From be6bc7b26c9ad0574ed6cfb17470224d2a5e8820 Mon Sep 17 00:00:00 2001
From: Kiyoshi Aman
Date: Sun, 4 Feb 2018 21:15:27 +0000
Subject: user/apache-httpd: new package
---
user/apache-httpd/conf/alias.conf | 13 +++++
user/apache-httpd/conf/host.conf | 38 +++++++++++++
user/apache-httpd/conf/http2.conf | 3 +
user/apache-httpd/conf/httpd.conf | 110 ++++++++++++++++++++++++++++++++++++
user/apache-httpd/conf/proxy.conf | 6 ++
user/apache-httpd/conf/rewrite.conf | 8 +++
user/apache-httpd/conf/ssl.conf | 24 ++++++++
user/apache-httpd/conf/userdir.conf | 7 +++
8 files changed, 209 insertions(+)
create mode 100644 user/apache-httpd/conf/alias.conf
create mode 100644 user/apache-httpd/conf/host.conf
create mode 100644 user/apache-httpd/conf/http2.conf
create mode 100644 user/apache-httpd/conf/httpd.conf
create mode 100644 user/apache-httpd/conf/proxy.conf
create mode 100644 user/apache-httpd/conf/rewrite.conf
create mode 100644 user/apache-httpd/conf/ssl.conf
create mode 100644 user/apache-httpd/conf/userdir.conf
(limited to 'user/apache-httpd/conf')
diff --git a/user/apache-httpd/conf/alias.conf b/user/apache-httpd/conf/alias.conf
new file mode 100644
index 000000000..d7df50c58
--- /dev/null
+++ b/user/apache-httpd/conf/alias.conf
@@ -0,0 +1,13 @@
+
+# This configuration allows for acmetool to run in webroot mode, aliasing
+# the ACME challenge to the acmetool runtime challenge directory.
+#
+#Alias "/.well-known/acme-challenge/" "/var/run/acme/acme-challenge/"
+#
+# AllowOverride None
+# Options None
+#
+# # If using Apache 2.4+
+# Require all granted
+#
+
\ No newline at end of file
diff --git a/user/apache-httpd/conf/host.conf b/user/apache-httpd/conf/host.conf
new file mode 100644
index 000000000..1c5902a70
--- /dev/null
+++ b/user/apache-httpd/conf/host.conf
@@ -0,0 +1,38 @@
+# This is a sample configuration. Please read the documentation provided
+# by the Apache HTTP server for information on how to modify this file.
+#
+# Note that these settings are normally defined in a block.
+# This is omitted here in order to allow users to confirm that Apache works
+# before they start poking around with site-specific configuration.
+
+# This is the directory in which Apache looks for files to serve. Generally,
+# documents should be located in /srv, using either of the following example
+# hierarchies:
+#
+# /srv/
+# `-> www/ -- the protocol; 'www' is used here for both HTTP and HTTPS.
+# `-> localhost/ -- the domain name
+#
+# For systems serving many disparate groups, you may try the following:
+# /srv/
+# `-> groupname/ -- for instance, 'physics' or 'chemistry' or 'history'
+# `-> www/
+# `-> localhost/
+#
+# We use /var/www here because /srv is intended for sysadmin (that is, you,
+# the person reading this document) use.
+DocumentRoot /var/www/localhost
+
+
+# Some configuration options that don't really go anywhere else.
+# Here, we want empty directories to have an index generated for them
+# ('Indexes') and for symlinks to be followed only if the owner of the
+# directory matches the owner of the target.
+Options Indexes SymLinksifOwnerMatch
+
+# Don't allow .htaccess files to override these settings.
+AllowOverride None
+
+# Grants access if an authentication system is loaded (not the default).
+Require all granted
+
diff --git a/user/apache-httpd/conf/http2.conf b/user/apache-httpd/conf/http2.conf
new file mode 100644
index 000000000..fb4ef9f08
--- /dev/null
+++ b/user/apache-httpd/conf/http2.conf
@@ -0,0 +1,3 @@
+
+Protocols h2 http/1.1
+
\ No newline at end of file
diff --git a/user/apache-httpd/conf/httpd.conf b/user/apache-httpd/conf/httpd.conf
new file mode 100644
index 000000000..7fe8adfdf
--- /dev/null
+++ b/user/apache-httpd/conf/httpd.conf
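Review bot: In host.conf the comment above `Require all granted` says access is granted "if an authentication system is loaded", but in Apache 2.4 this directive admits every client unconditionally; the comment should read something like `# Allow all clients to read the document root; no authentication is applied.` The `Options Indexes` comment has a similar mismatch: mod_autoindex generates a listing for any directory that lacks a DirectoryIndex file, not only for empty ones, so file names under the document root are exposed by default. Consider shipping `Options SymLinksIfOwnerMatch` and leaving `Indexes` as a commented opt-in. The opening tag of the enclosing container is not visible in this view, so the path these settings apply to is assumed to be the DocumentRoot.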
@@ -0,0 +1,110 @@
+# This is a sample apache-httpd configuration file.
+#
+# Sensible defaults have been chosen for everyday use. It is suggested
+# that you read the documentation before modifying this file.
+
+# This controls what information is sent in the 'Server' HTTP header.
+# This is the most secure option. For internal use, you might go into
+# more detail. In order from most informative to least, the possible
+# values are: Full, OS, Minor, Minimal, Major, Prod.
+ServerTokens Prod
+# What IP/port to listen on. By default, listens to port 80 on all IPs.
+Listen 80
+
+# The rest of these modules are required for basic operations.
+LoadModule log_config_module /usr/libexec/apache2/mod_log_config.so
+LoadModule mime_module /usr/libexec/apache2/mod_mime.so
+LoadModule mime_magic_module /usr/libexec/apache2/mod_mime_magic.so
+LoadModule autoindex_module /usr/libexec/apache2/mod_autoindex.so
+LoadModule authz_core_module /usr/libexec/apache2/mod_authz_core.so
+LoadModule dir_module /usr/libexec/apache2/mod_dir.so
+LoadModule unixd_module /usr/libexec/apache2/mod_unixd.so
+LoadModule deflate_module /usr/libexec/apache2/mod_deflate.so
+
+# This module is optional, but it's necessary for things like automatically
+# upgrading connections to HTTPS if clients try to connect on port 80.
+LoadModule rewrite_module /usr/libexec/apache2/mod_rewrite.so
+
+# This module is optional, but you need this if you want to proxy connections,
+# particularly via HTTP (e.g. for the acmetool proxy example in
+# conf.d/proxy.conf).
+#LoadModule proxy_module /usr/libexec/apache2/mod_proxy.so
+#LoadModule proxy_http_module /usr/libexec/apache2/mod_proxy_http.so
+
+# This module enables per-user directories.
+#LoadModule userdir_module /usr/libexec/apache2/mod_userdir.so
+
+# This module is optional; you must have it enabled if you want HTTP/2.
+#LoadModule ssl_module /usr/libexec/apache2/mod_ssl.so
+
+# This module is optional; it enables HTTP/2 support.
+#LoadModule http2_module /usr/libexec/apache2/mod_http2.so
+
+# Unix daemon configuration.
+
+User apache
+Group apache
+
+
+# Per-server configuration; these will be the defaults unless modified
+# within blocks.
+
+# Server contact address. Not visible by default.
+ServerAdmin you@example.com
+
+# Whether to include server information in server-generated pages.
+# This is the secure default.
+ServerSignature Off
+
+# This directive denies access to the entire server filesystem by default.
+# You must explicitly permit access in other blocks, such as
+# in blocks. This is the secure default.
+
+AllowOverride none
+Require all denied
+
+
+# Default to index.html or index.htm for directory indexes.
+
+DirectoryIndex index.html index.htm
+
+
+# This prevents clients from accessing .htpasswd and .htaccess files.
+# This is a secure default.
+
+Require all denied
+
+
+# This is where errors will be logged. This directive is subsumed by
+# blocks which also use the directive.
+ErrorLog /var/log/apache2/error.log
+
+# How verbose the error log is. Possible values, from most to least verbose:
+# debug, info, notice, warn, error, crit, alert, emerg
+LogLevel Warn
+
+# A sensible default logging format. Like ErrorLog, this directive is
+# subsumed by blocks which also use it.
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+CustomLog /var/log/apache2/access.log combined
+
+
+# Mapping of file extension to MIME types. This uses the mapping provided
+# by Apache.
+
+TypesConfig /etc/apache2/mime.types
+
+
+# On the other hand, this module allows Apache to inspect the file in order
+# to provide a possibly more accurate MIME type.
+
+MIMEMagicFile /etc/apache2/magic
+
+
+# Include other configurations which may be available. Configuration for
+# optional modules will be found here.
+IncludeOptional /etc/apache2/conf.d/*.conf
+
+# Site-specific configurations.
+IncludeOptional /etc/apache2/sites.d/*.conf
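Review bot: The ServerTokens comment near the top of httpd.conf lists the values out of order: `Minimal` sends the full version number while `Minor` sends only major.minor, so from most to least informative the order is Full, OS, Minimal, Minor, Major, Prod. An administrator following the current text could choose `Minimal` believing it discloses less than `Minor`. Suggested wording: `# values are: Full, OS, Minimal, Minor, Major, Prod.` Separately, the comment on the commented-out ssl_module line mentions only HTTP/2; `# This module is optional; it provides TLS (HTTPS), which browsers also require for HTTP/2.` would tell readers what the module is actually for.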
diff --git a/user/apache-httpd/conf/proxy.conf b/user/apache-httpd/conf/proxy.conf
new file mode 100644
index 000000000..153236b17
--- /dev/null
+++ b/user/apache-httpd/conf/proxy.conf
@@ -0,0 +1,6 @@
+
+# This rule allows for acmetool to handle Let's Encrypt certification
+# using the proxy method, and is provided here as an example.
+# You will need both mod_proxy and mod_proxy_http loaded for this.
+#ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:402/.well-known/acme-challenge"
+
diff --git a/user/apache-httpd/conf/rewrite.conf b/user/apache-httpd/conf/rewrite.conf
new file mode 100644
index 000000000..07513e990
--- /dev/null
+++ b/user/apache-httpd/conf/rewrite.conf
@@ -0,0 +1,8 @@
+
+RewriteEngine On
+# These rules automatically redirect bare HTTP to HTTPS.
+#
+#RewriteCond %{HTTPS} off
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
+#
+
diff --git a/user/apache-httpd/conf/ssl.conf b/user/apache-httpd/conf/ssl.conf
new file mode 100644
index 000000000..bb3dd02c5
--- /dev/null
+++ b/user/apache-httpd/conf/ssl.conf
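Review bot: The commented redirect example in rewrite.conf builds its target from `%{HTTP_HOST}`, which comes from the client's Host header, so once uncommented the Location header reflects whatever host name the client supplied. It also carries no flags, so the redirect is presumably a temporary one and later rules still run. Prefer a fixed canonical name with explicit flags, e.g. `#RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]` (host name is a placeholder), or a plain `Redirect permanent / https://www.example.com/` in the port-80 virtual host. `RewriteEngine On` is also active at server level while the rules are commented out; since mod_rewrite configuration is not inherited by virtual hosts by default, a comment saying the rules belong inside the port-80 virtual host would avoid a redirect that silently never fires.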
@@ -0,0 +1,24 @@
+
+# The following should appear in each block that plans to
+# use SSL/TLS.
+#
+# SSLEngine on
+# SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
+# SSLCertificateKeyFile /path/to/private/key
+#
+# # Uncomment the following directive when using client certificate authentication
+# #SSLCACertificateFile /path/to/ca_certs_for_client_authentication
+#
+# # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+#
+# Header always set Strict-Transport-Security "max-age=15768000"
+#
+#
+
+Listen 443
+# At the moment, these options the current best practices for modern users.
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLSessionTickets off
+
diff --git a/user/apache-httpd/conf/userdir.conf b/user/apache-httpd/conf/userdir.conf
new file mode 100644
index 000000000..bc05ff9c0
--- /dev/null
+++ b/user/apache-httpd/conf/userdir.conf
@@ -0,0 +1,7 @@
+
+# This directive disables UserDir. To enable it, supply a directory. You
+# might append 'enabled' and a list of users to white-list them, or
+# 'disabled' and a list of users to blacklist them. This directive can
+# appear multiple times.
+UserDir disabled
+
\ No newline at end of file
--
cgit v1.2.3-60-g2f50
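Review bot: The `SSLCipherSuite` list in ssl.conf ends with four CBC-mode suites (`ECDHE-ECDSA-AES256-SHA384` through `ECDHE-RSA-AES128-SHA256`), the weakest entries in a list its comment calls current best practice. With TLS 1.0 and 1.1 already disabled, ending the list at `ECDHE-RSA-AES128-GCM-SHA256` would keep only AEAD suites, at the cost of some older TLS 1.2 clients; if they are kept for compatibility, a comment should say so. The comment above `SSLProtocol` is missing a verb and carries no date, so it will go stale unnoticed; suggest `# These options follow best practice for modern clients as of this package's release; review them periodically.` The sample `SSLCertificateKeyFile` line would also benefit from a note that the key file should be readable only by root.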