ function apache_autoconf() {
|
||||||
array_addu FILLVARS ca
|
array_addu FILLVARS ca
|
||||||
|
|
||||||
etitle "Installation des certificats"
|
etitle "Installation des certificats"
|
||||||
|
[ -n "$certsdir" -a ! -d "$certsdir" ] && ewarn "$certsdir: répertoire invalide"
|
||||||
array_lsfiles certsconfs "$certsconfdir" "*.conf"
|
array_lsfiles certsconfs "$certsconfdir" "*.conf"
|
||||||
for certsconf in "${certsconfs[@]}"; do
|
for certsconf in "${certsconfs[@]}"; do
|
||||||
if [ -z "$certsdir" ]; then
|
apache_addcert -y -C "$certsconf" -d "$certsdir" "$cert" "$key" "$ca" || return 1
|
||||||
eerror "CERTSDIR est requis si --certsconfdir est spécifié"
|
|
||||||
return 1
|
|
||||||
elif [ ! -d "$certsdir" ]; then
|
|
||||||
eerror "$certsdir: répertoire invalide"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
|
||||||
apache_addcert -y "$cert" "$key" "$ca"
|
|
||||||
modified=1
|
modified=1
|
||||||
done
|
done
|
||||||
array_lsfiles certspems "$certsconfdir" "*.crt" "*.pem"
|
array_lsfiles certspems "$certsconfdir" "*.crt" "*.pem"
|
||||||
|
@ -378,11 +445,9 @@ function apache_autoconf() {
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf
|
local conf
|
||||||
etitle "Installation des configurations"
|
etitle "Installation des configurations"
|
||||||
array_from_lines confs "$(list_files "$confsdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
array_from_lines confs "$(list_files "$confsdir" "*.conf")"
|
||||||
for conf in "${confs[@]}"; do
|
for conf in "${confs[@]}"; do
|
||||||
[ -z "$oneconf" -o "$conf" == "$oneconf" ] || continue
|
[ -z "$oneconf" -o "$conf" == "$oneconf" ] || continue
|
||||||
|
|
||||||
estep "$conf"
|
|
||||||
__apache_autoconf_fillcopy \
|
__apache_autoconf_fillcopy \
|
||||||
"$confsdir/$conf" \
|
"$confsdir/$conf" \
|
||||||
"$destconfsdir/$conf" && modified=1
|
"$destconfsdir/$conf" && modified=1
|
||||||
|
@ -395,11 +460,9 @@ function apache_autoconf() {
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf
|
local conf
|
||||||
etitle "Installation des configurations des modules"
|
etitle "Installation des configurations des modules"
|
||||||
array_from_lines confs "$(list_files "$modulesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
array_from_lines confs "$(list_files "$modulesdir" "*.conf")"
|
||||||
for conf in "${confs[@]}"; do
|
for conf in "${confs[@]}"; do
|
||||||
[ -z "$onemodule" -o "$conf" == "$onemodule" ] || continue
|
[ -z "$onemodule" -o "$conf" == "$onemodule" ] || continue
|
||||||
|
|
||||||
estep "$conf"
|
|
||||||
__apache_autoconf_fillcopy \
|
__apache_autoconf_fillcopy \
|
||||||
"$modulesdir/$conf" \
|
"$modulesdir/$conf" \
|
||||||
"$APACHECONFDIR/mods-available/$conf" && modified=1
|
"$APACHECONFDIR/mods-available/$conf" && modified=1
|
||||||
|
@ -409,12 +472,12 @@ function apache_autoconf() {
|
||||||
|
|
||||||
# Règles de réécriture
|
# Règles de réécriture
|
||||||
if [ -d "$rrdir" -a -z "$onecms" ]; then
|
if [ -d "$rrdir" -a -z "$onecms" ]; then
|
||||||
|
# legacy... remplacé par des fichiers de règles directement dans le répertoire de configuration
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf
|
local conf
|
||||||
etitle "Installation des règles de réécriture"
|
etitle "Installation des règles de réécriture"
|
||||||
array_from_lines confs "$(list_files "$rrdir" "RewriteRules*.conf")"
|
array_from_lines confs "$(list_files "$rrdir" "RewriteRules*.conf")"
|
||||||
for conf in "${confs[@]}"; do
|
for conf in "${confs[@]}"; do
|
||||||
estep "$conf"
|
|
||||||
__apache_autoconf_fillcopy \
|
__apache_autoconf_fillcopy \
|
||||||
"$rrdir/$conf" \
|
"$rrdir/$conf" \
|
||||||
"$APACHECONFDIR/$conf" && modified=1
|
"$APACHECONFDIR/$conf" && modified=1
|
||||||
|
@ -426,9 +489,9 @@ function apache_autoconf() {
|
||||||
local -a enablesites disablesites
|
local -a enablesites disablesites
|
||||||
if [ -d "$sitesdir" -a \( -z "$onecms" -o -n "$onesite" \) ]; then
|
if [ -d "$sitesdir" -a \( -z "$onecms" -o -n "$onesite" \) ]; then
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf confname destconf certsconf
|
local conf confname destconf certsconf sedscript copied
|
||||||
etitle "Installation des sites"
|
etitle "Installation des sites"
|
||||||
array_from_lines confs "$(list_files "$sitesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
|
array_from_lines confs "$(list_files "$sitesdir" "*.conf")"
|
||||||
for confname in "${confs[@]}"; do
|
for confname in "${confs[@]}"; do
|
||||||
conf="$sitesdir/$confname"
|
conf="$sitesdir/$confname"
|
||||||
[ -z "$onesite" -o "$confname" == "$onesite" ] || continue
|
[ -z "$onesite" -o "$confname" == "$onesite" ] || continue
|
||||||
|
@ -449,27 +512,44 @@ function apache_autoconf() {
|
||||||
*) destconf="$confname";;
|
*) destconf="$confname";;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
copied=
|
||||||
if [ -n "$certsconf" ]; then
|
if [ -n "$certsconf" ]; then
|
||||||
certsconf="$certsconfdir/$certsconf"
|
certsconf="$certsconfdir/$certsconf"
|
||||||
if [ -f "$certsconf" ]; then
|
if [ -f "$certsconf" ]; then
|
||||||
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
__apache_rc_quiet=1 apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
|
||||||
__apache_autoconf_fillcopy \
|
if [ -n "$cert" -a -n "$key" ]; then
|
||||||
"$conf" \
|
sedscript="\
|
||||||
"$APACHEAVSITESDIR/$destconf" "\
|
|
||||||
s#@@cert@@#$APACHESSLCERTSDIR/$(basename "$cert")#g
|
s#@@cert@@#$APACHESSLCERTSDIR/$(basename "$cert")#g
|
||||||
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g
|
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g"
|
||||||
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
if [ -n "$ca" ]; then
|
||||||
"
|
sedscript="$sedscript
|
||||||
|
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g"
|
||||||
|
else
|
||||||
|
sedscript="$sedscript
|
||||||
|
/@@ca@@/s/^/#/g"
|
||||||
|
fi
|
||||||
|
__apache_autoconf_fillcopy \
|
||||||
|
"$conf" \
|
||||||
|
"$APACHEAVSITESDIR/$destconf" "$sedscript"
|
||||||
|
copied=1
|
||||||
|
else
|
||||||
|
eerror "$(ppath "$certsconf"): définition des certificats introuvable
|
||||||
|
Le fichier de configuration $confname a été ignoré"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
eerror "$(ppath "$certsconf"): fichier introuvable. Il a été ignoré"
|
eerror "$(ppath "$certsconf"): fichier introuvable
|
||||||
|
Le fichier de configuration $confname a été ignoré"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
__apache_autoconf_fillcopy \
|
__apache_autoconf_fillcopy \
|
||||||
"$conf" \
|
"$conf" \
|
||||||
"$APACHEAVSITESDIR/$destconf"
|
"$APACHEAVSITESDIR/$destconf"
|
||||||
|
copied=1
|
||||||
|
fi
|
||||||
|
if [ -n "$copied" ]; then
|
||||||
|
enablesites=("${enablesites[@]}" "$destconf")
|
||||||
|
modified=1
|
||||||
fi
|
fi
|
||||||
enablesites=("${enablesites[@]}" "$destconf")
|
|
||||||
modified=1
|
|
||||||
done
|
done
|
||||||
eend
|
eend
|
||||||
fi
|
fi
|
||||||
|
@ -478,16 +558,28 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
||||||
if [ -d "$confdir" -a -z "$onecms" ]; then
|
if [ -d "$confdir" -a -z "$onecms" ]; then
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf
|
local conf
|
||||||
|
|
||||||
etitle "Configuration de base"
|
etitle "Configuration de base"
|
||||||
array_add ignores confs.conf modules.conf sites.conf
|
array_add ignores syspkgs.conf confs.conf modules.conf sites.conf network.conf
|
||||||
array_from_lines confs "$(list_files "$confdir" | __apache_autoconf_filter_suffix_files)"
|
array_from_lines confs "$(list_files "$confdir")"
|
||||||
for conf in "${confs[@]}"; do
|
for conf in "${confs[@]}"; do
|
||||||
array_contains ignores "$conf" && continue
|
array_contains ignores "$conf" && continue
|
||||||
estep "$conf"
|
|
||||||
__apache_autoconf_fillcopy \
|
__apache_autoconf_fillcopy \
|
||||||
"$confdir/$conf" \
|
"$confdir/$conf" \
|
||||||
"$APACHECONFDIR/$conf" && modified=1
|
"$APACHECONFDIR/$conf" && modified=1
|
||||||
done
|
done
|
||||||
|
|
||||||
|
array_from_lines confs "$(list_files "$confdir" "*rewrite*.rules")"
|
||||||
|
if [ ${#confs[*]} -gt 0 ]; then
|
||||||
|
etitle "Règles de réécriture"
|
||||||
|
for conf in "${confs[@]}"; do
|
||||||
|
[ -f "$APACHECONFDIR/$conf" ] || continue
|
||||||
|
estep "$conf"
|
||||||
|
legacy_mkRewriteRules "$APACHECONFDIR/$conf" && modified=1
|
||||||
|
done
|
||||||
|
eend
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "$confdir/confs.conf" -a -n "$a2xconf" ]; then
|
if [ -f "$confdir/confs.conf" -a -n "$a2xconf" ]; then
|
||||||
local -a confs
|
local -a confs
|
||||||
local conf
|
local conf
|
||||||
|
@ -564,9 +656,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Contenu web
|
# Contenu web
|
||||||
if [ -d "$wwwdir" -a -z "$onecms" ]; then
|
if [ -z "$onecms" ]; then
|
||||||
etitle "Installation des fichiers du serveur web"
|
etitled "Installation des fichiers du serveur web"
|
||||||
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
|
if is_defined HTDMAPPINGS; then
|
||||||
|
local htdmapping src dest
|
||||||
|
for htdmapping in "${HTDMAPPINGS[@]}"; do
|
||||||
|
splitpair "$htdmapping" dest src
|
||||||
|
[ -n "$dest" ] || dest=html
|
||||||
|
case "$dest" in
|
||||||
|
html) [ -n "$src" ] || src=www;;
|
||||||
|
*) [ -n "$src" ] || src="$dest";;
|
||||||
|
esac
|
||||||
|
withpath "$src" || src="$confdir/$src"
|
||||||
|
withpath "$dest" || dest="$HTDOCSBASE/$dest"
|
||||||
|
estep "$src --> $dest"
|
||||||
|
cpdirnovcs "$src" "$dest"
