From patchwork Mon Apr 12 21:00:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4149 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FK1N82MR7z3yBW for ; Mon, 12 Apr 2021 21:00:24 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FK1N66VF4zBC; Mon, 12 Apr 2021 21:00:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FK1N65H5jz2yk9; Mon, 12 Apr 2021 21:00:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FK1N560H5z2xbr for ; Mon, 12 Apr 2021 21:00:21 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4FK1N460wrz94 for ; Mon, 12 Apr 2021 21:00:20 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1618261221; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GWIp6b/OJfCS+17mAb214VE3cKwJBxytE5NIJf0xSMA=; b=8z2vI+9AapRZKeoL8SWedkjcK18rSumIZH/9RIPwil9Gmp/w8nbtzziPKbxqzjT2CLiM63 kcOQta4YfPC+wUBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1618261221; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=GWIp6b/OJfCS+17mAb214VE3cKwJBxytE5NIJf0xSMA=; b=ukuD4UDSP0M1gLxs+kbL62yM8toPNtNp/oYyzEbkBVyfD8E0ugIqiYEJPwkWkKw7Xi6xLE uM/WMu38f+XNuXpAnczKOcBVduaeRpgKEU+5QMyIUdg0kC0Q4ndKB2/UFlkDXmqAlWSGs+ 72hBhJz6v22dU5ZP279F1ABu/g5i/A+CtuhKn34PHH/bIFD1Bq+Hejozy9K61dyZFnKOdY NJq0uOMUTl1aocoI/hO4LNBQiUJ6Fhp2x3qpDUtHhEj+9UXB0NOV8iKEsUpoFsFr7XXSWR gEpfG45WvbTMOg92fsov5Wx04QPu63VJKxwfyf3+MF/h60j9GnMwQTWlkGcg7g== To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH 1/4] httpd: remove compatibility instructions for very old browsers Message-ID: <0b270dd5-9a61-2901-c75e-8698dd4373e8@ipfire.org> Date: Mon, 12 Apr 2021 23:00:19 +0200 MIME-Version: 1.0 Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" These are not in use any more - and if they would, we don't support them. Signed-off-by: Peter Müller --- config/httpd/server-tuning.conf | 10 ---------- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 3 --- 2 files changed, 13 deletions(-) diff --git a/config/httpd/server-tuning.conf b/config/httpd/server-tuning.conf index 5642a1e44..9ee651e45 100644 --- a/config/httpd/server-tuning.conf +++ b/config/httpd/server-tuning.conf @@ -22,13 +22,3 @@ MaxSpareThreads 20 StartServers 2 MaxRequestWorkers 256 ThreadsPerChild 16 - -# -# The following directives modify normal HTTP response behavior to -# handle known problems with browser implementations. -# -BrowserMatch "Mozilla/2" nokeepalive -BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 -BrowserMatch "RealPlayer 4\.0" force-response-1.0 -BrowserMatch "Java/1\.0" force-response-1.0 -BrowserMatch "JDK/1\.0" force-response-1.0 diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index de7b8559d..8c4cf3806 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -64,9 +64,6 @@ SSLOptions +StdEnvVars SetEnv HOME /home/nobody - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 CustomLog /var/log/httpd/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" From patchwork Mon Apr 12 21:00:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4150 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FK1Nf2S17z3yBW for ; Mon, 12 Apr 2021 21:00:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FK1Nd6mVQzjZ; Mon, 12 Apr 2021 21:00:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FK1Nd6Bwnz2xcM; Mon, 12 Apr 2021 21:00:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FK1Nc3kH8z2xbr for ; Mon, 12 Apr 2021 21:00:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4FK1Nb2sXDzD4 for ; Mon, 12 Apr 2021 21:00:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1618261247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KIV2QKokI73WVHyYh9drutl9AEZxsAlg+9daI2oQJ4k=; b=Xw8hGSVJU2nuw3omI9EPpvR7M0tDwnZEw7KqtXDyjfpJgJr9MjvomMNx4yVuR64I4SaBQ4 xBDllzHZYvy4LTAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1618261247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KIV2QKokI73WVHyYh9drutl9AEZxsAlg+9daI2oQJ4k=; b=PcZQnLLwMiaFNOp5Qe8lrW0oJrPiSl1LQohXZMBlqk/DTYOezYNzJlnLKtkrOMgC3uMLnc rgbRFrh5XtiajV33xTyCORKHHYWxX2t5dMmFxekcrJ1Z1384reWCjwNRQYnBVxDBpWR6RW 2FKohgVcxZvw2UsX65+7J/CLxcWobT6z9//WYnacp/Yhmn60qGvcOhmvXW723wV3DV+jPz mGJPoYzqwYrvNQgAkWuai9Z8IveHS24UGLTEDr9UgWSI4KM3KzR9s8iJz34JpXBz0DnJZH 23pbxLE94sT7STUIhoAK+oT+gLPTKpF8WTbfzraifZk3MxpbF5qMRlQf6myh1A== Subject: [PATCH 2/4] httpd: disable sending ETag header completely To: development@lists.ipfire.org References: <0b270dd5-9a61-2901-c75e-8698dd4373e8@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <8698f06c-19c9-1680-f179-4d50c00bed1a@ipfire.org> Date: Mon, 12 Apr 2021 23:00:46 +0200 MIME-Version: 1.0 In-Reply-To: <0b270dd5-9a61-2901-c75e-8698dd4373e8@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" These cause caching trouble and pose a potential security risk due to exposing inode numbers of files within the Apache site directories on an IPFire machine. Signed-off-by: Peter Müller --- config/httpd/global.