user/apache-httpd: new package

8 files changed, 209 insertions, 0 deletions

diff --git a/user/apache-httpd/conf/alias.conf b/user/apache-httpd/conf/alias.conf
new file mode 100644
index 000000000..d7df50c58
--- /dev/null
+++ b/user/apache-httpd/conf/alias.conf
@@ -0,0 +1,13 @@
+<IfModule alias_module>
+# This configuration allows for acmetool to run in webroot mode, aliasing
+# the ACME challenge to the acmetool runtime challenge directory.
+#
+#Alias "/.well-known/acme-challenge/" "/var/run/acme/acme-challenge/"
+#<Directory "/var/run/acme/acme-challenge">
+#    AllowOverride None
+#    Options None
+#  
+#    # If using Apache 2.4+
+#    Require all granted
+#</Directory>
+</IfModule>
\ No newline at end of file
diff --git a/user/apache-httpd/conf/host.conf b/user/apache-httpd/conf/host.conf
new file mode 100644
index 000000000..1c5902a70
--- /dev/null
+++ b/user/apache-httpd/conf/host.conf
@@ -0,0 +1,38 @@
+# This is a sample configuration. Please read the documentation provided
+# by the Apache HTTP server for information on how to modify this file.
+#
+# Note that these settings are normally defined in a <VirtualHost> block.
+# This is omitted here in order to allow users to confirm that Apache works
+# before they start poking around with site-specific configuration.
+
+# This is the directory in which Apache looks for files to serve. Generally,
+# documents should be located in /srv, using either of the following example
+# hierarchies:
+#
+# /srv/
+# `-> www/ -- the protocol; 'www' is used here for both HTTP and HTTPS.
+#     `-> localhost/ -- the domain name
+#
+# For systems serving many disparate groups, you may try the following:
+# /srv/
+# `-> groupname/ -- for instance, 'physics' or 'chemistry' or 'history'
+#     `-> www/
+#       `-> localhost/
+#
+# We use /var/www here because /srv is intended for sysadmin (that is, you,
+# the person reading this document) use.
+DocumentRoot /var/www/localhost
+
+<Directory /var/www/localhost>
+# Some configuration options that don't really go anywhere else.
+# Here, we want empty directories to have an index generated for them
+# ('Indexes') and for symlinks to be followed only if the owner of the
+# directory matches the owner of the target.
+Options Indexes SymLinksifOwnerMatch
+
+# Don't allow .htaccess files to override these settings.
+AllowOverride None
+
+# Grants access if an authentication system is loaded (not the default).
+Require all granted
+</Directory>
diff --git a/user/apache-httpd/conf/http2.conf b/user/apache-httpd/conf/http2.conf
new file mode 100644
index 000000000..fb4ef9f08
--- /dev/null
+++ b/user/apache-httpd/conf/http2.conf
@@ -0,0 +1,3 @@
+<IfModule http2_module>
+Protocols h2 http/1.1
+</IfModule>
\ No newline at end of file
diff --git a/user/apache-httpd/conf/httpd.conf b/user/apache-httpd/conf/httpd.conf
new file mode 100644
index 000000000..7fe8adfdf
--- /dev/null
+++ b/user/apache-httpd/conf/httpd.conf
@@ -0,0 +1,110 @@
+# This is a sample apache-httpd configuration file.
+#
+# Sensible defaults have been chosen for everyday use. It is suggested
+# that you read the documentation before modifying this file.
+
+# This controls what information is sent in the 'Server' HTTP header.
+# This is the most secure option. For internal use, you might go into
+# more detail. In order from most informative to least, the possible
+# values are: Full, OS, Minor, Minimal, Major, Prod.
+ServerTokens Prod
+# What IP/port to listen on. By default, listens to port 80 on all IPs.
+Listen 80
+
+# The rest of these modules are required for basic operations.
+LoadModule log_config_module /usr/libexec/apache2/mod_log_config.so
+LoadModule mime_module /usr/libexec/apache2/mod_mime.so
+LoadModule mime_magic_module /usr/libexec/apache2/mod_mime_magic.so
+LoadModule autoindex_module /usr/libexec/apache2/mod_autoindex.so
+LoadModule authz_core_module /usr/libexec/apache2/mod_authz_core.so
+LoadModule dir_module /usr/libexec/apache2/mod_dir.so
+LoadModule unixd_module /usr/libexec/apache2/mod_unixd.so
+LoadModule deflate_module /usr/libexec/apache2/mod_deflate.so
+
+# This module is optional, but it's necessary for things like automatically
+# upgrading connections to HTTPS if clients try to connect on port 80.
+LoadModule rewrite_module /usr/libexec/apache2/mod_rewrite.so
+
+# This module is optional, but you need this if you want to proxy connections,
+# particularly via HTTP (e.g. for the acmetool proxy example in
+# conf.d/proxy.conf).
+#LoadModule proxy_module /usr/libexec/apache2/mod_proxy.so
+#LoadModule proxy_http_module /usr/libexec/apache2/mod_proxy_http.so
+
+# This module enables per-user directories.
