modules
/
nutools
10
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

diverses modification de apacheconfig et apache.tools 

- rétablir deux répertoires de templates différents: celui pour debian wheezy-
  est distinct de celui pour jessie+
- support d'une configuration complète ou partielle
- support de la mise à jour de la configuration réseau: configuration complète
  (interfaces standards et bridge) ou partielle (ajout d'adresse ip)
- support de templates pour la création de nouveaux site
- améliorer le support des certificats: utiliser ceux qui sont déjà installés le
  cas échéant.
- support de fichiers *rewrite*.rules directement dans le répertoire
  principal. Les fichiers de RewriteRules/ sont obsolètes.
- quickstart pour apacheconfig, afin de simplifier son utilisation dans des
  scripts
- fonction legacy_mkRewriteRules() pour pouvoir traiter les fichiers
  *rewrite*.rules dans des scripts.
This commit is contained in:
Jephté Clain 2016-12-30 18:10:59 +04:00
parent c552d2de56
commit e3cd3cec3f
39 changed files with 1395 additions and 588 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
apacheconfig
View File

@ -16,6 +16,19 @@ OPTIONS
Créer un nouveau répertoire de configuration pour un hôte
-d, --destdir DESTDIR[=$TEMPLATECTL_NAME]
Nom du répertoire local de configuration.
-f,--full
--partial
Indiquer respectivement que la configuration est complète ou partielle.
Avec la configuration complète, le serveur peut être complètement
configuré avec tous les fichiers présents. Avec la configuration
partielle, uniquement les informations spécifiques à un service en
particulier sont disponibles.
Cette option est utilisée avec --create. Par défaut, la configuration
est partielle.
Pour le moment, la seule différence est que --full crée un fichier de
configuration nommé .apacheconfig alors que --partial crée un fichier
nommé apacheconfig.conf qui est visible et donc découvrable et éditable
plus facilement
-t, --template [OPT]
Gérer les fichiers du répertoire local avec templatectl. La valeur de
@ -46,9 +59,12 @@ OPTIONS
Lors du déploiement de la configuration, les valeurs des variables
dynamiques sont remplacées dans les fichiers destination.
Les arguments qui restent sont passés tels quels à apache_autoconf
-N, --network-config
Mettre aussi à jour la configuration réseau.
-r, --certsdir CERTSDIR
Spécifier le cas échéant le répertoire contenant les certificats à
déployer. Cet argument est requis si le répertoire certsconf/ existe.
déployer. Cet argument est requis si le répertoire certsconf/ existe,
sauf si les certificats sont déjà déployés.
--localhosts
Créer dans le fichier /etc/hosts tous les noms d'hôte ayant un suffixe
@ -63,24 +79,45 @@ OPTIONS
-S, --one-site SITE
Ne déployer que le fichier de site spécifié. Cette option est utilisée
avec --deploy ou --localhosts et est utile pour le développement et les
tests."
tests.
-k, --new-site HOST.TLD
Créer une définition pour un nouveau site à partir des fichiers du
répertoires templates/
-K, --new-site-templatedir TEMPLATEDIR
Spécifier le répertoire source pour les templates de site utilisés par
l'option --new-site. Par défaut, utiliser le répertoire templates/ situé
dans le répertoire de configuration.
Si TEMPLATEDIR est un nom simple sans séparateur de chemin '/' et qu'un
répertoire templates/TEMPLATEDIR existe, alors prendre ce répertoire-là
comme source.
--new-site-force
Avec --new-site, utiliser le nom d'hôte fourni même s'il n'est pas
pleinement qualifié"
}
action=
destdir=
nohideconfig=
nohideconfig=auto
templateopt=
FULLCONF=
netconf=
aac_certsdir=
bits=
oneconf=
onemodule=
onesite=
site_host=
site_templdir=
site_force=
args=(
--help '$exit_with display_help'
-c,--create action=create
-d:,--destdir: destdir=
--no-hideconfig nohideconfig=1
--hideconfig nohideconfig=
-f,--full FULLCONF=1
--partial FULLCONF=
-t::,--template:: '$set@ templateopt; action=template'
--help-template '$templateopt=-help; action=template'
-l,--list '$templateopt=l; action=template'
@ -96,15 +133,23 @@ args=(
-8,--jessie '$array_add TEMPLATECTL_VARS sysver=jessie'
--bits: bits=
-u,--update,--deploy action=deploy
-N,--network-config netconf=1
-r:,--certsdir: aac_certsdir=
--localhosts action=localhosts
-C:,--one-conf: oneconf=
-M:,--one-module: onemodule=
-S:,--one-site: onesite=
-k:,--new-site: '$action=new-site; set@ site_host'
-K:,--new-site-templatedir: site_templdir=
--new-site-force site_force=
)
parse_args "$@"; set -- "${args[@]}"
apacheconfig_loadconf "$destdir" || die
if [ "$nohideconfig" == auto ]; then
[ -n "$FULLCONF" ] && nohideconfig= || nohideconfig=1
fi
apacheconfig_loadconf "$destdir" "$nohideconfig" || die
apacheconfig_sysinfos "$sysname" "$sysdist" "$sysver" "$bits"
################################################################################
@ -128,7 +173,7 @@ if [ "$action" == create ]; then
ask_yesno "Le fichier $(ppath "$config") sera écrasé. Voulez-vous continuer?" O || die
rm -f "$config" || die
fi
templatectl -d "$destdir" --config "$config" --no-load-vars -m --write-vars
templatectl -d "$destdir" --config "$config" ${nohideconfig:+--no-hide-config} --no-load-vars -m --write-vars
################################################################################
elif [ "$action" == template ]; then
@ -142,7 +187,9 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
[ -d "$destdir" ] || die "$destdir: répertoire introuvable"
args=(
-d "$destdir" --$action ${aac_certsdir:+-r "$aac_certsdir"}
-d "$destdir" --$action
${netconf:+--network-config}
${aac_certsdir:+-r "$aac_certsdir"}
${oneconf:+--one-conf "$oneconf"}
${onemodule:+--one-module "$onemodule"}
${onesite:+--one-site "$onesite"}
@ -160,11 +207,113 @@ elif [ "$action" == deploy -o "$action" == localhosts ]; then
apacheconfig_deploy \
"$destdir" "$aac_certsdir" \
"$config" "$oneconf" "$onemodule" "$onesite" \
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" || die
"$custom_sysinfos" "$sysname" "$sysdist" "$sysver" "$bits" \
"$netconf" || die
eend
elif [ "$action" == localhosts ]; then
etitle "Mise à jour de /etc/hosts"
apacheconfig_deploy_localhosts "$destdir" "$aac_certsdir" "$onesite" || die
eend
fi
################################################################################
elif [ "$action" == new-site ]; then
host="$site_host"
templdir="$site_templdir"
if [[ "$templdir" != */* ]] && [ -d "$destdir/templates/$templdir" ]; then
templdir="$destdir/templates/$templdir"
elif [ -z "$templdir" ]; then
templdir="$destdir/templates"
fi
[ -d "$templdir" ] || die "$templdir: répertoire introuvable"
force="$site_force"
clrtempl=
ssltempl=
certstempl=
wwwtempl=
array_from_lines templs "$(list_files "$templdir" "*SITE.conf")"
[ ${#templs[*]} -gt 0 ] && clrtempl="${templs[0]}"
array_from_lines templs "$(list_files "$templdir" "*SITE.ssl.conf")"
[ ${#templs[*]} -gt 0 ] && ssltempl="${templs[0]}"
array_from_lines templs "$(list_files "$templdir" "*SITE-certs.conf")"
[ ${#templs[*]} -gt 0 ] && certstempl="${templs[0]}"
array_from_lines templs "$(list_dirs "$templdir" "*SITE")"
[ ${#templs[*]} -gt 0 ] && wwwtempl="${templs[0]}"
found=
for i in "$clrtempl" "$ssltempl" "$certstempl" "$wwwtempl"; do
[ -n "$i" ] && { found=1; break; }
done
[ -n "$found" ] || die "Aucun template disponible"
if [ -z "$force" ] && [[ "$host" != *.* ]]; then
die "$host n'est pas un nom d'hôte pleinement qualifié"
fi
etitle "$host"
hostname="${host%%.*}"
clrconf="${clrtempl/SITE/$hostname}"
sslconf="${ssltempl/SITE/$hostname}"
certsconf="${certstempl/SITE/$hostname}"
wwwdir="${wwwtempl/SITE/$hostname}"
mkdir -p "$destdir/certsconf"
mkdir -p "$destdir/sites"
sedscript="\
s/SITE.TLD/$host/g
s/SITE/$hostname/g"
if [ -z "$clrtempl" ]; then
:
elif [ ! -f "$templdir/$clrtempl" ]; then
ewarn "Le fichier $(ppath "$templdir/$clrtempl") n'existe pas. La copie ne sera pas complète"
elif [ -f "$destdir/sites/$clrconf" ]; then
ewarn "Le fichier sites/$clrconf existe déjà. Il ne sera pas écrasé."
else
estep "sites/$clrconf"
sed "$sedscript" "$templdir/$clrtempl" >"$destdir/sites/$clrconf" || die
fi
if [ -z "$ssltempl" ]; then
:
elif [ ! -f "$templdir/$ssltempl" ]; then
ewarn "Le fichier $(ppath "$templdir/$ssltempl") n'existe pas. La copie ne sera pas complète"
elif [ -f "$destdir/sites/$sslconf" ]; then
ewarn "Le fichier sites/$sslconf existe déjà. Il ne sera pas écrasé."
else
estep "sites/$sslconf"
sed "$sedscript" "$templdir/$ssltempl" >"$destdir/sites/$sslconf" || die
fi
if [ -z "$certstempl" ]; then
:
elif [ ! -f "$templdir/$certstempl" ]; then
ewarn "Le fichier $(ppath "$templdir/$certstempl") n'existe pas. La copie ne sera pas complète"
elif [ -f "$destdir/certsconf/$certsconf" ]; then
ewarn "Le fichier certsconf/$certsconf exite déjà. Il ne sera pas écrasé."
else
estep "certsconf/$certsconf"
sed "$sedscript" "$templdir/$certstempl" >"$destdir/certsconf/$certsconf" || die
fi
if [ -z "$wwwtempl" ]; then
:
elif [ ! -d "$templdir/$wwwtempl" ]; then
ewarn "Le répertoire $(ppath "$templdir/$wwwtempl") n'existe pas. La copie ne sera pas complète"
elif [ -d "$destdir/$wwwdir" ]; then
ewarn "Le répertoire $wwwdir existe déjà. Il ne sera pas écrasé."
else
estep "$wwwdir"
cpdirnovcs "$templdir/$wwwtempl" "$destdir/$wwwdir" || die
sed -i "$sedscript" "$destdir/$wwwdir/.udir" || die
fi
eend
if [ -n "$wwwtempl" ]; then
eimportant "Ne pas oublier le cas échéant de mettre à jour HTDMAPPINGS dans $(ppath "$config") e.g.
HTDMAPPINGS=($wwwdir)"
fi
fi

