From bf4d7cec8dd1428764d9070e1075ad53a49447c51523bd505b31fc1b27e3712a Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 7 Jan 2019 08:22:38 +0000 Subject: [PATCH] Accepting request 663183 from home:dirkmueller:branches:Apache - use secure http sites by default in configs - Switch to DEFAULT_SUSE Cipher suite READ https://httpd.apache.org/docs/2.4/upgrading.html at https://httpd.apache.org/docs/2.4/new_features_2_4.html OBS-URL: https://build.opensuse.org/request/show/663183 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=573 --- apache2-default-server.conf | 2 +- apache2-httpd.conf | 6 +++--- apache2-listen.conf | 2 +- apache2-mod_autoindex-defaults.conf | 2 +- apache2-mod_info.conf | 2 +- apache2-mod_log_config.conf | 2 +- apache2-mod_mime-defaults.conf | 4 ++-- apache2-mod_status.conf | 2 +- apache2-server-tuning.conf | 30 ++++++++++++++--------------- apache2-ssl-global.conf | 6 ++++-- apache2.changes | 10 ++++++++-- 11 files changed, 38 insertions(+), 30 deletions(-) diff --git a/apache2-default-server.conf b/apache2-default-server.conf index 13ffee7..0995d7d 100644 --- a/apache2-default-server.conf +++ b/apache2-default-server.conf @@ -17,7 +17,7 @@ DocumentRoot "/srv/www/htdocs" # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options + # https://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # NOTE: For directories where RewriteRule is used, FollowSymLinks # or SymLinksIfOwnerMatch needs to be set in Options directive. diff --git a/apache2-httpd.conf b/apache2-httpd.conf index 9e88d0f..ebb2415 100644 --- a/apache2-httpd.conf +++ b/apache2-httpd.conf 
@@ -3,7 +3,7 @@ # # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. -# See for detailed information about +# See for detailed information about # the directives. # Based upon the default apache configuration file that ships with apache, @@ -15,7 +15,7 @@ # configuration of your virtual hosts. # Quickstart guide: -# http://en.opensuse.org/SDB:Apache_installation +# https://en.opensuse.org/SDB:Apache_installation # Overview of include files, chronologically: @@ -218,7 +218,7 @@ Include /etc/apache2/default-server.conf # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host diff --git a/apache2-listen.conf b/apache2-listen.conf index e23967d..6a8e6ee 100644 --- a/apache2-listen.conf +++ b/apache2-listen.conf @@ -1,7 +1,7 @@ # Listen: Allows you to bind Apache to specific IP addresses and/or # ports. See also the directive. # -# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen +# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) diff --git a/apache2-mod_autoindex-defaults.conf b/apache2-mod_autoindex-defaults.conf index 5780685..dd5360a 100644 --- a/apache2-mod_autoindex-defaults.conf +++ b/apache2-mod_autoindex-defaults.conf @@ -1,7 +1,7 @@ # # Directives controlling the display of server-generated directory listings. # -# see http://httpd.apache.org/docs/2.4/mod/mod_autoindex.html +# see https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html # diff --git a/apache2-mod_info.conf b/apache2-mod_info.conf index c0f53c8..330b3a3 100644 --- a/apache2-mod_info.conf +++ b/apache2-mod_info.conf 
@@ -2,7 +2,7 @@ # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # -# see http://httpd.apache.org/docs/2.4/mod/mod_info.html +# see https://httpd.apache.org/docs/2.4/mod/mod_info.html # diff --git a/apache2-mod_log_config.conf b/apache2-mod_log_config.conf index e82e1d4..4aa40e4 100644 --- a/apache2-mod_log_config.conf +++ b/apache2-mod_log_config.conf @@ -2,7 +2,7 @@ # The following directives define some format nicknames for use with # a CustomLog directive. # -# http://httpd.apache.org/docs/2.4/mod/mod_log_config.html +# https://httpd.apache.org/docs/2.4/mod/mod_log_config.html # # diff --git a/apache2-mod_mime-defaults.conf b/apache2-mod_mime-defaults.conf index d6ab868..704c577 100644 --- a/apache2-mod_mime-defaults.conf +++ b/apache2-mod_mime-defaults.conf @@ -2,7 +2,7 @@ # mod_mime configuration: # associate various bits of "meta information" with files by their filename extensions # -# see http://httpd.apache.org/docs/2.4/mod/mod_mime.html +# see https://httpd.apache.org/docs/2.4/mod/mod_mime.html # # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) @@ -152,7 +152,7 @@ AddHandler type-map var # Guess the MIME type of a file by looking at a few bytes of its contents -# http://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html +# https://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html MIMEMagicFile /etc/apache2/magic diff --git a/apache2-mod_status.conf b/apache2-mod_status.conf index 8a60fe9..7d11e64 100644 --- a/apache2-mod_status.conf +++ b/apache2-mod_status.conf @@ -2,7 +2,7 @@ # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # -# see http://httpd.apache.org/docs/2.4/mod/mod_status.html +# see https://httpd.apache.org/docs/2.4/mod/mod_status.html # diff --git a/apache2-server-tuning.conf b/apache2-server-tuning.conf index 2eda2d3..a65e0c6 100644 --- a/apache2-server-tuning.conf 
+++ b/apache2-server-tuning.conf 
@@ -10,47 +10,47 @@ # prefork MPM # number of server processes to start - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 5 # minimum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers + # https://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers MinSpareServers 5 # maximum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers + # https://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers MaxSpareServers 10 # highest possible MaxRequestWorkers setting for the lifetime of the Apache process. - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit ServerLimit 150 # maximum number of server processes allowed to start (formerly MaxClients) - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers MaxRequestWorkers 150 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 # worker MPM # initial number of server processes to start - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 3 # minimum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads MinSpareThreads 25 # maximum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads + # 
https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads MaxSpareThreads 75 # upper limit on the configurable number of threads per child process - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit ThreadLimit 64 # maximum number of simultaneous client connections (formerly MaxClients) - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers MaxRequestWorkers 150 # number of worker threads created by each child process - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild ThreadsPerChild 25 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild + # https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 @@ -86,7 +86,7 @@ KeepAliveTimeout 15 # The default is on; turn this off if you serve from NFS-mounted # filesystems. On some systems, turning it off (regardless of # filesystem) can improve performance; for details, please see -# http://httpd.apache.org/docs/2.4/mod/core.html#enablemmap +# https://httpd.apache.org/docs/2.4/mod/core.html#enablemmap # #EnableMMAP off @@ -95,7 +95,7 @@ KeepAliveTimeout 15 # used to deliver files (assuming that the OS supports it). # The default is on; turn this off if you serve from NFS-mounted # filesystems. Please see -# http://httpd.apache.org/docs/2.4/mod/core.html#enablesendfile +# https://httpd.apache.org/docs/2.4/mod/core.html#enablesendfile # EnableSendfile on diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf index cf1e27f..2765439 100644 --- a/apache2-ssl-global.conf +++ b/apache2-ssl-global.conf 
@@ -7,7 +7,7 @@ # These are the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see +# directives see # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure @@ -93,7 +93,9 @@ # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + # The magic string "DEFAULT_SUSE" expands to an openssl defined + # secure list of default ciphers. + SSLCipherSuite DEFAULT_SUSE # SSLHonorCipherOrder # If SSLHonorCipherOrder is disabled, then the client's preferences diff --git a/apache2.changes b/apache2.changes index 1e4542d..e693d57 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Sun Jan 6 15:14:43 UTC 2019 - Dirk Mueller + +- use secure http sites by default in configs +- Switch to DEFAULT_SUSE Cipher suite + ------------------------------------------------------------------- Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte 
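Review bot: The new `SSLCipherSuite DEFAULT_SUSE` line in the `@@ -93,7 +93,9 @@` hunk of apache2-ssl-global.conf moves the whole cipher policy into the OpenSSL library, including the exclusions the old string spelled out (`!aNULL`, `!eNULL`, `!EXPORT`, `!RC4`, `!MD5`, ...). The config no longer shows what is negotiated, and the effective set can change with an openssl package update. The added comment should say how to audit the expansion, e.g. `# Run "openssl ciphers -v DEFAULT_SUSE" to list the ciphers this keyword expands to.` DEFAULT_SUSE appears to come from the distribution's OpenSSL rather than upstream, so the comment should also note that mod_ssl will presumably reject the directive when linked against a library that does not define it. The SSLHonorCipherOrder setting that follows lies outside the hunk; the preference order now also comes from the library, so confirm the two still agree.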
@@ -1760,12 +1766,12 @@ Wed Aug 1 01:14:35 UTC 2012 - crrodriguez@opensuse.org - Upgrade to apache 2.4.2 ** ATTENTION, before installing this update YOU MUST -READ http://httpd.apache.org/docs/2.4/upgrading.html +READ https://httpd.apache.org/docs/2.4/upgrading.html CAREFULLY otherwise your server will most likely fail to start due to backward incompatible changes. * You can read the huge complete list of changes - at http://httpd.apache.org/docs/2.4/new_features_2_4.html + at https://httpd.apache.org/docs/2.4/new_features_2_4.html ------------------------------------------------------------------- Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de