From: Alex Dehnert <alex@dehnerts.com>
Date: Thu, 20 Jul 2023 05:22:35 +0000 (+0000)
Subject: Add a bunch of PHP-related config files
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=4978abc96721d7159671007a23ee3ec3db5b8319;p=sysconfig%2Fapache2.git

Add a bunch of PHP-related config files

This seems to successfully run Roundcube and nagios with php-fpm instead of
mod_php.
---

diff --git a/conf-available/nagios4-cgi.conf b/conf-available/nagios4-cgi.conf
new file mode 100644
index 0000000..1ff1692
--- /dev/null
+++ b/conf-available/nagios4-cgi.conf
@@ -0,0 +1,54 @@
+# apache configuration for nagios 4.x
+
+#ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+#ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+Alias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+Alias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    #
+    # The default Debian nagios4 install sets use_authentication=0 in
+    # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+    # This is insecure.  As a compromise this default apache2 configuration
+    # only allows private IP addresses access.
+    #
+    # The <Files>...</Files> below shows how you can secure the nagios4
+    # web site so anybody can view it, but only authenticated users can issue
+    # commands (such as silence notifications).  To do that replace the
+    # "Require all granted" with "Require valid-user", and use htdigest
+    # program from the apache2-utils package to add users to
+    # /etc/nagios4/htdigest.users.
+    #
+    # A step up is to insist all users validate themselves by moving
+    # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+    # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+    # can configure which people get to see a particular service from
+    # within the nagios configuration.
+    # 
+
+    AuthDigestDomain "Nagios4"
+    AuthDigestProvider file
+    AuthUserFile	"/etc/apache2/htdigest"
+    AuthGroupFile	"/etc/apache2/htgroups"
+    AuthName	"dehnerts.com"
+    AuthType	Digest
+    Require group   nagios
+    #Require	valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI	
+</Directory>
+
+<Directory /usr/lib/cgi-bin/nagios4>
+    Options	+ExecCGI	
+</Directory>
diff --git a/conf-available/nagios4.conf b/conf-available/nagios4.conf
deleted file mode 120000
index ea6da5c..0000000
--- a/conf-available/nagios4.conf
+++ /dev/null
@@ -1 +0,0 @@
-../../nagios4/apache2.conf
\ No newline at end of file
diff --git a/conf-available/php8.1-fpm.conf b/conf-available/php8.1-fpm.conf
new file mode 100644
index 0000000..a156ef4
--- /dev/null
+++ b/conf-available/php8.1-fpm.conf
@@ -0,0 +1,32 @@
+# Redirect to local php-fpm if mod_php is not available
+<IfModule !mod_php8.c>
+<IfModule proxy_fcgi_module>
+    # Enable http authorization headers
+    <IfModule setenvif_module>
+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+    </IfModule>
+
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+        SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
+    </FilesMatch>
+# The default configuration works for most of the installation, however it could
+# be improved in various ways. One simple improvement is to not pass files that
+# doesn't exist to the handler as shown below, for more configuration examples
+# see https://wiki.apache.org/httpd/PHP-FPM
+#    <FilesMatch ".+\.ph(ar|p|tml)$">
+#        <If "-f %{REQUEST_FILENAME}">
+#            SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
+#        </If>
+#    </FilesMatch>
+    <FilesMatch ".+\.phps$">
+        # Deny access to raw php sources by default
+        # To re-enable it's recommended to enable access to the files
+        # only in specific virtual host or directory
+        Require all denied
+    </FilesMatch>
+    # Deny access to files without filename (e.g. '.php')
+    <FilesMatch "^\.ph(ar|p|ps|tml)$">
+        Require all denied
+    </FilesMatch>
+</IfModule>
+</IfModule>
diff --git a/conf-enabled/nagios4-cgi.conf b/conf-enabled/nagios4-cgi.conf
new file mode 120000
index 0000000..735f7e2
--- /dev/null
+++ b/conf-enabled/nagios4-cgi.conf
@@ -0,0 +1 @@
+../conf-available/nagios4-cgi.conf
\ No newline at end of file
diff --git a/conf-enabled/nagios4.conf b/conf-enabled/nagios4.conf
deleted file mode 120000
index b0bb44b..0000000
--- a/conf-enabled/nagios4.conf
+++ /dev/null
@@ -1 +0,0 @@
-../conf-available/nagios4.conf
\ No newline at end of file
diff --git a/conf-enabled/php8.1-fpm.conf b/conf-enabled/php8.1-fpm.conf
new file mode 120000
index 0000000..1e8f164
--- /dev/null
+++ b/conf-enabled/php8.1-fpm.conf
@@ -0,0 +1 @@
+../conf-available/php8.1-fpm.conf
\ No newline at end of file
diff --git a/htgroups b/htgroups
index 6ceae1d..0001b5b 100644
--- a/htgroups
+++ b/htgroups
@@ -1,2 +1,3 @@
 logs: alex
 roundcube: alex
+nagios: alex
diff --git a/mods-enabled/proxy_fcgi.load b/mods-enabled/proxy_fcgi.load
new file mode 120000
index 0000000..5f187b2
--- /dev/null
+++ b/mods-enabled/proxy_fcgi.load
@@ -0,0 +1 @@
+../mods-available/proxy_fcgi.load
\ No newline at end of file