659
lib/ulib/apache.tools
View File

@ -5,28 +5,101 @@
##@require sysinfos
##@require apache
uprovide apache.tools
urequire base sysinfos apache
urequire base sysinfos template apache
function __apache_resolvcert() {
function __apache_rc_destdir() {
[ -z "$3" ] && set_var "${1:-certsdir}" "$(get_APACHESSLCERTSDIR_prefix)"
[ -z "$4" ] && set_var "${2:-keysdir}" "$(get_APACHESSLKEYSDIR_prefix)"
}
function __apache_rc_loadconf() {
[ -n "$__rc_dir" ] || __rc_dir="$(dirname "$__rc_conf")"
eval "$(
source "$__rc_conf"
set_var_cmd __rc_cert "$cert"
set_var_cmd __rc_key "$key"
set_var_cmd __rc_ca "$ca"
echo_setv __rc_cert "$cert"
echo_setv __rc_key "$key"
echo_setv __rc_ca "$ca"
)"
[ -n "$__rc_cert" ] && __rc_cert="$(abspath "$__rc_cert" "$__rc_dir")"
[ -n "$__rc_key" ] && __rc_key="$(abspath "$__rc_key" "$__rc_dir")"
[ -n "$__rc_ca" ] && __rc_ca="$(abspath "$__rc_ca" "$__rc_dir")"
}
function __apache_checkvars() {
function __apache_rc_resolveprefix() {
local __prefix __cert __key
local __certsdir="$1" __keysdir="$2"
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
if [ -z "$__rc_cert" ]; then
# si pas de certificat, alors générer un préfixe pour chercher les
# fichiers
setx __prefix=basename "$__rc_conf"
__prefix="${__prefix%certs.conf}"
elif [ ! -f "$__rc_cert" ]; then
# si le fichier source n'existe pas, vérifier s'il existe dans la
# destination
setx __cert=basename "$__rc_cert"
setx __key=basename "$__rc_key"
if [ -f "$__certsdir/$__cert" -a -f "$__keysdir/$__key" ]; then
# parfait, les fichiers existent déjà à l'endroit prévu
:
else
# construire un préfixe avec le nom du fichier
__prefix="$__cert"
if [ "${__prefix%.pem}" != "$__prefix" ]; then
__prefix="${__prefix%.pem}"
elif [ "${__prefix%.crt}" != "$__prefix" ]; then
__prefix="${__prefix%.crt}"
fi
if [ -n "${__prefix//[0-9]/}" ]; then
# enlever le suffixe numérique, uniquement si le nom ne contient
# pas que des chiffres
while [ -n "$__prefix" -a "${__prefix%[0-9]}" != "$__prefix" ]; do
__prefix="${__prefix%[0-9]}"
done
fi
fi
fi
if [ -n "$__prefix" ]; then
local -a __certs
array_from_lines __certs "$(list_files "$__certsdir" "$__prefix*" | LANG=C sort -r)"
if [ ${#__certs[*]} -gt 0 ]; then
__cert="${__certs[0]}"
__key="${__cert%.*}.key"
__rc_cert="$__rc_dir/$__cert"
__rc_key="$__rc_dir/$__key"
fi
fi
}
function __apache_rc_checkfiles() {
local destdir="$1"; shift
local file
for file in "$@"; do
[ -n "$file" ] || continue
[ -f "$file" ] && continue
if [ -n "$destdir" -a -f "$destdir/$(basename "$file")" ]; then
[ -z "$__apache_rc_quiet" ] && ewarn "$file: fichier introuvable
Le fichier existant $destdir/$(basename "$file") sera utilisé"
continue
fi
eerror "$file: fichier introuvable"
return 1
done
return 0
}
function __apache_rc_checkvars() {
local __certsdir="$1" __keysdir="$2"
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
if [ -n "$__rc_cert" -a -z "$__rc_key" ]; then
local __rc_name __rc_ext
splitname "$__rc_cert" __rc_name __rc_ext
if [ "$__rc_ext" == "crt" -o "$__rc_ext" == "pem" ]; then
__rc_key="$__rc_name.key"
enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
[ -z "$__apache_rc_quiet" ] && enote "La clé privée n'a pas été spécifiée. La valeur $(ppath "$__rc_key") sera utilisée"
else
eerror "Impossible de trouver la clé privée correspondant au certificat $(ppath "$__rc_cert")"
return 1
@ -36,30 +109,31 @@ function __apache_checkvars() {
eerror "Vous devez spécifier le certificat à installer"
return 1
elif [ -z "$__rc_cert" ]; then
eattention "Seul le certificat autorité a été spécifié."
[ -z "$__apache_rc_quiet" ] && eattention "Seul le certificat autorité a été spécifié."
elif [ -z "$__rc_ca" ]; then
ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
[ -z "$__apache_rc_quiet" ] && ewarn "Aucun certificat autorité n'a pas été spécifié. Cela ne peut marcher que si le certificat est autosigné"
fi
local i
for i in "$__rc_cert" "$__rc_key" "$__rc_ca"; do
[ -n "$i" ] || continue
[ -f "$i" ] || {
eerror "$i: Fichier introuvable"
return 1
}
done
__apache_rc_checkfiles "$__certsdir" "$__rc_ca" "$__rc_cert" || return 1
__apache_rc_checkfiles "$__keysdir" "$__rc_key" || return 1
return 0
}
function apache_resolvecert() {
# Calculer l'emplacement des certificats correspondant aux arguments $1 et
# $2 (qui correspondent aux options --conf et --dir de apache_addcert()),
# puis initialiser les variables $3(=cert), $4(=key) et $5(=ca)
# Si ces valeurs sont déjà calculées, on peut fournir $6=certsdir et
# $7=keysdir
local __rc_conf="$1" __rc_dir="$2"
local __rc_cert __rc_key __rc_ca
__apache_resolvcert
__apache_checkvars || return 1
local __certsdir="$6" __keysdir="$7"
__apache_rc_destdir __certsdir __keysdir "$__certsdir" "$__keysdir"
__apache_rc_loadconf
__apache_rc_resolveprefix "$__certsdir" "$__keysdir"
__apache_rc_checkvars "$__certsdir" "$__keysdir" || return 1
set_var "${3:-cert}" "$__rc_cert"
set_var "${4:-key}" "$__rc_key"
set_var "${5:-ca}" "$__rc_ca"
@ -93,29 +167,33 @@ OPTIONS
eval "$(utools_local)"
local action=install
local certsconf certsdir cert key ca
local certsconf certssrcdir cert key ca
local __out_cert __out_key __out_ca
parse_opts "${PRETTYOPTS[@]}" \
--help '$exit_with __apache_addcert_display_help' \
-C:,--conf: certsconf= \
-d:,--dir: certsdir= \
-d:,--dir: certssrcdir= \
--out-cert: '$set@ __out_cert; action=dump' \
--out-key: '$set@ __out_key; action=dump' \
--out-ca: '$set@ __out_ca; action=dump' \
@ args -- "$@" && set -- "${args[@]}" || die "$args"
local certsdir keysdir
__apache_rc_destdir certsdir keysdir
local __rc_conf __rc_dir
local __rc_cert __rc_key __rc_ca
if [ -n "$certsconf" ]; then
__rc_conf="$certsconf"
__rc_dir="$certsdir"
__apache_resolvconf
__apache_checkvars || return 1
__rc_dir="$certssrcdir"
__apache_rc_loadconf
__apache_rc_resolveprefix "$certsdir" "$keysdir"
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
else
__rc_cert="$1"
__rc_key="$2"
__rc_ca="$3"
__apache_checkvars || return 1
__apache_rc_checkvars "$certsdir" "$keysdir" || return 1
fi
cert="$__rc_cert"
key="$__rc_key"
@ -129,9 +207,7 @@ OPTIONS
ask_yesno "Voulez-vous continuer?" O || return 1
urequire install
etitle "Installation des certificats"
certsdir="$(get_APACHESSLCERTSDIR_prefix)"
keysdir="$(get_APACHESSLKEYSDIR_prefix)"
etitled "Copie des fichiers"
if [ ! -d "$certsdir" ]; then
mkdir -p "$certsdir" || return 1
chmod 755 "$certsdir" || return 1
@ -140,38 +216,36 @@ OPTIONS
mkdir -p "$keysdir" || return 1
chmod 710 "$keysdir" || return 1
fi
if [ -n "$cert" ]; then
copy_replace "$cert" "$certsdir" || return 1
chmod 644 "$certsdir/$(basename "$cert")" || return 1
copy_replace "$key" "$keysdir" || return 1
chmod 640 "$keysdir/$(basename "$key")" || return 1
if [ -n "$cert" -a -f "$cert" ]; then
if copy_update "$cert" "$certsdir"; then
chmod 644 "$certsdir/$(basename "$cert")" || return 1
fi
if copy_update "$key" "$keysdir"; then
chmod 640 "$keysdir/$(basename "$key")" || return 1
fi
fi
if [ -n "$ca" ]; then
copy_replace "$ca" "$certsdir" || return 1
chmod 644 "$certsdir/$(basename "$ca")" || return 1
if [ -n "$ca" -a -f "$ca" ]; then
if copy_update "$ca" "$certsdir"; then
chmod 644 "$certsdir/$(basename "$ca")" || return 1
fi
fi
eend
return 0
}
__APACHE_AUTOCONF_SUFFIXES=(d8 d)
__APACHE_AUTOCONF_SUFFIX_d8=(-d debian -v jessie+)
__APACHE_AUTOCONF_SUFFIX_d=(-d debian)
function __apache_autoconf_check_suffix() {