|
||||||
|
# par défaut, le propriétaire est root. est-ce nécessaire?
|
||||||
|
#chown -R www-data: "$dest"
|
||||||
|
done
|
||||||
|
elif [ -d "$wwwdir" ]; then
|
||||||
|
estep "$wwwdir --> $HTDOCSDIR"
|
||||||
|
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
|
||||||
|
# par défaut, le propriétaire est root. est-ce nécessaire?
|
||||||
|
#chown -R www-data: "$HTDOCSDIR"
|
||||||
|
fi
|
||||||
eend
|
eend
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -587,6 +700,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
|
||||||
eend
|
eend
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Mettre à jour la configuration réseau
|
||||||
|
if [ -z "$onecms" -a -n "$netconf" -a -f "$confdir/network.conf" ]; then
|
||||||
|
local -a ips brs; local host etc_networks
|
||||||
|
eval "$(
|
||||||
|
source "$confdir/network.conf"
|
||||||
|
set_array_cmd ips
|
||||||
|
set_array_cmd brs
|
||||||
|
echo_setv host "$host"
|
||||||
|
echo_setv etc_networks "$etc_networks"
|
||||||
|
)"
|
||||||
|
etitled "Vérification de la configuration du réseau"
|
||||||
|
if [ -n "$FULLCONF" ]; then
|
||||||
|
if [ ${#ips[*]} -gt 0 -o ${#brs[*]} -gt 0 -o -n "$hosts" ]; then
|
||||||
|
network_config "$host" ips brs && modified=1
|
||||||
|
fi
|
||||||
|
[ -n "$etc_networks" ] && network_update_etc_networks "$etc_networks"
|
||||||
|
else
|
||||||
|
if [ ${#ips[*]} -gt 0 ]; then
|
||||||
|
network_config_partial ips && modified=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
eend
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$modified" ]; then
|
if [ -n "$modified" ]; then
|
||||||
[ -n "$rehash" ] && elinedots "Hashage des certificats" c_rehash
|
[ -n "$rehash" ] && elinedots "Hashage des certificats" c_rehash
|
||||||
if [ -n "$restart" ]; then
|
if [ -n "$restart" ]; then
|
||||||
|
@ -604,7 +741,7 @@ function apache_autoconf_localhosts() {
|
||||||
--one-site: onesite= \
|
--one-site: onesite= \
|
||||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||||
|
|
||||||
__apache_autoconf_setup || return 1
|
__apache_autoconf_no_require_apache=1 __apache_autoconf_setup || return 1
|
||||||
|
|
||||||
# Configuration
|
# Configuration
|
||||||
autoconfdir="$1"; shift
|
autoconfdir="$1"; shift
|
||||||
|
@ -711,27 +848,48 @@ function __template_updatef_dhost() {
|
||||||
[ -n "$ips" ] || __template_set_var ips ""
|
[ -n "$ips" ] || __template_set_var ips ""
|
||||||
}
|
}
|
||||||
|
|
||||||
# toujours placer une variable dépendante AVANT la variable maitre
|
# syntaxe: var[:depvars,...][=desc]
|
||||||
APACHECONFIG_TEMPLATE_STATIC_VARS=(
|
APACHECONFIG_TEMPLATE_STATIC_VARS=(
|
||||||
hostname aliases host
|
host:hostname,aliases="hôte pour lequel ce template a été créé.
|
||||||
certsdir caname
|
# les variables hostname et aliases sont automatiquement générées.
|
||||||
|
# utiliser @@dhost@@ pour déployer dynamiquement avec le nom d'hôte courant."
|
||||||
|
certsdir="répertoire par défaut contenant les certificats à déployer"
|
||||||
|
caname="nom de l'autorité par défaut"
|
||||||
)
|
)
|
||||||
APACHECONFIG_TEMPLATE_DYNAMIC_VARS=(
|
APACHECONFIG_TEMPLATE_DYNAMIC_VARS=(
|
||||||
ips_namevirtualhosts ips_listens ips
|
ips:ips_namevirtualhosts,ips_listens="liste d'adresses de la forme ip[:port], séparées par un espace.
|
||||||
dhostname daliases dhost
|
# ces adresses sont celles sur lesquelles apache doit écouter. ce paramètre n'a
|
||||||
admin configdir
|
# de sens que sur squeeze. en effet, la configuration par défaut sur jessie rend
|
||||||
|
# ce paramétrage inutile."
|
||||||
|
dhost:dhostname,daliases="hôte pour lequel les fichiers doivent être déployés.
|
||||||
|
# les variables dhostname et daliases sont automatiquement générées.
|
||||||
|
# cette variable n'a besoin d'être modifiée que si host=@@dhost@@ ci-dessous"
|
||||||
|
admin="mail de l'administrateur du serveur"
|
||||||
|
configdir="répertoire dans lequel le template a été généré"
|
||||||
|
)
|
||||||
|
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(configdir)
|
||||||
|
APACHECONFIG_TEMPLATE_USER_VARS=(
|
||||||
|
FULLCONF="Est-on en mode configuration complète?"
|
||||||
|
HTDMAPPINGS="Mapping des répertoires destination dans /var/www vers le répertoire local, e.g. html:www"
|
||||||
)
|
)
|
||||||
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(hostname aliases dhostname daliases configdir)
|
|
||||||
|
|
||||||
|
function __apacheconfig_initsrcdirs() {
|
||||||
|
if check_sysinfos "$@" -d debian -v jessie+; then
|
||||||
|
TEMPLATECTL_SRCDIRS=(apacheconfig.d8)
|
||||||
|
else
|
||||||
|
TEMPLATECTL_SRCDIRS=(apacheconfig)
|
||||||
|
fi
|
||||||
|
}
|
||||||
function apacheconfig_initvars() {
|
function apacheconfig_initvars() {
|
||||||
DEFAULT_ADMIN=supervision-gdrsi@listes.univ-reunion.fr
|
DEFAULT_ADMIN=supervision-gdrsi@listes.univ-reunion.fr
|
||||||
DEFAULT_CERTSDIR=1507-renater
|
DEFAULT_CERTSDIR=1507-renater
|
||||||
DEFAULT_CANAME=1507-DigiCertCA.crt
|
DEFAULT_CANAME=1507-DigiCertCA.crt
|
||||||
set_defaults apacheconfig
|
set_defaults apacheconfig
|
||||||
|
|
||||||
TEMPLATE_STATIC_VARS=("${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}")
|
|
||||||
TEMPLATE_DYNAMIC_VARS=("${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}")
|
|
||||||
TEMPLATE_NOWRITE_VARS=("${APACHECONFIG_TEMPLATE_NOWRITE_VARS[@]}")
|
TEMPLATE_NOWRITE_VARS=("${APACHECONFIG_TEMPLATE_NOWRITE_VARS[@]}")
|
||||||
|
template_build_vars TEMPLATE_STATIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}"
|
||||||
|
template_build_vars TEMPLATE_DYNAMIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}"
|
||||||
|
template_build_vars TEMPLATE_USER_VARS "" "${APACHECONFIG_TEMPLATE_USER_VARS[@]}"
|
||||||
__TEMPLATE_DEFAULTF_host=__template_defaultf_host
|
__TEMPLATE_DEFAULTF_host=__template_defaultf_host
|
||||||
__TEMPLATE_UPDATEF_host=__template_updatef_host
|
__TEMPLATE_UPDATEF_host=__template_updatef_host
|
||||||
__TEMPLATE_DEFAULTF_ips=__template_defaultf_ips
|
__TEMPLATE_DEFAULTF_ips=__template_defaultf_ips
|
||||||
|
@ -740,7 +898,7 @@ function apacheconfig_initvars() {
|
||||||
__TEMPLATE_UPDATEF_dhost=__template_updatef_dhost
|
__TEMPLATE_UPDATEF_dhost=__template_updatef_dhost
|
||||||
|
|
||||||
TEMPLATECTL_NAME=apacheconfig
|
TEMPLATECTL_NAME=apacheconfig
|
||||||
TEMPLATECTL_SRCDIRS=(apacheconfig)
|
__apacheconfig_initsrcdirs
|
||||||
TEMPLATECTL_CONFIG="$TEMPLATECTL_NAME"
|
TEMPLATECTL_CONFIG="$TEMPLATECTL_NAME"
|
||||||
TEMPLATECTL_DEFAULTS=(
|
TEMPLATECTL_DEFAULTS=(
|
||||||
admin="$DEFAULT_ADMIN"
|
admin="$DEFAULT_ADMIN"
|
||||||
|
@ -751,11 +909,14 @@ function apacheconfig_initvars() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function apacheconfig_loadconf() {
|
function apacheconfig_loadconf() {
|
||||||
local config modified
|
local config modified autocreate
|
||||||
local destdir="$1" autocreate
|
local destdir="$1" nohideconfig="$2"
|
||||||
|
|
||||||
|
# valeurs par défaut
|
||||||
|
is_defined HTDMAPPINGS || HTDMAPPINGS=(html:www)
|
||||||
|
|
||||||
__template_set_destdir destdir autocreate "$TEMPLATECTL_NAME" || return 1
|
__template_set_destdir destdir autocreate "$TEMPLATECTL_NAME" || return 1
|
||||||
setx config=templatectl_config "$destdir"
|
setx config=templatectl_config "$destdir" ${nohideconfig:+nohideconfig}
|
||||||
modified=
|
modified=
|
||||||
templatectl_loadvars "$config" && modified=1
|
templatectl_loadvars "$config" && modified=1
|
||||||
|
|
||||||
|
@ -779,7 +940,8 @@ function apacheconfig_sysinfos() {
|
||||||
__template_set_var sysname "$sysname"
|
__template_set_var sysname "$sysname"
|
||||||
__template_set_var sysdist "$sysdist"
|
__template_set_var sysdist "$sysdist"
|
||||||
__template_set_var sysver "$sysver"
|
__template_set_var sysver "$sysver"
|
||||||
#check_sysinfos --vars sysname sysdist sysver bits "${templatectl_suffix[@]}
|
# mettre à jour la source en fonction du système cible
|
||||||
|
__apacheconfig_initsrcdirs --vars sysname sysdist sysver bits
|
||||||
|
|
||||||
upvars sysname "$sysname" sysdist "$sysdist" sysver "$sysver" bits "$bits" \
|
upvars sysname "$sysname" sysdist "$sysdist" sysver "$sysver" bits "$bits" \
|
||||||
custom_sysinfos "$custom_sysinfos"
|
custom_sysinfos "$custom_sysinfos"
|
||||||
|
@ -789,6 +951,7 @@ function apacheconfig_deploy() {
|
||||||
local destdir="$1" certsdir="$2"; shift; shift
|
local destdir="$1" certsdir="$2"; shift; shift
|
||||||
local config="$1" oneconf="$2" onemodule="$3"; onesite="$4"; shift; shift; shift; shift
|
local config="$1" oneconf="$2" onemodule="$3"; onesite="$4"; shift; shift; shift; shift
|
||||||
local custom_sysinfos="$1" sysname="$2" sysdist="$3" sysver="$4" bits="$5"; shift; shift; shift; shift; shift
|
local custom_sysinfos="$1" sysname="$2" sysdist="$3" sysver="$4" bits="$5"; shift; shift; shift; shift; shift
|
||||||
|
local netconf="$1"; shift
|
||||||
|
|
||||||
local -a args
|
local -a args
|
||||||
args=(--ignore "$(basename -- "$config")")
|
args=(--ignore "$(basename -- "$config")")
|
||||||
|
@ -796,6 +959,7 @@ function apacheconfig_deploy() {
|
||||||
[ -n "$onemodule" ] && array_add args --one-module "$(basename -- "$onemodule")"
|
[ -n "$onemodule" ] && array_add args --one-module "$(basename -- "$onemodule")"
|
||||||
[ -n "$onesite" ] && array_add args --one-site "$(basename -- "$onesite")"
|
[ -n "$onesite" ] && array_add args --one-site "$(basename -- "$onesite")"
|
||||||
[ -n "$custom_sysinfos" ] && array_add args --sysname "$sysname" --sysdist "$sysdist" --sysver "$sysver" --bits "$bits"
|
[ -n "$custom_sysinfos" ] && array_add args --sysname "$sysname" --sysdist "$sysdist" --sysver "$sysver" --bits "$bits"
|
||||||
|
