diff options
Diffstat (limited to 'setup/projects/kaas/files/etc/apache2/extra')
11 files changed, 933 insertions, 0 deletions
diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-autoindex.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-autoindex.conf new file mode 100644 index 0000000..c581e97 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-autoindex.conf @@ -0,0 +1,93 @@ +# +# Directives controlling the display of server-generated directory listings. +# +# Required modules: mod_autoindex, mod_alias +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. +# + +# +# IndexOptions: Controls the appearance of server-generated directory +# listings. +# +IndexOptions FancyIndexing HTMLTable VersionSort + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +# +Alias /icons/ "/usr/local/apache2/icons/" + +<Directory "/usr/local/apache2/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all +</Directory> + +# +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +# +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +# +DefaultIcon /icons/unknown.gif + +# +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename +# +#AddDescription "GZIP compressed document" .gz +#AddDescription "tar archive" .tar +#AddDescription "GZIP compressed tar archive" .tgz + +# +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. +# +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +# +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-dav.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-dav.conf new file mode 100644 index 0000000..29dfb72 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-dav.conf @@ -0,0 +1,52 @@ +# +# Distributed authoring and versioning (WebDAV) +# +# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias +# mod_auth_digest, mod_authn_file +# + +# The following example gives DAV write access to a directory called +# "uploads" under the ServerRoot directory. +# +# The User/Group specified in httpd.conf needs to have write permissions +# on the directory where the DavLockDB is placed and on any directory where +# "Dav On" is specified. + +DavLockDB "/usr/local/apache2/var/DavLock" + +Alias /uploads "/usr/local/apache2/uploads" + +<Directory "/usr/local/apache2/uploads"> + Dav On + + Order Allow,Deny + Allow from all + + AuthType Digest + AuthName DAV-upload + + # You can use the htdigest program to create the password database: + # htdigest -c "/usr/local/apache2/user.passwd" DAV-upload admin + AuthUserFile "/usr/local/apache2/user.passwd" + AuthDigestProvider file + + # Allow universal read-access, but writes are restricted + # to the admin user. + <LimitExcept GET OPTIONS> + require user admin + </LimitExcept> +</Directory> + +# +# The following directives disable redirects on non-GET requests for +# a directory that does not include the trailing slash. This fixes a +# problem with several clients that do not appropriately handle +# redirects for folders with DAV methods. +# +BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully +BrowserMatch "MS FrontPage" redirect-carefully +BrowserMatch "^WebDrive" redirect-carefully +BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully +BrowserMatch "^gnome-vfs/1.0" redirect-carefully +BrowserMatch "^XML Spy" redirect-carefully +BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-default.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-default.conf new file mode 100644 index 0000000..efeca05 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-default.conf @@ -0,0 +1,75 @@ +# +# This configuration file reflects default settings for Apache HTTP Server. +# +# You may change these, but chances are that you may not need to. +# + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + +# +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +# +UseCanonicalName Off + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature On + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-info.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-info.conf new file mode 100644 index 0000000..db316c0 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-info.conf @@ -0,0 +1,37 @@ +# +# Get information about the requests being processed by the server +# and the configuration of the server. +# +# Required modules: mod_status (for the server-status handler), +# mod_info (for the server-info handler) + +# +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status +# Change the ".example.com" to match your domain to enable. + +<Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + Allow from .example.com +</Location> + +# +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. The default is Off. +# +#ExtendedStatus On + +# +# Allow remote server configuration reports, with the URL of +# http://servername/server-info (requires that mod_info.c be loaded). +# Change the ".example.com" to match your domain to enable. +# +<Location /server-info> + SetHandler server-info + Order deny,allow + Deny from all + Allow from .example.com +</Location> diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-languages.