array_contains __APACHE_AUTOCONF_SUFFIXES "$1" || return 1
local sysinfos="__APACHE_AUTOCONF_SUFFIX_${1}[@]"
check_sysinfos --vars sysname sysdist sysver bits "${!sysinfos}"
}
function __apache_autoconf_filter_suffix_files() {
grep -vF ..
}
function __apache_autoconf_setup() {
if ! check_sysinfos --vars sysname sysdist sysver bits -s linux64 linux32 linux -d debian; then
eerror "apache_autoconf n'est supporté que sur Debian linux"
eerror "$(get_sysinfos_desc): système non supporté. debian linux est requis"
return 1
fi
urequire install
urequire debian install
if [ -z "$__apache_autoconf_no_require_apache" ]; then
pkg_check apache2 || {
eerror "apache2 non installé. impossible de continuer"
return 1
}
fi
compute_apache_prefixes
return 0
}
@ -193,24 +267,8 @@ function __apache_autoconf_fillcopy() {
# script sed $FILLSCRIPT. Le fichier temporaire $FILLTEMP est utilisé pour
# le remplacement des valeurs. $3 contient le cas échéant des commandes sed
# supplémentaires
# Si des fichiers suffixes existent, ne faire la copie que si un fichier
# approprié correspondant au système courant est trouvé
local src="$1" dest="$2" sedscript="$3" perms="${4:-go+rX}"
# vérifier les fichiers suffixe
local suffix have_suffix found_suffix
for suffix in "${__APACHE_AUTOCONF_SUFFIXES[@]}"; do
if [ -f "$src..$suffix" ]; then
have_suffix=1
if __apache_autoconf_check_suffix "$suffix"; then
found_suffix=1
src="$src..$suffix"
break
fi
fi
done
[ -n "$have_suffix" -a -z "$found_suffix" ] && return 1
# valeurs à remplacer dans le fichier
local var found_var
for var in "${FILLVARS[@]}"; do
@ -225,14 +283,16 @@ $sedscript" <"$src" >"$FILLTEMP"
src="$FILLTEMP"
fi
copy_update "$src" "$dest" "$perms"
copy_update "$src" "$dest" "$perms" && return
estepn "$(basename -- "$dest")"
return 1
}
__APACHE_AUTOCONF_HELP="\
--confdir CONFDIR
Spécifier l'emplacement des fichiers de configuration apache ainsi que des
fichiers 'confs.conf', 'modules.conf' et 'sites.conf'. Par défaut, prendre
le répertoire local DESTDIR.
fichiers 'syspkgs.conf', 'confs.conf', 'modules.conf' et 'sites.conf'. Par
défaut, prendre le répertoire local DESTDIR.
--confsdir CONFSDIR
Spécifier l'emplacement des fichiers des configuration. Par défaut, utiliser
DESTDIR/confs si ce répertoire existe.
@ -264,7 +324,7 @@ function apache_autoconf() {
local autoconfdir certsdir confdir confsdir oneconf modulesdir onemodule
local sitesdir onesite cgibindir wwwdir certsconfdir rrdir onecms
local sysname sysdist sysver bits
local destconfsdir a2xconf
local netconf destconfsdir a2xconf
local restart=1
parse_opts "${PRETTYOPTS[@]}" \
--help '$exit_with __display_apache_autoconf_help' \
@ -288,6 +348,7 @@ function apache_autoconf() {
-7,--wheezy sysver=wheezy \
-8,--jessie sysver=jessie \
--bits: bits= \
--network-config netconf=1 \
@ args -- "$@" && set -- "${args[@]}" || die "$args"
if [ -n "$sysname" -o -n "$sysdist" -o -n "$sysver" ]; then
@ -298,13 +359,13 @@ function apache_autoconf() {
sysver=("${MYSYSVER[@]}")
bits="$MYBITS"
fi
__apache_autoconf_setup || return 1
if __apache_autoconf_check_suffix d8; then
__apache_autoconf_no_require_apache= __apache_autoconf_setup || return 1
if check_sysinfos --vars sysname sysdist sysver bits -d debian -v jessie+; then
confdefault=000-default.conf
confdefaultssl=default-ssl.conf
destconfsdir="$APACHECONFDIR/conf-available"
a2xconf=1
elif __apache_autoconf_check_suffix d; then
elif check_sysinfos --vars sysname sysdist sysver bits -d debian; then
confdefault=default
confdefaultssl=default-ssl
destconfsdir="$APACHECONFDIR/conf.d"
@ -340,6 +401,19 @@ function apache_autoconf() {
local -a FILLVARS; local FILLSCRIPT FILLTEMP
__apache_autoconf_fillxxx "$@"
# Installation des packages système
if [ -f "$confdir/syspkgs.conf" ]; then
local -a syspkgs
local syspkg
array_from_lines syspkgs "$(<"$confdir/syspkgs.conf" filter_conf)"
if ! pkg_check "${syspkgs[@]}"; then
etitle "Installation de paquets système"
estep "${syspkgs[@]}"
pkg_install "${syspkgs[@]}" || return 1
eend
fi
fi
# Copie des certificats
local modified rehash conf
if [ -d "$certsconfdir" ]; then
@ -350,17 +424,10 @@ function apache_autoconf() {
array_addu FILLVARS ca
etitle "Installation des certificats"
[ -n "$certsdir" -a ! -d "$certsdir" ] && ewarn "$certsdir: répertoire invalide"
array_lsfiles certsconfs "$certsconfdir" "*.conf"
for certsconf in "${certsconfs[@]}"; do
if [ -z "$certsdir" ]; then
eerror "CERTSDIR est requis si --certsconfdir est spécifié"
return 1
elif [ ! -d "$certsdir" ]; then
eerror "$certsdir: répertoire invalide"
return 1
fi
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
apache_addcert -y "$cert" "$key" "$ca"
apache_addcert -y -C "$certsconf" -d "$certsdir" "$cert" "$key" "$ca" || return 1
modified=1
done
array_lsfiles certspems "$certsconfdir" "*.crt" "*.pem"
@ -378,11 +445,9 @@ function apache_autoconf() {
local -a confs
local conf
etitle "Installation des configurations"
array_from_lines confs "$(list_files "$confsdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
array_from_lines confs "$(list_files "$confsdir" "*.conf")"
for conf in "${confs[@]}"; do
[ -z "$oneconf" -o "$conf" == "$oneconf" ] || continue
estep "$conf"
__apache_autoconf_fillcopy \
"$confsdir/$conf" \
"$destconfsdir/$conf" && modified=1
@ -395,11 +460,9 @@ function apache_autoconf() {
local -a confs
local conf
etitle "Installation des configurations des modules"
array_from_lines confs "$(list_files "$modulesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
array_from_lines confs "$(list_files "$modulesdir" "*.conf")"
for conf in "${confs[@]}"; do
[ -z "$onemodule" -o "$conf" == "$onemodule" ] || continue
estep "$conf"
__apache_autoconf_fillcopy \
"$modulesdir/$conf" \
"$APACHECONFDIR/mods-available/$conf" && modified=1
@ -409,12 +472,12 @@ function apache_autoconf() {
# Règles de réécriture
if [ -d "$rrdir" -a -z "$onecms" ]; then
# legacy... remplacé par des fichiers de règles directement dans le répertoire de configuration
local -a confs
local conf
etitle "Installation des règles de réécriture"
array_from_lines confs "$(list_files "$rrdir" "RewriteRules*.conf")"
for conf in "${confs[@]}"; do
estep "$conf"
__apache_autoconf_fillcopy \
"$rrdir/$conf" \
"$APACHECONFDIR/$conf" && modified=1
@ -426,9 +489,9 @@ function apache_autoconf() {
local -a enablesites disablesites
if [ -d "$sitesdir" -a \( -z "$onecms" -o -n "$onesite" \) ]; then
local -a confs
local conf confname destconf certsconf
local conf confname destconf certsconf sedscript copied
etitle "Installation des sites"
array_from_lines confs "$(list_files "$sitesdir" "*.conf" | __apache_autoconf_filter_suffix_files)"
array_from_lines confs "$(list_files "$sitesdir" "*.conf")"
for confname in "${confs[@]}"; do
conf="$sitesdir/$confname"
[ -z "$onesite" -o "$confname" == "$onesite" ] || continue
@ -449,27 +512,44 @@ function apache_autoconf() {
*) destconf="$confname";;
esac
copied=
if [ -n "$certsconf" ]; then
certsconf="$certsconfdir/$certsconf"
if [ -f "$certsconf" ]; then
apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
__apache_autoconf_fillcopy \
"$conf" \
"$APACHEAVSITESDIR/$destconf" "\
__apache_rc_quiet=1 apache_resolvecert "$certsconf" "$certsdir" cert key ca || return 1
if [ -n "$cert" -a -n "$key" ]; then
sedscript="\
s#@@cert@@#$APACHESSLCERTSDIR/$(basename "$cert")#g