[ -n "$netconf" ] && array_add args --network-config
|
||||||
array_add args "$destdir" "$certsdir"
|
array_add args "$destdir" "$certsdir"
|
||||||
for __name in "${TEMPLATE_DYNAMIC_VARS[@]}"; do
|
for __name in "${TEMPLATE_DYNAMIC_VARS[@]}"; do
|
||||||
array_add args "$__name=${!__name}"
|
array_add args "$__name=${!__name}"
|
||||||
|
@ -803,6 +967,21 @@ function apacheconfig_deploy() {
|
||||||
apache_autoconf "${args[@]}" "$@"
|
apache_autoconf "${args[@]}" "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function apacheconfig_qs() {
|
||||||
|
# fonction pour simplifier l'utilisation de apacheconfig_deploy pour un
|
||||||
|
# répertoire spécifique
|
||||||
|
# $1=destdir $2=certsdir $3=netconf
|
||||||
|
local destdir="$1" certsdir="$2" netconf="$3"
|
||||||
|
local config modified destdir autocreate
|
||||||
|
apacheconfig_initvars
|
||||||
|
apacheconfig_loadconf "$1"
|
||||||
|
apacheconfig_deploy \
|
||||||
|
"$destdir" "$2" \
|
||||||
|
"$config" "" "" "" \
|
||||||
|
"" "" "" "" "" \
|
||||||
|
"$3"
|
||||||
|
}
|
||||||
|
|
||||||
function apacheconfig_localhosts() {
|
function apacheconfig_localhosts() {
|
||||||
local destdir="$1" certsdir="$2"; shift; shift
|
local destdir="$1" certsdir="$2"; shift; shift
|
||||||
local onesite="$1"; shift
|
local onesite="$1"; shift
|
||||||
|
@ -815,3 +994,241 @@ function apacheconfig_localhosts() {
|
||||||
done
|
done
|
||||||
apache_autoconf_localhosts "${args[@]}" "$@"
|
apache_autoconf_localhosts "${args[@]}" "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function __mrr_joinurl() {
|
||||||
|
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
|
||||||
|
local i url
|
||||||
|
for i in "$@"; do
|
||||||
|
[ -n "$i" ] || continue
|
||||||
|
if [ -n "$url" ]; then
|
||||||
|
url="${url%/}/${i#/}"
|
||||||
|
else
|
||||||
|
url="$i"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ -n "$url" ] && echo "$url"
|
||||||
|
}
|
||||||
|
function __mrr_has_proxy() {
|
||||||
|
# vérifier que les options $1 contiennent 'P'
|
||||||
|
local -a options
|
||||||
|
array_split options "$1" ","
|
||||||
|
array_contains options P
|
||||||
|
}
|
||||||
|
function legacy_mkRewriteRules() {
|
||||||
|
# $1=infile, $2=thishost, $3=outfile, $4=htmlfile, $5=proxy_enabled?
|
||||||
|
local infile="$1" thishost="$2" outfile="$3" htmlfile="$4" proxy_enabled="$5"
|
||||||
|
local -a rules; local rule prefix index done current
|
||||||
|
local tmpinfile tmpoutfile
|
||||||
|
local src dest host suffix options prot proxy_acls usrc trail noslash proxy_url proxy_use
|
||||||
|
|
||||||
|
if [ -z "$infile" -o "$infile" == - ]; then
|
||||||
|
infile=/dev/stdin
|
||||||
|
elif [ -z "$outfile" ]; then
|
||||||
|
local outdir="$(dirname -- "$infile")"
|
||||||
|
outfile="$(basename -- "$infile")"
|
||||||
|
if [[ "$outfile" == *rewrite*.rules ]]; then
|
||||||
|
outfile="${outfile/rewrite/RewriteRules}"
|
||||||
|
outfile="${outfile/.rules/.conf}"
|
||||||
|
else
|
||||||
|
outfile="$outfile-RewriteRules.conf"
|
||||||
|
fi
|
||||||
|
outfile="$outdir/$outfile"
|
||||||
|
fi
|
||||||
|
[ -n "$outfile" -a "$outfile" != - ] || outfile=/dev/stdout
|
||||||
|
|
||||||
|
if [ -z "$thishost" -o -z "$proxy_enabled" ]; then
|
||||||
|
# le cas échéant, lire les paramètres manquant depuis le fichier
|
||||||
|
if [ "$infile" == /dev/stdin ]; then
|
||||||
|
ac_set_tmpfile tmpinfile
|
||||||
|
cat >"$tmpinfile"
|
||||||
|
infile="$tmpinfile"
|
||||||
|
fi
|
||||||
|
eval "$(awkrun -f <"$infile" '
|
||||||
|
/^[^#]/ { exit 0 }
|
||||||
|
/^#+ *host *=/ { sub(/^#+ *host *= */, ""); sub(/ *$/, ""); print "thishost=" qval($0); next }
|
||||||
|
/^#+ *enable_proxy *=/ { sub(/^#+ *enable_proxy *= */, ""); sub(/ *$/, ""); print "proxy_enabled=" qval($0); next }
|
||||||
|
')"
|
||||||
|
fi
|
||||||
|
[ -n "$thishost" ] || thishost="$(myhost)"
|
||||||
|
normyesval proxy_enabled
|
||||||
|
|
||||||
|
if [ -n "$htmlfile" ]; then
|
||||||
|
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
|
||||||
|
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
-->
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||||
|
<title>'"$thishost</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h2>$thishost</h2>
|
||||||
|
<ul>" >"$htmlfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
ac_set_tmpfile tmpoutfile
|
||||||
|
array_from_lines rules "$(<"$infile" filter_comment)"
|
||||||
|
prefix=
|
||||||
|
for rule in "${rules[@]}"; do
|
||||||
|
if beginswith "$rule" ^; then
|
||||||
|
# Collecter les préfixe pour la règle suivante
|
||||||
|
prefix="${prefix:+$prefix
|
||||||
|
}${rule#^}"
|
||||||
|
continue
|
||||||
|
elif beginswith "$rule" =; then
|
||||||
|
# ligne litérale
|
||||||
|
echo "${rule#=}" >>"$tmpoutfile"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
local IFS=:; set -- $rule; unset IFS
|
||||||
|
index=1
|
||||||
|
done=
|
||||||
|
while [ -z "$done" ]; do
|
||||||
|
current="$1"; shift
|
||||||
|
while [ "${current%\\}" != "$current" ]; do
|
||||||
|
current="${current%\\}:$1"; shift
|
||||||
|
done
|
||||||
|
case $index in
|
||||||
|
1) src="$current";;
|
||||||
|
2) dest="$current";;
|
||||||
|
3) host="$current";;
|
||||||
|
4) suffix="$current";;
|
||||||
|
5) options="$current";;
|
||||||
|
6) prot="${current:-http}";;
|
||||||
|
7) proxy_acls="$current";;
|
||||||
|
*) done=1;;
|
||||||
|
esac
|
||||||
|
index=$(($index + 1))
|
||||||
|
done
|
||||||
|
|
||||||
|
# mettre en forme prefix s'il est défini
|
||||||
|
[ -n "$prefix" ] && prefix="$prefix
|
||||||
|
"
|
||||||
|
|
||||||
|
[ "$thishost" == "$host" ] && host=
|
||||||
|
|
||||||
|
usrc="$src"
|
||||||
|
|
||||||
|
trail=1
|
||||||
|
if endswith "$src" '$'; then
|
||||||
|
trail=
|
||||||
|
usrc="${src%$}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
noslash=
|
||||||
|
if endswith "$suffix" '$'; then
|
||||||
|
noslash=1
|
||||||
|
suffix="${suffix%$}"
|
||||||
|
fi
|
||||||
|
if endswith "$dest" '$'; then
|
||||||
|
noslash=1
|
||||||
|
dest="${dest%$}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
proxy_url=
|
||||||
|
proxy_use=
|
||||||
|
|
||||||
|
if endswith "$dest" .woa; then
|
||||||
|
# lien vers une application
|
||||||
|
if [ -n "$host" ]; then
|
||||||
|
# sur un autre hôte
|
||||||
|
if [ -n "$noslash" ]; then
|
||||||
|
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||||
|
else
|
||||||
|
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||||
|
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# sur le même hôte
|
||||||
|
if [ -n "$noslash" ]; then
|
||||||
|
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
|
||||||
|
proxy_use=1
|
||||||
|
else
|
||||||
|
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||||
|
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
|
||||||
|
proxy_use=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# lien vers une url
|
||||||
|
if [ -n "$host" ]; then
|
||||||
|
# sur un autre hôte
|
||||||
|
if [ -n "$noslash" ]; then
|
||||||
|
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix"
|
||||||
|
else
|
||||||
|
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||||
|
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||||
|
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix/"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# sur le même hôte
|
||||||
|
if [ -n "$noslash" ]; then
|
||||||
|
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc"
|
||||||
|
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix"
|
||||||
|
else
|
||||||
|
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
|
||||||
|
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$tmpoutfile"
|
||||||
|
setx url __mrr_joinurl "http://$thishost" "$usrc/"
|
||||||
|
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix/"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
__mrr_has_proxy "$options" && proxy_use=1
|
||||||
|
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
|
||||||
|
if [ "$proxy_acls" == "None" ]; then
|
||||||
|
:
|
||||||
|
elif [ -z "$proxy_acls" ]; then
|
||||||
|
echo "\
|
||||||
|
<Proxy $proxy_url*>
|
||||||
|
AddDefaultCharset off
|
||||||
|
Order Deny,Allow
|
||||||
|
Allow from all
|
||||||
|
</Proxy>" >>"$tmpoutfile"
|
||||||
|
else
|
||||||
|
echo "\
|
||||||
|
<Proxy $proxy_url*>
|
||||||
|
AddDefaultCharset off
|
||||||
|
Order Allow,Deny
|
||||||
|
Allow from $proxy_acls
|
||||||
|
</Proxy>" >>"$tmpoutfile"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "" >>"$tmpoutfile"
|
||||||
|
if [ -n "$htmlfile" ]; then
|
||||||
|
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Réinitialiser les préfixes pour chaque règle
|
||||||
|
prefix=
|
||||||
|
done
|
||||||
|
|
||||||
|
local modified
|
||||||
|
if testupdated "$tmpoutfile" "$outfile"; then
|
||||||
|
cat "$tmpoutfile" >"$outfile"
|
||||||
|
modified=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$htmlfile" ]; then
|
||||||
|
echo '</ul>
|
||||||
|
</body>
|
||||||
|
</html>' >>"$htmlfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -n "$tmpinfile" ] && ac_clean "$tmpinfile"
|
||||||
|
ac_clean "$tmpoutfile"
|
||||||
|
[ -n "$modified" ]
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
# -*- coding: utf-8 mode: text -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
Ce répertoire peut contenir les fichiers et répertoires suivants, qui sont tous
|
||||||
|
optionnels:
|
||||||
|
|
||||||
|
confs.conf
|
||||||
|
Liste des configurations qu'il faut activer. Si un fichier de configuration
|
||||||
|
existe mais n'est pas mentionnée dans ce fichier, ou si ce fichier n'existe
|
||||||
|
pas, aucune modification n'est effectuée. Ce fichier contient une liste de
|
||||||
|
ligne de configuration.