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/config/httpd/global.conf b/config/httpd/global.conf index cc8000379..46878baf5 100644 --- a/config/httpd/global.conf +++ b/config/httpd/global.conf @@ -8,6 +8,7 @@ Include /etc/httpd/conf/hostname.conf HostnameLookups off AddHandler cgi-script .cgi EnableSendfile Off +FileETag None # Always unset HTTP_PROXY variable, https://httpoxy.org RequestHeader unset Proxy early From patchwork Mon Apr 12 21:01:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4151 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FK1P96Kxkz3yBW for ; Mon, 12 Apr 2021 21:01:17 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FK1P91xhSzZV; Mon, 12 Apr 2021 21:01:17 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FK1P871HPz2yk9; Mon, 12 Apr 2021 21:01:16 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FK1P74NNKz2xbr for ; Mon, 12 Apr 2021 21:01:15 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4FK1P649QBzZV for ; Mon, 12 Apr 2021 21:01:14 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1618261275; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tM0rpHAGRiLA91kgBTSbIGRDHaTZ/hZfhXI7+FHEUws=; b=KqsD7DKLmins3+b8CrwZqwVShaRhGVx2aLRIfj0sXr82gexgpsEXLysX7m7AJCHoIdOYcz 4CC6ehhuEOvuW2CQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1618261275; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tM0rpHAGRiLA91kgBTSbIGRDHaTZ/hZfhXI7+FHEUws=; b=SUMf4ucip75CtqdpqLpPBm54KwRuFf+MVg68AgUmD7tJUMQ3W5udGbiAWz8vOpkkQbK9TG agu2TbkTRoxWlw+Sw5nAiA20q6M+fZho/kV63s1KKfXOiscHTKOVsDLgYlM4ht2LMDIF9F MkisiIF1toeM2mtzCYhkSIgK8XCiiepCybp9S2QlMlMcayYwsUz4Uwvsl3W6dFzx4TgmB9 qCuCyK9Z8IE1BmPDbYGmwMmomvArucH3g/TxV8UH22Jz2vUFLUcmWXXo/CX26hDNSPWy6s gxkdomGOF2aZPTnlY/Sa0NFpFYBai//zA8ijoraBDjQ8FOxXHkRF+lYNde2rZg== Subject: [PATCH 3/4] httpd: apply the same security headers on the captive portal instance as we do elsewhere To: development@lists.ipfire.org References: <0b270dd5-9a61-2901-c75e-8698dd4373e8@ipfire.org> <8698f06c-19c9-1680-f179-4d50c00bed1a@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <5251bce1-49af-64e5-a858-5e33210d9e6b@ipfire.org> Date: Mon, 12 Apr 2021 23:01:13 +0200 MIME-Version: 1.0 In-Reply-To: <8698f06c-19c9-1680-f179-4d50c00bed1a@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" The Captive Portal should not be framed or leak sensitive detail via Referrers either. Signed-off-by: Peter Müller --- config/httpd/vhosts.d/captive.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf index 629fa8180..51af6eac4 100644 --- a/config/httpd/vhosts.d/captive.conf +++ b/config/httpd/vhosts.d/captive.conf @@ -11,6 +11,8 @@ Listen 1013 Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ Alias /assets/ /srv/web/ipfire/html/captive/assets/ From patchwork Mon Apr 12 21:01:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4152 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FK1Ph4dwrz3yBW for ; Mon, 12 Apr 2021 21:01:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FK1Ph1HTwzjv; Mon, 12 Apr 2021 21:01:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FK1Ph0nCRz2yk9; Mon, 12 Apr 2021 21:01:44 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FK1Pg0W5Fz2xbr for ; Mon, 12 Apr 2021 21:01:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4FK1Pf1D4jzjZ for ; Mon, 12 Apr 2021 21:01:41 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1618261302; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xHTtJ8IEMni3aoC8ACItiBV44Eg1pCLwbzNp2h86y8c=; b=iEPN2lUHxI2ZwzBvrgu75OZJoXRcepmSx2XzHZvVUzevXTz/v6S//n2nkrpwIXS9j2aShD 8zS3iPo09CmqWPBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1618261302; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xHTtJ8IEMni3aoC8ACItiBV44Eg1pCLwbzNp2h86y8c=; b=qzkvAssKgNjVOGxHNu+Vf3uufd2pd6Ct1ZlNEhGahEUeYRZqUcvmsBkt4TmC+1aF9ijdoe