diff options
| author | mh <mh@immerda.ch> | 2010-08-16 19:01:24 +0200 |
|---|---|---|
| committer | mh <mh@immerda.ch> | 2010-08-16 19:20:22 +0200 |
| commit | 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 (patch) | |
| tree | 9809ed82773911d4306c9315796592b9f45a5550 /templates | |
| parent | 888e0d3dde723fff0ba11d8a24a4c2e64d299ea5 (diff) | |
impelement itk plus mode
itk plus mode is an additional mode to deploy itk based hostings
which should be a bit more performant. The idea is that we have
two apache-instances running:
A) prefork based, listening on the external interface
B) itk based, listening on the loopback interface
A) will serve all static webpages, as well as possibly serve all static
content of dynamic websites. All requests to dynamic content will be
redirected to B). The idea is that A) doesn't load any modules to server
dynamic content at all.
B) will serve all the dynamic scripts of a vhost.
This will mean that for vhosts (static ones) as well as static content (all
none dynamic scripts) we can benefit from the fast prefork model, while we
can use itk's security model for all the dynamic scripts.
There are two new additional run_modes:
- proxy-itk: this just passes all requests to apache instance B). This one
is similar to plain itk based mode and should be used for vhosts
that shouldn't (yet) changed to the mixed mode.
- static-itk: this passes only requests to dynamic scripts to B) while all
static content is served by A). Beware that the user with which
A) is running should be member of the run group of B) and all
static files need to readable by the group. This reduces
the security model you have with plain itk, as the prefork
apache user will be able to read php (config-) files of any
vhost that runs in static-itk mode. If you want to keep
the level of security for a certain vhost, you need to run
the specific vhost in proxy-itk mode.
Note 1: you cannot run vhosts in itk mode and others in proxy or static
itk mode. There is a duplicate file resource definition that
blocks that possibility.
Note 2: This mode works currently only on CentOS based systems, as no
work have been done so far to implement an init.d script that's
able to run 2 apache instances.
Diffstat (limited to 'templates')
| -rw-r--r-- | templates/itk_plus/CentOS/00-listen.conf.erb | 8 | ||||
| -rw-r--r-- | templates/vhosts/perl/perl.erb | 218 | ||||
| -rw-r--r-- | templates/vhosts/php/php.erb | 204 | ||||
| -rw-r--r-- | templates/vhosts/php_drupal/php_drupal.erb | 238 | ||||
| -rw-r--r-- | templates/vhosts/php_gallery2/php_gallery.erb | 215 | ||||
| -rw-r--r-- | templates/vhosts/php_joomla/php_joomla.erb | 244 | ||||
| -rw-r--r-- | templates/vhosts/php_mediawiki/php_mediawiki.erb | 189 | ||||
| -rw-r--r-- | templates/vhosts/php_silverstripe/php_silverstripe.erb | 248 | ||||
| -rw-r--r-- | templates/vhosts/php_simplemachine/php_simplemachine.erb | 203 | ||||
| -rw-r--r-- | templates/vhosts/php_spip/php_spip.erb | 203 | ||||
| -rw-r--r-- | templates/vhosts/php_typo3/php_typo3.erb | 239 | ||||
| -rw-r--r-- | templates/vhosts/php_wordpress/php_wordpress.erb | 202 | ||||
| -rw-r--r-- | templates/vhosts/webdav/webdav.erb | 153 |
13 files changed, 2508 insertions, 56 deletions
diff --git a/templates/itk_plus/CentOS/00-listen.conf.erb b/templates/itk_plus/CentOS/00-listen.conf.erb new file mode 100644 index 0000000..9f2c626 --- /dev/null +++ b/templates/itk_plus/CentOS/00-listen.conf.erb @@ -0,0 +1,8 @@ +<IfDefine HttpdLocal> +Listen 127.0.0.1:80 +PidFile run/httpdlocal.pid +</IfDefine> +<IfDefine !HttpdLocal> +Listen <%= ipaddress %>:80 +PidFile run/httpd.pid +</IfDefine> diff --git a/templates/vhosts/perl/perl.erb b/templates/vhosts/perl/perl.erb index 5be25fa..5cb30bc 100644 --- a/templates/vhosts/perl/perl.erb +++ b/templates/vhosts/perl/perl.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -63,6 +70,7 @@ ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -80,6 +88,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -115,13 +124,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -147,6 +159,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -164,9 +177,210 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.pl + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.pl/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + + <%- unless htpasswd_file.to_s == 'absent' then -%> + <Directory "<%= cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + </Directory> + <%- end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.pl + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.pl/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- unless run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + + <%- if htpasswd_file.to_s == 'absent' then -%> + <Directory "<%= cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + </Directory> + <%- end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php/php.erb b/templates/vhosts/php/php.erb index 99c94e2..4d5d984 100644 --- a/templates/vhosts/php/php.erb +++ b/templates/vhosts/php/php.