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-languages.conf new file mode 100644 index 0000000..7f66461 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-languages.conf @@ -0,0 +1,141 @@ +# +# Settings for hosting different languages. +# +# Required modules: mod_mime, mod_negotiation + +# DefaultLanguage and AddLanguage allows you to specify the language of +# a document. You can then use content negotiation to give a browser a +# file in a language the user can understand. +# +# Specify a default language. This means that all data +# going out without a specific language tag (see below) will +# be marked with this one. You probably do NOT want to set +# this unless you are sure it is correct for all cases. +# +# * It is generally better to not mark a page as +# * being a certain language than marking it with the wrong +# * language! +# +# DefaultLanguage nl +# +# Note 1: The suffix does not have to be the same as the language +# keyword --- those with documents in Polish (whose net-standard +# language code is pl) may wish to use "AddLanguage pl .po" to +# avoid the ambiguity with the common suffix for perl scripts. +# +# Note 2: The example entries below illustrate that in some cases +# the two character 'Language' abbreviation is not identical to +# the two character 'Country' code for its country, +# E.g. 'Danmark/dk' versus 'Danish/da'. +# +# Note 3: In the case of 'ltz' we violate the RFC by using a three char +# specifier. There is 'work in progress' to fix this and get +# the reference data for rfc1766 cleaned up. +# +# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) +# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) +# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) +# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) +# Norwegian (no) - Polish (pl) - Portugese (pt) +# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) +# Turkish (tr) - Simplified Chinese (zh-CN) - Spanish (es) +# Traditional Chinese (zh-TW) +# +AddLanguage ca .ca +AddLanguage cs .cz .cs +AddLanguage da .dk +AddLanguage de .de +AddLanguage el .el +AddLanguage en .en +AddLanguage eo .eo +AddLanguage es .es +AddLanguage et .et +AddLanguage fr .fr +AddLanguage he .he +AddLanguage hr .hr +AddLanguage it .it +AddLanguage ja .ja +AddLanguage ko .ko +AddLanguage ltz .ltz +AddLanguage nl .nl +AddLanguage nn .nn +AddLanguage no .no +AddLanguage pl .po +AddLanguage pt .pt +AddLanguage pt-BR .pt-br +AddLanguage ru .ru +AddLanguage sv .sv +AddLanguage tr .tr +AddLanguage zh-CN .zh-cn +AddLanguage zh-TW .zh-tw + +# LanguagePriority allows you to give precedence to some languages +# in case of a tie during content negotiation. +# +# Just list the languages in decreasing order of preference. We have +# more or less alphabetized them here. You probably want to change this. +# +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW + +# +# ForceLanguagePriority allows you to serve a result page rather than +# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) +# [in case no accepted languages matched the available variants] +# +ForceLanguagePriority Prefer Fallback + +# +# Commonly used filename extensions to character sets. You probably +# want to avoid clashes with the language extensions, unless you +# are good at carefully testing your setup after each change. +# See http://www.iana.org/assignments/character-sets for the +# official list of charset names and their respective RFCs. +# +AddCharset us-ascii.ascii .us-ascii +AddCharset ISO-8859-1 .iso8859-1 .latin1 +AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen +AddCharset ISO-8859-3 .iso8859-3 .latin3 +AddCharset ISO-8859-4 .iso8859-4 .latin4 +AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru +AddCharset ISO-8859-6 .iso8859-6 .arb .arabic +AddCharset ISO-8859-7 .iso8859-7 .grk .greek +AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew +AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk +AddCharset ISO-8859-10 .iso8859-10 .latin6 +AddCharset ISO-8859-13 .iso8859-13 +AddCharset ISO-8859-14 .iso8859-14 .latin8 +AddCharset ISO-8859-15 .iso8859-15 .latin9 +AddCharset ISO-8859-16 .iso8859-16 .latin10 +AddCharset ISO-2022-JP .iso2022-jp .jis +AddCharset ISO-2022-KR .iso2022-kr .kis +AddCharset ISO-2022-CN .iso2022-cn .cis +AddCharset Big5.Big5 .big5 .b5 +AddCharset cn-Big5 .cn-big5 +# For russian, more than one charset is used (depends on client, mostly): +AddCharset WINDOWS-1251 .cp-1251 .win-1251 +AddCharset CP866 .cp866 +AddCharset KOI8 .koi8 +AddCharset KOI8-E .koi8-e +AddCharset KOI8-r .koi8-r .koi8-ru +AddCharset KOI8-U .koi8-u +AddCharset KOI8-ru .koi8-uk .ua +AddCharset ISO-10646-UCS-2 .ucs2 +AddCharset ISO-10646-UCS-4 .ucs4 +AddCharset UTF-7 .utf7 +AddCharset UTF-8 .utf8 +AddCharset UTF-16 .utf16 +AddCharset UTF-16BE .utf16be +AddCharset UTF-16LE .utf16le +AddCharset UTF-32 .utf32 +AddCharset UTF-32BE .utf32be +AddCharset UTF-32LE .utf32le +AddCharset euc-cn .euc-cn +AddCharset euc-gb .euc-gb +AddCharset euc-jp .euc-jp +AddCharset euc-kr .euc-kr +#Not sure how euc-tw got in - IANA doesn't list it??? +AddCharset EUC-TW .euc-tw +AddCharset gb2312 .gb2312 .gb +AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 +AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 +AddCharset shift_jis .shift_jis .sjis diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-manual.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-manual.conf new file mode 100644 index 0000000..fc12fb9 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-manual.conf @@ -0,0 +1,31 @@ +# +# Provide access to the documentation on your server as +# http://yourserver.example.com/manual/ +# The documentation is always available at +# http://httpd.apache.org/docs/2.2/ +# +# Required modules: mod_alias, mod_setenvif, mod_negotiation +# + +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "/usr/local/apache2/manual$1" + +<Directory "/usr/local/apache2/manual"> + Options Indexes + AllowOverride None + Order allow,deny + Allow from all + + <Files *.html> + SetHandler type-map + </Files> + # .tr is text/troff in mime.types! + <Files *.html.tr.utf8> + ForceType "text/html; charset=utf-8" + </Files> + + SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br|ru|tr)/ prefer-language=$1 + RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br|ru|tr)){2,}(/.