mEeqRyNB0y8KSpsXy7XzrcUcbhArsSySm3buiarsGEJzC6dPdRfnf/NXf7YXO8DfolGkrK kZPe2sBDy37qiHm9PwcieJkAlIY/IUHv/z0+ZYgY9Dph4P5ENyBXJ4SKK6RPvs8YYdLXWw THOdrL0NEN1v2lctCE/j3iN3kHnjEzQKev2oEINbqItjui7YP4VIRho9ZAnzY4n2pPrti+ T+M94XsHRtTP8gR5/vEpV+tmgsN5+dlX7CsjRtAWrwrz4kYspmc8BgVXWTuKjw== Subject: [PATCH 4/4] httpd: delete comment blocks and unused directives from our configuration To: development@lists.ipfire.org References: <0b270dd5-9a61-2901-c75e-8698dd4373e8@ipfire.org> <8698f06c-19c9-1680-f179-4d50c00bed1a@ipfire.org> <5251bce1-49af-64e5-a858-5e33210d9e6b@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <1bfb3e68-b349-133c-8f57-c0de4311db8d@ipfire.org> Date: Mon, 12 Apr 2021 23:01:41 +0200 MIME-Version: 1.0 In-Reply-To: <5251bce1-49af-64e5-a858-5e33210d9e6b@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller --- config/httpd/default-server.conf | 3 -- config/httpd/httpd.conf | 81 +++----------------------------- config/httpd/mod_log_config.conf | 33 +------------ config/httpd/ssl-global.conf | 45 ++---------------- 4 files changed, 13 insertions(+), 149 deletions(-) diff --git a/config/httpd/default-server.conf b/config/httpd/default-server.conf index db082298a..e82dfa088 100644 --- a/config/httpd/default-server.conf +++ b/config/httpd/default-server.conf @@ -2,7 +2,4 @@ # Global configuration that will be applicable for all virtual hosts, unless # deleted here, or overriden elswhere. # - DocumentRoot /srv/web/ipfire/html - -#Include /etc/httpd/conf/conf.d/*.conf diff --git a/config/httpd/httpd.conf b/config/httpd/httpd.conf index 14dcc735c..c694bffe2 100644 --- a/config/httpd/httpd.conf +++ b/config/httpd/httpd.conf @@ -1,37 +1,4 @@ -# -# /etc/httpd/conf/httpd.conf -# -# This is the main Apache2 server configuration file for IPFire. -# Plese do not change this file! - -# Overview of include files, chronologically: -# -# httpd.conf -# | -# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under -# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...) -# |-- loadmodule.conf . . . . . . . . . . . load these modules -# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on -# |-- mod_log_config.conf . . . . . . . . . define logging formats -# |-- sysconfig.d/global.conf . . . . . . . server-wide general settings -# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring) -# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info -# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking -# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings -# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration -# |-- errors.conf . . . . . . . . . . . . . customize error responses -# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts -# | -# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests -# | -# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here -# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included) -# - -### Global Environment ###################################################### -# -# The directives in this section affect the overall operation of Apache, -# such as the number of concurrent requests. +# Apache2 server configuration file for IPFire # run under this user/group id Include /etc/httpd/conf/uid.conf @@ -40,17 +7,13 @@ Include /etc/httpd/conf/uid.conf # - usage of KeepAlive Include /etc/httpd/conf/server-tuning.conf -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. +# ErrorLog: The location of the error log file ErrorLog /var/log/httpd/error_log # Load Modules here Include /etc/httpd/conf/loadmodule.conf -# IP addresses / ports to listen on +# IP addresses and ports to listen on Include /etc/httpd/conf/listen.conf # predefined logging formats @@ -59,15 +22,10 @@ Include /etc/httpd/conf/mod_log_config.conf # global settings Include /etc/httpd/conf/global.conf -# optional mod_status, mod_info -#Include /etc/httpd/conf/mod_status.conf -#Include /etc/httpd/conf/mod_info.conf - # associate MIME types with filename extensions TypesConfig /etc/mime.types -# global (server-wide) SSL configuration, that is not specific to -# any virtual host +# global (server-wide) SSL configuration, that is not specific to any virtual host Include /etc/httpd/conf/ssl-global.conf @@ -85,35 +43,10 @@ AccessFileName .htaccess # List of resources to look for when the client requests a directory DirectoryIndex