|
||||||
|
Si une configuration est de la forme -conf, elle est désactivée. Si une
|
||||||
|
configuration est de la forme +conf, elle est activée. Cette syntaxe permet
|
||||||
|
de supporter les configurations dont le nom commencerait par '-'
|
||||||
|
IMPORTANT: Ce fichier n'est supporté qu'à partir de debian jessie.
|
||||||
|
|
||||||
|
modules.conf
|
||||||
|
Liste des modules qu'il faut activer. Si un module existe mais n'est pas
|
||||||
|
mentionné dans ce fichier, ou si ce fichier n'existe pas, aucune
|
||||||
|
modification n'est effectuée.
|
||||||
|
Si un module est de la forme -module, il est désactivé. Si un module est de
|
||||||
|
la forme +module, il est activé. Cette syntaxe permet de supporter les
|
||||||
|
modules dont le nom commencerait par '-'
|
||||||
|
|
||||||
|
sites.conf
|
||||||
|
Liste des sites qu'il faut activer. Si ce fichier n'existe pas, tous les
|
||||||
|
sites existant sont activés. Si un site existe mais ne figure pas dans ce
|
||||||
|
fichier, il est désactivé.
|
||||||
|
|
||||||
|
confs/
|
||||||
|
Répertoire des configurations à installer. Les fichiers de ce répertoire
|
||||||
|
sont de la forme CONF.conf et sont installés dans le répertoire
|
||||||
|
/etc/apache2/conf-available. Il faut mentionner la configuration dans le
|
||||||
|
fichier confs.conf pour l'activer.
|
||||||
|
IMPORTANT: Ce répertoire n'est supporté qu'à partir de debian jessie.
|
||||||
|
|
||||||
|
modules/
|
||||||
|
Répertoire des configurations de modules à installer. Les fichiers de ce
|
||||||
|
répertoire sont de la forme MODULE.conf et sont installés dans le répertoire
|
||||||
|
/etc/apache2/mods-available. Il faut mentioner le module dans le fichier
|
||||||
|
modules.conf pour l'activer.
|
||||||
|
|
||||||
|
sites/
|
||||||
|
Répertoire des sites à installer. Les fichiers de ce répertoire sont de la
|
||||||
|
forme SITE.conf pour les sites écoutant en clair, et SITE.ssl.conf pour les
|
||||||
|
sites écoutant en https.
|
||||||
|
Pour chaque site SITE.ssl.conf, un fichier SITE-certs.conf doit exister dans
|
||||||
|
certsconf/. Pour chaque fichier SITE.ssl.conf, les balises @@ca@@, @@cert@@
|
||||||
|
et @@key@@ sont remplacés par les valeurs des variables ca, cert et key
|
||||||
|
définies dans le fichier correspondant SITE-certs.conf
|
||||||
|
|
||||||
|
cgi-bin/
|
||||||
|
Répertoire des scripts cgi
|
||||||
|
|
||||||
|
www/
|
||||||
|
Répertoire des fichiers du serveur web
|
||||||
|
|
||||||
|
certsconf/
|
||||||
|
Répertoire qui contient la configuration pour les certificats à installer.
|
||||||
|
Les fichiers de ce répertoire sont de la forme SITE-certs.conf et chacun
|
||||||
|
d'eux correspond à un fichier SITE.ssl.conf dans sites/
|
||||||
|
|
||||||
|
RewriteRules/
|
||||||
|
Répertoire qui contient la configuration de réécriture. Tous les fichiers
|
||||||
|
RewriteRules*.conf de ce répertoire sont copiés dans /etc/apache2
|
||||||
|
|
||||||
|
Tous les autres fichiers sont copiés tels quels dans /etc/apache2. Notamment,
|
||||||
|
apache2.conf est le fichier de configuration principal d'apache et ports.conf le
|
||||||
|
fichier de configuration des ports d'écoute.
|
||||||
|
|
||||||
|
## Configuration TLS
|
||||||
|
|
||||||
|
Le site https://mozilla.github.io/server-side-tls/ssl-config-generator/ contient
|
||||||
|
des informations sur la façon de configurer ssl côté serveur pour la sécurité et
|
||||||
|
les navigateurs modernes
|
||||||
|
|
||||||
|
Voir les détails sur https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
@ -0,0 +1,15 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
|
||||||
|
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
|
||||||
|
# certificats à installer sur le serveur.
|
||||||
|
certsdir=@@certsdir@@
|
||||||
|
|
||||||
|
# Fichier contenant les certificats racines qui valident le certificat à
|
||||||
|
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
|
||||||
|
# d'autres serveurs web
|
||||||
|
ca=@@caname@@
|
||||||
|
|
||||||
|
# Certificat et clé privée à installer
|
||||||
|
cert=
|
||||||
|
key=
|
|
@ -0,0 +1,24 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||||
|
# variables suivantes:
|
||||||
|
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des cgi-bins"
|
||||||
|
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||||
|
udir_types=(uinst:rsync)
|
||||||
|
uinc=release
|
||||||
|
uinc_options=()
|
||||||
|
uinc_args=()
|
||||||
|
configure_variables=(dest)
|
||||||
|
configure_dest_for=()
|
||||||
|
config_scripts=()
|
||||||
|
install_profiles=false
|
||||||
|
workdir_rsync_options=()
|
||||||
|
workdir_excludes=()
|
||||||
|
workdir_includes=()
|
||||||
|
copy_files=true
|
||||||
|
rsync_options=()
|
||||||
|
destdir=root@@@host@@:CGIBINDIR
|
||||||
|
srcdir=.
|
||||||
|
files=()
|
||||||
|
owner=root:
|
||||||
|
modes=(u=rwX,g=rX,o=rX)
|
||||||
|
root_scripts=()
|
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
echo "Content-Type: text/plain"
|
||||||
|
echo ""
|
||||||
|
echo "OK"
|
|
@ -0,0 +1,15 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
<IfModule mod_ssl.c>
|
||||||
|
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||||
|
|
||||||
|
# Choisir un des profils. Clients les plus anciens pouvant se connecter:
|
||||||
|
# modern: Firefox 27, Chrome 30, Windows 7 IE 11, Edge, Opera 17, Safari 9, Android 5.0, Java 8
|
||||||
|
# intermediate: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
|
||||||
|
# old: Windows XP IE6, Java 6
|
||||||
|
#Define SSL_CONFIG_MODERN
|
||||||
|
#Define SSL_CONFIG_INTERMEDIATE
|
||||||
|
#Define SSL_CONFIG_OLD
|
||||||
|
|
||||||
|
# Faut-il activer HSTS?
|
||||||
|
#Define SSL_CONFIG_HSTS
|
||||||
|
</IfModule>
|
|
@ -0,0 +1,4 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Liste des modules à activer. Syntaxe:
|
||||||
|
# module ou +module pour activer un module
|
||||||
|
# -module pour le désactiver
|
|
@ -107,7 +107,7 @@
|
||||||
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
|
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
|
||||||
|
|
||||||
# Inter-Process Session Cache:
|
# Inter-Process Session Cache:
|
||||||
# Configure the SSL Session Cache: First the mechanism
|
# Configure the SSL Session Cache: First the mechanism
|
||||||
# to use and second the expiring timeout (in seconds).
|
# to use and second the expiring timeout (in seconds).
|
||||||
# (The mechanism dbm has known memory leaks and should not be used).
|
# (The mechanism dbm has known memory leaks and should not be used).
|
||||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||||
|
@ -116,7 +116,7 @@
|
||||||
|
|
||||||
# Semaphore:
|
# Semaphore:
|
||||||
# Configure the path to the mutual exclusion semaphore the
|
# Configure the path to the mutual exclusion semaphore the
|
||||||
# SSL engine uses internally for inter-process synchronization.
|
# SSL engine uses internally for inter-process synchronization.
|
||||||
# (Disabled by default, the global Mutex directive consolidates by default
|
# (Disabled by default, the global Mutex directive consolidates by default
|
||||||
# this)
|
# this)
|
||||||
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
|
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
|
|
@ -0,0 +1,24 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Configuration du réseau sur le serveur. Ce fichier est traité différemment
|
||||||
|
# selon le mode de configuration.
|
||||||
|
# - En mode complet, ce fichier définit le nom d'hôte ainsi que toutes les
|
||||||
|
# interfaces, ponts et adresses. La variable host et les tableaux ips et brs
|
||||||
|
# sont pris en compte.
|
||||||
|
# - En mode partiel, seuls le tableau ips est pris en compte: il est utilisé
|
||||||
|
# pour définir des adresses ips supplémentaires à configurer sur le serveur.
|
||||||
|
|
||||||
|
# Liste des adresses IPs à configurer. Chaque élément est de la forme
|
||||||
|
# [IFACE:]dhcp ou [[IFACE][//GATEWAY]:]IP[/SUFFIX]
|
||||||
|
ips=()
|
||||||
|
|
||||||
|
# Liste des ponts à configurer. Chaque élément est de la forme BR:IFACES
|
||||||
|
# BR est le nom du pont, e.g. br0. IFACES est une liste d'interfaces séparées
|
||||||
|
# par une virgule. e.g. br0:eth0,eth1
|
||||||
|
brs=()
