Accepting request 663183 from home:dirkmueller:branches:Apache

- use secure http sites by default in configs
- Switch to DEFAULT_SUSE Cipher suite

READ https://httpd.apache.org/docs/2.4/upgrading.html
  at https://httpd.apache.org/docs/2.4/new_features_2_4.html

OBS-URL: https://build.opensuse.org/request/show/663183
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=573
Petr Gajdos 2019-01-07 08:22:38 +00:00 committed by Git OBS Bridge
parent e86bea8079
commit bf4d7cec8d
11 changed files with 38 additions and 30 deletions

View File

@ -17,7 +17,7 @@ DocumentRoot "/srv/www/htdocs"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# https://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
# NOTE: For directories where RewriteRule is used, FollowSymLinks
# or SymLinksIfOwnerMatch needs to be set in Options directive.

View File

@ -3,7 +3,7 @@
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information about
# See <URL:https://httpd.apache.org/docs/2.4/> for detailed information about
# the directives.
# Based upon the default apache configuration file that ships with apache,
@ -15,7 +15,7 @@
# configuration of your virtual hosts.
# Quickstart guide:
# http://en.opensuse.org/SDB:Apache_installation
# https://en.opensuse.org/SDB:Apache_installation
# Overview of include files, chronologically:
@ -218,7 +218,7 @@ Include /etc/apache2/default-server.conf
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# <URL:https://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host

View File

@ -1,7 +1,7 @@
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)

View File

@ -1,7 +1,7 @@
#
# Directives controlling the display of server-generated directory listings.
#
# see http://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
# see https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
#
<IfModule mod_autoindex.c>

View File

@ -2,7 +2,7 @@
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
#
# see http://httpd.apache.org/docs/2.4/mod/mod_info.html
# see https://httpd.apache.org/docs/2.4/mod/mod_info.html
#
<IfModule mod_info.c>
<Location /server-info>

View File

@ -2,7 +2,7 @@
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# http://httpd.apache.org/docs/2.4/mod/mod_log_config.html
# https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
#
#

View File

@ -2,7 +2,7 @@
# mod_mime configuration:
# associate various bits of "meta information" with files by their filename extensions
#
# see http://httpd.apache.org/docs/2.4/mod/mod_mime.html
# see https://httpd.apache.org/docs/2.4/mod/mod_mime.html
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
@ -152,7 +152,7 @@ AddHandler type-map var
# Guess the MIME type of a file by looking at a few bytes of its contents
# http://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html
# https://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html
<IfModule mod_mime_magic.c>
MIMEMagicFile /etc/apache2/magic
</IfModule>

View File

@ -2,7 +2,7 @@
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
#
# see http://httpd.apache.org/docs/2.4/mod/mod_status.html
# see https://httpd.apache.org/docs/2.4/mod/mod_status.html
#
<IfModule mod_status.c>
<Location /server-status>

View File

@ -10,47 +10,47 @@
# prefork MPM
<IfModule prefork.c>
# number of server processes to start
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 5
# minimum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers
# https://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers
MinSpareServers 5
# maximum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers
# https://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers
MaxSpareServers 10
# highest possible MaxRequestWorkers setting for the lifetime of the Apache process.
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit
ServerLimit 150
# maximum number of server processes allowed to start (formerly MaxClients)
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers
MaxRequestWorkers 150
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
# worker MPM
<IfModule worker.c>
# initial number of server processes to start
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 3
# minimum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads
MinSpareThreads 25
# maximum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads
MaxSpareThreads 75
# upper limit on the configurable number of threads per child process
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit
ThreadLimit 64
# maximum number of simultaneous client connections (formerly MaxClients)
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers
MaxRequestWorkers 150
# number of worker threads created by each child process
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild
ThreadsPerChild 25
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
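Review bot: The two `MaxRequestsPerChild 10000` comments still link to the `#maxrequestsperchild` fragment, but in 2.4 the directive is named MaxConnectionsPerChild (MaxRequestsPerChild is the old name, still accepted). Since every URL in this block is being touched anyway, please check that fragment against the 2.4 mpm_common page and point it at the current directive name, ideally with a "(formerly MaxRequestsPerChild)" remark like the one already used for MaxRequestWorkers.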
@ -86,7 +86,7 @@ KeepAliveTimeout 15
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs/2.4/mod/core.html#enablemmap
# https://httpd.apache.org/docs/2.4/mod/core.html#enablemmap
#
#EnableMMAP off
@ -95,7 +95,7 @@ KeepAliveTimeout 15
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#enablesendfile
# https://httpd.apache.org/docs/2.4/mod/core.html#enablesendfile
#
EnableSendfile on

View File

@ -7,7 +7,7 @@
# These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
# directives see <URL:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
@ -93,7 +93,9 @@
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# The magic string "DEFAULT_SUSE" expands to an openssl defined
# secure list of default ciphers.
SSLCipherSuite DEFAULT_SUSE
# SSLHonorCipherOrder
# If SSLHonorCipherOrder is disabled, then the client's preferences
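Review bot: The new comment above `SSLCipherSuite DEFAULT_SUSE` does not tell an admin how to see what the keyword expands to, and the explicit list it replaces, with its visible `!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5` exclusions, was the only in-file record of the effective policy. Suggest extending the comment to say that the set is defined by the openssl package and can therefore change when openssl is updated, and to point at `openssl ciphers -v DEFAULT_SUSE` for inspecting it. Since the comment itself calls this a magic string, please also confirm that the package cannot end up running against an openssl that does not recognise it, because such an openssl cannot produce a cipher list from this line.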

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sun Jan 6 15:14:43 UTC 2019 - Dirk Mueller <dmueller@suse.com>
- use secure http sites by default in configs
- Switch to DEFAULT_SUSE Cipher suite
-------------------------------------------------------------------
Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte <suse+build@de-korte.org>
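Review bot: The first bullet of the new entry, "use secure http sites by default in configs", is hard to parse; what the config hunks show is documentation URLs in comments moving from http to https, so wording such as "use https for documentation URLs in config comments" would be clearer. The second bullet should also state that DEFAULT_SUSE replaces the previous explicit SSLCipherSuite list, since that is the only behavioural change visible in this diff.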
@ -1760,12 +1766,12 @@ Wed Aug 1 01:14:35 UTC 2012 - crrodriguez@opensuse.org
- Upgrade to apache 2.4.2
** ATTENTION, before installing this update YOU MUST
READ http://httpd.apache.org/docs/2.4/upgrading.html
READ https://httpd.apache.org/docs/2.4/upgrading.html
CAREFULLY otherwise your server will most likely
fail to start due to backward incompatible changes.
* You can read the huge complete list of changes
at http://httpd.apache.org/docs/2.4/new_features_2_4.html
at https://httpd.apache.org/docs/2.4/new_features_2_4.html
-------------------------------------------------------------------
Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de
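Review bot: The replaced `READ` and `at` lines sit inside the 2012 "Upgrade to apache 2.4.2" entry by crrodriguez@opensuse.org, so this hunk rewrites a historical changelog entry rather than a shipped config file. I would drop it and leave old entries as they were written. The same two lines also appear in the request description, where they say nothing about this change.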