author | Micah Anderson <micah@riseup.net> | 2013-12-16 17:29:02 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2013-12-16 17:29:02 -0500 |
commit | 15757eb2334e614bc90c8d5235834352f72261e4 (patch) | |
tree | f3a3783b50d782b0d8ca76a7884c64e3cbc08dd9 /files | |
parent | 6158f2ad0cb07159b922b6036013a7be1e4dbab5 (diff) | |
parent | 88dc913a5da951b1a261b6cc6d9767aaf641287d (diff) |
Merge branch 'master' of labs.riseup.net:module_apache into riseup
Diffstat (limited to 'files')
-rw-r--r-- | files/config/Debian.wheezy/apache2.conf | 268 | ||||
-rw-r--r-- | files/include.d/CentOS/ssl_defaults.inc | 20 | ||||
-rw-r--r-- | files/include.d/Debian/ssl_defaults.inc | 9 | ||||
-rw-r--r-- | files/include.d/OpenBSD/ssl_defaults.inc | 3 | ||||
-rw-r--r-- | files/include.d/silverstripe.inc | 17 | ||||
-rw-r--r-- | files/itk_plus/conf.d/CentOS/ssl.conf | 75 | ||||
-rwxr-xr-x | files/munin/apache_activity | 99 | ||||
-rw-r--r-- | files/service/CentOS/httpd.itk_plus | 24 | ||||
-rw-r--r-- | files/service/CentOS/httpd.worker | 22 | ||||
-rw-r--r-- | files/vhosts.d/CentOS/0-default_ssl.conf | 6 | ||||
-rw-r--r-- | files/vhosts.d/Gentoo/0-default_ssl.conf | 3 |
11 files changed, 528 insertions, 18 deletions
diff --git a/files/config/Debian.wheezy/apache2.conf b/files/config/Debian.wheezy/apache2.conf
new file mode 100644
index 0000000..5054567
--- /dev/null
+++ b/files/config/Debian.wheezy/apache2.conf
@@ -0,0 +1,268 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.2/ for detailed information about +# the directives and /usr/share/doc/apache2-common/README.Debian.gz about +# Debian specific hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf.d +# | `-- * +# `-- sites-enabled +# `-- * +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# In order to avoid conflicts with backup files, the Include directive is +# adapted to ignore files that: +# - do not begin with a letter or number +# - contain a character that is neither letter nor number nor _-:. +# - contain .dpkg +# +# Yet we strongly suggest that all configuration files either end with a +# .conf or .load suffix in the file name. The next Debian release will +# ignore files not ending with .conf (or .load for mods-enabled). +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections, and which +# of these ports are used for name based virtual hosts. 
+# +# * Configuration files in the mods-enabled/ and sites-enabled/ directories +# contain particular configuration snippets which manage modules or virtual +# host configurations, respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite. See +# their respective man pages for detailed information. +# +# * Configuration files in the conf.d directory are either provided by other +# packages or may be added by the local administrator. Local additions +# should start with local- or end with .local.conf to avoid name clashes. All +# files in conf.d are considered (excluding the exceptions noted above) by +# the Apache 2 web server. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +LockFile ${APACHE_LOCK_DIR}/accept.lock + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. 
+# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_prefork_module> + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# worker MPM +# StartServers: initial number of server processes to start +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a +# graceful restart. ThreadLimit can only be changed by stopping +# and starting Apache. 
+# ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# event MPM +# StartServers: initial number of server processes to start +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxClients: maximum number of simultaneous client connections +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_event_module> + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# + +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<Files ~ "^\.ht"> + Order allow,deny + Deny from all + Satisfy all +</Files> + +# +# DefaultType is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. 
+# +# It is also possible to omit any default MIME type and let the +# client's browser guess an appropriate action instead. Typically the +# browser will decide based on the file's extension then. In cases +# where no good assumption can be made, letting the default MIME type +# unset is suggested instead of forcing the browser to accept +# incorrect metadata. +# +DefaultType None + + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# Include module configuration: +Include mods-enabled/*.load +Include mods-enabled/*.conf + +# Include list of ports to listen on and which to use for name based vhosts +Include ports.conf + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). 
+# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see the comments above for details. + +# Include generic snippets of statements +Include conf.d/ + +# Include the virtual host configurations: +Include sites-enabled/ diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 5cc663f..7735ebb 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -1,9 +1,3 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on @@ -11,13 +5,16 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +#SSLProtocol all -SSLv2 +SSLProtocol -all +SSLv3 +TLSv1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If 
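Review bot: `SSLProtocol -all +SSLv3 +TLSv1` in the `@@ -11,13 +5,16 @@` hunk is an explicit allowlist, so it keeps the deprecated SSLv3 enabled and, on mod_ssl builds that recognise the `TLSv1.1`/`TLSv1.2` tokens, turns those newer protocols off; the replaced `all -SSLv2` put no cap on the version. A subtractive form such as `SSLProtocol all -SSLv2 -SSLv3` removes the weak protocols without excluding newer ones. On OpenSSL builds where RC4 is classed as `MEDIUM`, the new `SSLCipherSuite` string still admits it, so `!RC4` is worth considering once client compatibility has been checked. The same `SSLProtocol` line is added in the Debian `ssl_defaults.inc` hunk `@@ -11,13 +11,13 @@`.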
@@ -134,8 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index 3a67cd3..7030ec8 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -11,13 +11,13 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol -all +SSLv3 +TLSv1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 - +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If @@ -139,3 +139,6 @@ SetEnvIf User-Agent ".*MSIE.*" \ # compact non-error SSL logfile on a virtual host basis. CustomLog /var/log/apache2/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc index e7d2c36..67cf36f 100644 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ b/files/include.d/OpenBSD/ssl_defaults.inc @@ -1,4 +1,5 @@ SSLEngine on -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key 
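Review bot: `Header add Strict-Transport-Security "max-age=15768000"` appends instead of replacing, so a vhost or application that already sets the header will send it twice, and without the `always` condition the header is left off server-generated error responses. `Header always set Strict-Transport-Security "max-age=15768000"` avoids both. The directive is not wrapped in `<IfModule mod_headers.c>`, so the include fails to load where mod_headers is not enabled; if failing closed is intended, a comment saying so would help. The same line is added in the Debian hunk `@@ -139,3 +139,6 @@`.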
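Review bot: In the OpenBSD include, `@STRENGTH` only sorts the server's own list. Unlike the CentOS and Debian includes, this file gets neither `SSLHonorCipherOrder on` nor an `SSLProtocol` line, so the client's preference still decides the suite and protocol selection stays at the server default. If the OpenBSD httpd in use supports those directives (not visible from this hunk), adding `SSLHonorCipherOrder on` and the same protocol policy would keep the three platforms aligned; otherwise a comment explaining the omission would help the next maintainer.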
diff --git a/files/include.d/silverstripe.inc b/files/include.d/silverstripe.inc
new file mode 100644
index 0000000..40c44e4
--- /dev/null
+++ b/files/include.d/silverstripe.inc
@@ -0,0 +1,17 @@
+# silverstripe .htaccess
+<Files *.ss>
+ Order deny,allow
+ Deny from all
+ #Allow from 127.0.0.1
+</Files>
+
+<IfModule mod_rewrite.c>
+ RewriteEngine On
+ #RewriteBase /
+
+ RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$)
+
+ RewriteCond %{REQUEST_URI} ^(.*)$
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
+</IfModule>
diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf
new file mode 100644
index 0000000..fb0c915
--- /dev/null
+++ b/files/itk_plus/conf.d/CentOS/ssl.conf
@@ -0,0 +1,75 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +NameVirtualHost *:443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. 
This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec diff --git a/files/munin/apache_activity b/files/munin/apache_activity new file mode 100755 index 0000000..65fc072 --- /dev/null +++ b/files/munin/apache_activity 
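Review bot: This global-context file sets the session cache, mutex and PRNG seeding but no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so the hardening added elsewhere in this commit reaches only vhosts that include `include.d/ssl_defaults.inc`. Any SSL vhost that omits the include would run on mod_ssl's built-in defaults. Since the file's own header says settings here apply to the main server and all SSL-enabled virtual hosts, consider repeating the protocol and cipher policy here as a baseline, or add a comment such as `# Protocol and cipher policy lives in include.d/ssl_defaults.inc; every SSL vhost must include it.`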
@@ -0,0 +1,99 @@ +#!/usr/bin/perl +# +# Parameters supported: +# +# config +# autoconf +# +# Configurable variables +# +# url - Override default status-url +# +# Magic markers: +#%# family=auto +#%# capabilities=autoconf + +my $ret = undef; +if (!eval "require LWP::UserAgent;") { + $ret = "LWP::UserAgent not found"; +} + +my $URL = exists $ENV{'url'} ? $ENV{'url'} : "http://127.0.0.1:%d/server-status?auto"; +my @PORTS = exists $ENV{'ports'} ? split(' ', $ENV{'ports'}) : (80); +my %chars = ( + # '\_' => 'Waiting', + # 'S' => 'Starting up', + 'R' => 'Reading request', + 'W' => 'Sending reply', + 'K' => 'Keepalive', + 'D' => 'DNS lookup', + 'C' => 'Closing', + # 'L' => 'Logging', + # 'G' => 'Gracefully finishing', + # 'I' => 'Idle cleanup', + # '\.' => 'Open slot', + ); + +# "_" Waiting for Connection, "S" Starting up, "R" Reading Request, +# "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup, +# "C" Closing connection, "L" Logging, "G" Gracefully finishing, +# "I" Idle cleanup of worker, "." 
Open slot with no current process + +if (exists $ARGV[0] and $ARGV[0] eq "autoconf") { + if ($ret) { + print "no ($ret)\n"; + exit 1; + } + my $ua = LWP::UserAgent->new(timeout => 30); + my @badports; + + foreach my $port (@PORTS) { + my $url = sprintf $URL, $port; + my $response = $ua->request(HTTP::Request->new('GET',$url)); + push @badports, $port unless $response->is_success and $response->content =~ /Scoreboard/im; + } + + if (@badports) { + print "no (no apache server-status on ports @badports)\n"; + exit 1; + } else { + print "yes\n"; + exit 0; + } +} + +if (exists $ARGV[0] and $ARGV[0] eq "config") { + print "graph_title Apache activity\n"; + print "graph_args --base 1000 -l 0\n"; + print "graph_category apache\n"; + print "graph_vlabel processes\n"; + foreach my $port (@PORTS) { + while (my ($char, $val) = each (%chars)) { + $char =~ s/\\\./dot/; + $char =~ s/\\\_/underline/; + print "activity_${port}_${char}.label "; + print $val, "\n"; + print "activity_${port}_${char}.type GAUGE\n"; + } + } + exit 0; +} + +foreach my $port (@PORTS) { + my $ua = LWP::UserAgent->new (timeout => 30); + my $url = sprintf $URL, $port; + my $response = $ua->request (HTTP::Request->new('GET',$url)); + if ($response->content =~ /^Scoreboard\:\s?(.*)$/sm) { + my $string = $1; + chomp $string; + my @act = split (//, $string); + foreach my $char (keys (%chars)) { + my $num = scalar (grep (/$char/, @act)); + $char =~ s/\\\./dot/; + $char =~ s/\\\_/underline/; + print "activity_${port}_${char}.value $num\n"; + } + } +} + + diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus new file mode 100644 index 0000000..4d74de2 --- /dev/null +++ b/files/service/CentOS/httpd.itk_plus 
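Review bot: The scoreboard match `/^Scoreboard\:\s?(.*)$/sm` in the final loop carries the `s` flag, so the greedy `(.*)` runs to the end of the response body rather than the end of the Scoreboard line, and letters in any text after that line would be counted as worker states. The same loop never checks `$response->is_success`, unlike the `autoconf` branch, so a failed fetch is skipped silently and an unexpected body is parsed as if it were status output. Suggested guard: `if ($response->is_success and $response->content =~ /^Scoreboard:\s?(.*)$/m) {`. The `url` environment value is used directly as a `sprintf` format, which is acceptable only while the plugin configuration stays administrator-controlled; a comment stating that assumption would help.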
@@ -0,0 +1,24 @@
+# Configuration file for the httpd service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+#HTTPD=/usr/sbin/httpd.worker
+HTTPD=/usr/sbin/httpd
+HTTPD_LOCAL=/usr/sbin/httpd.itk
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+#
+#OPTIONS=
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
+#
+#HTTPD_LANG=C
diff --git a/files/service/CentOS/httpd.worker b/files/service/CentOS/httpd.worker
new file mode 100644
index 0000000..290923f
--- /dev/null
+++ b/files/service/CentOS/httpd.worker
@@ -0,0 +1,22 @@
+# Configuration file for the httpd service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+HTTPD=/usr/sbin/httpd.worker
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+#
+#OPTIONS=
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
+#
+#HTTPD_LANG=C
diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf
index 9f8c4b6..d018bcc 100644
--- a/files/vhosts.d/CentOS/0-default_ssl.conf
+++ b/files/vhosts.d/CentOS/0-default_ssl.conf
@@ -8,6 +8,12 @@ Include include.d/ssl_defaults.inc DocumentRoot /var/www/html + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/ssl_error_log + TransferLog logs/ssl_access_log + LogLevel warn + SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key </VirtualHost> diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf index 7efe879..a123de8 100644 --- a/files/vhosts.d/Gentoo/0-default_ssl.conf +++ b/files/vhosts.d/Gentoo/0-default_ssl.conf @@ -31,7 +31,8 @@ UseCanonicalName On # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 + #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH SSLCertificateFile /e/certs/server.crt SSLCertificateKeyFile /e/certs/server.key |
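Review bot: The `ssl_request_log` `CustomLog` that this commit removes from `include.d/CentOS/ssl_defaults.inc` is not among the logging directives re-added in this vhost, so the default SSL vhost no longer records `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` per request. That record is what shows which clients still negotiate SSLv3 or weak suites before the protocol list is tightened further. If the drop is not intentional, add `CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"` next to the `TransferLog` line. The `<VirtualHost>` block starts outside the hunk.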
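Review bot: The new Gentoo `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH` omits the `!MD5` exclusion that the CentOS, Debian and OpenBSD includes in this commit carry, so MD5-based suites in `MEDIUM` remain negotiable on this platform. Unless the difference is deliberate, use `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH`. No `SSLHonorCipherOrder` or `SSLProtocol` change appears in this hunk either; the rest of the vhost lies outside the hunk, so they may be set elsewhere.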