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -117,14 +126,17 @@ <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -153,6 +165,185 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -176,3 +367,6 @@ <%- end -%> </VirtualHost> <%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/php_drupal/php_drupal.erb b/templates/vhosts/php_drupal/php_drupal.erb index 9b6c3ef..db01248 100644 --- a/templates/vhosts/php_drupal/php_drupal.erb +++ b/templates/vhosts/php_drupal/php_drupal.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -31,11 +34,13 @@ <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -88,6 +93,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -105,6 +111,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -140,13 +147,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -197,6 +207,119 @@ Options +FollowSymLinks </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> + <%- end -%> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -220,3 +343,108 @@ <%- end -%> </VirtualHost> <%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_gallery2/php_gallery.erb b/templates/vhosts/php_gallery2/php_gallery.erb index 8d10d02..fdcc89b 100644 --- a/templates/vhosts/php_gallery2/php_gallery.erb +++ b/templates/vhosts/php_gallery2/php_gallery.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -74,6 +81,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -91,6 +99,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -126,13 +135,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -169,6 +181,7 @@ RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -182,9 +195,201 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + # https -> see below + # Then, unset baseUri in config.php (to keep Gallery from trying to redirect users to either HTTP or HTTPS): + # $gallery->setConfig('baseUri', ''); + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + # Always rewrite login's (see above) + RewriteEngine On + RewriteCond %{HTTP_COOKIE} ="" + RewriteCond %{REQUEST_METHOD} =GET + RewriteCond %{QUERY_STRING} !subView=core\.UserLogin + RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_joomla/php_joomla.erb b/templates/vhosts/php_joomla/php_joomla.erb index 8803765..9911a15 100644 --- a/templates/vhosts/php_joomla/php_joomla.erb +++ b/templates/vhosts/php_joomla/php_joomla.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -75,6 +82,7 @@ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -106,6 +114,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -141,13 +150,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> Include include.d/joomla.inc @@ -175,6 +187,226 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch '^/'> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> + SecRuleRemoveById 960010 + </LocationMatch> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + Include include.d/joomla.inc + + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <Directory "<%= documentroot %>/administrator/"> + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch '^/'> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> + SecRuleRemoveById 960010 + </LocationMatch> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + Include include.d/joomla.inc + + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -212,3 +444,5 @@ <%- end -%> </VirtualHost> <%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_mediawiki/php_mediawiki.erb b/templates/vhosts/php_mediawiki/php_mediawiki.erb index 45a19c8..ac51dcc 100644 --- a/templates/vhosts/php_mediawiki/php_mediawiki.erb +++ b/templates/vhosts/php_mediawiki/php_mediawiki.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -61,6 +68,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -74,6 +82,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -109,13 +118,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -139,6 +151,7 @@ php_admin_value session.save_path <%= real_php_session_save_path %> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -152,9 +165,181 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%><%- unless options.to_s.include?('+FollowSymLinks') -%> +FollowSymLinks<% end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_silverstripe/php_silverstripe.erb b/templates/vhosts/php_silverstripe/php_silverstripe.erb index 8b739b7..888c066 100644 --- a/templates/vhosts/php_silverstripe/php_silverstripe.erb +++ b/templates/vhosts/php_silverstripe/php_silverstripe.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,19 +29,24 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> # silverstripe RedirectMatch /admin(.*) https://<%= servername %>/admin$1 RedirectMatch /Security(.*) https://<%= servername %>/Security$1 + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -70,6 +78,7 @@ Deny from all #Allow from 127.0.0.1 </Files> + <IfModule mod_rewrite.c> RewriteEngine On #RewriteBase / @@ -83,6 +92,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -102,6 +112,7 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -136,14 +147,18 @@ <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -188,6 +203,7 @@ </IfModule> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -207,9 +223,231 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + # silverstripe + RedirectMatch /admin(.