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
"
s#@@key@@#$APACHESSLKEYSDIR/$(basename "$key")#g"
if [ -n "$ca" ]; then
sedscript="$sedscript
s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g"
else
sedscript="$sedscript
/@@ca@@/s/^/#/g"
fi
__apache_autoconf_fillcopy \
"$conf" \
"$APACHEAVSITESDIR/$destconf" "$sedscript"
copied=1
else
eerror "$(ppath "$certsconf"): définition des certificats introuvable
Le fichier de configuration $confname a été ignoré"
fi
else
eerror "$(ppath "$certsconf"): fichier introuvable. Il a été ignoré"
eerror "$(ppath "$certsconf"): fichier introuvable
Le fichier de configuration $confname a été ignoré"
fi
else
__apache_autoconf_fillcopy \
"$conf" \
"$APACHEAVSITESDIR/$destconf"
copied=1
fi
if [ -n "$copied" ]; then
enablesites=("${enablesites[@]}" "$destconf")
modified=1
fi
enablesites=("${enablesites[@]}" "$destconf")
modified=1
done
eend
fi
@ -478,16 +558,28 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
if [ -d "$confdir" -a -z "$onecms" ]; then
local -a confs
local conf
etitle "Configuration de base"
array_add ignores confs.conf modules.conf sites.conf
array_from_lines confs "$(list_files "$confdir" | __apache_autoconf_filter_suffix_files)"
array_add ignores syspkgs.conf confs.conf modules.conf sites.conf network.conf
array_from_lines confs "$(list_files "$confdir")"
for conf in "${confs[@]}"; do
array_contains ignores "$conf" && continue
estep "$conf"
__apache_autoconf_fillcopy \
"$confdir/$conf" \
"$APACHECONFDIR/$conf" && modified=1
done
array_from_lines confs "$(list_files "$confdir" "*rewrite*.rules")"
if [ ${#confs[*]} -gt 0 ]; then
etitle "Règles de réécriture"
for conf in "${confs[@]}"; do
[ -f "$APACHECONFDIR/$conf" ] || continue
estep "$conf"
legacy_mkRewriteRules "$APACHECONFDIR/$conf" && modified=1
done
eend
fi
if [ -f "$confdir/confs.conf" -a -n "$a2xconf" ]; then
local -a confs
local conf
@ -564,9 +656,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
fi
# Contenu web
if [ -d "$wwwdir" -a -z "$onecms" ]; then
etitle "Installation des fichiers du serveur web"
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
if [ -z "$onecms" ]; then
etitled "Installation des fichiers du serveur web"
if is_defined HTDMAPPINGS; then
local htdmapping src dest
for htdmapping in "${HTDMAPPINGS[@]}"; do
splitpair "$htdmapping" dest src
[ -n "$dest" ] || dest=html
case "$dest" in
html) [ -n "$src" ] || src=www;;
*) [ -n "$src" ] || src="$dest";;
esac
withpath "$src" || src="$confdir/$src"
withpath "$dest" || dest="$HTDOCSBASE/$dest"
estep "$src --> $dest"
cpdirnovcs "$src" "$dest"
# par défaut, le propriétaire est root. est-ce nécessaire?
#chown -R www-data: "$dest"
done
elif [ -d "$wwwdir" ]; then
estep "$wwwdir --> $HTDOCSDIR"
cpdirnovcs "$wwwdir" "$HTDOCSDIR"
# par défaut, le propriétaire est root. est-ce nécessaire?
#chown -R www-data: "$HTDOCSDIR"
fi
eend
fi
@ -587,6 +700,30 @@ s#@@ca@@#$APACHESSLCERTSDIR/$(basename "$ca")#g
eend
fi
# Mettre à jour la configuration réseau
if [ -z "$onecms" -a -n "$netconf" -a -f "$confdir/network.conf" ]; then
local -a ips brs; local host etc_networks
eval "$(
source "$confdir/network.conf"
set_array_cmd ips
set_array_cmd brs
echo_setv host "$host"
echo_setv etc_networks "$etc_networks"
)"
etitled "Vérification de la configuration du réseau"
if [ -n "$FULLCONF" ]; then
if [ ${#ips[*]} -gt 0 -o ${#brs[*]} -gt 0 -o -n "$hosts" ]; then
network_config "$host" ips brs && modified=1
fi
[ -n "$etc_networks" ] && network_update_etc_networks "$etc_networks"
else
if [ ${#ips[*]} -gt 0 ]; then
network_config_partial ips && modified=1
fi
fi
eend
fi
if [ -n "$modified" ]; then
[ -n "$rehash" ] && elinedots "Hashage des certificats" c_rehash
if [ -n "$restart" ]; then
@ -604,7 +741,7 @@ function apache_autoconf_localhosts() {
--one-site: onesite= \
@ args -- "$@" && set -- "${args[@]}" || die "$args"
__apache_autoconf_setup || return 1
__apache_autoconf_no_require_apache=1 __apache_autoconf_setup || return 1
# Configuration
autoconfdir="$1"; shift
@ -711,27 +848,48 @@ function __template_updatef_dhost() {
[ -n "$ips" ] || __template_set_var ips ""
}
# toujours placer une variable dépendante AVANT la variable maitre
# syntaxe: var[:depvars,...][=desc]
APACHECONFIG_TEMPLATE_STATIC_VARS=(
hostname aliases host
certsdir caname
host:hostname,aliases="hôte pour lequel ce template a été créé.
# les variables hostname et aliases sont automatiquement générées.
# utiliser @@dhost@@ pour déployer dynamiquement avec le nom d'hôte courant."
certsdir="répertoire par défaut contenant les certificats à déployer"
caname="nom de l'autorité par défaut"
)
APACHECONFIG_TEMPLATE_DYNAMIC_VARS=(
ips_namevirtualhosts ips_listens ips
dhostname daliases dhost
admin configdir
ips:ips_namevirtualhosts,ips_listens="liste d'adresses de la forme ip[:port], séparées par un espace.
# ces adresses sont celles sur lesquelles apache doit écouter. ce paramètre n'a
# de sens que sur squeeze. en effet, la configuration par défaut sur jessie rend
# ce paramétrage inutile."
dhost:dhostname,daliases="hôte pour lequel les fichiers doivent être déployés.
# les variables dhostname et daliases sont automatiquement générées.
# cette variable n'a besoin d'être modifiée que si host=@@dhost@@ ci-dessous"
admin="mail de l'administrateur du serveur"
configdir="répertoire dans lequel le template a été généré"
)
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(configdir)
APACHECONFIG_TEMPLATE_USER_VARS=(
FULLCONF="Est-on en mode configuration complète?"
HTDMAPPINGS="Mapping des répertoires destination dans /var/www vers le répertoire local, e.g. html:www"
)
APACHECONFIG_TEMPLATE_NOWRITE_VARS=(hostname aliases dhostname daliases configdir)
function __apacheconfig_initsrcdirs() {
if check_sysinfos "$@" -d debian -v jessie+; then
TEMPLATECTL_SRCDIRS=(apacheconfig.d8)
else
TEMPLATECTL_SRCDIRS=(apacheconfig)
fi
}
function apacheconfig_initvars() {
DEFAULT_ADMIN=supervision-gdrsi@listes.univ-reunion.fr
DEFAULT_CERTSDIR=1507-renater
DEFAULT_CANAME=1507-DigiCertCA.crt
set_defaults apacheconfig
TEMPLATE_STATIC_VARS=("${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}")
TEMPLATE_DYNAMIC_VARS=("${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}")
TEMPLATE_NOWRITE_VARS=("${APACHECONFIG_TEMPLATE_NOWRITE_VARS[@]}")
template_build_vars TEMPLATE_STATIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_STATIC_VARS[@]}"
template_build_vars TEMPLATE_DYNAMIC_VARS TEMPLATE_NOWRITE_VARS "${APACHECONFIG_TEMPLATE_DYNAMIC_VARS[@]}"
template_build_vars TEMPLATE_USER_VARS "" "${APACHECONFIG_TEMPLATE_USER_VARS[@]}"
__TEMPLATE_DEFAULTF_host=__template_defaultf_host
__TEMPLATE_UPDATEF_host=__template_updatef_host
__TEMPLATE_DEFAULTF_ips=__template_defaultf_ips
@ -740,7 +898,7 @@ function apacheconfig_initvars() {
__TEMPLATE_UPDATEF_dhost=__template_updatef_dhost
TEMPLATECTL_NAME=apacheconfig
TEMPLATECTL_SRCDIRS=(apacheconfig)
__apacheconfig_initsrcdirs
TEMPLATECTL_CONFIG="$TEMPLATECTL_NAME"
TEMPLATECTL_DEFAULTS=(
admin="$DEFAULT_ADMIN"
@ -751,11 +909,14 @@ function apacheconfig_initvars() {
}
function apacheconfig_loadconf() {
local config modified
local destdir="$1" autocreate
local config modified autocreate
local destdir="$1" nohideconfig="$2"
# valeurs par défaut
is_defined HTDMAPPINGS || HTDMAPPINGS=(html:www)