|
||||||
|
|
||||||
|
# Nom d'hôte pleinement qualifié. Si ce paramètre est spécifié, les fichiers
|
||||||
|
# /etc/hosts, /etc/hostname et /etc/mailname sont mis à jour.
|
||||||
|
host=
|
||||||
|
|
||||||
|
# Contenu du fichier /etc/networks
|
||||||
|
etc_networks=
|
|
@ -7,16 +7,8 @@ Listen 80
|
||||||
|
|
||||||
<IfModule ssl_module>
|
<IfModule ssl_module>
|
||||||
Listen 443
|
Listen 443
|
||||||
#NameVirtualHost IP:443
|
|
||||||
#Listen IP:443
|
|
||||||
#@@ips_namevirtualhosts@@
|
|
||||||
#@@ips_listens@@
|
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
|
||||||
<IfModule mod_gnutls.c>
|
<IfModule mod_gnutls.c>
|
||||||
Listen 443
|
Listen 443
|
||||||
#NameVirtualHost IP:443
|
|
||||||
#Listen IP:443
|
|
||||||
#@@ips_namevirtualhosts@@
|
|
||||||
#@@ips_listens@@
|
|
||||||
</IfModule>
|
</IfModule>
|
|
@ -0,0 +1,2 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Liste des sites à activer. Syntaxe:
|
||||||
|
# site ou +site pour activer un site
|
||||||
|
# -site pour le désactiver
|
|
@ -0,0 +1,9 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Liste de paquets système à installer, e.g. php5 ou libapache2-mod-jk
|
||||||
|
# Chaque package doit être indiqué sur une ligne à part
|
||||||
|
#libapache2-mod-jk
|
||||||
|
#libapache2-mod-auth-cas
|
||||||
|
#php5-mysql
|
||||||
|
#php5-ldap
|
||||||
|
#php5-gmp
|
||||||
|
#php5-gd
|
|
@ -0,0 +1,15 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
|
||||||
|
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
|
||||||
|
# certificats à installer sur le serveur.
|
||||||
|
certsdir=@@certsdir@@
|
||||||
|
|
||||||
|
# Fichier contenant les certificats racines qui valident le certificat à
|
||||||
|
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
|
||||||
|
# d'autres serveurs web
|
||||||
|
ca=@@caname@@
|
||||||
|
|
||||||
|
# Certificat et clé privée à installer
|
||||||
|
cert=
|
||||||
|
key=
|
|
@ -0,0 +1,31 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
<VirtualHost *:80>
|
||||||
|
# The ServerName directive sets the request scheme, hostname and port that
|
||||||
|
# the server uses to identify itself. This is used when creating
|
||||||
|
# redirection URLs. In the context of virtual hosts, the ServerName
|
||||||
|
# specifies what hostname must appear in the request's Host: header to
|
||||||
|
# match this virtual host. For the default virtual host (this file) this
|
||||||
|
# value is not decisive as it is used as a last resort host regardless.
|
||||||
|
# However, you must set it for any further virtual host explicitly.
|
||||||
|
ServerName SITE.TLD
|
||||||
|
ServerAlias SITE SITE.local
|
||||||
|
ServerAdmin @@admin@@
|
||||||
|
|
||||||
|
DocumentRoot /var/www/SITE
|
||||||
|
|
||||||
|
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
|
||||||
|
# error, crit, alert, emerg.
|
||||||
|
# It is also possible to configure the loglevel for particular
|
||||||
|
# modules, e.g.
|
||||||
|
#LogLevel info ssl:warn
|
||||||
|
|
||||||
|
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
|
||||||
|
|
||||||
|
# For most configuration files from conf-available/, which are
|
||||||
|
# enabled or disabled at a global level, it is possible to
|
||||||
|
# include a line for only one particular virtual host. For example the
|
||||||
|
# following line enables the CGI configuration for this host only
|
||||||
|
# after it has been globally disabled with "a2disconf".
|
||||||
|
#Include conf-available/serve-cgi-bin.conf
|
||||||
|
</VirtualHost>
|
|
@ -1,54 +1,27 @@
|
||||||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
<IfModule mod_ssl.c>
|
<IfModule mod_ssl.c>
|
||||||
<VirtualHost _default_:443>
|
<VirtualHost _default_:443>
|
||||||
ServerName @@host@@
|
ServerName SITE.TLD
|
||||||
ServerAlias @@aliases@@
|
ServerAlias SITE SITE.local
|
||||||
ServerAdmin @@admin@@
|
ServerAdmin @@admin@@
|
||||||
|
|
||||||
DocumentRoot /var/www
|
DocumentRoot /var/www/SITE
|
||||||
<Directory />
|
|
||||||
Options FollowSymLinks
|
|
||||||
AllowOverride None
|
|
||||||
</Directory>
|
|
||||||
<Directory /var/www/>
|
|
||||||
Options Indexes FollowSymLinks MultiViews
|
|
||||||
AllowOverride None
|
|
||||||
Order allow,deny
|
|
||||||
allow from all
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
|
||||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
# error, crit, alert, emerg.
|
||||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
# It is also possible to configure the loglevel for particular
|
||||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
# modules, e.g.
|
||||||
# mod-webobjects.conf
|
#LogLevel info ssl:warn
|
||||||
# Sinon, il suffit de commenter les lignes suivantes:
|
|
||||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
|
||||||
<Directory "/usr/lib/cgi-bin">
|
|
||||||
AllowOverride None
|
|
||||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
|
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
|
||||||
|
|
||||||
# Possible values include: debug, info, notice, warn, error, crit,
|
# For most configuration files from conf-available/, which are
|
||||||
# alert, emerg.
|
# enabled or disabled at a global level, it is possible to
|
||||||
LogLevel warn
|
# include a line for only one particular virtual host. For example the
|
||||||
|
# following line enables the CGI configuration for this host only
|
||||||
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
# after it has been globally disabled with "a2disconf".
|
||||||
|
#Include conf-available/serve-cgi-bin.conf
|
||||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</LocationMatch>
|
|
||||||
|
|
||||||
<Location /WebObjects>
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# SSL Engine Switch:
|
# SSL Engine Switch:
|
||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
|
@ -56,7 +29,7 @@
|
||||||
|
|
||||||
# A self-signed (snakeoil) certificate can be created by installing
|
# A self-signed (snakeoil) certificate can be created by installing
|
||||||
# the ssl-cert package. See
|
# the ssl-cert package. See
|
||||||
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
|
# /usr/share/doc/apache2/README.Debian.gz for more info.
|
||||||
# If both key and certificate are stored in the same file, only the
|
# If both key and certificate are stored in the same file, only the
|
||||||
# SSLCertificateFile directive is needed.
|
# SSLCertificateFile directive is needed.
|
||||||
SSLCertificateFile @@cert@@
|
SSLCertificateFile @@cert@@
|
||||||
|
@ -99,21 +72,6 @@
|
||||||
#SSLVerifyClient require
|
#SSLVerifyClient require
|
||||||
#SSLVerifyDepth 10
|
#SSLVerifyDepth 10
|
||||||
|
|
||||||
# Access Control:
|
|
||||||
# With SSLRequire you can do per-directory access control based
|
|
||||||
# on arbitrary complex boolean expressions containing server
|
|
||||||
# variable checks and other lookup directives. The syntax is a
|
|
||||||
# mixture between C and Perl. See the mod_ssl documentation
|
|
||||||
# for more details.
|
|
||||||
#<Location />
|
|
||||||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
|
||||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
|
||||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
|
||||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
|
||||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
|
||||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
|
||||||
#</Location>
|
|
||||||
|
|
||||||
# SSL Engine Options:
|
# SSL Engine Options:
|
||||||
# Set various options for the SSL engine.
|
# Set various options for the SSL engine.
|
||||||
# o FakeBasicAuth:
|
# o FakeBasicAuth:
|
||||||
|
@ -134,19 +92,15 @@
|
||||||
# because the extraction step is an expensive operation and is usually
|
# because the extraction step is an expensive operation and is usually
|
||||||
# useless for serving static content. So one usually enables the
|
# useless for serving static content. So one usually enables the
|
||||||
# exportation for CGI and SSI requests only.
|
# exportation for CGI and SSI requests only.
|
||||||
# o StrictRequire:
|
|
||||||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
|
||||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
|
||||||
# and no other module can change it.
|
|
||||||
# o OptRenegotiate:
|
# o OptRenegotiate:
|
||||||
# This enables optimized SSL connection renegotiation handling when SSL
|
# This enables optimized SSL connection renegotiation handling when SSL
|
||||||
# directives are used in per-directory context.
|
# directives are used in per-directory context.
|
||||||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
</FilesMatch>
|
</FilesMatch>
|
||||||
<Directory /usr/lib/cgi-bin>
|
<Directory /usr/lib/cgi-bin>
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
# SSL Protocol Adjustments:
|
# SSL Protocol Adjustments:
|
||||||
|
@ -174,8 +128,8 @@
|
||||||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||||||
# "force-response-1.0" for this.
|
# "force-response-1.0" for this.
|
||||||
BrowserMatch "MSIE [2-6]" \
|
BrowserMatch "MSIE [2-6]" \
|
||||||
nokeepalive ssl-unclean-shutdown \
|
nokeepalive ssl-unclean-shutdown \
|
||||||
downgrade-1.0 force-response-1.0
|
downgrade-1.0 force-response-1.0
|
||||||
# MSIE 7 and newer should be able to use keepalive
|
# MSIE 7 and newer should be able to use keepalive
|
||||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||||
|
# variables suivantes:
|
||||||
|
udir_desc="Fichiers à déployer dans le répertoire des documents web"
|
||||||
|
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||||
|
udir_types=(uinst:rsync)
|
||||||
|
uinc=release
|
||||||
|
uinc_options=()
|
||||||
|
uinc_args=()
|
||||||
|
configure_variables=(dest)
|
||||||
|
configure_dest_for=()
|
||||||
|
config_scripts=()
|
||||||
|
install_profiles=false
|
||||||
|
workdir_rsync_options=()
|
||||||
|
workdir_excludes=()
|
||||||
|
workdir_includes=()
|
||||||
|
copy_files=true
|
||||||
|
rsync_options=(--delete-after)
|
||||||
|
destdir=root@@@host@@:HTDOCSBASE/SITE
|
||||||
|
srcdir=.
|
||||||
|
files=()
|
||||||
|
owner=www-data:
|
||||||
|
modes=(u=rwX,g=rX,o=rX)
|
||||||
|
root_scripts=()
|
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
|
@ -0,0 +1,17 @@
|
||||||
|
worker.list=prod,dev
|
||||||
|
|
||||||
|
worker.prod.port=8009
|
||||||
|
worker.prod.host=@@prod_host@@
|
||||||
|
worker.prod.type=ajp13
|
||||||
|
worker.prod.lbfactor=1
|
||||||
|
worker.prod.connection_pool_timeout=600
|
||||||
|
worker.prod.socket_keepalive=1
|
||||||
|
worker.prod.socket_timeout=60
|
||||||
|
|
||||||
|
worker.dev.port=8009
|
||||||
|
worker.dev.host=@@dev_host@@
|
||||||
|
worker.dev.type=ajp13
|
||||||
|
worker.dev.lbfactor=1
|
||||||
|
worker.dev.connection_pool_timeout=600
|
||||||
|
worker.dev.socket_keepalive=1
|
||||||
|
worker.dev.socket_timeout=60
|
|
@ -0,0 +1,24 @@
|
||||||
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# Utiliser 'udir --help-vars' pour une description de la signification des
|
||||||
|
# variables suivantes:
|
||||||
|
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des documents web"
|
||||||
|
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
|
||||||
|
udir_types=(uinst:rsync)
|
||||||
|
uinc=release
|
||||||
|
uinc_options=()
|
||||||
|
uinc_args=()
|
||||||
|
configure_variables=(dest)
|
||||||
|
configure_dest_for=()
|
||||||
|
config_scripts=()
|
||||||
|
install_profiles=false
|
||||||
|
workdir_rsync_options=()
|
||||||
|
workdir_excludes=()
|
||||||
|
workdir_includes=()
|
||||||
|
copy_files=true
|
||||||
|
rsync_options=()
|
||||||
|
destdir=root@@@host@@:HTDOCSDIR
|
||||||
|
srcdir=.
