From 13d64a00b526b5b5c3dca9fab2a1e59bad9489d8 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Sun, 26 Aug 2012 18:45:57 -0400 Subject: [PATCH] Upstream config updates (Lucid->Precise) Major changes ignored: * increasing server counts for mpm_prefork * mods/available/dav_svn revert --- apache2.conf | 55 ++++++++++++++-------------- conf.d/other-vhosts-access-log | 2 ++ conf.d/security | 2 +- mods-available/alias.conf | 2 +- mods-available/authz_svn.load | 2 ++ mods-available/cgid.conf | 2 +- mods-available/dav_fs.conf | 2 +- mods-available/dav_svn.conf | 4 ++- mods-available/dav_svn.load | 1 - mods-available/info.conf | 7 ++-- mods-available/ldap.conf | 8 +++++ mods-available/mime.conf | 57 ++++++++++++++++++++++++++++-- mods-available/proxy.conf | 33 ++++++++++------- mods-available/proxy_balancer.conf | 16 +++++++++ mods-available/proxy_ftp.conf | 6 ++++ mods-available/reqtimeout.conf | 21 ++++++++--- mods-available/ssl.conf | 19 +++++++--- mods-available/status.conf | 22 +++++++++--- mods-enabled/authz_svn.load | 1 + sites-available/default-ssl | 5 ++- sites-common/default | 5 ++- 21 files changed, 204 insertions(+), 68 deletions(-) create mode 100644 conf.d/other-vhosts-access-log create mode 100644 mods-available/authz_svn.load create mode 100644 mods-available/ldap.conf create mode 100644 mods-available/proxy_balancer.conf create mode 100644 mods-available/proxy_ftp.conf create mode 120000 mods-enabled/authz_svn.load diff --git a/apache2.conf b/apache2.conf index a2cca1e..318d530 100644 --- a/apache2.conf +++ b/apache2.conf 
@@ -24,9 +24,9 @@ # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log" -# with ServerRoot set to "" will be interpreted by the -# server as "//var/log/apache2/foo.log". +# with "/", the value of ServerRoot is prepended -- so "foo.log" +# with ServerRoot set to "/etc/apache2" will be interpreted by the +# server as "/etc/apache2/foo.log". # ### Section 1: Global Environment @@ -42,21 +42,17 @@ # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation (available -# at ); +# at ); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # -ServerRoot "/etc/apache2" +#ServerRoot "/etc/apache2" # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # -# -# -LockFile /var/lock/apache2/accept.lock -# -# +LockFile ${APACHE_LOCK_DIR}/accept.lock # # PidFile: The file in which the server should record its process @@ -87,7 +83,7 @@ MaxKeepAliveRequests 100 # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # -KeepAliveTimeout 15 +KeepAliveTimeout 5 ## ## Server-Pool Size Regulation (MPM specific) 
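Review bot: `LockFile ${APACHE_LOCK_DIR}/accept.lock` makes startup depend on a variable that nothing in this patch defines; if APACHE_LOCK_DIR is unset (for example when the binary is run or syntax-checked directly rather than through the init script that sources the Debian envvars file), Apache 2.2 as far as I recall leaves the `${...}` text unexpanded with a warning, so the lock path is simply wrong. The same dependency is introduced for APACHE_LOG_DIR in the later apache2.conf hunk, in conf.d/other-vhosts-access-log and in sites-common/default, and for APACHE_RUN_DIR in cgid.conf, dav_fs.conf and ssl.conf. Either add the envvars file to this repository or state the contract once, above this first use: `# ${APACHE_*} variables are set by the envvars file; start the server via apache2ctl so they are defined`.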
@@ -109,10 +105,13 @@ KeepAliveTimeout 15 # worker MPM # StartServers: initial number of server processes to start -# MaxClients: maximum number of simultaneous client connections # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a +# graceful restart. ThreadLimit can only be changed by stopping +# and starting Apache. # ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections # MaxRequestsPerChild: maximum number of requests a server process serves StartServers 2 @@ -126,18 +125,18 @@ KeepAliveTimeout 15 # event MPM # StartServers: initial number of server processes to start -# MaxClients: maximum number of simultaneous client connections # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections # MaxRequestsPerChild: maximum number of requests a server process serves StartServers 2 - MaxClients 150 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 + MaxClients 150 MaxRequestsPerChild 0 @@ -160,6 +159,7 @@ AccessFileName .htaccess Order allow,deny Deny from all + Satisfy all # 
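Review bot: The event MPM block still carries `ThreadLimit 64` without the explanatory comment that this patch adds only to the worker MPM block, so a reader of the event section does not learn that ThreadLimit caps ThreadsPerChild across graceful restarts and can only be changed by a full stop/start. Copy the two added comment lines (`# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a` / `# graceful restart. ThreadLimit can only be changed by stopping and starting Apache.`) into the event MPM comment list above `# ThreadsPerChild:` so the two sections document the same directives. Both MPM blocks are wrapped in IfModule sections whose tags were stripped in this rendering, so the exact enclosing lines cannot be checked here.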
@@ -171,7 +171,14 @@ AccessFileName .htaccess # keep browsers from trying to display binary files as though they are # text. # -DefaultType text/plain +# It is also possible to omit any default MIME type and let the +# client's browser guess an appropriate action instead. Typically the +# browser will decide based on the file's extension then. In cases +# where no good assumption can be made, letting the default MIME type +# unset is suggested instead of forcing the browser to accept +# incorrect metadata. +# +DefaultType None # @@ -190,7 +197,7 @@ HostnameLookups Off # logged here. If you *do* define an error logfile for a # container, that host's errors will be logged there and not here. # -ErrorLog /var/log/apache2/error.log +ErrorLog ${APACHE_LOG_DIR}/error.log # # LogLevel: Control the number of messages logged to the error_log. @@ -200,14 +207,14 @@ ErrorLog /var/log/apache2/error.log LogLevel warn # Include module configuration: -Include /etc/apache2/mods-enabled/*.load -Include /etc/apache2/mods-enabled/*.conf +Include mods-enabled/*.load +Include mods-enabled/*.conf # Include all the user configurations: -Include /etc/apache2/httpd.conf +Include httpd.conf # Include ports listing -Include /etc/apache2/ports.conf +Include ports.conf # # The following directives define some format nicknames for use with @@ -220,16 +227,12 @@ LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent -# -# Define an access log for VirtualHosts that don't define their own logfile -CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined - # Include of directories ignores editors' and dpkg's backup files, # see README.Debian for details. # Include generic snippets of statements -Include /etc/apache2/conf.d/ +Include conf.d/ # Include the virtual host configurations: -Include /etc/apache2/sites-enabled/ +Include sites-enabled/ 
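Review bot: `DefaultType None` means a response whose type mime.conf cannot determine is sent with no Content-Type header at all, and the new comment describes the browser's reaction only as a "guess"; that guess is content sniffing, which matters wherever the server serves files it did not name itself (uploads, user directories). State the trade-off next to the directive, e.g. `# With None, unknown types get no Content-Type and browsers sniff the body; give untrusted files an explicit AddType`, and where mod_headers is enabled consider pairing it with `Header set X-Content-Type-Options nosniff`.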
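Review bot: The `Include mods-enabled/*.load`, `Include httpd.conf`, `Include ports.conf`, `Include conf.d/` and `Include sites-enabled/` lines become relative in the same patch that comments out `ServerRoot "/etc/apache2"`, so they now resolve against the compiled-in server root instead of a value visible in this file. That is presumably fine for the stock Debian binary, but it silently changes which files are read if the server is started with a different `-d` or from a self-built httpd. A one-line comment above the first Include, `# relative Include paths resolve against ServerRoot (compiled-in default while it is commented out above)`, makes the dependency explicit.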
diff --git a/conf.d/other-vhosts-access-log b/conf.d/other-vhosts-access-log new file mode 100644 index 0000000..9f7aecd --- /dev/null +++ b/conf.d/other-vhosts-access-log @@ -0,0 +1,2 @@ +# Define an access log for VirtualHosts that don't define their own logfile +CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined diff --git a/conf.d/security b/conf.d/security index 3720618..081d77e 100644 --- a/conf.d/security +++ b/conf.d/security @@ -3,7 +3,7 @@ # are explicitly allowed later. # # This currently breaks the configurations that come with some web application -# Debian packages. It will be made the default for the release after lenny. +# Debian packages. # # # AllowOverride None diff --git a/mods-available/alias.conf b/mods-available/alias.conf index ef786e9..ab9e8a3 100644 --- a/mods-available/alias.conf +++ b/mods-available/alias.conf @@ -15,7 +15,7 @@ Alias /icons/ "/usr/share/apache2/icons/" - Options Indexes MultiViews + Options FollowSymlinks AllowOverride None Order allow,deny Allow from all diff --git a/mods-available/authz_svn.load b/mods-available/authz_svn.load new file mode 100644 index 0000000..2e466fd --- /dev/null +++ b/mods-available/authz_svn.load @@ -0,0 +1,2 @@ +# Depends: dav_svn +LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so diff --git a/mods-available/cgid.conf b/mods-available/cgid.conf index a9eee10..ffd7c23 100644 --- a/mods-available/cgid.conf +++ b/mods-available/cgid.conf @@ -1,2 +1,2 @@ # Socket for cgid communication -ScriptSock /var/run/apache2/cgisock +ScriptSock ${APACHE_RUN_DIR}/cgisock diff --git a/mods-available/dav_fs.conf b/mods-available/dav_fs.conf index e591418..c7130c2 100644 --- a/mods-available/dav_fs.conf +++ b/mods-available/dav_fs.conf @@ -1 +1 @@ -DAVLockDB /var/lock/apache2/DAVLock +DAVLockDB ${APACHE_LOCK_DIR}/DAVLock diff --git a/mods-available/dav_svn.conf b/mods-available/dav_svn.conf index 1974d0b..8588917 100644 --- a/mods-available/dav_svn.conf 
+++ b/mods-available/dav_svn.conf @@ -232,8 +232,10 @@ #AuthName "Subversion Repository" #AuthUserFile /etc/apache2/dav_svn.passwd - # To enable authorization via mod_authz_svn + # To enable authorization via mod_authz_svn (enable that module separately): + # #AuthzSVNAccessFile /etc/apache2/dav_svn.authz + # # The following three lines allow anonymous read, but make # committers authenticate themselves. It requires the 'authz_user' diff --git a/mods-available/dav_svn.load b/mods-available/dav_svn.load index 388a197..68e1e0c 100644 --- a/mods-available/dav_svn.load +++ b/mods-available/dav_svn.load @@ -1,3 +1,2 @@ # Depends: dav LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so -LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so diff --git a/mods-available/info.conf b/mods-available/info.conf index 837a641..6c14e63 100644 --- a/mods-available/info.conf +++ b/mods-available/info.conf @@ -2,15 +2,14 @@ # # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). -# Uncomment and change the ".example.com" to allow -# access from other hosts. +# Uncomment and change the "192.0.2.0/24" to allow access from other hosts. # SetHandler server-info Order deny,allow Deny from all - Allow from localhost ip6-localhost -# Allow from .example.com + Allow from 127.0.0.1 ::1 +# Allow from 192.0.2.0/24 diff --git a/mods-available/ldap.conf b/mods-available/ldap.conf new file mode 100644 index 0000000..6d3b6d1 --- /dev/null +++ b/mods-available/ldap.conf @@ -0,0 +1,8 @@ + + SetHandler ldap-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 ::1 +# Allow from 192.0.2.0/24 + Satisfy all + diff --git a/mods-available/mime.conf b/mods-available/mime.conf index 92a2c45..331aa3f 100644 --- a/mods-available/mime.conf +++ b/mods-available/mime.conf 
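Review bot: The server-info block in info.conf is now limited by `Allow from 127.0.0.1 ::1` but, unlike the new ldap-status block in ldap.conf from the same patch, has no `Satisfy all`. Satisfy defaults to All yet is inherited from enclosing sections, so a `Satisfy Any` together with a Require in a containing vhost or Directory would let any authenticated user reach server-info from any address, and server-info prints the complete active configuration. Add `Satisfy all` after the Allow line in info.conf, and likewise in the server-status block in status.conf, so all three handler blocks in this patch are consistent. The Location tags enclosing these lines were stripped in this rendering.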
@@ -66,10 +66,19 @@ AddType application/x-bzip2 .bz2 # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) # +AddLanguage am .amh +AddLanguage ar .ara +AddLanguage be .be +AddLanguage bg .bg +AddLanguage bn .bn +AddLanguage br .br +AddLanguage bs .bs AddLanguage ca .ca AddLanguage cs .cz .cs +AddLanguage cy .cy AddLanguage da .dk AddLanguage de .de +AddLanguage dz .dz AddLanguage el .el AddLanguage en .en AddLanguage eo .eo @@ -77,24 +86,68 @@ AddLanguage eo .eo RemoveType es AddLanguage es .es AddLanguage et .et +AddLanguage eu .eu +AddLanguage fa .fa +AddLanguage fi .fi AddLanguage fr .fr +AddLanguage ga .ga +AddLanguage gl .glg +AddLanguage gu .gu AddLanguage he .he +AddLanguage hi .hi AddLanguage hr .hr +AddLanguage hu .hu +AddLanguage hy .hy +AddLanguage id .id +AddLanguage is .is AddLanguage it .it AddLanguage ja .ja +AddLanguage ka .ka +AddLanguage kk .kk +AddLanguage km .km +AddLanguage kn .kn AddLanguage ko .ko +AddLanguage ku .ku +AddLanguage lo .lo +AddLanguage lt .lt AddLanguage ltz .ltz +AddLanguage lv .lv +AddLanguage mg .mg +AddLanguage mk .mk +AddLanguage ml .ml +AddLanguage mr .mr +AddLanguage ms .msa +AddLanguage nb .nob +AddLanguage ne .ne AddLanguage nl .nl AddLanguage nn .nn AddLanguage no .no +AddLanguage pa .pa AddLanguage pl .po -AddLanguage pt .pt AddLanguage pt-BR .pt-br +AddLanguage pt .pt +AddLanguage ro .ro AddLanguage ru .ru +AddLanguage sa .sa +AddLanguage se .se +AddLanguage si .si +AddLanguage sk .sk +AddLanguage sl .sl +AddLanguage sq .sq +AddLanguage sr .sr AddLanguage sv .sv -# tr is troff in /etc/mime.types +AddLanguage ta .ta +AddLanguage te .te +AddLanguage th .th +AddLanguage tl .tl RemoveType tr +# tr is troff in /etc/mime.types AddLanguage tr .tr +AddLanguage uk .uk +AddLanguage ur .ur +AddLanguage vi .vi +AddLanguage wo .wo +AddLanguage xh .xh AddLanguage zh-CN .zh-cn AddLanguage zh-TW .zh-tw 
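Review bot: `# tr is troff in /etc/mime.types` now sits between `RemoveType tr` and `AddLanguage tr .tr`, but it explains why the RemoveType is needed, so it belongs above `RemoveType tr` where the old side had it. Purely a comment-placement point; the directives are unchanged in effect.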
diff --git a/mods-available/proxy.conf b/mods-available/proxy.conf index 46407a1..882daf0 100644 --- a/mods-available/proxy.conf +++ b/mods-available/proxy.conf @@ -1,19 +1,26 @@ - #turning ProxyRequests on and allowing proxying from all may allow - #spammers to use your proxy to send email. - ProxyRequests Off +# If you want to use apache2 as a forward proxy, uncomment the +# 'ProxyRequests On' line and the block below. +# WARNING: Be careful to restrict access inside the block. +# Open proxy servers are dangerous both to your network and to the +# Internet at large. +# +# If you only want to use apache2 as a reverse proxy/gateway in +# front of some web application server, you DON'T need +# 'ProxyRequests On'. - - AddDefaultCharset off - Order deny,allow - Deny from all - #Allow from .example.com - +#ProxyRequests On +# +# AddDefaultCharset off +# Order deny,allow +# Deny from all +# #Allow from .example.com +# - # Enable/disable the handling of HTTP/1.1 "Via:" headers. - # ("Full" adds the server version; "Block" removes all outgoing Via: headers) - # Set to one of: Off | On | Full | Block +# Enable/disable the handling of HTTP/1.1 "Via:" headers. +# ("Full" adds the server version; "Block" removes all outgoing Via: headers) +# Set to one of: Off | On | Full | Block +#ProxyVia Off - ProxyVia On diff --git a/mods-available/proxy_balancer.conf b/mods-available/proxy_balancer.conf new file mode 100644 index 0000000..4849b96 --- /dev/null +++ b/mods-available/proxy_balancer.conf @@ -0,0 +1,16 @@ + + +# Balancer manager enables dynamic update of balancer members +# (needs mod_status). Uncomment to enable. +# +# +# +# SetHandler balancer-manager +# Order deny,allow +# Deny from all +# Allow from 127.0.0.1 ::1 +# Satisfy all +# +# + + diff --git a/mods-available/proxy_ftp.conf b/mods-available/proxy_ftp.conf new file mode 100644 index 0000000..6da381a --- /dev/null +++ b/mods-available/proxy_ftp.conf 
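Review bot: The active `ProxyRequests Off` is removed and only the commented `#ProxyRequests On` remains, so the file no longer states the forward-proxy setting and relies on the module default. The default is Off, but keeping an explicit `ProxyRequests Off` line directly under the new warning comment leaves the open-proxy posture visible and grep-able, which is the property the comment itself argues for. `ProxyVia On` is likewise replaced by the commented `#ProxyVia Off`; that only affects the outgoing Via header and is cosmetic by comparison.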
@@ -0,0 +1,6 @@ + + +# Define the character set for proxied FTP listings. Default is ISO-8859-1 +ProxyFtpDirCharset UTF-8 + + diff --git a/mods-available/reqtimeout.conf b/mods-available/reqtimeout.conf index 0dd49af..615e81e 100644 --- a/mods-available/reqtimeout.conf +++ b/mods-available/reqtimeout.conf @@ -1,12 +1,25 @@ -# Wait max 10 seconds for the first byte of the request line+headers +# mod_reqtimeout limits the time waiting on the client to prevent an +# attacker from causing a denial of service by opening many connections +# but not sending requests. This file tries to give a sensible default +# configuration, but it may be necessary to tune the timeout values to +# the actual situation. Note that it is also possible to configure +# mod_reqtimeout per virtual host. + + +# Wait max 20 seconds for the first byte of the request line+headers # From then, require a minimum data rate of 500 bytes/s, but don't -# wait longer than 20 seconds in total. -RequestReadTimeout header=10-20,minrate=500 +# wait longer than 40 seconds in total. +# Note: Lower timeouts may make sense on non-ssl virtual hosts but can +# cause problem with ssl enabled virtual hosts: This timeout includes +# the time a browser may need to fetch the CRL for the certificate. If +# the CRL server is not reachable, it may take more than 10 seconds +# until the browser gives up. +RequestReadTimeout header=20-40,minrate=500 # Wait max 10 seconds for the first byte of the request body (if any) -# From then, require a minimum data rate of 500 byte/s. +# From then, require a minimum data rate of 500 bytes/s RequestReadTimeout body=10,minrate=500 diff --git a/mods-available/ssl.conf b/mods-available/ssl.conf index 1e4ce40..79f5a12 100644 --- a/mods-available/ssl.conf +++ b/mods-available/ssl.conf 
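Review bot: The new header comment describes mod_reqtimeout as the defence against slow-connection denial of service, but `RequestReadTimeout` only takes effect when a reqtimeout `.load` link exists under mods-enabled, and the only mods-enabled change in this patch is the authz_svn symlink, so I cannot tell from the diff whether the module is actually enabled in this tree. Worth confirming, and a line such as `# has no effect unless reqtimeout is enabled under mods-enabled` after the introduction would save the next reader the same check.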
@@ -33,25 +33,26 @@ AddType application/x-pkcs7-crl .crl # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin +SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). -#SSLSessionCache dbm:/var/run/apache2/ssl_scache -SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) +# (The mechanism dbm has known memory leaks and should not be used). +#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache +SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. -SSLMutex file:/var/run/apache2/ssl_mutex +SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. # enable only secure ciphers: -SSLCipherSuite HIGH:MEDIUM:!ADH +SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5 # Use this instead if you want to allow cipher upgrades via SGC facility. # In this case you also have to use something like # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 @@ -61,4 +62,12 @@ SSLCipherSuite HIGH:MEDIUM:!ADH # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2 SSLProtocol all -SSLv2 +# Allow insecure renegotiation with clients which do not yet support the +# secure renegotiation protocol. Default: Off +#SSLInsecureRenegotiation on + +# Whether to forbid non-SNI clients to access name based virtual hosts. +# Default: Off +#SSLStrictSNIVHostCheck On + diff --git a/mods-available/status.conf b/mods-available/status.conf index 679d111..c608c9c 100644 --- a/mods-available/status.conf +++ b/mods-available/status.conf 
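Review bot: `SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5` still does not match its comment "enable only secure ciphers": MEDIUM keeps 128-bit RC4 suites negotiable, and `!ADH` excludes anonymous DH only, whereas `!aNULL` also removes anonymous ECDH suites on OpenSSL builds that offer them. `SSLCipherSuite HIGH:!aNULL:!MD5` is the minimal tightening; if MEDIUM has to stay for client compatibility, say so in the comment. The unchanged `SSLProtocol all -SSLv2` context line likewise leaves SSLv3 enabled, which is outside this hunk's change but worth revisiting together with the cipher list.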
@@ -2,15 +2,29 @@ # # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status -# Uncomment and change the ".example.com" to allow -# access from other hosts. +# Uncomment and change the "192.0.2.0/24" to allow access from other hosts. # SetHandler server-status Order deny,allow Deny from all - Allow from localhost ip6-localhost -# Allow from .example.com + Allow from 127.0.0.1 ::1 +# Allow from 192.0.2.0/24 +# Keep track of extended status information for each request +ExtendedStatus On + +# Determine if mod_status displays the first 63 characters of a request or +# the last 63, assuming the request itself is greater than 63 chars. +# Default: Off +#SeeRequestTail On + + + + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On + + + diff --git a/mods-enabled/authz_svn.load b/mods-enabled/authz_svn.load new file mode 120000 index 0000000..7ac0725 --- /dev/null +++ b/mods-enabled/authz_svn.load @@ -0,0 +1 @@ +../mods-available/authz_svn.load \ No newline at end of file diff --git a/sites-available/default-ssl b/sites-available/default-ssl index 545da24..37ddad3 100644 --- a/sites-available/default-ssl +++ b/sites-available/default-ssl @@ -127,8 +127,11 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - BrowserMatch ".*MSIE.*" \ + BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + diff --git a/sites-common/default b/sites-common/default index 3c99e5d..ba73b41 100644 --- a/sites-common/default +++ b/sites-common/default 
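Review bot: `BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown` relies on the character class `[17-9]` matching the leading digit of "MSIE 10" and later as well as 7 to 9, which reads like a typo for `[7-9]` and invites a well-meant "fix" that would drop IE 10+ from the rule. The comment added above it, `# MSIE 7 and newer should be able to use keepalive`, does not mention this; extend it to `# [17-9] also matches "MSIE 1x", i.e. IE 10 and later`. These lines appear to sit inside a VirtualHost block that starts and ends outside the hunk.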
@@ -22,13 +22,13 @@ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ Allow from all -ErrorLog /var/log/apache2/error.olinda.log +ErrorLog ${APACHE_LOG_DIR}/error.olinda.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn -CustomLog /var/log/apache2/access.olinda.log combined +CustomLog ${APACHE_LOG_DIR}/access.olinda.log combined Alias /doc/ "/usr/share/doc/" @@ -40,4 +40,3 @@ Alias /doc/ "/usr/share/doc/" Include sites-common/awstats - -- 2.34.1