__template_set_destdir destdir autocreate "$TEMPLATECTL_NAME" || return 1
setx config=templatectl_config "$destdir"
setx config=templatectl_config "$destdir" ${nohideconfig:+nohideconfig}
modified=
templatectl_loadvars "$config" && modified=1
@ -779,7 +940,8 @@ function apacheconfig_sysinfos() {
__template_set_var sysname "$sysname"
__template_set_var sysdist "$sysdist"
__template_set_var sysver "$sysver"
#check_sysinfos --vars sysname sysdist sysver bits "${templatectl_suffix[@]}
# mettre à jour la source en fonction du système cible
__apacheconfig_initsrcdirs --vars sysname sysdist sysver bits
upvars sysname "$sysname" sysdist "$sysdist" sysver "$sysver" bits "$bits" \
custom_sysinfos "$custom_sysinfos"
@ -789,6 +951,7 @@ function apacheconfig_deploy() {
local destdir="$1" certsdir="$2"; shift; shift
local config="$1" oneconf="$2" onemodule="$3"; onesite="$4"; shift; shift; shift; shift
local custom_sysinfos="$1" sysname="$2" sysdist="$3" sysver="$4" bits="$5"; shift; shift; shift; shift; shift
local netconf="$1"; shift
local -a args
args=(--ignore "$(basename -- "$config")")
@ -796,6 +959,7 @@ function apacheconfig_deploy() {
[ -n "$onemodule" ] && array_add args --one-module "$(basename -- "$onemodule")"
[ -n "$onesite" ] && array_add args --one-site "$(basename -- "$onesite")"
[ -n "$custom_sysinfos" ] && array_add args --sysname "$sysname" --sysdist "$sysdist" --sysver "$sysver" --bits "$bits"
[ -n "$netconf" ] && array_add args --network-config
array_add args "$destdir" "$certsdir"
for __name in "${TEMPLATE_DYNAMIC_VARS[@]}"; do
array_add args "$__name=${!__name}"
@ -803,6 +967,21 @@ function apacheconfig_deploy() {
apache_autoconf "${args[@]}" "$@"
}
function apacheconfig_qs() {
# fonction pour simplifier l'utilisation de apacheconfig_deploy pour un
# répertoire spécifique
# $1=destdir $2=certsdir $3=netconf
local destdir="$1" certsdir="$2" netconf="$3"
local config modified destdir autocreate
apacheconfig_initvars
apacheconfig_loadconf "$1"
apacheconfig_deploy \
"$destdir" "$2" \
"$config" "" "" "" \
"" "" "" "" "" \
"$3"
}
function apacheconfig_localhosts() {
local destdir="$1" certsdir="$2"; shift; shift
local onesite="$1"; shift
@ -815,3 +994,241 @@ function apacheconfig_localhosts() {
done
apache_autoconf_localhosts "${args[@]}" "$@"
}
function __mrr_joinurl() {
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
local i url
for i in "$@"; do
[ -n "$i" ] || continue
if [ -n "$url" ]; then
url="${url%/}/${i#/}"
else
url="$i"
fi
done
[ -n "$url" ] && echo "$url"
}
function __mrr_has_proxy() {
# vérifier que les options $1 contiennent 'P'
local -a options
array_split options "$1" ","
array_contains options P
}
function legacy_mkRewriteRules() {
# $1=infile, $2=thishost, $3=outfile, $4=htmlfile, $5=proxy_enabled?
local infile="$1" thishost="$2" outfile="$3" htmlfile="$4" proxy_enabled="$5"
local -a rules; local rule prefix index done current
local tmpinfile tmpoutfile
local src dest host suffix options prot proxy_acls usrc trail noslash proxy_url proxy_use
if [ -z "$infile" -o "$infile" == - ]; then
infile=/dev/stdin
elif [ -z "$outfile" ]; then
local outdir="$(dirname -- "$infile")"
outfile="$(basename -- "$infile")"
if [[ "$outfile" == *rewrite*.rules ]]; then
outfile="${outfile/rewrite/RewriteRules}"
outfile="${outfile/.rules/.conf}"
else
outfile="$outfile-RewriteRules.conf"
fi
outfile="$outdir/$outfile"
fi
[ -n "$outfile" -a "$outfile" != - ] || outfile=/dev/stdout
if [ -z "$thishost" -o -z "$proxy_enabled" ]; then
# le cas échéant, lire les paramètres manquant depuis le fichier
if [ "$infile" == /dev/stdin ]; then
ac_set_tmpfile tmpinfile
cat >"$tmpinfile"
infile="$tmpinfile"
fi
eval "$(awkrun -f <"$infile" '
/^[^#]/ { exit 0 }
/^#+ *host *=/ { sub(/^#+ *host *= */, ""); sub(/ *$/, ""); print "thishost=" qval($0); next }
/^#+ *enable_proxy *=/ { sub(/^#+ *enable_proxy *= */, ""); sub(/ *$/, ""); print "proxy_enabled=" qval($0); next }
')"
fi
[ -n "$thishost" ] || thishost="$(myhost)"
normyesval proxy_enabled
if [ -n "$htmlfile" ]; then
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>'"$thishost</title>
</head>
<body>
<h2>$thishost</h2>
<ul>" >"$htmlfile"
fi
ac_set_tmpfile tmpoutfile
array_from_lines rules "$(<"$infile" filter_comment)"
prefix=
for rule in "${rules[@]}"; do
if beginswith "$rule" ^; then
# Collecter les préfixe pour la règle suivante
prefix="${prefix:+$prefix
}${rule#^}"
continue
elif beginswith "$rule" =; then
# ligne litérale
echo "${rule#=}" >>"$tmpoutfile"
continue
fi
local IFS=:; set -- $rule; unset IFS
index=1
done=
while [ -z "$done" ]; do
current="$1"; shift
while [ "${current%\\}" != "$current" ]; do
current="${current%\\}:$1"; shift
done
case $index in
1) src="$current";;
2) dest="$current";;
3) host="$current";;
4) suffix="$current";;
5) options="$current";;
6) prot="${current:-http}";;
7) proxy_acls="$current";;
*) done=1;;
esac
index=$(($index + 1))
done
# mettre en forme prefix s'il est défini
[ -n "$prefix" ] && prefix="$prefix
"
[ "$thishost" == "$host" ] && host=
usrc="$src"
trail=1
if endswith "$src" '$'; then
trail=
usrc="${src%$}"
fi
noslash=
if endswith "$suffix" '$'; then
noslash=1
suffix="${suffix%$}"
fi
if endswith "$dest" '$'; then
noslash=1
dest="${dest%$}"
fi
proxy_url=
proxy_use=
if endswith "$dest" .woa; then
# lien vers une application
if [ -n "$host" ]; then
# sur un autre hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc"
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc/"
setx proxy_url __mrr_joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
fi
else
# sur le même hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc"
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
proxy_use=1
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc/"
setx proxy_url __mrr_joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
proxy_use=1
fi
fi
else
# lien vers une url
if [ -n "$host" ]; then
# sur un autre hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc"
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc/"
setx proxy_url __mrr_joinurl "$prot://$host" "$dest" "$suffix/"
fi
else
# sur le même hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(__mrr_joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc"
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$tmpoutfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(__mrr_joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$tmpoutfile"
setx url __mrr_joinurl "http://$thishost" "$usrc/"
setx proxy_url __mrr_joinurl "http://$thishost" "$dest" "$suffix/"
fi
fi
fi
__mrr_has_proxy "$options" && proxy_use=1
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
if [ "$proxy_acls" == "None" ]; then
:
elif [ -z "$proxy_acls" ]; then
echo "\
<Proxy $proxy_url*>
AddDefaultCharset off
Order Deny,Allow
Allow from all
</Proxy>" >>"$tmpoutfile"
else
echo "\
<Proxy $proxy_url*>
AddDefaultCharset off
Order Allow,Deny
Allow from $proxy_acls
</Proxy>" >>"$tmpoutfile"
fi
fi
echo "" >>"$tmpoutfile"
if [ -n "$htmlfile" ]; then
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
fi
# Réinitialiser les préfixes pour chaque règle
prefix=
done
local modified
if testupdated "$tmpoutfile" "$outfile"; then
cat "$tmpoutfile" >"$outfile"
modified=1
fi
if [ -n "$htmlfile" ]; then
echo '</ul>
</body>
</html>' >>"$htmlfile"
fi
[ -n "$tmpinfile" ] && ac_clean "$tmpinfile"
ac_clean "$tmpoutfile"
[ -n "$modified" ]
}