|
||||||
|
files=()
|
||||||
|
owner=www-data:
|
||||||
|
modes=(u=rwX,g=rX,o=rX)
|
||||||
|
root_scripts=()
|
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
|
@ -1,10 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
source /etc/ulibauto || exit 1
|
||||||
source /etc/ulib &&
|
|
||||||
urequire DEFAULTS ||
|
|
||||||
exit 1
|
|
||||||
OENC="$UTF8"
|
|
||||||
|
|
||||||
PRIHOST=
|
PRIHOST=
|
||||||
PUBHOST=
|
PUBHOST=
|
||||||
|
|
|
@ -0,0 +1,103 @@
|
||||||
|
<IfModule mod_ssl.c>
|
||||||
|
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||||
|
<IfDefine SSL_CONFIG_MODERN>
|
||||||
|
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
|
||||||
|
SSLProtocol all -SSLv2 -SSLv3
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</IfDefine>
|
||||||
|
<IfDefine !SSL_CONFIG_MODERN>
|
||||||
|
<IfDefine SSL_CONFIG_INTERMEDIATE>
|
||||||
|
# intermediate configuration, tweak to your needs
|
||||||
|
SSLProtocol all -SSLv2 -SSLv3
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
SSLCompression off
|
||||||
|
SSLSessionTickets off
|
||||||
|
</IfDefine>
|
||||||
|
<IfDefine !SSL_CONFIG_INTERMEDIATE>
|
||||||
|
<IfDefine SSL_CONFIG_OLD>
|
||||||
|
# old configuration, tweak to your needs
|
||||||
|
SSLProtocol all -SSLv2
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
SSLCompression off
|
||||||
|
SSLSessionTickets off
|
||||||
|
</IfDefine>
|
||||||
|
<IfDefine !SSL_CONFIG_OLD>
|
||||||
|
# default debian configuration
|
||||||
|
|
||||||
|
# SSL Cipher Suite:
|
||||||
|
# List the ciphers that the client is permitted to negotiate.
|
||||||
|
# See the mod_ssl documentation for a complete list.
|
||||||
|
# enable only secure ciphers:
|
||||||
|
SSLCipherSuite HIGH:MEDIUM:!ADH
|
||||||
|
# Use this instead if you want to allow cipher upgrades via SGC facility.
|
||||||
|
# In this case you also have to use something like
|
||||||
|
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
||||||
|
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
|
||||||
|
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
||||||
|
|
||||||
|
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
|
||||||
|
SSLProtocol all -SSLv2
|
||||||
|
</IfDefine>
|
||||||
|
</IfDefine>
|
||||||
|
</IfDefine>
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pseudo Random Number Generator (PRNG):