*)?$ /manual/$1$2 + + LanguagePriority en de es fr ja ko pt-br ru tr + ForceLanguagePriority Prefer Fallback +</Directory> diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-mpm.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-mpm.conf new file mode 100644 index 0000000..8c44c60 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-mpm.conf @@ -0,0 +1,110 @@ +# +# Server-Pool Management (MPM specific) +# + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +# Note that this is the default PidFile for most MPMs. +# +<IfModule !mpm_netware_module> + PidFile "logs/httpd.pid" +</IfModule> + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +<IfModule !mpm_winnt_module> +<IfModule !mpm_netware_module> +LockFile "logs/accept.lock" +</IfModule> +</IfModule> + +# +# Only one of the below sections will be relevant on your +# installed httpd. Use "apachectl -l" to find out the +# active mpm. +# + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_prefork_module> + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# worker MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 2 + MaxClients 150 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 +</IfModule> + +# BeOS MPM +# StartThreads: how many threads do we initially spawn? +# MaxClients: max number of threads we can have (1 thread == 1 client) +# MaxRequestsPerThread: maximum number of requests each thread will process +<IfModule mpm_beos_module> + StartThreads 10 + MaxClients 50 + MaxRequestsPerThread 10000 +</IfModule> + +# NetWare MPM +# ThreadStackSize: Stack size allocated for each worker thread +# StartThreads: Number of worker threads launched at server startup +# MinSpareThreads: Minimum number of idle threads, to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# MaxThreads: Maximum number of worker threads alive at the same time +# MaxRequestsPerChild: Maximum number of requests a thread serves. It is +# recommended that the default value of 0 be set for this +# directive on NetWare. This will allow the thread to +# continue to service requests indefinitely. +<IfModule mpm_netware_module> + ThreadStackSize 65536 + StartThreads 250 + MinSpareThreads 25 + MaxSpareThreads 250 + MaxThreads 1000 + MaxRequestsPerChild 0 + MaxMemFree 100 +</IfModule> + +# OS/2 MPM +# StartServers: Number of server processes to maintain +# MinSpareThreads: Minimum number of idle threads per process, +# to handle request spikes +# MaxSpareThreads: Maximum number of idle threads per process +# MaxRequestsPerChild: Maximum number of connections per server process +<IfModule mpm_mpmt_os2_module> + StartServers 2 + MinSpareThreads 5 + MaxSpareThreads 10 + MaxRequestsPerChild 0 +</IfModule> + +# WinNT MPM +# ThreadsPerChild: constant number of worker threads in the server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_winnt_module> + ThreadsPerChild 150 + MaxRequestsPerChild 0 +</IfModule> + diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-multilang-errordoc.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-multilang-errordoc.conf new file mode 100644 index 0000000..8ff9a45 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-multilang-errordoc.conf @@ -0,0 +1,52 @@ +# +# The configuration below implements multi-language error documents through +# content-negotiation. +# +# Required modules: mod_alias, mod_include, mod_negotiation +# +# We use Alias to redirect any /error/HTTP_<error>.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# +# You can modify the messages' appearance without changing any of the +# default HTTP_<error>.html.var files by adding the line: +# +# Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /usr/local/apache2/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. The default include files will display +# your Apache version number and your ServerAdmin email address regardless +# of the setting of ServerSignature. + +Alias /error/ "/usr/local/apache2/error/" + +<Directory "/usr/local/apache2/error"> + AllowOverride None + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Order allow,deny + Allow from all + LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr + ForceLanguagePriority Prefer Fallback +</Directory> + +ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +ErrorDocument 410 /error/HTTP_GONE.html.var +ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-ssl.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-ssl.conf new file mode 100644 index 0000000..f8c023e --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-ssl.conf @@ -0,0 +1,269 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailed information about these +# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +# +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the SSL library. +# The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +# +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed startup file:/dev/urandom 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + + +# +# When we also provide SSL we have to listen to the +# standard HTTP port (see above) and to the HTTPS port +# +# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" +# +Listen 8443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate, +# and that httpd will negotiate as the client of a proxied server. +# See the OpenSSL documentation for a complete list of ciphers, and +# ensure these follow appropriate best practices for this deployment. +# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, +# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4 + +# By the end of 2016, only TLSv1.2 ciphers