76
lib/ulib/templates/apacheconfig.d8/README-apacheconfig.txt Normal file
View File

@ -0,0 +1,76 @@
# -*- coding: utf-8 mode: text -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
Ce répertoire peut contenir les fichiers et répertoires suivants, qui sont tous
optionnels:
confs.conf
Liste des configurations qu'il faut activer. Si un fichier de configuration
existe mais n'est pas mentionnée dans ce fichier, ou si ce fichier n'existe
pas, aucune modification n'est effectuée. Ce fichier contient une liste de
ligne de configuration.
Si une configuration est de la forme -conf, elle est désactivée. Si une
configuration est de la forme +conf, elle est activée. Cette syntaxe permet
de supporter les configurations dont le nom commencerait par '-'
IMPORTANT: Ce fichier n'est supporté qu'à partir de debian jessie.
modules.conf
Liste des modules qu'il faut activer. Si un module existe mais n'est pas
mentionné dans ce fichier, ou si ce fichier n'existe pas, aucune
modification n'est effectuée.
Si un module est de la forme -module, il est désactivé. Si un module est de
la forme +module, il est activé. Cette syntaxe permet de supporter les
modules dont le nom commencerait par '-'
sites.conf
Liste des sites qu'il faut activer. Si ce fichier n'existe pas, tous les
sites existant sont activés. Si un site existe mais ne figure pas dans ce
fichier, il est désactivé.
confs/
Répertoire des configurations à installer. Les fichiers de ce répertoire
sont de la forme CONF.conf et sont installés dans le répertoire
/etc/apache2/conf-available. Il faut mentionner la configuration dans le
fichier confs.conf pour l'activer.
IMPORTANT: Ce répertoire n'est supporté qu'à partir de debian jessie.
modules/
Répertoire des configurations de modules à installer. Les fichiers de ce
répertoire sont de la forme MODULE.conf et sont installés dans le répertoire
/etc/apache2/mods-available. Il faut mentioner le module dans le fichier
modules.conf pour l'activer.
sites/
Répertoire des sites à installer. Les fichiers de ce répertoire sont de la
forme SITE.conf pour les sites écoutant en clair, et SITE.ssl.conf pour les
sites écoutant en https.
Pour chaque site SITE.ssl.conf, un fichier SITE-certs.conf doit exister dans
certsconf/. Pour chaque fichier SITE.ssl.conf, les balises @@ca@@, @@cert@@
et @@key@@ sont remplacés par les valeurs des variables ca, cert et key
définies dans le fichier correspondant SITE-certs.conf
cgi-bin/
Répertoire des scripts cgi
www/
Répertoire des fichiers du serveur web
certsconf/
Répertoire qui contient la configuration pour les certificats à installer.
Les fichiers de ce répertoire sont de la forme SITE-certs.conf et chacun
d'eux correspond à un fichier SITE.ssl.conf dans sites/
RewriteRules/
Répertoire qui contient la configuration de réécriture. Tous les fichiers
RewriteRules*.conf de ce répertoire sont copiés dans /etc/apache2
Tous les autres fichiers sont copiés tels quels dans /etc/apache2. Notamment,
apache2.conf est le fichier de configuration principal d'apache et ports.conf le
fichier de configuration des ports d'écoute.
## Configuration TLS
Le site https://mozilla.github.io/server-side-tls/ssl-config-generator/ contient
des informations sur la façon de configurer ssl côté serveur pour la sécurité et
les navigateurs modernes
Voir les détails sur https://wiki.mozilla.org/Security/Server_Side_TLS

15
lib/ulib/templates/apacheconfig.d8/certsconf/default-certs.conf Normal file
View File

@ -0,0 +1,15 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
# certificats à installer sur le serveur.
certsdir=@@certsdir@@
# Fichier contenant les certificats racines qui valident le certificat à
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
# d'autres serveurs web
ca=@@caname@@
# Certificat et clé privée à installer
cert=
key=

24
lib/ulib/templates/apacheconfig.d8/cgi-bin/.udir Normal file
View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Utiliser 'udir --help-vars' pour une description de la signification des
# variables suivantes:
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des cgi-bins"
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
udir_types=(uinst:rsync)
uinc=release
uinc_options=()
uinc_args=()
configure_variables=(dest)
configure_dest_for=()
config_scripts=()
install_profiles=false
workdir_rsync_options=()
workdir_excludes=()
workdir_includes=()
copy_files=true
rsync_options=()
destdir=root@@@host@@:CGIBINDIR
srcdir=.
files=()
owner=root:
modes=(u=rwX,g=rX,o=rX)
root_scripts=()

6
lib/ulib/templates/apacheconfig.d8/cgi-bin/test.cgi Executable file
View File

@ -0,0 +1,6 @@
#!/bin/bash
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
echo "Content-Type: text/plain"
echo ""
echo "OK"

0
lib/ulib/templates/apacheconfig/confs.conf..d8 → lib/ulib/templates/apacheconfig.d8/confs.conf
View File

15
lib/ulib/templates/apacheconfig.d8/confs/ssl-config.conf Normal file
View File

@ -0,0 +1,15 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<IfModule mod_ssl.c>
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
# Choisir un des profils. Clients les plus anciens pouvant se connecter:
# modern: Firefox 27, Chrome 30, Windows 7 IE 11, Edge, Opera 17, Safari 9, Android 5.0, Java 8
# intermediate: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
# old: Windows XP IE6, Java 6
#Define SSL_CONFIG_MODERN
#Define SSL_CONFIG_INTERMEDIATE
#Define SSL_CONFIG_OLD
# Faut-il activer HSTS?
#Define SSL_CONFIG_HSTS
</IfModule>

4
lib/ulib/templates/apacheconfig.d8/modules.conf Normal file
View File

@ -0,0 +1,4 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Liste des modules à activer. Syntaxe:
# module ou +module pour activer un module
# -module pour le désactiver

0
lib/ulib/templates/apacheconfig/modules/ssl.conf..d8 → lib/ulib/templates/apacheconfig.d8/modules/ssl.conf
View File

24
lib/ulib/templates/apacheconfig.d8/network.conf Normal file
View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Configuration du réseau sur le serveur. Ce fichier est traité différemment
# selon le mode de configuration.
# - En mode complet, ce fichier définit le nom d'hôte ainsi que toutes les
# interfaces, ponts et adresses. La variable host et les tableaux ips et brs
# sont pris en compte.
# - En mode partiel, seuls le tableau ips est pris en compte: il est utilisé
# pour définir des adresses ips supplémentaires à configurer sur le serveur.
# Liste des adresses IPs à configurer. Chaque élément est de la forme
# [IFACE:]dhcp ou [[IFACE][//GATEWAY]:]IP[/SUFFIX]
ips=()
# Liste des ponts à configurer. Chaque élément est de la forme BR:IFACES
# BR est le nom du pont, e.g. br0. IFACES est une liste d'interfaces séparées
# par une virgule. e.g. br0:eth0,eth1
brs=()
# Nom d'hôte pleinement qualifié. Si ce paramètre est spécifié, les fichiers
# /etc/hosts, /etc/hostname et /etc/mailname sont mis à jour.
host=
# Contenu du fichier /etc/networks
etc_networks=