index.html index.htm index.shtml index.cgi -### 'Main' server configuration ############################################# -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# +# 'Main' server configuration Include /etc/httpd/conf/default-server.conf - -### Virtual server configuration ############################################ -# -# VirtualHost: If you want to maintain multiple domains/hostnames on your -# machine you can setup VirtualHost containers for them. Most configurations -# use only name-based virtual hosts so the server doesn't need to worry about -# IP addresses. This is indicated by the asterisks in the directives below. -# -# Please see the documentation at -# -# for further details before you try to setup virtual hosts. -# -# You may use the command line option '-S' to verify your virtual host -# configuration. -# +# Virtual server configuration Include /etc/httpd/conf/vhosts.d/*.conf -# Dummy LoadModule directive to aid module installations -#LoadModule dummy_module /usr/lib/apache2/modules/mod_dummy.so +# EOF diff --git a/config/httpd/mod_log_config.conf b/config/httpd/mod_log_config.conf index 89ad09a80..94151c29d 100644 --- a/config/httpd/mod_log_config.conf +++ b/config/httpd/mod_log_config.conf @@ -1,31 +1,2 @@ -# -# The following directives define some format nicknames for use with -# a CustomLog directive. -# - -# -# Format string: Nickname: -# -LogFormat "%h %l %u %t \"%r\" %>s %b" common -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common -LogFormat "%{Referer}i -> %U" referer -LogFormat "%{User-agent}i" agent -LogFormat "%h %l %u %t \"%r\" %>s %b \ -\"%{Referer}i\" \"%{User-Agent}i\"" combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b \ -\"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined - -# To use %I and %O, you need to enable mod_logio - -LogFormat "%h %l %u %t \"%r\" %>s %b \ -\"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - -# Use one of these when you want a compact non-error SSL logfile on a virtual -# host basis: - -Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \ -\"%r\" %b" ssl_common -Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \ -\"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined - +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined diff --git a/config/httpd/ssl-global.conf b/config/httpd/ssl-global.conf index 154815cea..0c3a96a6c 100644 --- a/config/httpd/ssl-global.conf +++ b/config/httpd/ssl-global.conf @@ -1,54 +1,17 @@ -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# These are the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. - - # - # Some MIME-types for downloading Certificates and CRLs - # + # Some MIME-types for downloading Certificates and CRLs AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl - # Pass Phrase Dialog: - # Configure the pass phrase gathering process. - # The filtering dialog program (`builtin' is a internal - # terminal dialog) has to provide the pass phrase on stdout. + # Pass Phrase Dialog SSLPassPhraseDialog builtin - # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism - # to use and second the expiring timeout (in seconds). - # shm means the same as shmht. - # Note that on most platforms shared memory segments are not allowed to be on - # network-mounted drives, so in that case you need to use the dbm method. - #SSLSessionCache none - #SSLSessionCache dbm:/var/log/httpd/ssl_scache - #SSLSessionCache shmht:/var/log/httpd/ssl_scache(512000) + # Inter-Process Session Cache SSLSessionCache shmcb:/var/log/httpd/ssl_scache(512000) SSLSessionCacheTimeout 900 - # Pseudo Random Number Generator (PRNG): - # Configure one or more sources to seed the PRNG of the - # SSL library. The seed data should be of good random quality. - # WARNING! On some platforms /dev/random blocks if not enough entropy - # is available. This means you then cannot use the /dev/random device - # because it would lead to very long connection times (as long as - # it requires to make more entropy available). But usually those - # platforms additionally provide a /dev/urandom device which doesn't - # block. So, if available, use this one instead. Read the mod_ssl User - # Manual for more details. + # Pseudo Random Number Generator (PRNG) SSLRandomSeed startup builtin SSLRandomSeed connect builtin