should remain in use. +# Older ciphers should be disallowed as soon as possible, while the +# kRSA ciphers do not offer forward secrecy. These changes inhibit +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy +# non-browser tooling) from successfully connecting. +# +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable +# those protocols which do not support forward secrecy, replace +# the SSLCipherSuite and SSLProxyCipherSuite directives above with +# the following two directives, as soon as practical. +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Protocol support: +# List the protocol versions which clients are allowed to connect with. +# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) +# should be disabled as quickly as practical. By the end of 2016, only +# the TLSv1.2 protocol or later should remain in use. +SSLProtocol all -SSLv2 -SSLv3 +SSLProxyProtocol all -SSLv2 -SSLv3 + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache" +SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex "file:/usr/local/apache2/logs/ssl_mutex" + +## +## SSL Virtual Host Context +## + +<VirtualHost _default_:443> + +# General setup for the virtual host +DocumentRoot "/usr/local/apache2/htdocs" +ServerName www.example.com:443 +ServerAdmin you@example.com +ErrorLog "/usr/local/apache2/logs/error_log" +TransferLog "/usr/local/apache2/logs/access_log" + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile "/usr/local/apache2/conf/server.crt" +#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt" +#SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt" + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile "/usr/local/apache2/conf/server.key" +#SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key" +#SSLCertificateKeyFile "/usr/local/apache2/conf/server-ecc.key" + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. +#SSLCertificateChainFile "/usr/local/apache2/conf/server-ca.crt" + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +# Note: Inside SSLCACertificatePath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt" +#SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt" + +# Certificate Revocation Lists (CRL): +# Set the CA revocation path where to find CA CRLs for client +# authentication or alternatively one huge file containing all +# of them (file must be PEM encoded) +# Note: Inside SSLCARevocationPath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl" +#SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle.crl" + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +<FilesMatch "\.(cgi|shtml|phtml|php)$"> + SSLOptions +StdEnvVars +</FilesMatch> +<Directory "/usr/local/apache2/cgi-bin"> + SSLOptions +StdEnvVars +</Directory> + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog "/usr/local/apache2/logs/ssl_request_log" \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +</VirtualHost> diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-userdir.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-userdir.conf new file mode 100644 index 0000000..567bd6d --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-userdir.conf @@ -0,0 +1,28 @@ +# Settings for user home directories +# +# Required module: mod_userdir + +# +# UserDir: The name of the directory that is appended onto a user's home +# directory if a ~user request is received. Note that you must also set +# the default access control for these directories, as in the example below. +# +UserDir public_html + +# +# Control access to UserDir directories. The following is an example +# for a site where these directories are restricted to read-only. +# +<Directory "/home/*/public_html"> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Order allow,deny + Allow from all + </Limit> + <LimitExcept GET POST OPTIONS> + Order deny,allow + Deny from all + </LimitExcept> +</Directory> + diff --git a/setup/projects/kaas/files/etc/apache2/extra/httpd-vhosts.conf b/setup/projects/kaas/files/etc/apache2/extra/httpd-vhosts.conf new file mode 100644 index 0000000..01a73f3 --- /dev/null +++ b/setup/projects/kaas/files/etc/apache2/extra/httpd-vhosts.conf @@ -0,0 +1,45 @@ +# +# Virtual Hosts +# +# If you want to maintain multiple domains/hostnames on your +# machine you can setup VirtualHost containers for them. Most configurations +# use only name-based virtual hosts so the server doesn't need to worry about +# IP addresses. This is indicated by the asterisks in the directives below. +# +# Please see the documentation at +# <URL:http://httpd.apache.org/docs/2.2/vhosts/> +# for further details before you try to setup virtual hosts. +# +# You may use the command line option '-S' to verify your virtual host +# configuration. + +# +# Use name-based virtual hosting. +# +NameVirtualHost *:8080 + +# +# VirtualHost example: +# Almost any Apache directive may go into a VirtualHost container. +# The first VirtualHost section is used for all requests that do not +# match a ServerName or ServerAlias in any <VirtualHost> block. +# +<VirtualHost *:8080> + ServerAdmin webmaster@dummy-host.example.com + DocumentRoot "/usr/local/apache2/docs/dummy-host.example.com" + ServerName dummy-host.example.com + ServerAlias www.dummy-host.example.com + ErrorLog "logs/dummy-host.example.com-error_log" + CustomLog "logs/dummy-host.example.com-access_log" common +</VirtualHost> + +<VirtualHost *:8080> + ServerAdmin webmaster@dummy-host2.example.com + DocumentRoot "/usr/local/apache2/docs/dummy-host2.example.com" + ServerName dummy-host2.example.com + ErrorLog "logs/dummy-host2.example.com-error_log" + CustomLog "logs/dummy-host2.example.com-access_log" common +</VirtualHost> + + + |