*) https://<%= servername %>/admin$1 + RedirectMatch /Security(.*) https://<%= servername %>/Security$1 + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + # silverstripe .htaccess + <Files *.ss> + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + </Files> + + <IfModule mod_rewrite.c> + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + </IfModule> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # silverstripe .htaccess + <Files *.ss> + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + </Files> + <IfModule mod_rewrite.c> + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + </IfModule> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/php_simplemachine/php_simplemachine.erb b/templates/vhosts/php_simplemachine/php_simplemachine.erb index b2b0419..7042647 100644 --- a/templates/vhosts/php_simplemachine/php_simplemachine.erb +++ b/templates/vhosts/php_simplemachine/php_simplemachine.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -60,6 +67,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -77,6 +85,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -112,13 +121,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -141,6 +153,7 @@ php_admin_value session.save_path <%= real_php_session_save_path %> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -158,9 +171,189 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 99c94e2..c63cf77 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -118,13 +127,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -153,6 +165,7 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -170,9 +183,189 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_typo3/php_typo3.erb b/templates/vhosts/php_typo3/php_typo3.erb index c3bb0d4..6272576 100644 --- a/templates/vhosts/php_typo3/php_typo3.erb +++ b/templates/vhosts/php_typo3/php_typo3.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -61,8 +68,6 @@ php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> <%- end -%> </Directory> - <%- end -%> - <Directory "<%= documentroot %>/typo3/"> RewriteEngine on @@ -72,8 +77,17 @@ RewriteCond %{REQUEST_URI} (.*/typo3/.*) RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] </Directory> + <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + SecAuditEngine Off + </IfModule> + </Location> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -93,6 +107,7 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -128,13 +143,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -162,9 +180,11 @@ php_admin_value allow_url_fopen On </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <Location "/typo3"> <IfModule mod_security2.c> SecRuleEngine Off + SecAuditEngine Off </IfModule> </Location> @@ -187,9 +207,214 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <Directory "<%= documentroot %>/typo3/"> + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/typo3/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> + <%- end -%> + <%- end -%> + + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + </IfModule> + </Location> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + </IfModule> + </Location> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_wordpress/php_wordpress.erb b/templates/vhosts/php_wordpress/php_wordpress.erb index 5dbf9dc..2a90c69 100644 --- a/templates/vhosts/php_wordpress/php_wordpress.erb +++ b/templates/vhosts/php_wordpress/php_wordpress.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -63,6 +70,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -79,6 +87,7 @@ SecRuleRemoveById "960010" SecRuleRemoveById "950018" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -114,13 +123,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -146,6 +158,99 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + SecRuleRemoveById "950018" + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -168,3 +273,90 @@ <%- end -%> </VirtualHost> <%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + SecRuleRemoveById "950018" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/webdav/webdav.erb b/templates/vhosts/webdav/webdav.erb index 6e66f30..a7dfa37 100644 --- a/templates/vhosts/webdav/webdav.erb +++ b/templates/vhosts/webdav/webdav.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> DAVLockDB <%= real_dav_db_dir %>/DAVLock @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -118,13 +127,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> DAVLockDB <%= real_dav_db_dir %>/DAVLock <Directory "<%= documentroot %>/"> @@ -153,6 +165,7 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -170,9 +183,139 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + ProxyPass / https://127.0.0.1/ + ProxyPassReverse / https://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + ProxyPass / http://127.0.0.1/ + ProxyPassReverse / http://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> |