|
||||||
|
# Configure one or more sources to seed the PRNG of the SSL library.
|
||||||
|
# The seed data should be of good random quality.
|
||||||
|
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||||
|
# is available. This means you then cannot use the /dev/random device
|
||||||
|
# because it would lead to very long connection times (as long as
|
||||||
|
# it requires to make more entropy available). But usually those
|
||||||
|
# platforms additionally provide a /dev/urandom device which doesn't
|
||||||
|
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||||
|
# Manual for more details.
|
||||||
|
#
|
||||||
|
SSLRandomSeed startup builtin
|
||||||
|
SSLRandomSeed startup file:/dev/urandom 512
|
||||||
|
SSLRandomSeed connect builtin
|
||||||
|
SSLRandomSeed connect file:/dev/urandom 512
|
||||||
|
|
||||||
|
##
|
||||||
|
## SSL Global Context
|
||||||
|
##
|
||||||
|
## All SSL configuration in this context applies both to
|
||||||
|
## the main server and all SSL-enabled virtual hosts.
|
||||||
|
##
|
||||||
|
|
||||||
|
#
|
||||||
|
# Some MIME-types for downloading Certificates and CRLs
|
||||||
|
#
|
||||||
|
AddType application/x-x509-ca-cert .crt
|
||||||
|
AddType application/x-pkcs7-crl .crl
|
||||||
|
|
||||||
|
# Pass Phrase Dialog:
|
||||||
|
# Configure the pass phrase gathering process.
|
||||||
|
# The filtering dialog program (`builtin' is a internal
|
||||||
|
# terminal dialog) has to provide the pass phrase on stdout.
|
||||||
|
SSLPassPhraseDialog builtin
|
||||||
|
|
||||||
|
# Inter-Process Session Cache:
|
||||||
|
# Configure the SSL Session Cache: First the mechanism
|
||||||
|
# to use and second the expiring timeout (in seconds).
|
||||||
|
# (The mechanism dbm has known memory leaks and should not be used).
|
||||||
|
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
||||||
|
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
|
||||||
|
SSLSessionCacheTimeout 300
|
||||||
|
|
||||||
|
# Semaphore:
|
||||||
|
# Configure the path to the mutual exclusion semaphore the
|
||||||
|
# SSL engine uses internally for inter-process synchronization.
|
||||||
|
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
|
||||||
|
|
||||||
|
# Allow insecure renegotiation with clients which do not yet support the
|
||||||
|
# secure renegotiation protocol. Default: Off
|
||||||
|
#SSLInsecureRenegotiation on
|
||||||
|
|
||||||
|
# Whether to forbid non-SNI clients to access name based virtual hosts.
|
||||||
|
# Default: Off
|
||||||
|
#SSLStrictSNIVHostCheck On
|
||||||
|
</IfModule>
|
|
@ -1,103 +0,0 @@
|
||||||
<IfModule mod_ssl.c>
|
|
||||||
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
||||||
<IfDefine SSL_CONFIG_MODERN>
|
|
||||||
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
|
||||||
SSLHonorCipherOrder on
|
|
||||||
</IfDefine>
|
|
||||||
<IfDefine !SSL_CONFIG_MODERN>
|
|
||||||
<IfDefine SSL_CONFIG_INTERMEDIATE>
|
|
||||||
# intermediate configuration, tweak to your needs
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
|
||||||
SSLHonorCipherOrder on
|
|
||||||
SSLCompression off
|
|
||||||
SSLSessionTickets off
|
|
||||||
</IfDefine>
|
|
||||||
<IfDefine !SSL_CONFIG_INTERMEDIATE>
|
|
||||||
<IfDefine SSL_CONFIG_OLD>
|
|
||||||
# old configuration, tweak to your needs
|
|
||||||
SSLProtocol all -SSLv2
|
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
|
||||||
SSLHonorCipherOrder on
|
|
||||||
SSLCompression off
|
|
||||||
SSLSessionTickets off
|
|
||||||
</IfDefine>
|
|
||||||
<IfDefine !SSL_CONFIG_OLD>
|
|
||||||
# default debian configuration
|
|
||||||
|
|
||||||
# SSL Cipher Suite:
|
|
||||||
# List the ciphers that the client is permitted to negotiate.
|
|
||||||
# See the mod_ssl documentation for a complete list.
|
|
||||||
# enable only secure ciphers:
|
|
||||||
SSLCipherSuite HIGH:MEDIUM:!ADH
|
|
||||||
# Use this instead if you want to allow cipher upgrades via SGC facility.
|
|
||||||
# In this case you also have to use something like
|
|
||||||
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
|
||||||
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
|
|
||||||
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
|
||||||
|
|
||||||
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
|
|
||||||
SSLProtocol all -SSLv2
|
|
||||||
</IfDefine>
|
|
||||||
</IfDefine>
|
|
||||||
</IfDefine>
|
|
||||||
|
|
||||||
#
|
|
||||||
# Pseudo Random Number Generator (PRNG):
|
|
||||||
# Configure one or more sources to seed the PRNG of the SSL library.
|
|
||||||
# The seed data should be of good random quality.
|
|
||||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
|
||||||
# is available. This means you then cannot use the /dev/random device
|
|
||||||
# because it would lead to very long connection times (as long as
|
|
||||||
# it requires to make more entropy available). But usually those
|
|
||||||
# platforms additionally provide a /dev/urandom device which doesn't
|
|
||||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
|
||||||
# Manual for more details.
|
|
||||||
#
|
|
||||||
SSLRandomSeed startup builtin
|
|
||||||
SSLRandomSeed startup file:/dev/urandom 512
|
|
||||||
SSLRandomSeed connect builtin
|
|
||||||
SSLRandomSeed connect file:/dev/urandom 512
|
|
||||||
|
|
||||||
##
|
|
||||||
## SSL Global Context
|
|
||||||
##
|
|
||||||
## All SSL configuration in this context applies both to
|
|
||||||
## the main server and all SSL-enabled virtual hosts.
|
|
||||||
##
|
|
||||||
|
|
||||||
#
|
|
||||||
# Some MIME-types for downloading Certificates and CRLs
|
|
||||||
#
|
|
||||||
AddType application/x-x509-ca-cert .crt
|
|
||||||
AddType application/x-pkcs7-crl .crl
|
|
||||||
|
|
||||||
# Pass Phrase Dialog:
|
|
||||||
# Configure the pass phrase gathering process.
|
|
||||||
# The filtering dialog program (`builtin' is a internal
|
|
||||||
# terminal dialog) has to provide the pass phrase on stdout.
|
|
||||||
SSLPassPhraseDialog builtin
|
|
||||||
|
|
||||||
# Inter-Process Session Cache:
|
|
||||||
# Configure the SSL Session Cache: First the mechanism
|
|
||||||
# to use and second the expiring timeout (in seconds).
|
|
||||||
# (The mechanism dbm has known memory leaks and should not be used).
|
|
||||||
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
|
|
||||||
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
|
|
||||||
SSLSessionCacheTimeout 300
|
|
||||||
|
|
||||||
# Semaphore:
|
|
||||||
# Configure the path to the mutual exclusion semaphore the
|
|
||||||
# SSL engine uses internally for inter-process synchronization.
|
|
||||||
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
|
|
||||||
|
|
||||||
# Allow insecure renegotiation with clients which do not yet support the
|
|
||||||
# secure renegotiation protocol. Default: Off
|
|
||||||
#SSLInsecureRenegotiation on
|
|
||||||
|
|
||||||
# Whether to forbid non-SNI clients to access name based virtual hosts.
|
|
||||||
# Default: Off
|
|
||||||
#SSLStrictSNIVHostCheck On
|
|
||||||
</IfModule>
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
# If you just change the port or add more ports here, you will likely also
|
||||||
|
# have to change the VirtualHost statement in
|
||||||
|
# /etc/apache2/sites-enabled/000-default
|
||||||
|
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
|
||||||
|
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
|
||||||
|
# README.Debian.gz
|
||||||
|
|
||||||
|
NameVirtualHost *:80
|
||||||
|
Listen *:80
|
||||||
|
|
||||||
|
<IfModule mod_ssl.c>
|
||||||
|
# If you add NameVirtualHost *:443 here, you will also have to change
|
||||||
|
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
|
||||||
|
# to <VirtualHost *:443>
|
||||||
|
# Server Name Indication for SSL named virtual hosts is currently not
|
||||||
|
# supported by MSIE on Windows XP.
|
||||||
|
#NameVirtualHost IP:443
|
||||||
|
#Listen IP:443
|
||||||
|
#@@ips_namevirtualhosts@@
|
||||||
|
#@@ips_listens@@
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_gnutls.c>
|
||||||
|
#NameVirtualHost IP:443
|
||||||
|
#Listen IP:443
|
||||||
|
#@@ips_namevirtualhosts@@
|
||||||
|
#@@ips_listens@@
|
||||||
|
</IfModule>
|
|
@ -1,29 +0,0 @@
|
||||||
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
|
||||||
# If you just change the port or add more ports here, you will likely also
|
|
||||||
# have to change the VirtualHost statement in
|
|
||||||
# /etc/apache2/sites-enabled/000-default
|
|
||||||
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
|
|
||||||
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
|
|
||||||
# README.Debian.gz
|
|
||||||
|
|
||||||
NameVirtualHost *:80
|
|
||||||
Listen *:80
|
|
||||||
|
|
||||||
<IfModule mod_ssl.c>
|
|
||||||
# If you add NameVirtualHost *:443 here, you will also have to change
|
|
||||||
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
|
|
||||||
# to <VirtualHost *:443>
|
|
||||||
# Server Name Indication for SSL named virtual hosts is currently not
|
|
||||||
# supported by MSIE on Windows XP.
|
|
||||||
#NameVirtualHost IP:443
|
|
||||||
#Listen IP:443
|
|
||||||
#@@ips_namevirtualhosts@@
|
|
||||||
#@@ips_listens@@
|
|
||||||
</IfModule>
|
|
||||||
|
|
||||||
<IfModule mod_gnutls.c>
|
|
||||||
#NameVirtualHost IP:443
|
|
||||||
#Listen IP:443
|
|
||||||
#@@ips_namevirtualhosts@@
|
|
||||||
#@@ips_listens@@
|
|
||||||
</IfModule>
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
<VirtualHost *:80>
|
||||||
|
ServerName @@host@@
|
||||||
|
ServerAlias @@aliases@@
|
||||||
|
ServerAdmin @@admin@@
|
||||||
|
|
||||||
|
DocumentRoot /var/www
|
||||||
|
<Directory />
|
||||||
|
Options FollowSymLinks
|
||||||
|
AllowOverride None
|
||||||
|
</Directory>
|
||||||
|
<Directory /var/www/>
|
||||||
|
Options Indexes FollowSymLinks MultiViews
|
||||||
|
AllowOverride None
|
||||||
|
Order allow,deny
|
||||||
|
allow from all
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||||
|
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||||
|
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||||
|
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||||
|
# mod-webobjects.conf
|
||||||
|
# Sinon, il suffit de commenter les lignes suivantes:
|
||||||
|
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||||
|
<Directory "/usr/lib/cgi-bin">
|
||||||
|
AllowOverride None
|
||||||
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||||
|
|
||||||
|
# Possible values include: debug, info, notice, warn, error, crit,
|
||||||
|
# alert, emerg.
|
||||||
|
LogLevel warn
|
||||||
|
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||||
|
|
||||||
|
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||||
|
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</LocationMatch>
|
||||||
|
<Location /WebObjects>
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
</VirtualHost>
|
|
@ -1,51 +0,0 @@
|
||||||
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
|
||||||
|
|
||||||
<VirtualHost *:80>
|
|
||||||
ServerName @@host@@
|
|
||||||
ServerAlias @@aliases@@
|
|
||||||
ServerAdmin @@admin@@
|
|
||||||
|
|
||||||
DocumentRoot /var/www
|
|
||||||
<Directory />
|
|
||||||
Options FollowSymLinks
|
|
||||||
AllowOverride None
|
|
||||||
</Directory>
|
|
||||||
<Directory /var/www/>
|
|
||||||
Options Indexes FollowSymLinks MultiViews
|
|
||||||
AllowOverride None
|
|
||||||
Order allow,deny
|
|
||||||
allow from all
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
|
||||||
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
|
||||||
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
|
||||||
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
|
||||||
# mod-webobjects.conf
|
|
||||||
# Sinon, il suffit de commenter les lignes suivantes:
|
|
||||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
|
||||||
<Directory "/usr/lib/cgi-bin">
|
|
||||||
AllowOverride None
|
|
||||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
|
||||||
|
|
||||||
# Possible values include: debug, info, notice, warn, error, crit,
|
|
||||||
# alert, emerg.
|
|
||||||
LogLevel warn
|
|
||||||
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
|
||||||
|
|
||||||
# Pour les serveurs qui ont le module mod_WebObjects:
|
|
||||||
<LocationMatch "/cgi-bin/WebObjects/.*">
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</LocationMatch>
|
|
||||||
<Location /WebObjects>
|
|
||||||
Order allow,deny
|
|
||||||
Allow from all
|
|
||||||
</Location>
|
|
||||||
</VirtualHost>
|
|
|
@ -0,0 +1,190 @@
|
||||||
|
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
|
|
||||||
|
<IfModule mod_ssl.c>
|
||||||
|
<VirtualHost _default_:443>
|
||||||
|
ServerName @@host@@
|
||||||
|
ServerAlias @@aliases@@
|
||||||
|
ServerAdmin @@admin@@
|
||||||
|
|
||||||
|
DocumentRoot /var/www
|
||||||
|
<Directory />
|
||||||
|
Options FollowSymLinks
|
||||||
|
AllowOverride None
|
||||||
|
</Directory>
|
||||||
|
<Directory /var/www/>
|
||||||
|
Options Indexes FollowSymLinks MultiViews
|
||||||
|
AllowOverride None
|
||||||
|
Order allow,deny
|
||||||
|
allow from all
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# Pour les serveurs qui ont le module mod_WebObjects:
