diff --git a/apache2-README.default-vhost b/apache2-README.default-vhost
new file mode 100644
index 0000000..3e1dccf
--- /dev/null
+++ b/apache2-README.default-vhost
@@ -0,0 +1,27 @@
+# provided by ChrisWi aka chris@computersalat.de
+This is a short introduction about how to use the delivered
+ - default-vhost.conf
+ - default-vhost-ssl.conf
+configuration files.
+
+When using virtual hosts (vhosts) with apache, you want to have a
+"default" config which points to your default hostname (FQDN).
+And when apache is reading its configs, then our "default" configs
+should be read "at first".
+To achieve this, you should adapt the/those config files and then
+add them to the /etc/sysconfig/apache2 config like the
+following example:
+
+# /etc/sysconfig/apache2
+---- snip ----
+# This allows you to add e.g. VirtualHost statements without touching
+# /etc/apache2/httpd.conf itself, which makes upgrading easier.
+#
+APACHE_CONF_INCLUDE_FILES="default-vhost.conf default-vhost-ssl.conf"
+
+---- snip ----
+
+This way our "default" config are read in before conf.d/* and vhosts.d/*
+
+Have fun :)
+
diff --git a/apache2-default-vhost-ssl.conf b/apache2-default-vhost-ssl.conf
new file mode 100644
index 0000000..828d164
--- /dev/null
+++ b/apache2-default-vhost-ssl.conf
@@ -0,0 +1,247 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+
+
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+ # General setup for the virtual host
+ ServerName dummy-host.example.com
+ ServerAdmin webmaster@dummy-host.example.com
+ ServerAlias example.com www.example.com
+
+ # DocumentRoot: The directory out of which you will serve your
+ # documents. By default, all requests are taken from this directory, but
+ # symbolic links and aliases may be used to point to other locations.
+ DocumentRoot "/srv/www/htdocs"
+ #ServerName www.example.com:443
+ #ServerAdmin webmaster@example.com
+ ErrorLog /var/log/apache2/error_log
+ TransferLog /var/log/apache2/access_log
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
+ SSLProtocol all -SSLv2 -SSLv3
+
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate.
+ # See the mod_ssl documentation for a complete list.
+ #
+ # formerly, this was set to the following:
+ # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ #
+ # We now disable weak ciphers by default.
+ # Please see the documentation via the links above, and
+ # "openssl ciphers -v" for a complete list of ciphers that are
+ # available.
+ #
+ # The following default should work with openssl running in FIPS
+ # mode.
+ # OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
+ # will start the web server with FIPS mode in openssl.
+ # For more information, please have a look at
+ # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
+ # package.
+ SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+
+ # Server Certificate:
+ # Point SSLCertificateFile at a PEM encoded certificate. If
+ # the certificate is encrypted, then you will be prompted for a
+ # pass phrase. Note that a kill -HUP will prompt again. Keep
+ # in mind that if you have both an RSA and a DSA certificate you
+ # can configure both in parallel (to also allow the use of DSA
+ # ciphers, etc.)
+ SSLCertificateFile /etc/apache2/ssl.crt/server.crt
+ #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
+
+ # Server Private Key:
+ # If the key is not combined with the certificate, use this
+ # directive to point at the key file. Keep in mind that if
+ # you've both a RSA and a DSA private key you can configure
+ # both in parallel (to also allow the use of DSA ciphers, etc.)
+ SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
+ #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convinience.
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath /etc/apache2/ssl.crt
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded)
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath /etc/apache2/ssl.crl
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o CompatEnvVars:
+ # This exports obsolete environment variables for backward compatibility
+ # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
+ # to provide compatibility to existing CGI scripts.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+
+ SSLOptions +StdEnvVars
+
+
+
+ AllowOverride None
+ #Options +Indexes +MultiViews +FollowSymLinks
+ Options -Indexes -MultiViews +FollowSymLinks
+ #IndexOptions FancyIndexing
+
+ #AuthName "Top Secret on dummy-host.example.com"
+ #AuthType Basic
+ #AuthUserFile /srv/www/passwd/default
+
+ #
+ # Controls who can get stuff from this server.
+ #
+ #
+ # Require valid-user
+ # Order Deny,Allow
+ # Deny from All
+ # Allow from 127.0.0.1
+ # Allow from .example.com
+ # Satisfy any
+ #
+
+
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is send or allowed to received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ # remark: The below configuration snippet is here for illustration purposes.
+ # Browser specific deficiencies exist, but generally all of them
+ # should handle SSL/TLS encapsulated connections well.
+ #SetEnvIf User-Agent ".*MSIE.*" \
+ # nokeepalive ssl-unclean-shutdown \
+ # downgrade-1.0 force-response-1.0
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog /var/log/apache2/ssl_request_log ssl_combined
+
+ #
+ # some Rewrite stuff for sharedssl
+ #
+ #RewriteEngine on
+ ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
+ ##RewriteLogLevel 3
+ #RewriteCond %{HTTP_HOST} ^webmail\..* [NC]
+ #RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
+ #RewriteRule ^/$ /roundcube [R]
+
+
+
+
+
+
diff --git a/apache2-default-vhost.conf b/apache2-default-vhost.conf
new file mode 100644
index 0000000..3e9898b
--- /dev/null
+++ b/apache2-default-vhost.conf
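Review bot: `SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH` still admits RC4 (RC4-SHA is MEDIUM, so neither `!LOW` nor `!MD5` removes it) and 3DES, and without `SSLHonorCipherOrder on` the client's preference wins, so a client that lists RC4 first gets it even though the server could negotiate AES. For a shipped default I would add `SSLHonorCipherOrder on` directly under the cipher line and exclude RC4 in the string, `SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:!RC4:@STRENGTH`; `SSLProtocol all -SSLv2 -SSLv3` is fine as is. The VirtualHost/Directory/Files container tags do not survive in this rendering of the hunk, so I am assuming the `AllowOverride None` / `Options -Indexes` block is scoped to the DocumentRoot as in the vhost-ssl template it is derived from — worth confirming against the actual file.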
@@ -0,0 +1,127 @@
+#
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+
+ ServerName dummy-host.example.com
+ ServerAdmin webmaster@dummy-host.example.com
+ ServerAlias example.com www.example.com
+
+ # DocumentRoot: The directory out of which you will serve your
+ # documents. By default, all requests are taken from this directory, but
+ # symbolic links and aliases may be used to point to other locations.
+ DocumentRoot "/srv/www/htdocs"
+
+ # if not specified, the global error log is used
+ ErrorLog /var/log/apache2/dummy-host.example.com-error_log
+ CustomLog /var/log/apache2/dummy-host.example.com-access_log combined
+
+ # don't loose time with IP address lookups
+ HostnameLookups Off
+
+ # needed for named virtual hosts
+ UseCanonicalName Off
+
+ # configures the footer on server-generated documents
+ ServerSignature On
+
+
+ # Optionally, include *.conf files from /etc/apache2/conf.d/
+ #
+ # For example, to allow execution of PHP scripts:
+ #
+ # Include /etc/apache2/conf.d/mod_php4.conf
+ #
+ # or, to include all configuration snippets added by packages:
+ # Include /etc/apache2/conf.d/*.conf
+
+
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the realname directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the client.
+ # The same rules about trailing "/" apply to ScriptAlias directives as to
+ # Alias.
+ #
+ ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
+
+ # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
+ # CGI directory exists, if you have one, and where ScriptAlias points to.
+ #
+
+ AllowOverride None
+ Options +ExecCGI -Includes
+ Order allow,deny
+ Allow from all
+
+
+
+ # UserDir: The name of the directory that is appended onto a user's home
+ # directory if a ~user request is received.
+ #
+ # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
+ # in /etc/sysconfig/apache2.
+ #
+
+ # Note that the name of the user directory ("public_html") cannot simply be
+ # changed here, since it is a compile time setting. The apache package
+ # would have to be rebuilt. You could work around by deleting
+ # /usr/sbin/suexec, but then all scripts from the directories would be
+ # executed with the UID of the webserver.
+ UserDir public_html
+ # The actual configuration of the directory is in
+ # /etc/apache2/mod_userdir.conf.
+ Include /etc/apache2/mod_userdir.conf
+ # You can, however, change the ~ if you find it awkward, by mapping e.g.
+ # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
+ #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
+
+
+
+ #
+ # This should be changed to whatever you set DocumentRoot to.
+ #
+
+
+ #
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs-2.2/mod/core.html#options
+ # for more information.
+ #
+ Options +Indexes +MultiViews +FollowSymLinks
+ IndexOptions FancyIndexing
+
+ #
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # Options FileInfo AuthConfig Limit
+ #
+ AllowOverride None
+
+ #
+ # Controls who can get stuff from this server.
+ #
+ Order allow,deny
+ Allow from all
+
+
+
+ #
+ # some Rewrite stuff for sharedssl
+ #
+ #RewriteEngine on
+ ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite_log"
+ ##RewriteLogLevel 3
+ #RewriteCond %{HTTP_HOST} ^sharedssl\.* [OR]
+ #RewriteRule ^/$ https://sharedssl.example.com/$1 [L,R]
+
+
+
diff --git a/apache2-mod_reqtimeout.conf b/apache2-mod_reqtimeout.conf
new file mode 100644
index 0000000..728516b
--- /dev/null
+++ b/apache2-mod_reqtimeout.conf
@@ -0,0 +1,29 @@
+#
+# Set timeout and minimum data rate for receiving requests to limit
+# the effects of denial of service attacks that connect, but let the
+# server wait for the completion of the request, thereby allocating
+# resources. The most commonly name for this attack method is
+# slowloris.
+#
+# mod_reqtimeout.c must be loaded.
+#
+# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
+# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
+#
+# Note:
+# the RequestReadTimeout directive can also be placed into a
+# virtual host context.
+#
+# Play around with variations of the below values if you are
+# under attack from slowloris or a similar tool.
+
+
+ # allow 10s timeout for the headers and allow 1s more until 20s upon
+ # receipt of 1000 bytes.
+ # almost the same with the body, except that it is tricky to
+ # limit the request timeout within the body at all - it may take
+ # time to generate the body.
+ RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000
+
+
+
diff --git a/apache2.changes b/apache2.changes
index e13c514..6ffdee6 100644
--- a/apache2.changes
+++ b/apache2.changes
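Review bot: The DocumentRoot block of this catch-all vhost enables directory listings with `Options +Indexes +MultiViews +FollowSymLinks` and `IndexOptions FancyIndexing`, while the SSL counterpart added in the same commit ships `Options -Indexes -MultiViews +FollowSymLinks`; since the header comment says this VirtualHost answers requests for unknown server names, exposing a listing of /srv/www/htdocs is the wrong default for the one vhost every stray Host header lands on. I would align it with the SSL file, `Options -Indexes -MultiViews +FollowSymLinks` and `#IndexOptions FancyIndexing`, and set `ServerSignature Off` so server-generated error pages stop carrying the version banner. The Directory container tags are not visible in this rendering of the hunk, so I am assuming the Options block is scoped to the DocumentRoot as the comment above it says.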
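Review bot: `RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000` gives the body phase no upper bound, so a client that keeps trickling roughly 1000 bytes per second extends the timeout indefinitely, which is the slow-POST variant of the attack the header comment is about; the comment says limiting the body is "tricky" but not why, nor what an administrator should do. I would extend that comment to state the trade-off explicitly and point at the bounded form, `body=20-120,MinRate=1000`, for vhosts that do not accept large uploads, and at `LimitRequestBody` where they do. The `<IfModule mod_reqtimeout.c>` wrapper does not show in this rendering of the hunk; presumably it is present in the file, since an unknown directive is a fatal config error when the module is not loaded.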
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
+
+- compile with pcre 8.30 - patch taken from apache bugzilla
+
+-------------------------------------------------------------------
+Sat Jan 21 13:54:01 CET 2012 - draht@suse.de
+
+- enable mod_reqtimeout by default via APACHE_MODULES in
+ /etc/sysconfig/apache2, configuration
+ /etc/apache2/mod_reqtimeout.conf .
+ Of course, the existing configuration remains unchanged.
+
+-------------------------------------------------------------------
+Fri Dec 16 20:53:39 UTC 2011 - chris@computersalat.de
+
+- add default vhost configs
+ * default-vhost.conf, default-vhost-ssl.conf, README.default-vhost
+
 -------------------------------------------------------------------
 Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de
diff --git a/apache2.spec b/apache2.spec
index df51ddf..5b3b98e 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,7 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
-
 Name: apache2
 BuildRequires: automake
 BuildRequires: db-devel
@@ -88,8 +87,9 @@ Source11: rc.%{pname}
 Source13: sysconfig.%{pname}
 Source18: robots.txt
 Source20: favicon.ico
-Source22: apache2-README.QUICKSTART
-Source24: apache2-README
+Source22: apache2-README
+Source23: apache2-README.QUICKSTART
+Source24: apache2-README.default-vhost
 Source25: gensslcert
 Source27: %{pname}.logrotate
 Source28: permissions.%{pname}
@@ -121,8 +121,11 @@ Source110: apache2-mod_userdir.conf
 Source111: apache2-server-tuning.conf
 Source113: apache2-ssl-global.conf
 Source114: apache2-mod_usertrack.conf
+Source115: apache2-mod_reqtimeout.conf
 Source130: apache2-vhost.template
 Source131: apache2-vhost-ssl.template
+Source132: apache2-default-vhost.conf
+Source133: apache2-default-vhost-ssl.conf
 Source140: apache2-check_forensic
 Source141: apache-20-22-upgrade
 Source142: start_apache2
@@ -140,6 +143,8 @@ Patch102: httpd-keepalivetimeout-millisecs.patch
 Patch104: httpd-mod_deflate_head.patch
 Patch105: ssl-mode-release-buffers.patch
 Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
+# PATCH-FIX-UPSTREAM https://issues.apache.org/bugzilla/show_bug.cgi?id=52623
+Patch107: httpd-new_pcre.patch
 Url: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.2
@@ -356,8 +361,20 @@ to administrators of web servers in general.
 %patch104
 %patch105
 %patch106
+%if 0%{?suse_version} >= 1220
+%patch107
+%endif
 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
+
+# install READMEs
+a=$(basename %{S:22})
+cp %{S:22} ./${a##%{name}-}
+b=$(basename %{S:23})
+cp %{S:23} ./${b##%{name}-}
+c=$(basename %{S:24})
+cp %{S:24} ./${c##%{name}-}
+
 #
 # replace PLATFORM string that's seen in the "Server:" header
 #
@@ -640,10 +657,6 @@ all_modules=$(echo $all_modules | fmt | sed 's/\(.*\)/# \1\\/')
 sed "s+@@all_modules@@+$all_modules +" $RPM_SOURCE_DIR/sysconfig.%{pname} \
 > $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/sysconfig.%{pname}
 #
-# install READMEs
-cp -p $RPM_SOURCE_DIR/%{pname}-README README.%VENDOR
-cp -p $RPM_SOURCE_DIR/%{pname}-README.QUICKSTART README.QUICKSTART
-#
 # install configuration files:
 mkdir -p $RPM_BUILD_ROOT/%{runtimedir}
 touch $RPM_BUILD_ROOT/%{sysconfdir}/sysconfig.d/include.conf
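Review bot: `Source115: apache2-mod_reqtimeout.conf` is declared here and `reqtimeout` is switched on in sysconfig.apache2, but none of the hunks in this diff install that file into `%{sysconfdir}` or list it in `%files`, even though the %install hunk below does so explicitly for Source132/Source133. If the spec already has a glob that installs and packages every `apache2-mod_*.conf` as `/etc/apache2/mod_*.conf` (the way `mod_userdir.conf` evidently ends up there) this is fine; otherwise the module is loaded with no `RequestReadTimeout` at all and the changelog's reference to /etc/apache2/mod_reqtimeout.conf is wrong. Worth a quick `rpm -qlp` on the built package to confirm.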
@@ -680,9 +693,14 @@ for mpm_conf in $mpm_confs; do
 ;;
 esac
 done
-install -m 644 $RPM_SOURCE_DIR/apache2-vhost.template $RPM_BUILD_ROOT/%{sysconfdir}/vhosts.d/vhost.template
-install -m 644 $RPM_SOURCE_DIR/apache2-vhost-ssl.template $RPM_BUILD_ROOT/%{sysconfdir}/vhosts.d/vhost-ssl.template
-install -m 644 $RPM_SOURCE_DIR/apache2-manual.conf $RPM_BUILD_ROOT/%{sysconfdir}/conf.d/
+install -m 644 %{S:130} $RPM_BUILD_ROOT/%{sysconfdir}/vhosts.d/vhost.template
+install -m 644 %{S:131} $RPM_BUILD_ROOT/%{sysconfdir}/vhosts.d/vhost-ssl.template
+install -m 644 %{S:104} $RPM_BUILD_ROOT/%{sysconfdir}/conf.d/manual.conf
+# install default vhost
+dvh=$(basename %{S:132})
+install -m 644 %{S:132} $RPM_BUILD_ROOT/%{sysconfdir}/${dvh##%{name}-}
+dvhs=$(basename %{S:133})
+install -m 644 %{S:133} $RPM_BUILD_ROOT/%{sysconfdir}/${dvhs##%{name}-}
 # for mod_auth_ldap
 install -m 644 docs/conf/charset.conv $RPM_BUILD_ROOT/%{sysconfdir}/
@@ -948,7 +966,7 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %doc %{manualdir}
 %dir %{sysconfdir}
 %dir %{sysconfdir}/conf.d
-%config %{sysconfdir}/conf.d/apache2-manual.conf
+%config %{sysconfdir}/conf.d/manual.conf
 %files example-pages
 %defattr(-,root,root)
diff --git a/httpd-new_pcre.patch b/httpd-new_pcre.patch
new file mode 100644
index 0000000..dd558af
--- /dev/null
+++ b/httpd-new_pcre.patch
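Review bot: `install -m 644 %{S:132} $RPM_BUILD_ROOT/%{sysconfdir}/${dvh##%{name}-}` (and the Source133 line after it) put default-vhost.conf and default-vhost-ssl.conf directly into /etc/apache2, and the README shipped with them tells administrators to adapt those files in place, so the matching `%files` entries — not part of this diff — need to be `%config(noreplace) %{sysconfdir}/default-vhost.conf` and `%config(noreplace) %{sysconfdir}/default-vhost-ssl.conf`. With plain `%config`, as the `manual.conf` entry in the next hunk uses, a locally edited copy is moved aside as `.rpmsave` on every package update and the live configuration silently reverts to the example with `ServerName dummy-host.example.com`; if the files are not listed at all, the build stops on unpackaged files. Either way the %files section deserves a look alongside this hunk.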
@@ -0,0 +1,23 @@
+Index: server/util_pcre.c
+===================================================================
+--- server/util_pcre.c.orig 2012-02-11 10:07:31.000000000 +0100
++++ server/util_pcre.c 2012-02-11 10:08:23.062838133 +0100
+@@ -128,6 +128,7 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *p
+ const char *errorptr;
+ int erroffset;
+ int options = 0;
++int nsub;
+
+ if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS;
+ if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE;
+@@ -137,7 +138,9 @@ preg->re_erroffset = erroffset;
+
+ if (preg->re_pcre == NULL) return AP_REG_INVARG;
+
+-preg->re_nsub = pcre_info((const pcre *)preg->re_pcre, NULL, NULL);
++pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
++ PCRE_INFO_CAPTURECOUNT, &nsub);
++preg->re_nsub = nsub;
+ return 0;
+ }
+
diff --git a/sysconfig.apache2 b/sysconfig.apache2
index dadb865..46149e5 100644
--- a/sysconfig.apache2
+++ b/sysconfig.apache2
@@ -72,7 +72,7 @@ APACHE_CONF_INCLUDE_DIRS=""
 # apache's default installation
 # APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
 # your settings
-APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
+APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout"
 ## Type: string
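Review bot: In the second inner hunk the new `int nsub;` is never initialised and the return value of `pcre_fullinfo()` is discarded, so if the call fails (it returns a non-zero error code rather than writing the count) `preg->re_nsub = nsub;` stores an indeterminate value, whereas the replaced `pcre_info()` call at least returned the count directly. Initialise the variable, `int nsub = 0;`, and preferably check the call, `if (pcre_fullinfo((const pcre *)preg->re_pcre, NULL, PCRE_INFO_CAPTURECOUNT, &nsub) != 0) return AP_REG_INVARG;` — `AP_REG_INVARG` is the failure code this function already returns two lines above. The enclosing `ap_regcomp()` begins before the first inner hunk, so the rest of its locals and the `pcre_compile` call are outside what this patch shows.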