8
lib/ulib/templates/apacheconfig/ports.conf..d8 → lib/ulib/templates/apacheconfig.d8/ports.conf
View File

@ -7,16 +7,8 @@ Listen 80
<IfModule ssl_module>
Listen 443
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>

2
lib/ulib/templates/apacheconfig.d8/rewrite.rules Normal file
View File

@ -0,0 +1,2 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8

4
lib/ulib/templates/apacheconfig.d8/sites.conf Normal file
View File

@ -0,0 +1,4 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Liste des sites à activer. Syntaxe:
# site ou +site pour activer un site
# -site pour le désactiver

0
lib/ulib/templates/apacheconfig/sites/default.conf..d8 → lib/ulib/templates/apacheconfig.d8/sites/default.conf
View File

0
lib/ulib/templates/apacheconfig/sites/default.ssl.conf..d8 → lib/ulib/templates/apacheconfig.d8/sites/default.ssl.conf
View File

9
lib/ulib/templates/apacheconfig.d8/syspkgs.conf Normal file
View File

@ -0,0 +1,9 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Liste de paquets système à installer, e.g. php5 ou libapache2-mod-jk
# Chaque package doit être indiqué sur une ligne à part
#libapache2-mod-jk
#libapache2-mod-auth-cas
#php5-mysql
#php5-ldap
#php5-gmp
#php5-gd

15
lib/ulib/templates/apacheconfig.d8/templates/SITE-certs.conf Normal file
View File

@ -0,0 +1,15 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Cette variable est utilisée par la fonction refcerts() du script runs. C'est
# le nom d'un répertoire à chercher dans RUNSMODULESPATH qui contient les
# certificats à installer sur le serveur.
certsdir=@@certsdir@@
# Fichier contenant les certificats racines qui valident le certificat à
# installer, ainsi que les certificats qui sont rencontrés dans le dialogue avec
# d'autres serveurs web
ca=@@caname@@
# Certificat et clé privée à installer
cert=
key=

31
lib/ulib/templates/apacheconfig.d8/templates/SITE.conf Normal file
View File

@ -0,0 +1,31 @@
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName SITE.TLD
ServerAlias SITE SITE.local
ServerAdmin @@admin@@
DocumentRoot /var/www/SITE
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

90
lib/ulib/templates/apacheconfig/sites/default.ssl.conf..d → lib/ulib/templates/apacheconfig.d8/templates/SITE.ssl.conf
View File

@ -1,54 +1,27 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName @@host@@
ServerAlias @@aliases@@
ServerName SITE.TLD
ServerAlias SITE SITE.local
ServerAdmin @@admin@@
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
DocumentRoot /var/www/SITE
# Pour les serveurs qui ont le module mod_WebObjects:
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
# mod-webobjects.conf
# Sinon, il suffit de commenter les lignes suivantes:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
ErrorLog ${APACHE_LOG_DIR}/SITE_error.log
CustomLog ${APACHE_LOG_DIR}/SITE_access.log combined
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
<LocationMatch "/cgi-bin/WebObjects/.*">
Order allow,deny
Allow from all
</LocationMatch>
<Location /WebObjects>
Order allow,deny
Allow from all
</Location>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
@ -56,7 +29,7 @@
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile @@cert@@
@ -99,21 +72,6 @@
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
@ -134,19 +92,15 @@
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
@ -174,8 +128,8 @@
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

24
lib/ulib/templates/apacheconfig.d8/templates/SITE/.udir Normal file
View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Utiliser 'udir --help-vars' pour une description de la signification des
# variables suivantes:
udir_desc="Fichiers à déployer dans le répertoire des documents web"
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
udir_types=(uinst:rsync)
uinc=release
uinc_options=()
uinc_args=()
configure_variables=(dest)
configure_dest_for=()
config_scripts=()
install_profiles=false
workdir_rsync_options=()
workdir_excludes=()
workdir_includes=()
copy_files=true
rsync_options=(--delete-after)
destdir=root@@@host@@:HTDOCSBASE/SITE
srcdir=.
files=()
owner=www-data:
modes=(u=rwX,g=rX,o=rX)
root_scripts=()

BIN
lib/ulib/templates/apacheconfig.d8/templates/SITE/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
lib/ulib/templates/apacheconfig.d8/templates/SITE/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

17
lib/ulib/templates/apacheconfig.d8/workers.properties Normal file
View File

@ -0,0 +1,17 @@
worker.list=prod,dev
worker.prod.port=8009
worker.prod.host=@@prod_host@@
worker.prod.type=ajp13
worker.prod.lbfactor=1
worker.prod.connection_pool_timeout=600
worker.prod.socket_keepalive=1
worker.prod.socket_timeout=60
worker.dev.port=8009
worker.dev.host=@@dev_host@@
worker.dev.type=ajp13
worker.dev.lbfactor=1
worker.dev.connection_pool_timeout=600
worker.dev.socket_keepalive=1
worker.dev.socket_timeout=60

24
lib/ulib/templates/apacheconfig.d8/www/.udir Normal file
View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# Utiliser 'udir --help-vars' pour une description de la signification des
# variables suivantes:
udir_desc="Fichiers à déployer sur @@host@@ dans le répertoire des documents web"
udir_note="Il est possible de déployer les modifications dans ce répertoire avec 'uinst -y'"
udir_types=(uinst:rsync)
uinc=release
uinc_options=()
uinc_args=()
configure_variables=(dest)
configure_dest_for=()
config_scripts=()
install_profiles=false
workdir_rsync_options=()
workdir_excludes=()
workdir_includes=()
copy_files=true
rsync_options=()
destdir=root@@@host@@:HTDOCSDIR
srcdir=.
files=()
owner=www-data:
modes=(u=rwX,g=rX,o=rX)
root_scripts=()

BIN
lib/ulib/templates/apacheconfig.d8/www/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
lib/ulib/templates/apacheconfig.d8/www/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

6
lib/ulib/templates/apacheconfig/RewriteRules/update.sh
View File

@ -1,10 +1,6 @@
#!/bin/bash
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
source /etc/ulib &&
urequire DEFAULTS ||
exit 1
OENC="$UTF8"
source /etc/ulibauto || exit 1
PRIHOST=
PUBHOST=

0
lib/ulib/templates/apacheconfig/confs.conf
View File

103
lib/ulib/templates/apacheconfig/modules/ssl.conf
View File

@ -0,0 +1,103 @@
<IfModule mod_ssl.c>
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
<IfDefine SSL_CONFIG_MODERN>
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
</IfDefine>
<IfDefine !SSL_CONFIG_MODERN>
<IfDefine SSL_CONFIG_INTERMEDIATE>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
</IfDefine>
<IfDefine !SSL_CONFIG_INTERMEDIATE>
<IfDefine SSL_CONFIG_OLD>
# old configuration, tweak to your needs
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
</IfDefine>
<IfDefine !SSL_CONFIG_OLD>
# default debian configuration
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</IfDefine>
</IfDefine>
</IfDefine>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>

103
lib/ulib/templates/apacheconfig/modules/ssl.conf..d
View File

@ -1,103 +0,0 @@
<IfModule mod_ssl.c>
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
<IfDefine SSL_CONFIG_MODERN>
# modern configuration not supported. same as SSL_CONFIG_INTERMEDIATE below
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
</IfDefine>
<IfDefine !SSL_CONFIG_MODERN>
<IfDefine SSL_CONFIG_INTERMEDIATE>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
</IfDefine>
<IfDefine !SSL_CONFIG_INTERMEDIATE>
<IfDefine SSL_CONFIG_OLD>
# old configuration, tweak to your needs
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
</IfDefine>
<IfDefine !SSL_CONFIG_OLD>
# default debian configuration
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</IfDefine>
</IfDefine>
</IfDefine>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>

29
lib/ulib/templates/apacheconfig/ports.conf
View File

@ -0,0 +1,29 @@
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen *:80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>
<IfModule mod_gnutls.c>
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>

29
lib/ulib/templates/apacheconfig/ports.conf..d
View File

@ -1,29 +0,0 @@
# -*- coding: utf-8 mode: conf -*- vim:syntax=apache:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen *:80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>
<IfModule mod_gnutls.c>
#NameVirtualHost IP:443
#Listen IP:443
#@@ips_namevirtualhosts@@
#@@ips_listens@@
</IfModule>