|
||||||
|
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
|
||||||
|
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
|
||||||
|
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
|
||||||
|
# mod-webobjects.conf
|
||||||
|
# Sinon, il suffit de commenter les lignes suivantes:
|
||||||
|
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||||
|
<Directory "/usr/lib/cgi-bin">
|
||||||
|
AllowOverride None
|
||||||
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
|
||||||
|
|
||||||
|
# Possible values include: debug, info, notice, warn, error, crit,
|
||||||
|
# alert, emerg.
|
||||||
|
LogLevel warn
|
||||||
|
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
||||||
|
|
||||||
|
<LocationMatch "/cgi-bin/WebObjects/.*">
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</LocationMatch>
|
||||||
|
|
||||||
|
<Location /WebObjects>
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
# SSL Engine Switch:
|
||||||
|
# Enable/Disable SSL for this virtual host.
|
||||||
|
SSLEngine on
|
||||||
|
|
||||||
|
# A self-signed (snakeoil) certificate can be created by installing
|
||||||
|
# the ssl-cert package. See
|
||||||
|
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
|
||||||
|
# If both key and certificate are stored in the same file, only the
|
||||||
|
# SSLCertificateFile directive is needed.
|
||||||
|
SSLCertificateFile @@cert@@
|
||||||
|
SSLCertificateKeyFile @@key@@
|
||||||
|
|
||||||
|
# Server Certificate Chain:
|
||||||
|
# Point SSLCertificateChainFile at a file containing the
|
||||||
|
# concatenation of PEM encoded CA certificates which form the
|
||||||
|
# certificate chain for the server certificate. Alternatively
|
||||||
|
# the referenced file can be the same as SSLCertificateFile
|
||||||
|
# when the CA certificates are directly appended to the server
|
||||||
|
# certificate for convinience.
|
||||||
|
SSLCertificateChainFile @@ca@@
|
||||||
|
|
||||||
|
# Certificate Authority (CA):
|
||||||
|
# Set the CA certificate verification path where to find CA
|
||||||
|
# certificates for client authentication or alternatively one
|
||||||
|
# huge file containing all of them (file must be PEM encoded)
|
||||||
|
# Note: Inside SSLCACertificatePath you need hash symlinks
|
||||||
|
# to point to the certificate files. Use the provided
|
||||||
|
# Makefile to update the hash symlinks after changes.
|
||||||
|
#SSLCACertificatePath /etc/ssl/certs/
|
||||||
|
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
|
||||||
|
|
||||||
|
# Certificate Revocation Lists (CRL):
|
||||||
|
# Set the CA revocation path where to find CA CRLs for client
|
||||||
|
# authentication or alternatively one huge file containing all
|
||||||
|
# of them (file must be PEM encoded)
|
||||||
|
# Note: Inside SSLCARevocationPath you need hash symlinks
|
||||||
|
# to point to the certificate files. Use the provided
|
||||||
|
# Makefile to update the hash symlinks after changes.
|
||||||
|
#SSLCARevocationPath /etc/apache2/ssl.crl/
|
||||||
|
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
|
||||||
|
|
||||||
|
# Client Authentication (Type):
|
||||||
|
# Client certificate verification type and depth. Types are
|
||||||
|
# none, optional, require and optional_no_ca. Depth is a
|
||||||
|
# number which specifies how deeply to verify the certificate
|
||||||
|
# issuer chain before deciding the certificate is not valid.
|
||||||
|
#SSLVerifyClient require
|
||||||
|
#SSLVerifyDepth 10
|
||||||
|
|
||||||
|
# Access Control:
|
||||||
|
# With SSLRequire you can do per-directory access control based
|
||||||
|
# on arbitrary complex boolean expressions containing server
|
||||||
|
# variable checks and other lookup directives. The syntax is a
|
||||||
|
# mixture between C and Perl. See the mod_ssl documentation
|
||||||
|
# for more details.
|
||||||
|
#<Location />
|
||||||
|
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||||
|
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||||
|
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||||
|
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||||
|
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||||
|
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||||
|
#</Location>
|
||||||
|
|
||||||
|
# SSL Engine Options:
|
||||||
|
# Set various options for the SSL engine.
|
||||||
|
# o FakeBasicAuth:
|
||||||
|
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||||
|
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||||
|
# user name is the `one line' version of the client's X.509 certificate.
|
||||||
|
# Note that no password is obtained from the user. Every entry in the user
|
||||||
|
# file needs this password: `xxj31ZMTZzkVA'.
|
||||||
|
# o ExportCertData:
|
||||||
|
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||||
|
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||||
|
# server (always existing) and the client (only existing when client
|
||||||
|
# authentication is used). This can be used to import the certificates
|
||||||
|
# into CGI scripts.
|
||||||
|
# o StdEnvVars:
|
||||||
|
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||||
|
# Per default this exportation is switched off for performance reasons,
|
||||||
|
# because the extraction step is an expensive operation and is usually
|
||||||
|
# useless for serving static content. So one usually enables the
|
||||||
|
# exportation for CGI and SSI requests only.
|
||||||
|
# o StrictRequire:
|
||||||
|
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||||||
|
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||||
|
# and no other module can change it.
|
||||||
|
# o OptRenegotiate:
|
||||||
|
# This enables optimized SSL connection renegotiation handling when SSL
|
||||||
|
# directives are used in per-directory context.
|
||||||
|
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||||
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</FilesMatch>
|
||||||
|
<Directory /usr/lib/cgi-bin>
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# SSL Protocol Adjustments:
|
||||||
|
# The safe and default but still SSL/TLS standard compliant shutdown
|
||||||
|
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
||||||
|
# the close notify alert from client. When you need a different shutdown
|
||||||
|
# approach you can use one of the following variables:
|
||||||
|
# o ssl-unclean-shutdown:
|
||||||
|
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||||||
|
# SSL close notify alert is send or allowed to received. This violates
|
||||||
|
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||||||
|
# this when you receive I/O errors because of the standard approach where
|
||||||
|
# mod_ssl sends the close notify alert.
|
||||||
|
# o ssl-accurate-shutdown:
|
||||||
|
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||||||
|
# SSL close notify alert is send and mod_ssl waits for the close notify
|
||||||
|
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||||||
|
# practice often causes hanging connections with brain-dead browsers. Use
|
||||||
|
# this only for browsers where you know that their SSL implementation
|
||||||
|
# works correctly.
|
||||||
|
# Notice: Most problems of broken clients are also related to the HTTP
|
||||||
|
# keep-alive facility, so you usually additionally want to disable
|
||||||
|
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
||||||
|
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
||||||
|
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||||||
|
# "force-response-1.0" for this.
|
||||||
|
BrowserMatch "MSIE [2-6]" \
|
||||||
|
nokeepalive ssl-unclean-shutdown \
|
||||||
|
downgrade-1.0 force-response-1.0
|
||||||
|
# MSIE 7 and newer should be able to use keepalive
|
||||||
|
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||||
|
|
||||||
|
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||||
|
<IfDefine SSL_CONFIG_HSTS>
|
||||||
|
<IfModule mod_headers.c>
|
||||||
|
# HSTS (15768000 seconds = 6 months)
|
||||||
|
Header always set Strict-Transport-Security "max-age=15768000"
|
||||||
|
</IfModule>
|
||||||
|
</IfDefine>
|
||||||
|
</VirtualHost>
|
||||||
|
</IfModule>
|
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
Binary file not shown.
After Width: | Height: | Size: 29 KiB |
207
mkRewriteRules
207
mkRewriteRules
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
||||||
source "$(dirname "$0")/lib/ulib/ulib" || exit 1
|
source "$(dirname "$0")/lib/ulib/ulib" || exit 1
|
||||||
urequire DEFAULTS
|
urequire DEFAULTS apache.tools
|
||||||
|
|
||||||
function display_help() {
|
function display_help() {
|
||||||
uecho "$scriptname: Créer un fichier de redirections pour Apache à partir d'un certain
|
uecho "$scriptname: Créer un fichier de redirections pour Apache à partir d'un certain
|
||||||
|
@ -82,23 +82,9 @@ Dans les exemples donnés ci-dessus, $URL est l'\''url générée par la réécr
|
||||||
et $proxy_acls la valeur du champ proxy_acls spécifiée ci-dessus.'
|
et $proxy_acls la valeur du champ proxy_acls spécifiée ci-dessus.'
|
||||||
}
|
}
|
||||||
|
|
||||||
function joinurl() {
|
|
||||||
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
|
|
||||||
local i url
|
|
||||||
for i in "$@"; do
|
|
||||||
[ -n "$i" ] || continue
|
|
||||||
if [ -n "$url" ]; then
|
|
||||||
url="${url%/}/${i#/}"
|
|
||||||
else
|
|
||||||
url="$i"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
[ -n "$url" ] && echo "$url"
|
|
||||||
}
|
|
||||||
|
|
||||||
proxy_enabled=
|
proxy_enabled=
|
||||||
infile=
|
infile=
|
||||||
outfile="RewriteRules.conf"
|
outfile=
|
||||||
htmlfile=
|
htmlfile=
|
||||||
host=
|
host=
|
||||||
parse_opts "${PRETTYOPTS[@]}" \
|
parse_opts "${PRETTYOPTS[@]}" \
|
||||||
|
@ -109,187 +95,20 @@ parse_opts "${PRETTYOPTS[@]}" \
|
||||||
-w: htmlfile= \
|
-w: htmlfile= \
|
||||||
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
@ args -- "$@" && set -- "${args[@]}" || die "$args"
|
||||||
|
|
||||||
[ -n "$infile" ] || die "Il faut spécifier le fichier de règles"
|
|
||||||
[ -f "$infile" ] || die "Fichier de règles non trouvé: $(ppath "$infile")"
|
|
||||||
|
|
||||||
thishost="$1"
|
thishost="$1"
|
||||||
[ -n "$thishost" ] || die "Il faut spécifier l'hôte pour lequel créer le fichier de configuration"
|
if [ -n "$infile" ]; then infiles=("$infile")
|
||||||
|
else array_lsfiles infiles . "*rewrite*.rules"
|
||||||
function has_proxy() {
|
|
||||||
# vérifier que les options $1 contiennent 'P'
|
|
||||||
local options
|
|
||||||
array_split options "$1" ","
|
|
||||||
array_contains options P
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ -n "$htmlfile" ]; then
|
|
||||||
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
|
|
||||||
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
|
||||||
-->
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
||||||
<title>'"$thishost</title>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<h2>$thishost</h2>
|
|
||||||
<ul>" >"$htmlfile"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
>"$outfile"
|
[ ${#infiles[*]} -gt 0 ] || die "Il faut spécifier le fichier de règles avec -f"
|
||||||
array_from_lines rules "$(<"$infile" filter_comment)"
|
for infile in "${infiles[@]}"; do
|
||||||
prefix=
|
if [ -f "$infile" ]; then
|
||||||
for rule in "${rules[@]}"; do
|
estep "$(ppath "$infile")"
|
||||||
if beginswith "$rule" ^; then
|
legacy_mkRewriteRules "$infile" "$thishost" "$outfile" "$htmlfile" "$proxy_enabled"
|
||||||
# Collecter les préfixe pour la règle suivante
|
|
||||||
prefix="${prefix:+$prefix
|
|
||||||
}${rule#^}"
|
|
||||||
continue
|
|
||||||
elif beginswith "$rule" =; then
|
|
||||||
# ligne litérale
|
|
||||||
echo "${rule#=}" >>"$outfile"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
IFS=:; set -- $rule; unset IFS
|
|
||||||
index=1
|
|
||||||
done=
|
|
||||||
while [ -z "$done" ]; do
|
|
||||||
current="$1"; shift
|
|
||||||
while endswith "$current" "\\"; do
|
|
||||||
current="${current%\\}:$1"; shift
|
|
||||||
done
|
|
||||||
case $index in
|
|
||||||
1) src="$current";;
|
|
||||||
2) dest="$current";;
|
|
||||||
3) host="$current";;
|
|
||||||
4) suffix="$current";;
|
|
||||||
5) options="$current";;
|
|
||||||
6) prot="${current:-http}";;
|
|
||||||
7) proxy_acls="$current";;
|
|
||||||
*) done=1;;
|
|
||||||
esac
|
|
||||||
index=$(($index + 1))
|
|
||||||
done
|
|
||||||
|
|
||||||
# mettre en forme prefix s'il est défini
|
|
||||||
[ -n "$prefix" ] && prefix="$prefix
|
|
||||||
"
|
|
||||||
|
|
||||||
if [ "$thishost" == "$host" ]; then
|
|
||||||
host=
|
|
||||||
fi
|
|
||||||
|
|
||||||
usrc="$src"
|
|
||||||
|
|
||||||
trail=1
|
|
||||||
if endswith "$src" '$'; then
|
|
||||||
trail=
|
|
||||||
usrc="${src%$}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
noslash=
|
|
||||||
if endswith "$suffix" '$'; then
|
|
||||||
noslash=1
|
|
||||||
suffix="${suffix%$}"
|
|
||||||
fi
|
|
||||||
if endswith "$dest" '$'; then
|
|
||||||
noslash=1
|
|
||||||
dest="${dest%$}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
proxy_url=
|
|
||||||
proxy_use=
|
|
||||||
|
|
||||||
if endswith "$dest" .woa; then
|
|
||||||
# lien vers une application
|
|
||||||
if [ -n "$host" ]; then
|
|
||||||
# sur un autre hôte
|
|
||||||
if [ -n "$noslash" ]; then
|
|
||||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc"
|
|
||||||
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
|
|
||||||
else
|
|
||||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
|
||||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc/"
|
|
||||||
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# sur le même hôte
|
|
||||||
if [ -n "$noslash" ]; then
|
|
||||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc"
|
|
||||||
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
|
|
||||||
proxy_use=1
|
|
||||||
else
|
|
||||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
|
||||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc/"
|
|
||||||
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
|
|
||||||
proxy_use=1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
# lien vers une url
|
eerror "$(ppath "$infile"): fichier introuvable"
|
||||||
if [ -n "$host" ]; then
|
|
||||||
# sur un autre hôte
|
|
||||||
if [ -n "$noslash" ]; then
|
|
||||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc"
|
|
||||||
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix"
|
|
||||||
else
|
|
||||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
|
||||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc/"
|
|
||||||
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix/"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# sur le même hôte
|
|
||||||
if [ -n "$noslash" ]; then
|
|
||||||
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc"
|
|
||||||
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix"
|
|
||||||
else
|
|
||||||
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
|
|
||||||
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$outfile"
|
|
||||||
setx url joinurl "http://$thishost" "$usrc/"
|
|
||||||
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix/"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
has_proxy "$options" && proxy_use=1
|
# réinitialiser pour ne pas écraser un fichier existant
|
||||||
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
|
outfile=
|
||||||
if [ "$proxy_acls" == "None" ]; then
|
htmlfile=
|
||||||
:
|
|
||||||
elif [ -z "$proxy_acls" ]; then
|
|
||||||
echo "\
|
|
||||||
<Proxy $proxy_url*>
|
|
||||||
AddDefaultCharset off
|
|
||||||
Order Deny,Allow
|
|
||||||
Allow from all
|
|
||||||
</Proxy>" >>"$outfile"
|
|
||||||
else
|
|
||||||
echo "\
|
|
||||||
<Proxy $proxy_url*>
|
|
||||||
AddDefaultCharset off
|
|
||||||
Order Allow,Deny
|
|
||||||
Allow from $proxy_acls
|
|
||||||
</Proxy>" >>"$outfile"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "" >>"$outfile"
|
|
||||||
if [ -n "$htmlfile" ]; then
|
|
||||||
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Réinitialiser les préfixes pour chaque règle
|
|
||||||
prefix=
|
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$htmlfile" ]; then
|
|
||||||
echo '</ul>
|
|
||||||
</body>
|
|
||||||
</html>' >>"$htmlfile"
|
|
||||||
fi
|
|
||||||
|
|
Loading…
Reference in New Issue