+#LoadModule userdir_module /usr/libexec/apache2/mod_userdir.so
+
+# This module is optional; you must have it enabled if you want HTTP/2.
+#LoadModule ssl_module /usr/libexec/apache2/mod_ssl.so
+
+# This module is optional; it enables HTTP/2 support.
+#LoadModule http2_module /usr/libexec/apache2/mod_http2.so
+
+# Unix daemon configuration.
+<IfModule unixd_module>
+User apache
+Group apache
+</IfModule>
+
+# Per-server configuration; these will be the defaults unless modified
+# within <VirtualHost> blocks.
+
+# Server contact address. Not visible by default.
+ServerAdmin you@example.com
+
+# Whether to include server information in server-generated pages.
+# This is the secure default.
+ServerSignature Off
+
+# This directive denies access to the entire server filesystem by default.
+# You must explicitly permit access in other <Directory> blocks, such as
+# in <VirtualHost> blocks. This is the secure default.
+<Directory />
+AllowOverride none
+Require all denied
+</Directory>
+
+# Default to index.html or index.htm for directory indexes.
+<IfModule dir_module>
+DirectoryIndex index.html index.htm
+</IfModule>
+
+# This prevents clients from accessing .htpasswd and .htaccess files.
+# This is a secure default.
+<Files ".ht*">
+Require all denied
+</Files>
+
+# This is where errors will be logged. This directive is subsumed by
+# <VirtualHost> blocks which also use the directive.
+ErrorLog /var/log/apache2/error.log
+
+# How verbose the error log is. Possible values, from most to least verbose:
+# debug, info, notice, warn, error, crit, alert, emerg
+LogLevel Warn
+
+# A sensible default logging format. Like ErrorLog, this directive is
+# subsumed by <VirtualHost> blocks which also use it.
+<IfModule log_config_module>
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+CustomLog /var/log/apache2/access.log combined
+</IfModule>
+
+# Mapping of file extension to MIME types. This uses the mapping provided
+# by Apache.
+<IfModule mime_module>
+TypesConfig /etc/apache2/mime.types
+</IfModule>
+
+# On the other hand, this module allows Apache to inspect the file in order
+# to provide a possibly more accurate MIME type.
+<IfModule mime_magic_module>
+MIMEMagicFile /etc/apache2/magic
+</IfModule>
+
+# Include other configurations which may be available. Configuration for
+# optional modules will be found here.
+IncludeOptional /etc/apache2/conf.d/*.conf
+
+# Site-specific configurations.
+IncludeOptional /etc/apache2/sites.d/*.conf
diff --git a/user/apache-httpd/conf/proxy.conf b/user/apache-httpd/conf/proxy.conf
new file mode 100644
index 000000000..153236b17
--- /dev/null
+++ b/user/apache-httpd/conf/proxy.conf
@@ -0,0 +1,6 @@
+<IfModule proxy_module>
+# This rule allows for acmetool to handle Let's Encrypt certification
+# using the proxy method, and is provided here as an example.
+# You will need both mod_proxy and mod_proxy_http loaded for this.
+#ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:402/.well-known/acme-challenge"
+</IfModule>
diff --git a/user/apache-httpd/conf/rewrite.conf b/user/apache-httpd/conf/rewrite.conf
new file mode 100644
index 000000000..07513e990
--- /dev/null
+++ b/user/apache-httpd/conf/rewrite.conf
@@ -0,0 +1,8 @@
+<IfModule rewrite_module>
+RewriteEngine On
+# These rules automatically redirect bare HTTP to HTTPS.
+#<IfModule ssl_module>
+#RewriteCond %{HTTPS} off
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
+#</IfModule>
+</IfModule>
diff --git a/user/apache-httpd/conf/ssl.conf b/user/apache-httpd/conf/ssl.conf
new file mode 100644
index 000000000..bb3dd02c5
--- /dev/null
+++ b/user/apache-httpd/conf/ssl.conf
@@ -0,0 +1,24 @@
+<IfModule ssl_module>
+# The following should appear in each <VirtualHost> block that plans to
+# use SSL/TLS.
+#
+#    SSLEngine on
+#    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
+#    SSLCertificateKeyFile   /path/to/private/key
+#
+#    # Uncomment the following directive when using client certificate authentication
+#    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication
+#
+#    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+#    <IfModule headers_module>
+#    Header always set Strict-Transport-Security "max-age=15768000"
+#    </IfModule>
+#
+
+Listen 443
+# At the moment, these options the current best practices for modern users.
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder     on
+SSLSessionTickets       off
+</IfModule>
diff --git a/user/apache-httpd/conf/userdir.conf b/user/apache-httpd/conf/userdir.conf
new file mode 100644
index 000000000..bc05ff9c0
--- /dev/null
+++ b/user/apache-httpd/conf/userdir.conf
@@ -0,0 +1,7 @@
+<IfModule userdir_module>
+# This directive disables UserDir. To enable it, supply a directory. You
+# might append 'enabled' and a list of users to white-list them, or
+# 'disabled' and a list of users to blacklist them. This directive can
+# appear multiple times.
+UserDir disabled
+</IfModule>
\ No newline at end of file