51
lib/ulib/templates/apacheconfig/sites/default.conf
View File

@ -0,0 +1,51 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<VirtualHost *:80>
ServerName @@host@@
ServerAlias @@aliases@@
ServerAdmin @@admin@@
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Pour les serveurs qui ont le module mod_WebObjects:
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
# mod-webobjects.conf
# Sinon, il suffit de commenter les lignes suivantes:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Pour les serveurs qui ont le module mod_WebObjects:
<LocationMatch "/cgi-bin/WebObjects/.*">
Order allow,deny
Allow from all
</LocationMatch>
<Location /WebObjects>
Order allow,deny
Allow from all
</Location>
</VirtualHost>

51
lib/ulib/templates/apacheconfig/sites/default.conf..d
View File

@ -1,51 +0,0 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<VirtualHost *:80>
ServerName @@host@@
ServerAlias @@aliases@@
ServerAdmin @@admin@@
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Pour les serveurs qui ont le module mod_WebObjects:
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
# mod-webobjects.conf
# Sinon, il suffit de commenter les lignes suivantes:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Pour les serveurs qui ont le module mod_WebObjects:
<LocationMatch "/cgi-bin/WebObjects/.*">
Order allow,deny
Allow from all
</LocationMatch>
<Location /WebObjects>
Order allow,deny
Allow from all
</Location>
</VirtualHost>

190
lib/ulib/templates/apacheconfig/sites/default.ssl.conf
View File

@ -0,0 +1,190 @@
# -*- coding: utf-8 mode: conf -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName @@host@@
ServerAlias @@aliases@@
ServerAdmin @@admin@@
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Pour les serveurs qui ont le module mod_WebObjects:
# mod_WebObjects et ScriptAlias ne peuvent pas gérer le même préfixe. Pour
# utiliser des cgi-bin avec WebObjects, il faut soit changer le préfixe de
# ScriptAlias, soit changer le préfixe de WebObjectsAlias dans le fichier
# mod-webobjects.conf
# Sinon, il suffit de commenter les lignes suivantes:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
<LocationMatch "/cgi-bin/WebObjects/.*">
Order allow,deny
Allow from all
</LocationMatch>
<Location /WebObjects>
Order allow,deny
Allow from all
</Location>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile @@cert@@
SSLCertificateKeyFile @@key@@
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile @@ca@@
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# cf https://wiki.mozilla.org/Security/Server_Side_TLS
<IfDefine SSL_CONFIG_HSTS>
<IfModule mod_headers.c>
# HSTS (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</IfModule>
</IfDefine>
</VirtualHost>
</IfModule>

BIN
lib/ulib/templates/apacheconfig/www/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
lib/ulib/templates/apacheconfig/www/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

207
mkRewriteRules
View File

@ -1,7 +1,7 @@
#!/bin/bash
# -*- coding: utf-8 mode: sh -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
source "$(dirname "$0")/lib/ulib/ulib" || exit 1
urequire DEFAULTS
urequire DEFAULTS apache.tools
function display_help() {
uecho "$scriptname: Créer un fichier de redirections pour Apache à partir d'un certain
@ -82,23 +82,9 @@ Dans les exemples donnés ci-dessus, $URL est l'\''url générée par la réécr
et $proxy_acls la valeur du champ proxy_acls spécifiée ci-dessus.'
}
function joinurl() {
# joindre chaque élément de $1..@ par /, en évitant les slashes en double
local i url
for i in "$@"; do
[ -n "$i" ] || continue
if [ -n "$url" ]; then
url="${url%/}/${i#/}"
else
url="$i"
fi
done
[ -n "$url" ] && echo "$url"
}
proxy_enabled=
infile=
outfile="RewriteRules.conf"
outfile=
htmlfile=
host=
parse_opts "${PRETTYOPTS[@]}" \
@ -109,187 +95,20 @@ parse_opts "${PRETTYOPTS[@]}" \
-w: htmlfile= \
@ args -- "$@" && set -- "${args[@]}" || die "$args"
[ -n "$infile" ] || die "Il faut spécifier le fichier de règles"
[ -f "$infile" ] || die "Fichier de règles non trouvé: $(ppath "$infile")"
thishost="$1"
[ -n "$thishost" ] || die "Il faut spécifier l'hôte pour lequel créer le fichier de configuration"
function has_proxy() {
# vérifier que les options $1 contiennent 'P'
local options
array_split options "$1" ","
array_contains options P
}
if [ -n "$htmlfile" ]; then
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!-- -*- coding: utf-8 mode: html -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>'"$thishost</title>
</head>
<body>
<h2>$thishost</h2>
<ul>" >"$htmlfile"
if [ -n "$infile" ]; then infiles=("$infile")
else array_lsfiles infiles . "*rewrite*.rules"
fi
>"$outfile"
array_from_lines rules "$(<"$infile" filter_comment)"
prefix=
for rule in "${rules[@]}"; do
if beginswith "$rule" ^; then
# Collecter les préfixe pour la règle suivante
prefix="${prefix:+$prefix
}${rule#^}"
continue
elif beginswith "$rule" =; then
# ligne litérale
echo "${rule#=}" >>"$outfile"
continue
fi
IFS=:; set -- $rule; unset IFS
index=1
done=
while [ -z "$done" ]; do
current="$1"; shift
while endswith "$current" "\\"; do
current="${current%\\}:$1"; shift
done
case $index in
1) src="$current";;
2) dest="$current";;
3) host="$current";;
4) suffix="$current";;
5) options="$current";;
6) prot="${current:-http}";;
7) proxy_acls="$current";;
*) done=1;;
esac
index=$(($index + 1))
done
# mettre en forme prefix s'il est défini
[ -n "$prefix" ] && prefix="$prefix
"
if [ "$thishost" == "$host" ]; then
host=
fi
usrc="$src"
trail=1
if endswith "$src" '$'; then
trail=
usrc="${src%$}"
fi
noslash=
if endswith "$suffix" '$'; then
noslash=1
suffix="${suffix%$}"
fi
if endswith "$dest" '$'; then
noslash=1
dest="${dest%$}"
fi
proxy_url=
proxy_use=
if endswith "$dest" .woa; then
# lien vers une application
if [ -n "$host" ]; then
# sur un autre hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc"
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc/"
setx proxy_url joinurl "$prot://$host/cgi-bin/WebObjects" "$dest" "$suffix/"
fi
else
# sur le même hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl /cgi-bin/WebObjects "$dest" "$suffix")${trail:+\$1} [L,P${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc"
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix"
proxy_use=1
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl /cgi-bin/WebObjects "$dest" "$suffix" "\$1") [L,P${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc/"
setx proxy_url joinurl "$prot://$thishost/cgi-bin/WebObjects" "$dest" "$suffix/"
proxy_use=1
fi
fi
[ ${#infiles[*]} -gt 0 ] || die "Il faut spécifier le fichier de règles avec -f"
for infile in "${infiles[@]}"; do
if [ -f "$infile" ]; then
estep "$(ppath "$infile")"
legacy_mkRewriteRules "$infile" "$thishost" "$outfile" "$htmlfile" "$proxy_enabled"
else
# lien vers une url
if [ -n "$host" ]; then
# sur un autre hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl "$prot://$host" "$dest" "$suffix")${trail:+\$1} [L${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc"
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl "$prot://$host" "$dest" "$suffix" "\$1") [L${options:+,$options}]" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc/"
setx proxy_url joinurl "$prot://$host" "$dest" "$suffix/"
fi
else
# sur le même hôte
if [ -n "$noslash" ]; then
echo "${prefix}RewriteRule ^/$src${trail:+(.*)} $(joinurl / "$dest" "$suffix")${trail:+\$1}${options:+ [$options]}" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc"
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix"
else
echo "${prefix}RewriteRule ^/$src\$ /$src/" >>"$outfile"
echo "${prefix}RewriteRule ^/$src/(.*) $(joinurl / "$dest" "$suffix" "\$1")${options:+ [$options]}" >>"$outfile"
setx url joinurl "http://$thishost" "$usrc/"
setx proxy_url joinurl "http://$thishost" "$dest" "$suffix/"
fi
fi
eerror "$(ppath "$infile"): fichier introuvable"
fi
has_proxy "$options" && proxy_use=1
if [ -n "$proxy_enabled" -a -n "$proxy_use" ]; then
if [ "$proxy_acls" == "None" ]; then
:
elif [ -z "$proxy_acls" ]; then
echo "\
<Proxy $proxy_url*>
AddDefaultCharset off
Order Deny,Allow
Allow from all
</Proxy>" >>"$outfile"
else
echo "\
<Proxy $proxy_url*>
AddDefaultCharset off
Order Allow,Deny
Allow from $proxy_acls
</Proxy>" >>"$outfile"
fi
fi
echo "" >>"$outfile"
if [ -n "$htmlfile" ]; then
echo "<li><a href=\"$url\">$url</a></li>" >>"$htmlfile"
fi
# Réinitialiser les préfixes pour chaque règle
prefix=
# réinitialiser pour ne pas écraser un fichier existant
outfile=
htmlfile=
done
if [ -n "$htmlfile" ]; then
echo '</ul>
</body>
</html>' >>"$htmlfile"
fi